Use named return parameters

We allow them, but don't do anything with them yet.

.github/labeler.yml

@@ -45,11 +45,7 @@ documentation:
 
 # Since these are all shared files that need to be synced, just pick _one_ copy of each.
 "DataFlow Library":
-  - "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll"
-  - "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll"
-  - "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
-  - "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll"
-  - "java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll"
+  - "shared/dataflow/**/*"
 
 "ATM":
   - javascript/ql/experimental/adaptivethreatmodeling/**/*

.github/workflows/check-implicit-this.yml

@@ -13,7 +13,7 @@ jobs:
   check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Check that implicit this warnings is enabled for all packs
         shell: bash
         run: |

.github/workflows/check-qldoc.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 2
 

.github/workflows/check-query-ids.yml

@@ -16,6 +16,6 @@ jobs:
     name: Check query IDs
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Check for duplicate query IDs
         run: python3 misc/scripts/check-query-ids.py

.github/workflows/codeql-analysis.yml

@@ -33,7 +33,7 @@ jobs:
         dotnet-version: 7.0.102
 
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/compile-queries.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest-xl
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Setup CodeQL
         uses: ./.github/actions/fetch-codeql
         with:

.github/workflows/csharp-qltest.yml

@@ -29,7 +29,7 @@ jobs:
   qlupgrade:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: ./.github/actions/fetch-codeql
       - name: Check DB upgrade scripts
         run: |
@@ -52,8 +52,7 @@ jobs:
       matrix:
         slice: ["1/2", "2/2"]
     steps:
-      - uses: actions/checkout@v3
-      - uses: ./.github/actions/fetch-codeql
+      - uses: actions/checkout@v4
       - uses: ./csharp/actions/create-extractor-pack
       - name: Cache compilation cache
         id: query-cache
@@ -62,25 +61,41 @@ jobs:
           key: csharp-qltest-${{ matrix.slice }}
       - name: Run QL tests
         run: |
-          CODEQL_PATH=$(gh codeql version --format=json | jq -r .unpackedLocation)
-          # The legacy ASP extractor is not in this repo, so take the one from the nightly build
-          mv "$CODEQL_PATH/csharp/tools/extractor-asp.jar" "${{ github.workspace }}/csharp/extractor-pack/tools"
-          # Safe guard against using the bundled extractor
-          rm -rf "$CODEQL_PATH/csharp"
-          codeql test run --threads=0 --ram 50000 --slice ${{ matrix.slice }} --search-path "${{ github.workspace }}/csharp/extractor-pack" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+          codeql test run --threads=0 --ram 50000 --slice ${{ matrix.slice }} --search-path extractor-pack --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
         env:
           GITHUB_TOKEN: ${{ github.token }}
   unit-tests:
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-2019]
+    runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Setup dotnet
         uses: actions/setup-dotnet@v3
         with:
           dotnet-version: 7.0.102
       - name: Extractor unit tests
         run: |
-          dotnet test -p:RuntimeFrameworkVersion=7.0.2 "${{ github.workspace }}/csharp/extractor/Semmle.Util.Tests"
-          dotnet test -p:RuntimeFrameworkVersion=7.0.2 "${{ github.workspace }}/csharp/extractor/Semmle.Extraction.Tests"
-          dotnet test -p:RuntimeFrameworkVersion=7.0.2 "${{ github.workspace }}/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests"
+          dotnet test -p:RuntimeFrameworkVersion=7.0.2 extractor/Semmle.Util.Tests
+          dotnet test -p:RuntimeFrameworkVersion=7.0.2 extractor/Semmle.Extraction.Tests
+          dotnet test -p:RuntimeFrameworkVersion=7.0.2 autobuilder/Semmle.Autobuild.CSharp.Tests
           dotnet test -p:RuntimeFrameworkVersion=7.0.2 "${{ github.workspace }}/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests"
+        shell: bash
+  stubgentest:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./csharp/actions/create-extractor-pack
+      - name: Run stub generator tests
+        run: |
+          # Generate (Asp)NetCore stubs
+          STUBS_PATH=stubs_output
+          python3 ql/src/Stubs/make_stubs_nuget.py webapp Swashbuckle.AspNetCore.Swagger latest "$STUBS_PATH"
+          rm -rf ql/test/resources/stubs/_frameworks
+          # Update existing stubs in the repo with the freshly generated ones
+          mv "$STUBS_PATH/output/stubs/_frameworks" ql/test/resources/stubs/
+          git status
+          codeql test run --threads=0 --search-path extractor-pack --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
+        env:
+          GITHUB_TOKEN: ${{ github.token }}

.github/workflows/csv-coverage-metrics.yml

@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Setup CodeQL
         uses: ./.github/actions/fetch-codeql
       - name: Create empty database
@@ -47,7 +47,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Setup CodeQL
         uses: ./.github/actions/fetch-codeql
       - name: Create empty database

.github/workflows/csv-coverage-pr-artifacts.yml

@@ -31,11 +31,11 @@ jobs:
           GITHUB_CONTEXT: ${{ toJSON(github.event) }}
         run: echo "$GITHUB_CONTEXT"
       - name: Clone self (github/codeql) - MERGE
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: merge
       - name: Clone self (github/codeql) - BASE
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 2
           path: base

.github/workflows/csv-coverage-pr-comment.yml

@@ -20,7 +20,7 @@ jobs:
         GITHUB_CONTEXT: ${{ toJSON(github.event) }}
       run: echo "$GITHUB_CONTEXT"
     - name: Clone self (github/codeql)
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Set up Python 3.8
       uses: actions/setup-python@v4
       with:

.github/workflows/csv-coverage-timeseries.yml

@@ -9,11 +9,11 @@ jobs:
 
     steps:
       - name: Clone self (github/codeql)
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: script
       - name: Clone self (github/codeql) for analysis
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: codeqlModels
           fetch-depth: 0

.github/workflows/csv-coverage-update.yml

@@ -17,7 +17,7 @@ jobs:
           GITHUB_CONTEXT: ${{ toJSON(github.event) }}
         run: echo "$GITHUB_CONTEXT"
       - name: Clone self (github/codeql)
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: ql
           fetch-depth: 0

.github/workflows/csv-coverage.yml

@@ -13,11 +13,11 @@ jobs:
 
     steps:
       - name: Clone self (github/codeql)
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: script
       - name: Clone self (github/codeql) for analysis
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: codeqlModels
           ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}

.github/workflows/fast-forward.yml

@@ -25,7 +25,7 @@ jobs:
           exit 1
 
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Git config
         shell: bash

.github/workflows/go-tests-other-os.yml

@@ -7,19 +7,21 @@ on:
       - .github/workflows/go-tests-other-os.yml
       - .github/actions/**
       - codeql-workspace.yml
+env:
+  GO_VERSION: '~1.21.0'
 jobs:
   test-mac:
     name: Test MacOS
     runs-on: macos-latest
     steps:
-      - name: Set up Go 1.20
+      - name: Set up Go ${{ env.GO_VERSION }}
         uses: actions/setup-go@v4
         with:
-          go-version: '1.20'
+          go-version: ${{ env.GO_VERSION }}
         id: go
 
       - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Set up CodeQL CLI
         uses: ./.github/actions/fetch-codeql
@@ -47,14 +49,14 @@ jobs:
     name: Test Windows
     runs-on: windows-latest-xl
     steps:
-      - name: Set up Go 1.20
+      - name: Set up Go ${{ env.GO_VERSION }}
         uses: actions/setup-go@v4
         with:
-          go-version: '1.20'
+          go-version: ${{ env.GO_VERSION }}
         id: go
 
       - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Set up CodeQL CLI
         uses: ./.github/actions/fetch-codeql

.github/workflows/go-tests.yml

@@ -15,19 +15,21 @@ on:
       - .github/workflows/go-tests.yml
       - .github/actions/**
       - codeql-workspace.yml
+env:
+  GO_VERSION: '~1.21.0'
 jobs:
   test-linux:
     name: Test Linux (Ubuntu)
     runs-on: ubuntu-latest-xl
     steps:
-      - name: Set up Go 1.20
+      - name: Set up Go ${{ env.GO_VERSION }}
         uses: actions/setup-go@v4
         with:
-          go-version: '1.20'
+          go-version: ${{ env.GO_VERSION }}
         id: go
 
       - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Set up CodeQL CLI
         uses: ./.github/actions/fetch-codeql

.github/workflows/js-ml-tests.yml

@@ -1,65 +0,0 @@
-name: JS ML-powered queries tests
-
-on:
-  push:
-    paths:
-      - "javascript/ql/experimental/adaptivethreatmodeling/**"
-      - .github/workflows/js-ml-tests.yml
-      - .github/actions/fetch-codeql/action.yml
-      - codeql-workspace.yml
-    branches:
-      - main
-      - "rc/*"
-  pull_request:
-    paths:
-      - "javascript/ql/experimental/adaptivethreatmodeling/**"
-      - .github/workflows/js-ml-tests.yml
-      - .github/actions/fetch-codeql/action.yml
-      - codeql-workspace.yml
-  workflow_dispatch:
-
-defaults:
-  run:
-    working-directory: javascript/ql/experimental/adaptivethreatmodeling
-
-jobs:
-  qltest:
-    name: Test QL
-    runs-on: ubuntu-latest-xl
-    steps:
-      - uses: actions/checkout@v3
-
-      - uses: ./.github/actions/fetch-codeql
-
-      - name: Install pack dependencies
-        run: |
-          for pack in modelbuilding src test; do
-            codeql pack install --mode verify -- "${pack}"
-          done
-      
-      - name: Cache compilation cache
-        id: query-cache
-        uses: ./.github/actions/cache-query-compilation
-        with: 
-          key: js-ml-test
-
-      - name: Check QL compilation
-        run: |
-          codeql query compile \
-            --check-only \
-            --ram 50000 \
-            --additional-packs "${{ github.workspace }}" \
-            --threads=0 \
-            --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" \
-            -- \
-            lib modelbuilding src
-
-      - name: Run QL tests
-        run: |
-          codeql test run \
-            --threads=0 \
-            --ram 50000 \
-            --additional-packs "${{ github.workspace }}" \
-            --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" \
-            -- \
-            test

.github/workflows/mad_modelDiff.yml

@@ -27,12 +27,12 @@ jobs:
         slug: ${{fromJson(github.event.inputs.projects || '["apache/commons-codec", "apache/commons-io", "apache/commons-beanutils", "apache/commons-logging", "apache/commons-fileupload", "apache/commons-lang", "apache/commons-validator", "apache/commons-csv", "apache/dubbo"]' )}}
     steps:
       - name: Clone github/codeql from PR
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         if: github.event.pull_request
         with:
           path: codeql-pr
       - name: Clone github/codeql from main
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: codeql-main
           ref: main

.github/workflows/mad_regenerate-models.yml

@@ -27,11 +27,11 @@ jobs:
             ref: "placeholder"
     steps:
       - name: Clone self (github/codeql)
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Setup CodeQL binaries
         uses: ./.github/actions/fetch-codeql
       - name: Clone repositories
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: repos/${{ matrix.ref }}
           ref: ${{ matrix.ref }}

.github/workflows/qhelp-pr-preview.yml

@@ -43,7 +43,7 @@ jobs:
           if-no-files-found: error
           retention-days: 1
 
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 2
           persist-credentials: false

.github/workflows/ql-for-ql-build.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest-xl
     steps:
       ### Build the queries ###
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Find codeql

.github/workflows/ql-for-ql-dataset_measure.yml

@@ -21,7 +21,7 @@ jobs:
           - github/codeql
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Find codeql
         id: find-codeql
@@ -42,7 +42,7 @@ jobs:
         env:
           CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
       - name: Checkout ${{ matrix.repo }}
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           repository: ${{ matrix.repo }}
           path: ${{ github.workspace }}/repo
@@ -71,7 +71,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: measure
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: actions/download-artifact@v3
         with:
           name: measurements

.github/workflows/ql-for-ql-tests.yml

@@ -21,7 +21,7 @@ jobs:
   qltest:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Find codeql
         id: find-codeql
         uses: github/codeql-action/init@v2
@@ -61,7 +61,7 @@ jobs:
     needs: [qltest]
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Install GNU tar 
         if: runner.os == 'macOS'
         run: |

.github/workflows/query-list.yml

@@ -20,7 +20,7 @@ jobs:
 
     steps:
     - name: Clone self (github/codeql)
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         path: codeql 
     - name: Set up Python 3.8

.github/workflows/ruby-build.yml

@@ -42,7 +42,7 @@ jobs:
     runs-on: ${{ matrix.os }}
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Install GNU tar
         if: runner.os == 'macOS'
         run: |
@@ -113,7 +113,7 @@ jobs:
   compile-queries:
     runs-on: ubuntu-latest-xl
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Fetch CodeQL
         uses: ./.github/actions/fetch-codeql
       - name: Cache compilation cache
@@ -145,7 +145,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: [build, compile-queries]
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: actions/download-artifact@v3
         with:
           name: ruby.dbscheme
@@ -206,7 +206,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     needs: [package]
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Fetch CodeQL
         uses: ./.github/actions/fetch-codeql
 

.github/workflows/ruby-dataset-measure.yml

@@ -27,14 +27,14 @@ jobs:
         repo: [rails/rails, discourse/discourse, spree/spree, ruby/ruby]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - uses: ./.github/actions/fetch-codeql
 
       - uses: ./ruby/actions/create-extractor-pack
 
       - name: Checkout ${{ matrix.repo }}
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           repository: ${{ matrix.repo }}
           path: ${{ github.workspace }}/repo
@@ -59,7 +59,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: measure
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: actions/download-artifact@v3
         with:
           name: measurements

.github/workflows/ruby-qltest.yml

@@ -14,6 +14,7 @@ on:
   pull_request:
     paths:
       - "ruby/**"
+      - "shared/**"
       - .github/workflows/ruby-qltest.yml
       - .github/actions/fetch-codeql/action.yml
       - codeql-workspace.yml
@@ -32,7 +33,7 @@ jobs:
   qlupgrade:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: ./.github/actions/fetch-codeql
       - name: Check DB upgrade scripts
         run: |
@@ -53,7 +54,7 @@ jobs:
     strategy:
       fail-fast: false
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: ./.github/actions/fetch-codeql
       - uses: ./ruby/actions/create-extractor-pack
       - name: Cache compilation cache

.github/workflows/swift.yml

@@ -39,31 +39,31 @@ jobs:
   build-and-test-macos:
     runs-on: macos-12-xl
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: ./swift/actions/build-and-test
   build-and-test-linux:
     runs-on: ubuntu-latest-xl
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: ./swift/actions/build-and-test
   qltests-linux:
     needs: build-and-test-linux
     runs-on: ubuntu-latest-xl
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: ./swift/actions/run-ql-tests
   qltests-macos:
     if : ${{ github.event_name == 'pull_request' }}
     needs: build-and-test-macos
     runs-on: macos-12-xl
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: ./swift/actions/run-ql-tests
   integration-tests-linux:
     needs: build-and-test-linux
     runs-on: ubuntu-latest-xl
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: ./swift/actions/run-integration-tests
   integration-tests-macos:
     if : ${{ github.event_name == 'pull_request' }}
@@ -71,13 +71,13 @@ jobs:
     runs-on: macos-12-xl
     timeout-minutes: 60
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: ./swift/actions/run-integration-tests
   codegen:
     if : ${{ github.event_name == 'pull_request' }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: bazelbuild/setup-bazelisk@v2
       - uses: actions/setup-python@v4
         with:
@@ -102,6 +102,6 @@ jobs:
     if : ${{ github.event_name == 'pull_request' }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: ./.github/actions/fetch-codeql
       - uses: ./swift/actions/database-upgrade-scripts

.github/workflows/sync-files.yml

@@ -14,7 +14,7 @@ jobs:
   sync:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Check synchronized files
         run: python config/sync-files.py
       - name: Check dbscheme fragments

.github/workflows/tree-sitter-extractor-test.yml

@@ -27,7 +27,7 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Check formatting
         run: cargo fmt --all -- --check
       - name: Run tests
@@ -35,12 +35,12 @@ jobs:
   fmt:
     runs-on: ubuntu-latest  
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Check formatting
         run: cargo fmt --check
   clippy:
     runs-on: ubuntu-latest  
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Run clippy
         run: cargo clippy -- --no-deps -D warnings -A clippy::new_without_default -A clippy::too_many_arguments

.github/workflows/validate-change-notes.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup CodeQL
         uses: ./.github/actions/fetch-codeql

codeql-workspace.yml

@@ -4,6 +4,8 @@ provide:
   - "*/ql/test/qlpack.yml"
   - "*/ql/examples/qlpack.yml"
   - "*/ql/consistency-queries/qlpack.yml"
+  - "*/ql/automodel/src/qlpack.yml"
+  - "*/ql/automodel/test/qlpack.yml"
   - "shared/*/qlpack.yml"
   - "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml"
   - "go/ql/config/legacy-support/qlpack.yml"

config/identical-files.json

@@ -28,20 +28,8 @@
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl1.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForHttpClientLibraries.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForPathname.qll",
     "swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl1.qll"
   ],
-  "TaintTracking Java/C++/C#/Go/Python/Ruby/Swift": [
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTracking.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTracking.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTracking.qll",
-    "go/ql/lib/semmle/go/dataflow/internal/tainttracking1/TaintTracking.qll",
-    "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTracking.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking1/TaintTracking.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/tainttracking1/TaintTracking.qll",
-    "swift/ql/lib/codeql/swift/dataflow/internal/tainttracking1/TaintTracking.qll"
-  ],
   "TaintTracking Legacy Configuration Java/C++/C#/Go/Python/Ruby/Swift": [
     "cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
     "cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
@@ -65,15 +53,6 @@
     "ruby/ql/lib/codeql/ruby/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
     "swift/ql/lib/codeql/swift/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
   ],
-  "DataFlow Java/C++/C#/Python/Ruby/Swift Consistency checks": [
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplConsistency.qll",
-    "swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImplConsistency.qll"
-  ],
   "DataFlow Java/C#/Go/Ruby/Python/Swift Flow Summaries": [
     "java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll",
@@ -566,5 +545,9 @@
   "EncryptionKeySizes Python/Java": [
     "python/ql/lib/semmle/python/security/internal/EncryptionKeySizes.qll",
     "java/ql/lib/semmle/code/java/security/internal/EncryptionKeySizes.qll"
+  ],
+  "Python model summaries test extension": [
+    "python/ql/test/experimental/dataflow/model-summaries/InlineTaintTest.ext.yml",
+    "python/ql/test/experimental/dataflow/model-summaries/NormalDataflowTest.ext.yml"
   ]
 }

cpp/BUILD.bazel

@@ -1,12 +1,17 @@
-package(default_visibility = ["//visibility:public"])
-
 load("@rules_pkg//:mappings.bzl", "pkg_filegroup")
 
+package(default_visibility = ["//visibility:public"])
+
 alias(
     name = "dbscheme",
     actual = "//cpp/ql/lib:dbscheme",
 )
 
+alias(
+    name = "dbscheme-stats",
+    actual = "//cpp/ql/lib:dbscheme-stats",
+)
+
 pkg_filegroup(
     name = "db-files",
     srcs = [

cpp/downgrades/dbe9c8eb5fc6f54b7ae08c7317d0795b24961564/upgrade.properties

@@ -0,0 +1,2 @@
+description: Make __is_trivial a builtin operation
+compatibility: full

cpp/ql/lib/BUILD.bazel

@@ -1,7 +1,7 @@
-package(default_visibility = ["//cpp:__pkg__"])
-
 load("@rules_pkg//:mappings.bzl", "pkg_files")
 
+package(default_visibility = ["//cpp:__pkg__"])
+
 pkg_files(
     name = "dbscheme",
     srcs = ["semmlecode.cpp.dbscheme"],

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,22 @@
+## 0.9.3
+
+No user-facing changes.
+
+## 0.9.2
+
+### Deprecated APIs
+
+* `getAllocatorCall` on `DeleteExpr` and `DeleteArrayExpr` has been deprecated. `getDeallocatorCall` should be used instead.
+
+### New Features
+
+* Added `DeleteOrDeleteArrayExpr` as a super type of `DeleteExpr` and `DeleteArrayExpr`
+
+### Minor Analysis Improvements
+
+* `delete` and `delete[]` are now modeled as calls to the relevant `operator delete` in the IR. In the case of a dynamic delete call a new instruction `VirtualDeleteFunctionAddress` is used to represent a function that dispatches to the correct delete implementation.
+* Only the 2 level indirection of `argv` (corresponding to `**argv`) is consided for `FlowSource`.
+
 ## 0.9.1
 
 No user-facing changes.

cpp/ql/lib/change-notes/2023-09-06-as-defining-argument-off-by-one-fix.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `DataFlow::asDefiningArgument` predicate now takes its argument from the range starting at `1` instead of `2`. Queries that depend on the single-parameter version of `DataFlow::asDefiningArgument` should have their arguments updated accordingly.

cpp/ql/lib/change-notes/2023-09-07-return-from-end.md

@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* Treat functions that reach the end of the function as returning in the IR.
+  They used to be treated as unreachable but it is allowed in C. 

cpp/ql/lib/change-notes/2023-09-08-more-unreachble.md

@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* Functions that do not return due to calling functions that don't return (e.g. `exit`) are now detected as
+ non-returning in the IR and dataflow.

cpp/ql/lib/change-notes/released/0.9.2.md

@@ -0,0 +1,14 @@
+## 0.9.2
+
+### Deprecated APIs
+
+* `getAllocatorCall` on `DeleteExpr` and `DeleteArrayExpr` has been deprecated. `getDeallocatorCall` should be used instead.
+
+### New Features
+
+* Added `DeleteOrDeleteArrayExpr` as a super type of `DeleteExpr` and `DeleteArrayExpr`
+
+### Minor Analysis Improvements
+
+* `delete` and `delete[]` are now modeled as calls to the relevant `operator delete` in the IR. In the case of a dynamic delete call a new instruction `VirtualDeleteFunctionAddress` is used to represent a function that dispatches to the correct delete implementation.
+* Only the 2 level indirection of `argv` (corresponding to `**argv`) is consided for `FlowSource`.

cpp/ql/lib/change-notes/released/0.9.3.md

@@ -0,0 +1,3 @@
+## 0.9.3
+
+No user-facing changes.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.9.1
+lastReleaseVersion: 0.9.3

cpp/ql/lib/experimental/cryptography/Concepts.qll

@@ -0,0 +1,3 @@
+import experimental.cryptography.CryptoArtifact
+import experimental.cryptography.CryptoAlgorithmNames
+import experimental.cryptography.modules.OpenSSL as OpenSSL

cpp/ql/lib/experimental/cryptography/CryptoAlgorithmNames.qll

@@ -0,0 +1,239 @@
+/**
+ * Names of known cryptographic algorithms.
+ * The names are standardized into upper-case, no spaces, dashes or underscores.
+ */
+
+/**
+ * Returns a string to represent generally unknown algorithms.
+ * Predicate is to be used to get a consistent string representation
+ * for unknown algorithms.
+ */
+string unknownAlgorithm() { result = "UNKNOWN" }
+
+string getHashType() { result = "HASH" }
+
+string getSymmetricEncryptionType() { result = "SYMMETRIC_ENCRYPTION" }
+
+string getAsymmetricEncryptionType() { result = "ASYMMETRIC_ENCRYPTION" }
+
+string getKeyDerivationType() { result = "KEY_DERIVATION" }
+
+string getCipherBlockModeType() { result = "BLOCK_MODE" }
+
+string getSymmetricPaddingType() { result = "SYMMETRIC_PADDING" }
+
+string getAsymmetricPaddingType() { result = "ASYMMETRIC_PADDING" }
+
+string getEllipticCurveType() { result = "ELLIPTIC_CURVE" }
+
+string getSignatureType() { result = "SIGNATURE" }
+
+string getKeyExchangeType() { result = "KEY_EXCHANGE" }
+
+string getAsymmetricType() {
+  result in [
+      getAsymmetricEncryptionType(), getSignatureType(), getKeyExchangeType(),
+      getEllipticCurveType()
+    ]
+}
+
+predicate isKnownType(string algType) {
+  algType in [
+      getHashType(), getSymmetricEncryptionType(), getAsymmetricEncryptionType(),
+      getKeyDerivationType(), getCipherBlockModeType(), getSymmetricPaddingType(),
+      getAsymmetricPaddingType(), getEllipticCurveType(), getSignatureType(), getKeyExchangeType()
+    ]
+}
+
+predicate isKnownAlgorithm(string name) { isKnownAlgorithm(name, _) }
+
+predicate isKnownAlgorithm(string name, string algType) {
+  isHashingAlgorithm(name) and algType = "HASH"
+  or
+  isEncryptionAlgorithm(name, algType) and
+  algType in ["SYMMETRIC_ENCRYPTION", "ASYMMETRIC_ENCRYPTION"]
+  or
+  isKeyDerivationAlgorithm(name) and algType = "KEY_DERIVATION"
+  or
+  isCipherBlockModeAlgorithm(name) and algType = "BLOCK_MODE"
+  or
+  isPaddingAlgorithm(name, algType) and algType in ["SYMMETRIC_PADDING", "ASYMMETRIC_PADDING"]
+  or
+  isEllipticCurveAlgorithm(name) and algType = "ELLIPTIC_CURVE"
+  or
+  isSignatureAlgorithm(name) and algType = "SIGNATURE"
+  or
+  isKeyExchangeAlgorithm(name) and algType = "KEY_EXCHANGE"
+}
+
+/**
+ * Holds if `name` is a known hashing algorithm in the model/library.
+ */
+predicate isHashingAlgorithm(string name) {
+  name =
+    [
+      "BLAKE2", "BLAKE2B", "BLAKE2S", "SHA2", "SHA224", "SHA256", "SHA384", "SHA512", "SHA512224",
+      "SHA512256", "SHA3", "SHA3224", "SHA3256", "SHA3384", "SHA3512", "SHAKE128", "SHAKE256",
+      "SM3", "WHIRLPOOL", "POLY1305", "HAVEL128", "MD2", "MD4", "MD5", "PANAMA", "RIPEMD",
+      "RIPEMD128", "RIPEMD256", "RIPEMD160", "RIPEMD320", "SHA0", "SHA1", "SHA", "MGF1", "MGF1SHA1",
+      "MDC2", "SIPHASH"
+    ]
+}
+
+predicate isEncryptionAlgorithm(string name, string algType) {
+  isAsymmetricEncryptionAlgorithm(name) and algType = "ASYMMETRIC_ENCRYPTION"
+  or
+  isSymmetricEncryptionAlgorithm(name) and algType = "SYMMETRIC_ENCRYPTION"
+}
+
+predicate isEncryptionAlgorithm(string name) { isEncryptionAlgorithm(name, _) }
+
+/**
+ * Holds if `name` corresponds to a known symmetric encryption algorithm.
+ */
+predicate isSymmetricEncryptionAlgorithm(string name) {
+  // NOTE: AES is meant to caputure all possible key lengths
+  name =
+    [
+      "AES", "AES128", "AES192", "AES256", "ARIA", "BLOWFISH", "BF", "ECIES", "CAST", "CAST5",
+      "CAMELLIA", "CAMELLIA128", "CAMELLIA192", "CAMELLIA256", "CHACHA", "CHACHA20",
+      "CHACHA20POLY1305", "GOST", "GOSTR34102001", "GOSTR341094", "GOSTR341194", "GOST2814789",
+      "GOSTR341194", "GOST2814789", "GOST28147", "GOSTR341094", "GOST89", "GOST94", "GOST34102012",
+      "GOST34112012", "IDEA", "RABBIT", "SEED", "SM4", "DES", "DESX", "3DES", "TDES", "2DES",
+      "DES3", "TRIPLEDES", "TDEA", "TRIPLEDEA", "ARC2", "RC2", "ARC4", "RC4", "ARCFOUR", "ARC5",
+      "RC5", "MAGMA", "KUZNYECHIK"
+    ]
+}
+
+/**
+ * Holds if `name` corresponds to a known key derivation algorithm.
+ */
+predicate isKeyDerivationAlgorithm(string name) {
+  name =
+    [
+      "ARGON2", "CONCATKDF", "CONCATKDFHASH", "CONCATKDFHMAC", "KBKDFCMAC", "BCRYPT", "HKDF",
+      "HKDFEXPAND", "KBKDF", "KBKDFHMAC", "PBKDF1", "PBKDF2", "PBKDF2HMAC", "PKCS5", "SCRYPT",
+      "X963KDF", "EVPKDF"
+    ]
+}
+
+/**
+ * Holds if `name` corresponds to a known cipher block mode
+ */
+predicate isCipherBlockModeAlgorithm(string name) {
+  name = ["CBC", "GCM", "CCM", "CFB", "OFB", "CFB8", "CTR", "OPENPGP", "XTS", "EAX", "SIV", "ECB"]
+}
+
+/**
+ * Holds if `name` corresponds to a known padding algorithm
+ */
+predicate isPaddingAlgorithm(string name, string algType) {
+  isSymmetricPaddingAlgorithm(name) and algType = "SYMMETRIC_PADDING"
+  or
+  isAsymmetricPaddingAlgorithm(name) and algType = "ASYMMETRIC_PADDING"
+}
+
+/**
+ * holds if `name` corresponds to a known symmetric padding algorithm
+ */
+predicate isSymmetricPaddingAlgorithm(string name) { name = ["PKCS7", "ANSIX923"] }
+
+/**
+ * Holds if `name` corresponds to a known asymmetric padding algorithm
+ */
+predicate isAsymmetricPaddingAlgorithm(string name) { name = ["OAEP", "PKCS1V15", "PSS", "KEM"] }
+
+predicate isBrainpoolCurve(string curveName, int keySize) {
+  // ALL BRAINPOOL CURVES
+  keySize in [160, 192, 224, 256, 320, 384, 512] and
+  (
+    curveName = "BRAINPOOLP" + keySize.toString() + "R1"
+    or
+    curveName = "BRAINPOOLP" + keySize.toString() + "T1"
+  )
+}
+
+predicate isSecCurve(string curveName, int keySize) {
+  // ALL SEC CURVES
+  keySize in [112, 113, 128, 131, 160, 163, 192, 193, 224, 233, 239, 256, 283, 384, 409, 521, 571] and
+  exists(string suff | suff in ["R1", "R2", "K1"] |
+    curveName = "SECT" + keySize.toString() + suff or
+    curveName = "SECP" + keySize.toString() + suff
+  )
+}
+
+predicate isC2Curve(string curveName, int keySize) {
+  // ALL C2 CURVES
+  keySize in [163, 176, 191, 208, 239, 272, 304, 359, 368, 431] and
+  exists(string pre, string suff |
+    pre in ["PNB", "ONB", "TNB"] and suff in ["V1", "V2", "V3", "V4", "V5", "W1", "R1"]
+  |
+    curveName = "C2" + pre + keySize.toString() + suff
+  )
+}
+
+predicate isPrimeCurve(string curveName, int keySize) {
+  // ALL PRIME CURVES
+  keySize in [192, 239, 256] and
+  exists(string suff | suff in ["V1", "V2", "V3"] | curveName = "PRIME" + keySize.toString() + suff)
+}
+
+predicate isEllipticCurveAlgorithm(string curveName) { isEllipticCurveAlgorithm(curveName, _) }
+
+/**
+ * Holds if `name` corresponds to a known elliptic curve.
+ */
+predicate isEllipticCurveAlgorithm(string curveName, int keySize) {
+  isSecCurve(curveName, keySize)
+  or
+  isBrainpoolCurve(curveName, keySize)
+  or
+  isC2Curve(curveName, keySize)
+  or
+  isPrimeCurve(curveName, keySize)
+  or
+  curveName = "ES256" and keySize = 256
+  or
+  curveName = "CURVE25519" and keySize = 255
+  or
+  curveName = "X25519" and keySize = 255
+  or
+  curveName = "ED25519" and keySize = 255
+  or
+  curveName = "CURVE448" and keySize = 448 // TODO: need to check the key size
+  or
+  curveName = "ED448" and keySize = 448
+  or
+  curveName = "X448" and keySize = 448
+  or
+  curveName = "NUMSP256T1" and keySize = 256
+  or
+  curveName = "NUMSP384T1" and keySize = 384
+  or
+  curveName = "NUMSP512T1" and keySize = 512
+  or
+  curveName = "SM2" and keySize in [256, 512]
+}
+
+/**
+ * Holds if `name` corresponds to a known signature algorithm.
+ */
+predicate isSignatureAlgorithm(string name) {
+  name =
+    [
+      "DSA", "ECDSA", "EDDSA", "ES256", "ES256K", "ES384", "ES512", "ED25519", "ED448", "ECDSA256",
+      "ECDSA384", "ECDSA512"
+    ]
+}
+
+/**
+ * Holds if `name` is a key exchange algorithm.
+ */
+predicate isKeyExchangeAlgorithm(string name) {
+  name = ["ECDH", "DH", "DIFFIEHELLMAN", "X25519", "X448"]
+}
+
+/**
+ * Holds if `name` corresponds to a known asymmetric encryption.
+ */
+predicate isAsymmetricEncryptionAlgorithm(string name) { name = ["RSA"] }

cpp/ql/lib/experimental/cryptography/CryptoArtifact.qll

@@ -0,0 +1,316 @@
+import cpp
+private import experimental.cryptography.CryptoAlgorithmNames
+import semmle.code.cpp.ir.dataflow.TaintTracking
+
+/*
+ * A cryptographic artifact is a DataFlow::Node associated with some
+ * operation, algorithm, or any other aspect of cryptography.
+ */
+
+abstract class CryptographicArtifact extends Expr { }
+
+// /**
+//  * Associates a symmetric encryption algorithm with a block mode.
+//  * The DataFlow::Node representing this association should be the
+//  * point where the algorithm and block mode are combined.
+//  * This may be at the call to encryption or in the construction
+//  * of an object prior to encryption.
+//  */
+// abstract class SymmetricCipher extends CryptographicArtifact{
+//   abstract SymmetricEncryptionAlgorithm getEncryptionAlgorithm();
+//   abstract BlockMode getBlockMode();
+//   final predicate hasBlockMode(){
+//     exists(this.getBlockMode())
+//   }
+// }
+// /**
+//  * A cryptographic operation is a method call that invokes a cryptographic
+//  * algorithm (encrypt/decrypt) or a function in support of a cryptographic algorithm
+//  * (key generation).
+//  *
+//  * Since operations are related to or in support of algorithms, operations must
+//  * provide a reference to their associated algorithm. Often operataions themselves
+//  * encapsulate algorithms, so operations can also extend CryptographicAlgorithm
+//  * and refer to themselves as the target algorithm.
+//  */
+// abstract class CryptographicOperation extends CryptographicArtifact, Call{
+//   // bindingset[paramName, ind]
+//   // final DataFlow::Node getParameterSource(int ind, string paramName){
+//   //   result = Utils::getUltimateSrcFromApiNode(this.(API::CallNode).getParameter(ind, paramName))
+//   // }
+//   final string getAlgorithmName(){
+//     if exists(this.getAlgorithm().getName())
+//     then result = this.getAlgorithm().getName()
+//     else result = unknownAlgorithm()
+//   }
+//   final predicate hasAlgorithm(){
+//     exists(this.getAlgorithm())
+//   }
+//   final predicate isUnknownAlgorithm(){
+//     this.getAlgorithmName() = unknownAlgorithm()
+//     or
+//     not this.hasAlgorithm()
+//   }
+//   // TODO: this might have to be parameterized by a configuration source for
+//   //       situations where an operation is passed an algorithm
+//   abstract CryptographicAlgorithm getAlgorithm();
+// }
+// /** A key generation operation for asymmetric keys */
+// abstract class KeyGen extends CryptographicOperation{
+//   int getAKeySizeInBits(){
+//     result = getKeySizeInBits(_)
+//   }
+//   final predicate hasKeySize(Expr configSrc){
+//     exists(this.getKeySizeInBits(configSrc))
+//   }
+//   final predicate hasKeySize(){
+//     exists(this.getAKeySizeInBits())
+//   }
+//   abstract Expr getKeyConfigSrc();
+//   abstract int getKeySizeInBits(Expr configSrc);
+// }
+abstract class CryptographicOperation extends CryptographicArtifact, Call { }
+
+abstract class KeyGeneration extends CryptographicOperation {
+  // TODO: what if the algorithm is UNKNOWN?
+  abstract Expr getKeyConfigurationSource(CryptographicAlgorithm alg);
+
+  abstract CryptographicAlgorithm getAlgorithm();
+
+  int getKeySizeInBits(CryptographicAlgorithm alg) {
+    result = this.getKeyConfigurationSource(alg).(Literal).getValue().toInt()
+  }
+
+  predicate hasConstantKeySize(CryptographicAlgorithm alg) { exists(this.getKeySizeInBits(alg)) }
+
+  predicate hasKeyConfigurationSource(CryptographicAlgorithm alg) {
+    exists(this.getKeyConfigurationSource(alg))
+  }
+
+  Expr getAKeyConfigurationSource() { result = this.getKeyConfigurationSource(_) }
+}
+
+abstract class AsymmetricKeyGeneration extends KeyGeneration { }
+
+abstract class SymmetricKeyGeneration extends KeyGeneration { }
+
+/**
+ * A cryptographic algorithm is a `CryptographicArtifact`
+ * representing a cryptographic algorithm (see `CryptoAlgorithmNames.qll`).
+ * Cryptographic algorithms can be functions referencing common crypto algorithms (e.g., hashlib.md5)
+ * or strings that are used in cryptographic operation configurations (e.g., hashlib.new("md5")).
+ * Cryptogrpahic algorithms may also be operations that wrap or abstract one or
+ * more algorithms (e.g., cyrptography.fernet.Fernet and AES, CBC and PKCS7).
+ *
+ * In principle, this class should model the location where an algorithm enters the program, not
+ * necessarily where it is used.
+ */
+abstract class CryptographicAlgorithm extends CryptographicArtifact {
+  abstract string getName();
+
+  abstract string getAlgType();
+
+  //  string getAlgType(){
+  //   if this instanceof HashAlgorithm then result = getHashType()
+  //   else if this instanceof KeyDerivationAlgorithm then result = getKeyDerivationType()
+  //   else if this instanceof SymmetricEncryptionAlgorithm then result = getSymmetricEncryptionType()
+  //   else if this instanceof AsymmetricEncryptionAlgorithm then result = getAsymmetricEncryptionType()
+  //   else if this instanceof SymmetricEncryptionAlgorithm then result = getSymmetricPaddingType()
+  //   else if this instanceof AsymmetricEncryptionAlgorithm then result = getAsymmetricPaddingType()
+  //   else if this instanceof EllipticCurveAlgorithm then result = getEllipticCurveType()
+  //   else if this instanceof BlockMode then result = getCipherBlockModeType()
+  //   else if this instanceof KeyExchangeAlgorithm then result = getKeyExchangeType()
+  //   else if this instanceof SigningAlgorithm then result = getSignatureType()
+  //   else result = unknownAlgorithm()
+  // }
+  // TODO: handle case where name isn't known, not just unknown?
+  /**
+   * Normalizes a raw name into a normalized name as found in `CryptoAlgorithmNames.qll`.
+   * Subclassess should override for more api-specific normalization.
+   * By deafult, converts a raw name to upper-case with no hyphen, underscore, hash, or space.
+   */
+  bindingset[s]
+  string normalizeName(string s) {
+    exists(string normStr | normStr = s.toUpperCase().regexpReplaceAll("[-_ ]|/", "") |
+      result = normStr and isKnownAlgorithm(result)
+      or
+      result = unknownAlgorithm() and not isKnownAlgorithm(normStr)
+    )
+  }
+
+  abstract Expr configurationSink();
+
+  predicate hasConfigurationSink() { exists(this.configurationSink()) }
+}
+
+abstract class HashAlgorithm extends CryptographicAlgorithm {
+  final string getHashName() {
+    if exists(string n | n = this.getName() and isHashingAlgorithm(n))
+    then isHashingAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+
+  override string getAlgType() { result = getHashType() }
+}
+
+abstract class KeyDerivationAlgorithm extends CryptographicAlgorithm {
+  final string getKDFName() {
+    if exists(string n | n = this.getName() and isKeyDerivationAlgorithm(n))
+    then isKeyDerivationAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+
+  override string getAlgType() { result = getKeyDerivationType() }
+}
+
+// abstract class KeyDerivationOperation extends CryptographicOperation{
+//   DataFlow::Node getIterationSizeSrc(){
+//     none()
+//   }
+//   DataFlow::Node getSaltConfigSrc(){
+//     none()
+//   }
+//   DataFlow::Node getHashConfigSrc(){
+//     none()
+//   }
+//   // TODO: get encryption algorithm for CBC-based KDF?
+//   DataFlow::Node getDerivedKeySizeSrc(){
+//     none()
+//   }
+//   DataFlow::Node getModeSrc(){
+//     none()
+//   }
+//   // TODO: add more to cover all the parameters of most KDF operations? Perhaps subclass for each type?
+//   abstract predicate requiresIteration();
+//   abstract predicate requiresSalt();
+//   abstract predicate requiresHash();
+//   //abstract predicate requiresKeySize(); // Going to assume all requires a size
+//   abstract predicate requiresMode();
+// }
+abstract class EncryptionAlgorithm extends CryptographicAlgorithm {
+  final predicate isAsymmetric() { this instanceof AsymmetricEncryptionAlgorithm }
+
+  final predicate isSymmetric() { not this.isAsymmetric() }
+  // NOTE: DO_NOT add getEncryptionName here, we rely on the fact the parent
+  //       class does not have this common predicate.
+}
+
+/**
+ * A parent class to represent any algorithm for which
+ * asymmetric cryptography is involved.
+ * Intended to be distinct from AsymmetricEncryptionAlgorithm
+ * which is intended only for asymmetric algorithms that specifically encrypt.
+ */
+abstract class AsymmetricAlgorithm extends CryptographicAlgorithm { }
+
+/**
+ * Algorithms directly or indirectly related to asymmetric encryption,
+ * e.g., RSA, DSA, but also RSA padding algorithms
+ */
+abstract class AsymmetricEncryptionAlgorithm extends AsymmetricAlgorithm, EncryptionAlgorithm {
+  final string getEncryptionName() {
+    if exists(string n | n = this.getName() and isAsymmetricEncryptionAlgorithm(n))
+    then isAsymmetricEncryptionAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+
+  override string getAlgType() { result = getAsymmetricEncryptionType() }
+}
+
+/**
+ * Algorithms directly or indirectly related to symmetric encryption,
+ * e.g., AES, DES, but also block modes and padding
+ */
+abstract class SymmetricEncryptionAlgorithm extends EncryptionAlgorithm {
+  final string getEncryptionName() {
+    if exists(string n | n = this.getName() and isSymmetricEncryptionAlgorithm(n))
+    then isSymmetricEncryptionAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+
+  // TODO: add a stream cipher predicate?
+  override string getAlgType() { result = getSymmetricEncryptionType() }
+}
+
+// Used only to categorize all padding into a single object,
+// DO_NOT add predicates here. Only for categorization purposes.
+abstract class PaddingAlgorithm extends CryptographicAlgorithm { }
+
+abstract class SymmetricPadding extends PaddingAlgorithm {
+  final string getPaddingName() {
+    if exists(string n | n = this.getName() and isSymmetricPaddingAlgorithm(n))
+    then isSymmetricPaddingAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+
+  override string getAlgType() { result = getSymmetricPaddingType() }
+}
+
+abstract class AsymmetricPadding extends PaddingAlgorithm {
+  final string getPaddingName() {
+    if exists(string n | n = this.getName() and isAsymmetricPaddingAlgorithm(n))
+    then isAsymmetricPaddingAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+
+  override string getAlgType() { result = getAsymmetricPaddingType() }
+}
+
+abstract class EllipticCurveAlgorithm extends AsymmetricAlgorithm {
+  final string getCurveName() {
+    if exists(string n | n = this.getName() and isEllipticCurveAlgorithm(n))
+    then isEllipticCurveAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+
+  final int getCurveBitSize() { isEllipticCurveAlgorithm(this.getCurveName(), result) }
+
+  override string getAlgType() { result = getEllipticCurveType() }
+}
+
+abstract class BlockModeAlgorithm extends CryptographicAlgorithm {
+  final string getBlockModeName() {
+    if exists(string n | n = this.getName() and isCipherBlockModeAlgorithm(n))
+    then isCipherBlockModeAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+
+  /**
+   * Gets the source of the IV configuration.
+   */
+  abstract Expr getIVorNonce();
+
+  final predicate hasIVorNonce() { exists(this.getIVorNonce()) }
+
+  override string getAlgType() { result = getCipherBlockModeType() }
+}
+
+// abstract class KeyWrapOperation extends CryptographicOperation{
+// }
+abstract class AuthenticatedEncryptionAlgorithm extends SymmetricEncryptionAlgorithm {
+  final string getAuthticatedEncryptionName() {
+    if exists(string n | n = this.getName() and isSymmetricEncryptionAlgorithm(n))
+    then isSymmetricEncryptionAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+}
+
+abstract class KeyExchangeAlgorithm extends AsymmetricAlgorithm {
+  final string getKeyExchangeName() {
+    if exists(string n | n = this.getName() and isKeyExchangeAlgorithm(n))
+    then isKeyExchangeAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+
+  override string getAlgType() { result = getKeyExchangeType() }
+}
+
+abstract class SigningAlgorithm extends AsymmetricAlgorithm {
+  final string getSigningName() {
+    if exists(string n | n = this.getName() and isSignatureAlgorithm(n))
+    then isSignatureAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+
+  override string getAlgType() { result = getSignatureType() }
+}

cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll

@@ -0,0 +1,718 @@
+import cpp
+import experimental.cryptography.CryptoAlgorithmNames
+import experimental.cryptography.CryptoArtifact
+import experimental.cryptography.utils.OpenSSL.CryptoFunction
+import experimental.cryptography.utils.OpenSSL.AlgorithmSink
+import experimental.cryptography.utils.OpenSSL.PassthroughFunction
+import experimental.cryptography.utils.OpenSSL.CryptoAlgorithm
+import experimental.cryptography.CryptoArtifact
+// import semmle.code.cpp.ir.dataflow.TaintTracking
+import semmle.code.cpp.ir.dataflow.DataFlow
+
+/**
+ *  Problematic case in OpenSSL speed.c
+ *    static const char *names[ALGOR_NUM] = {
+ *        "md2", "mdc2", "md4", "md5", "sha1", "rmd160",
+ *        "sha256", "sha512", "whirlpool", "hmac(md5)",
+ *        "des-cbc", "des-ede3", "rc4", "idea-cbc", "seed-cbc",
+ *        "rc2-cbc", "rc5-cbc", "blowfish", "cast-cbc",
+ *        "aes-128-cbc", "aes-192-cbc", "aes-256-cbc",
+ *        "camellia-128-cbc", "camellia-192-cbc", "camellia-256-cbc",
+ *        "evp", "ghash", "rand", "cmac"
+ *    };
+ *
+ *    Every entry is considered a block mode, hash, and symmetric encryption algorithm
+ *    getEncryptionName for example, will return unknown
+ */
+predicate nodeToExpr(DataFlow::Node node, Expr e) {
+  e = node.asExpr() or e = node.asIndirectArgument()
+}
+
+Expr getExprFromNode(DataFlow::Node node) { nodeToExpr(node, result) }
+
+DataFlow::Node getNodeFromExpr(Expr e) { nodeToExpr(result, e) }
+
+predicate isEVP_PKEY_CTX(Type t) { t.getUnderlyingType().stripType().getName() = "evp_pkey_ctx_st" }
+
+/**
+ * An expression representing an EVP_PKEY_CTX* at the location of a
+ * known AlgorithmSinkArgument.
+ * The EVP_PKEY_CTX* represents the location where the CTX is tied to the algorithm,
+ * and can be used as a source for tracing EVP_PKEY_CTX to other operations.
+ */
+class Known_EVP_PKEY_CTX_Ptr_Source extends Expr {
+  Known_EVP_PKEY_CTX_Ptr_Source() {
+    isEVP_PKEY_CTX(this.getUnderlyingType()) and
+    this.getUnderlyingType() instanceof PointerType and
+    exists(AlgorithmSinkArgument arg, Call sinkCall |
+      arg.getSinkCall() = sinkCall and
+      sinkCall.getAnArgument() = this
+      or
+      this = sinkCall
+    )
+  }
+}
+
+// module CTXFlow implements DataFlow::ConfigSig{
+//     predicate isSource(DataFlow::Node source) {
+//         // ASSUMPTION: at a sink, an algorithm is converted into a CTX through a return of the call only
+//         //             and is the primary source of interest for CTX tracing
+//         source.asExpr() instanceof AlgorithmSinkArgument
+//     }
+//     predicate isSink(DataFlow::Node sink){
+//         sink.asExpr() instanceof CTXSink
+//     }
+//     predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+//         //  cls.getName() = "asn1_object_st" flow out on any EVP_PKEY_CTX which is "evp_pkey_ctx_st"
+//         exists(Call c |
+//             isEVP_PKEY_CTX(c.getUnderlyingType()) and
+//             node1.asExpr() = c.getAnArgument() and c = node2.asExpr())
+//     }
+// }
+// module CTXFlowConfig = DataFlow::Global<CTXFlow>;
+// TODO: currently only handles tracing from literals to sinks
+module LiteralAlgorithmTracerConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source.asExpr() instanceof Literal and
+    // Optimization to reduce literal tracing on integers to only those that are known/relevant NIDs.
+    (
+      exists(source.asExpr().getValue().toInt())
+      implies
+      source.asExpr().getValue().toInt() < getNIDMax()
+    ) and
+    // False positives observed inside OBJ_nid2* and OBJ_sn2* functions where NULL is a possible assignment.
+    // While this is a concern, it only occurs if the object being referenced is NULL to begin with
+    // Perhaps a different query should be used to find these caes if they represent a threat.
+    // Filter out any open ssl function source in a function namae Obj_*
+    // False positives in OpenSSL also observed for CRYPTO_strndup (filtering any CRYPTO_* function)
+    // due to setting a null byte in the string
+    (
+      isPossibleOpenSSLFunction(source.getEnclosingCallable())
+      implies
+      (
+        not source.getEnclosingCallable().getName().matches("OBJ_%") and
+        not source.getEnclosingCallable().getName().matches("CRYPTO_%")
+      )
+    )
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    // A sink is a call to a function that takes an algorithm as an argument
+    // must include checks for asIndirectArgument since the input may be a pointer to an object
+    // and the member of the object holds the algorithm on the trace.
+    getExprFromNode(sink) instanceof AlgorithmSinkArgument
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    knownPassThroughStep(node1, node2)
+  }
+
+  predicate isBarrier(DataFlow::Node node) {
+    // If the node is the 'next' argument of a isCallPassThrough, it is only allowed if it is an out parameter
+    // i.e., a defining argument. This barrier says that if the node is an expression not an out parameter, it is filtered.
+    // Out arguments will not be filtered.
+    exists(Call c | knownPassthoughCall(c, _, node.asExpr()) and c.getAnArgument() = node.asExpr())
+    or
+    // False positive reducer, don't flow out through argv
+    node.asVariable().hasName("argv")
+    or
+    node.asIndirectVariable().hasName("argv")
+  }
+
+  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+    // Assume a read on crypto identifying field for any object of type asn1_object_st (i.e., ASN1_OBJECT)
+    exists(Class cls | cls.getName() = "asn1_object_st" |
+      node.getType().getUnspecifiedType().stripType() = cls and
+      c.(DataFlow::FieldContent).getField() = cls.getAMember() and
+      c.(DataFlow::FieldContent).getField().getName() in ["nid", "sn", "ln"]
+    )
+  }
+}
+
+module LiteralAlgorithmTracer = DataFlow::Global<LiteralAlgorithmTracerConfig>;
+
+/**
+ * `source` is an expression that is a source of an algorithm of type `algType`.
+ * `algType` may be `UNKONWN`.
+ *  See CryptoAlgorithmNames for other possible values of `algType`.
+ */
+bindingset[sinkAlgType]
+predicate hasLiteralPathToAlgSink(DataFlow::Node source, DataFlow::Node sink, string sinkAlgType) {
+  LiteralAlgorithmTracer::flow(source, sink) and
+  getExprFromNode(sink).(AlgorithmSinkArgument).algType() = sinkAlgType
+}
+
+private predicate knownTracedAlgorithm(Literal e, string srcSinkType) {
+  knownTracedAlgorithm(e, srcSinkType, srcSinkType)
+}
+
+private predicate knownTracedAlgorithm(Literal e, string srcType, string sinkType) {
+  resolveAlgorithmFromLiteral(e, _, srcType) and
+  hasLiteralPathToAlgSink(DataFlow::exprNode(e), _, sinkType) and
+  isKnownType(sinkType) and
+  isKnownType(srcType)
+}
+
+private predicate unknownTracedLiteralAlgorithm(Literal e, string srcSinkType) {
+  // Asymmetric special case:
+  // Since asymmetric algorithm sinks are used for various categories of asymmetric algorithms
+  // an asymmetric algorithm is only unknown if there is no trace from any asymmetric type to the given srcSinkType sink
+  if getAsymmetricType() = srcSinkType
+  then forall(string t | t = getAsymmetricType() | unknownTracedLiteralAlgorithm(e, t, srcSinkType))
+  else unknownTracedLiteralAlgorithm(e, srcSinkType, srcSinkType)
+}
+
+private predicate unknownTracedLiteralAlgorithm(Literal e, string srcType, string sinkType) {
+  // the literal resolves to an algorithm, but not to the sinktype
+  // or generally doesn't resolve to any algorithm type
+  // this case covers 'nonsense' cases e.g., use RSA for symmetric encryption
+  not resolveAlgorithmFromLiteral(e, _, srcType) and
+  isValidAlgorithmLiteral(e) and
+  hasLiteralPathToAlgSink(DataFlow::exprNode(e), _, sinkType) and
+  isKnownType(sinkType) and
+  isKnownType(srcType)
+}
+
+private predicate unknownTracedNonLiteralAlgorithm(AlgorithmSinkArgument e, string srcSinkType) {
+  // Asymmetric special case:
+  // Since asymmetric algorithm sinks are used for various categories of asymmetric algorithms
+  // an asymmetric algorithm is only unknown if there is no trace from any asymmetric type to the given srcSinkType sink
+  if getAsymmetricType() = srcSinkType
+  then
+    forall(string t | t = getAsymmetricType() | unknownTracedNonLiteralAlgorithm(e, t, srcSinkType))
+  else unknownTracedNonLiteralAlgorithm(e, srcSinkType, srcSinkType)
+}
+
+private predicate unknownTracedNonLiteralAlgorithm(
+  AlgorithmSinkArgument e, string srcType, string sinkType
+) {
+  not hasLiteralPathToAlgSink(_, getNodeFromExpr(e), srcType) and
+  LiteralAlgorithmTracerConfig::isSink(getNodeFromExpr(e)) and
+  e.algType() = sinkType and
+  isKnownType(srcType) and
+  isKnownType(sinkType)
+}
+
+private predicate functionAlgorithm(Call c, string algType) {
+  isOpenSSLCryptoFunctionCall(c, _, algType)
+}
+
+abstract class OpenSSLTracedAlgorithm extends CryptographicAlgorithm {
+  override string getName() { resolveAlgorithmFromLiteral(this, result, this.getAlgType()) }
+
+  override Expr configurationSink() {
+    exists(DataFlow::Node sink |
+      hasLiteralPathToAlgSink(DataFlow::exprNode(this), sink, this.getAlgType())
+    |
+      result = getExprFromNode(sink)
+    )
+  }
+}
+
+abstract class OpenSSLFunctionAlgorithm extends CryptographicAlgorithm {
+  override string getName() { isOpenSSLCryptoFunctionCall(this, result, this.getAlgType()) }
+
+  override Expr configurationSink() { result = this }
+}
+
+abstract class OpenSSLUnknownTracedLiteralAlgorithm extends CryptographicAlgorithm {
+  override string getName() { result = unknownAlgorithm() }
+
+  override Expr configurationSink() {
+    exists(DataFlow::Node sink |
+      hasLiteralPathToAlgSink(DataFlow::exprNode(this), sink, this.getAlgType())
+    |
+      result = getExprFromNode(sink)
+    )
+  }
+}
+
+abstract class OpenSSLUnknownTracedNonLiteralAlgorithm extends CryptographicAlgorithm {
+  override string getName() { result = unknownAlgorithm() }
+
+  override Expr configurationSink() { result = this }
+}
+
+module SymmetricEncryption {
+  abstract class OpenSSLSymmetricEncryptionAlgorithm extends SymmetricEncryptionAlgorithm { }
+
+  class OpenSSLSymmetricEncryptionTracedAlgorithm extends OpenSSLTracedAlgorithm,
+    OpenSSLSymmetricEncryptionAlgorithm
+  {
+    OpenSSLSymmetricEncryptionTracedAlgorithm() {
+      knownTracedAlgorithm(this, getSymmetricEncryptionType())
+    }
+  }
+
+  class OpenSSLSymmetricEncryptionFunctionAlgorithm extends OpenSSLFunctionAlgorithm,
+    OpenSSLSymmetricEncryptionAlgorithm
+  {
+    OpenSSLSymmetricEncryptionFunctionAlgorithm() {
+      functionAlgorithm(this, getSymmetricEncryptionType())
+    }
+  }
+
+  class OpenSSLSymmetricEncryptionTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm,
+    OpenSSLSymmetricEncryptionAlgorithm
+  {
+    OpenSSLSymmetricEncryptionTracedUnknownLiteralAlgorithm() {
+      unknownTracedLiteralAlgorithm(this, getSymmetricEncryptionType())
+    }
+  }
+
+  class OpenSSLSymmetricEncryptionUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm,
+    OpenSSLSymmetricEncryptionAlgorithm
+  {
+    OpenSSLSymmetricEncryptionUnknownNonLiteralTracedAlgorithm() {
+      unknownTracedNonLiteralAlgorithm(this, getSymmetricEncryptionType())
+    }
+  }
+}
+
+module BlockModes {
+  /**
+   * In OpenSSL, block modes are associated directly with symmetric encryption algorithms.
+   * As such, OpenSSLBLockModes are modeled as extensions of any openssl symmetric encryption algorithm
+   */
+  class OpenSSLBlockModeAlgorithm extends BlockModeAlgorithm, Expr instanceof SymmetricEncryption::OpenSSLSymmetricEncryptionAlgorithm
+  {
+    OpenSSLBlockModeAlgorithm() {
+      //two cases, either the block mode is a literal or it is a function call
+      resolveAlgorithmFromLiteral(this, _, "BLOCK_MODE")
+      or
+      isOpenSSLCryptoFunctionCall(this, _, "BLOCK_MODE")
+    }
+
+    override string getName() {
+      resolveAlgorithmFromLiteral(this, result, "BLOCK_MODE")
+      or
+      isOpenSSLCryptoFunctionCall(this, result, "BLOCK_MODE")
+    }
+
+    override Expr configurationSink() {
+      result = this.(SymmetricEncryption::OpenSSLSymmetricEncryptionAlgorithm).configurationSink()
+    }
+
+    override Expr getIVorNonce() {
+      // TODO
+      none()
+    }
+  }
+
+  class UnknownOpenSSLBlockModeAlgorithm extends BlockModeAlgorithm, Expr instanceof SymmetricEncryption::OpenSSLSymmetricEncryptionAlgorithm
+  {
+    UnknownOpenSSLBlockModeAlgorithm() {
+      //two cases, either the block mode is a literal or it is a function call
+      not resolveAlgorithmFromLiteral(this, _, "BLOCK_MODE") and
+      not isOpenSSLCryptoFunctionCall(this, _, "BLOCK_MODE")
+    }
+
+    override string getName() { result = unknownAlgorithm() }
+
+    override Expr configurationSink() {
+      result = this.(SymmetricEncryption::OpenSSLSymmetricEncryptionAlgorithm).configurationSink()
+    }
+
+    override Expr getIVorNonce() { none() }
+  }
+}
+
+module Hashes {
+  abstract class OpenSSLHashAlgorithm extends HashAlgorithm { }
+
+  class OpenSSLHashTracedAlgorithm extends OpenSSLTracedAlgorithm, OpenSSLHashAlgorithm {
+    OpenSSLHashTracedAlgorithm() { knownTracedAlgorithm(this, getHashType()) }
+  }
+
+  class OpenSSLHashFunctionAlgorithm extends OpenSSLFunctionAlgorithm, OpenSSLHashAlgorithm {
+    OpenSSLHashFunctionAlgorithm() { functionAlgorithm(this, getHashType()) }
+  }
+
+  class OpenSSLHashTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm,
+    OpenSSLHashAlgorithm
+  {
+    OpenSSLHashTracedUnknownLiteralAlgorithm() {
+      unknownTracedLiteralAlgorithm(this, getHashType())
+    }
+  }
+
+  class OpenSSLHashUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm,
+    OpenSSLHashAlgorithm
+  {
+    OpenSSLHashUnknownNonLiteralTracedAlgorithm() {
+      unknownTracedNonLiteralAlgorithm(this, getHashType())
+    }
+  }
+
+  class OpenSSLNullHash extends HashAlgorithm {
+    OpenSSLNullHash() {
+      exists(Call c |
+        this = c and
+        isPossibleOpenSSLFunction(c.getTarget()) and
+        c.getTarget().getName() in ["EVP_md_null"]
+      )
+    }
+
+    override string getName() { result = unknownAlgorithm() }
+
+    override Expr configurationSink() { result = this }
+  }
+}
+
+module EllipticCurves {
+  // TODO: need to address EVP_PKEY_Q_keygen where the type is "EC" but the curve is UNKNOWN?
+  class OpenSSLEllipticCurveTracedAlgorithm extends OpenSSLTracedAlgorithm, EllipticCurveAlgorithm {
+    OpenSSLEllipticCurveTracedAlgorithm() { knownTracedAlgorithm(this, getEllipticCurveType()) }
+  }
+
+  class OpenSSLEllipticCurveFunctionAlgorithm extends OpenSSLFunctionAlgorithm,
+    EllipticCurveAlgorithm
+  {
+    OpenSSLEllipticCurveFunctionAlgorithm() { functionAlgorithm(this, getEllipticCurveType()) }
+  }
+
+  class OpenSSLEllipticCurveTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm,
+    EllipticCurveAlgorithm
+  {
+    OpenSSLEllipticCurveTracedUnknownLiteralAlgorithm() {
+      unknownTracedLiteralAlgorithm(this, getEllipticCurveType())
+    }
+  }
+
+  class OpenSSLEllipticCurvehUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm,
+    EllipticCurveAlgorithm
+  {
+    OpenSSLEllipticCurvehUnknownNonLiteralTracedAlgorithm() {
+      unknownTracedNonLiteralAlgorithm(this, getEllipticCurveType())
+    }
+  }
+
+  // https://www.openssl.org/docs/manmaster/man3/EC_KEY_new_ex.html
+  class OpenSSLNullEllipticCurve extends EllipticCurveAlgorithm {
+    OpenSSLNullEllipticCurve() {
+      exists(Call c |
+        this = c and
+        isPossibleOpenSSLFunction(c.getTarget()) and
+        c.getTarget().getName() in ["EC_KEY_new", "EC_KEY_new_ex"]
+      )
+    }
+
+    override string getName() { result = unknownAlgorithm() }
+
+    override Expr configurationSink() { result = this }
+  }
+}
+
+module AsymmetricEncryption {
+  class OpenSSLAsymmetricEncryptionTracedAlgorithm extends OpenSSLTracedAlgorithm,
+    AsymmetricEncryptionAlgorithm
+  {
+    OpenSSLAsymmetricEncryptionTracedAlgorithm() {
+      knownTracedAlgorithm(this, getAsymmetricEncryptionType())
+    }
+  }
+
+  class OpenSSLAsymmetricEncryptionFunctionAlgorithm extends OpenSSLFunctionAlgorithm,
+    AsymmetricEncryptionAlgorithm
+  {
+    OpenSSLAsymmetricEncryptionFunctionAlgorithm() {
+      functionAlgorithm(this, getAsymmetricEncryptionType())
+    }
+  }
+
+  class OpenSSLAsymmetricEncryptionTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm,
+    AsymmetricEncryptionAlgorithm
+  {
+    OpenSSLAsymmetricEncryptionTracedUnknownLiteralAlgorithm() {
+      unknownTracedLiteralAlgorithm(this, getAsymmetricEncryptionType())
+    }
+  }
+
+  class OpenSSLAsymmetricEncryptionUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm,
+    AsymmetricEncryptionAlgorithm
+  {
+    OpenSSLAsymmetricEncryptionUnknownNonLiteralTracedAlgorithm() {
+      unknownTracedNonLiteralAlgorithm(this, getAsymmetricEncryptionType())
+    }
+  }
+}
+
+module SigningAlgorithms {
+  class OpenSSLSignatureTracedAlgorithm extends OpenSSLTracedAlgorithm, SigningAlgorithm {
+    OpenSSLSignatureTracedAlgorithm() { knownTracedAlgorithm(this, getSignatureType()) }
+  }
+
+  class OpenSSLSignatureFunctionAlgorithm extends OpenSSLFunctionAlgorithm, SigningAlgorithm {
+    OpenSSLSignatureFunctionAlgorithm() { functionAlgorithm(this, getSignatureType()) }
+  }
+
+  class OpenSSLSignatureTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm,
+    SigningAlgorithm
+  {
+    OpenSSLSignatureTracedUnknownLiteralAlgorithm() {
+      unknownTracedLiteralAlgorithm(this, getSignatureType())
+    }
+  }
+
+  class OpenSSLSignatureUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm,
+    SigningAlgorithm
+  {
+    OpenSSLSignatureUnknownNonLiteralTracedAlgorithm() {
+      unknownTracedNonLiteralAlgorithm(this, getSignatureType())
+    }
+  }
+}
+
+module KeyExchange {
+  class OpenSSLKeyExchangeTracedAlgorithm extends OpenSSLTracedAlgorithm, KeyExchangeAlgorithm {
+    OpenSSLKeyExchangeTracedAlgorithm() { knownTracedAlgorithm(this, getKeyExchangeType()) }
+  }
+
+  class OpenSSLKeyExchangeFunctionAlgorithm extends OpenSSLFunctionAlgorithm, KeyExchangeAlgorithm {
+    OpenSSLKeyExchangeFunctionAlgorithm() { functionAlgorithm(this, getKeyExchangeType()) }
+  }
+
+  class OpenSSLKeyExchangeTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm,
+    KeyExchangeAlgorithm
+  {
+    OpenSSLKeyExchangeTracedUnknownLiteralAlgorithm() {
+      unknownTracedLiteralAlgorithm(this, getKeyExchangeType())
+    }
+  }
+
+  class OpenSSLKeyExchangeUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm,
+    KeyExchangeAlgorithm
+  {
+    OpenSSLKeyExchangeUnknownNonLiteralTracedAlgorithm() {
+      unknownTracedNonLiteralAlgorithm(this, getKeyExchangeType())
+    }
+  }
+}
+
+module KeyGeneration {
+  /**
+   * Functions that explicitly set key generation parameters.
+   * `sizeInd` is the parameter specifying the size of the key.
+   * `outInd` is the parameter or return value that the key is written to.
+   * `outInd` is -1 if the key is written to the return value.
+   */
+  predicate isAsymmetricKeyGenExplicitAlgorithm(Function func, int sizeInd, int outInd) {
+    isPossibleOpenSSLFunction(func) and
+    exists(string name | func.hasGlobalName(name) |
+      name in [
+          "EVP_PKEY_CTX_set_dsa_paramgen_bits", "DSA_generate_parameters_ex",
+          "EVP_PKEY_CTX_set_rsa_keygen_bits", "RSA_generate_key_ex", "RSA_generate_key_fips",
+          "EVP_PKEY_CTX_set_dh_paramgen_prime_len", "DH_generate_parameters_ex"
+        ] and
+      sizeInd = 1 and
+      outInd = 0
+      or
+      name in ["DSA_generate_parameters", "RSA_generate_key", "DH_generate_parameters"] and
+      sizeInd = 0 and
+      outInd = -1
+    ) and
+    exists(Type t |
+      (
+        if sizeInd = -1
+        then t = func.getType().getUnderlyingType()
+        else t = func.getParameter(sizeInd).getUnderlyingType()
+      ) and
+      t instanceof IntegralType and
+      not t instanceof CharType
+    )
+  }
+
+  module AsymExplicitAlgKeyLengthFlowConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node node) {
+      // Optimizations to avoid tracing all integers
+      node.asExpr().(Literal).getValue().toInt() > 0 and // exclude sentinel values
+      node.asExpr().(Literal).getValue().toInt() < 8500
+    }
+
+    predicate isSink(DataFlow::Node node) {
+      exists(FunctionCall c, int sizeInd |
+        isAsymmetricKeyGenExplicitAlgorithm(c.getTarget(), sizeInd, _) and
+        c.getArgument(sizeInd) = node.asExpr()
+      )
+    }
+  }
+
+  module AsymExplicitAlgKeyLengthFlow = DataFlow::Global<AsymExplicitAlgKeyLengthFlowConfig>;
+
+  class OpenSSLAsymmetricKeyGenTiedToAlgorithm extends AsymmetricKeyGeneration {
+    OpenSSLAsymmetricKeyGenTiedToAlgorithm() {
+      exists(Call c |
+        this = c and
+        isPossibleOpenSSLFunction(c.getTarget()) and
+        isAsymmetricKeyGenExplicitAlgorithm(c.getTarget(), _, _)
+      )
+    }
+
+    override CryptographicAlgorithm getAlgorithm() { result = this }
+
+    override Expr getKeyConfigurationSource(CryptographicAlgorithm alg) {
+      alg = this and
+      exists(int sizeInd |
+        isAsymmetricKeyGenExplicitAlgorithm(this.getTarget(), sizeInd, _) and
+        AsymExplicitAlgKeyLengthFlow::flow(DataFlow::exprNode(result),
+          DataFlow::exprNode(this.getArgument(sizeInd)))
+      )
+    }
+  }
+
+  module Length_to_RSA_EVP_PKEY_Q_keygen_Config implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node node) {
+      // Optimizations to avoid tracing all integers
+      node.asExpr().(Literal).getValue().toInt() > 0 and // exclude sentinel values
+      node.asExpr().(Literal).getValue().toInt() < 5000
+    }
+
+    predicate isSink(DataFlow::Node node) {
+      exists(FunctionCall c |
+        c.getTarget().getName() = "EVP_PKEY_Q_keygen" and
+        isPossibleOpenSSLFunction(c.getTarget()) and
+        c.getArgument(3) = node.asExpr()
+      )
+    }
+  }
+
+  module Length_to_RSA_EVP_PKEY_Q_keygen_Flow =
+    DataFlow::Global<Length_to_RSA_EVP_PKEY_Q_keygen_Config>;
+
+  class OpenSSL_RSA_EVP_PKEY_Q_keygen extends AsymmetricKeyGeneration {
+    OpenSSL_RSA_EVP_PKEY_Q_keygen() {
+      exists(Call c |
+        this = c and
+        isPossibleOpenSSLFunction(c.getTarget()) and
+        this.getTarget().getName() = "EVP_PKEY_Q_keygen" and
+        this.getArgument(3).getUnderlyingType() instanceof IntegralType
+      )
+    }
+
+    override CryptographicAlgorithm getAlgorithm() {
+      result.configurationSink().(AlgorithmSinkArgument).getSinkCall() = this
+    }
+
+    override Expr getKeyConfigurationSource(CryptographicAlgorithm alg) {
+      alg = this.getAlgorithm() and
+      Length_to_RSA_EVP_PKEY_Q_keygen_Flow::flow(DataFlow::exprNode(result),
+        DataFlow::exprNode(this.getArgument(3)))
+    }
+  }
+
+  predicate isKeyGenOperationWithNoSize(Function func) {
+    isPossibleOpenSSLFunction(func) and
+    exists(string name | func.hasGlobalName(name) |
+      name in ["EVP_PKEY_keygen", "DSA_generate_key", "DH_generate_key", "EVP_PKEY_generate"]
+    )
+  }
+
+  module KeyGenKeySizeInitToKeyGenConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node node) {
+      exists(Call c, Function func, int outInd |
+        isAsymmetricKeyGenExplicitAlgorithm(func, _, outInd) and
+        c.getTarget() = func
+      |
+        if outInd = -1 then node.asExpr() = c else node.asExpr() = c.getArgument(outInd)
+      )
+    }
+
+    predicate isSink(DataFlow::Node node) {
+      exists(Call c |
+        isKeyGenOperationWithNoSize(c.getTarget()) and c.getAnArgument() = node.asExpr()
+      )
+    }
+  }
+
+  module KeyGenKeySizeInitToKeyGenFlow = DataFlow::Global<KeyGenKeySizeInitToKeyGenConfig>;
+
+  predicate isEVP_PKEY_CTX_Source(DataFlow::Node node, CryptographicAlgorithm alg) {
+    exists(Call c |
+      alg.configurationSink().(AlgorithmSinkArgument).getSinkCall() = c and
+      (
+        node.asExpr() = c
+        or
+        node.asExpr() = c.getAnArgument()
+        or
+        node.asDefiningArgument() = c.getAnArgument()
+      )
+    ) and
+    (
+      node.asExpr() instanceof Known_EVP_PKEY_CTX_Ptr_Source
+      or
+      node.asDefiningArgument() instanceof Known_EVP_PKEY_CTX_Ptr_Source
+    )
+  }
+
+  predicate isKeyGen_EVP_PKEY_CTX_Sink(DataFlow::Node node, Call c) {
+    isKeyGenOperationWithNoSize(c.getTarget()) and nodeToExpr(node, c.getAnArgument())
+  }
+
+  /**
+   * Trace from EVP_PKEY_CTX* at algorithm sink to keygen,
+   * users can then extrapolatae the matching algorithm from the alg sink to the keygen
+   */
+  module EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) { isEVP_PKEY_CTX_Source(source, _) }
+
+    predicate isSink(DataFlow::Node sink) { isKeyGen_EVP_PKEY_CTX_Sink(sink, _) }
+  }
+
+  module EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize_Flow =
+    DataFlow::Global<EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize>;
+
+  /**
+   * UNKNOWN key sizes to general purpose key generation functions (i.e., that take in no key size and assume
+   * is it set on context prior to the call). No path from a key configuration to these operations
+   * means the key size is UNKNOWN, or more precisely the key size is DEFAULT but
+   * the defaults can change with each version of OpenSSL, we simply assume the size is generally UNKNOWN.
+   * ASSUMPTION/TODO: we currently model all known locations where a key size is set explicitly.
+   *                 When a key is set implicitly, this usually means a key generation operation
+   *                 is called where the operation takes in no key size, and no flow to this operation
+   *                 initializes the context with a key size.
+   *                 Currently, without a definitive source (set of sources) to start tracing from, we cannot determine
+   *                 determine if a single path exists that initializes the context with a key size and another that doesn't.
+   *                 Rather than attempt to model all possible sources, we assume that if no path
+   *                 from a key config location reaches a generic key generation operation, then the key size is not set.
+   *                 NOTE: while this is true, it is possible a key size is set in one path, but not in another
+   *                 meaning this approach (and other similar approaches used in this model for UNKNOWN)
+   *                 can produce false negatives.
+   */
+  class OpenSSLDefaultKeyGeneration extends AsymmetricKeyGeneration {
+    OpenSSLDefaultKeyGeneration() {
+      // this is a call to a function matching isKeyGenOperationWithNoSize
+      // and there is no flow from a key configuration source to this call
+      exists(Call c |
+        this = c and
+        isKeyGenOperationWithNoSize(this.getTarget()) and
+        not exists(DataFlow::Node src, DataFlow::Node sink |
+          KeyGenKeySizeInitToKeyGenFlow::flow(src, sink) and
+          nodeToExpr(sink, this.getAnArgument())
+        )
+      )
+    }
+
+    override CryptographicAlgorithm getAlgorithm() {
+      if this.getTarget().getName() in ["DSA_generate_key", "DH_generate_key"]
+      then result = this
+      else
+        // NOTE/ASSUMPTION: EVP_PKEY_keygen, EVP_PKEY_generate assume only other possibilities,
+        //        each take in a CTX as the first arg, need to trace from an alg sink from this CTX param
+        // get every alg sink, get the corresponding call, trace out on any CTX type variable
+        // to the key gen
+        // NOTE: looking for any cryptographic algorithm tracing to the keygen to handle
+        //  any odd cases we aren't awaare of where keygen can be used for other algorithm types
+        exists(DataFlow::Node src, DataFlow::Node sink |
+          EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize_Flow::flow(src, sink) and
+          isEVP_PKEY_CTX_Source(src, result) and
+          isKeyGen_EVP_PKEY_CTX_Sink(sink, this)
+          // TODO: what if there is no CTX source? then the keygen becomes an UNKNOWN sink
+        )
+    }
+
+    /**
+     * For this class, there is no known configuration source for any algorithm
+     */
+    override Expr getKeyConfigurationSource(CryptographicAlgorithm alg) { none() }
+  }
+}

cpp/ql/lib/experimental/cryptography/utils/OpenSSL/AlgorithmSink.qll

@@ -0,0 +1,296 @@
+/**
+ * Predicates/classes for identifying algorithm sinks.
+ * An Algorithm Sink is a function that takes an algorithm as an argument.
+ * In particular, any function that takes in an algorithm that until the call
+ * the algorithm is not definitely known to be an algorithm (e.g., an integer used as an identifier to fetch an algorithm)
+ */
+
+//TODO: enforce a hierarchy of AlgorithmSinkArgument, e.g., so I can get all Asymmetric SinkArguments that includes all the strictly RSA etc.
+import cpp
+import experimental.cryptography.utils.OpenSSL.LibraryFunction
+import experimental.cryptography.CryptoAlgorithmNames
+
+predicate isAlgorithmSink(AlgorithmSinkArgument arg, string algType) { arg.algType() = algType }
+
+abstract class AlgorithmSinkArgument extends Expr {
+  AlgorithmSinkArgument() {
+    exists(Call c | c.getAnArgument() = this and openSSLLibraryFunc(c.getTarget()))
+  }
+
+  /**
+   * Gets the function call in which the argument exists
+   */
+  Call getSinkCall() { result.getAnArgument() = this }
+
+  abstract string algType();
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EVP_CIPHER_fetch.html
+predicate cipherAlgorithmSink(string funcName, int argInd) {
+  funcName in ["EVP_get_cipherbyname", "EVP_get_cipherbynid", "EVP_get_cipherbyobj"] and argInd = 0
+  or
+  funcName = "EVP_CIPHER_fetch" and argInd = 1
+}
+
+class CipherAlgorithmSink extends AlgorithmSinkArgument {
+  CipherAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      cipherAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = getSymmetricEncryptionType() }
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EVP_MAC_fetch
+predicate macAlgorithmSink(string funcName, int argInd) {
+  (funcName = "EVP_MAC_fetch" and argInd = 1)
+}
+
+class MACAlgorithmSink extends AlgorithmSinkArgument {
+  MACAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      macAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = "TBD" }
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EVP_MD_fetch
+predicate messageDigestAlgorithmSink(string funcName, int argInd) {
+  funcName in ["EVP_get_digestbyname", "EVP_get_digestbynid", "EVP_get_digestbyobj"] and argInd = 0
+  or
+  funcName = "EVP_MD_fetch" and argInd = 1
+}
+
+class MessageDigestAlgorithmSink extends AlgorithmSinkArgument {
+  MessageDigestAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      messageDigestAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = getHashType() }
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EVP_KEYEXCH_fetch
+// https://www.openssl.org/docs/manmaster/man3/EVP_KEM_fetch
+predicate keyExchangeAlgorithmSink(string funcName, int argInd) {
+  funcName = "EVP_KEYEXCH_fetch" and argInd = 1
+  or
+  funcName = "EVP_KEM_fetch" and argInd = 1
+}
+
+class KeyExchangeAlgorithmSink extends AlgorithmSinkArgument {
+  KeyExchangeAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      keyExchangeAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = getKeyExchangeType() }
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EVP_KEYMGMT_fetch
+predicate keyManagementAlgorithmSink(string funcName, int argInd) {
+  funcName = "EVP_KEYMGMT_fetch" and argInd = 1
+}
+
+class KeyManagementAlgorithmSink extends AlgorithmSinkArgument {
+  KeyManagementAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      keyManagementAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = "TBD" }
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EVP_KDF
+predicate keyDerivationAlgorithmSink(string funcName, int argInd) {
+  funcName = "EVP_KDF_fetch" and argInd = 1
+}
+
+class KeyDerivationAlgorithmSink extends AlgorithmSinkArgument {
+  KeyDerivationAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      keyDerivationAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = getKeyDerivationType() }
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EVP_ASYM_CIPHER_fetch
+// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_new_id
+// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_new_CMAC_key.html
+predicate asymmetricCipherAlgorithmSink(string funcName, int argInd) {
+  funcName = "EVP_ASYM_CIPHER_fetch" and argInd = 1
+  or
+  funcName = "EVP_PKEY_new_CMAC_key" and argInd = 3
+  // NOTE: other cases are handled by AsymmetricAlgorithmSink
+}
+
+class AsymmetricCipherAlgorithmSink extends AlgorithmSinkArgument {
+  AsymmetricCipherAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      asymmetricCipherAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = "ASYMMETRIC_ENCRYPTION" }
+}
+
+class AsymmetricCipherAlgorithmSink_EVP_PKEY_Q_keygen extends AlgorithmSinkArgument {
+  AsymmetricCipherAlgorithmSink_EVP_PKEY_Q_keygen() {
+    exists(Call c, string funcName |
+      funcName = c.getTarget().getName() and
+      this = c.getArgument(3)
+    |
+      funcName = "EVP_PKEY_Q_keygen" and
+      c.getArgument(3).getType().getUnderlyingType() instanceof IntegralType
+    )
+  }
+
+  override string algType() { result = "ASYMMETRIC_ENCRYPTION" }
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EVP_RAND_fetch
+predicate randomAlgorithmSink(string funcName, int argInd) {
+  funcName = "EVP_RAND_fetch" and argInd = 1
+}
+
+class RandomAlgorithmSink extends AlgorithmSinkArgument {
+  RandomAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      randomAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = "TBD" }
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EVP_SIGNATURE_fetch
+predicate signatureAlgorithmSink(string funcName, int argInd) {
+  funcName = "EVP_SIGNATURE_fetch" and argInd = 1
+}
+
+class SignatureAlgorithmSink extends AlgorithmSinkArgument {
+  SignatureAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      signatureAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = getSignatureType() }
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EC_KEY_new_by_curve_name.html
+// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_set_ec_paramgen_curve_nid.html
+predicate ellipticCurveAlgorithmSink(string funcName, int argInd) {
+  funcName in ["EC_KEY_new_by_curve_name", "EVP_EC_gen"] and argInd = 0
+  or
+  funcName = "EC_KEY_new_by_curve_name_ex" and argInd = 2
+  or
+  funcName in ["EVP_PKEY_CTX_set_ec_paramgen_curve_nid"] and argInd = 1
+}
+
+class EllipticCurveAlgorithmSink extends AlgorithmSinkArgument {
+  EllipticCurveAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      ellipticCurveAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = getEllipticCurveType() }
+}
+
+/**
+ * Special cased to address the fact that arg index 3 (zero offset based) is the curve name.
+ * ASSUMPTION: if the arg ind 3 is a char* assume it is an elliptic curve
+ */
+class EllipticCurveAlgorithmSink_EVP_PKEY_Q_keygen extends AlgorithmSinkArgument {
+  EllipticCurveAlgorithmSink_EVP_PKEY_Q_keygen() {
+    exists(Call c, string funcName |
+      funcName = c.getTarget().getName() and
+      this = c.getArgument(3)
+    |
+      funcName = "EVP_PKEY_Q_keygen" and
+      c.getArgument(3).getType().getUnderlyingType() instanceof PointerType and
+      c.getArgument(3).getType().getUnderlyingType().stripType() instanceof CharType
+    )
+  }
+
+  override string algType() { result = getEllipticCurveType() }
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_new_id.html
+// https://www.openssl.org/docs/man1.1.1/man3/EVP_PKEY_new_raw_private_key.html
+// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_new.html
+// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_ctrl.html
+// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_Q_keygen.html
+// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_ctrl.html
+predicate asymmetricAlgorithmSink(string funcName, int argInd) {
+  funcName = "EVP_PKEY_CTX_new_id" and argInd = 0
+  or
+  funcName = "EVP_PKEY_CTX_new_from_name" and argInd = 1
+  or
+  funcName in [
+      "EVP_PKEY_new_raw_private_key", "EVP_PKEY_new_raw_public_key", "EVP_PKEY_new_mac_key"
+    ] and
+  argInd = 0
+  or
+  funcName in ["EVP_PKEY_new_raw_private_key_ex", "EVP_PKEY_new_raw_public_key_ex"] and argInd = 1
+  or
+  // special casing this as arg index 3 must be specified depending on if RSA or ECC, and otherwise not specified for other algs
+  // funcName = "EVP_PKEY_Q_keygen" and argInd = 2
+  funcName in ["EVP_PKEY_CTX_ctrl", "EVP_PKEY_CTX_set_group_name"] and argInd = 1
+  // TODO consider void cases EVP_PKEY_new
+}
+
+class AsymmetricAlgorithmSink extends AlgorithmSinkArgument {
+  AsymmetricAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      asymmetricAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = getAsymmetricType() }
+}
+
+class AsymmetricAlgorithmSink_EVP_PKEY_Q_keygen extends AlgorithmSinkArgument {
+  AsymmetricAlgorithmSink_EVP_PKEY_Q_keygen() {
+    exists(Call c, string funcName |
+      funcName = c.getTarget().getName() and
+      this = c.getArgument(2)
+    |
+      funcName = "EVP_PKEY_Q_keygen" and
+      not exists(c.getArgument(3))
+    )
+  }
+
+  override string algType() { result = getAsymmetricType() }
+}

cpp/ql/lib/experimental/cryptography/utils/OpenSSL/CryptoFunction.qll

@@ -0,0 +1,121 @@
+import cpp
+import experimental.cryptography.utils.OpenSSL.LibraryFunction
+import experimental.cryptography.CryptoAlgorithmNames
+
+predicate inferredOpenSSLCryptoFunctionCall(Call c, string normalized, string algType) {
+  inferredOpenSSLCryptoFunction(c.getTarget(), normalized, algType)
+}
+
+predicate inferredOpenSSLCryptoFunction(Function f, string normalized, string algType) {
+  isPossibleOpenSSLFunction(f) and
+  normalizeFunctionName(f, algType) = normalized
+}
+
+predicate isOpenSSLCryptoFunction(Function f, string normalized, string algType) {
+  // NOTE: relying on inference as there are thousands of functions for crypto
+  //       enumerating them all and maintaining the list seems problematic.
+  //       For now, we will rely on dynamically inferring algorithms for function names.
+  //       This has been seen to be reasonably efficient and accurate.
+  inferredOpenSSLCryptoFunction(f, normalized, algType)
+}
+
+predicate isOpenSSLCryptoFunctionCall(Call c, string normalized, string algType) {
+  isOpenSSLCryptoFunction(c.getTarget(), normalized, algType)
+}
+
+private string basicNormalizeFunctionName(Function f, string algType) {
+  isPossibleOpenSSLFunction(f) and
+  isKnownAlgorithm(result, algType) and
+  exists(string normStr | normStr = f.getName().toUpperCase().regexpReplaceAll("[-_ ]|/", "") |
+    normStr.matches("%" + result + "%")
+  )
+}
+
+/**
+ * Converts a raw OpenSSL algorithm to a normalized algorithm name.
+ *
+ * If more than one match occurs for a given algorithm type, normalize attempts to find the "max"
+ * string (max in terms of string length) e.g., matching AES128 to AES128 and not simply AES.
+ *
+ * An unknown algorithm is only identified if there exists no known algorithm found for any algorithm type.
+ *
+ * `f` is the function name to normalize.
+ * `algType` is a string representing the classification of the algorithm (see `CryptoAlgorithmNames`)
+ */
+private string privateNormalizeFunctionName(Function f, string algType) {
+  isPossibleOpenSSLFunction(f) and
+  result = basicNormalizeFunctionName(f, algType) and
+  not exists(string res2 |
+    result != res2 and
+    res2 = basicNormalizeFunctionName(f, algType) and
+    res2.length() > result.length()
+  )
+}
+
+/**
+ * Normalizes a function name to a known algorithm name, similar to `normalizeName`.
+ * A function is not, however, allowed to be UNKNOWN. The function either
+ * normalizes to a known algorithm name, or the predicate does not hold (no result).
+ *
+ * The predicate attempts to restrict normalization to what looks like an openssl
+ * library by looking for functions only in an openssl path (see `isPossibleOpenSSLFunction`).
+ * This may give false postive functions if a directory erronously appears to be openssl;
+ * however, we take the stance that if a function
+ * exists strongly mapping to a known function name in a directory such as these,
+ * regardless of whether its actually a part of openSSL or not, we will analyze it as though it were.
+ */
+private string normalizeFunctionName(Function f, string algType) {
+  algType != "UNKNOWN" and
+  isPossibleOpenSSLFunction(f) and
+  result = privateNormalizeFunctionName(f, algType) and
+  // Addressing false positives
+  // For algorithm names less than or equal to 4, we must see the algorithm name
+  // in the original function as upper case (it can't be split between tokens)
+  // One exception found is DES_xcbc_encrypt, this is DESX
+  (
+    (result.length() <= 4 and result != "DESX")
+    implies
+    f.getName().toUpperCase().matches("%" + result + "%")
+  ) and
+  (
+    (result.length() <= 4 and result = "DESX")
+    implies
+    (f.getName().toUpperCase().matches("%DESX%") or f.getName().toUpperCase().matches("%DES_X%"))
+  ) and
+  // (result.length() <= 3 implies (not f.getName().toUpperCase().regexpMatch(".*" + result + "[a-zA-Z0-9].*|.*[a-zA-Z0-9]" + result + ".*")))
+  // and
+  // DES specific false positives
+  (
+    result.matches("DES")
+    implies
+    not f.getName().toUpperCase().regexpMatch(".*DES[a-zA-Z0-9].*|.*[a-zA-Z0-9]DES.*")
+  ) and
+  // ((result.matches("%DES%")) implies not exists(string s | s in ["DESCRIBE", "DESTROY", "DESCRIPTION", "DESCRIPTOR", "NODES"] |
+  //     f.getName().toUpperCase().matches("%" + s + "%"))) and
+  // SEED specific false positives
+  (
+    result.matches("SEED")
+    implies
+    not exists(string s |
+      s in [
+          "SEED_SRC_GENERATE", "RAND", "NEW_SEED", "GEN_SEED", "SEED_GEN", "SET_SEED", "GET_SEED",
+          "GET0_SEED", "RESEED", "SEEDING"
+        ]
+    |
+      f.getName().toUpperCase().matches("%" + s + "%")
+    )
+  ) and
+  // ARIA specific false positives
+  (result.matches("ARIA") implies not f.getName().toUpperCase().matches("%VARIANT%")) and
+  // CTR false positives
+  (result.matches("CTR") implies not f.getName().toUpperCase().matches("%CTRL%")) and
+  // ES false positives (e.g., ES256 from AES256)
+  (result.matches("ES%") implies not f.getName().toUpperCase().matches("%AES%")) and
+  // RSA false positives
+  (result.matches("RSA") implies not f.getName().toUpperCase().matches("%UNIVERSAL%")) and
+  //rsaz functions deemed to be too low level, and can be ignored
+  not f.getLocation().getFile().getBaseName().matches("rsaz_exp.c") and
+  // General False positives
+  // Functions that 'get' do not set an algorithm, and therefore are considered ignorable
+  not f.getName().toLowerCase().matches("%get%")
+}

cpp/ql/lib/experimental/cryptography/utils/OpenSSL/DataBuilders.qll

@@ -0,0 +1,153 @@
+/**
+ * This file contains predicates create to build up initial data sets for OpenSSL
+ * predicates. E.g., These predicates were used to assist in associating all
+ * openSSL functions with their known crypto algorithms.
+ */
+
+import cpp
+import experimental.cryptography.CryptoAlgorithmNames
+import experimental.cryptography.utils.OpenSSL.CryptoFunction
+
+private string basicNormalizeFunctionName(Function f, string algType) {
+  isKnownAlgorithm(result, algType) and
+  exists(string normStr | normStr = f.getName().toUpperCase().regexpReplaceAll("[-_ ]|/", "") |
+    normStr.matches("%" + result + "%")
+  )
+}
+
+/**
+ * Converts a raw OpenSSL algorithm to a normalized algorithm name.
+ *
+ * If more than one match occurs for a given algorithm type, normalize attempts to find the "max"
+ * string (max in terms of string length) e.g., matching AES128 to AES128 and not simply AES.
+ *
+ * An unknown algorithm is only identified if there exists no known algorithm found for any algorithm type.
+ *
+ * `f` is the function name to normalize.
+ * `algType` is a string representing the classification of the algorithm (see `CryptoAlgorithmNames`)
+ */
+private string privateNormalizeFunctionName(Function f, string algType) {
+  result = basicNormalizeFunctionName(f, algType) and
+  not exists(string res2 |
+    result != res2 and
+    res2 = basicNormalizeFunctionName(f, algType) and
+    res2.length() > result.length()
+  ) and
+  // Addressing bad normalization case-by-case
+  // CASE: ES256 being identified when the algorithm is AES256
+  (
+    result.matches("ES256")
+    implies
+    not exists(string res2 | res2 = basicNormalizeFunctionName(f, _) and res2.matches("AES%"))
+  )
+}
+
+/**
+ * Normalizes a function name to a known algorithm name, similar to `normalizeName`.
+ * A function is not, however, allowed to be UNKNOWN. The function either
+ * normalizes to a known algorithm name, or the predicate does not hold (no result).
+ *
+ * The predicate attempts to restrict normalization to what looks like an openssl
+ * library by looking for functions only in an openssl path (see `isPossibleOpenSSLFunction`).
+ * This may give false postive functions if a directory erronously appears to be openssl;
+ * however, we take the stance that if a function
+ * exists strongly mapping to a known function name in a directory such as these,
+ * regardless of whether its actually a part of openSSL or not, we will analyze it as though it were.
+ */
+string normalizeFunctionName(Function f, string algType) {
+  algType != "UNKNOWN" and
+  result = privateNormalizeFunctionName(f, algType) and
+  openSSLLibraryFunc(f) and
+  // Addressing false positives
+  // For algorithm names less than or equal to 4, we must see the algorithm name
+  // in the original function as upper case (it can't be split between tokens)
+  // One exception found is DES_xcbc_encrypt, this is DESX
+  (
+    (result.length() <= 4 and result != "DESX")
+    implies
+    f.getName().toUpperCase().matches("%" + result + "%")
+  ) and
+  (
+    (result.length() <= 4 and result = "DESX")
+    implies
+    (f.getName().toUpperCase().matches("%DESX%") or f.getName().toUpperCase().matches("%DES_X%"))
+  ) and
+  // (result.length() <= 3 implies (not f.getName().toUpperCase().regexpMatch(".*" + result + "[a-zA-Z0-9].*|.*[a-zA-Z0-9]" + result + ".*")))
+  // and
+  // DES specific false positives
+  (
+    result.matches("DES")
+    implies
+    not f.getName().toUpperCase().regexpMatch(".*DES[a-zA-Z0-9].*|.*[a-zA-Z0-9]DES.*")
+  ) and
+  // ((result.matches("%DES%")) implies not exists(string s | s in ["DESCRIBE", "DESTROY", "DESCRIPTION", "DESCRIPTOR", "NODES"] |
+  //     f.getName().toUpperCase().matches("%" + s + "%"))) and
+  // SEED specific false positives
+  (
+    result.matches("%SEED%")
+    implies
+    not not exists(string s |
+      s in ["NEW_SEED", "GEN_SEED", "SET_SEED", "GET_SEED", "GET0_SEED", "RESEED", "SEEDING"]
+    |
+      f.getName().toUpperCase().matches("%" + s + "%")
+    )
+  ) and
+  // ARIA specific false positives
+  (result.matches("%ARIA%") implies not f.getName().toUpperCase().matches("%VARIANT%"))
+}
+
+/**
+ * Predicate to support name normalization.
+ * Converts the raw name upper-case with no hyphen, slash, underscore, hash, or space.
+ * Looks for substrings that are known algorithms, and normalizes the name.
+ * If the algorithm cannot be determined or is in the ignorable list (`isIgnorableOpenSSLAlgorithm`)
+ * this predicate will not resolve a name.
+ *
+ * Rationale for private: For normalization, we want to get the longest string for a normalized name match
+ *       for a given algorithm type. I found this easier to express if the public normalizeName
+ *       checks that the name is the longest, and that UNKNOWN is reserved if there exists no
+ *       result from this predicate that is known.
+ */
+bindingset[name]
+string privateNormalizeName(string name, string algType) {
+  //not isIgnorableOpenSSLAlgorithm(name, _, _) and
+  // targetOpenSSLAlgorithm(name, _) and
+  isKnownAlgorithm(result, algType) and
+  exists(string normStr | normStr = name.toUpperCase().regexpReplaceAll("[-_ ]|/", "") |
+    normStr.matches("%" + result + "%")
+  )
+}
+
+/**
+ * Converts a raw OpenSSL algorithm to a normalized algorithm name.
+ *
+ * If more than one match occurs for a given algorithm type, normalize attempts to find the "max"
+ * string (max in terms of string length) e.g., matching AES128 to AES128 and not simply AES.
+ *
+ * An unknown algorithm is only identified if there exists no known algorithm found for any algorithm type.
+ *
+ * `name` is the name to normalize.
+ * `algType` is a string representing the classification of the algorithm (see `CryptoAlgorithmNames`)
+ */
+bindingset[name]
+string normalizeName(string name, string algType) {
+  (
+    if exists(privateNormalizeName(name, _))
+    then result = privateNormalizeName(name, algType)
+    else (
+      result = unknownAlgorithm() and algType = "UNKNOWN"
+    )
+  ) and
+  not exists(string res2 |
+    result != res2 and
+    res2 = privateNormalizeName(name, algType) and
+    res2.length() > result.length()
+  ) and
+  // Addressing bad normalization case-by-case
+  // CASE: ES256 being identified when the algorithm is AES256
+  (
+    result.matches("ES256")
+    implies
+    not exists(string res2 | res2 = privateNormalizeName(name, _) and res2.matches("AES%"))
+  )
+}

cpp/ql/lib/experimental/cryptography/utils/OpenSSL/PassthroughFunction.qll

@@ -0,0 +1,59 @@
+import cpp
+import experimental.cryptography.utils.OpenSSL.LibraryFunction
+import semmle.code.cpp.ir.dataflow.DataFlow
+
+// TODO: possible use of extensible predicates here
+// NOTE: -1 for outInd represents the return value
+predicate knownPassthroughFunction(Function f, int inInd, int outInd) {
+  // Trace through functions
+  // See https://www.openssl.org/docs/man1.1.1/man3/OBJ_obj2txt
+  //     https://www.openssl.org/docs/man3.0/man3/EVP_CIPHER_get0_name
+  openSSLLibraryFunc(f) and
+  (
+    f.getName() in [
+        "OBJ_nid2obj", "OBJ_nid2ln", "OBJ_nid2sn", "OBJ_obj2nid", "OBJ_ln2nid", "OBJ_sn2nid",
+        "OBJ_txt2nid", "OBJ_txt2obj", "OBJ_dup", "EVP_CIPHER_get0_name"
+      ] and
+    inInd = 0 and
+    outInd = -1
+    or
+    f.getName() in ["OBJ_obj2txt", "i2t_ASN1_OBJECT"] and
+    inInd = 2 and
+    outInd = 0
+    or
+    // Dup/copy pattern occurs in more places,
+    //see: https://www.openssl.org/docs/manmaster/man3/EC_KEY_copy.html and https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_dup.html
+    f.getName().matches("%_dup") and inInd = 0 and outInd = -1
+    or
+    f.getName().matches("%_copy") and inInd = 0 and outInd = -1
+  )
+}
+
+/**
+ * `c` is a call to a function that preserves the algorithm but changes its form.
+ * `onExpr` is the input argument passing through to, `outExpr` is the next expression in a dataflow step associated with `c`
+ */
+predicate knownPassthoughCall(Call c, Expr inExpr, Expr outExpr) {
+  exists(int inInd, int outInd |
+    knownPassthroughFunction(c.getTarget(), inInd, outInd) and
+    inExpr = c.getArgument(inInd) and
+    if outInd = -1 then outExpr = c else outExpr = c.getArgument(outInd)
+  )
+}
+
+/*
+ * Explicitly add flow through openssl functions that preserve the algorithm but alter the form (e.g., from NID to string)
+ */
+
+predicate knownPassThroughStep(DataFlow::Node node1, DataFlow::Node node2) {
+  exists(Expr cur, Expr next |
+    (cur = node1.asExpr() or cur = node1.asIndirectArgument()) and
+    (
+      next = node2.asExpr() or
+      next = node2.asIndirectArgument() or
+      next = node2.asDefiningArgument()
+    )
+  |
+    exists(Call c | knownPassthoughCall(c, cur, next))
+  )
+}

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.9.1
+version: 0.10.0-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/File.qll

@@ -5,155 +5,35 @@
 import semmle.code.cpp.Element
 import semmle.code.cpp.Declaration
 import semmle.code.cpp.metrics.MetricFile
+private import codeql.util.FileSystem
+
+private module Input implements InputSig {
+  abstract class ContainerBase extends @container {
+    abstract string getAbsolutePath();
+
+    ContainerBase getParentContainer() {
+      containerparent(unresolveElement(result), underlyingElement(this))
+    }
+
+    string toString() { result = this.getAbsolutePath() }
+  }
+
+  class FolderBase extends ContainerBase, @folder {
+    override string getAbsolutePath() { folders(underlyingElement(this), result) }
+  }
+
+  class FileBase extends ContainerBase, @file {
+    override string getAbsolutePath() { files(underlyingElement(this), result) }
+  }
+
+  predicate hasSourceLocationPrefix = sourceLocationPrefix/1;
+}
+
+private module Impl = Make<Input>;
 
 /** A file or folder. */
-class Container extends Locatable, @container {
-  /**
-   * Gets the absolute, canonical path of this container, using forward slashes
-   * as path separator.
-   *
-   * The path starts with a _root prefix_ followed by zero or more _path
-   * segments_ separated by forward slashes.
-   *
-   * The root prefix is of one of the following forms:
-   *
-   *   1. A single forward slash `/` (Unix-style)
-   *   2. An upper-case drive letter followed by a colon and a forward slash,
-   *      such as `C:/` (Windows-style)
-   *   3. Two forward slashes, a computer name, and then another forward slash,
-   *      such as `//FileServer/` (UNC-style)
-   *
-   * Path segments are never empty (that is, absolute paths never contain two
-   * contiguous slashes, except as part of a UNC-style root prefix). Also, path
-   * segments never contain forward slashes, and no path segment is of the
-   * form `.` (one dot) or `..` (two dots).
-   *
-   * Note that an absolute path never ends with a forward slash, except if it is
-   * a bare root prefix, that is, the path has no path segments. A container
-   * whose absolute path has no segments is always a `Folder`, not a `File`.
-   */
-  string getAbsolutePath() { none() } // overridden by subclasses
-
-  /**
-   * Gets the relative path of this file or folder from the root folder of the
-   * analyzed source location. The relative path of the root folder itself is
-   * the empty string.
-   *
-   * This has no result if the container is outside the source root, that is,
-   * if the root folder is not a reflexive, transitive parent of this container.
-   */
-  string getRelativePath() {
-    exists(string absPath, string pref |
-      absPath = this.getAbsolutePath() and sourceLocationPrefix(pref)
-    |
-      absPath = pref and result = ""
-      or
-      absPath = pref.regexpReplaceAll("/$", "") + "/" + result and
-      not result.matches("/%")
-    )
-  }
-
-  /**
-   * Gets the base name of this container including extension, that is, the last
-   * segment of its absolute path, or the empty string if it has no segments.
-   *
-   * Here are some examples of absolute paths and the corresponding base names
-   * (surrounded with quotes to avoid ambiguity):
-   *
-   * <table border="1">
-   * <tr><th>Absolute path</th><th>Base name</th></tr>
-   * <tr><td>"/tmp/tst.js"</td><td>"tst.js"</td></tr>
-   * <tr><td>"C:/Program Files (x86)"</td><td>"Program Files (x86)"</td></tr>
-   * <tr><td>"/"</td><td>""</td></tr>
-   * <tr><td>"C:/"</td><td>""</td></tr>
-   * <tr><td>"D:/"</td><td>""</td></tr>
-   * <tr><td>"//FileServer/"</td><td>""</td></tr>
-   * </table>
-   */
-  string getBaseName() {
-    result = this.getAbsolutePath().regexpCapture(".*/(([^/]*?)(?:\\.([^.]*))?)", 1)
-  }
-
-  /**
-   * Gets the extension of this container, that is, the suffix of its base name
-   * after the last dot character, if any.
-   *
-   * In particular,
-   *
-   *  - if the name does not include a dot, there is no extension, so this
-   *    predicate has no result;
-   *  - if the name ends in a dot, the extension is the empty string;
-   *  - if the name contains multiple dots, the extension follows the last dot.
-   *
-   * Here are some examples of absolute paths and the corresponding extensions
-   * (surrounded with quotes to avoid ambiguity):
-   *
-   * <table border="1">
-   * <tr><th>Absolute path</th><th>Extension</th></tr>
-   * <tr><td>"/tmp/tst.js"</td><td>"js"</td></tr>
-   * <tr><td>"/tmp/.classpath"</td><td>"classpath"</td></tr>
-   * <tr><td>"/bin/bash"</td><td>not defined</td></tr>
-   * <tr><td>"/tmp/tst2."</td><td>""</td></tr>
-   * <tr><td>"/tmp/x.tar.gz"</td><td>"gz"</td></tr>
-   * </table>
-   */
-  string getExtension() {
-    result = this.getAbsolutePath().regexpCapture(".*/([^/]*?)(\\.([^.]*))?", 3)
-  }
-
-  /**
-   * Gets the stem of this container, that is, the prefix of its base name up to
-   * (but not including) the last dot character if there is one, or the entire
-   * base name if there is not.
-   *
-   * Here are some examples of absolute paths and the corresponding stems
-   * (surrounded with quotes to avoid ambiguity):
-   *
-   * <table border="1">
-   * <tr><th>Absolute path</th><th>Stem</th></tr>
-   * <tr><td>"/tmp/tst.js"</td><td>"tst"</td></tr>
-   * <tr><td>"/tmp/.classpath"</td><td>""</td></tr>
-   * <tr><td>"/bin/bash"</td><td>"bash"</td></tr>
-   * <tr><td>"/tmp/tst2."</td><td>"tst2"</td></tr>
-   * <tr><td>"/tmp/x.tar.gz"</td><td>"x.tar"</td></tr>
-   * </table>
-   */
-  string getStem() {
-    result = this.getAbsolutePath().regexpCapture(".*/([^/]*?)(?:\\.([^.]*))?", 1)
-  }
-
-  /** Gets the parent container of this file or folder, if any. */
-  Container getParentContainer() {
-    containerparent(unresolveElement(result), underlyingElement(this))
-  }
-
-  /** Gets a file or sub-folder in this container. */
-  Container getAChildContainer() { this = result.getParentContainer() }
-
-  /** Gets a file in this container. */
-  File getAFile() { result = this.getAChildContainer() }
-
-  /** Gets the file in this container that has the given `baseName`, if any. */
-  File getFile(string baseName) {
-    result = this.getAFile() and
-    result.getBaseName() = baseName
-  }
-
-  /** Gets a sub-folder in this container. */
-  Folder getAFolder() { result = this.getAChildContainer() }
-
-  /** Gets the sub-folder in this container that has the given `baseName`, if any. */
-  Folder getFolder(string baseName) {
-    result = this.getAFolder() and
-    result.getBaseName() = baseName
-  }
-
-  /**
-   * Gets a textual representation of the path of this container.
-   *
-   * This is the absolute path of the container.
-   */
-  override string toString() { result = this.getAbsolutePath() }
+class Container extends Locatable, Impl::Container {
+  override string toString() { result = Impl::Container.super.toString() }
 }
 
 /**
@@ -166,9 +46,7 @@ class Container extends Locatable, @container {
  *
  * To get the full path, use `getAbsolutePath`.
  */
-class Folder extends Container, @folder {
-  override string getAbsolutePath() { folders(underlyingElement(this), result) }
-
+class Folder extends Container, Impl::Folder {
   override Location getLocation() {
     result.getContainer() = this and
     result.hasLocationInfo(_, 0, 0, 0, 0)
@@ -189,9 +67,7 @@ class Folder extends Container, @folder {
  * The base name further decomposes into the _stem_ and _extension_ -- see
  * `getStem` and `getExtension`. To get the full path, use `getAbsolutePath`.
  */
-class File extends Container, @file {
-  override string getAbsolutePath() { files(underlyingElement(this), result) }
-
+class File extends Container, Impl::File {
   override string getAPrimaryQlClass() { result = "File" }
 
   override Location getLocation() {

cpp/ql/lib/semmle/code/cpp/PrintAST.qll

@@ -826,17 +826,11 @@ private predicate namedExprChildPredicates(Expr expr, Element ele, string pred)
     or
     expr.(Conversion).getExpr() = ele and pred = "getExpr()"
     or
-    expr.(DeleteArrayExpr).getAllocatorCall() = ele and pred = "getAllocatorCall()"
+    expr.(DeleteOrDeleteArrayExpr).getDeallocatorCall() = ele and pred = "getDeallocatorCall()"
     or
-    expr.(DeleteArrayExpr).getDestructorCall() = ele and pred = "getDestructorCall()"
+    expr.(DeleteOrDeleteArrayExpr).getDestructorCall() = ele and pred = "getDestructorCall()"
     or
-    expr.(DeleteArrayExpr).getExpr() = ele and pred = "getExpr()"
-    or
-    expr.(DeleteExpr).getAllocatorCall() = ele and pred = "getAllocatorCall()"
-    or
-    expr.(DeleteExpr).getDestructorCall() = ele and pred = "getDestructorCall()"
-    or
-    expr.(DeleteExpr).getExpr() = ele and pred = "getExpr()"
+    expr.(DeleteOrDeleteArrayExpr).getExpr() = ele and pred = "getExpr()"
     or
     expr.(DestructorFieldDestruction).getExpr() = ele and pred = "getExpr()"
     or

cpp/ql/lib/semmle/code/cpp/controlflow/Dereferenced.qll

@@ -26,17 +26,18 @@ predicate callDereferences(FunctionCall fc, int i) {
 }
 
 /**
- * Holds if evaluation of `op` dereferences `e`.
+ * Holds if evaluation of `op` dereferences `e` directly.
+ *
+ * This predicate does not recurse through function calls or arithmetic operations. To find
+ * such cases, use `dereferencedByOperation`.
  */
-predicate dereferencedByOperation(Expr op, Expr e) {
+predicate directDereferencedByOperation(Expr op, Expr e) {
   exists(PointerDereferenceExpr deref |
     deref.getAChild() = e and
     deref = op and
     not deref.getParent*() instanceof SizeofOperator
   )
   or
-  exists(CrementOperation crement | dereferencedByOperation(e, op) and crement.getOperand() = e)
-  or
   exists(ArrayExpr ae |
     (
       not ae.getParent() instanceof AddressOfExpr and
@@ -50,6 +51,24 @@ predicate dereferencedByOperation(Expr op, Expr e) {
     )
   )
   or
+  // ptr->Field
+  e = op.(FieldAccess).getQualifier() and isClassPointerType(e.getType())
+  or
+  // ptr->method()
+  e = op.(Call).getQualifier() and isClassPointerType(e.getType())
+}
+
+/**
+ * Holds if evaluation of `op` dereferences `e`.
+ *
+ * This includes the set of operations identified via `directDereferencedByOperation`, as well
+ * as calls to function that are known to dereference an argument.
+ */
+predicate dereferencedByOperation(Expr op, Expr e) {
+  directDereferencedByOperation(op, e)
+  or
+  exists(CrementOperation crement | dereferencedByOperation(e, op) and crement.getOperand() = e)
+  or
   exists(AddressOfExpr addof, ArrayExpr ae |
     dereferencedByOperation(addof, op) and
     addof.getOperand() = ae and
@@ -74,12 +93,6 @@ predicate dereferencedByOperation(Expr op, Expr e) {
     e = fc.getArgument(i) and
     op = fc
   )
-  or
-  // ptr->Field
-  e = op.(FieldAccess).getQualifier() and isClassPointerType(e.getType())
-  or
-  // ptr->method()
-  e = op.(Call).getQualifier() and isClassPointerType(e.getType())
 }
 
 private predicate isClassPointerType(Type t) {

cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll

@@ -240,7 +240,7 @@ private class GuardConditionFromIR extends GuardCondition {
    */
   private predicate controlsBlock(BasicBlock controlled, boolean testIsTrue) {
     exists(IRBlock irb |
-      forex(IRGuardCondition inst | inst = ir | inst.controls(irb, testIsTrue)) and
+      ir.controls(irb, testIsTrue) and
       irb.getAnInstruction().getAst().(ControlFlowNode).getBasicBlock() = controlled and
       not isUnreachedBlock(irb)
     )

cpp/ql/lib/semmle/code/cpp/controlflow/internal/CFG.qll

@@ -332,21 +332,12 @@ private Node getControlOrderChildSparse(Node n, int i) {
   n = any(ConditionDeclExpr cd | i = 0 and result = cd.getInitializingExpr())
   or
   n =
-    any(DeleteExpr del |
+    any(DeleteOrDeleteArrayExpr del |
       i = 0 and result = del.getExpr()
       or
       i = 1 and result = del.getDestructorCall()
       or
-      i = 2 and result = del.getAllocatorCall()
-    )
-  or
-  n =
-    any(DeleteArrayExpr del |
-      i = 0 and result = del.getExpr()
-      or
-      i = 1 and result = del.getDestructorCall()
-      or
-      i = 2 and result = del.getAllocatorCall()
+      i = 2 and result = del.getDeallocatorCall()
     )
   or
   n =

cpp/ql/lib/semmle/code/cpp/dataflow/TaintTracking.qll

@@ -25,6 +25,10 @@ import semmle.code.cpp.dataflow.DataFlow2
  * global (inter-procedural) taint-tracking analyses.
  */
 deprecated module TaintTracking {
-  import semmle.code.cpp.dataflow.internal.tainttracking1.TaintTracking
+  import semmle.code.cpp.dataflow.internal.tainttracking1.TaintTrackingParameter::Public
+  private import semmle.code.cpp.dataflow.internal.DataFlowImplSpecific
+  private import semmle.code.cpp.dataflow.internal.TaintTrackingImplSpecific
+  private import codeql.dataflow.TaintTracking
+  import TaintFlowMake<CppOldDataFlow, CppOldTaintTracking>
   import semmle.code.cpp.dataflow.internal.tainttracking1.TaintTrackingImpl
 }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowDispatch.qll

@@ -79,13 +79,3 @@ class ArgumentPosition extends int {
 /** Holds if arguments at position `apos` match parameters at position `ppos`. */
 pragma[inline]
 predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos }
-
-/**
- * Holds if flow from `call`'s argument `arg` to parameter `p` is permissible.
- *
- * This is a temporary hook to support technical debt in the Go language; do not use.
- */
-pragma[inline]
-predicate golangSpecificParamArgFilter(DataFlowCall call, ParameterNode p, ArgumentNode arg) {
-  any()
-}

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll

@@ -297,6 +297,10 @@ private module Config implements FullStateConfigSig {
 
   predicate isBarrierOut(Node node) { any(Configuration config).isBarrierOut(node) }
 
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
   predicate isAdditionalFlowStep(Node node1, Node node2) {
     singleConfiguration() and
     any(Configuration config).isAdditionalFlowStep(node1, node2)

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll

@@ -297,6 +297,10 @@ private module Config implements FullStateConfigSig {
 
   predicate isBarrierOut(Node node) { any(Configuration config).isBarrierOut(node) }
 
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
   predicate isAdditionalFlowStep(Node node1, Node node2) {
     singleConfiguration() and
     any(Configuration config).isAdditionalFlowStep(node1, node2)

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll

@@ -297,6 +297,10 @@ private module Config implements FullStateConfigSig {
 
   predicate isBarrierOut(Node node) { any(Configuration config).isBarrierOut(node) }
 
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
   predicate isAdditionalFlowStep(Node node1, Node node2) {
     singleConfiguration() and
     any(Configuration config).isAdditionalFlowStep(node1, node2)

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll

@@ -297,6 +297,10 @@ private module Config implements FullStateConfigSig {
 
   predicate isBarrierOut(Node node) { any(Configuration config).isBarrierOut(node) }
 
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
   predicate isAdditionalFlowStep(Node node1, Node node2) {
     singleConfiguration() and
     any(Configuration config).isAdditionalFlowStep(node1, node2)

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll

@@ -3,297 +3,25 @@
  * data-flow classes and predicates.
  */
 
-private import DataFlowImplSpecific::Private
-private import DataFlowImplSpecific::Public
-private import tainttracking1.TaintTrackingParameter::Private
-private import tainttracking1.TaintTrackingParameter::Public
+private import cpp
+private import DataFlowImplSpecific
+private import TaintTrackingImplSpecific
+private import codeql.dataflow.internal.DataFlowImplConsistency
 
-module Consistency {
-  private newtype TConsistencyConfiguration = MkConsistencyConfiguration()
-
-  /** A class for configuring the consistency queries. */
-  class ConsistencyConfiguration extends TConsistencyConfiguration {
-    string toString() { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `uniqueEnclosingCallable`. */
-    predicate uniqueEnclosingCallableExclude(Node n) { none() }
-
-    /** Holds if `call` should be excluded from the consistency test `uniqueCallEnclosingCallable`. */
-    predicate uniqueCallEnclosingCallableExclude(DataFlowCall call) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `uniqueNodeLocation`. */
-    predicate uniqueNodeLocationExclude(Node n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `missingLocation`. */
-    predicate missingLocationExclude(Node n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `postWithInFlow`. */
-    predicate postWithInFlowExclude(Node n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `argHasPostUpdate`. */
-    predicate argHasPostUpdateExclude(ArgumentNode n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `reverseRead`. */
-    predicate reverseReadExclude(Node n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `postHasUniquePre`. */
-    predicate postHasUniquePreExclude(PostUpdateNode n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `uniquePostUpdate`. */
-    predicate uniquePostUpdateExclude(Node n) { none() }
-
-    /** Holds if `(call, ctx)` should be excluded from the consistency test `viableImplInCallContextTooLargeExclude`. */
-    predicate viableImplInCallContextTooLargeExclude(
-      DataFlowCall call, DataFlowCall ctx, DataFlowCallable callable
-    ) {
-      none()
-    }
-
-    /** Holds if `(c, pos, p)` should be excluded from the consistency test `uniqueParameterNodeAtPosition`. */
-    predicate uniqueParameterNodeAtPositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
-      none()
-    }
-
-    /** Holds if `(c, pos, p)` should be excluded from the consistency test `uniqueParameterNodePosition`. */
-    predicate uniqueParameterNodePositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
-      none()
-    }
-
-    /** Holds if `n` should be excluded from the consistency test `identityLocalStep`. */
-    predicate identityLocalStepExclude(Node n) { none() }
-  }
-
-  private class RelevantNode extends Node {
-    RelevantNode() {
-      this instanceof ArgumentNode or
-      this instanceof ParameterNode or
-      this instanceof ReturnNode or
-      this = getAnOutNode(_, _) or
-      simpleLocalFlowStep(this, _) or
-      simpleLocalFlowStep(_, this) or
-      jumpStep(this, _) or
-      jumpStep(_, this) or
-      storeStep(this, _, _) or
-      storeStep(_, _, this) or
-      readStep(this, _, _) or
-      readStep(_, _, this) or
-      defaultAdditionalTaintStep(this, _) or
-      defaultAdditionalTaintStep(_, this)
-    }
-  }
-
-  query predicate uniqueEnclosingCallable(Node n, string msg) {
-    exists(int c |
-      n instanceof RelevantNode and
-      c = count(nodeGetEnclosingCallable(n)) and
-      c != 1 and
-      not any(ConsistencyConfiguration conf).uniqueEnclosingCallableExclude(n) and
-      msg = "Node should have one enclosing callable but has " + c + "."
-    )
-  }
-
-  query predicate uniqueCallEnclosingCallable(DataFlowCall call, string msg) {
-    exists(int c |
-      c = count(call.getEnclosingCallable()) and
-      c != 1 and
-      not any(ConsistencyConfiguration conf).uniqueCallEnclosingCallableExclude(call) and
-      msg = "Call should have one enclosing callable but has " + c + "."
-    )
-  }
-
-  query predicate uniqueType(Node n, string msg) {
-    exists(int c |
-      n instanceof RelevantNode and
-      c = count(getNodeType(n)) and
-      c != 1 and
-      msg = "Node should have one type but has " + c + "."
-    )
-  }
-
-  query predicate uniqueNodeLocation(Node n, string msg) {
-    exists(int c |
-      c =
-        count(string filepath, int startline, int startcolumn, int endline, int endcolumn |
-          n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-        ) and
-      c != 1 and
-      not any(ConsistencyConfiguration conf).uniqueNodeLocationExclude(n) and
-      msg = "Node should have one location but has " + c + "."
-    )
-  }
-
-  query predicate missingLocation(string msg) {
-    exists(int c |
-      c =
-        strictcount(Node n |
-          not n.hasLocationInfo(_, _, _, _, _) and
-          not any(ConsistencyConfiguration conf).missingLocationExclude(n)
-        ) and
-      msg = "Nodes without location: " + c
-    )
-  }
-
-  query predicate uniqueNodeToString(Node n, string msg) {
-    exists(int c |
-      c = count(n.toString()) and
-      c != 1 and
-      msg = "Node should have one toString but has " + c + "."
-    )
-  }
-
-  query predicate missingToString(string msg) {
-    exists(int c |
-      c = strictcount(Node n | not exists(n.toString())) and
-      msg = "Nodes without toString: " + c
-    )
-  }
-
-  query predicate parameterCallable(ParameterNode p, string msg) {
-    exists(DataFlowCallable c | isParameterNode(p, c, _) and c != nodeGetEnclosingCallable(p)) and
-    msg = "Callable mismatch for parameter."
-  }
-
-  query predicate localFlowIsLocal(Node n1, Node n2, string msg) {
-    simpleLocalFlowStep(n1, n2) and
-    nodeGetEnclosingCallable(n1) != nodeGetEnclosingCallable(n2) and
-    msg = "Local flow step does not preserve enclosing callable."
-  }
-
-  query predicate readStepIsLocal(Node n1, Node n2, string msg) {
-    readStep(n1, _, n2) and
-    nodeGetEnclosingCallable(n1) != nodeGetEnclosingCallable(n2) and
-    msg = "Read step does not preserve enclosing callable."
-  }
-
-  query predicate storeStepIsLocal(Node n1, Node n2, string msg) {
-    storeStep(n1, _, n2) and
-    nodeGetEnclosingCallable(n1) != nodeGetEnclosingCallable(n2) and
-    msg = "Store step does not preserve enclosing callable."
-  }
-
-  private DataFlowType typeRepr() { result = getNodeType(_) }
-
-  query predicate compatibleTypesReflexive(DataFlowType t, string msg) {
-    t = typeRepr() and
-    not compatibleTypes(t, t) and
-    msg = "Type compatibility predicate is not reflexive."
-  }
-
-  query predicate unreachableNodeCCtx(Node n, DataFlowCall call, string msg) {
-    isUnreachableInCall(n, call) and
-    exists(DataFlowCallable c |
-      c = nodeGetEnclosingCallable(n) and
-      not viableCallable(call) = c
-    ) and
-    msg = "Call context for isUnreachableInCall is inconsistent with call graph."
-  }
-
-  query predicate localCallNodes(DataFlowCall call, Node n, string msg) {
-    (
-      n = getAnOutNode(call, _) and
-      msg = "OutNode and call does not share enclosing callable."
-      or
-      n.(ArgumentNode).argumentOf(call, _) and
-      msg = "ArgumentNode and call does not share enclosing callable."
-    ) and
-    nodeGetEnclosingCallable(n) != call.getEnclosingCallable()
-  }
-
-  // This predicate helps the compiler forget that in some languages
-  // it is impossible for a result of `getPreUpdateNode` to be an
-  // instance of `PostUpdateNode`.
-  private Node getPre(PostUpdateNode n) {
-    result = n.getPreUpdateNode()
+private module Input implements InputSig<CppOldDataFlow> {
+  predicate argHasPostUpdateExclude(Private::ArgumentNode n) {
+    // Is the null pointer (or something that's not really a pointer)
+    exists(n.asExpr().getValue())
     or
-    none()
-  }
-
-  query predicate postIsNotPre(PostUpdateNode n, string msg) {
-    getPre(n) = n and
-    msg = "PostUpdateNode should not equal its pre-update node."
-  }
-
-  query predicate postHasUniquePre(PostUpdateNode n, string msg) {
-    not any(ConsistencyConfiguration conf).postHasUniquePreExclude(n) and
-    exists(int c |
-      c = count(n.getPreUpdateNode()) and
-      c != 1 and
-      msg = "PostUpdateNode should have one pre-update node but has " + c + "."
+    // Isn't a pointer or is a pointer to const
+    forall(DerivedType dt | dt = n.asExpr().getActualType() |
+      dt.getBaseType().isConst()
+      or
+      dt.getBaseType() instanceof RoutineType
     )
-  }
-
-  query predicate uniquePostUpdate(Node n, string msg) {
-    not any(ConsistencyConfiguration conf).uniquePostUpdateExclude(n) and
-    1 < strictcount(PostUpdateNode post | post.getPreUpdateNode() = n) and
-    msg = "Node has multiple PostUpdateNodes."
-  }
-
-  query predicate postIsInSameCallable(PostUpdateNode n, string msg) {
-    nodeGetEnclosingCallable(n) != nodeGetEnclosingCallable(n.getPreUpdateNode()) and
-    msg = "PostUpdateNode does not share callable with its pre-update node."
-  }
-
-  private predicate hasPost(Node n) { exists(PostUpdateNode post | post.getPreUpdateNode() = n) }
-
-  query predicate reverseRead(Node n, string msg) {
-    exists(Node n2 | readStep(n, _, n2) and hasPost(n2) and not hasPost(n)) and
-    not any(ConsistencyConfiguration conf).reverseReadExclude(n) and
-    msg = "Origin of readStep is missing a PostUpdateNode."
-  }
-
-  query predicate argHasPostUpdate(ArgumentNode n, string msg) {
-    not hasPost(n) and
-    not any(ConsistencyConfiguration c).argHasPostUpdateExclude(n) and
-    msg = "ArgumentNode is missing PostUpdateNode."
-  }
-
-  // This predicate helps the compiler forget that in some languages
-  // it is impossible for a `PostUpdateNode` to be the target of
-  // `simpleLocalFlowStep`.
-  private predicate isPostUpdateNode(Node n) { n instanceof PostUpdateNode or none() }
-
-  query predicate postWithInFlow(Node n, string msg) {
-    isPostUpdateNode(n) and
-    not clearsContent(n, _) and
-    simpleLocalFlowStep(_, n) and
-    not any(ConsistencyConfiguration c).postWithInFlowExclude(n) and
-    msg = "PostUpdateNode should not be the target of local flow."
-  }
-
-  query predicate viableImplInCallContextTooLarge(
-    DataFlowCall call, DataFlowCall ctx, DataFlowCallable callable
-  ) {
-    callable = viableImplInCallContext(call, ctx) and
-    not callable = viableCallable(call) and
-    not any(ConsistencyConfiguration c).viableImplInCallContextTooLargeExclude(call, ctx, callable)
-  }
-
-  query predicate uniqueParameterNodeAtPosition(
-    DataFlowCallable c, ParameterPosition pos, Node p, string msg
-  ) {
-    not any(ConsistencyConfiguration conf).uniqueParameterNodeAtPositionExclude(c, pos, p) and
-    isParameterNode(p, c, pos) and
-    not exists(unique(Node p0 | isParameterNode(p0, c, pos))) and
-    msg = "Parameters with overlapping positions."
-  }
-
-  query predicate uniqueParameterNodePosition(
-    DataFlowCallable c, ParameterPosition pos, Node p, string msg
-  ) {
-    not any(ConsistencyConfiguration conf).uniqueParameterNodePositionExclude(c, pos, p) and
-    isParameterNode(p, c, pos) and
-    not exists(unique(ParameterPosition pos0 | isParameterNode(p, c, pos0))) and
-    msg = "Parameter node with multiple positions."
-  }
-
-  query predicate uniqueContentApprox(Content c, string msg) {
-    not exists(unique(ContentApprox approx | approx = getContentApprox(c))) and
-    msg = "Non-unique content approximation."
-  }
-
-  query predicate identityLocalStep(Node n, string msg) {
-    simpleLocalFlowStep(n, n) and
-    not any(ConsistencyConfiguration c).identityLocalStepExclude(n) and
-    msg = "Node steps to itself"
+    // The above list of cases isn't exhaustive, but it narrows down the
+    // consistency alerts enough that most of them are interesting.
   }
 }
+
+module Consistency = MakeConsistency<CppOldDataFlow, CppOldTaintTracking, Input>;

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll

@@ -297,6 +297,10 @@ private module Config implements FullStateConfigSig {
 
   predicate isBarrierOut(Node node) { any(Configuration config).isBarrierOut(node) }
 
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
   predicate isAdditionalFlowStep(Node node1, Node node2) {
     singleConfiguration() and
     any(Configuration config).isAdditionalFlowStep(node1, node2)

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll

@@ -2,7 +2,6 @@ private import cpp
 private import DataFlowUtil
 private import DataFlowDispatch
 private import FlowVar
-private import DataFlowImplConsistency
 private import codeql.util.Unit
 
 /** Gets the callable in which this node occurs. */
@@ -209,6 +208,8 @@ predicate expectsContent(Node n, ContentSet c) { none() }
 
 predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { none() }
 
+predicate localMustFlowStep(Node node1, Node node2) { none() }
+
 /** Gets the type of `n` used for type pruning. */
 Type getNodeType(Node n) {
   suppressUnusedNode(n) and
@@ -296,28 +297,3 @@ class ContentApprox = Unit;
 /** Gets an approximated value for content `c`. */
 pragma[inline]
 ContentApprox getContentApprox(Content c) { any() }
-
-private class MyConsistencyConfiguration extends Consistency::ConsistencyConfiguration {
-  override predicate argHasPostUpdateExclude(ArgumentNode n) {
-    // Is the null pointer (or something that's not really a pointer)
-    exists(n.asExpr().getValue())
-    or
-    // Isn't a pointer or is a pointer to const
-    forall(DerivedType dt | dt = n.asExpr().getActualType() |
-      dt.getBaseType().isConst()
-      or
-      dt.getBaseType() instanceof RoutineType
-    )
-    // The above list of cases isn't exhaustive, but it narrows down the
-    // consistency alerts enough that most of them are interesting.
-  }
-}
-
-/**
- * Gets an additional term that is added to the `join` and `branch` computations to reflect
- * an additional forward or backwards branching factor that is not taken into account
- * when calculating the (virtual) dispatch cost.
- *
- * Argument `arg` is part of a path from a source to a sink, and `p` is the target parameter.
- */
-int getAdditionalFlowIntoCallNodeTerm(ArgumentNode arg, ParameterNode p) { none() }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/TaintTrackingImplSpecific.qll

@@ -0,0 +1,10 @@
+/**
+ * Provides C++-specific definitions for use in the taint tracking library.
+ */
+
+private import codeql.dataflow.TaintTracking
+private import DataFlowImplSpecific
+
+module CppOldTaintTracking implements InputSig<CppOldDataFlow> {
+  import TaintTrackingUtil
+}

cpp/ql/lib/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll

@@ -39,7 +39,7 @@ predicate defaultAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
  * of `c` at sinks and inputs to additional taint steps.
  */
 bindingset[node]
-predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::Content c) { none() }
+predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet c) { none() }
 
 /**
  * Holds if `node` should be a sanitizer in all global taint flow configurations

cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTracking.qll

@@ -1,75 +0,0 @@
-/**
- * Provides classes for performing local (intra-procedural) and
- * global (inter-procedural) taint-tracking analyses.
- */
-
-import TaintTrackingParameter::Public
-private import TaintTrackingParameter::Private
-
-private module AddTaintDefaults<DataFlowInternal::FullStateConfigSig Config> implements
-  DataFlowInternal::FullStateConfigSig
-{
-  import Config
-
-  predicate isBarrier(DataFlow::Node node) {
-    Config::isBarrier(node) or defaultTaintSanitizer(node)
-  }
-
-  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    Config::isAdditionalFlowStep(node1, node2) or
-    defaultAdditionalTaintStep(node1, node2)
-  }
-
-  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
-    Config::allowImplicitRead(node, c)
-    or
-    (
-      Config::isSink(node) or
-      Config::isSink(node, _) or
-      Config::isAdditionalFlowStep(node, _) or
-      Config::isAdditionalFlowStep(node, _, _, _)
-    ) and
-    defaultImplicitTaintRead(node, c)
-  }
-}
-
-/**
- * Constructs a global taint tracking computation.
- */
-module Global<DataFlow::ConfigSig Config> implements DataFlow::GlobalFlowSig {
-  private module Config0 implements DataFlowInternal::FullStateConfigSig {
-    import DataFlowInternal::DefaultState<Config>
-    import Config
-  }
-
-  private module C implements DataFlowInternal::FullStateConfigSig {
-    import AddTaintDefaults<Config0>
-  }
-
-  import DataFlowInternal::Impl<C>
-}
-
-/** DEPRECATED: Use `Global` instead. */
-deprecated module Make<DataFlow::ConfigSig Config> implements DataFlow::GlobalFlowSig {
-  import Global<Config>
-}
-
-/**
- * Constructs a global taint tracking computation using flow state.
- */
-module GlobalWithState<DataFlow::StateConfigSig Config> implements DataFlow::GlobalFlowSig {
-  private module Config0 implements DataFlowInternal::FullStateConfigSig {
-    import Config
-  }
-
-  private module C implements DataFlowInternal::FullStateConfigSig {
-    import AddTaintDefaults<Config0>
-  }
-
-  import DataFlowInternal::Impl<C>
-}
-
-/** DEPRECATED: Use `GlobalWithState` instead. */
-deprecated module MakeWithState<DataFlow::StateConfigSig Config> implements DataFlow::GlobalFlowSig {
-  import GlobalWithState<Config>
-}

cpp/ql/lib/semmle/code/cpp/dataflow/new/TaintTracking.qll

@@ -23,6 +23,10 @@ import semmle.code.cpp.dataflow.new.DataFlow2
  * global (inter-procedural) taint-tracking analyses.
  */
 module TaintTracking {
-  import semmle.code.cpp.ir.dataflow.internal.tainttracking1.TaintTracking
+  import semmle.code.cpp.ir.dataflow.internal.tainttracking1.TaintTrackingParameter::Public
+  private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplSpecific
+  private import semmle.code.cpp.ir.dataflow.internal.TaintTrackingImplSpecific
+  private import codeql.dataflow.TaintTracking
+  import TaintFlowMake<CppDataFlow, CppTaintTracking>
   import semmle.code.cpp.ir.dataflow.internal.tainttracking1.TaintTrackingImpl
 }

cpp/ql/lib/semmle/code/cpp/exprs/BuiltInOperations.qll

@@ -1547,3 +1547,21 @@ class BuiltInBitCast extends BuiltInOperation, @builtinbitcast {
 
   override string getAPrimaryQlClass() { result = "BuiltInBitCast" }
 }
+
+/**
+ * A C++ `__is_trivial` built-in operation (used by some implementations of the
+ * `<type_traits>` header).
+ *
+ * Returns `true` if a type is a trivial type.
+ * ```
+ *  template<typename _Tp>
+ *    struct is_trivial
+ *    : public integral_constant<bool, __is_trivial(_Tp)>
+ *    {};
+ * ```
+ */
+class BuiltInIsTrivial extends BuiltInOperation, @istrivialexpr {
+  override string toString() { result = "__is_trivial" }
+
+  override string getAPrimaryQlClass() { result = "BuiltInIsTrivial" }
+}

cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll

@@ -932,19 +932,91 @@ class NewArrayExpr extends NewOrNewArrayExpr, @new_array_expr {
   Expr getExtent() { result = this.getChild(2) }
 }
 
+private class TDeleteOrDeleteArrayExpr = @delete_expr or @delete_array_expr;
+
+/**
+ * A C++ `delete` or `delete[]` expression.
+ */
+class DeleteOrDeleteArrayExpr extends Expr, TDeleteOrDeleteArrayExpr {
+  override int getPrecedence() { result = 16 }
+
+  /**
+   * Gets the call to a destructor that occurs prior to the object's memory being deallocated, if any.
+   *
+   * In the case of `delete[]` at runtime, the destructor will be called once for each element in the array, but the
+   * destructor call only exists once in the AST.
+   */
+  DestructorCall getDestructorCall() { result = this.getChild(1) }
+
+  /**
+   * Gets the destructor to be called to destroy the object or array, if any.
+   */
+  Destructor getDestructor() { result = this.getDestructorCall().getTarget() }
+
+  /**
+   * Gets the `operator delete` or `operator delete[]` that deallocates storage.
+   * Does not hold if the type being destroyed has a virtual destructor. In that case, the
+   * `operator delete` that will be called is determined at runtime based on the
+   * dynamic type of the object.
+   */
+  Function getDeallocator() {
+    expr_deallocator(underlyingElement(this), unresolveElement(result), _)
+  }
+
+  /**
+   * DEPRECATED: use `getDeallocatorCall` instead.
+   */
+  deprecated FunctionCall getAllocatorCall() { result = this.getChild(0) }
+
+  /**
+   * Gets the call to a non-default `operator delete`/`delete[]` that deallocates storage, if any.
+   *
+   * This will only be present when the type being deleted has a custom `operator delete` and
+   * does not have a virtual destructor.
+   */
+  FunctionCall getDeallocatorCall() { result = this.getChild(0) }
+
+  /**
+   * Holds if the deallocation function expects a size argument.
+   */
+  predicate hasSizedDeallocation() {
+    exists(int form |
+      expr_deallocator(underlyingElement(this), _, form) and
+      form.bitAnd(1) != 0 // Bit zero is the "size" bit
+    )
+  }
+
+  /**
+   * Holds if the deallocation function expects an alignment argument.
+   */
+  predicate hasAlignedDeallocation() {
+    exists(int form |
+      expr_deallocator(underlyingElement(this), _, form) and
+      form.bitAnd(2) != 0 // Bit one is the "alignment" bit
+    )
+  }
+
+  /**
+   * Gets the object or array being deleted.
+   */
+  Expr getExpr() {
+    // If there is a destructor call, the object being deleted is the qualifier
+    // otherwise it is the third child.
+    result = this.getChild(3) or result = this.getDestructorCall().getQualifier()
+  }
+}
+
 /**
  * A C++ `delete` (non-array) expression.
  * ```
  * delete ptr;
  * ```
  */
-class DeleteExpr extends Expr, @delete_expr {
+class DeleteExpr extends DeleteOrDeleteArrayExpr, @delete_expr {
   override string toString() { result = "delete" }
 
   override string getAPrimaryQlClass() { result = "DeleteExpr" }
 
-  override int getPrecedence() { result = 16 }
-
   /**
    * Gets the compile-time type of the object being deleted.
    */
@@ -957,58 +1029,6 @@ class DeleteExpr extends Expr, @delete_expr {
           .(PointerType)
           .getBaseType()
   }
-
-  /**
-   * Gets the call to a destructor that occurs prior to the object's memory being deallocated, if any.
-   */
-  DestructorCall getDestructorCall() { result = this.getChild(1) }
-
-  /**
-   * Gets the destructor to be called to destroy the object, if any.
-   */
-  Destructor getDestructor() { result = this.getDestructorCall().getTarget() }
-
-  /**
-   * Gets the `operator delete` that deallocates storage. Does not hold
-   * if the type being destroyed has a virtual destructor. In that case, the
-   * `operator delete` that will be called is determined at runtime based on the
-   * dynamic type of the object.
-   */
-  Function getDeallocator() {
-    expr_deallocator(underlyingElement(this), unresolveElement(result), _)
-  }
-
-  /**
-   * Holds if the deallocation function expects a size argument.
-   */
-  predicate hasSizedDeallocation() {
-    exists(int form |
-      expr_deallocator(underlyingElement(this), _, form) and
-      form.bitAnd(1) != 0 // Bit zero is the "size" bit
-    )
-  }
-
-  /**
-   * Holds if the deallocation function expects an alignment argument.
-   */
-  predicate hasAlignedDeallocation() {
-    exists(int form |
-      expr_deallocator(underlyingElement(this), _, form) and
-      form.bitAnd(2) != 0 // Bit one is the "alignment" bit
-    )
-  }
-
-  /**
-   * Gets the call to a non-default `operator delete` that deallocates storage, if any.
-   *
-   * This will only be present when the type being deleted has a custom `operator delete`.
-   */
-  FunctionCall getAllocatorCall() { result = this.getChild(0) }
-
-  /**
-   * Gets the object being deleted.
-   */
-  Expr getExpr() { result = this.getChild(3) or result = this.getChild(1).getChild(-1) }
 }
 
 /**
@@ -1017,13 +1037,11 @@ class DeleteExpr extends Expr, @delete_expr {
  * delete[] arr;
  * ```
  */
-class DeleteArrayExpr extends Expr, @delete_array_expr {
+class DeleteArrayExpr extends DeleteOrDeleteArrayExpr, @delete_array_expr {
   override string toString() { result = "delete[]" }
 
   override string getAPrimaryQlClass() { result = "DeleteArrayExpr" }
 
-  override int getPrecedence() { result = 16 }
-
   /**
    * Gets the element type of the array being deleted.
    */
@@ -1036,58 +1054,6 @@ class DeleteArrayExpr extends Expr, @delete_array_expr {
           .(PointerType)
           .getBaseType()
   }
-
-  /**
-   * Gets the call to a destructor that occurs prior to the array's memory being deallocated, if any.
-   *
-   * At runtime, the destructor will be called once for each element in the array, but the
-   * destructor call only exists once in the AST.
-   */
-  DestructorCall getDestructorCall() { result = this.getChild(1) }
-
-  /**
-   * Gets the destructor to be called to destroy each element in the array, if any.
-   */
-  Destructor getDestructor() { result = this.getDestructorCall().getTarget() }
-
-  /**
-   * Gets the `operator delete[]` that deallocates storage.
-   */
-  Function getDeallocator() {
-    expr_deallocator(underlyingElement(this), unresolveElement(result), _)
-  }
-
-  /**
-   * Holds if the deallocation function expects a size argument.
-   */
-  predicate hasSizedDeallocation() {
-    exists(int form |
-      expr_deallocator(underlyingElement(this), _, form) and
-      form.bitAnd(1) != 0 // Bit zero is the "size" bit
-    )
-  }
-
-  /**
-   * Holds if the deallocation function expects an alignment argument.
-   */
-  predicate hasAlignedDeallocation() {
-    exists(int form |
-      expr_deallocator(underlyingElement(this), _, form) and
-      form.bitAnd(2) != 0 // Bit one is the "alignment" bit
-    )
-  }
-
-  /**
-   * Gets the call to a non-default `operator delete` that deallocates storage, if any.
-   *
-   * This will only be present when the type being deleted has a custom `operator delete`.
-   */
-  FunctionCall getAllocatorCall() { result = this.getChild(0) }
-
-  /**
-   * Gets the array being deleted.
-   */
-  Expr getExpr() { result = this.getChild(3) or result = this.getChild(1).getChild(-1) }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/TaintTracking.qll

@@ -19,6 +19,10 @@ import semmle.code.cpp.ir.dataflow.DataFlow
 import semmle.code.cpp.ir.dataflow.DataFlow2
 
 module TaintTracking {
-  import semmle.code.cpp.ir.dataflow.internal.tainttracking1.TaintTracking
+  import semmle.code.cpp.ir.dataflow.internal.tainttracking1.TaintTrackingParameter::Public
+  private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplSpecific
+  private import semmle.code.cpp.ir.dataflow.internal.TaintTrackingImplSpecific
+  private import codeql.dataflow.TaintTracking
+  import TaintFlowMake<CppDataFlow, CppTaintTracking>
   import semmle.code.cpp.ir.dataflow.internal.tainttracking1.TaintTrackingImpl
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll

@@ -271,13 +271,3 @@ DataFlowCallable viableImplInCallContext(DataFlowCall call, DataFlowCall ctx) {
 /** Holds if arguments at position `apos` match parameters at position `ppos`. */
 pragma[inline]
 predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos }
-
-/**
- * Holds if flow from `call`'s argument `arg` to parameter `p` is permissible.
- *
- * This is a temporary hook to support technical debt in the Go language; do not use.
- */
-pragma[inline]
-predicate golangSpecificParamArgFilter(DataFlowCall call, ParameterNode p, ArgumentNode arg) {
-  any()
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll

@@ -297,6 +297,10 @@ private module Config implements FullStateConfigSig {
 
   predicate isBarrierOut(Node node) { any(Configuration config).isBarrierOut(node) }
 
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
   predicate isAdditionalFlowStep(Node node1, Node node2) {
     singleConfiguration() and
     any(Configuration config).isAdditionalFlowStep(node1, node2)

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -297,6 +297,10 @@ private module Config implements FullStateConfigSig {
 
   predicate isBarrierOut(Node node) { any(Configuration config).isBarrierOut(node) }
 
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
   predicate isAdditionalFlowStep(Node node1, Node node2) {
     singleConfiguration() and
     any(Configuration config).isAdditionalFlowStep(node1, node2)

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -297,6 +297,10 @@ private module Config implements FullStateConfigSig {
 
   predicate isBarrierOut(Node node) { any(Configuration config).isBarrierOut(node) }
 
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
   predicate isAdditionalFlowStep(Node node1, Node node2) {
     singleConfiguration() and
     any(Configuration config).isAdditionalFlowStep(node1, node2)

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

@@ -297,6 +297,10 @@ private module Config implements FullStateConfigSig {
 
   predicate isBarrierOut(Node node) { any(Configuration config).isBarrierOut(node) }
 
+  predicate isBarrierIn(Node node, FlowState state) { none() }
+
+  predicate isBarrierOut(Node node, FlowState state) { none() }
+
   predicate isAdditionalFlowStep(Node node1, Node node2) {
     singleConfiguration() and
     any(Configuration config).isAdditionalFlowStep(node1, node2)

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll

@@ -3,297 +3,17 @@
  * data-flow classes and predicates.
  */
 
-private import DataFlowImplSpecific::Private
-private import DataFlowImplSpecific::Public
-private import tainttracking1.TaintTrackingParameter::Private
-private import tainttracking1.TaintTrackingParameter::Public
+private import cpp
+private import DataFlowImplSpecific
+private import TaintTrackingImplSpecific
+private import codeql.dataflow.internal.DataFlowImplConsistency
 
-module Consistency {
-  private newtype TConsistencyConfiguration = MkConsistencyConfiguration()
-
-  /** A class for configuring the consistency queries. */
-  class ConsistencyConfiguration extends TConsistencyConfiguration {
-    string toString() { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `uniqueEnclosingCallable`. */
-    predicate uniqueEnclosingCallableExclude(Node n) { none() }
-
-    /** Holds if `call` should be excluded from the consistency test `uniqueCallEnclosingCallable`. */
-    predicate uniqueCallEnclosingCallableExclude(DataFlowCall call) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `uniqueNodeLocation`. */
-    predicate uniqueNodeLocationExclude(Node n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `missingLocation`. */
-    predicate missingLocationExclude(Node n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `postWithInFlow`. */
-    predicate postWithInFlowExclude(Node n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `argHasPostUpdate`. */
-    predicate argHasPostUpdateExclude(ArgumentNode n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `reverseRead`. */
-    predicate reverseReadExclude(Node n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `postHasUniquePre`. */
-    predicate postHasUniquePreExclude(PostUpdateNode n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `uniquePostUpdate`. */
-    predicate uniquePostUpdateExclude(Node n) { none() }
-
-    /** Holds if `(call, ctx)` should be excluded from the consistency test `viableImplInCallContextTooLargeExclude`. */
-    predicate viableImplInCallContextTooLargeExclude(
-      DataFlowCall call, DataFlowCall ctx, DataFlowCallable callable
-    ) {
-      none()
-    }
-
-    /** Holds if `(c, pos, p)` should be excluded from the consistency test `uniqueParameterNodeAtPosition`. */
-    predicate uniqueParameterNodeAtPositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
-      none()
-    }
-
-    /** Holds if `(c, pos, p)` should be excluded from the consistency test `uniqueParameterNodePosition`. */
-    predicate uniqueParameterNodePositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
-      none()
-    }
-
-    /** Holds if `n` should be excluded from the consistency test `identityLocalStep`. */
-    predicate identityLocalStepExclude(Node n) { none() }
-  }
-
-  private class RelevantNode extends Node {
-    RelevantNode() {
-      this instanceof ArgumentNode or
-      this instanceof ParameterNode or
-      this instanceof ReturnNode or
-      this = getAnOutNode(_, _) or
-      simpleLocalFlowStep(this, _) or
-      simpleLocalFlowStep(_, this) or
-      jumpStep(this, _) or
-      jumpStep(_, this) or
-      storeStep(this, _, _) or
-      storeStep(_, _, this) or
-      readStep(this, _, _) or
-      readStep(_, _, this) or
-      defaultAdditionalTaintStep(this, _) or
-      defaultAdditionalTaintStep(_, this)
-    }
-  }
-
-  query predicate uniqueEnclosingCallable(Node n, string msg) {
-    exists(int c |
-      n instanceof RelevantNode and
-      c = count(nodeGetEnclosingCallable(n)) and
-      c != 1 and
-      not any(ConsistencyConfiguration conf).uniqueEnclosingCallableExclude(n) and
-      msg = "Node should have one enclosing callable but has " + c + "."
-    )
-  }
-
-  query predicate uniqueCallEnclosingCallable(DataFlowCall call, string msg) {
-    exists(int c |
-      c = count(call.getEnclosingCallable()) and
-      c != 1 and
-      not any(ConsistencyConfiguration conf).uniqueCallEnclosingCallableExclude(call) and
-      msg = "Call should have one enclosing callable but has " + c + "."
-    )
-  }
-
-  query predicate uniqueType(Node n, string msg) {
-    exists(int c |
-      n instanceof RelevantNode and
-      c = count(getNodeType(n)) and
-      c != 1 and
-      msg = "Node should have one type but has " + c + "."
-    )
-  }
-
-  query predicate uniqueNodeLocation(Node n, string msg) {
-    exists(int c |
-      c =
-        count(string filepath, int startline, int startcolumn, int endline, int endcolumn |
-          n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-        ) and
-      c != 1 and
-      not any(ConsistencyConfiguration conf).uniqueNodeLocationExclude(n) and
-      msg = "Node should have one location but has " + c + "."
-    )
-  }
-
-  query predicate missingLocation(string msg) {
-    exists(int c |
-      c =
-        strictcount(Node n |
-          not n.hasLocationInfo(_, _, _, _, _) and
-          not any(ConsistencyConfiguration conf).missingLocationExclude(n)
-        ) and
-      msg = "Nodes without location: " + c
-    )
-  }
-
-  query predicate uniqueNodeToString(Node n, string msg) {
-    exists(int c |
-      c = count(n.toString()) and
-      c != 1 and
-      msg = "Node should have one toString but has " + c + "."
-    )
-  }
-
-  query predicate missingToString(string msg) {
-    exists(int c |
-      c = strictcount(Node n | not exists(n.toString())) and
-      msg = "Nodes without toString: " + c
-    )
-  }
-
-  query predicate parameterCallable(ParameterNode p, string msg) {
-    exists(DataFlowCallable c | isParameterNode(p, c, _) and c != nodeGetEnclosingCallable(p)) and
-    msg = "Callable mismatch for parameter."
-  }
-
-  query predicate localFlowIsLocal(Node n1, Node n2, string msg) {
-    simpleLocalFlowStep(n1, n2) and
-    nodeGetEnclosingCallable(n1) != nodeGetEnclosingCallable(n2) and
-    msg = "Local flow step does not preserve enclosing callable."
-  }
-
-  query predicate readStepIsLocal(Node n1, Node n2, string msg) {
-    readStep(n1, _, n2) and
-    nodeGetEnclosingCallable(n1) != nodeGetEnclosingCallable(n2) and
-    msg = "Read step does not preserve enclosing callable."
-  }
-
-  query predicate storeStepIsLocal(Node n1, Node n2, string msg) {
-    storeStep(n1, _, n2) and
-    nodeGetEnclosingCallable(n1) != nodeGetEnclosingCallable(n2) and
-    msg = "Store step does not preserve enclosing callable."
-  }
-
-  private DataFlowType typeRepr() { result = getNodeType(_) }
-
-  query predicate compatibleTypesReflexive(DataFlowType t, string msg) {
-    t = typeRepr() and
-    not compatibleTypes(t, t) and
-    msg = "Type compatibility predicate is not reflexive."
-  }
-
-  query predicate unreachableNodeCCtx(Node n, DataFlowCall call, string msg) {
-    isUnreachableInCall(n, call) and
-    exists(DataFlowCallable c |
-      c = nodeGetEnclosingCallable(n) and
-      not viableCallable(call) = c
-    ) and
-    msg = "Call context for isUnreachableInCall is inconsistent with call graph."
-  }
-
-  query predicate localCallNodes(DataFlowCall call, Node n, string msg) {
-    (
-      n = getAnOutNode(call, _) and
-      msg = "OutNode and call does not share enclosing callable."
-      or
-      n.(ArgumentNode).argumentOf(call, _) and
-      msg = "ArgumentNode and call does not share enclosing callable."
-    ) and
-    nodeGetEnclosingCallable(n) != call.getEnclosingCallable()
-  }
-
-  // This predicate helps the compiler forget that in some languages
-  // it is impossible for a result of `getPreUpdateNode` to be an
-  // instance of `PostUpdateNode`.
-  private Node getPre(PostUpdateNode n) {
-    result = n.getPreUpdateNode()
-    or
-    none()
-  }
-
-  query predicate postIsNotPre(PostUpdateNode n, string msg) {
-    getPre(n) = n and
-    msg = "PostUpdateNode should not equal its pre-update node."
-  }
-
-  query predicate postHasUniquePre(PostUpdateNode n, string msg) {
-    not any(ConsistencyConfiguration conf).postHasUniquePreExclude(n) and
-    exists(int c |
-      c = count(n.getPreUpdateNode()) and
-      c != 1 and
-      msg = "PostUpdateNode should have one pre-update node but has " + c + "."
-    )
-  }
-
-  query predicate uniquePostUpdate(Node n, string msg) {
-    not any(ConsistencyConfiguration conf).uniquePostUpdateExclude(n) and
-    1 < strictcount(PostUpdateNode post | post.getPreUpdateNode() = n) and
-    msg = "Node has multiple PostUpdateNodes."
-  }
-
-  query predicate postIsInSameCallable(PostUpdateNode n, string msg) {
-    nodeGetEnclosingCallable(n) != nodeGetEnclosingCallable(n.getPreUpdateNode()) and
-    msg = "PostUpdateNode does not share callable with its pre-update node."
-  }
-
-  private predicate hasPost(Node n) { exists(PostUpdateNode post | post.getPreUpdateNode() = n) }
-
-  query predicate reverseRead(Node n, string msg) {
-    exists(Node n2 | readStep(n, _, n2) and hasPost(n2) and not hasPost(n)) and
-    not any(ConsistencyConfiguration conf).reverseReadExclude(n) and
-    msg = "Origin of readStep is missing a PostUpdateNode."
-  }
-
-  query predicate argHasPostUpdate(ArgumentNode n, string msg) {
-    not hasPost(n) and
-    not any(ConsistencyConfiguration c).argHasPostUpdateExclude(n) and
-    msg = "ArgumentNode is missing PostUpdateNode."
-  }
-
-  // This predicate helps the compiler forget that in some languages
-  // it is impossible for a `PostUpdateNode` to be the target of
-  // `simpleLocalFlowStep`.
-  private predicate isPostUpdateNode(Node n) { n instanceof PostUpdateNode or none() }
-
-  query predicate postWithInFlow(Node n, string msg) {
-    isPostUpdateNode(n) and
-    not clearsContent(n, _) and
-    simpleLocalFlowStep(_, n) and
-    not any(ConsistencyConfiguration c).postWithInFlowExclude(n) and
-    msg = "PostUpdateNode should not be the target of local flow."
-  }
-
-  query predicate viableImplInCallContextTooLarge(
-    DataFlowCall call, DataFlowCall ctx, DataFlowCallable callable
-  ) {
-    callable = viableImplInCallContext(call, ctx) and
-    not callable = viableCallable(call) and
-    not any(ConsistencyConfiguration c).viableImplInCallContextTooLargeExclude(call, ctx, callable)
-  }
-
-  query predicate uniqueParameterNodeAtPosition(
-    DataFlowCallable c, ParameterPosition pos, Node p, string msg
-  ) {
-    not any(ConsistencyConfiguration conf).uniqueParameterNodeAtPositionExclude(c, pos, p) and
-    isParameterNode(p, c, pos) and
-    not exists(unique(Node p0 | isParameterNode(p0, c, pos))) and
-    msg = "Parameters with overlapping positions."
-  }
-
-  query predicate uniqueParameterNodePosition(
-    DataFlowCallable c, ParameterPosition pos, Node p, string msg
-  ) {
-    not any(ConsistencyConfiguration conf).uniqueParameterNodePositionExclude(c, pos, p) and
-    isParameterNode(p, c, pos) and
-    not exists(unique(ParameterPosition pos0 | isParameterNode(p, c, pos0))) and
-    msg = "Parameter node with multiple positions."
-  }
-
-  query predicate uniqueContentApprox(Content c, string msg) {
-    not exists(unique(ContentApprox approx | approx = getContentApprox(c))) and
-    msg = "Non-unique content approximation."
-  }
-
-  query predicate identityLocalStep(Node n, string msg) {
-    simpleLocalFlowStep(n, n) and
-    not any(ConsistencyConfiguration c).identityLocalStepExclude(n) and
-    msg = "Node steps to itself"
+private module Input implements InputSig<CppDataFlow> {
+  predicate argHasPostUpdateExclude(Private::ArgumentNode n) {
+    // The rules for whether an IR argument gets a post-update node are too
+    // complex to model here.
+    any()
   }
 }
+
+module Consistency = MakeConsistency<CppDataFlow, CppTaintTracking, Input>;

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplSpecific.qll

@@ -18,4 +18,6 @@ module CppDataFlow implements InputSig {
   import Public
 
   Node exprNode(DataFlowExpr e) { result = Public::exprNode(e) }
+
+  predicate getAdditionalFlowIntoCallNodeTerm = Private::getAdditionalFlowIntoCallNodeTerm/2;
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -2,7 +2,6 @@ private import cpp as Cpp
 private import DataFlowUtil
 private import semmle.code.cpp.ir.IR
 private import DataFlowDispatch
-private import DataFlowImplConsistency
 private import semmle.code.cpp.ir.internal.IRCppLanguage
 private import SsaInternals as Ssa
 private import DataFlowImplCommon as DataFlowImplCommon
@@ -220,9 +219,10 @@ private module IndirectOperands {
     int indirectionIndex;
 
     IndirectOperandFromIRRepr() {
-      exists(Operand repr |
-        repr = Ssa::getIRRepresentationOfIndirectOperand(operand, indirectionIndex) and
-        nodeHasOperand(this, repr, indirectionIndex - 1)
+      exists(Operand repr, int indirectionIndexRepr |
+        Ssa::hasIRRepresentationOfIndirectOperand(operand, indirectionIndex, repr,
+          indirectionIndexRepr) and
+        nodeHasOperand(this, repr, indirectionIndexRepr)
       )
     }
 
@@ -262,9 +262,10 @@ private module IndirectInstructions {
     int indirectionIndex;
 
     IndirectInstructionFromIRRepr() {
-      exists(Instruction repr |
-        repr = Ssa::getIRRepresentationOfIndirectInstruction(instr, indirectionIndex) and
-        nodeHasInstruction(this, repr, indirectionIndex - 1)
+      exists(Instruction repr, int indirectionIndexRepr |
+        Ssa::hasIRRepresentationOfIndirectInstruction(instr, indirectionIndex, repr,
+          indirectionIndexRepr) and
+        nodeHasInstruction(this, repr, indirectionIndexRepr)
       )
     }
 
@@ -690,7 +691,7 @@ predicate storeStep(Node node1, ContentSet c, Node node2) { storeStepImpl(node1,
 private predicate numberOfLoadsFromOperandRec(
   Operand operandFrom, Operand operandTo, int ind, boolean certain
 ) {
-  exists(Instruction load | Ssa::isDereference(load, operandFrom) |
+  exists(Instruction load | Ssa::isDereference(load, operandFrom, _) |
     operandTo = operandFrom and ind = 0 and certain = true
     or
     numberOfLoadsFromOperand(load.getAUse(), operandTo, ind - 1, certain)
@@ -714,7 +715,7 @@ private predicate numberOfLoadsFromOperand(
 ) {
   numberOfLoadsFromOperandRec(operandFrom, operandTo, n, certain)
   or
-  not Ssa::isDereference(_, operandFrom) and
+  not Ssa::isDereference(_, operandFrom, _) and
   not conversionFlow(operandFrom, _, _, _) and
   operandFrom = operandTo and
   n = 0 and
@@ -803,6 +804,8 @@ predicate expectsContent(Node n, ContentSet c) { none() }
 
 predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { none() }
 
+predicate localMustFlowStep(Node node1, Node node2) { none() }
+
 /** Gets the type of `n` used for type pruning. */
 DataFlowType getNodeType(Node n) {
   suppressUnusedNode(n) and
@@ -1011,14 +1014,6 @@ ContentApprox getContentApprox(Content c) {
   )
 }
 
-private class MyConsistencyConfiguration extends Consistency::ConsistencyConfiguration {
-  override predicate argHasPostUpdateExclude(ArgumentNode n) {
-    // The rules for whether an IR argument gets a post-update node are too
-    // complex to model here.
-    any()
-  }
-}
-
 /**
  * A local flow relation that includes both local steps, read steps and
  * argument-to-return flow through summarized functions.

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -193,13 +193,23 @@ class Node extends TIRDataFlowNode {
    * a `Conversion`, then the result is the underlying non-`Conversion` base
    * expression.
    */
-  Expr asExpr() { result = this.(ExprNode).getExpr() }
+  Expr asExpr() { result = this.asExpr(_) }
+
+  /**
+   * INTERNAL: Do not use.
+   */
+  Expr asExpr(int n) { result = this.(ExprNode).getExpr(n) }
+
+  /**
+   * INTERNAL: Do not use.
+   */
+  Expr asIndirectExpr(int n, int index) { result = this.(IndirectExprNode).getExpr(n, index) }
 
   /**
    * Gets the non-conversion expression that's indirectly tracked by this node
    * under `index` number of indirections.
    */
-  Expr asIndirectExpr(int index) { result = this.(IndirectExprNode).getExpr(index) }
+  Expr asIndirectExpr(int index) { result = this.asIndirectExpr(_, index) }
 
   /**
    * Gets the non-conversion expression that's indirectly tracked by this node
@@ -211,15 +221,26 @@ class Node extends TIRDataFlowNode {
    * Gets the expression corresponding to this node, if any. The returned
    * expression may be a `Conversion`.
    */
-  Expr asConvertedExpr() { result = this.(ExprNode).getConvertedExpr() }
+  Expr asConvertedExpr() { result = this.asConvertedExpr(_) }
+
+  /**
+   * Gets the expression corresponding to this node, if any. The returned
+   * expression may be a `Conversion`.
+   */
+  Expr asConvertedExpr(int n) { result = this.(ExprNode).getConvertedExpr(n) }
+
+  /**
+   * INTERNAL: Do not use.
+   */
+  Expr asIndirectConvertedExpr(int n, int index) {
+    result = this.(IndirectExprNode).getConvertedExpr(n, index)
+  }
 
   /**
    * Gets the expression that's indirectly tracked by this node
    * behind `index` number of indirections.
    */
-  Expr asIndirectConvertedExpr(int index) {
-    result = this.(IndirectExprNode).getConvertedExpr(index)
-  }
+  Expr asIndirectConvertedExpr(int index) { result = this.asIndirectConvertedExpr(_, index) }
 
   /**
    * Gets the expression that's indirectly tracked by this node behind a
@@ -254,9 +275,7 @@ class Node extends TIRDataFlowNode {
    * after the `f` has returned.
    */
   Expr asDefiningArgument(int index) {
-    // Subtract one because `DefinitionByReferenceNode` is defined to be in
-    // the range `[0 ... n - 1]` for some `n` instead of `[1 ... n]`.
-    this.(DefinitionByReferenceNode).getIndirectionIndex() = index - 1 and
+    this.(DefinitionByReferenceNode).getIndirectionIndex() = index and
     result = this.(DefinitionByReferenceNode).getArgument()
   }
 
@@ -393,9 +412,10 @@ class Node extends TIRDataFlowNode {
 }
 
 private string toExprString(Node n) {
-  result = n.asExpr().toString()
+  result = n.asExpr(0).toString()
   or
-  result = n.asIndirectExpr().toString() + " indirection"
+  not exists(n.asExpr()) and
+  result = n.asIndirectExpr(0, 1).toString() + " indirection"
 }
 
 /**
@@ -550,11 +570,14 @@ class SsaPhiNode extends Node, TSsaPhiNode {
    * `fromBackEdge` is true if data flows along a back-edge,
    * and `false` otherwise.
    */
+  cached
   final Node getAnInput(boolean fromBackEdge) {
     localFlowStep(result, this) and
-    if phi.getBasicBlock().dominates(result.getBasicBlock())
-    then fromBackEdge = true
-    else fromBackEdge = false
+    exists(IRBlock bPhi, IRBlock bResult |
+      bPhi = phi.getBasicBlock() and bResult = result.getBasicBlock()
+    |
+      if bPhi.dominates(bResult) then fromBackEdge = true else fromBackEdge = false
+    )
   }
 
   /** Gets a node that is used as input to this phi node. */
@@ -932,7 +955,7 @@ class RawIndirectOperand extends Node, TRawIndirectOperand {
   }
 
   override string toStringImpl() {
-    result = instructionNode(this.getOperand().getDef()).toStringImpl() + " indirection"
+    result = operandNode(this.getOperand()).toStringImpl() + " indirection"
   }
 }
 
@@ -1039,77 +1062,130 @@ class RawIndirectInstruction extends Node, TRawIndirectInstruction {
   }
 }
 
-/** Holds if `node` is an `OperandNode` that should map `node.asExpr()` to `e`. */
-predicate exprNodeShouldBeOperand(OperandNode node, Expr e) {
-  exists(Instruction def |
-    unique( | | getAUse(def)) = node.getOperand() and
-    e = def.getConvertedResultExpression()
-  )
+private module GetConvertedResultExpression {
+  private import semmle.code.cpp.ir.implementation.raw.internal.TranslatedExpr
+  private import semmle.code.cpp.ir.implementation.raw.internal.InstructionTag
+
+  private Operand getAnInitializeDynamicAllocationInstructionAddress() {
+    result = any(InitializeDynamicAllocationInstruction init).getAllocationAddressOperand()
+  }
+
+  /**
+   * Gets the expression that should be returned as the result expression from `instr`.
+   *
+   * Note that this predicate may return multiple results in cases where a conversion belongs to a
+   * different AST element than its operand.
+   */
+  Expr getConvertedResultExpression(Instruction instr, int n) {
+    // Only fully converted instructions have a result for `asConvertedExpr`
+    not conversionFlow(unique(Operand op |
+        // The address operand of a `InitializeDynamicAllocationInstruction` is
+        // special: we need to handle it during dataflow (since it's
+        // effectively a store to an indirection), but it doesn't appear in
+        // source syntax, so dataflow node <-> expression conversion shouldn't
+        // care about it.
+        op = getAUse(instr) and not op = getAnInitializeDynamicAllocationInstructionAddress()
+      |
+        op
+      ), _, false, false) and
+    result = getConvertedResultExpressionImpl(instr) and
+    n = 0
+    or
+    // If the conversion also has a result then we return multiple results
+    exists(Operand operand | conversionFlow(operand, instr, false, false) |
+      n = 1 and
+      result = getConvertedResultExpressionImpl(operand.getDef())
+      or
+      result = getConvertedResultExpression(operand.getDef(), n - 1)
+    )
+  }
+
+  private Expr getConvertedResultExpressionImpl0(Instruction instr) {
+    // For an expression such as `i += 2` we pretend that the generated
+    // `StoreInstruction` contains the result of the expression even though
+    // this isn't totally aligned with the C/C++ standard.
+    exists(TranslatedAssignOperation tao |
+      result = tao.getExpr() and
+      instr = tao.getInstruction(any(AssignmentStoreTag tag))
+    )
+    or
+    // Similarly for `i++` and `++i` we pretend that the generated
+    // `StoreInstruction` is contains the result of the expression even though
+    // this isn't totally aligned with the C/C++ standard.
+    exists(TranslatedCrementOperation tco |
+      result = tco.getExpr() and
+      instr = tco.getInstruction(any(CrementStoreTag tag))
+    )
+    or
+    // IR construction inserts an additional cast to a `size_t` on the extent
+    // of a `new[]` expression. The resulting `ConvertInstruction` doesn't have
+    // a result for `getConvertedResultExpression`. We remap this here so that
+    // this `ConvertInstruction` maps to the result of the expression that
+    // represents the extent.
+    exists(TranslatedNonConstantAllocationSize tas |
+      result = tas.getExtent().getExpr() and
+      instr = tas.getInstruction(any(AllocationExtentConvertTag tag))
+    )
+    or
+    // There's no instruction that returns `ParenthesisExpr`, but some queries
+    // expect this
+    exists(TranslatedTransparentConversion ttc |
+      result = ttc.getExpr().(ParenthesisExpr) and
+      instr = ttc.getResult()
+    )
+  }
+
+  private Expr getConvertedResultExpressionImpl(Instruction instr) {
+    result = getConvertedResultExpressionImpl0(instr)
+    or
+    not exists(getConvertedResultExpressionImpl0(instr)) and
+    result = instr.getConvertedResultExpression()
+  }
 }
 
-private predicate indirectExprNodeShouldBeIndirectOperand0(
-  VariableAddressInstruction instr, RawIndirectOperand node, Expr e
-) {
-  instr = node.getOperand().getDef() and
-  e = instr.getAst().(Expr).getUnconverted()
+private import GetConvertedResultExpression
+
+/** Holds if `node` is an `OperandNode` that should map `node.asExpr()` to `e`. */
+predicate exprNodeShouldBeOperand(OperandNode node, Expr e, int n) {
+  exists(Instruction def |
+    unique( | | getAUse(def)) = node.getOperand() and
+    e = getConvertedResultExpression(def, n)
+  )
 }
 
 /** Holds if `node` should be an `IndirectOperand` that maps `node.asIndirectExpr()` to `e`. */
-private predicate indirectExprNodeShouldBeIndirectOperand(RawIndirectOperand node, Expr e) {
-  exists(Instruction instr | instr = node.getOperand().getDef() |
-    exists(Expr e0 |
-      indirectExprNodeShouldBeIndirectOperand0(instr, node, e0) and
-      e = e0.getFullyConverted()
-    )
-    or
-    not indirectExprNodeShouldBeIndirectOperand0(_, node, _) and
-    e = instr.getConvertedResultExpression()
+private predicate indirectExprNodeShouldBeIndirectOperand(
+  IndirectOperand node, Expr e, int n, int indirectionIndex
+) {
+  exists(Instruction def |
+    node.hasOperandAndIndirectionIndex(unique( | | getAUse(def)), indirectionIndex) and
+    e = getConvertedResultExpression(def, n)
   )
 }
 
-private predicate exprNodeShouldBeIndirectOutNode(IndirectArgumentOutNode node, Expr e) {
+private predicate exprNodeShouldBeIndirectOutNode(IndirectArgumentOutNode node, Expr e, int n) {
   exists(CallInstruction call |
     call.getStaticCallTarget() instanceof Constructor and
-    e = call.getConvertedResultExpression() and
+    e = getConvertedResultExpression(call, n) and
     call.getThisArgumentOperand() = node.getAddressOperand()
   )
 }
 
 /** Holds if `node` should be an instruction node that maps `node.asExpr()` to `e`. */
-predicate exprNodeShouldBeInstruction(Node node, Expr e) {
-  not exprNodeShouldBeOperand(_, e) and
-  not exprNodeShouldBeIndirectOutNode(_, e) and
-  (
-    e = node.asInstruction().getConvertedResultExpression()
-    or
-    // The instruction that contains the result of an `AssignOperation` is
-    // the unloaded left operand (see the comments in `TranslatedAssignOperation`).
-    // That means that for cases like
-    // ```cpp
-    // int x = ...;
-    // x += 1;
-    // ```
-    // the result of `x += 1` is the `VariableAddressInstruction` that represents `x`. But
-    // that instruction doesn't receive the flow from this `AssignOperation`. So instead we
-    // map the operation to the `AddInstruction`.
-    node.asInstruction().getAst() = e.(AssignOperation)
-    or
-    // Same story for `CrementOperation`s (cf. the comments in the subclasses
-    // of `TranslatedCrementOperation`).
-    node.asInstruction().getAst() = e.(CrementOperation)
-  )
+predicate exprNodeShouldBeInstruction(Node node, Expr e, int n) {
+  not exprNodeShouldBeOperand(_, e, n) and
+  not exprNodeShouldBeIndirectOutNode(_, e, n) and
+  e = getConvertedResultExpression(node.asInstruction(), n)
 }
 
 /** Holds if `node` should be an `IndirectInstruction` that maps `node.asIndirectExpr()` to `e`. */
-predicate indirectExprNodeShouldBeIndirectInstruction(IndirectInstruction node, Expr e) {
+predicate indirectExprNodeShouldBeIndirectInstruction(
+  IndirectInstruction node, Expr e, int n, int indirectionIndex
+) {
+  not indirectExprNodeShouldBeIndirectOperand(_, e, n, indirectionIndex) and
   exists(Instruction instr |
-    node.hasInstructionAndIndirectionIndex(instr, _) and
-    not indirectExprNodeShouldBeIndirectOperand(_, e)
-  |
-    e = instr.(VariableAddressInstruction).getAst().(Expr).getFullyConverted()
-    or
-    not instr instanceof VariableAddressInstruction and
-    e = instr.getConvertedResultExpression()
+    node.hasInstructionAndIndirectionIndex(instr, indirectionIndex) and
+    e = getConvertedResultExpression(instr, n)
   )
 }
 
@@ -1118,30 +1194,32 @@ abstract private class ExprNodeBase extends Node {
    * Gets the expression corresponding to this node, if any. The returned
    * expression may be a `Conversion`.
    */
-  abstract Expr getConvertedExpr();
+  abstract Expr getConvertedExpr(int n);
 
   /** Gets the non-conversion expression corresponding to this node, if any. */
-  abstract Expr getExpr();
+  final Expr getExpr(int n) { result = this.getConvertedExpr(n).getUnconverted() }
 }
 
 private class InstructionExprNode extends ExprNodeBase, InstructionNode {
-  InstructionExprNode() { exprNodeShouldBeInstruction(this, _) }
+  InstructionExprNode() {
+    exists(Expr e, int n |
+      exprNodeShouldBeInstruction(this, e, n) and
+      not exprNodeShouldBeInstruction(_, e, n + 1)
+    )
+  }
 
-  final override Expr getConvertedExpr() { exprNodeShouldBeInstruction(this, result) }
-
-  final override Expr getExpr() { result = this.getConvertedExpr().getUnconverted() }
-
-  final override string toStringImpl() { result = this.getConvertedExpr().toString() }
+  final override Expr getConvertedExpr(int n) { exprNodeShouldBeInstruction(this, result, n) }
 }
 
 private class OperandExprNode extends ExprNodeBase, OperandNode {
-  OperandExprNode() { exprNodeShouldBeOperand(this, _) }
+  OperandExprNode() {
+    exists(Expr e, int n |
+      exprNodeShouldBeOperand(this, e, n) and
+      not exprNodeShouldBeOperand(_, e, n + 1)
+    )
+  }
 
-  final override Expr getConvertedExpr() { exprNodeShouldBeOperand(this, result) }
-
-  final override Expr getExpr() { result = this.getConvertedExpr().getUnconverted() }
-
-  final override string toStringImpl() { result = this.getConvertedExpr().toString() }
+  final override Expr getConvertedExpr(int n) { exprNodeShouldBeOperand(this, result, n) }
 }
 
 abstract private class IndirectExprNodeBase extends Node {
@@ -1149,67 +1227,75 @@ abstract private class IndirectExprNodeBase extends Node {
    * Gets the expression corresponding to this node, if any. The returned
    * expression may be a `Conversion`.
    */
-  abstract Expr getConvertedExpr(int indirectionIndex);
+  abstract Expr getConvertedExpr(int n, int indirectionIndex);
 
   /** Gets the non-conversion expression corresponding to this node, if any. */
-  abstract Expr getExpr(int indirectionIndex);
-}
-
-private class IndirectOperandIndirectExprNode extends IndirectExprNodeBase, RawIndirectOperand {
-  IndirectOperandIndirectExprNode() { indirectExprNodeShouldBeIndirectOperand(this, _) }
-
-  final override Expr getConvertedExpr(int index) {
-    this.getIndirectionIndex() = index and
-    indirectExprNodeShouldBeIndirectOperand(this, result)
-  }
-
-  final override Expr getExpr(int index) {
-    this.getIndirectionIndex() = index and
-    result = this.getConvertedExpr(index).getUnconverted()
+  final Expr getExpr(int n, int indirectionIndex) {
+    result = this.getConvertedExpr(n, indirectionIndex).getUnconverted()
   }
 }
 
-private class IndirectInstructionIndirectExprNode extends IndirectExprNodeBase,
-  RawIndirectInstruction
+private class IndirectOperandIndirectExprNode extends IndirectExprNodeBase instanceof IndirectOperand
 {
-  IndirectInstructionIndirectExprNode() { indirectExprNodeShouldBeIndirectInstruction(this, _) }
-
-  final override Expr getConvertedExpr(int index) {
-    this.getIndirectionIndex() = index and
-    indirectExprNodeShouldBeIndirectInstruction(this, result)
+  IndirectOperandIndirectExprNode() {
+    exists(Expr e, int n, int indirectionIndex |
+      indirectExprNodeShouldBeIndirectOperand(this, e, n, indirectionIndex) and
+      not indirectExprNodeShouldBeIndirectOperand(_, e, n + 1, indirectionIndex)
+    )
   }
 
-  final override Expr getExpr(int index) {
-    this.getIndirectionIndex() = index and
-    result = this.getConvertedExpr(index).getUnconverted()
+  final override Expr getConvertedExpr(int n, int index) {
+    indirectExprNodeShouldBeIndirectOperand(this, result, n, index)
+  }
+}
+
+private class IndirectInstructionIndirectExprNode extends IndirectExprNodeBase instanceof IndirectInstruction
+{
+  IndirectInstructionIndirectExprNode() {
+    exists(Expr e, int n, int indirectionIndex |
+      indirectExprNodeShouldBeIndirectInstruction(this, e, n, indirectionIndex) and
+      not indirectExprNodeShouldBeIndirectInstruction(_, e, n + 1, indirectionIndex)
+    )
+  }
+
+  final override Expr getConvertedExpr(int n, int index) {
+    indirectExprNodeShouldBeIndirectInstruction(this, result, n, index)
   }
 }
 
 private class IndirectArgumentOutExprNode extends ExprNodeBase, IndirectArgumentOutNode {
-  IndirectArgumentOutExprNode() { exprNodeShouldBeIndirectOutNode(this, _) }
+  IndirectArgumentOutExprNode() { exprNodeShouldBeIndirectOutNode(this, _, _) }
 
-  final override Expr getConvertedExpr() { exprNodeShouldBeIndirectOutNode(this, result) }
-
-  final override Expr getExpr() { result = this.getConvertedExpr() }
+  final override Expr getConvertedExpr(int n) { exprNodeShouldBeIndirectOutNode(this, result, n) }
 }
 
 /**
  * An expression, viewed as a node in a data flow graph.
  */
 class ExprNode extends Node instanceof ExprNodeBase {
+  /**
+   * INTERNAL: Do not use.
+   */
+  Expr getExpr(int n) { result = super.getExpr(n) }
+
   /**
    * Gets the non-conversion expression corresponding to this node, if any. If
    * this node strictly (in the sense of `getConvertedExpr`) corresponds to a
    * `Conversion`, then the result is that `Conversion`'s non-`Conversion` base
    * expression.
    */
-  Expr getExpr() { result = super.getExpr() }
+  final Expr getExpr() { result = this.getExpr(_) }
+
+  /**
+   * INTERNAL: Do not use.
+   */
+  Expr getConvertedExpr(int n) { result = super.getConvertedExpr(n) }
 
   /**
    * Gets the expression corresponding to this node, if any. The returned
    * expression may be a `Conversion`.
    */
-  Expr getConvertedExpr() { result = super.getConvertedExpr() }
+  final Expr getConvertedExpr() { result = this.getConvertedExpr(_) }
 }
 
 /**
@@ -1222,13 +1308,27 @@ class IndirectExprNode extends Node instanceof IndirectExprNodeBase {
    * `Conversion`, then the result is that `Conversion`'s non-`Conversion` base
    * expression.
    */
-  Expr getExpr(int indirectionIndex) { result = super.getExpr(indirectionIndex) }
+  final Expr getExpr(int indirectionIndex) { result = this.getExpr(_, indirectionIndex) }
+
+  /**
+   * INTERNAL: Do not use.
+   */
+  Expr getExpr(int n, int indirectionIndex) { result = super.getExpr(n, indirectionIndex) }
+
+  /**
+   * INTERNAL: Do not use.
+   */
+  Expr getConvertedExpr(int n, int indirectionIndex) {
+    result = super.getConvertedExpr(n, indirectionIndex)
+  }
 
   /**
    * Gets the expression corresponding to this node, if any. The returned
    * expression may be a `Conversion`.
    */
-  Expr getConvertedExpr(int indirectionIndex) { result = super.getConvertedExpr(indirectionIndex) }
+  Expr getConvertedExpr(int indirectionIndex) {
+    result = this.getConvertedExpr(_, indirectionIndex)
+  }
 }
 
 /**
@@ -1254,6 +1354,9 @@ class ParameterNode extends Node {
    * pointer-indirection parameters are at further negative positions.
    */
   predicate isParameterOf(Function f, ParameterPosition pos) { none() } // overridden by subclasses
+
+  /** Gets the `Parameter` associated with this node, if it exists. */
+  Parameter getParameter() { none() } // overridden by subclasses
 }
 
 /** An explicit positional parameter, including `this`, but not `...`. */
@@ -1276,10 +1379,9 @@ private class ExplicitParameterNode extends ParameterNode, DirectParameterNode {
     f.getParameter(pos.(DirectPosition).getIndex()) = instr.getParameter()
   }
 
-  /** Gets the `Parameter` associated with this node. */
-  Parameter getParameter() { result = instr.getParameter() }
-
   override string toStringImpl() { result = instr.getParameter().toString() }
+
+  override Parameter getParameter() { result = instr.getParameter() }
 }
 
 /** An implicit `this` parameter. */
@@ -1441,7 +1543,7 @@ OperandNode operandNode(Operand operand) { result.getOperand() = operand }
  * _out of_ an expression, like when an argument is passed by reference, use
  * `definitionByReferenceNodeFromArgument` instead.
  */
-ExprNode exprNode(Expr e) { result.getExpr() = e }
+ExprNode exprNode(Expr e) { result.getExpr(_) = e }
 
 /**
  * Gets the `Node` corresponding to the value of evaluating `e`. Here, `e` may
@@ -1449,7 +1551,7 @@ ExprNode exprNode(Expr e) { result.getExpr() = e }
  * argument is passed by reference, use
  * `definitionByReferenceNodeFromArgument` instead.
  */
-ExprNode convertedExprNode(Expr e) { result.getConvertedExpr() = e }
+ExprNode convertedExprNode(Expr e) { result.getConvertedExpr(_) = e }
 
 /**
  * Gets the `Node` corresponding to the value of `p` at function entry.
@@ -1594,16 +1696,7 @@ private module Cached {
     // Reverse flow: data that flows from the definition node back into the indirection returned
     // by a function. This allows data to flow 'in' through references returned by a modeled
     // function such as `operator[]`.
-    exists(Operand address, int indirectionIndex |
-      nodeHasOperand(nodeTo.(IndirectReturnOutNode), address, indirectionIndex)
-    |
-      exists(StoreInstruction store |
-        nodeHasInstruction(nodeFrom, store, indirectionIndex - 1) and
-        store.getDestinationAddressOperand() = address
-      )
-      or
-      Ssa::outNodeHasAddressAndIndex(nodeFrom, address, indirectionIndex)
-    )
+    reverseFlow(nodeFrom, nodeTo)
   }
 
   private predicate simpleInstructionLocalFlowStep(Operand opFrom, Instruction iTo) {
@@ -1634,6 +1727,39 @@ private module Cached {
       )
     )
   }
+
+  private predicate reverseFlow(Node nodeFrom, Node nodeTo) {
+    reverseFlowOperand(nodeFrom, nodeTo)
+    or
+    reverseFlowInstruction(nodeFrom, nodeTo)
+  }
+
+  private predicate reverseFlowOperand(Node nodeFrom, IndirectReturnOutNode nodeTo) {
+    exists(Operand address, int indirectionIndex |
+      nodeHasOperand(nodeTo, address, indirectionIndex)
+    |
+      exists(StoreInstruction store |
+        nodeHasInstruction(nodeFrom, store, indirectionIndex - 1) and
+        store.getDestinationAddressOperand() = address
+      )
+      or
+      // We also want a write coming out of an `OutNode` to flow `nodeTo`.
+      // This is different from `reverseFlowInstruction` since `nodeFrom` can never
+      // be an `OutNode` when it's defined by an instruction.
+      Ssa::outNodeHasAddressAndIndex(nodeFrom, address, indirectionIndex)
+    )
+  }
+
+  private predicate reverseFlowInstruction(Node nodeFrom, IndirectReturnOutNode nodeTo) {
+    exists(Instruction address, int indirectionIndex |
+      nodeHasInstruction(nodeTo, address, indirectionIndex)
+    |
+      exists(StoreInstruction store |
+        nodeHasInstruction(nodeFrom, store, indirectionIndex - 1) and
+        store.getDestinationAddress() = address
+      )
+    )
+  }
 }
 
 import Cached

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll

@@ -87,6 +87,30 @@ module ProductFlow {
      * dataflow graph.
      */
     default predicate isBarrierIn2(DataFlow::Node node) { none() }
+
+    /**
+     * Gets the virtual dispatch branching limit when calculating field flow in the first
+     * projection of the product dataflow graph.
+     *
+     * This can be overridden to a smaller value to improve performance (a
+     * value of 0 disables field flow), or a larger value to get more results.
+     */
+    default int fieldFlowBranchLimit1() {
+      // NOTE: This should be synchronized with the default value in the shared dataflow library
+      result = 2
+    }
+
+    /**
+     * Gets the virtual dispatch branching limit when calculating field flow in the second
+     * projection of the product dataflow graph.
+     *
+     * This can be overridden to a smaller value to improve performance (a
+     * value of 0 disables field flow), or a larger value to get more results.
+     */
+    default int fieldFlowBranchLimit2() {
+      // NOTE: This should be synchronized with the default value in the shared dataflow library
+      result = 2
+    }
   }
 
   /**
@@ -272,6 +296,30 @@ module ProductFlow {
      * dataflow graph.
      */
     default predicate isBarrierIn2(DataFlow::Node node) { none() }
+
+    /**
+     * Gets the virtual dispatch branching limit when calculating field flow in the first
+     * projection of the product dataflow graph.
+     *
+     * This can be overridden to a smaller value to improve performance (a
+     * value of 0 disables field flow), or a larger value to get more results.
+     */
+    default int fieldFlowBranchLimit1() {
+      // NOTE: This should be synchronized with the default value in the shared dataflow library
+      result = 2
+    }
+
+    /**
+     * Gets the virtual dispatch branching limit when calculating field flow in the second
+     * projection of the product dataflow graph.
+     *
+     * This can be overridden to a smaller value to improve performance (a
+     * value of 0 disables field flow), or a larger value to get more results.
+     */
+    default int fieldFlowBranchLimit2() {
+      // NOTE: This should be synchronized with the default value in the shared dataflow library
+      result = 2
+    }
   }
 
   /**
@@ -326,6 +374,8 @@ module ProductFlow {
 
       predicate isBarrier(DataFlow::Node node, FlowState state) { Config::isBarrier1(node, state) }
 
+      predicate isBarrier(DataFlow::Node node) { Config::isBarrier1(node) }
+
       predicate isBarrierOut(DataFlow::Node node) { Config::isBarrierOut1(node) }
 
       predicate isAdditionalFlowStep(
@@ -335,6 +385,8 @@ module ProductFlow {
       }
 
       predicate isBarrierIn(DataFlow::Node node) { Config::isBarrierIn1(node) }
+
+      int fieldFlowBranchLimit() { result = Config::fieldFlowBranchLimit1() }
     }
 
     private module Flow1 = DataFlow::GlobalWithState<Config1>;
@@ -358,6 +410,8 @@ module ProductFlow {
 
       predicate isBarrier(DataFlow::Node node, FlowState state) { Config::isBarrier2(node, state) }
 
+      predicate isBarrier(DataFlow::Node node) { Config::isBarrier2(node) }
+
       predicate isBarrierOut(DataFlow::Node node) { Config::isBarrierOut2(node) }
 
       predicate isAdditionalFlowStep(
@@ -367,6 +421,8 @@ module ProductFlow {
       }
 
       predicate isBarrierIn(DataFlow::Node node) { Config::isBarrierIn2(node) }
+
+      int fieldFlowBranchLimit() { result = Config::fieldFlowBranchLimit2() }
     }
 
     private module Flow2 = DataFlow::GlobalWithState<Config2>;

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -74,7 +74,7 @@ predicate hasRawIndirectOperand(Operand op, int indirectionIndex) {
     type = getLanguageType(op) and
     m = countIndirectionsForCppType(type) and
     indirectionIndex = [1 .. m] and
-    not exists(getIRRepresentationOfIndirectOperand(op, indirectionIndex))
+    not hasIRRepresentationOfIndirectOperand(op, indirectionIndex, _, _)
   )
 }
 
@@ -88,7 +88,7 @@ predicate hasRawIndirectInstruction(Instruction instr, int indirectionIndex) {
     type = getResultLanguageType(instr) and
     m = countIndirectionsForCppType(type) and
     indirectionIndex = [1 .. m] and
-    not exists(getIRRepresentationOfIndirectInstruction(instr, indirectionIndex))
+    not hasIRRepresentationOfIndirectInstruction(instr, indirectionIndex, _, _)
   )
 }
 
@@ -108,7 +108,7 @@ private newtype TDefOrUseImpl =
   } or
   TUseImpl(BaseSourceVariableInstruction base, Operand operand, int indirectionIndex) {
     isUse(_, operand, base, _, indirectionIndex) and
-    not isDef(_, _, operand, _, _, _)
+    not isDef(true, _, operand, _, _, _)
   } or
   TGlobalUse(GlobalLikeVariable v, IRFunction f, int indirectionIndex) {
     // Represents a final "use" of a global variable to ensure that
@@ -447,9 +447,16 @@ class GlobalUse extends UseImpl, TGlobalUse {
   IRFunction getIRFunction() { result = f }
 
   final override predicate hasIndexInBlock(IRBlock block, int index) {
-    exists(ExitFunctionInstruction exit |
-      exit = f.getExitFunctionInstruction() and
-      block.getInstruction(index) = exit
+    // Similar to the `FinalParameterUse` case, we want to generate flow out of
+    // globals at any exit so that we can flow out of non-returning functions.
+    // Obviously this isn't correct as we can't actually flow but the global flow
+    // requires this if we want to flow into children.
+    exists(Instruction return |
+      return instanceof ReturnInstruction or
+      return instanceof UnreachedInstruction
+    |
+      block.getInstruction(index) = return and
+      return.getEnclosingIRFunction() = f
     )
   }
 
@@ -610,7 +617,7 @@ private predicate indirectConversionFlowStep(Node nFrom, Node nTo) {
       hasOperandAndIndex(nFrom, op1, pragma[only_bind_into](indirectionIndex)) and
       hasOperandAndIndex(nTo, op2, indirectionIndex - 1) and
       instr = op2.getDef() and
-      isDereference(instr, op1)
+      isDereference(instr, op1, _)
     )
   )
 }
@@ -638,12 +645,24 @@ private predicate adjustForPointerArith(PostUpdateNode pun, UseOrPhi use) {
   )
 }
 
+/**
+ * Holds if `nodeFrom` flows to `nodeTo` because there is `def-use` or
+ * `use-use` flow from `defOrUse` to `use`.
+ *
+ * `uncertain` is `true` if the `defOrUse` is an uncertain definition.
+ */
+private predicate localSsaFlow(
+  SsaDefOrUse defOrUse, Node nodeFrom, UseOrPhi use, Node nodeTo, boolean uncertain
+) {
+  nodeToDefOrUse(nodeFrom, defOrUse, uncertain) and
+  adjacentDefRead(defOrUse, use) and
+  useToNode(use, nodeTo) and
+  nodeFrom != nodeTo
+}
+
 private predicate ssaFlowImpl(SsaDefOrUse defOrUse, Node nodeFrom, Node nodeTo, boolean uncertain) {
   exists(UseOrPhi use |
-    nodeToDefOrUse(nodeFrom, defOrUse, uncertain) and
-    adjacentDefRead(defOrUse, use) and
-    useToNode(use, nodeTo) and
-    nodeFrom != nodeTo
+    localSsaFlow(defOrUse, nodeFrom, use, nodeTo, uncertain)
     or
     // Initial global variable value to a first use
     nodeFrom.(InitialGlobalValue).getGlobalDef() = defOrUse and
@@ -684,19 +703,99 @@ predicate ssaFlow(Node nodeFrom, Node nodeTo) {
   )
 }
 
-private predicate isArgumentOfCallable(DataFlowCall call, ArgumentNode arg) {
-  arg.argumentOf(call, _)
+private predicate isArgumentOfCallableInstruction(DataFlowCall call, Instruction instr) {
+  isArgumentOfCallableOperand(call, unique( | | getAUse(instr)))
 }
 
-/** Holds if there is def-use or use-use flow from `pun` to `nodeTo`. */
-predicate postUpdateFlow(PostUpdateNode pun, Node nodeTo) {
-  exists(UseOrPhi use, Node preUpdate |
+private predicate isArgumentOfCallableOperand(DataFlowCall call, Operand operand) {
+  operand.(ArgumentOperand).getCall() = call
+  or
+  exists(FieldAddressInstruction fai |
+    fai.getObjectAddressOperand() = operand and
+    isArgumentOfCallableInstruction(call, fai)
+  )
+  or
+  exists(Instruction deref |
+    isArgumentOfCallableInstruction(call, deref) and
+    isDereference(deref, operand, _)
+  )
+  or
+  exists(Instruction instr |
+    isArgumentOfCallableInstruction(call, instr) and
+    conversionFlow(operand, instr, _, _)
+  )
+}
+
+private predicate isArgumentOfCallable(DataFlowCall call, Node n) {
+  isArgumentOfCallableOperand(call, n.asOperand())
+  or
+  exists(Operand op |
+    n.(IndirectOperand).hasOperandAndIndirectionIndex(op, _) and
+    isArgumentOfCallableOperand(call, op)
+  )
+  or
+  exists(Instruction instr |
+    n.(IndirectInstruction).hasInstructionAndIndirectionIndex(instr, _) and
+    isArgumentOfCallableInstruction(call, instr)
+  )
+}
+
+/**
+ * Holds if there is use-use flow from `pun`'s pre-update node to `n`.
+ */
+private predicate postUpdateNodeToFirstUse(PostUpdateNode pun, Node n) {
+  exists(UseOrPhi use |
     adjustForPointerArith(pun, use) and
-    useToNode(use, nodeTo) and
+    useToNode(use, n)
+  )
+}
+
+private predicate stepUntilNotInCall(DataFlowCall call, Node n1, Node n2) {
+  isArgumentOfCallable(call, n1) and
+  exists(Node mid | localSsaFlow(_, n1, _, mid, _) |
+    isArgumentOfCallable(call, mid) and
+    stepUntilNotInCall(call, mid, n2)
+    or
+    not isArgumentOfCallable(call, mid) and
+    mid = n2
+  )
+}
+
+bindingset[n1, n2]
+pragma[inline_late]
+private predicate isArgumentOfSameCall(DataFlowCall call, Node n1, Node n2) {
+  isArgumentOfCallable(call, n1) and isArgumentOfCallable(call, n2)
+}
+
+/**
+ * Holds if there is def-use or use-use flow from `pun` to `nodeTo`.
+ *
+ * Note: This is more complex than it sounds. Consider a call such as:
+ * ```cpp
+ * write_first_argument(x, x);
+ * sink(x);
+ * ```
+ * Assume flow comes out of the first argument to `write_first_argument`. We
+ * don't want flow to go to the `x` that's also an argument to
+ * `write_first_argument` (because we just flowed out of that function, and we
+ * don't want to flow back into it again).
+ *
+ * We do, however, want flow from the output argument to `x` on the next line, and
+ * similarly we want flow from the second argument of `write_first_argument` to `x`
+ * on the next line.
+ */
+predicate postUpdateFlow(PostUpdateNode pun, Node nodeTo) {
+  exists(Node preUpdate, Node mid |
     preUpdate = pun.getPreUpdateNode() and
-    not exists(DataFlowCall call |
-      isArgumentOfCallable(call, preUpdate) and isArgumentOfCallable(call, nodeTo)
+    postUpdateNodeToFirstUse(pun, mid)
+  |
+    exists(DataFlowCall call |
+      isArgumentOfSameCall(call, preUpdate, mid) and
+      stepUntilNotInCall(call, mid, nodeTo)
     )
+    or
+    not isArgumentOfSameCall(_, preUpdate, mid) and
+    nodeTo = mid
   )
 }
 
@@ -726,7 +825,7 @@ predicate fromPhiNode(SsaPhiNode nodeFrom, Node nodeTo) {
     or
     exists(PhiNode phiTo |
       phi != phiTo and
-      lastRefRedefExt(phi, _, _, phiTo) and
+      lastRefRedefExt(phi, bb1, i1, phiTo) and
       nodeTo.(SsaPhiNode).getPhiNode() = phiTo
     )
   )

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll

@@ -320,10 +320,20 @@ private module IteratorIndirections {
   }
 }
 
-predicate isDereference(Instruction deref, Operand address) {
-  any(Indirection ind).isAdditionalDereference(deref, address)
+/**
+ * Holds if `deref` is the result of loading the value at the address
+ * represented by `address`.
+ *
+ * If `additional = true` then the dereference comes from an `Indirection`
+ * class (such as a call to an iterator's `operator*`), and if
+ * `additional = false` the dereference is a `LoadInstruction`.
+ */
+predicate isDereference(Instruction deref, Operand address, boolean additional) {
+  any(Indirection ind).isAdditionalDereference(deref, address) and
+  additional = true
   or
-  deref.(LoadInstruction).getSourceAddressOperand() = address
+  deref.(LoadInstruction).getSourceAddressOperand() = address and
+  additional = false
 }
 
 predicate isWrite(Node0Impl value, Operand address, boolean certain) {
@@ -545,7 +555,7 @@ private module Cached {
       isDef(_, value, iteratorDerefAddress, iteratorBase, numberOfLoads + 2, 0) and
       isUse(_, iteratorAddress, iteratorBase, numberOfLoads + 1, 0) and
       iteratorBase.getResultType() instanceof Interfaces::Iterator and
-      isDereference(iteratorAddress.getDef(), read.getArgumentDef().getAUse()) and
+      isDereference(iteratorAddress.getDef(), read.getArgumentDef().getAUse(), _) and
       memory = read.getSideEffectOperand().getAnyDef()
     )
   }
@@ -781,11 +791,14 @@ private module Cached {
    * instead associated with the operand returned by this predicate.
    */
   cached
-  Operand getIRRepresentationOfIndirectOperand(Operand operand, int indirectionIndex) {
+  predicate hasIRRepresentationOfIndirectOperand(
+    Operand operand, int indirectionIndex, Operand operandRepr, int indirectionIndexRepr
+  ) {
+    indirectionIndex = [1 .. countIndirectionsForCppType(getLanguageType(operand))] and
     exists(Instruction load |
-      isDereference(load, operand) and
-      result = unique( | | getAUse(load)) and
-      isUseImpl(operand, _, indirectionIndex - 1)
+      isDereference(load, operand, false) and
+      operandRepr = unique( | | getAUse(load)) and
+      indirectionIndexRepr = indirectionIndex - 1
     )
   }
 
@@ -797,12 +810,15 @@ private module Cached {
    * instead associated with the instruction returned by this predicate.
    */
   cached
-  Instruction getIRRepresentationOfIndirectInstruction(Instruction instr, int indirectionIndex) {
+  predicate hasIRRepresentationOfIndirectInstruction(
+    Instruction instr, int indirectionIndex, Instruction instrRepr, int indirectionIndexRepr
+  ) {
+    indirectionIndex = [1 .. countIndirectionsForCppType(getResultLanguageType(instr))] and
     exists(Instruction load, Operand address |
-      address.getDef() = instr and
-      isDereference(load, address) and
-      isUseImpl(address, _, indirectionIndex - 1) and
-      result = load
+      address = unique( | | getAUse(instr)) and
+      isDereference(load, address, false) and
+      instrRepr = load and
+      indirectionIndexRepr = indirectionIndex - 1
     )
   }
 
@@ -823,7 +839,7 @@ private module Cached {
     or
     exists(int ind0 |
       exists(Operand address |
-        isDereference(operand.getDef(), address) and
+        isDereference(operand.getDef(), address, _) and
         isUseImpl(address, base, ind0)
       )
       or
@@ -893,7 +909,7 @@ private module Cached {
     )
     or
     exists(Operand address, boolean certain0 |
-      isDereference(operand.getDef(), address) and
+      isDereference(operand.getDef(), address, _) and
       isDefImpl(address, base, ind - 1, certain0)
     |
       if isCertainAddress(operand) then certain = certain0 else certain = false

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingImplSpecific.qll

@@ -0,0 +1,10 @@
+/**
+ * Provides C++-specific definitions for use in the taint tracking library.
+ */
+
+private import codeql.dataflow.TaintTracking
+private import DataFlowImplSpecific
+
+module CppTaintTracking implements InputSig<CppDataFlow> {
+  import TaintTrackingUtil
+}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll

@@ -57,7 +57,7 @@ private predicate operandToInstructionTaintStep(Operand opFrom, Instruction inst
   )
   or
   // Taint flow from an address to its dereference.
-  Ssa::isDereference(instrTo, opFrom)
+  Ssa::isDereference(instrTo, opFrom, _)
   or
   // Unary instructions tend to preserve enough information in practice that we
   // want taint to flow through.
@@ -112,7 +112,7 @@ predicate defaultAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
  * of `c` at sinks and inputs to additional taint steps.
  */
 bindingset[node]
-predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::Content c) { none() }
+predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet c) { none() }
 
 /**
  * Holds if `node` should be a sanitizer in all global taint flow configurations

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTracking.qll

@@ -1,75 +0,0 @@
-/**
- * Provides classes for performing local (intra-procedural) and
- * global (inter-procedural) taint-tracking analyses.
- */
-
-import TaintTrackingParameter::Public
-private import TaintTrackingParameter::Private
-
-private module AddTaintDefaults<DataFlowInternal::FullStateConfigSig Config> implements
-  DataFlowInternal::FullStateConfigSig
-{
-  import Config
-
-  predicate isBarrier(DataFlow::Node node) {
-    Config::isBarrier(node) or defaultTaintSanitizer(node)
-  }
-
-  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    Config::isAdditionalFlowStep(node1, node2) or
-    defaultAdditionalTaintStep(node1, node2)
-  }
-
-  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
-    Config::allowImplicitRead(node, c)
-    or
-    (
-      Config::isSink(node) or
-      Config::isSink(node, _) or
-      Config::isAdditionalFlowStep(node, _) or
-      Config::isAdditionalFlowStep(node, _, _, _)
-    ) and
-    defaultImplicitTaintRead(node, c)
-  }
-}
-
-/**
- * Constructs a global taint tracking computation.
- */
-module Global<DataFlow::ConfigSig Config> implements DataFlow::GlobalFlowSig {
-  private module Config0 implements DataFlowInternal::FullStateConfigSig {
-    import DataFlowInternal::DefaultState<Config>
-    import Config
-  }
-
-  private module C implements DataFlowInternal::FullStateConfigSig {
-    import AddTaintDefaults<Config0>
-  }
-
-  import DataFlowInternal::Impl<C>
-}
-
-/** DEPRECATED: Use `Global` instead. */
-deprecated module Make<DataFlow::ConfigSig Config> implements DataFlow::GlobalFlowSig {
-  import Global<Config>
-}
-
-/**
- * Constructs a global taint tracking computation using flow state.
- */
-module GlobalWithState<DataFlow::StateConfigSig Config> implements DataFlow::GlobalFlowSig {
-  private module Config0 implements DataFlowInternal::FullStateConfigSig {
-    import Config
-  }
-
-  private module C implements DataFlowInternal::FullStateConfigSig {
-    import AddTaintDefaults<Config0>
-  }
-
-  import DataFlowInternal::Impl<C>
-}
-
-/** DEPRECATED: Use `GlobalWithState` instead. */
-deprecated module MakeWithState<DataFlow::StateConfigSig Config> implements DataFlow::GlobalFlowSig {
-  import GlobalWithState<Config>
-}

cpp/ql/lib/semmle/code/cpp/ir/implementation/Opcode.qll

@@ -55,6 +55,7 @@ private newtype TOpcode =
   TVariableAddress() or
   TFieldAddress() or
   TFunctionAddress() or
+  TVirtualDeleteFunctionAddress() or
   TElementsAddress() or
   TConstant() or
   TStringConstant() or
@@ -887,6 +888,15 @@ module Opcode {
     final override string toString() { result = "FunctionAddress" }
   }
 
+  /**
+   * The `Opcode` for a `VirtualDeleteFunctionAddress`.
+   *
+   * See the `VirtualDeleteFunctionAddressInstruction` documentation for more details.
+   */
+  class VirtualDeleteFunctionAddress extends Opcode, TVirtualDeleteFunctionAddress {
+    final override string toString() { result = "VirtualDeleteFunctionAddress" }
+  }
+
   /**
    * The `Opcode` for a `ConstantInstruction`.
    *

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -576,6 +576,22 @@ class FunctionAddressInstruction extends FunctionInstruction {
   FunctionAddressInstruction() { this.getOpcode() instanceof Opcode::FunctionAddress }
 }
 
+/**
+ * An instruction that returns the address of a "virtual" delete function.
+ *
+ * This function, which does not actually exist in the source code, is used to
+ * delete objects of a class with a virtual destructor. In that case the deacllocation
+ * function is selected at runtime based on the dynamic type of the object. So this
+ * function dynamically dispatches to the correct deallocation function.
+ * It also should pass in the required extra arguments to the deallocation function
+ * which may differ dynamically depending on the type of the object.
+ */
+class VirtualDeleteFunctionAddressInstruction extends Instruction {
+  VirtualDeleteFunctionAddressInstruction() {
+    this.getOpcode() instanceof Opcode::VirtualDeleteFunctionAddress
+  }
+}
+
 /**
  * An instruction that initializes a parameter of the enclosing function with the value of the
  * corresponding argument passed by the caller.

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll

@@ -576,6 +576,22 @@ class FunctionAddressInstruction extends FunctionInstruction {
   FunctionAddressInstruction() { this.getOpcode() instanceof Opcode::FunctionAddress }
 }
 
+/**
+ * An instruction that returns the address of a "virtual" delete function.
+ *
+ * This function, which does not actually exist in the source code, is used to
+ * delete objects of a class with a virtual destructor. In that case the deacllocation
+ * function is selected at runtime based on the dynamic type of the object. So this
+ * function dynamically dispatches to the correct deallocation function.
+ * It also should pass in the required extra arguments to the deallocation function
+ * which may differ dynamically depending on the type of the object.
+ */
+class VirtualDeleteFunctionAddressInstruction extends Instruction {
+  VirtualDeleteFunctionAddressInstruction() {
+    this.getOpcode() instanceof Opcode::VirtualDeleteFunctionAddress
+  }
+}
+
 /**
  * An instruction that initializes a parameter of the enclosing function with the value of the
  * corresponding argument passed by the caller.

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll

@@ -405,9 +405,6 @@ predicate hasUnreachedInstruction(IRFunction func) {
   exists(Call c |
     c.getEnclosingFunction() = func.getFunction() and
     any(Options opt).exits(c.getTarget())
-  ) and
-  not exists(TranslatedUnreachableReturnStmt return |
-    return.getEnclosingFunction().getFunction() = func.getFunction()
   )
 }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll

@@ -120,9 +120,9 @@ private predicate hasDefaultSideEffect(Call call, ParameterIndex i, boolean buff
 }
 
 /**
- * A `Call` or `NewOrNewArrayExpr`.
+ * A `Call` or `NewOrNewArrayExpr` or `DeleteOrDeleteArrayExpr`.
  *
- * Both kinds of expression invoke a function as part of their evaluation. This class provides a
+ * All kinds of expression invoke a function as part of their evaluation. This class provides a
  * way to treat both kinds of function similarly, and to get the invoked `Function`.
  */
 class CallOrAllocationExpr extends Expr {
@@ -130,6 +130,8 @@ class CallOrAllocationExpr extends Expr {
     this instanceof Call
     or
     this instanceof NewOrNewArrayExpr
+    or
+    this instanceof DeleteOrDeleteArrayExpr
   }
 
   /** Gets the `Function` invoked by this expression, if known. */
@@ -137,6 +139,8 @@ class CallOrAllocationExpr extends Expr {
     result = this.(Call).getTarget()
     or
     result = this.(NewOrNewArrayExpr).getAllocator()
+    or
+    result = this.(DeleteOrDeleteArrayExpr).getDeallocator()
   }
 }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll

@@ -350,6 +350,9 @@ class TranslatedCallSideEffects extends TranslatedSideEffects, TTranslatedCallSi
     or
     expr instanceof NewOrNewArrayExpr and
     result = getTranslatedAllocatorCall(expr).getInstruction(CallTag())
+    or
+    expr instanceof DeleteOrDeleteArrayExpr and
+    result = getTranslatedDeleteOrDeleteArray(expr).getInstruction(CallTag())
   }
 }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -77,17 +77,17 @@ private predicate ignoreExprAndDescendants(Expr expr) {
     newExpr.getInitializer().getFullyConverted() = expr
   )
   or
+  exists(DeleteOrDeleteArrayExpr deleteExpr |
+    // Ignore the deallocator call, because we always synthesize it.
+    deleteExpr.getDeallocatorCall() = expr
+  )
+  or
   // Do not translate input/output variables in GNU asm statements
   //  getRealParent(expr) instanceof AsmStmt
   //  or
   ignoreExprAndDescendants(getRealParent(expr)) // recursive case
   or
-  // We do not yet translate destructors properly, so for now we ignore any
-  // custom deallocator call, if present.
-  exists(DeleteExpr deleteExpr | deleteExpr.getAllocatorCall() = expr)
-  or
-  exists(DeleteArrayExpr deleteArrayExpr | deleteArrayExpr.getAllocatorCall() = expr)
-  or
+  // va_start doesn't evaluate its argument, so we don't need to translate it.
   exists(BuiltInVarArgsStart vaStartExpr |
     vaStartExpr.getLastNamedParameter().getFullyConverted() = expr
   )
@@ -104,6 +104,12 @@ private predicate ignoreExprOnly(Expr expr) {
     newExpr.getAllocatorCall() = expr
   )
   or
+  exists(DeleteOrDeleteArrayExpr deleteExpr |
+    // Ignore the destructor call as we don't model it yet. Don't ignore
+    // its arguments, though, as they are the arguments to the deallocator.
+    deleteExpr.getDestructorCall() = expr
+  )
+  or
   // The extractor deliberately emits an `ErrorExpr` as the first argument to
   // the allocator call, if any, of a `NewOrNewArrayExpr`. That `ErrorExpr`
   // should not be translated.
@@ -111,13 +117,6 @@ private predicate ignoreExprOnly(Expr expr) {
   or
   not translateFunction(getEnclosingFunction(expr)) and
   not Raw::varHasIRFunc(getEnclosingVariable(expr))
-  or
-  // We do not yet translate destructors properly, so for now we ignore the
-  // destructor call. We do, however, translate the expression being
-  // destructed, and that expression can be a child of the destructor call.
-  exists(DeleteExpr deleteExpr | deleteExpr.getDestructorCall() = expr)
-  or
-  exists(DeleteArrayExpr deleteArrayExpr | deleteArrayExpr.getDestructorCall() = expr)
 }
 
 /**
@@ -416,7 +415,9 @@ predicate hasTranslatedLoad(Expr expr) {
   not ignoreExpr(expr) and
   not isNativeCondition(expr) and
   not isFlexibleCondition(expr) and
-  not ignoreLoad(expr)
+  not ignoreLoad(expr) and
+  // don't insert a load since we'll just substitute the constant value.
+  not isIRConstant(expr)
 }
 
 /**
@@ -823,6 +824,9 @@ abstract class TranslatedElement extends TTranslatedElement {
   /** DEPRECATED: Alias for getAst */
   deprecated Locatable getAST() { result = this.getAst() }
 
+  /** Gets the location of this element. */
+  Location getLocation() { result = this.getAst().getLocation() }
+
   /**
    * Get the first instruction to be executed in the evaluation of this element.
    */

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -1906,8 +1906,10 @@ class TranslatedNonConstantAllocationSize extends TranslatedAllocationSize {
   final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
     resultType = getTypeForPRValue(expr.getAllocator().getParameter(0).getType()) and
     (
+      this.extentNeedsConversion() and
       // Convert the extent to `size_t`, because the AST doesn't do this already.
-      tag = AllocationExtentConvertTag() and opcode instanceof Opcode::Convert
+      tag = AllocationExtentConvertTag() and
+      opcode instanceof Opcode::Convert
       or
       tag = AllocationElementSizeTag() and opcode instanceof Opcode::Constant
       or
@@ -1918,6 +1920,7 @@ class TranslatedNonConstantAllocationSize extends TranslatedAllocationSize {
   final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
     kind instanceof GotoEdge and
     (
+      this.extentNeedsConversion() and
       tag = AllocationExtentConvertTag() and
       result = this.getInstruction(AllocationElementSizeTag())
       or
@@ -1933,7 +1936,9 @@ class TranslatedNonConstantAllocationSize extends TranslatedAllocationSize {
 
   final override Instruction getChildSuccessor(TranslatedElement child) {
     child = this.getExtent() and
-    result = this.getInstruction(AllocationExtentConvertTag())
+    if this.extentNeedsConversion()
+    then result = this.getInstruction(AllocationExtentConvertTag())
+    else result = this.getInstruction(AllocationElementSizeTag())
   }
 
   final override string getInstructionConstantValue(InstructionTag tag) {
@@ -1945,19 +1950,31 @@ class TranslatedNonConstantAllocationSize extends TranslatedAllocationSize {
     tag = AllocationSizeTag() and
     (
       operandTag instanceof LeftOperandTag and
-      result = this.getInstruction(AllocationExtentConvertTag())
+      (
+        if this.extentNeedsConversion()
+        then result = this.getInstruction(AllocationExtentConvertTag())
+        else result = this.getExtent().getResult()
+      )
       or
       operandTag instanceof RightOperandTag and
       result = this.getInstruction(AllocationElementSizeTag())
     )
     or
+    this.extentNeedsConversion() and
     tag = AllocationExtentConvertTag() and
     operandTag instanceof UnaryOperandTag and
     result = this.getExtent().getResult()
   }
 
-  private TranslatedExpr getExtent() {
-    result = getTranslatedExpr(expr.getExtent().getFullyConverted())
+  TranslatedExpr getExtent() { result = getTranslatedExpr(expr.getExtent().getFullyConverted()) }
+
+  /**
+   * Holds if the result of `expr.getExtent()` does not have the same type as
+   * the allocator's size parameter.
+   */
+  private predicate extentNeedsConversion() {
+    expr.getExtent().getFullyConverted().getUnspecifiedType() !=
+      expr.getAllocator().getParameter(0).getUnspecifiedType()
   }
 }
 
@@ -2017,6 +2034,66 @@ TranslatedAllocatorCall getTranslatedAllocatorCall(NewOrNewArrayExpr newExpr) {
   result.getAst() = newExpr
 }
 
+/**
+ * The IR translation of a `delete` or `delete[]`
+ * expression.
+ */
+class TranslatedDeleteOrDeleteArrayExpr extends TranslatedNonConstantExpr, TranslatedCall {
+  override DeleteOrDeleteArrayExpr expr;
+
+  final override Instruction getFirstCallTargetInstruction() {
+    result = this.getInstruction(CallTargetTag())
+  }
+
+  final override Instruction getCallTargetResult() { result = this.getInstruction(CallTargetTag()) }
+
+  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
+    TranslatedCall.super.hasInstruction(opcode, tag, resultType)
+    or
+    tag = CallTargetTag() and
+    resultType = getFunctionGLValueType() and
+    if exists(expr.getDeallocator())
+    then opcode instanceof Opcode::FunctionAddress
+    else opcode instanceof Opcode::VirtualDeleteFunctionAddress
+  }
+
+  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
+    result = TranslatedCall.super.getInstructionSuccessor(tag, kind)
+    or
+    tag = CallTargetTag() and
+    kind instanceof GotoEdge and
+    result = this.getFirstArgumentOrCallInstruction()
+  }
+
+  override Function getInstructionFunction(InstructionTag tag) {
+    tag = CallTargetTag() and result = expr.getDeallocator()
+  }
+
+  final override Type getCallResultType() { result = expr.getType() }
+
+  final override TranslatedExpr getQualifier() { none() }
+
+  final override predicate hasArguments() {
+    // All deallocator calls have at least one argument.
+    any()
+  }
+
+  final override int getNumberOfArguments() {
+    // We ignore the other arguments for now as we would have to synthesize them.
+    result = 1
+  }
+
+  final override TranslatedExpr getArgument(int index) {
+    // The only argument we define is the pointer to be deallocated.
+    index = 0 and
+    result = getTranslatedExpr(expr.getExpr().getFullyConverted())
+  }
+}
+
+TranslatedDeleteOrDeleteArrayExpr getTranslatedDeleteOrDeleteArray(DeleteOrDeleteArrayExpr newExpr) {
+  result.getAst() = newExpr
+}
+
 /**
  * Abstract class implemented by any `TranslatedElement` that has a child
  * expression that is a call to a constructor or destructor, in order to
@@ -2954,78 +3031,6 @@ class TranslatedNewArrayExpr extends TranslatedNewOrNewArrayExpr {
   }
 }
 
-/**
- * A placeholder for the translation of a `delete[]` expression.
- *
- * Proper translation is not yet implemented, but this stub implementation
- * ensures that code following a `delete[]` is not unreachable.
- */
-class TranslatedDeleteArrayExprPlaceHolder extends TranslatedSingleInstructionExpr {
-  override DeleteArrayExpr expr;
-
-  final override Instruction getFirstInstruction() {
-    result = this.getOperand().getFirstInstruction()
-  }
-
-  final override TranslatedElement getChild(int id) { id = 0 and result = this.getOperand() }
-
-  final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
-    tag = OnlyInstructionTag() and
-    result = this.getParent().getChildSuccessor(this) and
-    kind instanceof GotoEdge
-  }
-
-  final override Instruction getChildSuccessor(TranslatedElement child) {
-    child = this.getOperand() and result = this.getInstruction(OnlyInstructionTag())
-  }
-
-  final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
-    none()
-  }
-
-  final override Opcode getOpcode() { result instanceof Opcode::NoOp }
-
-  private TranslatedExpr getOperand() {
-    result = getTranslatedExpr(expr.getExpr().getFullyConverted())
-  }
-}
-
-/**
- * A placeholder for the translation of a `delete` expression.
- *
- * Proper translation is not yet implemented, but this stub implementation
- * ensures that code following a `delete` is not unreachable.
- */
-class TranslatedDeleteExprPlaceHolder extends TranslatedSingleInstructionExpr {
-  override DeleteExpr expr;
-
-  final override Instruction getFirstInstruction() {
-    result = this.getOperand().getFirstInstruction()
-  }
-
-  final override TranslatedElement getChild(int id) { id = 0 and result = this.getOperand() }
-
-  final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
-    tag = OnlyInstructionTag() and
-    result = this.getParent().getChildSuccessor(this) and
-    kind instanceof GotoEdge
-  }
-
-  final override Instruction getChildSuccessor(TranslatedElement child) {
-    child = this.getOperand() and result = this.getInstruction(OnlyInstructionTag())
-  }
-
-  final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
-    none()
-  }
-
-  final override Opcode getOpcode() { result instanceof Opcode::NoOp }
-
-  private TranslatedExpr getOperand() {
-    result = getTranslatedExpr(expr.getExpr().getFullyConverted())
-  }
-}
-
 /**
  * The IR translation of a `ConditionDeclExpr`, which represents the value of the declared variable
  * after conversion to `bool` in code such as: