Merge pull request #14630 from github/release-prep/2.15.2

Release preparation for version 2.15.2
2026-05-16 04:09:27 +02:00 · 2023-10-30 11:26:32 +00:00 · 2023-10-30 11:05:53 +00:00 · 2023-10-30 10:08:29 +00:00 · 2023-10-30 10:06:26 +00:00 · 2023-10-30 10:50:02 +01:00
4462 changed files with 317634 additions and 162987 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -17,3 +17,26 @@ updates:
    ignore:
      - dependency-name: '*'
        update-types: ['version-update:semver-patch', 'version-update:semver-minor']
+
+  - package-ecosystem: "gomod"
+    directory: "go/extractor"
+    schedule:
+      interval: "daily"
+    allow:
+      - dependency-name: "golang.org/x/mod"
+      - dependency-name: "golang.org/x/tools"
+    groups:
+      extractor-dependencies:
+        patterns:
+          - "golang.org/x/*"
+    reviewers:
+      - "github/codeql-go"
+
+  - package-ecosystem: "gomod"
+    directory: "go/ql/test"
+    schedule:
+      interval: "monthly"
+    ignore:
+      - dependency-name: "*"
+    reviewers:
+      - "github/codeql-go"
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -45,11 +45,7 @@ documentation:

 # Since these are all shared files that need to be synced, just pick _one_ copy of each.
 "DataFlow Library":
-  - "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll"
-  - "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll"
-  - "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
-  - "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll"
-  - "java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll"
+  - "shared/dataflow/**/*"

 "ATM":
  - javascript/ql/experimental/adaptivethreatmodeling/**/*
--- a/.github/workflows/check-change-note.yml
+++ b/.github/workflows/check-change-note.yml
@@ -9,26 +9,42 @@ on:
      - "*/ql/lib/**/*.ql"
      - "*/ql/lib/**/*.qll"
      - "*/ql/lib/**/*.yml"
+      - "shared/**/*.ql"
+      - "shared/**/*.qll"
      - "!**/experimental/**"
      - "!ql/**"
      - ".github/workflows/check-change-note.yml"

 jobs:
  check-change-note:
+    env: 
+      REPO: ${{ github.repository }}
+      PULL_REQUEST_NUMBER: ${{ github.event.number }}
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    runs-on: ubuntu-latest
    steps:
+
      - name: Fail if no change note found. To fix, either add one, or add the `no-change-note-required` label.
        if: |
          github.event.pull_request.draft == false &&
          !contains(github.event.pull_request.labels.*.name, 'no-change-note-required')
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
-          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' |
-          grep true -c
+          change_note_files=$(gh api "repos/$REPO/pulls/$PULL_REQUEST_NUMBER/files" --paginate --jq '.[].filename | select(test("/change-notes/.*[.]md$"))')
+          
+          if [ -z "$change_note_files" ]; then
+            echo "No change note found. Either add one, or add the 'no-change-note-required' label."
+            exit 1
+          fi
+
+          echo "Change notes found:"
+          echo "$change_note_files"
+
      - name: Fail if the change note filename doesn't match the expected format. The file name must be of the form 'YYYY-MM-DD.md', 'YYYY-MM-DD-{title}.md', where '{title}' is arbitrary text, or released/x.y.z.md for released change-notes
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
-          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq '[.[].filename | select(test("/change-notes/.*[.]md$"))] | all(test("/change-notes/[0-9]{4}-[0-9]{2}-[0-9]{2}.*[.]md$") or test("/change-notes/released/[0-9]*[.][0-9]*[.][0-9]*[.]md$"))' |
-          grep true -c
+          bad_change_note_file_names=$(gh api "repos/$REPO/pulls/$PULL_REQUEST_NUMBER/files" --paginate --jq '[.[].filename | select(test("/change-notes/.*[.]md$"))][] | select((test("/change-notes/[0-9]{4}-[0-9]{2}-[0-9]{2}.*[.]md$") or test("/change-notes/released/[0-9]*[.][0-9]*[.][0-9]*[.]md$")) | not)')
+
+          if [ -n "$bad_change_note_file_names" ]; then
+            echo "The following change note file names are invalid:"
+            echo "$bad_change_note_file_names"
+            exit 1
+          fi
--- a/.github/workflows/check-implicit-this.yml
+++ b/.github/workflows/check-implicit-this.yml
@@ -13,7 +13,7 @@ jobs:
  check:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - name: Check that implicit this warnings is enabled for all packs
        shell: bash
        run: |
--- a/.github/workflows/check-qldoc.yml
+++ b/.github/workflows/check-qldoc.yml
@@ -15,7 +15,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 2

--- a/.github/workflows/check-query-ids.yml
+++ b/.github/workflows/check-query-ids.yml
@@ -16,6 +16,6 @@ jobs:
    name: Check query IDs
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - name: Check for duplicate query IDs
        run: python3 misc/scripts/check-query-ids.py
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -33,7 +33,7 @@ jobs:
        dotnet-version: 7.0.102

    - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
--- a/.github/workflows/compile-queries.yml
+++ b/.github/workflows/compile-queries.yml
@@ -13,7 +13,7 @@ jobs:
    runs-on: ubuntu-latest-xl

    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - name: Setup CodeQL
        uses: ./.github/actions/fetch-codeql
        with:
@@ -29,9 +29,9 @@ jobs:
        # run with --check-only if running in a PR (github.sha != main)
        if : ${{ github.event_name == 'pull_request' }}
        shell: bash
-        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500
      - name: compile queries - full
        # do full compile if running on main - this populates the cache
        if : ${{ github.event_name != 'pull_request' }}
        shell: bash
-        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500
--- a/.github/workflows/csharp-qltest.yml
+++ b/.github/workflows/csharp-qltest.yml
@@ -29,7 +29,7 @@ jobs:
  qlupgrade:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - uses: ./.github/actions/fetch-codeql
      - name: Check DB upgrade scripts
        run: |
@@ -52,8 +52,7 @@ jobs:
      matrix:
        slice: ["1/2", "2/2"]
    steps:
-      - uses: actions/checkout@v3
-      - uses: ./.github/actions/fetch-codeql
+      - uses: actions/checkout@v4
      - uses: ./csharp/actions/create-extractor-pack
      - name: Cache compilation cache
        id: query-cache
@@ -62,25 +61,41 @@ jobs:
          key: csharp-qltest-${{ matrix.slice }}
      - name: Run QL tests
        run: |
-          CODEQL_PATH=$(gh codeql version --format=json | jq -r .unpackedLocation)
-          # The legacy ASP extractor is not in this repo, so take the one from the nightly build
-          mv "$CODEQL_PATH/csharp/tools/extractor-asp.jar" "${{ github.workspace }}/csharp/extractor-pack/tools"
-          # Safe guard against using the bundled extractor
-          rm -rf "$CODEQL_PATH/csharp"
-          codeql test run --threads=0 --ram 50000 --slice ${{ matrix.slice }} --search-path "${{ github.workspace }}/csharp/extractor-pack" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+          codeql test run --threads=0 --ram 50000 --slice ${{ matrix.slice }} --search-path extractor-pack --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
        env:
          GITHUB_TOKEN: ${{ github.token }}
  unit-tests:
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-2019]
+    runs-on: ${{ matrix.os }}
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - name: Setup dotnet
        uses: actions/setup-dotnet@v3
        with:
          dotnet-version: 7.0.102
      - name: Extractor unit tests
        run: |
-          dotnet test -p:RuntimeFrameworkVersion=7.0.2 "${{ github.workspace }}/csharp/extractor/Semmle.Util.Tests"
-          dotnet test -p:RuntimeFrameworkVersion=7.0.2 "${{ github.workspace }}/csharp/extractor/Semmle.Extraction.Tests"
-          dotnet test -p:RuntimeFrameworkVersion=7.0.2 "${{ github.workspace }}/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests"
+          dotnet test -p:RuntimeFrameworkVersion=7.0.2 extractor/Semmle.Util.Tests
+          dotnet test -p:RuntimeFrameworkVersion=7.0.2 extractor/Semmle.Extraction.Tests
+          dotnet test -p:RuntimeFrameworkVersion=7.0.2 autobuilder/Semmle.Autobuild.CSharp.Tests
          dotnet test -p:RuntimeFrameworkVersion=7.0.2 "${{ github.workspace }}/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests"
+        shell: bash
+  stubgentest:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./csharp/actions/create-extractor-pack
+      - name: Run stub generator tests
+        run: |
+          # Generate (Asp)NetCore stubs
+          STUBS_PATH=stubs_output
+          python3 scripts/stubs/make_stubs_nuget.py webapp Swashbuckle.AspNetCore.Swagger 6.5.0 "$STUBS_PATH"
+          rm -rf ql/test/resources/stubs/_frameworks
+          # Update existing stubs in the repo with the freshly generated ones
+          mv "$STUBS_PATH/output/stubs/_frameworks" ql/test/resources/stubs/
+          git status
+          codeql test run --threads=0 --search-path extractor-pack --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
--- a/.github/workflows/csv-coverage-metrics.yml
+++ b/.github/workflows/csv-coverage-metrics.yml
@@ -19,7 +19,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      - name: Setup CodeQL
        uses: ./.github/actions/fetch-codeql
      - name: Create empty database
@@ -47,7 +47,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      - name: Setup CodeQL
        uses: ./.github/actions/fetch-codeql
      - name: Create empty database
--- a/.github/workflows/csv-coverage-pr-artifacts.yml
+++ b/.github/workflows/csv-coverage-pr-artifacts.yml
@@ -31,11 +31,11 @@ jobs:
          GITHUB_CONTEXT: ${{ toJSON(github.event) }}
        run: echo "$GITHUB_CONTEXT"
      - name: Clone self (github/codeql) - MERGE
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          path: merge
      - name: Clone self (github/codeql) - BASE
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          fetch-depth: 2
          path: base
@@ -89,9 +89,32 @@ jobs:
      - name: Save PR number
        run: |
          mkdir -p pr
-          echo ${{ github.event.pull_request.number }} > pr/NR
+          echo ${PR_NUMBER} > pr/NR
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
      - name: Upload PR number
        uses: actions/upload-artifact@v3
        with:
          name: pr
          path: pr/
+      - name: Save comment ID (if it exists)
+        run: |
+          # Find the latest comment starting with COMMENT_PREFIX
+          COMMENT_PREFIX=":warning: The head of this PR and the base branch were compared for differences in the framework coverage reports."
+          COMMENT_ID=$(gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" --paginate | jq --arg prefix "${COMMENT_PREFIX}" 'map(select(.body|startswith($prefix)) | .id) | max // empty')
+          if [[ -z ${COMMENT_ID} ]]
+          then
+            echo "Comment not found. Not uploading 'comment/ID' artifact."
+          else
+            mkdir -p comment
+            echo ${COMMENT_ID} > comment/ID
+          fi
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+      - name: Upload comment ID (if it exists)
+        uses: actions/upload-artifact@v3
+        with:
+          name: comment
+          path: comment/
+          if-no-files-found: ignore
--- a/.github/workflows/csv-coverage-pr-comment.yml
+++ b/.github/workflows/csv-coverage-pr-comment.yml
@@ -20,7 +20,7 @@ jobs:
        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
      run: echo "$GITHUB_CONTEXT"
    - name: Clone self (github/codeql)
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
    - name: Set up Python 3.8
      uses: actions/setup-python@v4
      with:
--- a/.github/workflows/csv-coverage-timeseries.yml
+++ b/.github/workflows/csv-coverage-timeseries.yml
@@ -9,11 +9,11 @@ jobs:

    steps:
      - name: Clone self (github/codeql)
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          path: script
      - name: Clone self (github/codeql) for analysis
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          path: codeqlModels
          fetch-depth: 0
--- a/.github/workflows/csv-coverage-update.yml
+++ b/.github/workflows/csv-coverage-update.yml
@@ -17,7 +17,7 @@ jobs:
          GITHUB_CONTEXT: ${{ toJSON(github.event) }}
        run: echo "$GITHUB_CONTEXT"
      - name: Clone self (github/codeql)
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          path: ql
          fetch-depth: 0
--- a/.github/workflows/csv-coverage.yml
+++ b/.github/workflows/csv-coverage.yml
@@ -13,11 +13,11 @@ jobs:

    steps:
      - name: Clone self (github/codeql)
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          path: script
      - name: Clone self (github/codeql) for analysis
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          path: codeqlModels
          ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}
--- a/.github/workflows/fast-forward.yml
+++ b/.github/workflows/fast-forward.yml
@@ -25,7 +25,7 @@ jobs:
          exit 1

      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4

      - name: Git config
        shell: bash
--- a/.github/workflows/go-tests-other-os.yml
+++ b/.github/workflows/go-tests-other-os.yml
@@ -7,19 +7,21 @@ on:
      - .github/workflows/go-tests-other-os.yml
      - .github/actions/**
      - codeql-workspace.yml
+env:
+  GO_VERSION: '~1.21.0'
 jobs:
  test-mac:
    name: Test MacOS
    runs-on: macos-latest
    steps:
-      - name: Set up Go 1.20
+      - name: Set up Go ${{ env.GO_VERSION }}
        uses: actions/setup-go@v4
        with:
-          go-version: '1.20'
+          go-version: ${{ env.GO_VERSION }}
        id: go

      - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4

      - name: Set up CodeQL CLI
        uses: ./.github/actions/fetch-codeql
@@ -47,14 +49,14 @@ jobs:
    name: Test Windows
    runs-on: windows-latest-xl
    steps:
-      - name: Set up Go 1.20
+      - name: Set up Go ${{ env.GO_VERSION }}
        uses: actions/setup-go@v4
        with:
-          go-version: '1.20'
+          go-version: ${{ env.GO_VERSION }}
        id: go

      - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4

      - name: Set up CodeQL CLI
        uses: ./.github/actions/fetch-codeql
--- a/.github/workflows/go-tests.yml
+++ b/.github/workflows/go-tests.yml
@@ -15,19 +15,21 @@ on:
      - .github/workflows/go-tests.yml
      - .github/actions/**
      - codeql-workspace.yml
+env:
+  GO_VERSION: '~1.21.0'
 jobs:
  test-linux:
    name: Test Linux (Ubuntu)
    runs-on: ubuntu-latest-xl
    steps:
-      - name: Set up Go 1.20
+      - name: Set up Go ${{ env.GO_VERSION }}
        uses: actions/setup-go@v4
        with:
-          go-version: '1.20'
+          go-version: ${{ env.GO_VERSION }}
        id: go

      - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4

      - name: Set up CodeQL CLI
        uses: ./.github/actions/fetch-codeql
--- a/.github/workflows/js-ml-tests.yml
+++ b/.github/workflows/js-ml-tests.yml
@@ -1,65 +0,0 @@
-name: JS ML-powered queries tests
-
-on:
-  push:
-    paths:
-      - "javascript/ql/experimental/adaptivethreatmodeling/**"
-      - .github/workflows/js-ml-tests.yml
-      - .github/actions/fetch-codeql/action.yml
-      - codeql-workspace.yml
-    branches:
-      - main
-      - "rc/*"
-  pull_request:
-    paths:
-      - "javascript/ql/experimental/adaptivethreatmodeling/**"
-      - .github/workflows/js-ml-tests.yml
-      - .github/actions/fetch-codeql/action.yml
-      - codeql-workspace.yml
-  workflow_dispatch:
-
-defaults:
-  run:
-    working-directory: javascript/ql/experimental/adaptivethreatmodeling
-
-jobs:
-  qltest:
-    name: Test QL
-    runs-on: ubuntu-latest-xl
-    steps:
-      - uses: actions/checkout@v3
-
-      - uses: ./.github/actions/fetch-codeql
-
-      - name: Install pack dependencies
-        run: |
-          for pack in modelbuilding src test; do
-            codeql pack install --mode verify -- "${pack}"
-          done
-      
-      - name: Cache compilation cache
-        id: query-cache
-        uses: ./.github/actions/cache-query-compilation
-        with: 
-          key: js-ml-test
-
-      - name: Check QL compilation
-        run: |
-          codeql query compile \
-            --check-only \
-            --ram 50000 \
-            --additional-packs "${{ github.workspace }}" \
-            --threads=0 \
-            --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" \
-            -- \
-            lib modelbuilding src
-
-      - name: Run QL tests
-        run: |
-          codeql test run \
-            --threads=0 \
-            --ram 50000 \
-            --additional-packs "${{ github.workspace }}" \
-            --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" \
-            -- \
-            test
--- a/.github/workflows/mad_modelDiff.yml
+++ b/.github/workflows/mad_modelDiff.yml
@@ -27,12 +27,12 @@ jobs:
        slug: ${{fromJson(github.event.inputs.projects || '["apache/commons-codec", "apache/commons-io", "apache/commons-beanutils", "apache/commons-logging", "apache/commons-fileupload", "apache/commons-lang", "apache/commons-validator", "apache/commons-csv", "apache/dubbo"]' )}}
    steps:
      - name: Clone github/codeql from PR
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        if: github.event.pull_request
        with:
          path: codeql-pr
      - name: Clone github/codeql from main
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          path: codeql-main
          ref: main
--- a/.github/workflows/mad_regenerate-models.yml
+++ b/.github/workflows/mad_regenerate-models.yml
@@ -27,11 +27,11 @@ jobs:
            ref: "placeholder"
    steps:
      - name: Clone self (github/codeql)
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      - name: Setup CodeQL binaries
        uses: ./.github/actions/fetch-codeql
      - name: Clone repositories
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          path: repos/${{ matrix.ref }}
          ref: ${{ matrix.ref }}
--- a/.github/workflows/qhelp-pr-preview.yml
+++ b/.github/workflows/qhelp-pr-preview.yml
@@ -43,7 +43,7 @@ jobs:
          if-no-files-found: error
          retention-days: 1

-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 2
          persist-credentials: false
--- a/.github/workflows/ql-for-ql-build.yml
+++ b/.github/workflows/ql-for-ql-build.yml
@@ -14,7 +14,7 @@ jobs:
    runs-on: ubuntu-latest-xl
    steps:
      ### Build the queries ###
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Find codeql
--- a/.github/workflows/ql-for-ql-dataset_measure.yml
+++ b/.github/workflows/ql-for-ql-dataset_measure.yml
@@ -21,7 +21,7 @@ jobs:
          - github/codeql
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4

      - name: Find codeql
        id: find-codeql
@@ -42,7 +42,7 @@ jobs:
        env:
          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
      - name: Checkout ${{ matrix.repo }}
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          repository: ${{ matrix.repo }}
          path: ${{ github.workspace }}/repo
@@ -71,7 +71,7 @@ jobs:
    runs-on: ubuntu-latest
    needs: measure
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v3
        with:
          name: measurements
--- a/.github/workflows/ql-for-ql-tests.yml
+++ b/.github/workflows/ql-for-ql-tests.yml
@@ -21,7 +21,7 @@ jobs:
  qltest:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - name: Find codeql
        id: find-codeql
        uses: github/codeql-action/init@v2
@@ -61,7 +61,7 @@ jobs:
    needs: [qltest]
    runs-on: ${{ matrix.os }}
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - name: Install GNU tar 
        if: runner.os == 'macOS'
        run: |
--- a/.github/workflows/query-list.yml
+++ b/.github/workflows/query-list.yml
@@ -20,7 +20,7 @@ jobs:

    steps:
    - name: Clone self (github/codeql)
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
      with:
        path: codeql 
    - name: Set up Python 3.8
--- a/.github/workflows/ruby-build.yml
+++ b/.github/workflows/ruby-build.yml
@@ -42,7 +42,7 @@ jobs:
    runs-on: ${{ matrix.os }}

    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - name: Install GNU tar
        if: runner.os == 'macOS'
        run: |
@@ -113,7 +113,7 @@ jobs:
  compile-queries:
    runs-on: ubuntu-latest-xl
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - name: Fetch CodeQL
        uses: ./.github/actions/fetch-codeql
      - name: Cache compilation cache
@@ -145,7 +145,7 @@ jobs:
    runs-on: ubuntu-latest
    needs: [build, compile-queries]
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v3
        with:
          name: ruby.dbscheme
@@ -206,7 +206,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    needs: [package]
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - name: Fetch CodeQL
        uses: ./.github/actions/fetch-codeql

--- a/.github/workflows/ruby-dataset-measure.yml
+++ b/.github/workflows/ruby-dataset-measure.yml
@@ -27,14 +27,14 @@ jobs:
        repo: [rails/rails, discourse/discourse, spree/spree, ruby/ruby]
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4

      - uses: ./.github/actions/fetch-codeql

      - uses: ./ruby/actions/create-extractor-pack

      - name: Checkout ${{ matrix.repo }}
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          repository: ${{ matrix.repo }}
          path: ${{ github.workspace }}/repo
@@ -59,7 +59,7 @@ jobs:
    runs-on: ubuntu-latest
    needs: measure
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v3
        with:
          name: measurements
--- a/.github/workflows/ruby-qltest.yml
+++ b/.github/workflows/ruby-qltest.yml
@@ -14,6 +14,7 @@ on:
  pull_request:
    paths:
      - "ruby/**"
+      - "shared/**"
      - .github/workflows/ruby-qltest.yml
      - .github/actions/fetch-codeql/action.yml
      - codeql-workspace.yml
@@ -32,7 +33,7 @@ jobs:
  qlupgrade:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - uses: ./.github/actions/fetch-codeql
      - name: Check DB upgrade scripts
        run: |
@@ -53,7 +54,7 @@ jobs:
    strategy:
      fail-fast: false
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - uses: ./.github/actions/fetch-codeql
      - uses: ./ruby/actions/create-extractor-pack
      - name: Cache compilation cache
--- a/.github/workflows/swift.yml
+++ b/.github/workflows/swift.yml
@@ -39,31 +39,31 @@ jobs:
  build-and-test-macos:
    runs-on: macos-12-xl
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - uses: ./swift/actions/build-and-test
  build-and-test-linux:
    runs-on: ubuntu-latest-xl
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - uses: ./swift/actions/build-and-test
  qltests-linux:
    needs: build-and-test-linux
    runs-on: ubuntu-latest-xl
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - uses: ./swift/actions/run-ql-tests
  qltests-macos:
    if : ${{ github.event_name == 'pull_request' }}
    needs: build-and-test-macos
    runs-on: macos-12-xl
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - uses: ./swift/actions/run-ql-tests
  integration-tests-linux:
    needs: build-and-test-linux
    runs-on: ubuntu-latest-xl
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - uses: ./swift/actions/run-integration-tests
  integration-tests-macos:
    if : ${{ github.event_name == 'pull_request' }}
@@ -71,13 +71,13 @@ jobs:
    runs-on: macos-12-xl
    timeout-minutes: 60
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - uses: ./swift/actions/run-integration-tests
  codegen:
    if : ${{ github.event_name == 'pull_request' }}
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - uses: bazelbuild/setup-bazelisk@v2
      - uses: actions/setup-python@v4
        with:
@@ -102,6 +102,6 @@ jobs:
    if : ${{ github.event_name == 'pull_request' }}
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - uses: ./.github/actions/fetch-codeql
      - uses: ./swift/actions/database-upgrade-scripts
--- a/.github/workflows/sync-files.yml
+++ b/.github/workflows/sync-files.yml
@@ -14,7 +14,7 @@ jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - name: Check synchronized files
        run: python config/sync-files.py
      - name: Check dbscheme fragments
--- a/.github/workflows/tree-sitter-extractor-test.yml
+++ b/.github/workflows/tree-sitter-extractor-test.yml
@@ -27,7 +27,7 @@ jobs:
  test:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - name: Check formatting
        run: cargo fmt --all -- --check
      - name: Run tests
@@ -35,12 +35,12 @@ jobs:
  fmt:
    runs-on: ubuntu-latest  
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - name: Check formatting
        run: cargo fmt --check
  clippy:
    runs-on: ubuntu-latest  
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - name: Run clippy
        run: cargo clippy -- --no-deps -D warnings -A clippy::new_without_default -A clippy::too_many_arguments
--- a/.github/workflows/validate-change-notes.yml
+++ b/.github/workflows/validate-change-notes.yml
@@ -20,7 +20,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4

      - name: Setup CodeQL
        uses: ./.github/actions/fetch-codeql
--- a/codeql-workspace.yml
+++ b/codeql-workspace.yml
@@ -4,7 +4,9 @@ provide:
  - "*/ql/test/qlpack.yml"
  - "*/ql/examples/qlpack.yml"
  - "*/ql/consistency-queries/qlpack.yml"
-  - "shared/*/qlpack.yml"
+  - "*/ql/automodel/src/qlpack.yml"
+  - "*/ql/automodel/test/qlpack.yml"
+  - "shared/**/qlpack.yml"
  - "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml"
  - "go/ql/config/legacy-support/qlpack.yml"
  - "go/build/codeql-extractor-go/codeql-extractor.yml"
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -22,27 +22,14 @@
    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll",
    "go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl1.qll",
    "go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl2.qll",
-    "go/ql/lib/semmle/go/dataflow/internal/DataFlowImplForStringsNewReplacer.qll",
    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl1.qll",
    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll",
    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll",
    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll",
    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl1.qll",
    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForHttpClientLibraries.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForPathname.qll",
    "swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl1.qll"
  ],
-  "TaintTracking Java/C++/C#/Go/Python/Ruby/Swift": [
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTracking.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTracking.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTracking.qll",
-    "go/ql/lib/semmle/go/dataflow/internal/tainttracking1/TaintTracking.qll",
-    "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTracking.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking1/TaintTracking.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/tainttracking1/TaintTracking.qll",
-    "swift/ql/lib/codeql/swift/dataflow/internal/tainttracking1/TaintTracking.qll"
-  ],
  "TaintTracking Legacy Configuration Java/C++/C#/Go/Python/Ruby/Swift": [
    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
@@ -66,15 +53,6 @@
    "ruby/ql/lib/codeql/ruby/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
    "swift/ql/lib/codeql/swift/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
  ],
-  "DataFlow Java/C++/C#/Python/Ruby/Swift Consistency checks": [
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplConsistency.qll",
-    "swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImplConsistency.qll"
-  ],
  "DataFlow Java/C#/Go/Ruby/Python/Swift Flow Summaries": [
    "java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll",
@@ -484,10 +462,6 @@
    "ruby/ql/lib/codeql/ruby/security/internal/SensitiveDataHeuristics.qll",
    "swift/ql/lib/codeql/swift/security/internal/SensitiveDataHeuristics.qll"
  ],
-  "CFG": [
-    "csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImplShared.qll",
-    "swift/ql/lib/codeql/swift/controlflow/internal/ControlFlowGraphImplShared.qll"
-  ],
  "TypeTracker": [
    "python/ql/lib/semmle/python/dataflow/new/internal/TypeTracker.qll",
    "ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll"
@@ -524,22 +498,6 @@
    "ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModelsExtensions.qll",
    "python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModelsExtensions.qll"
  ],
-  "TaintedFormatStringQuery Ruby/JS": [
-    "javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringQuery.qll",
-    "ruby/ql/lib/codeql/ruby/security/TaintedFormatStringQuery.qll"
-  ],
-  "TaintedFormatStringCustomizations Ruby/JS": [
-    "javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringCustomizations.qll",
-    "ruby/ql/lib/codeql/ruby/security/TaintedFormatStringCustomizations.qll"
-  ],
-  "HttpToFileAccessQuery JS/Ruby": [
-    "javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessQuery.qll",
-    "ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll"
-  ],
-  "HttpToFileAccessCustomizations JS/Ruby": [
-    "javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessCustomizations.qll",
-    "ruby/ql/lib/codeql/ruby/security/HttpToFileAccessCustomizations.qll"
-  ],
  "Typo database": [
    "javascript/ql/src/Expressions/TypoDatabase.qll",
    "ql/ql/src/codeql_ql/style/TypoDatabase.qll"
@@ -571,5 +529,9 @@
  "EncryptionKeySizes Python/Java": [
    "python/ql/lib/semmle/python/security/internal/EncryptionKeySizes.qll",
    "java/ql/lib/semmle/code/java/security/internal/EncryptionKeySizes.qll"
+  ],
+  "Python model summaries test extension": [
+    "python/ql/test/experimental/dataflow/model-summaries/InlineTaintTest.ext.yml",
+    "python/ql/test/experimental/dataflow/model-summaries/NormalDataflowTest.ext.yml"
  ]
-}
+}
--- a/cpp/BUILD.bazel
+++ b/cpp/BUILD.bazel
@@ -1,12 +1,17 @@
-package(default_visibility = ["//visibility:public"])
-
 load("@rules_pkg//:mappings.bzl", "pkg_filegroup")

+package(default_visibility = ["//visibility:public"])
+
 alias(
    name = "dbscheme",
    actual = "//cpp/ql/lib:dbscheme",
 )

+alias(
+    name = "dbscheme-stats",
+    actual = "//cpp/ql/lib:dbscheme-stats",
+)
+
 pkg_filegroup(
    name = "db-files",
    srcs = [
--- a/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/BuildScripts.cs
+++ b/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/BuildScripts.cs
@@ -327,7 +327,7 @@ namespace Semmle.Autobuild.Cpp.Tests
        {
            Actions.RunProcess[@"cmd.exe /C nuget restore C:\Project\test.sln -DisableParallelProcessing"] = 1;
            Actions.RunProcess[@"cmd.exe /C C:\Project\.nuget\nuget.exe restore C:\Project\test.sln -DisableParallelProcessing"] = 0;
-            Actions.RunProcess[@"cmd.exe /C CALL ^""C:\Program Files ^(x86^)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat^"" && set Platform=&& type NUL && msbuild C:\Project\test.sln /t:rebuild /p:Platform=""x86"" /p:Configuration=""Release"""] = 0;
+            Actions.RunProcess[@"cmd.exe /C CALL ^""C:\Program^ Files^ ^(x86^)\Microsoft^ Visual^ Studio^ 14.0\VC\vcvarsall.bat^"" && set Platform=&& type NUL && msbuild C:\Project\test.sln /t:rebuild /p:Platform=""x86"" /p:Configuration=""Release"""] = 0;
            Actions.RunProcessOut[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = "";
            Actions.RunProcess[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = 1;
            Actions.RunProcess[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationVersion"] = 0;
--- a/cpp/downgrades/5b388693c66db1e7dc2e76a90aa67a2b6eb74f0f/builtintypes.ql
+++ b/cpp/downgrades/5b388693c66db1e7dc2e76a90aa67a2b6eb74f0f/builtintypes.ql
@@ -0,0 +1,19 @@
+class BuiltinType extends @builtintype {
+  string toString() { none() }
+}
+
+from BuiltinType type, string name, int kind, int kind_new, int size, int sign, int alignment
+where
+  builtintypes(type, name, kind, size, sign, alignment) and
+  if
+    type instanceof @fp16 or
+    type instanceof @std_bfloat16 or
+    type instanceof @std_float16 or
+    type instanceof @complex_std_float32 or
+    type instanceof @complex_float32x or
+    type instanceof @complex_std_float64 or
+    type instanceof @complex_float64x or
+    type instanceof @complex_std_float128
+  then kind_new = 2
+  else kind_new = kind
+select type, name, kind_new, size, sign, alignment
--- a/cpp/downgrades/5b388693c66db1e7dc2e76a90aa67a2b6eb74f0f/old.dbscheme
+++ b/cpp/downgrades/5b388693c66db1e7dc2e76a90aa67a2b6eb74f0f/old.dbscheme
--- a/cpp/downgrades/5b388693c66db1e7dc2e76a90aa67a2b6eb74f0f/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/5b388693c66db1e7dc2e76a90aa67a2b6eb74f0f/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/5b388693c66db1e7dc2e76a90aa67a2b6eb74f0f/upgrade.properties
+++ b/cpp/downgrades/5b388693c66db1e7dc2e76a90aa67a2b6eb74f0f/upgrade.properties
@@ -0,0 +1,3 @@
+description: Introduce new floating-point types from C23 and C++23
+compatibility: backwards
+builtintypes.rel: run builtintypes.qlo
--- a/cpp/downgrades/dbe9c8eb5fc6f54b7ae08c7317d0795b24961564/old.dbscheme
+++ b/cpp/downgrades/dbe9c8eb5fc6f54b7ae08c7317d0795b24961564/old.dbscheme
--- a/cpp/downgrades/dbe9c8eb5fc6f54b7ae08c7317d0795b24961564/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/dbe9c8eb5fc6f54b7ae08c7317d0795b24961564/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/dbe9c8eb5fc6f54b7ae08c7317d0795b24961564/upgrade.properties
+++ b/cpp/downgrades/dbe9c8eb5fc6f54b7ae08c7317d0795b24961564/upgrade.properties
@@ -0,0 +1,2 @@
+description: Make __is_trivial a builtin operation
+compatibility: full
--- a/cpp/downgrades/f79ce79e3b751aeeed59e594633ba5c07a27ef3e/old.dbscheme
+++ b/cpp/downgrades/f79ce79e3b751aeeed59e594633ba5c07a27ef3e/old.dbscheme
--- a/cpp/downgrades/f79ce79e3b751aeeed59e594633ba5c07a27ef3e/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/f79ce79e3b751aeeed59e594633ba5c07a27ef3e/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/f79ce79e3b751aeeed59e594633ba5c07a27ef3e/upgrade.properties
+++ b/cpp/downgrades/f79ce79e3b751aeeed59e594633ba5c07a27ef3e/upgrade.properties
@@ -0,0 +1,3 @@
+description: Introduce extractor version numbers
+compatibility: breaking
+extractor_version.rel: delete
--- a/cpp/ql/lib/BUILD.bazel
+++ b/cpp/ql/lib/BUILD.bazel
@@ -1,7 +1,7 @@
-package(default_visibility = ["//cpp:__pkg__"])
-
 load("@rules_pkg//:mappings.bzl", "pkg_files")

+package(default_visibility = ["//cpp:__pkg__"])
+
 pkg_files(
    name = "dbscheme",
    srcs = ["semmlecode.cpp.dbscheme"],
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,58 @@
+## 0.11.0
+
+### Breaking Changes
+
+* The `Container` and `Folder` classes now derive from `ElementBase` instead of `Locatable`, and no longer expose the `getLocation` predicate. Use `getURL` instead.
+
+### New Features
+
+* Added a new class `AdditionalCallTarget` for specifying additional call targets.
+
+### Minor Analysis Improvements
+
+* More field accesses are identified as `ImplicitThisFieldAccess`.
+* Added support for new floating-point types in C23 and C++23.
+
+## 0.10.1
+
+### Minor Analysis Improvements
+
+* Deleted the deprecated `AnalysedString` class, use the new name `AnalyzedString`.
+* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
+
+## 0.10.0
+
+### Minor Analysis Improvements
+
+* Functions that do not return due to calling functions that don't return (e.g. `exit`) are now detected as
+ non-returning in the IR and dataflow.
+* Treat functions that reach the end of the function as returning in the IR.
+  They used to be treated as unreachable but it is allowed in C. 
+* The `DataFlow::asDefiningArgument` predicate now takes its argument from the range starting at `1` instead of `2`. Queries that depend on the single-parameter version of `DataFlow::asDefiningArgument` should have their arguments updated accordingly.
+
+## 0.9.3
+
+No user-facing changes.
+
+## 0.9.2
+
+### Deprecated APIs
+
+* `getAllocatorCall` on `DeleteExpr` and `DeleteArrayExpr` has been deprecated. `getDeallocatorCall` should be used instead.
+
+### New Features
+
+* Added `DeleteOrDeleteArrayExpr` as a super type of `DeleteExpr` and `DeleteArrayExpr`
+
+### Minor Analysis Improvements
+
+* `delete` and `delete[]` are now modeled as calls to the relevant `operator delete` in the IR. In the case of a dynamic delete call a new instruction `VirtualDeleteFunctionAddress` is used to represent a function that dispatches to the correct delete implementation.
+* Only the 2 level indirection of `argv` (corresponding to `**argv`) is consided for `FlowSource`.
+
+## 0.9.1
+
+No user-facing changes.
+
 ## 0.9.0

 ### Breaking Changes
--- a/cpp/ql/lib/change-notes/released/0.10.0.md
+++ b/cpp/ql/lib/change-notes/released/0.10.0.md
@@ -0,0 +1,9 @@
+## 0.10.0
+
+### Minor Analysis Improvements
+
+* Functions that do not return due to calling functions that don't return (e.g. `exit`) are now detected as
+ non-returning in the IR and dataflow.
+* Treat functions that reach the end of the function as returning in the IR.
+  They used to be treated as unreachable but it is allowed in C. 
+* The `DataFlow::asDefiningArgument` predicate now takes its argument from the range starting at `1` instead of `2`. Queries that depend on the single-parameter version of `DataFlow::asDefiningArgument` should have their arguments updated accordingly.
--- a/cpp/ql/lib/change-notes/released/0.10.1.md
+++ b/cpp/ql/lib/change-notes/released/0.10.1.md
@@ -0,0 +1,6 @@
+## 0.10.1
+
+### Minor Analysis Improvements
+
+* Deleted the deprecated `AnalysedString` class, use the new name `AnalyzedString`.
+* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
--- a/cpp/ql/lib/change-notes/released/0.11.0.md
+++ b/cpp/ql/lib/change-notes/released/0.11.0.md
@@ -0,0 +1,14 @@
+## 0.11.0
+
+### Breaking Changes
+
+* The `Container` and `Folder` classes now derive from `ElementBase` instead of `Locatable`, and no longer expose the `getLocation` predicate. Use `getURL` instead.
+
+### New Features
+
+* Added a new class `AdditionalCallTarget` for specifying additional call targets.
+
+### Minor Analysis Improvements
+
+* More field accesses are identified as `ImplicitThisFieldAccess`.
+* Added support for new floating-point types in C23 and C++23.
--- a/cpp/ql/lib/change-notes/released/0.9.1.md
+++ b/cpp/ql/lib/change-notes/released/0.9.1.md
@@ -0,0 +1,3 @@
+## 0.9.1
+
+No user-facing changes.
--- a/cpp/ql/lib/change-notes/released/0.9.2.md
+++ b/cpp/ql/lib/change-notes/released/0.9.2.md
@@ -0,0 +1,14 @@
+## 0.9.2
+
+### Deprecated APIs
+
+* `getAllocatorCall` on `DeleteExpr` and `DeleteArrayExpr` has been deprecated. `getDeallocatorCall` should be used instead.
+
+### New Features
+
+* Added `DeleteOrDeleteArrayExpr` as a super type of `DeleteExpr` and `DeleteArrayExpr`
+
+### Minor Analysis Improvements
+
+* `delete` and `delete[]` are now modeled as calls to the relevant `operator delete` in the IR. In the case of a dynamic delete call a new instruction `VirtualDeleteFunctionAddress` is used to represent a function that dispatches to the correct delete implementation.
+* Only the 2 level indirection of `argv` (corresponding to `**argv`) is consided for `FlowSource`.
--- a/cpp/ql/lib/change-notes/released/0.9.3.md
+++ b/cpp/ql/lib/change-notes/released/0.9.3.md
@@ -0,0 +1,3 @@
+## 0.9.3
+
+No user-facing changes.
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.9.0
+lastReleaseVersion: 0.11.0
--- a/cpp/ql/lib/experimental/cryptography/Concepts.qll
+++ b/cpp/ql/lib/experimental/cryptography/Concepts.qll
@@ -0,0 +1,3 @@
+import experimental.cryptography.CryptoArtifact
+import experimental.cryptography.CryptoAlgorithmNames
+import experimental.cryptography.modules.OpenSSL as OpenSSL
--- a/cpp/ql/lib/experimental/cryptography/CryptoAlgorithmNames.qll
+++ b/cpp/ql/lib/experimental/cryptography/CryptoAlgorithmNames.qll
@@ -0,0 +1,239 @@
+/**
+ * Names of known cryptographic algorithms.
+ * The names are standardized into upper-case, no spaces, dashes or underscores.
+ */
+
+/**
+ * Returns a string to represent generally unknown algorithms.
+ * Predicate is to be used to get a consistent string representation
+ * for unknown algorithms.
+ */
+string unknownAlgorithm() { result = "UNKNOWN" }
+
+string getHashType() { result = "HASH" }
+
+string getSymmetricEncryptionType() { result = "SYMMETRIC_ENCRYPTION" }
+
+string getAsymmetricEncryptionType() { result = "ASYMMETRIC_ENCRYPTION" }
+
+string getKeyDerivationType() { result = "KEY_DERIVATION" }
+
+string getCipherBlockModeType() { result = "BLOCK_MODE" }
+
+string getSymmetricPaddingType() { result = "SYMMETRIC_PADDING" }
+
+string getAsymmetricPaddingType() { result = "ASYMMETRIC_PADDING" }
+
+string getEllipticCurveType() { result = "ELLIPTIC_CURVE" }
+
+string getSignatureType() { result = "SIGNATURE" }
+
+string getKeyExchangeType() { result = "KEY_EXCHANGE" }
+
+string getAsymmetricType() {
+  result in [
+      getAsymmetricEncryptionType(), getSignatureType(), getKeyExchangeType(),
+      getEllipticCurveType()
+    ]
+}
+
+predicate isKnownType(string algType) {
+  algType in [
+      getHashType(), getSymmetricEncryptionType(), getAsymmetricEncryptionType(),
+      getKeyDerivationType(), getCipherBlockModeType(), getSymmetricPaddingType(),
+      getAsymmetricPaddingType(), getEllipticCurveType(), getSignatureType(), getKeyExchangeType()
+    ]
+}
+
+predicate isKnownAlgorithm(string name) { isKnownAlgorithm(name, _) }
+
+predicate isKnownAlgorithm(string name, string algType) {
+  isHashingAlgorithm(name) and algType = "HASH"
+  or
+  isEncryptionAlgorithm(name, algType) and
+  algType in ["SYMMETRIC_ENCRYPTION", "ASYMMETRIC_ENCRYPTION"]
+  or
+  isKeyDerivationAlgorithm(name) and algType = "KEY_DERIVATION"
+  or
+  isCipherBlockModeAlgorithm(name) and algType = "BLOCK_MODE"
+  or
+  isPaddingAlgorithm(name, algType) and algType in ["SYMMETRIC_PADDING", "ASYMMETRIC_PADDING"]
+  or
+  isEllipticCurveAlgorithm(name) and algType = "ELLIPTIC_CURVE"
+  or
+  isSignatureAlgorithm(name) and algType = "SIGNATURE"
+  or
+  isKeyExchangeAlgorithm(name) and algType = "KEY_EXCHANGE"
+}
+
+/**
+ * Holds if `name` is a known hashing algorithm in the model/library.
+ */
+predicate isHashingAlgorithm(string name) {
+  name =
+    [
+      "BLAKE2", "BLAKE2B", "BLAKE2S", "SHA2", "SHA224", "SHA256", "SHA384", "SHA512", "SHA512224",
+      "SHA512256", "SHA3", "SHA3224", "SHA3256", "SHA3384", "SHA3512", "SHAKE128", "SHAKE256",
+      "SM3", "WHIRLPOOL", "POLY1305", "HAVEL128", "MD2", "MD4", "MD5", "PANAMA", "RIPEMD",
+      "RIPEMD128", "RIPEMD256", "RIPEMD160", "RIPEMD320", "SHA0", "SHA1", "SHA", "MGF1", "MGF1SHA1",
+      "MDC2", "SIPHASH"
+    ]
+}
+
+predicate isEncryptionAlgorithm(string name, string algType) {
+  isAsymmetricEncryptionAlgorithm(name) and algType = "ASYMMETRIC_ENCRYPTION"
+  or
+  isSymmetricEncryptionAlgorithm(name) and algType = "SYMMETRIC_ENCRYPTION"
+}
+
+predicate isEncryptionAlgorithm(string name) { isEncryptionAlgorithm(name, _) }
+
+/**
+ * Holds if `name` corresponds to a known symmetric encryption algorithm.
+ */
+predicate isSymmetricEncryptionAlgorithm(string name) {
+  // NOTE: AES is meant to caputure all possible key lengths
+  name =
+    [
+      "AES", "AES128", "AES192", "AES256", "ARIA", "BLOWFISH", "BF", "ECIES", "CAST", "CAST5",
+      "CAMELLIA", "CAMELLIA128", "CAMELLIA192", "CAMELLIA256", "CHACHA", "CHACHA20",
+      "CHACHA20POLY1305", "GOST", "GOSTR34102001", "GOSTR341094", "GOSTR341194", "GOST2814789",
+      "GOSTR341194", "GOST2814789", "GOST28147", "GOSTR341094", "GOST89", "GOST94", "GOST34102012",
+      "GOST34112012", "IDEA", "RABBIT", "SEED", "SM4", "DES", "DESX", "3DES", "TDES", "2DES",
+      "DES3", "TRIPLEDES", "TDEA", "TRIPLEDEA", "ARC2", "RC2", "ARC4", "RC4", "ARCFOUR", "ARC5",
+      "RC5", "MAGMA", "KUZNYECHIK"
+    ]
+}
+
+/**
+ * Holds if `name` corresponds to a known key derivation algorithm.
+ */
+predicate isKeyDerivationAlgorithm(string name) {
+  name =
+    [
+      "ARGON2", "CONCATKDF", "CONCATKDFHASH", "CONCATKDFHMAC", "KBKDFCMAC", "BCRYPT", "HKDF",
+      "HKDFEXPAND", "KBKDF", "KBKDFHMAC", "PBKDF1", "PBKDF2", "PBKDF2HMAC", "PKCS5", "SCRYPT",
+      "X963KDF", "EVPKDF"
+    ]
+}
+
+/**
+ * Holds if `name` corresponds to a known cipher block mode
+ */
+predicate isCipherBlockModeAlgorithm(string name) {
+  name = ["CBC", "GCM", "CCM", "CFB", "OFB", "CFB8", "CTR", "OPENPGP", "XTS", "EAX", "SIV", "ECB"]
+}
+
+/**
+ * Holds if `name` corresponds to a known padding algorithm
+ */
+predicate isPaddingAlgorithm(string name, string algType) {
+  isSymmetricPaddingAlgorithm(name) and algType = "SYMMETRIC_PADDING"
+  or
+  isAsymmetricPaddingAlgorithm(name) and algType = "ASYMMETRIC_PADDING"
+}
+
+/**
+ * holds if `name` corresponds to a known symmetric padding algorithm
+ */
+predicate isSymmetricPaddingAlgorithm(string name) { name = ["PKCS7", "ANSIX923"] }
+
+/**
+ * Holds if `name` corresponds to a known asymmetric padding algorithm
+ */
+predicate isAsymmetricPaddingAlgorithm(string name) { name = ["OAEP", "PKCS1V15", "PSS", "KEM"] }
+
+predicate isBrainpoolCurve(string curveName, int keySize) {
+  // ALL BRAINPOOL CURVES
+  keySize in [160, 192, 224, 256, 320, 384, 512] and
+  (
+    curveName = "BRAINPOOLP" + keySize.toString() + "R1"
+    or
+    curveName = "BRAINPOOLP" + keySize.toString() + "T1"
+  )
+}
+
+predicate isSecCurve(string curveName, int keySize) {
+  // ALL SEC CURVES
+  keySize in [112, 113, 128, 131, 160, 163, 192, 193, 224, 233, 239, 256, 283, 384, 409, 521, 571] and
+  exists(string suff | suff in ["R1", "R2", "K1"] |
+    curveName = "SECT" + keySize.toString() + suff or
+    curveName = "SECP" + keySize.toString() + suff
+  )
+}
+
+predicate isC2Curve(string curveName, int keySize) {
+  // ALL C2 CURVES
+  keySize in [163, 176, 191, 208, 239, 272, 304, 359, 368, 431] and
+  exists(string pre, string suff |
+    pre in ["PNB", "ONB", "TNB"] and suff in ["V1", "V2", "V3", "V4", "V5", "W1", "R1"]
+  |
+    curveName = "C2" + pre + keySize.toString() + suff
+  )
+}
+
+predicate isPrimeCurve(string curveName, int keySize) {
+  // ALL PRIME CURVES
+  keySize in [192, 239, 256] and
+  exists(string suff | suff in ["V1", "V2", "V3"] | curveName = "PRIME" + keySize.toString() + suff)
+}
+
+predicate isEllipticCurveAlgorithm(string curveName) { isEllipticCurveAlgorithm(curveName, _) }
+
+/**
+ * Holds if `name` corresponds to a known elliptic curve.
+ */
+predicate isEllipticCurveAlgorithm(string curveName, int keySize) {
+  isSecCurve(curveName, keySize)
+  or
+  isBrainpoolCurve(curveName, keySize)
+  or
+  isC2Curve(curveName, keySize)
+  or
+  isPrimeCurve(curveName, keySize)
+  or
+  curveName = "ES256" and keySize = 256
+  or
+  curveName = "CURVE25519" and keySize = 255
+  or
+  curveName = "X25519" and keySize = 255
+  or
+  curveName = "ED25519" and keySize = 255
+  or
+  curveName = "CURVE448" and keySize = 448 // TODO: need to check the key size
+  or
+  curveName = "ED448" and keySize = 448
+  or
+  curveName = "X448" and keySize = 448
+  or
+  curveName = "NUMSP256T1" and keySize = 256
+  or
+  curveName = "NUMSP384T1" and keySize = 384
+  or
+  curveName = "NUMSP512T1" and keySize = 512
+  or
+  curveName = "SM2" and keySize in [256, 512]
+}
+
+/**
+ * Holds if `name` corresponds to a known signature algorithm.
+ */
+predicate isSignatureAlgorithm(string name) {
+  name =
+    [
+      "DSA", "ECDSA", "EDDSA", "ES256", "ES256K", "ES384", "ES512", "ED25519", "ED448", "ECDSA256",
+      "ECDSA384", "ECDSA512"
+    ]
+}
+
+/**
+ * Holds if `name` is a key exchange algorithm.
+ */
+predicate isKeyExchangeAlgorithm(string name) {
+  name = ["ECDH", "DH", "DIFFIEHELLMAN", "X25519", "X448"]
+}
+
+/**
+ * Holds if `name` corresponds to a known asymmetric encryption.
+ */
+predicate isAsymmetricEncryptionAlgorithm(string name) { name = ["RSA"] }
--- a/cpp/ql/lib/experimental/cryptography/CryptoArtifact.qll
+++ b/cpp/ql/lib/experimental/cryptography/CryptoArtifact.qll
@@ -0,0 +1,316 @@
+import cpp
+private import experimental.cryptography.CryptoAlgorithmNames
+import semmle.code.cpp.ir.dataflow.TaintTracking
+
+/*
+ * A cryptographic artifact is a DataFlow::Node associated with some
+ * operation, algorithm, or any other aspect of cryptography.
+ */
+
+abstract class CryptographicArtifact extends Expr { }
+
+// /**
+//  * Associates a symmetric encryption algorithm with a block mode.
+//  * The DataFlow::Node representing this association should be the
+//  * point where the algorithm and block mode are combined.
+//  * This may be at the call to encryption or in the construction
+//  * of an object prior to encryption.
+//  */
+// abstract class SymmetricCipher extends CryptographicArtifact{
+//   abstract SymmetricEncryptionAlgorithm getEncryptionAlgorithm();
+//   abstract BlockMode getBlockMode();
+//   final predicate hasBlockMode(){
+//     exists(this.getBlockMode())
+//   }
+// }
+// /**
+//  * A cryptographic operation is a method call that invokes a cryptographic
+//  * algorithm (encrypt/decrypt) or a function in support of a cryptographic algorithm
+//  * (key generation).
+//  *
+//  * Since operations are related to or in support of algorithms, operations must
+//  * provide a reference to their associated algorithm. Often operataions themselves
+//  * encapsulate algorithms, so operations can also extend CryptographicAlgorithm
+//  * and refer to themselves as the target algorithm.
+//  */
+// abstract class CryptographicOperation extends CryptographicArtifact, Call{
+//   // bindingset[paramName, ind]
+//   // final DataFlow::Node getParameterSource(int ind, string paramName){
+//   //   result = Utils::getUltimateSrcFromApiNode(this.(API::CallNode).getParameter(ind, paramName))
+//   // }
+//   final string getAlgorithmName(){
+//     if exists(this.getAlgorithm().getName())
+//     then result = this.getAlgorithm().getName()
+//     else result = unknownAlgorithm()
+//   }
+//   final predicate hasAlgorithm(){
+//     exists(this.getAlgorithm())
+//   }
+//   final predicate isUnknownAlgorithm(){
+//     this.getAlgorithmName() = unknownAlgorithm()
+//     or
+//     not this.hasAlgorithm()
+//   }
+//   // TODO: this might have to be parameterized by a configuration source for
+//   //       situations where an operation is passed an algorithm
+//   abstract CryptographicAlgorithm getAlgorithm();
+// }
+// /** A key generation operation for asymmetric keys */
+// abstract class KeyGen extends CryptographicOperation{
+//   int getAKeySizeInBits(){
+//     result = getKeySizeInBits(_)
+//   }
+//   final predicate hasKeySize(Expr configSrc){
+//     exists(this.getKeySizeInBits(configSrc))
+//   }
+//   final predicate hasKeySize(){
+//     exists(this.getAKeySizeInBits())
+//   }
+//   abstract Expr getKeyConfigSrc();
+//   abstract int getKeySizeInBits(Expr configSrc);
+// }
+abstract class CryptographicOperation extends CryptographicArtifact, Call { }
+
+abstract class KeyGeneration extends CryptographicOperation {
+  // TODO: what if the algorithm is UNKNOWN?
+  abstract Expr getKeyConfigurationSource(CryptographicAlgorithm alg);
+
+  abstract CryptographicAlgorithm getAlgorithm();
+
+  int getKeySizeInBits(CryptographicAlgorithm alg) {
+    result = this.getKeyConfigurationSource(alg).(Literal).getValue().toInt()
+  }
+
+  predicate hasConstantKeySize(CryptographicAlgorithm alg) { exists(this.getKeySizeInBits(alg)) }
+
+  predicate hasKeyConfigurationSource(CryptographicAlgorithm alg) {
+    exists(this.getKeyConfigurationSource(alg))
+  }
+
+  Expr getAKeyConfigurationSource() { result = this.getKeyConfigurationSource(_) }
+}
+
+abstract class AsymmetricKeyGeneration extends KeyGeneration { }
+
+abstract class SymmetricKeyGeneration extends KeyGeneration { }
+
+/**
+ * A cryptographic algorithm is a `CryptographicArtifact`
+ * representing a cryptographic algorithm (see `CryptoAlgorithmNames.qll`).
+ * Cryptographic algorithms can be functions referencing common crypto algorithms (e.g., hashlib.md5)
+ * or strings that are used in cryptographic operation configurations (e.g., hashlib.new("md5")).
+ * Cryptogrpahic algorithms may also be operations that wrap or abstract one or
+ * more algorithms (e.g., cyrptography.fernet.Fernet and AES, CBC and PKCS7).
+ *
+ * In principle, this class should model the location where an algorithm enters the program, not
+ * necessarily where it is used.
+ */
+abstract class CryptographicAlgorithm extends CryptographicArtifact {
+  abstract string getName();
+
+  abstract string getAlgType();
+
+  //  string getAlgType(){
+  //   if this instanceof HashAlgorithm then result = getHashType()
+  //   else if this instanceof KeyDerivationAlgorithm then result = getKeyDerivationType()
+  //   else if this instanceof SymmetricEncryptionAlgorithm then result = getSymmetricEncryptionType()
+  //   else if this instanceof AsymmetricEncryptionAlgorithm then result = getAsymmetricEncryptionType()
+  //   else if this instanceof SymmetricEncryptionAlgorithm then result = getSymmetricPaddingType()
+  //   else if this instanceof AsymmetricEncryptionAlgorithm then result = getAsymmetricPaddingType()
+  //   else if this instanceof EllipticCurveAlgorithm then result = getEllipticCurveType()
+  //   else if this instanceof BlockMode then result = getCipherBlockModeType()
+  //   else if this instanceof KeyExchangeAlgorithm then result = getKeyExchangeType()
+  //   else if this instanceof SigningAlgorithm then result = getSignatureType()
+  //   else result = unknownAlgorithm()
+  // }
+  // TODO: handle case where name isn't known, not just unknown?
+  /**
+   * Normalizes a raw name into a normalized name as found in `CryptoAlgorithmNames.qll`.
+   * Subclassess should override for more api-specific normalization.
+   * By deafult, converts a raw name to upper-case with no hyphen, underscore, hash, or space.
+   */
+  bindingset[s]
+  string normalizeName(string s) {
+    exists(string normStr | normStr = s.toUpperCase().regexpReplaceAll("[-_ ]|/", "") |
+      result = normStr and isKnownAlgorithm(result)
+      or
+      result = unknownAlgorithm() and not isKnownAlgorithm(normStr)
+    )
+  }
+
+  abstract Expr configurationSink();
+
+  predicate hasConfigurationSink() { exists(this.configurationSink()) }
+}
+
+abstract class HashAlgorithm extends CryptographicAlgorithm {
+  final string getHashName() {
+    if exists(string n | n = this.getName() and isHashingAlgorithm(n))
+    then isHashingAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+
+  override string getAlgType() { result = getHashType() }
+}
+
+abstract class KeyDerivationAlgorithm extends CryptographicAlgorithm {
+  final string getKDFName() {
+    if exists(string n | n = this.getName() and isKeyDerivationAlgorithm(n))
+    then isKeyDerivationAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+
+  override string getAlgType() { result = getKeyDerivationType() }
+}
+
+// abstract class KeyDerivationOperation extends CryptographicOperation{
+//   DataFlow::Node getIterationSizeSrc(){
+//     none()
+//   }
+//   DataFlow::Node getSaltConfigSrc(){
+//     none()
+//   }
+//   DataFlow::Node getHashConfigSrc(){
+//     none()
+//   }
+//   // TODO: get encryption algorithm for CBC-based KDF?
+//   DataFlow::Node getDerivedKeySizeSrc(){
+//     none()
+//   }
+//   DataFlow::Node getModeSrc(){
+//     none()
+//   }
+//   // TODO: add more to cover all the parameters of most KDF operations? Perhaps subclass for each type?
+//   abstract predicate requiresIteration();
+//   abstract predicate requiresSalt();
+//   abstract predicate requiresHash();
+//   //abstract predicate requiresKeySize(); // Going to assume all requires a size
+//   abstract predicate requiresMode();
+// }
+abstract class EncryptionAlgorithm extends CryptographicAlgorithm {
+  final predicate isAsymmetric() { this instanceof AsymmetricEncryptionAlgorithm }
+
+  final predicate isSymmetric() { not this.isAsymmetric() }
+  // NOTE: DO_NOT add getEncryptionName here, we rely on the fact the parent
+  //       class does not have this common predicate.
+}
+
+/**
+ * A parent class to represent any algorithm for which
+ * asymmetric cryptography is involved.
+ * Intended to be distinct from AsymmetricEncryptionAlgorithm
+ * which is intended only for asymmetric algorithms that specifically encrypt.
+ */
+abstract class AsymmetricAlgorithm extends CryptographicAlgorithm { }
+
+/**
+ * Algorithms directly or indirectly related to asymmetric encryption,
+ * e.g., RSA, DSA, but also RSA padding algorithms
+ */
+abstract class AsymmetricEncryptionAlgorithm extends AsymmetricAlgorithm, EncryptionAlgorithm {
+  final string getEncryptionName() {
+    if exists(string n | n = this.getName() and isAsymmetricEncryptionAlgorithm(n))
+    then isAsymmetricEncryptionAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+
+  override string getAlgType() { result = getAsymmetricEncryptionType() }
+}
+
+/**
+ * Algorithms directly or indirectly related to symmetric encryption,
+ * e.g., AES, DES, but also block modes and padding
+ */
+abstract class SymmetricEncryptionAlgorithm extends EncryptionAlgorithm {
+  final string getEncryptionName() {
+    if exists(string n | n = this.getName() and isSymmetricEncryptionAlgorithm(n))
+    then isSymmetricEncryptionAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+
+  // TODO: add a stream cipher predicate?
+  override string getAlgType() { result = getSymmetricEncryptionType() }
+}
+
+// Used only to categorize all padding into a single object,
+// DO_NOT add predicates here. Only for categorization purposes.
+abstract class PaddingAlgorithm extends CryptographicAlgorithm { }
+
+abstract class SymmetricPadding extends PaddingAlgorithm {
+  final string getPaddingName() {
+    if exists(string n | n = this.getName() and isSymmetricPaddingAlgorithm(n))
+    then isSymmetricPaddingAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+
+  override string getAlgType() { result = getSymmetricPaddingType() }
+}
+
+abstract class AsymmetricPadding extends PaddingAlgorithm {
+  final string getPaddingName() {
+    if exists(string n | n = this.getName() and isAsymmetricPaddingAlgorithm(n))
+    then isAsymmetricPaddingAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+
+  override string getAlgType() { result = getAsymmetricPaddingType() }
+}
+
+abstract class EllipticCurveAlgorithm extends AsymmetricAlgorithm {
+  final string getCurveName() {
+    if exists(string n | n = this.getName() and isEllipticCurveAlgorithm(n))
+    then isEllipticCurveAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+
+  final int getCurveBitSize() { isEllipticCurveAlgorithm(this.getCurveName(), result) }
+
+  override string getAlgType() { result = getEllipticCurveType() }
+}
+
+abstract class BlockModeAlgorithm extends CryptographicAlgorithm {
+  final string getBlockModeName() {
+    if exists(string n | n = this.getName() and isCipherBlockModeAlgorithm(n))
+    then isCipherBlockModeAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+
+  /**
+   * Gets the source of the IV configuration.
+   */
+  abstract Expr getIVorNonce();
+
+  final predicate hasIVorNonce() { exists(this.getIVorNonce()) }
+
+  override string getAlgType() { result = getCipherBlockModeType() }
+}
+
+// abstract class KeyWrapOperation extends CryptographicOperation{
+// }
+abstract class AuthenticatedEncryptionAlgorithm extends SymmetricEncryptionAlgorithm {
+  final string getAuthticatedEncryptionName() {
+    if exists(string n | n = this.getName() and isSymmetricEncryptionAlgorithm(n))
+    then isSymmetricEncryptionAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+}
+
+abstract class KeyExchangeAlgorithm extends AsymmetricAlgorithm {
+  final string getKeyExchangeName() {
+    if exists(string n | n = this.getName() and isKeyExchangeAlgorithm(n))
+    then isKeyExchangeAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+
+  override string getAlgType() { result = getKeyExchangeType() }
+}
+
+abstract class SigningAlgorithm extends AsymmetricAlgorithm {
+  final string getSigningName() {
+    if exists(string n | n = this.getName() and isSignatureAlgorithm(n))
+    then isSignatureAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+
+  override string getAlgType() { result = getSignatureType() }
+}
--- a/cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll
+++ b/cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll
@@ -0,0 +1,718 @@
+import cpp
+import experimental.cryptography.CryptoAlgorithmNames
+import experimental.cryptography.CryptoArtifact
+import experimental.cryptography.utils.OpenSSL.CryptoFunction
+import experimental.cryptography.utils.OpenSSL.AlgorithmSink
+import experimental.cryptography.utils.OpenSSL.PassthroughFunction
+import experimental.cryptography.utils.OpenSSL.CryptoAlgorithm
+import experimental.cryptography.CryptoArtifact
+// import semmle.code.cpp.ir.dataflow.TaintTracking
+import semmle.code.cpp.ir.dataflow.DataFlow
+
+/**
+ *  Problematic case in OpenSSL speed.c
+ *    static const char *names[ALGOR_NUM] = {
+ *        "md2", "mdc2", "md4", "md5", "sha1", "rmd160",
+ *        "sha256", "sha512", "whirlpool", "hmac(md5)",
+ *        "des-cbc", "des-ede3", "rc4", "idea-cbc", "seed-cbc",
+ *        "rc2-cbc", "rc5-cbc", "blowfish", "cast-cbc",
+ *        "aes-128-cbc", "aes-192-cbc", "aes-256-cbc",
+ *        "camellia-128-cbc", "camellia-192-cbc", "camellia-256-cbc",
+ *        "evp", "ghash", "rand", "cmac"
+ *    };
+ *
+ *    Every entry is considered a block mode, hash, and symmetric encryption algorithm
+ *    getEncryptionName for example, will return unknown
+ */
+predicate nodeToExpr(DataFlow::Node node, Expr e) {
+  e = node.asExpr() or e = node.asIndirectArgument()
+}
+
+Expr getExprFromNode(DataFlow::Node node) { nodeToExpr(node, result) }
+
+DataFlow::Node getNodeFromExpr(Expr e) { nodeToExpr(result, e) }
+
+predicate isEVP_PKEY_CTX(Type t) { t.getUnderlyingType().stripType().getName() = "evp_pkey_ctx_st" }
+
+/**
+ * An expression representing an EVP_PKEY_CTX* at the location of a
+ * known AlgorithmSinkArgument.
+ * The EVP_PKEY_CTX* represents the location where the CTX is tied to the algorithm,
+ * and can be used as a source for tracing EVP_PKEY_CTX to other operations.
+ */
+class Known_EVP_PKEY_CTX_Ptr_Source extends Expr {
+  Known_EVP_PKEY_CTX_Ptr_Source() {
+    isEVP_PKEY_CTX(this.getUnderlyingType()) and
+    this.getUnderlyingType() instanceof PointerType and
+    exists(AlgorithmSinkArgument arg, Call sinkCall |
+      arg.getSinkCall() = sinkCall and
+      sinkCall.getAnArgument() = this
+      or
+      this = sinkCall
+    )
+  }
+}
+
+// module CTXFlow implements DataFlow::ConfigSig{
+//     predicate isSource(DataFlow::Node source) {
+//         // ASSUMPTION: at a sink, an algorithm is converted into a CTX through a return of the call only
+//         //             and is the primary source of interest for CTX tracing
+//         source.asExpr() instanceof AlgorithmSinkArgument
+//     }
+//     predicate isSink(DataFlow::Node sink){
+//         sink.asExpr() instanceof CTXSink
+//     }
+//     predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+//         //  cls.getName() = "asn1_object_st" flow out on any EVP_PKEY_CTX which is "evp_pkey_ctx_st"
+//         exists(Call c |
+//             isEVP_PKEY_CTX(c.getUnderlyingType()) and
+//             node1.asExpr() = c.getAnArgument() and c = node2.asExpr())
+//     }
+// }
+// module CTXFlowConfig = DataFlow::Global<CTXFlow>;
+// TODO: currently only handles tracing from literals to sinks
+module LiteralAlgorithmTracerConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source.asExpr() instanceof Literal and
+    // Optimization to reduce literal tracing on integers to only those that are known/relevant NIDs.
+    (
+      exists(source.asExpr().getValue().toInt())
+      implies
+      source.asExpr().getValue().toInt() < getNIDMax()
+    ) and
+    // False positives observed inside OBJ_nid2* and OBJ_sn2* functions where NULL is a possible assignment.
+    // While this is a concern, it only occurs if the object being referenced is NULL to begin with
+    // Perhaps a different query should be used to find these caes if they represent a threat.
+    // Filter out any open ssl function source in a function namae Obj_*
+    // False positives in OpenSSL also observed for CRYPTO_strndup (filtering any CRYPTO_* function)
+    // due to setting a null byte in the string
+    (
+      isPossibleOpenSSLFunction(source.getEnclosingCallable())
+      implies
+      (
+        not source.getEnclosingCallable().getName().matches("OBJ_%") and
+        not source.getEnclosingCallable().getName().matches("CRYPTO_%")
+      )
+    )
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    // A sink is a call to a function that takes an algorithm as an argument
+    // must include checks for asIndirectArgument since the input may be a pointer to an object
+    // and the member of the object holds the algorithm on the trace.
+    getExprFromNode(sink) instanceof AlgorithmSinkArgument
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    knownPassThroughStep(node1, node2)
+  }
+
+  predicate isBarrier(DataFlow::Node node) {
+    // If the node is the 'next' argument of a isCallPassThrough, it is only allowed if it is an out parameter
+    // i.e., a defining argument. This barrier says that if the node is an expression not an out parameter, it is filtered.
+    // Out arguments will not be filtered.
+    exists(Call c | knownPassthoughCall(c, _, node.asExpr()) and c.getAnArgument() = node.asExpr())
+    or
+    // False positive reducer, don't flow out through argv
+    node.asVariable().hasName("argv")
+    or
+    node.asIndirectVariable().hasName("argv")
+  }
+
+  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+    // Assume a read on crypto identifying field for any object of type asn1_object_st (i.e., ASN1_OBJECT)
+    exists(Class cls | cls.getName() = "asn1_object_st" |
+      node.getType().getUnspecifiedType().stripType() = cls and
+      c.(DataFlow::FieldContent).getField() = cls.getAMember() and
+      c.(DataFlow::FieldContent).getField().getName() in ["nid", "sn", "ln"]
+    )
+  }
+}
+
+module LiteralAlgorithmTracer = DataFlow::Global<LiteralAlgorithmTracerConfig>;
+
+/**
+ * `source` is an expression that is a source of an algorithm of type `algType`.
+ * `algType` may be `UNKONWN`.
+ *  See CryptoAlgorithmNames for other possible values of `algType`.
+ */
+bindingset[sinkAlgType]
+predicate hasLiteralPathToAlgSink(DataFlow::Node source, DataFlow::Node sink, string sinkAlgType) {
+  LiteralAlgorithmTracer::flow(source, sink) and
+  getExprFromNode(sink).(AlgorithmSinkArgument).algType() = sinkAlgType
+}
+
+private predicate knownTracedAlgorithm(Literal e, string srcSinkType) {
+  knownTracedAlgorithm(e, srcSinkType, srcSinkType)
+}
+
+private predicate knownTracedAlgorithm(Literal e, string srcType, string sinkType) {
+  resolveAlgorithmFromLiteral(e, _, srcType) and
+  hasLiteralPathToAlgSink(DataFlow::exprNode(e), _, sinkType) and
+  isKnownType(sinkType) and
+  isKnownType(srcType)
+}
+
+private predicate unknownTracedLiteralAlgorithm(Literal e, string srcSinkType) {
+  // Asymmetric special case:
+  // Since asymmetric algorithm sinks are used for various categories of asymmetric algorithms
+  // an asymmetric algorithm is only unknown if there is no trace from any asymmetric type to the given srcSinkType sink
+  if getAsymmetricType() = srcSinkType
+  then forall(string t | t = getAsymmetricType() | unknownTracedLiteralAlgorithm(e, t, srcSinkType))
+  else unknownTracedLiteralAlgorithm(e, srcSinkType, srcSinkType)
+}
+
+private predicate unknownTracedLiteralAlgorithm(Literal e, string srcType, string sinkType) {
+  // the literal resolves to an algorithm, but not to the sinktype
+  // or generally doesn't resolve to any algorithm type
+  // this case covers 'nonsense' cases e.g., use RSA for symmetric encryption
+  not resolveAlgorithmFromLiteral(e, _, srcType) and
+  isValidAlgorithmLiteral(e) and
+  hasLiteralPathToAlgSink(DataFlow::exprNode(e), _, sinkType) and
+  isKnownType(sinkType) and
+  isKnownType(srcType)
+}
+
+private predicate unknownTracedNonLiteralAlgorithm(AlgorithmSinkArgument e, string srcSinkType) {
+  // Asymmetric special case:
+  // Since asymmetric algorithm sinks are used for various categories of asymmetric algorithms
+  // an asymmetric algorithm is only unknown if there is no trace from any asymmetric type to the given srcSinkType sink
+  if getAsymmetricType() = srcSinkType
+  then
+    forall(string t | t = getAsymmetricType() | unknownTracedNonLiteralAlgorithm(e, t, srcSinkType))
+  else unknownTracedNonLiteralAlgorithm(e, srcSinkType, srcSinkType)
+}
+
+private predicate unknownTracedNonLiteralAlgorithm(
+  AlgorithmSinkArgument e, string srcType, string sinkType
+) {
+  not hasLiteralPathToAlgSink(_, getNodeFromExpr(e), srcType) and
+  LiteralAlgorithmTracerConfig::isSink(getNodeFromExpr(e)) and
+  e.algType() = sinkType and
+  isKnownType(srcType) and
+  isKnownType(sinkType)
+}
+
+private predicate functionAlgorithm(Call c, string algType) {
+  isOpenSSLCryptoFunctionCall(c, _, algType)
+}
+
+abstract class OpenSSLTracedAlgorithm extends CryptographicAlgorithm {
+  override string getName() { resolveAlgorithmFromLiteral(this, result, this.getAlgType()) }
+
+  override Expr configurationSink() {
+    exists(DataFlow::Node sink |
+      hasLiteralPathToAlgSink(DataFlow::exprNode(this), sink, this.getAlgType())
+    |
+      result = getExprFromNode(sink)
+    )
+  }
+}
+
+abstract class OpenSSLFunctionAlgorithm extends CryptographicAlgorithm {
+  override string getName() { isOpenSSLCryptoFunctionCall(this, result, this.getAlgType()) }
+
+  override Expr configurationSink() { result = this }
+}
+
+abstract class OpenSSLUnknownTracedLiteralAlgorithm extends CryptographicAlgorithm {
+  override string getName() { result = unknownAlgorithm() }
+
+  override Expr configurationSink() {
+    exists(DataFlow::Node sink |
+      hasLiteralPathToAlgSink(DataFlow::exprNode(this), sink, this.getAlgType())
+    |
+      result = getExprFromNode(sink)
+    )
+  }
+}
+
+abstract class OpenSSLUnknownTracedNonLiteralAlgorithm extends CryptographicAlgorithm {
+  override string getName() { result = unknownAlgorithm() }
+
+  override Expr configurationSink() { result = this }
+}
+
+module SymmetricEncryption {
+  abstract class OpenSSLSymmetricEncryptionAlgorithm extends SymmetricEncryptionAlgorithm { }
+
+  class OpenSSLSymmetricEncryptionTracedAlgorithm extends OpenSSLTracedAlgorithm,
+    OpenSSLSymmetricEncryptionAlgorithm
+  {
+    OpenSSLSymmetricEncryptionTracedAlgorithm() {
+      knownTracedAlgorithm(this, getSymmetricEncryptionType())
+    }
+  }
+
+  class OpenSSLSymmetricEncryptionFunctionAlgorithm extends OpenSSLFunctionAlgorithm,
+    OpenSSLSymmetricEncryptionAlgorithm
+  {
+    OpenSSLSymmetricEncryptionFunctionAlgorithm() {
+      functionAlgorithm(this, getSymmetricEncryptionType())
+    }
+  }
+
+  class OpenSSLSymmetricEncryptionTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm,
+    OpenSSLSymmetricEncryptionAlgorithm
+  {
+    OpenSSLSymmetricEncryptionTracedUnknownLiteralAlgorithm() {
+      unknownTracedLiteralAlgorithm(this, getSymmetricEncryptionType())
+    }
+  }
+
+  class OpenSSLSymmetricEncryptionUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm,
+    OpenSSLSymmetricEncryptionAlgorithm
+  {
+    OpenSSLSymmetricEncryptionUnknownNonLiteralTracedAlgorithm() {
+      unknownTracedNonLiteralAlgorithm(this, getSymmetricEncryptionType())
+    }
+  }
+}
+
+module BlockModes {
+  /**
+   * In OpenSSL, block modes are associated directly with symmetric encryption algorithms.
+   * As such, OpenSSLBLockModes are modeled as extensions of any openssl symmetric encryption algorithm
+   */
+  class OpenSSLBlockModeAlgorithm extends BlockModeAlgorithm, Expr instanceof SymmetricEncryption::OpenSSLSymmetricEncryptionAlgorithm
+  {
+    OpenSSLBlockModeAlgorithm() {
+      //two cases, either the block mode is a literal or it is a function call
+      resolveAlgorithmFromLiteral(this, _, "BLOCK_MODE")
+      or
+      isOpenSSLCryptoFunctionCall(this, _, "BLOCK_MODE")
+    }
+
+    override string getName() {
+      resolveAlgorithmFromLiteral(this, result, "BLOCK_MODE")
+      or
+      isOpenSSLCryptoFunctionCall(this, result, "BLOCK_MODE")
+    }
+
+    override Expr configurationSink() {
+      result = this.(SymmetricEncryption::OpenSSLSymmetricEncryptionAlgorithm).configurationSink()
+    }
+
+    override Expr getIVorNonce() {
+      // TODO
+      none()
+    }
+  }
+
+  class UnknownOpenSSLBlockModeAlgorithm extends BlockModeAlgorithm, Expr instanceof SymmetricEncryption::OpenSSLSymmetricEncryptionAlgorithm
+  {
+    UnknownOpenSSLBlockModeAlgorithm() {
+      //two cases, either the block mode is a literal or it is a function call
+      not resolveAlgorithmFromLiteral(this, _, "BLOCK_MODE") and
+      not isOpenSSLCryptoFunctionCall(this, _, "BLOCK_MODE")
+    }
+
+    override string getName() { result = unknownAlgorithm() }
+
+    override Expr configurationSink() {
+      result = this.(SymmetricEncryption::OpenSSLSymmetricEncryptionAlgorithm).configurationSink()
+    }
+
+    override Expr getIVorNonce() { none() }
+  }
+}
+
+module Hashes {
+  abstract class OpenSSLHashAlgorithm extends HashAlgorithm { }
+
+  class OpenSSLHashTracedAlgorithm extends OpenSSLTracedAlgorithm, OpenSSLHashAlgorithm {
+    OpenSSLHashTracedAlgorithm() { knownTracedAlgorithm(this, getHashType()) }
+  }
+
+  class OpenSSLHashFunctionAlgorithm extends OpenSSLFunctionAlgorithm, OpenSSLHashAlgorithm {
+    OpenSSLHashFunctionAlgorithm() { functionAlgorithm(this, getHashType()) }
+  }
+
+  class OpenSSLHashTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm,
+    OpenSSLHashAlgorithm
+  {
+    OpenSSLHashTracedUnknownLiteralAlgorithm() {
+      unknownTracedLiteralAlgorithm(this, getHashType())
+    }
+  }
+
+  class OpenSSLHashUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm,
+    OpenSSLHashAlgorithm
+  {
+    OpenSSLHashUnknownNonLiteralTracedAlgorithm() {
+      unknownTracedNonLiteralAlgorithm(this, getHashType())
+    }
+  }
+
+  class OpenSSLNullHash extends HashAlgorithm {
+    OpenSSLNullHash() {
+      exists(Call c |
+        this = c and
+        isPossibleOpenSSLFunction(c.getTarget()) and
+        c.getTarget().getName() in ["EVP_md_null"]
+      )
+    }
+
+    override string getName() { result = unknownAlgorithm() }
+
+    override Expr configurationSink() { result = this }
+  }
+}
+
+module EllipticCurves {
+  // TODO: need to address EVP_PKEY_Q_keygen where the type is "EC" but the curve is UNKNOWN?
+  class OpenSSLEllipticCurveTracedAlgorithm extends OpenSSLTracedAlgorithm, EllipticCurveAlgorithm {
+    OpenSSLEllipticCurveTracedAlgorithm() { knownTracedAlgorithm(this, getEllipticCurveType()) }
+  }
+
+  class OpenSSLEllipticCurveFunctionAlgorithm extends OpenSSLFunctionAlgorithm,
+    EllipticCurveAlgorithm
+  {
+    OpenSSLEllipticCurveFunctionAlgorithm() { functionAlgorithm(this, getEllipticCurveType()) }
+  }
+
+  class OpenSSLEllipticCurveTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm,
+    EllipticCurveAlgorithm
+  {
+    OpenSSLEllipticCurveTracedUnknownLiteralAlgorithm() {
+      unknownTracedLiteralAlgorithm(this, getEllipticCurveType())
+    }
+  }
+
+  class OpenSSLEllipticCurvehUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm,
+    EllipticCurveAlgorithm
+  {
+    OpenSSLEllipticCurvehUnknownNonLiteralTracedAlgorithm() {
+      unknownTracedNonLiteralAlgorithm(this, getEllipticCurveType())
+    }
+  }
+
+  // https://www.openssl.org/docs/manmaster/man3/EC_KEY_new_ex.html
+  class OpenSSLNullEllipticCurve extends EllipticCurveAlgorithm {
+    OpenSSLNullEllipticCurve() {
+      exists(Call c |
+        this = c and
+        isPossibleOpenSSLFunction(c.getTarget()) and
+        c.getTarget().getName() in ["EC_KEY_new", "EC_KEY_new_ex"]
+      )
+    }
+
+    override string getName() { result = unknownAlgorithm() }
+
+    override Expr configurationSink() { result = this }
+  }
+}
+
+module AsymmetricEncryption {
+  class OpenSSLAsymmetricEncryptionTracedAlgorithm extends OpenSSLTracedAlgorithm,
+    AsymmetricEncryptionAlgorithm
+  {
+    OpenSSLAsymmetricEncryptionTracedAlgorithm() {
+      knownTracedAlgorithm(this, getAsymmetricEncryptionType())
+    }
+  }
+
+  class OpenSSLAsymmetricEncryptionFunctionAlgorithm extends OpenSSLFunctionAlgorithm,
+    AsymmetricEncryptionAlgorithm
+  {
+    OpenSSLAsymmetricEncryptionFunctionAlgorithm() {
+      functionAlgorithm(this, getAsymmetricEncryptionType())
+    }
+  }
+
+  class OpenSSLAsymmetricEncryptionTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm,
+    AsymmetricEncryptionAlgorithm
+  {
+    OpenSSLAsymmetricEncryptionTracedUnknownLiteralAlgorithm() {
+      unknownTracedLiteralAlgorithm(this, getAsymmetricEncryptionType())
+    }
+  }
+
+  class OpenSSLAsymmetricEncryptionUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm,
+    AsymmetricEncryptionAlgorithm
+  {
+    OpenSSLAsymmetricEncryptionUnknownNonLiteralTracedAlgorithm() {
+      unknownTracedNonLiteralAlgorithm(this, getAsymmetricEncryptionType())
+    }
+  }
+}
+
+module SigningAlgorithms {
+  class OpenSSLSignatureTracedAlgorithm extends OpenSSLTracedAlgorithm, SigningAlgorithm {
+    OpenSSLSignatureTracedAlgorithm() { knownTracedAlgorithm(this, getSignatureType()) }
+  }
+
+  class OpenSSLSignatureFunctionAlgorithm extends OpenSSLFunctionAlgorithm, SigningAlgorithm {
+    OpenSSLSignatureFunctionAlgorithm() { functionAlgorithm(this, getSignatureType()) }
+  }
+
+  class OpenSSLSignatureTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm,
+    SigningAlgorithm
+  {
+    OpenSSLSignatureTracedUnknownLiteralAlgorithm() {
+      unknownTracedLiteralAlgorithm(this, getSignatureType())
+    }
+  }
+
+  class OpenSSLSignatureUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm,
+    SigningAlgorithm
+  {
+    OpenSSLSignatureUnknownNonLiteralTracedAlgorithm() {
+      unknownTracedNonLiteralAlgorithm(this, getSignatureType())
+    }
+  }
+}
+
+module KeyExchange {
+  class OpenSSLKeyExchangeTracedAlgorithm extends OpenSSLTracedAlgorithm, KeyExchangeAlgorithm {
+    OpenSSLKeyExchangeTracedAlgorithm() { knownTracedAlgorithm(this, getKeyExchangeType()) }
+  }
+
+  class OpenSSLKeyExchangeFunctionAlgorithm extends OpenSSLFunctionAlgorithm, KeyExchangeAlgorithm {
+    OpenSSLKeyExchangeFunctionAlgorithm() { functionAlgorithm(this, getKeyExchangeType()) }
+  }
+
+  class OpenSSLKeyExchangeTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm,
+    KeyExchangeAlgorithm
+  {
+    OpenSSLKeyExchangeTracedUnknownLiteralAlgorithm() {
+      unknownTracedLiteralAlgorithm(this, getKeyExchangeType())
+    }
+  }
+
+  class OpenSSLKeyExchangeUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm,
+    KeyExchangeAlgorithm
+  {
+    OpenSSLKeyExchangeUnknownNonLiteralTracedAlgorithm() {
+      unknownTracedNonLiteralAlgorithm(this, getKeyExchangeType())
+    }
+  }
+}
+
+module KeyGeneration {
+  /**
+   * Functions that explicitly set key generation parameters.
+   * `sizeInd` is the parameter specifying the size of the key.
+   * `outInd` is the parameter or return value that the key is written to.
+   * `outInd` is -1 if the key is written to the return value.
+   */
+  predicate isAsymmetricKeyGenExplicitAlgorithm(Function func, int sizeInd, int outInd) {
+    isPossibleOpenSSLFunction(func) and
+    exists(string name | func.hasGlobalName(name) |
+      name in [
+          "EVP_PKEY_CTX_set_dsa_paramgen_bits", "DSA_generate_parameters_ex",
+          "EVP_PKEY_CTX_set_rsa_keygen_bits", "RSA_generate_key_ex", "RSA_generate_key_fips",
+          "EVP_PKEY_CTX_set_dh_paramgen_prime_len", "DH_generate_parameters_ex"
+        ] and
+      sizeInd = 1 and
+      outInd = 0
+      or
+      name in ["DSA_generate_parameters", "RSA_generate_key", "DH_generate_parameters"] and
+      sizeInd = 0 and
+      outInd = -1
+    ) and
+    exists(Type t |
+      (
+        if sizeInd = -1
+        then t = func.getType().getUnderlyingType()
+        else t = func.getParameter(sizeInd).getUnderlyingType()
+      ) and
+      t instanceof IntegralType and
+      not t instanceof CharType
+    )
+  }
+
+  module AsymExplicitAlgKeyLengthFlowConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node node) {
+      // Optimizations to avoid tracing all integers
+      node.asExpr().(Literal).getValue().toInt() > 0 and // exclude sentinel values
+      node.asExpr().(Literal).getValue().toInt() < 8500
+    }
+
+    predicate isSink(DataFlow::Node node) {
+      exists(FunctionCall c, int sizeInd |
+        isAsymmetricKeyGenExplicitAlgorithm(c.getTarget(), sizeInd, _) and
+        c.getArgument(sizeInd) = node.asExpr()
+      )
+    }
+  }
+
+  module AsymExplicitAlgKeyLengthFlow = DataFlow::Global<AsymExplicitAlgKeyLengthFlowConfig>;
+
+  class OpenSSLAsymmetricKeyGenTiedToAlgorithm extends AsymmetricKeyGeneration {
+    OpenSSLAsymmetricKeyGenTiedToAlgorithm() {
+      exists(Call c |
+        this = c and
+        isPossibleOpenSSLFunction(c.getTarget()) and
+        isAsymmetricKeyGenExplicitAlgorithm(c.getTarget(), _, _)
+      )
+    }
+
+    override CryptographicAlgorithm getAlgorithm() { result = this }
+
+    override Expr getKeyConfigurationSource(CryptographicAlgorithm alg) {
+      alg = this and
+      exists(int sizeInd |
+        isAsymmetricKeyGenExplicitAlgorithm(this.getTarget(), sizeInd, _) and
+        AsymExplicitAlgKeyLengthFlow::flow(DataFlow::exprNode(result),
+          DataFlow::exprNode(this.getArgument(sizeInd)))
+      )
+    }
+  }
+
+  module Length_to_RSA_EVP_PKEY_Q_keygen_Config implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node node) {
+      // Optimizations to avoid tracing all integers
+      node.asExpr().(Literal).getValue().toInt() > 0 and // exclude sentinel values
+      node.asExpr().(Literal).getValue().toInt() < 5000
+    }
+
+    predicate isSink(DataFlow::Node node) {
+      exists(FunctionCall c |
+        c.getTarget().getName() = "EVP_PKEY_Q_keygen" and
+        isPossibleOpenSSLFunction(c.getTarget()) and
+        c.getArgument(3) = node.asExpr()
+      )
+    }
+  }
+
+  module Length_to_RSA_EVP_PKEY_Q_keygen_Flow =
+    DataFlow::Global<Length_to_RSA_EVP_PKEY_Q_keygen_Config>;
+
+  class OpenSSL_RSA_EVP_PKEY_Q_keygen extends AsymmetricKeyGeneration {
+    OpenSSL_RSA_EVP_PKEY_Q_keygen() {
+      exists(Call c |
+        this = c and
+        isPossibleOpenSSLFunction(c.getTarget()) and
+        this.getTarget().getName() = "EVP_PKEY_Q_keygen" and
+        this.getArgument(3).getUnderlyingType() instanceof IntegralType
+      )
+    }
+
+    override CryptographicAlgorithm getAlgorithm() {
+      result.configurationSink().(AlgorithmSinkArgument).getSinkCall() = this
+    }
+
+    override Expr getKeyConfigurationSource(CryptographicAlgorithm alg) {
+      alg = this.getAlgorithm() and
+      Length_to_RSA_EVP_PKEY_Q_keygen_Flow::flow(DataFlow::exprNode(result),
+        DataFlow::exprNode(this.getArgument(3)))
+    }
+  }
+
+  predicate isKeyGenOperationWithNoSize(Function func) {
+    isPossibleOpenSSLFunction(func) and
+    exists(string name | func.hasGlobalName(name) |
+      name in ["EVP_PKEY_keygen", "DSA_generate_key", "DH_generate_key", "EVP_PKEY_generate"]
+    )
+  }
+
+  module KeyGenKeySizeInitToKeyGenConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node node) {
+      exists(Call c, Function func, int outInd |
+        isAsymmetricKeyGenExplicitAlgorithm(func, _, outInd) and
+        c.getTarget() = func
+      |
+        if outInd = -1 then node.asExpr() = c else node.asExpr() = c.getArgument(outInd)
+      )
+    }
+
+    predicate isSink(DataFlow::Node node) {
+      exists(Call c |
+        isKeyGenOperationWithNoSize(c.getTarget()) and c.getAnArgument() = node.asExpr()
+      )
+    }
+  }
+
+  module KeyGenKeySizeInitToKeyGenFlow = DataFlow::Global<KeyGenKeySizeInitToKeyGenConfig>;
+
+  predicate isEVP_PKEY_CTX_Source(DataFlow::Node node, CryptographicAlgorithm alg) {
+    exists(Call c |
+      alg.configurationSink().(AlgorithmSinkArgument).getSinkCall() = c and
+      (
+        node.asExpr() = c
+        or
+        node.asExpr() = c.getAnArgument()
+        or
+        node.asDefiningArgument() = c.getAnArgument()
+      )
+    ) and
+    (
+      node.asExpr() instanceof Known_EVP_PKEY_CTX_Ptr_Source
+      or
+      node.asDefiningArgument() instanceof Known_EVP_PKEY_CTX_Ptr_Source
+    )
+  }
+
+  predicate isKeyGen_EVP_PKEY_CTX_Sink(DataFlow::Node node, Call c) {
+    isKeyGenOperationWithNoSize(c.getTarget()) and nodeToExpr(node, c.getAnArgument())
+  }
+
+  /**
+   * Trace from EVP_PKEY_CTX* at algorithm sink to keygen,
+   * users can then extrapolatae the matching algorithm from the alg sink to the keygen
+   */
+  module EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) { isEVP_PKEY_CTX_Source(source, _) }
+
+    predicate isSink(DataFlow::Node sink) { isKeyGen_EVP_PKEY_CTX_Sink(sink, _) }
+  }
+
+  module EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize_Flow =
+    DataFlow::Global<EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize>;
+
+  /**
+   * UNKNOWN key sizes to general purpose key generation functions (i.e., that take in no key size and assume
+   * is it set on context prior to the call). No path from a key configuration to these operations
+   * means the key size is UNKNOWN, or more precisely the key size is DEFAULT but
+   * the defaults can change with each version of OpenSSL, we simply assume the size is generally UNKNOWN.
+   * ASSUMPTION/TODO: we currently model all known locations where a key size is set explicitly.
+   *                 When a key is set implicitly, this usually means a key generation operation
+   *                 is called where the operation takes in no key size, and no flow to this operation
+   *                 initializes the context with a key size.
+   *                 Currently, without a definitive source (set of sources) to start tracing from, we cannot determine
+   *                 determine if a single path exists that initializes the context with a key size and another that doesn't.
+   *                 Rather than attempt to model all possible sources, we assume that if no path
+   *                 from a key config location reaches a generic key generation operation, then the key size is not set.
+   *                 NOTE: while this is true, it is possible a key size is set in one path, but not in another
+   *                 meaning this approach (and other similar approaches used in this model for UNKNOWN)
+   *                 can produce false negatives.
+   */
+  class OpenSSLDefaultKeyGeneration extends AsymmetricKeyGeneration {
+    OpenSSLDefaultKeyGeneration() {
+      // this is a call to a function matching isKeyGenOperationWithNoSize
+      // and there is no flow from a key configuration source to this call
+      exists(Call c |
+        this = c and
+        isKeyGenOperationWithNoSize(this.getTarget()) and
+        not exists(DataFlow::Node src, DataFlow::Node sink |
+          KeyGenKeySizeInitToKeyGenFlow::flow(src, sink) and
+          nodeToExpr(sink, this.getAnArgument())
+        )
+      )
+    }
+
+    override CryptographicAlgorithm getAlgorithm() {
+      if this.getTarget().getName() in ["DSA_generate_key", "DH_generate_key"]
+      then result = this
+      else
+        // NOTE/ASSUMPTION: EVP_PKEY_keygen, EVP_PKEY_generate assume only other possibilities,
+        //        each take in a CTX as the first arg, need to trace from an alg sink from this CTX param
+        // get every alg sink, get the corresponding call, trace out on any CTX type variable
+        // to the key gen
+        // NOTE: looking for any cryptographic algorithm tracing to the keygen to handle
+        //  any odd cases we aren't awaare of where keygen can be used for other algorithm types
+        exists(DataFlow::Node src, DataFlow::Node sink |
+          EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize_Flow::flow(src, sink) and
+          isEVP_PKEY_CTX_Source(src, result) and
+          isKeyGen_EVP_PKEY_CTX_Sink(sink, this)
+          // TODO: what if there is no CTX source? then the keygen becomes an UNKNOWN sink
+        )
+    }
+
+    /**
+     * For this class, there is no known configuration source for any algorithm
+     */
+    override Expr getKeyConfigurationSource(CryptographicAlgorithm alg) { none() }
+  }
+}
--- a/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/AlgorithmSink.qll
+++ b/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/AlgorithmSink.qll
@@ -0,0 +1,296 @@
+/**
+ * Predicates/classes for identifying algorithm sinks.
+ * An Algorithm Sink is a function that takes an algorithm as an argument.
+ * In particular, any function that takes in an algorithm that until the call
+ * the algorithm is not definitely known to be an algorithm (e.g., an integer used as an identifier to fetch an algorithm)
+ */
+
+//TODO: enforce a hierarchy of AlgorithmSinkArgument, e.g., so I can get all Asymmetric SinkArguments that includes all the strictly RSA etc.
+import cpp
+import experimental.cryptography.utils.OpenSSL.LibraryFunction
+import experimental.cryptography.CryptoAlgorithmNames
+
+predicate isAlgorithmSink(AlgorithmSinkArgument arg, string algType) { arg.algType() = algType }
+
+abstract class AlgorithmSinkArgument extends Expr {
+  AlgorithmSinkArgument() {
+    exists(Call c | c.getAnArgument() = this and openSSLLibraryFunc(c.getTarget()))
+  }
+
+  /**
+   * Gets the function call in which the argument exists
+   */
+  Call getSinkCall() { result.getAnArgument() = this }
+
+  abstract string algType();
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EVP_CIPHER_fetch.html
+predicate cipherAlgorithmSink(string funcName, int argInd) {
+  funcName in ["EVP_get_cipherbyname", "EVP_get_cipherbynid", "EVP_get_cipherbyobj"] and argInd = 0
+  or
+  funcName = "EVP_CIPHER_fetch" and argInd = 1
+}
+
+class CipherAlgorithmSink extends AlgorithmSinkArgument {
+  CipherAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      cipherAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = getSymmetricEncryptionType() }
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EVP_MAC_fetch
+predicate macAlgorithmSink(string funcName, int argInd) {
+  (funcName = "EVP_MAC_fetch" and argInd = 1)
+}
+
+class MACAlgorithmSink extends AlgorithmSinkArgument {
+  MACAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      macAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = "TBD" }
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EVP_MD_fetch
+predicate messageDigestAlgorithmSink(string funcName, int argInd) {
+  funcName in ["EVP_get_digestbyname", "EVP_get_digestbynid", "EVP_get_digestbyobj"] and argInd = 0
+  or
+  funcName = "EVP_MD_fetch" and argInd = 1
+}
+
+class MessageDigestAlgorithmSink extends AlgorithmSinkArgument {
+  MessageDigestAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      messageDigestAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = getHashType() }
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EVP_KEYEXCH_fetch
+// https://www.openssl.org/docs/manmaster/man3/EVP_KEM_fetch
+predicate keyExchangeAlgorithmSink(string funcName, int argInd) {
+  funcName = "EVP_KEYEXCH_fetch" and argInd = 1
+  or
+  funcName = "EVP_KEM_fetch" and argInd = 1
+}
+
+class KeyExchangeAlgorithmSink extends AlgorithmSinkArgument {
+  KeyExchangeAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      keyExchangeAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = getKeyExchangeType() }
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EVP_KEYMGMT_fetch
+predicate keyManagementAlgorithmSink(string funcName, int argInd) {
+  funcName = "EVP_KEYMGMT_fetch" and argInd = 1
+}
+
+class KeyManagementAlgorithmSink extends AlgorithmSinkArgument {
+  KeyManagementAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      keyManagementAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = "TBD" }
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EVP_KDF
+predicate keyDerivationAlgorithmSink(string funcName, int argInd) {
+  funcName = "EVP_KDF_fetch" and argInd = 1
+}
+
+class KeyDerivationAlgorithmSink extends AlgorithmSinkArgument {
+  KeyDerivationAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      keyDerivationAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = getKeyDerivationType() }
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EVP_ASYM_CIPHER_fetch
+// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_new_id
+// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_new_CMAC_key.html
+predicate asymmetricCipherAlgorithmSink(string funcName, int argInd) {
+  funcName = "EVP_ASYM_CIPHER_fetch" and argInd = 1
+  or
+  funcName = "EVP_PKEY_new_CMAC_key" and argInd = 3
+  // NOTE: other cases are handled by AsymmetricAlgorithmSink
+}
+
+class AsymmetricCipherAlgorithmSink extends AlgorithmSinkArgument {
+  AsymmetricCipherAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      asymmetricCipherAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = "ASYMMETRIC_ENCRYPTION" }
+}
+
+class AsymmetricCipherAlgorithmSink_EVP_PKEY_Q_keygen extends AlgorithmSinkArgument {
+  AsymmetricCipherAlgorithmSink_EVP_PKEY_Q_keygen() {
+    exists(Call c, string funcName |
+      funcName = c.getTarget().getName() and
+      this = c.getArgument(3)
+    |
+      funcName = "EVP_PKEY_Q_keygen" and
+      c.getArgument(3).getType().getUnderlyingType() instanceof IntegralType
+    )
+  }
+
+  override string algType() { result = "ASYMMETRIC_ENCRYPTION" }
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EVP_RAND_fetch
+predicate randomAlgorithmSink(string funcName, int argInd) {
+  funcName = "EVP_RAND_fetch" and argInd = 1
+}
+
+class RandomAlgorithmSink extends AlgorithmSinkArgument {
+  RandomAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      randomAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = "TBD" }
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EVP_SIGNATURE_fetch
+predicate signatureAlgorithmSink(string funcName, int argInd) {
+  funcName = "EVP_SIGNATURE_fetch" and argInd = 1
+}
+
+class SignatureAlgorithmSink extends AlgorithmSinkArgument {
+  SignatureAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      signatureAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = getSignatureType() }
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EC_KEY_new_by_curve_name.html
+// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_set_ec_paramgen_curve_nid.html
+predicate ellipticCurveAlgorithmSink(string funcName, int argInd) {
+  funcName in ["EC_KEY_new_by_curve_name", "EVP_EC_gen"] and argInd = 0
+  or
+  funcName = "EC_KEY_new_by_curve_name_ex" and argInd = 2
+  or
+  funcName in ["EVP_PKEY_CTX_set_ec_paramgen_curve_nid"] and argInd = 1
+}
+
+class EllipticCurveAlgorithmSink extends AlgorithmSinkArgument {
+  EllipticCurveAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      ellipticCurveAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = getEllipticCurveType() }
+}
+
+/**
+ * Special cased to address the fact that arg index 3 (zero offset based) is the curve name.
+ * ASSUMPTION: if the arg ind 3 is a char* assume it is an elliptic curve
+ */
+class EllipticCurveAlgorithmSink_EVP_PKEY_Q_keygen extends AlgorithmSinkArgument {
+  EllipticCurveAlgorithmSink_EVP_PKEY_Q_keygen() {
+    exists(Call c, string funcName |
+      funcName = c.getTarget().getName() and
+      this = c.getArgument(3)
+    |
+      funcName = "EVP_PKEY_Q_keygen" and
+      c.getArgument(3).getType().getUnderlyingType() instanceof PointerType and
+      c.getArgument(3).getType().getUnderlyingType().stripType() instanceof CharType
+    )
+  }
+
+  override string algType() { result = getEllipticCurveType() }
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_new_id.html
+// https://www.openssl.org/docs/man1.1.1/man3/EVP_PKEY_new_raw_private_key.html
+// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_new.html
+// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_ctrl.html
+// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_Q_keygen.html
+// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_ctrl.html
+predicate asymmetricAlgorithmSink(string funcName, int argInd) {
+  funcName = "EVP_PKEY_CTX_new_id" and argInd = 0
+  or
+  funcName = "EVP_PKEY_CTX_new_from_name" and argInd = 1
+  or
+  funcName in [
+      "EVP_PKEY_new_raw_private_key", "EVP_PKEY_new_raw_public_key", "EVP_PKEY_new_mac_key"
+    ] and
+  argInd = 0
+  or
+  funcName in ["EVP_PKEY_new_raw_private_key_ex", "EVP_PKEY_new_raw_public_key_ex"] and argInd = 1
+  or
+  // special casing this as arg index 3 must be specified depending on if RSA or ECC, and otherwise not specified for other algs
+  // funcName = "EVP_PKEY_Q_keygen" and argInd = 2
+  funcName in ["EVP_PKEY_CTX_ctrl", "EVP_PKEY_CTX_set_group_name"] and argInd = 1
+  // TODO consider void cases EVP_PKEY_new
+}
+
+class AsymmetricAlgorithmSink extends AlgorithmSinkArgument {
+  AsymmetricAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      asymmetricAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = getAsymmetricType() }
+}
+
+class AsymmetricAlgorithmSink_EVP_PKEY_Q_keygen extends AlgorithmSinkArgument {
+  AsymmetricAlgorithmSink_EVP_PKEY_Q_keygen() {
+    exists(Call c, string funcName |
+      funcName = c.getTarget().getName() and
+      this = c.getArgument(2)
+    |
+      funcName = "EVP_PKEY_Q_keygen" and
+      not exists(c.getArgument(3))
+    )
+  }
+
+  override string algType() { result = getAsymmetricType() }
+}
--- a/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/CryptoAlgorithm.qll
+++ b/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/CryptoAlgorithm.qll
--- a/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/CryptoFunction.qll
+++ b/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/CryptoFunction.qll
@@ -0,0 +1,121 @@
+import cpp
+import experimental.cryptography.utils.OpenSSL.LibraryFunction
+import experimental.cryptography.CryptoAlgorithmNames
+
+predicate inferredOpenSSLCryptoFunctionCall(Call c, string normalized, string algType) {
+  inferredOpenSSLCryptoFunction(c.getTarget(), normalized, algType)
+}
+
+predicate inferredOpenSSLCryptoFunction(Function f, string normalized, string algType) {
+  isPossibleOpenSSLFunction(f) and
+  normalizeFunctionName(f, algType) = normalized
+}
+
+predicate isOpenSSLCryptoFunction(Function f, string normalized, string algType) {
+  // NOTE: relying on inference as there are thousands of functions for crypto
+  //       enumerating them all and maintaining the list seems problematic.
+  //       For now, we will rely on dynamically inferring algorithms for function names.
+  //       This has been seen to be reasonably efficient and accurate.
+  inferredOpenSSLCryptoFunction(f, normalized, algType)
+}
+
+predicate isOpenSSLCryptoFunctionCall(Call c, string normalized, string algType) {
+  isOpenSSLCryptoFunction(c.getTarget(), normalized, algType)
+}
+
+private string basicNormalizeFunctionName(Function f, string algType) {
+  isPossibleOpenSSLFunction(f) and
+  isKnownAlgorithm(result, algType) and
+  exists(string normStr | normStr = f.getName().toUpperCase().regexpReplaceAll("[-_ ]|/", "") |
+    normStr.matches("%" + result + "%")
+  )
+}
+
+/**
+ * Converts a raw OpenSSL algorithm to a normalized algorithm name.
+ *
+ * If more than one match occurs for a given algorithm type, normalize attempts to find the "max"
+ * string (max in terms of string length) e.g., matching AES128 to AES128 and not simply AES.
+ *
+ * An unknown algorithm is only identified if there exists no known algorithm found for any algorithm type.
+ *
+ * `f` is the function name to normalize.
+ * `algType` is a string representing the classification of the algorithm (see `CryptoAlgorithmNames`)
+ */
+private string privateNormalizeFunctionName(Function f, string algType) {
+  isPossibleOpenSSLFunction(f) and
+  result = basicNormalizeFunctionName(f, algType) and
+  not exists(string res2 |
+    result != res2 and
+    res2 = basicNormalizeFunctionName(f, algType) and
+    res2.length() > result.length()
+  )
+}
+
+/**
+ * Normalizes a function name to a known algorithm name, similar to `normalizeName`.
+ * A function is not, however, allowed to be UNKNOWN. The function either
+ * normalizes to a known algorithm name, or the predicate does not hold (no result).
+ *
+ * The predicate attempts to restrict normalization to what looks like an openssl
+ * library by looking for functions only in an openssl path (see `isPossibleOpenSSLFunction`).
+ * This may give false postive functions if a directory erronously appears to be openssl;
+ * however, we take the stance that if a function
+ * exists strongly mapping to a known function name in a directory such as these,
+ * regardless of whether its actually a part of openSSL or not, we will analyze it as though it were.
+ */
+private string normalizeFunctionName(Function f, string algType) {
+  algType != "UNKNOWN" and
+  isPossibleOpenSSLFunction(f) and
+  result = privateNormalizeFunctionName(f, algType) and
+  // Addressing false positives
+  // For algorithm names less than or equal to 4, we must see the algorithm name
+  // in the original function as upper case (it can't be split between tokens)
+  // One exception found is DES_xcbc_encrypt, this is DESX
+  (
+    (result.length() <= 4 and result != "DESX")
+    implies
+    f.getName().toUpperCase().matches("%" + result + "%")
+  ) and
+  (
+    (result.length() <= 4 and result = "DESX")
+    implies
+    (f.getName().toUpperCase().matches("%DESX%") or f.getName().toUpperCase().matches("%DES_X%"))
+  ) and
+  // (result.length() <= 3 implies (not f.getName().toUpperCase().regexpMatch(".*" + result + "[a-zA-Z0-9].*|.*[a-zA-Z0-9]" + result + ".*")))
+  // and
+  // DES specific false positives
+  (
+    result.matches("DES")
+    implies
+    not f.getName().toUpperCase().regexpMatch(".*DES[a-zA-Z0-9].*|.*[a-zA-Z0-9]DES.*")
+  ) and
+  // ((result.matches("%DES%")) implies not exists(string s | s in ["DESCRIBE", "DESTROY", "DESCRIPTION", "DESCRIPTOR", "NODES"] |
+  //     f.getName().toUpperCase().matches("%" + s + "%"))) and
+  // SEED specific false positives
+  (
+    result.matches("SEED")
+    implies
+    not exists(string s |
+      s in [
+          "SEED_SRC_GENERATE", "RAND", "NEW_SEED", "GEN_SEED", "SEED_GEN", "SET_SEED", "GET_SEED",
+          "GET0_SEED", "RESEED", "SEEDING"
+        ]
+    |
+      f.getName().toUpperCase().matches("%" + s + "%")
+    )
+  ) and
+  // ARIA specific false positives
+  (result.matches("ARIA") implies not f.getName().toUpperCase().matches("%VARIANT%")) and
+  // CTR false positives
+  (result.matches("CTR") implies not f.getName().toUpperCase().matches("%CTRL%")) and
+  // ES false positives (e.g., ES256 from AES256)
+  (result.matches("ES%") implies not f.getName().toUpperCase().matches("%AES%")) and
+  // RSA false positives
+  (result.matches("RSA") implies not f.getName().toUpperCase().matches("%UNIVERSAL%")) and
+  //rsaz functions deemed to be too low level, and can be ignored
+  not f.getLocation().getFile().getBaseName().matches("rsaz_exp.c") and
+  // General False positives
+  // Functions that 'get' do not set an algorithm, and therefore are considered ignorable
+  not f.getName().toLowerCase().matches("%get%")
+}
--- a/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/DataBuilders.qll
+++ b/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/DataBuilders.qll
@@ -0,0 +1,153 @@
+/**
+ * This file contains predicates create to build up initial data sets for OpenSSL
+ * predicates. E.g., These predicates were used to assist in associating all
+ * openSSL functions with their known crypto algorithms.
+ */
+
+import cpp
+import experimental.cryptography.CryptoAlgorithmNames
+import experimental.cryptography.utils.OpenSSL.CryptoFunction
+
+private string basicNormalizeFunctionName(Function f, string algType) {
+  isKnownAlgorithm(result, algType) and
+  exists(string normStr | normStr = f.getName().toUpperCase().regexpReplaceAll("[-_ ]|/", "") |
+    normStr.matches("%" + result + "%")
+  )
+}
+
+/**
+ * Converts a raw OpenSSL algorithm to a normalized algorithm name.
+ *
+ * If more than one match occurs for a given algorithm type, normalize attempts to find the "max"
+ * string (max in terms of string length) e.g., matching AES128 to AES128 and not simply AES.
+ *
+ * An unknown algorithm is only identified if there exists no known algorithm found for any algorithm type.
+ *
+ * `f` is the function name to normalize.
+ * `algType` is a string representing the classification of the algorithm (see `CryptoAlgorithmNames`)
+ */
+private string privateNormalizeFunctionName(Function f, string algType) {
+  result = basicNormalizeFunctionName(f, algType) and
+  not exists(string res2 |
+    result != res2 and
+    res2 = basicNormalizeFunctionName(f, algType) and
+    res2.length() > result.length()
+  ) and
+  // Addressing bad normalization case-by-case
+  // CASE: ES256 being identified when the algorithm is AES256
+  (
+    result.matches("ES256")
+    implies
+    not exists(string res2 | res2 = basicNormalizeFunctionName(f, _) and res2.matches("AES%"))
+  )
+}
+
+/**
+ * Normalizes a function name to a known algorithm name, similar to `normalizeName`.
+ * A function is not, however, allowed to be UNKNOWN. The function either
+ * normalizes to a known algorithm name, or the predicate does not hold (no result).
+ *
+ * The predicate attempts to restrict normalization to what looks like an openssl
+ * library by looking for functions only in an openssl path (see `isPossibleOpenSSLFunction`).
+ * This may give false postive functions if a directory erronously appears to be openssl;
+ * however, we take the stance that if a function
+ * exists strongly mapping to a known function name in a directory such as these,
+ * regardless of whether its actually a part of openSSL or not, we will analyze it as though it were.
+ */
+string normalizeFunctionName(Function f, string algType) {
+  algType != "UNKNOWN" and
+  result = privateNormalizeFunctionName(f, algType) and
+  openSSLLibraryFunc(f) and
+  // Addressing false positives
+  // For algorithm names less than or equal to 4, we must see the algorithm name
+  // in the original function as upper case (it can't be split between tokens)
+  // One exception found is DES_xcbc_encrypt, this is DESX
+  (
+    (result.length() <= 4 and result != "DESX")
+    implies
+    f.getName().toUpperCase().matches("%" + result + "%")
+  ) and
+  (
+    (result.length() <= 4 and result = "DESX")
+    implies
+    (f.getName().toUpperCase().matches("%DESX%") or f.getName().toUpperCase().matches("%DES_X%"))
+  ) and
+  // (result.length() <= 3 implies (not f.getName().toUpperCase().regexpMatch(".*" + result + "[a-zA-Z0-9].*|.*[a-zA-Z0-9]" + result + ".*")))
+  // and
+  // DES specific false positives
+  (
+    result.matches("DES")
+    implies
+    not f.getName().toUpperCase().regexpMatch(".*DES[a-zA-Z0-9].*|.*[a-zA-Z0-9]DES.*")
+  ) and
+  // ((result.matches("%DES%")) implies not exists(string s | s in ["DESCRIBE", "DESTROY", "DESCRIPTION", "DESCRIPTOR", "NODES"] |
+  //     f.getName().toUpperCase().matches("%" + s + "%"))) and
+  // SEED specific false positives
+  (
+    result.matches("%SEED%")
+    implies
+    not not exists(string s |
+      s in ["NEW_SEED", "GEN_SEED", "SET_SEED", "GET_SEED", "GET0_SEED", "RESEED", "SEEDING"]
+    |
+      f.getName().toUpperCase().matches("%" + s + "%")
+    )
+  ) and
+  // ARIA specific false positives
+  (result.matches("%ARIA%") implies not f.getName().toUpperCase().matches("%VARIANT%"))
+}
+
+/**
+ * Predicate to support name normalization.
+ * Converts the raw name upper-case with no hyphen, slash, underscore, hash, or space.
+ * Looks for substrings that are known algorithms, and normalizes the name.
+ * If the algorithm cannot be determined or is in the ignorable list (`isIgnorableOpenSSLAlgorithm`)
+ * this predicate will not resolve a name.
+ *
+ * Rationale for private: For normalization, we want to get the longest string for a normalized name match
+ *       for a given algorithm type. I found this easier to express if the public normalizeName
+ *       checks that the name is the longest, and that UNKNOWN is reserved if there exists no
+ *       result from this predicate that is known.
+ */
+bindingset[name]
+string privateNormalizeName(string name, string algType) {
+  //not isIgnorableOpenSSLAlgorithm(name, _, _) and
+  // targetOpenSSLAlgorithm(name, _) and
+  isKnownAlgorithm(result, algType) and
+  exists(string normStr | normStr = name.toUpperCase().regexpReplaceAll("[-_ ]|/", "") |
+    normStr.matches("%" + result + "%")
+  )
+}
+
+/**
+ * Converts a raw OpenSSL algorithm to a normalized algorithm name.
+ *
+ * If more than one match occurs for a given algorithm type, normalize attempts to find the "max"
+ * string (max in terms of string length) e.g., matching AES128 to AES128 and not simply AES.
+ *
+ * An unknown algorithm is only identified if there exists no known algorithm found for any algorithm type.
+ *
+ * `name` is the name to normalize.
+ * `algType` is a string representing the classification of the algorithm (see `CryptoAlgorithmNames`)
+ */
+bindingset[name]
+string normalizeName(string name, string algType) {
+  (
+    if exists(privateNormalizeName(name, _))
+    then result = privateNormalizeName(name, algType)
+    else (
+      result = unknownAlgorithm() and algType = "UNKNOWN"
+    )
+  ) and
+  not exists(string res2 |
+    result != res2 and
+    res2 = privateNormalizeName(name, algType) and
+    res2.length() > result.length()
+  ) and
+  // Addressing bad normalization case-by-case
+  // CASE: ES256 being identified when the algorithm is AES256
+  (
+    result.matches("ES256")
+    implies
+    not exists(string res2 | res2 = privateNormalizeName(name, _) and res2.matches("AES%"))
+  )
+}
--- a/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/LibraryFunction.qll
+++ b/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/LibraryFunction.qll
--- a/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/PassthroughFunction.qll
+++ b/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/PassthroughFunction.qll
@@ -0,0 +1,59 @@
+import cpp
+import experimental.cryptography.utils.OpenSSL.LibraryFunction
+import semmle.code.cpp.ir.dataflow.DataFlow
+
+// TODO: possible use of extensible predicates here
+// NOTE: -1 for outInd represents the return value
+predicate knownPassthroughFunction(Function f, int inInd, int outInd) {
+  // Trace through functions
+  // See https://www.openssl.org/docs/man1.1.1/man3/OBJ_obj2txt
+  //     https://www.openssl.org/docs/man3.0/man3/EVP_CIPHER_get0_name
+  openSSLLibraryFunc(f) and
+  (
+    f.getName() in [
+        "OBJ_nid2obj", "OBJ_nid2ln", "OBJ_nid2sn", "OBJ_obj2nid", "OBJ_ln2nid", "OBJ_sn2nid",
+        "OBJ_txt2nid", "OBJ_txt2obj", "OBJ_dup", "EVP_CIPHER_get0_name"
+      ] and
+    inInd = 0 and
+    outInd = -1
+    or
+    f.getName() in ["OBJ_obj2txt", "i2t_ASN1_OBJECT"] and
+    inInd = 2 and
+    outInd = 0
+    or
+    // Dup/copy pattern occurs in more places,
+    //see: https://www.openssl.org/docs/manmaster/man3/EC_KEY_copy.html and https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_dup.html
+    f.getName().matches("%_dup") and inInd = 0 and outInd = -1
+    or
+    f.getName().matches("%_copy") and inInd = 0 and outInd = -1
+  )
+}
+
+/**
+ * `c` is a call to a function that preserves the algorithm but changes its form.
+ * `onExpr` is the input argument passing through to, `outExpr` is the next expression in a dataflow step associated with `c`
+ */
+predicate knownPassthoughCall(Call c, Expr inExpr, Expr outExpr) {
+  exists(int inInd, int outInd |
+    knownPassthroughFunction(c.getTarget(), inInd, outInd) and
+    inExpr = c.getArgument(inInd) and
+    if outInd = -1 then outExpr = c else outExpr = c.getArgument(outInd)
+  )
+}
+
+/*
+ * Explicitly add flow through openssl functions that preserve the algorithm but alter the form (e.g., from NID to string)
+ */
+
+predicate knownPassThroughStep(DataFlow::Node node1, DataFlow::Node node2) {
+  exists(Expr cur, Expr next |
+    (cur = node1.asExpr() or cur = node1.asIndirectArgument()) and
+    (
+      next = node2.asExpr() or
+      next = node2.asIndirectArgument() or
+      next = node2.asDefiningArgument()
+    )
+  |
+    exists(Call c | knownPassthoughCall(c, cur, next))
+  )
+}
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.9.0
+version: 0.11.0
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
@@ -7,6 +7,7 @@ library: true
 upgrades: upgrades
 dependencies:
  codeql/dataflow: ${workspace}
+  codeql/rangeanalysis: ${workspace}
  codeql/ssa: ${workspace}
  codeql/tutorial: ${workspace}
  codeql/util: ${workspace}
--- a/cpp/ql/lib/semmle/code/cpp/File.qll
+++ b/cpp/ql/lib/semmle/code/cpp/File.qll
@@ -5,155 +5,35 @@
 import semmle.code.cpp.Element
 import semmle.code.cpp.Declaration
 import semmle.code.cpp.metrics.MetricFile
+private import codeql.util.FileSystem
+
+private module Input implements InputSig {
+  abstract class ContainerBase extends @container {
+    abstract string getAbsolutePath();
+
+    ContainerBase getParentContainer() {
+      containerparent(unresolveElement(result), underlyingElement(this))
+    }
+
+    string toString() { result = this.getAbsolutePath() }
+  }
+
+  class FolderBase extends ContainerBase, @folder {
+    override string getAbsolutePath() { folders(underlyingElement(this), result) }
+  }
+
+  class FileBase extends ContainerBase, @file {
+    override string getAbsolutePath() { files(underlyingElement(this), result) }
+  }
+
+  predicate hasSourceLocationPrefix = sourceLocationPrefix/1;
+}
+
+private module Impl = Make<Input>;

 /** A file or folder. */
-class Container extends Locatable, @container {
-  /**
-   * Gets the absolute, canonical path of this container, using forward slashes
-   * as path separator.
-   *
-   * The path starts with a _root prefix_ followed by zero or more _path
-   * segments_ separated by forward slashes.
-   *
-   * The root prefix is of one of the following forms:
-   *
-   *   1. A single forward slash `/` (Unix-style)
-   *   2. An upper-case drive letter followed by a colon and a forward slash,
-   *      such as `C:/` (Windows-style)
-   *   3. Two forward slashes, a computer name, and then another forward slash,
-   *      such as `//FileServer/` (UNC-style)
-   *
-   * Path segments are never empty (that is, absolute paths never contain two
-   * contiguous slashes, except as part of a UNC-style root prefix). Also, path
-   * segments never contain forward slashes, and no path segment is of the
-   * form `.` (one dot) or `..` (two dots).
-   *
-   * Note that an absolute path never ends with a forward slash, except if it is
-   * a bare root prefix, that is, the path has no path segments. A container
-   * whose absolute path has no segments is always a `Folder`, not a `File`.
-   */
-  string getAbsolutePath() { none() } // overridden by subclasses
-
-  /**
-   * Gets the relative path of this file or folder from the root folder of the
-   * analyzed source location. The relative path of the root folder itself is
-   * the empty string.
-   *
-   * This has no result if the container is outside the source root, that is,
-   * if the root folder is not a reflexive, transitive parent of this container.
-   */
-  string getRelativePath() {
-    exists(string absPath, string pref |
-      absPath = this.getAbsolutePath() and sourceLocationPrefix(pref)
-    |
-      absPath = pref and result = ""
-      or
-      absPath = pref.regexpReplaceAll("/$", "") + "/" + result and
-      not result.matches("/%")
-    )
-  }
-
-  /**
-   * Gets the base name of this container including extension, that is, the last
-   * segment of its absolute path, or the empty string if it has no segments.
-   *
-   * Here are some examples of absolute paths and the corresponding base names
-   * (surrounded with quotes to avoid ambiguity):
-   *
-   * <table border="1">
-   * <tr><th>Absolute path</th><th>Base name</th></tr>
-   * <tr><td>"/tmp/tst.js"</td><td>"tst.js"</td></tr>
-   * <tr><td>"C:/Program Files (x86)"</td><td>"Program Files (x86)"</td></tr>
-   * <tr><td>"/"</td><td>""</td></tr>
-   * <tr><td>"C:/"</td><td>""</td></tr>
-   * <tr><td>"D:/"</td><td>""</td></tr>
-   * <tr><td>"//FileServer/"</td><td>""</td></tr>
-   * </table>
-   */
-  string getBaseName() {
-    result = this.getAbsolutePath().regexpCapture(".*/(([^/]*?)(?:\\.([^.]*))?)", 1)
-  }
-
-  /**
-   * Gets the extension of this container, that is, the suffix of its base name
-   * after the last dot character, if any.
-   *
-   * In particular,
-   *
-   *  - if the name does not include a dot, there is no extension, so this
-   *    predicate has no result;
-   *  - if the name ends in a dot, the extension is the empty string;
-   *  - if the name contains multiple dots, the extension follows the last dot.
-   *
-   * Here are some examples of absolute paths and the corresponding extensions
-   * (surrounded with quotes to avoid ambiguity):
-   *
-   * <table border="1">
-   * <tr><th>Absolute path</th><th>Extension</th></tr>
-   * <tr><td>"/tmp/tst.js"</td><td>"js"</td></tr>
-   * <tr><td>"/tmp/.classpath"</td><td>"classpath"</td></tr>
-   * <tr><td>"/bin/bash"</td><td>not defined</td></tr>
-   * <tr><td>"/tmp/tst2."</td><td>""</td></tr>
-   * <tr><td>"/tmp/x.tar.gz"</td><td>"gz"</td></tr>
-   * </table>
-   */
-  string getExtension() {
-    result = this.getAbsolutePath().regexpCapture(".*/([^/]*?)(\\.([^.]*))?", 3)
-  }
-
-  /**
-   * Gets the stem of this container, that is, the prefix of its base name up to
-   * (but not including) the last dot character if there is one, or the entire
-   * base name if there is not.
-   *
-   * Here are some examples of absolute paths and the corresponding stems
-   * (surrounded with quotes to avoid ambiguity):
-   *
-   * <table border="1">
-   * <tr><th>Absolute path</th><th>Stem</th></tr>
-   * <tr><td>"/tmp/tst.js"</td><td>"tst"</td></tr>
-   * <tr><td>"/tmp/.classpath"</td><td>""</td></tr>
-   * <tr><td>"/bin/bash"</td><td>"bash"</td></tr>
-   * <tr><td>"/tmp/tst2."</td><td>"tst2"</td></tr>
-   * <tr><td>"/tmp/x.tar.gz"</td><td>"x.tar"</td></tr>
-   * </table>
-   */
-  string getStem() {
-    result = this.getAbsolutePath().regexpCapture(".*/([^/]*?)(?:\\.([^.]*))?", 1)
-  }
-
-  /** Gets the parent container of this file or folder, if any. */
-  Container getParentContainer() {
-    containerparent(unresolveElement(result), underlyingElement(this))
-  }
-
-  /** Gets a file or sub-folder in this container. */
-  Container getAChildContainer() { this = result.getParentContainer() }
-
-  /** Gets a file in this container. */
-  File getAFile() { result = this.getAChildContainer() }
-
-  /** Gets the file in this container that has the given `baseName`, if any. */
-  File getFile(string baseName) {
-    result = this.getAFile() and
-    result.getBaseName() = baseName
-  }
-
-  /** Gets a sub-folder in this container. */
-  Folder getAFolder() { result = this.getAChildContainer() }
-
-  /** Gets the sub-folder in this container that has the given `baseName`, if any. */
-  Folder getFolder(string baseName) {
-    result = this.getAFolder() and
-    result.getBaseName() = baseName
-  }
-
-  /**
-   * Gets a textual representation of the path of this container.
-   *
-   * This is the absolute path of the container.
-   */
-  override string toString() { result = this.getAbsolutePath() }
+class Container extends ElementBase, Impl::Container {
+  override string toString() { result = Impl::Container.super.toString() }
 }

 /**
@@ -166,14 +46,7 @@ class Container extends Locatable, @container {
 *
 * To get the full path, use `getAbsolutePath`.
 */
-class Folder extends Container, @folder {
-  override string getAbsolutePath() { folders(underlyingElement(this), result) }
-
-  override Location getLocation() {
-    result.getContainer() = this and
-    result.hasLocationInfo(_, 0, 0, 0, 0)
-  }
-
+class Folder extends Container, Impl::Folder {
  override string getAPrimaryQlClass() { result = "Folder" }
 }

@@ -189,9 +62,7 @@ class Folder extends Container, @folder {
 * The base name further decomposes into the _stem_ and _extension_ -- see
 * `getStem` and `getExtension`. To get the full path, use `getAbsolutePath`.
 */
-class File extends Container, @file {
-  override string getAbsolutePath() { files(underlyingElement(this), result) }
-
+class File extends Container, Locatable, Impl::File {
  override string getAPrimaryQlClass() { result = "File" }

  override Location getLocation() {
--- a/cpp/ql/lib/semmle/code/cpp/NameQualifiers.qll
+++ b/cpp/ql/lib/semmle/code/cpp/NameQualifiers.qll
@@ -158,9 +158,7 @@ class NameQualifyingElement extends Element, @namequalifyingelement {
 /**
 * A special name-qualifying element. For example: `__super`.
 */
-library class SpecialNameQualifyingElement extends NameQualifyingElement,
-  @specialnamequalifyingelement
-{
+class SpecialNameQualifyingElement extends NameQualifyingElement, @specialnamequalifyingelement {
  /** Gets the name of this special qualifying element. */
  override string getName() { specialnamequalifyingelements(underlyingElement(this), result) }

--- a/cpp/ql/lib/semmle/code/cpp/PrintAST.qll
+++ b/cpp/ql/lib/semmle/code/cpp/PrintAST.qll
@@ -826,17 +826,11 @@ private predicate namedExprChildPredicates(Expr expr, Element ele, string pred)
    or
    expr.(Conversion).getExpr() = ele and pred = "getExpr()"
    or
-    expr.(DeleteArrayExpr).getAllocatorCall() = ele and pred = "getAllocatorCall()"
+    expr.(DeleteOrDeleteArrayExpr).getDeallocatorCall() = ele and pred = "getDeallocatorCall()"
    or
-    expr.(DeleteArrayExpr).getDestructorCall() = ele and pred = "getDestructorCall()"
+    expr.(DeleteOrDeleteArrayExpr).getDestructorCall() = ele and pred = "getDestructorCall()"
    or
-    expr.(DeleteArrayExpr).getExpr() = ele and pred = "getExpr()"
-    or
-    expr.(DeleteExpr).getAllocatorCall() = ele and pred = "getAllocatorCall()"
-    or
-    expr.(DeleteExpr).getDestructorCall() = ele and pred = "getDestructorCall()"
-    or
-    expr.(DeleteExpr).getExpr() = ele and pred = "getExpr()"
+    expr.(DeleteOrDeleteArrayExpr).getExpr() = ele and pred = "getExpr()"
    or
    expr.(DestructorFieldDestruction).getExpr() = ele and pred = "getExpr()"
    or
--- a/cpp/ql/lib/semmle/code/cpp/Type.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Type.qll
@@ -819,6 +819,30 @@ private predicate floatingPointTypeMapping(
  or
  // _Complex _Float16
  kind = 53 and base = 2 and domain = TComplexDomain() and realKind = 52 and extended = false
+  or
+  // __fp16
+  kind = 54 and base = 2 and domain = TRealDomain() and realKind = 54 and extended = false
+  or
+  // __bf16
+  kind = 55 and base = 2 and domain = TRealDomain() and realKind = 55 and extended = false
+  or
+  // std::float16_t
+  kind = 56 and base = 2 and domain = TRealDomain() and realKind = 56 and extended = false
+  or
+  // _Complex _Float32
+  kind = 57 and base = 2 and domain = TComplexDomain() and realKind = 45 and extended = false
+  or
+  // _Complex _Float32x
+  kind = 58 and base = 2 and domain = TComplexDomain() and realKind = 46 and extended = true
+  or
+  // _Complex _Float64
+  kind = 59 and base = 2 and domain = TComplexDomain() and realKind = 47 and extended = false
+  or
+  // _Complex _Float64x
+  kind = 60 and base = 2 and domain = TComplexDomain() and realKind = 48 and extended = true
+  or
+  // _Complex _Float128
+  kind = 61 and base = 2 and domain = TComplexDomain() and realKind = 49 and extended = false
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll
@@ -73,6 +73,10 @@ private int isSource(Expr bufferExpr, Element why) {
  )
 }

+/** Same as `getBufferSize`, but with the `why` column projected away to prevent large duplications. */
+pragma[nomagic]
+int getBufferSizeProj(Expr bufferExpr) { result = getBufferSize(bufferExpr, _) }
+
 /**
 * Get the size in bytes of the buffer pointed to by an expression (if this can be determined).
 */
@@ -87,7 +91,7 @@ int getBufferSize(Expr bufferExpr, Element why) {
    why = bufferVar and
    parentPtr = bufferExpr.(VariableAccess).getQualifier() and
    parentPtr.getTarget().getUnspecifiedType().(PointerType).getBaseType() = parentClass and
-    result = getBufferSize(parentPtr, _) + bufferSize - parentClass.getSize()
+    result = getBufferSizeProj(parentPtr) + bufferSize - parentClass.getSize()
  |
    if exists(bufferVar.getType().getSize())
    then bufferSize = bufferVar.getType().getSize()
@@ -95,7 +99,6 @@ int getBufferSize(Expr bufferExpr, Element why) {
  )
  or
  // dataflow (all sources must be the same size)
-  result = unique(Expr def | DataFlow::localExprFlowStep(def, bufferExpr) | getBufferSize(def, _)) and
-  // find reason
+  result = unique(Expr def | DataFlow::localExprFlowStep(def, bufferExpr) | getBufferSizeProj(def)) and
  exists(Expr def | DataFlow::localExprFlowStep(def, bufferExpr) | exists(getBufferSize(def, why)))
 }
--- a/cpp/ql/lib/semmle/code/cpp/commons/StringAnalysis.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/StringAnalysis.qll
@@ -27,9 +27,6 @@ predicate canValueFlow(Expr fromExpr, Expr toExpr) {
  fromExpr = toExpr.(ConditionalExpr).getElse()
 }

-/** DEPRECATED: Alias for AnalyzedString */
-deprecated class AnalysedString = AnalyzedString;
-
 /**
 * An analyzed null terminated string.
 */
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/DefinitionsAndUses.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/DefinitionsAndUses.qll
@@ -78,7 +78,7 @@ predicate parameterUsePair(Parameter p, VariableAccess va) {
 /**
 * Utility class: A definition or use of a stack variable.
 */
-library class DefOrUse extends ControlFlowNodeBase {
+class DefOrUse extends ControlFlowNodeBase {
  DefOrUse() {
    // Uninstantiated templates are purely syntax, and only on instantiation
    // will they be complete with information about types, conversions, call
@@ -140,7 +140,7 @@ library class DefOrUse extends ControlFlowNodeBase {
 }

 /** A definition of a stack variable. */
-library class Def extends DefOrUse {
+class Def extends DefOrUse {
  Def() { definition(_, this) }

  override SemanticStackVariable getVariable(boolean isDef) {
@@ -155,7 +155,7 @@ private predicate parameterIsOverwritten(Function f, Parameter p) {
 }

 /** A definition of a parameter. */
-library class ParameterDef extends DefOrUse {
+class ParameterDef extends DefOrUse {
  ParameterDef() {
    // Optimization: parameters that are not overwritten do not require
    // reachability analysis
@@ -169,7 +169,7 @@ library class ParameterDef extends DefOrUse {
 }

 /** A use of a stack variable. */
-library class Use extends DefOrUse {
+class Use extends DefOrUse {
  Use() { useOfVar(_, this) }

  override SemanticStackVariable getVariable(boolean isDef) {
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/Dereferenced.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/Dereferenced.qll
@@ -26,17 +26,18 @@ predicate callDereferences(FunctionCall fc, int i) {
 }

 /**
- * Holds if evaluation of `op` dereferences `e`.
+ * Holds if evaluation of `op` dereferences `e` directly.
+ *
+ * This predicate does not recurse through function calls or arithmetic operations. To find
+ * such cases, use `dereferencedByOperation`.
 */
-predicate dereferencedByOperation(Expr op, Expr e) {
+predicate directDereferencedByOperation(Expr op, Expr e) {
  exists(PointerDereferenceExpr deref |
    deref.getAChild() = e and
    deref = op and
    not deref.getParent*() instanceof SizeofOperator
  )
  or
-  exists(CrementOperation crement | dereferencedByOperation(e, op) and crement.getOperand() = e)
-  or
  exists(ArrayExpr ae |
    (
      not ae.getParent() instanceof AddressOfExpr and
@@ -50,6 +51,24 @@ predicate dereferencedByOperation(Expr op, Expr e) {
    )
  )
  or
+  // ptr->Field
+  e = op.(FieldAccess).getQualifier() and isClassPointerType(e.getType())
+  or
+  // ptr->method()
+  e = op.(Call).getQualifier() and isClassPointerType(e.getType())
+}
+
+/**
+ * Holds if evaluation of `op` dereferences `e`.
+ *
+ * This includes the set of operations identified via `directDereferencedByOperation`, as well
+ * as calls to function that are known to dereference an argument.
+ */
+predicate dereferencedByOperation(Expr op, Expr e) {
+  directDereferencedByOperation(op, e)
+  or
+  exists(CrementOperation crement | dereferencedByOperation(e, op) and crement.getOperand() = e)
+  or
  exists(AddressOfExpr addof, ArrayExpr ae |
    dereferencedByOperation(addof, op) and
    addof.getOperand() = ae and
@@ -74,12 +93,6 @@ predicate dereferencedByOperation(Expr op, Expr e) {
    e = fc.getArgument(i) and
    op = fc
  )
-  or
-  // ptr->Field
-  e = op.(FieldAccess).getQualifier() and isClassPointerType(e.getType())
-  or
-  // ptr->method()
-  e = op.(Call).getQualifier() and isClassPointerType(e.getType())
 }

 private predicate isClassPointerType(Type t) {
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll
@@ -240,7 +240,7 @@ private class GuardConditionFromIR extends GuardCondition {
   */
  private predicate controlsBlock(BasicBlock controlled, boolean testIsTrue) {
    exists(IRBlock irb |
-      forex(IRGuardCondition inst | inst = ir | inst.controls(irb, testIsTrue)) and
+      ir.controls(irb, testIsTrue) and
      irb.getAnInstruction().getAst().(ControlFlowNode).getBasicBlock() = controlled and
      not isUnreachedBlock(irb)
    )
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/SSA.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/SSA.qll
@@ -10,7 +10,7 @@ import SSAUtils
 * The SSA logic comes in two versions: the standard SSA and range-analysis RangeSSA.
 * This class provides the standard SSA logic.
 */
-library class StandardSsa extends SsaHelper {
+class StandardSsa extends SsaHelper {
  StandardSsa() { this = 0 }
 }

--- a/cpp/ql/lib/semmle/code/cpp/controlflow/SSAUtils.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/SSAUtils.qll
@@ -114,7 +114,7 @@ private predicate live_at_exit_of_bb(StackVariable v, BasicBlock b) {

 /** Common SSA logic for standard SSA and range-analysis SSA. */
 cached
-library class SsaHelper extends int {
+class SsaHelper extends int {
  /* 0 = StandardSSA, 1 = RangeSSA */
  cached
  SsaHelper() { this in [0 .. 1] }
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/internal/CFG.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/internal/CFG.qll
@@ -332,21 +332,12 @@ private Node getControlOrderChildSparse(Node n, int i) {
  n = any(ConditionDeclExpr cd | i = 0 and result = cd.getInitializingExpr())
  or
  n =
-    any(DeleteExpr del |
+    any(DeleteOrDeleteArrayExpr del |
      i = 0 and result = del.getExpr()
      or
      i = 1 and result = del.getDestructorCall()
      or
-      i = 2 and result = del.getAllocatorCall()
-    )
-  or
-  n =
-    any(DeleteArrayExpr del |
-      i = 0 and result = del.getExpr()
-      or
-      i = 1 and result = del.getDestructorCall()
-      or
-      i = 2 and result = del.getAllocatorCall()
+      i = 2 and result = del.getDeallocatorCall()
    )
  or
  n =
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/internal/ConstantExprs.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/internal/ConstantExprs.qll
@@ -366,12 +366,12 @@ class CompileTimeConstantInt extends Expr {
  int getIntValue() { result = val }
 }

-library class CompileTimeVariableExpr extends Expr {
+class CompileTimeVariableExpr extends Expr {
  CompileTimeVariableExpr() { not this instanceof CompileTimeConstantInt }
 }

 /** A helper class for evaluation of expressions. */
-library class ExprEvaluator extends int {
+class ExprEvaluator extends int {
  /*
   * 0 = ConditionEvaluator,
   * 1 = SwitchEvaluator,
@@ -956,7 +956,7 @@ private predicate returnStmt(Function f, Expr value) {
 }

 /** A helper class for evaluation of conditions. */
-library class ConditionEvaluator extends ExprEvaluator {
+class ConditionEvaluator extends ExprEvaluator {
  ConditionEvaluator() { this = 0 }

  override predicate interesting(Expr e) {
@@ -967,7 +967,7 @@ library class ConditionEvaluator extends ExprEvaluator {
 }

 /** A helper class for evaluation of switch expressions. */
-library class SwitchEvaluator extends ExprEvaluator {
+class SwitchEvaluator extends ExprEvaluator {
  SwitchEvaluator() { this = 1 }

  override predicate interesting(Expr e) { e = getASwitchExpr(_, _) }
@@ -976,7 +976,7 @@ library class SwitchEvaluator extends ExprEvaluator {
 private int getSwitchValue(Expr e) { exists(SwitchEvaluator x | result = x.getValue(e)) }

 /** A helper class for evaluation of loop entry conditions. */
-library class LoopEntryConditionEvaluator extends ExprEvaluator {
+class LoopEntryConditionEvaluator extends ExprEvaluator {
  LoopEntryConditionEvaluator() { this in [2 .. 3] }

  abstract override predicate interesting(Expr e);
@@ -1149,7 +1149,7 @@ library class LoopEntryConditionEvaluator extends ExprEvaluator {
 }

 /** A helper class for evaluation of while-loop entry conditions. */
-library class WhileLoopEntryConditionEvaluator extends LoopEntryConditionEvaluator {
+class WhileLoopEntryConditionEvaluator extends LoopEntryConditionEvaluator {
  WhileLoopEntryConditionEvaluator() { this = 2 }

  override predicate interesting(Expr e) { exists(WhileStmt while | e = while.getCondition()) }
@@ -1162,7 +1162,7 @@ library class WhileLoopEntryConditionEvaluator extends LoopEntryConditionEvaluat
 }

 /** A helper class for evaluation of for-loop entry conditions. */
-library class ForLoopEntryConditionEvaluator extends LoopEntryConditionEvaluator {
+class ForLoopEntryConditionEvaluator extends LoopEntryConditionEvaluator {
  ForLoopEntryConditionEvaluator() { this = 3 }

  override predicate interesting(Expr e) { exists(ForStmt for | e = for.getCondition()) }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/TaintTracking.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/TaintTracking.qll
@@ -25,6 +25,10 @@ import semmle.code.cpp.dataflow.DataFlow2
 * global (inter-procedural) taint-tracking analyses.
 */
 deprecated module TaintTracking {
-  import semmle.code.cpp.dataflow.internal.tainttracking1.TaintTracking
+  import semmle.code.cpp.dataflow.internal.tainttracking1.TaintTrackingParameter::Public
+  private import semmle.code.cpp.dataflow.internal.DataFlowImplSpecific
+  private import semmle.code.cpp.dataflow.internal.TaintTrackingImplSpecific
+  private import codeql.dataflow.TaintTracking
+  import TaintFlowMake<CppOldDataFlow, CppOldTaintTracking>
  import semmle.code.cpp.dataflow.internal.tainttracking1.TaintTrackingImpl
 }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowDispatch.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowDispatch.qll
@@ -79,13 +79,3 @@ class ArgumentPosition extends int {
 /** Holds if arguments at position `apos` match parameters at position `ppos`. */
 pragma[inline]
 predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos }
-
-/**
- * Holds if flow from `call`'s argument `arg` to parameter `p` is permissible.
- *
- * This is a temporary hook to support technical debt in the Go language; do not use.
- */
-pragma[inline]
-predicate golangSpecificParamArgFilter(DataFlowCall call, ParameterNode p, ArgumentNode arg) {
-  any()
-}
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll
@@ -91,21 +91,6 @@ abstract class Configuration extends string {
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
-   * Holds if data flow through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard) { none() }
-
-  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
-   * Holds if data flow through nodes guarded by `guard` is prohibited when
-   * the flow state is `state`
-   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
-
  /**
   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
   */
@@ -225,29 +210,6 @@ abstract private class ConfigurationRecursionPrevention extends Configuration {
  }
 }

-/** A bridge class to access the deprecated `isBarrierGuard`. */
-private class BarrierGuardGuardedNodeBridge extends Unit {
-  abstract predicate guardedNode(Node n, Configuration config);
-
-  abstract predicate guardedNode(Node n, FlowState state, Configuration config);
-}
-
-private class BarrierGuardGuardedNode extends BarrierGuardGuardedNodeBridge {
-  deprecated override predicate guardedNode(Node n, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g) and
-      n = g.getAGuardedNode()
-    )
-  }
-
-  deprecated override predicate guardedNode(Node n, FlowState state, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g, state) and
-      n = g.getAGuardedNode()
-    )
-  }
-}
-
 private FlowState relevantState(Configuration config) {
  config.isSource(_, result) or
  config.isSink(_, result) or
@@ -288,15 +250,17 @@ private module Config implements FullStateConfigSig {

  predicate isBarrier(Node node, FlowState state) {
    getConfig(state).isBarrier(node, getState(state)) or
-    getConfig(state).isBarrier(node) or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(node, getState(state), getConfig(state)) or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(node, getConfig(state))
+    getConfig(state).isBarrier(node)
  }

  predicate isBarrierIn(Node node) { any(Configuration config).isBarrierIn(node) }

  predicate isBarrierOut(Node node) { any(Configuration config).isBarrierOut(node) }

+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
  predicate isAdditionalFlowStep(Node node1, Node node2) {
    singleConfiguration() and
    any(Configuration config).isAdditionalFlowStep(node1, node2)
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -91,21 +91,6 @@ abstract class Configuration extends string {
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
-   * Holds if data flow through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard) { none() }
-
-  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
-   * Holds if data flow through nodes guarded by `guard` is prohibited when
-   * the flow state is `state`
-   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
-
  /**
   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
   */
@@ -225,29 +210,6 @@ abstract private class ConfigurationRecursionPrevention extends Configuration {
  }
 }

-/** A bridge class to access the deprecated `isBarrierGuard`. */
-private class BarrierGuardGuardedNodeBridge extends Unit {
-  abstract predicate guardedNode(Node n, Configuration config);
-
-  abstract predicate guardedNode(Node n, FlowState state, Configuration config);
-}
-
-private class BarrierGuardGuardedNode extends BarrierGuardGuardedNodeBridge {
-  deprecated override predicate guardedNode(Node n, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g) and
-      n = g.getAGuardedNode()
-    )
-  }
-
-  deprecated override predicate guardedNode(Node n, FlowState state, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g, state) and
-      n = g.getAGuardedNode()
-    )
-  }
-}
-
 private FlowState relevantState(Configuration config) {
  config.isSource(_, result) or
  config.isSink(_, result) or
@@ -288,15 +250,17 @@ private module Config implements FullStateConfigSig {

  predicate isBarrier(Node node, FlowState state) {
    getConfig(state).isBarrier(node, getState(state)) or
-    getConfig(state).isBarrier(node) or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(node, getState(state), getConfig(state)) or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(node, getConfig(state))
+    getConfig(state).isBarrier(node)
  }

  predicate isBarrierIn(Node node) { any(Configuration config).isBarrierIn(node) }

  predicate isBarrierOut(Node node) { any(Configuration config).isBarrierOut(node) }

+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
  predicate isAdditionalFlowStep(Node node1, Node node2) {
    singleConfiguration() and
    any(Configuration config).isAdditionalFlowStep(node1, node2)
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -91,21 +91,6 @@ abstract class Configuration extends string {
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
-   * Holds if data flow through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard) { none() }
-
-  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
-   * Holds if data flow through nodes guarded by `guard` is prohibited when
-   * the flow state is `state`
-   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
-
  /**
   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
   */
@@ -225,29 +210,6 @@ abstract private class ConfigurationRecursionPrevention extends Configuration {
  }
 }

-/** A bridge class to access the deprecated `isBarrierGuard`. */
-private class BarrierGuardGuardedNodeBridge extends Unit {
-  abstract predicate guardedNode(Node n, Configuration config);
-
-  abstract predicate guardedNode(Node n, FlowState state, Configuration config);
-}
-
-private class BarrierGuardGuardedNode extends BarrierGuardGuardedNodeBridge {
-  deprecated override predicate guardedNode(Node n, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g) and
-      n = g.getAGuardedNode()
-    )
-  }
-
-  deprecated override predicate guardedNode(Node n, FlowState state, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g, state) and
-      n = g.getAGuardedNode()
-    )
-  }
-}
-
 private FlowState relevantState(Configuration config) {
  config.isSource(_, result) or
  config.isSink(_, result) or
@@ -288,15 +250,17 @@ private module Config implements FullStateConfigSig {

  predicate isBarrier(Node node, FlowState state) {
    getConfig(state).isBarrier(node, getState(state)) or
-    getConfig(state).isBarrier(node) or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(node, getState(state), getConfig(state)) or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(node, getConfig(state))
+    getConfig(state).isBarrier(node)
  }

  predicate isBarrierIn(Node node) { any(Configuration config).isBarrierIn(node) }

  predicate isBarrierOut(Node node) { any(Configuration config).isBarrierOut(node) }

+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
  predicate isAdditionalFlowStep(Node node1, Node node2) {
    singleConfiguration() and
    any(Configuration config).isAdditionalFlowStep(node1, node2)
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -91,21 +91,6 @@ abstract class Configuration extends string {
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
-   * Holds if data flow through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard) { none() }
-
-  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
-   * Holds if data flow through nodes guarded by `guard` is prohibited when
-   * the flow state is `state`
-   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
-
  /**
   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
   */
@@ -225,29 +210,6 @@ abstract private class ConfigurationRecursionPrevention extends Configuration {
  }
 }

-/** A bridge class to access the deprecated `isBarrierGuard`. */
-private class BarrierGuardGuardedNodeBridge extends Unit {
-  abstract predicate guardedNode(Node n, Configuration config);
-
-  abstract predicate guardedNode(Node n, FlowState state, Configuration config);
-}
-
-private class BarrierGuardGuardedNode extends BarrierGuardGuardedNodeBridge {
-  deprecated override predicate guardedNode(Node n, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g) and
-      n = g.getAGuardedNode()
-    )
-  }
-
-  deprecated override predicate guardedNode(Node n, FlowState state, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g, state) and
-      n = g.getAGuardedNode()
-    )
-  }
-}
-
 private FlowState relevantState(Configuration config) {
  config.isSource(_, result) or
  config.isSink(_, result) or
@@ -288,15 +250,17 @@ private module Config implements FullStateConfigSig {

  predicate isBarrier(Node node, FlowState state) {
    getConfig(state).isBarrier(node, getState(state)) or
-    getConfig(state).isBarrier(node) or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(node, getState(state), getConfig(state)) or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(node, getConfig(state))
+    getConfig(state).isBarrier(node)
  }

  predicate isBarrierIn(Node node) { any(Configuration config).isBarrierIn(node) }

  predicate isBarrierOut(Node node) { any(Configuration config).isBarrierOut(node) }

+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
  predicate isAdditionalFlowStep(Node node1, Node node2) {
    singleConfiguration() and
    any(Configuration config).isAdditionalFlowStep(node1, node2)
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll
@@ -3,297 +3,25 @@
 * data-flow classes and predicates.
 */

-private import DataFlowImplSpecific::Private
-private import DataFlowImplSpecific::Public
-private import tainttracking1.TaintTrackingParameter::Private
-private import tainttracking1.TaintTrackingParameter::Public
+private import cpp
+private import DataFlowImplSpecific
+private import TaintTrackingImplSpecific
+private import codeql.dataflow.internal.DataFlowImplConsistency

-module Consistency {
-  private newtype TConsistencyConfiguration = MkConsistencyConfiguration()
-
-  /** A class for configuring the consistency queries. */
-  class ConsistencyConfiguration extends TConsistencyConfiguration {
-    string toString() { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `uniqueEnclosingCallable`. */
-    predicate uniqueEnclosingCallableExclude(Node n) { none() }
-
-    /** Holds if `call` should be excluded from the consistency test `uniqueCallEnclosingCallable`. */
-    predicate uniqueCallEnclosingCallableExclude(DataFlowCall call) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `uniqueNodeLocation`. */
-    predicate uniqueNodeLocationExclude(Node n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `missingLocation`. */
-    predicate missingLocationExclude(Node n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `postWithInFlow`. */
-    predicate postWithInFlowExclude(Node n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `argHasPostUpdate`. */
-    predicate argHasPostUpdateExclude(ArgumentNode n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `reverseRead`. */
-    predicate reverseReadExclude(Node n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `postHasUniquePre`. */
-    predicate postHasUniquePreExclude(PostUpdateNode n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `uniquePostUpdate`. */
-    predicate uniquePostUpdateExclude(Node n) { none() }
-
-    /** Holds if `(call, ctx)` should be excluded from the consistency test `viableImplInCallContextTooLargeExclude`. */
-    predicate viableImplInCallContextTooLargeExclude(
-      DataFlowCall call, DataFlowCall ctx, DataFlowCallable callable
-    ) {
-      none()
-    }
-
-    /** Holds if `(c, pos, p)` should be excluded from the consistency test `uniqueParameterNodeAtPosition`. */
-    predicate uniqueParameterNodeAtPositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
-      none()
-    }
-
-    /** Holds if `(c, pos, p)` should be excluded from the consistency test `uniqueParameterNodePosition`. */
-    predicate uniqueParameterNodePositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
-      none()
-    }
-
-    /** Holds if `n` should be excluded from the consistency test `identityLocalStep`. */
-    predicate identityLocalStepExclude(Node n) { none() }
-  }
-
-  private class RelevantNode extends Node {
-    RelevantNode() {
-      this instanceof ArgumentNode or
-      this instanceof ParameterNode or
-      this instanceof ReturnNode or
-      this = getAnOutNode(_, _) or
-      simpleLocalFlowStep(this, _) or
-      simpleLocalFlowStep(_, this) or
-      jumpStep(this, _) or
-      jumpStep(_, this) or
-      storeStep(this, _, _) or
-      storeStep(_, _, this) or
-      readStep(this, _, _) or
-      readStep(_, _, this) or
-      defaultAdditionalTaintStep(this, _) or
-      defaultAdditionalTaintStep(_, this)
-    }
-  }
-
-  query predicate uniqueEnclosingCallable(Node n, string msg) {
-    exists(int c |
-      n instanceof RelevantNode and
-      c = count(nodeGetEnclosingCallable(n)) and
-      c != 1 and
-      not any(ConsistencyConfiguration conf).uniqueEnclosingCallableExclude(n) and
-      msg = "Node should have one enclosing callable but has " + c + "."
-    )
-  }
-
-  query predicate uniqueCallEnclosingCallable(DataFlowCall call, string msg) {
-    exists(int c |
-      c = count(call.getEnclosingCallable()) and
-      c != 1 and
-      not any(ConsistencyConfiguration conf).uniqueCallEnclosingCallableExclude(call) and
-      msg = "Call should have one enclosing callable but has " + c + "."
-    )
-  }
-
-  query predicate uniqueType(Node n, string msg) {
-    exists(int c |
-      n instanceof RelevantNode and
-      c = count(getNodeType(n)) and
-      c != 1 and
-      msg = "Node should have one type but has " + c + "."
-    )
-  }
-
-  query predicate uniqueNodeLocation(Node n, string msg) {
-    exists(int c |
-      c =
-        count(string filepath, int startline, int startcolumn, int endline, int endcolumn |
-          n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-        ) and
-      c != 1 and
-      not any(ConsistencyConfiguration conf).uniqueNodeLocationExclude(n) and
-      msg = "Node should have one location but has " + c + "."
-    )
-  }
-
-  query predicate missingLocation(string msg) {
-    exists(int c |
-      c =
-        strictcount(Node n |
-          not n.hasLocationInfo(_, _, _, _, _) and
-          not any(ConsistencyConfiguration conf).missingLocationExclude(n)
-        ) and
-      msg = "Nodes without location: " + c
-    )
-  }
-
-  query predicate uniqueNodeToString(Node n, string msg) {
-    exists(int c |
-      c = count(n.toString()) and
-      c != 1 and
-      msg = "Node should have one toString but has " + c + "."
-    )
-  }
-
-  query predicate missingToString(string msg) {
-    exists(int c |
-      c = strictcount(Node n | not exists(n.toString())) and
-      msg = "Nodes without toString: " + c
-    )
-  }
-
-  query predicate parameterCallable(ParameterNode p, string msg) {
-    exists(DataFlowCallable c | isParameterNode(p, c, _) and c != nodeGetEnclosingCallable(p)) and
-    msg = "Callable mismatch for parameter."
-  }
-
-  query predicate localFlowIsLocal(Node n1, Node n2, string msg) {
-    simpleLocalFlowStep(n1, n2) and
-    nodeGetEnclosingCallable(n1) != nodeGetEnclosingCallable(n2) and
-    msg = "Local flow step does not preserve enclosing callable."
-  }
-
-  query predicate readStepIsLocal(Node n1, Node n2, string msg) {
-    readStep(n1, _, n2) and
-    nodeGetEnclosingCallable(n1) != nodeGetEnclosingCallable(n2) and
-    msg = "Read step does not preserve enclosing callable."
-  }
-
-  query predicate storeStepIsLocal(Node n1, Node n2, string msg) {
-    storeStep(n1, _, n2) and
-    nodeGetEnclosingCallable(n1) != nodeGetEnclosingCallable(n2) and
-    msg = "Store step does not preserve enclosing callable."
-  }
-
-  private DataFlowType typeRepr() { result = getNodeType(_) }
-
-  query predicate compatibleTypesReflexive(DataFlowType t, string msg) {
-    t = typeRepr() and
-    not compatibleTypes(t, t) and
-    msg = "Type compatibility predicate is not reflexive."
-  }
-
-  query predicate unreachableNodeCCtx(Node n, DataFlowCall call, string msg) {
-    isUnreachableInCall(n, call) and
-    exists(DataFlowCallable c |
-      c = nodeGetEnclosingCallable(n) and
-      not viableCallable(call) = c
-    ) and
-    msg = "Call context for isUnreachableInCall is inconsistent with call graph."
-  }
-
-  query predicate localCallNodes(DataFlowCall call, Node n, string msg) {
-    (
-      n = getAnOutNode(call, _) and
-      msg = "OutNode and call does not share enclosing callable."
-      or
-      n.(ArgumentNode).argumentOf(call, _) and
-      msg = "ArgumentNode and call does not share enclosing callable."
-    ) and
-    nodeGetEnclosingCallable(n) != call.getEnclosingCallable()
-  }
-
-  // This predicate helps the compiler forget that in some languages
-  // it is impossible for a result of `getPreUpdateNode` to be an
-  // instance of `PostUpdateNode`.
-  private Node getPre(PostUpdateNode n) {
-    result = n.getPreUpdateNode()
+private module Input implements InputSig<CppOldDataFlow> {
+  predicate argHasPostUpdateExclude(Private::ArgumentNode n) {
+    // Is the null pointer (or something that's not really a pointer)
+    exists(n.asExpr().getValue())
    or
-    none()
-  }
-
-  query predicate postIsNotPre(PostUpdateNode n, string msg) {
-    getPre(n) = n and
-    msg = "PostUpdateNode should not equal its pre-update node."
-  }
-
-  query predicate postHasUniquePre(PostUpdateNode n, string msg) {
-    not any(ConsistencyConfiguration conf).postHasUniquePreExclude(n) and
-    exists(int c |
-      c = count(n.getPreUpdateNode()) and
-      c != 1 and
-      msg = "PostUpdateNode should have one pre-update node but has " + c + "."
+    // Isn't a pointer or is a pointer to const
+    forall(DerivedType dt | dt = n.asExpr().getActualType() |
+      dt.getBaseType().isConst()
+      or
+      dt.getBaseType() instanceof RoutineType
    )
-  }
-
-  query predicate uniquePostUpdate(Node n, string msg) {
-    not any(ConsistencyConfiguration conf).uniquePostUpdateExclude(n) and
-    1 < strictcount(PostUpdateNode post | post.getPreUpdateNode() = n) and
-    msg = "Node has multiple PostUpdateNodes."
-  }
-
-  query predicate postIsInSameCallable(PostUpdateNode n, string msg) {
-    nodeGetEnclosingCallable(n) != nodeGetEnclosingCallable(n.getPreUpdateNode()) and
-    msg = "PostUpdateNode does not share callable with its pre-update node."
-  }
-
-  private predicate hasPost(Node n) { exists(PostUpdateNode post | post.getPreUpdateNode() = n) }
-
-  query predicate reverseRead(Node n, string msg) {
-    exists(Node n2 | readStep(n, _, n2) and hasPost(n2) and not hasPost(n)) and
-    not any(ConsistencyConfiguration conf).reverseReadExclude(n) and
-    msg = "Origin of readStep is missing a PostUpdateNode."
-  }
-
-  query predicate argHasPostUpdate(ArgumentNode n, string msg) {
-    not hasPost(n) and
-    not any(ConsistencyConfiguration c).argHasPostUpdateExclude(n) and
-    msg = "ArgumentNode is missing PostUpdateNode."
-  }
-
-  // This predicate helps the compiler forget that in some languages
-  // it is impossible for a `PostUpdateNode` to be the target of
-  // `simpleLocalFlowStep`.
-  private predicate isPostUpdateNode(Node n) { n instanceof PostUpdateNode or none() }
-
-  query predicate postWithInFlow(Node n, string msg) {
-    isPostUpdateNode(n) and
-    not clearsContent(n, _) and
-    simpleLocalFlowStep(_, n) and
-    not any(ConsistencyConfiguration c).postWithInFlowExclude(n) and
-    msg = "PostUpdateNode should not be the target of local flow."
-  }
-
-  query predicate viableImplInCallContextTooLarge(
-    DataFlowCall call, DataFlowCall ctx, DataFlowCallable callable
-  ) {
-    callable = viableImplInCallContext(call, ctx) and
-    not callable = viableCallable(call) and
-    not any(ConsistencyConfiguration c).viableImplInCallContextTooLargeExclude(call, ctx, callable)
-  }
-
-  query predicate uniqueParameterNodeAtPosition(
-    DataFlowCallable c, ParameterPosition pos, Node p, string msg
-  ) {
-    not any(ConsistencyConfiguration conf).uniqueParameterNodeAtPositionExclude(c, pos, p) and
-    isParameterNode(p, c, pos) and
-    not exists(unique(Node p0 | isParameterNode(p0, c, pos))) and
-    msg = "Parameters with overlapping positions."
-  }
-
-  query predicate uniqueParameterNodePosition(
-    DataFlowCallable c, ParameterPosition pos, Node p, string msg
-  ) {
-    not any(ConsistencyConfiguration conf).uniqueParameterNodePositionExclude(c, pos, p) and
-    isParameterNode(p, c, pos) and
-    not exists(unique(ParameterPosition pos0 | isParameterNode(p, c, pos0))) and
-    msg = "Parameter node with multiple positions."
-  }
-
-  query predicate uniqueContentApprox(Content c, string msg) {
-    not exists(unique(ContentApprox approx | approx = getContentApprox(c))) and
-    msg = "Non-unique content approximation."
-  }
-
-  query predicate identityLocalStep(Node n, string msg) {
-    simpleLocalFlowStep(n, n) and
-    not any(ConsistencyConfiguration c).identityLocalStepExclude(n) and
-    msg = "Node steps to itself"
+    // The above list of cases isn't exhaustive, but it narrows down the
+    // consistency alerts enough that most of them are interesting.
  }
 }
+
+module Consistency = MakeConsistency<CppOldDataFlow, CppOldTaintTracking, Input>;
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -91,21 +91,6 @@ abstract class Configuration extends string {
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
-   * Holds if data flow through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard) { none() }
-
-  /**
-   * DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
-   *
-   * Holds if data flow through nodes guarded by `guard` is prohibited when
-   * the flow state is `state`
-   */
-  deprecated predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
-
  /**
   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
   */
@@ -225,29 +210,6 @@ abstract private class ConfigurationRecursionPrevention extends Configuration {
  }
 }

-/** A bridge class to access the deprecated `isBarrierGuard`. */
-private class BarrierGuardGuardedNodeBridge extends Unit {
-  abstract predicate guardedNode(Node n, Configuration config);
-
-  abstract predicate guardedNode(Node n, FlowState state, Configuration config);
-}
-
-private class BarrierGuardGuardedNode extends BarrierGuardGuardedNodeBridge {
-  deprecated override predicate guardedNode(Node n, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g) and
-      n = g.getAGuardedNode()
-    )
-  }
-
-  deprecated override predicate guardedNode(Node n, FlowState state, Configuration config) {
-    exists(BarrierGuard g |
-      config.isBarrierGuard(g, state) and
-      n = g.getAGuardedNode()
-    )
-  }
-}
-
 private FlowState relevantState(Configuration config) {
  config.isSource(_, result) or
  config.isSink(_, result) or
@@ -288,15 +250,17 @@ private module Config implements FullStateConfigSig {

  predicate isBarrier(Node node, FlowState state) {
    getConfig(state).isBarrier(node, getState(state)) or
-    getConfig(state).isBarrier(node) or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(node, getState(state), getConfig(state)) or
-    any(BarrierGuardGuardedNodeBridge b).guardedNode(node, getConfig(state))
+    getConfig(state).isBarrier(node)
  }

  predicate isBarrierIn(Node node) { any(Configuration config).isBarrierIn(node) }

  predicate isBarrierOut(Node node) { any(Configuration config).isBarrierOut(node) }

+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
  predicate isAdditionalFlowStep(Node node1, Node node2) {
    singleConfiguration() and
    any(Configuration config).isAdditionalFlowStep(node1, node2)
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll
@@ -2,7 +2,6 @@ private import cpp
 private import DataFlowUtil
 private import DataFlowDispatch
 private import FlowVar
-private import DataFlowImplConsistency
 private import codeql.util.Unit

 /** Gets the callable in which this node occurs. */
@@ -209,6 +208,8 @@ predicate expectsContent(Node n, ContentSet c) { none() }

 predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { none() }

+predicate localMustFlowStep(Node node1, Node node2) { none() }
+
 /** Gets the type of `n` used for type pruning. */
 Type getNodeType(Node n) {
  suppressUnusedNode(n) and
@@ -296,28 +297,3 @@ class ContentApprox = Unit;
 /** Gets an approximated value for content `c`. */
 pragma[inline]
 ContentApprox getContentApprox(Content c) { any() }
-
-private class MyConsistencyConfiguration extends Consistency::ConsistencyConfiguration {
-  override predicate argHasPostUpdateExclude(ArgumentNode n) {
-    // Is the null pointer (or something that's not really a pointer)
-    exists(n.asExpr().getValue())
-    or
-    // Isn't a pointer or is a pointer to const
-    forall(DerivedType dt | dt = n.asExpr().getActualType() |
-      dt.getBaseType().isConst()
-      or
-      dt.getBaseType() instanceof RoutineType
-    )
-    // The above list of cases isn't exhaustive, but it narrows down the
-    // consistency alerts enough that most of them are interesting.
-  }
-}
-
-/**
- * Gets an additional term that is added to the `join` and `branch` computations to reflect
- * an additional forward or backwards branching factor that is not taken into account
- * when calculating the (virtual) dispatch cost.
- *
- * Argument `arg` is part of a path from a source to a sink, and `p` is the target parameter.
- */
-int getAdditionalFlowIntoCallNodeTerm(ArgumentNode arg, ParameterNode p) { none() }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
@@ -874,28 +874,3 @@ module BarrierGuard<guardChecksSig/3 guardChecks> {
    )
  }
 }
-
-/**
- * DEPRECATED: Use `BarrierGuard` module instead.
- *
- * A guard that validates some expression.
- *
- * To use this in a configuration, extend the class and provide a
- * characteristic predicate precisely specifying the guard, and override
- * `checks` to specify what is being validated and in which branch.
- *
- * It is important that all extending classes in scope are disjoint.
- */
-deprecated class BarrierGuard extends GuardCondition {
-  /** Override this predicate to hold if this guard validates `e` upon evaluating to `b`. */
-  abstract predicate checks(Expr e, boolean b);
-
-  /** Gets a node guarded by this guard. */
-  final ExprNode getAGuardedNode() {
-    exists(SsaDefinition def, Variable v, boolean branch |
-      result.getExpr() = def.getAUse(v) and
-      this.checks(def.getAUse(v), branch) and
-      this.controls(result.getExpr().getBasicBlock(), branch)
-    )
-  }
-}
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/TaintTrackingImplSpecific.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/TaintTrackingImplSpecific.qll
@@ -0,0 +1,10 @@
+/**
+ * Provides C++-specific definitions for use in the taint tracking library.
+ */
+
+private import codeql.dataflow.TaintTracking
+private import DataFlowImplSpecific
+
+module CppOldTaintTracking implements InputSig<CppOldDataFlow> {
+  import TaintTrackingUtil
+}
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
@@ -39,7 +39,7 @@ predicate defaultAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
 * of `c` at sinks and inputs to additional taint steps.
 */
 bindingset[node]
-predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::Content c) { none() }
+predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet c) { none() }

 /**
 * Holds if `node` should be a sanitizer in all global taint flow configurations
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTracking.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTracking.qll
@@ -1,75 +0,0 @@
-/**
- * Provides classes for performing local (intra-procedural) and
- * global (inter-procedural) taint-tracking analyses.
- */
-
-import TaintTrackingParameter::Public
-private import TaintTrackingParameter::Private
-
-private module AddTaintDefaults<DataFlowInternal::FullStateConfigSig Config> implements
-  DataFlowInternal::FullStateConfigSig
-{
-  import Config
-
-  predicate isBarrier(DataFlow::Node node) {
-    Config::isBarrier(node) or defaultTaintSanitizer(node)
-  }
-
-  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    Config::isAdditionalFlowStep(node1, node2) or
-    defaultAdditionalTaintStep(node1, node2)
-  }
-
-  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
-    Config::allowImplicitRead(node, c)
-    or
-    (
-      Config::isSink(node) or
-      Config::isSink(node, _) or
-      Config::isAdditionalFlowStep(node, _) or
-      Config::isAdditionalFlowStep(node, _, _, _)
-    ) and
-    defaultImplicitTaintRead(node, c)
-  }
-}
-
-/**
- * Constructs a global taint tracking computation.
- */
-module Global<DataFlow::ConfigSig Config> implements DataFlow::GlobalFlowSig {
-  private module Config0 implements DataFlowInternal::FullStateConfigSig {
-    import DataFlowInternal::DefaultState<Config>
-    import Config
-  }
-
-  private module C implements DataFlowInternal::FullStateConfigSig {
-    import AddTaintDefaults<Config0>
-  }
-
-  import DataFlowInternal::Impl<C>
-}
-
-/** DEPRECATED: Use `Global` instead. */
-deprecated module Make<DataFlow::ConfigSig Config> implements DataFlow::GlobalFlowSig {
-  import Global<Config>
-}
-
-/**
- * Constructs a global taint tracking computation using flow state.
- */
-module GlobalWithState<DataFlow::StateConfigSig Config> implements DataFlow::GlobalFlowSig {
-  private module Config0 implements DataFlowInternal::FullStateConfigSig {
-    import Config
-  }
-
-  private module C implements DataFlowInternal::FullStateConfigSig {
-    import AddTaintDefaults<Config0>
-  }
-
-  import DataFlowInternal::Impl<C>
-}
-
-/** DEPRECATED: Use `GlobalWithState` instead. */
-deprecated module MakeWithState<DataFlow::StateConfigSig Config> implements DataFlow::GlobalFlowSig {
-  import GlobalWithState<Config>
-}
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
@@ -116,33 +116,6 @@ abstract class Configuration extends DataFlow::Configuration {

  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }

-  /**
-   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
-   *
-   * Holds if taint propagation through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
-
-  deprecated final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard)
-  }
-
-  /**
-   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
-   *
-   * Holds if taint propagation through nodes guarded by `guard` is prohibited
-   * when the flow state is `state`.
-   */
-  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
-    none()
-  }
-
-  deprecated final override predicate isBarrierGuard(
-    DataFlow::BarrierGuard guard, DataFlow::FlowState state
-  ) {
-    this.isSanitizerGuard(guard, state)
-  }
-
  /**
   * Holds if taint may propagate from `node1` to `node2` in addition to the normal data-flow and taint steps.
   */
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
@@ -116,33 +116,6 @@ abstract class Configuration extends DataFlow::Configuration {

  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }

-  /**
-   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
-   *
-   * Holds if taint propagation through nodes guarded by `guard` is prohibited.
-   */
-  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
-
-  deprecated final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard)
-  }
-
-  /**
-   * DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
-   *
-   * Holds if taint propagation through nodes guarded by `guard` is prohibited
-   * when the flow state is `state`.
-   */
-  deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
-    none()
-  }
-
-  deprecated final override predicate isBarrierGuard(
-    DataFlow::BarrierGuard guard, DataFlow::FlowState state
-  ) {
-    this.isSanitizerGuard(guard, state)
-  }
-
  /**
   * Holds if taint may propagate from `node1` to `node2` in addition to the normal data-flow and taint steps.
   */
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/new/TaintTracking.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/new/TaintTracking.qll
@@ -23,6 +23,10 @@ import semmle.code.cpp.dataflow.new.DataFlow2
 * global (inter-procedural) taint-tracking analyses.
 */
 module TaintTracking {
-  import semmle.code.cpp.ir.dataflow.internal.tainttracking1.TaintTracking
+  import semmle.code.cpp.ir.dataflow.internal.tainttracking1.TaintTrackingParameter::Public
+  private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplSpecific
+  private import semmle.code.cpp.ir.dataflow.internal.TaintTrackingImplSpecific
+  private import codeql.dataflow.TaintTracking
+  import TaintFlowMake<CppDataFlow, CppTaintTracking>
  import semmle.code.cpp.ir.dataflow.internal.tainttracking1.TaintTrackingImpl
 }
--- a/cpp/ql/lib/semmle/code/cpp/exprs/Access.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/Access.qll
@@ -306,15 +306,13 @@ private predicate exprHasReferenceConversion(Expr e) { referenceConversion(e.get
 *   }
 * };
 * ```
- * Note: the C++ front-end often automatically desugars `field` to
- * `this->field`, so most accesses of `this->field` are instances
- * of `PointerFieldAccess` (with `ThisExpr` as the qualifier), not
- * `ImplicitThisFieldAccess`.
 */
 class ImplicitThisFieldAccess extends FieldAccess {
  override string getAPrimaryQlClass() { result = "ImplicitThisFieldAccess" }

-  ImplicitThisFieldAccess() { not exists(this.getQualifier()) }
+  ImplicitThisFieldAccess() {
+    this.getQualifier().(ThisExpr).isCompilerGenerated() or not exists(this.getQualifier())
+  }
 }

 /**
@@ -332,7 +330,7 @@ class PointerToFieldLiteral extends ImplicitThisFieldAccess {
    // access without a qualifier. The only other unqualified field accesses it
    // emits are for compiler-generated constructors and destructors. When we
    // filter those out, there are only pointer-to-field literals left.
-    not this.isCompilerGenerated()
+    not this.isCompilerGenerated() and not exists(this.getQualifier())
  }

  override predicate isConstant() { any() }
--- a/cpp/ql/lib/semmle/code/cpp/exprs/BuiltInOperations.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/BuiltInOperations.qll
@@ -1547,3 +1547,21 @@ class BuiltInBitCast extends BuiltInOperation, @builtinbitcast {

  override string getAPrimaryQlClass() { result = "BuiltInBitCast" }
 }
+
+/**
+ * A C++ `__is_trivial` built-in operation (used by some implementations of the
+ * `<type_traits>` header).
+ *
+ * Returns `true` if a type is a trivial type.
+ * ```
+ *  template<typename _Tp>
+ *    struct is_trivial
+ *    : public integral_constant<bool, __is_trivial(_Tp)>
+ *    {};
+ * ```
+ */
+class BuiltInIsTrivial extends BuiltInOperation, @istrivialexpr {
+  override string toString() { result = "__is_trivial" }
+
+  override string getAPrimaryQlClass() { result = "BuiltInIsTrivial" }
+}
--- a/cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll
@@ -932,19 +932,91 @@ class NewArrayExpr extends NewOrNewArrayExpr, @new_array_expr {
  Expr getExtent() { result = this.getChild(2) }
 }

+private class TDeleteOrDeleteArrayExpr = @delete_expr or @delete_array_expr;
+
+/**
+ * A C++ `delete` or `delete[]` expression.
+ */
+class DeleteOrDeleteArrayExpr extends Expr, TDeleteOrDeleteArrayExpr {
+  override int getPrecedence() { result = 16 }
+
+  /**
+   * Gets the call to a destructor that occurs prior to the object's memory being deallocated, if any.
+   *
+   * In the case of `delete[]` at runtime, the destructor will be called once for each element in the array, but the
+   * destructor call only exists once in the AST.
+   */
+  DestructorCall getDestructorCall() { result = this.getChild(1) }
+
+  /**
+   * Gets the destructor to be called to destroy the object or array, if any.
+   */
+  Destructor getDestructor() { result = this.getDestructorCall().getTarget() }
+
+  /**
+   * Gets the `operator delete` or `operator delete[]` that deallocates storage.
+   * Does not hold if the type being destroyed has a virtual destructor. In that case, the
+   * `operator delete` that will be called is determined at runtime based on the
+   * dynamic type of the object.
+   */
+  Function getDeallocator() {
+    expr_deallocator(underlyingElement(this), unresolveElement(result), _)
+  }
+
+  /**
+   * DEPRECATED: use `getDeallocatorCall` instead.
+   */
+  deprecated FunctionCall getAllocatorCall() { result = this.getChild(0) }
+
+  /**
+   * Gets the call to a non-default `operator delete`/`delete[]` that deallocates storage, if any.
+   *
+   * This will only be present when the type being deleted has a custom `operator delete` and
+   * does not have a virtual destructor.
+   */
+  FunctionCall getDeallocatorCall() { result = this.getChild(0) }
+
+  /**
+   * Holds if the deallocation function expects a size argument.
+   */
+  predicate hasSizedDeallocation() {
+    exists(int form |
+      expr_deallocator(underlyingElement(this), _, form) and
+      form.bitAnd(1) != 0 // Bit zero is the "size" bit
+    )
+  }
+
+  /**
+   * Holds if the deallocation function expects an alignment argument.
+   */
+  predicate hasAlignedDeallocation() {
+    exists(int form |
+      expr_deallocator(underlyingElement(this), _, form) and
+      form.bitAnd(2) != 0 // Bit one is the "alignment" bit
+    )
+  }
+
+  /**
+   * Gets the object or array being deleted.
+   */
+  Expr getExpr() {
+    // If there is a destructor call, the object being deleted is the qualifier
+    // otherwise it is the third child.
+    result = this.getChild(3) or result = this.getDestructorCall().getQualifier()
+  }
+}
+
 /**
 * A C++ `delete` (non-array) expression.
 * ```
 * delete ptr;
 * ```
 */
-class DeleteExpr extends Expr, @delete_expr {
+class DeleteExpr extends DeleteOrDeleteArrayExpr, @delete_expr {
  override string toString() { result = "delete" }

  override string getAPrimaryQlClass() { result = "DeleteExpr" }

-  override int getPrecedence() { result = 16 }
-
  /**
   * Gets the compile-time type of the object being deleted.
   */
@@ -957,58 +1029,6 @@ class DeleteExpr extends Expr, @delete_expr {
          .(PointerType)
          .getBaseType()
  }
-
-  /**
-   * Gets the call to a destructor that occurs prior to the object's memory being deallocated, if any.
-   */
-  DestructorCall getDestructorCall() { result = this.getChild(1) }
-
-  /**
-   * Gets the destructor to be called to destroy the object, if any.
-   */
-  Destructor getDestructor() { result = this.getDestructorCall().getTarget() }
-
-  /**
-   * Gets the `operator delete` that deallocates storage. Does not hold
-   * if the type being destroyed has a virtual destructor. In that case, the
-   * `operator delete` that will be called is determined at runtime based on the
-   * dynamic type of the object.
-   */
-  Function getDeallocator() {
-    expr_deallocator(underlyingElement(this), unresolveElement(result), _)
-  }
-
-  /**
-   * Holds if the deallocation function expects a size argument.
-   */
-  predicate hasSizedDeallocation() {
-    exists(int form |
-      expr_deallocator(underlyingElement(this), _, form) and
-      form.bitAnd(1) != 0 // Bit zero is the "size" bit
-    )
-  }
-
-  /**
-   * Holds if the deallocation function expects an alignment argument.
-   */
-  predicate hasAlignedDeallocation() {
-    exists(int form |
-      expr_deallocator(underlyingElement(this), _, form) and
-      form.bitAnd(2) != 0 // Bit one is the "alignment" bit
-    )
-  }
-
-  /**
-   * Gets the call to a non-default `operator delete` that deallocates storage, if any.
-   *
-   * This will only be present when the type being deleted has a custom `operator delete`.
-   */
-  FunctionCall getAllocatorCall() { result = this.getChild(0) }
-
-  /**
-   * Gets the object being deleted.
-   */
-  Expr getExpr() { result = this.getChild(3) or result = this.getChild(1).getChild(-1) }
 }

 /**
@@ -1017,13 +1037,11 @@ class DeleteExpr extends Expr, @delete_expr {
 * delete[] arr;
 * ```
 */
-class DeleteArrayExpr extends Expr, @delete_array_expr {
+class DeleteArrayExpr extends DeleteOrDeleteArrayExpr, @delete_array_expr {
  override string toString() { result = "delete[]" }

  override string getAPrimaryQlClass() { result = "DeleteArrayExpr" }

-  override int getPrecedence() { result = 16 }
-
  /**
   * Gets the element type of the array being deleted.
   */
@@ -1036,58 +1054,6 @@ class DeleteArrayExpr extends Expr, @delete_array_expr {
          .(PointerType)
          .getBaseType()
  }
-
-  /**
-   * Gets the call to a destructor that occurs prior to the array's memory being deallocated, if any.
-   *
-   * At runtime, the destructor will be called once for each element in the array, but the
-   * destructor call only exists once in the AST.
-   */
-  DestructorCall getDestructorCall() { result = this.getChild(1) }
-
-  /**
-   * Gets the destructor to be called to destroy each element in the array, if any.
-   */
-  Destructor getDestructor() { result = this.getDestructorCall().getTarget() }
-
-  /**
-   * Gets the `operator delete[]` that deallocates storage.
-   */
-  Function getDeallocator() {
-    expr_deallocator(underlyingElement(this), unresolveElement(result), _)
-  }
-
-  /**
-   * Holds if the deallocation function expects a size argument.
-   */
-  predicate hasSizedDeallocation() {
-    exists(int form |
-      expr_deallocator(underlyingElement(this), _, form) and
-      form.bitAnd(1) != 0 // Bit zero is the "size" bit
-    )
-  }
-
-  /**
-   * Holds if the deallocation function expects an alignment argument.
-   */
-  predicate hasAlignedDeallocation() {
-    exists(int form |
-      expr_deallocator(underlyingElement(this), _, form) and
-      form.bitAnd(2) != 0 // Bit one is the "alignment" bit
-    )
-  }
-
-  /**
-   * Gets the call to a non-default `operator delete` that deallocates storage, if any.
-   *
-   * This will only be present when the type being deleted has a custom `operator delete`.
-   */
-  FunctionCall getAllocatorCall() { result = this.getChild(0) }
-
-  /**
-   * Gets the array being deleted.
-   */
-  Expr getExpr() { result = this.getChild(3) or result = this.getChild(1).getChild(-1) }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/internal/ExtractorVersion.qll
+++ b/cpp/ql/lib/semmle/code/cpp/internal/ExtractorVersion.qll
@@ -0,0 +1,15 @@
+/**
+ * INTERNAL: Do not use. Provides predicates for getting the CodeQL and frontend
+ * version used during database extraction.
+ */
+
+/** Get the extractor CodeQL version */
+string getExtractorCodeQLVersion() { extractor_version(result, _) }
+
+/** Get the extractor frontend version */
+string getExtractorFrontendVersion() { extractor_version(_, result) }
+
+predicate isExtractorFrontendVersion65OrHigher() {
+  // Version numbers we not included in the database before 6.5.
+  exists(getExtractorCodeQLVersion())
+}
--- a/Show More
+++ b/Show More