remove Xss from ATM

remove CodeInjection from ATM
add Xss endpoint filters to XssThroughDom
2026-05-20 22:27:18 +02:00 · 2022-06-28 10:33:07 +01:00 · 2022-06-21 15:57:28 +01:00 · 2022-06-21 14:41:57 +01:00 · 2022-05-25 14:44:14 +01:00 · 2022-05-25 14:44:14 +01:00
1802 changed files with 57200 additions and 103087 deletions
--- a/.codeqlmanifest.json
+++ b/.codeqlmanifest.json
@@ -0,0 +1,30 @@
+{
+    "provide": [
+        "*/ql/src/qlpack.yml",
+        "*/ql/lib/qlpack.yml",
+        "*/ql/test/qlpack.yml",
+        "*/ql/examples/qlpack.yml",
+        "*/ql/consistency-queries/qlpack.yml",
+        "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml",
+        "go/ql/config/legacy-support/qlpack.yml",
+        "go/build/codeql-extractor-go/codeql-extractor.yml",
+        "javascript/ql/experimental/adaptivethreatmodeling/lib/qlpack.yml",
+        "javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/qlpack.yml",
+        "javascript/ql/experimental/adaptivethreatmodeling/src/qlpack.yml",
+        "csharp/ql/campaigns/Solorigate/lib/qlpack.yml",
+        "csharp/ql/campaigns/Solorigate/src/qlpack.yml",
+        "csharp/ql/campaigns/Solorigate/test/qlpack.yml",
+        "misc/legacy-support/*/qlpack.yml",
+        "misc/suite-helpers/qlpack.yml",
+        "ruby/extractor-pack/codeql-extractor.yml",
+        "swift/extractor-pack/codeql-extractor.yml",
+        "ql/extractor-pack/codeql-extractor.yml"
+    ],
+    "versionPolicies": {
+      "default": {
+        "requireChangeNotes": true,
+        "committedPrereleaseSuffix": "dev",
+        "committedVersion": "nextPatchRelease"
+      }
+    }
+}
--- a/.devcontainer/swift/Dockerfile
+++ b/.devcontainer/swift/Dockerfile
@@ -1,9 +0,0 @@
-# See here for image contents: https://github.com/microsoft/vscode-dev-containers/tree/v0.236.0/containers/cpp/.devcontainer/base.Dockerfile
-
-# [Choice] Debian / Ubuntu version (use Debian 11, Ubuntu 18.04/22.04 on local arm64/Apple Silicon): debian-11, debian-10, ubuntu-22.04, ubuntu-20.04, ubuntu-18.04
-FROM mcr.microsoft.com/vscode/devcontainers/cpp:0-ubuntu-22.04
-
-USER root
-ADD root.sh /tmp/root.sh
-ADD update-codeql.sh /usr/local/bin/update-codeql
-RUN bash /tmp/root.sh && rm /tmp/root.sh
--- a/.devcontainer/swift/devcontainer.json
+++ b/.devcontainer/swift/devcontainer.json
@@ -1,25 +0,0 @@
-{
-	"extensions": [
-		"github.vscode-codeql",
-		"hbenl.vscode-test-explorer",
-		"ms-vscode.test-adapter-converter",
-		"slevesque.vscode-zipexplorer",
-		"ms-vscode.cpptools"
-	],
-	"settings": {
-		"files.watcherExclude": {
-			"**/target/**": true
-		},
-		"codeQL.runningQueries.memory": 2048
-	},
-	"build": {
-		"dockerfile": "Dockerfile",
-	},
-	"runArgs": [
-		"--cap-add=SYS_PTRACE",
-		"--security-opt",
-		"seccomp=unconfined"
-	],
-	"remoteUser": "vscode",
-	"onCreateCommand": ".devcontainer/swift/user.sh"
-}
--- a/.devcontainer/swift/root.sh
+++ b/.devcontainer/swift/root.sh
@@ -1,22 +0,0 @@
-set -xe
-
-BAZELISK_VERSION=v1.12.0
-BAZELISK_DOWNLOAD_SHA=6b0bcb2ea15bca16fffabe6fda75803440375354c085480fe361d2cbf32501db
-
-apt-get update
-export DEBIAN_FRONTEND=noninteractive
-apt-get -y install --no-install-recommends \
-    zlib1g-dev \
-    uuid-dev \
-    python3-distutils \
-    python3-pip \
-    bash-completion
-
-# Install Bazel
-curl -fSsL -o /usr/local/bin/bazelisk https://github.com/bazelbuild/bazelisk/releases/download/${BAZELISK_VERSION}/bazelisk-linux-amd64
-echo "${BAZELISK_DOWNLOAD_SHA} */usr/local/bin/bazelisk" | sha256sum --check -
-chmod 0755 /usr/local/bin/bazelisk
-ln -s bazelisk /usr/local/bin/bazel
-
-# install latest codeql
-update-codeql
--- a/.devcontainer/swift/update-codeql.sh
+++ b/.devcontainer/swift/update-codeql.sh
@@ -1,20 +0,0 @@
-#!/bin/bash -e
-
-URL=https://github.com/github/codeql-cli-binaries/releases
-LATEST_VERSION=$(curl -L -s -H 'Accept: application/json' $URL/latest | sed -e 's/.*"tag_name":"\([^"]*\)".*/\1/')
-CURRENT_VERSION=v$(codeql version 2>/dev/null | sed -ne 's/.*release \([0-9.]*\)\./\1/p')
-if [[ $CURRENT_VERSION != $LATEST_VERSION ]]; then
-  if [[ $UID != 0 ]]; then
-    echo "update required, please run this script with sudo:"
-    echo "  sudo $0"
-    exit 1
-  fi
-  ZIP=$(mktemp codeql.XXXX.zip)
-  curl -fSqL -o $ZIP $URL/download/$LATEST_VERSION/codeql-linux64.zip
-  unzip -q $ZIP -d /opt
-  rm $ZIP
-  ln -sf /opt/codeql/codeql /usr/local/bin/codeql
-  echo installed version $LATEST_VERSION
-else
-  echo current version $CURRENT_VERSION is up-to-date
-fi
--- a/.devcontainer/swift/user.sh
+++ b/.devcontainer/swift/user.sh
@@ -1,13 +0,0 @@
-set -xe
-
-# add the workspace to the codeql search path
-mkdir -p /home/vscode/.config/codeql
-echo "--search-path /workspaces/codeql" > /home/vscode/.config/codeql/config
-
-# create a swift extractor pack with the current state
-cd /workspaces/codeql
-bazel run swift/create-extractor-pack
-
-#install and set up pre-commit
-python3 -m pip install pre-commit --no-warn-script-location
-$HOME/.local/bin/pre-commit install
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -6,23 +6,14 @@
  - csharp/**/*
  - change-notes/**/*csharp*

-Go:
-  - go/**/*
-  - change-notes/**/*go.*
-
 Java:
-  - any: [ 'java/**/*', '!java/kotlin-extractor/**/*', '!java/kotlin-explorer/**/*', '!java/ql/test/kotlin/**/*' ]
+  - java/**/*
  - change-notes/**/*java.*

 JS:
  - any: [ 'javascript/**/*', '!javascript/ql/experimental/adaptivethreatmodeling/**/*' ]
  - change-notes/**/*javascript*

-Kotlin:
-  - java/kotlin-extractor/**/*
-  - java/kotlin-explorer/**/*
-  - java/ql/test/kotlin/**/*
-
 Python:
  - python/**/*
  - change-notes/**/*python*
@@ -30,7 +21,7 @@ Python:
 Ruby:
  - ruby/**/*
  - change-notes/**/*ruby*
-
+  
 Swift:
  - swift/**/*
  - change-notes/**/*swift*
@@ -40,5 +31,5 @@ documentation:
  - "**/*.md"
  - docs/**/*

-"QL-for-QL":
+"QL-for-QL": 
  - ql/**/*
--- a/.github/workflows/csv-coverage-pr-artifacts.yml
+++ b/.github/workflows/csv-coverage-pr-artifacts.yml
@@ -41,7 +41,7 @@ jobs:
        git log -1 --format='%H'
      working-directory: base
    - name: Set up Python 3.8
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@v3
      with:
        python-version: 3.8
    - name: Download CodeQL CLI
--- a/.github/workflows/csv-coverage-pr-comment.yml
+++ b/.github/workflows/csv-coverage-pr-comment.yml
@@ -22,7 +22,7 @@ jobs:
    - name: Clone self (github/codeql)
      uses: actions/checkout@v3
    - name: Set up Python 3.8
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@v3
      with:
        python-version: 3.8

--- a/.github/workflows/csv-coverage-timeseries.yml
+++ b/.github/workflows/csv-coverage-timeseries.yml
@@ -19,7 +19,7 @@ jobs:
        path: codeqlModels
        fetch-depth: 0
    - name: Set up Python 3.8
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@v3
      with:
        python-version: 3.8
    - name: Download CodeQL CLI
--- a/.github/workflows/csv-coverage-update.yml
+++ b/.github/workflows/csv-coverage-update.yml
@@ -22,7 +22,7 @@ jobs:
        path: ql
        fetch-depth: 0
    - name: Set up Python 3.8
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@v3
      with:
        python-version: 3.8
    - name: Download CodeQL CLI
--- a/.github/workflows/csv-coverage.yml
+++ b/.github/workflows/csv-coverage.yml
@@ -23,7 +23,7 @@ jobs:
        path: codeqlModels
        ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}
    - name: Set up Python 3.8
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@v3
      with:
        python-version: 3.8
    - name: Download CodeQL CLI
--- a/.github/workflows/go-tests.yml
+++ b/.github/workflows/go-tests.yml
@@ -4,7 +4,6 @@ on:
    paths:
      - "go/**"
      - .github/workflows/go-tests.yml
-      - codeql-workspace.yml
 jobs:

  test-linux:
--- a/.github/workflows/js-ml-tests.yml
+++ b/.github/workflows/js-ml-tests.yml
@@ -5,7 +5,6 @@ on:
    paths:
      - "javascript/ql/experimental/adaptivethreatmodeling/**"
      - .github/workflows/js-ml-tests.yml
-      - codeql-workspace.yml
    branches:
      - main
      - "rc/*"
@@ -13,8 +12,6 @@ on:
    paths:
      - "javascript/ql/experimental/adaptivethreatmodeling/**"
      - .github/workflows/js-ml-tests.yml
-      - codeql-workspace.yml
-  workflow_dispatch:

 defaults:
  run:
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -4,9 +4,6 @@ on:

 jobs:
  triage:
-    permissions:
-      contents: read
-      pull-requests: write
    runs-on: ubuntu-latest
    steps:
    - uses: actions/labeler@v4
--- a/.github/workflows/mad_modelDiff.yml
+++ b/.github/workflows/mad_modelDiff.yml
@@ -61,7 +61,7 @@ jobs:
            DATABASE=$2
            cd codeql-$QL_VARIANT
            SHORTNAME=`basename $DATABASE`
-            python java/ql/src/utils/model-generator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE $MODELS/${SHORTNAME}.qll
+            python java/ql/src/utils/model-generator/GenerateFlowModel.py $DATABASE $MODELS/${SHORTNAME}.qll
            mv $MODELS/${SHORTNAME}.qll $MODELS/${SHORTNAME}Generated_${QL_VARIANT}.qll
            cd ..
          }
--- a/.github/workflows/mad_regenerate-models.yml
+++ b/.github/workflows/mad_regenerate-models.yml
@@ -20,7 +20,7 @@ jobs:
        ref: ["placeholder"]
        include:
          - slug: "apache/commons-io"
-            ref: "13258ce2d07aa0e764bbaa8020af4dcd3a02a620"
+            ref: "8985de8fe74f6622a419b37a6eed0dbc484dc128"
        exclude:
          - slug: "placeholder"
            ref: "placeholder"
--- a/.github/workflows/ql-for-ql-tests.yml
+++ b/.github/workflows/ql-for-ql-tests.yml
@@ -5,12 +5,10 @@ on:
    branches: [main]
    paths:
      - "ql/**"
-      - codeql-workspace.yml
  pull_request:
    branches: [main]
    paths:
      - "ql/**"
-      - codeql-workspace.yml

 env:
  CARGO_TERM_COLOR: always
--- a/.github/workflows/query-list.yml
+++ b/.github/workflows/query-list.yml
@@ -5,8 +5,6 @@ on:
    branches:
     - main
     - 'rc/**'
-    tags:
-     - 'codeql-cli/*'
  pull_request:
    paths:
      - '.github/workflows/query-list.yml'
@@ -23,7 +21,7 @@ jobs:
      with:
        path: codeql 
    - name: Set up Python 3.8
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@v3
      with:
        python-version: 3.8
    - name: Download CodeQL CLI
--- a/.github/workflows/ruby-build.yml
+++ b/.github/workflows/ruby-build.yml
@@ -5,7 +5,6 @@ on:
    paths:
      - "ruby/**"
      - .github/workflows/ruby-build.yml
-      - codeql-workspace.yml
    branches:
      - main
      - "rc/*"
@@ -13,7 +12,6 @@ on:
    paths:
      - "ruby/**"
      - .github/workflows/ruby-build.yml
-      - codeql-workspace.yml
    branches:
      - main
      - "rc/*"
--- a/.github/workflows/ruby-qltest.yml
+++ b/.github/workflows/ruby-qltest.yml
@@ -5,7 +5,6 @@ on:
    paths:
      - "ruby/**"
      - .github/workflows/ruby-qltest.yml
-      - codeql-workspace.yml
    branches:
      - main
      - "rc/*"
@@ -13,7 +12,6 @@ on:
    paths:
      - "ruby/**"
      - .github/workflows/ruby-qltest.yml
-      - codeql-workspace.yml
    branches:
      - main
      - "rc/*"
--- a/.github/workflows/swift-codegen.yml
+++ b/.github/workflows/swift-codegen.yml
@@ -22,10 +22,10 @@ jobs:
        run: |
          bazel run //swift/codegen
          git add swift
-          git diff --exit-code HEAD
+          git diff --exit-code --stat HEAD
      - name: Generate C++ files
        run: |
-          bazel run //swift/codegen:codegen -- --generate=trap,cpp --cpp-output=$PWD/swift-generated-headers
+          bazel run //swift/codegen:cppcodegen -- --cpp-output=$PWD/swift-generated-headers
      - uses: actions/upload-artifact@v3
        with:
          name: swift-generated-headers
--- a/.github/workflows/swift-qltest.yml
+++ b/.github/workflows/swift-qltest.yml
@@ -5,7 +5,6 @@ on:
    paths:
      - "swift/**"
      - .github/workflows/swift-qltest.yml
-      - codeql-workspace.yml
    branches:
      - main
 defaults:
--- a/.gitignore
+++ b/.gitignore
@@ -55,9 +55,3 @@ go/tools/win64
 go/tools/tokenizer.jar
 go/main

-# node_modules folders except in the JS test suite
-node_modules/
-!/javascript/ql/test/**/node_modules/
-
-# Temporary folders for working with generated models
-.model-temp
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -25,7 +25,7 @@ repos:

      - id: sync-files
        name: Fix files required to be identical
-        files: \.(qll?|qhelp|swift)$
+        files: \.(qll?|qhelp)$
        language: system
        entry: python3 config/sync-files.py --latest
        pass_filenames: false
@@ -40,7 +40,7 @@ repos:
        name: Run Swift checked in code generation
        files: ^swift/(codegen/|.*/generated/|ql/lib/(swift\.dbscheme$|codeql/swift/elements))
        language: system
-        entry: bazel run //swift/codegen -- --quiet
+        entry: bazel run //swift/codegen
        pass_filenames: false

      - id: swift-codegen-unit-tests
--- a/4
+++ b/4
@@ -28,8 +28,8 @@
 # QL for QL reviewers
 /ql/ @github/codeql-ql-for-ql-reviewers

-# Bazel (excluding BUILD.bazel files)
-WORKSPACE.bazel @github/codeql-ci-reviewers
+# Bazel
+**/*.bazel @github/codeql-ci-reviewers
 **/*.bzl @github/codeql-ci-reviewers

 # Documentation etc
--- a/codeql-workspace.yml
+++ b/codeql-workspace.yml
@@ -1,32 +0,0 @@
-provide:
-  - "*/ql/src/qlpack.yml"
-  - "*/ql/lib/qlpack.yml"
-  - "*/ql/test/qlpack.yml"
-  - "*/ql/examples/qlpack.yml"
-  - "*/ql/consistency-queries/qlpack.yml"
-  - "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml"
-  - "go/ql/config/legacy-support/qlpack.yml"
-  - "go/build/codeql-extractor-go/codeql-extractor.yml"
-  - "javascript/ql/experimental/adaptivethreatmodeling/lib/qlpack.yml"
-  # This pack is explicitly excluded from the workspace since most users
-  # will want to use a version of this pack from the package cache. Internal
-  # users can uncomment the following line and place a custom ML model
-  # in the corresponding pack to test a custom ML model within their local
-  # checkout.
-  # - "javascript/ql/experimental/adaptivethreatmodeling/model/qlpack.yml"
-  - "javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/qlpack.yml"
-  - "javascript/ql/experimental/adaptivethreatmodeling/src/qlpack.yml"
-  - "csharp/ql/campaigns/Solorigate/lib/qlpack.yml"
-  - "csharp/ql/campaigns/Solorigate/src/qlpack.yml"
-  - "csharp/ql/campaigns/Solorigate/test/qlpack.yml"
-  - "misc/legacy-support/*/qlpack.yml"
-  - "misc/suite-helpers/qlpack.yml"
-  - "ruby/extractor-pack/codeql-extractor.yml"
-  - "swift/extractor-pack/codeql-extractor.yml"
-  - "ql/extractor-pack/codeql-extractor.ym"
-
-versionPolicies:
-  default:
-    requireChangeNotes: true
-    committedPrereleaseSuffix: dev
-    committedVersion: nextPatchRelease
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -75,8 +75,7 @@
  "DataFlow Java/C# Flow Summaries": [
    "java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImpl.qll",
-    "swift/ql/lib/codeql/swift/dataflow/internal/FlowSummaryImpl.qll"
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImpl.qll"
  ],
  "SsaReadPosition Java/C#": [
    "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
@@ -391,8 +390,7 @@
    "java/ql/test/TestUtilities/InlineExpectationsTest.qll",
    "python/ql/test/TestUtilities/InlineExpectationsTest.qll",
    "ruby/ql/test/TestUtilities/InlineExpectationsTest.qll",
-    "ql/ql/test/TestUtilities/InlineExpectationsTest.qll",
-    "go/ql/test/TestUtilities/InlineExpectationsTest.qll"
+    "ql/ql/test/TestUtilities/InlineExpectationsTest.qll"
  ],
  "C++ ExternalAPIs": [
    "cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll",
@@ -527,9 +525,7 @@
    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/AccessPathSyntax.qll",
    "java/ql/lib/semmle/code/java/dataflow/internal/AccessPathSyntax.qll",
    "javascript/ql/lib/semmle/javascript/frameworks/data/internal/AccessPathSyntax.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/AccessPathSyntax.qll",
-    "python/ql/lib/semmle/python/frameworks/data/internal/AccessPathSyntax.qll",
-    "swift/ql/lib/codeql/swift/dataflow/internal/AccessPathSyntax.qll"
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/AccessPathSyntax.qll"
  ],
  "IncompleteUrlSubstringSanitization": [
    "javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qll",
@@ -547,8 +543,7 @@
  ],
  "ApiGraphModels": [
    "javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll",
-    "ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll",
-    "python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModels.qll"
+    "ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll"
  ],
  "TaintedFormatStringQuery Ruby/JS": [
    "javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringQuery.qll",
@@ -569,21 +564,5 @@
  "Typo database": [
    "javascript/ql/src/Expressions/TypoDatabase.qll",
    "ql/ql/src/codeql_ql/style/TypoDatabase.qll"
-  ],
-  "Swift declarations test file": [
-    "swift/ql/test/extractor-tests/declarations/declarations.swift",
-    "swift/ql/test/library-tests/parent/declarations.swift"
-  ],
-  "Swift statements test file": [
-    "swift/ql/test/extractor-tests/statements/statements.swift",
-    "swift/ql/test/library-tests/parent/statements.swift"
-  ],
-  "Swift expressions test file": [
-    "swift/ql/test/extractor-tests/expressions/expressions.swift",
-    "swift/ql/test/library-tests/parent/expressions.swift"
-  ],
-  "Swift patterns test file": [
-    "swift/ql/test/extractor-tests/patterns/patterns.swift",
-    "swift/ql/test/library-tests/parent/patterns.swift"
  ]
-}
+}
--- a/cpp/downgrades/19e31bf071f588bb7efd1e4d5a185ce4f6fbbd84/old.dbscheme
+++ b/cpp/downgrades/19e31bf071f588bb7efd1e4d5a185ce4f6fbbd84/old.dbscheme
--- a/cpp/downgrades/19e31bf071f588bb7efd1e4d5a185ce4f6fbbd84/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/19e31bf071f588bb7efd1e4d5a185ce4f6fbbd84/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/19e31bf071f588bb7efd1e4d5a185ce4f6fbbd84/upgrade.properties
+++ b/cpp/downgrades/19e31bf071f588bb7efd1e4d5a185ce4f6fbbd84/upgrade.properties
@@ -1,3 +0,0 @@
-description: Add relation for tracking C++ braced initializers
-compatibility: full
-braced_initialisers.rel: delete
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,29 +1,3 @@
-## 0.3.0
-
-### Deprecated APIs
-
-* The `BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new `BarrierGuard` parameterized module.
-
-### Bug Fixes
-
-* `UserType.getADeclarationEntry()` now yields all forward declarations when the user type is a `class`, `struct`, or `union`.
-
-## 0.2.3
-
-### New Features
-
-* An `isBraced` predicate was added to the `Initializer` class which holds when a C++ braced initializer was used in the initialization.
-
-## 0.2.2
-
-### Deprecated APIs
-
- * The `AnalysedString` class in the `StringAnalysis` module has been replaced with `AnalyzedString`, to follow our style guide. The old name still exists as a deprecated alias.
-
-### New Features
-
-* A `getInitialization` predicate was added to the `ConstexprIfStmt`, `IfStmt`, and `SwitchStmt` classes that yields the C++17-style initializer of the `if` or `switch` statement when it exists.
-
 ## 0.2.1

 ## 0.2.0
--- a/cpp/ql/lib/change-notes/2022-04-12-if-and-switch-initializers.md
+++ b/cpp/ql/lib/change-notes/2022-04-12-if-and-switch-initializers.md
@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* A `getInitialization` predicate was added to the `ConstexprIfStmt`, `IfStmt`, and `SwitchStmt` classes that yields the C++17-style initializer of the `if` or `switch` statement when it exists.
--- a/cpp/ql/lib/change-notes/2022-05-11-deprecated-analysed-string.md
+++ b/cpp/ql/lib/change-notes/2022-05-11-deprecated-analysed-string.md
@@ -0,0 +1,4 @@
+---
+ category: deprecated
+---
+ * The `AnalysedString` class in the `StringAnalysis` module has been replaced with `AnalyzedString`, to follow our style guide. The old name still exists as a deprecated alias.
--- a/cpp/ql/lib/change-notes/released/0.2.2.md
+++ b/cpp/ql/lib/change-notes/released/0.2.2.md
@@ -1,9 +0,0 @@
-## 0.2.2
-
-### Deprecated APIs
-
- * The `AnalysedString` class in the `StringAnalysis` module has been replaced with `AnalyzedString`, to follow our style guide. The old name still exists as a deprecated alias.
-
-### New Features
-
-* A `getInitialization` predicate was added to the `ConstexprIfStmt`, `IfStmt`, and `SwitchStmt` classes that yields the C++17-style initializer of the `if` or `switch` statement when it exists.
--- a/cpp/ql/lib/change-notes/released/0.2.3.md
+++ b/cpp/ql/lib/change-notes/released/0.2.3.md
@@ -1,5 +0,0 @@
-## 0.2.3
-
-### New Features
-
-* An `isBraced` predicate was added to the `Initializer` class which holds when a C++ braced initializer was used in the initialization.
--- a/cpp/ql/lib/change-notes/released/0.3.0.md
+++ b/cpp/ql/lib/change-notes/released/0.3.0.md
@@ -1,9 +0,0 @@
-## 0.3.0
-
-### Deprecated APIs
-
-* The `BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new `BarrierGuard` parameterized module.
-
-### Bug Fixes
-
-* `UserType.getADeclarationEntry()` now yields all forward declarations when the user type is a `class`, `struct`, or `union`.
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.3.0
+lastReleaseVersion: 0.2.1
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.3.0
+version: 0.2.2-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/lib/semmle/code/cpp/Initializer.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Initializer.qll
@@ -51,7 +51,4 @@ class Initializer extends ControlFlowNode, @initialiser {
  override Function getControlFlowScope() { result = this.getExpr().getEnclosingFunction() }

  override Stmt getEnclosingStmt() { result = this.getExpr().getEnclosingStmt() }
-
-  /** Holds if the initializer used the C++ braced initializer notation. */
-  predicate isBraced() { braced_initialisers(underlyingElement(this)) }
 }
--- a/cpp/ql/lib/semmle/code/cpp/UserType.qll
+++ b/cpp/ql/lib/semmle/code/cpp/UserType.qll
@@ -48,8 +48,8 @@ class UserType extends Type, Declaration, NameQualifyingElement, AccessHolder, @
  }

  override TypeDeclarationEntry getADeclarationEntry() {
-    if type_decls(_, unresolveElement(this), _)
-    then type_decls(underlyingElement(result), unresolveElement(this), _)
+    if type_decls(_, underlyingElement(this), _)
+    then type_decls(unresolveElement(result), underlyingElement(this), _)
    else exists(Class t | this.(Class).isConstructedFrom(t) and result = t.getADeclarationEntry())
  }

--- a/cpp/ql/lib/semmle/code/cpp/commons/Printf.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Printf.qll
@@ -168,7 +168,7 @@ private predicate callsVariadicFormatter(
 ) {
  // calls a variadic formatter with `formatParamIndex`, `outputParamIndex` linked
  exists(FunctionCall fc, int format, int output |
-    variadicFormatter(pragma[only_bind_into](fc.getTarget()), type, format, output) and
+    variadicFormatter(fc.getTarget(), type, format, output) and
    fc.getEnclosingFunction() = f and
    fc.getArgument(format) = f.getParameter(formatParamIndex).getAnAccess() and
    fc.getArgument(output) = f.getParameter(outputParamIndex).getAnAccess()
@@ -176,7 +176,7 @@ private predicate callsVariadicFormatter(
  or
  // calls a variadic formatter with only `formatParamIndex` linked
  exists(FunctionCall fc, string calledType, int format, int output |
-    variadicFormatter(pragma[only_bind_into](fc.getTarget()), calledType, format, output) and
+    variadicFormatter(fc.getTarget(), calledType, format, output) and
    fc.getEnclosingFunction() = f and
    fc.getArgument(format) = f.getParameter(formatParamIndex).getAnAccess() and
    not fc.getArgument(output) = f.getParameter(_).getAnAccess() and
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
@@ -90,20 +90,14 @@ abstract class Configuration extends string {
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
-   * Holds if data flow through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard) { none() }
+  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
+  predicate isBarrierGuard(BarrierGuard guard) { none() }

  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
   * Holds if data flow through nodes guarded by `guard` is prohibited when
   * the flow state is `state`
   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }

  /**
   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
@@ -341,29 +335,6 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

-/** A bridge class to access the deprecated `isBarrierGuard`. */
-private class BarrierGuardGuardedNodeBridge extends Unit {
-  abstract predicate guardedNode(Node n, Configuration config);
-
-  abstract predicate guardedNode(Node n, FlowState state, Configuration config);
-}
-
-private class BarrierGuardGuardedNode extends BarrierGuardGuardedNodeBridge {
-  deprecated override predicate guardedNode(Node n, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g) and
-      n = g.getAGuardedNode()
-    )
-  }
-
-  deprecated override predicate guardedNode(Node n, FlowState state, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g, state) and
-      n = g.getAGuardedNode()
-    )
-  }
-}
-
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -377,7 +348,10 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
    not config.isSink(n) and
    not config.isSink(n, _)
    or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, config)
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g) and
+      n = g.getAGuardedNode()
+    )
  )
 }

@@ -386,7 +360,10 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
    or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, state, config)
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
  )
 }

@@ -3877,11 +3854,16 @@ class PathNode extends TPathNode {
  /** Gets the associated configuration. */
  Configuration getConfiguration() { none() }

+  private PathNode getASuccessorIfHidden() {
+    this.(PathNodeImpl).isHidden() and
+    result = this.(PathNodeImpl).getASuccessorImpl()
+  }
+
  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() {
-    result = this.(PathNodeImpl).getANonHiddenSuccessor() and
-    reach(this) and
-    reach(result)
+    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
+    not this.(PathNodeImpl).isHidden() and
+    not result.(PathNodeImpl).isHidden()
  }

  /** Holds if this node is a source. */
@@ -3889,18 +3871,7 @@ class PathNode extends TPathNode {
 }

 abstract private class PathNodeImpl extends PathNode {
-  abstract PathNodeImpl getASuccessorImpl();
-
-  private PathNodeImpl getASuccessorIfHidden() {
-    this.isHidden() and
-    result = this.getASuccessorImpl()
-  }
-
-  final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
-    not result.isHidden()
-  }
+  abstract PathNode getASuccessorImpl();

  abstract NodeEx getNodeEx();

@@ -3943,17 +3914,15 @@ abstract private class PathNodeImpl extends PathNode {
 }

 /** Holds if `n` can reach a sink. */
-private predicate directReach(PathNodeImpl n) {
-  n instanceof PathNodeSink or directReach(n.getANonHiddenSuccessor())
+private predicate directReach(PathNode n) {
+  n instanceof PathNodeSink or directReach(n.getASuccessor())
 }

 /** Holds if `n` can reach a sink or is used in a subpath that can reach a sink. */
 private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }

 /** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNodeImpl n1, PathNode n2) {
-  n1.getANonHiddenSuccessor() = n2 and directReach(n2)
-}
+private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and directReach(n2) }

 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)

@@ -3962,7 +3931,7 @@ private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1
 */
 module PathGraph {
  /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b }
+  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b and reach(a) and reach(b) }

  /** Holds if `n` is a node in the graph of data flow path explanations. */
  query predicate nodes(PathNode n, string key, string val) {
@@ -4080,7 +4049,7 @@ private class PathNodeSink extends PathNodeImpl, TPathNodeSink {

  override Configuration getConfiguration() { result = config }

-  override PathNodeImpl getASuccessorImpl() { none() }
+  override PathNode getASuccessorImpl() { none() }

  override predicate isSource() { sourceNode(node, state, config) }
 }
@@ -4396,8 +4365,8 @@ private module Subpaths {
  }

  pragma[nomagic]
-  private predicate hasSuccessor(PathNodeImpl pred, PathNodeMid succ, NodeEx succNode) {
-    succ = pred.getANonHiddenSuccessor() and
+  private predicate hasSuccessor(PathNode pred, PathNodeMid succ, NodeEx succNode) {
+    succ = pred.getASuccessor() and
    succNode = succ.getNodeEx()
  }

@@ -4406,9 +4375,9 @@ private module Subpaths {
   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
   * `ret -> out` is summarized as the edge `arg -> out`.
   */
-  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
    exists(ParamNodeEx p, NodeEx o, FlowState sout, AccessPath apout, PathNodeMid out0 |
-      pragma[only_bind_into](arg).getANonHiddenSuccessor() = pragma[only_bind_into](out0) and
+      pragma[only_bind_into](arg).getASuccessor() = pragma[only_bind_into](out0) and
      subpaths03(pragma[only_bind_into](arg), p, localStepToHidden*(ret), o, sout, apout) and
      hasSuccessor(pragma[only_bind_into](arg), par, p) and
      not ret.isHidden() and
@@ -4421,12 +4390,12 @@ private module Subpaths {
  /**
   * Holds if `n` can reach a return node in a summarized subpath that can reach a sink.
   */
-  predicate retReach(PathNodeImpl n) {
+  predicate retReach(PathNode n) {
    exists(PathNode out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
    or
-    exists(PathNodeImpl mid |
+    exists(PathNode mid |
      retReach(mid) and
-      n.getANonHiddenSuccessor() = mid and
+      n.getASuccessor() = mid and
      not subpaths(_, mid, _, _)
    )
  }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -90,20 +90,14 @@ abstract class Configuration extends string {
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
-   * Holds if data flow through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard) { none() }
+  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
+  predicate isBarrierGuard(BarrierGuard guard) { none() }

  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
   * Holds if data flow through nodes guarded by `guard` is prohibited when
   * the flow state is `state`
   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }

  /**
   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
@@ -341,29 +335,6 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

-/** A bridge class to access the deprecated `isBarrierGuard`. */
-private class BarrierGuardGuardedNodeBridge extends Unit {
-  abstract predicate guardedNode(Node n, Configuration config);
-
-  abstract predicate guardedNode(Node n, FlowState state, Configuration config);
-}
-
-private class BarrierGuardGuardedNode extends BarrierGuardGuardedNodeBridge {
-  deprecated override predicate guardedNode(Node n, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g) and
-      n = g.getAGuardedNode()
-    )
-  }
-
-  deprecated override predicate guardedNode(Node n, FlowState state, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g, state) and
-      n = g.getAGuardedNode()
-    )
-  }
-}
-
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -377,7 +348,10 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
    not config.isSink(n) and
    not config.isSink(n, _)
    or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, config)
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g) and
+      n = g.getAGuardedNode()
+    )
  )
 }

@@ -386,7 +360,10 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
    or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, state, config)
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
  )
 }

@@ -3877,11 +3854,16 @@ class PathNode extends TPathNode {
  /** Gets the associated configuration. */
  Configuration getConfiguration() { none() }

+  private PathNode getASuccessorIfHidden() {
+    this.(PathNodeImpl).isHidden() and
+    result = this.(PathNodeImpl).getASuccessorImpl()
+  }
+
  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() {
-    result = this.(PathNodeImpl).getANonHiddenSuccessor() and
-    reach(this) and
-    reach(result)
+    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
+    not this.(PathNodeImpl).isHidden() and
+    not result.(PathNodeImpl).isHidden()
  }

  /** Holds if this node is a source. */
@@ -3889,18 +3871,7 @@ class PathNode extends TPathNode {
 }

 abstract private class PathNodeImpl extends PathNode {
-  abstract PathNodeImpl getASuccessorImpl();
-
-  private PathNodeImpl getASuccessorIfHidden() {
-    this.isHidden() and
-    result = this.getASuccessorImpl()
-  }
-
-  final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
-    not result.isHidden()
-  }
+  abstract PathNode getASuccessorImpl();

  abstract NodeEx getNodeEx();

@@ -3943,17 +3914,15 @@ abstract private class PathNodeImpl extends PathNode {
 }

 /** Holds if `n` can reach a sink. */
-private predicate directReach(PathNodeImpl n) {
-  n instanceof PathNodeSink or directReach(n.getANonHiddenSuccessor())
+private predicate directReach(PathNode n) {
+  n instanceof PathNodeSink or directReach(n.getASuccessor())
 }

 /** Holds if `n` can reach a sink or is used in a subpath that can reach a sink. */
 private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }

 /** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNodeImpl n1, PathNode n2) {
-  n1.getANonHiddenSuccessor() = n2 and directReach(n2)
-}
+private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and directReach(n2) }

 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)

@@ -3962,7 +3931,7 @@ private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1
 */
 module PathGraph {
  /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b }
+  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b and reach(a) and reach(b) }

  /** Holds if `n` is a node in the graph of data flow path explanations. */
  query predicate nodes(PathNode n, string key, string val) {
@@ -4080,7 +4049,7 @@ private class PathNodeSink extends PathNodeImpl, TPathNodeSink {

  override Configuration getConfiguration() { result = config }

-  override PathNodeImpl getASuccessorImpl() { none() }
+  override PathNode getASuccessorImpl() { none() }

  override predicate isSource() { sourceNode(node, state, config) }
 }
@@ -4396,8 +4365,8 @@ private module Subpaths {
  }

  pragma[nomagic]
-  private predicate hasSuccessor(PathNodeImpl pred, PathNodeMid succ, NodeEx succNode) {
-    succ = pred.getANonHiddenSuccessor() and
+  private predicate hasSuccessor(PathNode pred, PathNodeMid succ, NodeEx succNode) {
+    succ = pred.getASuccessor() and
    succNode = succ.getNodeEx()
  }

@@ -4406,9 +4375,9 @@ private module Subpaths {
   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
   * `ret -> out` is summarized as the edge `arg -> out`.
   */
-  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
    exists(ParamNodeEx p, NodeEx o, FlowState sout, AccessPath apout, PathNodeMid out0 |
-      pragma[only_bind_into](arg).getANonHiddenSuccessor() = pragma[only_bind_into](out0) and
+      pragma[only_bind_into](arg).getASuccessor() = pragma[only_bind_into](out0) and
      subpaths03(pragma[only_bind_into](arg), p, localStepToHidden*(ret), o, sout, apout) and
      hasSuccessor(pragma[only_bind_into](arg), par, p) and
      not ret.isHidden() and
@@ -4421,12 +4390,12 @@ private module Subpaths {
  /**
   * Holds if `n` can reach a return node in a summarized subpath that can reach a sink.
   */
-  predicate retReach(PathNodeImpl n) {
+  predicate retReach(PathNode n) {
    exists(PathNode out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
    or
-    exists(PathNodeImpl mid |
+    exists(PathNode mid |
      retReach(mid) and
-      n.getANonHiddenSuccessor() = mid and
+      n.getASuccessor() = mid and
      not subpaths(_, mid, _, _)
    )
  }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -90,20 +90,14 @@ abstract class Configuration extends string {
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
-   * Holds if data flow through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard) { none() }
+  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
+  predicate isBarrierGuard(BarrierGuard guard) { none() }

  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
   * Holds if data flow through nodes guarded by `guard` is prohibited when
   * the flow state is `state`
   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }

  /**
   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
@@ -341,29 +335,6 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

-/** A bridge class to access the deprecated `isBarrierGuard`. */
-private class BarrierGuardGuardedNodeBridge extends Unit {
-  abstract predicate guardedNode(Node n, Configuration config);
-
-  abstract predicate guardedNode(Node n, FlowState state, Configuration config);
-}
-
-private class BarrierGuardGuardedNode extends BarrierGuardGuardedNodeBridge {
-  deprecated override predicate guardedNode(Node n, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g) and
-      n = g.getAGuardedNode()
-    )
-  }
-
-  deprecated override predicate guardedNode(Node n, FlowState state, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g, state) and
-      n = g.getAGuardedNode()
-    )
-  }
-}
-
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -377,7 +348,10 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
    not config.isSink(n) and
    not config.isSink(n, _)
    or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, config)
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g) and
+      n = g.getAGuardedNode()
+    )
  )
 }

@@ -386,7 +360,10 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
    or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, state, config)
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
  )
 }

@@ -3877,11 +3854,16 @@ class PathNode extends TPathNode {
  /** Gets the associated configuration. */
  Configuration getConfiguration() { none() }

+  private PathNode getASuccessorIfHidden() {
+    this.(PathNodeImpl).isHidden() and
+    result = this.(PathNodeImpl).getASuccessorImpl()
+  }
+
  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() {
-    result = this.(PathNodeImpl).getANonHiddenSuccessor() and
-    reach(this) and
-    reach(result)
+    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
+    not this.(PathNodeImpl).isHidden() and
+    not result.(PathNodeImpl).isHidden()
  }

  /** Holds if this node is a source. */
@@ -3889,18 +3871,7 @@ class PathNode extends TPathNode {
 }

 abstract private class PathNodeImpl extends PathNode {
-  abstract PathNodeImpl getASuccessorImpl();
-
-  private PathNodeImpl getASuccessorIfHidden() {
-    this.isHidden() and
-    result = this.getASuccessorImpl()
-  }
-
-  final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
-    not result.isHidden()
-  }
+  abstract PathNode getASuccessorImpl();

  abstract NodeEx getNodeEx();

@@ -3943,17 +3914,15 @@ abstract private class PathNodeImpl extends PathNode {
 }

 /** Holds if `n` can reach a sink. */
-private predicate directReach(PathNodeImpl n) {
-  n instanceof PathNodeSink or directReach(n.getANonHiddenSuccessor())
+private predicate directReach(PathNode n) {
+  n instanceof PathNodeSink or directReach(n.getASuccessor())
 }

 /** Holds if `n` can reach a sink or is used in a subpath that can reach a sink. */
 private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }

 /** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNodeImpl n1, PathNode n2) {
-  n1.getANonHiddenSuccessor() = n2 and directReach(n2)
-}
+private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and directReach(n2) }

 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)

@@ -3962,7 +3931,7 @@ private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1
 */
 module PathGraph {
  /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b }
+  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b and reach(a) and reach(b) }

  /** Holds if `n` is a node in the graph of data flow path explanations. */
  query predicate nodes(PathNode n, string key, string val) {
@@ -4080,7 +4049,7 @@ private class PathNodeSink extends PathNodeImpl, TPathNodeSink {

  override Configuration getConfiguration() { result = config }

-  override PathNodeImpl getASuccessorImpl() { none() }
+  override PathNode getASuccessorImpl() { none() }

  override predicate isSource() { sourceNode(node, state, config) }
 }
@@ -4396,8 +4365,8 @@ private module Subpaths {
  }

  pragma[nomagic]
-  private predicate hasSuccessor(PathNodeImpl pred, PathNodeMid succ, NodeEx succNode) {
-    succ = pred.getANonHiddenSuccessor() and
+  private predicate hasSuccessor(PathNode pred, PathNodeMid succ, NodeEx succNode) {
+    succ = pred.getASuccessor() and
    succNode = succ.getNodeEx()
  }

@@ -4406,9 +4375,9 @@ private module Subpaths {
   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
   * `ret -> out` is summarized as the edge `arg -> out`.
   */
-  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
    exists(ParamNodeEx p, NodeEx o, FlowState sout, AccessPath apout, PathNodeMid out0 |
-      pragma[only_bind_into](arg).getANonHiddenSuccessor() = pragma[only_bind_into](out0) and
+      pragma[only_bind_into](arg).getASuccessor() = pragma[only_bind_into](out0) and
      subpaths03(pragma[only_bind_into](arg), p, localStepToHidden*(ret), o, sout, apout) and
      hasSuccessor(pragma[only_bind_into](arg), par, p) and
      not ret.isHidden() and
@@ -4421,12 +4390,12 @@ private module Subpaths {
  /**
   * Holds if `n` can reach a return node in a summarized subpath that can reach a sink.
   */
-  predicate retReach(PathNodeImpl n) {
+  predicate retReach(PathNode n) {
    exists(PathNode out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
    or
-    exists(PathNodeImpl mid |
+    exists(PathNode mid |
      retReach(mid) and
-      n.getANonHiddenSuccessor() = mid and
+      n.getASuccessor() = mid and
      not subpaths(_, mid, _, _)
    )
  }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -90,20 +90,14 @@ abstract class Configuration extends string {
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
-   * Holds if data flow through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard) { none() }
+  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
+  predicate isBarrierGuard(BarrierGuard guard) { none() }

  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
   * Holds if data flow through nodes guarded by `guard` is prohibited when
   * the flow state is `state`
   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }

  /**
   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
@@ -341,29 +335,6 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

-/** A bridge class to access the deprecated `isBarrierGuard`. */
-private class BarrierGuardGuardedNodeBridge extends Unit {
-  abstract predicate guardedNode(Node n, Configuration config);
-
-  abstract predicate guardedNode(Node n, FlowState state, Configuration config);
-}
-
-private class BarrierGuardGuardedNode extends BarrierGuardGuardedNodeBridge {
-  deprecated override predicate guardedNode(Node n, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g) and
-      n = g.getAGuardedNode()
-    )
-  }
-
-  deprecated override predicate guardedNode(Node n, FlowState state, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g, state) and
-      n = g.getAGuardedNode()
-    )
-  }
-}
-
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -377,7 +348,10 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
    not config.isSink(n) and
    not config.isSink(n, _)
    or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, config)
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g) and
+      n = g.getAGuardedNode()
+    )
  )
 }

@@ -386,7 +360,10 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
    or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, state, config)
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
  )
 }

@@ -3877,11 +3854,16 @@ class PathNode extends TPathNode {
  /** Gets the associated configuration. */
  Configuration getConfiguration() { none() }

+  private PathNode getASuccessorIfHidden() {
+    this.(PathNodeImpl).isHidden() and
+    result = this.(PathNodeImpl).getASuccessorImpl()
+  }
+
  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() {
-    result = this.(PathNodeImpl).getANonHiddenSuccessor() and
-    reach(this) and
-    reach(result)
+    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
+    not this.(PathNodeImpl).isHidden() and
+    not result.(PathNodeImpl).isHidden()
  }

  /** Holds if this node is a source. */
@@ -3889,18 +3871,7 @@ class PathNode extends TPathNode {
 }

 abstract private class PathNodeImpl extends PathNode {
-  abstract PathNodeImpl getASuccessorImpl();
-
-  private PathNodeImpl getASuccessorIfHidden() {
-    this.isHidden() and
-    result = this.getASuccessorImpl()
-  }
-
-  final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
-    not result.isHidden()
-  }
+  abstract PathNode getASuccessorImpl();

  abstract NodeEx getNodeEx();

@@ -3943,17 +3914,15 @@ abstract private class PathNodeImpl extends PathNode {
 }

 /** Holds if `n` can reach a sink. */
-private predicate directReach(PathNodeImpl n) {
-  n instanceof PathNodeSink or directReach(n.getANonHiddenSuccessor())
+private predicate directReach(PathNode n) {
+  n instanceof PathNodeSink or directReach(n.getASuccessor())
 }

 /** Holds if `n` can reach a sink or is used in a subpath that can reach a sink. */
 private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }

 /** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNodeImpl n1, PathNode n2) {
-  n1.getANonHiddenSuccessor() = n2 and directReach(n2)
-}
+private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and directReach(n2) }

 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)

@@ -3962,7 +3931,7 @@ private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1
 */
 module PathGraph {
  /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b }
+  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b and reach(a) and reach(b) }

  /** Holds if `n` is a node in the graph of data flow path explanations. */
  query predicate nodes(PathNode n, string key, string val) {
@@ -4080,7 +4049,7 @@ private class PathNodeSink extends PathNodeImpl, TPathNodeSink {

  override Configuration getConfiguration() { result = config }

-  override PathNodeImpl getASuccessorImpl() { none() }
+  override PathNode getASuccessorImpl() { none() }

  override predicate isSource() { sourceNode(node, state, config) }
 }
@@ -4396,8 +4365,8 @@ private module Subpaths {
  }

  pragma[nomagic]
-  private predicate hasSuccessor(PathNodeImpl pred, PathNodeMid succ, NodeEx succNode) {
-    succ = pred.getANonHiddenSuccessor() and
+  private predicate hasSuccessor(PathNode pred, PathNodeMid succ, NodeEx succNode) {
+    succ = pred.getASuccessor() and
    succNode = succ.getNodeEx()
  }

@@ -4406,9 +4375,9 @@ private module Subpaths {
   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
   * `ret -> out` is summarized as the edge `arg -> out`.
   */
-  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
    exists(ParamNodeEx p, NodeEx o, FlowState sout, AccessPath apout, PathNodeMid out0 |
-      pragma[only_bind_into](arg).getANonHiddenSuccessor() = pragma[only_bind_into](out0) and
+      pragma[only_bind_into](arg).getASuccessor() = pragma[only_bind_into](out0) and
      subpaths03(pragma[only_bind_into](arg), p, localStepToHidden*(ret), o, sout, apout) and
      hasSuccessor(pragma[only_bind_into](arg), par, p) and
      not ret.isHidden() and
@@ -4421,12 +4390,12 @@ private module Subpaths {
  /**
   * Holds if `n` can reach a return node in a summarized subpath that can reach a sink.
   */
-  predicate retReach(PathNodeImpl n) {
+  predicate retReach(PathNode n) {
    exists(PathNode out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
    or
-    exists(PathNodeImpl mid |
+    exists(PathNode mid |
      retReach(mid) and
-      n.getANonHiddenSuccessor() = mid and
+      n.getASuccessor() = mid and
      not subpaths(_, mid, _, _)
    )
  }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -90,20 +90,14 @@ abstract class Configuration extends string {
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
-   * Holds if data flow through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard) { none() }
+  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
+  predicate isBarrierGuard(BarrierGuard guard) { none() }

  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
   * Holds if data flow through nodes guarded by `guard` is prohibited when
   * the flow state is `state`
   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }

  /**
   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
@@ -341,29 +335,6 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

-/** A bridge class to access the deprecated `isBarrierGuard`. */
-private class BarrierGuardGuardedNodeBridge extends Unit {
-  abstract predicate guardedNode(Node n, Configuration config);
-
-  abstract predicate guardedNode(Node n, FlowState state, Configuration config);
-}
-
-private class BarrierGuardGuardedNode extends BarrierGuardGuardedNodeBridge {
-  deprecated override predicate guardedNode(Node n, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g) and
-      n = g.getAGuardedNode()
-    )
-  }
-
-  deprecated override predicate guardedNode(Node n, FlowState state, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g, state) and
-      n = g.getAGuardedNode()
-    )
-  }
-}
-
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -377,7 +348,10 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
    not config.isSink(n) and
    not config.isSink(n, _)
    or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, config)
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g) and
+      n = g.getAGuardedNode()
+    )
  )
 }

@@ -386,7 +360,10 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
    or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, state, config)
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
  )
 }

@@ -3877,11 +3854,16 @@ class PathNode extends TPathNode {
  /** Gets the associated configuration. */
  Configuration getConfiguration() { none() }

+  private PathNode getASuccessorIfHidden() {
+    this.(PathNodeImpl).isHidden() and
+    result = this.(PathNodeImpl).getASuccessorImpl()
+  }
+
  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() {
-    result = this.(PathNodeImpl).getANonHiddenSuccessor() and
-    reach(this) and
-    reach(result)
+    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
+    not this.(PathNodeImpl).isHidden() and
+    not result.(PathNodeImpl).isHidden()
  }

  /** Holds if this node is a source. */
@@ -3889,18 +3871,7 @@ class PathNode extends TPathNode {
 }

 abstract private class PathNodeImpl extends PathNode {
-  abstract PathNodeImpl getASuccessorImpl();
-
-  private PathNodeImpl getASuccessorIfHidden() {
-    this.isHidden() and
-    result = this.getASuccessorImpl()
-  }
-
-  final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
-    not result.isHidden()
-  }
+  abstract PathNode getASuccessorImpl();

  abstract NodeEx getNodeEx();

@@ -3943,17 +3914,15 @@ abstract private class PathNodeImpl extends PathNode {
 }

 /** Holds if `n` can reach a sink. */
-private predicate directReach(PathNodeImpl n) {
-  n instanceof PathNodeSink or directReach(n.getANonHiddenSuccessor())
+private predicate directReach(PathNode n) {
+  n instanceof PathNodeSink or directReach(n.getASuccessor())
 }

 /** Holds if `n` can reach a sink or is used in a subpath that can reach a sink. */
 private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }

 /** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNodeImpl n1, PathNode n2) {
-  n1.getANonHiddenSuccessor() = n2 and directReach(n2)
-}
+private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and directReach(n2) }

 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)

@@ -3962,7 +3931,7 @@ private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1
 */
 module PathGraph {
  /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b }
+  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b and reach(a) and reach(b) }

  /** Holds if `n` is a node in the graph of data flow path explanations. */
  query predicate nodes(PathNode n, string key, string val) {
@@ -4080,7 +4049,7 @@ private class PathNodeSink extends PathNodeImpl, TPathNodeSink {

  override Configuration getConfiguration() { result = config }

-  override PathNodeImpl getASuccessorImpl() { none() }
+  override PathNode getASuccessorImpl() { none() }

  override predicate isSource() { sourceNode(node, state, config) }
 }
@@ -4396,8 +4365,8 @@ private module Subpaths {
  }

  pragma[nomagic]
-  private predicate hasSuccessor(PathNodeImpl pred, PathNodeMid succ, NodeEx succNode) {
-    succ = pred.getANonHiddenSuccessor() and
+  private predicate hasSuccessor(PathNode pred, PathNodeMid succ, NodeEx succNode) {
+    succ = pred.getASuccessor() and
    succNode = succ.getNodeEx()
  }

@@ -4406,9 +4375,9 @@ private module Subpaths {
   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
   * `ret -> out` is summarized as the edge `arg -> out`.
   */
-  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
    exists(ParamNodeEx p, NodeEx o, FlowState sout, AccessPath apout, PathNodeMid out0 |
-      pragma[only_bind_into](arg).getANonHiddenSuccessor() = pragma[only_bind_into](out0) and
+      pragma[only_bind_into](arg).getASuccessor() = pragma[only_bind_into](out0) and
      subpaths03(pragma[only_bind_into](arg), p, localStepToHidden*(ret), o, sout, apout) and
      hasSuccessor(pragma[only_bind_into](arg), par, p) and
      not ret.isHidden() and
@@ -4421,12 +4390,12 @@ private module Subpaths {
  /**
   * Holds if `n` can reach a return node in a summarized subpath that can reach a sink.
   */
-  predicate retReach(PathNodeImpl n) {
+  predicate retReach(PathNode n) {
    exists(PathNode out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
    or
-    exists(PathNodeImpl mid |
+    exists(PathNode mid |
      retReach(mid) and
-      n.getANonHiddenSuccessor() = mid and
+      n.getASuccessor() = mid and
      not subpaths(_, mid, _, _)
    )
  }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
@@ -850,34 +850,6 @@ class ContentSet instanceof Content {
 }

 /**
- * Holds if the guard `g` validates the expression `e` upon evaluating to `branch`.
- *
- * The expression `e` is expected to be a syntactic part of the guard `g`.
- * For example, the guard `g` might be a call `isSafe(x)` and the expression `e`
- * the argument `x`.
- */
-signature predicate guardChecksSig(GuardCondition g, Expr e, boolean branch);
-
-/**
- * Provides a set of barrier nodes for a guard that validates an expression.
- *
- * This is expected to be used in `isBarrier`/`isSanitizer` definitions
- * in data flow and taint tracking.
- */
-module BarrierGuard<guardChecksSig/3 guardChecks> {
-  /** Gets a node that is safely guarded by the given guard check. */
-  ExprNode getABarrierNode() {
-    exists(GuardCondition g, SsaDefinition def, Variable v, boolean branch |
-      result.getExpr() = def.getAUse(v) and
-      guardChecks(g, def.getAUse(v), branch) and
-      g.controls(result.getExpr().getBasicBlock(), branch)
-    )
-  }
-}
-
-/**
- * DEPRECATED: Use `BarrierGuard` module instead.
- *
 * A guard that validates some expression.
 *
 * To use this in a configuration, extend the class and provide a
@@ -886,7 +858,7 @@ module BarrierGuard<guardChecksSig/3 guardChecks> {
 *
 * It is important that all extending classes in scope are disjoint.
 */
-deprecated class BarrierGuard extends GuardCondition {
+class BarrierGuard extends GuardCondition {
  /** Override this predicate to hold if this guard validates `e` upon evaluating to `b`. */
  abstract predicate checks(Expr e, boolean b);

--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
@@ -47,6 +47,12 @@ predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::Content c) { n
 */
 predicate defaultTaintSanitizer(DataFlow::Node node) { none() }

+/**
+ * Holds if `guard` should be a sanitizer guard in all global taint flow configurations
+ * but not in local taint.
+ */
+predicate defaultTaintSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
+
 /**
 * Holds if taint can flow in one local step from `nodeFrom` to `nodeTo` excluding
 * local data flow steps. That is, `nodeFrom` and `nodeTo` are likely to represent
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
@@ -116,30 +116,20 @@ abstract class Configuration extends DataFlow::Configuration {

  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }

-  /**
-   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
-   *
-   * Holds if taint propagation through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
+  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
+  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }

-  deprecated final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard)
+  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
+    this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
  }

  /**
-   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
-   *
   * Holds if taint propagation through nodes guarded by `guard` is prohibited
   * when the flow state is `state`.
   */
-  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
-    none()
-  }
+  predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) { none() }

-  deprecated final override predicate isBarrierGuard(
-    DataFlow::BarrierGuard guard, DataFlow::FlowState state
-  ) {
+  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
    this.isSanitizerGuard(guard, state)
  }

--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
@@ -116,30 +116,20 @@ abstract class Configuration extends DataFlow::Configuration {

  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }

-  /**
-   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
-   *
-   * Holds if taint propagation through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
+  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
+  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }

-  deprecated final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard)
+  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
+    this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
  }

  /**
-   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
-   *
   * Holds if taint propagation through nodes guarded by `guard` is prohibited
   * when the flow state is `state`.
   */
-  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
-    none()
-  }
+  predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) { none() }

-  deprecated final override predicate isBarrierGuard(
-    DataFlow::BarrierGuard guard, DataFlow::FlowState state
-  ) {
+  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
    this.isSanitizerGuard(guard, state)
  }

--- a/cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll
@@ -49,9 +49,6 @@ class Expr extends StmtParent, @expr {
  /** Gets the enclosing variable of this expression, if any. */
  Variable getEnclosingVariable() { result = exprEnclosingElement(this) }

-  /** Gets the enclosing variable or function of this expression. */
-  Declaration getEnclosingDeclaration() { result = exprEnclosingElement(this) }
-
  /** Gets a child of this expression. */
  Expr getAChild() { exists(int n | result = this.getChild(n)) }

--- a/cpp/ql/lib/semmle/code/cpp/internal/QualifiedName.qll
+++ b/cpp/ql/lib/semmle/code/cpp/internal/QualifiedName.qll
@@ -4,7 +4,11 @@
 * qualified.
 *
 * This file contains classes that mirror the standard AST classes for C++, but
- * these classes are only concerned with naming.
+ * these classes are only concerned with naming. The other difference is that
+ * these classes don't use the `ResolveClass.qll` mechanisms like
+ * `unresolveElement` because these classes should eventually be part of the
+ * implementation of `ResolveClass.qll`, allowing it to match up classes when
+ * their qualified names and parameters match.
 */

 private import semmle.code.cpp.Declaration as D
--- a/cpp/ql/lib/semmle/code/cpp/internal/ResolveClass.qll
+++ b/cpp/ql/lib/semmle/code/cpp/internal/ResolveClass.qll
@@ -115,13 +115,15 @@ private module Cached {
   */
  cached
  predicate isClass(@usertype t) {
-    usertypes(t, _, 1) or
-    usertypes(t, _, 2) or
-    usertypes(t, _, 3) or
-    usertypes(t, _, 6) or
-    usertypes(t, _, 10) or
-    usertypes(t, _, 11) or
-    usertypes(t, _, 12)
+    (
+      usertypes(t, _, 1) or
+      usertypes(t, _, 2) or
+      usertypes(t, _, 3) or
+      usertypes(t, _, 6) or
+      usertypes(t, _, 10) or
+      usertypes(t, _, 11) or
+      usertypes(t, _, 12)
+    )
  }

  cached
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -90,20 +90,14 @@ abstract class Configuration extends string {
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
-   * Holds if data flow through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard) { none() }
+  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
+  predicate isBarrierGuard(BarrierGuard guard) { none() }

  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
   * Holds if data flow through nodes guarded by `guard` is prohibited when
   * the flow state is `state`
   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }

  /**
   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
@@ -341,29 +335,6 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

-/** A bridge class to access the deprecated `isBarrierGuard`. */
-private class BarrierGuardGuardedNodeBridge extends Unit {
-  abstract predicate guardedNode(Node n, Configuration config);
-
-  abstract predicate guardedNode(Node n, FlowState state, Configuration config);
-}
-
-private class BarrierGuardGuardedNode extends BarrierGuardGuardedNodeBridge {
-  deprecated override predicate guardedNode(Node n, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g) and
-      n = g.getAGuardedNode()
-    )
-  }
-
-  deprecated override predicate guardedNode(Node n, FlowState state, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g, state) and
-      n = g.getAGuardedNode()
-    )
-  }
-}
-
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -377,7 +348,10 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
    not config.isSink(n) and
    not config.isSink(n, _)
    or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, config)
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g) and
+      n = g.getAGuardedNode()
+    )
  )
 }

@@ -386,7 +360,10 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
    or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, state, config)
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
  )
 }

@@ -3877,11 +3854,16 @@ class PathNode extends TPathNode {
  /** Gets the associated configuration. */
  Configuration getConfiguration() { none() }

+  private PathNode getASuccessorIfHidden() {
+    this.(PathNodeImpl).isHidden() and
+    result = this.(PathNodeImpl).getASuccessorImpl()
+  }
+
  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() {
-    result = this.(PathNodeImpl).getANonHiddenSuccessor() and
-    reach(this) and
-    reach(result)
+    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
+    not this.(PathNodeImpl).isHidden() and
+    not result.(PathNodeImpl).isHidden()
  }

  /** Holds if this node is a source. */
@@ -3889,18 +3871,7 @@ class PathNode extends TPathNode {
 }

 abstract private class PathNodeImpl extends PathNode {
-  abstract PathNodeImpl getASuccessorImpl();
-
-  private PathNodeImpl getASuccessorIfHidden() {
-    this.isHidden() and
-    result = this.getASuccessorImpl()
-  }
-
-  final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
-    not result.isHidden()
-  }
+  abstract PathNode getASuccessorImpl();

  abstract NodeEx getNodeEx();

@@ -3943,17 +3914,15 @@ abstract private class PathNodeImpl extends PathNode {
 }

 /** Holds if `n` can reach a sink. */
-private predicate directReach(PathNodeImpl n) {
-  n instanceof PathNodeSink or directReach(n.getANonHiddenSuccessor())
+private predicate directReach(PathNode n) {
+  n instanceof PathNodeSink or directReach(n.getASuccessor())
 }

 /** Holds if `n` can reach a sink or is used in a subpath that can reach a sink. */
 private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }

 /** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNodeImpl n1, PathNode n2) {
-  n1.getANonHiddenSuccessor() = n2 and directReach(n2)
-}
+private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and directReach(n2) }

 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)

@@ -3962,7 +3931,7 @@ private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1
 */
 module PathGraph {
  /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b }
+  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b and reach(a) and reach(b) }

  /** Holds if `n` is a node in the graph of data flow path explanations. */
  query predicate nodes(PathNode n, string key, string val) {
@@ -4080,7 +4049,7 @@ private class PathNodeSink extends PathNodeImpl, TPathNodeSink {

  override Configuration getConfiguration() { result = config }

-  override PathNodeImpl getASuccessorImpl() { none() }
+  override PathNode getASuccessorImpl() { none() }

  override predicate isSource() { sourceNode(node, state, config) }
 }
@@ -4396,8 +4365,8 @@ private module Subpaths {
  }

  pragma[nomagic]
-  private predicate hasSuccessor(PathNodeImpl pred, PathNodeMid succ, NodeEx succNode) {
-    succ = pred.getANonHiddenSuccessor() and
+  private predicate hasSuccessor(PathNode pred, PathNodeMid succ, NodeEx succNode) {
+    succ = pred.getASuccessor() and
    succNode = succ.getNodeEx()
  }

@@ -4406,9 +4375,9 @@ private module Subpaths {
   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
   * `ret -> out` is summarized as the edge `arg -> out`.
   */
-  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
    exists(ParamNodeEx p, NodeEx o, FlowState sout, AccessPath apout, PathNodeMid out0 |
-      pragma[only_bind_into](arg).getANonHiddenSuccessor() = pragma[only_bind_into](out0) and
+      pragma[only_bind_into](arg).getASuccessor() = pragma[only_bind_into](out0) and
      subpaths03(pragma[only_bind_into](arg), p, localStepToHidden*(ret), o, sout, apout) and
      hasSuccessor(pragma[only_bind_into](arg), par, p) and
      not ret.isHidden() and
@@ -4421,12 +4390,12 @@ private module Subpaths {
  /**
   * Holds if `n` can reach a return node in a summarized subpath that can reach a sink.
   */
-  predicate retReach(PathNodeImpl n) {
+  predicate retReach(PathNode n) {
    exists(PathNode out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
    or
-    exists(PathNodeImpl mid |
+    exists(PathNode mid |
      retReach(mid) and
-      n.getANonHiddenSuccessor() = mid and
+      n.getASuccessor() = mid and
      not subpaths(_, mid, _, _)
    )
  }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -90,20 +90,14 @@ abstract class Configuration extends string {
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
-   * Holds if data flow through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard) { none() }
+  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
+  predicate isBarrierGuard(BarrierGuard guard) { none() }

  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
   * Holds if data flow through nodes guarded by `guard` is prohibited when
   * the flow state is `state`
   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }

  /**
   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
@@ -341,29 +335,6 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

-/** A bridge class to access the deprecated `isBarrierGuard`. */
-private class BarrierGuardGuardedNodeBridge extends Unit {
-  abstract predicate guardedNode(Node n, Configuration config);
-
-  abstract predicate guardedNode(Node n, FlowState state, Configuration config);
-}
-
-private class BarrierGuardGuardedNode extends BarrierGuardGuardedNodeBridge {
-  deprecated override predicate guardedNode(Node n, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g) and
-      n = g.getAGuardedNode()
-    )
-  }
-
-  deprecated override predicate guardedNode(Node n, FlowState state, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g, state) and
-      n = g.getAGuardedNode()
-    )
-  }
-}
-
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -377,7 +348,10 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
    not config.isSink(n) and
    not config.isSink(n, _)
    or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, config)
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g) and
+      n = g.getAGuardedNode()
+    )
  )
 }

@@ -386,7 +360,10 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
    or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, state, config)
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
  )
 }

@@ -3877,11 +3854,16 @@ class PathNode extends TPathNode {
  /** Gets the associated configuration. */
  Configuration getConfiguration() { none() }

+  private PathNode getASuccessorIfHidden() {
+    this.(PathNodeImpl).isHidden() and
+    result = this.(PathNodeImpl).getASuccessorImpl()
+  }
+
  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() {
-    result = this.(PathNodeImpl).getANonHiddenSuccessor() and
-    reach(this) and
-    reach(result)
+    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
+    not this.(PathNodeImpl).isHidden() and
+    not result.(PathNodeImpl).isHidden()
  }

  /** Holds if this node is a source. */
@@ -3889,18 +3871,7 @@ class PathNode extends TPathNode {
 }

 abstract private class PathNodeImpl extends PathNode {
-  abstract PathNodeImpl getASuccessorImpl();
-
-  private PathNodeImpl getASuccessorIfHidden() {
-    this.isHidden() and
-    result = this.getASuccessorImpl()
-  }
-
-  final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
-    not result.isHidden()
-  }
+  abstract PathNode getASuccessorImpl();

  abstract NodeEx getNodeEx();

@@ -3943,17 +3914,15 @@ abstract private class PathNodeImpl extends PathNode {
 }

 /** Holds if `n` can reach a sink. */
-private predicate directReach(PathNodeImpl n) {
-  n instanceof PathNodeSink or directReach(n.getANonHiddenSuccessor())
+private predicate directReach(PathNode n) {
+  n instanceof PathNodeSink or directReach(n.getASuccessor())
 }

 /** Holds if `n` can reach a sink or is used in a subpath that can reach a sink. */
 private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }

 /** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNodeImpl n1, PathNode n2) {
-  n1.getANonHiddenSuccessor() = n2 and directReach(n2)
-}
+private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and directReach(n2) }

 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)

@@ -3962,7 +3931,7 @@ private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1
 */
 module PathGraph {
  /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b }
+  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b and reach(a) and reach(b) }

  /** Holds if `n` is a node in the graph of data flow path explanations. */
  query predicate nodes(PathNode n, string key, string val) {
@@ -4080,7 +4049,7 @@ private class PathNodeSink extends PathNodeImpl, TPathNodeSink {

  override Configuration getConfiguration() { result = config }

-  override PathNodeImpl getASuccessorImpl() { none() }
+  override PathNode getASuccessorImpl() { none() }

  override predicate isSource() { sourceNode(node, state, config) }
 }
@@ -4396,8 +4365,8 @@ private module Subpaths {
  }

  pragma[nomagic]
-  private predicate hasSuccessor(PathNodeImpl pred, PathNodeMid succ, NodeEx succNode) {
-    succ = pred.getANonHiddenSuccessor() and
+  private predicate hasSuccessor(PathNode pred, PathNodeMid succ, NodeEx succNode) {
+    succ = pred.getASuccessor() and
    succNode = succ.getNodeEx()
  }

@@ -4406,9 +4375,9 @@ private module Subpaths {
   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
   * `ret -> out` is summarized as the edge `arg -> out`.
   */
-  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
    exists(ParamNodeEx p, NodeEx o, FlowState sout, AccessPath apout, PathNodeMid out0 |
-      pragma[only_bind_into](arg).getANonHiddenSuccessor() = pragma[only_bind_into](out0) and
+      pragma[only_bind_into](arg).getASuccessor() = pragma[only_bind_into](out0) and
      subpaths03(pragma[only_bind_into](arg), p, localStepToHidden*(ret), o, sout, apout) and
      hasSuccessor(pragma[only_bind_into](arg), par, p) and
      not ret.isHidden() and
@@ -4421,12 +4390,12 @@ private module Subpaths {
  /**
   * Holds if `n` can reach a return node in a summarized subpath that can reach a sink.
   */
-  predicate retReach(PathNodeImpl n) {
+  predicate retReach(PathNode n) {
    exists(PathNode out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
    or
-    exists(PathNodeImpl mid |
+    exists(PathNode mid |
      retReach(mid) and
-      n.getANonHiddenSuccessor() = mid and
+      n.getASuccessor() = mid and
      not subpaths(_, mid, _, _)
    )
  }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -90,20 +90,14 @@ abstract class Configuration extends string {
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
-   * Holds if data flow through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard) { none() }
+  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
+  predicate isBarrierGuard(BarrierGuard guard) { none() }

  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
   * Holds if data flow through nodes guarded by `guard` is prohibited when
   * the flow state is `state`
   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }

  /**
   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
@@ -341,29 +335,6 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

-/** A bridge class to access the deprecated `isBarrierGuard`. */
-private class BarrierGuardGuardedNodeBridge extends Unit {
-  abstract predicate guardedNode(Node n, Configuration config);
-
-  abstract predicate guardedNode(Node n, FlowState state, Configuration config);
-}
-
-private class BarrierGuardGuardedNode extends BarrierGuardGuardedNodeBridge {
-  deprecated override predicate guardedNode(Node n, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g) and
-      n = g.getAGuardedNode()
-    )
-  }
-
-  deprecated override predicate guardedNode(Node n, FlowState state, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g, state) and
-      n = g.getAGuardedNode()
-    )
-  }
-}
-
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -377,7 +348,10 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
    not config.isSink(n) and
    not config.isSink(n, _)
    or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, config)
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g) and
+      n = g.getAGuardedNode()
+    )
  )
 }

@@ -386,7 +360,10 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
    or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, state, config)
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
  )
 }

@@ -3877,11 +3854,16 @@ class PathNode extends TPathNode {
  /** Gets the associated configuration. */
  Configuration getConfiguration() { none() }

+  private PathNode getASuccessorIfHidden() {
+    this.(PathNodeImpl).isHidden() and
+    result = this.(PathNodeImpl).getASuccessorImpl()
+  }
+
  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() {
-    result = this.(PathNodeImpl).getANonHiddenSuccessor() and
-    reach(this) and
-    reach(result)
+    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
+    not this.(PathNodeImpl).isHidden() and
+    not result.(PathNodeImpl).isHidden()
  }

  /** Holds if this node is a source. */
@@ -3889,18 +3871,7 @@ class PathNode extends TPathNode {
 }

 abstract private class PathNodeImpl extends PathNode {
-  abstract PathNodeImpl getASuccessorImpl();
-
-  private PathNodeImpl getASuccessorIfHidden() {
-    this.isHidden() and
-    result = this.getASuccessorImpl()
-  }
-
-  final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
-    not result.isHidden()
-  }
+  abstract PathNode getASuccessorImpl();

  abstract NodeEx getNodeEx();

@@ -3943,17 +3914,15 @@ abstract private class PathNodeImpl extends PathNode {
 }

 /** Holds if `n` can reach a sink. */
-private predicate directReach(PathNodeImpl n) {
-  n instanceof PathNodeSink or directReach(n.getANonHiddenSuccessor())
+private predicate directReach(PathNode n) {
+  n instanceof PathNodeSink or directReach(n.getASuccessor())
 }

 /** Holds if `n` can reach a sink or is used in a subpath that can reach a sink. */
 private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }

 /** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNodeImpl n1, PathNode n2) {
-  n1.getANonHiddenSuccessor() = n2 and directReach(n2)
-}
+private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and directReach(n2) }

 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)

@@ -3962,7 +3931,7 @@ private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1
 */
 module PathGraph {
  /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b }
+  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b and reach(a) and reach(b) }

  /** Holds if `n` is a node in the graph of data flow path explanations. */
  query predicate nodes(PathNode n, string key, string val) {
@@ -4080,7 +4049,7 @@ private class PathNodeSink extends PathNodeImpl, TPathNodeSink {

  override Configuration getConfiguration() { result = config }

-  override PathNodeImpl getASuccessorImpl() { none() }
+  override PathNode getASuccessorImpl() { none() }

  override predicate isSource() { sourceNode(node, state, config) }
 }
@@ -4396,8 +4365,8 @@ private module Subpaths {
  }

  pragma[nomagic]
-  private predicate hasSuccessor(PathNodeImpl pred, PathNodeMid succ, NodeEx succNode) {
-    succ = pred.getANonHiddenSuccessor() and
+  private predicate hasSuccessor(PathNode pred, PathNodeMid succ, NodeEx succNode) {
+    succ = pred.getASuccessor() and
    succNode = succ.getNodeEx()
  }

@@ -4406,9 +4375,9 @@ private module Subpaths {
   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
   * `ret -> out` is summarized as the edge `arg -> out`.
   */
-  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
    exists(ParamNodeEx p, NodeEx o, FlowState sout, AccessPath apout, PathNodeMid out0 |
-      pragma[only_bind_into](arg).getANonHiddenSuccessor() = pragma[only_bind_into](out0) and
+      pragma[only_bind_into](arg).getASuccessor() = pragma[only_bind_into](out0) and
      subpaths03(pragma[only_bind_into](arg), p, localStepToHidden*(ret), o, sout, apout) and
      hasSuccessor(pragma[only_bind_into](arg), par, p) and
      not ret.isHidden() and
@@ -4421,12 +4390,12 @@ private module Subpaths {
  /**
   * Holds if `n` can reach a return node in a summarized subpath that can reach a sink.
   */
-  predicate retReach(PathNodeImpl n) {
+  predicate retReach(PathNode n) {
    exists(PathNode out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
    or
-    exists(PathNodeImpl mid |
+    exists(PathNode mid |
      retReach(mid) and
-      n.getANonHiddenSuccessor() = mid and
+      n.getASuccessor() = mid and
      not subpaths(_, mid, _, _)
    )
  }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -90,20 +90,14 @@ abstract class Configuration extends string {
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
-   * Holds if data flow through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard) { none() }
+  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
+  predicate isBarrierGuard(BarrierGuard guard) { none() }

  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
   * Holds if data flow through nodes guarded by `guard` is prohibited when
   * the flow state is `state`
   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+  predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }

  /**
   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
@@ -341,29 +335,6 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

-/** A bridge class to access the deprecated `isBarrierGuard`. */
-private class BarrierGuardGuardedNodeBridge extends Unit {
-  abstract predicate guardedNode(Node n, Configuration config);
-
-  abstract predicate guardedNode(Node n, FlowState state, Configuration config);
-}
-
-private class BarrierGuardGuardedNode extends BarrierGuardGuardedNodeBridge {
-  deprecated override predicate guardedNode(Node n, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g) and
-      n = g.getAGuardedNode()
-    )
-  }
-
-  deprecated override predicate guardedNode(Node n, FlowState state, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g, state) and
-      n = g.getAGuardedNode()
-    )
-  }
-}
-
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -377,7 +348,10 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
    not config.isSink(n) and
    not config.isSink(n, _)
    or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, config)
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g) and
+      n = g.getAGuardedNode()
+    )
  )
 }

@@ -386,7 +360,10 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
    or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(n, state, config)
+    exists(BarrierGuard g |
+      config.isBarrierGuard(g, state) and
+      n = g.getAGuardedNode()
+    )
  )
 }

@@ -3877,11 +3854,16 @@ class PathNode extends TPathNode {
  /** Gets the associated configuration. */
  Configuration getConfiguration() { none() }

+  private PathNode getASuccessorIfHidden() {
+    this.(PathNodeImpl).isHidden() and
+    result = this.(PathNodeImpl).getASuccessorImpl()
+  }
+
  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() {
-    result = this.(PathNodeImpl).getANonHiddenSuccessor() and
-    reach(this) and
-    reach(result)
+    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
+    not this.(PathNodeImpl).isHidden() and
+    not result.(PathNodeImpl).isHidden()
  }

  /** Holds if this node is a source. */
@@ -3889,18 +3871,7 @@ class PathNode extends TPathNode {
 }

 abstract private class PathNodeImpl extends PathNode {
-  abstract PathNodeImpl getASuccessorImpl();
-
-  private PathNodeImpl getASuccessorIfHidden() {
-    this.isHidden() and
-    result = this.getASuccessorImpl()
-  }
-
-  final PathNodeImpl getANonHiddenSuccessor() {
-    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.isHidden() and
-    not result.isHidden()
-  }
+  abstract PathNode getASuccessorImpl();

  abstract NodeEx getNodeEx();

@@ -3943,17 +3914,15 @@ abstract private class PathNodeImpl extends PathNode {
 }

 /** Holds if `n` can reach a sink. */
-private predicate directReach(PathNodeImpl n) {
-  n instanceof PathNodeSink or directReach(n.getANonHiddenSuccessor())
+private predicate directReach(PathNode n) {
+  n instanceof PathNodeSink or directReach(n.getASuccessor())
 }

 /** Holds if `n` can reach a sink or is used in a subpath that can reach a sink. */
 private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }

 /** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNodeImpl n1, PathNode n2) {
-  n1.getANonHiddenSuccessor() = n2 and directReach(n2)
-}
+private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and directReach(n2) }

 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)

@@ -3962,7 +3931,7 @@ private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1
 */
 module PathGraph {
  /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b }
+  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b and reach(a) and reach(b) }

  /** Holds if `n` is a node in the graph of data flow path explanations. */
  query predicate nodes(PathNode n, string key, string val) {
@@ -4080,7 +4049,7 @@ private class PathNodeSink extends PathNodeImpl, TPathNodeSink {

  override Configuration getConfiguration() { result = config }

-  override PathNodeImpl getASuccessorImpl() { none() }
+  override PathNode getASuccessorImpl() { none() }

  override predicate isSource() { sourceNode(node, state, config) }
 }
@@ -4396,8 +4365,8 @@ private module Subpaths {
  }

  pragma[nomagic]
-  private predicate hasSuccessor(PathNodeImpl pred, PathNodeMid succ, NodeEx succNode) {
-    succ = pred.getANonHiddenSuccessor() and
+  private predicate hasSuccessor(PathNode pred, PathNodeMid succ, NodeEx succNode) {
+    succ = pred.getASuccessor() and
    succNode = succ.getNodeEx()
  }

@@ -4406,9 +4375,9 @@ private module Subpaths {
   * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
   * `ret -> out` is summarized as the edge `arg -> out`.
   */
-  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
+  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
    exists(ParamNodeEx p, NodeEx o, FlowState sout, AccessPath apout, PathNodeMid out0 |
-      pragma[only_bind_into](arg).getANonHiddenSuccessor() = pragma[only_bind_into](out0) and
+      pragma[only_bind_into](arg).getASuccessor() = pragma[only_bind_into](out0) and
      subpaths03(pragma[only_bind_into](arg), p, localStepToHidden*(ret), o, sout, apout) and
      hasSuccessor(pragma[only_bind_into](arg), par, p) and
      not ret.isHidden() and
@@ -4421,12 +4390,12 @@ private module Subpaths {
  /**
   * Holds if `n` can reach a return node in a summarized subpath that can reach a sink.
   */
-  predicate retReach(PathNodeImpl n) {
+  predicate retReach(PathNode n) {
    exists(PathNode out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
    or
-    exists(PathNodeImpl mid |
+    exists(PathNode mid |
      retReach(mid) and
-      n.getANonHiddenSuccessor() = mid and
+      n.getASuccessor() = mid and
      not subpaths(_, mid, _, _)
    )
  }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -100,7 +100,7 @@ class Node extends TIRDataFlowNode {
  Declaration getEnclosingCallable() { none() } // overridden in subclasses

  /** Gets the function to which this node belongs, if any. */
-  Declaration getFunction() { none() } // overridden in subclasses
+  Function getFunction() { none() } // overridden in subclasses

  /** Gets the type of this node. */
  IRType getType() { none() } // overridden in subclasses
@@ -196,7 +196,7 @@ class InstructionNode extends Node, TInstructionNode {

  override Declaration getEnclosingCallable() { result = this.getFunction() }

-  override Declaration getFunction() { result = instr.getEnclosingFunction() }
+  override Function getFunction() { result = instr.getEnclosingFunction() }

  override IRType getType() { result = instr.getResultIRType() }

@@ -222,7 +222,7 @@ class OperandNode extends Node, TOperandNode {

  override Declaration getEnclosingCallable() { result = this.getFunction() }

-  override Declaration getFunction() { result = op.getUse().getEnclosingFunction() }
+  override Function getFunction() { result = op.getUse().getEnclosingFunction() }

  override IRType getType() { result = op.getIRType() }

@@ -274,7 +274,7 @@ class StoreNodeInstr extends StoreNode, TStoreNodeInstr {
  /** Gets the underlying instruction. */
  Instruction getInstruction() { result = instr }

-  override Declaration getFunction() { result = this.getInstruction().getEnclosingFunction() }
+  override Function getFunction() { result = this.getInstruction().getEnclosingFunction() }

  override IRType getType() { result = this.getInstruction().getResultIRType() }

@@ -328,7 +328,7 @@ class StoreNodeOperand extends StoreNode, TStoreNodeOperand {
  /** Gets the underlying operand. */
  Operand getOperand() { result = operand }

-  override Declaration getFunction() { result = operand.getDef().getEnclosingFunction() }
+  override Function getFunction() { result = operand.getDef().getEnclosingFunction() }

  override IRType getType() { result = operand.getIRType() }

@@ -384,7 +384,7 @@ class ReadNode extends Node, TReadNode {

  override Declaration getEnclosingCallable() { result = this.getFunction() }

-  override Declaration getFunction() { result = this.getInstruction().getEnclosingFunction() }
+  override Function getFunction() { result = this.getInstruction().getEnclosingFunction() }

  override IRType getType() { result = this.getInstruction().getResultIRType() }

@@ -436,7 +436,7 @@ class SsaPhiNode extends Node, TSsaPhiNode {

  override Declaration getEnclosingCallable() { result = this.getFunction() }

-  override Declaration getFunction() { result = phi.getBasicBlock().getEnclosingFunction() }
+  override Function getFunction() { result = phi.getBasicBlock().getEnclosingFunction() }

  override IRType getType() { result instanceof IRVoidType }

@@ -673,7 +673,7 @@ class VariableNode extends Node, TVariableNode {
  /** Gets the variable corresponding to this node. */
  Variable getVariable() { result = v }

-  override Declaration getFunction() { none() }
+  override Function getFunction() { none() }

  override Declaration getEnclosingCallable() {
    // When flow crosses from one _enclosing callable_ to another, the
@@ -1092,56 +1092,6 @@ class ContentSet instanceof Content {
 }

 /**
- * Holds if the guard `g` validates the expression `e` upon evaluating to `branch`.
- *
- * The expression `e` is expected to be a syntactic part of the guard `g`.
- * For example, the guard `g` might be a call `isSafe(x)` and the expression `e`
- * the argument `x`.
- */
-signature predicate guardChecksSig(IRGuardCondition g, Expr e, boolean branch);
-
-/**
- * Provides a set of barrier nodes for a guard that validates an expression.
- *
- * This is expected to be used in `isBarrier`/`isSanitizer` definitions
- * in data flow and taint tracking.
- */
-module BarrierGuard<guardChecksSig/3 guardChecks> {
-  /** Gets a node that is safely guarded by the given guard check. */
-  ExprNode getABarrierNode() {
-    exists(IRGuardCondition g, ValueNumber value, boolean edge |
-      guardChecks(g, value.getAnInstruction().getConvertedResultExpression(), edge) and
-      result.asInstruction() = value.getAnInstruction() and
-      g.controls(result.asInstruction().getBlock(), edge)
-    )
-  }
-}
-
-/**
- * Holds if the guard `g` validates the instruction `instr` upon evaluating to `branch`.
- */
-signature predicate instructionGuardChecksSig(IRGuardCondition g, Instruction instr, boolean branch);
-
-/**
- * Provides a set of barrier nodes for a guard that validates an instruction.
- *
- * This is expected to be used in `isBarrier`/`isSanitizer` definitions
- * in data flow and taint tracking.
- */
-module InstructionBarrierGuard<instructionGuardChecksSig/3 instructionGuardChecks> {
-  /** Gets a node that is safely guarded by the given guard check. */
-  ExprNode getABarrierNode() {
-    exists(IRGuardCondition g, ValueNumber value, boolean edge |
-      instructionGuardChecks(g, value.getAnInstruction(), edge) and
-      result.asInstruction() = value.getAnInstruction() and
-      g.controls(result.asInstruction().getBlock(), edge)
-    )
-  }
-}
-
-/**
- * DEPRECATED: Use `BarrierGuard` module instead.
- *
 * A guard that validates some instruction.
 *
 * To use this in a configuration, extend the class and provide a
@@ -1150,7 +1100,7 @@ module InstructionBarrierGuard<instructionGuardChecksSig/3 instructionGuardCheck
 *
 * It is important that all extending classes in scope are disjoint.
 */
-deprecated class BarrierGuard extends IRGuardCondition {
+class BarrierGuard extends IRGuardCondition {
  /** Override this predicate to hold if this guard validates `instr` upon evaluating to `b`. */
  predicate checksInstr(Instruction instr, boolean b) { none() }

--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRLocalFlow.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRLocalFlow.qll
@@ -94,6 +94,12 @@ private string getNodeProperty(DataFlow::Node node, string key) {
      any(DataFlow::Configuration cfg).isBarrierIn(node) and kind = "in"
      or
      any(DataFlow::Configuration cfg).isBarrierOut(node) and kind = "out"
+      or
+      exists(DataFlow::BarrierGuard guard |
+        any(DataFlow::Configuration cfg).isBarrierGuard(guard) and
+        node = guard.getAGuardedNode() and
+        kind = "guard(" + guard.getResultId() + ")"
+      )
    |
      kind, ", "
    )
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
@@ -163,6 +163,12 @@ predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::Content c) { n
 */
 predicate defaultTaintSanitizer(DataFlow::Node node) { none() }

+/**
+ * Holds if `guard` should be a sanitizer guard in all global taint flow configurations
+ * but not in local taint.
+ */
+predicate defaultTaintSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
+
 /**
 * Holds if taint can flow from `instrIn` to `instrOut` through a call to a
 * modeled function.
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
@@ -116,30 +116,20 @@ abstract class Configuration extends DataFlow::Configuration {

  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }

-  /**
-   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
-   *
-   * Holds if taint propagation through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
+  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
+  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }

-  deprecated final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard)
+  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
+    this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
  }

  /**
-   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
-   *
   * Holds if taint propagation through nodes guarded by `guard` is prohibited
   * when the flow state is `state`.
   */
-  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
-    none()
-  }
+  predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) { none() }

-  deprecated final override predicate isBarrierGuard(
-    DataFlow::BarrierGuard guard, DataFlow::FlowState state
-  ) {
+  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
    this.isSanitizerGuard(guard, state)
  }

--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
@@ -116,30 +116,20 @@ abstract class Configuration extends DataFlow::Configuration {

  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }

-  /**
-   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
-   *
-   * Holds if taint propagation through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
+  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
+  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }

-  deprecated final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard)
+  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
+    this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
  }

  /**
-   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
-   *
   * Holds if taint propagation through nodes guarded by `guard` is prohibited
   * when the flow state is `state`.
   */
-  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
-    none()
-  }
+  predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) { none() }

-  deprecated final override predicate isBarrierGuard(
-    DataFlow::BarrierGuard guard, DataFlow::FlowState state
-  ) {
+  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
    this.isSanitizerGuard(guard, state)
  }

--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll
@@ -116,30 +116,20 @@ abstract class Configuration extends DataFlow::Configuration {

  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }

-  /**
-   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
-   *
-   * Holds if taint propagation through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
+  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
+  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }

-  deprecated final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard)
+  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
+    this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
  }

  /**
-   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
-   *
   * Holds if taint propagation through nodes guarded by `guard` is prohibited
   * when the flow state is `state`.
   */
-  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
-    none()
-  }
+  predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) { none() }

-  deprecated final override predicate isBarrierGuard(
-    DataFlow::BarrierGuard guard, DataFlow::FlowState state
-  ) {
+  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
    this.isSanitizerGuard(guard, state)
  }

--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/IRConfiguration.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/IRConfiguration.qll
@@ -16,7 +16,7 @@ class IRConfiguration extends TIRConfiguration {
  /**
   * Holds if IR should be created for function `func`. By default, holds for all functions.
   */
-  predicate shouldCreateIRForFunction(Language::Declaration func) { any() }
+  predicate shouldCreateIRForFunction(Language::Function func) { any() }

  /**
   * Holds if the strings used as part of an IR dump should be generated for function `func`.
@@ -25,7 +25,7 @@ class IRConfiguration extends TIRConfiguration {
   * of debug strings for IR that will not be dumped. We still generate the actual IR for these
   * functions, however, to preserve the results of any interprocedural analysis.
   */
-  predicate shouldEvaluateDebugStringsForFunction(Language::Declaration func) { any() }
+  predicate shouldEvaluateDebugStringsForFunction(Language::Function func) { any() }
 }

 private newtype TIREscapeAnalysisConfiguration = MkIREscapeAnalysisConfiguration()
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll
@@ -97,7 +97,7 @@ class IRBlockBase extends TIRBlock {
  /**
   * Gets the `Function` that contains this block.
   */
-  final Language::Declaration getEnclosingFunction() {
+  final Language::Function getEnclosingFunction() {
    result = getFirstInstruction(this).getEnclosingFunction()
  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRConsistency.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRConsistency.qll
@@ -524,23 +524,4 @@ module InstructionConsistency {
        "' has a `this` argument operand that is not an address, in function '$@'." and
    irFunc = getInstructionIRFunction(instr, irFuncText)
  }
-
-  query predicate nonUniqueIRVariable(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(VariableInstruction vi, IRVariable v1, IRVariable v2 |
-      instr = vi and vi.getIRVariable() = v1 and vi.getIRVariable() = v2 and v1 != v2
-    ) and
-    message =
-      "Variable instruction '" + instr.toString() +
-        "' has multiple associated variables, in function '$@'." and
-    irFunc = getInstructionIRFunction(instr, irFuncText)
-    or
-    instr.getOpcode() instanceof Opcode::VariableAddress and
-    not instr instanceof VariableInstruction and
-    message =
-      "Variable address instruction '" + instr.toString() +
-        "' has no associated variable, in function '$@'." and
-    irFunc = getInstructionIRFunction(instr, irFuncText)
-  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll
@@ -18,7 +18,7 @@ private import Imports::IRType
 * by the AST-to-IR translation (`IRTempVariable`).
 */
 class IRVariable extends TIRVariable {
-  Language::Declaration func;
+  Language::Function func;

  IRVariable() {
    this = TIRUserVariable(_, _, func) or
@@ -79,7 +79,7 @@ class IRVariable extends TIRVariable {
  /**
   * Gets the function that references this variable.
   */
-  final Language::Declaration getEnclosingFunction() { result = func }
+  final Language::Function getEnclosingFunction() { result = func }
 }

 /**
@@ -246,7 +246,7 @@ class IREllipsisVariable extends IRTempVariable, IRParameter {

  final override string toString() { result = "#ellipsis" }

-  final override int getIndex() { result = func.(Language::Function).getNumberOfParameters() }
+  final override int getIndex() { result = func.getNumberOfParameters() }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
@@ -194,7 +194,7 @@ class Instruction extends Construction::TStageInstruction {
  /**
   * Gets the function that contains this instruction.
   */
-  final Language::Declaration getEnclosingFunction() {
+  final Language::Function getEnclosingFunction() {
    result = this.getEnclosingIRFunction().getFunction()
  }

--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll
@@ -26,20 +26,20 @@ class PrintIRConfiguration extends TPrintIRConfiguration {
   * Holds if the IR for `func` should be printed. By default, holds for all
   * functions.
   */
-  predicate shouldPrintFunction(Language::Declaration decl) { any() }
+  predicate shouldPrintFunction(Language::Function func) { any() }
 }

 /**
 * Override of `IRConfiguration` to only evaluate debug strings for the functions that are to be dumped.
 */
 private class FilteredIRConfiguration extends IRConfiguration {
-  override predicate shouldEvaluateDebugStringsForFunction(Language::Declaration func) {
+  override predicate shouldEvaluateDebugStringsForFunction(Language::Function func) {
    shouldPrintFunction(func)
  }
 }

-private predicate shouldPrintFunction(Language::Declaration decl) {
-  exists(PrintIRConfiguration config | config.shouldPrintFunction(decl))
+private predicate shouldPrintFunction(Language::Function func) {
+  exists(PrintIRConfiguration config | config.shouldPrintFunction(func))
 }

 private string getAdditionalInstructionProperty(Instruction instr, string key) {
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/IRFunctionBase.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/IRFunctionBase.qll
@@ -5,28 +5,23 @@
 private import IRFunctionBaseInternal

 private newtype TIRFunction =
-  TFunctionIRFunction(Language::Function func) { IRConstruction::Raw::functionHasIR(func) } or
-  TVarInitIRFunction(Language::GlobalVariable var) { IRConstruction::Raw::varHasIRFunc(var) }
+  MkIRFunction(Language::Function func) { IRConstruction::Raw::functionHasIR(func) }

 /**
 * The IR for a function. This base class contains only the predicates that are the same between all
 * phases of the IR. Each instantiation of `IRFunction` extends this class.
 */
 class IRFunctionBase extends TIRFunction {
-  Language::Declaration decl;
+  Language::Function func;

-  IRFunctionBase() {
-    this = TFunctionIRFunction(decl)
-    or
-    this = TVarInitIRFunction(decl)
-  }
+  IRFunctionBase() { this = MkIRFunction(func) }

  /** Gets a textual representation of this element. */
-  final string toString() { result = "IR: " + decl.toString() }
+  final string toString() { result = "IR: " + func.toString() }

  /** Gets the function whose IR is represented. */
-  final Language::Declaration getFunction() { result = decl }
+  final Language::Function getFunction() { result = func }

  /** Gets the location of the function. */
-  final Language::Location getLocation() { result = decl.getLocation() }
+  final Language::Location getLocation() { result = func.getLocation() }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TIRVariable.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TIRVariable.qll
@@ -2,21 +2,21 @@ private import TIRVariableInternal
 private import Imports::TempVariableTag

 newtype TIRVariable =
-  TIRUserVariable(Language::Variable var, Language::LanguageType type, Language::Declaration func) {
+  TIRUserVariable(Language::Variable var, Language::LanguageType type, Language::Function func) {
    Construction::hasUserVariable(func, var, type)
  } or
  TIRTempVariable(
-    Language::Declaration func, Language::AST ast, TempVariableTag tag, Language::LanguageType type
+    Language::Function func, Language::AST ast, TempVariableTag tag, Language::LanguageType type
  ) {
    Construction::hasTempVariable(func, ast, tag, type)
  } or
  TIRDynamicInitializationFlag(
-    Language::Declaration func, Language::Variable var, Language::LanguageType type
+    Language::Function func, Language::Variable var, Language::LanguageType type
  ) {
    Construction::hasDynamicInitializationFlag(func, var, type)
  } or
  TIRStringLiteral(
-    Language::Declaration func, Language::AST ast, Language::LanguageType type,
+    Language::Function func, Language::AST ast, Language::LanguageType type,
    Language::StringLiteral literal
  ) {
    Construction::hasStringLiteral(func, ast, type, literal)
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRBlock.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRBlock.qll
@@ -97,7 +97,7 @@ class IRBlockBase extends TIRBlock {
  /**
   * Gets the `Function` that contains this block.
   */
-  final Language::Declaration getEnclosingFunction() {
+  final Language::Function getEnclosingFunction() {
    result = getFirstInstruction(this).getEnclosingFunction()
  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRConsistency.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRConsistency.qll
@@ -524,23 +524,4 @@ module InstructionConsistency {
        "' has a `this` argument operand that is not an address, in function '$@'." and
    irFunc = getInstructionIRFunction(instr, irFuncText)
  }
-
-  query predicate nonUniqueIRVariable(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(VariableInstruction vi, IRVariable v1, IRVariable v2 |
-      instr = vi and vi.getIRVariable() = v1 and vi.getIRVariable() = v2 and v1 != v2
-    ) and
-    message =
-      "Variable instruction '" + instr.toString() +
-        "' has multiple associated variables, in function '$@'." and
-    irFunc = getInstructionIRFunction(instr, irFuncText)
-    or
-    instr.getOpcode() instanceof Opcode::VariableAddress and
-    not instr instanceof VariableInstruction and
-    message =
-      "Variable address instruction '" + instr.toString() +
-        "' has no associated variable, in function '$@'." and
-    irFunc = getInstructionIRFunction(instr, irFuncText)
-  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRVariable.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRVariable.qll
@@ -18,7 +18,7 @@ private import Imports::IRType
 * by the AST-to-IR translation (`IRTempVariable`).
 */
 class IRVariable extends TIRVariable {
-  Language::Declaration func;
+  Language::Function func;

  IRVariable() {
    this = TIRUserVariable(_, _, func) or
@@ -79,7 +79,7 @@ class IRVariable extends TIRVariable {
  /**
   * Gets the function that references this variable.
   */
-  final Language::Declaration getEnclosingFunction() { result = func }
+  final Language::Function getEnclosingFunction() { result = func }
 }

 /**
@@ -246,7 +246,7 @@ class IREllipsisVariable extends IRTempVariable, IRParameter {

  final override string toString() { result = "#ellipsis" }

-  final override int getIndex() { result = func.(Language::Function).getNumberOfParameters() }
+  final override int getIndex() { result = func.getNumberOfParameters() }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll
@@ -194,7 +194,7 @@ class Instruction extends Construction::TStageInstruction {
  /**
   * Gets the function that contains this instruction.
   */
-  final Language::Declaration getEnclosingFunction() {
+  final Language::Function getEnclosingFunction() {
    result = this.getEnclosingIRFunction().getFunction()
  }

--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/PrintIR.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/PrintIR.qll
@@ -26,20 +26,20 @@ class PrintIRConfiguration extends TPrintIRConfiguration {
   * Holds if the IR for `func` should be printed. By default, holds for all
   * functions.
   */
-  predicate shouldPrintFunction(Language::Declaration decl) { any() }
+  predicate shouldPrintFunction(Language::Function func) { any() }
 }

 /**
 * Override of `IRConfiguration` to only evaluate debug strings for the functions that are to be dumped.
 */
 private class FilteredIRConfiguration extends IRConfiguration {
-  override predicate shouldEvaluateDebugStringsForFunction(Language::Declaration func) {
+  override predicate shouldEvaluateDebugStringsForFunction(Language::Function func) {
    shouldPrintFunction(func)
  }
 }

-private predicate shouldPrintFunction(Language::Declaration decl) {
-  exists(PrintIRConfiguration config | config.shouldPrintFunction(decl))
+private predicate shouldPrintFunction(Language::Function func) {
+  exists(PrintIRConfiguration config | config.shouldPrintFunction(func))
 }

 private string getAdditionalInstructionProperty(Instruction instr, string key) {
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll
@@ -13,7 +13,6 @@ private import TranslatedElement
 private import TranslatedExpr
 private import TranslatedStmt
 private import TranslatedFunction
-private import TranslatedGlobalVar

 TranslatedElement getInstructionTranslatedElement(Instruction instruction) {
  instruction = TRawInstruction(result, _)
@@ -36,41 +35,29 @@ module Raw {
  cached
  predicate functionHasIR(Function func) { exists(getTranslatedFunction(func)) }

-  cached
-  predicate varHasIRFunc(GlobalOrNamespaceVariable var) {
-    var.hasInitializer() and
-    (
-      not var.getType().isDeeplyConst()
-      or
-      var.getInitializer().getExpr() instanceof StringLiteral
-    )
-  }
-
  cached
  predicate hasInstruction(TranslatedElement element, InstructionTag tag) {
    element.hasInstruction(_, tag, _)
  }

  cached
-  predicate hasUserVariable(Declaration decl, Variable var, CppType type) {
-    getTranslatedFunction(decl).hasUserVariable(var, type)
-    or
-    getTranslatedVarInit(decl).hasUserVariable(var, type)
+  predicate hasUserVariable(Function func, Variable var, CppType type) {
+    getTranslatedFunction(func).hasUserVariable(var, type)
  }

  cached
-  predicate hasTempVariable(Declaration decl, Locatable ast, TempVariableTag tag, CppType type) {
+  predicate hasTempVariable(Function func, Locatable ast, TempVariableTag tag, CppType type) {
    exists(TranslatedElement element |
      element.getAst() = ast and
-      decl = element.getFunction() and
+      func = element.getFunction() and
      element.hasTempVariable(tag, type)
    )
  }

  cached
-  predicate hasStringLiteral(Declaration decl, Locatable ast, CppType type, StringLiteral literal) {
+  predicate hasStringLiteral(Function func, Locatable ast, CppType type, StringLiteral literal) {
    literal = ast and
-    literal.getEnclosingDeclaration() = decl and
+    literal.getEnclosingFunction() = func and
    getTypeForPRValue(literal.getType()) = type
  }

--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll
@@ -180,7 +180,7 @@ abstract class TranslatedSideEffects extends TranslatedElement {
  /** DEPRECATED: Alias for getAst */
  deprecated override Locatable getAST() { result = getAst() }

-  final override Declaration getFunction() { result = getExpr().getEnclosingDeclaration() }
+  final override Function getFunction() { result = getExpr().getEnclosingFunction() }

  final override TranslatedElement getChild(int i) {
    result =
@@ -375,7 +375,7 @@ abstract class TranslatedSideEffect extends TranslatedElement {
    kind instanceof GotoEdge
  }

-  final override Declaration getFunction() { result = getParent().getFunction() }
+  final override Function getFunction() { result = getParent().getFunction() }

  final override Instruction getPrimaryInstructionForSideEffect(InstructionTag tag) {
    tag = OnlyInstructionTag() and
@@ -436,6 +436,13 @@ abstract class TranslatedArgumentSideEffect extends TranslatedSideEffect {
    result = index
  }

+  /**
+   * Gets the `TranslatedFunction` containing this expression.
+   */
+  final TranslatedFunction getEnclosingFunction() {
+    result = getTranslatedFunction(call.getEnclosingFunction())
+  }
+
  final override predicate sideEffectInstruction(Opcode opcode, CppType type) {
    opcode = sideEffectOpcode and
    (
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
@@ -25,9 +25,9 @@ private Element getRealParent(Expr expr) {
  result.(Destructor).getADestruction() = expr
 }

-IRUserVariable getIRUserVariable(Declaration decl, Variable var) {
+IRUserVariable getIRUserVariable(Function func, Variable var) {
  result.getVariable() = var and
-  result.getEnclosingFunction() = decl
+  result.getEnclosingFunction() = func
 }

 IRTempVariable getIRTempVariable(Locatable ast, TempVariableTag tag) {
@@ -67,8 +67,7 @@ private predicate ignoreExprAndDescendants(Expr expr) {
  exists(Initializer init, StaticStorageDurationVariable var |
    init = var.getInitializer() and
    not var.hasDynamicInitialization() and
-    expr = init.getExpr().getFullyConverted() and
-    not var instanceof GlobalOrNamespaceVariable
+    expr = init.getExpr().getFullyConverted()
  )
  or
  // Ignore descendants of `__assume` expressions, since we translated these to `NoOp`.
@@ -118,8 +117,7 @@ private predicate ignoreExprOnly(Expr expr) {
  // should not be translated.
  exists(NewOrNewArrayExpr new | expr = new.getAllocatorCall().getArgument(0))
  or
-  not translateFunction(expr.getEnclosingFunction()) and
-  not Raw::varHasIRFunc(expr.getEnclosingVariable())
+  not translateFunction(expr.getEnclosingFunction())
  or
  // We do not yet translate destructors properly, so for now we ignore the
  // destructor call. We do, however, translate the expression being
@@ -664,8 +662,7 @@ newtype TTranslatedElement =
    opcode = getASideEffectOpcode(call, -1)
  } or
  // The side effect that initializes newly-allocated memory.
-  TTranslatedAllocationSideEffect(AllocationExpr expr) { not ignoreSideEffects(expr) } or
-  TTranslatedGlobalOrNamespaceVarInit(GlobalOrNamespaceVariable var) { Raw::varHasIRFunc(var) }
+  TTranslatedAllocationSideEffect(AllocationExpr expr) { not ignoreSideEffects(expr) }

 /**
 * Gets the index of the first explicitly initialized element in `initList`
@@ -795,7 +792,7 @@ abstract class TranslatedElement extends TTranslatedElement {
  /**
   * Gets the `Function` that contains this element.
   */
-  abstract Declaration getFunction();
+  abstract Function getFunction();

  /**
   * Gets the successor instruction of the instruction that was generated by
@@ -945,14 +942,3 @@ abstract class TranslatedElement extends TTranslatedElement {
   */
  final TranslatedElement getParent() { result.getAChild() = this }
 }
-
-/**
- * Represents the IR translation of a root element, either a function or a global variable.
- */
-abstract class TranslatedRootElement extends TranslatedElement {
-  TranslatedRootElement() {
-    this instanceof TTranslatedFunction
-    or
-    this instanceof TTranslatedGlobalOrNamespaceVarInit
-  }
-}
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll
@@ -12,7 +12,6 @@ private import TranslatedElement
 private import TranslatedFunction
 private import TranslatedInitialization
 private import TranslatedStmt
-private import TranslatedGlobalVar
 import TranslatedCall

 /**
@@ -79,7 +78,7 @@ abstract class TranslatedExpr extends TranslatedElement {
  /** DEPRECATED: Alias for getAst */
  deprecated override Locatable getAST() { result = this.getAst() }

-  final override Declaration getFunction() { result = expr.getEnclosingDeclaration() }
+  final override Function getFunction() { result = expr.getEnclosingFunction() }

  /**
   * Gets the expression from which this `TranslatedExpr` is generated.
@@ -89,10 +88,8 @@ abstract class TranslatedExpr extends TranslatedElement {
  /**
   * Gets the `TranslatedFunction` containing this expression.
   */
-  final TranslatedRootElement getEnclosingFunction() {
+  final TranslatedFunction getEnclosingFunction() {
    result = getTranslatedFunction(expr.getEnclosingFunction())
-    or
-    result = getTranslatedVarInit(expr.getEnclosingVariable())
  }
 }

@@ -790,7 +787,7 @@ class TranslatedThisExpr extends TranslatedNonConstantExpr {

  override IRVariable getInstructionVariable(InstructionTag tag) {
    tag = ThisAddressTag() and
-    result = this.getEnclosingFunction().(TranslatedFunction).getThisVariable()
+    result = this.getEnclosingFunction().getThisVariable()
  }
 }

@@ -841,7 +838,7 @@ class TranslatedNonFieldVariableAccess extends TranslatedVariableAccess {

  override IRVariable getInstructionVariable(InstructionTag tag) {
    tag = OnlyInstructionTag() and
-    result = getIRUserVariable(expr.getEnclosingDeclaration(), expr.getTarget())
+    result = getIRUserVariable(expr.getEnclosingFunction(), expr.getTarget())
  }
 }

@@ -2525,7 +2522,7 @@ class TranslatedVarArgsStart extends TranslatedNonConstantExpr {

  final override IRVariable getInstructionVariable(InstructionTag tag) {
    tag = VarArgsStartEllipsisAddressTag() and
-    result = this.getEnclosingFunction().(TranslatedFunction).getEllipsisVariable()
+    result = this.getEnclosingFunction().getEllipsisVariable()
  }

  final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll
@@ -58,7 +58,7 @@ predicate hasReturnValue(Function func) { not func.getUnspecifiedType() instance
 * Represents the IR translation of a function. This is the root elements for
 * all other elements associated with this function.
 */
-class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction {
+class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
  Function func;

  TranslatedFunction() { this = TTranslatedFunction(func) }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedGlobalVar.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedGlobalVar.qll
@@ -1,132 +0,0 @@
-import semmle.code.cpp.ir.implementation.raw.internal.TranslatedElement
-private import cpp
-private import semmle.code.cpp.ir.implementation.IRType
-private import semmle.code.cpp.ir.implementation.Opcode
-private import semmle.code.cpp.ir.implementation.internal.OperandTag
-private import semmle.code.cpp.ir.internal.CppType
-private import TranslatedInitialization
-private import InstructionTag
-private import semmle.code.cpp.ir.internal.IRUtilities
-
-class TranslatedGlobalOrNamespaceVarInit extends TranslatedRootElement,
-  TTranslatedGlobalOrNamespaceVarInit, InitializationContext {
-  GlobalOrNamespaceVariable var;
-
-  TranslatedGlobalOrNamespaceVarInit() { this = TTranslatedGlobalOrNamespaceVarInit(var) }
-
-  override string toString() { result = var.toString() }
-
-  final override GlobalOrNamespaceVariable getAst() { result = var }
-
-  final override Declaration getFunction() { result = var }
-
-  final Location getLocation() { result = var.getLocation() }
-
-  override Instruction getFirstInstruction() { result = this.getInstruction(EnterFunctionTag()) }
-
-  override TranslatedElement getChild(int n) {
-    n = 1 and
-    result = getTranslatedInitialization(var.getInitializer().getExpr().getFullyConverted())
-  }
-
-  override predicate hasInstruction(Opcode op, InstructionTag tag, CppType type) {
-    op instanceof Opcode::EnterFunction and
-    tag = EnterFunctionTag() and
-    type = getVoidType()
-    or
-    op instanceof Opcode::AliasedDefinition and
-    tag = AliasedDefinitionTag() and
-    type = getUnknownType()
-    or
-    op instanceof Opcode::VariableAddress and
-    tag = InitializerVariableAddressTag() and
-    type = getTypeForGLValue(var.getType())
-    or
-    op instanceof Opcode::ReturnVoid and
-    tag = ReturnTag() and
-    type = getVoidType()
-    or
-    op instanceof Opcode::AliasedUse and
-    tag = AliasedUseTag() and
-    type = getVoidType()
-    or
-    op instanceof Opcode::ExitFunction and
-    tag = ExitFunctionTag() and
-    type = getVoidType()
-  }
-
-  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
-    kind instanceof GotoEdge and
-    (
-      tag = EnterFunctionTag() and
-      result = this.getInstruction(AliasedDefinitionTag())
-      or
-      tag = AliasedDefinitionTag() and
-      result = this.getInstruction(InitializerVariableAddressTag())
-      or
-      tag = InitializerVariableAddressTag() and
-      result = getChild(1).getFirstInstruction()
-      or
-      tag = ReturnTag() and
-      result = this.getInstruction(AliasedUseTag())
-      or
-      tag = AliasedUseTag() and
-      result = this.getInstruction(ExitFunctionTag())
-    )
-  }
-
-  override Instruction getChildSuccessor(TranslatedElement child) {
-    child = this.getChild(1) and
-    result = this.getInstruction(ReturnTag())
-  }
-
-  final override CppType getInstructionMemoryOperandType(
-    InstructionTag tag, TypedOperandTag operandTag
-  ) {
-    tag = AliasedUseTag() and
-    operandTag instanceof SideEffectOperandTag and
-    result = getUnknownType()
-  }
-
-  override IRUserVariable getInstructionVariable(InstructionTag tag) {
-    tag = InitializerVariableAddressTag() and
-    result.getVariable() = var and
-    result.getEnclosingFunction() = var
-  }
-
-  override Instruction getTargetAddress() {
-    result = this.getInstruction(InitializerVariableAddressTag())
-  }
-
-  override Type getTargetType() { result = var.getUnspecifiedType() }
-
-  /**
-   * Holds if this variable defines or accesses variable `var` with type `type`. This includes all
-   * parameters and local variables, plus any global variables or static data members that are
-   * directly accessed by the function.
-   */
-  final predicate hasUserVariable(Variable varUsed, CppType type) {
-    (
-      (
-        varUsed instanceof GlobalOrNamespaceVariable
-        or
-        varUsed instanceof MemberVariable and not varUsed instanceof Field
-      ) and
-      exists(VariableAccess access |
-        access.getTarget() = varUsed and
-        access.getEnclosingVariable() = var
-      )
-      or
-      var = varUsed
-      or
-      varUsed.(LocalScopeVariable).getEnclosingElement*() = var
-      or
-      varUsed.(Parameter).getCatchBlock().getEnclosingElement*() = var
-    ) and
-    type = getTypeForPRValue(getVariableType(varUsed))
-  }
-}
-
-TranslatedGlobalOrNamespaceVarInit getTranslatedVarInit(GlobalOrNamespaceVariable var) {
-  result.getAst() = var
-}
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedInitialization.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedInitialization.qll
@@ -137,10 +137,7 @@ abstract class TranslatedInitialization extends TranslatedElement, TTranslatedIn

  final override string toString() { result = "init: " + expr.toString() }

-  final override Declaration getFunction() {
-    result = expr.getEnclosingFunction() or
-    result = expr.getEnclosingVariable().(GlobalOrNamespaceVariable)
-  }
+  final override Function getFunction() { result = expr.getEnclosingFunction() }

  final override Locatable getAst() { result = expr }

@@ -489,10 +486,7 @@ abstract class TranslatedFieldInitialization extends TranslatedElement {
  /** DEPRECATED: Alias for getAst */
  deprecated override Locatable getAST() { result = getAst() }

-  final override Declaration getFunction() {
-    result = ast.getEnclosingFunction() or
-    result = ast.getEnclosingVariable().(GlobalOrNamespaceVariable)
-  }
+  final override Function getFunction() { result = ast.getEnclosingFunction() }

  final override Instruction getFirstInstruction() { result = getInstruction(getFieldAddressTag()) }

@@ -639,11 +633,7 @@ abstract class TranslatedElementInitialization extends TranslatedElement {
  /** DEPRECATED: Alias for getAst */
  deprecated override Locatable getAST() { result = getAst() }

-  final override Declaration getFunction() {
-    result = initList.getEnclosingFunction()
-    or
-    result = initList.getEnclosingVariable().(GlobalOrNamespaceVariable)
-  }
+  final override Function getFunction() { result = initList.getEnclosingFunction() }

  final override Instruction getFirstInstruction() { result = getInstruction(getElementIndexTag()) }

--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll
@@ -97,7 +97,7 @@ class IRBlockBase extends TIRBlock {
  /**
   * Gets the `Function` that contains this block.
   */
-  final Language::Declaration getEnclosingFunction() {
+  final Language::Function getEnclosingFunction() {
    result = getFirstInstruction(this).getEnclosingFunction()
  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.qll
@@ -524,23 +524,4 @@ module InstructionConsistency {
        "' has a `this` argument operand that is not an address, in function '$@'." and
    irFunc = getInstructionIRFunction(instr, irFuncText)
  }
-
-  query predicate nonUniqueIRVariable(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(VariableInstruction vi, IRVariable v1, IRVariable v2 |
-      instr = vi and vi.getIRVariable() = v1 and vi.getIRVariable() = v2 and v1 != v2
-    ) and
-    message =
-      "Variable instruction '" + instr.toString() +
-        "' has multiple associated variables, in function '$@'." and
-    irFunc = getInstructionIRFunction(instr, irFuncText)
-    or
-    instr.getOpcode() instanceof Opcode::VariableAddress and
-    not instr instanceof VariableInstruction and
-    message =
-      "Variable address instruction '" + instr.toString() +
-        "' has no associated variable, in function '$@'." and
-    irFunc = getInstructionIRFunction(instr, irFuncText)
-  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll
@@ -18,7 +18,7 @@ private import Imports::IRType
 * by the AST-to-IR translation (`IRTempVariable`).
 */
 class IRVariable extends TIRVariable {
-  Language::Declaration func;
+  Language::Function func;

  IRVariable() {
    this = TIRUserVariable(_, _, func) or
@@ -79,7 +79,7 @@ class IRVariable extends TIRVariable {
  /**
   * Gets the function that references this variable.
   */
-  final Language::Declaration getEnclosingFunction() { result = func }
+  final Language::Function getEnclosingFunction() { result = func }
 }

 /**
@@ -246,7 +246,7 @@ class IREllipsisVariable extends IRTempVariable, IRParameter {

  final override string toString() { result = "#ellipsis" }

-  final override int getIndex() { result = func.(Language::Function).getNumberOfParameters() }
+  final override int getIndex() { result = func.getNumberOfParameters() }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll
@@ -194,7 +194,7 @@ class Instruction extends Construction::TStageInstruction {
  /**
   * Gets the function that contains this instruction.
   */
-  final Language::Declaration getEnclosingFunction() {
+  final Language::Function getEnclosingFunction() {
    result = this.getEnclosingIRFunction().getFunction()
  }

--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.qll
@@ -26,20 +26,20 @@ class PrintIRConfiguration extends TPrintIRConfiguration {
   * Holds if the IR for `func` should be printed. By default, holds for all
   * functions.
   */
-  predicate shouldPrintFunction(Language::Declaration decl) { any() }
+  predicate shouldPrintFunction(Language::Function func) { any() }
 }

 /**
 * Override of `IRConfiguration` to only evaluate debug strings for the functions that are to be dumped.
 */
 private class FilteredIRConfiguration extends IRConfiguration {
-  override predicate shouldEvaluateDebugStringsForFunction(Language::Declaration func) {
+  override predicate shouldEvaluateDebugStringsForFunction(Language::Function func) {
    shouldPrintFunction(func)
  }
 }

-private predicate shouldPrintFunction(Language::Declaration decl) {
-  exists(PrintIRConfiguration config | config.shouldPrintFunction(decl))
+private predicate shouldPrintFunction(Language::Function func) {
+  exists(PrintIRConfiguration config | config.shouldPrintFunction(func))
 }

 private string getAdditionalInstructionProperty(Instruction instr, string key) {
--- a/cpp/ql/lib/semmle/code/cpp/ir/internal/IRCppLanguage.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/internal/IRCppLanguage.qll
@@ -50,16 +50,12 @@ class AutomaticVariable = Cpp::StackVariable;

 class StaticVariable = Cpp::Variable;

-class GlobalVariable = Cpp::GlobalOrNamespaceVariable;
-
 class Parameter = Cpp::Parameter;

 class Field = Cpp::Field;

 class BuiltInOperation = Cpp::BuiltInOperation;

-class Declaration = Cpp::Declaration;
-
 // TODO: Remove necessity for these.
 class Expr = Cpp::Expr;

--- a/cpp/ql/lib/semmlecode.cpp.dbscheme
+++ b/cpp/ql/lib/semmlecode.cpp.dbscheme
@@ -1436,10 +1436,6 @@ initialisers(
    int location: @location_expr ref
 );

-braced_initialisers(
-    int init: @initialiser ref
-);
-
 /**
 * An ancestor for the expression, for cases in which we cannot
 * otherwise find the expression's parent.
--- a/cpp/ql/lib/semmlecode.cpp.dbscheme.stats
+++ b/cpp/ql/lib/semmlecode.cpp.dbscheme.stats
--- a/cpp/ql/lib/upgrades/cf72c8898d19eb1b3374432cf79d8276cb07ad43/old.dbscheme
+++ b/cpp/ql/lib/upgrades/cf72c8898d19eb1b3374432cf79d8276cb07ad43/old.dbscheme
--- a/cpp/ql/lib/upgrades/cf72c8898d19eb1b3374432cf79d8276cb07ad43/semmlecode.cpp.dbscheme
+++ b/cpp/ql/lib/upgrades/cf72c8898d19eb1b3374432cf79d8276cb07ad43/semmlecode.cpp.dbscheme
--- a/cpp/ql/lib/upgrades/cf72c8898d19eb1b3374432cf79d8276cb07ad43/upgrade.properties
+++ b/cpp/ql/lib/upgrades/cf72c8898d19eb1b3374432cf79d8276cb07ad43/upgrade.properties
@@ -1,2 +0,0 @@
-description: Add relation for tracking C++ braced initializers
-compatibility: backwards
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,14 +1,3 @@
-## 0.2.0
-
-## 0.1.4
-
-## 0.1.3
-
-### Minor Analysis Improvements
-
-* The "XML external entity expansion" (`cpp/external-entity-expansion`) query precision has been increased to `high`.
-* The `cpp/unused-local-variable` no longer ignores functions that include `if` and `switch` statements with C++17-style initializers.
-
 ## 0.1.2

 ### Minor Analysis Improvements
--- a/cpp/ql/src/change-notes/2022-04-12-unused-local-variable.md
+++ b/cpp/ql/src/change-notes/2022-04-12-unused-local-variable.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `cpp/unused-local-variable` no longer ignores functions that include `if` and `switch` statements with C++17-style initializers.
--- a/cpp/ql/src/change-notes/2022-05-12-external-entity-expansion.md
+++ b/cpp/ql/src/change-notes/2022-05-12-external-entity-expansion.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "XML external entity expansion" (`cpp/external-entity-expansion`) query precision has been increased to `high`.
--- a/cpp/ql/src/change-notes/released/0.1.3.md
+++ b/cpp/ql/src/change-notes/released/0.1.3.md
@@ -1,6 +0,0 @@
-## 0.1.3
-
-### Minor Analysis Improvements
-
-* The "XML external entity expansion" (`cpp/external-entity-expansion`) query precision has been increased to `high`.
-* The `cpp/unused-local-variable` no longer ignores functions that include `if` and `switch` statements with C++17-style initializers.
--- a/cpp/ql/src/change-notes/released/0.1.4.md
+++ b/cpp/ql/src/change-notes/released/0.1.4.md
@@ -1 +0,0 @@
-## 0.1.4
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
tombolton	d76916f9ce	remove Xss from ATM	2022-06-28 10:33:07 +01:00
tombolton	d515984929	remove CodeInjection from ATM	2022-06-21 15:57:28 +01:00
tombolton	75dc3322d3	add Xss endpoint filters to XssThroughDom	2022-06-21 14:41:57 +01:00
tombolton	2771d3471b	update XssThroughDom with Eriks recent changes	2022-05-25 14:44:14 +01:00
tombolton	07251ac35c	replace StoredXss with CodeInjection in alert counting query	2022-05-25 14:44:14 +01:00
tombolton	c397a98922	remove additional XssThroughDom import	2022-05-25 14:44:14 +01:00
tombolton	dadfbb886a	fix case in ExtractEndpointData.qll	2022-05-25 14:44:13 +01:00
tombolton	27f50d6118	update docstrings of CodeInjection and XssThroughDom queries	2022-05-25 14:44:13 +01:00
tombolton	a71f10494f	explicitly include individual boosted queries in the ATM suite	2022-05-25 14:44:13 +01:00
tombolton	63626fdc67	add XssThroughDomATM.ql	2022-05-25 14:44:13 +01:00
tombolton	be6f6f5298	use new module names based on depreciation warning	2022-05-25 14:44:12 +01:00
tombolton	9ef4bf5441	fix case in CodeInjectionATM.qll	2022-05-25 14:44:12 +01:00
tombolton	a7d385cf99	add XssThroughDom and CodeInjection to mapping query	2022-05-25 14:44:12 +01:00
tombolton	adb4fc324f	add XssThroughDom and CodeInjection to ExtractEndpointData.qll	2022-05-25 14:44:12 +01:00
tombolton	5f5e86c2b2	add XssThroughDom and CodeInjection to Queries.qll	2022-05-25 14:44:11 +01:00
tombolton	0c4dc1a143	add CodeInjection sink to the endpoint types	2022-05-25 14:44:11 +01:00
tombolton	de1bc89099	add CodeInjection extraction and evaluation queries	2022-05-25 14:44:11 +01:00
tombolton	f2f6379054	fix docstrings in XssThroughDom queries	2022-05-25 14:44:10 +01:00
tombolton	f2a0c38232	add XssThroughDom extraction and evaluation queries	2022-05-25 14:44:10 +01:00