Merge pull request #12968 from github/release-prep/2.13.1

Release preparation for version 2.13.1
2026-05-16 04:09:27 +02:00 · 2023-04-28 13:14:42 +01:00 · 2023-04-28 12:14:35 +00:00 · 2023-04-28 09:47:46 +01:00 · 2023-04-28 09:30:30 +01:00 · 2023-04-28 10:07:45 +02:00
3074 changed files with 289491 additions and 163098 deletions
--- a/.bazelversion
+++ b/.bazelversion
@@ -1 +1 @@
-5.0.0
+6.1.2
--- a/.github/workflows/atm-check-query-suite.yml
+++ b/.github/workflows/atm-check-query-suite.yml
@@ -1,102 +0,0 @@
-name: "ATM - Check query suite"
-
-env:
-  QUERY_PACK: javascript/ql/experimental/adaptivethreatmodeling/src
-  QUERY_SUITE: codeql-suites/javascript-atm-code-scanning.qls
-
-on:
-  pull_request:
-    paths:
-      - ".github/workflows/atm-check-query-suite.yml"
-      - "javascript/ql/experimental/adaptivethreatmodeling/**"
-  workflow_dispatch:
-
-jobs:
-  atm-check-query-suite:
-    runs-on: ubuntu-latest-xl
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Setup CodeQL
-        uses: ./.github/actions/fetch-codeql
-        with:
-          channel: release
-
-      - name: Cache compilation cache
-        id: query-cache
-        uses: ./.github/actions/cache-query-compilation
-        with: 
-          key: atm-suite
-
-      - name: Install ATM model
-        run: |
-          set -exu
-
-          # Install dependencies of ATM query pack, i.e. the ATM model
-          codeql pack install "${QUERY_PACK}"
-
-          # Retrieve model checksum
-          model_checksum=$(codeql resolve extensions "${QUERY_PACK}/${QUERY_SUITE}" | jq -r '.models[0].checksum')
-
-          # Trust the model so that we can use it in the ATM boosted queries
-          mkdir -p "$HOME/.config/codeql"
-          echo "--insecurely-execute-ml-model-checksums ${model_checksum}" >> "$HOME/.config/codeql/config"
-
-      - name: Create test DB
-        run: |
-          DB_PATH="${RUNNER_TEMP}/db"
-          echo "DB_PATH=${DB_PATH}" >> "${GITHUB_ENV}"
-
-          codeql database create "${DB_PATH}" --source-root config/atm --language javascript 
-
-      - name: Run ATM query suite
-        run: |
-          SARIF_PATH="${RUNNER_TEMP}/sarif.json"
-          echo "SARIF_PATH=${SARIF_PATH}" >> "${GITHUB_ENV}"
-
-          codeql database analyze \
-            --threads=0 \
-            --ram 50000 \
-            --format sarif-latest \
-            --output "${SARIF_PATH}" \
-            --sarif-group-rules-by-pack \
-            -vv \
-            --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" \
-            -- \
-            "${DB_PATH}" \
-            "${QUERY_PACK}/${QUERY_SUITE}"
-
-      - name: Upload SARIF
-        uses: actions/upload-artifact@v3
-        with:
-          name: javascript-ml-powered-queries.sarif
-          path: "${{ env.SARIF_PATH }}"
-          retention-days: 5
-
-      - name: Check results
-        run: |
-          # We should run at least the ML-powered queries in `expected_rules`.
-          expected_rules="js/ml-powered/nosql-injection js/ml-powered/path-injection js/ml-powered/sql-injection js/ml-powered/xss"
-
-          for rule in ${expected_rules}; do
-            found_rule=$(jq --arg rule "${rule}" '[.runs[0].tool.extensions[].rules | select(. != null) |
-              flatten | .[].id] | any(. == $rule)' "${SARIF_PATH}")
-            if [[ "${found_rule}" != "true" ]]; then
-              echo "Expected SARIF output to contain rule '${rule}', but found no such rule."
-              exit 1
-            else
-              echo "Found rule '${rule}'."
-            fi
-          done
-
-          # We should have at least one alert from an ML-powered query.
-          num_alerts=$(jq '[.runs[0].results[] |
-            select(.properties.score != null and (.rule.id | startswith("js/ml-powered/")))] | length' \
-            "${SARIF_PATH}")
-          if [[ "${num_alerts}" -eq 0 ]]; then
-            echo "Expected to find at least one alert from an ML-powered query but found ${num_alerts}."
-            exit 1
-          else
-            echo "Found ${num_alerts} alerts from ML-powered queries.";
-          fi
--- a/.github/workflows/atm-model-integration-tests.yml
+++ b/.github/workflows/atm-model-integration-tests.yml
@@ -1,12 +0,0 @@
-name: ATM Model Integration Tests
-
-on:
-  workflow_dispatch:
-
-jobs:
-  hello-world:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: foo
-        run: echo "Hello world"
--- a/.github/workflows/check-change-note.yml
+++ b/.github/workflows/check-change-note.yml
@@ -8,6 +8,7 @@ on:
      - "*/ql/src/**/*.qll"
      - "*/ql/lib/**/*.ql"
      - "*/ql/lib/**/*.qll"
+      - "*/ql/lib/**/*.yml"
      - "!**/experimental/**"
      - "!ql/**"
      - "!swift/**"
--- a/.github/workflows/close-stale.yml
+++ b/.github/workflows/close-stale.yml
@@ -12,7 +12,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-    - uses: actions/stale@v7
+    - uses: actions/stale@v8
      with:
        repo-token: ${{ secrets.GITHUB_TOKEN }}
        stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `Stale` label in order to avoid having this issue closed in 7 days.'
--- a/.github/workflows/fast-forward.yml
+++ b/.github/workflows/fast-forward.yml
@@ -0,0 +1,50 @@
+# Fast-forwards the branch specified in BRANCH_NAME
+# to the github.ref/sha that this workflow is run on.
+# Used as part of the release process, to ensure
+# external query writers can always access a branch of github/codeql
+# that is compatible with the latest stable release.
+name: Fast-forward tracking branch for selected CodeQL version
+on:
+  workflow_dispatch:
+
+jobs:
+  fast-forward:
+    name: Fast-forward tracking branch for selected CodeQL version
+    runs-on: ubuntu-latest
+    if: github.repository == 'github/codeql'
+    permissions:
+      contents: write
+    env:
+      BRANCH_NAME: 'lgtm.com'
+    steps:
+      - name: Validate chosen branch
+        if: ${{ !startsWith(github.ref_name, 'codeql-cli-') }}
+        shell: bash
+        run: |
+          echo "::error ::The $BRANCH_NAME tracking branch should only be fast-forwarded to the tip of a codeql-cli-* branch, got $GITHUB_REF_NAME instead."
+          exit 1
+
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Git config
+        shell: bash
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+      - name: Fetch
+        shell: bash
+        run: |
+          set -x
+          echo "Fetching $BRANCH_NAME"
+          # Explicitly unshallow and fetch to ensure the remote ref is available.
+          git fetch --unshallow origin "$BRANCH_NAME"
+          git checkout -b "$BRANCH_NAME" "origin/$BRANCH_NAME"
+
+      - name: Fast-forward
+        shell: bash
+        run: |
+          echo "Fast-forwarding $BRANCH_NAME to ${GITHUB_REF}@${GITHUB_SHA}"
+          git merge --ff-only "$GITHUB_SHA"
+          git push origin "$BRANCH_NAME"
--- a/.github/workflows/go-tests-other-os.yml
+++ b/.github/workflows/go-tests-other-os.yml
@@ -13,9 +13,9 @@ jobs:
    runs-on: macos-latest
    steps:
      - name: Set up Go 1.20
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
        with:
-          go-version: 1.20.0
+          go-version: '1.20'
        id: go

      - name: Check out code
@@ -48,9 +48,9 @@ jobs:
    runs-on: windows-latest-xl
    steps:
      - name: Set up Go 1.20
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
        with:
-          go-version: 1.20.0
+          go-version: '1.20'
        id: go

      - name: Check out code
--- a/.github/workflows/go-tests.yml
+++ b/.github/workflows/go-tests.yml
@@ -21,9 +21,9 @@ jobs:
    runs-on: ubuntu-latest-xl
    steps:
      - name: Set up Go 1.20
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
        with:
-          go-version: 1.20.0
+          go-version: '1.20'
        id: go

      - name: Check out code
--- a/.github/workflows/ruby-build.yml
+++ b/.github/workflows/ruby-build.yml
@@ -48,6 +48,9 @@ jobs:
        run: |
          brew install gnu-tar
          echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
+      - name: Install cargo-cross
+        if: runner.os == 'Linux'
+        run: cargo install cross --version 0.2.5
      - uses: ./.github/actions/os-version
        id: os_version
      - name: Cache entire extractor
@@ -55,10 +58,8 @@ jobs:
        id: cache-extractor
        with:
          path: |
-            ruby/extractor/target/release/autobuilder
-            ruby/extractor/target/release/autobuilder.exe
-            ruby/extractor/target/release/extractor
-            ruby/extractor/target/release/extractor.exe
+            ruby/extractor/target/release/codeql-extractor-ruby
+            ruby/extractor/target/release/codeql-extractor-ruby.exe
            ruby/extractor/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-extractor-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/Cargo.lock') }}--${{ hashFiles('ruby/extractor/**/*.rs') }}
      - uses: actions/cache@v3
@@ -78,12 +79,20 @@ jobs:
      - name: Run tests
        if: steps.cache-extractor.outputs.cache-hit != 'true'
        run: cd extractor && cargo test --verbose
-      - name: Release build
-        if: steps.cache-extractor.outputs.cache-hit != 'true'
+      # On linux, build the extractor via cross in a centos7 container.
+      # This ensures we don't depend on glibc > 2.17.
+      - name: Release build (linux)
+        if: steps.cache-extractor.outputs.cache-hit != 'true' && runner.os == 'Linux'
+        run: |
+          cd extractor
+          cross build --release
+          mv target/x86_64-unknown-linux-gnu/release/codeql-extractor-ruby target/release/
+      - name: Release build (windows and macos)
+        if: steps.cache-extractor.outputs.cache-hit != 'true' && runner.os != 'Linux'
        run: cd extractor && cargo build --release
      - name: Generate dbscheme
        if: ${{ matrix.os == 'ubuntu-latest' && steps.cache-extractor.outputs.cache-hit != 'true'}}
-        run: extractor/target/release/generator --dbscheme ql/lib/ruby.dbscheme --library ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
+        run: extractor/target/release/codeql-extractor-ruby generate --dbscheme ql/lib/ruby.dbscheme --library ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
      - uses: actions/upload-artifact@v3
        if: ${{ matrix.os == 'ubuntu-latest' }}
        with:
@@ -98,10 +107,8 @@ jobs:
        with:
          name: extractor-${{ matrix.os }}
          path: |
-            ruby/extractor/target/release/autobuilder
-            ruby/extractor/target/release/autobuilder.exe
-            ruby/extractor/target/release/extractor
-            ruby/extractor/target/release/extractor.exe
+            ruby/extractor/target/release/codeql-extractor-ruby
+            ruby/extractor/target/release/codeql-extractor-ruby.exe
          retention-days: 1
  compile-queries:
    runs-on: ubuntu-latest-xl
@@ -159,13 +166,10 @@ jobs:
          mkdir -p ruby
          cp -r codeql-extractor.yml tools ql/lib/ruby.dbscheme.stats ruby/
          mkdir -p ruby/tools/{linux64,osx64,win64}
-          cp linux64/autobuilder ruby/tools/linux64/autobuilder
-          cp osx64/autobuilder ruby/tools/osx64/autobuilder
-          cp win64/autobuilder.exe ruby/tools/win64/autobuilder.exe
-          cp linux64/extractor ruby/tools/linux64/extractor
-          cp osx64/extractor ruby/tools/osx64/extractor
-          cp win64/extractor.exe ruby/tools/win64/extractor.exe
-          chmod +x ruby/tools/{linux64,osx64}/{autobuilder,extractor}
+          cp linux64/codeql-extractor-ruby ruby/tools/linux64/extractor
+          cp osx64/codeql-extractor-ruby ruby/tools/osx64/extractor
+          cp win64/codeql-extractor-ruby.exe ruby/tools/win64/extractor.exe
+          chmod +x ruby/tools/{linux64,osx64}/extractor
          zip -rq codeql-ruby.zip ruby
      - uses: actions/upload-artifact@v3
        with:
@@ -227,3 +231,54 @@ jobs:
        shell: bash
        run: |
          codeql database analyze --search-path "${{ runner.temp }}/ruby-bundle" --format=sarifv2.1.0 --output=out.sarif ../database ruby-code-scanning.qls
+
+  # This is a copy of the 'test' job that runs in a centos7 container.
+  # This tests that the extractor works correctly on systems with an old glibc.
+  test-centos7:
+    defaults:
+      run:
+        working-directory: ${{ github.workspace }}
+    strategy:
+      fail-fast: false
+    runs-on: ubuntu-latest
+    container:
+      image: centos:centos7
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    needs: [package]
+    steps:
+      - name: Install gh cli
+        run: |
+          yum-config-manager --add-repo https://cli.github.com/packages/rpm/gh-cli.repo
+          # fetch-codeql requires unzip and jq
+          # jq is available in epel-release (https://docs.fedoraproject.org/en-US/epel/)
+          yum install -y gh unzip epel-release
+          yum install -y jq
+      - uses: actions/checkout@v3
+      - name: Fetch CodeQL
+        uses: ./.github/actions/fetch-codeql
+
+      # Due to a bug in Actions, we can't use runner.temp in the run blocks here.
+      # https://github.com/actions/runner/issues/2185
+
+      - name: Download Ruby bundle
+        uses: actions/download-artifact@v3
+        with:
+          name: codeql-ruby-bundle
+          path: ${{ runner.temp }}
+      - name: Unzip Ruby bundle
+        shell: bash
+        run: unzip -q -d "$RUNNER_TEMP"/ruby-bundle "$RUNNER_TEMP"/codeql-ruby-bundle.zip
+
+      - name: Run QL test
+        shell: bash
+        run: |
+          codeql test run --search-path "$RUNNER_TEMP"/ruby-bundle --additional-packs "$RUNNER_TEMP"/ruby-bundle ruby/ql/test/library-tests/ast/constants/
+      - name: Create database
+        shell: bash
+        run: |
+          codeql database create --search-path "$RUNNER_TEMP"/ruby-bundle --language ruby --source-root ruby/ql/test/library-tests/ast/constants/ ../database
+      - name: Analyze database
+        shell: bash
+        run: |
+          codeql database analyze --search-path "$RUNNER_TEMP"/ruby-bundle --format=sarifv2.1.0 --output=out.sarif ../database ruby-code-scanning.qls
--- a/.github/workflows/ruby-qltest.yml
+++ b/.github/workflows/ruby-qltest.yml
@@ -4,6 +4,7 @@ on:
  push:
    paths:
      - "ruby/**"
+      - "shared/**"
      - .github/workflows/ruby-build.yml
      - .github/actions/fetch-codeql/action.yml
      - codeql-workspace.yml
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -19,7 +19,7 @@ repos:
    rev: v1.6.0
    hooks:
      - id: autopep8
-        files: ^swift/.*\.py
+        files: ^misc/codegen/.*\.py

  - repo: local
    hooks:
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -123,6 +123,10 @@
    "java/ql/src/utils/modelgenerator/internal/CaptureModels.qll",
    "csharp/ql/src/utils/modelgenerator/internal/CaptureModels.qll"
  ],
+  "Model as Data Generation Java/C# - CaptureModelsPrinting": [
+    "java/ql/src/utils/modelgenerator/internal/CaptureModelsPrinting.qll",
+    "csharp/ql/src/utils/modelgenerator/internal/CaptureModelsPrinting.qll"
+  ],
  "Sign Java/C#": [
    "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/Sign.qll",
    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/Sign.qll"
@@ -279,6 +283,11 @@
    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRBlockImports.qll",
    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRBlockImports.qll"
  ],
+  "C++ IR IRConsistencyImports": [
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConsistencyImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRConsistencyImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRConsistencyImports.qll"
+  ],
  "C++ IR IRFunctionImports": [
    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRFunctionImports.qll",
    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRFunctionImports.qll",
@@ -591,4 +600,4 @@
    "python/ql/lib/semmle/python/security/internal/EncryptionKeySizes.qll",
    "java/ql/lib/semmle/code/java/security/internal/EncryptionKeySizes.qll"
  ]
-}
+}
--- a/cpp/downgrades/19887dbd33327fb07d54251786e0cb2578539775/old.dbscheme
+++ b/cpp/downgrades/19887dbd33327fb07d54251786e0cb2578539775/old.dbscheme
--- a/cpp/downgrades/19887dbd33327fb07d54251786e0cb2578539775/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/19887dbd33327fb07d54251786e0cb2578539775/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/19887dbd33327fb07d54251786e0cb2578539775/upgrade.properties
+++ b/cpp/downgrades/19887dbd33327fb07d54251786e0cb2578539775/upgrade.properties
@@ -0,0 +1,4 @@
+description: Revert support for repeated initializers, which are allowed in C with designated initializers.
+compatibility: full
+aggregate_field_init.rel: reorder aggregate_field_init.rel (int aggregate, int initializer, int field, int position) aggregate initializer field
+aggregate_array_init.rel: reorder aggregate_array_init.rel (int aggregate, int initializer, int element_index, int position) aggregate initializer element_index
--- a/cpp/ql/examples/queries.xml
+++ b/cpp/ql/examples/queries.xml
@@ -1 +0,0 @@
-<queries language="cpp"/>
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,33 @@
+## 0.7.1
+
+No user-facing changes.
+
+## 0.7.0
+
+### Breaking Changes
+
+* The internal `SsaConsistency` module has been moved from `SSAConstruction` to `SSAConsitency`, and the deprecated `SSAConsistency` module has been removed.
+
+### Deprecated APIs
+
+* The single-parameter predicates `ArrayOrVectorAggregateLiteral.getElementExpr` and `ClassAggregateLiteral.getFieldExpr` have been deprecated in favor of `ArrayOrVectorAggregateLiteral.getAnElementExpr` and `ClassAggregateLiteral.getAFieldExpr`.
+* The recently introduced new data flow and taint tracking APIs have had a
+  number of module and predicate renamings. The old APIs remain in place for
+  now.
+* The `SslContextCallAbstractConfig`, `SslContextCallConfig`, `SslContextCallBannedProtocolConfig`, `SslContextCallTls12ProtocolConfig`, `SslContextCallTls13ProtocolConfig`, `SslContextCallTlsProtocolConfig`, `SslContextFlowsToSetOptionConfig`, `SslOptionConfig` dataflow configurations from `BoostorgAsio` have been deprecated. Please use `SslContextCallConfigSig`, `SslContextCallGlobal`, `SslContextCallFlow`, `SslContextCallBannedProtocolFlow`, `SslContextCallTls12ProtocolFlow`, `SslContextCallTls13ProtocolFlow`, `SslContextCallTlsProtocolFlow`, `SslContextFlowsToSetOptionFlow`.
+
+### New Features
+
+* Added overridable predicates `getSizeExpr` and `getSizeMult` to the `BufferAccess` class (`semmle.code.cpp.security.BufferAccess.qll`). This makes it possible to model a larger class of buffer reads and writes using the library.
+
+### Minor Analysis Improvements
+
+* The `BufferAccess` library (`semmle.code.cpp.security.BufferAccess`) no longer matches buffer accesses inside unevaluated contexts (such as inside `sizeof` or `decltype` expressions). As a result, queries using this library may see fewer false positives.
+
+### Bug Fixes
+
+* Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular `DataFlow::hasFlowPath`, `DataFlow::hasFlow`, `DataFlow::hasFlowTo`, and `DataFlow::hasFlowToExpr` were accidentally exposed in a single version.
+
 ## 0.6.1

 No user-facing changes.
--- a/cpp/ql/lib/change-notes/released/0.7.0.md
+++ b/cpp/ql/lib/change-notes/released/0.7.0.md
@@ -0,0 +1,25 @@
+## 0.7.0
+
+### Breaking Changes
+
+* The internal `SsaConsistency` module has been moved from `SSAConstruction` to `SSAConsitency`, and the deprecated `SSAConsistency` module has been removed.
+
+### Deprecated APIs
+
+* The single-parameter predicates `ArrayOrVectorAggregateLiteral.getElementExpr` and `ClassAggregateLiteral.getFieldExpr` have been deprecated in favor of `ArrayOrVectorAggregateLiteral.getAnElementExpr` and `ClassAggregateLiteral.getAFieldExpr`.
+* The recently introduced new data flow and taint tracking APIs have had a
+  number of module and predicate renamings. The old APIs remain in place for
+  now.
+* The `SslContextCallAbstractConfig`, `SslContextCallConfig`, `SslContextCallBannedProtocolConfig`, `SslContextCallTls12ProtocolConfig`, `SslContextCallTls13ProtocolConfig`, `SslContextCallTlsProtocolConfig`, `SslContextFlowsToSetOptionConfig`, `SslOptionConfig` dataflow configurations from `BoostorgAsio` have been deprecated. Please use `SslContextCallConfigSig`, `SslContextCallGlobal`, `SslContextCallFlow`, `SslContextCallBannedProtocolFlow`, `SslContextCallTls12ProtocolFlow`, `SslContextCallTls13ProtocolFlow`, `SslContextCallTlsProtocolFlow`, `SslContextFlowsToSetOptionFlow`.
+
+### New Features
+
+* Added overridable predicates `getSizeExpr` and `getSizeMult` to the `BufferAccess` class (`semmle.code.cpp.security.BufferAccess.qll`). This makes it possible to model a larger class of buffer reads and writes using the library.
+
+### Minor Analysis Improvements
+
+* The `BufferAccess` library (`semmle.code.cpp.security.BufferAccess`) no longer matches buffer accesses inside unevaluated contexts (such as inside `sizeof` or `decltype` expressions). As a result, queries using this library may see fewer false positives.
+
+### Bug Fixes
+
+* Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular `DataFlow::hasFlowPath`, `DataFlow::hasFlow`, `DataFlow::hasFlowTo`, and `DataFlow::hasFlowToExpr` were accidentally exposed in a single version.
--- a/cpp/ql/lib/change-notes/released/0.7.1.md
+++ b/cpp/ql/lib/change-notes/released/0.7.1.md
@@ -0,0 +1,3 @@
+## 0.7.1
+
+No user-facing changes.
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.1
+lastReleaseVersion: 0.7.1
--- a/cpp/ql/lib/experimental/semmle/code/cpp/dataflow/ProductFlow.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/dataflow/ProductFlow.qll
@@ -1,17 +1,146 @@
 import semmle.code.cpp.ir.dataflow.DataFlow
-import semmle.code.cpp.ir.dataflow.DataFlow2
+private import codeql.util.Unit

 module ProductFlow {
-  abstract class Configuration extends string {
-    bindingset[this]
-    Configuration() { any() }
-
+  signature module ConfigSig {
    /**
     * Holds if `(source1, source2)` is a relevant data flow source.
     *
     * `source1` and `source2` must belong to the same callable.
     */
-    predicate isSourcePair(DataFlow::Node source1, DataFlow::Node source2) { none() }
+    predicate isSourcePair(DataFlow::Node source1, DataFlow::Node source2);
+
+    /**
+     * Holds if `(sink1, sink2)` is a relevant data flow sink.
+     *
+     * `sink1` and `sink2` must belong to the same callable.
+     */
+    predicate isSinkPair(DataFlow::Node sink1, DataFlow::Node sink2);
+
+    /**
+     * Holds if data flow through `node` is prohibited through the first projection of the product
+     * dataflow graph.
+     */
+    default predicate isBarrier1(DataFlow::Node node) { none() }
+
+    /**
+     * Holds if data flow through `node` is prohibited through the second projection of the product
+     * dataflow graph.
+     */
+    default predicate isBarrier2(DataFlow::Node node) { none() }
+
+    /**
+     * Holds if data flow out of `node` is prohibited in the first projection of the product
+     * dataflow graph.
+     */
+    default predicate isBarrierOut1(DataFlow::Node node) { none() }
+
+    /**
+     * Holds if data flow out of `node` is prohibited in the second projection of the product
+     * dataflow graph.
+     */
+    default predicate isBarrierOut2(DataFlow::Node node) { none() }
+
+    /*
+     * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps in
+     * the first projection of the product dataflow graph.
+     */
+
+    default predicate isAdditionalFlowStep1(DataFlow::Node node1, DataFlow::Node node2) { none() }
+
+    /**
+     * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps in
+     * the second projection of the product dataflow graph.
+     */
+    default predicate isAdditionalFlowStep2(DataFlow::Node node1, DataFlow::Node node2) { none() }
+
+    /**
+     * Holds if data flow into `node` is prohibited in the first projection of the product
+     * dataflow graph.
+     */
+    default predicate isBarrierIn1(DataFlow::Node node) { none() }
+
+    /**
+     * Holds if data flow into `node` is prohibited in the second projection of the product
+     * dataflow graph.
+     */
+    default predicate isBarrierIn2(DataFlow::Node node) { none() }
+  }
+
+  module Global<ConfigSig Config> {
+    private module StateConfig implements StateConfigSig {
+      class FlowState1 = Unit;
+
+      class FlowState2 = Unit;
+
+      predicate isSourcePair(
+        DataFlow::Node source1, FlowState1 state1, DataFlow::Node source2, FlowState2 state2
+      ) {
+        exists(state1) and
+        exists(state2) and
+        Config::isSourcePair(source1, source2)
+      }
+
+      predicate isSinkPair(
+        DataFlow::Node sink1, FlowState1 state1, DataFlow::Node sink2, FlowState2 state2
+      ) {
+        exists(state1) and
+        exists(state2) and
+        Config::isSinkPair(sink1, sink2)
+      }
+
+      predicate isBarrier1(DataFlow::Node node, FlowState1 state) {
+        exists(state) and
+        Config::isBarrier1(node)
+      }
+
+      predicate isBarrier2(DataFlow::Node node, FlowState2 state) {
+        exists(state) and
+        Config::isBarrier2(node)
+      }
+
+      predicate isBarrier1 = Config::isBarrier1/1;
+
+      predicate isBarrier2 = Config::isBarrier2/1;
+
+      predicate isBarrierOut1 = Config::isBarrierOut1/1;
+
+      predicate isBarrierOut2 = Config::isBarrierOut2/1;
+
+      predicate isAdditionalFlowStep1 = Config::isAdditionalFlowStep1/2;
+
+      predicate isAdditionalFlowStep1(
+        DataFlow::Node node1, FlowState1 state1, DataFlow::Node node2, FlowState1 state2
+      ) {
+        exists(state1) and
+        exists(state2) and
+        Config::isAdditionalFlowStep1(node1, node2)
+      }
+
+      predicate isAdditionalFlowStep2 = Config::isAdditionalFlowStep2/2;
+
+      predicate isAdditionalFlowStep2(
+        DataFlow::Node node1, FlowState2 state1, DataFlow::Node node2, FlowState2 state2
+      ) {
+        exists(state1) and
+        exists(state2) and
+        Config::isAdditionalFlowStep2(node1, node2)
+      }
+
+      predicate isBarrierIn1 = Config::isBarrierIn1/1;
+
+      predicate isBarrierIn2 = Config::isBarrierIn2/1;
+    }
+
+    import GlobalWithState<StateConfig>
+  }
+
+  signature module StateConfigSig {
+    bindingset[this]
+    class FlowState1;
+
+    bindingset[this]
+    class FlowState2;

    /**
     * Holds if `(source1, source2)` is a relevant data flow source with initial states `state1`
@@ -20,20 +149,8 @@ module ProductFlow {
     * `source1` and `source2` must belong to the same callable.
     */
    predicate isSourcePair(
-      DataFlow::Node source1, DataFlow::FlowState state1, DataFlow::Node source2,
-      DataFlow::FlowState state2
-    ) {
-      state1 = "" and
-      state2 = "" and
-      this.isSourcePair(source1, source2)
-    }
-
-    /**
-     * Holds if `(sink1, sink2)` is a relevant data flow sink.
-     *
-     * `sink1` and `sink2` must belong to the same callable.
-     */
-    predicate isSinkPair(DataFlow::Node sink1, DataFlow::Node sink2) { none() }
+      DataFlow::Node source1, FlowState1 state1, DataFlow::Node source2, FlowState2 state2
+    );

    /**
     * Holds if `(sink1, sink2)` is a relevant data flow sink with final states `state1`
@@ -42,60 +159,51 @@ module ProductFlow {
     * `sink1` and `sink2` must belong to the same callable.
     */
    predicate isSinkPair(
-      DataFlow::Node sink1, DataFlow::FlowState state1, DataFlow::Node sink2,
-      DataFlow::FlowState state2
-    ) {
-      state1 = "" and
-      state2 = "" and
-      this.isSinkPair(sink1, sink2)
-    }
+      DataFlow::Node sink1, FlowState1 state1, DataFlow::Node sink2, FlowState2 state2
+    );

    /**
     * Holds if data flow through `node` is prohibited through the first projection of the product
     * dataflow graph when the flow state is `state`.
     */
-    predicate isBarrier1(DataFlow::Node node, DataFlow::FlowState state) {
-      this.isBarrier1(node) and state = ""
-    }
+    predicate isBarrier1(DataFlow::Node node, FlowState1 state);

    /**
     * Holds if data flow through `node` is prohibited through the second projection of the product
     * dataflow graph when the flow state is `state`.
     */
-    predicate isBarrier2(DataFlow::Node node, DataFlow::FlowState state) {
-      this.isBarrier2(node) and state = ""
-    }
+    predicate isBarrier2(DataFlow::Node node, FlowState2 state);

    /**
     * Holds if data flow through `node` is prohibited through the first projection of the product
     * dataflow graph.
     */
-    predicate isBarrier1(DataFlow::Node node) { none() }
+    default predicate isBarrier1(DataFlow::Node node) { none() }

    /**
     * Holds if data flow through `node` is prohibited through the second projection of the product
     * dataflow graph.
     */
-    predicate isBarrier2(DataFlow::Node node) { none() }
+    default predicate isBarrier2(DataFlow::Node node) { none() }

    /**
     * Holds if data flow out of `node` is prohibited in the first projection of the product
     * dataflow graph.
     */
-    predicate isBarrierOut1(DataFlow::Node node) { none() }
+    default predicate isBarrierOut1(DataFlow::Node node) { none() }

    /**
     * Holds if data flow out of `node` is prohibited in the second projection of the product
     * dataflow graph.
     */
-    predicate isBarrierOut2(DataFlow::Node node) { none() }
+    default predicate isBarrierOut2(DataFlow::Node node) { none() }

    /*
     * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps in
     * the first projection of the product dataflow graph.
     */

-    predicate isAdditionalFlowStep1(DataFlow::Node node1, DataFlow::Node node2) { none() }
+    default predicate isAdditionalFlowStep1(DataFlow::Node node1, DataFlow::Node node2) { none() }

    /**
     * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps in
@@ -104,19 +212,14 @@ module ProductFlow {
     * This step is only applicable in `state1` and updates the flow state to `state2`.
     */
    predicate isAdditionalFlowStep1(
-      DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-      DataFlow::FlowState state2
-    ) {
-      state1 instanceof DataFlow::FlowStateEmpty and
-      state2 instanceof DataFlow::FlowStateEmpty and
-      this.isAdditionalFlowStep1(node1, node2)
-    }
+      DataFlow::Node node1, FlowState1 state1, DataFlow::Node node2, FlowState1 state2
+    );

    /**
     * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps in
     * the second projection of the product dataflow graph.
     */
-    predicate isAdditionalFlowStep2(DataFlow::Node node1, DataFlow::Node node2) { none() }
+    default predicate isAdditionalFlowStep2(DataFlow::Node node1, DataFlow::Node node2) { none() }

    /**
     * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps in
@@ -125,177 +228,168 @@ module ProductFlow {
     * This step is only applicable in `state1` and updates the flow state to `state2`.
     */
    predicate isAdditionalFlowStep2(
-      DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-      DataFlow::FlowState state2
-    ) {
-      state1 instanceof DataFlow::FlowStateEmpty and
-      state2 instanceof DataFlow::FlowStateEmpty and
-      this.isAdditionalFlowStep2(node1, node2)
-    }
+      DataFlow::Node node1, FlowState2 state1, DataFlow::Node node2, FlowState2 state2
+    );

    /**
     * Holds if data flow into `node` is prohibited in the first projection of the product
     * dataflow graph.
     */
-    predicate isBarrierIn1(DataFlow::Node node) { none() }
+    default predicate isBarrierIn1(DataFlow::Node node) { none() }

    /**
     * Holds if data flow into `node` is prohibited in the second projection of the product
     * dataflow graph.
     */
-    predicate isBarrierIn2(DataFlow::Node node) { none() }
+    default predicate isBarrierIn2(DataFlow::Node node) { none() }
+  }

-    predicate hasFlowPath(
-      DataFlow::PathNode source1, DataFlow2::PathNode source2, DataFlow::PathNode sink1,
-      DataFlow2::PathNode sink2
+  module GlobalWithState<StateConfigSig Config> {
+    class PathNode1 = Flow1::PathNode;
+
+    class PathNode2 = Flow2::PathNode;
+
+    module PathGraph1 = Flow1::PathGraph;
+
+    module PathGraph2 = Flow2::PathGraph;
+
+    class FlowState1 = Config::FlowState1;
+
+    class FlowState2 = Config::FlowState2;
+
+    predicate flowPath(
+      Flow1::PathNode source1, Flow2::PathNode source2, Flow1::PathNode sink1, Flow2::PathNode sink2
    ) {
-      reachable(this, source1, source2, sink1, sink2)
+      reachable(source1, source2, sink1, sink2)
    }
-  }

-  private import Internal
+    private module Config1 implements DataFlow::StateConfigSig {
+      class FlowState = FlowState1;

-  module Internal {
-    class Conf1 extends DataFlow::Configuration {
-      Conf1() { this = "Conf1" }
-
-      override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
-        exists(Configuration conf | conf.isSourcePair(source, state, _, _))
+      predicate isSource(DataFlow::Node source, FlowState state) {
+        Config::isSourcePair(source, state, _, _)
      }

-      override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
-        exists(Configuration conf | conf.isSinkPair(sink, state, _, _))
+      predicate isSink(DataFlow::Node sink, FlowState state) {
+        Config::isSinkPair(sink, state, _, _)
      }

-      override predicate isBarrier(DataFlow::Node node, DataFlow::FlowState state) {
-        exists(Configuration conf | conf.isBarrier1(node, state))
-      }
+      predicate isBarrier(DataFlow::Node node, FlowState state) { Config::isBarrier1(node, state) }

-      override predicate isBarrierOut(DataFlow::Node node) {
-        exists(Configuration conf | conf.isBarrierOut1(node))
-      }
+      predicate isBarrierOut(DataFlow::Node node) { Config::isBarrierOut1(node) }

-      override predicate isAdditionalFlowStep(
-        DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-        DataFlow::FlowState state2
+      predicate isAdditionalFlowStep(
+        DataFlow::Node node1, FlowState1 state1, DataFlow::Node node2, FlowState state2
      ) {
-        exists(Configuration conf | conf.isAdditionalFlowStep1(node1, state1, node2, state2))
+        Config::isAdditionalFlowStep1(node1, state1, node2, state2)
      }

-      override predicate isBarrierIn(DataFlow::Node node) {
-        exists(Configuration conf | conf.isBarrierIn1(node))
-      }
+      predicate isBarrierIn(DataFlow::Node node) { Config::isBarrierIn1(node) }
    }

-    class Conf2 extends DataFlow2::Configuration {
-      Conf2() { this = "Conf2" }
+    module Flow1 = DataFlow::GlobalWithState<Config1>;

-      override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
-        exists(Configuration conf, DataFlow::PathNode source1 |
-          conf.isSourcePair(source1.getNode(), source1.getState(), source, state) and
-          any(Conf1 c).hasFlowPath(source1, _)
+    module Config2 implements DataFlow::StateConfigSig {
+      class FlowState = FlowState2;
+
+      predicate isSource(DataFlow::Node source, FlowState state) {
+        exists(Flow1::PathNode source1 |
+          Config::isSourcePair(source1.getNode(), source1.getState(), source, state) and
+          Flow1::flowPath(source1, _)
        )
      }

-      override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
-        exists(Configuration conf, DataFlow::PathNode sink1 |
-          conf.isSinkPair(sink1.getNode(), sink1.getState(), sink, state) and
-          any(Conf1 c).hasFlowPath(_, sink1)
+      predicate isSink(DataFlow::Node sink, FlowState state) {
+        exists(Flow1::PathNode sink1 |
+          Config::isSinkPair(sink1.getNode(), sink1.getState(), sink, state) and
+          Flow1::flowPath(_, sink1)
        )
      }

-      override predicate isBarrier(DataFlow::Node node, DataFlow::FlowState state) {
-        exists(Configuration conf | conf.isBarrier2(node, state))
-      }
+      predicate isBarrier(DataFlow::Node node, FlowState state) { Config::isBarrier2(node, state) }

-      override predicate isBarrierOut(DataFlow::Node node) {
-        exists(Configuration conf | conf.isBarrierOut2(node))
-      }
+      predicate isBarrierOut(DataFlow::Node node) { Config::isBarrierOut2(node) }

-      override predicate isAdditionalFlowStep(
-        DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-        DataFlow::FlowState state2
+      predicate isAdditionalFlowStep(
+        DataFlow::Node node1, FlowState state1, DataFlow::Node node2, FlowState state2
      ) {
-        exists(Configuration conf | conf.isAdditionalFlowStep2(node1, state1, node2, state2))
+        Config::isAdditionalFlowStep2(node1, state1, node2, state2)
      }

-      override predicate isBarrierIn(DataFlow::Node node) {
-        exists(Configuration conf | conf.isBarrierIn2(node))
-      }
+      predicate isBarrierIn(DataFlow::Node node) { Config::isBarrierIn2(node) }
    }
-  }

-  pragma[nomagic]
-  private predicate reachableInterprocEntry(
-    Configuration conf, DataFlow::PathNode source1, DataFlow2::PathNode source2,
-    DataFlow::PathNode node1, DataFlow2::PathNode node2
-  ) {
-    conf.isSourcePair(node1.getNode(), node1.getState(), node2.getNode(), node2.getState()) and
-    node1 = source1 and
-    node2 = source2
-    or
-    exists(
-      DataFlow::PathNode midEntry1, DataFlow2::PathNode midEntry2, DataFlow::PathNode midExit1,
-      DataFlow2::PathNode midExit2
-    |
-      reachableInterprocEntry(conf, source1, source2, midEntry1, midEntry2) and
-      interprocEdgePair(midExit1, midExit2, node1, node2) and
-      localPathStep1*(midEntry1, midExit1) and
-      localPathStep2*(midEntry2, midExit2)
-    )
-  }
+    module Flow2 = DataFlow::GlobalWithState<Config2>;

-  private predicate localPathStep1(DataFlow::PathNode pred, DataFlow::PathNode succ) {
-    DataFlow::PathGraph::edges(pred, succ) and
-    pragma[only_bind_out](pred.getNode().getEnclosingCallable()) =
-      pragma[only_bind_out](succ.getNode().getEnclosingCallable())
-  }
+    pragma[nomagic]
+    private predicate reachableInterprocEntry(
+      Flow1::PathNode source1, Flow2::PathNode source2, Flow1::PathNode node1, Flow2::PathNode node2
+    ) {
+      Config::isSourcePair(node1.getNode(), node1.getState(), node2.getNode(), node2.getState()) and
+      node1 = source1 and
+      node2 = source2
+      or
+      exists(
+        Flow1::PathNode midEntry1, Flow2::PathNode midEntry2, Flow1::PathNode midExit1,
+        Flow2::PathNode midExit2
+      |
+        reachableInterprocEntry(source1, source2, midEntry1, midEntry2) and
+        interprocEdgePair(midExit1, midExit2, node1, node2) and
+        localPathStep1*(midEntry1, midExit1) and
+        localPathStep2*(midEntry2, midExit2)
+      )
+    }

-  private predicate localPathStep2(DataFlow2::PathNode pred, DataFlow2::PathNode succ) {
-    DataFlow2::PathGraph::edges(pred, succ) and
-    pragma[only_bind_out](pred.getNode().getEnclosingCallable()) =
-      pragma[only_bind_out](succ.getNode().getEnclosingCallable())
-  }
+    private predicate localPathStep1(Flow1::PathNode pred, Flow1::PathNode succ) {
+      Flow1::PathGraph::edges(pred, succ) and
+      pragma[only_bind_out](pred.getNode().getEnclosingCallable()) =
+        pragma[only_bind_out](succ.getNode().getEnclosingCallable())
+    }

-  pragma[nomagic]
-  private predicate interprocEdge1(
-    Declaration predDecl, Declaration succDecl, DataFlow::PathNode pred1, DataFlow::PathNode succ1
-  ) {
-    DataFlow::PathGraph::edges(pred1, succ1) and
-    predDecl != succDecl and
-    pred1.getNode().getEnclosingCallable() = predDecl and
-    succ1.getNode().getEnclosingCallable() = succDecl
-  }
+    private predicate localPathStep2(Flow2::PathNode pred, Flow2::PathNode succ) {
+      Flow2::PathGraph::edges(pred, succ) and
+      pragma[only_bind_out](pred.getNode().getEnclosingCallable()) =
+        pragma[only_bind_out](succ.getNode().getEnclosingCallable())
+    }

-  pragma[nomagic]
-  private predicate interprocEdge2(
-    Declaration predDecl, Declaration succDecl, DataFlow2::PathNode pred2, DataFlow2::PathNode succ2
-  ) {
-    DataFlow2::PathGraph::edges(pred2, succ2) and
-    predDecl != succDecl and
-    pred2.getNode().getEnclosingCallable() = predDecl and
-    succ2.getNode().getEnclosingCallable() = succDecl
-  }
+    pragma[nomagic]
+    private predicate interprocEdge1(
+      Declaration predDecl, Declaration succDecl, Flow1::PathNode pred1, Flow1::PathNode succ1
+    ) {
+      Flow1::PathGraph::edges(pred1, succ1) and
+      predDecl != succDecl and
+      pred1.getNode().getEnclosingCallable() = predDecl and
+      succ1.getNode().getEnclosingCallable() = succDecl
+    }

-  private predicate interprocEdgePair(
-    DataFlow::PathNode pred1, DataFlow2::PathNode pred2, DataFlow::PathNode succ1,
-    DataFlow2::PathNode succ2
-  ) {
-    exists(Declaration predDecl, Declaration succDecl |
-      interprocEdge1(predDecl, succDecl, pred1, succ1) and
-      interprocEdge2(predDecl, succDecl, pred2, succ2)
-    )
-  }
+    pragma[nomagic]
+    private predicate interprocEdge2(
+      Declaration predDecl, Declaration succDecl, Flow2::PathNode pred2, Flow2::PathNode succ2
+    ) {
+      Flow2::PathGraph::edges(pred2, succ2) and
+      predDecl != succDecl and
+      pred2.getNode().getEnclosingCallable() = predDecl and
+      succ2.getNode().getEnclosingCallable() = succDecl
+    }

-  private predicate reachable(
-    Configuration conf, DataFlow::PathNode source1, DataFlow2::PathNode source2,
-    DataFlow::PathNode sink1, DataFlow2::PathNode sink2
-  ) {
-    exists(DataFlow::PathNode mid1, DataFlow2::PathNode mid2 |
-      reachableInterprocEntry(conf, source1, source2, mid1, mid2) and
-      conf.isSinkPair(sink1.getNode(), sink1.getState(), sink2.getNode(), sink2.getState()) and
-      localPathStep1*(mid1, sink1) and
-      localPathStep2*(mid2, sink2)
-    )
+    private predicate interprocEdgePair(
+      Flow1::PathNode pred1, Flow2::PathNode pred2, Flow1::PathNode succ1, Flow2::PathNode succ2
+    ) {
+      exists(Declaration predDecl, Declaration succDecl |
+        interprocEdge1(predDecl, succDecl, pred1, succ1) and
+        interprocEdge2(predDecl, succDecl, pred2, succ2)
+      )
+    }
+
+    private predicate reachable(
+      Flow1::PathNode source1, Flow2::PathNode source2, Flow1::PathNode sink1, Flow2::PathNode sink2
+    ) {
+      exists(Flow1::PathNode mid1, Flow2::PathNode mid2 |
+        reachableInterprocEntry(source1, source2, mid1, mid2) and
+        Config::isSinkPair(sink1.getNode(), sink1.getState(), sink2.getNode(), sink2.getState()) and
+        localPathStep1*(mid1, sink1) and
+        localPathStep2*(mid2, sink2)
+      )
+    }
  }
 }
--- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/Bound.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/Bound.qll
@@ -1,86 +1 @@
-import cpp
-private import semmle.code.cpp.ir.IR
-private import semmle.code.cpp.ir.ValueNumbering
-
-private newtype TBound =
-  TBoundZero() or
-  TBoundValueNumber(ValueNumber vn) {
-    exists(Instruction i |
-      vn.getAnInstruction() = i and
-      (
-        i.getResultIRType() instanceof IRIntegerType or
-        i.getResultIRType() instanceof IRAddressType
-      ) and
-      not vn.getAnInstruction() instanceof ConstantInstruction
-    |
-      i instanceof PhiInstruction
-      or
-      i instanceof InitializeParameterInstruction
-      or
-      i instanceof CallInstruction
-      or
-      i instanceof VariableAddressInstruction
-      or
-      i instanceof FieldAddressInstruction
-      or
-      i.(LoadInstruction).getSourceAddress() instanceof VariableAddressInstruction
-      or
-      i.(LoadInstruction).getSourceAddress() instanceof FieldAddressInstruction
-      or
-      i.getAUse() instanceof ArgumentOperand
-      or
-      i instanceof PointerArithmeticInstruction
-      or
-      i.getAUse() instanceof AddressOperand
-    )
-  }
-
-/**
- * A bound that may be inferred for an expression plus/minus an integer delta.
- */
-abstract class Bound extends TBound {
-  abstract string toString();
-
-  /** Gets an expression that equals this bound plus `delta`. */
-  abstract Instruction getInstruction(int delta);
-
-  /** Gets an expression that equals this bound. */
-  Instruction getInstruction() { result = getInstruction(0) }
-
-  abstract Location getLocation();
-}
-
-/**
- * The bound that corresponds to the integer 0. This is used to represent all
- * integer bounds as bounds are always accompanied by an added integer delta.
- */
-class ZeroBound extends Bound, TBoundZero {
-  override string toString() { result = "0" }
-
-  override Instruction getInstruction(int delta) {
-    result.(ConstantValueInstruction).getValue().toInt() = delta
-  }
-
-  override Location getLocation() { result instanceof UnknownDefaultLocation }
-}
-
-/**
- * A bound corresponding to the value of an `Instruction`.
- */
-class ValueNumberBound extends Bound, TBoundValueNumber {
-  ValueNumber vn;
-
-  ValueNumberBound() { this = TBoundValueNumber(vn) }
-
-  /** Gets an `Instruction` that equals this bound. */
-  override Instruction getInstruction(int delta) {
-    this = TBoundValueNumber(valueNumber(result)) and delta = 0
-  }
-
-  override string toString() { result = "ValueNumberBound" }
-
-  override Location getLocation() { result = vn.getLocation() }
-
-  /** Gets the value number that equals this bound. */
-  ValueNumber getValueNumber() { result = vn }
-}
+import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.Bound
--- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/ExtendedRangeAnalysis.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/ExtendedRangeAnalysis.qll
@@ -3,3 +3,4 @@ import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 // Import each extension we want to enable
 import extensions.SubtractSelf
 import extensions.ConstantBitwiseAndExprRange
+import extensions.StrlenLiteralRangeExpr
--- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/RangeNode.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/RangeNode.qll
@@ -0,0 +1,115 @@
+/**
+ * This module implements subclasses for various DataFlow nodes that extends
+ * their `toString()` predicates with range information, if applicable. By
+ * including this module in a `path-problem` query, this range information
+ * will be displayed at each step in the query results.
+ *
+ * This is currently implemented for `DataFlow::ExprNode` and `DataFlow::DefinitionByReferenceNode`,
+ * but it is not yet implemented for `DataFlow::ParameterNode`.
+ */
+
+private import cpp
+private import semmle.code.cpp.dataflow.DataFlow
+private import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
+
+string getExprBoundAsString(Expr e) {
+  if exists(lowerBound(e)) and exists(upperBound(e))
+  then result = "[" + lowerBound(e) + ", " + upperBound(e) + "]"
+  else result = "[unknown range]"
+}
+
+/**
+ * Holds for any integer type after resolving typedefs and stripping `const`
+ * specifiers, such as for `const size_t`
+ */
+predicate isIntegralType(Type t) {
+  // We use `getUnspecifiedType` here because without it things like
+  // `const size_t` aren't considered to be integral
+  t.getUnspecifiedType() instanceof IntegralType
+}
+
+/**
+ * Holds for any reference to an integer type after resolving typedefs and
+ * stripping `const` specifiers, such as for `const size_t&`
+ */
+predicate isIntegralReferenceType(Type t) { isIntegralType(t.(ReferenceType).stripType()) }
+
+/**
+ * Holds for any pointer to an integer type after resolving typedefs and
+ * stripping `const` specifiers, such as for `const size_t*`. This predicate
+ * holds for any pointer depth, such as for `const size_t**`.
+ */
+predicate isIntegralPointerType(Type t) { isIntegralType(t.(PointerType).stripType()) }
+
+predicate hasIntegralOrReferenceIntegralType(Locatable e) {
+  exists(Type t |
+    (
+      t = e.(Expr).getUnspecifiedType()
+      or
+      // This will cover variables, parameters, type declarations, etc.
+      t = e.(DeclarationEntry).getUnspecifiedType()
+    ) and
+    (isIntegralType(t) or isIntegralReferenceType(t))
+  )
+}
+
+Expr getLOp(Operation o) {
+  result = o.(BinaryOperation).getLeftOperand() or
+  result = o.(Assignment).getLValue()
+}
+
+Expr getROp(Operation o) {
+  result = o.(BinaryOperation).getRightOperand() or
+  result = o.(Assignment).getRValue()
+}
+
+/**
+ * Display the ranges of expressions in the path view
+ */
+private class ExprRangeNode extends DataFlow::ExprNode {
+  pragma[inline]
+  private string getIntegralBounds(Expr arg) {
+    if hasIntegralOrReferenceIntegralType(arg)
+    then result = getExprBoundAsString(arg)
+    else result = ""
+  }
+
+  private string getOperationBounds(Operation e) {
+    result =
+      getExprBoundAsString(e) + " = " + getExprBoundAsString(getLOp(e)) + e.getOperator() +
+        getExprBoundAsString(getROp(e))
+  }
+
+  private string getCallBounds(Call e) {
+    result =
+      getExprBoundAsString(e) + "(" +
+        concat(Expr arg, int i | arg = e.getArgument(i) | getIntegralBounds(arg) order by i, ",") +
+        ")"
+  }
+
+  override string toString() {
+    exists(Expr e | e = getExpr() |
+      if hasIntegralOrReferenceIntegralType(e)
+      then
+        result = super.toString() + ": " + getOperationBounds(e)
+        or
+        result = super.toString() + ": " + getCallBounds(e)
+        or
+        not exists(getOperationBounds(e)) and
+        not exists(getCallBounds(e)) and
+        result = super.toString() + ": " + getExprBoundAsString(e)
+      else result = super.toString()
+    )
+  }
+}
+
+/**
+ * Display the ranges of expressions in the path view
+ */
+private class ReferenceArgumentRangeNode extends DataFlow::DefinitionByReferenceNode {
+  override string toString() {
+    if hasIntegralOrReferenceIntegralType(asDefiningArgument())
+    then result = super.toString() + ": " + getExprBoundAsString(getArgument())
+    else result = super.toString()
+  }
+}
--- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/StrlenLiteralRangeExpr.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/StrlenLiteralRangeExpr.qll
@@ -0,0 +1,18 @@
+private import cpp
+private import experimental.semmle.code.cpp.models.interfaces.SimpleRangeAnalysisExpr
+
+/**
+ * Provides range analysis information for calls to `strlen` on literal strings.
+ * For example, the range of `strlen("literal")` will be 7.
+ */
+class StrlenLiteralRangeExpr extends SimpleRangeAnalysisExpr, FunctionCall {
+  StrlenLiteralRangeExpr() {
+    getTarget().hasGlobalOrStdName("strlen") and getArgument(0).isConstant()
+  }
+
+  override int getLowerBounds() { result = getArgument(0).getValue().length() }
+
+  override int getUpperBounds() { result = getArgument(0).getValue().length() }
+
+  override predicate dependsOnChild(Expr e) { none() }
+}
--- a/cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll
@@ -54,7 +54,7 @@ module PrivateCleartextWrite {
    predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
  }

-  module WriteFlow = TaintTracking::Make<WriteConfig>;
+  module WriteFlow = TaintTracking::Global<WriteConfig>;

  class PrivateDataSource extends Source {
    PrivateDataSource() { this.getExpr() instanceof PrivateDataExpr }
--- a/cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeAnalysis.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeAnalysis.qll
@@ -1,24 +0,0 @@
-private import RangeAnalysisStage
-private import RangeAnalysisSpecific
-private import experimental.semmle.code.cpp.semantic.analysis.FloatDelta
-private import RangeUtils
-private import experimental.semmle.code.cpp.semantic.SemanticBound as SemanticBound
-
-module Bounds implements BoundSig<FloatDelta> {
-  class SemBound instanceof SemanticBound::SemBound {
-    string toString() { result = super.toString() }
-
-    SemExpr getExpr(float delta) { result = super.getExpr(delta) }
-  }
-
-  class SemZeroBound extends SemBound instanceof SemanticBound::SemZeroBound { }
-
-  class SemSsaBound extends SemBound instanceof SemanticBound::SemSsaBound {
-    SemSsaVariable getAVariable() { result = this.(SemanticBound::SemSsaBound).getAVariable() }
-  }
-}
-
-private module CppRangeAnalysis =
-  RangeStage<FloatDelta, Bounds, CppLangImpl, RangeUtil<FloatDelta, CppLangImpl>>;
-
-import CppRangeAnalysis
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.6.1
+version: 0.7.1
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
@@ -8,3 +8,4 @@ upgrades: upgrades
 dependencies:
  codeql/ssa: ${workspace}
  codeql/tutorial: ${workspace}
+  codeql/util: ${workspace}
--- a/cpp/ql/lib/semmle/code/cpp/PrintAST.qll
+++ b/cpp/ql/lib/semmle/code/cpp/PrintAST.qll
@@ -752,13 +752,13 @@ private predicate namedExprChildPredicates(Expr expr, Element ele, string pred)
    expr.(VariableAccess).getQualifier() = ele and pred = "getQualifier()"
    or
    exists(Field f |
-      expr.(ClassAggregateLiteral).getFieldExpr(f) = ele and
-      pred = "getFieldExpr(" + f.toString() + ")"
+      expr.(ClassAggregateLiteral).getAFieldExpr(f) = ele and
+      pred = "getAFieldExpr(" + f.toString() + ")"
    )
    or
    exists(int n |
-      expr.(ArrayOrVectorAggregateLiteral).getElementExpr(n) = ele and
-      pred = "getElementExpr(" + n.toString() + ")"
+      expr.(ArrayOrVectorAggregateLiteral).getAnElementExpr(n) = ele and
+      pred = "getAnElementExpr(" + n.toString() + ")"
    )
    or
    expr.(AlignofExprOperator).getExprOperand() = ele and pred = "getExprOperand()"
--- a/cpp/ql/lib/semmle/code/cpp/Variable.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Variable.qll
@@ -133,7 +133,7 @@ class Variable extends Declaration, @variable {
    or
    exists(AssignExpr ae | ae.getLValue().(Access).getTarget() = this and result = ae.getRValue())
    or
-    exists(ClassAggregateLiteral l | result = l.getFieldExpr(this))
+    exists(ClassAggregateLiteral l | result = l.getAFieldExpr(this))
  }

  /**
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlow.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlow.qll
@@ -2,7 +2,7 @@
 * Provides an implementation of global (interprocedural) data flow. This file
 * re-exports the local (intraprocedural) data flow analysis from
 * `DataFlowImplSpecific::Public` and adds a global analysis, mainly exposed
- * through the `Make` and `MakeWithState` modules.
+ * through the `Global` and `GlobalWithState` modules.
 */

 private import DataFlowImplCommon
@@ -73,10 +73,10 @@ signature module ConfigSig {
   */
  default FlowFeature getAFeature() { none() }

-  /** Holds if sources should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sources should be grouped in the result of `flowPath`. */
  default predicate sourceGrouping(Node source, string sourceGroup) { none() }

-  /** Holds if sinks should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sinks should be grouped in the result of `flowPath`. */
  default predicate sinkGrouping(Node sink, string sinkGroup) { none() }

  /**
@@ -166,10 +166,10 @@ signature module StateConfigSig {
   */
  default FlowFeature getAFeature() { none() }

-  /** Holds if sources should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sources should be grouped in the result of `flowPath`. */
  default predicate sourceGrouping(Node source, string sourceGroup) { none() }

-  /** Holds if sinks should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sinks should be grouped in the result of `flowPath`. */
  default predicate sinkGrouping(Node sink, string sinkGroup) { none() }

  /**
@@ -182,15 +182,15 @@ signature module StateConfigSig {
 }

 /**
- * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+ * Gets the exploration limit for `partialFlow` and `partialFlowRev`
 * measured in approximate number of interprocedural steps.
 */
 signature int explorationLimitSig();

 /**
- * The output of a data flow computation.
+ * The output of a global data flow computation.
 */
-signature module DataFlowSig {
+signature module GlobalFlowSig {
  /**
   * A `Node` augmented with a call context (except for sinks) and an access path.
   * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
@@ -203,28 +203,28 @@ signature module DataFlowSig {
   * The corresponding paths are generated from the end-points and the graph
   * included in the module `PathGraph`.
   */
-  predicate hasFlowPath(PathNode source, PathNode sink);
+  predicate flowPath(PathNode source, PathNode sink);

  /**
   * Holds if data can flow from `source` to `sink`.
   */
-  predicate hasFlow(Node source, Node sink);
+  predicate flow(Node source, Node sink);

  /**
   * Holds if data can flow from some source to `sink`.
   */
-  predicate hasFlowTo(Node sink);
+  predicate flowTo(Node sink);

  /**
   * Holds if data can flow from some source to `sink`.
   */
-  predicate hasFlowToExpr(DataFlowExpr sink);
+  predicate flowToExpr(DataFlowExpr sink);
 }

 /**
- * Constructs a standard data flow computation.
+ * Constructs a global data flow computation.
 */
-module Make<ConfigSig Config> implements DataFlowSig {
+module Global<ConfigSig Config> implements GlobalFlowSig {
  private module C implements FullStateConfigSig {
    import DefaultState<Config>
    import Config
@@ -233,10 +233,15 @@ module Make<ConfigSig Config> implements DataFlowSig {
  import Impl<C>
 }

+/** DEPRECATED: Use `Global` instead. */
+deprecated module Make<ConfigSig Config> implements GlobalFlowSig {
+  import Global<Config>
+}
+
 /**
- * Constructs a data flow computation using flow state.
+ * Constructs a global data flow computation using flow state.
 */
-module MakeWithState<StateConfigSig Config> implements DataFlowSig {
+module GlobalWithState<StateConfigSig Config> implements GlobalFlowSig {
  private module C implements FullStateConfigSig {
    import Config
  }
@@ -244,6 +249,11 @@ module MakeWithState<StateConfigSig Config> implements DataFlowSig {
  import Impl<C>
 }

+/** DEPRECATED: Use `GlobalWithState` instead. */
+deprecated module MakeWithState<StateConfigSig Config> implements GlobalFlowSig {
+  import GlobalWithState<Config>
+}
+
 signature class PathNodeSig {
  /** Gets a textual representation of this element. */
  string toString();
@@ -351,3 +361,52 @@ module MergePathGraph<
    }
  }
 }
+
+/**
+ * Constructs a `PathGraph` from three `PathGraph`s by disjoint union.
+ */
+module MergePathGraph3<
+  PathNodeSig PathNode1, PathNodeSig PathNode2, PathNodeSig PathNode3,
+  PathGraphSig<PathNode1> Graph1, PathGraphSig<PathNode2> Graph2, PathGraphSig<PathNode3> Graph3>
+{
+  private module MergedInner = MergePathGraph<PathNode1, PathNode2, Graph1, Graph2>;
+
+  private module Merged =
+    MergePathGraph<MergedInner::PathNode, PathNode3, MergedInner::PathGraph, Graph3>;
+
+  /** A node in a graph of path explanations that is formed by disjoint union of the three given graphs. */
+  class PathNode instanceof Merged::PathNode {
+    /** Gets this as a projection on the first given `PathGraph`. */
+    PathNode1 asPathNode1() { result = super.asPathNode1().asPathNode1() }
+
+    /** Gets this as a projection on the second given `PathGraph`. */
+    PathNode2 asPathNode2() { result = super.asPathNode1().asPathNode2() }
+
+    /** Gets this as a projection on the third given `PathGraph`. */
+    PathNode3 asPathNode3() { result = super.asPathNode2() }
+
+    /** Gets a textual representation of this element. */
+    string toString() { result = super.toString() }
+
+    /**
+     * Holds if this element is at the specified location.
+     * The location spans column `startcolumn` of line `startline` to
+     * column `endcolumn` of line `endline` in file `filepath`.
+     * For more information, see
+     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+     */
+    predicate hasLocationInfo(
+      string filepath, int startline, int startcolumn, int endline, int endcolumn
+    ) {
+      super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+    }
+
+    /** Gets the underlying `Node`. */
+    Node getNode() { result = super.getNode() }
+  }
+
+  /**
+   * Provides the query predicates needed to include a graph in a path-problem query.
+   */
+  module PathGraph = Merged::PathGraph;
+}
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowDispatch.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowDispatch.qll
@@ -79,3 +79,13 @@ class ArgumentPosition extends int {
 /** Holds if arguments at position `apos` match parameters at position `ppos`. */
 pragma[inline]
 predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos }
+
+/**
+ * Holds if flow from `call`'s argument `arg` to parameter `p` is permissible.
+ *
+ * This is a temporary hook to support technical debt in the Go language; do not use.
+ */
+pragma[inline]
+predicate golangSpecificParamArgFilter(DataFlowCall call, ParameterNode p, ArgumentNode arg) {
+  any()
+}
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
@@ -8,6 +8,7 @@ private import DataFlowImplCommon
 private import DataFlowImplSpecific::Private
 private import DataFlowImplSpecific::Public
 private import DataFlowImplCommonPublic
+private import codeql.util.Unit
 import DataFlow

 /**
@@ -91,10 +92,10 @@ signature module FullStateConfigSig {
   */
  FlowFeature getAFeature();

-  /** Holds if sources should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sources should be grouped in the result of `flowPath`. */
  predicate sourceGrouping(Node source, string sourceGroup);

-  /** Holds if sinks should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sinks should be grouped in the result of `flowPath`. */
  predicate sinkGrouping(Node sink, string sinkGroup);

  /**
@@ -418,6 +419,10 @@ module Impl<FullStateConfigSig Config> {
    )
  }

+  private predicate sourceCallCtx(CallContext cc) {
+    if hasSourceCallCtx() then cc instanceof CallContextSomeCall else cc instanceof CallContextAny
+  }
+
  private predicate hasSinkCallCtx() {
    exists(FlowFeature feature | feature = Config::getAFeature() |
      feature instanceof FeatureHasSinkCallContext or
@@ -441,11 +446,7 @@ module Impl<FullStateConfigSig Config> {
  }

  private module Stage1 implements StageSig {
-    class Ap extends int {
-      // workaround for bad functionality-induced joins (happens when using `Unit`)
-      pragma[nomagic]
-      Ap() { this in [0 .. 1] and this < 1 }
-    }
+    class Ap = Unit;

    private class Cc = boolean;

@@ -1141,19 +1142,13 @@ module Impl<FullStateConfigSig Config> {
      import Param

      /* Begin: Stage logic. */
-      // use an alias as a workaround for bad functionality-induced joins
-      pragma[nomagic]
-      private predicate revFlowApAlias(NodeEx node, ApApprox apa) {
-        PrevStage::revFlowAp(node, apa)
-      }
-
      pragma[nomagic]
      private predicate flowIntoCallApa(
        DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, ApApprox apa
      ) {
        flowIntoCall(call, arg, p, allowsFieldFlow) and
        PrevStage::revFlowAp(p, pragma[only_bind_into](apa)) and
-        revFlowApAlias(arg, pragma[only_bind_into](apa))
+        PrevStage::revFlowAp(arg, pragma[only_bind_into](apa))
      }

      pragma[nomagic]
@@ -1163,7 +1158,7 @@ module Impl<FullStateConfigSig Config> {
      ) {
        flowOutOfCall(call, ret, kind, out, allowsFieldFlow) and
        PrevStage::revFlowAp(out, pragma[only_bind_into](apa)) and
-        revFlowApAlias(ret, pragma[only_bind_into](apa))
+        PrevStage::revFlowAp(ret, pragma[only_bind_into](apa))
      }

      pragma[nomagic]
@@ -1691,16 +1686,6 @@ module Impl<FullStateConfigSig Config> {
      pragma[nomagic]
      predicate revFlowAp(NodeEx node, Ap ap) { revFlow(node, _, _, _, ap) }

-      // use an alias as a workaround for bad functionality-induced joins
-      pragma[nomagic]
-      additional predicate revFlowAlias(NodeEx node) { revFlow(node, _, _, _, _) }
-
-      // use an alias as a workaround for bad functionality-induced joins
-      pragma[nomagic]
-      additional predicate revFlowAlias(NodeEx node, FlowState state, Ap ap) {
-        revFlow(node, state, ap)
-      }
-
      private predicate fwdConsCand(TypedContent tc, Ap ap) { storeStepFwd(_, ap, tc, _, _) }

      private predicate revConsCand(TypedContent tc, Ap ap) { storeStepCand(_, ap, tc, _, _) }
@@ -1974,7 +1959,7 @@ module Impl<FullStateConfigSig Config> {
  ) {
    flowOutOfCallNodeCand1(call, node1, kind, node2, allowsFieldFlow) and
    Stage2::revFlow(node2) and
-    Stage2::revFlowAlias(node1)
+    Stage2::revFlow(node1)
  }

  pragma[nomagic]
@@ -1983,7 +1968,7 @@ module Impl<FullStateConfigSig Config> {
  ) {
    flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow) and
    Stage2::revFlow(node2) and
-    Stage2::revFlowAlias(node1)
+    Stage2::revFlow(node1)
  }

  private module LocalFlowBigStep {
@@ -2065,11 +2050,11 @@ module Impl<FullStateConfigSig Config> {
      additionalLocalFlowStepNodeCand1(node1, node2) and
      state1 = state2 and
      Stage2::revFlow(node1, pragma[only_bind_into](state1), false) and
-      Stage2::revFlowAlias(node2, pragma[only_bind_into](state2), false)
+      Stage2::revFlow(node2, pragma[only_bind_into](state2), false)
      or
      additionalLocalStateStep(node1, state1, node2, state2) and
      Stage2::revFlow(node1, state1, false) and
-      Stage2::revFlowAlias(node2, state2, false)
+      Stage2::revFlow(node2, state2, false)
    }

    /**
@@ -2262,7 +2247,7 @@ module Impl<FullStateConfigSig Config> {
    ) {
      localFlowBigStep(node1, state1, node2, state2, preservesValue, ap.getType(), _) and
      PrevStage::revFlow(node1, pragma[only_bind_into](state1), _) and
-      PrevStage::revFlowAlias(node2, pragma[only_bind_into](state2), _) and
+      PrevStage::revFlow(node2, pragma[only_bind_into](state2), _) and
      exists(lcc)
    }

@@ -2273,7 +2258,7 @@ module Impl<FullStateConfigSig Config> {
      exists(FlowState state |
        flowOutOfCallNodeCand2(call, node1, kind, node2, allowsFieldFlow) and
        PrevStage::revFlow(node2, pragma[only_bind_into](state), _) and
-        PrevStage::revFlowAlias(node1, pragma[only_bind_into](state), _)
+        PrevStage::revFlow(node1, pragma[only_bind_into](state), _)
      )
    }

@@ -2284,7 +2269,7 @@ module Impl<FullStateConfigSig Config> {
      exists(FlowState state |
        flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow) and
        PrevStage::revFlow(node2, pragma[only_bind_into](state), _) and
-        PrevStage::revFlowAlias(node1, pragma[only_bind_into](state), _)
+        PrevStage::revFlow(node1, pragma[only_bind_into](state), _)
      )
    }

@@ -2586,7 +2571,7 @@ module Impl<FullStateConfigSig Config> {
    ) {
      localFlowBigStep(node1, state1, node2, state2, preservesValue, ap.getType(), lcc) and
      PrevStage::revFlow(node1, pragma[only_bind_into](state1), _) and
-      PrevStage::revFlowAlias(node2, pragma[only_bind_into](state2), _)
+      PrevStage::revFlow(node2, pragma[only_bind_into](state2), _)
    }

    pragma[nomagic]
@@ -2596,7 +2581,7 @@ module Impl<FullStateConfigSig Config> {
      exists(FlowState state |
        flowOutOfCallNodeCand2(call, node1, kind, node2, allowsFieldFlow) and
        PrevStage::revFlow(node2, pragma[only_bind_into](state), _) and
-        PrevStage::revFlowAlias(node1, pragma[only_bind_into](state), _)
+        PrevStage::revFlow(node1, pragma[only_bind_into](state), _)
      )
    }

@@ -2607,7 +2592,7 @@ module Impl<FullStateConfigSig Config> {
      exists(FlowState state |
        flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow) and
        PrevStage::revFlow(node2, pragma[only_bind_into](state), _) and
-        PrevStage::revFlowAlias(node1, pragma[only_bind_into](state), _)
+        PrevStage::revFlow(node1, pragma[only_bind_into](state), _)
      )
    }

@@ -2804,11 +2789,7 @@ module Impl<FullStateConfigSig Config> {
      // A PathNode is introduced by a source ...
      Stage5::revFlow(node, state) and
      sourceNode(node, state) and
-      (
-        if hasSourceCallCtx()
-        then cc instanceof CallContextSomeCall
-        else cc instanceof CallContextAny
-      ) and
+      sourceCallCtx(cc) and
      sc instanceof SummaryCtxNone and
      ap = TAccessPathNil(node.getDataFlowType())
      or
@@ -3050,6 +3031,17 @@ module Impl<FullStateConfigSig Config> {
      this instanceof PathNodeSinkGroup
    }

+    private string ppType() {
+      this instanceof PathNodeSink and result = ""
+      or
+      this.(PathNodeMid).getAp() instanceof AccessPathNil and result = ""
+      or
+      exists(DataFlowType t | t = this.(PathNodeMid).getAp().getHead().getContainerType() |
+        // The `concat` becomes "" if `ppReprType` has no result.
+        result = concat(" : " + ppReprType(t))
+      )
+    }
+
    private string ppAp() {
      this instanceof PathNodeSink and result = ""
      or
@@ -3065,14 +3057,14 @@ module Impl<FullStateConfigSig Config> {
    }

    /** Gets a textual representation of this element. */
-    string toString() { result = this.getNodeEx().toString() + this.ppAp() }
+    string toString() { result = this.getNodeEx().toString() + this.ppType() + this.ppAp() }

    /**
     * Gets a textual representation of this element, including a textual
     * representation of the call context.
     */
    string toStringWithContext() {
-      result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx()
+      result = this.getNodeEx().toString() + this.ppType() + this.ppAp() + this.ppCtx()
    }

    /**
@@ -3214,11 +3206,7 @@ module Impl<FullStateConfigSig Config> {

    override predicate isSource() {
      sourceNode(node, state) and
-      (
-        if hasSourceCallCtx()
-        then cc instanceof CallContextSomeCall
-        else cc instanceof CallContextAny
-      ) and
+      sourceCallCtx(cc) and
      sc instanceof SummaryCtxNone and
      ap = TAccessPathNil(node.getDataFlowType())
    }
@@ -3653,7 +3641,7 @@ module Impl<FullStateConfigSig Config> {
   * The corresponding paths are generated from the end-points and the graph
   * included in the module `PathGraph`.
   */
-  predicate hasFlowPath(PathNode source, PathNode sink) {
+  predicate flowPath(PathNode source, PathNode sink) {
    exists(PathNodeImpl flowsource, PathNodeImpl flowsink |
      source = flowsource and sink = flowsink
    |
@@ -3663,6 +3651,9 @@ module Impl<FullStateConfigSig Config> {
    )
  }

+  /** DEPRECATED: Use `flowPath` instead. */
+  deprecated predicate hasFlowPath = flowPath/2;
+
  private predicate flowsTo(PathNodeImpl flowsource, PathNodeSink flowsink, Node source, Node sink) {
    flowsource.isSource() and
    flowsource.getNodeEx().asNode() = source and
@@ -3673,17 +3664,26 @@ module Impl<FullStateConfigSig Config> {
  /**
   * Holds if data can flow from `source` to `sink`.
   */
-  predicate hasFlow(Node source, Node sink) { flowsTo(_, _, source, sink) }
+  predicate flow(Node source, Node sink) { flowsTo(_, _, source, sink) }
+
+  /** DEPRECATED: Use `flow` instead. */
+  deprecated predicate hasFlow = flow/2;

  /**
   * Holds if data can flow from some source to `sink`.
   */
-  predicate hasFlowTo(Node sink) { sink = any(PathNodeSink n).getNodeEx().asNode() }
+  predicate flowTo(Node sink) { sink = any(PathNodeSink n).getNodeEx().asNode() }
+
+  /** DEPRECATED: Use `flowTo` instead. */
+  deprecated predicate hasFlowTo = flowTo/1;

  /**
   * Holds if data can flow from some source to `sink`.
   */
-  predicate hasFlowToExpr(DataFlowExpr sink) { hasFlowTo(exprNode(sink)) }
+  predicate flowToExpr(DataFlowExpr sink) { flowTo(exprNode(sink)) }
+
+  /** DEPRECATED: Use `flowToExpr` instead. */
+  deprecated predicate hasFlowToExpr = flowToExpr/1;

  private predicate finalStats(
    boolean fwd, int nodes, int fields, int conscand, int states, int tuples
@@ -4009,14 +4009,14 @@ module Impl<FullStateConfigSig Config> {
     */
    class PartialPathNode extends TPartialPathNode {
      /** Gets a textual representation of this element. */
-      string toString() { result = this.getNodeEx().toString() + this.ppAp() }
+      string toString() { result = this.getNodeEx().toString() + this.ppType() + this.ppAp() }

      /**
       * Gets a textual representation of this element, including a textual
       * representation of the call context.
       */
      string toStringWithContext() {
-        result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx()
+        result = this.getNodeEx().toString() + this.ppType() + this.ppAp() + this.ppCtx()
      }

      /**
@@ -4057,6 +4057,19 @@ module Impl<FullStateConfigSig Config> {
       */
      int getSinkDistance() { result = distSink(this.getNodeEx().getEnclosingCallable()) }

+      private string ppType() {
+        this instanceof PartialPathNodeRev and result = ""
+        or
+        this.(PartialPathNodeFwd).getAp() instanceof PartialAccessPathNil and result = ""
+        or
+        exists(DataFlowType t |
+          t = this.(PartialPathNodeFwd).getAp().(PartialAccessPathCons).getType()
+        |
+          // The `concat` becomes "" if `ppReprType` has no result.
+          result = concat(" : " + ppReprType(t))
+        )
+      }
+
      private string ppAp() {
        exists(string s |
          s = this.(PartialPathNodeFwd).getAp().toString() or
@@ -4594,7 +4607,7 @@ module Impl<FullStateConfigSig Config> {
     *
     * To use this in a `path-problem` query, import the module `PartialPathGraph`.
     */
-    predicate hasPartialFlow(PartialPathNode source, PartialPathNode node, int dist) {
+    predicate partialFlow(PartialPathNode source, PartialPathNode node, int dist) {
      partialFlow(source, node) and
      dist = node.getSourceDistance()
    }
@@ -4614,7 +4627,7 @@ module Impl<FullStateConfigSig Config> {
     * Note that reverse flow has slightly lower precision than the corresponding
     * forward flow, as reverse flow disregards type pruning among other features.
     */
-    predicate hasPartialFlowRev(PartialPathNode node, PartialPathNode sink, int dist) {
+    predicate partialFlowRev(PartialPathNode node, PartialPathNode sink, int dist) {
      revPartialFlow(node, sink) and
      dist = node.getSinkDistance()
    }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll
@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Make` and `MakeWithState` instead.
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
 *
 * Provides a `Configuration` class backwards-compatible interface to the data
 * flow library.
@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit

 /**
 * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }

 private import Impl<Config> as I
-import I

 /**
 * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
  final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }

+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
  exists(PathNode source0, PathNode sink0 |
    hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }

 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  hasFlowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }

 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Make` and `MakeWithState` instead.
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
 *
 * Provides a `Configuration` class backwards-compatible interface to the data
 * flow library.
@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit

 /**
 * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }

 private import Impl<Config> as I
-import I

 /**
 * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
  final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }

+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
  exists(PathNode source0, PathNode sink0 |
    hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }

 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  hasFlowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }

 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Make` and `MakeWithState` instead.
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
 *
 * Provides a `Configuration` class backwards-compatible interface to the data
 * flow library.
@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit

 /**
 * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }

 private import Impl<Config> as I
-import I

 /**
 * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
  final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }

+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
  exists(PathNode source0, PathNode sink0 |
    hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }

 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  hasFlowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }

 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Make` and `MakeWithState` instead.
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
 *
 * Provides a `Configuration` class backwards-compatible interface to the data
 * flow library.
@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit

 /**
 * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }

 private import Impl<Config> as I
-import I

 /**
 * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
  final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }

+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
  exists(PathNode source0, PathNode sink0 |
    hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }

 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  hasFlowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }

 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
@@ -140,10 +140,8 @@ private module LambdaFlow {
  }

  pragma[nomagic]
-  private TReturnPositionSimple viableReturnPosLambda(
-    DataFlowCall call, DataFlowCallOption lastCall, ReturnKind kind
-  ) {
-    result = TReturnPositionSimple0(viableCallableLambda(call, lastCall), kind)
+  private TReturnPositionSimple viableReturnPosLambda(DataFlowCall call, ReturnKind kind) {
+    result = TReturnPositionSimple0(viableCallableLambda(call, _), kind)
  }

  private predicate viableReturnPosOutNonLambda(
@@ -155,11 +153,12 @@ private module LambdaFlow {
    )
  }

+  pragma[nomagic]
  private predicate viableReturnPosOutLambda(
-    DataFlowCall call, DataFlowCallOption lastCall, TReturnPositionSimple pos, OutNode out
+    DataFlowCall call, TReturnPositionSimple pos, OutNode out
  ) {
    exists(ReturnKind kind |
-      pos = viableReturnPosLambda(call, lastCall, kind) and
+      pos = viableReturnPosLambda(call, kind) and
      out = getAnOutNode(call, kind)
    )
  }
@@ -188,6 +187,7 @@ private module LambdaFlow {
    else any()
  }

+  pragma[assume_small_delta]
  pragma[nomagic]
  predicate revLambdaFlow0(
    DataFlowCall lambdaCall, LambdaCallKind kind, Node node, DataFlowType t, boolean toReturn,
@@ -274,6 +274,7 @@ private module LambdaFlow {
    )
  }

+  pragma[assume_small_delta]
  pragma[nomagic]
  predicate revLambdaFlowOut(
    DataFlowCall lambdaCall, LambdaCallKind kind, TReturnPositionSimple pos, DataFlowType t,
@@ -285,7 +286,7 @@ private module LambdaFlow {
      or
      // non-linear recursion
      revLambdaFlowOutLambdaCall(lambdaCall, kind, out, t, toJump, call, lastCall) and
-      viableReturnPosOutLambda(call, _, pos, out)
+      viableReturnPosOutLambda(call, pos, out)
    )
  }

@@ -424,7 +425,8 @@ private module Cached {
    exists(ParameterPosition ppos |
      viableParam(call, ppos, p) and
      argumentPositionMatch(call, arg, ppos) and
-      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p))
+      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p)) and
+      golangSpecificParamArgFilter(call, p, arg)
    )
  }

--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Make` and `MakeWithState` instead.
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
 *
 * Provides a `Configuration` class backwards-compatible interface to the data
 * flow library.
@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit

 /**
 * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }

 private import Impl<Config> as I
-import I

 /**
 * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
  final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }

+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
  exists(PathNode source0, PathNode sink0 |
    hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }

 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  hasFlowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }

 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll
@@ -3,6 +3,7 @@ private import DataFlowUtil
 private import DataFlowDispatch
 private import FlowVar
 private import DataFlowImplConsistency
+private import codeql.util.Unit

 /** Gets the callable in which this node occurs. */
 DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.getEnclosingCallable() }
@@ -158,7 +159,7 @@ predicate storeStep(Node node1, Content f, PostUpdateNode node2) {
    // `PostUpdateNode`, which means it must be an `ObjectInitializerNode`.
    node2.asExpr() = aggr and
    f.(FieldContent).getField() = field and
-    aggr.getFieldExpr(field) = node1.asExpr()
+    aggr.getAFieldExpr(field) = node1.asExpr()
  )
  or
  exists(FieldAccess fa |
@@ -264,15 +265,6 @@ int accessPathLimit() { result = 5 }
 */
 predicate forceHighPrecision(Content c) { none() }

-/** The unit type. */
-private newtype TUnit = TMkUnit()
-
-/** The trivial type with a single element. */
-class Unit extends TUnit {
-  /** Gets a textual representation of this element. */
-  string toString() { result = "unit" }
-}
-
 /** Holds if `n` should be hidden from path explanations. */
 predicate nodeIsHidden(Node n) { none() }

--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTracking.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTracking.qll
@@ -33,9 +33,9 @@ private module AddTaintDefaults<DataFlowInternal::FullStateConfigSig Config> imp
 }

 /**
- * Constructs a standard taint tracking computation.
+ * Constructs a global taint tracking computation.
 */
-module Make<DataFlow::ConfigSig Config> implements DataFlow::DataFlowSig {
+module Global<DataFlow::ConfigSig Config> implements DataFlow::GlobalFlowSig {
  private module Config0 implements DataFlowInternal::FullStateConfigSig {
    import DataFlowInternal::DefaultState<Config>
    import Config
@@ -48,10 +48,15 @@ module Make<DataFlow::ConfigSig Config> implements DataFlow::DataFlowSig {
  import DataFlowInternal::Impl<C>
 }

+/** DEPRECATED: Use `Global` instead. */
+deprecated module Make<DataFlow::ConfigSig Config> implements DataFlow::GlobalFlowSig {
+  import Global<Config>
+}
+
 /**
- * Constructs a taint tracking computation using flow state.
+ * Constructs a global taint tracking computation using flow state.
 */
-module MakeWithState<DataFlow::StateConfigSig Config> implements DataFlow::DataFlowSig {
+module GlobalWithState<DataFlow::StateConfigSig Config> implements DataFlow::GlobalFlowSig {
  private module Config0 implements DataFlowInternal::FullStateConfigSig {
    import Config
  }
@@ -62,3 +67,8 @@ module MakeWithState<DataFlow::StateConfigSig Config> implements DataFlow::DataF

  import DataFlowInternal::Impl<C>
 }
+
+/** DEPRECATED: Use `GlobalWithState` instead. */
+deprecated module MakeWithState<DataFlow::StateConfigSig Config> implements DataFlow::GlobalFlowSig {
+  import GlobalWithState<Config>
+}
--- a/cpp/ql/lib/semmle/code/cpp/exprs/Lambda.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/Lambda.qll
@@ -147,7 +147,7 @@ class LambdaCapture extends Locatable, @lambdacapture {
   */
  Expr getInitializer() {
    exists(LambdaExpression lambda | this = lambda.getCapture(_) |
-      result = lambda.getInitializer().getFieldExpr(this.getField())
+      result = lambda.getInitializer().getAFieldExpr(this.getField())
    )
  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/exprs/Literal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/Literal.qll
@@ -187,12 +187,44 @@ class ClassAggregateLiteral extends AggregateLiteral {
  override string getAPrimaryQlClass() { result = "ClassAggregateLiteral" }

  /**
+   * Gets an expression within the aggregate literal that is used to initialize
+   * field `field`, if present.
+   *
+   * This predicate may have multiple results since a field can be initialized
+   * multiple times in the same initializer.
+   */
+  Expr getAFieldExpr(Field field) { result = this.getFieldExpr(field, _) }
+
+  /**
+   * DEPRECATED: Use `getAFieldExpr` instead.
+   *
   * Gets the expression within the aggregate literal that is used to initialize
   * field `field`, if present.
+   *
+   * This predicate may have multiple results since a field can be initialized
+   * multiple times in the same initializer.
   */
-  Expr getFieldExpr(Field field) {
+  deprecated Expr getFieldExpr(Field field) { result = this.getFieldExpr(field, _) }
+
+  /**
+   * Gets the expression within the aggregate literal that is used to initialize
+   * field `field`, if present. The expression is the `position`'th entry in the
+   * aggregate literal.
+   *
+   * For example, if `aggr` represents the initialization literal `{.x = 123, .y = 456 .x = 789}` in
+   * ```cpp
+   * struct Foo { int x; int y; };
+   * struct Foo foo = {.x = 123, .y = 456 .x = 789};
+   * ```
+   * then:
+   * - `aggr.getFieldExpr(x, 0)` gives `123`.
+   * - `aggr.getFieldExpr(y, 1)` gives `456`.
+   * - `aggr.getFieldExpr(x, 2)` gives `789`.
+   */
+  Expr getFieldExpr(Field field, int position) {
    field = classType.getAField() and
-    aggregate_field_init(underlyingElement(this), unresolveElement(result), unresolveElement(field))
+    aggregate_field_init(underlyingElement(this), unresolveElement(result), unresolveElement(field),
+      position)
  }

  /**
@@ -206,7 +238,7 @@ class ClassAggregateLiteral extends AggregateLiteral {
    (
      // If the field has an explicit initializer expression, then the field is
      // initialized.
-      exists(this.getFieldExpr(field))
+      exists(this.getAFieldExpr(field))
      or
      // If the type is not a union, all fields without initializers are value
      // initialized.
@@ -230,7 +262,7 @@ class ClassAggregateLiteral extends AggregateLiteral {
  pragma[inline]
  predicate isValueInitialized(Field field) {
    this.isInitialized(field) and
-    not exists(this.getFieldExpr(field))
+    not exists(this.getAFieldExpr(field))
  }
 }

@@ -260,11 +292,41 @@ class ArrayOrVectorAggregateLiteral extends AggregateLiteral {
  Type getElementType() { none() }

  /**
+   * Gets an expression within the aggregate literal that is used to initialize
+   * element `elementIndex`, if present.
+   *
+   * This predicate may have multiple results since an element can be initialized
+   * multiple times in the same initializer.
+   */
+  Expr getAnElementExpr(int elementIndex) { result = this.getElementExpr(elementIndex, _) }
+
+  /**
+   * DEPRECATED: Use `getAnElementExpr` instead.
+   *
   * Gets the expression within the aggregate literal that is used to initialize
   * element `elementIndex`, if present.
+   *
+   * This predicate may have multiple results since an element can be initialized
+   * multiple times in the same initializer.
   */
-  Expr getElementExpr(int elementIndex) {
-    aggregate_array_init(underlyingElement(this), unresolveElement(result), elementIndex)
+  deprecated Expr getElementExpr(int elementIndex) { result = this.getElementExpr(elementIndex, _) }
+
+  /**
+   * Gets the expression within the aggregate literal that is used to initialize
+   * element `elementIndex`, if present. The expression is the `position`'th entry
+   * in the aggregate literal.
+   *
+   * For example, if `a` represents the initialization literal `{[0] = 123, [1] = 456, [0] = 789 }` in
+   * ```cpp
+   * int x[2] = {[0] = 123, [1] = 456, [0] = 789 };
+   * ```
+   * then:
+   * - `a.getElementExpr(0, 0)` gives `123`.
+   * - `a.getElementExpr(1, 1)` gives `456`.
+   * - `a.getElementExpr(0, 2)` gives `789`.
+   */
+  Expr getElementExpr(int elementIndex, int position) {
+    aggregate_array_init(underlyingElement(this), unresolveElement(result), elementIndex, position)
  }

  /**
@@ -289,7 +351,7 @@ class ArrayOrVectorAggregateLiteral extends AggregateLiteral {
  bindingset[elementIndex]
  predicate isValueInitialized(int elementIndex) {
    this.isInitialized(elementIndex) and
-    not exists(this.getElementExpr(elementIndex))
+    not exists(this.getAnElementExpr(elementIndex))
  }
 }

--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlow.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlow.qll
@@ -2,7 +2,7 @@
 * Provides an implementation of global (interprocedural) data flow. This file
 * re-exports the local (intraprocedural) data flow analysis from
 * `DataFlowImplSpecific::Public` and adds a global analysis, mainly exposed
- * through the `Make` and `MakeWithState` modules.
+ * through the `Global` and `GlobalWithState` modules.
 */

 private import DataFlowImplCommon
@@ -73,10 +73,10 @@ signature module ConfigSig {
   */
  default FlowFeature getAFeature() { none() }

-  /** Holds if sources should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sources should be grouped in the result of `flowPath`. */
  default predicate sourceGrouping(Node source, string sourceGroup) { none() }

-  /** Holds if sinks should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sinks should be grouped in the result of `flowPath`. */
  default predicate sinkGrouping(Node sink, string sinkGroup) { none() }

  /**
@@ -166,10 +166,10 @@ signature module StateConfigSig {
   */
  default FlowFeature getAFeature() { none() }

-  /** Holds if sources should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sources should be grouped in the result of `flowPath`. */
  default predicate sourceGrouping(Node source, string sourceGroup) { none() }

-  /** Holds if sinks should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sinks should be grouped in the result of `flowPath`. */
  default predicate sinkGrouping(Node sink, string sinkGroup) { none() }

  /**
@@ -182,15 +182,15 @@ signature module StateConfigSig {
 }

 /**
- * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+ * Gets the exploration limit for `partialFlow` and `partialFlowRev`
 * measured in approximate number of interprocedural steps.
 */
 signature int explorationLimitSig();

 /**
- * The output of a data flow computation.
+ * The output of a global data flow computation.
 */
-signature module DataFlowSig {
+signature module GlobalFlowSig {
  /**
   * A `Node` augmented with a call context (except for sinks) and an access path.
   * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
@@ -203,28 +203,28 @@ signature module DataFlowSig {
   * The corresponding paths are generated from the end-points and the graph
   * included in the module `PathGraph`.
   */
-  predicate hasFlowPath(PathNode source, PathNode sink);
+  predicate flowPath(PathNode source, PathNode sink);

  /**
   * Holds if data can flow from `source` to `sink`.
   */
-  predicate hasFlow(Node source, Node sink);
+  predicate flow(Node source, Node sink);

  /**
   * Holds if data can flow from some source to `sink`.
   */
-  predicate hasFlowTo(Node sink);
+  predicate flowTo(Node sink);

  /**
   * Holds if data can flow from some source to `sink`.
   */
-  predicate hasFlowToExpr(DataFlowExpr sink);
+  predicate flowToExpr(DataFlowExpr sink);
 }

 /**
- * Constructs a standard data flow computation.
+ * Constructs a global data flow computation.
 */
-module Make<ConfigSig Config> implements DataFlowSig {
+module Global<ConfigSig Config> implements GlobalFlowSig {
  private module C implements FullStateConfigSig {
    import DefaultState<Config>
    import Config
@@ -233,10 +233,15 @@ module Make<ConfigSig Config> implements DataFlowSig {
  import Impl<C>
 }

+/** DEPRECATED: Use `Global` instead. */
+deprecated module Make<ConfigSig Config> implements GlobalFlowSig {
+  import Global<Config>
+}
+
 /**
- * Constructs a data flow computation using flow state.
+ * Constructs a global data flow computation using flow state.
 */
-module MakeWithState<StateConfigSig Config> implements DataFlowSig {
+module GlobalWithState<StateConfigSig Config> implements GlobalFlowSig {
  private module C implements FullStateConfigSig {
    import Config
  }
@@ -244,6 +249,11 @@ module MakeWithState<StateConfigSig Config> implements DataFlowSig {
  import Impl<C>
 }

+/** DEPRECATED: Use `GlobalWithState` instead. */
+deprecated module MakeWithState<StateConfigSig Config> implements GlobalFlowSig {
+  import GlobalWithState<Config>
+}
+
 signature class PathNodeSig {
  /** Gets a textual representation of this element. */
  string toString();
@@ -351,3 +361,52 @@ module MergePathGraph<
    }
  }
 }
+
+/**
+ * Constructs a `PathGraph` from three `PathGraph`s by disjoint union.
+ */
+module MergePathGraph3<
+  PathNodeSig PathNode1, PathNodeSig PathNode2, PathNodeSig PathNode3,
+  PathGraphSig<PathNode1> Graph1, PathGraphSig<PathNode2> Graph2, PathGraphSig<PathNode3> Graph3>
+{
+  private module MergedInner = MergePathGraph<PathNode1, PathNode2, Graph1, Graph2>;
+
+  private module Merged =
+    MergePathGraph<MergedInner::PathNode, PathNode3, MergedInner::PathGraph, Graph3>;
+
+  /** A node in a graph of path explanations that is formed by disjoint union of the three given graphs. */
+  class PathNode instanceof Merged::PathNode {
+    /** Gets this as a projection on the first given `PathGraph`. */
+    PathNode1 asPathNode1() { result = super.asPathNode1().asPathNode1() }
+
+    /** Gets this as a projection on the second given `PathGraph`. */
+    PathNode2 asPathNode2() { result = super.asPathNode1().asPathNode2() }
+
+    /** Gets this as a projection on the third given `PathGraph`. */
+    PathNode3 asPathNode3() { result = super.asPathNode2() }
+
+    /** Gets a textual representation of this element. */
+    string toString() { result = super.toString() }
+
+    /**
+     * Holds if this element is at the specified location.
+     * The location spans column `startcolumn` of line `startline` to
+     * column `endcolumn` of line `endline` in file `filepath`.
+     * For more information, see
+     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+     */
+    predicate hasLocationInfo(
+      string filepath, int startline, int startcolumn, int endline, int endcolumn
+    ) {
+      super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+    }
+
+    /** Gets the underlying `Node`. */
+    Node getNode() { result = super.getNode() }
+  }
+
+  /**
+   * Provides the query predicates needed to include a graph in a path-problem query.
+   */
+  module PathGraph = Merged::PathGraph;
+}
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
@@ -271,3 +271,13 @@ Function viableImplInCallContext(CallInstruction call, CallInstruction ctx) {
 /** Holds if arguments at position `apos` match parameters at position `ppos`. */
 pragma[inline]
 predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos }
+
+/**
+ * Holds if flow from `call`'s argument `arg` to parameter `p` is permissible.
+ *
+ * This is a temporary hook to support technical debt in the Go language; do not use.
+ */
+pragma[inline]
+predicate golangSpecificParamArgFilter(DataFlowCall call, ParameterNode p, ArgumentNode arg) {
+  any()
+}
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -8,6 +8,7 @@ private import DataFlowImplCommon
 private import DataFlowImplSpecific::Private
 private import DataFlowImplSpecific::Public
 private import DataFlowImplCommonPublic
+private import codeql.util.Unit
 import DataFlow

 /**
@@ -91,10 +92,10 @@ signature module FullStateConfigSig {
   */
  FlowFeature getAFeature();

-  /** Holds if sources should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sources should be grouped in the result of `flowPath`. */
  predicate sourceGrouping(Node source, string sourceGroup);

-  /** Holds if sinks should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sinks should be grouped in the result of `flowPath`. */
  predicate sinkGrouping(Node sink, string sinkGroup);

  /**
@@ -418,6 +419,10 @@ module Impl<FullStateConfigSig Config> {
    )
  }

+  private predicate sourceCallCtx(CallContext cc) {
+    if hasSourceCallCtx() then cc instanceof CallContextSomeCall else cc instanceof CallContextAny
+  }
+
  private predicate hasSinkCallCtx() {
    exists(FlowFeature feature | feature = Config::getAFeature() |
      feature instanceof FeatureHasSinkCallContext or
@@ -441,11 +446,7 @@ module Impl<FullStateConfigSig Config> {
  }

  private module Stage1 implements StageSig {
-    class Ap extends int {
-      // workaround for bad functionality-induced joins (happens when using `Unit`)
-      pragma[nomagic]
-      Ap() { this in [0 .. 1] and this < 1 }
-    }
+    class Ap = Unit;

    private class Cc = boolean;

@@ -1141,19 +1142,13 @@ module Impl<FullStateConfigSig Config> {
      import Param

      /* Begin: Stage logic. */
-      // use an alias as a workaround for bad functionality-induced joins
-      pragma[nomagic]
-      private predicate revFlowApAlias(NodeEx node, ApApprox apa) {
-        PrevStage::revFlowAp(node, apa)
-      }
-
      pragma[nomagic]
      private predicate flowIntoCallApa(
        DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, ApApprox apa
      ) {
        flowIntoCall(call, arg, p, allowsFieldFlow) and
        PrevStage::revFlowAp(p, pragma[only_bind_into](apa)) and
-        revFlowApAlias(arg, pragma[only_bind_into](apa))
+        PrevStage::revFlowAp(arg, pragma[only_bind_into](apa))
      }

      pragma[nomagic]
@@ -1163,7 +1158,7 @@ module Impl<FullStateConfigSig Config> {
      ) {
        flowOutOfCall(call, ret, kind, out, allowsFieldFlow) and
        PrevStage::revFlowAp(out, pragma[only_bind_into](apa)) and
-        revFlowApAlias(ret, pragma[only_bind_into](apa))
+        PrevStage::revFlowAp(ret, pragma[only_bind_into](apa))
      }

      pragma[nomagic]
@@ -1691,16 +1686,6 @@ module Impl<FullStateConfigSig Config> {
      pragma[nomagic]
      predicate revFlowAp(NodeEx node, Ap ap) { revFlow(node, _, _, _, ap) }

-      // use an alias as a workaround for bad functionality-induced joins
-      pragma[nomagic]
-      additional predicate revFlowAlias(NodeEx node) { revFlow(node, _, _, _, _) }
-
-      // use an alias as a workaround for bad functionality-induced joins
-      pragma[nomagic]
-      additional predicate revFlowAlias(NodeEx node, FlowState state, Ap ap) {
-        revFlow(node, state, ap)
-      }
-
      private predicate fwdConsCand(TypedContent tc, Ap ap) { storeStepFwd(_, ap, tc, _, _) }

      private predicate revConsCand(TypedContent tc, Ap ap) { storeStepCand(_, ap, tc, _, _) }
@@ -1974,7 +1959,7 @@ module Impl<FullStateConfigSig Config> {
  ) {
    flowOutOfCallNodeCand1(call, node1, kind, node2, allowsFieldFlow) and
    Stage2::revFlow(node2) and
-    Stage2::revFlowAlias(node1)
+    Stage2::revFlow(node1)
  }

  pragma[nomagic]
@@ -1983,7 +1968,7 @@ module Impl<FullStateConfigSig Config> {
  ) {
    flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow) and
    Stage2::revFlow(node2) and
-    Stage2::revFlowAlias(node1)
+    Stage2::revFlow(node1)
  }

  private module LocalFlowBigStep {
@@ -2065,11 +2050,11 @@ module Impl<FullStateConfigSig Config> {
      additionalLocalFlowStepNodeCand1(node1, node2) and
      state1 = state2 and
      Stage2::revFlow(node1, pragma[only_bind_into](state1), false) and
-      Stage2::revFlowAlias(node2, pragma[only_bind_into](state2), false)
+      Stage2::revFlow(node2, pragma[only_bind_into](state2), false)
      or
      additionalLocalStateStep(node1, state1, node2, state2) and
      Stage2::revFlow(node1, state1, false) and
-      Stage2::revFlowAlias(node2, state2, false)
+      Stage2::revFlow(node2, state2, false)
    }

    /**
@@ -2262,7 +2247,7 @@ module Impl<FullStateConfigSig Config> {
    ) {
      localFlowBigStep(node1, state1, node2, state2, preservesValue, ap.getType(), _) and
      PrevStage::revFlow(node1, pragma[only_bind_into](state1), _) and
-      PrevStage::revFlowAlias(node2, pragma[only_bind_into](state2), _) and
+      PrevStage::revFlow(node2, pragma[only_bind_into](state2), _) and
      exists(lcc)
    }

@@ -2273,7 +2258,7 @@ module Impl<FullStateConfigSig Config> {
      exists(FlowState state |
        flowOutOfCallNodeCand2(call, node1, kind, node2, allowsFieldFlow) and
        PrevStage::revFlow(node2, pragma[only_bind_into](state), _) and
-        PrevStage::revFlowAlias(node1, pragma[only_bind_into](state), _)
+        PrevStage::revFlow(node1, pragma[only_bind_into](state), _)
      )
    }

@@ -2284,7 +2269,7 @@ module Impl<FullStateConfigSig Config> {
      exists(FlowState state |
        flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow) and
        PrevStage::revFlow(node2, pragma[only_bind_into](state), _) and
-        PrevStage::revFlowAlias(node1, pragma[only_bind_into](state), _)
+        PrevStage::revFlow(node1, pragma[only_bind_into](state), _)
      )
    }

@@ -2586,7 +2571,7 @@ module Impl<FullStateConfigSig Config> {
    ) {
      localFlowBigStep(node1, state1, node2, state2, preservesValue, ap.getType(), lcc) and
      PrevStage::revFlow(node1, pragma[only_bind_into](state1), _) and
-      PrevStage::revFlowAlias(node2, pragma[only_bind_into](state2), _)
+      PrevStage::revFlow(node2, pragma[only_bind_into](state2), _)
    }

    pragma[nomagic]
@@ -2596,7 +2581,7 @@ module Impl<FullStateConfigSig Config> {
      exists(FlowState state |
        flowOutOfCallNodeCand2(call, node1, kind, node2, allowsFieldFlow) and
        PrevStage::revFlow(node2, pragma[only_bind_into](state), _) and
-        PrevStage::revFlowAlias(node1, pragma[only_bind_into](state), _)
+        PrevStage::revFlow(node1, pragma[only_bind_into](state), _)
      )
    }

@@ -2607,7 +2592,7 @@ module Impl<FullStateConfigSig Config> {
      exists(FlowState state |
        flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow) and
        PrevStage::revFlow(node2, pragma[only_bind_into](state), _) and
-        PrevStage::revFlowAlias(node1, pragma[only_bind_into](state), _)
+        PrevStage::revFlow(node1, pragma[only_bind_into](state), _)
      )
    }

@@ -2804,11 +2789,7 @@ module Impl<FullStateConfigSig Config> {
      // A PathNode is introduced by a source ...
      Stage5::revFlow(node, state) and
      sourceNode(node, state) and
-      (
-        if hasSourceCallCtx()
-        then cc instanceof CallContextSomeCall
-        else cc instanceof CallContextAny
-      ) and
+      sourceCallCtx(cc) and
      sc instanceof SummaryCtxNone and
      ap = TAccessPathNil(node.getDataFlowType())
      or
@@ -3050,6 +3031,17 @@ module Impl<FullStateConfigSig Config> {
      this instanceof PathNodeSinkGroup
    }

+    private string ppType() {
+      this instanceof PathNodeSink and result = ""
+      or
+      this.(PathNodeMid).getAp() instanceof AccessPathNil and result = ""
+      or
+      exists(DataFlowType t | t = this.(PathNodeMid).getAp().getHead().getContainerType() |
+        // The `concat` becomes "" if `ppReprType` has no result.
+        result = concat(" : " + ppReprType(t))
+      )
+    }
+
    private string ppAp() {
      this instanceof PathNodeSink and result = ""
      or
@@ -3065,14 +3057,14 @@ module Impl<FullStateConfigSig Config> {
    }

    /** Gets a textual representation of this element. */
-    string toString() { result = this.getNodeEx().toString() + this.ppAp() }
+    string toString() { result = this.getNodeEx().toString() + this.ppType() + this.ppAp() }

    /**
     * Gets a textual representation of this element, including a textual
     * representation of the call context.
     */
    string toStringWithContext() {
-      result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx()
+      result = this.getNodeEx().toString() + this.ppType() + this.ppAp() + this.ppCtx()
    }

    /**
@@ -3214,11 +3206,7 @@ module Impl<FullStateConfigSig Config> {

    override predicate isSource() {
      sourceNode(node, state) and
-      (
-        if hasSourceCallCtx()
-        then cc instanceof CallContextSomeCall
-        else cc instanceof CallContextAny
-      ) and
+      sourceCallCtx(cc) and
      sc instanceof SummaryCtxNone and
      ap = TAccessPathNil(node.getDataFlowType())
    }
@@ -3653,7 +3641,7 @@ module Impl<FullStateConfigSig Config> {
   * The corresponding paths are generated from the end-points and the graph
   * included in the module `PathGraph`.
   */
-  predicate hasFlowPath(PathNode source, PathNode sink) {
+  predicate flowPath(PathNode source, PathNode sink) {
    exists(PathNodeImpl flowsource, PathNodeImpl flowsink |
      source = flowsource and sink = flowsink
    |
@@ -3663,6 +3651,9 @@ module Impl<FullStateConfigSig Config> {
    )
  }

+  /** DEPRECATED: Use `flowPath` instead. */
+  deprecated predicate hasFlowPath = flowPath/2;
+
  private predicate flowsTo(PathNodeImpl flowsource, PathNodeSink flowsink, Node source, Node sink) {
    flowsource.isSource() and
    flowsource.getNodeEx().asNode() = source and
@@ -3673,17 +3664,26 @@ module Impl<FullStateConfigSig Config> {
  /**
   * Holds if data can flow from `source` to `sink`.
   */
-  predicate hasFlow(Node source, Node sink) { flowsTo(_, _, source, sink) }
+  predicate flow(Node source, Node sink) { flowsTo(_, _, source, sink) }
+
+  /** DEPRECATED: Use `flow` instead. */
+  deprecated predicate hasFlow = flow/2;

  /**
   * Holds if data can flow from some source to `sink`.
   */
-  predicate hasFlowTo(Node sink) { sink = any(PathNodeSink n).getNodeEx().asNode() }
+  predicate flowTo(Node sink) { sink = any(PathNodeSink n).getNodeEx().asNode() }
+
+  /** DEPRECATED: Use `flowTo` instead. */
+  deprecated predicate hasFlowTo = flowTo/1;

  /**
   * Holds if data can flow from some source to `sink`.
   */
-  predicate hasFlowToExpr(DataFlowExpr sink) { hasFlowTo(exprNode(sink)) }
+  predicate flowToExpr(DataFlowExpr sink) { flowTo(exprNode(sink)) }
+
+  /** DEPRECATED: Use `flowToExpr` instead. */
+  deprecated predicate hasFlowToExpr = flowToExpr/1;

  private predicate finalStats(
    boolean fwd, int nodes, int fields, int conscand, int states, int tuples
@@ -4009,14 +4009,14 @@ module Impl<FullStateConfigSig Config> {
     */
    class PartialPathNode extends TPartialPathNode {
      /** Gets a textual representation of this element. */
-      string toString() { result = this.getNodeEx().toString() + this.ppAp() }
+      string toString() { result = this.getNodeEx().toString() + this.ppType() + this.ppAp() }

      /**
       * Gets a textual representation of this element, including a textual
       * representation of the call context.
       */
      string toStringWithContext() {
-        result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx()
+        result = this.getNodeEx().toString() + this.ppType() + this.ppAp() + this.ppCtx()
      }

      /**
@@ -4057,6 +4057,19 @@ module Impl<FullStateConfigSig Config> {
       */
      int getSinkDistance() { result = distSink(this.getNodeEx().getEnclosingCallable()) }

+      private string ppType() {
+        this instanceof PartialPathNodeRev and result = ""
+        or
+        this.(PartialPathNodeFwd).getAp() instanceof PartialAccessPathNil and result = ""
+        or
+        exists(DataFlowType t |
+          t = this.(PartialPathNodeFwd).getAp().(PartialAccessPathCons).getType()
+        |
+          // The `concat` becomes "" if `ppReprType` has no result.
+          result = concat(" : " + ppReprType(t))
+        )
+      }
+
      private string ppAp() {
        exists(string s |
          s = this.(PartialPathNodeFwd).getAp().toString() or
@@ -4594,7 +4607,7 @@ module Impl<FullStateConfigSig Config> {
     *
     * To use this in a `path-problem` query, import the module `PartialPathGraph`.
     */
-    predicate hasPartialFlow(PartialPathNode source, PartialPathNode node, int dist) {
+    predicate partialFlow(PartialPathNode source, PartialPathNode node, int dist) {
      partialFlow(source, node) and
      dist = node.getSourceDistance()
    }
@@ -4614,7 +4627,7 @@ module Impl<FullStateConfigSig Config> {
     * Note that reverse flow has slightly lower precision than the corresponding
     * forward flow, as reverse flow disregards type pruning among other features.
     */
-    predicate hasPartialFlowRev(PartialPathNode node, PartialPathNode sink, int dist) {
+    predicate partialFlowRev(PartialPathNode node, PartialPathNode sink, int dist) {
      revPartialFlow(node, sink) and
      dist = node.getSinkDistance()
    }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll
@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Make` and `MakeWithState` instead.
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
 *
 * Provides a `Configuration` class backwards-compatible interface to the data
 * flow library.
@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit

 /**
 * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }

 private import Impl<Config> as I
-import I

 /**
 * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
  final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }

+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
  exists(PathNode source0, PathNode sink0 |
    hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }

 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  hasFlowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }

 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Make` and `MakeWithState` instead.
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
 *
 * Provides a `Configuration` class backwards-compatible interface to the data
 * flow library.
@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit

 /**
 * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }

 private import Impl<Config> as I
-import I

 /**
 * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
  final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }

+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
  exists(PathNode source0, PathNode sink0 |
    hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }

 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  hasFlowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }

 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Make` and `MakeWithState` instead.
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
 *
 * Provides a `Configuration` class backwards-compatible interface to the data
 * flow library.
@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit

 /**
 * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }

 private import Impl<Config> as I
-import I

 /**
 * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
  final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }

+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
  exists(PathNode source0, PathNode sink0 |
    hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }

 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  hasFlowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }

 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Make` and `MakeWithState` instead.
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
 *
 * Provides a `Configuration` class backwards-compatible interface to the data
 * flow library.
@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
 import FlowStateString
+private import codeql.util.Unit

 /**
 * A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
 }

 private import Impl<Config> as I
-import I

 /**
 * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
  final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }

+module PathGraph = I::PathGraph;
+
 private predicate hasFlow(Node source, Node sink, Configuration config) {
  exists(PathNode source0, PathNode sink0 |
    hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }

 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  hasFlowPath(source, sink) and source.getConfiguration() = config
+  I::flowPath(source, sink) and source.getConfiguration() = config
 }

 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
@@ -140,10 +140,8 @@ private module LambdaFlow {
  }

  pragma[nomagic]
-  private TReturnPositionSimple viableReturnPosLambda(
-    DataFlowCall call, DataFlowCallOption lastCall, ReturnKind kind
-  ) {
-    result = TReturnPositionSimple0(viableCallableLambda(call, lastCall), kind)
+  private TReturnPositionSimple viableReturnPosLambda(DataFlowCall call, ReturnKind kind) {
+    result = TReturnPositionSimple0(viableCallableLambda(call, _), kind)
  }

  private predicate viableReturnPosOutNonLambda(
@@ -155,11 +153,12 @@ private module LambdaFlow {
    )
  }

+  pragma[nomagic]
  private predicate viableReturnPosOutLambda(
-    DataFlowCall call, DataFlowCallOption lastCall, TReturnPositionSimple pos, OutNode out
+    DataFlowCall call, TReturnPositionSimple pos, OutNode out
  ) {
    exists(ReturnKind kind |
-      pos = viableReturnPosLambda(call, lastCall, kind) and
+      pos = viableReturnPosLambda(call, kind) and
      out = getAnOutNode(call, kind)
    )
  }
@@ -188,6 +187,7 @@ private module LambdaFlow {
    else any()
  }

+  pragma[assume_small_delta]
  pragma[nomagic]
  predicate revLambdaFlow0(
    DataFlowCall lambdaCall, LambdaCallKind kind, Node node, DataFlowType t, boolean toReturn,
@@ -274,6 +274,7 @@ private module LambdaFlow {
    )
  }

+  pragma[assume_small_delta]
  pragma[nomagic]
  predicate revLambdaFlowOut(
    DataFlowCall lambdaCall, LambdaCallKind kind, TReturnPositionSimple pos, DataFlowType t,
@@ -285,7 +286,7 @@ private module LambdaFlow {
      or
      // non-linear recursion
      revLambdaFlowOutLambdaCall(lambdaCall, kind, out, t, toJump, call, lastCall) and
-      viableReturnPosOutLambda(call, _, pos, out)
+      viableReturnPosOutLambda(call, pos, out)
    )
  }

@@ -424,7 +425,8 @@ private module Cached {
    exists(ParameterPosition ppos |
      viableParam(call, ppos, p) and
      argumentPositionMatch(call, arg, ppos) and
-      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p))
+      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p)) and
+      golangSpecificParamArgFilter(call, p, arg)
    )
  }

--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -6,6 +6,7 @@ private import DataFlowImplConsistency
 private import semmle.code.cpp.ir.internal.IRCppLanguage
 private import SsaInternals as Ssa
 private import DataFlowImplCommon as DataFlowImplCommon
+private import codeql.util.Unit

 cached
 private module Cached {
@@ -799,15 +800,6 @@ int accessPathLimit() { result = 5 }
 */
 predicate forceHighPrecision(Content c) { none() }

-/** The unit type. */
-private newtype TUnit = TMkUnit()
-
-/** The trivial type with a single element. */
-class Unit extends TUnit {
-  /** Gets a textual representation of this element. */
-  string toString() { result = "unit" }
-}
-
 /** Holds if `n` should be hidden from path explanations. */
 predicate nodeIsHidden(Node n) {
  n instanceof OperandNode and
@@ -905,23 +897,6 @@ private class MyConsistencyConfiguration extends Consistency::ConsistencyConfigu
  }
 }

-/**
- * Gets the basic block of `node`.
- */
-IRBlock getBasicBlock(Node node) {
-  node.asInstruction().getBlock() = result
-  or
-  node.asOperand().getUse().getBlock() = result
-  or
-  node.(SsaPhiNode).getPhiNode().getBasicBlock() = result
-  or
-  node.(RawIndirectOperand).getOperand().getUse().getBlock() = result
-  or
-  node.(RawIndirectInstruction).getInstruction().getBlock() = result
-  or
-  result = getBasicBlock(node.(PostUpdateNode).getPreUpdateNode())
-}
-
 /**
 * A local flow relation that includes both local steps, read steps and
 * argument-to-return flow through summarized functions.
@@ -1007,7 +982,8 @@ private int countNumberOfBranchesUsingParameter(SwitchInstruction switch, Parame
    // we pick the one with the highest edge count.
    result =
      max(SsaPhiNode phi |
-        switch.getSuccessor(caseOrDefaultEdge()).getBlock().dominanceFrontier() = getBasicBlock(phi) and
+        switch.getSuccessor(caseOrDefaultEdge()).getBlock().dominanceFrontier() =
+          phi.getBasicBlock() and
        phi.getSourceVariable() = sv
      |
        strictcount(phi.getAnInput())
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -160,6 +160,28 @@ class Node extends TIRDataFlowNode {
  /** Gets the operands corresponding to this node, if any. */
  Operand asOperand() { result = this.(OperandNode).getOperand() }

+  /**
+   * Holds if this node is at index `i` in basic block `block`.
+   *
+   * Note: Phi nodes are considered to be at index `-1`.
+   */
+  final predicate hasIndexInBlock(IRBlock block, int i) {
+    this.asInstruction() = block.getInstruction(i)
+    or
+    this.asOperand().getUse() = block.getInstruction(i)
+    or
+    this.(SsaPhiNode).getPhiNode().getBasicBlock() = block and i = -1
+    or
+    this.(RawIndirectOperand).getOperand().getUse() = block.getInstruction(i)
+    or
+    this.(RawIndirectInstruction).getInstruction() = block.getInstruction(i)
+    or
+    this.(PostUpdateNode).getPreUpdateNode().hasIndexInBlock(block, i)
+  }
+
+  /** Gets the basic block of this node, if any. */
+  final IRBlock getBasicBlock() { this.hasIndexInBlock(result, _) }
+
  /**
   * Gets the non-conversion expression corresponding to this node, if any.
   * This predicate only has a result on nodes that represent the value of
@@ -530,7 +552,7 @@ class SsaPhiNode extends Node, TSsaPhiNode {
   */
  final Node getAnInput(boolean fromBackEdge) {
    localFlowStep(result, this) and
-    if phi.getBasicBlock().dominates(getBasicBlock(result))
+    if phi.getBasicBlock().dominates(result.getBasicBlock())
    then fromBackEdge = true
    else fromBackEdge = false
  }
@@ -1887,7 +1909,7 @@ module BarrierGuard<guardChecksSig/3 guardChecks> {
      e = value.getAnInstruction().getConvertedResultExpression() and
      result.getConvertedExpr() = e and
      guardChecks(g, value.getAnInstruction().getConvertedResultExpression(), edge) and
-      g.controls(getBasicBlock(result), edge)
+      g.controls(result.getBasicBlock(), edge)
    )
  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DefaultTaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DefaultTaintTrackingImpl.qll
@@ -9,7 +9,6 @@ import cpp
 import semmle.code.cpp.security.Security
 private import semmle.code.cpp.ir.dataflow.DataFlow
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
-private import semmle.code.cpp.ir.dataflow.DataFlow3
 private import semmle.code.cpp.ir.IR
 private import semmle.code.cpp.ir.dataflow.ResolveCall
 private import semmle.code.cpp.controlflow.IRGuards
@@ -90,65 +89,64 @@ private predicate conflatePointerAndPointee(DataFlow::Node nodeFrom, DataFlow::N
  )
 }

-private class DefaultTaintTrackingCfg extends TaintTracking::Configuration {
-  DefaultTaintTrackingCfg() { this = "DefaultTaintTrackingCfg" }
+private module DefaultTaintTrackingConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source = getNodeForSource(_) }

-  override predicate isSource(DataFlow::Node source) { source = getNodeForSource(_) }
+  predicate isSink(DataFlow::Node sink) { exists(adjustedSink(sink)) }

-  override predicate isSink(DataFlow::Node sink) { exists(adjustedSink(sink)) }
+  predicate isBarrier(DataFlow::Node node) { nodeIsBarrier(node) }

-  override predicate isSanitizer(DataFlow::Node node) { nodeIsBarrier(node) }
+  predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) }

-  override predicate isSanitizerIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
    conflatePointerAndPointee(nodeFrom, nodeTo)
  }
 }

-private class ToGlobalVarTaintTrackingCfg extends TaintTracking::Configuration {
-  ToGlobalVarTaintTrackingCfg() { this = "GlobalVarTaintTrackingCfg" }
+private module DefaultTaintTrackingFlow = TaintTracking::Global<DefaultTaintTrackingConfig>;

-  override predicate isSource(DataFlow::Node source) { source = getNodeForSource(_) }
+private module ToGlobalVarTaintTrackingConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source = getNodeForSource(_) }

-  override predicate isSink(DataFlow::Node sink) {
-    sink.asVariable() instanceof GlobalOrNamespaceVariable
-  }
+  predicate isSink(DataFlow::Node sink) { sink.asVariable() instanceof GlobalOrNamespaceVariable }

-  override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
+  predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
    writesVariable(n1.asInstruction(), n2.asVariable().(GlobalOrNamespaceVariable))
    or
    readsVariable(n2.asInstruction(), n1.asVariable().(GlobalOrNamespaceVariable))
  }

-  override predicate isSanitizer(DataFlow::Node node) { nodeIsBarrier(node) }
+  predicate isBarrier(DataFlow::Node node) { nodeIsBarrier(node) }

-  override predicate isSanitizerIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
+  predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
 }

-private class FromGlobalVarTaintTrackingCfg extends TaintTracking2::Configuration {
-  FromGlobalVarTaintTrackingCfg() { this = "FromGlobalVarTaintTrackingCfg" }
+private module ToGlobalVarTaintTrackingFlow = TaintTracking::Global<ToGlobalVarTaintTrackingConfig>;

-  override predicate isSource(DataFlow::Node source) {
+private module FromGlobalVarTaintTrackingConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
    // This set of sources should be reasonably small, which is good for
    // performance since the set of sinks is very large.
-    exists(ToGlobalVarTaintTrackingCfg otherCfg | otherCfg.hasFlowTo(source))
+    ToGlobalVarTaintTrackingFlow::flowTo(source)
  }

-  override predicate isSink(DataFlow::Node sink) { exists(adjustedSink(sink)) }
+  predicate isSink(DataFlow::Node sink) { exists(adjustedSink(sink)) }

-  override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
+  predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
    // Additional step for flow out of variables. There is no flow _into_
    // variables in this configuration, so this step only serves to take flow
    // out of a variable that's a source.
    readsVariable(n2.asInstruction(), n1.asVariable())
  }

-  override predicate isSanitizer(DataFlow::Node node) { nodeIsBarrier(node) }
+  predicate isBarrier(DataFlow::Node node) { nodeIsBarrier(node) }

-  override predicate isSanitizerIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
+  predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
 }

+private module FromGlobalVarTaintTrackingFlow =
+  TaintTracking::Global<FromGlobalVarTaintTrackingConfig>;
+
 private predicate readsVariable(LoadInstruction load, Variable var) {
  load.getSourceAddress().(VariableAddressInstruction).getAstVariable() = var
 }
@@ -332,8 +330,8 @@ private import Cached
 */
 cached
 predicate tainted(Expr source, Element tainted) {
-  exists(DefaultTaintTrackingCfg cfg, DataFlow::Node sink |
-    cfg.hasFlow(getNodeForSource(source), sink) and
+  exists(DataFlow::Node sink |
+    DefaultTaintTrackingFlow::flow(getNodeForSource(source), sink) and
    tainted = adjustedSink(sink)
  )
 }
@@ -359,12 +357,11 @@ predicate taintedIncludingGlobalVars(Expr source, Element tainted, string global
  globalVar = ""
  or
  exists(
-    ToGlobalVarTaintTrackingCfg toCfg, FromGlobalVarTaintTrackingCfg fromCfg,
    DataFlow::VariableNode variableNode, GlobalOrNamespaceVariable global, DataFlow::Node sink
  |
    global = variableNode.getVariable() and
-    toCfg.hasFlow(getNodeForSource(source), variableNode) and
-    fromCfg.hasFlow(variableNode, sink) and
+    ToGlobalVarTaintTrackingFlow::flow(getNodeForSource(source), variableNode) and
+    FromGlobalVarTaintTrackingFlow::flow(variableNode, sink) and
    tainted = adjustedSink(sink) and
    global = globalVarFromId(globalVar)
  )
@@ -422,20 +419,18 @@ module TaintedWithPath {
    string toString() { result = "TaintTrackingConfiguration" }
  }

-  private class AdjustedConfiguration extends TaintTracking3::Configuration {
-    AdjustedConfiguration() { this = "AdjustedConfiguration" }
-
-    override predicate isSource(DataFlow::Node source) {
+  private module AdjustedConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) {
      exists(TaintTrackingConfiguration cfg, Expr e |
        cfg.isSource(e) and source = getNodeForExpr(e)
      )
    }

-    override predicate isSink(DataFlow::Node sink) {
+    predicate isSink(DataFlow::Node sink) {
      exists(TaintTrackingConfiguration cfg | cfg.isSink(adjustedSink(sink)))
    }

-    override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
+    predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
      conflatePointerAndPointee(n1, n2)
      or
      // Steps into and out of global variables
@@ -448,13 +443,15 @@ module TaintedWithPath {
      additionalTaintStep(n1, n2)
    }

-    override predicate isSanitizer(DataFlow::Node node) {
+    predicate isBarrier(DataFlow::Node node) {
      exists(TaintTrackingConfiguration cfg, Expr e | cfg.isBarrier(e) and node = getNodeForExpr(e))
    }

-    override predicate isSanitizerIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
+    predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
  }

+  private module AdjustedFlow = TaintTracking::Global<AdjustedConfig>;
+
  /*
   * A sink `Element` may map to multiple `DataFlowX::PathNode`s via (the
   * inverse of) `adjustedSink`. For example, an `Expr` maps to all its
@@ -470,12 +467,12 @@ module TaintedWithPath {
   */

  private newtype TPathNode =
-    TWrapPathNode(DataFlow3::PathNode n) or
+    TWrapPathNode(AdjustedFlow::PathNode n) or
    // There's a single newtype constructor for both sources and sinks since
    // that makes it easiest to deal with the case where source = sink.
    TEndpointPathNode(Element e) {
-      exists(AdjustedConfiguration cfg, DataFlow3::Node sourceNode, DataFlow3::Node sinkNode |
-        cfg.hasFlow(sourceNode, sinkNode)
+      exists(DataFlow::Node sourceNode, DataFlow::Node sinkNode |
+        AdjustedFlow::flow(sourceNode, sinkNode)
      |
        sourceNode = getNodeForExpr(e) and
        exists(TaintTrackingConfiguration ttCfg | ttCfg.isSource(e))
@@ -524,7 +521,7 @@ module TaintedWithPath {
  }

  private class WrapPathNode extends PathNode, TWrapPathNode {
-    DataFlow3::PathNode inner() { this = TWrapPathNode(result) }
+    AdjustedFlow::PathNode inner() { this = TWrapPathNode(result) }

    override string toString() { result = this.inner().toString() }

@@ -561,25 +558,25 @@ module TaintedWithPath {

  /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
  query predicate edges(PathNode a, PathNode b) {
-    DataFlow3::PathGraph::edges(a.(WrapPathNode).inner(), b.(WrapPathNode).inner())
+    AdjustedFlow::PathGraph::edges(a.(WrapPathNode).inner(), b.(WrapPathNode).inner())
    or
    // To avoid showing trivial-looking steps, we _replace_ the last node instead
    // of adding an edge out of it.
    exists(WrapPathNode sinkNode |
-      DataFlow3::PathGraph::edges(a.(WrapPathNode).inner(), sinkNode.inner()) and
+      AdjustedFlow::PathGraph::edges(a.(WrapPathNode).inner(), sinkNode.inner()) and
      b.(FinalPathNode).inner() = adjustedSink(sinkNode.inner().getNode())
    )
    or
    // Same for the first node
    exists(WrapPathNode sourceNode |
-      DataFlow3::PathGraph::edges(sourceNode.inner(), b.(WrapPathNode).inner()) and
+      AdjustedFlow::PathGraph::edges(sourceNode.inner(), b.(WrapPathNode).inner()) and
      sourceNode.inner().getNode() = getNodeForExpr(a.(InitialPathNode).inner())
    )
    or
    // Finally, handle the case where the path goes directly from a source to a
    // sink, meaning that they both need to be translated.
    exists(WrapPathNode sinkNode, WrapPathNode sourceNode |
-      DataFlow3::PathGraph::edges(sourceNode.inner(), sinkNode.inner()) and
+      AdjustedFlow::PathGraph::edges(sourceNode.inner(), sinkNode.inner()) and
      sourceNode.inner().getNode() = getNodeForExpr(a.(InitialPathNode).inner()) and
      b.(FinalPathNode).inner() = adjustedSink(sinkNode.inner().getNode())
    )
@@ -590,20 +587,20 @@ module TaintedWithPath {
   * from `par` to `ret` within it, in the graph of data flow path explanations.
   */
  query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-    DataFlow3::PathGraph::subpaths(arg.(WrapPathNode).inner(), par.(WrapPathNode).inner(),
+    AdjustedFlow::PathGraph::subpaths(arg.(WrapPathNode).inner(), par.(WrapPathNode).inner(),
      ret.(WrapPathNode).inner(), out.(WrapPathNode).inner())
    or
    // To avoid showing trivial-looking steps, we _replace_ the last node instead
    // of adding an edge out of it.
    exists(WrapPathNode sinkNode |
-      DataFlow3::PathGraph::subpaths(arg.(WrapPathNode).inner(), par.(WrapPathNode).inner(),
+      AdjustedFlow::PathGraph::subpaths(arg.(WrapPathNode).inner(), par.(WrapPathNode).inner(),
        ret.(WrapPathNode).inner(), sinkNode.inner()) and
      out.(FinalPathNode).inner() = adjustedSink(sinkNode.inner().getNode())
    )
    or
    // Same for the first node
    exists(WrapPathNode sourceNode |
-      DataFlow3::PathGraph::subpaths(sourceNode.inner(), par.(WrapPathNode).inner(),
+      AdjustedFlow::PathGraph::subpaths(sourceNode.inner(), par.(WrapPathNode).inner(),
        ret.(WrapPathNode).inner(), out.(WrapPathNode).inner()) and
      sourceNode.inner().getNode() = getNodeForExpr(arg.(InitialPathNode).inner())
    )
@@ -611,7 +608,7 @@ module TaintedWithPath {
    // Finally, handle the case where the path goes directly from a source to a
    // sink, meaning that they both need to be translated.
    exists(WrapPathNode sinkNode, WrapPathNode sourceNode |
-      DataFlow3::PathGraph::subpaths(sourceNode.inner(), par.(WrapPathNode).inner(),
+      AdjustedFlow::PathGraph::subpaths(sourceNode.inner(), par.(WrapPathNode).inner(),
        ret.(WrapPathNode).inner(), sinkNode.inner()) and
      sourceNode.inner().getNode() = getNodeForExpr(arg.(InitialPathNode).inner()) and
      out.(FinalPathNode).inner() = adjustedSink(sinkNode.inner().getNode())
@@ -634,10 +631,10 @@ module TaintedWithPath {
   * the computation.
   */
  predicate taintedWithPath(Expr source, Element tainted, PathNode sourceNode, PathNode sinkNode) {
-    exists(AdjustedConfiguration cfg, DataFlow3::Node flowSource, DataFlow3::Node flowSink |
+    exists(DataFlow::Node flowSource, DataFlow::Node flowSink |
      source = sourceNode.(InitialPathNode).inner() and
      flowSource = getNodeForExpr(source) and
-      cfg.hasFlow(flowSource, flowSink) and
+      AdjustedFlow::flow(flowSource, flowSink) and
      tainted = adjustedSink(flowSink) and
      tainted = sinkNode.(FinalPathNode).inner()
    )
@@ -660,8 +657,8 @@ module TaintedWithPath {
   * through a global variable.
   */
  predicate taintedWithoutGlobals(Element tainted) {
-    exists(AdjustedConfiguration cfg, PathNode sourceNode, FinalPathNode sinkNode |
-      cfg.isSource(sourceNode.(WrapPathNode).inner().getNode()) and
+    exists(PathNode sourceNode, FinalPathNode sinkNode |
+      AdjustedConfig::isSource(sourceNode.(WrapPathNode).inner().getNode()) and
      edgesWithoutGlobals+(sourceNode, sinkNode) and
      tainted = sinkNode.inner()
    )
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll
@@ -26,12 +26,17 @@ predicate ignoreOperand(Operand operand) {
 predicate ignoreInstruction(Instruction instr) {
  DataFlowImplCommon::forceCachingInSameStage() and
  (
+    instr instanceof CallSideEffectInstruction or
+    instr instanceof CallReadSideEffectInstruction or
+    instr instanceof ExitFunctionInstruction or
+    instr instanceof EnterFunctionInstruction or
    instr instanceof WriteSideEffectInstruction or
    instr instanceof PhiInstruction or
    instr instanceof ReadSideEffectInstruction or
    instr instanceof ChiInstruction or
    instr instanceof InitializeIndirectionInstruction or
    instr instanceof AliasedDefinitionInstruction or
+    instr instanceof AliasedUseInstruction or
    instr instanceof InitializeNonLocalInstruction or
    instr instanceof ReturnIndirectionInstruction
  )
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTracking.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTracking.qll
@@ -33,9 +33,9 @@ private module AddTaintDefaults<DataFlowInternal::FullStateConfigSig Config> imp
 }

 /**
- * Constructs a standard taint tracking computation.
+ * Constructs a global taint tracking computation.
 */
-module Make<DataFlow::ConfigSig Config> implements DataFlow::DataFlowSig {
+module Global<DataFlow::ConfigSig Config> implements DataFlow::GlobalFlowSig {
  private module Config0 implements DataFlowInternal::FullStateConfigSig {
    import DataFlowInternal::DefaultState<Config>
    import Config
@@ -48,10 +48,15 @@ module Make<DataFlow::ConfigSig Config> implements DataFlow::DataFlowSig {
  import DataFlowInternal::Impl<C>
 }

+/** DEPRECATED: Use `Global` instead. */
+deprecated module Make<DataFlow::ConfigSig Config> implements DataFlow::GlobalFlowSig {
+  import Global<Config>
+}
+
 /**
- * Constructs a taint tracking computation using flow state.
+ * Constructs a global taint tracking computation using flow state.
 */
-module MakeWithState<DataFlow::StateConfigSig Config> implements DataFlow::DataFlowSig {
+module GlobalWithState<DataFlow::StateConfigSig Config> implements DataFlow::GlobalFlowSig {
  private module Config0 implements DataFlowInternal::FullStateConfigSig {
    import Config
  }
@@ -62,3 +67,8 @@ module MakeWithState<DataFlow::StateConfigSig Config> implements DataFlow::DataF

  import DataFlowInternal::Impl<C>
 }
+
+/** DEPRECATED: Use `GlobalWithState` instead. */
+deprecated module MakeWithState<DataFlow::StateConfigSig Config> implements DataFlow::GlobalFlowSig {
+  import GlobalWithState<Config>
+}
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRConsistency.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRConsistency.qll
@@ -1,6 +1,7 @@
 private import IR
 import InstructionConsistency // module is below
 import IRTypeConsistency // module is in IRType.qll
+import internal.IRConsistencyImports

 module InstructionConsistency {
  private import internal.InstructionImports as Imports
@@ -28,7 +29,7 @@ module InstructionConsistency {
    PresentIRFunction() { this = TPresentIRFunction(irFunc) }

    override string toString() {
-      result = concat(Language::getIdentityString(irFunc.getFunction()), "; ")
+      result = concat(LanguageDebug::getIdentityString(irFunc.getFunction()), "; ")
    }

    override Language::Location getLocation() {
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll
@@ -149,7 +149,9 @@ private class PrintableIRFunction extends PrintableIRNode, TPrintableIRFunction

  override Language::Location getLocation() { result = irFunc.getLocation() }

-  override string getLabel() { result = Language::getIdentityString(irFunc.getFunction()) }
+  override string getLabel() {
+    result = Imports::LanguageDebug::getIdentityString(irFunc.getFunction())
+  }

  override int getOrder() {
    this =
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingInternal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingInternal.qll
@@ -159,26 +159,56 @@ private predicate fieldAddressValueNumber(
  tvalueNumber(instr.getObjectAddress()) = objectAddress
 }

+pragma[nomagic]
+private predicate binaryValueNumber0(
+  BinaryInstruction instr, IRFunction irFunc, Opcode opcode, boolean isLeft,
+  TValueNumber valueNumber
+) {
+  not instr instanceof PointerArithmeticInstruction and
+  instr.getEnclosingIRFunction() = irFunc and
+  instr.getOpcode() = opcode and
+  (
+    isLeft = true and
+    tvalueNumber(instr.getLeft()) = valueNumber
+    or
+    isLeft = false and
+    tvalueNumber(instr.getRight()) = valueNumber
+  )
+}
+
+pragma[assume_small_delta]
 private predicate binaryValueNumber(
  BinaryInstruction instr, IRFunction irFunc, Opcode opcode, TValueNumber leftOperand,
  TValueNumber rightOperand
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
-  not instr instanceof PointerArithmeticInstruction and
-  instr.getOpcode() = opcode and
-  tvalueNumber(instr.getLeft()) = leftOperand and
-  tvalueNumber(instr.getRight()) = rightOperand
+  binaryValueNumber0(instr, irFunc, opcode, true, leftOperand) and
+  binaryValueNumber0(instr, irFunc, opcode, false, rightOperand)
 }

-private predicate pointerArithmeticValueNumber(
+pragma[nomagic]
+private predicate pointerArithmeticValueNumber0(
  PointerArithmeticInstruction instr, IRFunction irFunc, Opcode opcode, int elementSize,
-  TValueNumber leftOperand, TValueNumber rightOperand
+  boolean isLeft, TValueNumber valueNumber
 ) {
  instr.getEnclosingIRFunction() = irFunc and
  instr.getOpcode() = opcode and
  instr.getElementSize() = elementSize and
-  tvalueNumber(instr.getLeft()) = leftOperand and
-  tvalueNumber(instr.getRight()) = rightOperand
+  (
+    isLeft = true and
+    tvalueNumber(instr.getLeft()) = valueNumber
+    or
+    isLeft = false and
+    tvalueNumber(instr.getRight()) = valueNumber
+  )
+}
+
+pragma[assume_small_delta]
+private predicate pointerArithmeticValueNumber(
+  PointerArithmeticInstruction instr, IRFunction irFunc, Opcode opcode, int elementSize,
+  TValueNumber leftOperand, TValueNumber rightOperand
+) {
+  pointerArithmeticValueNumber0(instr, irFunc, opcode, elementSize, true, leftOperand) and
+  pointerArithmeticValueNumber0(instr, irFunc, opcode, elementSize, false, rightOperand)
 }

 private predicate unaryValueNumber(
@@ -203,14 +233,29 @@ private predicate inheritanceConversionValueNumber(
  unique( | | instr.getDerivedClass()) = derivedClass
 }

+pragma[nomagic]
+private predicate loadTotalOverlapValueNumber0(
+  LoadTotalOverlapInstruction instr, IRFunction irFunc, IRType type, TValueNumber valueNumber,
+  boolean isAddress
+) {
+  instr.getEnclosingIRFunction() = irFunc and
+  instr.getResultIRType() = type and
+  (
+    isAddress = true and
+    tvalueNumberOfOperand(instr.getSourceAddressOperand()) = valueNumber
+    or
+    isAddress = false and
+    tvalueNumber(instr.getSourceValueOperand().getAnyDef()) = valueNumber
+  )
+}
+
+pragma[assume_small_delta]
 private predicate loadTotalOverlapValueNumber(
  LoadTotalOverlapInstruction instr, IRFunction irFunc, IRType type, TValueNumber memOperand,
  TValueNumber operand
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
-  tvalueNumber(instr.getAnOperand().(MemoryOperand).getAnyDef()) = memOperand and
-  tvalueNumberOfOperand(instr.getAnOperand().(AddressOperand)) = operand and
-  instr.getResultIRType() = type
+  loadTotalOverlapValueNumber0(instr, irFunc, type, operand, true) and
+  loadTotalOverlapValueNumber0(instr, irFunc, type, memOperand, false)
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll
@@ -1,7 +1,7 @@
 import AliasAnalysis
+import semmle.code.cpp.Location
 import semmle.code.cpp.ir.internal.Overlap
 private import semmle.code.cpp.ir.internal.IRCppLanguage as Language
-private import semmle.code.cpp.Print
 private import semmle.code.cpp.ir.implementation.unaliased_ssa.IR
 private import semmle.code.cpp.ir.implementation.unaliased_ssa.internal.SSAConstruction as OldSsa
 private import semmle.code.cpp.ir.internal.IntegerConstant as Ints
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRConsistencyImports.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRConsistencyImports.qll
@@ -0,0 +1 @@
+import semmle.code.cpp.ir.internal.IRCppLanguageDebug as LanguageDebug
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintIRImports.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintIRImports.qll
@@ -1 +1,2 @@
 import semmle.code.cpp.ir.IRConfiguration as IRConfiguration
+import semmle.code.cpp.ir.internal.IRCppLanguageDebug as LanguageDebug
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.qll
@@ -1,2 +1,55 @@
-private import SSAConstruction as Ssa
-import Ssa::SsaConsistency
+import SsaConsistency
+import SSAConsistencyImports
+
+module SsaConsistency {
+  /**
+   * Holds if a `MemoryOperand` has more than one `MemoryLocation` assigned by alias analysis.
+   */
+  query predicate multipleOperandMemoryLocations(
+    OldIR::MemoryOperand operand, string message, OldIR::IRFunction func, string funcText
+  ) {
+    exists(int locationCount |
+      locationCount = strictcount(Alias::getOperandMemoryLocation(operand)) and
+      locationCount > 1 and
+      func = operand.getEnclosingIRFunction() and
+      funcText = LanguageDebug::getIdentityString(func.getFunction()) and
+      message =
+        operand.getUse().toString() + " " + "Operand has " + locationCount.toString() +
+          " memory accesses in function '$@': " +
+          strictconcat(Alias::getOperandMemoryLocation(operand).toString(), ", ")
+    )
+  }
+
+  /**
+   * Holds if a `MemoryLocation` does not have an associated `VirtualVariable`.
+   */
+  query predicate missingVirtualVariableForMemoryLocation(
+    Alias::MemoryLocation location, string message, OldIR::IRFunction func, string funcText
+  ) {
+    not exists(location.getVirtualVariable()) and
+    func = location.getIRFunction() and
+    funcText = LanguageDebug::getIdentityString(func.getFunction()) and
+    message = "Memory location has no virtual variable in function '$@'."
+  }
+
+  /**
+   * Holds if a `MemoryLocation` is a member of more than one `VirtualVariable`.
+   */
+  query predicate multipleVirtualVariablesForMemoryLocation(
+    Alias::MemoryLocation location, string message, OldIR::IRFunction func, string funcText
+  ) {
+    exists(int vvarCount |
+      vvarCount = strictcount(location.getVirtualVariable()) and
+      vvarCount > 1 and
+      func = location.getIRFunction() and
+      funcText = LanguageDebug::getIdentityString(func.getFunction()) and
+      message =
+        "Memory location has " + vvarCount.toString() + " virtual variables in function '$@': (" +
+          concat(Alias::VirtualVariable vvar |
+            vvar = location.getVirtualVariable()
+          |
+            vvar.toString(), ", "
+          ) + ")."
+    )
+  }
+}
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistencyImports.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistencyImports.qll
@@ -0,0 +1,3 @@
+import semmle.code.cpp.ir.implementation.raw.IR as OldIR
+import AliasedSSA as Alias
+import semmle.code.cpp.ir.internal.IRCppLanguageDebug as LanguageDebug
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
@@ -996,7 +996,7 @@ deprecated predicate canReuseSSAForMemoryResult = canReuseSsaForMemoryResult/1;

 /**
 * Expose some of the internal predicates to PrintSSA.qll. We do this by publicly importing those modules in the
- * `DebugSSA` module, which is then imported by PrintSSA.
+ * `DebugSsa` module, which is then imported by PrintSSA.
 */
 module DebugSsa {
  import PhiInsertion
@@ -1063,62 +1063,6 @@ private module CachedForDebugging {
  int maxValue() { result = 2147483647 }
 }

-module SsaConsistency {
-  /**
-   * Holds if a `MemoryOperand` has more than one `MemoryLocation` assigned by alias analysis.
-   */
-  query predicate multipleOperandMemoryLocations(
-    OldIR::MemoryOperand operand, string message, OldIR::IRFunction func, string funcText
-  ) {
-    exists(int locationCount |
-      locationCount = strictcount(Alias::getOperandMemoryLocation(operand)) and
-      locationCount > 1 and
-      func = operand.getEnclosingIRFunction() and
-      funcText = Language::getIdentityString(func.getFunction()) and
-      message =
-        operand.getUse().toString() + " " + "Operand has " + locationCount.toString() +
-          " memory accesses in function '$@': " +
-          strictconcat(Alias::getOperandMemoryLocation(operand).toString(), ", ")
-    )
-  }
-
-  /**
-   * Holds if a `MemoryLocation` does not have an associated `VirtualVariable`.
-   */
-  query predicate missingVirtualVariableForMemoryLocation(
-    Alias::MemoryLocation location, string message, OldIR::IRFunction func, string funcText
-  ) {
-    not exists(location.getVirtualVariable()) and
-    func = location.getIRFunction() and
-    funcText = Language::getIdentityString(func.getFunction()) and
-    message = "Memory location has no virtual variable in function '$@'."
-  }
-
-  /**
-   * Holds if a `MemoryLocation` is a member of more than one `VirtualVariable`.
-   */
-  query predicate multipleVirtualVariablesForMemoryLocation(
-    Alias::MemoryLocation location, string message, OldIR::IRFunction func, string funcText
-  ) {
-    exists(int vvarCount |
-      vvarCount = strictcount(location.getVirtualVariable()) and
-      vvarCount > 1 and
-      func = location.getIRFunction() and
-      funcText = Language::getIdentityString(func.getFunction()) and
-      message =
-        "Memory location has " + vvarCount.toString() + " virtual variables in function '$@': (" +
-          concat(Alias::VirtualVariable vvar |
-            vvar = location.getVirtualVariable()
-          |
-            vvar.toString(), ", "
-          ) + ")."
-    )
-  }
-}
-
-/** DEPRECATED: Alias for SsaConsistency */
-deprecated module SSAConsistency = SsaConsistency;
-
 /**
 * Provides the portion of the parameterized IR interface that is used to construct the SSA stages
 * of the IR. The raw stage of the IR does not expose these predicates.
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/IRFunctionBase.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/IRFunctionBase.qll
@@ -6,7 +6,7 @@ private import IRFunctionBaseInternal

 private newtype TIRFunction =
  TFunctionIRFunction(Language::Function func) { IRConstruction::Raw::functionHasIR(func) } or
-  TVarInitIRFunction(Language::GlobalVariable var) { IRConstruction::Raw::varHasIRFunc(var) }
+  TVarInitIRFunction(Language::Variable var) { IRConstruction::Raw::varHasIRFunc(var) }

 /**
 * The IR for a function. This base class contains only the predicates that are the same between all
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRConsistency.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRConsistency.qll
@@ -1,6 +1,7 @@
 private import IR
 import InstructionConsistency // module is below
 import IRTypeConsistency // module is in IRType.qll
+import internal.IRConsistencyImports

 module InstructionConsistency {
  private import internal.InstructionImports as Imports
@@ -28,7 +29,7 @@ module InstructionConsistency {
    PresentIRFunction() { this = TPresentIRFunction(irFunc) }

    override string toString() {
-      result = concat(Language::getIdentityString(irFunc.getFunction()), "; ")
+      result = concat(LanguageDebug::getIdentityString(irFunc.getFunction()), "; ")
    }

    override Language::Location getLocation() {
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/PrintIR.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/PrintIR.qll
@@ -149,7 +149,9 @@ private class PrintableIRFunction extends PrintableIRNode, TPrintableIRFunction

  override Language::Location getLocation() { result = irFunc.getLocation() }

-  override string getLabel() { result = Language::getIdentityString(irFunc.getFunction()) }
+  override string getLabel() {
+    result = Imports::LanguageDebug::getIdentityString(irFunc.getFunction())
+  }

  override int getOrder() {
    this =
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll
@@ -159,26 +159,56 @@ private predicate fieldAddressValueNumber(
  tvalueNumber(instr.getObjectAddress()) = objectAddress
 }

+pragma[nomagic]
+private predicate binaryValueNumber0(
+  BinaryInstruction instr, IRFunction irFunc, Opcode opcode, boolean isLeft,
+  TValueNumber valueNumber
+) {
+  not instr instanceof PointerArithmeticInstruction and
+  instr.getEnclosingIRFunction() = irFunc and
+  instr.getOpcode() = opcode and
+  (
+    isLeft = true and
+    tvalueNumber(instr.getLeft()) = valueNumber
+    or
+    isLeft = false and
+    tvalueNumber(instr.getRight()) = valueNumber
+  )
+}
+
+pragma[assume_small_delta]
 private predicate binaryValueNumber(
  BinaryInstruction instr, IRFunction irFunc, Opcode opcode, TValueNumber leftOperand,
  TValueNumber rightOperand
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
-  not instr instanceof PointerArithmeticInstruction and
-  instr.getOpcode() = opcode and
-  tvalueNumber(instr.getLeft()) = leftOperand and
-  tvalueNumber(instr.getRight()) = rightOperand
+  binaryValueNumber0(instr, irFunc, opcode, true, leftOperand) and
+  binaryValueNumber0(instr, irFunc, opcode, false, rightOperand)
 }

-private predicate pointerArithmeticValueNumber(
+pragma[nomagic]
+private predicate pointerArithmeticValueNumber0(
  PointerArithmeticInstruction instr, IRFunction irFunc, Opcode opcode, int elementSize,
-  TValueNumber leftOperand, TValueNumber rightOperand
+  boolean isLeft, TValueNumber valueNumber
 ) {
  instr.getEnclosingIRFunction() = irFunc and
  instr.getOpcode() = opcode and
  instr.getElementSize() = elementSize and
-  tvalueNumber(instr.getLeft()) = leftOperand and
-  tvalueNumber(instr.getRight()) = rightOperand
+  (
+    isLeft = true and
+    tvalueNumber(instr.getLeft()) = valueNumber
+    or
+    isLeft = false and
+    tvalueNumber(instr.getRight()) = valueNumber
+  )
+}
+
+pragma[assume_small_delta]
+private predicate pointerArithmeticValueNumber(
+  PointerArithmeticInstruction instr, IRFunction irFunc, Opcode opcode, int elementSize,
+  TValueNumber leftOperand, TValueNumber rightOperand
+) {
+  pointerArithmeticValueNumber0(instr, irFunc, opcode, elementSize, true, leftOperand) and
+  pointerArithmeticValueNumber0(instr, irFunc, opcode, elementSize, false, rightOperand)
 }

 private predicate unaryValueNumber(
@@ -203,14 +233,29 @@ private predicate inheritanceConversionValueNumber(
  unique( | | instr.getDerivedClass()) = derivedClass
 }

+pragma[nomagic]
+private predicate loadTotalOverlapValueNumber0(
+  LoadTotalOverlapInstruction instr, IRFunction irFunc, IRType type, TValueNumber valueNumber,
+  boolean isAddress
+) {
+  instr.getEnclosingIRFunction() = irFunc and
+  instr.getResultIRType() = type and
+  (
+    isAddress = true and
+    tvalueNumberOfOperand(instr.getSourceAddressOperand()) = valueNumber
+    or
+    isAddress = false and
+    tvalueNumber(instr.getSourceValueOperand().getAnyDef()) = valueNumber
+  )
+}
+
+pragma[assume_small_delta]
 private predicate loadTotalOverlapValueNumber(
  LoadTotalOverlapInstruction instr, IRFunction irFunc, IRType type, TValueNumber memOperand,
  TValueNumber operand
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
-  tvalueNumber(instr.getAnOperand().(MemoryOperand).getAnyDef()) = memOperand and
-  tvalueNumberOfOperand(instr.getAnOperand().(AddressOperand)) = operand and
-  instr.getResultIRType() = type
+  loadTotalOverlapValueNumber0(instr, irFunc, type, operand, true) and
+  loadTotalOverlapValueNumber0(instr, irFunc, type, memOperand, false)
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConsistencyImports.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConsistencyImports.qll
@@ -0,0 +1 @@
+import semmle.code.cpp.ir.internal.IRCppLanguageDebug as LanguageDebug
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll
@@ -37,7 +37,13 @@ module Raw {
  predicate functionHasIR(Function func) { exists(getTranslatedFunction(func)) }

  cached
-  predicate varHasIRFunc(GlobalOrNamespaceVariable var) {
+  predicate varHasIRFunc(Variable var) {
+    (
+      var instanceof GlobalOrNamespaceVariable
+      or
+      not var.isFromUninstantiatedTemplate(_) and
+      var instanceof StaticInitializedStaticLocalVariable
+    ) and
    var.hasInitializer() and
    (
      not var.getType().isDeeplyConst()
@@ -75,9 +81,10 @@ module Raw {
  }

  cached
-  predicate hasDynamicInitializationFlag(Function func, StaticLocalVariable var, CppType type) {
+  predicate hasDynamicInitializationFlag(
+    Function func, RuntimeInitializedStaticLocalVariable var, CppType type
+  ) {
    var.getFunction() = func and
-    var.hasDynamicInitialization() and
    type = getBoolType()
  }

--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/PrintIRImports.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/PrintIRImports.qll
@@ -1 +1,2 @@
 import semmle.code.cpp.ir.IRConfiguration as IRConfiguration
+import semmle.code.cpp.ir.internal.IRCppLanguageDebug as LanguageDebug
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll
@@ -180,7 +180,7 @@ abstract class TranslatedSideEffects extends TranslatedElement {
  /** DEPRECATED: Alias for getAst */
  deprecated override Locatable getAST() { result = getAst() }

-  final override Declaration getFunction() { result = getExpr().getEnclosingDeclaration() }
+  final override Declaration getFunction() { result = getEnclosingDeclaration(getExpr()) }

  final override TranslatedElement getChild(int i) {
    result =
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCondition.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCondition.qll
@@ -28,7 +28,11 @@ abstract class TranslatedCondition extends TranslatedElement {

  final Expr getExpr() { result = expr }

-  final override Function getFunction() { result = expr.getEnclosingFunction() }
+  final override Declaration getFunction() {
+    result = getEnclosingFunction(expr) or
+    result = getEnclosingVariable(expr).(GlobalOrNamespaceVariable) or
+    result = getEnclosingVariable(expr).(StaticInitializedStaticLocalVariable)
+  }

  final Type getResultType() { result = expr.getUnspecifiedType() }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedDeclarationEntry.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedDeclarationEntry.qll
@@ -28,9 +28,14 @@ abstract class TranslatedDeclarationEntry extends TranslatedElement, TTranslated

  TranslatedDeclarationEntry() { this = TTranslatedDeclarationEntry(entry) }

-  final override Function getFunction() {
-    exists(DeclStmt stmt |
-      stmt = entry.getStmt() and
+  final override Declaration getFunction() {
+    exists(DeclStmt stmt | stmt = entry.getStmt() |
+      result = entry.getDeclaration().(StaticInitializedStaticLocalVariable)
+      or
+      result = entry.getDeclaration().(GlobalOrNamespaceVariable)
+      or
+      not entry.getDeclaration() instanceof StaticInitializedStaticLocalVariable and
+      not entry.getDeclaration() instanceof GlobalOrNamespaceVariable and
      result = stmt.getEnclosingFunction()
    )
  }
@@ -237,7 +242,7 @@ class TranslatedStaticLocalVariableInitialization extends TranslatedElement,

  final override LocalVariable getVariable() { result = var }

-  final override Function getFunction() { result = var.getFunction() }
+  final override Declaration getFunction() { result = var.getFunction() }
 }

 TranslatedConditionDecl getTranslatedConditionDecl(ConditionDeclExpr expr) {
@@ -264,7 +269,7 @@ class TranslatedConditionDecl extends TranslatedLocalVariableDeclaration, TTrans
  /** DEPRECATED: Alias for getAst */
  deprecated override Locatable getAST() { result = getAst() }

-  override Function getFunction() { result = conditionDeclExpr.getEnclosingFunction() }
+  override Declaration getFunction() { result = getEnclosingFunction(conditionDeclExpr) }

  override LocalVariable getVariable() { result = conditionDeclExpr.getVariable() }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
@@ -62,15 +62,6 @@ private predicate ignoreExprAndDescendants(Expr expr) {
  // constant value.
  isIRConstant(getRealParent(expr))
  or
-  // Only translate the initializer of a static local if it uses run-time data.
-  // Otherwise the initializer does not run in function scope.
-  exists(Initializer init, StaticStorageDurationVariable var |
-    init = var.getInitializer() and
-    not var.hasDynamicInitialization() and
-    expr = init.getExpr().getFullyConverted() and
-    not var instanceof GlobalOrNamespaceVariable
-  )
-  or
  // Ignore descendants of `__assume` expressions, since we translated these to `NoOp`.
  getRealParent(expr) instanceof AssumeExpr
  or
@@ -118,8 +109,8 @@ private predicate ignoreExprOnly(Expr expr) {
  // should not be translated.
  exists(NewOrNewArrayExpr new | expr = new.getAllocatorCall().getArgument(0))
  or
-  not translateFunction(expr.getEnclosingFunction()) and
-  not Raw::varHasIRFunc(expr.getEnclosingVariable())
+  not translateFunction(getEnclosingFunction(expr)) and
+  not Raw::varHasIRFunc(getEnclosingVariable(expr))
  or
  // We do not yet translate destructors properly, so for now we ignore the
  // destructor call. We do, however, translate the expression being
@@ -438,6 +429,17 @@ predicate hasTranslatedSyntheticTemporaryObject(Expr expr) {
  not expr.hasLValueToRValueConversion()
 }

+class StaticInitializedStaticLocalVariable extends StaticLocalVariable {
+  StaticInitializedStaticLocalVariable() {
+    this.hasInitializer() and
+    not this.hasDynamicInitialization()
+  }
+}
+
+class RuntimeInitializedStaticLocalVariable extends StaticLocalVariable {
+  RuntimeInitializedStaticLocalVariable() { this.hasDynamicInitialization() }
+}
+
 /**
 * Holds if the specified `DeclarationEntry` needs an IR translation. An IR translation is only
 * necessary for automatic local variables, or for static local variables with dynamic
@@ -453,7 +455,7 @@ private predicate translateDeclarationEntry(IRDeclarationEntry entry) {
      not var.isStatic()
      or
      // Ignore static variables unless they have a dynamic initializer.
-      var.(StaticLocalVariable).hasDynamicInitialization()
+      var instanceof RuntimeInitializedStaticLocalVariable
    )
  )
 }
@@ -606,9 +608,9 @@ newtype TTranslatedElement =
    not ignoreExpr(expr) and
    (
      exists(Initializer init | init.getExpr().getFullyConverted() = expr) or
-      exists(ClassAggregateLiteral initList | initList.getFieldExpr(_).getFullyConverted() = expr) or
+      exists(ClassAggregateLiteral initList | initList.getAFieldExpr(_).getFullyConverted() = expr) or
      exists(ArrayOrVectorAggregateLiteral initList |
-        initList.getElementExpr(_).getFullyConverted() = expr
+        initList.getAnElementExpr(_).getFullyConverted() = expr
      ) or
      exists(ReturnStmt returnStmt | returnStmt.getExpr().getFullyConverted() = expr) or
      exists(ConstructorFieldInit fieldInit | fieldInit.getExpr().getFullyConverted() = expr) or
@@ -619,18 +621,19 @@ newtype TTranslatedElement =
    )
  } or
  // The initialization of a field via a member of an initializer list.
-  TTranslatedExplicitFieldInitialization(Expr ast, Field field, Expr expr) {
+  TTranslatedExplicitFieldInitialization(Expr ast, Field field, Expr expr, int position) {
    exists(ClassAggregateLiteral initList |
      not ignoreExpr(initList) and
      ast = initList and
-      expr = initList.getFieldExpr(field).getFullyConverted()
+      expr = initList.getFieldExpr(field, position).getFullyConverted()
    )
    or
    exists(ConstructorFieldInit init |
      not ignoreExpr(init) and
      ast = init and
      field = init.getTarget() and
-      expr = init.getExpr().getFullyConverted()
+      expr = init.getExpr().getFullyConverted() and
+      position = -1
    )
  } or
  // The value initialization of a field due to an omitted member of an
@@ -643,9 +646,11 @@ newtype TTranslatedElement =
    )
  } or
  // The initialization of an array element via a member of an initializer list.
-  TTranslatedExplicitElementInitialization(ArrayOrVectorAggregateLiteral initList, int elementIndex) {
+  TTranslatedExplicitElementInitialization(
+    ArrayOrVectorAggregateLiteral initList, int elementIndex, int position
+  ) {
    not ignoreExpr(initList) and
-    exists(initList.getElementExpr(elementIndex))
+    exists(initList.getElementExpr(elementIndex, position))
  } or
  // The value initialization of a range of array elements that were omitted
  // from an initializer list.
@@ -752,7 +757,7 @@ newtype TTranslatedElement =
  } or
  // The side effect that initializes newly-allocated memory.
  TTranslatedAllocationSideEffect(AllocationExpr expr) { not ignoreSideEffects(expr) } or
-  TTranslatedGlobalOrNamespaceVarInit(GlobalOrNamespaceVariable var) { Raw::varHasIRFunc(var) }
+  TTranslatedStaticStorageDurationVarInit(Variable var) { Raw::varHasIRFunc(var) }

 /**
 * Gets the index of the first explicitly initialized element in `initList`
@@ -782,7 +787,7 @@ private int getNextExplicitlyInitializedElementAfter(
  ArrayOrVectorAggregateLiteral initList, int afterElementIndex
 ) {
  isFirstValueInitializedElementInRange(initList, afterElementIndex) and
-  result = min(int i | exists(initList.getElementExpr(i)) and i > afterElementIndex)
+  result = min(int i | exists(initList.getAnElementExpr(i)) and i > afterElementIndex)
 }

 /**
@@ -795,7 +800,7 @@ private predicate isFirstValueInitializedElementInRange(
  initList.isValueInitialized(elementIndex) and
  (
    elementIndex = 0 or
-    exists(initList.getElementExpr(elementIndex - 1))
+    exists(initList.getAnElementExpr(elementIndex - 1))
  )
 }

@@ -1040,6 +1045,6 @@ abstract class TranslatedRootElement extends TranslatedElement {
  TranslatedRootElement() {
    this instanceof TTranslatedFunction
    or
-    this instanceof TTranslatedGlobalOrNamespaceVarInit
+    this instanceof TTranslatedStaticStorageDurationVarInit
  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll
@@ -79,7 +79,7 @@ abstract class TranslatedExpr extends TranslatedElement {
  /** DEPRECATED: Alias for getAst */
  deprecated override Locatable getAST() { result = this.getAst() }

-  final override Declaration getFunction() { result = expr.getEnclosingDeclaration() }
+  final override Declaration getFunction() { result = getEnclosingDeclaration(expr) }

  /**
   * Gets the expression from which this `TranslatedExpr` is generated.
@@ -90,12 +90,57 @@ abstract class TranslatedExpr extends TranslatedElement {
   * Gets the `TranslatedFunction` containing this expression.
   */
  final TranslatedRootElement getEnclosingFunction() {
-    result = getTranslatedFunction(expr.getEnclosingFunction())
+    result = getTranslatedFunction(getEnclosingFunction(expr))
    or
-    result = getTranslatedVarInit(expr.getEnclosingVariable())
+    result = getTranslatedVarInit(getEnclosingVariable(expr))
  }
 }

+Function getEnclosingFunction(Expr e) {
+  not exists(getEnclosingVariable(e)) and
+  result = e.getEnclosingFunction()
+}
+
+Declaration getEnclosingDeclaration0(Expr e) {
+  result = getEnclosingDeclaration0(e.getParentWithConversions())
+  or
+  exists(Initializer i, Variable v |
+    i.getExpr().getFullyConverted() = e and
+    v = i.getDeclaration()
+  |
+    if v instanceof StaticInitializedStaticLocalVariable or v instanceof GlobalOrNamespaceVariable
+    then result = v
+    else result = e.getEnclosingDeclaration()
+  )
+}
+
+Declaration getEnclosingDeclaration(Expr e) {
+  result = getEnclosingDeclaration0(e)
+  or
+  not exists(getEnclosingDeclaration0(e)) and
+  result = e.getEnclosingDeclaration()
+}
+
+Variable getEnclosingVariable0(Expr e) {
+  result = getEnclosingVariable0(e.getParentWithConversions())
+  or
+  exists(Initializer i, Variable v |
+    i.getExpr().getFullyConverted() = e and
+    v = i.getDeclaration()
+  |
+    if v instanceof StaticInitializedStaticLocalVariable or v instanceof GlobalOrNamespaceVariable
+    then result = v
+    else result = e.getEnclosingVariable()
+  )
+}
+
+Variable getEnclosingVariable(Expr e) {
+  result = getEnclosingVariable0(e)
+  or
+  not exists(getEnclosingVariable0(e)) and
+  result = e.getEnclosingVariable()
+}
+
 /**
 * The IR translation of the "core"  part of an expression. This is the part of
 * the expression that produces the result value of the expression, before any
@@ -843,10 +888,21 @@ class TranslatedNonFieldVariableAccess extends TranslatedVariableAccess {

  override IRVariable getInstructionVariable(InstructionTag tag) {
    tag = OnlyInstructionTag() and
-    result = getIRUserVariable(expr.getEnclosingDeclaration(), expr.getTarget())
+    exists(Declaration d, Variable v |
+      accessHasEnclosingDeclarationAndVariable(d, v, expr) and
+      result = getIRUserVariable(d, v)
+    )
  }
 }

+pragma[nomagic]
+private predicate accessHasEnclosingDeclarationAndVariable(
+  Declaration d, Variable v, VariableAccess va
+) {
+  d = getEnclosingDeclaration(va) and
+  v = va.getTarget()
+}
+
 class TranslatedFieldAccess extends TranslatedVariableAccess {
  override FieldAccess expr;

@@ -2000,7 +2056,7 @@ class TranslatedDestructorFieldDestruction extends TranslatedNonConstantExpr, St
  final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
    tag = OnlyInstructionTag() and
    operandTag instanceof UnaryOperandTag and
-    result = getTranslatedFunction(expr.getEnclosingFunction()).getInitializeThisInstruction()
+    result = getTranslatedFunction(getEnclosingFunction(expr)).getInitializeThisInstruction()
  }

  final override Field getInstructionField(InstructionTag tag) {
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll
@@ -322,11 +322,13 @@ class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction {
      (
        var instanceof GlobalOrNamespaceVariable
        or
+        var instanceof StaticLocalVariable
+        or
        var instanceof MemberVariable and not var instanceof Field
      ) and
      exists(VariableAccess access |
        access.getTarget() = var and
-        access.getEnclosingFunction() = func
+        getEnclosingFunction(access) = func
      )
      or
      var.(LocalScopeVariable).getFunction() = func
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedGlobalVar.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedGlobalVar.qll
@@ -1,4 +1,5 @@
 import semmle.code.cpp.ir.implementation.raw.internal.TranslatedElement
+private import TranslatedExpr
 private import cpp
 private import semmle.code.cpp.ir.implementation.IRType
 private import semmle.code.cpp.ir.implementation.Opcode
@@ -8,16 +9,16 @@ private import TranslatedInitialization
 private import InstructionTag
 private import semmle.code.cpp.ir.internal.IRUtilities

-class TranslatedGlobalOrNamespaceVarInit extends TranslatedRootElement,
-  TTranslatedGlobalOrNamespaceVarInit, InitializationContext
+class TranslatedStaticStorageDurationVarInit extends TranslatedRootElement,
+  TTranslatedStaticStorageDurationVarInit, InitializationContext
 {
-  GlobalOrNamespaceVariable var;
+  Variable var;

-  TranslatedGlobalOrNamespaceVarInit() { this = TTranslatedGlobalOrNamespaceVarInit(var) }
+  TranslatedStaticStorageDurationVarInit() { this = TTranslatedStaticStorageDurationVarInit(var) }

  override string toString() { result = var.toString() }

-  final override GlobalOrNamespaceVariable getAst() { result = var }
+  final override Variable getAst() { result = var }

  final override Declaration getFunction() { result = var }

@@ -111,11 +112,13 @@ class TranslatedGlobalOrNamespaceVarInit extends TranslatedRootElement,
      (
        varUsed instanceof GlobalOrNamespaceVariable
        or
+        varUsed instanceof StaticLocalVariable
+        or
        varUsed instanceof MemberVariable and not varUsed instanceof Field
      ) and
      exists(VariableAccess access |
        access.getTarget() = varUsed and
-        access.getEnclosingVariable() = var
+        getEnclosingVariable(access) = var
      )
      or
      var = varUsed
@@ -128,6 +131,4 @@ class TranslatedGlobalOrNamespaceVarInit extends TranslatedRootElement,
  }
 }

-TranslatedGlobalOrNamespaceVarInit getTranslatedVarInit(GlobalOrNamespaceVariable var) {
-  result.getAst() = var
-}
+TranslatedStaticStorageDurationVarInit getTranslatedVarInit(Variable var) { result.getAst() = var }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedInitialization.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedInitialization.qll
@@ -138,8 +138,9 @@ abstract class TranslatedInitialization extends TranslatedElement, TTranslatedIn
  final override string toString() { result = "init: " + expr.toString() }

  final override Declaration getFunction() {
-    result = expr.getEnclosingFunction() or
-    result = expr.getEnclosingVariable().(GlobalOrNamespaceVariable)
+    result = getEnclosingFunction(expr) or
+    result = getEnclosingVariable(expr).(GlobalOrNamespaceVariable) or
+    result = getEnclosingVariable(expr).(StaticInitializedStaticLocalVariable)
  }

  final override Locatable getAst() { result = expr }
@@ -159,7 +160,7 @@ abstract class TranslatedInitialization extends TranslatedElement, TTranslatedIn
  final InitializationContext getContext() { result = getParent() }

  final TranslatedFunction getEnclosingFunction() {
-    result = getTranslatedFunction(expr.getEnclosingFunction())
+    result = getTranslatedFunction(this.getFunction())
  }
 }

@@ -201,11 +202,13 @@ class TranslatedClassListInitialization extends TranslatedListInitialization {
  override ClassAggregateLiteral expr;

  override TranslatedElement getChild(int id) {
-    exists(TranslatedFieldInitialization fieldInit |
-      result = fieldInit and
-      fieldInit = getTranslatedFieldInitialization(expr, _) and
-      fieldInit.getOrder() = id
-    )
+    result =
+      rank[id + 1](TranslatedFieldInitialization fieldInit, int ord |
+        fieldInit = getTranslatedFieldInitialization(expr, _) and
+        fieldInit.getOrder() = ord
+      |
+        fieldInit order by ord, fieldInit.getPosition()
+      )
  }
 }

@@ -222,7 +225,7 @@ class TranslatedArrayListInitialization extends TranslatedListInitialization {
      rank[id + 1](TranslatedElementInitialization init |
        init.getInitList() = expr
      |
-        init order by init.getElementIndex()
+        init order by init.getElementIndex(), init.getPosition()
      )
  }
 }
@@ -491,8 +494,9 @@ abstract class TranslatedFieldInitialization extends TranslatedElement {
  deprecated override Locatable getAST() { result = getAst() }

  final override Declaration getFunction() {
-    result = ast.getEnclosingFunction() or
-    result = ast.getEnclosingVariable().(GlobalOrNamespaceVariable)
+    result = getEnclosingFunction(ast) or
+    result = getEnclosingVariable(ast).(GlobalOrNamespaceVariable) or
+    result = getEnclosingVariable(ast).(StaticInitializedStaticLocalVariable)
  }

  final override Instruction getFirstInstruction() { result = getInstruction(getFieldAddressTag()) }
@@ -522,6 +526,9 @@ abstract class TranslatedFieldInitialization extends TranslatedElement {
  final InstructionTag getFieldAddressTag() { result = InitializerFieldAddressTag() }

  final Field getField() { result = field }
+
+  /** Gets the position in the initializer list, or `-1` if the initialization is implicit. */
+  int getPosition() { result = -1 }
 }

 /**
@@ -532,9 +539,10 @@ class TranslatedExplicitFieldInitialization extends TranslatedFieldInitializatio
  InitializationContext, TTranslatedExplicitFieldInitialization
 {
  Expr expr;
+  int position;

  TranslatedExplicitFieldInitialization() {
-    this = TTranslatedExplicitFieldInitialization(ast, field, expr)
+    this = TTranslatedExplicitFieldInitialization(ast, field, expr, position)
  }

  override Instruction getTargetAddress() { result = getInstruction(getFieldAddressTag()) }
@@ -556,6 +564,8 @@ class TranslatedExplicitFieldInitialization extends TranslatedFieldInitializatio
  private TranslatedInitialization getInitialization() {
    result = getTranslatedInitialization(expr)
  }
+
+  override int getPosition() { result = position }
 }

 private string getZeroValue(Type type) {
@@ -643,9 +653,11 @@ abstract class TranslatedElementInitialization extends TranslatedElement {
  deprecated override Locatable getAST() { result = getAst() }

  final override Declaration getFunction() {
-    result = initList.getEnclosingFunction()
+    result = getEnclosingFunction(initList)
    or
-    result = initList.getEnclosingVariable().(GlobalOrNamespaceVariable)
+    result = getEnclosingVariable(initList).(GlobalOrNamespaceVariable)
+    or
+    result = getEnclosingVariable(initList).(StaticInitializedStaticLocalVariable)
  }

  final override Instruction getFirstInstruction() { result = getInstruction(getElementIndexTag()) }
@@ -689,6 +701,8 @@ abstract class TranslatedElementInitialization extends TranslatedElement {

  abstract int getElementIndex();

+  int getPosition() { result = -1 }
+
  final InstructionTag getElementAddressTag() { result = InitializerElementAddressTag() }

  final InstructionTag getElementIndexTag() { result = InitializerElementIndexTag() }
@@ -706,9 +720,10 @@ class TranslatedExplicitElementInitialization extends TranslatedElementInitializ
  TTranslatedExplicitElementInitialization, InitializationContext
 {
  int elementIndex;
+  int position;

  TranslatedExplicitElementInitialization() {
-    this = TTranslatedExplicitElementInitialization(initList, elementIndex)
+    this = TTranslatedExplicitElementInitialization(initList, elementIndex, position)
  }

  override Instruction getTargetAddress() { result = getInstruction(getElementAddressTag()) }
@@ -731,8 +746,13 @@ class TranslatedExplicitElementInitialization extends TranslatedElementInitializ

  override int getElementIndex() { result = elementIndex }

+  override int getPosition() { result = position }
+
  TranslatedInitialization getInitialization() {
-    result = getTranslatedInitialization(initList.getElementExpr(elementIndex).getFullyConverted())
+    result =
+      getTranslatedInitialization(initList
+            .getElementExpr(elementIndex, position)
+            .getFullyConverted())
  }
 }

@@ -836,7 +856,7 @@ abstract class TranslatedStructorCallFromStructor extends TranslatedElement, Str
    result = getStructorCall()
  }

-  final override Function getFunction() { result = call.getEnclosingFunction() }
+  final override Function getFunction() { result = getEnclosingFunction(call) }

  final override Instruction getChildSuccessor(TranslatedElement child) {
    child = getStructorCall() and
@@ -973,7 +993,7 @@ class TranslatedConstructorBareInit extends TranslatedElement, TTranslatedConstr

  override TranslatedElement getChild(int id) { none() }

-  override Function getFunction() { result = getParent().getFunction() }
+  override Declaration getFunction() { result = this.getParent().getFunction() }

  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { none() }

--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll
@@ -1105,3 +1105,49 @@ class TranslatedAsmStmt extends TranslatedStmt {
    )
  }
 }
+
+class TranslatedVlaDimensionStmt extends TranslatedStmt {
+  override VlaDimensionStmt stmt;
+
+  override TranslatedExpr getChild(int id) {
+    id = 0 and
+    result = getTranslatedExpr(stmt.getDimensionExpr().getFullyConverted())
+  }
+
+  override Instruction getFirstInstruction() { result = this.getChild(0).getFirstInstruction() }
+
+  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
+    none()
+  }
+
+  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { none() }
+
+  override Instruction getChildSuccessor(TranslatedElement child) {
+    child = this.getChild(0) and
+    result = this.getParent().getChildSuccessor(this)
+  }
+}
+
+class TranslatedVlaDeclarationStmt extends TranslatedStmt {
+  override VlaDeclStmt stmt;
+
+  override TranslatedExpr getChild(int id) { none() }
+
+  override Instruction getFirstInstruction() { result = this.getInstruction(OnlyInstructionTag()) }
+
+  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
+    // TODO: This needs a new kind of instruction that represents initialization of a VLA.
+    // For now we just emit a `NoOp` instruction so that the CFG isn't incomplete.
+    tag = OnlyInstructionTag() and
+    opcode instanceof Opcode::NoOp and
+    resultType = getVoidType()
+  }
+
+  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
+    tag = OnlyInstructionTag() and
+    result = this.getParent().getChildSuccessor(this) and
+    kind instanceof GotoEdge
+  }
+
+  override Instruction getChildSuccessor(TranslatedElement child) { none() }
+}
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.qll
@@ -1,6 +1,7 @@
 private import IR
 import InstructionConsistency // module is below
 import IRTypeConsistency // module is in IRType.qll
+import internal.IRConsistencyImports

 module InstructionConsistency {
  private import internal.InstructionImports as Imports
@@ -28,7 +29,7 @@ module InstructionConsistency {
    PresentIRFunction() { this = TPresentIRFunction(irFunc) }

    override string toString() {
-      result = concat(Language::getIdentityString(irFunc.getFunction()), "; ")
+      result = concat(LanguageDebug::getIdentityString(irFunc.getFunction()), "; ")
    }

    override Language::Location getLocation() {
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.qll
@@ -149,7 +149,9 @@ private class PrintableIRFunction extends PrintableIRNode, TPrintableIRFunction

  override Language::Location getLocation() { result = irFunc.getLocation() }

-  override string getLabel() { result = Language::getIdentityString(irFunc.getFunction()) }
+  override string getLabel() {
+    result = Imports::LanguageDebug::getIdentityString(irFunc.getFunction())
+  }

  override int getOrder() {
    this =
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll
@@ -159,26 +159,56 @@ private predicate fieldAddressValueNumber(
  tvalueNumber(instr.getObjectAddress()) = objectAddress
 }

+pragma[nomagic]
+private predicate binaryValueNumber0(
+  BinaryInstruction instr, IRFunction irFunc, Opcode opcode, boolean isLeft,
+  TValueNumber valueNumber
+) {
+  not instr instanceof PointerArithmeticInstruction and
+  instr.getEnclosingIRFunction() = irFunc and
+  instr.getOpcode() = opcode and
+  (
+    isLeft = true and
+    tvalueNumber(instr.getLeft()) = valueNumber
+    or
+    isLeft = false and
+    tvalueNumber(instr.getRight()) = valueNumber
+  )
+}
+
+pragma[assume_small_delta]
 private predicate binaryValueNumber(
  BinaryInstruction instr, IRFunction irFunc, Opcode opcode, TValueNumber leftOperand,
  TValueNumber rightOperand
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
-  not instr instanceof PointerArithmeticInstruction and
-  instr.getOpcode() = opcode and
-  tvalueNumber(instr.getLeft()) = leftOperand and
-  tvalueNumber(instr.getRight()) = rightOperand
+  binaryValueNumber0(instr, irFunc, opcode, true, leftOperand) and
+  binaryValueNumber0(instr, irFunc, opcode, false, rightOperand)
 }

-private predicate pointerArithmeticValueNumber(
+pragma[nomagic]
+private predicate pointerArithmeticValueNumber0(
  PointerArithmeticInstruction instr, IRFunction irFunc, Opcode opcode, int elementSize,
-  TValueNumber leftOperand, TValueNumber rightOperand
+  boolean isLeft, TValueNumber valueNumber
 ) {
  instr.getEnclosingIRFunction() = irFunc and
  instr.getOpcode() = opcode and
  instr.getElementSize() = elementSize and
-  tvalueNumber(instr.getLeft()) = leftOperand and
-  tvalueNumber(instr.getRight()) = rightOperand
+  (
+    isLeft = true and
+    tvalueNumber(instr.getLeft()) = valueNumber
+    or
+    isLeft = false and
+    tvalueNumber(instr.getRight()) = valueNumber
+  )
+}
+
+pragma[assume_small_delta]
+private predicate pointerArithmeticValueNumber(
+  PointerArithmeticInstruction instr, IRFunction irFunc, Opcode opcode, int elementSize,
+  TValueNumber leftOperand, TValueNumber rightOperand
+) {
+  pointerArithmeticValueNumber0(instr, irFunc, opcode, elementSize, true, leftOperand) and
+  pointerArithmeticValueNumber0(instr, irFunc, opcode, elementSize, false, rightOperand)
 }

 private predicate unaryValueNumber(
@@ -203,14 +233,29 @@ private predicate inheritanceConversionValueNumber(
  unique( | | instr.getDerivedClass()) = derivedClass
 }

+pragma[nomagic]
+private predicate loadTotalOverlapValueNumber0(
+  LoadTotalOverlapInstruction instr, IRFunction irFunc, IRType type, TValueNumber valueNumber,
+  boolean isAddress
+) {
+  instr.getEnclosingIRFunction() = irFunc and
+  instr.getResultIRType() = type and
+  (
+    isAddress = true and
+    tvalueNumberOfOperand(instr.getSourceAddressOperand()) = valueNumber
+    or
+    isAddress = false and
+    tvalueNumber(instr.getSourceValueOperand().getAnyDef()) = valueNumber
+  )
+}
+
+pragma[assume_small_delta]
 private predicate loadTotalOverlapValueNumber(
  LoadTotalOverlapInstruction instr, IRFunction irFunc, IRType type, TValueNumber memOperand,
  TValueNumber operand
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
-  tvalueNumber(instr.getAnOperand().(MemoryOperand).getAnyDef()) = memOperand and
-  tvalueNumberOfOperand(instr.getAnOperand().(AddressOperand)) = operand and
-  instr.getResultIRType() = type
+  loadTotalOverlapValueNumber0(instr, irFunc, type, operand, true) and
+  loadTotalOverlapValueNumber0(instr, irFunc, type, memOperand, false)
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRConsistencyImports.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRConsistencyImports.qll
@@ -0,0 +1 @@
+import semmle.code.cpp.ir.internal.IRCppLanguageDebug as LanguageDebug
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintIRImports.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintIRImports.qll
@@ -1 +1,2 @@
 import semmle.code.cpp.ir.IRConfiguration as IRConfiguration
+import semmle.code.cpp.ir.internal.IRCppLanguageDebug as LanguageDebug
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.qll
@@ -1,2 +1,55 @@
-private import SSAConstruction as Ssa
-import Ssa::SsaConsistency
+import SsaConsistency
+import SSAConsistencyImports
+
+module SsaConsistency {
+  /**
+   * Holds if a `MemoryOperand` has more than one `MemoryLocation` assigned by alias analysis.
+   */
+  query predicate multipleOperandMemoryLocations(
+    OldIR::MemoryOperand operand, string message, OldIR::IRFunction func, string funcText
+  ) {
+    exists(int locationCount |
+      locationCount = strictcount(Alias::getOperandMemoryLocation(operand)) and
+      locationCount > 1 and
+      func = operand.getEnclosingIRFunction() and
+      funcText = LanguageDebug::getIdentityString(func.getFunction()) and
+      message =
+        operand.getUse().toString() + " " + "Operand has " + locationCount.toString() +
+          " memory accesses in function '$@': " +
+          strictconcat(Alias::getOperandMemoryLocation(operand).toString(), ", ")
+    )
+  }
+
+  /**
+   * Holds if a `MemoryLocation` does not have an associated `VirtualVariable`.
+   */
+  query predicate missingVirtualVariableForMemoryLocation(
+    Alias::MemoryLocation location, string message, OldIR::IRFunction func, string funcText
+  ) {
+    not exists(location.getVirtualVariable()) and
+    func = location.getIRFunction() and
+    funcText = LanguageDebug::getIdentityString(func.getFunction()) and
+    message = "Memory location has no virtual variable in function '$@'."
+  }
+
+  /**
+   * Holds if a `MemoryLocation` is a member of more than one `VirtualVariable`.
+   */
+  query predicate multipleVirtualVariablesForMemoryLocation(
+    Alias::MemoryLocation location, string message, OldIR::IRFunction func, string funcText
+  ) {
+    exists(int vvarCount |
+      vvarCount = strictcount(location.getVirtualVariable()) and
+      vvarCount > 1 and
+      func = location.getIRFunction() and
+      funcText = LanguageDebug::getIdentityString(func.getFunction()) and
+      message =
+        "Memory location has " + vvarCount.toString() + " virtual variables in function '$@': (" +
+          concat(Alias::VirtualVariable vvar |
+            vvar = location.getVirtualVariable()
+          |
+            vvar.toString(), ", "
+          ) + ")."
+    )
+  }
+}
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistencyImports.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistencyImports.qll
@@ -0,0 +1,3 @@
+import semmle.code.cpp.ir.implementation.raw.IR as OldIR
+import SimpleSSA as Alias
+import semmle.code.cpp.ir.internal.IRCppLanguageDebug as LanguageDebug
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
@@ -996,7 +996,7 @@ deprecated predicate canReuseSSAForMemoryResult = canReuseSsaForMemoryResult/1;

 /**
 * Expose some of the internal predicates to PrintSSA.qll. We do this by publicly importing those modules in the
- * `DebugSSA` module, which is then imported by PrintSSA.
+ * `DebugSsa` module, which is then imported by PrintSSA.
 */
 module DebugSsa {
  import PhiInsertion
@@ -1063,62 +1063,6 @@ private module CachedForDebugging {
  int maxValue() { result = 2147483647 }
 }

-module SsaConsistency {
-  /**
-   * Holds if a `MemoryOperand` has more than one `MemoryLocation` assigned by alias analysis.
-   */
-  query predicate multipleOperandMemoryLocations(
-    OldIR::MemoryOperand operand, string message, OldIR::IRFunction func, string funcText
-  ) {
-    exists(int locationCount |
-      locationCount = strictcount(Alias::getOperandMemoryLocation(operand)) and
-      locationCount > 1 and
-      func = operand.getEnclosingIRFunction() and
-      funcText = Language::getIdentityString(func.getFunction()) and
-      message =
-        operand.getUse().toString() + " " + "Operand has " + locationCount.toString() +
-          " memory accesses in function '$@': " +
-          strictconcat(Alias::getOperandMemoryLocation(operand).toString(), ", ")
-    )
-  }
-
-  /**
-   * Holds if a `MemoryLocation` does not have an associated `VirtualVariable`.
-   */
-  query predicate missingVirtualVariableForMemoryLocation(
-    Alias::MemoryLocation location, string message, OldIR::IRFunction func, string funcText
-  ) {
-    not exists(location.getVirtualVariable()) and
-    func = location.getIRFunction() and
-    funcText = Language::getIdentityString(func.getFunction()) and
-    message = "Memory location has no virtual variable in function '$@'."
-  }
-
-  /**
-   * Holds if a `MemoryLocation` is a member of more than one `VirtualVariable`.
-   */
-  query predicate multipleVirtualVariablesForMemoryLocation(
-    Alias::MemoryLocation location, string message, OldIR::IRFunction func, string funcText
-  ) {
-    exists(int vvarCount |
-      vvarCount = strictcount(location.getVirtualVariable()) and
-      vvarCount > 1 and
-      func = location.getIRFunction() and
-      funcText = Language::getIdentityString(func.getFunction()) and
-      message =
-        "Memory location has " + vvarCount.toString() + " virtual variables in function '$@': (" +
-          concat(Alias::VirtualVariable vvar |
-            vvar = location.getVirtualVariable()
-          |
-            vvar.toString(), ", "
-          ) + ")."
-    )
-  }
-}
-
-/** DEPRECATED: Alias for SsaConsistency */
-deprecated module SSAConsistency = SsaConsistency;
-
 /**
 * Provides the portion of the parameterized IR interface that is used to construct the SSA stages
 * of the IR. The raw stage of the IR does not expose these predicates.
--- a/cpp/ql/lib/semmle/code/cpp/ir/internal/CppType.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/internal/CppType.qll
@@ -1,5 +1,4 @@
 private import cpp
-private import semmle.code.cpp.Print
 private import semmle.code.cpp.ir.implementation.IRType
 private import semmle.code.cpp.ir.implementation.raw.internal.IRConstruction::Raw as Raw

@@ -538,12 +537,14 @@ CppType getCanonicalOpaqueType(Type tag, int byteSize) {
 }

 /**
- * Gets a string that uniquely identifies an `IROpaqueType` tag. This may be different from the usual
- * `toString()` of the tag in order to ensure uniqueness.
+ * Gets a string that uniquely identifies an `IROpaqueType` tag. Using `toString` here might
+ * not be sufficient to ensure uniqueness, but suffices for our current debugging purposes.
+ * To ensure uniqueness `getOpaqueTagIdentityString` from `semmle.code.cpp.Print` could be used,
+ * but that comes at the cost of importing all the `Dump` classes defined in that library.
 */
 string getOpaqueTagIdentityString(Type tag) {
  hasOpaqueType(tag, _) and
-  result = getTypeIdentityString(tag)
+  result = tag.toString()
 }

 module LanguageTypeConsistency {
--- a/cpp/ql/lib/semmle/code/cpp/ir/internal/IRCppLanguage.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/internal/IRCppLanguage.qll
@@ -1,5 +1,4 @@
 private import cpp as Cpp
-private import semmle.code.cpp.Print as Print
 private import IRUtilities
 private import semmle.code.cpp.ir.implementation.IRType
 private import semmle.code.cpp.ir.implementation.raw.internal.IRConstruction as IRConstruction
@@ -48,7 +47,7 @@ class Variable = Cpp::Variable;

 class AutomaticVariable = Cpp::StackVariable;

-class StaticVariable = Cpp::Variable;
+class StaticVariable = Cpp::StaticStorageDurationVariable;

 class GlobalVariable = Cpp::GlobalOrNamespaceVariable;

@@ -65,8 +64,6 @@ class Expr = Cpp::Expr;

 class Class = Cpp::Class; // Used for inheritance conversions

-predicate getIdentityString = Print::getIdentityString/1;
-
 predicate hasCaseEdge(string minValue, string maxValue) { hasCaseEdge(_, minValue, maxValue) }

 predicate hasPositionalArgIndex(int argIndex) {
--- a/cpp/ql/lib/semmle/code/cpp/ir/internal/IRCppLanguageDebug.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/internal/IRCppLanguageDebug.qll
@@ -0,0 +1,9 @@
+private import cpp
+private import semmle.code.cpp.Print as Print
+
+string getIdentityString(Declaration decl) {
+  if decl instanceof StaticLocalVariable
+  then
+    exists(StaticLocalVariable v | v = decl | result = v.getType().toString() + " " + v.getName())
+  else result = Print::getIdentityString(decl)
+}
--- a/cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/SimpleRangeAnalysis.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/SimpleRangeAnalysis.qll
@@ -5,9 +5,11 @@

 private import cpp
 private import semmle.code.cpp.ir.IR
-private import experimental.semmle.code.cpp.semantic.SemanticBound
-private import experimental.semmle.code.cpp.semantic.SemanticExprSpecific
-private import RangeAnalysis
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticBound
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticExprSpecific
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.RangeAnalysis
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.RangeAnalysisImpl
+private import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils

 /**
 * Gets the lower bound of the expression.
@@ -22,8 +24,10 @@ private import RangeAnalysis
 *    `lowerBound(expr.getFullyConverted())`
 */
 float lowerBound(Expr expr) {
-  exists(Instruction i, SemBound b | i.getAst() = expr and b instanceof SemZeroBound |
-    semBounded(getSemanticExpr(i), b, result, false, _)
+  exists(Instruction i, ConstantBounds::SemBound b |
+    i.getAst() = expr and b instanceof ConstantBounds::SemZeroBound
+  |
+    ConstantStage::semBounded(getSemanticExpr(i), b, result, false, _)
  )
 }

@@ -40,8 +44,10 @@ float lowerBound(Expr expr) {
 *    `upperBound(expr.getFullyConverted())`
 */
 float upperBound(Expr expr) {
-  exists(Instruction i, SemBound b | i.getAst() = expr and b instanceof SemZeroBound |
-    semBounded(getSemanticExpr(i), b, result, true, _)
+  exists(Instruction i, ConstantBounds::SemBound b |
+    i.getAst() = expr and b instanceof ConstantBounds::SemZeroBound
+  |
+    ConstantStage::semBounded(getSemanticExpr(i), b, result, true, _)
  )
 }

@@ -90,7 +96,15 @@ predicate defMightOverflow(RangeSsaDefinition def, StackVariable v) {
 * does not consider the possibility that the expression might overflow
 * due to a conversion.
 */
-predicate exprMightOverflowNegatively(Expr expr) { none() }
+predicate exprMightOverflowNegatively(Expr expr) {
+  lowerBound(expr) < exprMinVal(expr)
+  or
+  exists(SemanticExprConfig::Expr semExpr |
+    semExpr.getUnconverted().getAst() = expr and
+    ConstantStage::potentiallyOverflowingExpr(false, semExpr) and
+    not ConstantStage::initialBounded(semExpr, _, _, false, _, _, _)
+  )
+}

 /**
 * Holds if the expression might overflow negatively. Conversions
@@ -108,7 +122,15 @@ predicate convertedExprMightOverflowNegatively(Expr expr) {
 * does not consider the possibility that the expression might overflow
 * due to a conversion.
 */
-predicate exprMightOverflowPositively(Expr expr) { none() }
+predicate exprMightOverflowPositively(Expr expr) {
+  upperBound(expr) > exprMaxVal(expr)
+  or
+  exists(SemanticExprConfig::Expr semExpr |
+    semExpr.getUnconverted().getAst() = expr and
+    ConstantStage::potentiallyOverflowingExpr(true, semExpr) and
+    not ConstantStage::initialBounded(semExpr, _, _, true, _, _, _)
+  )
+}

 /**
 * Holds if the expression might overflow positively. Conversions
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/Semantic.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/Semantic.qll
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticBound.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticBound.qll
@@ -5,6 +5,7 @@
 private import SemanticExpr
 private import SemanticExprSpecific::SemanticExprConfig as Specific
 private import SemanticSSA
+private import SemanticLocation

 /**
 * A valid base for an expression bound.
@@ -14,6 +15,8 @@ private import SemanticSSA
 class SemBound instanceof Specific::Bound {
  final string toString() { result = super.toString() }

+  final SemLocation getLocation() { result = super.getLocation() }
+
  final SemExpr getExpr(int delta) { result = Specific::getBoundExpr(this, delta) }
 }

--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticCFG.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticCFG.qll
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExpr.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExpr.qll
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExprSpecific.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExprSpecific.qll
@@ -5,19 +5,99 @@
 private import cpp as Cpp
 private import semmle.code.cpp.ir.IR as IR
 private import Semantic
-private import experimental.semmle.code.cpp.rangeanalysis.Bound as IRBound
+private import analysis.Bound as IRBound
 private import semmle.code.cpp.controlflow.IRGuards as IRGuards
 private import semmle.code.cpp.ir.ValueNumbering

 module SemanticExprConfig {
  class Location = Cpp::Location;

-  class Expr = IR::Instruction;
+  /** A `ConvertInstruction` or a `CopyValueInstruction`. */
+  private class Conversion extends IR::UnaryInstruction {
+    Conversion() {
+      this instanceof IR::CopyValueInstruction
+      or
+      this instanceof IR::ConvertInstruction
+    }
+
+    /** Holds if this instruction converts a value of type `tFrom` to a value of type `tTo`. */
+    predicate converts(SemType tFrom, SemType tTo) {
+      tFrom = getSemanticType(this.getUnary().getResultIRType()) and
+      tTo = getSemanticType(this.getResultIRType())
+    }
+  }
+
+  /**
+   * Gets a conversion-like instruction that consumes `op`, and
+   * which is guaranteed to not overflow.
+   */
+  private IR::Instruction safeConversion(IR::Operand op) {
+    exists(Conversion conv, SemType tFrom, SemType tTo |
+      conv.converts(tFrom, tTo) and
+      conversionCannotOverflow(tFrom, tTo) and
+      conv.getUnaryOperand() = op and
+      result = conv
+    )
+  }
+
+  /** Holds if `i1 = i2` or if `i2` is a safe conversion that consumes `i1`. */
+  private predicate idOrSafeConversion(IR::Instruction i1, IR::Instruction i2) {
+    not i1.getResultIRType() instanceof IR::IRVoidType and
+    (
+      i1 = i2
+      or
+      i2 = safeConversion(i1.getAUse()) and
+      i1.getBlock() = i2.getBlock()
+    )
+  }
+
+  module Equiv = QlBuiltins::EquivalenceRelation<IR::Instruction, idOrSafeConversion/2>;
+
+  /**
+   * The expressions on which we perform range analysis.
+   */
+  class Expr extends Equiv::EquivalenceClass {
+    /** Gets the n'th instruction in this equivalence class. */
+    private IR::Instruction getInstruction(int n) {
+      result =
+        rank[n + 1](IR::Instruction instr, int i, IR::IRBlock block |
+          this = Equiv::getEquivalenceClass(instr) and block.getInstruction(i) = instr
+        |
+          instr order by i
+        )
+    }
+
+    /** Gets a textual representation of this element. */
+    string toString() { result = this.getUnconverted().toString() }
+
+    /** Gets the basic block of this expression. */
+    IR::IRBlock getBlock() { result = this.getUnconverted().getBlock() }
+
+    /** Gets the unconverted instruction associated with this expression. */
+    IR::Instruction getUnconverted() { result = this.getInstruction(0) }
+
+    /**
+     * Gets the final instruction associated with this expression. This
+     * represents the result after applying all the safe conversions.
+     */
+    IR::Instruction getConverted() {
+      exists(int n |
+        result = this.getInstruction(n) and
+        not exists(this.getInstruction(n + 1))
+      )
+    }
+
+    /** Gets the type of the result produced by this instruction. */
+    IR::IRType getResultIRType() { result = this.getConverted().getResultIRType() }
+
+    /** Gets the location of the source code for this expression. */
+    Location getLocation() { result = this.getUnconverted().getLocation() }
+  }

  SemBasicBlock getExprBasicBlock(Expr e) { result = getSemanticBasicBlock(e.getBlock()) }

  private predicate anyConstantExpr(Expr expr, SemType type, string value) {
-    exists(IR::ConstantInstruction instr | instr = expr |
+    exists(IR::ConstantInstruction instr | getSemanticExpr(instr) = expr |
      type = getSemanticType(instr.getResultIRType()) and
      value = instr.getValue()
    )
@@ -58,41 +138,46 @@ module SemanticExprConfig {
  predicate nullLiteral(Expr expr, SemAddressType type) { anyConstantExpr(expr, type, _) }

  predicate stringLiteral(Expr expr, SemType type, string value) {
-    anyConstantExpr(expr, type, value) and expr instanceof IR::StringConstantInstruction
+    anyConstantExpr(expr, type, value) and
+    expr.getUnconverted() instanceof IR::StringConstantInstruction
  }

  predicate binaryExpr(Expr expr, Opcode opcode, SemType type, Expr leftOperand, Expr rightOperand) {
-    exists(IR::BinaryInstruction instr | instr = expr |
+    exists(IR::BinaryInstruction instr |
+      instr = expr.getUnconverted() and
      type = getSemanticType(instr.getResultIRType()) and
-      leftOperand = instr.getLeft() and
-      rightOperand = instr.getRight() and
+      leftOperand = getSemanticExpr(instr.getLeft()) and
+      rightOperand = getSemanticExpr(instr.getRight()) and
      // REVIEW: Merge the two `Opcode` types.
      opcode.toString() = instr.getOpcode().toString()
    )
  }

  predicate unaryExpr(Expr expr, Opcode opcode, SemType type, Expr operand) {
-    type = getSemanticType(expr.getResultIRType()) and
-    (
-      exists(IR::UnaryInstruction instr | instr = expr |
-        operand = instr.getUnary() and
-        // REVIEW: Merge the two operand types.
-        opcode.toString() = instr.getOpcode().toString()
-      )
-      or
-      exists(IR::StoreInstruction instr | instr = expr |
-        operand = instr.getSourceValue() and
-        opcode instanceof Opcode::Store
-      )
+    exists(IR::UnaryInstruction instr | instr = expr.getUnconverted() |
+      type = getSemanticType(instr.getResultIRType()) and
+      operand = getSemanticExpr(instr.getUnary()) and
+      // REVIEW: Merge the two operand types.
+      opcode.toString() = instr.getOpcode().toString()
+    )
+    or
+    exists(IR::StoreInstruction instr | instr = expr.getUnconverted() |
+      type = getSemanticType(instr.getResultIRType()) and
+      operand = getSemanticExpr(instr.getSourceValue()) and
+      opcode instanceof Opcode::Store
    )
  }

  predicate nullaryExpr(Expr expr, Opcode opcode, SemType type) {
-    type = getSemanticType(expr.getResultIRType()) and
-    (
-      expr instanceof IR::LoadInstruction and opcode instanceof Opcode::Load
-      or
-      expr instanceof IR::InitializeParameterInstruction and
+    exists(IR::LoadInstruction load |
+      load = expr.getUnconverted() and
+      type = getSemanticType(load.getResultIRType()) and
+      opcode instanceof Opcode::Load
+    )
+    or
+    exists(IR::InitializeParameterInstruction init |
+      init = expr.getUnconverted() and
+      type = getSemanticType(init.getResultIRType()) and
      opcode instanceof Opcode::InitializeParameter
    )
  }
@@ -122,8 +207,10 @@ module SemanticExprConfig {
  newtype TSsaVariable =
    TSsaInstruction(IR::Instruction instr) { instr.hasMemoryResult() } or
    TSsaOperand(IR::Operand op) { op.isDefinitionInexact() } or
-    TSsaPointerArithmeticGuard(IR::PointerArithmeticInstruction instr) {
-      exists(Guard g, IR::Operand use | use = instr.getAUse() |
+    TSsaPointerArithmeticGuard(ValueNumber instr) {
+      exists(Guard g, IR::Operand use |
+        use = instr.getAUse() and use.getIRType() instanceof IR::IRAddressType
+      |
        g.comparesLt(use, _, _, _, _) or
        g.comparesLt(_, use, _, _, _) or
        g.comparesEq(use, _, _, _, _) or
@@ -138,7 +225,7 @@ module SemanticExprConfig {

    IR::Instruction asInstruction() { none() }

-    IR::PointerArithmeticInstruction asPointerArithGuard() { none() }
+    ValueNumber asPointerArithGuard() { none() }

    IR::Operand asOperand() { none() }
  }
@@ -156,15 +243,15 @@ module SemanticExprConfig {
  }

  class SsaPointerArithmeticGuard extends SsaVariable, TSsaPointerArithmeticGuard {
-    IR::PointerArithmeticInstruction instr;
+    ValueNumber vn;

-    SsaPointerArithmeticGuard() { this = TSsaPointerArithmeticGuard(instr) }
+    SsaPointerArithmeticGuard() { this = TSsaPointerArithmeticGuard(vn) }

-    final override string toString() { result = instr.toString() }
+    final override string toString() { result = vn.toString() }

-    final override Location getLocation() { result = instr.getLocation() }
+    final override Location getLocation() { result = vn.getLocation() }

-    final override IR::PointerArithmeticInstruction asPointerArithGuard() { result = instr }
+    final override ValueNumber asPointerArithGuard() { result = vn }
  }

  class SsaOperand extends SsaVariable, TSsaOperand {
@@ -179,7 +266,9 @@ module SemanticExprConfig {
    final override IR::Operand asOperand() { result = op }
  }

-  predicate explicitUpdate(SsaVariable v, Expr sourceExpr) { v.asInstruction() = sourceExpr }
+  predicate explicitUpdate(SsaVariable v, Expr sourceExpr) {
+    getSemanticExpr(v.asInstruction()) = sourceExpr
+  }

  predicate phi(SsaVariable v) { v.asInstruction() instanceof IR::PhiInstruction }

@@ -192,9 +281,9 @@ module SemanticExprConfig {
  }

  Expr getAUse(SsaVariable v) {
-    result.(IR::LoadInstruction).getSourceValue() = v.asInstruction()
+    result.getUnconverted().(IR::LoadInstruction).getSourceValue() = v.asInstruction()
    or
-    result = valueNumber(v.asPointerArithGuard()).getAnInstruction()
+    result.getUnconverted() = v.asPointerArithGuard().getAnInstruction()
  }

  SemType getSsaVariableType(SsaVariable v) {
@@ -236,7 +325,7 @@ module SemanticExprConfig {
    final override predicate hasRead(SsaVariable v) {
      exists(IR::Operand operand |
        operand.getDef() = v.asInstruction() or
-        operand.getDef() = valueNumber(v.asPointerArithGuard()).getAnInstruction()
+        operand.getDef() = v.asPointerArithGuard().getAnInstruction()
      |
        not operand instanceof IR::PhiInputOperand and
        operand.getUse().getBlock() = block
@@ -257,7 +346,7 @@ module SemanticExprConfig {
    final override predicate hasRead(SsaVariable v) {
      exists(IR::PhiInputOperand operand |
        operand.getDef() = v.asInstruction() or
-        operand.getDef() = valueNumber(v.asPointerArithGuard()).getAnInstruction()
+        operand.getDef() = v.asPointerArithGuard().getAnInstruction()
      |
        operand.getPredecessorBlock() = pred and
        operand.getUse().getBlock() = succ
@@ -303,17 +392,21 @@ module SemanticExprConfig {
  }

  Expr getBoundExpr(Bound bound, int delta) {
-    result = bound.(IRBound::Bound).getInstruction(delta)
+    result = getSemanticExpr(bound.(IRBound::Bound).getInstruction(delta))
  }

  class Guard = IRGuards::IRGuardCondition;

  predicate guard(Guard guard, BasicBlock block) { block = guard.getBlock() }

-  Expr getGuardAsExpr(Guard guard) { result = guard }
+  Expr getGuardAsExpr(Guard guard) { result = getSemanticExpr(guard) }

  predicate equalityGuard(Guard guard, Expr e1, Expr e2, boolean polarity) {
-    guard.comparesEq(e1.getAUse(), e2.getAUse(), 0, true, polarity)
+    exists(IR::Instruction left, IR::Instruction right |
+      getSemanticExpr(left) = e1 and
+      getSemanticExpr(right) = e2 and
+      guard.comparesEq(left.getAUse(), right.getAUse(), 0, true, polarity)
+    )
  }

  predicate guardDirectlyControlsBlock(Guard guard, BasicBlock controlled, boolean branch) {
@@ -324,16 +417,17 @@ module SemanticExprConfig {
    guard.controlsEdge(bb1, bb2, branch)
  }

-  Guard comparisonGuard(Expr e) { result = e }
+  Guard comparisonGuard(Expr e) { getSemanticExpr(result) = e }

  predicate implies_v2(Guard g1, boolean b1, Guard g2, boolean b2) {
    none() // TODO
  }
+
+  /** Gets the expression associated with `instr`. */
+  SemExpr getSemanticExpr(IR::Instruction instr) { result = Equiv::getEquivalenceClass(instr) }
 }

-SemExpr getSemanticExpr(IR::Instruction instr) { result = instr }
-
-IR::Instruction getCppInstruction(SemExpr e) { e = result }
+predicate getSemanticExpr = SemanticExprConfig::getSemanticExpr/1;

 SemBasicBlock getSemanticBasicBlock(IR::IRBlock block) { result = block }

--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticGuard.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticGuard.qll
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticLocation.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticLocation.qll
@@ -0,0 +1,23 @@
+private import semmle.code.cpp.Location
+
+class SemLocation instanceof Location {
+  /**
+   * Gets a textual representation of this element.
+   *
+   * The format is "file://filePath:startLine:startColumn:endLine:endColumn".
+   */
+  string toString() { result = super.toString() }
+
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+}
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .0.0
 .1.2
				`@@ -0,0 +1 @@`
				`import semmle.code.cpp.ir.internal.IRCppLanguageDebug as LanguageDebug`