Merge pull request #12831 from github/release-prep/2.13.0

Release preparation for version 2.13.0

.github/workflows/atm-check-query-suite.yml

@@ -1,102 +0,0 @@
-name: "ATM - Check query suite"
-
-env:
-  QUERY_PACK: javascript/ql/experimental/adaptivethreatmodeling/src
-  QUERY_SUITE: codeql-suites/javascript-atm-code-scanning.qls
-
-on:
-  pull_request:
-    paths:
-      - ".github/workflows/atm-check-query-suite.yml"
-      - "javascript/ql/experimental/adaptivethreatmodeling/**"
-  workflow_dispatch:
-
-jobs:
-  atm-check-query-suite:
-    runs-on: ubuntu-latest-xl
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Setup CodeQL
-        uses: ./.github/actions/fetch-codeql
-        with:
-          channel: release
-
-      - name: Cache compilation cache
-        id: query-cache
-        uses: ./.github/actions/cache-query-compilation
-        with: 
-          key: atm-suite
-
-      - name: Install ATM model
-        run: |
-          set -exu
-
-          # Install dependencies of ATM query pack, i.e. the ATM model
-          codeql pack install "${QUERY_PACK}"
-
-          # Retrieve model checksum
-          model_checksum=$(codeql resolve extensions "${QUERY_PACK}/${QUERY_SUITE}" | jq -r '.models[0].checksum')
-
-          # Trust the model so that we can use it in the ATM boosted queries
-          mkdir -p "$HOME/.config/codeql"
-          echo "--insecurely-execute-ml-model-checksums ${model_checksum}" >> "$HOME/.config/codeql/config"
-
-      - name: Create test DB
-        run: |
-          DB_PATH="${RUNNER_TEMP}/db"
-          echo "DB_PATH=${DB_PATH}" >> "${GITHUB_ENV}"
-
-          codeql database create "${DB_PATH}" --source-root config/atm --language javascript 
-
-      - name: Run ATM query suite
-        run: |
-          SARIF_PATH="${RUNNER_TEMP}/sarif.json"
-          echo "SARIF_PATH=${SARIF_PATH}" >> "${GITHUB_ENV}"
-
-          codeql database analyze \
-            --threads=0 \
-            --ram 50000 \
-            --format sarif-latest \
-            --output "${SARIF_PATH}" \
-            --sarif-group-rules-by-pack \
-            -vv \
-            --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" \
-            -- \
-            "${DB_PATH}" \
-            "${QUERY_PACK}/${QUERY_SUITE}"
-
-      - name: Upload SARIF
-        uses: actions/upload-artifact@v3
-        with:
-          name: javascript-ml-powered-queries.sarif
-          path: "${{ env.SARIF_PATH }}"
-          retention-days: 5
-
-      - name: Check results
-        run: |
-          # We should run at least the ML-powered queries in `expected_rules`.
-          expected_rules="js/ml-powered/nosql-injection js/ml-powered/path-injection js/ml-powered/sql-injection js/ml-powered/xss"
-
-          for rule in ${expected_rules}; do
-            found_rule=$(jq --arg rule "${rule}" '[.runs[0].tool.extensions[].rules | select(. != null) |
-              flatten | .[].id] | any(. == $rule)' "${SARIF_PATH}")
-            if [[ "${found_rule}" != "true" ]]; then
-              echo "Expected SARIF output to contain rule '${rule}', but found no such rule."
-              exit 1
-            else
-              echo "Found rule '${rule}'."
-            fi
-          done
-
-          # We should have at least one alert from an ML-powered query.
-          num_alerts=$(jq '[.runs[0].results[] |
-            select(.properties.score != null and (.rule.id | startswith("js/ml-powered/")))] | length' \
-            "${SARIF_PATH}")
-          if [[ "${num_alerts}" -eq 0 ]]; then
-            echo "Expected to find at least one alert from an ML-powered query but found ${num_alerts}."
-            exit 1
-          else
-            echo "Found ${num_alerts} alerts from ML-powered queries.";
-          fi

.github/workflows/atm-model-integration-tests.yml

@@ -1,12 +0,0 @@
-name: ATM Model Integration Tests
-
-on:
-  workflow_dispatch:
-
-jobs:
-  hello-world:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: foo
-        run: echo "Hello world"

.github/workflows/check-change-note.yml

@@ -8,6 +8,7 @@ on:
       - "*/ql/src/**/*.qll"
       - "*/ql/lib/**/*.ql"
       - "*/ql/lib/**/*.qll"
+      - "*/ql/lib/**/*.yml"
       - "!**/experimental/**"
       - "!ql/**"
       - "!swift/**"

.github/workflows/close-stale.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/stale@v7
+    - uses: actions/stale@v8
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `Stale` label in order to avoid having this issue closed in 7 days.'

.github/workflows/fast-forward.yml

@@ -0,0 +1,50 @@
+# Fast-forwards the branch specified in BRANCH_NAME
+# to the github.ref/sha that this workflow is run on.
+# Used as part of the release process, to ensure
+# external query writers can always access a branch of github/codeql
+# that is compatible with the latest stable release.
+name: Fast-forward tracking branch for selected CodeQL version
+on:
+  workflow_dispatch:
+
+jobs:
+  fast-forward:
+    name: Fast-forward tracking branch for selected CodeQL version
+    runs-on: ubuntu-latest
+    if: github.repository == 'github/codeql'
+    permissions:
+      contents: write
+    env:
+      BRANCH_NAME: 'lgtm.com'
+    steps:
+      - name: Validate chosen branch
+        if: ${{ !startsWith(github.ref_name, 'codeql-cli-') }}
+        shell: bash
+        run: |
+          echo "::error ::The $BRANCH_NAME tracking branch should only be fast-forwarded to the tip of a codeql-cli-* branch, got $GITHUB_REF_NAME instead."
+          exit 1
+
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Git config
+        shell: bash
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+      - name: Fetch
+        shell: bash
+        run: |
+          set -x
+          echo "Fetching $BRANCH_NAME"
+          # Explicitly unshallow and fetch to ensure the remote ref is available.
+          git fetch --unshallow origin "$BRANCH_NAME"
+          git checkout -b "$BRANCH_NAME" "origin/$BRANCH_NAME"
+
+      - name: Fast-forward
+        shell: bash
+        run: |
+          echo "Fast-forwarding $BRANCH_NAME to ${GITHUB_REF}@${GITHUB_SHA}"
+          git merge --ff-only "$GITHUB_SHA"
+          git push origin "$BRANCH_NAME"

.github/workflows/go-tests-other-os.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: macos-latest
     steps:
       - name: Set up Go 1.20
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
         with:
           go-version: 1.20.0
         id: go
@@ -48,7 +48,7 @@ jobs:
     runs-on: windows-latest-xl
     steps:
       - name: Set up Go 1.20
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
         with:
           go-version: 1.20.0
         id: go

.github/workflows/go-tests.yml

@@ -21,7 +21,7 @@ jobs:
     runs-on: ubuntu-latest-xl
     steps:
       - name: Set up Go 1.20
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
         with:
           go-version: 1.20.0
         id: go

.github/workflows/ruby-build.yml

@@ -48,6 +48,9 @@ jobs:
         run: |
           brew install gnu-tar
           echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
+      - name: Install cargo-cross
+        if: runner.os == 'Linux'
+        run: cargo install cross --version 0.2.5
       - uses: ./.github/actions/os-version
         id: os_version
       - name: Cache entire extractor
@@ -78,8 +81,18 @@ jobs:
       - name: Run tests
         if: steps.cache-extractor.outputs.cache-hit != 'true'
         run: cd extractor && cargo test --verbose
-      - name: Release build
-        if: steps.cache-extractor.outputs.cache-hit != 'true'
+      # On linux, build the extractor via cross in a centos7 container.
+      # This ensures we don't depend on glibc > 2.17.
+      - name: Release build (linux)
+        if: steps.cache-extractor.outputs.cache-hit != 'true' && runner.os == 'Linux'
+        run: |
+          cd extractor
+          cross build --release
+          mv target/x86_64-unknown-linux-gnu/release/extractor target/release/
+          mv target/x86_64-unknown-linux-gnu/release/autobuilder target/release/
+          mv target/x86_64-unknown-linux-gnu/release/generator target/release/
+      - name: Release build (windows and macos)
+        if: steps.cache-extractor.outputs.cache-hit != 'true' && runner.os != 'Linux'
         run: cd extractor && cargo build --release
       - name: Generate dbscheme
         if: ${{ matrix.os == 'ubuntu-latest' && steps.cache-extractor.outputs.cache-hit != 'true'}}
@@ -227,3 +240,54 @@ jobs:
         shell: bash
         run: |
           codeql database analyze --search-path "${{ runner.temp }}/ruby-bundle" --format=sarifv2.1.0 --output=out.sarif ../database ruby-code-scanning.qls
+
+  # This is a copy of the 'test' job that runs in a centos7 container.
+  # This tests that the extractor works correctly on systems with an old glibc.
+  test-centos7:
+    defaults:
+      run:
+        working-directory: ${{ github.workspace }}
+    strategy:
+      fail-fast: false
+    runs-on: ubuntu-latest
+    container:
+      image: centos:centos7
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    needs: [package]
+    steps:
+      - name: Install gh cli
+        run: |
+          yum-config-manager --add-repo https://cli.github.com/packages/rpm/gh-cli.repo
+          # fetch-codeql requires unzip and jq
+          # jq is available in epel-release (https://docs.fedoraproject.org/en-US/epel/)
+          yum install -y gh unzip epel-release
+          yum install -y jq
+      - uses: actions/checkout@v3
+      - name: Fetch CodeQL
+        uses: ./.github/actions/fetch-codeql
+
+      # Due to a bug in Actions, we can't use runner.temp in the run blocks here.
+      # https://github.com/actions/runner/issues/2185
+
+      - name: Download Ruby bundle
+        uses: actions/download-artifact@v3
+        with:
+          name: codeql-ruby-bundle
+          path: ${{ runner.temp }}
+      - name: Unzip Ruby bundle
+        shell: bash
+        run: unzip -q -d "$RUNNER_TEMP"/ruby-bundle "$RUNNER_TEMP"/codeql-ruby-bundle.zip
+
+      - name: Run QL test
+        shell: bash
+        run: |
+          codeql test run --search-path "$RUNNER_TEMP"/ruby-bundle --additional-packs "$RUNNER_TEMP"/ruby-bundle ruby/ql/test/library-tests/ast/constants/
+      - name: Create database
+        shell: bash
+        run: |
+          codeql database create --search-path "$RUNNER_TEMP"/ruby-bundle --language ruby --source-root ruby/ql/test/library-tests/ast/constants/ ../database
+      - name: Analyze database
+        shell: bash
+        run: |
+          codeql database analyze --search-path "$RUNNER_TEMP"/ruby-bundle --format=sarifv2.1.0 --output=out.sarif ../database ruby-code-scanning.qls

.github/workflows/ruby-qltest.yml

@@ -4,6 +4,7 @@ on:
   push:
     paths:
       - "ruby/**"
+      - "shared/**"
       - .github/workflows/ruby-build.yml
       - .github/actions/fetch-codeql/action.yml
       - codeql-workspace.yml

.pre-commit-config.yaml

@@ -19,7 +19,7 @@ repos:
     rev: v1.6.0
     hooks:
       - id: autopep8
-        files: ^swift/.*\.py
+        files: ^misc/codegen/.*\.py
 
   - repo: local
     hooks:

config/identical-files.json

@@ -123,6 +123,10 @@
     "java/ql/src/utils/modelgenerator/internal/CaptureModels.qll",
     "csharp/ql/src/utils/modelgenerator/internal/CaptureModels.qll"
   ],
+  "Model as Data Generation Java/C# - CaptureModelsPrinting": [
+    "java/ql/src/utils/modelgenerator/internal/CaptureModelsPrinting.qll",
+    "csharp/ql/src/utils/modelgenerator/internal/CaptureModelsPrinting.qll"
+  ],
   "Sign Java/C#": [
     "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/Sign.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/Sign.qll"
@@ -279,6 +283,11 @@
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRBlockImports.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRBlockImports.qll"
   ],
+  "C++ IR IRConsistencyImports": [
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConsistencyImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRConsistencyImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRConsistencyImports.qll"
+  ],
   "C++ IR IRFunctionImports": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRFunctionImports.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRFunctionImports.qll",
@@ -591,4 +600,4 @@
     "python/ql/lib/semmle/python/security/internal/EncryptionKeySizes.qll",
     "java/ql/lib/semmle/code/java/security/internal/EncryptionKeySizes.qll"
   ]
-}
+}

cpp/downgrades/19887dbd33327fb07d54251786e0cb2578539775/upgrade.properties

@@ -0,0 +1,4 @@
+description: Revert support for repeated initializers, which are allowed in C with designated initializers.
+compatibility: full
+aggregate_field_init.rel: reorder aggregate_field_init.rel (int aggregate, int initializer, int field, int position) aggregate initializer field
+aggregate_array_init.rel: reorder aggregate_array_init.rel (int aggregate, int initializer, int element_index, int position) aggregate initializer element_index

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,33 @@
+## 0.7.0
+
+### Breaking Changes
+
+* The internal `SsaConsistency` module has been moved from `SSAConstruction` to `SSAConsitency`, and the deprecated `SSAConsistency` module has been removed.
+
+### Deprecated APIs
+
+* The single-parameter predicates `ArrayOrVectorAggregateLiteral.getElementExpr` and `ClassAggregateLiteral.getFieldExpr` have been deprecated in favor of `ArrayOrVectorAggregateLiteral.getAnElementExpr` and `ClassAggregateLiteral.getAFieldExpr`.
+* The recently introduced new data flow and taint tracking APIs have had a
+  number of module and predicate renamings. The old APIs remain in place for
+  now.
+* The `SslContextCallAbstractConfig`, `SslContextCallConfig`, `SslContextCallBannedProtocolConfig`, `SslContextCallTls12ProtocolConfig`, `SslContextCallTls13ProtocolConfig`, `SslContextCallTlsProtocolConfig`, `SslContextFlowsToSetOptionConfig`, `SslOptionConfig` dataflow configurations from `BoostorgAsio` have been deprecated. Please use `SslContextCallConfigSig`, `SslContextCallGlobal`, `SslContextCallFlow`, `SslContextCallBannedProtocolFlow`, `SslContextCallTls12ProtocolFlow`, `SslContextCallTls13ProtocolFlow`, `SslContextCallTlsProtocolFlow`, `SslContextFlowsToSetOptionFlow`.
+
+### New Features
+
+* Added overridable predicates `getSizeExpr` and `getSizeMult` to the `BufferAccess` class (`semmle.code.cpp.security.BufferAccess.qll`). This makes it possible to model a larger class of buffer reads and writes using the library.
+
+### Minor Analysis Improvements
+
+* The `BufferAccess` library (`semmle.code.cpp.security.BufferAccess`) no longer matches buffer accesses inside unevaluated contexts (such as inside `sizeof` or `decltype` expressions). As a result, queries using this library may see fewer false positives.
+
+### Bug Fixes
+
+* Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular `DataFlow::hasFlowPath`, `DataFlow::hasFlow`, `DataFlow::hasFlowTo`, and `DataFlow::hasFlowToExpr` were accidentally exposed in a single version.
+
+## 0.6.1
+
+No user-facing changes.
+
 ## 0.6.0
 
 ### Breaking Changes

cpp/ql/lib/change-notes/released/0.6.1.md

@@ -0,0 +1,3 @@
+## 0.6.1
+
+No user-facing changes.

cpp/ql/lib/change-notes/released/0.7.0.md

@@ -0,0 +1,25 @@
+## 0.7.0
+
+### Breaking Changes
+
+* The internal `SsaConsistency` module has been moved from `SSAConstruction` to `SSAConsitency`, and the deprecated `SSAConsistency` module has been removed.
+
+### Deprecated APIs
+
+* The single-parameter predicates `ArrayOrVectorAggregateLiteral.getElementExpr` and `ClassAggregateLiteral.getFieldExpr` have been deprecated in favor of `ArrayOrVectorAggregateLiteral.getAnElementExpr` and `ClassAggregateLiteral.getAFieldExpr`.
+* The recently introduced new data flow and taint tracking APIs have had a
+  number of module and predicate renamings. The old APIs remain in place for
+  now.
+* The `SslContextCallAbstractConfig`, `SslContextCallConfig`, `SslContextCallBannedProtocolConfig`, `SslContextCallTls12ProtocolConfig`, `SslContextCallTls13ProtocolConfig`, `SslContextCallTlsProtocolConfig`, `SslContextFlowsToSetOptionConfig`, `SslOptionConfig` dataflow configurations from `BoostorgAsio` have been deprecated. Please use `SslContextCallConfigSig`, `SslContextCallGlobal`, `SslContextCallFlow`, `SslContextCallBannedProtocolFlow`, `SslContextCallTls12ProtocolFlow`, `SslContextCallTls13ProtocolFlow`, `SslContextCallTlsProtocolFlow`, `SslContextFlowsToSetOptionFlow`.
+
+### New Features
+
+* Added overridable predicates `getSizeExpr` and `getSizeMult` to the `BufferAccess` class (`semmle.code.cpp.security.BufferAccess.qll`). This makes it possible to model a larger class of buffer reads and writes using the library.
+
+### Minor Analysis Improvements
+
+* The `BufferAccess` library (`semmle.code.cpp.security.BufferAccess`) no longer matches buffer accesses inside unevaluated contexts (such as inside `sizeof` or `decltype` expressions). As a result, queries using this library may see fewer false positives.
+
+### Bug Fixes
+
+* Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular `DataFlow::hasFlowPath`, `DataFlow::hasFlow`, `DataFlow::hasFlowTo`, and `DataFlow::hasFlowToExpr` were accidentally exposed in a single version.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.0
+lastReleaseVersion: 0.7.0

cpp/ql/lib/experimental/semmle/code/cpp/dataflow/ProductFlow.qll

@@ -1,17 +1,146 @@
 import semmle.code.cpp.ir.dataflow.DataFlow
-import semmle.code.cpp.ir.dataflow.DataFlow2
+private import codeql.util.Unit
 
 module ProductFlow {
-  abstract class Configuration extends string {
-    bindingset[this]
-    Configuration() { any() }
-
+  signature module ConfigSig {
     /**
      * Holds if `(source1, source2)` is a relevant data flow source.
      *
      * `source1` and `source2` must belong to the same callable.
      */
-    predicate isSourcePair(DataFlow::Node source1, DataFlow::Node source2) { none() }
+    predicate isSourcePair(DataFlow::Node source1, DataFlow::Node source2);
+
+    /**
+     * Holds if `(sink1, sink2)` is a relevant data flow sink.
+     *
+     * `sink1` and `sink2` must belong to the same callable.
+     */
+    predicate isSinkPair(DataFlow::Node sink1, DataFlow::Node sink2);
+
+    /**
+     * Holds if data flow through `node` is prohibited through the first projection of the product
+     * dataflow graph.
+     */
+    default predicate isBarrier1(DataFlow::Node node) { none() }
+
+    /**
+     * Holds if data flow through `node` is prohibited through the second projection of the product
+     * dataflow graph.
+     */
+    default predicate isBarrier2(DataFlow::Node node) { none() }
+
+    /**
+     * Holds if data flow out of `node` is prohibited in the first projection of the product
+     * dataflow graph.
+     */
+    default predicate isBarrierOut1(DataFlow::Node node) { none() }
+
+    /**
+     * Holds if data flow out of `node` is prohibited in the second projection of the product
+     * dataflow graph.
+     */
+    default predicate isBarrierOut2(DataFlow::Node node) { none() }
+
+    /*
+     * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps in
+     * the first projection of the product dataflow graph.
+     */
+
+    default predicate isAdditionalFlowStep1(DataFlow::Node node1, DataFlow::Node node2) { none() }
+
+    /**
+     * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps in
+     * the second projection of the product dataflow graph.
+     */
+    default predicate isAdditionalFlowStep2(DataFlow::Node node1, DataFlow::Node node2) { none() }
+
+    /**
+     * Holds if data flow into `node` is prohibited in the first projection of the product
+     * dataflow graph.
+     */
+    default predicate isBarrierIn1(DataFlow::Node node) { none() }
+
+    /**
+     * Holds if data flow into `node` is prohibited in the second projection of the product
+     * dataflow graph.
+     */
+    default predicate isBarrierIn2(DataFlow::Node node) { none() }
+  }
+
+  module Global<ConfigSig Config> {
+    private module StateConfig implements StateConfigSig {
+      class FlowState1 = Unit;
+
+      class FlowState2 = Unit;
+
+      predicate isSourcePair(
+        DataFlow::Node source1, FlowState1 state1, DataFlow::Node source2, FlowState2 state2
+      ) {
+        exists(state1) and
+        exists(state2) and
+        Config::isSourcePair(source1, source2)
+      }
+
+      predicate isSinkPair(
+        DataFlow::Node sink1, FlowState1 state1, DataFlow::Node sink2, FlowState2 state2
+      ) {
+        exists(state1) and
+        exists(state2) and
+        Config::isSinkPair(sink1, sink2)
+      }
+
+      predicate isBarrier1(DataFlow::Node node, FlowState1 state) {
+        exists(state) and
+        Config::isBarrier1(node)
+      }
+
+      predicate isBarrier2(DataFlow::Node node, FlowState2 state) {
+        exists(state) and
+        Config::isBarrier2(node)
+      }
+
+      predicate isBarrier1 = Config::isBarrier1/1;
+
+      predicate isBarrier2 = Config::isBarrier2/1;
+
+      predicate isBarrierOut1 = Config::isBarrierOut1/1;
+
+      predicate isBarrierOut2 = Config::isBarrierOut2/1;
+
+      predicate isAdditionalFlowStep1 = Config::isAdditionalFlowStep1/2;
+
+      predicate isAdditionalFlowStep1(
+        DataFlow::Node node1, FlowState1 state1, DataFlow::Node node2, FlowState1 state2
+      ) {
+        exists(state1) and
+        exists(state2) and
+        Config::isAdditionalFlowStep1(node1, node2)
+      }
+
+      predicate isAdditionalFlowStep2 = Config::isAdditionalFlowStep2/2;
+
+      predicate isAdditionalFlowStep2(
+        DataFlow::Node node1, FlowState2 state1, DataFlow::Node node2, FlowState2 state2
+      ) {
+        exists(state1) and
+        exists(state2) and
+        Config::isAdditionalFlowStep2(node1, node2)
+      }
+
+      predicate isBarrierIn1 = Config::isBarrierIn1/1;
+
+      predicate isBarrierIn2 = Config::isBarrierIn2/1;
+    }
+
+    import GlobalWithState<StateConfig>
+  }
+
+  signature module StateConfigSig {
+    bindingset[this]
+    class FlowState1;
+
+    bindingset[this]
+    class FlowState2;
 
     /**
      * Holds if `(source1, source2)` is a relevant data flow source with initial states `state1`
@@ -20,20 +149,8 @@ module ProductFlow {
      * `source1` and `source2` must belong to the same callable.
      */
     predicate isSourcePair(
-      DataFlow::Node source1, DataFlow::FlowState state1, DataFlow::Node source2,
-      DataFlow::FlowState state2
-    ) {
-      state1 = "" and
-      state2 = "" and
-      this.isSourcePair(source1, source2)
-    }
-
-    /**
-     * Holds if `(sink1, sink2)` is a relevant data flow sink.
-     *
-     * `sink1` and `sink2` must belong to the same callable.
-     */
-    predicate isSinkPair(DataFlow::Node sink1, DataFlow::Node sink2) { none() }
+      DataFlow::Node source1, FlowState1 state1, DataFlow::Node source2, FlowState2 state2
+    );
 
     /**
      * Holds if `(sink1, sink2)` is a relevant data flow sink with final states `state1`
@@ -42,60 +159,51 @@ module ProductFlow {
      * `sink1` and `sink2` must belong to the same callable.
      */
     predicate isSinkPair(
-      DataFlow::Node sink1, DataFlow::FlowState state1, DataFlow::Node sink2,
-      DataFlow::FlowState state2
-    ) {
-      state1 = "" and
-      state2 = "" and
-      this.isSinkPair(sink1, sink2)
-    }
+      DataFlow::Node sink1, FlowState1 state1, DataFlow::Node sink2, FlowState2 state2
+    );
 
     /**
      * Holds if data flow through `node` is prohibited through the first projection of the product
      * dataflow graph when the flow state is `state`.
      */
-    predicate isBarrier1(DataFlow::Node node, DataFlow::FlowState state) {
-      this.isBarrier1(node) and state = ""
-    }
+    predicate isBarrier1(DataFlow::Node node, FlowState1 state);
 
     /**
      * Holds if data flow through `node` is prohibited through the second projection of the product
      * dataflow graph when the flow state is `state`.
      */
-    predicate isBarrier2(DataFlow::Node node, DataFlow::FlowState state) {
-      this.isBarrier2(node) and state = ""
-    }
+    predicate isBarrier2(DataFlow::Node node, FlowState2 state);
 
     /**
      * Holds if data flow through `node` is prohibited through the first projection of the product
      * dataflow graph.
      */
-    predicate isBarrier1(DataFlow::Node node) { none() }
+    default predicate isBarrier1(DataFlow::Node node) { none() }
 
     /**
      * Holds if data flow through `node` is prohibited through the second projection of the product
      * dataflow graph.
      */
-    predicate isBarrier2(DataFlow::Node node) { none() }
+    default predicate isBarrier2(DataFlow::Node node) { none() }
 
     /**
      * Holds if data flow out of `node` is prohibited in the first projection of the product
      * dataflow graph.
      */
-    predicate isBarrierOut1(DataFlow::Node node) { none() }
+    default predicate isBarrierOut1(DataFlow::Node node) { none() }
 
     /**
      * Holds if data flow out of `node` is prohibited in the second projection of the product
      * dataflow graph.
      */
-    predicate isBarrierOut2(DataFlow::Node node) { none() }
+    default predicate isBarrierOut2(DataFlow::Node node) { none() }
 
     /*
      * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps in
      * the first projection of the product dataflow graph.
      */
 
-    predicate isAdditionalFlowStep1(DataFlow::Node node1, DataFlow::Node node2) { none() }
+    default predicate isAdditionalFlowStep1(DataFlow::Node node1, DataFlow::Node node2) { none() }
 
     /**
      * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps in
@@ -104,19 +212,14 @@ module ProductFlow {
      * This step is only applicable in `state1` and updates the flow state to `state2`.
      */
     predicate isAdditionalFlowStep1(
-      DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-      DataFlow::FlowState state2
-    ) {
-      state1 instanceof DataFlow::FlowStateEmpty and
-      state2 instanceof DataFlow::FlowStateEmpty and
-      this.isAdditionalFlowStep1(node1, node2)
-    }
+      DataFlow::Node node1, FlowState1 state1, DataFlow::Node node2, FlowState1 state2
+    );
 
     /**
      * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps in
      * the second projection of the product dataflow graph.
      */
-    predicate isAdditionalFlowStep2(DataFlow::Node node1, DataFlow::Node node2) { none() }
+    default predicate isAdditionalFlowStep2(DataFlow::Node node1, DataFlow::Node node2) { none() }
 
     /**
      * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps in
@@ -125,177 +228,168 @@ module ProductFlow {
      * This step is only applicable in `state1` and updates the flow state to `state2`.
      */
     predicate isAdditionalFlowStep2(
-      DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-      DataFlow::FlowState state2
-    ) {
-      state1 instanceof DataFlow::FlowStateEmpty and
-      state2 instanceof DataFlow::FlowStateEmpty and
-      this.isAdditionalFlowStep2(node1, node2)
-    }
+      DataFlow::Node node1, FlowState2 state1, DataFlow::Node node2, FlowState2 state2
+    );
 
     /**
      * Holds if data flow into `node` is prohibited in the first projection of the product
      * dataflow graph.
      */
-    predicate isBarrierIn1(DataFlow::Node node) { none() }
+    default predicate isBarrierIn1(DataFlow::Node node) { none() }
 
     /**
      * Holds if data flow into `node` is prohibited in the second projection of the product
      * dataflow graph.
      */
-    predicate isBarrierIn2(DataFlow::Node node) { none() }
+    default predicate isBarrierIn2(DataFlow::Node node) { none() }
+  }
 
-    predicate hasFlowPath(
-      DataFlow::PathNode source1, DataFlow2::PathNode source2, DataFlow::PathNode sink1,
-      DataFlow2::PathNode sink2
+  module GlobalWithState<StateConfigSig Config> {
+    class PathNode1 = Flow1::PathNode;
+
+    class PathNode2 = Flow2::PathNode;
+
+    module PathGraph1 = Flow1::PathGraph;
+
+    module PathGraph2 = Flow2::PathGraph;
+
+    class FlowState1 = Config::FlowState1;
+
+    class FlowState2 = Config::FlowState2;
+
+    predicate flowPath(
+      Flow1::PathNode source1, Flow2::PathNode source2, Flow1::PathNode sink1, Flow2::PathNode sink2
     ) {
-      reachable(this, source1, source2, sink1, sink2)
+      reachable(source1, source2, sink1, sink2)
     }
-  }
 
-  private import Internal
+    private module Config1 implements DataFlow::StateConfigSig {
+      class FlowState = FlowState1;
 
-  module Internal {
-    class Conf1 extends DataFlow::Configuration {
-      Conf1() { this = "Conf1" }
-
-      override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
-        exists(Configuration conf | conf.isSourcePair(source, state, _, _))
+      predicate isSource(DataFlow::Node source, FlowState state) {
+        Config::isSourcePair(source, state, _, _)
       }
 
-      override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
-        exists(Configuration conf | conf.isSinkPair(sink, state, _, _))
+      predicate isSink(DataFlow::Node sink, FlowState state) {
+        Config::isSinkPair(sink, state, _, _)
       }
 
-      override predicate isBarrier(DataFlow::Node node, DataFlow::FlowState state) {
-        exists(Configuration conf | conf.isBarrier1(node, state))
-      }
+      predicate isBarrier(DataFlow::Node node, FlowState state) { Config::isBarrier1(node, state) }
 
-      override predicate isBarrierOut(DataFlow::Node node) {
-        exists(Configuration conf | conf.isBarrierOut1(node))
-      }
+      predicate isBarrierOut(DataFlow::Node node) { Config::isBarrierOut1(node) }
 
-      override predicate isAdditionalFlowStep(
-        DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-        DataFlow::FlowState state2
+      predicate isAdditionalFlowStep(
+        DataFlow::Node node1, FlowState1 state1, DataFlow::Node node2, FlowState state2
       ) {
-        exists(Configuration conf | conf.isAdditionalFlowStep1(node1, state1, node2, state2))
+        Config::isAdditionalFlowStep1(node1, state1, node2, state2)
       }
 
-      override predicate isBarrierIn(DataFlow::Node node) {
-        exists(Configuration conf | conf.isBarrierIn1(node))
-      }
+      predicate isBarrierIn(DataFlow::Node node) { Config::isBarrierIn1(node) }
     }
 
-    class Conf2 extends DataFlow2::Configuration {
-      Conf2() { this = "Conf2" }
+    module Flow1 = DataFlow::GlobalWithState<Config1>;
 
-      override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
-        exists(Configuration conf, DataFlow::PathNode source1 |
-          conf.isSourcePair(source1.getNode(), source1.getState(), source, state) and
-          any(Conf1 c).hasFlowPath(source1, _)
+    module Config2 implements DataFlow::StateConfigSig {
+      class FlowState = FlowState2;
+
+      predicate isSource(DataFlow::Node source, FlowState state) {
+        exists(Flow1::PathNode source1 |
+          Config::isSourcePair(source1.getNode(), source1.getState(), source, state) and
+          Flow1::flowPath(source1, _)
         )
       }
 
-      override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
-        exists(Configuration conf, DataFlow::PathNode sink1 |
-          conf.isSinkPair(sink1.getNode(), sink1.getState(), sink, state) and
-          any(Conf1 c).hasFlowPath(_, sink1)
+      predicate isSink(DataFlow::Node sink, FlowState state) {
+        exists(Flow1::PathNode sink1 |
+          Config::isSinkPair(sink1.getNode(), sink1.getState(), sink, state) and
+          Flow1::flowPath(_, sink1)
         )
       }
 
-      override predicate isBarrier(DataFlow::Node node, DataFlow::FlowState state) {
-        exists(Configuration conf | conf.isBarrier2(node, state))
-      }
+      predicate isBarrier(DataFlow::Node node, FlowState state) { Config::isBarrier2(node, state) }
 
-      override predicate isBarrierOut(DataFlow::Node node) {
-        exists(Configuration conf | conf.isBarrierOut2(node))
-      }
+      predicate isBarrierOut(DataFlow::Node node) { Config::isBarrierOut2(node) }
 
-      override predicate isAdditionalFlowStep(
-        DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-        DataFlow::FlowState state2
+      predicate isAdditionalFlowStep(
+        DataFlow::Node node1, FlowState state1, DataFlow::Node node2, FlowState state2
       ) {
-        exists(Configuration conf | conf.isAdditionalFlowStep2(node1, state1, node2, state2))
+        Config::isAdditionalFlowStep2(node1, state1, node2, state2)
       }
 
-      override predicate isBarrierIn(DataFlow::Node node) {
-        exists(Configuration conf | conf.isBarrierIn2(node))
-      }
+      predicate isBarrierIn(DataFlow::Node node) { Config::isBarrierIn2(node) }
     }
-  }
 
-  pragma[nomagic]
-  private predicate reachableInterprocEntry(
-    Configuration conf, DataFlow::PathNode source1, DataFlow2::PathNode source2,
-    DataFlow::PathNode node1, DataFlow2::PathNode node2
-  ) {
-    conf.isSourcePair(node1.getNode(), node1.getState(), node2.getNode(), node2.getState()) and
-    node1 = source1 and
-    node2 = source2
-    or
-    exists(
-      DataFlow::PathNode midEntry1, DataFlow2::PathNode midEntry2, DataFlow::PathNode midExit1,
-      DataFlow2::PathNode midExit2
-    |
-      reachableInterprocEntry(conf, source1, source2, midEntry1, midEntry2) and
-      interprocEdgePair(midExit1, midExit2, node1, node2) and
-      localPathStep1*(midEntry1, midExit1) and
-      localPathStep2*(midEntry2, midExit2)
-    )
-  }
+    module Flow2 = DataFlow::GlobalWithState<Config2>;
 
-  private predicate localPathStep1(DataFlow::PathNode pred, DataFlow::PathNode succ) {
-    DataFlow::PathGraph::edges(pred, succ) and
-    pragma[only_bind_out](pred.getNode().getEnclosingCallable()) =
-      pragma[only_bind_out](succ.getNode().getEnclosingCallable())
-  }
+    pragma[nomagic]
+    private predicate reachableInterprocEntry(
+      Flow1::PathNode source1, Flow2::PathNode source2, Flow1::PathNode node1, Flow2::PathNode node2
+    ) {
+      Config::isSourcePair(node1.getNode(), node1.getState(), node2.getNode(), node2.getState()) and
+      node1 = source1 and
+      node2 = source2
+      or
+      exists(
+        Flow1::PathNode midEntry1, Flow2::PathNode midEntry2, Flow1::PathNode midExit1,
+        Flow2::PathNode midExit2
+      |
+        reachableInterprocEntry(source1, source2, midEntry1, midEntry2) and
+        interprocEdgePair(midExit1, midExit2, node1, node2) and
+        localPathStep1*(midEntry1, midExit1) and
+        localPathStep2*(midEntry2, midExit2)
+      )
+    }
 
-  private predicate localPathStep2(DataFlow2::PathNode pred, DataFlow2::PathNode succ) {
-    DataFlow2::PathGraph::edges(pred, succ) and
-    pragma[only_bind_out](pred.getNode().getEnclosingCallable()) =
-      pragma[only_bind_out](succ.getNode().getEnclosingCallable())
-  }
+    private predicate localPathStep1(Flow1::PathNode pred, Flow1::PathNode succ) {
+      Flow1::PathGraph::edges(pred, succ) and
+      pragma[only_bind_out](pred.getNode().getEnclosingCallable()) =
+        pragma[only_bind_out](succ.getNode().getEnclosingCallable())
+    }
 
-  pragma[nomagic]
-  private predicate interprocEdge1(
-    Declaration predDecl, Declaration succDecl, DataFlow::PathNode pred1, DataFlow::PathNode succ1
-  ) {
-    DataFlow::PathGraph::edges(pred1, succ1) and
-    predDecl != succDecl and
-    pred1.getNode().getEnclosingCallable() = predDecl and
-    succ1.getNode().getEnclosingCallable() = succDecl
-  }
+    private predicate localPathStep2(Flow2::PathNode pred, Flow2::PathNode succ) {
+      Flow2::PathGraph::edges(pred, succ) and
+      pragma[only_bind_out](pred.getNode().getEnclosingCallable()) =
+        pragma[only_bind_out](succ.getNode().getEnclosingCallable())
+    }
 
-  pragma[nomagic]
-  private predicate interprocEdge2(
-    Declaration predDecl, Declaration succDecl, DataFlow2::PathNode pred2, DataFlow2::PathNode succ2
-  ) {
-    DataFlow2::PathGraph::edges(pred2, succ2) and
-    predDecl != succDecl and
-    pred2.getNode().getEnclosingCallable() = predDecl and
-    succ2.getNode().getEnclosingCallable() = succDecl
-  }
+    pragma[nomagic]
+    private predicate interprocEdge1(
+      Declaration predDecl, Declaration succDecl, Flow1::PathNode pred1, Flow1::PathNode succ1
+    ) {
+      Flow1::PathGraph::edges(pred1, succ1) and
+      predDecl != succDecl and
+      pred1.getNode().getEnclosingCallable() = predDecl and
+      succ1.getNode().getEnclosingCallable() = succDecl
+    }
 
-  private predicate interprocEdgePair(
-    DataFlow::PathNode pred1, DataFlow2::PathNode pred2, DataFlow::PathNode succ1,
-    DataFlow2::PathNode succ2
-  ) {
-    exists(Declaration predDecl, Declaration succDecl |
-      interprocEdge1(predDecl, succDecl, pred1, succ1) and
-      interprocEdge2(predDecl, succDecl, pred2, succ2)
-    )
-  }
+    pragma[nomagic]
+    private predicate interprocEdge2(
+      Declaration predDecl, Declaration succDecl, Flow2::PathNode pred2, Flow2::PathNode succ2
+    ) {
+      Flow2::PathGraph::edges(pred2, succ2) and
+      predDecl != succDecl and
+      pred2.getNode().getEnclosingCallable() = predDecl and
+      succ2.getNode().getEnclosingCallable() = succDecl
+    }
 
-  private predicate reachable(
-    Configuration conf, DataFlow::PathNode source1, DataFlow2::PathNode source2,
-    DataFlow::PathNode sink1, DataFlow2::PathNode sink2
-  ) {
-    exists(DataFlow::PathNode mid1, DataFlow2::PathNode mid2 |
-      reachableInterprocEntry(conf, source1, source2, mid1, mid2) and
-      conf.isSinkPair(sink1.getNode(), sink1.getState(), sink2.getNode(), sink2.getState()) and
-      localPathStep1*(mid1, sink1) and
-      localPathStep2*(mid2, sink2)
-    )
+    private predicate interprocEdgePair(
+      Flow1::PathNode pred1, Flow2::PathNode pred2, Flow1::PathNode succ1, Flow2::PathNode succ2
+    ) {
+      exists(Declaration predDecl, Declaration succDecl |
+        interprocEdge1(predDecl, succDecl, pred1, succ1) and
+        interprocEdge2(predDecl, succDecl, pred2, succ2)
+      )
+    }
+
+    private predicate reachable(
+      Flow1::PathNode source1, Flow2::PathNode source2, Flow1::PathNode sink1, Flow2::PathNode sink2
+    ) {
+      exists(Flow1::PathNode mid1, Flow2::PathNode mid2 |
+        reachableInterprocEntry(source1, source2, mid1, mid2) and
+        Config::isSinkPair(sink1.getNode(), sink1.getState(), sink2.getNode(), sink2.getState()) and
+        localPathStep1*(mid1, sink1) and
+        localPathStep2*(mid2, sink2)
+      )
+    }
   }
 }

cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/Bound.qll

@@ -1,86 +1 @@
-import cpp
-private import semmle.code.cpp.ir.IR
-private import semmle.code.cpp.ir.ValueNumbering
-
-private newtype TBound =
-  TBoundZero() or
-  TBoundValueNumber(ValueNumber vn) {
-    exists(Instruction i |
-      vn.getAnInstruction() = i and
-      (
-        i.getResultIRType() instanceof IRIntegerType or
-        i.getResultIRType() instanceof IRAddressType
-      ) and
-      not vn.getAnInstruction() instanceof ConstantInstruction
-    |
-      i instanceof PhiInstruction
-      or
-      i instanceof InitializeParameterInstruction
-      or
-      i instanceof CallInstruction
-      or
-      i instanceof VariableAddressInstruction
-      or
-      i instanceof FieldAddressInstruction
-      or
-      i.(LoadInstruction).getSourceAddress() instanceof VariableAddressInstruction
-      or
-      i.(LoadInstruction).getSourceAddress() instanceof FieldAddressInstruction
-      or
-      i.getAUse() instanceof ArgumentOperand
-      or
-      i instanceof PointerArithmeticInstruction
-      or
-      i.getAUse() instanceof AddressOperand
-    )
-  }
-
-/**
- * A bound that may be inferred for an expression plus/minus an integer delta.
- */
-abstract class Bound extends TBound {
-  abstract string toString();
-
-  /** Gets an expression that equals this bound plus `delta`. */
-  abstract Instruction getInstruction(int delta);
-
-  /** Gets an expression that equals this bound. */
-  Instruction getInstruction() { result = getInstruction(0) }
-
-  abstract Location getLocation();
-}
-
-/**
- * The bound that corresponds to the integer 0. This is used to represent all
- * integer bounds as bounds are always accompanied by an added integer delta.
- */
-class ZeroBound extends Bound, TBoundZero {
-  override string toString() { result = "0" }
-
-  override Instruction getInstruction(int delta) {
-    result.(ConstantValueInstruction).getValue().toInt() = delta
-  }
-
-  override Location getLocation() { result instanceof UnknownDefaultLocation }
-}
-
-/**
- * A bound corresponding to the value of an `Instruction`.
- */
-class ValueNumberBound extends Bound, TBoundValueNumber {
-  ValueNumber vn;
-
-  ValueNumberBound() { this = TBoundValueNumber(vn) }
-
-  /** Gets an `Instruction` that equals this bound. */
-  override Instruction getInstruction(int delta) {
-    this = TBoundValueNumber(valueNumber(result)) and delta = 0
-  }
-
-  override string toString() { result = "ValueNumberBound" }
-
-  override Location getLocation() { result = vn.getLocation() }
-
-  /** Gets the value number that equals this bound. */
-  ValueNumber getValueNumber() { result = vn }
-}
+import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.Bound

cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/ExtendedRangeAnalysis.qll

@@ -3,3 +3,4 @@ import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 // Import each extension we want to enable
 import extensions.SubtractSelf
 import extensions.ConstantBitwiseAndExprRange
+import extensions.StrlenLiteralRangeExpr

cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/RangeNode.qll

@@ -0,0 +1,115 @@
+/**
+ * This module implements subclasses for various DataFlow nodes that extends
+ * their `toString()` predicates with range information, if applicable. By
+ * including this module in a `path-problem` query, this range information
+ * will be displayed at each step in the query results.
+ *
+ * This is currently implemented for `DataFlow::ExprNode` and `DataFlow::DefinitionByReferenceNode`,
+ * but it is not yet implemented for `DataFlow::ParameterNode`.
+ */
+
+private import cpp
+private import semmle.code.cpp.dataflow.DataFlow
+private import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
+
+string getExprBoundAsString(Expr e) {
+  if exists(lowerBound(e)) and exists(upperBound(e))
+  then result = "[" + lowerBound(e) + ", " + upperBound(e) + "]"
+  else result = "[unknown range]"
+}
+
+/**
+ * Holds for any integer type after resolving typedefs and stripping `const`
+ * specifiers, such as for `const size_t`
+ */
+predicate isIntegralType(Type t) {
+  // We use `getUnspecifiedType` here because without it things like
+  // `const size_t` aren't considered to be integral
+  t.getUnspecifiedType() instanceof IntegralType
+}
+
+/**
+ * Holds for any reference to an integer type after resolving typedefs and
+ * stripping `const` specifiers, such as for `const size_t&`
+ */
+predicate isIntegralReferenceType(Type t) { isIntegralType(t.(ReferenceType).stripType()) }
+
+/**
+ * Holds for any pointer to an integer type after resolving typedefs and
+ * stripping `const` specifiers, such as for `const size_t*`. This predicate
+ * holds for any pointer depth, such as for `const size_t**`.
+ */
+predicate isIntegralPointerType(Type t) { isIntegralType(t.(PointerType).stripType()) }
+
+predicate hasIntegralOrReferenceIntegralType(Locatable e) {
+  exists(Type t |
+    (
+      t = e.(Expr).getUnspecifiedType()
+      or
+      // This will cover variables, parameters, type declarations, etc.
+      t = e.(DeclarationEntry).getUnspecifiedType()
+    ) and
+    (isIntegralType(t) or isIntegralReferenceType(t))
+  )
+}
+
+Expr getLOp(Operation o) {
+  result = o.(BinaryOperation).getLeftOperand() or
+  result = o.(Assignment).getLValue()
+}
+
+Expr getROp(Operation o) {
+  result = o.(BinaryOperation).getRightOperand() or
+  result = o.(Assignment).getRValue()
+}
+
+/**
+ * Display the ranges of expressions in the path view
+ */
+private class ExprRangeNode extends DataFlow::ExprNode {
+  pragma[inline]
+  private string getIntegralBounds(Expr arg) {
+    if hasIntegralOrReferenceIntegralType(arg)
+    then result = getExprBoundAsString(arg)
+    else result = ""
+  }
+
+  private string getOperationBounds(Operation e) {
+    result =
+      getExprBoundAsString(e) + " = " + getExprBoundAsString(getLOp(e)) + e.getOperator() +
+        getExprBoundAsString(getROp(e))
+  }
+
+  private string getCallBounds(Call e) {
+    result =
+      getExprBoundAsString(e) + "(" +
+        concat(Expr arg, int i | arg = e.getArgument(i) | getIntegralBounds(arg) order by i, ",") +
+        ")"
+  }
+
+  override string toString() {
+    exists(Expr e | e = getExpr() |
+      if hasIntegralOrReferenceIntegralType(e)
+      then
+        result = super.toString() + ": " + getOperationBounds(e)
+        or
+        result = super.toString() + ": " + getCallBounds(e)
+        or
+        not exists(getOperationBounds(e)) and
+        not exists(getCallBounds(e)) and
+        result = super.toString() + ": " + getExprBoundAsString(e)
+      else result = super.toString()
+    )
+  }
+}
+
+/**
+ * Display the ranges of expressions in the path view
+ */
+private class ReferenceArgumentRangeNode extends DataFlow::DefinitionByReferenceNode {
+  override string toString() {
+    if hasIntegralOrReferenceIntegralType(asDefiningArgument())
+    then result = super.toString() + ": " + getExprBoundAsString(getArgument())
+    else result = super.toString()
+  }
+}

cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/StrlenLiteralRangeExpr.qll

@@ -0,0 +1,18 @@
+private import cpp
+private import experimental.semmle.code.cpp.models.interfaces.SimpleRangeAnalysisExpr
+
+/**
+ * Provides range analysis information for calls to `strlen` on literal strings.
+ * For example, the range of `strlen("literal")` will be 7.
+ */
+class StrlenLiteralRangeExpr extends SimpleRangeAnalysisExpr, FunctionCall {
+  StrlenLiteralRangeExpr() {
+    getTarget().hasGlobalOrStdName("strlen") and getArgument(0).isConstant()
+  }
+
+  override int getLowerBounds() { result = getArgument(0).getValue().length() }
+
+  override int getUpperBounds() { result = getArgument(0).getValue().length() }
+
+  override predicate dependsOnChild(Expr e) { none() }
+}

cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll

@@ -54,7 +54,7 @@ module PrivateCleartextWrite {
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
   }
 
-  module WriteFlow = TaintTracking::Make<WriteConfig>;
+  module WriteFlow = TaintTracking::Global<WriteConfig>;
 
   class PrivateDataSource extends Source {
     PrivateDataSource() { this.getExpr() instanceof PrivateDataExpr }

cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeAnalysis.qll

@@ -1,24 +0,0 @@
-private import RangeAnalysisStage
-private import RangeAnalysisSpecific
-private import experimental.semmle.code.cpp.semantic.analysis.FloatDelta
-private import RangeUtils
-private import experimental.semmle.code.cpp.semantic.SemanticBound as SemanticBound
-
-module Bounds implements BoundSig<FloatDelta> {
-  class SemBound instanceof SemanticBound::SemBound {
-    string toString() { result = super.toString() }
-
-    SemExpr getExpr(float delta) { result = super.getExpr(delta) }
-  }
-
-  class SemZeroBound extends SemBound instanceof SemanticBound::SemZeroBound { }
-
-  class SemSsaBound extends SemBound instanceof SemanticBound::SemSsaBound {
-    SemSsaVariable getAVariable() { result = this.(SemanticBound::SemSsaBound).getAVariable() }
-  }
-}
-
-private module CppRangeAnalysis =
-  RangeStage<FloatDelta, Bounds, CppLangImpl, RangeUtil<FloatDelta, CppLangImpl>>;
-
-import CppRangeAnalysis

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.6.0
+version: 0.7.0
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
@@ -8,3 +8,4 @@ upgrades: upgrades
 dependencies:
   codeql/ssa: ${workspace}
   codeql/tutorial: ${workspace}
+  codeql/util: ${workspace}

cpp/ql/lib/semmle/code/cpp/PrintAST.qll

@@ -752,13 +752,13 @@ private predicate namedExprChildPredicates(Expr expr, Element ele, string pred)
     expr.(VariableAccess).getQualifier() = ele and pred = "getQualifier()"
     or
     exists(Field f |
-      expr.(ClassAggregateLiteral).getFieldExpr(f) = ele and
-      pred = "getFieldExpr(" + f.toString() + ")"
+      expr.(ClassAggregateLiteral).getAFieldExpr(f) = ele and
+      pred = "getAFieldExpr(" + f.toString() + ")"
     )
     or
     exists(int n |
-      expr.(ArrayOrVectorAggregateLiteral).getElementExpr(n) = ele and
-      pred = "getElementExpr(" + n.toString() + ")"
+      expr.(ArrayOrVectorAggregateLiteral).getAnElementExpr(n) = ele and
+      pred = "getAnElementExpr(" + n.toString() + ")"
     )
     or
     expr.(AlignofExprOperator).getExprOperand() = ele and pred = "getExprOperand()"

cpp/ql/lib/semmle/code/cpp/Variable.qll

@@ -133,7 +133,7 @@ class Variable extends Declaration, @variable {
     or
     exists(AssignExpr ae | ae.getLValue().(Access).getTarget() = this and result = ae.getRValue())
     or
-    exists(ClassAggregateLiteral l | result = l.getFieldExpr(this))
+    exists(ClassAggregateLiteral l | result = l.getAFieldExpr(this))
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlow.qll

@@ -2,7 +2,7 @@
  * Provides an implementation of global (interprocedural) data flow. This file
  * re-exports the local (intraprocedural) data flow analysis from
  * `DataFlowImplSpecific::Public` and adds a global analysis, mainly exposed
- * through the `Make` and `MakeWithState` modules.
+ * through the `Global` and `GlobalWithState` modules.
  */
 
 private import DataFlowImplCommon
@@ -73,10 +73,10 @@ signature module ConfigSig {
    */
   default FlowFeature getAFeature() { none() }
 
-  /** Holds if sources should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sources should be grouped in the result of `flowPath`. */
   default predicate sourceGrouping(Node source, string sourceGroup) { none() }
 
-  /** Holds if sinks should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sinks should be grouped in the result of `flowPath`. */
   default predicate sinkGrouping(Node sink, string sinkGroup) { none() }
 
   /**
@@ -166,10 +166,10 @@ signature module StateConfigSig {
    */
   default FlowFeature getAFeature() { none() }
 
-  /** Holds if sources should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sources should be grouped in the result of `flowPath`. */
   default predicate sourceGrouping(Node source, string sourceGroup) { none() }
 
-  /** Holds if sinks should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sinks should be grouped in the result of `flowPath`. */
   default predicate sinkGrouping(Node sink, string sinkGroup) { none() }
 
   /**
@@ -182,15 +182,15 @@ signature module StateConfigSig {
 }
 
 /**
- * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+ * Gets the exploration limit for `partialFlow` and `partialFlowRev`
  * measured in approximate number of interprocedural steps.
  */
 signature int explorationLimitSig();
 
 /**
- * The output of a data flow computation.
+ * The output of a global data flow computation.
  */
-signature module DataFlowSig {
+signature module GlobalFlowSig {
   /**
    * A `Node` augmented with a call context (except for sinks) and an access path.
    * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
@@ -203,28 +203,28 @@ signature module DataFlowSig {
    * The corresponding paths are generated from the end-points and the graph
    * included in the module `PathGraph`.
    */
-  predicate hasFlowPath(PathNode source, PathNode sink);
+  predicate flowPath(PathNode source, PathNode sink);
 
   /**
    * Holds if data can flow from `source` to `sink`.
    */
-  predicate hasFlow(Node source, Node sink);
+  predicate flow(Node source, Node sink);
 
   /**
    * Holds if data can flow from some source to `sink`.
    */
-  predicate hasFlowTo(Node sink);
+  predicate flowTo(Node sink);
 
   /**
    * Holds if data can flow from some source to `sink`.
    */
-  predicate hasFlowToExpr(DataFlowExpr sink);
+  predicate flowToExpr(DataFlowExpr sink);
 }
 
 /**
- * Constructs a standard data flow computation.
+ * Constructs a global data flow computation.
  */
-module Make<ConfigSig Config> implements DataFlowSig {
+module Global<ConfigSig Config> implements GlobalFlowSig {
   private module C implements FullStateConfigSig {
     import DefaultState<Config>
     import Config
@@ -233,10 +233,15 @@ module Make<ConfigSig Config> implements DataFlowSig {
   import Impl<C>
 }
 
+/** DEPRECATED: Use `Global` instead. */
+deprecated module Make<ConfigSig Config> implements GlobalFlowSig {
+  import Global<Config>
+}
+
 /**
- * Constructs a data flow computation using flow state.
+ * Constructs a global data flow computation using flow state.
  */
-module MakeWithState<StateConfigSig Config> implements DataFlowSig {
+module GlobalWithState<StateConfigSig Config> implements GlobalFlowSig {
   private module C implements FullStateConfigSig {
     import Config
   }
@@ -244,6 +249,11 @@ module MakeWithState<StateConfigSig Config> implements DataFlowSig {
   import Impl<C>
 }
 
+/** DEPRECATED: Use `GlobalWithState` instead. */
+deprecated module MakeWithState<StateConfigSig Config> implements GlobalFlowSig {
+  import GlobalWithState<Config>
+}
+
 signature class PathNodeSig {
   /** Gets a textual representation of this element. */
   string toString();

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowDispatch.qll

@@ -79,3 +79,13 @@ class ArgumentPosition extends int {
 /** Holds if arguments at position `apos` match parameters at position `ppos`. */
 pragma[inline]
 predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos }
+
+/**
+ * Holds if flow from `call`'s argument `arg` to parameter `p` is permissible.
+ *
+ * This is a temporary hook to support technical debt in the Go language; do not use.
+ */
+pragma[inline]
+predicate golangSpecificParamArgFilter(DataFlowCall call, ParameterNode p, ArgumentNode arg) {
+  any()
+}

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll

@@ -8,6 +8,7 @@ private import DataFlowImplCommon
 private import DataFlowImplSpecific::Private
 private import DataFlowImplSpecific::Public
 private import DataFlowImplCommonPublic
+private import codeql.util.Unit
 import DataFlow
 
 /**
@@ -91,10 +92,10 @@ signature module FullStateConfigSig {
    */
   FlowFeature getAFeature();
 
-  /** Holds if sources should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sources should be grouped in the result of `flowPath`. */
   predicate sourceGrouping(Node source, string sourceGroup);
 
-  /** Holds if sinks should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sinks should be grouped in the result of `flowPath`. */
   predicate sinkGrouping(Node sink, string sinkGroup);
 
   /**
@@ -418,6 +419,10 @@ module Impl<FullStateConfigSig Config> {
     )
   }
 
+  private predicate sourceCallCtx(CallContext cc) {
+    if hasSourceCallCtx() then cc instanceof CallContextSomeCall else cc instanceof CallContextAny
+  }
+
   private predicate hasSinkCallCtx() {
     exists(FlowFeature feature | feature = Config::getAFeature() |
       feature instanceof FeatureHasSinkCallContext or
@@ -441,11 +446,7 @@ module Impl<FullStateConfigSig Config> {
   }
 
   private module Stage1 implements StageSig {
-    class Ap extends int {
-      // workaround for bad functionality-induced joins (happens when using `Unit`)
-      pragma[nomagic]
-      Ap() { this in [0 .. 1] and this < 1 }
-    }
+    class Ap = Unit;
 
     private class Cc = boolean;
 
@@ -1141,19 +1142,13 @@ module Impl<FullStateConfigSig Config> {
       import Param
 
       /* Begin: Stage logic. */
-      // use an alias as a workaround for bad functionality-induced joins
-      pragma[nomagic]
-      private predicate revFlowApAlias(NodeEx node, ApApprox apa) {
-        PrevStage::revFlowAp(node, apa)
-      }
-
       pragma[nomagic]
       private predicate flowIntoCallApa(
         DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, ApApprox apa
       ) {
         flowIntoCall(call, arg, p, allowsFieldFlow) and
         PrevStage::revFlowAp(p, pragma[only_bind_into](apa)) and
-        revFlowApAlias(arg, pragma[only_bind_into](apa))
+        PrevStage::revFlowAp(arg, pragma[only_bind_into](apa))
       }
 
       pragma[nomagic]
@@ -1163,7 +1158,7 @@ module Impl<FullStateConfigSig Config> {
       ) {
         flowOutOfCall(call, ret, kind, out, allowsFieldFlow) and
         PrevStage::revFlowAp(out, pragma[only_bind_into](apa)) and
-        revFlowApAlias(ret, pragma[only_bind_into](apa))
+        PrevStage::revFlowAp(ret, pragma[only_bind_into](apa))
       }
 
       pragma[nomagic]
@@ -1691,16 +1686,6 @@ module Impl<FullStateConfigSig Config> {
       pragma[nomagic]
       predicate revFlowAp(NodeEx node, Ap ap) { revFlow(node, _, _, _, ap) }
 
-      // use an alias as a workaround for bad functionality-induced joins
-      pragma[nomagic]
-      additional predicate revFlowAlias(NodeEx node) { revFlow(node, _, _, _, _) }
-
-      // use an alias as a workaround for bad functionality-induced joins
-      pragma[nomagic]
-      additional predicate revFlowAlias(NodeEx node, FlowState state, Ap ap) {
-        revFlow(node, state, ap)
-      }
-
       private predicate fwdConsCand(TypedContent tc, Ap ap) { storeStepFwd(_, ap, tc, _, _) }
 
       private predicate revConsCand(TypedContent tc, Ap ap) { storeStepCand(_, ap, tc, _, _) }
@@ -1974,7 +1959,7 @@ module Impl<FullStateConfigSig Config> {
   ) {
     flowOutOfCallNodeCand1(call, node1, kind, node2, allowsFieldFlow) and
     Stage2::revFlow(node2) and
-    Stage2::revFlowAlias(node1)
+    Stage2::revFlow(node1)
   }
 
   pragma[nomagic]
@@ -1983,7 +1968,7 @@ module Impl<FullStateConfigSig Config> {
   ) {
     flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow) and
     Stage2::revFlow(node2) and
-    Stage2::revFlowAlias(node1)
+    Stage2::revFlow(node1)
   }
 
   private module LocalFlowBigStep {
@@ -2065,11 +2050,11 @@ module Impl<FullStateConfigSig Config> {
       additionalLocalFlowStepNodeCand1(node1, node2) and
       state1 = state2 and
       Stage2::revFlow(node1, pragma[only_bind_into](state1), false) and
-      Stage2::revFlowAlias(node2, pragma[only_bind_into](state2), false)
+      Stage2::revFlow(node2, pragma[only_bind_into](state2), false)
       or
       additionalLocalStateStep(node1, state1, node2, state2) and
       Stage2::revFlow(node1, state1, false) and
-      Stage2::revFlowAlias(node2, state2, false)
+      Stage2::revFlow(node2, state2, false)
     }
 
     /**
@@ -2262,7 +2247,7 @@ module Impl<FullStateConfigSig Config> {
     ) {
       localFlowBigStep(node1, state1, node2, state2, preservesValue, ap.getType(), _) and
       PrevStage::revFlow(node1, pragma[only_bind_into](state1), _) and
-      PrevStage::revFlowAlias(node2, pragma[only_bind_into](state2), _) and
+      PrevStage::revFlow(node2, pragma[only_bind_into](state2), _) and
       exists(lcc)
     }
 
@@ -2273,7 +2258,7 @@ module Impl<FullStateConfigSig Config> {
       exists(FlowState state |
         flowOutOfCallNodeCand2(call, node1, kind, node2, allowsFieldFlow) and
         PrevStage::revFlow(node2, pragma[only_bind_into](state), _) and
-        PrevStage::revFlowAlias(node1, pragma[only_bind_into](state), _)
+        PrevStage::revFlow(node1, pragma[only_bind_into](state), _)
       )
     }
 
@@ -2284,7 +2269,7 @@ module Impl<FullStateConfigSig Config> {
       exists(FlowState state |
         flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow) and
         PrevStage::revFlow(node2, pragma[only_bind_into](state), _) and
-        PrevStage::revFlowAlias(node1, pragma[only_bind_into](state), _)
+        PrevStage::revFlow(node1, pragma[only_bind_into](state), _)
       )
     }
 
@@ -2586,7 +2571,7 @@ module Impl<FullStateConfigSig Config> {
     ) {
       localFlowBigStep(node1, state1, node2, state2, preservesValue, ap.getType(), lcc) and
       PrevStage::revFlow(node1, pragma[only_bind_into](state1), _) and
-      PrevStage::revFlowAlias(node2, pragma[only_bind_into](state2), _)
+      PrevStage::revFlow(node2, pragma[only_bind_into](state2), _)
     }
 
     pragma[nomagic]
@@ -2596,7 +2581,7 @@ module Impl<FullStateConfigSig Config> {
       exists(FlowState state |
         flowOutOfCallNodeCand2(call, node1, kind, node2, allowsFieldFlow) and
         PrevStage::revFlow(node2, pragma[only_bind_into](state), _) and
-        PrevStage::revFlowAlias(node1, pragma[only_bind_into](state), _)
+        PrevStage::revFlow(node1, pragma[only_bind_into](state), _)
       )
     }
 
@@ -2607,7 +2592,7 @@ module Impl<FullStateConfigSig Config> {
       exists(FlowState state |
         flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow) and
         PrevStage::revFlow(node2, pragma[only_bind_into](state), _) and
-        PrevStage::revFlowAlias(node1, pragma[only_bind_into](state), _)
+        PrevStage::revFlow(node1, pragma[only_bind_into](state), _)
       )
     }
 
@@ -2804,11 +2789,7 @@ module Impl<FullStateConfigSig Config> {
       // A PathNode is introduced by a source ...
       Stage5::revFlow(node, state) and
       sourceNode(node, state) and
-      (
-        if hasSourceCallCtx()
-        then cc instanceof CallContextSomeCall
-        else cc instanceof CallContextAny
-      ) and
+      sourceCallCtx(cc) and
       sc instanceof SummaryCtxNone and
       ap = TAccessPathNil(node.getDataFlowType())
       or
@@ -3214,11 +3195,7 @@ module Impl<FullStateConfigSig Config> {
 
     override predicate isSource() {
       sourceNode(node, state) and
-      (
-        if hasSourceCallCtx()
-        then cc instanceof CallContextSomeCall
-        else cc instanceof CallContextAny
-      ) and
+      sourceCallCtx(cc) and
       sc instanceof SummaryCtxNone and
       ap = TAccessPathNil(node.getDataFlowType())
     }
@@ -3653,7 +3630,7 @@ module Impl<FullStateConfigSig Config> {
    * The corresponding paths are generated from the end-points and the graph
    * included in the module `PathGraph`.
    */
-  predicate hasFlowPath(PathNode source, PathNode sink) {
+  predicate flowPath(PathNode source, PathNode sink) {
     exists(PathNodeImpl flowsource, PathNodeImpl flowsink |
       source = flowsource and sink = flowsink
     |
@@ -3663,6 +3640,9 @@ module Impl<FullStateConfigSig Config> {
     )
   }
 
+  /** DEPRECATED: Use `flowPath` instead. */
+  deprecated predicate hasFlowPath = flowPath/2;
+
   private predicate flowsTo(PathNodeImpl flowsource, PathNodeSink flowsink, Node source, Node sink) {
     flowsource.isSource() and
     flowsource.getNodeEx().asNode() = source and
@@ -3673,17 +3653,26 @@ module Impl<FullStateConfigSig Config> {
   /**
    * Holds if data can flow from `source` to `sink`.
    */
-  predicate hasFlow(Node source, Node sink) { flowsTo(_, _, source, sink) }
+  predicate flow(Node source, Node sink) { flowsTo(_, _, source, sink) }
+
+  /** DEPRECATED: Use `flow` instead. */
+  deprecated predicate hasFlow = flow/2;
 
   /**
    * Holds if data can flow from some source to `sink`.
    */
-  predicate hasFlowTo(Node sink) { sink = any(PathNodeSink n).getNodeEx().asNode() }
+  predicate flowTo(Node sink) { sink = any(PathNodeSink n).getNodeEx().asNode() }
+
+  /** DEPRECATED: Use `flowTo` instead. */
+  deprecated predicate hasFlowTo = flowTo/1;
 
   /**
    * Holds if data can flow from some source to `sink`.
    */
-  predicate hasFlowToExpr(DataFlowExpr sink) { hasFlowTo(exprNode(sink)) }
+  predicate flowToExpr(DataFlowExpr sink) { flowTo(exprNode(sink)) }
+
+  /** DEPRECATED: Use `flowToExpr` instead. */
+  deprecated predicate hasFlowToExpr = flowToExpr/1;
 
   private predicate finalStats(
     boolean fwd, int nodes, int fields, int conscand, int states, int tuples
@@ -4594,7 +4583,7 @@ module Impl<FullStateConfigSig Config> {
      *
      * To use this in a `path-problem` query, import the module `PartialPathGraph`.
      */
-    predicate hasPartialFlow(PartialPathNode source, PartialPathNode node, int dist) {
+    predicate partialFlow(PartialPathNode source, PartialPathNode node, int dist) {
       partialFlow(source, node) and
       dist = node.getSourceDistance()
     }
@@ -4614,7 +4603,7 @@ module Impl<FullStateConfigSig Config> {
      * Note that reverse flow has slightly lower precision than the corresponding
      * forward flow, as reverse flow disregards type pruning among other features.
      */
-    predicate hasPartialFlowRev(PartialPathNode node, PartialPathNode sink, int dist) {
+    predicate partialFlowRev(PartialPathNode node, PartialPathNode sink, int dist) {
       revPartialFlow(node, sink) and
       dist = node.getSinkDistance()
     }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Make` and `MakeWithState` instead.
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.
@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  hasFlowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Make` and `MakeWithState` instead.
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.
@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  hasFlowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Make` and `MakeWithState` instead.
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.
@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  hasFlowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Make` and `MakeWithState` instead.
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.
@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  hasFlowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll

@@ -140,10 +140,8 @@ private module LambdaFlow {
   }
 
   pragma[nomagic]
-  private TReturnPositionSimple viableReturnPosLambda(
-    DataFlowCall call, DataFlowCallOption lastCall, ReturnKind kind
-  ) {
-    result = TReturnPositionSimple0(viableCallableLambda(call, lastCall), kind)
+  private TReturnPositionSimple viableReturnPosLambda(DataFlowCall call, ReturnKind kind) {
+    result = TReturnPositionSimple0(viableCallableLambda(call, _), kind)
   }
 
   private predicate viableReturnPosOutNonLambda(
@@ -155,11 +153,12 @@ private module LambdaFlow {
     )
   }
 
+  pragma[nomagic]
   private predicate viableReturnPosOutLambda(
-    DataFlowCall call, DataFlowCallOption lastCall, TReturnPositionSimple pos, OutNode out
+    DataFlowCall call, TReturnPositionSimple pos, OutNode out
   ) {
     exists(ReturnKind kind |
-      pos = viableReturnPosLambda(call, lastCall, kind) and
+      pos = viableReturnPosLambda(call, kind) and
       out = getAnOutNode(call, kind)
     )
   }
@@ -188,6 +187,7 @@ private module LambdaFlow {
     else any()
   }
 
+  pragma[assume_small_delta]
   pragma[nomagic]
   predicate revLambdaFlow0(
     DataFlowCall lambdaCall, LambdaCallKind kind, Node node, DataFlowType t, boolean toReturn,
@@ -274,6 +274,7 @@ private module LambdaFlow {
     )
   }
 
+  pragma[assume_small_delta]
   pragma[nomagic]
   predicate revLambdaFlowOut(
     DataFlowCall lambdaCall, LambdaCallKind kind, TReturnPositionSimple pos, DataFlowType t,
@@ -285,7 +286,7 @@ private module LambdaFlow {
       or
       // non-linear recursion
       revLambdaFlowOutLambdaCall(lambdaCall, kind, out, t, toJump, call, lastCall) and
-      viableReturnPosOutLambda(call, _, pos, out)
+      viableReturnPosOutLambda(call, pos, out)
     )
   }
 
@@ -424,7 +425,8 @@ private module Cached {
     exists(ParameterPosition ppos |
       viableParam(call, ppos, p) and
       argumentPositionMatch(call, arg, ppos) and
-      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p))
+      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p)) and
+      golangSpecificParamArgFilter(call, p, arg)
     )
   }
 

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Make` and `MakeWithState` instead.
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.
@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  hasFlowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll

@@ -3,6 +3,7 @@ private import DataFlowUtil
 private import DataFlowDispatch
 private import FlowVar
 private import DataFlowImplConsistency
+private import codeql.util.Unit
 
 /** Gets the callable in which this node occurs. */
 DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.getEnclosingCallable() }
@@ -158,7 +159,7 @@ predicate storeStep(Node node1, Content f, PostUpdateNode node2) {
     // `PostUpdateNode`, which means it must be an `ObjectInitializerNode`.
     node2.asExpr() = aggr and
     f.(FieldContent).getField() = field and
-    aggr.getFieldExpr(field) = node1.asExpr()
+    aggr.getAFieldExpr(field) = node1.asExpr()
   )
   or
   exists(FieldAccess fa |
@@ -264,15 +265,6 @@ int accessPathLimit() { result = 5 }
  */
 predicate forceHighPrecision(Content c) { none() }
 
-/** The unit type. */
-private newtype TUnit = TMkUnit()
-
-/** The trivial type with a single element. */
-class Unit extends TUnit {
-  /** Gets a textual representation of this element. */
-  string toString() { result = "unit" }
-}
-
 /** Holds if `n` should be hidden from path explanations. */
 predicate nodeIsHidden(Node n) { none() }
 

cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTracking.qll

@@ -33,9 +33,9 @@ private module AddTaintDefaults<DataFlowInternal::FullStateConfigSig Config> imp
 }
 
 /**
- * Constructs a standard taint tracking computation.
+ * Constructs a global taint tracking computation.
  */
-module Make<DataFlow::ConfigSig Config> implements DataFlow::DataFlowSig {
+module Global<DataFlow::ConfigSig Config> implements DataFlow::GlobalFlowSig {
   private module Config0 implements DataFlowInternal::FullStateConfigSig {
     import DataFlowInternal::DefaultState<Config>
     import Config
@@ -48,10 +48,15 @@ module Make<DataFlow::ConfigSig Config> implements DataFlow::DataFlowSig {
   import DataFlowInternal::Impl<C>
 }
 
+/** DEPRECATED: Use `Global` instead. */
+deprecated module Make<DataFlow::ConfigSig Config> implements DataFlow::GlobalFlowSig {
+  import Global<Config>
+}
+
 /**
- * Constructs a taint tracking computation using flow state.
+ * Constructs a global taint tracking computation using flow state.
  */
-module MakeWithState<DataFlow::StateConfigSig Config> implements DataFlow::DataFlowSig {
+module GlobalWithState<DataFlow::StateConfigSig Config> implements DataFlow::GlobalFlowSig {
   private module Config0 implements DataFlowInternal::FullStateConfigSig {
     import Config
   }
@@ -62,3 +67,8 @@ module MakeWithState<DataFlow::StateConfigSig Config> implements DataFlow::DataF
 
   import DataFlowInternal::Impl<C>
 }
+
+/** DEPRECATED: Use `GlobalWithState` instead. */
+deprecated module MakeWithState<DataFlow::StateConfigSig Config> implements DataFlow::GlobalFlowSig {
+  import GlobalWithState<Config>
+}

cpp/ql/lib/semmle/code/cpp/exprs/Lambda.qll

@@ -147,7 +147,7 @@ class LambdaCapture extends Locatable, @lambdacapture {
    */
   Expr getInitializer() {
     exists(LambdaExpression lambda | this = lambda.getCapture(_) |
-      result = lambda.getInitializer().getFieldExpr(this.getField())
+      result = lambda.getInitializer().getAFieldExpr(this.getField())
     )
   }
 }

cpp/ql/lib/semmle/code/cpp/exprs/Literal.qll

@@ -187,12 +187,44 @@ class ClassAggregateLiteral extends AggregateLiteral {
   override string getAPrimaryQlClass() { result = "ClassAggregateLiteral" }
 
   /**
+   * Gets an expression within the aggregate literal that is used to initialize
+   * field `field`, if present.
+   *
+   * This predicate may have multiple results since a field can be initialized
+   * multiple times in the same initializer.
+   */
+  Expr getAFieldExpr(Field field) { result = this.getFieldExpr(field, _) }
+
+  /**
+   * DEPRECATED: Use `getAFieldExpr` instead.
+   *
    * Gets the expression within the aggregate literal that is used to initialize
    * field `field`, if present.
+   *
+   * This predicate may have multiple results since a field can be initialized
+   * multiple times in the same initializer.
    */
-  Expr getFieldExpr(Field field) {
+  deprecated Expr getFieldExpr(Field field) { result = this.getFieldExpr(field, _) }
+
+  /**
+   * Gets the expression within the aggregate literal that is used to initialize
+   * field `field`, if present. The expression is the `position`'th entry in the
+   * aggregate literal.
+   *
+   * For example, if `aggr` represents the initialization literal `{.x = 123, .y = 456 .x = 789}` in
+   * ```cpp
+   * struct Foo { int x; int y; };
+   * struct Foo foo = {.x = 123, .y = 456 .x = 789};
+   * ```
+   * then:
+   * - `aggr.getFieldExpr(x, 0)` gives `123`.
+   * - `aggr.getFieldExpr(y, 1)` gives `456`.
+   * - `aggr.getFieldExpr(x, 2)` gives `789`.
+   */
+  Expr getFieldExpr(Field field, int position) {
     field = classType.getAField() and
-    aggregate_field_init(underlyingElement(this), unresolveElement(result), unresolveElement(field))
+    aggregate_field_init(underlyingElement(this), unresolveElement(result), unresolveElement(field),
+      position)
   }
 
   /**
@@ -206,7 +238,7 @@ class ClassAggregateLiteral extends AggregateLiteral {
     (
       // If the field has an explicit initializer expression, then the field is
       // initialized.
-      exists(this.getFieldExpr(field))
+      exists(this.getAFieldExpr(field))
       or
       // If the type is not a union, all fields without initializers are value
       // initialized.
@@ -230,7 +262,7 @@ class ClassAggregateLiteral extends AggregateLiteral {
   pragma[inline]
   predicate isValueInitialized(Field field) {
     this.isInitialized(field) and
-    not exists(this.getFieldExpr(field))
+    not exists(this.getAFieldExpr(field))
   }
 }
 
@@ -260,11 +292,41 @@ class ArrayOrVectorAggregateLiteral extends AggregateLiteral {
   Type getElementType() { none() }
 
   /**
+   * Gets an expression within the aggregate literal that is used to initialize
+   * element `elementIndex`, if present.
+   *
+   * This predicate may have multiple results since an element can be initialized
+   * multiple times in the same initializer.
+   */
+  Expr getAnElementExpr(int elementIndex) { result = this.getElementExpr(elementIndex, _) }
+
+  /**
+   * DEPRECATED: Use `getAnElementExpr` instead.
+   *
    * Gets the expression within the aggregate literal that is used to initialize
    * element `elementIndex`, if present.
+   *
+   * This predicate may have multiple results since an element can be initialized
+   * multiple times in the same initializer.
    */
-  Expr getElementExpr(int elementIndex) {
-    aggregate_array_init(underlyingElement(this), unresolveElement(result), elementIndex)
+  deprecated Expr getElementExpr(int elementIndex) { result = this.getElementExpr(elementIndex, _) }
+
+  /**
+   * Gets the expression within the aggregate literal that is used to initialize
+   * element `elementIndex`, if present. The expression is the `position`'th entry
+   * in the aggregate literal.
+   *
+   * For example, if `a` represents the initialization literal `{[0] = 123, [1] = 456, [0] = 789 }` in
+   * ```cpp
+   * int x[2] = {[0] = 123, [1] = 456, [0] = 789 };
+   * ```
+   * then:
+   * - `a.getElementExpr(0, 0)` gives `123`.
+   * - `a.getElementExpr(1, 1)` gives `456`.
+   * - `a.getElementExpr(0, 2)` gives `789`.
+   */
+  Expr getElementExpr(int elementIndex, int position) {
+    aggregate_array_init(underlyingElement(this), unresolveElement(result), elementIndex, position)
   }
 
   /**
@@ -289,7 +351,7 @@ class ArrayOrVectorAggregateLiteral extends AggregateLiteral {
   bindingset[elementIndex]
   predicate isValueInitialized(int elementIndex) {
     this.isInitialized(elementIndex) and
-    not exists(this.getElementExpr(elementIndex))
+    not exists(this.getAnElementExpr(elementIndex))
   }
 }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlow.qll

@@ -2,7 +2,7 @@
  * Provides an implementation of global (interprocedural) data flow. This file
  * re-exports the local (intraprocedural) data flow analysis from
  * `DataFlowImplSpecific::Public` and adds a global analysis, mainly exposed
- * through the `Make` and `MakeWithState` modules.
+ * through the `Global` and `GlobalWithState` modules.
  */
 
 private import DataFlowImplCommon
@@ -73,10 +73,10 @@ signature module ConfigSig {
    */
   default FlowFeature getAFeature() { none() }
 
-  /** Holds if sources should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sources should be grouped in the result of `flowPath`. */
   default predicate sourceGrouping(Node source, string sourceGroup) { none() }
 
-  /** Holds if sinks should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sinks should be grouped in the result of `flowPath`. */
   default predicate sinkGrouping(Node sink, string sinkGroup) { none() }
 
   /**
@@ -166,10 +166,10 @@ signature module StateConfigSig {
    */
   default FlowFeature getAFeature() { none() }
 
-  /** Holds if sources should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sources should be grouped in the result of `flowPath`. */
   default predicate sourceGrouping(Node source, string sourceGroup) { none() }
 
-  /** Holds if sinks should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sinks should be grouped in the result of `flowPath`. */
   default predicate sinkGrouping(Node sink, string sinkGroup) { none() }
 
   /**
@@ -182,15 +182,15 @@ signature module StateConfigSig {
 }
 
 /**
- * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+ * Gets the exploration limit for `partialFlow` and `partialFlowRev`
  * measured in approximate number of interprocedural steps.
  */
 signature int explorationLimitSig();
 
 /**
- * The output of a data flow computation.
+ * The output of a global data flow computation.
  */
-signature module DataFlowSig {
+signature module GlobalFlowSig {
   /**
    * A `Node` augmented with a call context (except for sinks) and an access path.
    * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
@@ -203,28 +203,28 @@ signature module DataFlowSig {
    * The corresponding paths are generated from the end-points and the graph
    * included in the module `PathGraph`.
    */
-  predicate hasFlowPath(PathNode source, PathNode sink);
+  predicate flowPath(PathNode source, PathNode sink);
 
   /**
    * Holds if data can flow from `source` to `sink`.
    */
-  predicate hasFlow(Node source, Node sink);
+  predicate flow(Node source, Node sink);
 
   /**
    * Holds if data can flow from some source to `sink`.
    */
-  predicate hasFlowTo(Node sink);
+  predicate flowTo(Node sink);
 
   /**
    * Holds if data can flow from some source to `sink`.
    */
-  predicate hasFlowToExpr(DataFlowExpr sink);
+  predicate flowToExpr(DataFlowExpr sink);
 }
 
 /**
- * Constructs a standard data flow computation.
+ * Constructs a global data flow computation.
  */
-module Make<ConfigSig Config> implements DataFlowSig {
+module Global<ConfigSig Config> implements GlobalFlowSig {
   private module C implements FullStateConfigSig {
     import DefaultState<Config>
     import Config
@@ -233,10 +233,15 @@ module Make<ConfigSig Config> implements DataFlowSig {
   import Impl<C>
 }
 
+/** DEPRECATED: Use `Global` instead. */
+deprecated module Make<ConfigSig Config> implements GlobalFlowSig {
+  import Global<Config>
+}
+
 /**
- * Constructs a data flow computation using flow state.
+ * Constructs a global data flow computation using flow state.
  */
-module MakeWithState<StateConfigSig Config> implements DataFlowSig {
+module GlobalWithState<StateConfigSig Config> implements GlobalFlowSig {
   private module C implements FullStateConfigSig {
     import Config
   }
@@ -244,6 +249,11 @@ module MakeWithState<StateConfigSig Config> implements DataFlowSig {
   import Impl<C>
 }
 
+/** DEPRECATED: Use `GlobalWithState` instead. */
+deprecated module MakeWithState<StateConfigSig Config> implements GlobalFlowSig {
+  import GlobalWithState<Config>
+}
+
 signature class PathNodeSig {
   /** Gets a textual representation of this element. */
   string toString();

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll

@@ -271,3 +271,13 @@ Function viableImplInCallContext(CallInstruction call, CallInstruction ctx) {
 /** Holds if arguments at position `apos` match parameters at position `ppos`. */
 pragma[inline]
 predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos }
+
+/**
+ * Holds if flow from `call`'s argument `arg` to parameter `p` is permissible.
+ *
+ * This is a temporary hook to support technical debt in the Go language; do not use.
+ */
+pragma[inline]
+predicate golangSpecificParamArgFilter(DataFlowCall call, ParameterNode p, ArgumentNode arg) {
+  any()
+}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll

@@ -8,6 +8,7 @@ private import DataFlowImplCommon
 private import DataFlowImplSpecific::Private
 private import DataFlowImplSpecific::Public
 private import DataFlowImplCommonPublic
+private import codeql.util.Unit
 import DataFlow
 
 /**
@@ -91,10 +92,10 @@ signature module FullStateConfigSig {
    */
   FlowFeature getAFeature();
 
-  /** Holds if sources should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sources should be grouped in the result of `flowPath`. */
   predicate sourceGrouping(Node source, string sourceGroup);
 
-  /** Holds if sinks should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sinks should be grouped in the result of `flowPath`. */
   predicate sinkGrouping(Node sink, string sinkGroup);
 
   /**
@@ -418,6 +419,10 @@ module Impl<FullStateConfigSig Config> {
     )
   }
 
+  private predicate sourceCallCtx(CallContext cc) {
+    if hasSourceCallCtx() then cc instanceof CallContextSomeCall else cc instanceof CallContextAny
+  }
+
   private predicate hasSinkCallCtx() {
     exists(FlowFeature feature | feature = Config::getAFeature() |
       feature instanceof FeatureHasSinkCallContext or
@@ -441,11 +446,7 @@ module Impl<FullStateConfigSig Config> {
   }
 
   private module Stage1 implements StageSig {
-    class Ap extends int {
-      // workaround for bad functionality-induced joins (happens when using `Unit`)
-      pragma[nomagic]
-      Ap() { this in [0 .. 1] and this < 1 }
-    }
+    class Ap = Unit;
 
     private class Cc = boolean;
 
@@ -1141,19 +1142,13 @@ module Impl<FullStateConfigSig Config> {
       import Param
 
       /* Begin: Stage logic. */
-      // use an alias as a workaround for bad functionality-induced joins
-      pragma[nomagic]
-      private predicate revFlowApAlias(NodeEx node, ApApprox apa) {
-        PrevStage::revFlowAp(node, apa)
-      }
-
       pragma[nomagic]
       private predicate flowIntoCallApa(
         DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, ApApprox apa
       ) {
         flowIntoCall(call, arg, p, allowsFieldFlow) and
         PrevStage::revFlowAp(p, pragma[only_bind_into](apa)) and
-        revFlowApAlias(arg, pragma[only_bind_into](apa))
+        PrevStage::revFlowAp(arg, pragma[only_bind_into](apa))
       }
 
       pragma[nomagic]
@@ -1163,7 +1158,7 @@ module Impl<FullStateConfigSig Config> {
       ) {
         flowOutOfCall(call, ret, kind, out, allowsFieldFlow) and
         PrevStage::revFlowAp(out, pragma[only_bind_into](apa)) and
-        revFlowApAlias(ret, pragma[only_bind_into](apa))
+        PrevStage::revFlowAp(ret, pragma[only_bind_into](apa))
       }
 
       pragma[nomagic]
@@ -1691,16 +1686,6 @@ module Impl<FullStateConfigSig Config> {
       pragma[nomagic]
       predicate revFlowAp(NodeEx node, Ap ap) { revFlow(node, _, _, _, ap) }
 
-      // use an alias as a workaround for bad functionality-induced joins
-      pragma[nomagic]
-      additional predicate revFlowAlias(NodeEx node) { revFlow(node, _, _, _, _) }
-
-      // use an alias as a workaround for bad functionality-induced joins
-      pragma[nomagic]
-      additional predicate revFlowAlias(NodeEx node, FlowState state, Ap ap) {
-        revFlow(node, state, ap)
-      }
-
       private predicate fwdConsCand(TypedContent tc, Ap ap) { storeStepFwd(_, ap, tc, _, _) }
 
       private predicate revConsCand(TypedContent tc, Ap ap) { storeStepCand(_, ap, tc, _, _) }
@@ -1974,7 +1959,7 @@ module Impl<FullStateConfigSig Config> {
   ) {
     flowOutOfCallNodeCand1(call, node1, kind, node2, allowsFieldFlow) and
     Stage2::revFlow(node2) and
-    Stage2::revFlowAlias(node1)
+    Stage2::revFlow(node1)
   }
 
   pragma[nomagic]
@@ -1983,7 +1968,7 @@ module Impl<FullStateConfigSig Config> {
   ) {
     flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow) and
     Stage2::revFlow(node2) and
-    Stage2::revFlowAlias(node1)
+    Stage2::revFlow(node1)
   }
 
   private module LocalFlowBigStep {
@@ -2065,11 +2050,11 @@ module Impl<FullStateConfigSig Config> {
       additionalLocalFlowStepNodeCand1(node1, node2) and
       state1 = state2 and
       Stage2::revFlow(node1, pragma[only_bind_into](state1), false) and
-      Stage2::revFlowAlias(node2, pragma[only_bind_into](state2), false)
+      Stage2::revFlow(node2, pragma[only_bind_into](state2), false)
       or
       additionalLocalStateStep(node1, state1, node2, state2) and
       Stage2::revFlow(node1, state1, false) and
-      Stage2::revFlowAlias(node2, state2, false)
+      Stage2::revFlow(node2, state2, false)
     }
 
     /**
@@ -2262,7 +2247,7 @@ module Impl<FullStateConfigSig Config> {
     ) {
       localFlowBigStep(node1, state1, node2, state2, preservesValue, ap.getType(), _) and
       PrevStage::revFlow(node1, pragma[only_bind_into](state1), _) and
-      PrevStage::revFlowAlias(node2, pragma[only_bind_into](state2), _) and
+      PrevStage::revFlow(node2, pragma[only_bind_into](state2), _) and
       exists(lcc)
     }
 
@@ -2273,7 +2258,7 @@ module Impl<FullStateConfigSig Config> {
       exists(FlowState state |
         flowOutOfCallNodeCand2(call, node1, kind, node2, allowsFieldFlow) and
         PrevStage::revFlow(node2, pragma[only_bind_into](state), _) and
-        PrevStage::revFlowAlias(node1, pragma[only_bind_into](state), _)
+        PrevStage::revFlow(node1, pragma[only_bind_into](state), _)
       )
     }
 
@@ -2284,7 +2269,7 @@ module Impl<FullStateConfigSig Config> {
       exists(FlowState state |
         flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow) and
         PrevStage::revFlow(node2, pragma[only_bind_into](state), _) and
-        PrevStage::revFlowAlias(node1, pragma[only_bind_into](state), _)
+        PrevStage::revFlow(node1, pragma[only_bind_into](state), _)
       )
     }
 
@@ -2586,7 +2571,7 @@ module Impl<FullStateConfigSig Config> {
     ) {
       localFlowBigStep(node1, state1, node2, state2, preservesValue, ap.getType(), lcc) and
       PrevStage::revFlow(node1, pragma[only_bind_into](state1), _) and
-      PrevStage::revFlowAlias(node2, pragma[only_bind_into](state2), _)
+      PrevStage::revFlow(node2, pragma[only_bind_into](state2), _)
     }
 
     pragma[nomagic]
@@ -2596,7 +2581,7 @@ module Impl<FullStateConfigSig Config> {
       exists(FlowState state |
         flowOutOfCallNodeCand2(call, node1, kind, node2, allowsFieldFlow) and
         PrevStage::revFlow(node2, pragma[only_bind_into](state), _) and
-        PrevStage::revFlowAlias(node1, pragma[only_bind_into](state), _)
+        PrevStage::revFlow(node1, pragma[only_bind_into](state), _)
       )
     }
 
@@ -2607,7 +2592,7 @@ module Impl<FullStateConfigSig Config> {
       exists(FlowState state |
         flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow) and
         PrevStage::revFlow(node2, pragma[only_bind_into](state), _) and
-        PrevStage::revFlowAlias(node1, pragma[only_bind_into](state), _)
+        PrevStage::revFlow(node1, pragma[only_bind_into](state), _)
       )
     }
 
@@ -2804,11 +2789,7 @@ module Impl<FullStateConfigSig Config> {
       // A PathNode is introduced by a source ...
       Stage5::revFlow(node, state) and
       sourceNode(node, state) and
-      (
-        if hasSourceCallCtx()
-        then cc instanceof CallContextSomeCall
-        else cc instanceof CallContextAny
-      ) and
+      sourceCallCtx(cc) and
       sc instanceof SummaryCtxNone and
       ap = TAccessPathNil(node.getDataFlowType())
       or
@@ -3214,11 +3195,7 @@ module Impl<FullStateConfigSig Config> {
 
     override predicate isSource() {
       sourceNode(node, state) and
-      (
-        if hasSourceCallCtx()
-        then cc instanceof CallContextSomeCall
-        else cc instanceof CallContextAny
-      ) and
+      sourceCallCtx(cc) and
       sc instanceof SummaryCtxNone and
       ap = TAccessPathNil(node.getDataFlowType())
     }
@@ -3653,7 +3630,7 @@ module Impl<FullStateConfigSig Config> {
    * The corresponding paths are generated from the end-points and the graph
    * included in the module `PathGraph`.
    */
-  predicate hasFlowPath(PathNode source, PathNode sink) {
+  predicate flowPath(PathNode source, PathNode sink) {
     exists(PathNodeImpl flowsource, PathNodeImpl flowsink |
       source = flowsource and sink = flowsink
     |
@@ -3663,6 +3640,9 @@ module Impl<FullStateConfigSig Config> {
     )
   }
 
+  /** DEPRECATED: Use `flowPath` instead. */
+  deprecated predicate hasFlowPath = flowPath/2;
+
   private predicate flowsTo(PathNodeImpl flowsource, PathNodeSink flowsink, Node source, Node sink) {
     flowsource.isSource() and
     flowsource.getNodeEx().asNode() = source and
@@ -3673,17 +3653,26 @@ module Impl<FullStateConfigSig Config> {
   /**
    * Holds if data can flow from `source` to `sink`.
    */
-  predicate hasFlow(Node source, Node sink) { flowsTo(_, _, source, sink) }
+  predicate flow(Node source, Node sink) { flowsTo(_, _, source, sink) }
+
+  /** DEPRECATED: Use `flow` instead. */
+  deprecated predicate hasFlow = flow/2;
 
   /**
    * Holds if data can flow from some source to `sink`.
    */
-  predicate hasFlowTo(Node sink) { sink = any(PathNodeSink n).getNodeEx().asNode() }
+  predicate flowTo(Node sink) { sink = any(PathNodeSink n).getNodeEx().asNode() }
+
+  /** DEPRECATED: Use `flowTo` instead. */
+  deprecated predicate hasFlowTo = flowTo/1;
 
   /**
    * Holds if data can flow from some source to `sink`.
    */
-  predicate hasFlowToExpr(DataFlowExpr sink) { hasFlowTo(exprNode(sink)) }
+  predicate flowToExpr(DataFlowExpr sink) { flowTo(exprNode(sink)) }
+
+  /** DEPRECATED: Use `flowToExpr` instead. */
+  deprecated predicate hasFlowToExpr = flowToExpr/1;
 
   private predicate finalStats(
     boolean fwd, int nodes, int fields, int conscand, int states, int tuples
@@ -4594,7 +4583,7 @@ module Impl<FullStateConfigSig Config> {
      *
      * To use this in a `path-problem` query, import the module `PartialPathGraph`.
      */
-    predicate hasPartialFlow(PartialPathNode source, PartialPathNode node, int dist) {
+    predicate partialFlow(PartialPathNode source, PartialPathNode node, int dist) {
       partialFlow(source, node) and
       dist = node.getSourceDistance()
     }
@@ -4614,7 +4603,7 @@ module Impl<FullStateConfigSig Config> {
      * Note that reverse flow has slightly lower precision than the corresponding
      * forward flow, as reverse flow disregards type pruning among other features.
      */
-    predicate hasPartialFlowRev(PartialPathNode node, PartialPathNode sink, int dist) {
+    predicate partialFlowRev(PartialPathNode node, PartialPathNode sink, int dist) {
       revPartialFlow(node, sink) and
       dist = node.getSinkDistance()
     }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Make` and `MakeWithState` instead.
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.
@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  hasFlowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Make` and `MakeWithState` instead.
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.
@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  hasFlowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Make` and `MakeWithState` instead.
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.
@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  hasFlowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Make` and `MakeWithState` instead.
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.
@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }
 
 private import Impl<Config> as I
-import I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  hasFlowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll

@@ -140,10 +140,8 @@ private module LambdaFlow {
   }
 
   pragma[nomagic]
-  private TReturnPositionSimple viableReturnPosLambda(
-    DataFlowCall call, DataFlowCallOption lastCall, ReturnKind kind
-  ) {
-    result = TReturnPositionSimple0(viableCallableLambda(call, lastCall), kind)
+  private TReturnPositionSimple viableReturnPosLambda(DataFlowCall call, ReturnKind kind) {
+    result = TReturnPositionSimple0(viableCallableLambda(call, _), kind)
   }
 
   private predicate viableReturnPosOutNonLambda(
@@ -155,11 +153,12 @@ private module LambdaFlow {
     )
   }
 
+  pragma[nomagic]
   private predicate viableReturnPosOutLambda(
-    DataFlowCall call, DataFlowCallOption lastCall, TReturnPositionSimple pos, OutNode out
+    DataFlowCall call, TReturnPositionSimple pos, OutNode out
   ) {
     exists(ReturnKind kind |
-      pos = viableReturnPosLambda(call, lastCall, kind) and
+      pos = viableReturnPosLambda(call, kind) and
       out = getAnOutNode(call, kind)
     )
   }
@@ -188,6 +187,7 @@ private module LambdaFlow {
     else any()
   }
 
+  pragma[assume_small_delta]
   pragma[nomagic]
   predicate revLambdaFlow0(
     DataFlowCall lambdaCall, LambdaCallKind kind, Node node, DataFlowType t, boolean toReturn,
@@ -274,6 +274,7 @@ private module LambdaFlow {
     )
   }
 
+  pragma[assume_small_delta]
   pragma[nomagic]
   predicate revLambdaFlowOut(
     DataFlowCall lambdaCall, LambdaCallKind kind, TReturnPositionSimple pos, DataFlowType t,
@@ -285,7 +286,7 @@ private module LambdaFlow {
       or
       // non-linear recursion
       revLambdaFlowOutLambdaCall(lambdaCall, kind, out, t, toJump, call, lastCall) and
-      viableReturnPosOutLambda(call, _, pos, out)
+      viableReturnPosOutLambda(call, pos, out)
     )
   }
 
@@ -424,7 +425,8 @@ private module Cached {
     exists(ParameterPosition ppos |
       viableParam(call, ppos, p) and
       argumentPositionMatch(call, arg, ppos) and
-      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p))
+      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p)) and
+      golangSpecificParamArgFilter(call, p, arg)
     )
   }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -6,6 +6,7 @@ private import DataFlowImplConsistency
 private import semmle.code.cpp.ir.internal.IRCppLanguage
 private import SsaInternals as Ssa
 private import DataFlowImplCommon as DataFlowImplCommon
+private import codeql.util.Unit
 
 cached
 private module Cached {
@@ -799,15 +800,6 @@ int accessPathLimit() { result = 5 }
  */
 predicate forceHighPrecision(Content c) { none() }
 
-/** The unit type. */
-private newtype TUnit = TMkUnit()
-
-/** The trivial type with a single element. */
-class Unit extends TUnit {
-  /** Gets a textual representation of this element. */
-  string toString() { result = "unit" }
-}
-
 /** Holds if `n` should be hidden from path explanations. */
 predicate nodeIsHidden(Node n) {
   n instanceof OperandNode and

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DefaultTaintTrackingImpl.qll

@@ -9,7 +9,6 @@ import cpp
 import semmle.code.cpp.security.Security
 private import semmle.code.cpp.ir.dataflow.DataFlow
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
-private import semmle.code.cpp.ir.dataflow.DataFlow3
 private import semmle.code.cpp.ir.IR
 private import semmle.code.cpp.ir.dataflow.ResolveCall
 private import semmle.code.cpp.controlflow.IRGuards
@@ -90,65 +89,64 @@ private predicate conflatePointerAndPointee(DataFlow::Node nodeFrom, DataFlow::N
   )
 }
 
-private class DefaultTaintTrackingCfg extends TaintTracking::Configuration {
-  DefaultTaintTrackingCfg() { this = "DefaultTaintTrackingCfg" }
+private module DefaultTaintTrackingConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source = getNodeForSource(_) }
 
-  override predicate isSource(DataFlow::Node source) { source = getNodeForSource(_) }
+  predicate isSink(DataFlow::Node sink) { exists(adjustedSink(sink)) }
 
-  override predicate isSink(DataFlow::Node sink) { exists(adjustedSink(sink)) }
+  predicate isBarrier(DataFlow::Node node) { nodeIsBarrier(node) }
 
-  override predicate isSanitizer(DataFlow::Node node) { nodeIsBarrier(node) }
+  predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
 
-  override predicate isSanitizerIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     conflatePointerAndPointee(nodeFrom, nodeTo)
   }
 }
 
-private class ToGlobalVarTaintTrackingCfg extends TaintTracking::Configuration {
-  ToGlobalVarTaintTrackingCfg() { this = "GlobalVarTaintTrackingCfg" }
+private module DefaultTaintTrackingFlow = TaintTracking::Global<DefaultTaintTrackingConfig>;
 
-  override predicate isSource(DataFlow::Node source) { source = getNodeForSource(_) }
+private module ToGlobalVarTaintTrackingConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source = getNodeForSource(_) }
 
-  override predicate isSink(DataFlow::Node sink) {
-    sink.asVariable() instanceof GlobalOrNamespaceVariable
-  }
+  predicate isSink(DataFlow::Node sink) { sink.asVariable() instanceof GlobalOrNamespaceVariable }
 
-  override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
+  predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
     writesVariable(n1.asInstruction(), n2.asVariable().(GlobalOrNamespaceVariable))
     or
     readsVariable(n2.asInstruction(), n1.asVariable().(GlobalOrNamespaceVariable))
   }
 
-  override predicate isSanitizer(DataFlow::Node node) { nodeIsBarrier(node) }
+  predicate isBarrier(DataFlow::Node node) { nodeIsBarrier(node) }
 
-  override predicate isSanitizerIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
+  predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
 }
 
-private class FromGlobalVarTaintTrackingCfg extends TaintTracking2::Configuration {
-  FromGlobalVarTaintTrackingCfg() { this = "FromGlobalVarTaintTrackingCfg" }
+private module ToGlobalVarTaintTrackingFlow = TaintTracking::Global<ToGlobalVarTaintTrackingConfig>;
 
-  override predicate isSource(DataFlow::Node source) {
+private module FromGlobalVarTaintTrackingConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
     // This set of sources should be reasonably small, which is good for
     // performance since the set of sinks is very large.
-    exists(ToGlobalVarTaintTrackingCfg otherCfg | otherCfg.hasFlowTo(source))
+    ToGlobalVarTaintTrackingFlow::flowTo(source)
   }
 
-  override predicate isSink(DataFlow::Node sink) { exists(adjustedSink(sink)) }
+  predicate isSink(DataFlow::Node sink) { exists(adjustedSink(sink)) }
 
-  override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
+  predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
     // Additional step for flow out of variables. There is no flow _into_
     // variables in this configuration, so this step only serves to take flow
     // out of a variable that's a source.
     readsVariable(n2.asInstruction(), n1.asVariable())
   }
 
-  override predicate isSanitizer(DataFlow::Node node) { nodeIsBarrier(node) }
+  predicate isBarrier(DataFlow::Node node) { nodeIsBarrier(node) }
 
-  override predicate isSanitizerIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
+  predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
 }
 
+private module FromGlobalVarTaintTrackingFlow =
+  TaintTracking::Global<FromGlobalVarTaintTrackingConfig>;
+
 private predicate readsVariable(LoadInstruction load, Variable var) {
   load.getSourceAddress().(VariableAddressInstruction).getAstVariable() = var
 }
@@ -332,8 +330,8 @@ private import Cached
  */
 cached
 predicate tainted(Expr source, Element tainted) {
-  exists(DefaultTaintTrackingCfg cfg, DataFlow::Node sink |
-    cfg.hasFlow(getNodeForSource(source), sink) and
+  exists(DataFlow::Node sink |
+    DefaultTaintTrackingFlow::flow(getNodeForSource(source), sink) and
     tainted = adjustedSink(sink)
   )
 }
@@ -359,12 +357,11 @@ predicate taintedIncludingGlobalVars(Expr source, Element tainted, string global
   globalVar = ""
   or
   exists(
-    ToGlobalVarTaintTrackingCfg toCfg, FromGlobalVarTaintTrackingCfg fromCfg,
     DataFlow::VariableNode variableNode, GlobalOrNamespaceVariable global, DataFlow::Node sink
   |
     global = variableNode.getVariable() and
-    toCfg.hasFlow(getNodeForSource(source), variableNode) and
-    fromCfg.hasFlow(variableNode, sink) and
+    ToGlobalVarTaintTrackingFlow::flow(getNodeForSource(source), variableNode) and
+    FromGlobalVarTaintTrackingFlow::flow(variableNode, sink) and
     tainted = adjustedSink(sink) and
     global = globalVarFromId(globalVar)
   )
@@ -422,20 +419,18 @@ module TaintedWithPath {
     string toString() { result = "TaintTrackingConfiguration" }
   }
 
-  private class AdjustedConfiguration extends TaintTracking3::Configuration {
-    AdjustedConfiguration() { this = "AdjustedConfiguration" }
-
-    override predicate isSource(DataFlow::Node source) {
+  private module AdjustedConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) {
       exists(TaintTrackingConfiguration cfg, Expr e |
         cfg.isSource(e) and source = getNodeForExpr(e)
       )
     }
 
-    override predicate isSink(DataFlow::Node sink) {
+    predicate isSink(DataFlow::Node sink) {
       exists(TaintTrackingConfiguration cfg | cfg.isSink(adjustedSink(sink)))
     }
 
-    override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
+    predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
       conflatePointerAndPointee(n1, n2)
       or
       // Steps into and out of global variables
@@ -448,13 +443,15 @@ module TaintedWithPath {
       additionalTaintStep(n1, n2)
     }
 
-    override predicate isSanitizer(DataFlow::Node node) {
+    predicate isBarrier(DataFlow::Node node) {
       exists(TaintTrackingConfiguration cfg, Expr e | cfg.isBarrier(e) and node = getNodeForExpr(e))
     }
 
-    override predicate isSanitizerIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
+    predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
   }
 
+  private module AdjustedFlow = TaintTracking::Global<AdjustedConfig>;
+
   /*
    * A sink `Element` may map to multiple `DataFlowX::PathNode`s via (the
    * inverse of) `adjustedSink`. For example, an `Expr` maps to all its
@@ -470,12 +467,12 @@ module TaintedWithPath {
    */
 
   private newtype TPathNode =
-    TWrapPathNode(DataFlow3::PathNode n) or
+    TWrapPathNode(AdjustedFlow::PathNode n) or
     // There's a single newtype constructor for both sources and sinks since
     // that makes it easiest to deal with the case where source = sink.
     TEndpointPathNode(Element e) {
-      exists(AdjustedConfiguration cfg, DataFlow3::Node sourceNode, DataFlow3::Node sinkNode |
-        cfg.hasFlow(sourceNode, sinkNode)
+      exists(DataFlow::Node sourceNode, DataFlow::Node sinkNode |
+        AdjustedFlow::flow(sourceNode, sinkNode)
       |
         sourceNode = getNodeForExpr(e) and
         exists(TaintTrackingConfiguration ttCfg | ttCfg.isSource(e))
@@ -524,7 +521,7 @@ module TaintedWithPath {
   }
 
   private class WrapPathNode extends PathNode, TWrapPathNode {
-    DataFlow3::PathNode inner() { this = TWrapPathNode(result) }
+    AdjustedFlow::PathNode inner() { this = TWrapPathNode(result) }
 
     override string toString() { result = this.inner().toString() }
 
@@ -561,25 +558,25 @@ module TaintedWithPath {
 
   /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
   query predicate edges(PathNode a, PathNode b) {
-    DataFlow3::PathGraph::edges(a.(WrapPathNode).inner(), b.(WrapPathNode).inner())
+    AdjustedFlow::PathGraph::edges(a.(WrapPathNode).inner(), b.(WrapPathNode).inner())
     or
     // To avoid showing trivial-looking steps, we _replace_ the last node instead
     // of adding an edge out of it.
     exists(WrapPathNode sinkNode |
-      DataFlow3::PathGraph::edges(a.(WrapPathNode).inner(), sinkNode.inner()) and
+      AdjustedFlow::PathGraph::edges(a.(WrapPathNode).inner(), sinkNode.inner()) and
       b.(FinalPathNode).inner() = adjustedSink(sinkNode.inner().getNode())
     )
     or
     // Same for the first node
     exists(WrapPathNode sourceNode |
-      DataFlow3::PathGraph::edges(sourceNode.inner(), b.(WrapPathNode).inner()) and
+      AdjustedFlow::PathGraph::edges(sourceNode.inner(), b.(WrapPathNode).inner()) and
       sourceNode.inner().getNode() = getNodeForExpr(a.(InitialPathNode).inner())
     )
     or
     // Finally, handle the case where the path goes directly from a source to a
     // sink, meaning that they both need to be translated.
     exists(WrapPathNode sinkNode, WrapPathNode sourceNode |
-      DataFlow3::PathGraph::edges(sourceNode.inner(), sinkNode.inner()) and
+      AdjustedFlow::PathGraph::edges(sourceNode.inner(), sinkNode.inner()) and
       sourceNode.inner().getNode() = getNodeForExpr(a.(InitialPathNode).inner()) and
       b.(FinalPathNode).inner() = adjustedSink(sinkNode.inner().getNode())
     )
@@ -590,20 +587,20 @@ module TaintedWithPath {
    * from `par` to `ret` within it, in the graph of data flow path explanations.
    */
   query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-    DataFlow3::PathGraph::subpaths(arg.(WrapPathNode).inner(), par.(WrapPathNode).inner(),
+    AdjustedFlow::PathGraph::subpaths(arg.(WrapPathNode).inner(), par.(WrapPathNode).inner(),
       ret.(WrapPathNode).inner(), out.(WrapPathNode).inner())
     or
     // To avoid showing trivial-looking steps, we _replace_ the last node instead
     // of adding an edge out of it.
     exists(WrapPathNode sinkNode |
-      DataFlow3::PathGraph::subpaths(arg.(WrapPathNode).inner(), par.(WrapPathNode).inner(),
+      AdjustedFlow::PathGraph::subpaths(arg.(WrapPathNode).inner(), par.(WrapPathNode).inner(),
         ret.(WrapPathNode).inner(), sinkNode.inner()) and
       out.(FinalPathNode).inner() = adjustedSink(sinkNode.inner().getNode())
     )
     or
     // Same for the first node
     exists(WrapPathNode sourceNode |
-      DataFlow3::PathGraph::subpaths(sourceNode.inner(), par.(WrapPathNode).inner(),
+      AdjustedFlow::PathGraph::subpaths(sourceNode.inner(), par.(WrapPathNode).inner(),
         ret.(WrapPathNode).inner(), out.(WrapPathNode).inner()) and
       sourceNode.inner().getNode() = getNodeForExpr(arg.(InitialPathNode).inner())
     )
@@ -611,7 +608,7 @@ module TaintedWithPath {
     // Finally, handle the case where the path goes directly from a source to a
     // sink, meaning that they both need to be translated.
     exists(WrapPathNode sinkNode, WrapPathNode sourceNode |
-      DataFlow3::PathGraph::subpaths(sourceNode.inner(), par.(WrapPathNode).inner(),
+      AdjustedFlow::PathGraph::subpaths(sourceNode.inner(), par.(WrapPathNode).inner(),
         ret.(WrapPathNode).inner(), sinkNode.inner()) and
       sourceNode.inner().getNode() = getNodeForExpr(arg.(InitialPathNode).inner()) and
       out.(FinalPathNode).inner() = adjustedSink(sinkNode.inner().getNode())
@@ -634,10 +631,10 @@ module TaintedWithPath {
    * the computation.
    */
   predicate taintedWithPath(Expr source, Element tainted, PathNode sourceNode, PathNode sinkNode) {
-    exists(AdjustedConfiguration cfg, DataFlow3::Node flowSource, DataFlow3::Node flowSink |
+    exists(DataFlow::Node flowSource, DataFlow::Node flowSink |
       source = sourceNode.(InitialPathNode).inner() and
       flowSource = getNodeForExpr(source) and
-      cfg.hasFlow(flowSource, flowSink) and
+      AdjustedFlow::flow(flowSource, flowSink) and
       tainted = adjustedSink(flowSink) and
       tainted = sinkNode.(FinalPathNode).inner()
     )
@@ -660,8 +657,8 @@ module TaintedWithPath {
    * through a global variable.
    */
   predicate taintedWithoutGlobals(Element tainted) {
-    exists(AdjustedConfiguration cfg, PathNode sourceNode, FinalPathNode sinkNode |
-      cfg.isSource(sourceNode.(WrapPathNode).inner().getNode()) and
+    exists(PathNode sourceNode, FinalPathNode sinkNode |
+      AdjustedConfig::isSource(sourceNode.(WrapPathNode).inner().getNode()) and
       edgesWithoutGlobals+(sourceNode, sinkNode) and
       tainted = sinkNode.inner()
     )

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTracking.qll

@@ -33,9 +33,9 @@ private module AddTaintDefaults<DataFlowInternal::FullStateConfigSig Config> imp
 }
 
 /**
- * Constructs a standard taint tracking computation.
+ * Constructs a global taint tracking computation.
  */
-module Make<DataFlow::ConfigSig Config> implements DataFlow::DataFlowSig {
+module Global<DataFlow::ConfigSig Config> implements DataFlow::GlobalFlowSig {
   private module Config0 implements DataFlowInternal::FullStateConfigSig {
     import DataFlowInternal::DefaultState<Config>
     import Config
@@ -48,10 +48,15 @@ module Make<DataFlow::ConfigSig Config> implements DataFlow::DataFlowSig {
   import DataFlowInternal::Impl<C>
 }
 
+/** DEPRECATED: Use `Global` instead. */
+deprecated module Make<DataFlow::ConfigSig Config> implements DataFlow::GlobalFlowSig {
+  import Global<Config>
+}
+
 /**
- * Constructs a taint tracking computation using flow state.
+ * Constructs a global taint tracking computation using flow state.
  */
-module MakeWithState<DataFlow::StateConfigSig Config> implements DataFlow::DataFlowSig {
+module GlobalWithState<DataFlow::StateConfigSig Config> implements DataFlow::GlobalFlowSig {
   private module Config0 implements DataFlowInternal::FullStateConfigSig {
     import Config
   }
@@ -62,3 +67,8 @@ module MakeWithState<DataFlow::StateConfigSig Config> implements DataFlow::DataF
 
   import DataFlowInternal::Impl<C>
 }
+
+/** DEPRECATED: Use `GlobalWithState` instead. */
+deprecated module MakeWithState<DataFlow::StateConfigSig Config> implements DataFlow::GlobalFlowSig {
+  import GlobalWithState<Config>
+}

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRConsistency.qll

@@ -1,6 +1,7 @@
 private import IR
 import InstructionConsistency // module is below
 import IRTypeConsistency // module is in IRType.qll
+import internal.IRConsistencyImports
 
 module InstructionConsistency {
   private import internal.InstructionImports as Imports
@@ -28,7 +29,7 @@ module InstructionConsistency {
     PresentIRFunction() { this = TPresentIRFunction(irFunc) }
 
     override string toString() {
-      result = concat(Language::getIdentityString(irFunc.getFunction()), "; ")
+      result = concat(LanguageDebug::getIdentityString(irFunc.getFunction()), "; ")
     }
 
     override Language::Location getLocation() {

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll

@@ -149,7 +149,9 @@ private class PrintableIRFunction extends PrintableIRNode, TPrintableIRFunction
 
   override Language::Location getLocation() { result = irFunc.getLocation() }
 
-  override string getLabel() { result = Language::getIdentityString(irFunc.getFunction()) }
+  override string getLabel() {
+    result = Imports::LanguageDebug::getIdentityString(irFunc.getFunction())
+  }
 
   override int getOrder() {
     this =

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingInternal.qll

@@ -159,26 +159,56 @@ private predicate fieldAddressValueNumber(
   tvalueNumber(instr.getObjectAddress()) = objectAddress
 }
 
+pragma[nomagic]
+private predicate binaryValueNumber0(
+  BinaryInstruction instr, IRFunction irFunc, Opcode opcode, boolean isLeft,
+  TValueNumber valueNumber
+) {
+  not instr instanceof PointerArithmeticInstruction and
+  instr.getEnclosingIRFunction() = irFunc and
+  instr.getOpcode() = opcode and
+  (
+    isLeft = true and
+    tvalueNumber(instr.getLeft()) = valueNumber
+    or
+    isLeft = false and
+    tvalueNumber(instr.getRight()) = valueNumber
+  )
+}
+
+pragma[assume_small_delta]
 private predicate binaryValueNumber(
   BinaryInstruction instr, IRFunction irFunc, Opcode opcode, TValueNumber leftOperand,
   TValueNumber rightOperand
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
-  not instr instanceof PointerArithmeticInstruction and
-  instr.getOpcode() = opcode and
-  tvalueNumber(instr.getLeft()) = leftOperand and
-  tvalueNumber(instr.getRight()) = rightOperand
+  binaryValueNumber0(instr, irFunc, opcode, true, leftOperand) and
+  binaryValueNumber0(instr, irFunc, opcode, false, rightOperand)
 }
 
-private predicate pointerArithmeticValueNumber(
+pragma[nomagic]
+private predicate pointerArithmeticValueNumber0(
   PointerArithmeticInstruction instr, IRFunction irFunc, Opcode opcode, int elementSize,
-  TValueNumber leftOperand, TValueNumber rightOperand
+  boolean isLeft, TValueNumber valueNumber
 ) {
   instr.getEnclosingIRFunction() = irFunc and
   instr.getOpcode() = opcode and
   instr.getElementSize() = elementSize and
-  tvalueNumber(instr.getLeft()) = leftOperand and
-  tvalueNumber(instr.getRight()) = rightOperand
+  (
+    isLeft = true and
+    tvalueNumber(instr.getLeft()) = valueNumber
+    or
+    isLeft = false and
+    tvalueNumber(instr.getRight()) = valueNumber
+  )
+}
+
+pragma[assume_small_delta]
+private predicate pointerArithmeticValueNumber(
+  PointerArithmeticInstruction instr, IRFunction irFunc, Opcode opcode, int elementSize,
+  TValueNumber leftOperand, TValueNumber rightOperand
+) {
+  pointerArithmeticValueNumber0(instr, irFunc, opcode, elementSize, true, leftOperand) and
+  pointerArithmeticValueNumber0(instr, irFunc, opcode, elementSize, false, rightOperand)
 }
 
 private predicate unaryValueNumber(
@@ -203,14 +233,29 @@ private predicate inheritanceConversionValueNumber(
   unique( | | instr.getDerivedClass()) = derivedClass
 }
 
+pragma[nomagic]
+private predicate loadTotalOverlapValueNumber0(
+  LoadTotalOverlapInstruction instr, IRFunction irFunc, IRType type, TValueNumber valueNumber,
+  boolean isAddress
+) {
+  instr.getEnclosingIRFunction() = irFunc and
+  instr.getResultIRType() = type and
+  (
+    isAddress = true and
+    tvalueNumberOfOperand(instr.getSourceAddressOperand()) = valueNumber
+    or
+    isAddress = false and
+    tvalueNumber(instr.getSourceValueOperand().getAnyDef()) = valueNumber
+  )
+}
+
+pragma[assume_small_delta]
 private predicate loadTotalOverlapValueNumber(
   LoadTotalOverlapInstruction instr, IRFunction irFunc, IRType type, TValueNumber memOperand,
   TValueNumber operand
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
-  tvalueNumber(instr.getAnOperand().(MemoryOperand).getAnyDef()) = memOperand and
-  tvalueNumberOfOperand(instr.getAnOperand().(AddressOperand)) = operand and
-  instr.getResultIRType() = type
+  loadTotalOverlapValueNumber0(instr, irFunc, type, operand, true) and
+  loadTotalOverlapValueNumber0(instr, irFunc, type, memOperand, false)
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll

@@ -1,7 +1,7 @@
 import AliasAnalysis
+import semmle.code.cpp.Location
 import semmle.code.cpp.ir.internal.Overlap
 private import semmle.code.cpp.ir.internal.IRCppLanguage as Language
-private import semmle.code.cpp.Print
 private import semmle.code.cpp.ir.implementation.unaliased_ssa.IR
 private import semmle.code.cpp.ir.implementation.unaliased_ssa.internal.SSAConstruction as OldSsa
 private import semmle.code.cpp.ir.internal.IntegerConstant as Ints

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRConsistencyImports.qll

@@ -0,0 +1 @@
+import semmle.code.cpp.ir.internal.IRCppLanguageDebug as LanguageDebug

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintIRImports.qll

@@ -1 +1,2 @@
 import semmle.code.cpp.ir.IRConfiguration as IRConfiguration
+import semmle.code.cpp.ir.internal.IRCppLanguageDebug as LanguageDebug

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.qll

@@ -1,2 +1,55 @@
-private import SSAConstruction as Ssa
-import Ssa::SsaConsistency
+import SsaConsistency
+import SSAConsistencyImports
+
+module SsaConsistency {
+  /**
+   * Holds if a `MemoryOperand` has more than one `MemoryLocation` assigned by alias analysis.
+   */
+  query predicate multipleOperandMemoryLocations(
+    OldIR::MemoryOperand operand, string message, OldIR::IRFunction func, string funcText
+  ) {
+    exists(int locationCount |
+      locationCount = strictcount(Alias::getOperandMemoryLocation(operand)) and
+      locationCount > 1 and
+      func = operand.getEnclosingIRFunction() and
+      funcText = LanguageDebug::getIdentityString(func.getFunction()) and
+      message =
+        operand.getUse().toString() + " " + "Operand has " + locationCount.toString() +
+          " memory accesses in function '$@': " +
+          strictconcat(Alias::getOperandMemoryLocation(operand).toString(), ", ")
+    )
+  }
+
+  /**
+   * Holds if a `MemoryLocation` does not have an associated `VirtualVariable`.
+   */
+  query predicate missingVirtualVariableForMemoryLocation(
+    Alias::MemoryLocation location, string message, OldIR::IRFunction func, string funcText
+  ) {
+    not exists(location.getVirtualVariable()) and
+    func = location.getIRFunction() and
+    funcText = LanguageDebug::getIdentityString(func.getFunction()) and
+    message = "Memory location has no virtual variable in function '$@'."
+  }
+
+  /**
+   * Holds if a `MemoryLocation` is a member of more than one `VirtualVariable`.
+   */
+  query predicate multipleVirtualVariablesForMemoryLocation(
+    Alias::MemoryLocation location, string message, OldIR::IRFunction func, string funcText
+  ) {
+    exists(int vvarCount |
+      vvarCount = strictcount(location.getVirtualVariable()) and
+      vvarCount > 1 and
+      func = location.getIRFunction() and
+      funcText = LanguageDebug::getIdentityString(func.getFunction()) and
+      message =
+        "Memory location has " + vvarCount.toString() + " virtual variables in function '$@': (" +
+          concat(Alias::VirtualVariable vvar |
+            vvar = location.getVirtualVariable()
+          |
+            vvar.toString(), ", "
+          ) + ")."
+    )
+  }
+}

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistencyImports.qll

@@ -0,0 +1,3 @@
+import semmle.code.cpp.ir.implementation.raw.IR as OldIR
+import AliasedSSA as Alias
+import semmle.code.cpp.ir.internal.IRCppLanguageDebug as LanguageDebug

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll

@@ -996,7 +996,7 @@ deprecated predicate canReuseSSAForMemoryResult = canReuseSsaForMemoryResult/1;
 
 /**
  * Expose some of the internal predicates to PrintSSA.qll. We do this by publicly importing those modules in the
- * `DebugSSA` module, which is then imported by PrintSSA.
+ * `DebugSsa` module, which is then imported by PrintSSA.
  */
 module DebugSsa {
   import PhiInsertion
@@ -1063,62 +1063,6 @@ private module CachedForDebugging {
   int maxValue() { result = 2147483647 }
 }
 
-module SsaConsistency {
-  /**
-   * Holds if a `MemoryOperand` has more than one `MemoryLocation` assigned by alias analysis.
-   */
-  query predicate multipleOperandMemoryLocations(
-    OldIR::MemoryOperand operand, string message, OldIR::IRFunction func, string funcText
-  ) {
-    exists(int locationCount |
-      locationCount = strictcount(Alias::getOperandMemoryLocation(operand)) and
-      locationCount > 1 and
-      func = operand.getEnclosingIRFunction() and
-      funcText = Language::getIdentityString(func.getFunction()) and
-      message =
-        operand.getUse().toString() + " " + "Operand has " + locationCount.toString() +
-          " memory accesses in function '$@': " +
-          strictconcat(Alias::getOperandMemoryLocation(operand).toString(), ", ")
-    )
-  }
-
-  /**
-   * Holds if a `MemoryLocation` does not have an associated `VirtualVariable`.
-   */
-  query predicate missingVirtualVariableForMemoryLocation(
-    Alias::MemoryLocation location, string message, OldIR::IRFunction func, string funcText
-  ) {
-    not exists(location.getVirtualVariable()) and
-    func = location.getIRFunction() and
-    funcText = Language::getIdentityString(func.getFunction()) and
-    message = "Memory location has no virtual variable in function '$@'."
-  }
-
-  /**
-   * Holds if a `MemoryLocation` is a member of more than one `VirtualVariable`.
-   */
-  query predicate multipleVirtualVariablesForMemoryLocation(
-    Alias::MemoryLocation location, string message, OldIR::IRFunction func, string funcText
-  ) {
-    exists(int vvarCount |
-      vvarCount = strictcount(location.getVirtualVariable()) and
-      vvarCount > 1 and
-      func = location.getIRFunction() and
-      funcText = Language::getIdentityString(func.getFunction()) and
-      message =
-        "Memory location has " + vvarCount.toString() + " virtual variables in function '$@': (" +
-          concat(Alias::VirtualVariable vvar |
-            vvar = location.getVirtualVariable()
-          |
-            vvar.toString(), ", "
-          ) + ")."
-    )
-  }
-}
-
-/** DEPRECATED: Alias for SsaConsistency */
-deprecated module SSAConsistency = SsaConsistency;
-
 /**
  * Provides the portion of the parameterized IR interface that is used to construct the SSA stages
  * of the IR. The raw stage of the IR does not expose these predicates.

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRConsistency.qll

@@ -1,6 +1,7 @@
 private import IR
 import InstructionConsistency // module is below
 import IRTypeConsistency // module is in IRType.qll
+import internal.IRConsistencyImports
 
 module InstructionConsistency {
   private import internal.InstructionImports as Imports
@@ -28,7 +29,7 @@ module InstructionConsistency {
     PresentIRFunction() { this = TPresentIRFunction(irFunc) }
 
     override string toString() {
-      result = concat(Language::getIdentityString(irFunc.getFunction()), "; ")
+      result = concat(LanguageDebug::getIdentityString(irFunc.getFunction()), "; ")
     }
 
     override Language::Location getLocation() {

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/PrintIR.qll

@@ -149,7 +149,9 @@ private class PrintableIRFunction extends PrintableIRNode, TPrintableIRFunction
 
   override Language::Location getLocation() { result = irFunc.getLocation() }
 
-  override string getLabel() { result = Language::getIdentityString(irFunc.getFunction()) }
+  override string getLabel() {
+    result = Imports::LanguageDebug::getIdentityString(irFunc.getFunction())
+  }
 
   override int getOrder() {
     this =

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll

@@ -159,26 +159,56 @@ private predicate fieldAddressValueNumber(
   tvalueNumber(instr.getObjectAddress()) = objectAddress
 }
 
+pragma[nomagic]
+private predicate binaryValueNumber0(
+  BinaryInstruction instr, IRFunction irFunc, Opcode opcode, boolean isLeft,
+  TValueNumber valueNumber
+) {
+  not instr instanceof PointerArithmeticInstruction and
+  instr.getEnclosingIRFunction() = irFunc and
+  instr.getOpcode() = opcode and
+  (
+    isLeft = true and
+    tvalueNumber(instr.getLeft()) = valueNumber
+    or
+    isLeft = false and
+    tvalueNumber(instr.getRight()) = valueNumber
+  )
+}
+
+pragma[assume_small_delta]
 private predicate binaryValueNumber(
   BinaryInstruction instr, IRFunction irFunc, Opcode opcode, TValueNumber leftOperand,
   TValueNumber rightOperand
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
-  not instr instanceof PointerArithmeticInstruction and
-  instr.getOpcode() = opcode and
-  tvalueNumber(instr.getLeft()) = leftOperand and
-  tvalueNumber(instr.getRight()) = rightOperand
+  binaryValueNumber0(instr, irFunc, opcode, true, leftOperand) and
+  binaryValueNumber0(instr, irFunc, opcode, false, rightOperand)
 }
 
-private predicate pointerArithmeticValueNumber(
+pragma[nomagic]
+private predicate pointerArithmeticValueNumber0(
   PointerArithmeticInstruction instr, IRFunction irFunc, Opcode opcode, int elementSize,
-  TValueNumber leftOperand, TValueNumber rightOperand
+  boolean isLeft, TValueNumber valueNumber
 ) {
   instr.getEnclosingIRFunction() = irFunc and
   instr.getOpcode() = opcode and
   instr.getElementSize() = elementSize and
-  tvalueNumber(instr.getLeft()) = leftOperand and
-  tvalueNumber(instr.getRight()) = rightOperand
+  (
+    isLeft = true and
+    tvalueNumber(instr.getLeft()) = valueNumber
+    or
+    isLeft = false and
+    tvalueNumber(instr.getRight()) = valueNumber
+  )
+}
+
+pragma[assume_small_delta]
+private predicate pointerArithmeticValueNumber(
+  PointerArithmeticInstruction instr, IRFunction irFunc, Opcode opcode, int elementSize,
+  TValueNumber leftOperand, TValueNumber rightOperand
+) {
+  pointerArithmeticValueNumber0(instr, irFunc, opcode, elementSize, true, leftOperand) and
+  pointerArithmeticValueNumber0(instr, irFunc, opcode, elementSize, false, rightOperand)
 }
 
 private predicate unaryValueNumber(
@@ -203,14 +233,29 @@ private predicate inheritanceConversionValueNumber(
   unique( | | instr.getDerivedClass()) = derivedClass
 }
 
+pragma[nomagic]
+private predicate loadTotalOverlapValueNumber0(
+  LoadTotalOverlapInstruction instr, IRFunction irFunc, IRType type, TValueNumber valueNumber,
+  boolean isAddress
+) {
+  instr.getEnclosingIRFunction() = irFunc and
+  instr.getResultIRType() = type and
+  (
+    isAddress = true and
+    tvalueNumberOfOperand(instr.getSourceAddressOperand()) = valueNumber
+    or
+    isAddress = false and
+    tvalueNumber(instr.getSourceValueOperand().getAnyDef()) = valueNumber
+  )
+}
+
+pragma[assume_small_delta]
 private predicate loadTotalOverlapValueNumber(
   LoadTotalOverlapInstruction instr, IRFunction irFunc, IRType type, TValueNumber memOperand,
   TValueNumber operand
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
-  tvalueNumber(instr.getAnOperand().(MemoryOperand).getAnyDef()) = memOperand and
-  tvalueNumberOfOperand(instr.getAnOperand().(AddressOperand)) = operand and
-  instr.getResultIRType() = type
+  loadTotalOverlapValueNumber0(instr, irFunc, type, operand, true) and
+  loadTotalOverlapValueNumber0(instr, irFunc, type, memOperand, false)
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConsistencyImports.qll

@@ -0,0 +1 @@
+import semmle.code.cpp.ir.internal.IRCppLanguageDebug as LanguageDebug

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/PrintIRImports.qll

@@ -1 +1,2 @@
 import semmle.code.cpp.ir.IRConfiguration as IRConfiguration
+import semmle.code.cpp.ir.internal.IRCppLanguageDebug as LanguageDebug

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -606,9 +606,9 @@ newtype TTranslatedElement =
     not ignoreExpr(expr) and
     (
       exists(Initializer init | init.getExpr().getFullyConverted() = expr) or
-      exists(ClassAggregateLiteral initList | initList.getFieldExpr(_).getFullyConverted() = expr) or
+      exists(ClassAggregateLiteral initList | initList.getAFieldExpr(_).getFullyConverted() = expr) or
       exists(ArrayOrVectorAggregateLiteral initList |
-        initList.getElementExpr(_).getFullyConverted() = expr
+        initList.getAnElementExpr(_).getFullyConverted() = expr
       ) or
       exists(ReturnStmt returnStmt | returnStmt.getExpr().getFullyConverted() = expr) or
       exists(ConstructorFieldInit fieldInit | fieldInit.getExpr().getFullyConverted() = expr) or
@@ -619,18 +619,19 @@ newtype TTranslatedElement =
     )
   } or
   // The initialization of a field via a member of an initializer list.
-  TTranslatedExplicitFieldInitialization(Expr ast, Field field, Expr expr) {
+  TTranslatedExplicitFieldInitialization(Expr ast, Field field, Expr expr, int position) {
     exists(ClassAggregateLiteral initList |
       not ignoreExpr(initList) and
       ast = initList and
-      expr = initList.getFieldExpr(field).getFullyConverted()
+      expr = initList.getFieldExpr(field, position).getFullyConverted()
     )
     or
     exists(ConstructorFieldInit init |
       not ignoreExpr(init) and
       ast = init and
       field = init.getTarget() and
-      expr = init.getExpr().getFullyConverted()
+      expr = init.getExpr().getFullyConverted() and
+      position = -1
     )
   } or
   // The value initialization of a field due to an omitted member of an
@@ -643,9 +644,11 @@ newtype TTranslatedElement =
     )
   } or
   // The initialization of an array element via a member of an initializer list.
-  TTranslatedExplicitElementInitialization(ArrayOrVectorAggregateLiteral initList, int elementIndex) {
+  TTranslatedExplicitElementInitialization(
+    ArrayOrVectorAggregateLiteral initList, int elementIndex, int position
+  ) {
     not ignoreExpr(initList) and
-    exists(initList.getElementExpr(elementIndex))
+    exists(initList.getElementExpr(elementIndex, position))
   } or
   // The value initialization of a range of array elements that were omitted
   // from an initializer list.
@@ -782,7 +785,7 @@ private int getNextExplicitlyInitializedElementAfter(
   ArrayOrVectorAggregateLiteral initList, int afterElementIndex
 ) {
   isFirstValueInitializedElementInRange(initList, afterElementIndex) and
-  result = min(int i | exists(initList.getElementExpr(i)) and i > afterElementIndex)
+  result = min(int i | exists(initList.getAnElementExpr(i)) and i > afterElementIndex)
 }
 
 /**
@@ -795,7 +798,7 @@ private predicate isFirstValueInitializedElementInRange(
   initList.isValueInitialized(elementIndex) and
   (
     elementIndex = 0 or
-    exists(initList.getElementExpr(elementIndex - 1))
+    exists(initList.getAnElementExpr(elementIndex - 1))
   )
 }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedInitialization.qll

@@ -201,11 +201,13 @@ class TranslatedClassListInitialization extends TranslatedListInitialization {
   override ClassAggregateLiteral expr;
 
   override TranslatedElement getChild(int id) {
-    exists(TranslatedFieldInitialization fieldInit |
-      result = fieldInit and
-      fieldInit = getTranslatedFieldInitialization(expr, _) and
-      fieldInit.getOrder() = id
-    )
+    result =
+      rank[id + 1](TranslatedFieldInitialization fieldInit, int ord |
+        fieldInit = getTranslatedFieldInitialization(expr, _) and
+        fieldInit.getOrder() = ord
+      |
+        fieldInit order by ord, fieldInit.getPosition()
+      )
   }
 }
 
@@ -222,7 +224,7 @@ class TranslatedArrayListInitialization extends TranslatedListInitialization {
       rank[id + 1](TranslatedElementInitialization init |
         init.getInitList() = expr
       |
-        init order by init.getElementIndex()
+        init order by init.getElementIndex(), init.getPosition()
       )
   }
 }
@@ -522,6 +524,9 @@ abstract class TranslatedFieldInitialization extends TranslatedElement {
   final InstructionTag getFieldAddressTag() { result = InitializerFieldAddressTag() }
 
   final Field getField() { result = field }
+
+  /** Gets the position in the initializer list, or `-1` if the initialization is implicit. */
+  int getPosition() { result = -1 }
 }
 
 /**
@@ -532,9 +537,10 @@ class TranslatedExplicitFieldInitialization extends TranslatedFieldInitializatio
   InitializationContext, TTranslatedExplicitFieldInitialization
 {
   Expr expr;
+  int position;
 
   TranslatedExplicitFieldInitialization() {
-    this = TTranslatedExplicitFieldInitialization(ast, field, expr)
+    this = TTranslatedExplicitFieldInitialization(ast, field, expr, position)
   }
 
   override Instruction getTargetAddress() { result = getInstruction(getFieldAddressTag()) }
@@ -556,6 +562,8 @@ class TranslatedExplicitFieldInitialization extends TranslatedFieldInitializatio
   private TranslatedInitialization getInitialization() {
     result = getTranslatedInitialization(expr)
   }
+
+  override int getPosition() { result = position }
 }
 
 private string getZeroValue(Type type) {
@@ -689,6 +697,8 @@ abstract class TranslatedElementInitialization extends TranslatedElement {
 
   abstract int getElementIndex();
 
+  int getPosition() { result = -1 }
+
   final InstructionTag getElementAddressTag() { result = InitializerElementAddressTag() }
 
   final InstructionTag getElementIndexTag() { result = InitializerElementIndexTag() }
@@ -706,9 +716,10 @@ class TranslatedExplicitElementInitialization extends TranslatedElementInitializ
   TTranslatedExplicitElementInitialization, InitializationContext
 {
   int elementIndex;
+  int position;
 
   TranslatedExplicitElementInitialization() {
-    this = TTranslatedExplicitElementInitialization(initList, elementIndex)
+    this = TTranslatedExplicitElementInitialization(initList, elementIndex, position)
   }
 
   override Instruction getTargetAddress() { result = getInstruction(getElementAddressTag()) }
@@ -731,8 +742,13 @@ class TranslatedExplicitElementInitialization extends TranslatedElementInitializ
 
   override int getElementIndex() { result = elementIndex }
 
+  override int getPosition() { result = position }
+
   TranslatedInitialization getInitialization() {
-    result = getTranslatedInitialization(initList.getElementExpr(elementIndex).getFullyConverted())
+    result =
+      getTranslatedInitialization(initList
+            .getElementExpr(elementIndex, position)
+            .getFullyConverted())
   }
 }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll

@@ -1105,3 +1105,49 @@ class TranslatedAsmStmt extends TranslatedStmt {
     )
   }
 }
+
+class TranslatedVlaDimensionStmt extends TranslatedStmt {
+  override VlaDimensionStmt stmt;
+
+  override TranslatedExpr getChild(int id) {
+    id = 0 and
+    result = getTranslatedExpr(stmt.getDimensionExpr().getFullyConverted())
+  }
+
+  override Instruction getFirstInstruction() { result = this.getChild(0).getFirstInstruction() }
+
+  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
+    none()
+  }
+
+  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { none() }
+
+  override Instruction getChildSuccessor(TranslatedElement child) {
+    child = this.getChild(0) and
+    result = this.getParent().getChildSuccessor(this)
+  }
+}
+
+class TranslatedVlaDeclarationStmt extends TranslatedStmt {
+  override VlaDeclStmt stmt;
+
+  override TranslatedExpr getChild(int id) { none() }
+
+  override Instruction getFirstInstruction() { result = this.getInstruction(OnlyInstructionTag()) }
+
+  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
+    // TODO: This needs a new kind of instruction that represents initialization of a VLA.
+    // For now we just emit a `NoOp` instruction so that the CFG isn't incomplete.
+    tag = OnlyInstructionTag() and
+    opcode instanceof Opcode::NoOp and
+    resultType = getVoidType()
+  }
+
+  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
+    tag = OnlyInstructionTag() and
+    result = this.getParent().getChildSuccessor(this) and
+    kind instanceof GotoEdge
+  }
+
+  override Instruction getChildSuccessor(TranslatedElement child) { none() }
+}

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.qll

@@ -1,6 +1,7 @@
 private import IR
 import InstructionConsistency // module is below
 import IRTypeConsistency // module is in IRType.qll
+import internal.IRConsistencyImports
 
 module InstructionConsistency {
   private import internal.InstructionImports as Imports
@@ -28,7 +29,7 @@ module InstructionConsistency {
     PresentIRFunction() { this = TPresentIRFunction(irFunc) }
 
     override string toString() {
-      result = concat(Language::getIdentityString(irFunc.getFunction()), "; ")
+      result = concat(LanguageDebug::getIdentityString(irFunc.getFunction()), "; ")
     }
 
     override Language::Location getLocation() {

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.qll

@@ -149,7 +149,9 @@ private class PrintableIRFunction extends PrintableIRNode, TPrintableIRFunction
 
   override Language::Location getLocation() { result = irFunc.getLocation() }
 
-  override string getLabel() { result = Language::getIdentityString(irFunc.getFunction()) }
+  override string getLabel() {
+    result = Imports::LanguageDebug::getIdentityString(irFunc.getFunction())
+  }
 
   override int getOrder() {
     this =

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll

@@ -159,26 +159,56 @@ private predicate fieldAddressValueNumber(
   tvalueNumber(instr.getObjectAddress()) = objectAddress
 }
 
+pragma[nomagic]
+private predicate binaryValueNumber0(
+  BinaryInstruction instr, IRFunction irFunc, Opcode opcode, boolean isLeft,
+  TValueNumber valueNumber
+) {
+  not instr instanceof PointerArithmeticInstruction and
+  instr.getEnclosingIRFunction() = irFunc and
+  instr.getOpcode() = opcode and
+  (
+    isLeft = true and
+    tvalueNumber(instr.getLeft()) = valueNumber
+    or
+    isLeft = false and
+    tvalueNumber(instr.getRight()) = valueNumber
+  )
+}
+
+pragma[assume_small_delta]
 private predicate binaryValueNumber(
   BinaryInstruction instr, IRFunction irFunc, Opcode opcode, TValueNumber leftOperand,
   TValueNumber rightOperand
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
-  not instr instanceof PointerArithmeticInstruction and
-  instr.getOpcode() = opcode and
-  tvalueNumber(instr.getLeft()) = leftOperand and
-  tvalueNumber(instr.getRight()) = rightOperand
+  binaryValueNumber0(instr, irFunc, opcode, true, leftOperand) and
+  binaryValueNumber0(instr, irFunc, opcode, false, rightOperand)
 }
 
-private predicate pointerArithmeticValueNumber(
+pragma[nomagic]
+private predicate pointerArithmeticValueNumber0(
   PointerArithmeticInstruction instr, IRFunction irFunc, Opcode opcode, int elementSize,
-  TValueNumber leftOperand, TValueNumber rightOperand
+  boolean isLeft, TValueNumber valueNumber
 ) {
   instr.getEnclosingIRFunction() = irFunc and
   instr.getOpcode() = opcode and
   instr.getElementSize() = elementSize and
-  tvalueNumber(instr.getLeft()) = leftOperand and
-  tvalueNumber(instr.getRight()) = rightOperand
+  (
+    isLeft = true and
+    tvalueNumber(instr.getLeft()) = valueNumber
+    or
+    isLeft = false and
+    tvalueNumber(instr.getRight()) = valueNumber
+  )
+}
+
+pragma[assume_small_delta]
+private predicate pointerArithmeticValueNumber(
+  PointerArithmeticInstruction instr, IRFunction irFunc, Opcode opcode, int elementSize,
+  TValueNumber leftOperand, TValueNumber rightOperand
+) {
+  pointerArithmeticValueNumber0(instr, irFunc, opcode, elementSize, true, leftOperand) and
+  pointerArithmeticValueNumber0(instr, irFunc, opcode, elementSize, false, rightOperand)
 }
 
 private predicate unaryValueNumber(
@@ -203,14 +233,29 @@ private predicate inheritanceConversionValueNumber(
   unique( | | instr.getDerivedClass()) = derivedClass
 }
 
+pragma[nomagic]
+private predicate loadTotalOverlapValueNumber0(
+  LoadTotalOverlapInstruction instr, IRFunction irFunc, IRType type, TValueNumber valueNumber,
+  boolean isAddress
+) {
+  instr.getEnclosingIRFunction() = irFunc and
+  instr.getResultIRType() = type and
+  (
+    isAddress = true and
+    tvalueNumberOfOperand(instr.getSourceAddressOperand()) = valueNumber
+    or
+    isAddress = false and
+    tvalueNumber(instr.getSourceValueOperand().getAnyDef()) = valueNumber
+  )
+}
+
+pragma[assume_small_delta]
 private predicate loadTotalOverlapValueNumber(
   LoadTotalOverlapInstruction instr, IRFunction irFunc, IRType type, TValueNumber memOperand,
   TValueNumber operand
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
-  tvalueNumber(instr.getAnOperand().(MemoryOperand).getAnyDef()) = memOperand and
-  tvalueNumberOfOperand(instr.getAnOperand().(AddressOperand)) = operand and
-  instr.getResultIRType() = type
+  loadTotalOverlapValueNumber0(instr, irFunc, type, operand, true) and
+  loadTotalOverlapValueNumber0(instr, irFunc, type, memOperand, false)
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRConsistencyImports.qll

@@ -0,0 +1 @@
+import semmle.code.cpp.ir.internal.IRCppLanguageDebug as LanguageDebug

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintIRImports.qll

@@ -1 +1,2 @@
 import semmle.code.cpp.ir.IRConfiguration as IRConfiguration
+import semmle.code.cpp.ir.internal.IRCppLanguageDebug as LanguageDebug

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.qll

@@ -1,2 +1,55 @@
-private import SSAConstruction as Ssa
-import Ssa::SsaConsistency
+import SsaConsistency
+import SSAConsistencyImports
+
+module SsaConsistency {
+  /**
+   * Holds if a `MemoryOperand` has more than one `MemoryLocation` assigned by alias analysis.
+   */
+  query predicate multipleOperandMemoryLocations(
+    OldIR::MemoryOperand operand, string message, OldIR::IRFunction func, string funcText
+  ) {
+    exists(int locationCount |
+      locationCount = strictcount(Alias::getOperandMemoryLocation(operand)) and
+      locationCount > 1 and
+      func = operand.getEnclosingIRFunction() and
+      funcText = LanguageDebug::getIdentityString(func.getFunction()) and
+      message =
+        operand.getUse().toString() + " " + "Operand has " + locationCount.toString() +
+          " memory accesses in function '$@': " +
+          strictconcat(Alias::getOperandMemoryLocation(operand).toString(), ", ")
+    )
+  }
+
+  /**
+   * Holds if a `MemoryLocation` does not have an associated `VirtualVariable`.
+   */
+  query predicate missingVirtualVariableForMemoryLocation(
+    Alias::MemoryLocation location, string message, OldIR::IRFunction func, string funcText
+  ) {
+    not exists(location.getVirtualVariable()) and
+    func = location.getIRFunction() and
+    funcText = LanguageDebug::getIdentityString(func.getFunction()) and
+    message = "Memory location has no virtual variable in function '$@'."
+  }
+
+  /**
+   * Holds if a `MemoryLocation` is a member of more than one `VirtualVariable`.
+   */
+  query predicate multipleVirtualVariablesForMemoryLocation(
+    Alias::MemoryLocation location, string message, OldIR::IRFunction func, string funcText
+  ) {
+    exists(int vvarCount |
+      vvarCount = strictcount(location.getVirtualVariable()) and
+      vvarCount > 1 and
+      func = location.getIRFunction() and
+      funcText = LanguageDebug::getIdentityString(func.getFunction()) and
+      message =
+        "Memory location has " + vvarCount.toString() + " virtual variables in function '$@': (" +
+          concat(Alias::VirtualVariable vvar |
+            vvar = location.getVirtualVariable()
+          |
+            vvar.toString(), ", "
+          ) + ")."
+    )
+  }
+}

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistencyImports.qll

@@ -0,0 +1,3 @@
+import semmle.code.cpp.ir.implementation.raw.IR as OldIR
+import SimpleSSA as Alias
+import semmle.code.cpp.ir.internal.IRCppLanguageDebug as LanguageDebug

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll

@@ -996,7 +996,7 @@ deprecated predicate canReuseSSAForMemoryResult = canReuseSsaForMemoryResult/1;
 
 /**
  * Expose some of the internal predicates to PrintSSA.qll. We do this by publicly importing those modules in the
- * `DebugSSA` module, which is then imported by PrintSSA.
+ * `DebugSsa` module, which is then imported by PrintSSA.
  */
 module DebugSsa {
   import PhiInsertion
@@ -1063,62 +1063,6 @@ private module CachedForDebugging {
   int maxValue() { result = 2147483647 }
 }
 
-module SsaConsistency {
-  /**
-   * Holds if a `MemoryOperand` has more than one `MemoryLocation` assigned by alias analysis.
-   */
-  query predicate multipleOperandMemoryLocations(
-    OldIR::MemoryOperand operand, string message, OldIR::IRFunction func, string funcText
-  ) {
-    exists(int locationCount |
-      locationCount = strictcount(Alias::getOperandMemoryLocation(operand)) and
-      locationCount > 1 and
-      func = operand.getEnclosingIRFunction() and
-      funcText = Language::getIdentityString(func.getFunction()) and
-      message =
-        operand.getUse().toString() + " " + "Operand has " + locationCount.toString() +
-          " memory accesses in function '$@': " +
-          strictconcat(Alias::getOperandMemoryLocation(operand).toString(), ", ")
-    )
-  }
-
-  /**
-   * Holds if a `MemoryLocation` does not have an associated `VirtualVariable`.
-   */
-  query predicate missingVirtualVariableForMemoryLocation(
-    Alias::MemoryLocation location, string message, OldIR::IRFunction func, string funcText
-  ) {
-    not exists(location.getVirtualVariable()) and
-    func = location.getIRFunction() and
-    funcText = Language::getIdentityString(func.getFunction()) and
-    message = "Memory location has no virtual variable in function '$@'."
-  }
-
-  /**
-   * Holds if a `MemoryLocation` is a member of more than one `VirtualVariable`.
-   */
-  query predicate multipleVirtualVariablesForMemoryLocation(
-    Alias::MemoryLocation location, string message, OldIR::IRFunction func, string funcText
-  ) {
-    exists(int vvarCount |
-      vvarCount = strictcount(location.getVirtualVariable()) and
-      vvarCount > 1 and
-      func = location.getIRFunction() and
-      funcText = Language::getIdentityString(func.getFunction()) and
-      message =
-        "Memory location has " + vvarCount.toString() + " virtual variables in function '$@': (" +
-          concat(Alias::VirtualVariable vvar |
-            vvar = location.getVirtualVariable()
-          |
-            vvar.toString(), ", "
-          ) + ")."
-    )
-  }
-}
-
-/** DEPRECATED: Alias for SsaConsistency */
-deprecated module SSAConsistency = SsaConsistency;
-
 /**
  * Provides the portion of the parameterized IR interface that is used to construct the SSA stages
  * of the IR. The raw stage of the IR does not expose these predicates.

cpp/ql/lib/semmle/code/cpp/ir/internal/CppType.qll

@@ -1,5 +1,4 @@
 private import cpp
-private import semmle.code.cpp.Print
 private import semmle.code.cpp.ir.implementation.IRType
 private import semmle.code.cpp.ir.implementation.raw.internal.IRConstruction::Raw as Raw
 
@@ -538,12 +537,14 @@ CppType getCanonicalOpaqueType(Type tag, int byteSize) {
 }
 
 /**
- * Gets a string that uniquely identifies an `IROpaqueType` tag. This may be different from the usual
- * `toString()` of the tag in order to ensure uniqueness.
+ * Gets a string that uniquely identifies an `IROpaqueType` tag. Using `toString` here might
+ * not be sufficient to ensure uniqueness, but suffices for our current debugging purposes.
+ * To ensure uniqueness `getOpaqueTagIdentityString` from `semmle.code.cpp.Print` could be used,
+ * but that comes at the cost of importing all the `Dump` classes defined in that library.
  */
 string getOpaqueTagIdentityString(Type tag) {
   hasOpaqueType(tag, _) and
-  result = getTypeIdentityString(tag)
+  result = tag.toString()
 }
 
 module LanguageTypeConsistency {

cpp/ql/lib/semmle/code/cpp/ir/internal/IRCppLanguage.qll

@@ -1,5 +1,4 @@
 private import cpp as Cpp
-private import semmle.code.cpp.Print as Print
 private import IRUtilities
 private import semmle.code.cpp.ir.implementation.IRType
 private import semmle.code.cpp.ir.implementation.raw.internal.IRConstruction as IRConstruction
@@ -65,8 +64,6 @@ class Expr = Cpp::Expr;
 
 class Class = Cpp::Class; // Used for inheritance conversions
 
-predicate getIdentityString = Print::getIdentityString/1;
-
 predicate hasCaseEdge(string minValue, string maxValue) { hasCaseEdge(_, minValue, maxValue) }
 
 predicate hasPositionalArgIndex(int argIndex) {

cpp/ql/lib/semmle/code/cpp/ir/internal/IRCppLanguageDebug.qll

@@ -0,0 +1,3 @@
+private import semmle.code.cpp.Print as Print
+
+predicate getIdentityString = Print::getIdentityString/1;

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/SimpleRangeAnalysis.qll

@@ -5,9 +5,9 @@
 
 private import cpp
 private import semmle.code.cpp.ir.IR
-private import experimental.semmle.code.cpp.semantic.SemanticBound
-private import experimental.semmle.code.cpp.semantic.SemanticExprSpecific
-private import RangeAnalysis
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticBound
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticExprSpecific
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.RangeAnalysis
 
 /**
  * Gets the lower bound of the expression.

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticBound.qll

@@ -5,6 +5,7 @@
 private import SemanticExpr
 private import SemanticExprSpecific::SemanticExprConfig as Specific
 private import SemanticSSA
+private import SemanticLocation
 
 /**
  * A valid base for an expression bound.
@@ -14,6 +15,8 @@ private import SemanticSSA
 class SemBound instanceof Specific::Bound {
   final string toString() { result = super.toString() }
 
+  final SemLocation getLocation() { result = super.getLocation() }
+
   final SemExpr getExpr(int delta) { result = Specific::getBoundExpr(this, delta) }
 }
 

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExprSpecific.qll

@@ -5,19 +5,99 @@
 private import cpp as Cpp
 private import semmle.code.cpp.ir.IR as IR
 private import Semantic
-private import experimental.semmle.code.cpp.rangeanalysis.Bound as IRBound
+private import analysis.Bound as IRBound
 private import semmle.code.cpp.controlflow.IRGuards as IRGuards
 private import semmle.code.cpp.ir.ValueNumbering
 
 module SemanticExprConfig {
   class Location = Cpp::Location;
 
-  class Expr = IR::Instruction;
+  /** A `ConvertInstruction` or a `CopyValueInstruction`. */
+  private class Conversion extends IR::UnaryInstruction {
+    Conversion() {
+      this instanceof IR::CopyValueInstruction
+      or
+      this instanceof IR::ConvertInstruction
+    }
+
+    /** Holds if this instruction converts a value of type `tFrom` to a value of type `tTo`. */
+    predicate converts(SemType tFrom, SemType tTo) {
+      tFrom = getSemanticType(this.getUnary().getResultIRType()) and
+      tTo = getSemanticType(this.getResultIRType())
+    }
+  }
+
+  /**
+   * Gets a conversion-like instruction that consumes `op`, and
+   * which is guaranteed to not overflow.
+   */
+  private IR::Instruction safeConversion(IR::Operand op) {
+    exists(Conversion conv, SemType tFrom, SemType tTo |
+      conv.converts(tFrom, tTo) and
+      conversionCannotOverflow(tFrom, tTo) and
+      conv.getUnaryOperand() = op and
+      result = conv
+    )
+  }
+
+  /** Holds if `i1 = i2` or if `i2` is a safe conversion that consumes `i1`. */
+  private predicate idOrSafeConversion(IR::Instruction i1, IR::Instruction i2) {
+    not i1.getResultIRType() instanceof IR::IRVoidType and
+    (
+      i1 = i2
+      or
+      i2 = safeConversion(i1.getAUse()) and
+      i1.getBlock() = i2.getBlock()
+    )
+  }
+
+  module Equiv = QlBuiltins::EquivalenceRelation<IR::Instruction, idOrSafeConversion/2>;
+
+  /**
+   * The expressions on which we perform range analysis.
+   */
+  class Expr extends Equiv::EquivalenceClass {
+    /** Gets the n'th instruction in this equivalence class. */
+    private IR::Instruction getInstruction(int n) {
+      result =
+        rank[n + 1](IR::Instruction instr, int i, IR::IRBlock block |
+          this = Equiv::getEquivalenceClass(instr) and block.getInstruction(i) = instr
+        |
+          instr order by i
+        )
+    }
+
+    /** Gets a textual representation of this element. */
+    string toString() { result = this.getUnconverted().toString() }
+
+    /** Gets the basic block of this expression. */
+    IR::IRBlock getBlock() { result = this.getUnconverted().getBlock() }
+
+    /** Gets the unconverted instruction associated with this expression. */
+    IR::Instruction getUnconverted() { result = this.getInstruction(0) }
+
+    /**
+     * Gets the final instruction associated with this expression. This
+     * represents the result after applying all the safe conversions.
+     */
+    IR::Instruction getConverted() {
+      exists(int n |
+        result = this.getInstruction(n) and
+        not exists(this.getInstruction(n + 1))
+      )
+    }
+
+    /** Gets the type of the result produced by this instruction. */
+    IR::IRType getResultIRType() { result = this.getConverted().getResultIRType() }
+
+    /** Gets the location of the source code for this expression. */
+    Location getLocation() { result = this.getUnconverted().getLocation() }
+  }
 
   SemBasicBlock getExprBasicBlock(Expr e) { result = getSemanticBasicBlock(e.getBlock()) }
 
   private predicate anyConstantExpr(Expr expr, SemType type, string value) {
-    exists(IR::ConstantInstruction instr | instr = expr |
+    exists(IR::ConstantInstruction instr | getSemanticExpr(instr) = expr |
       type = getSemanticType(instr.getResultIRType()) and
       value = instr.getValue()
     )
@@ -58,41 +138,46 @@ module SemanticExprConfig {
   predicate nullLiteral(Expr expr, SemAddressType type) { anyConstantExpr(expr, type, _) }
 
   predicate stringLiteral(Expr expr, SemType type, string value) {
-    anyConstantExpr(expr, type, value) and expr instanceof IR::StringConstantInstruction
+    anyConstantExpr(expr, type, value) and
+    expr.getUnconverted() instanceof IR::StringConstantInstruction
   }
 
   predicate binaryExpr(Expr expr, Opcode opcode, SemType type, Expr leftOperand, Expr rightOperand) {
-    exists(IR::BinaryInstruction instr | instr = expr |
+    exists(IR::BinaryInstruction instr |
+      instr = expr.getUnconverted() and
       type = getSemanticType(instr.getResultIRType()) and
-      leftOperand = instr.getLeft() and
-      rightOperand = instr.getRight() and
+      leftOperand = getSemanticExpr(instr.getLeft()) and
+      rightOperand = getSemanticExpr(instr.getRight()) and
       // REVIEW: Merge the two `Opcode` types.
       opcode.toString() = instr.getOpcode().toString()
     )
   }
 
   predicate unaryExpr(Expr expr, Opcode opcode, SemType type, Expr operand) {
-    type = getSemanticType(expr.getResultIRType()) and
-    (
-      exists(IR::UnaryInstruction instr | instr = expr |
-        operand = instr.getUnary() and
-        // REVIEW: Merge the two operand types.
-        opcode.toString() = instr.getOpcode().toString()
-      )
-      or
-      exists(IR::StoreInstruction instr | instr = expr |
-        operand = instr.getSourceValue() and
-        opcode instanceof Opcode::Store
-      )
+    exists(IR::UnaryInstruction instr | instr = expr.getUnconverted() |
+      type = getSemanticType(instr.getResultIRType()) and
+      operand = getSemanticExpr(instr.getUnary()) and
+      // REVIEW: Merge the two operand types.
+      opcode.toString() = instr.getOpcode().toString()
+    )
+    or
+    exists(IR::StoreInstruction instr | instr = expr.getUnconverted() |
+      type = getSemanticType(instr.getResultIRType()) and
+      operand = getSemanticExpr(instr.getSourceValue()) and
+      opcode instanceof Opcode::Store
     )
   }
 
   predicate nullaryExpr(Expr expr, Opcode opcode, SemType type) {
-    type = getSemanticType(expr.getResultIRType()) and
-    (
-      expr instanceof IR::LoadInstruction and opcode instanceof Opcode::Load
-      or
-      expr instanceof IR::InitializeParameterInstruction and
+    exists(IR::LoadInstruction load |
+      load = expr.getUnconverted() and
+      type = getSemanticType(load.getResultIRType()) and
+      opcode instanceof Opcode::Load
+    )
+    or
+    exists(IR::InitializeParameterInstruction init |
+      init = expr.getUnconverted() and
+      type = getSemanticType(init.getResultIRType()) and
       opcode instanceof Opcode::InitializeParameter
     )
   }
@@ -122,8 +207,10 @@ module SemanticExprConfig {
   newtype TSsaVariable =
     TSsaInstruction(IR::Instruction instr) { instr.hasMemoryResult() } or
     TSsaOperand(IR::Operand op) { op.isDefinitionInexact() } or
-    TSsaPointerArithmeticGuard(IR::PointerArithmeticInstruction instr) {
-      exists(Guard g, IR::Operand use | use = instr.getAUse() |
+    TSsaPointerArithmeticGuard(ValueNumber instr) {
+      exists(Guard g, IR::Operand use |
+        use = instr.getAUse() and use.getIRType() instanceof IR::IRAddressType
+      |
         g.comparesLt(use, _, _, _, _) or
         g.comparesLt(_, use, _, _, _) or
         g.comparesEq(use, _, _, _, _) or
@@ -138,7 +225,7 @@ module SemanticExprConfig {
 
     IR::Instruction asInstruction() { none() }
 
-    IR::PointerArithmeticInstruction asPointerArithGuard() { none() }
+    ValueNumber asPointerArithGuard() { none() }
 
     IR::Operand asOperand() { none() }
   }
@@ -156,15 +243,15 @@ module SemanticExprConfig {
   }
 
   class SsaPointerArithmeticGuard extends SsaVariable, TSsaPointerArithmeticGuard {
-    IR::PointerArithmeticInstruction instr;
+    ValueNumber vn;
 
-    SsaPointerArithmeticGuard() { this = TSsaPointerArithmeticGuard(instr) }
+    SsaPointerArithmeticGuard() { this = TSsaPointerArithmeticGuard(vn) }
 
-    final override string toString() { result = instr.toString() }
+    final override string toString() { result = vn.toString() }
 
-    final override Location getLocation() { result = instr.getLocation() }
+    final override Location getLocation() { result = vn.getLocation() }
 
-    final override IR::PointerArithmeticInstruction asPointerArithGuard() { result = instr }
+    final override ValueNumber asPointerArithGuard() { result = vn }
   }
 
   class SsaOperand extends SsaVariable, TSsaOperand {
@@ -179,7 +266,9 @@ module SemanticExprConfig {
     final override IR::Operand asOperand() { result = op }
   }
 
-  predicate explicitUpdate(SsaVariable v, Expr sourceExpr) { v.asInstruction() = sourceExpr }
+  predicate explicitUpdate(SsaVariable v, Expr sourceExpr) {
+    getSemanticExpr(v.asInstruction()) = sourceExpr
+  }
 
   predicate phi(SsaVariable v) { v.asInstruction() instanceof IR::PhiInstruction }
 
@@ -192,9 +281,9 @@ module SemanticExprConfig {
   }
 
   Expr getAUse(SsaVariable v) {
-    result.(IR::LoadInstruction).getSourceValue() = v.asInstruction()
+    result.getUnconverted().(IR::LoadInstruction).getSourceValue() = v.asInstruction()
     or
-    result = valueNumber(v.asPointerArithGuard()).getAnInstruction()
+    result.getUnconverted() = v.asPointerArithGuard().getAnInstruction()
   }
 
   SemType getSsaVariableType(SsaVariable v) {
@@ -236,7 +325,7 @@ module SemanticExprConfig {
     final override predicate hasRead(SsaVariable v) {
       exists(IR::Operand operand |
         operand.getDef() = v.asInstruction() or
-        operand.getDef() = valueNumber(v.asPointerArithGuard()).getAnInstruction()
+        operand.getDef() = v.asPointerArithGuard().getAnInstruction()
       |
         not operand instanceof IR::PhiInputOperand and
         operand.getUse().getBlock() = block
@@ -257,7 +346,7 @@ module SemanticExprConfig {
     final override predicate hasRead(SsaVariable v) {
       exists(IR::PhiInputOperand operand |
         operand.getDef() = v.asInstruction() or
-        operand.getDef() = valueNumber(v.asPointerArithGuard()).getAnInstruction()
+        operand.getDef() = v.asPointerArithGuard().getAnInstruction()
       |
         operand.getPredecessorBlock() = pred and
         operand.getUse().getBlock() = succ
@@ -303,17 +392,21 @@ module SemanticExprConfig {
   }
 
   Expr getBoundExpr(Bound bound, int delta) {
-    result = bound.(IRBound::Bound).getInstruction(delta)
+    result = getSemanticExpr(bound.(IRBound::Bound).getInstruction(delta))
   }
 
   class Guard = IRGuards::IRGuardCondition;
 
   predicate guard(Guard guard, BasicBlock block) { block = guard.getBlock() }
 
-  Expr getGuardAsExpr(Guard guard) { result = guard }
+  Expr getGuardAsExpr(Guard guard) { result = getSemanticExpr(guard) }
 
   predicate equalityGuard(Guard guard, Expr e1, Expr e2, boolean polarity) {
-    guard.comparesEq(e1.getAUse(), e2.getAUse(), 0, true, polarity)
+    exists(IR::Instruction left, IR::Instruction right |
+      getSemanticExpr(left) = e1 and
+      getSemanticExpr(right) = e2 and
+      guard.comparesEq(left.getAUse(), right.getAUse(), 0, true, polarity)
+    )
   }
 
   predicate guardDirectlyControlsBlock(Guard guard, BasicBlock controlled, boolean branch) {
@@ -324,16 +417,17 @@ module SemanticExprConfig {
     guard.controlsEdge(bb1, bb2, branch)
   }
 
-  Guard comparisonGuard(Expr e) { result = e }
+  Guard comparisonGuard(Expr e) { getSemanticExpr(result) = e }
 
   predicate implies_v2(Guard g1, boolean b1, Guard g2, boolean b2) {
     none() // TODO
   }
+
+  /** Gets the expression associated with `instr`. */
+  SemExpr getSemanticExpr(IR::Instruction instr) { result = Equiv::getEquivalenceClass(instr) }
 }
 
-SemExpr getSemanticExpr(IR::Instruction instr) { result = instr }
-
-IR::Instruction getCppInstruction(SemExpr e) { e = result }
+predicate getSemanticExpr = SemanticExprConfig::getSemanticExpr/1;
 
 SemBasicBlock getSemanticBasicBlock(IR::IRBlock block) { result = block }
 

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticLocation.qll

@@ -0,0 +1,23 @@
+private import semmle.code.cpp.Location
+
+class SemLocation instanceof Location {
+  /**
+   * Gets a textual representation of this element.
+   *
+   * The format is "file://filePath:startLine:startColumn:endLine:endColumn".
+   */
+  string toString() { result = super.toString() }
+
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+}

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticType.qll

@@ -250,16 +250,26 @@ SemType getSemanticType(Specific::Type type) {
   Specific::unknownType(type) and result = TSemUnknownType()
 }
 
+private class SemNumericOrBooleanType extends SemSizedType {
+  SemNumericOrBooleanType() {
+    this instanceof SemNumericType
+    or
+    this instanceof SemBooleanType
+  }
+}
+
 /**
  * Holds if the conversion from `fromType` to `toType` can never overflow or underflow.
  */
-predicate conversionCannotOverflow(SemNumericType fromType, SemNumericType toType) {
+predicate conversionCannotOverflow(SemNumericOrBooleanType fromType, SemNumericOrBooleanType toType) {
   // Identity cast
   fromType = toType
   or
   // Treat any cast to an FP type as safe. It can lose precision, but not overflow.
   toType instanceof SemFloatingPointType and fromType = any(SemNumericType n)
   or
+  fromType instanceof SemBooleanType and toType instanceof SemIntegerType
+  or
   exists(SemIntegerType fromInteger, SemIntegerType toInteger, int fromSize, int toSize |
     fromInteger = fromType and
     toInteger = toType and

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/Bound.qll

@@ -0,0 +1,86 @@
+import cpp
+private import semmle.code.cpp.ir.IR
+private import semmle.code.cpp.ir.ValueNumbering
+
+private newtype TBound =
+  TBoundZero() or
+  TBoundValueNumber(ValueNumber vn) {
+    exists(Instruction i |
+      vn.getAnInstruction() = i and
+      (
+        i.getResultIRType() instanceof IRIntegerType or
+        i.getResultIRType() instanceof IRAddressType
+      ) and
+      not vn.getAnInstruction() instanceof ConstantInstruction
+    |
+      i instanceof PhiInstruction
+      or
+      i instanceof InitializeParameterInstruction
+      or
+      i instanceof CallInstruction
+      or
+      i instanceof VariableAddressInstruction
+      or
+      i instanceof FieldAddressInstruction
+      or
+      i.(LoadInstruction).getSourceAddress() instanceof VariableAddressInstruction
+      or
+      i.(LoadInstruction).getSourceAddress() instanceof FieldAddressInstruction
+      or
+      i.getAUse() instanceof ArgumentOperand
+      or
+      i instanceof PointerArithmeticInstruction
+      or
+      i.getAUse() instanceof AddressOperand
+    )
+  }
+
+/**
+ * A bound that may be inferred for an expression plus/minus an integer delta.
+ */
+abstract class Bound extends TBound {
+  abstract string toString();
+
+  /** Gets an expression that equals this bound plus `delta`. */
+  abstract Instruction getInstruction(int delta);
+
+  /** Gets an expression that equals this bound. */
+  Instruction getInstruction() { result = getInstruction(0) }
+
+  abstract Location getLocation();
+}
+
+/**
+ * The bound that corresponds to the integer 0. This is used to represent all
+ * integer bounds as bounds are always accompanied by an added integer delta.
+ */
+class ZeroBound extends Bound, TBoundZero {
+  override string toString() { result = "0" }
+
+  override Instruction getInstruction(int delta) {
+    result.(ConstantValueInstruction).getValue().toInt() = delta
+  }
+
+  override Location getLocation() { result instanceof UnknownDefaultLocation }
+}
+
+/**
+ * A bound corresponding to the value of an `Instruction`.
+ */
+class ValueNumberBound extends Bound, TBoundValueNumber {
+  ValueNumber vn;
+
+  ValueNumberBound() { this = TBoundValueNumber(vn) }
+
+  /** Gets an `Instruction` that equals this bound. */
+  override Instruction getInstruction(int delta) {
+    this = TBoundValueNumber(valueNumber(result)) and delta = 0
+  }
+
+  override string toString() { result = "ValueNumberBound" }
+
+  override Location getLocation() { result = vn.getLocation() }
+
+  /** Gets the value number that equals this bound. */
+  ValueNumber getValueNumber() { result = vn }
+}

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/ConstantAnalysis.qll

@@ -2,7 +2,7 @@
  * Simple constant analysis using the Semantic interface.
  */
 
-private import experimental.semmle.code.cpp.semantic.Semantic
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
 private import ConstantAnalysisSpecific as Specific
 
 /** An expression that always has the same integer value. */

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/ConstantAnalysisSpecific.qll

@@ -2,7 +2,7 @@
  * C++-specific implementation of constant analysis.
  */
 
-private import experimental.semmle.code.cpp.semantic.Semantic
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
 
 /**
  * Gets the constant integer value of the specified expression, if any.

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/FloatDelta.qll

@@ -0,0 +1,20 @@
+private import RangeAnalysisStage
+
+module FloatDelta implements DeltaSig {
+  class Delta = float;
+
+  bindingset[d]
+  bindingset[result]
+  float toFloat(Delta d) { result = d }
+
+  bindingset[d]
+  bindingset[result]
+  int toInt(Delta d) { result = d }
+
+  bindingset[n]
+  bindingset[result]
+  Delta fromInt(int n) { result = n }
+
+  bindingset[f]
+  Delta fromFloat(float f) { result = f }
+}

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/IntDelta.qll

@@ -1,7 +1,7 @@
 private import RangeAnalysisStage
 
-module FloatDelta implements DeltaSig {
-  class Delta = float;
+module IntDelta implements DeltaSig {
+  class Delta = int;
 
   bindingset[d]
   bindingset[result]

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/ModulusAnalysis.qll

@@ -11,7 +11,7 @@
  */
 
 private import ModulusAnalysisSpecific::Private
-private import experimental.semmle.code.cpp.semantic.Semantic
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
 private import ConstantAnalysis
 private import RangeUtils
 private import RangeAnalysisStage

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/ModulusAnalysisSpecific.qll

@@ -2,7 +2,7 @@
  * C++-specific implementation of modulus analysis.
  */
 module Private {
-  private import experimental.semmle.code.cpp.semantic.Semantic
+  private import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
 
   predicate ignoreExprModulus(SemExpr e) { none() }
 }

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysis.qll

@@ -0,0 +1,2 @@
+import RangeAnalysisImpl
+import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticBound