use ATM model from training run classification_1659313637_335f5d4e

Kotlin: Fix the type of TypeResultGeneric.cast

.github/labeler.yml

@@ -42,3 +42,4 @@ documentation:
 
 "QL-for-QL":
   - ql/**/*
+  - .github/workflows/ql-for-ql*

.github/workflows/go-tests.yml

@@ -11,10 +11,10 @@ jobs:
     name: Test Linux (Ubuntu)
     runs-on: ubuntu-latest
     steps:
-      - name: Set up Go 1.18.1
+      - name: Set up Go 1.19
         uses: actions/setup-go@v3
         with:
-          go-version: 1.18.1
+          go-version: 1.19
         id: go
 
       - name: Check out code
@@ -57,10 +57,10 @@ jobs:
     name: Test MacOS
     runs-on: macos-latest
     steps:
-      - name: Set up Go 1.18.1
+      - name: Set up Go 1.19
         uses: actions/setup-go@v3
         with:
-          go-version: 1.18.1
+          go-version: 1.19
         id: go
 
       - name: Check out code
@@ -87,10 +87,10 @@ jobs:
     name: Test Windows
     runs-on: windows-2019
     steps:
-      - name: Set up Go 1.18.1
+      - name: Set up Go 1.19
         uses: actions/setup-go@v3
         with:
-          go-version: 1.18.1
+          go-version: 1.19
         id: go
 
       - name: Check out code

.github/workflows/ql-for-ql-build.yml

@@ -17,7 +17,7 @@ jobs:
       - uses: actions/checkout@v3
       - name: Find codeql
         id: find-codeql
-        uses: github/codeql-action/init@aa93aea877e5fb8841bcb1193f672abf6e9f2980
+        uses: github/codeql-action/init@71a8b35ff4c80fcfcd05bc1cd932fe3c08f943ca
         with:
           languages: javascript # does not matter
       - name: Get CodeQL version
@@ -27,30 +27,37 @@ jobs:
         shell: bash
         env:
           CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
+      - name: Cache entire pack
+        id: cache-pack
+        uses: actions/cache@v3
+        with:
+          path: ${{ runner.temp }}/pack
+          key: ${{ runner.os }}-pack-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('ql/**/*.rs') }}-${{ hashFiles('ql/**/*.ql*') }}-${{ hashFiles('ql/**/qlpack.yml') }}-${{ hashFiles('ql/ql/src/ql.dbscheme*') }}-${{ steps.get-codeql-version.outputs.version }}--${{ hashFiles('.github/workflows/ql-for-ql-build.yml') }}
       - name: Cache queries
+        if: steps.cache-pack.outputs.cache-hit != 'true'
         id: cache-queries
         uses: actions/cache@v3
         with:
-          path: ${{ runner.temp }}/query-pack.zip
-          key: queries-${{ hashFiles('ql/**/*.ql*') }}-${{ hashFiles('ql/**/qlpack.yml') }}-${{ hashFiles('ql/ql/src/ql.dbscheme*') }}-${{ steps.get-codeql-version.outputs.version }}
+          path: ${{ runner.temp }}/queries
+          key: queries-${{ hashFiles('ql/**/*.ql*') }}-${{ hashFiles('ql/**/qlpack.yml') }}-${{ hashFiles('ql/ql/src/ql.dbscheme*') }}-${{ steps.get-codeql-version.outputs.version }}--${{ hashFiles('.github/workflows/ql-for-ql-build.yml') }}
       - name: Build query pack
-        if: steps.cache-queries.outputs.cache-hit != 'true'
+        if: steps.cache-queries.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
         run: |
           cd ql/ql/src
-          "${CODEQL}" pack create
-          cd .codeql/pack/codeql/ql/0.0.0
-          zip "${PACKZIP}" -r .
+          "${CODEQL}" pack create -j 16
+          mv .codeql/pack/codeql/ql/0.0.0 ${{ runner.temp }}/queries
         env:
           CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
-          PACKZIP: ${{ runner.temp }}/query-pack.zip
-      - name: Upload query pack
-        uses: actions/upload-artifact@v3
-        with:
-          name: query-pack-zip
-          path: ${{ runner.temp }}/query-pack.zip
-
+      - name: Move cache queries to pack
+        if: steps.cache-pack.outputs.cache-hit != 'true'
+        run: |
+          cp -r ${{ runner.temp }}/queries ${{ runner.temp }}/pack
+        env:
+          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
+      
       ### Build the extractor ###
       - name: Cache entire extractor
+        if: steps.cache-pack.outputs.cache-hit != 'true'
         id: cache-extractor
         uses: actions/cache@v3
         with:
@@ -61,7 +68,7 @@ jobs:
             ql/target/release/ql-extractor.exe
           key: ${{ runner.os }}-extractor-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('ql/**/*.rs') }}
       - name: Cache cargo
-        if: steps.cache-extractor.outputs.cache-hit != 'true'
+        if: steps.cache-extractor.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
         uses: actions/cache@v3
         with:
           path: |
@@ -70,72 +77,35 @@ jobs:
             ql/target
           key: ${{ runner.os }}-rust-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
       - name: Check formatting
-        if: steps.cache-extractor.outputs.cache-hit != 'true'
+        if: steps.cache-extractor.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
         run: cd ql; cargo fmt --all -- --check
       - name: Build
-        if: steps.cache-extractor.outputs.cache-hit != 'true'
+        if: steps.cache-extractor.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
         run: cd ql; cargo build --verbose
       - name: Run tests
-        if: steps.cache-extractor.outputs.cache-hit != 'true'
+        if: steps.cache-extractor.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
         run: cd ql; cargo test --verbose
       - name: Release build
-        if: steps.cache-extractor.outputs.cache-hit != 'true'
+        if: steps.cache-extractor.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
         run: cd ql; cargo build --release
       - name: Generate dbscheme
-        if: steps.cache-extractor.outputs.cache-hit != 'true'
+        if: steps.cache-extractor.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
         run: ql/target/release/ql-generator --dbscheme ql/ql/src/ql.dbscheme --library ql/ql/src/codeql_ql/ast/internal/TreeSitter.qll
-      - uses: actions/upload-artifact@v3
-        with:
-          name: extractor-ubuntu-latest
-          path: |
-            ql/target/release/ql-autobuilder
-            ql/target/release/ql-autobuilder.exe
-            ql/target/release/ql-extractor
-            ql/target/release/ql-extractor.exe
-          retention-days: 1
 
       ### Package the queries and extractor ###
-      - uses: actions/download-artifact@v3
-        with:
-          name: query-pack-zip
-          path: query-pack-zip
-      - uses: actions/download-artifact@v3
-        with:
-          name: extractor-ubuntu-latest
-          path: linux64
-      - run: |
-          unzip query-pack-zip/*.zip -d pack
-          cp -r ql/codeql-extractor.yml ql/tools ql/ql/src/ql.dbscheme.stats pack/
-          mkdir -p pack/tools/linux64
-          if [[ -f linux64/ql-autobuilder ]]; then
-            cp linux64/ql-autobuilder pack/tools/linux64/autobuilder
-            chmod +x pack/tools/linux64/autobuilder
-          fi
-          if [[ -f linux64/ql-extractor ]]; then
-            cp linux64/ql-extractor pack/tools/linux64/extractor
-            chmod +x pack/tools/linux64/extractor
-          fi
-          cd pack
-          zip -rq ../codeql-ql.zip .
-      - uses: actions/upload-artifact@v3
-        with:
-          name: codeql-ql-pack
-          path: codeql-ql.zip
-          retention-days: 1
+      - name: Package pack
+        if: steps.cache-pack.outputs.cache-hit != 'true'
+        run: |
+          cp -r ql/codeql-extractor.yml ql/tools ql/ql/src/ql.dbscheme.stats ${PACK}/
+          mkdir -p ${PACK}/tools/linux64
+          cp ql/target/release/ql-autobuilder  ${PACK}/tools/linux64/autobuilder
+          cp ql/target/release/ql-extractor ${PACK}/tools/linux64/extractor
+          chmod +x ${PACK}/tools/linux64/autobuilder
+          chmod +x ${PACK}/tools/linux64/extractor
+        env:
+          PACK: ${{ runner.temp }}/pack
 
       ### Run the analysis ###
-      - name: Download pack
-        uses: actions/download-artifact@v3
-        with:
-          name: codeql-ql-pack
-          path: ${{ runner.temp }}/codeql-ql-pack-artifact
-
-      - name: Prepare pack
-        run: |
-          unzip "${PACK_ARTIFACT}/*.zip" -d "${PACK}"
-        env:
-          PACK_ARTIFACT: ${{ runner.temp }}/codeql-ql-pack-artifact
-          PACK: ${{ runner.temp }}/pack
       - name: Hack codeql-action options
         run: |
           JSON=$(jq -nc --arg pack "${PACK}" '.database."run-queries"=["--search-path", $pack] | .resolve.queries=["--search-path", $pack] | .resolve.extractor=["--search-path", $pack] | .database.init=["--search-path", $pack]')
@@ -149,21 +119,26 @@ jobs:
           echo "  - ql/ql/test" >> ${CONF} 
           echo "  - \"*/ql/lib/upgrades/\"" >> ${CONF} 
           echo "disable-default-queries: true" >> ${CONF}
-          echo "packs:" >> ${CONF}
-          echo "  - codeql/ql" >> ${CONF}
+          echo "queries:" >> ${CONF}
+          echo "  - uses: ./ql/ql/src/codeql-suites/ql-code-scanning.qls" >> ${CONF}
           echo "Config file: "
           cat ${CONF}
         env: 
           CONF: ./ql-for-ql-config.yml
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@aa93aea877e5fb8841bcb1193f672abf6e9f2980
+        uses: github/codeql-action/init@71a8b35ff4c80fcfcd05bc1cd932fe3c08f943ca
         with:
           languages: ql
           db-location: ${{ runner.temp }}/db
           config-file: ./ql-for-ql-config.yml
+      - name: Move pack cache
+        run: |
+          cp -r ${PACK}/.cache ql/ql/src/.cache
+        env:
+          PACK: ${{ runner.temp }}/pack
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@aa93aea877e5fb8841bcb1193f672abf6e9f2980
+        uses: github/codeql-action/analyze@71a8b35ff4c80fcfcd05bc1cd932fe3c08f943ca
         with: 
           category: "ql-for-ql"
       - name: Copy sarif file to CWD

.github/workflows/ql-for-ql-dataset_measure.yml

@@ -25,7 +25,7 @@ jobs:
 
       - name: Find codeql
         id: find-codeql
-        uses: github/codeql-action/init@aa93aea877e5fb8841bcb1193f672abf6e9f2980
+        uses: github/codeql-action/init@71a8b35ff4c80fcfcd05bc1cd932fe3c08f943ca
         with:
           languages: javascript # does not matter
       - uses: actions/cache@v3

.github/workflows/ql-for-ql-tests.yml

@@ -22,7 +22,7 @@ jobs:
       - uses: actions/checkout@v3
       - name: Find codeql
         id: find-codeql
-        uses: github/codeql-action/init@aa93aea877e5fb8841bcb1193f672abf6e9f2980
+        uses: github/codeql-action/init@71a8b35ff4c80fcfcd05bc1cd932fe3c08f943ca
         with:
           languages: javascript # does not matter
       - uses: actions/cache@v3
@@ -44,7 +44,7 @@ jobs:
           CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
       - name: Check QL formatting
         run: |
-          find ql/ql "(" -name "*.ql" -or -name "*.qll" ")" -print0 | xargs -0 "${CODEQL}" query format --check-only
+          find ql/ql/src "(" -name "*.ql" -or -name "*.qll" ")" -print0 | xargs -0 "${CODEQL}" query format --check-only
         env:
           CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
       - name: Check QL compilation

config/identical-files.json

@@ -462,9 +462,6 @@
   ],
   "SSA C#": [
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll",
-    "csharp/ql/lib/semmle/code/csharp/controlflow/internal/pressa/SsaImplCommon.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/basessa/SsaImplCommon.qll",
-    "csharp/ql/lib/semmle/code/cil/internal/SsaImplCommon.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/SsaImplCommon.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll",
     "swift/ql/lib/codeql/swift/dataflow/internal/SsaImplCommon.qll"
@@ -485,28 +482,39 @@
     "ruby/ql/lib/codeql/ruby/security/internal/SensitiveDataHeuristics.qll"
   ],
   "ReDoS Util Python/JS/Ruby/Java": [
-    "javascript/ql/lib/semmle/javascript/security/performance/ReDoSUtil.qll",
-    "python/ql/lib/semmle/python/security/performance/ReDoSUtil.qll",
-    "ruby/ql/lib/codeql/ruby/security/performance/ReDoSUtil.qll",
-    "java/ql/lib/semmle/code/java/security/performance/ReDoSUtil.qll"
+    "javascript/ql/lib/semmle/javascript/security/regexp/NfaUtils.qll",
+    "python/ql/lib/semmle/python/security/regexp/NfaUtils.qll",
+    "ruby/ql/lib/codeql/ruby/security/regexp/NfaUtils.qll",
+    "java/ql/lib/semmle/code/java/security/regexp/NfaUtils.qll"
   ],
   "ReDoS Exponential Python/JS/Ruby/Java": [
-    "javascript/ql/lib/semmle/javascript/security/performance/ExponentialBackTracking.qll",
-    "python/ql/lib/semmle/python/security/performance/ExponentialBackTracking.qll",
-    "ruby/ql/lib/codeql/ruby/security/performance/ExponentialBackTracking.qll",
-    "java/ql/lib/semmle/code/java/security/performance/ExponentialBackTracking.qll"
+    "javascript/ql/lib/semmle/javascript/security/regexp/ExponentialBackTracking.qll",
+    "python/ql/lib/semmle/python/security/regexp/ExponentialBackTracking.qll",
+    "ruby/ql/lib/codeql/ruby/security/regexp/ExponentialBackTracking.qll",
+    "java/ql/lib/semmle/code/java/security/regexp/ExponentialBackTracking.qll"
   ],
   "ReDoS Polynomial Python/JS/Ruby/Java": [
-    "javascript/ql/lib/semmle/javascript/security/performance/SuperlinearBackTracking.qll",
-    "python/ql/lib/semmle/python/security/performance/SuperlinearBackTracking.qll",
-    "ruby/ql/lib/codeql/ruby/security/performance/SuperlinearBackTracking.qll",
-    "java/ql/lib/semmle/code/java/security/performance/SuperlinearBackTracking.qll"
+    "javascript/ql/lib/semmle/javascript/security/regexp/SuperlinearBackTracking.qll",
+    "python/ql/lib/semmle/python/security/regexp/SuperlinearBackTracking.qll",
+    "ruby/ql/lib/codeql/ruby/security/regexp/SuperlinearBackTracking.qll",
+    "java/ql/lib/semmle/code/java/security/regexp/SuperlinearBackTracking.qll"
+  ],
+  "RegexpMatching Python/JS/Ruby": [
+    "javascript/ql/lib/semmle/javascript/security/regexp/RegexpMatching.qll",
+    "python/ql/lib/semmle/python/security/regexp/RegexpMatching.qll",
+    "ruby/ql/lib/codeql/ruby/security/regexp/RegexpMatching.qll"
   ],
   "BadTagFilterQuery Python/JS/Ruby": [
     "javascript/ql/lib/semmle/javascript/security/BadTagFilterQuery.qll",
     "python/ql/lib/semmle/python/security/BadTagFilterQuery.qll",
     "ruby/ql/lib/codeql/ruby/security/BadTagFilterQuery.qll"
   ],
+  "OverlyLargeRange Python/JS/Ruby/Java": [
+    "javascript/ql/lib/semmle/javascript/security/OverlyLargeRangeQuery.qll",
+    "python/ql/lib/semmle/python/security/OverlyLargeRangeQuery.qll",
+    "ruby/ql/lib/codeql/ruby/security/OverlyLargeRangeQuery.qll",
+    "java/ql/lib/semmle/code/java/security/OverlyLargeRangeQuery.qll"
+  ],
   "CFG": [
     "csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImplShared.qll",
     "ruby/ql/lib/codeql/ruby/controlflow/internal/ControlFlowGraphImplShared.qll",
@@ -573,18 +581,22 @@
   ],
   "Swift declarations test file": [
     "swift/ql/test/extractor-tests/declarations/declarations.swift",
-    "swift/ql/test/library-tests/parent/declarations.swift"
+    "swift/ql/test/library-tests/ast/declarations.swift"
   ],
   "Swift statements test file": [
     "swift/ql/test/extractor-tests/statements/statements.swift",
-    "swift/ql/test/library-tests/parent/statements.swift"
+    "swift/ql/test/library-tests/ast/statements.swift"
   ],
   "Swift expressions test file": [
     "swift/ql/test/extractor-tests/expressions/expressions.swift",
-    "swift/ql/test/library-tests/parent/expressions.swift"
+    "swift/ql/test/library-tests/ast/expressions.swift"
   ],
   "Swift patterns test file": [
     "swift/ql/test/extractor-tests/patterns/patterns.swift",
-    "swift/ql/test/library-tests/parent/patterns.swift"
+    "swift/ql/test/library-tests/ast/patterns.swift"
+  ],
+  "IncompleteMultiCharacterSanitization JS/Ruby": [
+    "javascript/ql/lib/semmle/javascript/security/IncompleteMultiCharacterSanitizationQuery.qll",
+    "ruby/ql/lib/codeql/ruby/security/IncompleteMultiCharacterSanitizationQuery.qll"
   ]
-}
+}

cpp/downgrades/73af5058c6899dcdb05754c27ca966aeb3a68c94/exprs.ql

@@ -0,0 +1,13 @@
+class Expr extends @expr {
+  string toString() { none() }
+}
+
+class Location extends @location_expr {
+  string toString() { none() }
+}
+
+from Expr expr, int kind, int kind_new, Location location
+where
+  exprs(expr, kind, location) and
+  if expr instanceof @blockassignexpr then kind_new = 0 else kind_new = kind
+select expr, kind_new, location

cpp/downgrades/73af5058c6899dcdb05754c27ca966aeb3a68c94/upgrade.properties

@@ -0,0 +1,3 @@
+description: Support block assignment
+compatibility: partial
+exprs.rel: run exprs.qlo

cpp/downgrades/f96ad9b2da43bbc9e55a72a165febd270ae07981/upgrade.properties

@@ -0,0 +1,3 @@
+description: Add relation for orphaned local variables
+compatibility: full
+orphaned_variables.rel: delete

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,19 @@
+## 0.3.4
+
+### Deprecated APIs
+
+* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide. 
+  The old name still exists as a deprecated alias.
+
+### New Features
+
+* Added support for getting the link targets of global and namespace variables.
+* Added a `BlockAssignExpr` class, which models a `memcpy`-like operation used in compiler generated copy/move constructors and assignment operations.
+
+### Minor Analysis Improvements
+
+* All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
+
 ## 0.3.3
 
 ### New Features

cpp/ql/lib/change-notes/released/0.3.4.md

@@ -0,0 +1,15 @@
+## 0.3.4
+
+### Deprecated APIs
+
+* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide. 
+  The old name still exists as a deprecated alias.
+
+### New Features
+
+* Added support for getting the link targets of global and namespace variables.
+* Added a `BlockAssignExpr` class, which models a `memcpy`-like operation used in compiler generated copy/move constructors and assignment operations.
+
+### Minor Analysis Improvements
+
+* All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.3.3
+lastReleaseVersion: 0.3.4

cpp/ql/lib/experimental/semmle/code/cpp/semantic/SemanticExprSpecific.qll

@@ -119,27 +119,67 @@ module SemanticExprConfig {
     result = block.getDisplayIndex()
   }
 
-  class SsaVariable instanceof IR::Instruction {
-    SsaVariable() { super.hasMemoryResult() }
+  newtype TSsaVariable =
+    TSsaInstruction(IR::Instruction instr) { instr.hasMemoryResult() } or
+    TSsaOperand(IR::Operand op) { op.isDefinitionInexact() }
 
-    final string toString() { result = super.toString() }
+  class SsaVariable extends TSsaVariable {
+    string toString() { none() }
 
-    final Location getLocation() { result = super.getLocation() }
+    Location getLocation() { none() }
+
+    IR::Instruction asInstruction() { none() }
+
+    IR::Operand asOperand() { none() }
   }
 
-  predicate explicitUpdate(SsaVariable v, Expr sourceExpr) { v = sourceExpr }
+  class SsaInstructionVariable extends SsaVariable, TSsaInstruction {
+    IR::Instruction instr;
 
-  predicate phi(SsaVariable v) { v instanceof IR::PhiInstruction }
+    SsaInstructionVariable() { this = TSsaInstruction(instr) }
 
-  SsaVariable getAPhiInput(SsaVariable v) { result = v.(IR::PhiInstruction).getAnInput() }
+    final override string toString() { result = instr.toString() }
 
-  Expr getAUse(SsaVariable v) { result.(IR::LoadInstruction).getSourceValue() = v }
+    final override Location getLocation() { result = instr.getLocation() }
+
+    final override IR::Instruction asInstruction() { result = instr }
+  }
+
+  class SsaOperand extends SsaVariable, TSsaOperand {
+    IR::Operand op;
+
+    SsaOperand() { this = TSsaOperand(op) }
+
+    final override string toString() { result = op.toString() }
+
+    final override Location getLocation() { result = op.getLocation() }
+
+    final override IR::Operand asOperand() { result = op }
+  }
+
+  predicate explicitUpdate(SsaVariable v, Expr sourceExpr) { v.asInstruction() = sourceExpr }
+
+  predicate phi(SsaVariable v) { v.asInstruction() instanceof IR::PhiInstruction }
+
+  SsaVariable getAPhiInput(SsaVariable v) {
+    exists(IR::PhiInstruction instr |
+      result.asInstruction() = instr.getAnInput()
+      or
+      result.asOperand() = instr.getAnInputOperand()
+    )
+  }
+
+  Expr getAUse(SsaVariable v) { result.(IR::LoadInstruction).getSourceValue() = v.asInstruction() }
 
   SemType getSsaVariableType(SsaVariable v) {
-    result = getSemanticType(v.(IR::Instruction).getResultIRType())
+    result = getSemanticType(v.asInstruction().getResultIRType())
   }
 
-  BasicBlock getSsaVariableBasicBlock(SsaVariable v) { result = v.(IR::Instruction).getBlock() }
+  BasicBlock getSsaVariableBasicBlock(SsaVariable v) {
+    result = v.asInstruction().getBlock()
+    or
+    result = v.asOperand().getUse().getBlock()
+  }
 
   private newtype TReadPosition =
     TReadPositionBlock(IR::IRBlock block) or
@@ -169,7 +209,9 @@ module SemanticExprConfig {
 
     final override predicate hasRead(SsaVariable v) {
       exists(IR::Operand operand |
-        operand.getDef() = v and not operand instanceof IR::PhiInputOperand
+        operand.getDef() = v.asInstruction() and
+        not operand instanceof IR::PhiInputOperand and
+        operand.getUse().getBlock() = block
       )
     }
   }
@@ -186,7 +228,7 @@ module SemanticExprConfig {
 
     final override predicate hasRead(SsaVariable v) {
       exists(IR::PhiInputOperand operand |
-        operand.getDef() = v and
+        operand.getDef() = v.asInstruction() and
         operand.getPredecessorBlock() = pred and
         operand.getUse().getBlock() = succ
       )
@@ -205,17 +247,16 @@ module SemanticExprConfig {
     exists(IR::PhiInputOperand operand |
       pos = TReadPositionPhiInputEdge(operand.getPredecessorBlock(), operand.getUse().getBlock())
     |
-      phi = operand.getUse() and input = operand.getDef()
+      phi.asInstruction() = operand.getUse() and
+      (
+        input.asInstruction() = operand.getDef()
+        or
+        input.asOperand() = operand
+      )
     )
   }
 
   class Bound instanceof IRBound::Bound {
-    Bound() {
-      this instanceof IRBound::ZeroBound
-      or
-      this.(IRBound::ValueNumberBound).getValueNumber().getAnInstruction() instanceof SsaVariable
-    }
-
     string toString() { result = super.toString() }
 
     final Location getLocation() { result = super.getLocation() }
@@ -228,13 +269,13 @@ module SemanticExprConfig {
 
     override string toString() {
       result =
-        min(SsaVariable instr |
-          instr = bound.getValueNumber().getAnInstruction()
+        min(SsaVariable v |
+          v.asInstruction() = bound.getValueNumber().getAnInstruction()
         |
-          instr
+          v
           order by
-            instr.(IR::Instruction).getBlock().getDisplayIndex(),
-            instr.(IR::Instruction).getDisplayIndexInBlock()
+            v.asInstruction().getBlock().getDisplayIndex(),
+            v.asInstruction().getDisplayIndexInBlock()
         ).toString()
     }
   }
@@ -242,7 +283,7 @@ module SemanticExprConfig {
   predicate zeroBound(Bound bound) { bound instanceof IRBound::ZeroBound }
 
   predicate ssaBound(Bound bound, SsaVariable v) {
-    v = bound.(IRBound::ValueNumberBound).getValueNumber().getAnInstruction()
+    v.asInstruction() = bound.(IRBound::ValueNumberBound).getValueNumber().getAnInstruction()
   }
 
   Expr getBoundExpr(Bound bound, int delta) {
@@ -251,22 +292,20 @@ module SemanticExprConfig {
 
   class Guard = IRGuards::IRGuardCondition;
 
-  predicate guard(Guard guard, BasicBlock block) {
-    block = guard.(IRGuards::IRGuardCondition).getBlock()
-  }
+  predicate guard(Guard guard, BasicBlock block) { block = guard.getBlock() }
 
   Expr getGuardAsExpr(Guard guard) { result = guard }
 
   predicate equalityGuard(Guard guard, Expr e1, Expr e2, boolean polarity) {
-    guard.(IRGuards::IRGuardCondition).comparesEq(e1.getAUse(), e2.getAUse(), 0, true, polarity)
+    guard.comparesEq(e1.getAUse(), e2.getAUse(), 0, true, polarity)
   }
 
   predicate guardDirectlyControlsBlock(Guard guard, BasicBlock controlled, boolean branch) {
-    guard.(IRGuards::IRGuardCondition).controls(controlled, branch)
+    guard.controls(controlled, branch)
   }
 
   predicate guardHasBranchEdge(Guard guard, BasicBlock bb1, BasicBlock bb2, boolean branch) {
-    guard.(IRGuards::IRGuardCondition).controlsEdge(bb1, bb2, branch)
+    guard.controlsEdge(bb1, bb2, branch)
   }
 
   Guard comparisonGuard(Expr e) { result = e }
@@ -284,9 +323,13 @@ SemBasicBlock getSemanticBasicBlock(IR::IRBlock block) { result = block }
 
 IR::IRBlock getCppBasicBlock(SemBasicBlock block) { block = result }
 
-SemSsaVariable getSemanticSsaVariable(IR::Instruction instr) { result = instr }
+SemSsaVariable getSemanticSsaVariable(IR::Instruction instr) {
+  result.(SemanticExprConfig::SsaVariable).asInstruction() = instr
+}
 
-IR::Instruction getCppSsaVariableInstruction(SemSsaVariable v) { v = result }
+IR::Instruction getCppSsaVariableInstruction(SemSsaVariable var) {
+  var.(SemanticExprConfig::SsaVariable).asInstruction() = result
+}
 
 SemBound getSemanticBound(IRBound::Bound bound) { result = bound }
 

cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/ModulusAnalysis.qll

@@ -160,6 +160,7 @@ private predicate phiModulusInit(SemSsaPhiNode phi, SemBound b, int val, int mod
 /**
  * Holds if all inputs to `phi` numbered `1` to `rix` are equal to `b + val` modulo `mod`.
  */
+pragma[nomagic]
 private predicate phiModulusRankStep(SemSsaPhiNode phi, SemBound b, int val, int mod, int rix) {
   rix = 0 and
   phiModulusInit(phi, b, val, mod)
@@ -169,7 +170,7 @@ private predicate phiModulusRankStep(SemSsaPhiNode phi, SemBound b, int val, int
     val = remainder(v1, mod)
   |
     exists(int v2, int m2 |
-      rankedPhiInput(phi, inp, edge, rix) and
+      rankedPhiInput(pragma[only_bind_out](phi), inp, edge, rix) and
       phiModulusRankStep(phi, b, v1, m1, rix - 1) and
       ssaModulus(inp, edge, b, v2, m2) and
       mod = m1.gcd(m2).gcd(v1 - v2)

cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeAnalysis.qll

@@ -342,7 +342,10 @@ private class ConvertOrBoxExpr extends SemUnaryExpr {
  * A cast that can be ignored for the purpose of range analysis.
  */
 private class SafeCastExpr extends ConvertOrBoxExpr {
-  SafeCastExpr() { conversionCannotOverflow(getTrackedType(getOperand()), getTrackedType(this)) }
+  SafeCastExpr() {
+    conversionCannotOverflow(getTrackedType(pragma[only_bind_into](getOperand())),
+      getTrackedType(this))
+  }
 }
 
 /**

cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/SignAnalysisCommon.qll

@@ -189,9 +189,12 @@ private class BinarySignExpr extends FlowSignExpr {
   BinarySignExpr() { binary = this }
 
   override Sign getSignRestriction() {
-    result =
-      semExprSign(binary.getLeftOperand())
-          .applyBinaryOp(semExprSign(binary.getRightOperand()), binary.getOpcode())
+    exists(SemExpr left, SemExpr right |
+      binaryExprOperands(binary, left, right) and
+      result =
+        semExprSign(pragma[only_bind_out](left))
+            .applyBinaryOp(semExprSign(pragma[only_bind_out](right)), binary.getOpcode())
+    )
     or
     exists(SemDivExpr div | div = binary |
       result = semExprSign(div.getLeftOperand()) and
@@ -201,6 +204,11 @@ private class BinarySignExpr extends FlowSignExpr {
   }
 }
 
+pragma[nomagic]
+private predicate binaryExprOperands(SemBinaryExpr binary, SemExpr left, SemExpr right) {
+  binary.getLeftOperand() = left and binary.getRightOperand() = right
+}
+
 /**
  * A `Convert`, `Box`, or `Unbox` expression.
  */
@@ -221,7 +229,7 @@ private class UnarySignExpr extends FlowSignExpr {
   UnarySignExpr() { unary = this and not this instanceof SemCastExpr }
 
   override Sign getSignRestriction() {
-    result = semExprSign(unary.getOperand()).applyUnaryOp(unary.getOpcode())
+    result = semExprSign(pragma[only_bind_out](unary.getOperand())).applyUnaryOp(unary.getOpcode())
   }
 }
 

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.3.3
+version: 0.3.5-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/Class.qll

@@ -404,7 +404,10 @@ class Class extends UserType {
    * compiled for. For this reason, the `is_pod_class` predicate is
    * generated by the extractor.
    */
-  predicate isPOD() { is_pod_class(underlyingElement(this)) }
+  predicate isPod() { is_pod_class(underlyingElement(this)) }
+
+  /** DEPRECATED: Alias for isPod */
+  deprecated predicate isPOD() { this.isPod() }
 
   /**
    * Holds if this class, struct or union is a standard-layout class

cpp/ql/lib/semmle/code/cpp/File.qll

@@ -218,8 +218,6 @@ class Folder extends Container, @folder {
 class File extends Container, @file {
   override string getAbsolutePath() { files(underlyingElement(this), result) }
 
-  override string toString() { result = Container.super.toString() }
-
   override string getAPrimaryQlClass() { result = "File" }
 
   override Location getLocation() {

cpp/ql/lib/semmle/code/cpp/Linkage.qll

@@ -41,6 +41,15 @@ class LinkTarget extends @link_target {
    * translation units which contributed to this link target.
    */
   Class getAClass() { link_parent(unresolveElement(result), this) }
+
+  /**
+   * Gets a global or namespace variable which was compiled into this
+   * link target, or had its declaration included by one of the translation
+   * units which contributed to this link target.
+   */
+  GlobalOrNamespaceVariable getAGlobalOrNamespaceVariable() {
+    link_parent(unresolveElement(result), this)
+  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/PODType03.qll

@@ -79,17 +79,17 @@ predicate isAggregateType03(Type t) {
  *   user-defined copy assignment operator and no user-defined destructor.
  *   A POD class is a class that is either a POD-struct or a POD-union.
  */
-predicate isPODClass03(Class c) {
+predicate isPodClass03(Class c) {
   isAggregateClass03(c) and
   not exists(Variable v |
     v.getDeclaringType() = c and
     not v.isStatic()
   |
-    not isPODType03(v.getType())
+    not isPodType03(v.getType())
     or
     exists(ArrayType at |
       at = v.getType() and
-      not isPODType03(at.getBaseType())
+      not isPodType03(at.getBaseType())
     )
     or
     v.getType() instanceof ReferenceType
@@ -104,6 +104,9 @@ predicate isPODClass03(Class c) {
   )
 }
 
+/** DEPRECATED: Alias for isPodClass03 */
+deprecated predicate isPODClass03 = isPodClass03/1;
+
 /**
  * Holds if `t` is a POD type, according to the rules specified in
  * C++03 3.9(10):
@@ -112,14 +115,17 @@ predicate isPODClass03(Class c) {
  *   such types and cv-qualified versions of these types (3.9.3) are
  *   collectively called POD types.
  */
-predicate isPODType03(Type t) {
+predicate isPodType03(Type t) {
   exists(Type ut | ut = t.getUnderlyingType() |
     isScalarType03(ut)
     or
-    isPODClass03(ut)
+    isPodClass03(ut)
     or
-    exists(ArrayType at | at = ut and isPODType03(at.getBaseType()))
+    exists(ArrayType at | at = ut and isPodType03(at.getBaseType()))
     or
-    isPODType03(ut.(SpecifiedType).getUnspecifiedType())
+    isPodType03(ut.(SpecifiedType).getUnspecifiedType())
   )
 }
+
+/** DEPRECATED: Alias for isPodType03 */
+deprecated predicate isPODType03 = isPodType03/1;

cpp/ql/lib/semmle/code/cpp/Specifier.qll

@@ -256,7 +256,7 @@ class AttributeArgument extends Element, @attribute_arg {
 
   /**
    * Gets the text for the value of this argument, if its value is
-   * a constant or token.
+   * a constant or a token.
    */
   string getValueText() {
     if underlyingElement(this) instanceof @attribute_arg_constant_expr

cpp/ql/lib/semmle/code/cpp/Variable.qll

@@ -398,6 +398,8 @@ class LocalVariable extends LocalScopeVariable, @localvariable {
     exists(DeclStmt s | s.getADeclaration() = this and s.getEnclosingFunction() = result)
     or
     exists(ConditionDeclExpr e | e.getVariable() = this and e.getEnclosingFunction() = result)
+    or
+    orphaned_variables(underlyingElement(this), unresolveElement(result))
   }
 }
 
@@ -471,6 +473,9 @@ class GlobalOrNamespaceVariable extends Variable, @globalvariable {
   override Type getType() { globalvariables(underlyingElement(this), unresolveElement(result), _) }
 
   override Element getEnclosingElement() { none() }
+
+  /** Gets a link target which compiled or referenced this global or namespace variable. */
+  LinkTarget getALinkTarget() { this = result.getAGlobalOrNamespaceVariable() }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/XML.qll

@@ -8,7 +8,7 @@ private class TXmlLocatable =
   @xmldtd or @xmlelement or @xmlattribute or @xmlnamespace or @xmlcomment or @xmlcharacters;
 
 /** An XML element that has a location. */
-class XMLLocatable extends @xmllocatable, TXmlLocatable {
+class XmlLocatable extends @xmllocatable, TXmlLocatable {
   /** Gets the source location for this element. */
   Location getLocation() { xmllocations(this, result) }
 
@@ -32,13 +32,16 @@ class XMLLocatable extends @xmllocatable, TXmlLocatable {
   string toString() { none() } // overridden in subclasses
 }
 
+/** DEPRECATED: Alias for XmlLocatable */
+deprecated class XMLLocatable = XmlLocatable;
+
 /**
- * An `XMLParent` is either an `XMLElement` or an `XMLFile`,
+ * An `XmlParent` is either an `XmlElement` or an `XmlFile`,
  * both of which can contain other elements.
  */
-class XMLParent extends @xmlparent {
-  XMLParent() {
-    // explicitly restrict `this` to be either an `XMLElement` or an `XMLFile`;
+class XmlParent extends @xmlparent {
+  XmlParent() {
+    // explicitly restrict `this` to be either an `XmlElement` or an `XmlFile`;
     // the type `@xmlparent` currently also includes non-XML files
     this instanceof @xmlelement or xmlEncoding(this, _)
   }
@@ -50,28 +53,28 @@ class XMLParent extends @xmlparent {
   string getName() { none() } // overridden in subclasses
 
   /** Gets the file to which this XML parent belongs. */
-  XMLFile getFile() { result = this or xmlElements(this, _, _, _, result) }
+  XmlFile getFile() { result = this or xmlElements(this, _, _, _, result) }
 
   /** Gets the child element at a specified index of this XML parent. */
-  XMLElement getChild(int index) { xmlElements(result, _, this, index, _) }
+  XmlElement getChild(int index) { xmlElements(result, _, this, index, _) }
 
   /** Gets a child element of this XML parent. */
-  XMLElement getAChild() { xmlElements(result, _, this, _, _) }
+  XmlElement getAChild() { xmlElements(result, _, this, _, _) }
 
   /** Gets a child element of this XML parent with the given `name`. */
-  XMLElement getAChild(string name) { xmlElements(result, _, this, _, _) and result.hasName(name) }
+  XmlElement getAChild(string name) { xmlElements(result, _, this, _, _) and result.hasName(name) }
 
   /** Gets a comment that is a child of this XML parent. */
-  XMLComment getAComment() { xmlComments(result, _, this, _) }
+  XmlComment getAComment() { xmlComments(result, _, this, _) }
 
   /** Gets a character sequence that is a child of this XML parent. */
-  XMLCharacters getACharactersSet() { xmlChars(result, _, this, _, _, _) }
+  XmlCharacters getACharactersSet() { xmlChars(result, _, this, _, _, _) }
 
-  /** Gets the depth in the tree. (Overridden in XMLElement.) */
+  /** Gets the depth in the tree. (Overridden in XmlElement.) */
   int getDepth() { result = 0 }
 
   /** Gets the number of child XML elements of this XML parent. */
-  int getNumberOfChildren() { result = count(XMLElement e | xmlElements(e, _, this, _, _)) }
+  int getNumberOfChildren() { result = count(XmlElement e | xmlElements(e, _, this, _, _)) }
 
   /** Gets the number of places in the body of this XML parent where text occurs. */
   int getNumberOfCharacterSets() { result = count(int pos | xmlChars(_, _, this, pos, _, _)) }
@@ -92,9 +95,12 @@ class XMLParent extends @xmlparent {
   string toString() { result = this.getName() }
 }
 
+/** DEPRECATED: Alias for XmlParent */
+deprecated class XMLParent = XmlParent;
+
 /** An XML file. */
-class XMLFile extends XMLParent, File {
-  XMLFile() { xmlEncoding(this, _) }
+class XmlFile extends XmlParent, File {
+  XmlFile() { xmlEncoding(this, _) }
 
   /** Gets a printable representation of this XML file. */
   override string toString() { result = this.getName() }
@@ -120,15 +126,21 @@ class XMLFile extends XMLParent, File {
   string getEncoding() { xmlEncoding(this, result) }
 
   /** Gets the XML file itself. */
-  override XMLFile getFile() { result = this }
+  override XmlFile getFile() { result = this }
 
   /** Gets a top-most element in an XML file. */
-  XMLElement getARootElement() { result = this.getAChild() }
+  XmlElement getARootElement() { result = this.getAChild() }
 
   /** Gets a DTD associated with this XML file. */
-  XMLDTD getADTD() { xmlDTDs(result, _, _, _, this) }
+  XmlDtd getADtd() { xmlDTDs(result, _, _, _, this) }
+
+  /** DEPRECATED: Alias for getADtd */
+  deprecated XmlDtd getADTD() { result = this.getADtd() }
 }
 
+/** DEPRECATED: Alias for XmlFile */
+deprecated class XMLFile = XmlFile;
+
 /**
  * An XML document type definition (DTD).
  *
@@ -140,7 +152,7 @@ class XMLFile extends XMLParent, File {
  * <!ELEMENT lastName (#PCDATA)>
  * ```
  */
-class XMLDTD extends XMLLocatable, @xmldtd {
+class XmlDtd extends XmlLocatable, @xmldtd {
   /** Gets the name of the root element of this DTD. */
   string getRoot() { xmlDTDs(this, result, _, _, _) }
 
@@ -154,7 +166,7 @@ class XMLDTD extends XMLLocatable, @xmldtd {
   predicate isPublic() { not xmlDTDs(this, _, "", _, _) }
 
   /** Gets the parent of this DTD. */
-  XMLParent getParent() { xmlDTDs(this, _, _, _, result) }
+  XmlParent getParent() { xmlDTDs(this, _, _, _, result) }
 
   override string toString() {
     this.isPublic() and
@@ -165,6 +177,9 @@ class XMLDTD extends XMLLocatable, @xmldtd {
   }
 }
 
+/** DEPRECATED: Alias for XmlDtd */
+deprecated class XMLDTD = XmlDtd;
+
 /**
  * An XML element in an XML file.
  *
@@ -176,7 +191,7 @@ class XMLDTD extends XMLLocatable, @xmldtd {
  * </manifest>
  * ```
  */
-class XMLElement extends @xmlelement, XMLParent, XMLLocatable {
+class XmlElement extends @xmlelement, XmlParent, XmlLocatable {
   /** Holds if this XML element has the given `name`. */
   predicate hasName(string name) { name = this.getName() }
 
@@ -184,10 +199,10 @@ class XMLElement extends @xmlelement, XMLParent, XMLLocatable {
   override string getName() { xmlElements(this, result, _, _, _) }
 
   /** Gets the XML file in which this XML element occurs. */
-  override XMLFile getFile() { xmlElements(this, _, _, _, result) }
+  override XmlFile getFile() { xmlElements(this, _, _, _, result) }
 
   /** Gets the parent of this XML element. */
-  XMLParent getParent() { xmlElements(this, _, result, _, _) }
+  XmlParent getParent() { xmlElements(this, _, result, _, _) }
 
   /** Gets the index of this XML element among its parent's children. */
   int getIndex() { xmlElements(this, _, _, result, _) }
@@ -196,7 +211,7 @@ class XMLElement extends @xmlelement, XMLParent, XMLLocatable {
   predicate hasNamespace() { xmlHasNs(this, _, _) }
 
   /** Gets the namespace of this XML element, if any. */
-  XMLNamespace getNamespace() { xmlHasNs(this, result, _) }
+  XmlNamespace getNamespace() { xmlHasNs(this, result, _) }
 
   /** Gets the index of this XML element among its parent's children. */
   int getElementPositionIndex() { xmlElements(this, _, _, result, _) }
@@ -205,10 +220,10 @@ class XMLElement extends @xmlelement, XMLParent, XMLLocatable {
   override int getDepth() { result = this.getParent().getDepth() + 1 }
 
   /** Gets an XML attribute of this XML element. */
-  XMLAttribute getAnAttribute() { result.getElement() = this }
+  XmlAttribute getAnAttribute() { result.getElement() = this }
 
   /** Gets the attribute with the specified `name`, if any. */
-  XMLAttribute getAttribute(string name) { result.getElement() = this and result.getName() = name }
+  XmlAttribute getAttribute(string name) { result.getElement() = this and result.getName() = name }
 
   /** Holds if this XML element has an attribute with the specified `name`. */
   predicate hasAttribute(string name) { exists(this.getAttribute(name)) }
@@ -220,6 +235,9 @@ class XMLElement extends @xmlelement, XMLParent, XMLLocatable {
   override string toString() { result = this.getName() }
 }
 
+/** DEPRECATED: Alias for XmlElement */
+deprecated class XMLElement = XmlElement;
+
 /**
  * An attribute that occurs inside an XML element.
  *
@@ -230,18 +248,18 @@ class XMLElement extends @xmlelement, XMLParent, XMLLocatable {
  * android:versionCode="1"
  * ```
  */
-class XMLAttribute extends @xmlattribute, XMLLocatable {
+class XmlAttribute extends @xmlattribute, XmlLocatable {
   /** Gets the name of this attribute. */
   string getName() { xmlAttrs(this, _, result, _, _, _) }
 
   /** Gets the XML element to which this attribute belongs. */
-  XMLElement getElement() { xmlAttrs(this, result, _, _, _, _) }
+  XmlElement getElement() { xmlAttrs(this, result, _, _, _, _) }
 
   /** Holds if this attribute has a namespace. */
   predicate hasNamespace() { xmlHasNs(this, _, _) }
 
   /** Gets the namespace of this attribute, if any. */
-  XMLNamespace getNamespace() { xmlHasNs(this, result, _) }
+  XmlNamespace getNamespace() { xmlHasNs(this, result, _) }
 
   /** Gets the value of this attribute. */
   string getValue() { xmlAttrs(this, _, _, result, _, _) }
@@ -250,6 +268,9 @@ class XMLAttribute extends @xmlattribute, XMLLocatable {
   override string toString() { result = this.getName() + "=" + this.getValue() }
 }
 
+/** DEPRECATED: Alias for XmlAttribute */
+deprecated class XMLAttribute = XmlAttribute;
+
 /**
  * A namespace used in an XML file.
  *
@@ -259,23 +280,29 @@ class XMLAttribute extends @xmlattribute, XMLLocatable {
  * xmlns:android="http://schemas.android.com/apk/res/android"
  * ```
  */
-class XMLNamespace extends XMLLocatable, @xmlnamespace {
+class XmlNamespace extends XmlLocatable, @xmlnamespace {
   /** Gets the prefix of this namespace. */
   string getPrefix() { xmlNs(this, result, _, _) }
 
   /** Gets the URI of this namespace. */
-  string getURI() { xmlNs(this, _, result, _) }
+  string getUri() { xmlNs(this, _, result, _) }
+
+  /** DEPRECATED: Alias for getUri */
+  deprecated string getURI() { result = this.getUri() }
 
   /** Holds if this namespace has no prefix. */
   predicate isDefault() { this.getPrefix() = "" }
 
   override string toString() {
-    this.isDefault() and result = this.getURI()
+    this.isDefault() and result = this.getUri()
     or
-    not this.isDefault() and result = this.getPrefix() + ":" + this.getURI()
+    not this.isDefault() and result = this.getPrefix() + ":" + this.getUri()
   }
 }
 
+/** DEPRECATED: Alias for XmlNamespace */
+deprecated class XMLNamespace = XmlNamespace;
+
 /**
  * A comment in an XML file.
  *
@@ -285,17 +312,20 @@ class XMLNamespace extends XMLLocatable, @xmlnamespace {
  * <!-- This is a comment. -->
  * ```
  */
-class XMLComment extends @xmlcomment, XMLLocatable {
+class XmlComment extends @xmlcomment, XmlLocatable {
   /** Gets the text content of this XML comment. */
   string getText() { xmlComments(this, result, _, _) }
 
   /** Gets the parent of this XML comment. */
-  XMLParent getParent() { xmlComments(this, _, result, _) }
+  XmlParent getParent() { xmlComments(this, _, result, _) }
 
   /** Gets a printable representation of this XML comment. */
   override string toString() { result = this.getText() }
 }
 
+/** DEPRECATED: Alias for XmlComment */
+deprecated class XMLComment = XmlComment;
+
 /**
  * A sequence of characters that occurs between opening and
  * closing tags of an XML element, excluding other elements.
@@ -306,12 +336,12 @@ class XMLComment extends @xmlcomment, XMLLocatable {
  * <content>This is a sequence of characters.</content>
  * ```
  */
-class XMLCharacters extends @xmlcharacters, XMLLocatable {
+class XmlCharacters extends @xmlcharacters, XmlLocatable {
   /** Gets the content of this character sequence. */
   string getCharacters() { xmlChars(this, result, _, _, _, _) }
 
   /** Gets the parent of this character sequence. */
-  XMLParent getParent() { xmlChars(this, _, result, _, _, _) }
+  XmlParent getParent() { xmlChars(this, _, result, _, _, _) }
 
   /** Holds if this character sequence is CDATA. */
   predicate isCDATA() { xmlChars(this, _, _, _, 1, _) }
@@ -319,3 +349,6 @@ class XMLCharacters extends @xmlcharacters, XMLLocatable {
   /** Gets a printable representation of this XML character sequence. */
   override string toString() { result = this.getCharacters() }
 }
+
+/** DEPRECATED: Alias for XmlCharacters */
+deprecated class XMLCharacters = XmlCharacters;

cpp/ql/lib/semmle/code/cpp/commons/Dependency.qll

@@ -238,7 +238,7 @@ predicate dependsOnTransitive(DependsSource src, Element dest) {
 /**
  * A dependency that targets a TypeDeclarationEntry.
  */
-private predicate dependsOnTDE(Element src, Type t, TypeDeclarationEntry dest) {
+private predicate dependsOnTde(Element src, Type t, TypeDeclarationEntry dest) {
   dependsOnTransitive(src, t) and
   getDeclarationEntries(t, dest)
 }
@@ -247,8 +247,8 @@ private predicate dependsOnTDE(Element src, Type t, TypeDeclarationEntry dest) {
  * A dependency that targets a visible TypeDeclarationEntry.
  */
 pragma[noopt]
-private predicate dependsOnVisibleTDE(Element src, Type t, TypeDeclarationEntry dest) {
-  dependsOnTDE(src, t, dest) and
+private predicate dependsOnVisibleTde(Element src, Type t, TypeDeclarationEntry dest) {
+  dependsOnTde(src, t, dest) and
   exists(File g | g = dest.getFile() |
     exists(File f | f = src.getFile() | f.getAnIncludedFile*() = g)
   )
@@ -260,8 +260,8 @@ private predicate dependsOnVisibleTDE(Element src, Type t, TypeDeclarationEntry
 private predicate dependsOnDeclarationEntry(Element src, DeclarationEntry dest) {
   exists(Type t |
     // dependency from a Type use -> unique visible TDE
-    dependsOnVisibleTDE(src, t, dest) and
-    strictcount(TypeDeclarationEntry alt | dependsOnVisibleTDE(src, t, alt)) = 1
+    dependsOnVisibleTde(src, t, dest) and
+    strictcount(TypeDeclarationEntry alt | dependsOnVisibleTde(src, t, alt)) = 1
   )
   or
   exists(TypedefType mid |

cpp/ql/lib/semmle/code/cpp/commons/NULL.qll

@@ -1,11 +1,14 @@
 import semmle.code.cpp.Macro
 
 /** A macro defining NULL. */
-class NULLMacro extends Macro {
-  NULLMacro() { this.getHead() = "NULL" }
+class NullMacro extends Macro {
+  NullMacro() { this.getHead() = "NULL" }
 }
 
+/** DEPRECATED: Alias for NullMacro */
+deprecated class NULLMacro = NullMacro;
+
 /** A use of the NULL macro. */
 class NULL extends Literal {
-  NULL() { exists(NULLMacro nm | this = nm.getAnInvocation().getAnExpandedElement()) }
+  NULL() { exists(NullMacro nm | this = nm.getAnInvocation().getAnExpandedElement()) }
 }

cpp/ql/lib/semmle/code/cpp/commons/Scanf.qll

@@ -143,6 +143,28 @@ class ScanfFunctionCall extends FunctionCall {
    * (rather than a `char*`).
    */
   predicate isWideCharDefault() { this.getScanfFunction().isWideCharDefault() }
+
+  /**
+   * Gets the output argument at position `n` in the vararg list of this call.
+   *
+   * The range of `n` is from `0` to `this.getNumberOfOutputArguments() - 1`.
+   */
+  Expr getOutputArgument(int n) {
+    result = this.getArgument(this.getTarget().getNumberOfParameters() + n) and
+    n >= 0
+  }
+
+  /**
+   * Gets an output argument given to this call in vararg position.
+   */
+  Expr getAnOutputArgument() { result = this.getOutputArgument(_) }
+
+  /**
+   * Gets the number of output arguments present in this call.
+   */
+  int getNumberOfOutputArguments() {
+    result = this.getNumberOfArguments() - this.getTarget().getNumberOfParameters()
+  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/controlflow/BasicBlocks.qll

@@ -231,7 +231,7 @@ class BasicBlock extends ControlFlowNodeBase {
     exists(Function f | f.getBlock() = this)
     or
     exists(TryStmt t, BasicBlock tryblock |
-      // a `Handler` preceeds the `CatchBlock`, and is always the beginning
+      // a `Handler` precedes the `CatchBlock`, and is always the beginning
       // of a new `BasicBlock` (see `primitive_basic_block_entry_node`).
       this.(Handler).getTryStmt() = t and
       tryblock.isReachable() and

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll

@@ -3061,7 +3061,7 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
       else cc instanceof CallContextAny
     ) and
     sc instanceof SummaryCtxNone and
-    ap instanceof AccessPathNil
+    ap = TAccessPathNil(node.getDataFlowType())
   }
 
   predicate isAtSink() {

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll

@@ -3061,7 +3061,7 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
       else cc instanceof CallContextAny
     ) and
     sc instanceof SummaryCtxNone and
-    ap instanceof AccessPathNil
+    ap = TAccessPathNil(node.getDataFlowType())
   }
 
   predicate isAtSink() {

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll

@@ -3061,7 +3061,7 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
       else cc instanceof CallContextAny
     ) and
     sc instanceof SummaryCtxNone and
-    ap instanceof AccessPathNil
+    ap = TAccessPathNil(node.getDataFlowType())
   }
 
   predicate isAtSink() {

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll

@@ -3061,7 +3061,7 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
       else cc instanceof CallContextAny
     ) and
     sc instanceof SummaryCtxNone and
-    ap instanceof AccessPathNil
+    ap = TAccessPathNil(node.getDataFlowType())
   }
 
   predicate isAtSink() {

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll

@@ -3061,7 +3061,7 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
       else cc instanceof CallContextAny
     ) and
     sc instanceof SummaryCtxNone and
-    ap instanceof AccessPathNil
+    ap = TAccessPathNil(node.getDataFlowType())
   }
 
   predicate isAtSink() {

cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowVar.qll

@@ -474,7 +474,7 @@ module FlowVar_internal {
   }
 
   /** Type-specialized version of `getEnclosingElement`. */
-  private ControlFlowNode getCFNParent(ControlFlowNode node) { result = node.getEnclosingElement() }
+  private ControlFlowNode getCfnParent(ControlFlowNode node) { result = node.getEnclosingElement() }
 
   /**
    * A for-loop or while-loop whose condition is always true upon entry but not
@@ -526,7 +526,7 @@ module FlowVar_internal {
     }
 
     private predicate bbInLoopCondition(BasicBlock bb) {
-      getCFNParent*(bb.getANode()) = this.(Loop).getCondition()
+      getCfnParent*(bb.getANode()) = this.(Loop).getCondition()
     }
 
     private predicate bbInLoop(BasicBlock bb) {

cpp/ql/lib/semmle/code/cpp/exprs/Assignment.qll

@@ -47,6 +47,20 @@ class AssignExpr extends Assignment, @assignexpr {
   override string toString() { result = "... = ..." }
 }
 
+/**
+ * A compiler generated assignment operation that may occur in a compiler generated
+ * copy/move constructor or assignment operator, and which functions like `memcpy`
+ * where the size argument is based on the type of the rvalue of the assignment.
+ */
+class BlockAssignExpr extends Assignment, @blockassignexpr {
+  override string getOperator() { result = "=" }
+
+  override string getAPrimaryQlClass() { result = "BlockAssignExpr" }
+
+  /** Gets a textual representation of this assignment. */
+  override string toString() { result = "... = ..." }
+}
+
 /**
  * A non-overloaded binary assignment operation other than `=`.
  *

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll

@@ -3061,7 +3061,7 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
       else cc instanceof CallContextAny
     ) and
     sc instanceof SummaryCtxNone and
-    ap instanceof AccessPathNil
+    ap = TAccessPathNil(node.getDataFlowType())
   }
 
   predicate isAtSink() {

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -3061,7 +3061,7 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
       else cc instanceof CallContextAny
     ) and
     sc instanceof SummaryCtxNone and
-    ap instanceof AccessPathNil
+    ap = TAccessPathNil(node.getDataFlowType())
   }
 
   predicate isAtSink() {

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -3061,7 +3061,7 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
       else cc instanceof CallContextAny
     ) and
     sc instanceof SummaryCtxNone and
-    ap instanceof AccessPathNil
+    ap = TAccessPathNil(node.getDataFlowType())
   }
 
   predicate isAtSink() {

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

@@ -3061,7 +3061,7 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
       else cc instanceof CallContextAny
     ) and
     sc instanceof SummaryCtxNone and
-    ap instanceof AccessPathNil
+    ap = TAccessPathNil(node.getDataFlowType())
   }
 
   predicate isAtSink() {

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplSpecific.qll

@@ -1,18 +0,0 @@
-private import semmle.code.cpp.ir.IR
-private import SsaInternals as Ssa
-
-class BasicBlock = IRBlock;
-
-class SourceVariable = Ssa::SourceVariable;
-
-BasicBlock getImmediateBasicBlockDominator(BasicBlock bb) { result.immediatelyDominates(bb) }
-
-BasicBlock getABasicBlockSuccessor(BasicBlock bb) { result = bb.getASuccessor() }
-
-class ExitBasicBlock extends IRBlock {
-  ExitBasicBlock() { this.getLastInstruction() instanceof ExitFunctionInstruction }
-}
-
-predicate variableWrite = Ssa::variableWrite/4;
-
-predicate variableRead = Ssa::variableRead/4;

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -1,10 +1,10 @@
-import SsaImplCommon
 private import cpp as Cpp
 private import semmle.code.cpp.ir.IR
 private import DataFlowUtil
 private import DataFlowImplCommon as DataFlowImplCommon
 private import semmle.code.cpp.models.interfaces.Allocation as Alloc
 private import semmle.code.cpp.models.interfaces.DataFlow as DataFlow
+private import SsaImplCommon as SsaImplCommon
 
 private module SourceVariables {
   private newtype TSourceVariable =
@@ -38,8 +38,6 @@ private module SourceVariables {
   }
 }
 
-import SourceVariables
-
 cached
 private newtype TDefOrUse =
   TExplicitDef(Instruction store) { explicitWrite(_, store, _) } or
@@ -86,7 +84,7 @@ abstract class Def extends DefOrUse {
   Instruction getInstruction() { result = store }
 
   /** Gets the variable that is defined by this definition. */
-  abstract SourceVariable getSourceVariable();
+  abstract SourceVariables::SourceVariable getSourceVariable();
 
   /** Holds if this definition is guaranteed to happen. */
   abstract predicate isCertain();
@@ -103,10 +101,10 @@ abstract class Def extends DefOrUse {
 private class ExplicitDef extends Def, TExplicitDef {
   ExplicitDef() { this = TExplicitDef(store) }
 
-  override SourceVariable getSourceVariable() {
+  override SourceVariables::SourceVariable getSourceVariable() {
     exists(VariableInstruction var |
       explicitWrite(_, this.getInstruction(), var) and
-      result.(SourceIRVariable).getIRVariable() = var.getIRVariable()
+      result.(SourceVariables::SourceIRVariable).getIRVariable() = var.getIRVariable()
     )
   }
 
@@ -116,11 +114,11 @@ private class ExplicitDef extends Def, TExplicitDef {
 private class ParameterDef extends Def, TInitializeParam {
   ParameterDef() { this = TInitializeParam(store) }
 
-  override SourceVariable getSourceVariable() {
-    result.(SourceIRVariable).getIRVariable() =
+  override SourceVariables::SourceVariable getSourceVariable() {
+    result.(SourceVariables::SourceIRVariable).getIRVariable() =
       store.(InitializeParameterInstruction).getIRVariable()
     or
-    result.(SourceIRVariableIndirection).getUnderlyingIRVariable() =
+    result.(SourceVariables::SourceIRVariableIndirection).getUnderlyingIRVariable() =
       store.(InitializeIndirectionInstruction).getIRVariable()
   }
 
@@ -138,7 +136,7 @@ abstract class Use extends DefOrUse {
   override string toString() { result = "Use" }
 
   /** Gets the variable that is used by this use. */
-  abstract SourceVariable getSourceVariable();
+  abstract SourceVariables::SourceVariable getSourceVariable();
 
   override IRBlock getBlock() { result = use.getUse().getBlock() }
 
@@ -148,12 +146,14 @@ abstract class Use extends DefOrUse {
 private class ExplicitUse extends Use, TExplicitUse {
   ExplicitUse() { this = TExplicitUse(use) }
 
-  override SourceVariable getSourceVariable() {
+  override SourceVariables::SourceVariable getSourceVariable() {
     exists(VariableInstruction var |
       use.getDef() = var and
       if use.getUse() instanceof ReadSideEffectInstruction
-      then result.(SourceIRVariableIndirection).getUnderlyingIRVariable() = var.getIRVariable()
-      else result.(SourceIRVariable).getIRVariable() = var.getIRVariable()
+      then
+        result.(SourceVariables::SourceIRVariableIndirection).getUnderlyingIRVariable() =
+          var.getIRVariable()
+      else result.(SourceVariables::SourceIRVariable).getIRVariable() = var.getIRVariable()
     )
   }
 }
@@ -161,10 +161,11 @@ private class ExplicitUse extends Use, TExplicitUse {
 private class ReturnParameterIndirection extends Use, TReturnParamIndirection {
   ReturnParameterIndirection() { this = TReturnParamIndirection(use) }
 
-  override SourceVariable getSourceVariable() {
+  override SourceVariables::SourceVariable getSourceVariable() {
     exists(ReturnIndirectionInstruction ret |
       returnParameterIndirection(use, ret) and
-      result.(SourceIRVariableIndirection).getUnderlyingIRVariable() = ret.getIRVariable()
+      result.(SourceVariables::SourceIRVariableIndirection).getUnderlyingIRVariable() =
+        ret.getIRVariable()
     )
   }
 }
@@ -610,27 +611,45 @@ private module Cached {
 
 import Cached
 
-/**
- * Holds if the `i`'th write in block `bb` writes to the variable `v`.
- * `certain` is `true` if the write is guaranteed to overwrite the entire variable.
- */
-predicate variableWrite(IRBlock bb, int i, SourceVariable v, boolean certain) {
-  DataFlowImplCommon::forceCachingInSameStage() and
-  exists(Def def |
-    def.hasIndexInBlock(bb, i) and
-    v = def.getSourceVariable() and
-    (if def.isCertain() then certain = true else certain = false)
-  )
+private module SsaInput implements SsaImplCommon::InputSig {
+  private import semmle.code.cpp.ir.IR
+
+  class BasicBlock = IRBlock;
+
+  class SourceVariable = SourceVariables::SourceVariable;
+
+  BasicBlock getImmediateBasicBlockDominator(BasicBlock bb) { result.immediatelyDominates(bb) }
+
+  BasicBlock getABasicBlockSuccessor(BasicBlock bb) { result = bb.getASuccessor() }
+
+  class ExitBasicBlock extends IRBlock {
+    ExitBasicBlock() { this.getLastInstruction() instanceof ExitFunctionInstruction }
+  }
+
+  /**
+   * Holds if the `i`'th write in block `bb` writes to the variable `v`.
+   * `certain` is `true` if the write is guaranteed to overwrite the entire variable.
+   */
+  predicate variableWrite(BasicBlock bb, int i, SourceVariable v, boolean certain) {
+    DataFlowImplCommon::forceCachingInSameStage() and
+    exists(Def def |
+      def.hasIndexInBlock(bb, i) and
+      v = def.getSourceVariable() and
+      (if def.isCertain() then certain = true else certain = false)
+    )
+  }
+
+  /**
+   * Holds if the `i`'th read in block `bb` reads to the variable `v`.
+   * `certain` is `true` if the read is guaranteed. For C++, this is always the case.
+   */
+  predicate variableRead(BasicBlock bb, int i, SourceVariable v, boolean certain) {
+    exists(Use use |
+      use.hasIndexInBlock(bb, i) and
+      v = use.getSourceVariable() and
+      certain = true
+    )
+  }
 }
 
-/**
- * Holds if the `i`'th read in block `bb` reads to the variable `v`.
- * `certain` is `true` if the read is guaranteed. For C++, this is always the case.
- */
-predicate variableRead(IRBlock bb, int i, SourceVariable v, boolean certain) {
-  exists(Use use |
-    use.hasIndexInBlock(bb, i) and
-    v = use.getSourceVariable() and
-    certain = true
-  )
-}
+import SsaImplCommon::Make<SsaInput>

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRConsistency.qll

@@ -22,7 +22,7 @@ module InstructionConsistency {
     abstract Language::Location getLocation();
   }
 
-  private class PresentIRFunction extends OptionalIRFunction, TPresentIRFunction {
+  class PresentIRFunction extends OptionalIRFunction, TPresentIRFunction {
     private IRFunction irFunc;
 
     PresentIRFunction() { this = TPresentIRFunction(irFunc) }
@@ -37,6 +37,8 @@ module InstructionConsistency {
       result =
         min(Language::Location loc | loc = irFunc.getLocation() | loc order by loc.toString())
     }
+
+    IRFunction getIRFunction() { result = irFunc }
   }
 
   private class MissingIRFunction extends OptionalIRFunction, TMissingIRFunction {

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll

@@ -3,7 +3,7 @@ import semmle.code.cpp.ir.internal.Overlap
 private import semmle.code.cpp.ir.internal.IRCppLanguage as Language
 private import semmle.code.cpp.Print
 private import semmle.code.cpp.ir.implementation.unaliased_ssa.IR
-private import semmle.code.cpp.ir.implementation.unaliased_ssa.internal.SSAConstruction as OldSSA
+private import semmle.code.cpp.ir.implementation.unaliased_ssa.internal.SSAConstruction as OldSsa
 private import semmle.code.cpp.ir.internal.IntegerConstant as Ints
 private import semmle.code.cpp.ir.internal.IntegerInterval as Interval
 private import semmle.code.cpp.ir.implementation.internal.OperandTag
@@ -572,7 +572,7 @@ private Overlap getVariableMemoryLocationOverlap(
  * Holds if the def/use information for the result of `instr` can be reused from the previous
  * iteration of the IR.
  */
-predicate canReuseSsaForOldResult(Instruction instr) { OldSSA::canReuseSsaForMemoryResult(instr) }
+predicate canReuseSsaForOldResult(Instruction instr) { OldSsa::canReuseSsaForMemoryResult(instr) }
 
 /** DEPRECATED: Alias for canReuseSsaForOldResult */
 deprecated predicate canReuseSSAForOldResult = canReuseSsaForOldResult/1;

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll

@@ -5,8 +5,8 @@ private import Imports::OperandTag
 private import Imports::Overlap
 private import Imports::TInstruction
 private import Imports::RawIR as RawIR
-private import SSAInstructions
-private import SSAOperands
+private import SsaInstructions
+private import SsaOperands
 private import NewIR
 
 private class OldBlock = Reachability::ReachableBlock;

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstructionInternal.qll

@@ -2,7 +2,14 @@ import semmle.code.cpp.ir.implementation.unaliased_ssa.IR as OldIR
 import semmle.code.cpp.ir.implementation.unaliased_ssa.internal.reachability.ReachableBlock as Reachability
 import semmle.code.cpp.ir.implementation.unaliased_ssa.internal.reachability.Dominance as Dominance
 import semmle.code.cpp.ir.implementation.aliased_ssa.IR as NewIR
-import semmle.code.cpp.ir.implementation.internal.TInstruction::AliasedSsaInstructions as SSAInstructions
+import semmle.code.cpp.ir.implementation.internal.TInstruction::AliasedSsaInstructions as SsaInstructions
+
+/** DEPRECATED: Alias for SsaInstructions */
+deprecated module SSAInstructions = SsaInstructions;
+
 import semmle.code.cpp.ir.internal.IRCppLanguage as Language
 import AliasedSSA as Alias
-import semmle.code.cpp.ir.implementation.internal.TOperand::AliasedSsaOperands as SSAOperands
+import semmle.code.cpp.ir.implementation.internal.TOperand::AliasedSsaOperands as SsaOperands
+
+/** DEPRECATED: Alias for SsaOperands */
+deprecated module SSAOperands = SsaOperands;

cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TInstruction.qll

@@ -29,15 +29,15 @@ newtype TInstruction =
     UnaliasedSsa::SSA::hasUnreachedInstruction(irFunc)
   } or
   TAliasedSsaPhiInstruction(
-    TRawInstruction blockStartInstr, AliasedSSA::SSA::MemoryLocation memoryLocation
+    TRawInstruction blockStartInstr, AliasedSsa::SSA::MemoryLocation memoryLocation
   ) {
-    AliasedSSA::SSA::hasPhiInstruction(blockStartInstr, memoryLocation)
+    AliasedSsa::SSA::hasPhiInstruction(blockStartInstr, memoryLocation)
   } or
   TAliasedSsaChiInstruction(TRawInstruction primaryInstruction) {
-    AliasedSSA::SSA::hasChiInstruction(primaryInstruction)
+    AliasedSsa::SSA::hasChiInstruction(primaryInstruction)
   } or
   TAliasedSsaUnreachedInstruction(IRFunctionBase irFunc) {
-    AliasedSSA::SSA::hasUnreachedInstruction(irFunc)
+    AliasedSsa::SSA::hasUnreachedInstruction(irFunc)
   }
 
 /**
@@ -83,7 +83,7 @@ module AliasedSsaInstructions {
   class TPhiInstruction = TAliasedSsaPhiInstruction or TUnaliasedSsaPhiInstruction;
 
   TPhiInstruction phiInstruction(
-    TRawInstruction blockStartInstr, AliasedSSA::SSA::MemoryLocation memoryLocation
+    TRawInstruction blockStartInstr, AliasedSsa::SSA::MemoryLocation memoryLocation
   ) {
     result = TAliasedSsaPhiInstruction(blockStartInstr, memoryLocation)
   }

cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TInstructionInternal.qll

@@ -1,4 +1,7 @@
 import semmle.code.cpp.ir.internal.IRCppLanguage as Language
 import semmle.code.cpp.ir.implementation.raw.internal.IRConstruction as IRConstruction
 import semmle.code.cpp.ir.implementation.unaliased_ssa.internal.SSAConstruction as UnaliasedSsa
-import semmle.code.cpp.ir.implementation.aliased_ssa.internal.SSAConstruction as AliasedSSA
+import semmle.code.cpp.ir.implementation.aliased_ssa.internal.SSAConstruction as AliasedSsa
+
+/** DEPRECATED: Alias for AliasedSsa */
+deprecated module AliasedSSA = AliasedSsa;

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRConsistency.qll

@@ -22,7 +22,7 @@ module InstructionConsistency {
     abstract Language::Location getLocation();
   }
 
-  private class PresentIRFunction extends OptionalIRFunction, TPresentIRFunction {
+  class PresentIRFunction extends OptionalIRFunction, TPresentIRFunction {
     private IRFunction irFunc;
 
     PresentIRFunction() { this = TPresentIRFunction(irFunc) }
@@ -37,6 +37,8 @@ module InstructionConsistency {
       result =
         min(Language::Location loc | loc = irFunc.getLocation() | loc order by loc.toString())
     }
+
+    IRFunction getIRFunction() { result = irFunc }
   }
 
   private class MissingIRFunction extends OptionalIRFunction, TMissingIRFunction {

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -1450,8 +1450,6 @@ class TranslatedAssignExpr extends TranslatedNonConstantExpr {
       result = this.getLeftOperand().getResult()
   }
 
-  abstract Instruction getStoredValue();
-
   final TranslatedExpr getLeftOperand() {
     result = getTranslatedExpr(expr.getLValue().getFullyConverted())
   }
@@ -1493,6 +1491,75 @@ class TranslatedAssignExpr extends TranslatedNonConstantExpr {
   }
 }
 
+class TranslatedBlockAssignExpr extends TranslatedNonConstantExpr {
+  override BlockAssignExpr expr;
+
+  final override TranslatedElement getChild(int id) {
+    id = 0 and result = this.getLeftOperand()
+    or
+    id = 1 and result = this.getRightOperand()
+  }
+
+  final override Instruction getFirstInstruction() {
+    // The operand evaluation order should not matter since block assignments behave like memcpy.
+    result = this.getLeftOperand().getFirstInstruction()
+  }
+
+  final override Instruction getResult() { result = this.getInstruction(AssignmentStoreTag()) }
+
+  final TranslatedExpr getLeftOperand() {
+    result = getTranslatedExpr(expr.getLValue().getFullyConverted())
+  }
+
+  final TranslatedExpr getRightOperand() {
+    result = getTranslatedExpr(expr.getRValue().getFullyConverted())
+  }
+
+  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
+    tag = LoadTag() and
+    result = this.getInstruction(AssignmentStoreTag()) and
+    kind instanceof GotoEdge
+    or
+    tag = AssignmentStoreTag() and
+    result = this.getParent().getChildSuccessor(this) and
+    kind instanceof GotoEdge
+  }
+
+  override Instruction getChildSuccessor(TranslatedElement child) {
+    child = this.getLeftOperand() and
+    result = this.getRightOperand().getFirstInstruction()
+    or
+    child = this.getRightOperand() and
+    result = this.getInstruction(LoadTag())
+  }
+
+  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
+    tag = LoadTag() and
+    opcode instanceof Opcode::Load and
+    resultType = getTypeForPRValue(expr.getRValue().getType())
+    or
+    tag = AssignmentStoreTag() and
+    opcode instanceof Opcode::Store and
+    // The frontend specifies that the relevant type is the one of the source.
+    resultType = getTypeForPRValue(expr.getRValue().getType())
+  }
+
+  override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
+    tag = LoadTag() and
+    operandTag instanceof AddressOperandTag and
+    result = this.getRightOperand().getResult()
+    or
+    tag = AssignmentStoreTag() and
+    (
+      operandTag instanceof AddressOperandTag and
+      result = this.getLeftOperand().getResult()
+      or
+      operandTag instanceof StoreValueOperandTag and
+      result = this.getInstruction(LoadTag())
+    )
+  }
+}
+
 class TranslatedAssignOperation extends TranslatedNonConstantExpr {
   override AssignOperation expr;
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.qll

@@ -22,7 +22,7 @@ module InstructionConsistency {
     abstract Language::Location getLocation();
   }
 
-  private class PresentIRFunction extends OptionalIRFunction, TPresentIRFunction {
+  class PresentIRFunction extends OptionalIRFunction, TPresentIRFunction {
     private IRFunction irFunc;
 
     PresentIRFunction() { this = TPresentIRFunction(irFunc) }
@@ -37,6 +37,8 @@ module InstructionConsistency {
       result =
         min(Language::Location loc | loc = irFunc.getLocation() | loc order by loc.toString())
     }
+
+    IRFunction getIRFunction() { result = irFunc }
   }
 
   private class MissingIRFunction extends OptionalIRFunction, TMissingIRFunction {

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll

@@ -5,8 +5,8 @@ private import Imports::OperandTag
 private import Imports::Overlap
 private import Imports::TInstruction
 private import Imports::RawIR as RawIR
-private import SSAInstructions
-private import SSAOperands
+private import SsaInstructions
+private import SsaOperands
 private import NewIR
 
 private class OldBlock = Reachability::ReachableBlock;

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstructionInternal.qll

@@ -3,7 +3,14 @@ import semmle.code.cpp.ir.implementation.raw.internal.reachability.ReachableBloc
 import semmle.code.cpp.ir.implementation.raw.internal.reachability.Dominance as Dominance
 import semmle.code.cpp.ir.implementation.unaliased_ssa.IR as NewIR
 import semmle.code.cpp.ir.implementation.raw.internal.IRConstruction as RawStage
-import semmle.code.cpp.ir.implementation.internal.TInstruction::UnaliasedSsaInstructions as SSAInstructions
+import semmle.code.cpp.ir.implementation.internal.TInstruction::UnaliasedSsaInstructions as SsaInstructions
+
+/** DEPRECATED: Alias for SsaInstructions */
+deprecated module SSAInstructions = SsaInstructions;
+
 import semmle.code.cpp.ir.internal.IRCppLanguage as Language
 import SimpleSSA as Alias
-import semmle.code.cpp.ir.implementation.internal.TOperand::UnaliasedSsaOperands as SSAOperands
+import semmle.code.cpp.ir.implementation.internal.TOperand::UnaliasedSsaOperands as SsaOperands
+
+/** DEPRECATED: Alias for SsaOperands */
+deprecated module SSAOperands = SsaOperands;

cpp/ql/lib/semmle/code/cpp/models/implementations/Allocation.qll

@@ -218,7 +218,7 @@ private class CallAllocationExpr extends AllocationExpr, FunctionCall {
       exists(target.getReallocPtrArg()) and
       this.getArgument(target.getSizeArg()).getValue().toInt() = 0
     ) and
-    // these are modelled directly (and more accurately), avoid duplication
+    // these are modeled directly (and more accurately), avoid duplication
     not exists(NewOrNewArrayExpr new | new.getAllocatorCall() = this)
   }
 

cpp/ql/lib/semmle/code/cpp/models/implementations/StdPair.qll

@@ -11,12 +11,6 @@ private class StdPair extends ClassTemplateInstantiation {
   StdPair() { this.hasQualifiedName(["std", "bsl"], "pair") }
 }
 
-/**
- * DEPRECATED: This is now called `StdPair` and is a private part of the
- * library implementation.
- */
-deprecated class StdPairClass = StdPair;
-
 /**
  * Any of the single-parameter constructors of `std::pair` that takes a reference to an
  * instantiation of `std::pair`. These constructors allow conversion between pair types when the

cpp/ql/lib/semmle/code/cpp/models/interfaces/FlowSource.qll

@@ -27,13 +27,6 @@ abstract class RemoteFlowSourceFunction extends Function {
   predicate hasSocketInput(FunctionInput input) { none() }
 }
 
-/**
- * DEPRECATED: Use `RemoteFlowSourceFunction` instead.
- *
- * A library function that returns data that may be read from a network connection.
- */
-deprecated class RemoteFlowFunction = RemoteFlowSourceFunction;
-
 /**
  * A library function that returns data that is directly controlled by a user.
  */
@@ -44,13 +37,6 @@ abstract class LocalFlowSourceFunction extends Function {
   abstract predicate hasLocalFlowSource(FunctionOutput output, string description);
 }
 
-/**
- * DEPRECATED: Use `LocalFlowSourceFunction` instead.
- *
- * A library function that returns data that is directly controlled by a user.
- */
-deprecated class LocalFlowFunction = LocalFlowSourceFunction;
-
 /** A library function that sends data over a network connection. */
 abstract class RemoteFlowSinkFunction extends Function {
   /**

cpp/ql/lib/semmle/code/cpp/security/Overflow.qll

@@ -50,7 +50,7 @@ VariableAccess varUse(LocalScopeVariable v) { result = v.getAnAccess() }
  * Holds if `e` potentially overflows and `use` is an operand of `e` that is not guarded.
  */
 predicate missingGuardAgainstOverflow(Operation e, VariableAccess use) {
-  // Since `e` is guarenteed to be a `BinaryArithmeticOperation`, a `UnaryArithmeticOperation` or
+  // Since `e` is guaranteed to be a `BinaryArithmeticOperation`, a `UnaryArithmeticOperation` or
   // an `AssignArithmeticOperation` by the other constraints in this predicate, we know that
   // `convertedExprMightOverflowPositively` will have a result even when `e` is not analyzable
   // by `SimpleRangeAnalysis`.
@@ -80,7 +80,7 @@ predicate missingGuardAgainstOverflow(Operation e, VariableAccess use) {
  * Holds if `e` potentially underflows and `use` is an operand of `e` that is not guarded.
  */
 predicate missingGuardAgainstUnderflow(Operation e, VariableAccess use) {
-  // Since `e` is guarenteed to be a `BinaryArithmeticOperation`, a `UnaryArithmeticOperation` or
+  // Since `e` is guaranteed to be a `BinaryArithmeticOperation`, a `UnaryArithmeticOperation` or
   // an `AssignArithmeticOperation` by the other constraints in this predicate, we know that
   // `convertedExprMightOverflowNegatively` will have a result even when `e` is not analyzable
   // by `SimpleRangeAnalysis`.

cpp/ql/lib/semmle/code/cpp/valuenumbering/GlobalValueNumberingImpl.qll

@@ -165,7 +165,7 @@ private ControlFlowNode mostRecentSideEffect(ControlFlowNode node) {
 
 /** Used to represent the "global value number" of an expression. */
 cached
-private newtype GVNBase =
+private newtype GvnBase =
   GVN_IntConst(int val, Type t) { mk_IntConst(val, t, _) } or
   GVN_FloatConst(float val, Type t) { mk_FloatConst(val, t, _) } or
   // If the local variable does not have a defining value, then
@@ -221,8 +221,8 @@ private newtype GVNBase =
  * expression with this `GVN` and using its `toString` and `getLocation`
  * methods.
  */
-class GVN extends GVNBase {
-  GVN() { this instanceof GVNBase }
+class GVN extends GvnBase {
+  GVN() { this instanceof GvnBase }
 
   /** Gets an expression that has this GVN. */
   Expr getAnExpr() { this = globalValueNumber(result) }

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -523,6 +523,11 @@ autoderivation(
     int derivation_type: @type ref
 );
 
+orphaned_variables(
+    int var: @localvariable ref,
+    int function: @function ref
+)
+
 enumconstants(
     unique int id: @enumconstant,
     int parent: @usertype ref,
@@ -1302,7 +1307,7 @@ funbind(
 
 @assign_op_expr = @assign_arith_expr | @assign_bitwise_expr
 
-@assign_expr = @assignexpr | @assign_op_expr
+@assign_expr = @assignexpr | @assign_op_expr | @blockassignexpr
 
 /*
   case @allocator.form of
@@ -1660,6 +1665,7 @@ case @expr.kind of
 | 332 = @hasuniqueobjectrepresentations
 | 333 = @builtinbitcast
 | 334 = @builtinshuffle
+| 335 = @blockassignexpr
 ;
 
 @var_args_expr = @vastartexpr

cpp/ql/lib/upgrades/34549c3b0937002f11037d01822ebe99442c1402/upgrade.properties

@@ -0,0 +1,2 @@
+description: Support block assignment
+compatibility: backwards

cpp/ql/lib/upgrades/73af5058c6899dcdb05754c27ca966aeb3a68c94/upgrade.properties

@@ -0,0 +1,2 @@
+description: Add relation for orphaned local variables
+compatibility: partial

cpp/ql/src/Architecture/Refactoring Opportunities/ClassesWithManyFields.ql

@@ -63,17 +63,17 @@ class VariableDeclarationLine extends TVariableDeclarationInfo {
   /**
    * Gets a `VariableDeclarationEntry` on this line.
    */
-  VariableDeclarationEntry getAVDE() { vdeInfo(result, c, f, line) }
+  VariableDeclarationEntry getAVde() { vdeInfo(result, c, f, line) }
 
   /**
    * Gets the start column of the first `VariableDeclarationEntry` on this line.
    */
-  int getStartColumn() { result = min(this.getAVDE().getLocation().getStartColumn()) }
+  int getStartColumn() { result = min(this.getAVde().getLocation().getStartColumn()) }
 
   /**
    * Gets the end column of the last `VariableDeclarationEntry` on this line.
    */
-  int getEndColumn() { result = max(this.getAVDE().getLocation().getEndColumn()) }
+  int getEndColumn() { result = max(this.getAVde().getLocation().getEndColumn()) }
 
   /**
    * Gets the rank of this `VariableDeclarationLine` in its file and class
@@ -134,13 +134,13 @@ class VariableDeclarationGroup extends VariableDeclarationLine {
       count(VariableDeclarationLine l |
         l = this.getProximateNext*()
       |
-        l.getAVDE().getVariable().getName()
+        l.getAVde().getVariable().getName()
       )
   }
 
   override string toString() {
     this.getCount() = 1 and
-    result = "declaration of " + this.getAVDE().getVariable().getName()
+    result = "declaration of " + this.getAVde().getVariable().getName()
     or
     this.getCount() > 1 and
     result = "group of " + this.getCount() + " fields here"

cpp/ql/src/Best Practices/BlockWithTooManyStatements.ql

@@ -29,7 +29,4 @@ where
   n = strictcount(ComplexStmt s | s = b.getAStmt()) and
   n > 3 and
   complexStmt = b.getAStmt()
-select b,
-  "Block with too many statements (" + n.toString() +
-    " complex statements in the block). Complex statements at: $@", complexStmt,
-  complexStmt.toString()
+select b, "Block with too many statements (" + n.toString() + " complex statements in the block)."

cpp/ql/src/Best Practices/Likely Errors/EmptyBlock.ql

@@ -110,4 +110,4 @@ where
   emptyBlock(s, eb) and
   not emptyBlockContainsNonchild(eb) and
   not lineComment(eb)
-select eb, "Empty block without comment"
+select eb, "Empty block without comment."

cpp/ql/src/Best Practices/UseOfGoto.ql

@@ -16,7 +16,7 @@ import cpp
 class JumpTarget extends Stmt {
   JumpTarget() { exists(GotoStmt g | g.getTarget() = this) }
 
-  FunctionDeclarationEntry getFDE() { result.getBlock() = this.getParentStmt+() }
+  FunctionDeclarationEntry getFde() { result.getBlock() = this.getParentStmt+() }
 
   predicate isForward() {
     exists(GotoStmt g | g.getTarget() = this |
@@ -33,8 +33,8 @@ class JumpTarget extends Stmt {
 
 from FunctionDeclarationEntry fde, int nforward, int nbackward
 where
-  nforward = strictcount(JumpTarget t | t.getFDE() = fde and t.isForward()) and
-  nbackward = strictcount(JumpTarget t | t.getFDE() = fde and t.isBackward()) and
+  nforward = strictcount(JumpTarget t | t.getFde() = fde and t.isForward()) and
+  nbackward = strictcount(JumpTarget t | t.getFde() = fde and t.isBackward()) and
   nforward != 1 and
   nbackward != 1
 select fde,

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 0.3.3
+
+### Minor Analysis Improvements
+
+* The "Cleartext storage of sensitive information in buffer" (`cpp/cleartext-storage-buffer`) query has been improved to produce fewer false positives.
+
 ## 0.3.2
 
 ### Minor Analysis Improvements

cpp/ql/src/Critical/MissingCheckScanf.cpp

@@ -0,0 +1,17 @@
+{
+  int i, j, r;
+
+  r = scanf("%d %d", &i, &j);
+
+  use(i); // BAD: i is not guarded
+
+  if (r >= 1) {
+    use(i); // GOOD: i is guarded correctly
+    use(j); // BAD: j is guarded incorrectly
+  }
+
+  if (r != 2)
+    return;
+
+  use(j); // GOOD: j is guarded correctly
+}

cpp/ql/src/Critical/MissingCheckScanf.qhelp

@@ -0,0 +1,51 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+
+<overview>
+<p>
+This query finds calls of <tt>scanf</tt>-like functions with missing or
+improper return-value checking.
+</p>
+<p>
+Specifically, the query flags uses of variables that may have been modified by
+<tt>scanf</tt> and subsequently are used without being guarded by a correct
+return-value check. A proper check is one that ensures that the corresponding
+<tt>scanf</tt> has returned (at least) a certain minimum constant.
+</p>
+<p>
+Functions in the <tt>scanf</tt> family return either EOF (a negative value)
+in case of IO failure, or the number of items successfully read from the
+input. Consequently, a simple check that the return value is truthy (nonzero)
+is not enough.
+</p>
+<warning>
+This query has medium precision because, in the current implementation, it
+takes a strict stance on unguarded uses of output variables, and flags them
+as problematic even if they have already been initialized.
+</warning>
+</overview>
+
+<recommendation>
+<p>
+Ensure that all subsequent uses of <tt>scanf</tt> output arguments occur in a
+branch of an <tt>if</tt> statement (or similar), in which it is known that the
+corresponding <tt>scanf</tt> call has in fact read all possible items from its
+input. This can be done by comparing the return value to a numerical constant.
+</p>
+</recommendation>
+
+<example>
+<p>This example shows different ways of guarding a <tt>scanf</tt> output:
+</p>
+<sample src="MissingCheckScanf.cpp" />
+</example>
+
+<references>
+<li>SEI CERT C++ Coding Standard: <a href="https://wiki.sei.cmu.edu/confluence/display/cplusplus/ERR62-CPP.+Detect+errors+when+converting+a+string+to+a+number">ERR62-CPP. Detect errors when converting a string to a number</a>.</li>
+<li>SEI CERT C Coding Standard: <a href="https://wiki.sei.cmu.edu/confluence/display/c/ERR33-C.+Detect+and+handle+standard+library+errors">ERR33-C. Detect and handle standard library errors</a>.</li>
+<li>cppreference.com: <a href="https://en.cppreference.com/w/c/io/fscanf">scanf, fscanf, sscanf, scanf_s, fscanf_s, sscanf_s</a>.</li>
+</references>
+</qhelp>

cpp/ql/src/Critical/MissingCheckScanf.ql

@@ -0,0 +1,122 @@
+/**
+ * @name Missing return-value check for a 'scanf'-like function
+ * @description Failing to check that a call to 'scanf' actually writes to an
+ *              output variable can lead to unexpected behavior at reading time.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 7.5
+ * @precision medium
+ * @id cpp/missing-check-scanf
+ * @tags security
+ *       correctness
+ *       external/cwe/cwe-252
+ *       external/cwe/cwe-253
+ */
+
+import cpp
+import semmle.code.cpp.commons.Scanf
+import semmle.code.cpp.controlflow.Guards
+import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.ir.IR
+import semmle.code.cpp.ir.ValueNumbering
+
+/** An expression appearing as an output argument to a `scanf`-like call */
+class ScanfOutput extends Expr {
+  ScanfFunctionCall call;
+  int varargIndex;
+  Instruction instr;
+  ValueNumber valNum;
+
+  ScanfOutput() {
+    this = call.getOutputArgument(varargIndex).getFullyConverted() and
+    instr.getConvertedResultExpression() = this and
+    valueNumber(instr) = valNum
+  }
+
+  ScanfFunctionCall getCall() { result = call }
+
+  /**
+   * Returns the smallest possible `scanf` return value that would indicate
+   * success in writing this output argument.
+   */
+  int getMinimumGuardConstant() {
+    result =
+      varargIndex + 1 -
+        count(ScanfFormatLiteral f, int n |
+          // Special case: %n writes to an argument without reading any input.
+          // It does not increase the count returned by `scanf`.
+          n <= varargIndex and f.getUse() = call and f.getConversionChar(n) = "n"
+        )
+  }
+
+  predicate hasGuardedAccess(Access e, boolean isGuarded) {
+    e = this.getAnAccess() and
+    if
+      exists(int value, int minGuard | minGuard = this.getMinimumGuardConstant() |
+        e.getBasicBlock() = blockGuardedBy(value, "==", call) and minGuard <= value
+        or
+        e.getBasicBlock() = blockGuardedBy(value, "<", call) and minGuard - 1 <= value
+        or
+        e.getBasicBlock() = blockGuardedBy(value, "<=", call) and minGuard <= value
+      )
+    then isGuarded = true
+    else isGuarded = false
+  }
+
+  /**
+   * Get a subsequent access of the same underlying storage,
+   * but before it gets reset or reused in another `scanf` call.
+   */
+  Access getAnAccess() {
+    exists(Instruction dst |
+      this.bigStep() = dst and
+      dst.getAst() = result and
+      valueNumber(dst) = valNum
+    )
+  }
+
+  private Instruction bigStep() {
+    result = this.smallStep(instr)
+    or
+    exists(Instruction i | i = this.bigStep() | result = this.smallStep(i))
+  }
+
+  private Instruction smallStep(Instruction i) {
+    instr.getASuccessor*() = i and
+    i.getASuccessor() = result and
+    not this.isBarrier(result)
+  }
+
+  private predicate isBarrier(Instruction i) {
+    valueNumber(i) = valNum and
+    exists(Expr e | i.getAst() = e |
+      i = any(StoreInstruction s).getDestinationAddress()
+      or
+      [e, e.getParent().(AddressOfExpr)] instanceof ScanfOutput
+    )
+  }
+}
+
+/** Returns a block guarded by the assertion of `value op call` */
+BasicBlock blockGuardedBy(int value, string op, ScanfFunctionCall call) {
+  exists(GuardCondition g, Expr left, Expr right |
+    right = g.getAChild() and
+    value = left.getValue().toInt() and
+    DataFlow::localExprFlow(call, right)
+  |
+    g.ensuresEq(left, right, 0, result, true) and op = "=="
+    or
+    g.ensuresLt(left, right, 0, result, true) and op = "<"
+    or
+    g.ensuresLt(left, right, 1, result, true) and op = "<="
+  )
+}
+
+from ScanfOutput output, ScanfFunctionCall call, Access access
+where
+  output.getCall() = call and
+  output.hasGuardedAccess(access, false)
+select access,
+  "$@ is read here, but may not have been written. " +
+    "It should be guarded by a check that the $@ returns at least " +
+    output.getMinimumGuardConstant() + ".", access, access.toString(), call, call.toString()

cpp/ql/src/Documentation/CommentedOutCode.ql

@@ -12,4 +12,4 @@
 import CommentedOutCode
 
 from CommentedOutCode comment
-select comment, "This comment appears to contain commented-out code"
+select comment, "This comment appears to contain commented-out code."

cpp/ql/src/Likely Bugs/Arithmetic/BitwiseSignCheck.ql

@@ -1,7 +1,6 @@
 /**
  * @name Sign check of bitwise operation
- * @description Checking the sign of a bitwise operation often has surprising
- *              edge cases.
+ * @description Checking the sign of the result of a bitwise operation may yield unexpected results.
  * @kind problem
  * @problem.severity warning
  * @precision high
@@ -26,4 +25,4 @@ where
   forall(int op | op = lhs.(BitwiseAndExpr).getAnOperand().getValue().toInt() | op < 0) and
   // exception for cases involving macros
   not e.isAffectedByMacro()
-select e, "Potential unsafe sign check of a bitwise operation."
+select e, "Potentially unsafe sign check of a bitwise operation."

cpp/ql/src/Likely Bugs/Arithmetic/FloatComparison.ql

@@ -21,4 +21,4 @@ where
     FloatingPointType and
   not ro.getAnOperand().isConstant() and // comparisons to constants generate too many false positives
   not left.(VariableAccess).getTarget() = right.(VariableAccess).getTarget() // skip self comparison
-select ro, "Equality test on floating point values may not behave as expected."
+select ro, "Equality checks on floating point values can yield unexpected results."

cpp/ql/src/Likely Bugs/Likely Typos/AssignWhereCompareMeant.ql

@@ -68,7 +68,7 @@ class BooleanControllingAssignmentInExpr extends BooleanControllingAssignment {
     // if((a = b) && use_value(a)) { ... }
     // ```
     // where the assignment is meant to update the value of `a` before it's used in some other boolean
-    // subexpression that is guarenteed to be evaluate _after_ the assignment.
+    // subexpression that is guaranteed to be evaluate _after_ the assignment.
     this.isParenthesised() and
     exists(LogicalAndExpr parent, Variable var, VariableAccess access |
       var = this.getLValue().(VariableAccess).getTarget() and

cpp/ql/src/Likely Bugs/Likely Typos/MissingEnumCaseInSwitch.ql

@@ -13,10 +13,11 @@
 
 import cpp
 
-from EnumSwitch es, float missing, float total
+from EnumSwitch es, float missing, float total, EnumConstant case
 where
   not es.hasDefaultCase() and
   missing = count(es.getAMissingCase()) and
   total = missing + count(es.getASwitchCase()) and
-  missing / total < 0.3
-select es, "Switch statement is missing case for " + es.getAMissingCase().getName()
+  missing / total < 0.3 and
+  case = es.getAMissingCase()
+select es, "Switch statement does not have a case for $@.", case, case.getName()

cpp/ql/src/Likely Bugs/Likely Typos/inconsistentLoopDirection.ql

@@ -51,7 +51,7 @@ predicate illDefinedDecrForStmt(
     (
       upperBound(initialCondition) < lowerBound(terminalCondition) and
       (
-        // exclude cases where the loop counter is `unsigned` (where wrapping behaviour can be used deliberately)
+        // exclude cases where the loop counter is `unsigned` (where wrapping behavior can be used deliberately)
         v.getUnspecifiedType().(IntegralType).isSigned() or
         initialCondition.getValue().toInt() = 0
       )

cpp/ql/src/Likely Bugs/Memory Management/UsingExpiredStackAddress.ql

@@ -106,6 +106,26 @@ predicate inheritanceConversionTypes(
   toType = convert.getResultType()
 }
 
+private signature class ConversionInstruction extends UnaryInstruction;
+
+module Conversion<ConversionInstruction I> {
+  signature predicate hasTypes(I instr, Type fromType, Type toType);
+
+  module Using<hasTypes/3 project> {
+    pragma[nomagic]
+    predicate hasOperandAndTypes(I convert, Instruction unary, Type fromType, Type toType) {
+      project(convert, fromType, toType) and
+      unary = convert.getUnary()
+    }
+  }
+}
+
+pragma[nomagic]
+predicate hasObjectAndField(FieldAddressInstruction fai, Instruction object, Field f) {
+  fai.getObjectAddress() = object and
+  fai.getField() = f
+}
+
 /** Gets the HashCons value of an address computed by `instr`, if any. */
 TGlobalAddress globalAddress(Instruction instr) {
   result = TGlobalVariable(instr.(VariableAddressInstruction).getAstVariable())
@@ -117,25 +137,27 @@ TGlobalAddress globalAddress(Instruction instr) {
     result = TLoad(globalAddress(load.getSourceAddress()))
   )
   or
-  exists(ConvertInstruction convert, Type fromType, Type toType | instr = convert |
-    uncheckedConversionTypes(convert, fromType, toType) and
-    result = TConversion("unchecked", globalAddress(convert.getUnary()), fromType, toType)
+  exists(Type fromType, Type toType, Instruction unary |
+    Conversion<ConvertInstruction>::Using<uncheckedConversionTypes/3>::hasOperandAndTypes(instr,
+      unary, fromType, toType) and
+    result = TConversion("unchecked", globalAddress(unary), fromType, toType)
   )
   or
-  exists(CheckedConvertOrNullInstruction convert, Type fromType, Type toType | instr = convert |
-    checkedConversionTypes(convert, fromType, toType) and
-    result = TConversion("checked", globalAddress(convert.getUnary()), fromType, toType)
+  exists(Type fromType, Type toType, Instruction unary |
+    Conversion<CheckedConvertOrNullInstruction>::Using<checkedConversionTypes/3>::hasOperandAndTypes(instr,
+      unary, fromType, toType) and
+    result = TConversion("checked", globalAddress(unary), fromType, toType)
   )
   or
-  exists(InheritanceConversionInstruction convert, Type fromType, Type toType | instr = convert |
-    inheritanceConversionTypes(convert, fromType, toType) and
-    result = TConversion("inheritance", globalAddress(convert.getUnary()), fromType, toType)
+  exists(Type fromType, Type toType, Instruction unary |
+    Conversion<InheritanceConversionInstruction>::Using<inheritanceConversionTypes/3>::hasOperandAndTypes(instr,
+      unary, fromType, toType) and
+    result = TConversion("inheritance", globalAddress(unary), fromType, toType)
   )
   or
-  exists(FieldAddressInstruction fai | instr = fai |
-    result =
-      TFieldAddress(globalAddress(pragma[only_bind_into](fai.getObjectAddress())),
-        pragma[only_bind_out](fai.getField()))
+  exists(FieldAddressInstruction fai, Instruction object, Field f | instr = fai |
+    hasObjectAndField(fai, object, f) and
+    result = TFieldAddress(globalAddress(object), f)
   )
   or
   result = globalAddress(instr.(PointerOffsetInstruction).getLeft())
@@ -268,7 +290,11 @@ class PathElement extends TPathElement {
   predicate isSink(IRBlock block) { exists(this.asSink(block)) }
 
   string toString() {
-    result = [asStore().toString(), asCall(_).toString(), asMid().toString(), asSink(_).toString()]
+    result =
+      [
+        this.asStore().toString(), this.asCall(_).toString(), this.asMid().toString(),
+        this.asSink(_).toString()
+      ]
   }
 
   predicate hasLocationInfo(

cpp/ql/src/Likely Bugs/OO/NonVirtualDestructorInBaseClass.qhelp

@@ -30,7 +30,7 @@ Make sure that all classes with virtual functions also have a virtual destructor
   S. Meyers. <em>Effective C++ 3d ed.</em> pp 40-44. Addison-Wesley Professional, 2005.
 </li>
 <li>
-  <a href="http://blogs.msdn.com/b/oldnewthing/archive/2004/05/07/127826.aspx">When should your destructor be virtual?</a>
+  <a href="https://devblogs.microsoft.com/oldnewthing/20040507-00/?p=39443">When should your destructor be virtual?</a>
 </li>
 
 

cpp/ql/src/Metrics/Internal/IRConsistency.ql

@@ -0,0 +1,43 @@
+/**
+ * @name Count IR inconsistencies
+ * @description Counts the various IR inconsistencies that may occur.
+ *              This query is for internal use only and may change without notice.
+ * @kind table
+ * @id cpp/count-ir-inconsistencies
+ */
+
+import cpp
+import semmle.code.cpp.ir.implementation.aliased_ssa.IR
+import semmle.code.cpp.ir.implementation.aliased_ssa.IRConsistency as IRConsistency
+
+class PresentIRFunction extends IRConsistency::PresentIRFunction {
+  override string toString() {
+    result = min(string name | name = this.getIRFunction().getFunction().getQualifiedName() | name)
+  }
+}
+
+select count(Instruction i | IRConsistency::missingOperand(i, _, _, _) | i) as missingOperand,
+  count(Instruction i | IRConsistency::unexpectedOperand(i, _, _, _) | i) as unexpectedOperand,
+  count(Instruction i | IRConsistency::duplicateOperand(i, _, _, _) | i) as duplicateOperand,
+  count(PhiInstruction i | IRConsistency::missingPhiOperand(i, _, _, _) | i) as missingPhiOperand,
+  count(Operand o | IRConsistency::missingOperandType(o, _, _, _) | o) as missingOperandType,
+  count(ChiInstruction i | IRConsistency::duplicateChiOperand(i, _, _, _) | i) as duplicateChiOperand,
+  count(Instruction i | IRConsistency::sideEffectWithoutPrimary(i, _, _, _) | i) as sideEffectWithoutPrimary,
+  count(Instruction i | IRConsistency::instructionWithoutSuccessor(i, _, _, _) | i) as instructionWithoutSuccessor,
+  count(Instruction i | IRConsistency::ambiguousSuccessors(i, _, _, _) | i) as ambiguousSuccessors,
+  count(Instruction i | IRConsistency::unexplainedLoop(i, _, _, _) | i) as unexplainedLoop,
+  count(PhiInstruction i | IRConsistency::unnecessaryPhiInstruction(i, _, _, _) | i) as unnecessaryPhiInstruction,
+  count(Instruction i | IRConsistency::memoryOperandDefinitionIsUnmodeled(i, _, _, _) | i) as memoryOperandDefinitionIsUnmodeled,
+  count(Operand o | IRConsistency::operandAcrossFunctions(o, _, _, _, _, _) | o) as operandAcrossFunctions,
+  count(IRFunction f | IRConsistency::containsLoopOfForwardEdges(f, _) | f) as containsLoopOfForwardEdges,
+  count(IRBlock i | IRConsistency::lostReachability(i, _, _, _) | i) as lostReachability,
+  count(string m | IRConsistency::backEdgeCountMismatch(_, m) | m) as backEdgeCountMismatch,
+  count(Operand o | IRConsistency::useNotDominatedByDefinition(o, _, _, _) | o) as useNotDominatedByDefinition,
+  count(SwitchInstruction i | IRConsistency::switchInstructionWithoutDefaultEdge(i, _, _, _) | i) as switchInstructionWithoutDefaultEdge,
+  count(Instruction i | IRConsistency::notMarkedAsConflated(i, _, _, _) | i) as notMarkedAsConflated,
+  count(Instruction i | IRConsistency::wronglyMarkedAsConflated(i, _, _, _) | i) as wronglyMarkedAsConflated,
+  count(MemoryOperand o | IRConsistency::invalidOverlap(o, _, _, _) | o) as invalidOverlap,
+  count(Instruction i | IRConsistency::nonUniqueEnclosingIRFunction(i, _, _, _) | i) as nonUniqueEnclosingIRFunction,
+  count(FieldAddressInstruction i | IRConsistency::fieldAddressOnNonPointer(i, _, _, _) | i) as fieldAddressOnNonPointer,
+  count(Instruction i | IRConsistency::thisArgumentIsNonPointer(i, _, _, _) | i) as thisArgumentIsNonPointer,
+  count(Instruction i | IRConsistency::nonUniqueIRVariable(i, _, _, _) | i) as nonUniqueIRVariable

cpp/ql/src/Microsoft/CallWithNullSAL.ql

@@ -13,7 +13,7 @@ import SAL
 
 from Parameter p, Call c, Expr arg
 where
-  any(SALNotNull a).getDeclaration() = p and
+  any(SalNotNull a).getDeclaration() = p and
   c.getTarget() = p.getFunction() and
   arg = c.getArgument(p.getIndex()) and
   nullValue(arg)

cpp/ql/src/Microsoft/IgnoreReturnValueSAL.ql

@@ -18,7 +18,7 @@ from Function f, FunctionCall call
 where
   call.getTarget() = f and
   call instanceof ExprInVoidContext and
-  any(SALCheckReturn a).getDeclaration() = f and
+  any(SalCheckReturn a).getDeclaration() = f and
   not getOptions().okToIgnoreReturnValue(call)
 select call, "Return value of $@ discarded although a SAL annotation " + "requires inspecting it.",
   f, f.getName()

cpp/ql/src/Microsoft/InconsistentSAL.ql

@@ -11,7 +11,7 @@ import SAL
 
 /** Holds if `e` has SAL annotation `name`. */
 predicate hasAnnotation(DeclarationEntry e, string name) {
-  exists(SALAnnotation a |
+  exists(SalAnnotation a |
     a.getMacro().getName() = name and
     a.getDeclarationEntry() = e
   )
@@ -21,7 +21,7 @@ predicate hasAnnotation(DeclarationEntry e, string name) {
 predicate inheritsDeclAnnotations(DeclarationEntry e) {
   // Is directly annotated
   e.isDefinition() and
-  exists(SALAnnotation a | a.getMacro().getName() = "_Use_decl_annotations_" |
+  exists(SalAnnotation a | a.getMacro().getName() = "_Use_decl_annotations_" |
     a.getDeclarationEntry() = e
   )
   or

cpp/ql/src/Microsoft/SAL.qll

@@ -8,8 +8,8 @@ import cpp
 /**
  * A SAL macro defined in `sal.h` or a similar header file.
  */
-class SALMacro extends Macro {
-  SALMacro() {
+class SalMacro extends Macro {
+  SalMacro() {
     this.getFile().getBaseName() =
       ["sal.h", "specstrings_strict.h", "specstrings.h", "w32p.h", "minwindef.h"] and
     (
@@ -22,15 +22,18 @@ class SALMacro extends Macro {
   }
 }
 
+/** DEPRECATED: Alias for SalMacro */
+deprecated class SALMacro = SalMacro;
+
 pragma[noinline]
 private predicate isTopLevelMacroAccess(MacroAccess ma) { not exists(ma.getParentInvocation()) }
 
 /**
  * An invocation of a SAL macro (excluding invocations inside other macros).
  */
-class SALAnnotation extends MacroInvocation {
-  SALAnnotation() {
-    this.getMacro() instanceof SALMacro and
+class SalAnnotation extends MacroInvocation {
+  SalAnnotation() {
+    this.getMacro() instanceof SalMacro and
     isTopLevelMacroAccess(this)
   }
 
@@ -47,23 +50,29 @@ class SALAnnotation extends MacroInvocation {
   }
 }
 
+/** DEPRECATED: Alias for SalAnnotation */
+deprecated class SALAnnotation = SalAnnotation;
+
 /**
  * A SAL macro indicating that the return value of a function should always be
  * checked.
  */
-class SALCheckReturn extends SALAnnotation {
-  SALCheckReturn() {
-    this.getMacro().(SALMacro).getName() = ["_Check_return_", "_Must_inspect_result_"]
+class SalCheckReturn extends SalAnnotation {
+  SalCheckReturn() {
+    this.getMacro().(SalMacro).getName() = ["_Check_return_", "_Must_inspect_result_"]
   }
 }
 
+/** DEPRECATED: Alias for SalCheckReturn */
+deprecated class SALCheckReturn = SalCheckReturn;
+
 /**
  * A SAL macro indicating that a pointer variable or return value should not be
  * `NULL`.
  */
-class SALNotNull extends SALAnnotation {
-  SALNotNull() {
-    exists(SALMacro m | m = this.getMacro() |
+class SalNotNull extends SalAnnotation {
+  SalNotNull() {
+    exists(SalMacro m | m = this.getMacro() |
       not m.getName().matches("%\\_opt\\_%") and
       (
         m.getName().matches("_In%") or
@@ -80,12 +89,15 @@ class SALNotNull extends SALAnnotation {
   }
 }
 
+/** DEPRECATED: Alias for SalNotNull */
+deprecated class SALNotNull = SalNotNull;
+
 /**
  * A SAL macro indicating that a value may be `NULL`.
  */
-class SALMaybeNull extends SALAnnotation {
-  SALMaybeNull() {
-    exists(SALMacro m | m = this.getMacro() |
+class SalMaybeNull extends SalAnnotation {
+  SalMaybeNull() {
+    exists(SalMacro m | m = this.getMacro() |
       m.getName().matches("%\\_opt\\_%") or
       m.getName().matches("\\_Ret_maybenull\\_%") or
       m.getName() = "_Result_nullonfailure_"
@@ -93,14 +105,17 @@ class SALMaybeNull extends SALAnnotation {
   }
 }
 
+/** DEPRECATED: Alias for SalMaybeNull */
+deprecated class SALMaybeNull = SalMaybeNull;
+
 /**
  * A parameter annotated by one or more SAL annotations.
  */
-class SALParameter extends Parameter {
+class SalParameter extends Parameter {
   /** One of this parameter's annotations. */
-  SALAnnotation a;
+  SalAnnotation a;
 
-  SALParameter() { annotatesAt(a, this.getADeclarationEntry(), _, _) }
+  SalParameter() { annotatesAt(a, this.getADeclarationEntry(), _, _) }
 
   predicate isIn() { a.getMacroName().toLowerCase().matches("%\\_in%") }
 
@@ -109,14 +124,17 @@ class SALParameter extends Parameter {
   predicate isInOut() { a.getMacroName().toLowerCase().matches("%\\_inout%") }
 }
 
+/** DEPRECATED: Alias for SalParameter */
+deprecated class SALParameter = SalParameter;
+
 ///////////////////////////////////////////////////////////////////////////////
 // Implementation details
 /**
  * Holds if `a` annotates the declaration entry `d` and
  * its start position is the `idx`th position in `file` that holds a SAL element.
  */
-private predicate annotatesAt(SALAnnotation a, DeclarationEntry d, File file, int idx) {
-  annotatesAtPosition(a.(SALElement).getStartPosition(), d, file, idx)
+private predicate annotatesAt(SalAnnotation a, DeclarationEntry d, File file, int idx) {
+  annotatesAtPosition(a.(SalElement).getStartPosition(), d, file, idx)
 }
 
 /**
@@ -127,12 +145,12 @@ private predicate annotatesAt(SALAnnotation a, DeclarationEntry d, File file, in
 // For performance reasons, do not mention the annotation itself here,
 // but compute with positions instead. This performs better on databases
 // with many annotations at the same position.
-private predicate annotatesAtPosition(SALPosition pos, DeclarationEntry d, File file, int idx) {
+private predicate annotatesAtPosition(SalPosition pos, DeclarationEntry d, File file, int idx) {
   pos = salRelevantPositionAt(file, idx) and
   salAnnotationPos(pos) and
   (
     // Base case: `pos` right before `d`
-    d.(SALElement).getStartPosition() = salRelevantPositionAt(file, idx + 1)
+    d.(SalElement).getStartPosition() = salRelevantPositionAt(file, idx + 1)
     or
     // Recursive case: `pos` right before some annotation on `d`
     annotatesAtPosition(_, d, file, idx + 1)
@@ -143,10 +161,10 @@ private predicate annotatesAtPosition(SALPosition pos, DeclarationEntry d, File
  * A SAL element, that is, a SAL annotation or a declaration entry
  * that may have SAL annotations.
  */
-library class SALElement extends Element {
-  SALElement() {
-    containsSALAnnotation(this.(DeclarationEntry).getFile()) or
-    this instanceof SALAnnotation
+library class SalElement extends Element {
+  SalElement() {
+    containsSalAnnotation(this.(DeclarationEntry).getFile()) or
+    this instanceof SalAnnotation
   }
 
   predicate hasStartPosition(File file, int line, int col) {
@@ -173,25 +191,28 @@ library class SALElement extends Element {
     )
   }
 
-  SALPosition getStartPosition() {
+  SalPosition getStartPosition() {
     exists(File file, int line, int col |
       this.hasStartPosition(file, line, col) and
-      result = MkSALPosition(file, line, col)
+      result = MkSalPosition(file, line, col)
     )
   }
 }
 
+/** DEPRECATED: Alias for SalElement */
+deprecated class SALElement = SalElement;
+
 /** Holds if `file` contains a SAL annotation. */
 pragma[noinline]
-private predicate containsSALAnnotation(File file) { any(SALAnnotation a).getFile() = file }
+private predicate containsSalAnnotation(File file) { any(SalAnnotation a).getFile() = file }
 
 /**
  * A source-file position of a `SALElement`. Unlike location, this denotes a
  * point in the file rather than a range.
  */
-private newtype SALPosition =
-  MkSALPosition(File file, int line, int col) {
-    exists(SALElement e |
+private newtype SalPosition =
+  MkSalPosition(File file, int line, int col) {
+    exists(SalElement e |
       e.hasStartPosition(file, line, col)
       or
       e.hasEndPosition(file, line, col)
@@ -200,18 +221,18 @@ private newtype SALPosition =
 
 /** Holds if `pos` is the start position of a SAL annotation. */
 pragma[noinline]
-private predicate salAnnotationPos(SALPosition pos) {
-  any(SALAnnotation a).(SALElement).getStartPosition() = pos
+private predicate salAnnotationPos(SalPosition pos) {
+  any(SalAnnotation a).(SalElement).getStartPosition() = pos
 }
 
 /**
  * Gets the `idx`th position in `file` that holds a SAL element,
  * ordering positions lexicographically by their start line and start column.
  */
-private SALPosition salRelevantPositionAt(File file, int idx) {
+private SalPosition salRelevantPositionAt(File file, int idx) {
   result =
-    rank[idx](SALPosition pos, int line, int col |
-      pos = MkSALPosition(file, line, col)
+    rank[idx](SalPosition pos, int line, int col |
+      pos = MkSalPosition(file, line, col)
     |
       pos order by line, col
     )

cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll

@@ -21,7 +21,9 @@ class UntrustedExternalApiDataNode extends ExternalApiDataNode {
 /** DEPRECATED: Alias for UntrustedExternalApiDataNode */
 deprecated class UntrustedExternalAPIDataNode = UntrustedExternalApiDataNode;
 
+/** An external API which is used with untrusted data. */
 private newtype TExternalApi =
+  /** An untrusted API method `m` where untrusted data is passed at `index`. */
   TExternalApiParameter(Function f, int index) {
     exists(UntrustedExternalApiDataNode n |
       f = n.getExternalFunction() and

cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll

@@ -21,7 +21,9 @@ class UntrustedExternalApiDataNode extends ExternalApiDataNode {
 /** DEPRECATED: Alias for UntrustedExternalApiDataNode */
 deprecated class UntrustedExternalAPIDataNode = UntrustedExternalApiDataNode;
 
+/** An external API which is used with untrusted data. */
 private newtype TExternalApi =
+  /** An untrusted API method `m` where untrusted data is passed at `index`. */
   TExternalApiParameter(Function f, int index) {
     exists(UntrustedExternalApiDataNode n |
       f = n.getExternalFunction() and

cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql

@@ -19,6 +19,7 @@ import semmle.code.cpp.security.Security
 import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 import semmle.code.cpp.ir.IR
 import semmle.code.cpp.ir.dataflow.TaintTracking
+import semmle.code.cpp.ir.dataflow.TaintTracking2
 import semmle.code.cpp.security.FlowSources
 import semmle.code.cpp.models.implementations.Strcat
 import DataFlow::PathGraph
@@ -83,6 +84,32 @@ class ExecState extends DataFlow::FlowState {
   DataFlow::Node getFstNode() { result = fst }
 
   DataFlow::Node getSndNode() { result = snd }
+
+  /** Holds if this is a possible `ExecState` for `sink`. */
+  predicate isFeasibleForSink(DataFlow::Node sink) {
+    any(ExecStateConfiguration conf).hasFlow(snd, sink)
+  }
+}
+
+/**
+ * A `TaintTracking` configuration that's used to find the relevant `ExecState`s for a
+ * given sink. This avoids a cartesian product between all sinks and all `ExecState`s in
+ * `ExecTaintConfiguration::isSink`.
+ */
+class ExecStateConfiguration extends TaintTracking2::Configuration {
+  ExecStateConfiguration() { this = "ExecStateConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists(ExecState state | state.getSndNode() = source)
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    shellCommand(sinkAsArgumentIndirection(sink), _)
+  }
+
+  override predicate isSanitizerOut(DataFlow::Node node) {
+    isSink(node, _) // Prevent duplicates along a call chain, since `shellCommand` will include wrappers
+  }
 }
 
 class ExecTaintConfiguration extends TaintTracking::Configuration {
@@ -94,8 +121,8 @@ class ExecTaintConfiguration extends TaintTracking::Configuration {
   }
 
   override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
-    shellCommand(sinkAsArgumentIndirection(sink), _) and
-    state instanceof ExecState
+    any(ExecStateConfiguration conf).isSink(sink) and
+    state.(ExecState).isFeasibleForSink(sink)
   }
 
   override predicate isAdditionalTaintStep(

cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql

@@ -17,8 +17,8 @@ import semmle.code.cpp.dataflow.DataFlow
 /**
  * A call to `SSL_get_verify_result`.
  */
-class SSLGetVerifyResultCall extends FunctionCall {
-  SSLGetVerifyResultCall() { getTarget().getName() = "SSL_get_verify_result" }
+class SslGetVerifyResultCall extends FunctionCall {
+  SslGetVerifyResultCall() { getTarget().getName() = "SSL_get_verify_result" }
 }
 
 /**
@@ -29,7 +29,7 @@ class VerifyResultConfig extends DataFlow::Configuration {
   VerifyResultConfig() { this = "VerifyResultConfig" }
 
   override predicate isSource(DataFlow::Node source) {
-    source.asExpr() instanceof SSLGetVerifyResultCall
+    source.asExpr() instanceof SslGetVerifyResultCall
   }
 
   override predicate isSink(DataFlow::Node sink) {

cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.ql

@@ -17,33 +17,33 @@ import semmle.code.cpp.controlflow.IRGuards
 /**
  * A call to `SSL_get_peer_certificate`.
  */
-class SSLGetPeerCertificateCall extends FunctionCall {
-  SSLGetPeerCertificateCall() {
+class SslGetPeerCertificateCall extends FunctionCall {
+  SslGetPeerCertificateCall() {
     getTarget().getName() = "SSL_get_peer_certificate" // SSL_get_peer_certificate(ssl)
   }
 
-  Expr getSSLArgument() { result = getArgument(0) }
+  Expr getSslArgument() { result = getArgument(0) }
 }
 
 /**
  * A call to `SSL_get_verify_result`.
  */
-class SSLGetVerifyResultCall extends FunctionCall {
-  SSLGetVerifyResultCall() {
+class SslGetVerifyResultCall extends FunctionCall {
+  SslGetVerifyResultCall() {
     getTarget().getName() = "SSL_get_verify_result" // SSL_get_peer_certificate(ssl)
   }
 
-  Expr getSSLArgument() { result = getArgument(0) }
+  Expr getSslArgument() { result = getArgument(0) }
 }
 
 /**
  * Holds if the SSL object passed into `SSL_get_peer_certificate` is checked with
  * `SSL_get_verify_result` entering `node`.
  */
-predicate resultIsChecked(SSLGetPeerCertificateCall getCertCall, ControlFlowNode node) {
-  exists(Expr ssl, SSLGetVerifyResultCall check |
-    ssl = globalValueNumber(getCertCall.getSSLArgument()).getAnExpr() and
-    ssl = check.getSSLArgument() and
+predicate resultIsChecked(SslGetPeerCertificateCall getCertCall, ControlFlowNode node) {
+  exists(Expr ssl, SslGetVerifyResultCall check |
+    ssl = globalValueNumber(getCertCall.getSslArgument()).getAnExpr() and
+    ssl = check.getSslArgument() and
     node = check
   )
 }
@@ -53,7 +53,7 @@ predicate resultIsChecked(SSLGetPeerCertificateCall getCertCall, ControlFlowNode
  * `0` on the edge `node1` to `node2`.
  */
 predicate certIsZero(
-  SSLGetPeerCertificateCall getCertCall, ControlFlowNode node1, ControlFlowNode node2
+  SslGetPeerCertificateCall getCertCall, ControlFlowNode node1, ControlFlowNode node2
 ) {
   exists(Expr cert | cert = globalValueNumber(getCertCall).getAnExpr() |
     exists(GuardCondition guard, Expr zero |
@@ -87,7 +87,7 @@ predicate certIsZero(
  * `SSL_get_verify_result` at `node`. Note that this is only computed at the call to
  * `SSL_get_peer_certificate` and at the start and end of `BasicBlock`s.
  */
-predicate certNotChecked(SSLGetPeerCertificateCall getCertCall, ControlFlowNode node) {
+predicate certNotChecked(SslGetPeerCertificateCall getCertCall, ControlFlowNode node) {
   // cert is not checked at the call to `SSL_get_peer_certificate`
   node = getCertCall
   or
@@ -112,7 +112,7 @@ predicate certNotChecked(SSLGetPeerCertificateCall getCertCall, ControlFlowNode
   )
 }
 
-from SSLGetPeerCertificateCall getCertCall, ControlFlowNode node
+from SslGetPeerCertificateCall getCertCall, ControlFlowNode node
 where
   certNotChecked(getCertCall, node) and
   node instanceof Function // (function exit)

cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql

@@ -26,6 +26,10 @@ class ToBufferConfiguration extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) { source instanceof FlowSource }
 
+  override predicate isSanitizer(DataFlow::Node node) {
+    node.asExpr().getUnspecifiedType() instanceof IntegralType
+  }
+
   override predicate isSink(DataFlow::Node sink) {
     exists(BufferWrite::BufferWrite w | w.getASource() = sink.asExpr())
   }

cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql

@@ -24,7 +24,7 @@ where
     if e = DefinitionInSnapshot()
     then defined = ""
     else
-      if e = SuggestiveSALAnnotation()
+      if e = SuggestiveSalAnnotation()
       then defined = "externally defined (SAL) "
       else defined = "externally defined (CSV) "
   )

cpp/ql/src/Security/CWE/CWE-457/InitializationFunctions.qll

@@ -149,7 +149,7 @@ newtype Evidence =
    * The function is externally defined, but the parameter has an `_out` SAL annotation which
    * suggests that it is initialized in the function.
    */
-  SuggestiveSALAnnotation() or
+  SuggestiveSalAnnotation() or
   /**
    * We have been given a CSV file which indicates this parameter is conditionally initialized.
    */
@@ -198,8 +198,8 @@ class InitializationFunction extends Function {
     or
     // If we have no definition, we look at SAL annotations
     not this.hasDefinition() and
-    this.getParameter(i).(SALParameter).isOut() and
-    evidence = SuggestiveSALAnnotation()
+    this.getParameter(i).(SalParameter).isOut() and
+    evidence = SuggestiveSalAnnotation()
     or
     // We have some external information that this function conditionally initializes
     not this.hasDefinition() and

cpp/ql/src/Security/CWE/CWE-497/SystemData.qll

@@ -47,14 +47,17 @@ class EnvData extends SystemData {
 /**
  * Data originating from a call to `mysql_get_client_info()`.
  */
-class SQLClientInfo extends SystemData {
-  SQLClientInfo() { this.(FunctionCall).getTarget().hasName("mysql_get_client_info") }
+class SqlClientInfo extends SystemData {
+  SqlClientInfo() { this.(FunctionCall).getTarget().hasName("mysql_get_client_info") }
 
   override DataFlow::Node getAnExpr() { result.asConvertedExpr() = this }
 
   override predicate isSensitive() { any() }
 }
 
+/** DEPRECATED: Alias for SqlClientInfo */
+deprecated class SQLClientInfo = SqlClientInfo;
+
 private predicate sqlConnectInfo(FunctionCall source, Expr use) {
   (
     source.getTarget().hasName("mysql_connect") or
@@ -66,14 +69,17 @@ private predicate sqlConnectInfo(FunctionCall source, Expr use) {
 /**
  * Data passed into an SQL connect function.
  */
-class SQLConnectInfo extends SystemData {
-  SQLConnectInfo() { sqlConnectInfo(this, _) }
+class SqlConnectInfo extends SystemData {
+  SqlConnectInfo() { sqlConnectInfo(this, _) }
 
   override DataFlow::Node getAnExpr() { sqlConnectInfo(this, result.asConvertedExpr()) }
 
   override predicate isSensitive() { any() }
 }
 
+/** DEPRECATED: Alias for SqlConnectInfo */
+deprecated class SQLConnectInfo = SqlConnectInfo;
+
 private predicate posixSystemInfo(FunctionCall source, DataFlow::Node use) {
   // size_t confstr(int name, char *buf, size_t len)
   //  - various OS / system strings, such as the libc version