Yeast: Appease the clippy

YEAST: Make some more fixes to rules.

.gitattributes

@@ -71,6 +71,3 @@ go/extractor/opencsv/CSVReader.java -text
 # `javascript/ql/experimental/adaptivethreatmodeling/test/update_endpoint_test_files.py`.
 javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/autogenerated/**/*.js linguist-generated=true -merge
 javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/autogenerated/**/*.ts linguist-generated=true -merge
-
-# Auto-generated modeling for Python
-python/ql/lib/semmle/python/frameworks/data/internal/subclass-capture/*.yml linguist-generated=true

.github/workflows/close-stale.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/stale@v9
+    - uses: actions/stale@v8
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `Stale` label in order to avoid having this issue closed in 7 days.'

.github/workflows/codeql-analysis.yml

@@ -28,9 +28,9 @@ jobs:
 
     steps:
     - name: Setup dotnet
-      uses: actions/setup-dotnet@v4
+      uses: actions/setup-dotnet@v3
       with:
-        dotnet-version: 8.0.100
+        dotnet-version: 7.0.102
 
     - name: Checkout repository
       uses: actions/checkout@v4

.github/workflows/csharp-qltest.yml

@@ -72,15 +72,15 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Setup dotnet
-        uses: actions/setup-dotnet@v4
+        uses: actions/setup-dotnet@v3
         with:
-          dotnet-version: 8.0.100
+          dotnet-version: 7.0.102
       - name: Extractor unit tests
         run: |
-          dotnet test -p:RuntimeFrameworkVersion=8.0.0 extractor/Semmle.Util.Tests
-          dotnet test -p:RuntimeFrameworkVersion=8.0.0 extractor/Semmle.Extraction.Tests
-          dotnet test -p:RuntimeFrameworkVersion=8.0.0 autobuilder/Semmle.Autobuild.CSharp.Tests
-          dotnet test -p:RuntimeFrameworkVersion=8.0.0 "${{ github.workspace }}/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests"
+          dotnet test -p:RuntimeFrameworkVersion=7.0.2 extractor/Semmle.Util.Tests
+          dotnet test -p:RuntimeFrameworkVersion=7.0.2 extractor/Semmle.Extraction.Tests
+          dotnet test -p:RuntimeFrameworkVersion=7.0.2 autobuilder/Semmle.Autobuild.CSharp.Tests
+          dotnet test -p:RuntimeFrameworkVersion=7.0.2 "${{ github.workspace }}/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests"
         shell: bash
   stubgentest:
     runs-on: ubuntu-latest

.github/workflows/go-tests-other-os.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: macos-latest
     steps:
       - name: Set up Go ${{ env.GO_VERSION }}
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v4
         with:
           go-version: ${{ env.GO_VERSION }}
         id: go
@@ -50,7 +50,7 @@ jobs:
     runs-on: windows-latest-xl
     steps:
       - name: Set up Go ${{ env.GO_VERSION }}
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v4
         with:
           go-version: ${{ env.GO_VERSION }}
         id: go

.github/workflows/go-tests.yml

@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-latest-xl
     steps:
       - name: Set up Go ${{ env.GO_VERSION }}
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v4
         with:
           go-version: ${{ env.GO_VERSION }}
         id: go

.github/workflows/mad_modelDiff.yml

@@ -12,7 +12,6 @@ on:
       - main
     paths:
       - "java/ql/src/utils/modelgenerator/**/*.*"
-      - "misc/scripts/models-as-data/*.*"
       - ".github/workflows/mad_modelDiff.yml"
 
 permissions:
@@ -62,9 +61,8 @@ jobs:
             DATABASE=$2
             cd codeql-$QL_VARIANT
             SHORTNAME=`basename $DATABASE`
-            python java/ql/src/utils/modelgenerator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
-            mkdir -p $MODELS/$SHORTNAME
-            mv java/ql/lib/ext/generated/$SHORTNAME/$QL_VARIANT $MODELS/$SHORTNAME
+            python java/ql/src/utils/modelgenerator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE ${SHORTNAME}.temp.model.yml
+            mv java/ql/lib/ext/generated/${SHORTNAME}.temp.model.yml $MODELS/${SHORTNAME}Generated_${QL_VARIANT}.model.yml
             cd ..
           }
 
@@ -87,16 +85,16 @@ jobs:
           set -x
           MODELS=`pwd`/tmp-models
           ls -1 tmp-models/
-          for m in $MODELS/*/main/*.model.yml ; do
+          for m in $MODELS/*_main.model.yml ; do
             t="${m/main/"pr"}"
             basename=`basename $m`
-            name="diff_${basename/.model.yml/""}"
+            name="diff_${basename/_main.model.yml/""}"
             (diff -w -u $m $t | diff2html -i stdin -F $MODELS/$name.html) || true
           done
       - uses: actions/upload-artifact@v3
         with:
           name: models
-          path: tmp-models/**/**/*.model.yml
+          path: tmp-models/*.model.yml
           retention-days: 20
       - uses: actions/upload-artifact@v3
         with:

CODEOWNERS

@@ -44,4 +44,3 @@ WORKSPACE.bazel @github/codeql-ci-reviewers
 
 # Misc
 /misc/scripts/accept-expected-changes-from-ci.py @RasmusWL
-/misc/scripts/generate-code-scanning-query-list.py @RasmusWL

config/identical-files.json

@@ -53,6 +53,14 @@
     "ruby/ql/lib/codeql/ruby/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
     "swift/ql/lib/codeql/swift/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
   ],
+  "DataFlow Java/C#/Go/Ruby/Python/Swift Flow Summaries": [
+    "java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll",
+    "go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll",
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImpl.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/FlowSummaryImpl.qll",
+    "swift/ql/lib/codeql/swift/dataflow/internal/FlowSummaryImpl.qll"
+  ],
   "SsaReadPosition Java/C#": [
     "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
@@ -454,6 +462,23 @@
     "ruby/ql/lib/codeql/ruby/security/internal/SensitiveDataHeuristics.qll",
     "swift/ql/lib/codeql/swift/security/internal/SensitiveDataHeuristics.qll"
   ],
+  "TypeTracker": [
+    "python/ql/lib/semmle/python/dataflow/new/internal/TypeTracker.qll",
+    "ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll"
+  ],
+  "SummaryTypeTracker": [
+    "python/ql/lib/semmle/python/dataflow/new/internal/SummaryTypeTracker.qll",
+    "ruby/ql/lib/codeql/ruby/typetracking/internal/SummaryTypeTracker.qll"
+  ],
+  "AccessPathSyntax": [
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/AccessPathSyntax.qll",
+    "go/ql/lib/semmle/go/dataflow/internal/AccessPathSyntax.qll",
+    "java/ql/lib/semmle/code/java/dataflow/internal/AccessPathSyntax.qll",
+    "javascript/ql/lib/semmle/javascript/frameworks/data/internal/AccessPathSyntax.qll",
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/AccessPathSyntax.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/AccessPathSyntax.qll",
+    "swift/ql/lib/codeql/swift/dataflow/internal/AccessPathSyntax.qll"
+  ],
   "IncompleteUrlSubstringSanitization": [
     "javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qll",
     "ruby/ql/src/queries/security/cwe-020/IncompleteUrlSubstringSanitization.qll"
@@ -473,6 +498,10 @@
     "ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModelsExtensions.qll",
     "python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModelsExtensions.qll"
   ],
+  "Typo database": [
+    "javascript/ql/src/Expressions/TypoDatabase.qll",
+    "ql/ql/src/codeql_ql/style/TypoDatabase.qll"
+  ],
   "Swift declarations test file": [
     "swift/ql/test/extractor-tests/declarations/declarations.swift",
     "swift/ql/test/library-tests/ast/declarations.swift"
@@ -505,4 +534,4 @@
     "python/ql/test/experimental/dataflow/model-summaries/InlineTaintTest.ext.yml",
     "python/ql/test/experimental/dataflow/model-summaries/NormalDataflowTest.ext.yml"
   ]
-}
+}

cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/BuildScripts.cs

@@ -326,7 +326,7 @@ namespace Semmle.Autobuild.Cpp.Tests
         public void TestCppAutobuilderSuccess()
         {
             Actions.RunProcess[@"cmd.exe /C nuget restore C:\Project\test.sln -DisableParallelProcessing"] = 1;
-            Actions.RunProcess[@"cmd.exe /C scratch\.nuget\nuget.exe restore C:\Project\test.sln -DisableParallelProcessing"] = 0;
+            Actions.RunProcess[@"cmd.exe /C C:\Project\.nuget\nuget.exe restore C:\Project\test.sln -DisableParallelProcessing"] = 0;
             Actions.RunProcess[@"cmd.exe /C CALL ^""C:\Program^ Files^ ^(x86^)\Microsoft^ Visual^ Studio^ 14.0\VC\vcvarsall.bat^"" && set Platform=&& type NUL && msbuild C:\Project\test.sln /t:rebuild /p:Platform=""x86"" /p:Configuration=""Release"""] = 0;
             Actions.RunProcessOut[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = "";
             Actions.RunProcess[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = 1;
@@ -337,11 +337,10 @@ namespace Semmle.Autobuild.Cpp.Tests
             Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC\vcvarsall.bat"] = true;
             Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\vcvarsall.bat"] = true;
             Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe"] = true;
-            Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CPP_SCRATCH_DIR"] = "scratch";
             Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest.slx";
             Actions.EnumerateDirectories[@"C:\Project"] = "";
-            Actions.CreateDirectories.Add(@"scratch\.nuget");
-            Actions.DownloadFiles.Add(("https://dist.nuget.org/win-x86-commandline/latest/nuget.exe", @"scratch\.nuget\nuget.exe"));
+            Actions.CreateDirectories.Add(@"C:\Project\.nuget");
+            Actions.DownloadFiles.Add(("https://dist.nuget.org/win-x86-commandline/latest/nuget.exe", @"C:\Project\.nuget\nuget.exe"));
 
             var autobuilder = CreateAutoBuilder(true);
             var solution = new TestSolution(@"C:\Project\test.sln");

cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/Semmle.Autobuild.Cpp.Tests.csproj

@@ -2,7 +2,7 @@
 
   <PropertyGroup>
     <OutputType>Exe</OutputType>
-    <TargetFramework>net8.0</TargetFramework>
+    <TargetFramework>net7.0</TargetFramework>
     <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
     <RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
     <Nullable>enable</Nullable>
@@ -11,12 +11,12 @@
   <ItemGroup>
     <PackageReference Include="System.IO.FileSystem" Version="4.3.0" />
     <PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0" />
-    <PackageReference Include="xunit" Version="2.6.2" />
-    <PackageReference Include="xunit.runner.visualstudio" Version="2.5.4">
+    <PackageReference Include="xunit" Version="2.4.2" />
+    <PackageReference Include="xunit.runner.visualstudio" Version="2.4.5">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
     </PackageReference>
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.8.0" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.4.0" />
   </ItemGroup>
 
   <ItemGroup>

cpp/autobuilder/Semmle.Autobuild.Cpp/Semmle.Autobuild.Cpp.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>net8.0</TargetFramework>
+    <TargetFramework>net7.0</TargetFramework>
     <AssemblyName>Semmle.Autobuild.Cpp</AssemblyName>
     <RootNamespace>Semmle.Autobuild.Cpp</RootNamespace>
     <ApplicationIcon />
@@ -17,7 +17,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Build" Version="17.8.3" />
+    <PackageReference Include="Microsoft.Build" Version="17.3.2" />
   </ItemGroup>
 
   <ItemGroup>

cpp/downgrades/0a9eb01d3650642e013eb86be45d952289537f91/upgrade.properties

@@ -1,3 +0,0 @@
-description: Expose whether a function was prototyped or not
-compatibility: backwards
-function_prototyped.rel: delete

cpp/downgrades/7f34caf73ca98314885030cc5a22b6e328fe687c/functions.ql

@@ -1,9 +0,0 @@
-class Function extends @function {
-  string toString() { none() }
-}
-
-from Function fun, string name, int kind, int kind_new
-where
-  functions(fun, name, kind) and
-  if kind = 7 or kind = 8 then kind_new = 0 else kind_new = kind
-select fun, name, kind_new

cpp/downgrades/7f34caf73ca98314885030cc5a22b6e328fe687c/upgrade.properties

@@ -1,3 +0,0 @@
-description: Support more function types
-compatibility: full
-functions.rel: run functions.qlo

cpp/downgrades/cf72c8898d19eb1b3374432cf79d8276cb07ad43/upgrade.properties

@@ -1,6 +1,5 @@
 description: Support C++17 if and switch initializers
 compatibility: partial
-constexpr_if_initialization.rel: delete
 if_initialization.rel: delete
 switch_initialization.rel: delete
 exprparents.rel: run exprparents.qlo

cpp/downgrades/d8149ca90e695fe26f9a0c5a7fa0edd6d4ea3f5d/attribute_args.ql

@@ -1,17 +0,0 @@
-class AttributeArg extends @attribute_arg {
-  string toString() { none() }
-}
-
-class Attribute extends @attribute {
-  string toString() { none() }
-}
-
-class Location extends @location_default {
-  string toString() { none() }
-}
-
-from AttributeArg arg, int kind, int kind_new, Attribute attr, int index, Location location
-where
-  attribute_args(arg, kind, attr, index, location) and
-  if arg instanceof @attribute_arg_expr then kind_new = 0 else kind_new = kind
-select arg, kind_new, attr, index, location

cpp/downgrades/d8149ca90e695fe26f9a0c5a7fa0edd6d4ea3f5d/upgrade.properties

@@ -1,4 +0,0 @@
-description: Support expression attribute arguments
-compatibility: partial
-attribute_arg_expr.rel: delete
-attribute_args.rel: run attribute_args.qlo

cpp/downgrades/fc81eb5a3a7cdde8d9ad813da1e8f1e90dadbb91/upgrade.properties

@@ -1,2 +0,0 @@
-description: Revert removal of uniqueness constraint on link_targets/2
-compatibility: backwards

cpp/ql/lib/CHANGELOG.md

@@ -1,41 +1,3 @@
-## 0.12.4
-
-### Minor Analysis Improvements
-
-* Deleted many deprecated predicates and classes with uppercase `XML`, `SSA`, `SAL`, `SQL`, etc. in their names. Use the PascalCased versions instead.
-* Deleted the deprecated `StrcatFunction` class, use `semmle.code.cpp.models.implementations.Strcat.qll` instead.
-
-## 0.12.3
-
-### Deprecated APIs
-
-* The `isUserInput`, `userInputArgument`, and `userInputReturned` predicates from `SecurityOptions` have been deprecated. Use `FlowSource` instead.
-
-### New Features
-
-* `UserDefineLiteral` and `DeductionGuide` classes have been added, representing C++11 user defined literals and C++17 deduction guides.
-
-### Minor Analysis Improvements
-
-* Changed the output of `Node.toString` to better reflect how many indirections a given dataflow node has.
-* Added a new predicate `Node.asDefinition` on `DataFlow::Node`s for selecting the dataflow node corresponding to a particular definition.
-* The deprecated `DefaultTaintTracking` library has been removed.
-* The `Guards` library has been replaced with the API-compatible `IRGuards` implementation, which has better precision in some cases.
-
-### Bug Fixes
-
-* Under certain circumstances a function declaration that is not also a definition could be associated with a `Function` that did not have the definition as a `FunctionDeclarationEntry`. This is now fixed when only one definition exists, and a unique `Function` will exist that has both the declaration and the definition as a `FunctionDeclarationEntry`.
-
-## 0.12.2
-
-No user-facing changes.
-
-## 0.12.1
-
-### New Features
-
-* Added an `isPrototyped` predicate to `Function` that holds when the function has a prototype.
-
 ## 0.12.0
 
 ### Breaking Changes

cpp/ql/lib/DefaultOptions.qll

@@ -52,18 +52,17 @@ class Options extends string {
   /**
    * Holds if a call to this function will never return.
    *
-   * By default, this holds for `exit`, `_exit`, `_Exit`, `abort`,
-   * `__assert_fail`, `longjmp`, `__builtin_unreachable` and any
-   * function with a `noreturn` or `__noreturn__` attribute or
-   * `noreturn` specifier.
+   * By default, this holds for `exit`, `_exit`, `abort`, `__assert_fail`,
+   * `longjmp`, `__builtin_unreachable` and any function with a
+   * `noreturn` attribute or specifier.
    */
   predicate exits(Function f) {
-    f.getAnAttribute().hasName(["noreturn", "__noreturn__"])
+    f.getAnAttribute().hasName("noreturn")
     or
     f.getASpecifier().hasName("noreturn")
     or
     f.hasGlobalOrStdName([
-        "exit", "_exit", "_Exit", "abort", "__assert_fail", "longjmp", "__builtin_unreachable"
+        "exit", "_exit", "abort", "__assert_fail", "longjmp", "__builtin_unreachable"
       ])
     or
     CustomOptions::exits(f) // old Options.qll

cpp/ql/lib/change-notes/released/0.12.1.md

@@ -1,5 +0,0 @@
-## 0.12.1
-
-### New Features
-
-* Added an `isPrototyped` predicate to `Function` that holds when the function has a prototype.

cpp/ql/lib/change-notes/released/0.12.2.md

@@ -1,3 +0,0 @@
-## 0.12.2
-
-No user-facing changes.

cpp/ql/lib/change-notes/released/0.12.3.md

@@ -1,20 +0,0 @@
-## 0.12.3
-
-### Deprecated APIs
-
-* The `isUserInput`, `userInputArgument`, and `userInputReturned` predicates from `SecurityOptions` have been deprecated. Use `FlowSource` instead.
-
-### New Features
-
-* `UserDefineLiteral` and `DeductionGuide` classes have been added, representing C++11 user defined literals and C++17 deduction guides.
-
-### Minor Analysis Improvements
-
-* Changed the output of `Node.toString` to better reflect how many indirections a given dataflow node has.
-* Added a new predicate `Node.asDefinition` on `DataFlow::Node`s for selecting the dataflow node corresponding to a particular definition.
-* The deprecated `DefaultTaintTracking` library has been removed.
-* The `Guards` library has been replaced with the API-compatible `IRGuards` implementation, which has better precision in some cases.
-
-### Bug Fixes
-
-* Under certain circumstances a function declaration that is not also a definition could be associated with a `Function` that did not have the definition as a `FunctionDeclarationEntry`. This is now fixed when only one definition exists, and a unique `Function` will exist that has both the declaration and the definition as a `FunctionDeclarationEntry`.

cpp/ql/lib/change-notes/released/0.12.4.md

@@ -1,6 +0,0 @@
-## 0.12.4
-
-### Minor Analysis Improvements
-
-* Deleted many deprecated predicates and classes with uppercase `XML`, `SSA`, `SAL`, `SQL`, etc. in their names. Use the PascalCased versions instead.
-* Deleted the deprecated `StrcatFunction` class, use `semmle.code.cpp.models.implementations.Strcat.qll` instead.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.12.4
+lastReleaseVersion: 0.12.0

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.12.4
+version: 0.12.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/Class.qll

@@ -380,6 +380,9 @@ class Class extends UserType {
    */
   predicate isPod() { is_pod_class(underlyingElement(this)) }
 
+  /** DEPRECATED: Alias for isPod */
+  deprecated predicate isPOD() { this.isPod() }
+
   /**
    * Holds if this class, struct or union is a standard-layout class
    * [N4140 9(7)]. Also holds for structs in C programs.

cpp/ql/lib/semmle/code/cpp/Function.qll

@@ -112,16 +112,6 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
    */
   predicate isDeleted() { function_deleted(underlyingElement(this)) }
 
-  /**
-   * Holds if this function has a prototyped interface.
-   *
-   * Functions generally have a prototyped interface, unless they are
-   * K&R-style functions either without any forward function declaration,
-   * or with all the forward declarations omitting the parameters of the
-   * function.
-   */
-  predicate isPrototyped() { function_prototyped(underlyingElement(this)) }
-
   /**
    * Holds if this function is explicitly defaulted with the `= default`
    * specifier.
@@ -328,7 +318,6 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
   MetricFunction getMetrics() { result = this }
 
   /** Holds if this function calls the function `f`. */
-  pragma[nomagic]
   predicate calls(Function f) { this.calls(f, _) }
 
   /**
@@ -339,6 +328,10 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
     exists(FunctionCall call |
       call.getEnclosingFunction() = this and call.getTarget() = f and call = l
     )
+    or
+    exists(DestructorCall call |
+      call.getEnclosingFunction() = this and call.getTarget() = f and call = l
+    )
   }
 
   /** Holds if this function accesses a function or variable or enumerator `a`. */
@@ -882,17 +875,3 @@ class BuiltInFunction extends Function {
 }
 
 private predicate suppressUnusedThis(Function f) { any() }
-
-/**
- * A C++ user-defined literal [N4140 13.5.8].
- */
-class UserDefinedLiteral extends Function {
-  UserDefinedLiteral() { functions(underlyingElement(this), _, 7) }
-}
-
-/**
- * A C++ deduction guide [N4659 17.9].
- */
-class DeductionGuide extends Function {
-  DeductionGuide() { functions(underlyingElement(this), _, 8) }
-}

cpp/ql/lib/semmle/code/cpp/PODType03.qll

@@ -104,6 +104,9 @@ predicate isPodClass03(Class c) {
   )
 }
 
+/** DEPRECATED: Alias for isPodClass03 */
+deprecated predicate isPODClass03 = isPodClass03/1;
+
 /**
  * Holds if `t` is a POD type, according to the rules specified in
  * C++03 3.9(10):
@@ -123,3 +126,6 @@ predicate isPodType03(Type t) {
     isPodType03(ut.(SpecifiedType).getUnspecifiedType())
   )
 }
+
+/** DEPRECATED: Alias for isPodType03 */
+deprecated predicate isPODType03 = isPodType03/1;

cpp/ql/lib/semmle/code/cpp/Specifier.qll

@@ -281,11 +281,6 @@ class AttributeArgument extends Element, @attribute_arg {
     attribute_arg_constant(underlyingElement(this), unresolveElement(result))
   }
 
-  /**
-   * Gets the value of this argument, if its value is an expression.
-   */
-  Expr getValueExpr() { attribute_arg_expr(underlyingElement(this), unresolveElement(result)) }
-
   /**
    * Gets the attribute to which this is an argument.
    */
@@ -313,10 +308,7 @@ class AttributeArgument extends Element, @attribute_arg {
           else
             if underlyingElement(this) instanceof @attribute_arg_constant_expr
             then tail = this.getValueConstant().toString()
-            else
-              if underlyingElement(this) instanceof @attribute_arg_expr
-              then tail = this.getValueExpr().toString()
-              else tail = this.getValueText()
+            else tail = this.getValueText()
         ) and
         result = prefix + tail
       )

cpp/ql/lib/semmle/code/cpp/XML.qll

@@ -32,6 +32,9 @@ class XmlLocatable extends @xmllocatable, TXmlLocatable {
   string toString() { none() } // overridden in subclasses
 }
 
+/** DEPRECATED: Alias for XmlLocatable */
+deprecated class XMLLocatable = XmlLocatable;
+
 /**
  * An `XmlParent` is either an `XmlElement` or an `XmlFile`,
  * both of which can contain other elements.
@@ -92,6 +95,9 @@ class XmlParent extends @xmlparent {
   string toString() { result = this.getName() }
 }
 
+/** DEPRECATED: Alias for XmlParent */
+deprecated class XMLParent = XmlParent;
+
 /** An XML file. */
 class XmlFile extends XmlParent, File {
   XmlFile() { xmlEncoding(this, _) }
@@ -113,8 +119,14 @@ class XmlFile extends XmlParent, File {
 
   /** Gets a DTD associated with this XML file. */
   XmlDtd getADtd() { xmlDTDs(result, _, _, _, this) }
+
+  /** DEPRECATED: Alias for getADtd */
+  deprecated XmlDtd getADTD() { result = this.getADtd() }
 }
 
+/** DEPRECATED: Alias for XmlFile */
+deprecated class XMLFile = XmlFile;
+
 /**
  * An XML document type definition (DTD).
  *
@@ -151,6 +163,9 @@ class XmlDtd extends XmlLocatable, @xmldtd {
   }
 }
 
+/** DEPRECATED: Alias for XmlDtd */
+deprecated class XMLDTD = XmlDtd;
+
 /**
  * An XML element in an XML file.
  *
@@ -206,6 +221,9 @@ class XmlElement extends @xmlelement, XmlParent, XmlLocatable {
   override string toString() { result = this.getName() }
 }
 
+/** DEPRECATED: Alias for XmlElement */
+deprecated class XMLElement = XmlElement;
+
 /**
  * An attribute that occurs inside an XML element.
  *
@@ -236,6 +254,9 @@ class XmlAttribute extends @xmlattribute, XmlLocatable {
   override string toString() { result = this.getName() + "=" + this.getValue() }
 }
 
+/** DEPRECATED: Alias for XmlAttribute */
+deprecated class XMLAttribute = XmlAttribute;
+
 /**
  * A namespace used in an XML file.
  *
@@ -252,6 +273,9 @@ class XmlNamespace extends XmlLocatable, @xmlnamespace {
   /** Gets the URI of this namespace. */
   string getUri() { xmlNs(this, _, result, _) }
 
+  /** DEPRECATED: Alias for getUri */
+  deprecated string getURI() { result = this.getUri() }
+
   /** Holds if this namespace has no prefix. */
   predicate isDefault() { this.getPrefix() = "" }
 
@@ -262,6 +286,9 @@ class XmlNamespace extends XmlLocatable, @xmlnamespace {
   }
 }
 
+/** DEPRECATED: Alias for XmlNamespace */
+deprecated class XMLNamespace = XmlNamespace;
+
 /**
  * A comment in an XML file.
  *
@@ -282,6 +309,9 @@ class XmlComment extends @xmlcomment, XmlLocatable {
   override string toString() { result = this.getText() }
 }
 
+/** DEPRECATED: Alias for XmlComment */
+deprecated class XMLComment = XmlComment;
+
 /**
  * A sequence of characters that occurs between opening and
  * closing tags of an XML element, excluding other elements.
@@ -305,3 +335,6 @@ class XmlCharacters extends @xmlcharacters, XmlLocatable {
   /** Gets a printable representation of this XML character sequence. */
   override string toString() { result = this.getCharacters() }
 }
+
+/** DEPRECATED: Alias for XmlCharacters */
+deprecated class XMLCharacters = XmlCharacters;

cpp/ql/lib/semmle/code/cpp/commons/NULL.qll

@@ -5,6 +5,9 @@ class NullMacro extends Macro {
   NullMacro() { this.getHead() = "NULL" }
 }
 
+/** DEPRECATED: Alias for NullMacro */
+deprecated class NULLMacro = NullMacro;
+
 /** A use of the NULL macro. */
 class NULL extends Literal {
   NULL() { exists(NullMacro nm | this = nm.getAnInvocation().getAnExpandedElement()) }

cpp/ql/lib/semmle/code/cpp/commons/Strcat.qll

@@ -0,0 +1,22 @@
+import cpp
+
+/**
+ * DEPRECATED: use `semmle.code.cpp.models.implementations.Strcat.qll` instead.
+ *
+ * A function that concatenates the string from its second argument
+ * to the string from its first argument, for example `strcat`.
+ */
+deprecated class StrcatFunction extends Function {
+  StrcatFunction() {
+    this.getName() =
+      [
+        "strcat", // strcat(dst, src)
+        "strncat", // strncat(dst, src, max_amount)
+        "wcscat", // wcscat(dst, src)
+        "_mbscat", // _mbscat(dst, src)
+        "wcsncat", // wcsncat(dst, src, max_amount)
+        "_mbsncat", // _mbsncat(dst, src, max_amount)
+        "_mbsncat_l" // _mbsncat_l(dst, src, max_amount, locale)
+      ]
+  }
+}

cpp/ql/lib/semmle/code/cpp/commons/StringConcatenation.qll

@@ -1,101 +0,0 @@
-/**
- * A library for detecting general string concatenations.
- */
-
-import cpp
-import semmle.code.cpp.models.implementations.Strcat
-import semmle.code.cpp.models.interfaces.FormattingFunction
-private import semmle.code.cpp.dataflow.new.DataFlow
-
-/**
- * A call that performs a string concatenation. A string can be either a C
- * string (i.e., a value of type `char*`), or a C++ string (i.e., a value of
- * type `std::string`).
- */
-class StringConcatenation extends Call {
-  StringConcatenation() {
-    // sprintf-like functions, i.e., concat through formatting
-    this instanceof FormattingFunctionCall
-    or
-    this.getTarget() instanceof StrcatFunction
-    or
-    this.getTarget() instanceof StrlcatFunction
-    or
-    // operator+ and ostream (<<) concat
-    exists(Call call, Operator op |
-      call.getTarget() = op and
-      op.hasQualifiedName(["std", "bsl"], ["operator+", "operator<<"]) and
-      op.getType()
-          .stripType()
-          .(UserType)
-          .hasQualifiedName(["std", "bsl"], ["basic_string", "basic_ostream"]) and
-      this = call
-    )
-  }
-
-  /**
-   * Gets an operand of this concatenation (one of the string operands being
-   * concatenated).
-   * Will not return out param for sprintf-like functions, but will consider the format string
-   * to be part of the operands.
-   */
-  Expr getAnOperand() {
-    // The result is an argument of 'this' (a call)
-    result = this.getAnArgument() and
-    // addresses odd behavior with overloaded operators
-    // i.e., "call to operator+" appearing as an operand
-    // occurs in cases like `string s = s1 + s2 + s3`, which is represented as
-    // `string s = (s1.operator+(s2)).operator+(s3);`
-    // By limiting to non-calls we get the leaf operands (the variables or raw strings)
-    // also, by not enumerating allowed types (variables and strings) we avoid issues
-    // with missed corner cases or extensions/changes to CodeQL in the future which might
-    // invalidate that approach.
-    not result instanceof Call and
-    // Limit the result type to string
-    (
-      result.getUnderlyingType().stripType().getName() = "char"
-      or
-      result
-          .getType()
-          .getUnspecifiedType()
-          .(UserType)
-          .hasQualifiedName(["std", "bsl"], "basic_string")
-    ) and
-    // when 'this' is a `FormattingFunctionCall` the result must be the format string argument
-    // or one of the formatting arguments
-    (
-      this instanceof FormattingFunctionCall
-      implies
-      (
-        result = this.(FormattingFunctionCall).getFormat()
-        or
-        exists(int n |
-          result = this.getArgument(n) and
-          n >= this.(FormattingFunctionCall).getTarget().getFirstFormatArgumentIndex()
-        )
-      )
-    )
-  }
-
-  /**
-   * Gets the data flow node representing the concatenation result.
-   */
-  DataFlow::Node getResultNode() {
-    if this.getTarget() instanceof StrcatFunction
-    then
-      result.asDefiningArgument() =
-        this.getArgument(this.getTarget().(StrcatFunction).getParamDest())
-      or
-      // Hardcoding it is also the return
-      result.asExpr() = this.(Call)
-    else
-      if this.getTarget() instanceof StrlcatFunction
-      then (
-        result.asDefiningArgument() =
-          this.getArgument(this.getTarget().(StrlcatFunction).getParamDest())
-      ) else
-        if this instanceof FormattingFunctionCall
-        then result.asDefiningArgument() = this.(FormattingFunctionCall).getOutputArgument(_)
-        else result.asExpr() = this.(Call)
-  }
-}

cpp/ql/lib/semmle/code/cpp/controlflow/Guards.qll

@@ -7,7 +7,371 @@ import cpp
 import semmle.code.cpp.controlflow.BasicBlocks
 import semmle.code.cpp.controlflow.SSA
 import semmle.code.cpp.controlflow.Dominance
-import IRGuards
+
+/**
+ * A Boolean condition that guards one or more basic blocks. This includes
+ * operands of logical operators but not switch statements.
+ */
+class GuardCondition extends Expr {
+  GuardCondition() { is_condition(this) }
+
+  /**
+   * Holds if this condition controls `block`, meaning that `block` is only
+   * entered if the value of this condition is `testIsTrue`.
+   *
+   * Illustration:
+   *
+   * ```
+   * [                    (testIsTrue)                        ]
+   * [             this ----------------succ ---- controlled  ]
+   * [               |                    |                   ]
+   * [ (testIsFalse) |                     ------ ...         ]
+   * [             other                                      ]
+   * ```
+   *
+   * The predicate holds if all paths to `controlled` go via the `testIsTrue`
+   * edge of the control-flow graph. In other words, the `testIsTrue` edge
+   * must dominate `controlled`. This means that `controlled` must be
+   * dominated by both `this` and `succ` (the target of the `testIsTrue`
+   * edge). It also means that any other edge into `succ` must be a back-edge
+   * from a node which is dominated by `succ`.
+   *
+   * The short-circuit boolean operations have slightly surprising behavior
+   * here: because the operation itself only dominates one branch (due to
+   * being short-circuited) then it will only control blocks dominated by the
+   * true (for `&&`) or false (for `||`) branch.
+   */
+  cached
+  predicate controls(BasicBlock controlled, boolean testIsTrue) {
+    // This condition must determine the flow of control; that is, this
+    // node must be a top-level condition.
+    this.controlsBlock(controlled, testIsTrue)
+    or
+    exists(BinaryLogicalOperation binop, GuardCondition lhs, GuardCondition rhs |
+      this = binop and
+      lhs = binop.getLeftOperand() and
+      rhs = binop.getRightOperand() and
+      lhs.controls(controlled, testIsTrue) and
+      rhs.controls(controlled, testIsTrue)
+    )
+    or
+    exists(GuardCondition ne, GuardCondition operand |
+      this = operand and
+      operand = ne.(NotExpr).getOperand() and
+      ne.controls(controlled, testIsTrue.booleanNot())
+    )
+  }
+
+  /** Holds if (determined by this guard) `left < right + k` evaluates to `isLessThan` if this expression evaluates to `testIsTrue`. */
+  cached
+  predicate comparesLt(Expr left, Expr right, int k, boolean isLessThan, boolean testIsTrue) {
+    compares_lt(this, left, right, k, isLessThan, testIsTrue)
+  }
+
+  /**
+   * Holds if (determined by this guard) `left < right + k` must be `isLessThan` in `block`.
+   * If `isLessThan = false` then this implies `left >= right + k`.
+   */
+  cached
+  predicate ensuresLt(Expr left, Expr right, int k, BasicBlock block, boolean isLessThan) {
+    exists(boolean testIsTrue |
+      compares_lt(this, left, right, k, isLessThan, testIsTrue) and this.controls(block, testIsTrue)
+    )
+  }
+
+  /** Holds if (determined by this guard) `left == right + k` evaluates to `areEqual` if this expression evaluates to `testIsTrue`. */
+  cached
+  predicate comparesEq(Expr left, Expr right, int k, boolean areEqual, boolean testIsTrue) {
+    compares_eq(this, left, right, k, areEqual, testIsTrue)
+  }
+
+  /**
+   * Holds if (determined by this guard) `left == right + k` must be `areEqual` in `block`.
+   * If `areEqual = false` then this implies `left != right + k`.
+   */
+  cached
+  predicate ensuresEq(Expr left, Expr right, int k, BasicBlock block, boolean areEqual) {
+    exists(boolean testIsTrue |
+      compares_eq(this, left, right, k, areEqual, testIsTrue) and this.controls(block, testIsTrue)
+    )
+  }
+
+  /**
+   * Holds if this condition controls `block`, meaning that `block` is only
+   * entered if the value of this condition is `testIsTrue`. This helper
+   * predicate does not necessarily hold for binary logical operations like
+   * `&&` and `||`. See the detailed explanation on predicate `controls`.
+   */
+  private predicate controlsBlock(BasicBlock controlled, boolean testIsTrue) {
+    exists(BasicBlock thisblock | thisblock.contains(this) |
+      exists(BasicBlock succ |
+        testIsTrue = true and succ = this.getATrueSuccessor()
+        or
+        testIsTrue = false and succ = this.getAFalseSuccessor()
+      |
+        bbDominates(succ, controlled) and
+        forall(BasicBlock pred | pred.getASuccessor() = succ |
+          pred = thisblock or bbDominates(succ, pred) or not reachable(pred)
+        )
+      )
+    )
+  }
+}
+
+private predicate is_condition(Expr guard) {
+  guard.isCondition()
+  or
+  is_condition(guard.(BinaryLogicalOperation).getAnOperand())
+  or
+  exists(NotExpr cond | is_condition(cond) and cond.getOperand() = guard)
+}
+
+/*
+ * Simplification of equality expressions:
+ * Simplify conditions in the source to the canonical form l op r + k.
+ */
+
+/**
+ * Holds if `left == right + k` is `areEqual` given that test is `testIsTrue`.
+ *
+ * Beware making mistaken logical implications here relating `areEqual` and `testIsTrue`.
+ */
+private predicate compares_eq(
+  Expr test, Expr left, Expr right, int k, boolean areEqual, boolean testIsTrue
+) {
+  /* The simple case where the test *is* the comparison so areEqual = testIsTrue xor eq. */
+  exists(boolean eq | simple_comparison_eq(test, left, right, k, eq) |
+    areEqual = true and testIsTrue = eq
+    or
+    areEqual = false and testIsTrue = eq.booleanNot()
+  )
+  or
+  logical_comparison_eq(test, left, right, k, areEqual, testIsTrue)
+  or
+  /* a == b + k => b == a - k */
+  exists(int mk | k = -mk | compares_eq(test, right, left, mk, areEqual, testIsTrue))
+  or
+  complex_eq(test, left, right, k, areEqual, testIsTrue)
+  or
+  /* (x is true => (left == right + k)) => (!x is false => (left == right + k)) */
+  exists(boolean isFalse | testIsTrue = isFalse.booleanNot() |
+    compares_eq(test.(NotExpr).getOperand(), left, right, k, areEqual, isFalse)
+  )
+}
+
+/**
+ * If `test => part` and `part => left == right + k` then `test => left == right + k`.
+ * Similarly for the case where `test` is false.
+ */
+private predicate logical_comparison_eq(
+  BinaryLogicalOperation test, Expr left, Expr right, int k, boolean areEqual, boolean testIsTrue
+) {
+  exists(boolean partIsTrue, Expr part | test.impliesValue(part, partIsTrue, testIsTrue) |
+    compares_eq(part, left, right, k, areEqual, partIsTrue)
+  )
+}
+
+/** Rearrange various simple comparisons into `left == right + k` form. */
+private predicate simple_comparison_eq(
+  ComparisonOperation cmp, Expr left, Expr right, int k, boolean areEqual
+) {
+  left = cmp.getLeftOperand() and
+  cmp.getOperator() = "==" and
+  right = cmp.getRightOperand() and
+  k = 0 and
+  areEqual = true
+  or
+  left = cmp.getLeftOperand() and
+  cmp.getOperator() = "!=" and
+  right = cmp.getRightOperand() and
+  k = 0 and
+  areEqual = false
+}
+
+private predicate complex_eq(
+  ComparisonOperation cmp, Expr left, Expr right, int k, boolean areEqual, boolean testIsTrue
+) {
+  sub_eq(cmp, left, right, k, areEqual, testIsTrue)
+  or
+  add_eq(cmp, left, right, k, areEqual, testIsTrue)
+}
+
+// left - x == right + c => left == right + (c+x)
+// left == (right - x) + c => left == right + (c-x)
+private predicate sub_eq(
+  ComparisonOperation cmp, Expr left, Expr right, int k, boolean areEqual, boolean testIsTrue
+) {
+  exists(SubExpr lhs, int c, int x |
+    compares_eq(cmp, lhs, right, c, areEqual, testIsTrue) and
+    left = lhs.getLeftOperand() and
+    x = int_value(lhs.getRightOperand()) and
+    k = c + x
+  )
+  or
+  exists(SubExpr rhs, int c, int x |
+    compares_eq(cmp, left, rhs, c, areEqual, testIsTrue) and
+    right = rhs.getLeftOperand() and
+    x = int_value(rhs.getRightOperand()) and
+    k = c - x
+  )
+}
+
+// left + x == right + c => left == right + (c-x)
+// left == (right + x) + c => left == right + (c+x)
+private predicate add_eq(
+  ComparisonOperation cmp, Expr left, Expr right, int k, boolean areEqual, boolean testIsTrue
+) {
+  exists(AddExpr lhs, int c, int x |
+    compares_eq(cmp, lhs, right, c, areEqual, testIsTrue) and
+    (
+      left = lhs.getLeftOperand() and x = int_value(lhs.getRightOperand())
+      or
+      left = lhs.getRightOperand() and x = int_value(lhs.getLeftOperand())
+    ) and
+    k = c - x
+  )
+  or
+  exists(AddExpr rhs, int c, int x |
+    compares_eq(cmp, left, rhs, c, areEqual, testIsTrue) and
+    (
+      right = rhs.getLeftOperand() and x = int_value(rhs.getRightOperand())
+      or
+      right = rhs.getRightOperand() and x = int_value(rhs.getLeftOperand())
+    ) and
+    k = c + x
+  )
+}
+
+/*
+ * Simplification of inequality expressions:
+ * Simplify conditions in the source to the canonical form l < r + k.
+ */
+
+/** Holds if `left < right + k` evaluates to `isLt` given that test is `testIsTrue`. */
+private predicate compares_lt(
+  Expr test, Expr left, Expr right, int k, boolean isLt, boolean testIsTrue
+) {
+  /* In the simple case, the test is the comparison, so isLt = testIsTrue */
+  simple_comparison_lt(test, left, right, k) and isLt = true and testIsTrue = true
+  or
+  simple_comparison_lt(test, left, right, k) and isLt = false and testIsTrue = false
+  or
+  logical_comparison_lt(test, left, right, k, isLt, testIsTrue)
+  or
+  complex_lt(test, left, right, k, isLt, testIsTrue)
+  or
+  /* (not (left < right + k)) => (left >= right + k) */
+  exists(boolean isGe | isLt = isGe.booleanNot() |
+    compares_ge(test, left, right, k, isGe, testIsTrue)
+  )
+  or
+  /* (x is true => (left < right + k)) => (!x is false => (left < right + k)) */
+  exists(boolean isFalse | testIsTrue = isFalse.booleanNot() |
+    compares_lt(test.(NotExpr).getOperand(), left, right, k, isLt, isFalse)
+  )
+}
+
+/** `(a < b + k) => (b > a - k) => (b >= a + (1-k))` */
+private predicate compares_ge(
+  Expr test, Expr left, Expr right, int k, boolean isGe, boolean testIsTrue
+) {
+  exists(int onemk | k = 1 - onemk | compares_lt(test, right, left, onemk, isGe, testIsTrue))
+}
+
+/**
+ * If `test => part` and `part => left < right + k` then `test => left < right + k`.
+ * Similarly for the case where `test` evaluates false.
+ */
+private predicate logical_comparison_lt(
+  BinaryLogicalOperation test, Expr left, Expr right, int k, boolean isLt, boolean testIsTrue
+) {
+  exists(boolean partIsTrue, Expr part | test.impliesValue(part, partIsTrue, testIsTrue) |
+    compares_lt(part, left, right, k, isLt, partIsTrue)
+  )
+}
+
+/** Rearrange various simple comparisons into `left < right + k` form. */
+private predicate simple_comparison_lt(ComparisonOperation cmp, Expr left, Expr right, int k) {
+  left = cmp.getLeftOperand() and
+  cmp.getOperator() = "<" and
+  right = cmp.getRightOperand() and
+  k = 0
+  or
+  left = cmp.getLeftOperand() and
+  cmp.getOperator() = "<=" and
+  right = cmp.getRightOperand() and
+  k = 1
+  or
+  right = cmp.getLeftOperand() and
+  cmp.getOperator() = ">" and
+  left = cmp.getRightOperand() and
+  k = 0
+  or
+  right = cmp.getLeftOperand() and
+  cmp.getOperator() = ">=" and
+  left = cmp.getRightOperand() and
+  k = 1
+}
+
+private predicate complex_lt(
+  ComparisonOperation cmp, Expr left, Expr right, int k, boolean isLt, boolean testIsTrue
+) {
+  sub_lt(cmp, left, right, k, isLt, testIsTrue)
+  or
+  add_lt(cmp, left, right, k, isLt, testIsTrue)
+}
+
+// left - x < right + c => left < right + (c+x)
+// left < (right - x) + c => left < right + (c-x)
+private predicate sub_lt(
+  ComparisonOperation cmp, Expr left, Expr right, int k, boolean isLt, boolean testIsTrue
+) {
+  exists(SubExpr lhs, int c, int x |
+    compares_lt(cmp, lhs, right, c, isLt, testIsTrue) and
+    left = lhs.getLeftOperand() and
+    x = int_value(lhs.getRightOperand()) and
+    k = c + x
+  )
+  or
+  exists(SubExpr rhs, int c, int x |
+    compares_lt(cmp, left, rhs, c, isLt, testIsTrue) and
+    right = rhs.getLeftOperand() and
+    x = int_value(rhs.getRightOperand()) and
+    k = c - x
+  )
+}
+
+// left + x < right + c => left < right + (c-x)
+// left < (right + x) + c => left < right + (c+x)
+private predicate add_lt(
+  ComparisonOperation cmp, Expr left, Expr right, int k, boolean isLt, boolean testIsTrue
+) {
+  exists(AddExpr lhs, int c, int x |
+    compares_lt(cmp, lhs, right, c, isLt, testIsTrue) and
+    (
+      left = lhs.getLeftOperand() and x = int_value(lhs.getRightOperand())
+      or
+      left = lhs.getRightOperand() and x = int_value(lhs.getLeftOperand())
+    ) and
+    k = c - x
+  )
+  or
+  exists(AddExpr rhs, int c, int x |
+    compares_lt(cmp, left, rhs, c, isLt, testIsTrue) and
+    (
+      right = rhs.getLeftOperand() and x = int_value(rhs.getRightOperand())
+      or
+      right = rhs.getRightOperand() and x = int_value(rhs.getLeftOperand())
+    ) and
+    k = c + x
+  )
+}
+
+/** The `int` value of integer constant expression. */
+private int int_value(Expr e) {
+  e.getUnderlyingType() instanceof IntegralType and
+  result = e.getValue().toInt()
+}
 
 /** An `SsaDefinition` with an additional predicate `isLt`. */
 class GuardedSsa extends SsaDefinition {

cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll

@@ -5,8 +5,6 @@
 
 import cpp
 import semmle.code.cpp.ir.IR
-private import semmle.code.cpp.ir.implementation.raw.internal.TranslatedExpr
-private import semmle.code.cpp.ir.implementation.raw.internal.InstructionTag
 
 /**
  * Holds if `block` consists of an `UnreachedInstruction`.
@@ -203,30 +201,12 @@ private class GuardConditionFromIR extends GuardCondition {
    * `&&` and `||`. See the detailed explanation on predicate `controls`.
    */
   private predicate controlsBlock(BasicBlock controlled, boolean testIsTrue) {
-    exists(IRBlock irb, Instruction instr |
+    exists(IRBlock irb |
       ir.controls(irb, testIsTrue) and
-      instr = irb.getAnInstruction() and
-      instr.getAst().(ControlFlowNode).getBasicBlock() = controlled and
-      not isUnreachedBlock(irb) and
-      not this.excludeAsControlledInstruction(instr)
+      irb.getAnInstruction().getAst().(ControlFlowNode).getBasicBlock() = controlled and
+      not isUnreachedBlock(irb)
     )
   }
-
-  private predicate excludeAsControlledInstruction(Instruction instr) {
-    // Exclude the temporaries generated by a ternary expression.
-    exists(TranslatedConditionalExpr tce |
-      instr = tce.getInstruction(ConditionValueFalseStoreTag())
-      or
-      instr = tce.getInstruction(ConditionValueTrueStoreTag())
-      or
-      instr = tce.getInstruction(ConditionValueTrueTempAddressTag())
-      or
-      instr = tce.getInstruction(ConditionValueFalseTempAddressTag())
-    )
-    or
-    // Exclude unreached instructions, as their AST is the whole function and not a block.
-    instr instanceof UnreachedInstruction
-  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/controlflow/internal/ConstantExprs.qll

@@ -110,8 +110,8 @@ private predicate loopConditionAlwaysUponEntry(ControlFlowNode loop, Expr condit
  * should be in this relation.
  */
 pragma[noinline]
-private predicate isFunction(@element el) {
-  el instanceof @function
+private predicate isFunction(Element el) {
+  el instanceof Function
   or
   el.(Expr).getParent() = el
 }
@@ -122,7 +122,7 @@ private predicate isFunction(@element el) {
  */
 pragma[noopt]
 private predicate callHasNoTarget(@funbindexpr fc) {
-  exists(@function f |
+  exists(Function f |
     funbind(fc, f) and
     not isFunction(f)
   )

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowDispatch.qll

@@ -54,6 +54,18 @@ private predicate functionSignature(Function f, string qualifiedName, int nparam
   not f.isStatic()
 }
 
+/**
+ * Holds if the set of viable implementations that can be called by `call`
+ * might be improved by knowing the call context.
+ */
+predicate mayBenefitFromCallContext(DataFlowCall call, Function f) { none() }
+
+/**
+ * Gets a viable dispatch target of `call` in the context `ctx`. This is
+ * restricted to those `call`s for which a context might make a difference.
+ */
+Function viableImplInCallContext(DataFlowCall call, DataFlowCall ctx) { none() }
+
 /** A parameter position represented by an integer. */
 class ParameterPosition extends int {
   ParameterPosition() { any(ParameterNode p).isParameterOf(_, this) }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll

@@ -10,12 +10,10 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-deprecated import FlowStateString
+import FlowStateString
 private import codeql.util.Unit
 
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
  * A configuration of interprocedural data flow analysis. This defines
  * sources, sinks, and any other configurable aspect of the analysis. Each
  * use of the global data flow library must define its own unique extension
@@ -50,7 +48,7 @@ private import codeql.util.Unit
  * should instead depend on a `DataFlow2::Configuration`, a
  * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`.
  */
-abstract deprecated class Configuration extends string {
+abstract class Configuration extends string {
   bindingset[this]
   Configuration() { any() }
 
@@ -191,7 +189,7 @@ abstract deprecated class Configuration extends string {
  * Good performance cannot be guaranteed in the presence of such recursion, so
  * it should be replaced by using more than one copy of the data flow library.
  */
-abstract deprecated private class ConfigurationRecursionPrevention extends Configuration {
+abstract private class ConfigurationRecursionPrevention extends Configuration {
   bindingset[this]
   ConfigurationRecursionPrevention() { any() }
 
@@ -212,7 +210,7 @@ abstract deprecated private class ConfigurationRecursionPrevention extends Confi
   }
 }
 
-deprecated private FlowState relevantState(Configuration config) {
+private FlowState relevantState(Configuration config) {
   config.isSource(_, result) or
   config.isSink(_, result) or
   config.isBarrier(_, result) or
@@ -221,17 +219,17 @@ deprecated private FlowState relevantState(Configuration config) {
 }
 
 private newtype TConfigState =
-  deprecated TMkConfigState(Configuration config, FlowState state) {
+  TMkConfigState(Configuration config, FlowState state) {
     state = relevantState(config) or state instanceof FlowStateEmpty
   }
 
-deprecated private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
+private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
 
-deprecated private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
+private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
 
-deprecated private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
+private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
 
-deprecated private module Config implements FullStateConfigSig {
+private module Config implements FullStateConfigSig {
   class FlowState = TConfigState;
 
   predicate isSource(Node source, FlowState state) {
@@ -298,13 +296,13 @@ deprecated private module Config implements FullStateConfigSig {
   predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
-deprecated private import Impl<Config> as I
+private import Impl<Config> as I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
  * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
  */
-deprecated class PathNode instanceof I::PathNode {
+class PathNode instanceof I::PathNode {
   /** Gets a textual representation of this element. */
   final string toString() { result = super.toString() }
 
@@ -331,10 +329,10 @@ deprecated class PathNode instanceof I::PathNode {
   final Node getNode() { result = super.getNode() }
 
   /** Gets the `FlowState` of this node. */
-  deprecated final FlowState getState() { result = getState(super.getState()) }
+  final FlowState getState() { result = getState(super.getState()) }
 
   /** Gets the associated configuration. */
-  deprecated final Configuration getConfiguration() { result = getConfig(super.getState()) }
+  final Configuration getConfiguration() { result = getConfig(super.getState()) }
 
   /** Gets a successor of this node, if any. */
   final PathNode getASuccessor() { result = super.getASuccessor() }
@@ -349,9 +347,9 @@ deprecated class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
-deprecated module PathGraph = I::PathGraph;
+module PathGraph = I::PathGraph;
 
-deprecated private predicate hasFlow(Node source, Node sink, Configuration config) {
+private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
     source0.getNode() = source and
@@ -359,10 +357,10 @@ deprecated private predicate hasFlow(Node source, Node sink, Configuration confi
   )
 }
 
-deprecated private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
+private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
   I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
-deprecated private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
+private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
 
-deprecated predicate flowsTo = hasFlow/3;
+predicate flowsTo = hasFlow/3;

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll

@@ -10,12 +10,10 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-deprecated import FlowStateString
+import FlowStateString
 private import codeql.util.Unit
 
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
  * A configuration of interprocedural data flow analysis. This defines
  * sources, sinks, and any other configurable aspect of the analysis. Each
  * use of the global data flow library must define its own unique extension
@@ -50,7 +48,7 @@ private import codeql.util.Unit
  * should instead depend on a `DataFlow2::Configuration`, a
  * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`.
  */
-abstract deprecated class Configuration extends string {
+abstract class Configuration extends string {
   bindingset[this]
   Configuration() { any() }
 
@@ -191,7 +189,7 @@ abstract deprecated class Configuration extends string {
  * Good performance cannot be guaranteed in the presence of such recursion, so
  * it should be replaced by using more than one copy of the data flow library.
  */
-abstract deprecated private class ConfigurationRecursionPrevention extends Configuration {
+abstract private class ConfigurationRecursionPrevention extends Configuration {
   bindingset[this]
   ConfigurationRecursionPrevention() { any() }
 
@@ -212,7 +210,7 @@ abstract deprecated private class ConfigurationRecursionPrevention extends Confi
   }
 }
 
-deprecated private FlowState relevantState(Configuration config) {
+private FlowState relevantState(Configuration config) {
   config.isSource(_, result) or
   config.isSink(_, result) or
   config.isBarrier(_, result) or
@@ -221,17 +219,17 @@ deprecated private FlowState relevantState(Configuration config) {
 }
 
 private newtype TConfigState =
-  deprecated TMkConfigState(Configuration config, FlowState state) {
+  TMkConfigState(Configuration config, FlowState state) {
     state = relevantState(config) or state instanceof FlowStateEmpty
   }
 
-deprecated private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
+private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
 
-deprecated private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
+private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
 
-deprecated private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
+private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
 
-deprecated private module Config implements FullStateConfigSig {
+private module Config implements FullStateConfigSig {
   class FlowState = TConfigState;
 
   predicate isSource(Node source, FlowState state) {
@@ -298,13 +296,13 @@ deprecated private module Config implements FullStateConfigSig {
   predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
-deprecated private import Impl<Config> as I
+private import Impl<Config> as I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
  * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
  */
-deprecated class PathNode instanceof I::PathNode {
+class PathNode instanceof I::PathNode {
   /** Gets a textual representation of this element. */
   final string toString() { result = super.toString() }
 
@@ -331,10 +329,10 @@ deprecated class PathNode instanceof I::PathNode {
   final Node getNode() { result = super.getNode() }
 
   /** Gets the `FlowState` of this node. */
-  deprecated final FlowState getState() { result = getState(super.getState()) }
+  final FlowState getState() { result = getState(super.getState()) }
 
   /** Gets the associated configuration. */
-  deprecated final Configuration getConfiguration() { result = getConfig(super.getState()) }
+  final Configuration getConfiguration() { result = getConfig(super.getState()) }
 
   /** Gets a successor of this node, if any. */
   final PathNode getASuccessor() { result = super.getASuccessor() }
@@ -349,9 +347,9 @@ deprecated class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
-deprecated module PathGraph = I::PathGraph;
+module PathGraph = I::PathGraph;
 
-deprecated private predicate hasFlow(Node source, Node sink, Configuration config) {
+private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
     source0.getNode() = source and
@@ -359,10 +357,10 @@ deprecated private predicate hasFlow(Node source, Node sink, Configuration confi
   )
 }
 
-deprecated private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
+private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
   I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
-deprecated private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
+private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
 
-deprecated predicate flowsTo = hasFlow/3;
+predicate flowsTo = hasFlow/3;

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll

@@ -10,12 +10,10 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-deprecated import FlowStateString
+import FlowStateString
 private import codeql.util.Unit
 
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
  * A configuration of interprocedural data flow analysis. This defines
  * sources, sinks, and any other configurable aspect of the analysis. Each
  * use of the global data flow library must define its own unique extension
@@ -50,7 +48,7 @@ private import codeql.util.Unit
  * should instead depend on a `DataFlow2::Configuration`, a
  * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`.
  */
-abstract deprecated class Configuration extends string {
+abstract class Configuration extends string {
   bindingset[this]
   Configuration() { any() }
 
@@ -191,7 +189,7 @@ abstract deprecated class Configuration extends string {
  * Good performance cannot be guaranteed in the presence of such recursion, so
  * it should be replaced by using more than one copy of the data flow library.
  */
-abstract deprecated private class ConfigurationRecursionPrevention extends Configuration {
+abstract private class ConfigurationRecursionPrevention extends Configuration {
   bindingset[this]
   ConfigurationRecursionPrevention() { any() }
 
@@ -212,7 +210,7 @@ abstract deprecated private class ConfigurationRecursionPrevention extends Confi
   }
 }
 
-deprecated private FlowState relevantState(Configuration config) {
+private FlowState relevantState(Configuration config) {
   config.isSource(_, result) or
   config.isSink(_, result) or
   config.isBarrier(_, result) or
@@ -221,17 +219,17 @@ deprecated private FlowState relevantState(Configuration config) {
 }
 
 private newtype TConfigState =
-  deprecated TMkConfigState(Configuration config, FlowState state) {
+  TMkConfigState(Configuration config, FlowState state) {
     state = relevantState(config) or state instanceof FlowStateEmpty
   }
 
-deprecated private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
+private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
 
-deprecated private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
+private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
 
-deprecated private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
+private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
 
-deprecated private module Config implements FullStateConfigSig {
+private module Config implements FullStateConfigSig {
   class FlowState = TConfigState;
 
   predicate isSource(Node source, FlowState state) {
@@ -298,13 +296,13 @@ deprecated private module Config implements FullStateConfigSig {
   predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
-deprecated private import Impl<Config> as I
+private import Impl<Config> as I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
  * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
  */
-deprecated class PathNode instanceof I::PathNode {
+class PathNode instanceof I::PathNode {
   /** Gets a textual representation of this element. */
   final string toString() { result = super.toString() }
 
@@ -331,10 +329,10 @@ deprecated class PathNode instanceof I::PathNode {
   final Node getNode() { result = super.getNode() }
 
   /** Gets the `FlowState` of this node. */
-  deprecated final FlowState getState() { result = getState(super.getState()) }
+  final FlowState getState() { result = getState(super.getState()) }
 
   /** Gets the associated configuration. */
-  deprecated final Configuration getConfiguration() { result = getConfig(super.getState()) }
+  final Configuration getConfiguration() { result = getConfig(super.getState()) }
 
   /** Gets a successor of this node, if any. */
   final PathNode getASuccessor() { result = super.getASuccessor() }
@@ -349,9 +347,9 @@ deprecated class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
-deprecated module PathGraph = I::PathGraph;
+module PathGraph = I::PathGraph;
 
-deprecated private predicate hasFlow(Node source, Node sink, Configuration config) {
+private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
     source0.getNode() = source and
@@ -359,10 +357,10 @@ deprecated private predicate hasFlow(Node source, Node sink, Configuration confi
   )
 }
 
-deprecated private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
+private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
   I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
-deprecated private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
+private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
 
-deprecated predicate flowsTo = hasFlow/3;
+predicate flowsTo = hasFlow/3;

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll

@@ -10,12 +10,10 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-deprecated import FlowStateString
+import FlowStateString
 private import codeql.util.Unit
 
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
  * A configuration of interprocedural data flow analysis. This defines
  * sources, sinks, and any other configurable aspect of the analysis. Each
  * use of the global data flow library must define its own unique extension
@@ -50,7 +48,7 @@ private import codeql.util.Unit
  * should instead depend on a `DataFlow2::Configuration`, a
  * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`.
  */
-abstract deprecated class Configuration extends string {
+abstract class Configuration extends string {
   bindingset[this]
   Configuration() { any() }
 
@@ -191,7 +189,7 @@ abstract deprecated class Configuration extends string {
  * Good performance cannot be guaranteed in the presence of such recursion, so
  * it should be replaced by using more than one copy of the data flow library.
  */
-abstract deprecated private class ConfigurationRecursionPrevention extends Configuration {
+abstract private class ConfigurationRecursionPrevention extends Configuration {
   bindingset[this]
   ConfigurationRecursionPrevention() { any() }
 
@@ -212,7 +210,7 @@ abstract deprecated private class ConfigurationRecursionPrevention extends Confi
   }
 }
 
-deprecated private FlowState relevantState(Configuration config) {
+private FlowState relevantState(Configuration config) {
   config.isSource(_, result) or
   config.isSink(_, result) or
   config.isBarrier(_, result) or
@@ -221,17 +219,17 @@ deprecated private FlowState relevantState(Configuration config) {
 }
 
 private newtype TConfigState =
-  deprecated TMkConfigState(Configuration config, FlowState state) {
+  TMkConfigState(Configuration config, FlowState state) {
     state = relevantState(config) or state instanceof FlowStateEmpty
   }
 
-deprecated private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
+private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
 
-deprecated private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
+private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
 
-deprecated private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
+private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
 
-deprecated private module Config implements FullStateConfigSig {
+private module Config implements FullStateConfigSig {
   class FlowState = TConfigState;
 
   predicate isSource(Node source, FlowState state) {
@@ -298,13 +296,13 @@ deprecated private module Config implements FullStateConfigSig {
   predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
-deprecated private import Impl<Config> as I
+private import Impl<Config> as I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
  * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
  */
-deprecated class PathNode instanceof I::PathNode {
+class PathNode instanceof I::PathNode {
   /** Gets a textual representation of this element. */
   final string toString() { result = super.toString() }
 
@@ -331,10 +329,10 @@ deprecated class PathNode instanceof I::PathNode {
   final Node getNode() { result = super.getNode() }
 
   /** Gets the `FlowState` of this node. */
-  deprecated final FlowState getState() { result = getState(super.getState()) }
+  final FlowState getState() { result = getState(super.getState()) }
 
   /** Gets the associated configuration. */
-  deprecated final Configuration getConfiguration() { result = getConfig(super.getState()) }
+  final Configuration getConfiguration() { result = getConfig(super.getState()) }
 
   /** Gets a successor of this node, if any. */
   final PathNode getASuccessor() { result = super.getASuccessor() }
@@ -349,9 +347,9 @@ deprecated class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
-deprecated module PathGraph = I::PathGraph;
+module PathGraph = I::PathGraph;
 
-deprecated private predicate hasFlow(Node source, Node sink, Configuration config) {
+private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
     source0.getNode() = source and
@@ -359,10 +357,10 @@ deprecated private predicate hasFlow(Node source, Node sink, Configuration confi
   )
 }
 
-deprecated private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
+private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
   I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
-deprecated private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
+private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
 
-deprecated predicate flowsTo = hasFlow/3;
+predicate flowsTo = hasFlow/3;

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll

@@ -10,12 +10,10 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-deprecated import FlowStateString
+import FlowStateString
 private import codeql.util.Unit
 
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
  * A configuration of interprocedural data flow analysis. This defines
  * sources, sinks, and any other configurable aspect of the analysis. Each
  * use of the global data flow library must define its own unique extension
@@ -50,7 +48,7 @@ private import codeql.util.Unit
  * should instead depend on a `DataFlow2::Configuration`, a
  * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`.
  */
-abstract deprecated class Configuration extends string {
+abstract class Configuration extends string {
   bindingset[this]
   Configuration() { any() }
 
@@ -191,7 +189,7 @@ abstract deprecated class Configuration extends string {
  * Good performance cannot be guaranteed in the presence of such recursion, so
  * it should be replaced by using more than one copy of the data flow library.
  */
-abstract deprecated private class ConfigurationRecursionPrevention extends Configuration {
+abstract private class ConfigurationRecursionPrevention extends Configuration {
   bindingset[this]
   ConfigurationRecursionPrevention() { any() }
 
@@ -212,7 +210,7 @@ abstract deprecated private class ConfigurationRecursionPrevention extends Confi
   }
 }
 
-deprecated private FlowState relevantState(Configuration config) {
+private FlowState relevantState(Configuration config) {
   config.isSource(_, result) or
   config.isSink(_, result) or
   config.isBarrier(_, result) or
@@ -221,17 +219,17 @@ deprecated private FlowState relevantState(Configuration config) {
 }
 
 private newtype TConfigState =
-  deprecated TMkConfigState(Configuration config, FlowState state) {
+  TMkConfigState(Configuration config, FlowState state) {
     state = relevantState(config) or state instanceof FlowStateEmpty
   }
 
-deprecated private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
+private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
 
-deprecated private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
+private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
 
-deprecated private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
+private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
 
-deprecated private module Config implements FullStateConfigSig {
+private module Config implements FullStateConfigSig {
   class FlowState = TConfigState;
 
   predicate isSource(Node source, FlowState state) {
@@ -298,13 +296,13 @@ deprecated private module Config implements FullStateConfigSig {
   predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
-deprecated private import Impl<Config> as I
+private import Impl<Config> as I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
  * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
  */
-deprecated class PathNode instanceof I::PathNode {
+class PathNode instanceof I::PathNode {
   /** Gets a textual representation of this element. */
   final string toString() { result = super.toString() }
 
@@ -331,10 +329,10 @@ deprecated class PathNode instanceof I::PathNode {
   final Node getNode() { result = super.getNode() }
 
   /** Gets the `FlowState` of this node. */
-  deprecated final FlowState getState() { result = getState(super.getState()) }
+  final FlowState getState() { result = getState(super.getState()) }
 
   /** Gets the associated configuration. */
-  deprecated final Configuration getConfiguration() { result = getConfig(super.getState()) }
+  final Configuration getConfiguration() { result = getConfig(super.getState()) }
 
   /** Gets a successor of this node, if any. */
   final PathNode getASuccessor() { result = super.getASuccessor() }
@@ -349,9 +347,9 @@ deprecated class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
-deprecated module PathGraph = I::PathGraph;
+module PathGraph = I::PathGraph;
 
-deprecated private predicate hasFlow(Node source, Node sink, Configuration config) {
+private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
     source0.getNode() = source and
@@ -359,10 +357,10 @@ deprecated private predicate hasFlow(Node source, Node sink, Configuration confi
   )
 }
 
-deprecated private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
+private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
   I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
-deprecated private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
+private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
 
-deprecated predicate flowsTo = hasFlow/3;
+predicate flowsTo = hasFlow/3;

cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll

@@ -1,6 +1,4 @@
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
  * Provides an implementation of global (interprocedural) taint tracking.
  * This file re-exports the local (intraprocedural) taint-tracking analysis
  * from `TaintTrackingParameter::Public` and adds a global analysis, mainly
@@ -14,8 +12,6 @@ import TaintTrackingParameter::Public
 private import TaintTrackingParameter::Private
 
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
  * A configuration of interprocedural taint tracking analysis. This defines
  * sources, sinks, and any other configurable aspect of the analysis. Each
  * use of the taint tracking library must define its own unique extension of
@@ -55,7 +51,7 @@ private import TaintTrackingParameter::Private
  * Instead, the dependency should go to a `TaintTracking2::Configuration` or a
  * `DataFlow2::Configuration`, `DataFlow3::Configuration`, etc.
  */
-abstract deprecated class Configuration extends DataFlow::Configuration {
+abstract class Configuration extends DataFlow::Configuration {
   bindingset[this]
   Configuration() { any() }
 

cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll

@@ -1,6 +1,4 @@
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
  * Provides an implementation of global (interprocedural) taint tracking.
  * This file re-exports the local (intraprocedural) taint-tracking analysis
  * from `TaintTrackingParameter::Public` and adds a global analysis, mainly
@@ -14,8 +12,6 @@ import TaintTrackingParameter::Public
 private import TaintTrackingParameter::Private
 
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
  * A configuration of interprocedural taint tracking analysis. This defines
  * sources, sinks, and any other configurable aspect of the analysis. Each
  * use of the taint tracking library must define its own unique extension of
@@ -55,7 +51,7 @@ private import TaintTrackingParameter::Private
  * Instead, the dependency should go to a `TaintTracking2::Configuration` or a
  * `DataFlow2::Configuration`, `DataFlow3::Configuration`, etc.
  */
-abstract deprecated class Configuration extends DataFlow::Configuration {
+abstract class Configuration extends DataFlow::Configuration {
   bindingset[this]
   Configuration() { any() }
 

cpp/ql/lib/semmle/code/cpp/internal/ResolveGlobalVariable.qll

@@ -24,8 +24,8 @@ private predicate isGlobalWithMangledNameAndWithoutDefinition(@mangledname name,
  * a unique global variable `complete` with the same name that does have a definition.
  */
 private predicate hasTwinWithDefinition(@globalvariable incomplete, @globalvariable complete) {
-  not variable_instantiation(incomplete, complete) and
   exists(@mangledname name |
+    not variable_instantiation(incomplete, complete) and
     isGlobalWithMangledNameAndWithoutDefinition(name, incomplete) and
     isGlobalWithMangledNameAndWithDefinition(name, complete)
   )

cpp/ql/lib/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll

@@ -0,0 +1,21 @@
+/**
+ * DEPRECATED: Use `semmle.code.cpp.ir.dataflow.TaintTracking` as a replacement.
+ *
+ * An IR taint tracking library that uses an IR DataFlow configuration to track
+ * taint from user inputs as defined by `semmle.code.cpp.security.Security`.
+ */
+
+import cpp
+import semmle.code.cpp.security.Security
+private import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl as DefaultTaintTrackingImpl
+
+deprecated predicate predictableOnlyFlow = DefaultTaintTrackingImpl::predictableOnlyFlow/1;
+
+deprecated predicate tainted = DefaultTaintTrackingImpl::tainted/2;
+
+deprecated predicate taintedIncludingGlobalVars =
+  DefaultTaintTrackingImpl::taintedIncludingGlobalVars/3;
+
+deprecated predicate globalVarFromId = DefaultTaintTrackingImpl::globalVarFromId/1;
+
+deprecated module TaintedWithPath = DefaultTaintTrackingImpl::TaintedWithPath;

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll

@@ -249,7 +249,9 @@ private predicate functionSignature(Function f, string qualifiedName, int nparam
  * Holds if the set of viable implementations that can be called by `call`
  * might be improved by knowing the call context.
  */
-predicate mayBenefitFromCallContext(DataFlowCall call) { mayBenefitFromCallContext(call, _, _) }
+predicate mayBenefitFromCallContext(DataFlowCall call, DataFlowCallable f) {
+  mayBenefitFromCallContext(call, f, _)
+}
 
 /**
  * Holds if `call` is a call through a function pointer, and the pointer

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll

@@ -10,12 +10,10 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-deprecated import FlowStateString
+import FlowStateString
 private import codeql.util.Unit
 
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
  * A configuration of interprocedural data flow analysis. This defines
  * sources, sinks, and any other configurable aspect of the analysis. Each
  * use of the global data flow library must define its own unique extension
@@ -50,7 +48,7 @@ private import codeql.util.Unit
  * should instead depend on a `DataFlow2::Configuration`, a
  * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`.
  */
-abstract deprecated class Configuration extends string {
+abstract class Configuration extends string {
   bindingset[this]
   Configuration() { any() }
 
@@ -191,7 +189,7 @@ abstract deprecated class Configuration extends string {
  * Good performance cannot be guaranteed in the presence of such recursion, so
  * it should be replaced by using more than one copy of the data flow library.
  */
-abstract deprecated private class ConfigurationRecursionPrevention extends Configuration {
+abstract private class ConfigurationRecursionPrevention extends Configuration {
   bindingset[this]
   ConfigurationRecursionPrevention() { any() }
 
@@ -212,7 +210,7 @@ abstract deprecated private class ConfigurationRecursionPrevention extends Confi
   }
 }
 
-deprecated private FlowState relevantState(Configuration config) {
+private FlowState relevantState(Configuration config) {
   config.isSource(_, result) or
   config.isSink(_, result) or
   config.isBarrier(_, result) or
@@ -221,17 +219,17 @@ deprecated private FlowState relevantState(Configuration config) {
 }
 
 private newtype TConfigState =
-  deprecated TMkConfigState(Configuration config, FlowState state) {
+  TMkConfigState(Configuration config, FlowState state) {
     state = relevantState(config) or state instanceof FlowStateEmpty
   }
 
-deprecated private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
+private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
 
-deprecated private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
+private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
 
-deprecated private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
+private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
 
-deprecated private module Config implements FullStateConfigSig {
+private module Config implements FullStateConfigSig {
   class FlowState = TConfigState;
 
   predicate isSource(Node source, FlowState state) {
@@ -298,13 +296,13 @@ deprecated private module Config implements FullStateConfigSig {
   predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
-deprecated private import Impl<Config> as I
+private import Impl<Config> as I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
  * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
  */
-deprecated class PathNode instanceof I::PathNode {
+class PathNode instanceof I::PathNode {
   /** Gets a textual representation of this element. */
   final string toString() { result = super.toString() }
 
@@ -331,10 +329,10 @@ deprecated class PathNode instanceof I::PathNode {
   final Node getNode() { result = super.getNode() }
 
   /** Gets the `FlowState` of this node. */
-  deprecated final FlowState getState() { result = getState(super.getState()) }
+  final FlowState getState() { result = getState(super.getState()) }
 
   /** Gets the associated configuration. */
-  deprecated final Configuration getConfiguration() { result = getConfig(super.getState()) }
+  final Configuration getConfiguration() { result = getConfig(super.getState()) }
 
   /** Gets a successor of this node, if any. */
   final PathNode getASuccessor() { result = super.getASuccessor() }
@@ -349,9 +347,9 @@ deprecated class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
-deprecated module PathGraph = I::PathGraph;
+module PathGraph = I::PathGraph;
 
-deprecated private predicate hasFlow(Node source, Node sink, Configuration config) {
+private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
     source0.getNode() = source and
@@ -359,10 +357,10 @@ deprecated private predicate hasFlow(Node source, Node sink, Configuration confi
   )
 }
 
-deprecated private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
+private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
   I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
-deprecated private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
+private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
 
-deprecated predicate flowsTo = hasFlow/3;
+predicate flowsTo = hasFlow/3;

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -10,12 +10,10 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-deprecated import FlowStateString
+import FlowStateString
 private import codeql.util.Unit
 
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
  * A configuration of interprocedural data flow analysis. This defines
  * sources, sinks, and any other configurable aspect of the analysis. Each
  * use of the global data flow library must define its own unique extension
@@ -50,7 +48,7 @@ private import codeql.util.Unit
  * should instead depend on a `DataFlow2::Configuration`, a
  * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`.
  */
-abstract deprecated class Configuration extends string {
+abstract class Configuration extends string {
   bindingset[this]
   Configuration() { any() }
 
@@ -191,7 +189,7 @@ abstract deprecated class Configuration extends string {
  * Good performance cannot be guaranteed in the presence of such recursion, so
  * it should be replaced by using more than one copy of the data flow library.
  */
-abstract deprecated private class ConfigurationRecursionPrevention extends Configuration {
+abstract private class ConfigurationRecursionPrevention extends Configuration {
   bindingset[this]
   ConfigurationRecursionPrevention() { any() }
 
@@ -212,7 +210,7 @@ abstract deprecated private class ConfigurationRecursionPrevention extends Confi
   }
 }
 
-deprecated private FlowState relevantState(Configuration config) {
+private FlowState relevantState(Configuration config) {
   config.isSource(_, result) or
   config.isSink(_, result) or
   config.isBarrier(_, result) or
@@ -221,17 +219,17 @@ deprecated private FlowState relevantState(Configuration config) {
 }
 
 private newtype TConfigState =
-  deprecated TMkConfigState(Configuration config, FlowState state) {
+  TMkConfigState(Configuration config, FlowState state) {
     state = relevantState(config) or state instanceof FlowStateEmpty
   }
 
-deprecated private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
+private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
 
-deprecated private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
+private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
 
-deprecated private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
+private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
 
-deprecated private module Config implements FullStateConfigSig {
+private module Config implements FullStateConfigSig {
   class FlowState = TConfigState;
 
   predicate isSource(Node source, FlowState state) {
@@ -298,13 +296,13 @@ deprecated private module Config implements FullStateConfigSig {
   predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
-deprecated private import Impl<Config> as I
+private import Impl<Config> as I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
  * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
  */
-deprecated class PathNode instanceof I::PathNode {
+class PathNode instanceof I::PathNode {
   /** Gets a textual representation of this element. */
   final string toString() { result = super.toString() }
 
@@ -331,10 +329,10 @@ deprecated class PathNode instanceof I::PathNode {
   final Node getNode() { result = super.getNode() }
 
   /** Gets the `FlowState` of this node. */
-  deprecated final FlowState getState() { result = getState(super.getState()) }
+  final FlowState getState() { result = getState(super.getState()) }
 
   /** Gets the associated configuration. */
-  deprecated final Configuration getConfiguration() { result = getConfig(super.getState()) }
+  final Configuration getConfiguration() { result = getConfig(super.getState()) }
 
   /** Gets a successor of this node, if any. */
   final PathNode getASuccessor() { result = super.getASuccessor() }
@@ -349,9 +347,9 @@ deprecated class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
-deprecated module PathGraph = I::PathGraph;
+module PathGraph = I::PathGraph;
 
-deprecated private predicate hasFlow(Node source, Node sink, Configuration config) {
+private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
     source0.getNode() = source and
@@ -359,10 +357,10 @@ deprecated private predicate hasFlow(Node source, Node sink, Configuration confi
   )
 }
 
-deprecated private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
+private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
   I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
-deprecated private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
+private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
 
-deprecated predicate flowsTo = hasFlow/3;
+predicate flowsTo = hasFlow/3;

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -10,12 +10,10 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-deprecated import FlowStateString
+import FlowStateString
 private import codeql.util.Unit
 
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
  * A configuration of interprocedural data flow analysis. This defines
  * sources, sinks, and any other configurable aspect of the analysis. Each
  * use of the global data flow library must define its own unique extension
@@ -50,7 +48,7 @@ private import codeql.util.Unit
  * should instead depend on a `DataFlow2::Configuration`, a
  * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`.
  */
-abstract deprecated class Configuration extends string {
+abstract class Configuration extends string {
   bindingset[this]
   Configuration() { any() }
 
@@ -191,7 +189,7 @@ abstract deprecated class Configuration extends string {
  * Good performance cannot be guaranteed in the presence of such recursion, so
  * it should be replaced by using more than one copy of the data flow library.
  */
-abstract deprecated private class ConfigurationRecursionPrevention extends Configuration {
+abstract private class ConfigurationRecursionPrevention extends Configuration {
   bindingset[this]
   ConfigurationRecursionPrevention() { any() }
 
@@ -212,7 +210,7 @@ abstract deprecated private class ConfigurationRecursionPrevention extends Confi
   }
 }
 
-deprecated private FlowState relevantState(Configuration config) {
+private FlowState relevantState(Configuration config) {
   config.isSource(_, result) or
   config.isSink(_, result) or
   config.isBarrier(_, result) or
@@ -221,17 +219,17 @@ deprecated private FlowState relevantState(Configuration config) {
 }
 
 private newtype TConfigState =
-  deprecated TMkConfigState(Configuration config, FlowState state) {
+  TMkConfigState(Configuration config, FlowState state) {
     state = relevantState(config) or state instanceof FlowStateEmpty
   }
 
-deprecated private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
+private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
 
-deprecated private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
+private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
 
-deprecated private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
+private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
 
-deprecated private module Config implements FullStateConfigSig {
+private module Config implements FullStateConfigSig {
   class FlowState = TConfigState;
 
   predicate isSource(Node source, FlowState state) {
@@ -298,13 +296,13 @@ deprecated private module Config implements FullStateConfigSig {
   predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
-deprecated private import Impl<Config> as I
+private import Impl<Config> as I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
  * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
  */
-deprecated class PathNode instanceof I::PathNode {
+class PathNode instanceof I::PathNode {
   /** Gets a textual representation of this element. */
   final string toString() { result = super.toString() }
 
@@ -331,10 +329,10 @@ deprecated class PathNode instanceof I::PathNode {
   final Node getNode() { result = super.getNode() }
 
   /** Gets the `FlowState` of this node. */
-  deprecated final FlowState getState() { result = getState(super.getState()) }
+  final FlowState getState() { result = getState(super.getState()) }
 
   /** Gets the associated configuration. */
-  deprecated final Configuration getConfiguration() { result = getConfig(super.getState()) }
+  final Configuration getConfiguration() { result = getConfig(super.getState()) }
 
   /** Gets a successor of this node, if any. */
   final PathNode getASuccessor() { result = super.getASuccessor() }
@@ -349,9 +347,9 @@ deprecated class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
-deprecated module PathGraph = I::PathGraph;
+module PathGraph = I::PathGraph;
 
-deprecated private predicate hasFlow(Node source, Node sink, Configuration config) {
+private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
     source0.getNode() = source and
@@ -359,10 +357,10 @@ deprecated private predicate hasFlow(Node source, Node sink, Configuration confi
   )
 }
 
-deprecated private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
+private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
   I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
-deprecated private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
+private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
 
-deprecated predicate flowsTo = hasFlow/3;
+predicate flowsTo = hasFlow/3;

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

@@ -10,12 +10,10 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-deprecated import FlowStateString
+import FlowStateString
 private import codeql.util.Unit
 
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
  * A configuration of interprocedural data flow analysis. This defines
  * sources, sinks, and any other configurable aspect of the analysis. Each
  * use of the global data flow library must define its own unique extension
@@ -50,7 +48,7 @@ private import codeql.util.Unit
  * should instead depend on a `DataFlow2::Configuration`, a
  * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`.
  */
-abstract deprecated class Configuration extends string {
+abstract class Configuration extends string {
   bindingset[this]
   Configuration() { any() }
 
@@ -191,7 +189,7 @@ abstract deprecated class Configuration extends string {
  * Good performance cannot be guaranteed in the presence of such recursion, so
  * it should be replaced by using more than one copy of the data flow library.
  */
-abstract deprecated private class ConfigurationRecursionPrevention extends Configuration {
+abstract private class ConfigurationRecursionPrevention extends Configuration {
   bindingset[this]
   ConfigurationRecursionPrevention() { any() }
 
@@ -212,7 +210,7 @@ abstract deprecated private class ConfigurationRecursionPrevention extends Confi
   }
 }
 
-deprecated private FlowState relevantState(Configuration config) {
+private FlowState relevantState(Configuration config) {
   config.isSource(_, result) or
   config.isSink(_, result) or
   config.isBarrier(_, result) or
@@ -221,17 +219,17 @@ deprecated private FlowState relevantState(Configuration config) {
 }
 
 private newtype TConfigState =
-  deprecated TMkConfigState(Configuration config, FlowState state) {
+  TMkConfigState(Configuration config, FlowState state) {
     state = relevantState(config) or state instanceof FlowStateEmpty
   }
 
-deprecated private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
+private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
 
-deprecated private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
+private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
 
-deprecated private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
+private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
 
-deprecated private module Config implements FullStateConfigSig {
+private module Config implements FullStateConfigSig {
   class FlowState = TConfigState;
 
   predicate isSource(Node source, FlowState state) {
@@ -298,13 +296,13 @@ deprecated private module Config implements FullStateConfigSig {
   predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
-deprecated private import Impl<Config> as I
+private import Impl<Config> as I
 
 /**
  * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
  * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
  */
-deprecated class PathNode instanceof I::PathNode {
+class PathNode instanceof I::PathNode {
   /** Gets a textual representation of this element. */
   final string toString() { result = super.toString() }
 
@@ -331,10 +329,10 @@ deprecated class PathNode instanceof I::PathNode {
   final Node getNode() { result = super.getNode() }
 
   /** Gets the `FlowState` of this node. */
-  deprecated final FlowState getState() { result = getState(super.getState()) }
+  final FlowState getState() { result = getState(super.getState()) }
 
   /** Gets the associated configuration. */
-  deprecated final Configuration getConfiguration() { result = getConfig(super.getState()) }
+  final Configuration getConfiguration() { result = getConfig(super.getState()) }
 
   /** Gets a successor of this node, if any. */
   final PathNode getASuccessor() { result = super.getASuccessor() }
@@ -349,9 +347,9 @@ deprecated class PathNode instanceof I::PathNode {
   final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }
 
-deprecated module PathGraph = I::PathGraph;
+module PathGraph = I::PathGraph;
 
-deprecated private predicate hasFlow(Node source, Node sink, Configuration config) {
+private predicate hasFlow(Node source, Node sink, Configuration config) {
   exists(PathNode source0, PathNode sink0 |
     hasFlowPath(source0, sink0, config) and
     source0.getNode() = source and
@@ -359,10 +357,10 @@ deprecated private predicate hasFlow(Node source, Node sink, Configuration confi
   )
 }
 
-deprecated private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
+private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
   I::flowPath(source, sink) and source.getConfiguration() = config
 }
 
-deprecated private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
+private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
 
-deprecated predicate flowsTo = hasFlow/3;
+predicate flowsTo = hasFlow/3;

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplSpecific.qll

@@ -20,10 +20,4 @@ module CppDataFlow implements InputSig {
   Node exprNode(DataFlowExpr e) { result = Public::exprNode(e) }
 
   predicate getAdditionalFlowIntoCallNodeTerm = Private::getAdditionalFlowIntoCallNodeTerm/2;
-
-  predicate validParameterAliasStep = Private::validParameterAliasStep/2;
-
-  predicate mayBenefitFromCallContext = Private::mayBenefitFromCallContext/1;
-
-  predicate viableImplInCallContext = Private::viableImplInCallContext/2;
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -6,7 +6,6 @@ private import semmle.code.cpp.ir.internal.IRCppLanguage
 private import SsaInternals as Ssa
 private import DataFlowImplCommon as DataFlowImplCommon
 private import codeql.util.Unit
-private import Node0ToString
 
 cached
 private module Cached {
@@ -59,41 +58,6 @@ private module Cached {
 import Cached
 private import Nodes0
 
-/**
- * A module for calculating the number of stars (i.e., `*`s) needed for various
- * dataflow node `toString` predicates.
- */
-module NodeStars {
-  private int getNumberOfIndirections(Node n) {
-    result = n.(RawIndirectOperand).getIndirectionIndex()
-    or
-    result = n.(RawIndirectInstruction).getIndirectionIndex()
-    or
-    result = n.(VariableNode).getIndirectionIndex()
-    or
-    result = n.(PostUpdateNodeImpl).getIndirectionIndex()
-    or
-    result = n.(FinalParameterNode).getIndirectionIndex()
-  }
-
-  private int maxNumberOfIndirections() { result = max(getNumberOfIndirections(_)) }
-
-  private string repeatStars(int n) {
-    n = 0 and result = ""
-    or
-    n = [1 .. maxNumberOfIndirections()] and
-    result = "*" + repeatStars(n - 1)
-  }
-
-  /**
-   * Gets the number of stars (i.e., `*`s) needed to produce the `toString`
-   * output for `n`.
-   */
-  string stars(Node n) { result = repeatStars(getNumberOfIndirections(n)) }
-}
-
-import NodeStars
-
 class Node0Impl extends TIRDataFlowNode0 {
   /**
    * INTERNAL: Do not use.
@@ -174,7 +138,11 @@ abstract class InstructionNode0 extends Node0Impl {
 
   override DataFlowType getType() { result = getInstructionType(instr, _) }
 
-  override string toStringImpl() { result = instructionToString(instr) }
+  override string toStringImpl() {
+    if instr.(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable
+    then result = "this"
+    else result = instr.getAst().toString()
+  }
 
   override Location getLocationImpl() {
     if exists(instr.getAst().getLocation())
@@ -219,7 +187,11 @@ abstract class OperandNode0 extends Node0Impl {
 
   override DataFlowType getType() { result = getOperandType(op, _) }
 
-  override string toStringImpl() { result = operandToString(op) }
+  override string toStringImpl() {
+    if op.getDef().(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable
+    then result = "this"
+    else result = op.getDef().getAst().toString()
+  }
 
   override Location getLocationImpl() {
     if exists(op.getDef().getAst().getLocation())
@@ -1177,55 +1149,3 @@ private int countNumberOfBranchesUsingParameter(SwitchInstruction switch, Parame
       )
   )
 }
-
-/**
- * Holds if the data-flow step from `node1` to `node2` can be used to
- * determine where side-effects may return from a callable.
- * For C/C++, this means that the step from `node1` to `node2` not only
- * preserves the value, but also preserves the identity of the value.
- * For example, the assignment to `x` that reads the value of `*p` in
- * ```cpp
- * int* p = ...
- * int x = *p;
- * ```
- * does not preserve the identity of `*p`.
- */
-bindingset[node1, node2]
-pragma[inline_late]
-predicate validParameterAliasStep(Node node1, Node node2) {
-  // When flow-through summaries are computed we track which parameters flow to out-going parameters.
-  // In an example such as:
-  // ```
-  // modify(int* px) { *px = source(); }
-  // void modify_copy(int* p) {
-  //   int x = *p;
-  //   modify(&x);
-  // }
-  // ```
-  // since dataflow tracks each indirection as a separate SSA variable dataflow
-  // sees the above roughly as
-  // ```
-  // modify(int* px, int deref_px) { deref_px = source(); }
-  // void modify_copy(int* p, int deref_p) {
-  //   int x = deref_p;
-  //   modify(&x, x);
-  // }
-  // ```
-  // and when dataflow computes flow from a parameter to a post-update node to
-  // conclude which parameters are "updated" by the call to `modify_copy` it
-  // finds flow from `x [post update]` to `deref_p [post update]`.
-  // To prevent this we exclude steps that don't preserve identity. We do this
-  // by excluding flow from the right-hand side of `StoreInstruction`s to the
-  // `StoreInstruction`. This is sufficient because, for flow-through summaries,
-  // we're only interested in indirect parameters such as `deref_p` in the
-  // exampe above (i.e., the parameters with a non-zero indirection index), and
-  // if that ever flows to the right-hand side of a `StoreInstruction` then
-  // there must have been a dereference to reduce its indirection index down to
-  // 0.
-  not exists(Operand operand |
-    node1.asOperand() = operand and
-    node2.asInstruction().(StoreInstruction).getSourceValueOperand() = operand
-  )
-  // TODO: Also block flow through models that don't preserve identity such
-  // as `strdup`.
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -15,21 +15,20 @@ private import ModelUtil
 private import SsaInternals as Ssa
 private import DataFlowImplCommon as DataFlowImplCommon
 private import codeql.util.Unit
-private import Node0ToString
 
 /**
  * The IR dataflow graph consists of the following nodes:
- * - `Node0`, which injects most instructions and operands directly into the
- *    dataflow graph.
+ * - `Node0`, which injects most instructions and operands directly into the dataflow graph.
  * - `VariableNode`, which is used to model flow through global variables.
- * - `PostUpdateNodeImpl`, which is used to model the state of an object after
- *    an update after a number of loads.
- * - `SsaPhiNode`, which represents phi nodes as computed by the shared SSA
- *    library.
- * - `RawIndirectOperand`, which represents the value of `operand` after
- *    loading the address a number of times.
- * - `RawIndirectInstruction`, which represents the value of `instr` after
- *    loading the address a number of times.
+ * - `PostFieldUpdateNode`, which is used to model the state of a field after a value has been stored
+ * into an address after a number of loads.
+ * - `SsaPhiNode`, which represents phi nodes as computed by the shared SSA library.
+ * - `IndirectArgumentOutNode`, which represents the value of an argument (and its indirections) after
+ * it leaves a function call.
+ * - `RawIndirectOperand`, which represents the value of `operand` after loading the address a number
+ * of times.
+ * - `RawIndirectInstruction`, which represents the value of `instr` after loading the address a number
+ * of times.
  */
 cached
 private newtype TIRDataFlowNode =
@@ -38,13 +37,14 @@ private newtype TIRDataFlowNode =
     indirectionIndex =
       [getMinIndirectionsForType(var.getUnspecifiedType()) .. Ssa::getMaxIndirectionsForType(var.getUnspecifiedType())]
   } or
-  TPostUpdateNodeImpl(Operand operand, int indirectionIndex) {
-    operand = any(FieldAddress fa).getObjectAddressOperand() and
-    indirectionIndex = [0 .. Ssa::countIndirectionsForCppType(Ssa::getLanguageType(operand))]
-    or
-    Ssa::isModifiableByCall(operand, indirectionIndex)
+  TPostFieldUpdateNode(FieldAddress operand, int indirectionIndex) {
+    indirectionIndex =
+      [1 .. Ssa::countIndirectionsForCppType(operand.getObjectAddress().getResultLanguageType())]
   } or
   TSsaPhiNode(Ssa::PhiNode phi) or
+  TIndirectArgumentOutNode(ArgumentOperand operand, int indirectionIndex) {
+    Ssa::isModifiableByCall(operand, indirectionIndex)
+  } or
   TRawIndirectOperand0(Node0Impl node, int indirectionIndex) {
     Ssa::hasRawIndirectOperand(node.asOperand(), indirectionIndex)
   } or
@@ -84,7 +84,7 @@ private predicate parameterIsRedefined(Parameter p) {
 class FieldAddress extends Operand {
   FieldAddressInstruction fai;
 
-  FieldAddress() { fai = this.getDef() and not Ssa::ignoreOperand(this) }
+  FieldAddress() { fai = this.getDef() }
 
   /** Gets the field associated with this instruction. */
   Field getField() { result = fai.getField() }
@@ -260,71 +260,6 @@ class Node extends TIRDataFlowNode {
    */
   Expr asDefiningArgument() { result = this.asDefiningArgument(_) }
 
-  /**
-   * Gets the definition associated with this node, if any.
-   *
-   * For example, consider the following example
-   * ```cpp
-   * int x = 42;     // 1
-   * x = 34;         // 2
-   * ++x;            // 3
-   * x++;            // 4
-   * x += 1;         // 5
-   * int y = x += 2; // 6
-   * ```
-   * - For (1) the result is `42`.
-   * - For (2) the result is `x = 34`.
-   * - For (3) the result is `++x`.
-   * - For (4) the result is `x++`.
-   * - For (5) the result is `x += 1`.
-   * - For (6) there are two results:
-   *   - For the definition generated by `x += 2` the result is `x += 2`
-   *   - For the definition generated by `int y = ...` the result is
-   *     also `x += 2`.
-   *
-   * For assignments, `node.asDefinition()` and `node.asExpr()` will both exist
-   * for the same dataflow node. However, for expression such as `x++` that
-   * both write to `x` and read the current value of `x`, `node.asDefinition()`
-   * will give the node corresponding to the value after the increment, and
-   * `node.asExpr()` will give the node corresponding to the value before the
-   * increment. For an example of this, consider the following:
-   *
-   * ```cpp
-   * sink(x++);
-   * ```
-   * in the above program, there will not be flow from a node `n` such that
-   * `n.asDefinition() instanceof IncrementOperation` to the argument of `sink`
-   * since the value passed to `sink` is the value before to the increment.
-   * However, there will be dataflow from a node `n` such that
-   * `n.asExpr() instanceof IncrementOperation` since the result of evaluating
-   * the expression `x++` is passed to `sink`.
-   */
-  Expr asDefinition() {
-    exists(StoreInstruction store |
-      store = this.asInstruction() and
-      result = asDefinitionImpl(store)
-    )
-  }
-
-  /**
-   * Gets the indirect definition at a given indirection corresponding to this
-   * node, if any.
-   *
-   * See the comments on `Node.asDefinition` for examples.
-   */
-  Expr asIndirectDefinition(int indirectionIndex) {
-    exists(StoreInstruction store |
-      this.(IndirectInstruction).hasInstructionAndIndirectionIndex(store, indirectionIndex) and
-      result = asDefinitionImpl(store)
-    )
-  }
-
-  /**
-   * Gets the indirect definition at some indirection corresponding to this
-   * node, if any.
-   */
-  Expr asIndirectDefinition() { result = this.asIndirectDefinition(_) }
-
   /**
    * Gets the argument that defines this `DefinitionByReferenceNode`, if any.
    *
@@ -437,12 +372,7 @@ class Node extends TIRDataFlowNode {
    * `x.set(taint())` is a partial definition of `x`, and `transfer(&x, taint())` is
    * a partial definition of `&x`).
    */
-  Expr asPartialDefinition() {
-    exists(PartialDefinitionNode pdn | this = pdn |
-      pdn.getIndirectionIndex() > 0 and
-      result = pdn.getDefinedExpr()
-    )
-  }
+  Expr asPartialDefinition() { result = this.(PartialDefinitionNode).getDefinedExpr() }
 
   /**
    * Gets an upper bound on the type of this node.
@@ -486,6 +416,13 @@ class Node extends TIRDataFlowNode {
   }
 }
 
+private string toExprString(Node n) {
+  result = n.asExpr(0).toString()
+  or
+  not exists(n.asExpr()) and
+  result = n.asIndirectExpr(0, 1).toString() + " indirection"
+}
+
 /**
  * A class that lifts pre-SSA dataflow nodes to regular dataflow nodes.
  */
@@ -548,53 +485,37 @@ Type stripPointer(Type t) {
   result = t.(FunctionPointerIshType).getBaseType()
 }
 
-/**
- * INTERNAL: Do not use.
- */
-class PostUpdateNodeImpl extends PartialDefinitionNode, TPostUpdateNodeImpl {
-  int indirectionIndex;
-  Operand operand;
-
-  PostUpdateNodeImpl() { this = TPostUpdateNodeImpl(operand, indirectionIndex) }
-
-  override Declaration getFunction() { result = operand.getUse().getEnclosingFunction() }
-
-  override Declaration getEnclosingCallable() { result = this.getFunction() }
-
-  /** Gets the operand associated with this node. */
-  Operand getOperand() { result = operand }
-
-  /** Gets the indirection index associated with this node. */
-  override int getIndirectionIndex() { result = indirectionIndex }
-
-  override Location getLocationImpl() { result = operand.getLocation() }
-
-  final override Node getPreUpdateNode() {
-    indirectionIndex > 0 and
-    hasOperandAndIndex(result, operand, indirectionIndex)
-    or
-    indirectionIndex = 0 and
-    result.asOperand() = operand
-  }
-
-  final override Expr getDefinedExpr() {
-    result = operand.getDef().getUnconvertedResultExpression()
-  }
-}
-
 /**
  * INTERNAL: do not use.
  *
  * The node representing the value of a field after it has been updated.
  */
-class PostFieldUpdateNode extends PostUpdateNodeImpl {
+class PostFieldUpdateNode extends TPostFieldUpdateNode, PartialDefinitionNode {
+  int indirectionIndex;
   FieldAddress fieldAddress;
 
-  PostFieldUpdateNode() { operand = fieldAddress.getObjectAddressOperand() }
+  PostFieldUpdateNode() { this = TPostFieldUpdateNode(fieldAddress, indirectionIndex) }
+
+  override Declaration getFunction() { result = fieldAddress.getUse().getEnclosingFunction() }
+
+  override Declaration getEnclosingCallable() { result = this.getFunction() }
 
   FieldAddress getFieldAddress() { result = fieldAddress }
 
-  Field getUpdatedField() { result = this.getFieldAddress().getField() }
+  Field getUpdatedField() { result = fieldAddress.getField() }
+
+  int getIndirectionIndex() { result = indirectionIndex }
+
+  override Node getPreUpdateNode() {
+    hasOperandAndIndex(result, pragma[only_bind_into](fieldAddress).getObjectAddressOperand(),
+      indirectionIndex)
+  }
+
+  override Expr getDefinedExpr() {
+    result = fieldAddress.getObjectAddress().getUnconvertedResultExpression()
+  }
+
+  override Location getLocationImpl() { result = fieldAddress.getLocation() }
 
   override string toStringImpl() { result = this.getPreUpdateNode() + " [post update]" }
 }
@@ -779,12 +700,10 @@ class IndirectParameterNode extends Node instanceof IndirectInstruction {
   override Location getLocationImpl() { result = this.getParameter().getLocation() }
 
   override string toStringImpl() {
-    exists(string prefix | prefix = stars(this) |
-      result = prefix + this.getParameter().toString()
-      or
-      not exists(this.getParameter()) and
-      result = prefix + "this"
-    )
+    result = this.getParameter().toString() + " indirection"
+    or
+    not exists(this.getParameter()) and
+    result = "this indirection"
   }
 }
 
@@ -832,8 +751,13 @@ class IndirectReturnNode extends Node {
  * A node representing the indirection of a value after it
  * has been returned from a function.
  */
-class IndirectArgumentOutNode extends PostUpdateNodeImpl {
-  override ArgumentOperand operand;
+class IndirectArgumentOutNode extends Node, TIndirectArgumentOutNode, PartialDefinitionNode {
+  ArgumentOperand operand;
+  int indirectionIndex;
+
+  IndirectArgumentOutNode() { this = TIndirectArgumentOutNode(operand, indirectionIndex) }
+
+  int getIndirectionIndex() { result = indirectionIndex }
 
   int getArgumentIndex() {
     exists(CallInstruction call | call.getArgumentOperand(result) = operand)
@@ -845,16 +769,24 @@ class IndirectArgumentOutNode extends PostUpdateNodeImpl {
 
   Function getStaticCallTarget() { result = this.getCallInstruction().getStaticCallTarget() }
 
+  override Declaration getEnclosingCallable() { result = this.getFunction() }
+
+  override Declaration getFunction() { result = this.getCallInstruction().getEnclosingFunction() }
+
+  override Node getPreUpdateNode() { hasOperandAndIndex(result, operand, indirectionIndex) }
+
   override string toStringImpl() {
-    exists(string prefix | if indirectionIndex > 0 then prefix = "" else prefix = "pointer to " |
-      // This string should be unique enough to be helpful but common enough to
-      // avoid storing too many different strings.
-      result = prefix + this.getStaticCallTarget().getName() + " output argument"
-      or
-      not exists(this.getStaticCallTarget()) and
-      result = prefix + "output argument"
-    )
+    // This string should be unique enough to be helpful but common enough to
+    // avoid storing too many different strings.
+    result = this.getStaticCallTarget().getName() + " output argument"
+    or
+    not exists(this.getStaticCallTarget()) and
+    result = "output argument"
   }
+
+  override Location getLocationImpl() { result = operand.getLocation() }
+
+  override Expr getDefinedExpr() { result = operand.getDef().getUnconvertedResultExpression() }
 }
 
 /**
@@ -959,8 +891,7 @@ private Type getTypeImpl0(Type t, int indirectionIndex) {
  *
  * If `indirectionIndex` cannot be stripped off `t`, an `UnknownType` is returned.
  */
-bindingset[t, indirectionIndex]
-pragma[inline_late]
+bindingset[indirectionIndex]
 Type getTypeImpl(Type t, int indirectionIndex) {
   result = getTypeImpl0(t, indirectionIndex)
   or
@@ -1012,7 +943,7 @@ private module RawIndirectNodes {
     }
 
     override string toStringImpl() {
-      result = stars(this) + operandNode(this.getOperand()).toStringImpl()
+      result = operandNode(this.getOperand()).toStringImpl() + " indirection"
     }
   }
 
@@ -1054,7 +985,7 @@ private module RawIndirectNodes {
     }
 
     override string toStringImpl() {
-      result = stars(this) + instructionNode(this.getInstruction()).toStringImpl()
+      result = instructionNode(this.getInstruction()).toStringImpl() + " indirection"
     }
   }
 
@@ -1147,7 +1078,9 @@ class FinalParameterNode extends Node, TFinalParameterNode {
     result instanceof UnknownDefaultLocation
   }
 
-  override string toStringImpl() { result = stars(this) + p.toString() }
+  override string toStringImpl() {
+    if indirectionIndex > 1 then result = p.toString() + " indirection" else result = p.toString()
+  }
 }
 
 /**
@@ -1209,6 +1142,22 @@ private module GetConvertedResultExpression {
   }
 
   private Expr getConvertedResultExpressionImpl0(Instruction instr) {
+    // For an expression such as `i += 2` we pretend that the generated
+    // `StoreInstruction` contains the result of the expression even though
+    // this isn't totally aligned with the C/C++ standard.
+    exists(TranslatedAssignOperation tao |
+      result = tao.getExpr() and
+      instr = tao.getInstruction(any(AssignmentStoreTag tag))
+    )
+    or
+    // Similarly for `i++` and `++i` we pretend that the generated
+    // `StoreInstruction` is contains the result of the expression even though
+    // this isn't totally aligned with the C/C++ standard.
+    exists(TranslatedCrementOperation tco |
+      result = tco.getExpr() and
+      instr = tco.getInstruction(any(CrementStoreTag tag))
+    )
+    or
     // IR construction inserts an additional cast to a `size_t` on the extent
     // of a `new[]` expression. The resulting `ConvertInstruction` doesn't have
     // a result for `getConvertedResultExpression`. We remap this here so that
@@ -1216,7 +1165,7 @@ private module GetConvertedResultExpression {
     // represents the extent.
     exists(TranslatedNonConstantAllocationSize tas |
       result = tas.getExtent().getExpr() and
-      instr = tas.getInstruction(AllocationExtentConvertTag())
+      instr = tas.getInstruction(any(AllocationExtentConvertTag tag))
     )
     or
     // There's no instruction that returns `ParenthesisExpr`, but some queries
@@ -1225,39 +1174,6 @@ private module GetConvertedResultExpression {
       result = ttc.getExpr().(ParenthesisExpr) and
       instr = ttc.getResult()
     )
-    or
-    // Certain expressions generate `CopyValueInstruction`s only when they
-    // are needed. Examples of this include crement operations and compound
-    // assignment operations. For example:
-    // ```cpp
-    // int x = ...
-    // int y = x++;
-    // ```
-    // this generate IR like:
-    // ```
-    // r1(glval<int>) = VariableAddress[x] :
-    // r2(int)        = Constant[0]        :
-    // m3(int)        = Store[x]           : &:r1, r2
-    // r4(glval<int>) = VariableAddress[y] :
-    // r5(glval<int>) = VariableAddress[x] :
-    // r6(int)        = Load[x]            : &:r5, m3
-    // r7(int)        = Constant[1]        :
-    // r8(int)        = Add                : r6, r7
-    // m9(int)        = Store[x]           : &:r5, r8
-    // r11(int)       = CopyValue         : r6
-    // m12(int)       = Store[y]          : &:r4, r11
-    // ```
-    // When the `CopyValueInstruction` is not generated there is no instruction
-    // whose `getConvertedResultExpression` maps back to the expression. When
-    // such an instruction doesn't exist it means that the old value is not
-    // needed, and in that case the only value that will propagate forward in
-    // the program is the value that's been updated. So in those cases we just
-    // use the result of `node.asDefinition()` as the result of `node.asExpr()`.
-    exists(TranslatedCoreExpr tco |
-      tco.getInstruction(_) = instr and
-      tco.producesExprResult() and
-      result = asDefinitionImpl0(instr)
-    )
   }
 
   private Expr getConvertedResultExpressionImpl(Instruction instr) {
@@ -1266,75 +1182,6 @@ private module GetConvertedResultExpression {
     not exists(getConvertedResultExpressionImpl0(instr)) and
     result = instr.getConvertedResultExpression()
   }
-
-  /**
-   * Gets the result for `node.asDefinition()` (when `node` is the instruction
-   * node that wraps `store`) in the cases where `store.getAst()` should not be
-   * used to define the result of `node.asDefinition()`.
-   */
-  private Expr asDefinitionImpl0(StoreInstruction store) {
-    // For an expression such as `i += 2` we pretend that the generated
-    // `StoreInstruction` contains the result of the expression even though
-    // this isn't totally aligned with the C/C++ standard.
-    exists(TranslatedAssignOperation tao |
-      store = tao.getInstruction(AssignmentStoreTag()) and
-      result = tao.getExpr()
-    )
-    or
-    // Similarly for `i++` and `++i` we pretend that the generated
-    // `StoreInstruction` is contains the result of the expression even though
-    // this isn't totally aligned with the C/C++ standard.
-    exists(TranslatedCrementOperation tco |
-      store = tco.getInstruction(CrementStoreTag()) and
-      result = tco.getExpr()
-    )
-  }
-
-  /**
-   * Holds if the expression returned by `store.getAst()` should not be
-   * returned as the result of `node.asDefinition()` when `node` is the
-   * instruction node that wraps `store`.
-   */
-  private predicate excludeAsDefinitionResult(StoreInstruction store) {
-    // Exclude the store to the temporary generated by a ternary expression.
-    exists(TranslatedConditionalExpr tce |
-      store = tce.getInstruction(ConditionValueFalseStoreTag())
-      or
-      store = tce.getInstruction(ConditionValueTrueStoreTag())
-    )
-  }
-
-  /**
-   * Gets the expression that represents the result of `StoreInstruction` for
-   * dataflow purposes.
-   *
-   * For example, consider the following example
-   * ```cpp
-   * int x = 42;     // 1
-   * x = 34;         // 2
-   * ++x;            // 3
-   * x++;            // 4
-   * x += 1;         // 5
-   * int y = x += 2; // 6
-   * ```
-   * For (1) the result is `42`.
-   * For (2) the result is `x = 34`.
-   * For (3) the result is `++x`.
-   * For (4) the result is `x++`.
-   * For (5) the result is `x += 1`.
-   * For (6) there are two results:
-   *   - For the `StoreInstruction` generated by `x += 2` the result
-   *     is `x += 2`
-   *   - For the `StoreInstruction` generated by `int y = ...` the result
-   *     is also `x += 2`
-   */
-  Expr asDefinitionImpl(StoreInstruction store) {
-    not exists(asDefinitionImpl0(store)) and
-    not excludeAsDefinitionResult(store) and
-    result = store.getAst().(Expr).getUnconverted()
-    or
-    result = asDefinitionImpl0(store)
-  }
 }
 
 private import GetConvertedResultExpression
@@ -1394,21 +1241,11 @@ abstract private class ExprNodeBase extends Node {
   final Expr getExpr(int n) { result = this.getConvertedExpr(n).getUnconverted() }
 }
 
-/**
- * Holds if there exists a dataflow node whose `asExpr(n)` should evaluate
- * to `e`.
- */
-private predicate exprNodeShouldBe(Expr e, int n) {
-  exprNodeShouldBeInstruction(_, e, n) or
-  exprNodeShouldBeOperand(_, e, n) or
-  exprNodeShouldBeIndirectOutNode(_, e, n)
-}
-
 private class InstructionExprNode extends ExprNodeBase, InstructionNode {
   InstructionExprNode() {
     exists(Expr e, int n |
       exprNodeShouldBeInstruction(this, e, n) and
-      not exprNodeShouldBe(e, n + 1)
+      not exprNodeShouldBeInstruction(_, e, n + 1)
     )
   }
 
@@ -1419,7 +1256,7 @@ private class OperandExprNode extends ExprNodeBase, OperandNode {
   OperandExprNode() {
     exists(Expr e, int n |
       exprNodeShouldBeOperand(this, e, n) and
-      not exprNodeShouldBe(e, n + 1)
+      not exprNodeShouldBeOperand(_, e, n + 1)
     )
   }
 
@@ -1720,10 +1557,6 @@ abstract class PostUpdateNode extends Node {
  * ```
  */
 abstract private class PartialDefinitionNode extends PostUpdateNode {
-  /** Gets the indirection index of this node. */
-  abstract int getIndirectionIndex();
-
-  /** Gets the expression that is partially defined by this node. */
   abstract Expr getDefinedExpr();
 }
 
@@ -1738,8 +1571,6 @@ abstract private class PartialDefinitionNode extends PostUpdateNode {
  * `getVariableAccess()` equal to `x`.
  */
 class DefinitionByReferenceNode extends IndirectArgumentOutNode {
-  DefinitionByReferenceNode() { this.getIndirectionIndex() > 0 }
-
   /** Gets the unconverted argument corresponding to this node. */
   Expr getArgument() { result = this.getAddressOperand().getDef().getUnconvertedResultExpression() }
 
@@ -1791,7 +1622,9 @@ class VariableNode extends Node, TVariableNode {
     result instanceof UnknownDefaultLocation
   }
 
-  override string toStringImpl() { result = stars(this) + v.toString() }
+  override string toStringImpl() {
+    if indirectionIndex = 1 then result = v.toString() else result = v.toString() + " indirection"
+  }
 }
 
 /**
@@ -2251,25 +2084,6 @@ class Content extends TContent {
   abstract predicate impliesClearOf(Content c);
 }
 
-private module ContentStars {
-  private int maxNumberOfIndirections() { result = max(any(Content c).getIndirectionIndex()) }
-
-  private string repeatStars(int n) {
-    n = 0 and result = ""
-    or
-    n = [1 .. maxNumberOfIndirections()] and
-    result = "*" + repeatStars(n - 1)
-  }
-
-  /**
-   * Gets the number of stars (i.e., `*`s) needed to produce the `toString`
-   * output for `c`.
-   */
-  string contentStars(Content c) { result = repeatStars(c.getIndirectionIndex() - 1) }
-}
-
-private import ContentStars
-
 /** A reference through a non-union instance field. */
 class FieldContent extends Content, TFieldContent {
   Field f;
@@ -2277,7 +2091,11 @@ class FieldContent extends Content, TFieldContent {
 
   FieldContent() { this = TFieldContent(f, indirectionIndex) }
 
-  override string toString() { result = contentStars(this) + f.toString() }
+  override string toString() {
+    indirectionIndex = 1 and result = f.toString()
+    or
+    indirectionIndex > 1 and result = f.toString() + " indirection"
+  }
 
   Field getField() { result = f }
 
@@ -2306,7 +2124,11 @@ class UnionContent extends Content, TUnionContent {
 
   UnionContent() { this = TUnionContent(u, bytes, indirectionIndex) }
 
-  override string toString() { result = contentStars(this) + u.toString() }
+  override string toString() {
+    indirectionIndex = 1 and result = u.toString()
+    or
+    indirectionIndex > 1 and result = u.toString() + " indirection"
+  }
 
   /** Gets a field of the underlying union of this `UnionContent`, if any. */
   Field getAField() { result = u.getAField() and getFieldSize(result) = bytes }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DebugPrinting.qll

@@ -1,24 +0,0 @@
-/**
- * This file contains the class that implements the _debug_ version of
- * `toString` for `Instruction` and `Operand` dataflow nodes.
- */
-
-private import semmle.code.cpp.ir.IR
-private import codeql.util.Unit
-private import Node0ToString
-private import DataFlowUtil
-
-private class DebugNode0ToString extends Node0ToString {
-  DebugNode0ToString() {
-    // Silence warning about `this` not being bound.
-    exists(this)
-  }
-
-  override string instructionToString(Instruction i) { result = i.getDumpString() }
-
-  override string operandToString(Operand op) {
-    result = op.getDumpString() + " @ " + op.getUse().getResultId()
-  }
-
-  override string toExprString(Node n) { none() }
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DefaultTaintTrackingImpl.qll

@@ -0,0 +1,668 @@
+/**
+ * INTERNAL: Do not use.
+ *
+ * An IR taint tracking library that uses an IR DataFlow configuration to track
+ * taint from user inputs as defined by `semmle.code.cpp.security.Security`.
+ */
+
+import cpp
+import semmle.code.cpp.security.Security
+private import semmle.code.cpp.ir.dataflow.DataFlow
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
+private import semmle.code.cpp.ir.IR
+private import semmle.code.cpp.ir.dataflow.ResolveCall
+private import semmle.code.cpp.controlflow.IRGuards
+private import semmle.code.cpp.models.interfaces.Taint
+private import semmle.code.cpp.models.interfaces.DataFlow
+private import semmle.code.cpp.ir.dataflow.TaintTracking
+private import semmle.code.cpp.ir.dataflow.TaintTracking2
+private import semmle.code.cpp.ir.dataflow.TaintTracking3
+private import semmle.code.cpp.ir.dataflow.internal.ModelUtil
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
+
+/**
+ * A predictable instruction is one where an external user can predict
+ * the value. For example, a literal in the source code is considered
+ * predictable.
+ */
+private predicate predictableInstruction(Instruction instr) {
+  instr instanceof ConstantInstruction
+  or
+  instr instanceof StringConstantInstruction
+  or
+  // This could be a conversion on a string literal
+  predictableInstruction(instr.(UnaryInstruction).getUnary())
+}
+
+/**
+ * Functions that we should only allow taint to flow through (to the return
+ * value) if all but the source argument are 'predictable'.  This is done to
+ * emulate the old security library's implementation rather than due to any
+ * strong belief that this is the right approach.
+ *
+ * Note that the list itself is not very principled; it consists of all the
+ * functions listed in the old security library's [default] `isPureFunction`
+ * that have more than one argument, but are not in the old taint tracking
+ * library's `returnArgument` predicate.
+ */
+predicate predictableOnlyFlow(string name) {
+  name =
+    [
+      "strcasestr", "strchnul", "strchr", "strchrnul", "strcmp", "strcspn", "strncmp", "strndup",
+      "strnlen", "strrchr", "strspn", "strstr", "strtod", "strtof", "strtol", "strtoll", "strtoq",
+      "strtoul"
+    ]
+}
+
+private DataFlow::Node getNodeForSource(Expr source) {
+  isUserInput(source, _) and
+  result = getNodeForExpr(source)
+}
+
+private DataFlow::Node getNodeForExpr(Expr node) {
+  node = DataFlow::ExprFlowCached::asExprInternal(result)
+  or
+  // Some of the sources in `isUserInput` are intended to match the value of
+  // an expression, while others (those modeled below) are intended to match
+  // the taint that propagates out of an argument, like the `char *` argument
+  // to `gets`. It's impossible here to tell which is which, but the "access
+  // to argv" source is definitely not intended to match an output argument,
+  // and it causes false positives if we let it.
+  //
+  // This case goes together with the similar (but not identical) rule in
+  // `nodeIsBarrierIn`.
+  result = DataFlow::definitionByReferenceNodeFromArgument(node) and
+  not argv(node.(VariableAccess).getTarget())
+}
+
+private predicate conflatePointerAndPointee(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+  // Flow from `op` to `*op`.
+  exists(Operand operand, int indirectionIndex |
+    nodeHasOperand(nodeFrom, operand, indirectionIndex) and
+    nodeHasOperand(nodeTo, operand, indirectionIndex - 1)
+  )
+  or
+  // Flow from `instr` to `*instr`.
+  exists(Instruction instr, int indirectionIndex |
+    nodeHasInstruction(nodeFrom, instr, indirectionIndex) and
+    nodeHasInstruction(nodeTo, instr, indirectionIndex - 1)
+  )
+}
+
+private module DefaultTaintTrackingConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source = getNodeForSource(_) }
+
+  predicate isSink(DataFlow::Node sink) { exists(adjustedSink(sink)) }
+
+  predicate isBarrier(DataFlow::Node node) { nodeIsBarrier(node) }
+
+  predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
+
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    conflatePointerAndPointee(nodeFrom, nodeTo)
+  }
+}
+
+private module DefaultTaintTrackingFlow = TaintTracking::Global<DefaultTaintTrackingConfig>;
+
+private module ToGlobalVarTaintTrackingConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source = getNodeForSource(_) }
+
+  predicate isSink(DataFlow::Node sink) { sink.asVariable() instanceof GlobalOrNamespaceVariable }
+
+  predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
+    writesVariable(n1.asInstruction(), n2.asVariable().(GlobalOrNamespaceVariable))
+    or
+    readsVariable(n2.asInstruction(), n1.asVariable().(GlobalOrNamespaceVariable))
+  }
+
+  predicate isBarrier(DataFlow::Node node) { nodeIsBarrier(node) }
+
+  predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
+}
+
+private module ToGlobalVarTaintTrackingFlow = TaintTracking::Global<ToGlobalVarTaintTrackingConfig>;
+
+private module FromGlobalVarTaintTrackingConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    // This set of sources should be reasonably small, which is good for
+    // performance since the set of sinks is very large.
+    ToGlobalVarTaintTrackingFlow::flowTo(source)
+  }
+
+  predicate isSink(DataFlow::Node sink) { exists(adjustedSink(sink)) }
+
+  predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
+    // Additional step for flow out of variables. There is no flow _into_
+    // variables in this configuration, so this step only serves to take flow
+    // out of a variable that's a source.
+    readsVariable(n2.asInstruction(), n1.asVariable())
+  }
+
+  predicate isBarrier(DataFlow::Node node) { nodeIsBarrier(node) }
+
+  predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
+}
+
+private module FromGlobalVarTaintTrackingFlow =
+  TaintTracking::Global<FromGlobalVarTaintTrackingConfig>;
+
+private predicate readsVariable(LoadInstruction load, Variable var) {
+  load.getSourceAddress().(VariableAddressInstruction).getAstVariable() = var
+}
+
+private predicate writesVariable(StoreInstruction store, Variable var) {
+  store.getDestinationAddress().(VariableAddressInstruction).getAstVariable() = var
+}
+
+/**
+ * A variable that has any kind of upper-bound check anywhere in the program.  This is
+ * biased towards being inclusive because there are a lot of valid ways of doing an
+ * upper bounds checks if we don't consider where it occurs, for example:
+ * ```
+ *   if (x < 10) { sink(x); }
+ *
+ *   if (10 > y) { sink(y); }
+ *
+ *   if (z > 10) { z = 10; }
+ *   sink(z);
+ * ```
+ */
+// TODO: This coarse overapproximation, ported from the old taint tracking
+// library, could be replaced with an actual semantic check that a particular
+// variable _access_ is guarded by an upper-bound check. We probably don't want
+// to do this right away since it could expose a lot of FPs that were
+// previously suppressed by this predicate by coincidence.
+private predicate hasUpperBoundsCheck(Variable var) {
+  exists(RelationalOperation oper, VariableAccess access |
+    oper.getAnOperand() = access and
+    access.getTarget() = var and
+    // Comparing to 0 is not an upper bound check
+    not oper.getAnOperand().getValue() = "0"
+  )
+}
+
+private predicate nodeIsBarrierEqualityCandidate(
+  DataFlow::Node node, Operand access, Variable checkedVar
+) {
+  exists(Instruction instr | instr = node.asOperand().getDef() |
+    readsVariable(instr, checkedVar) and
+    any(IRGuardCondition guard).ensuresEq(access, _, _, instr.getBlock(), true)
+  )
+}
+
+cached
+private module Cached {
+  cached
+  predicate nodeIsBarrier(DataFlow::Node node) {
+    exists(Variable checkedVar, Instruction instr | instr = node.asOperand().getDef() |
+      readsVariable(instr, checkedVar) and
+      hasUpperBoundsCheck(checkedVar)
+    )
+    or
+    exists(Variable checkedVar, Operand access |
+      /*
+       * This node is guarded by a condition that forces the accessed variable
+       * to equal something else.  For example:
+       * ```
+       * x = taintsource()
+       * if (x == 10) {
+       *   taintsink(x); // not considered tainted
+       * }
+       * ```
+       */
+
+      nodeIsBarrierEqualityCandidate(node, access, checkedVar) and
+      readsVariable(access.getDef(), checkedVar)
+    )
+  }
+
+  cached
+  predicate nodeIsBarrierIn(DataFlow::Node node) {
+    // don't use dataflow into taint sources, as this leads to duplicate results.
+    exists(Expr source | isUserInput(source, _) |
+      source = DataFlow::ExprFlowCached::asExprInternal(node)
+      or
+      // This case goes together with the similar (but not identical) rule in
+      // `getNodeForSource`.
+      node = DataFlow::definitionByReferenceNodeFromArgument(source)
+    )
+    or
+    // don't use dataflow into binary instructions if both operands are unpredictable
+    exists(BinaryInstruction iTo |
+      iTo = node.asInstruction() and
+      not predictableInstruction(iTo.getLeft()) and
+      not predictableInstruction(iTo.getRight()) and
+      // propagate taint from either the pointer or the offset, regardless of predictability
+      not iTo instanceof PointerArithmeticInstruction
+    )
+    or
+    // don't use dataflow through calls to pure functions if two or more operands
+    // are unpredictable
+    exists(Instruction iFrom1, Instruction iFrom2, CallInstruction iTo |
+      iTo = node.asInstruction() and
+      isPureFunction(iTo.getStaticCallTarget().getName()) and
+      iFrom1 = iTo.getAnArgument() and
+      iFrom2 = iTo.getAnArgument() and
+      not predictableInstruction(iFrom1) and
+      not predictableInstruction(iFrom2) and
+      iFrom1 != iFrom2
+    )
+  }
+
+  cached
+  Element adjustedSink(DataFlow::Node sink) {
+    // TODO: is it more appropriate to use asConvertedExpr here and avoid
+    // `getConversion*`? Or will that cause us to miss some cases where there's
+    // flow to a conversion (like a `ReferenceDereferenceExpr`) and we want to
+    // pretend there was flow to the converted `Expr` for the sake of
+    // compatibility.
+    sink.asExpr().getConversion*() = result
+    or
+    // For compatibility, send flow from arguments to parameters, even for
+    // functions with no body.
+    exists(FunctionCall call, int i |
+      sink.asExpr() = call.getArgument(pragma[only_bind_into](i)) and
+      result = resolveCall(call).getParameter(pragma[only_bind_into](i))
+    )
+    or
+    // For compatibility, send flow into a `Variable` if there is flow to any
+    // Load or Store of that variable.
+    exists(CopyInstruction copy |
+      copy.getSourceValue() = sink.asInstruction() and
+      (
+        readsVariable(copy, result) or
+        writesVariable(copy, result)
+      ) and
+      not hasUpperBoundsCheck(result)
+    )
+    or
+    // For compatibility, send flow into a `NotExpr` even if it's part of a
+    // short-circuiting condition and thus might get skipped.
+    result.(NotExpr).getOperand() = sink.asExpr()
+    or
+    // Taint postfix and prefix crement operations when their operand is tainted.
+    result.(CrementOperation).getAnOperand() = sink.asExpr()
+    or
+    // Taint `e1 += e2`, `e &= e2` and friends when `e1` or `e2` is tainted.
+    result.(AssignOperation).getAnOperand() = sink.asExpr()
+    or
+    result =
+      sink.asOperand()
+          .(SideEffectOperand)
+          .getUse()
+          .(ReadSideEffectInstruction)
+          .getArgumentDef()
+          .getUnconvertedResultExpression()
+  }
+
+  /**
+   * Step to return value of a modeled function when an input taints the
+   * dereference of the return value.
+   */
+  cached
+  predicate additionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
+    exists(CallInstruction call, Function func, FunctionInput modelIn, FunctionOutput modelOut |
+      n1 = callInput(call, modelIn) and
+      (
+        func.(TaintFunction).hasTaintFlow(modelIn, modelOut)
+        or
+        func.(DataFlowFunction).hasDataFlow(modelIn, modelOut)
+      ) and
+      call.getStaticCallTarget() = func and
+      modelOut.isReturnValueDeref() and
+      call = n2.asInstruction()
+    )
+  }
+}
+
+private import Cached
+
+/**
+ * Holds if `tainted` may contain taint from `source`.
+ *
+ * A tainted expression is either directly user input, or is
+ * computed from user input in a way that users can probably
+ * control the exact output of the computation.
+ *
+ * This doesn't include data flow through global variables.
+ * If you need that you must call `taintedIncludingGlobalVars`.
+ */
+cached
+predicate tainted(Expr source, Element tainted) {
+  exists(DataFlow::Node sink |
+    DefaultTaintTrackingFlow::flow(getNodeForSource(source), sink) and
+    tainted = adjustedSink(sink)
+  )
+}
+
+/**
+ * Holds if `tainted` may contain taint from `source`, where the taint passed
+ * through a global variable named `globalVar`.
+ *
+ * A tainted expression is either directly user input, or is
+ * computed from user input in a way that users can probably
+ * control the exact output of the computation.
+ *
+ * This version gives the same results as tainted but also includes
+ * data flow through global variables.
+ *
+ * The parameter `globalVar` is the qualified name of the last global variable
+ * used to move the value from source to tainted. If the taint did not pass
+ * through a global variable, then `globalVar = ""`.
+ */
+cached
+predicate taintedIncludingGlobalVars(Expr source, Element tainted, string globalVar) {
+  tainted(source, tainted) and
+  globalVar = ""
+  or
+  exists(
+    DataFlow::VariableNode variableNode, GlobalOrNamespaceVariable global, DataFlow::Node sink
+  |
+    global = variableNode.getVariable() and
+    ToGlobalVarTaintTrackingFlow::flow(getNodeForSource(source), variableNode) and
+    FromGlobalVarTaintTrackingFlow::flow(variableNode, sink) and
+    tainted = adjustedSink(sink) and
+    global = globalVarFromId(globalVar)
+  )
+}
+
+/**
+ * Gets the global variable whose qualified name is `id`. Use this predicate
+ * together with `taintedIncludingGlobalVars`. Example:
+ *
+ * ```
+ * exists(string varName |
+ *   taintedIncludingGlobalVars(source, tainted, varName) and
+ *   var = globalVarFromId(varName)
+ * )
+ * ```
+ */
+GlobalOrNamespaceVariable globalVarFromId(string id) { id = result.getQualifiedName() }
+
+/**
+ * Provides definitions for augmenting source/sink pairs with data-flow paths
+ * between them. From a `@kind path-problem` query, import this module in the
+ * global scope, extend `TaintTrackingConfiguration`, and use `taintedWithPath`
+ * in place of `tainted`.
+ *
+ * Importing this module will also import the query predicates that contain the
+ * taint paths.
+ */
+module TaintedWithPath {
+  private newtype TSingleton = MkSingleton()
+
+  /**
+   * A taint-tracking configuration that matches sources and sinks in the same
+   * way as the `tainted` predicate.
+   *
+   * Override `isSink` and `taintThroughGlobals` as needed, but do not provide
+   * a characteristic predicate.
+   */
+  class TaintTrackingConfiguration extends TSingleton {
+    /** Override this to specify which elements are sources in this configuration. */
+    predicate isSource(Expr source) { exists(getNodeForSource(source)) }
+
+    /** Override this to specify which elements are sinks in this configuration. */
+    abstract predicate isSink(Element e);
+
+    /** Override this to specify which expressions are barriers in this configuration. */
+    predicate isBarrier(Expr e) { nodeIsBarrier(getNodeForExpr(e)) }
+
+    /**
+     * Override this predicate to `any()` to allow taint to flow through global
+     * variables.
+     */
+    predicate taintThroughGlobals() { none() }
+
+    /** Gets a textual representation of this element. */
+    string toString() { result = "TaintTrackingConfiguration" }
+  }
+
+  private module AdjustedConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) {
+      exists(TaintTrackingConfiguration cfg, Expr e |
+        cfg.isSource(e) and source = getNodeForExpr(e)
+      )
+    }
+
+    predicate isSink(DataFlow::Node sink) {
+      exists(TaintTrackingConfiguration cfg | cfg.isSink(adjustedSink(sink)))
+    }
+
+    predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
+      conflatePointerAndPointee(n1, n2)
+      or
+      // Steps into and out of global variables
+      exists(TaintTrackingConfiguration cfg | cfg.taintThroughGlobals() |
+        writesVariable(n1.asInstruction(), n2.asVariable().(GlobalOrNamespaceVariable))
+        or
+        readsVariable(n2.asInstruction(), n1.asVariable().(GlobalOrNamespaceVariable))
+      )
+      or
+      additionalTaintStep(n1, n2)
+    }
+
+    predicate isBarrier(DataFlow::Node node) {
+      exists(TaintTrackingConfiguration cfg, Expr e | cfg.isBarrier(e) and node = getNodeForExpr(e))
+    }
+
+    predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
+
+    predicate neverSkip(Node node) { none() }
+  }
+
+  private module AdjustedFlow = TaintTracking::Global<AdjustedConfig>;
+
+  /*
+   * A sink `Element` may map to multiple `DataFlowX::PathNode`s via (the
+   * inverse of) `adjustedSink`. For example, an `Expr` maps to all its
+   * conversions, and a `Variable` maps to all loads and stores from it. Because
+   * the path node is part of the tuple that constitutes the alert, this leads
+   * to duplicate alerts.
+   *
+   * To avoid showing duplicates, we edit the graph to replace the final node
+   * coming from the data-flow library with a node that matches exactly the
+   * `Element` sink that's requested.
+   *
+   * The same is done for sources.
+   */
+
+  private newtype TPathNode =
+    TWrapPathNode(AdjustedFlow::PathNode n) or
+    // There's a single newtype constructor for both sources and sinks since
+    // that makes it easiest to deal with the case where source = sink.
+    TEndpointPathNode(Element e) {
+      exists(DataFlow::Node sourceNode, DataFlow::Node sinkNode |
+        AdjustedFlow::flow(sourceNode, sinkNode)
+      |
+        sourceNode = getNodeForExpr(e) and
+        exists(TaintTrackingConfiguration ttCfg | ttCfg.isSource(e))
+        or
+        e = adjustedSink(sinkNode) and
+        exists(TaintTrackingConfiguration ttCfg | ttCfg.isSink(e))
+      )
+    }
+
+  /** An opaque type used for the nodes of a data-flow path. */
+  class PathNode extends TPathNode {
+    /** Gets a textual representation of this element. */
+    string toString() { none() }
+
+    /**
+     * Holds if this element is at the specified location.
+     * The location spans column `startcolumn` of line `startline` to
+     * column `endcolumn` of line `endline` in file `filepath`.
+     * For more information, see
+     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+     */
+    predicate hasLocationInfo(
+      string filepath, int startline, int startcolumn, int endline, int endcolumn
+    ) {
+      none()
+    }
+  }
+
+  /**
+   * INTERNAL: Do not use.
+   */
+  module Private {
+    /** Gets a predecessor `PathNode` of `pathNode`, if any. */
+    PathNode getAPredecessor(PathNode pathNode) { edges(result, pathNode) }
+
+    /** Gets the element that `pathNode` wraps, if any. */
+    Element getElementFromPathNode(PathNode pathNode) {
+      exists(DataFlow::Node node | node = pathNode.(WrapPathNode).inner().getNode() |
+        result = node.asInstruction().getAst()
+        or
+        result = node.asOperand().getDef().getAst()
+      )
+      or
+      result = pathNode.(EndpointPathNode).inner()
+    }
+  }
+
+  private class WrapPathNode extends PathNode, TWrapPathNode {
+    AdjustedFlow::PathNode inner() { this = TWrapPathNode(result) }
+
+    override string toString() { result = this.inner().toString() }
+
+    override predicate hasLocationInfo(
+      string filepath, int startline, int startcolumn, int endline, int endcolumn
+    ) {
+      this.inner().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+    }
+  }
+
+  private class EndpointPathNode extends PathNode, TEndpointPathNode {
+    Expr inner() { this = TEndpointPathNode(result) }
+
+    override string toString() { result = this.inner().toString() }
+
+    override predicate hasLocationInfo(
+      string filepath, int startline, int startcolumn, int endline, int endcolumn
+    ) {
+      this.inner()
+          .getLocation()
+          .hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+    }
+  }
+
+  /** A PathNode whose `Element` is a source. It may also be a sink. */
+  private class InitialPathNode extends EndpointPathNode {
+    InitialPathNode() { exists(TaintTrackingConfiguration cfg | cfg.isSource(this.inner())) }
+  }
+
+  /** A PathNode whose `Element` is a sink. It may also be a source. */
+  private class FinalPathNode extends EndpointPathNode {
+    FinalPathNode() { exists(TaintTrackingConfiguration cfg | cfg.isSink(this.inner())) }
+  }
+
+  /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
+  query predicate edges(PathNode a, PathNode b) {
+    AdjustedFlow::PathGraph::edges(a.(WrapPathNode).inner(), b.(WrapPathNode).inner())
+    or
+    // To avoid showing trivial-looking steps, we _replace_ the last node instead
+    // of adding an edge out of it.
+    exists(WrapPathNode sinkNode |
+      AdjustedFlow::PathGraph::edges(a.(WrapPathNode).inner(), sinkNode.inner()) and
+      b.(FinalPathNode).inner() = adjustedSink(sinkNode.inner().getNode())
+    )
+    or
+    // Same for the first node
+    exists(WrapPathNode sourceNode |
+      AdjustedFlow::PathGraph::edges(sourceNode.inner(), b.(WrapPathNode).inner()) and
+      sourceNode.inner().getNode() = getNodeForExpr(a.(InitialPathNode).inner())
+    )
+    or
+    // Finally, handle the case where the path goes directly from a source to a
+    // sink, meaning that they both need to be translated.
+    exists(WrapPathNode sinkNode, WrapPathNode sourceNode |
+      AdjustedFlow::PathGraph::edges(sourceNode.inner(), sinkNode.inner()) and
+      sourceNode.inner().getNode() = getNodeForExpr(a.(InitialPathNode).inner()) and
+      b.(FinalPathNode).inner() = adjustedSink(sinkNode.inner().getNode())
+    )
+  }
+
+  /**
+   * Holds if there is flow from `arg` to `out` across a call that can by summarized by the flow
+   * from `par` to `ret` within it, in the graph of data flow path explanations.
+   */
+  query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
+    AdjustedFlow::PathGraph::subpaths(arg.(WrapPathNode).inner(), par.(WrapPathNode).inner(),
+      ret.(WrapPathNode).inner(), out.(WrapPathNode).inner())
+    or
+    // To avoid showing trivial-looking steps, we _replace_ the last node instead
+    // of adding an edge out of it.
+    exists(WrapPathNode sinkNode |
+      AdjustedFlow::PathGraph::subpaths(arg.(WrapPathNode).inner(), par.(WrapPathNode).inner(),
+        ret.(WrapPathNode).inner(), sinkNode.inner()) and
+      out.(FinalPathNode).inner() = adjustedSink(sinkNode.inner().getNode())
+    )
+    or
+    // Same for the first node
+    exists(WrapPathNode sourceNode |
+      AdjustedFlow::PathGraph::subpaths(sourceNode.inner(), par.(WrapPathNode).inner(),
+        ret.(WrapPathNode).inner(), out.(WrapPathNode).inner()) and
+      sourceNode.inner().getNode() = getNodeForExpr(arg.(InitialPathNode).inner())
+    )
+    or
+    // Finally, handle the case where the path goes directly from a source to a
+    // sink, meaning that they both need to be translated.
+    exists(WrapPathNode sinkNode, WrapPathNode sourceNode |
+      AdjustedFlow::PathGraph::subpaths(sourceNode.inner(), par.(WrapPathNode).inner(),
+        ret.(WrapPathNode).inner(), sinkNode.inner()) and
+      sourceNode.inner().getNode() = getNodeForExpr(arg.(InitialPathNode).inner()) and
+      out.(FinalPathNode).inner() = adjustedSink(sinkNode.inner().getNode())
+    )
+  }
+
+  /** Holds if `n` is a node in the graph of data flow path explanations. */
+  query predicate nodes(PathNode n, string key, string val) {
+    key = "semmle.label" and val = n.toString()
+  }
+
+  /**
+   * Holds if `tainted` may contain taint from `source`, where `sourceNode` and
+   * `sinkNode` are the corresponding `PathNode`s that can be used in a query
+   * to provide path explanations. Extend `TaintTrackingConfiguration` to use
+   * this predicate.
+   *
+   * A tainted expression is either directly user input, or is computed from
+   * user input in a way that users can probably control the exact output of
+   * the computation.
+   */
+  predicate taintedWithPath(Expr source, Element tainted, PathNode sourceNode, PathNode sinkNode) {
+    exists(DataFlow::Node flowSource, DataFlow::Node flowSink |
+      source = sourceNode.(InitialPathNode).inner() and
+      flowSource = getNodeForExpr(source) and
+      AdjustedFlow::flow(flowSource, flowSink) and
+      tainted = adjustedSink(flowSink) and
+      tainted = sinkNode.(FinalPathNode).inner()
+    )
+  }
+
+  private predicate isGlobalVariablePathNode(WrapPathNode n) {
+    n.inner().getNode().asVariable() instanceof GlobalOrNamespaceVariable
+    or
+    n.inner().getNode().asIndirectVariable() instanceof GlobalOrNamespaceVariable
+  }
+
+  private predicate edgesWithoutGlobals(PathNode a, PathNode b) {
+    edges(a, b) and
+    not isGlobalVariablePathNode(a) and
+    not isGlobalVariablePathNode(b)
+  }
+
+  /**
+   * Holds if `tainted` can be reached from a taint source without passing
+   * through a global variable.
+   */
+  predicate taintedWithoutGlobals(Element tainted) {
+    exists(PathNode sourceNode, FinalPathNode sinkNode |
+      AdjustedConfig::isSource(sourceNode.(WrapPathNode).inner().getNode()) and
+      edgesWithoutGlobals+(sourceNode, sinkNode) and
+      tainted = sinkNode.inner()
+    )
+  }
+}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/Node0ToString.qll

@@ -1,53 +0,0 @@
-/**
- * This file imports the class that is used to construct the strings used by
- * `Node.ToString`.
- *
- * Normally, this file should just import `NormalNode0ToString` to compute the
- * efficient `toString`, but for debugging purposes one can import
- * `DebugPrinting.qll` to better correlate the dataflow nodes with their
- * underlying instructions and operands.
- */
-
-private import semmle.code.cpp.ir.IR
-private import codeql.util.Unit
-private import DataFlowUtil
-import NormalNode0ToString // Change this import to control which version should be used.
-
-/** An abstract class to control the behavior of `Node.toString`. */
-abstract class Node0ToString extends Unit {
-  /**
-   * Gets the string that should be used by `OperandNode.toString` to print the
-   * dataflow node whose underlying operand is `op.`
-   */
-  abstract string operandToString(Operand op);
-
-  /**
-   * Gets the string that should be used by `InstructionNode.toString` to print
-   * the dataflow node whose underlying instruction is `instr`.
-   */
-  abstract string instructionToString(Instruction i);
-
-  /**
-   * Gets the string representation of the `Expr` associated with `n`, if any.
-   */
-  abstract string toExprString(Node n);
-}
-
-/**
- * Gets the string that should be used by `OperandNode.toString` to print the
- * dataflow node whose underlying operand is `op.`
- */
-string operandToString(Operand op) { result = any(Node0ToString s).operandToString(op) }
-
-/**
- * Gets the string that should be used by `InstructionNode.toString` to print
- * the dataflow node whose underlying instruction is `instr`.
- */
-string instructionToString(Instruction instr) {
-  result = any(Node0ToString s).instructionToString(instr)
-}
-
-/**
- * Gets the string representation of the `Expr` associated with `n`, if any.
- */
-string toExprString(Node n) { result = any(Node0ToString s).toExprString(n) }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/NormalNode0ToString.qll

@@ -1,36 +0,0 @@
-/**
- * This file contains the class that implements the non-debug version of
- * `toString` for `Instruction` and `Operand` dataflow nodes.
- */
-
-private import semmle.code.cpp.ir.IR
-private import codeql.util.Unit
-private import Node0ToString
-private import DataFlowUtil
-private import DataFlowPrivate
-
-private class NormalNode0ToString extends Node0ToString {
-  NormalNode0ToString() {
-    // Silence warning about `this` not being bound.
-    exists(this)
-  }
-
-  override string instructionToString(Instruction i) {
-    if i.(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable
-    then result = "this"
-    else result = i.getAst().toString()
-  }
-
-  override string operandToString(Operand op) {
-    if op.getDef().(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable
-    then result = "this"
-    else result = op.getDef().getAst().toString()
-  }
-
-  override string toExprString(Node n) {
-    result = n.asExpr(0).toString()
-    or
-    not exists(n.asExpr()) and
-    result = stars(n) + n.asIndirectExpr(0, 1).toString()
-  }
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintDataFlowRelevantIR.qll

@@ -1,12 +0,0 @@
-private import cpp
-private import semmle.code.cpp.ir.IR
-private import SsaInternals as Ssa
-
-/**
- * A property provider that hides all instructions and operands that are not relevant for IR dataflow.
- */
-class DataFlowRelevantIRPropertyProvider extends IRPropertyProvider {
-  override predicate shouldPrintOperand(Operand operand) { not Ssa::ignoreOperand(operand) }
-
-  override predicate shouldPrintInstruction(Instruction instr) { not Ssa::ignoreInstruction(instr) }
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRLocalFlow.qll

@@ -1,7 +1,6 @@
 private import cpp
 private import semmle.code.cpp.ir.IR
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
 private import SsaInternals as Ssa
 private import PrintIRUtilities
 
@@ -34,9 +33,9 @@ private string getNodeProperty(Node node, string key) {
   key = "flow" and
   result =
     strictconcat(string flow, boolean to, int order1, int order2 |
-      flow = getFromFlow(node, order1, order2) + "->" + stars(node) + "@" and to = false
+      flow = getFromFlow(node, order1, order2) + "->" + starsForNode(node) + "@" and to = false
       or
-      flow = stars(node) + "@->" + getToFlow(node, order1, order2) and to = true
+      flow = starsForNode(node) + "@->" + getToFlow(node, order1, order2) and to = true
     |
       flow, ", " order by to, order1, order2, flow
     )
@@ -60,4 +59,8 @@ class LocalFlowPropertyProvider extends IRPropertyProvider {
       result = getNodeProperty(node, key)
     )
   }
+
+  override predicate shouldPrintOperand(Operand operand) { not Ssa::ignoreOperand(operand) }
+
+  override predicate shouldPrintInstruction(Instruction instr) { not Ssa::ignoreInstruction(instr) }
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRUtilities.qll

@@ -7,14 +7,37 @@ private import semmle.code.cpp.ir.IR
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
 
+private string stars(int k) {
+  k =
+    [0 .. max([
+            any(RawIndirectInstruction n).getIndirectionIndex(),
+            any(RawIndirectOperand n).getIndirectionIndex()
+          ]
+      )] and
+  (if k = 0 then result = "" else result = "*" + stars(k - 1))
+}
+
+string starsForNode(Node node) {
+  exists(int indirectionIndex |
+    node.(IndirectInstruction).hasInstructionAndIndirectionIndex(_, indirectionIndex) or
+    node.(IndirectOperand).hasOperandAndIndirectionIndex(_, indirectionIndex)
+  |
+    result = stars(indirectionIndex)
+  )
+  or
+  not node instanceof IndirectInstruction and
+  not node instanceof IndirectOperand and
+  result = ""
+}
+
 private Instruction getInstruction(Node n, string stars) {
   result = [n.asInstruction(), n.(RawIndirectInstruction).getInstruction()] and
-  stars = stars(n)
+  stars = starsForNode(n)
 }
 
 private Operand getOperand(Node n, string stars) {
   result = [n.asOperand(), n.(RawIndirectOperand).getOperand()] and
-  stars = stars(n)
+  stars = starsForNode(n)
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -16,15 +16,6 @@ private module SourceVariables {
       ind = [0 .. countIndirectionsForCppType(base.getLanguageType()) + 1]
     }
 
-  private int maxNumberOfIndirections() { result = max(SourceVariable sv | | sv.getIndirection()) }
-
-  private string repeatStars(int n) {
-    n = 0 and result = ""
-    or
-    n = [1 .. maxNumberOfIndirections()] and
-    result = "*" + repeatStars(n - 1)
-  }
-
   class SourceVariable extends TSourceVariable {
     SsaInternals0::SourceVariable base;
     int ind;
@@ -41,7 +32,13 @@ private module SourceVariables {
     SsaInternals0::SourceVariable getBaseVariable() { result = base }
 
     /** Gets a textual representation of this element. */
-    string toString() { result = repeatStars(this.getIndirection()) + base.toString() }
+    string toString() {
+      ind = 0 and
+      result = this.getBaseVariable().toString()
+      or
+      ind > 0 and
+      result = this.getBaseVariable().toString() + " indirection"
+    }
 
     /**
      * Gets the number of loads performed on the base source variable
@@ -149,16 +146,11 @@ private newtype TDefOrUseImpl =
 private predicate isGlobalUse(
   GlobalLikeVariable v, IRFunction f, int indirection, int indirectionIndex
 ) {
-  // Generate a "global use" at the end of the function body if there's a
-  // direct definition somewhere in the body of the function
-  indirection =
-    min(int cand, VariableAddressInstruction vai |
-      vai.getEnclosingIRFunction() = f and
-      vai.getAstVariable() = v and
-      isDef(_, _, _, vai, cand, indirectionIndex)
-    |
-      cand
-    )
+  exists(VariableAddressInstruction vai |
+    vai.getEnclosingIRFunction() = f and
+    vai.getAstVariable() = v and
+    isDef(_, _, _, vai, indirection, indirectionIndex)
+  )
 }
 
 private predicate isGlobalDefImpl(
@@ -452,57 +444,6 @@ class FinalParameterUse extends UseImpl, TFinalParameterUse {
   }
 }
 
-/**
- * A use that models a synthetic "last use" of a global variable just before a
- * function returns.
- *
- * We model global variable flow by:
- * - Inserting a last use of any global variable that's modified by a function
- * - Flowing from the last use to the `VariableNode` that represents the global
- *   variable.
- * - Flowing from the `VariableNode` to an "initial def" of the global variable
- * in any function that may read the global variable.
- * - Flowing from the initial definition to any subsequent uses of the global
- *   variable in the function body.
- *
- * For example, consider the following pair of functions:
- * ```cpp
- * int global;
- * int source();
- * void sink(int);
- *
- * void set_global() {
- *   global = source();
- * }
- *
- * void read_global() {
- *  sink(global);
- * }
- * ```
- * we insert global uses and defs so that (from the point-of-view of dataflow)
- * the above scenario looks like:
- * ```cpp
- * int global; // (1)
- * int source();
- * void sink(int);
- *
- * void set_global() {
- *   global = source();
- *   __global_use(global); // (2)
- * }
- *
- * void read_global() {
- *  global = __global_def; // (3)
- *  sink(global); // (4)
- * }
- * ```
- * and flow from `source()` to the argument of `sink` is then modeled as
- * follows:
- * 1. Flow from `source()` to `(2)` (via SSA).
- * 2. Flow from `(2)` to `(1)` (via a `jumpStep`).
- * 3. Flow from `(1)` to `(3)` (via a `jumpStep`).
- * 4. Flow from `(3)` to `(4)` (via SSA).
- */
 class GlobalUse extends UseImpl, TGlobalUse {
   GlobalLikeVariable global;
   IRFunction f;
@@ -550,12 +491,6 @@ class GlobalUse extends UseImpl, TGlobalUse {
   override BaseSourceVariableInstruction getBase() { none() }
 }
 
-/**
- * A definition that models a synthetic "initial definition" of a global
- * variable just after the function entry point.
- *
- * See the QLDoc for `GlobalUse` for how this is used.
- */
 class GlobalDefImpl extends DefOrUseImpl, TGlobalDefImpl {
   GlobalLikeVariable global;
   IRFunction f;
@@ -609,10 +544,7 @@ class GlobalDefImpl extends DefOrUseImpl, TGlobalDefImpl {
  */
 predicate adjacentDefRead(DefOrUse defOrUse1, UseOrPhi use) {
   exists(IRBlock bb1, int i1, SourceVariable v |
-    defOrUse1
-        .asDefOrUse()
-        .hasIndexInBlock(pragma[only_bind_out](bb1), pragma[only_bind_out](i1),
-          pragma[only_bind_out](v))
+    defOrUse1.asDefOrUse().hasIndexInBlock(bb1, i1, v)
   |
     exists(IRBlock bb2, int i2, DefinitionExt def |
       adjacentDefReadExt(pragma[only_bind_into](def), pragma[only_bind_into](bb1),
@@ -634,11 +566,7 @@ predicate adjacentDefRead(DefOrUse defOrUse1, UseOrPhi use) {
  * flows to `useOrPhi`.
  */
 private predicate globalDefToUse(GlobalDef globalDef, UseOrPhi useOrPhi) {
-  exists(IRBlock bb1, int i1, SourceVariable v |
-    globalDef
-        .hasIndexInBlock(pragma[only_bind_out](bb1), pragma[only_bind_out](i1),
-          pragma[only_bind_out](v))
-  |
+  exists(IRBlock bb1, int i1, SourceVariable v | globalDef.hasIndexInBlock(bb1, i1, v) |
     exists(IRBlock bb2, int i2 |
       adjacentDefReadExt(_, pragma[only_bind_into](bb1), pragma[only_bind_into](i1),
         pragma[only_bind_into](bb2), pragma[only_bind_into](i2)) and

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll

@@ -417,42 +417,60 @@ class BaseCallVariable extends AbstractBaseSourceVariable, TBaseCallVariable {
   override CppType getLanguageType() { result = getResultLanguageType(call) }
 }
 
-private module IsModifiableAtImpl {
-  pragma[nomagic]
-  private predicate isUnderlyingIndirectionType(Type t) {
-    t = any(Indirection ind).getUnderlyingType()
-  }
+/**
+ * Holds if the value pointed to by `operand` can potentially be
+ * modified be the caller.
+ */
+predicate isModifiableByCall(ArgumentOperand operand, int indirectionIndex) {
+  exists(CallInstruction call, int index, CppType type |
+    indirectionIndex = [1 .. countIndirectionsForCppType(type)] and
+    type = getLanguageType(operand) and
+    call.getArgumentOperand(index) = operand and
+    if index = -1
+    then
+      // A qualifier is "modifiable" if:
+      // 1. the member function is not const specified, or
+      // 2. the member function is `const` specified, but returns a pointer or reference
+      // type that is non-const.
+      //
+      // To see why this is necessary, consider the following function:
+      // ```
+      // struct C {
+      //   void* data_;
+      //   void* data() const { return data; }
+      // };
+      // ...
+      // C c;
+      // memcpy(c.data(), source, 16)
+      // ```
+      // the data pointed to by `c.data_` is potentially modified by the call to `memcpy` even though
+      // `C::data` has a const specifier. So we further place the restriction that the type returned
+      // by `call` should not be of the form `const T*` (for some deeply const type `T`).
+      if call.getStaticCallTarget() instanceof Cpp::ConstMemberFunction
+      then
+        exists(PointerOrArrayOrReferenceType resultType |
+          resultType = call.getResultType() and
+          not resultType.isDeeplyConstBelow()
+        )
+      else any()
+    else
+      // An argument is modifiable if it's a non-const pointer or reference type.
+      isModifiableAt(type, indirectionIndex)
+  )
+}
 
-  /**
-   * Holds if the `indirectionIndex`'th dereference of a value of type
-   * `cppType` is a type that can be modified (either by modifying the value
-   * itself or one of its fields if it's a class type).
-   *
-   * For example, a value of type `const int* const` cannot be modified
-   * at any indirection index (because it's a constant pointer to constant
-   * data), and a value of type `int *const *` is modifiable at indirection index
-   * 2 only.
-   *
-   * A value of type `const S2* s2` where `s2` is
-   * ```cpp
-   * struct S { int x; }
-   * ```
-   * can be modified at indirection index 1. This is to ensure that we generate
-   * a `PostUpdateNode` for the argument corresponding to the `s2` parameter in
-   * an example such as:
-   * ```cpp
-   * void set_field(const S2* s2)
-   * {
-   *  s2->s->x = 42;
-   * }
-   * ```
-   */
-  bindingset[cppType, indirectionIndex]
-  pragma[inline_late]
-  private predicate impl(CppType cppType, int indirectionIndex) {
-    exists(Type pointerType, Type base |
-      isUnderlyingIndirectionType(pointerType) and
-      cppType.hasUnderlyingType(pointerType, _) and
+/**
+ * Holds if `t` is a pointer or reference type that supports at least `indirectionIndex` number
+ * of indirections, and the `indirectionIndex` indirection cannot be modfiied by passing a
+ * value of `t` to a function.
+ */
+private predicate isModifiableAtImpl(CppType cppType, int indirectionIndex) {
+  indirectionIndex = [1 .. countIndirectionsForCppType(cppType)] and
+  (
+    exists(Type pointerType, Type base, Type t |
+      pointerType = t.getUnderlyingType() and
+      pointerType = any(Indirection ind).getUnderlyingType() and
+      cppType.hasType(t, _) and
       base = getTypeImpl(pointerType, indirectionIndex)
     |
       // The value cannot be modified if it has a const specifier,
@@ -462,114 +480,28 @@ private module IsModifiableAtImpl {
       // one of the members was modified.
       exists(base.stripType().(Cpp::Class).getAField())
     )
-  }
-
-  /**
-   * Holds if `cppType` is modifiable with an indirection index of at least 1.
-   *
-   * This predicate factored out into a separate predicate for two reasons:
-   * - This predicate needs to be recursive because, if a type is modifiable
-   * at indirection `i`, then it's also modifiable at indirection index `i+1`
-   * (because the pointer could be completely re-assigned at indirection `i`).
-   * - We special-case indirection index `0` so that pointer arguments that can
-   * be modified at some index always have a `PostUpdateNode` at indiretion
-   * index 0 even though the 0'th indirection can never be modified by a
-   * callee.
-   */
-  private predicate isModifiableAtImplAtLeast1(CppType cppType, int indirectionIndex) {
-    indirectionIndex = [1 .. countIndirectionsForCppType(cppType)] and
-    (
-      impl(cppType, indirectionIndex)
-      or
-      // If the `indirectionIndex`'th dereference of a type can be modified
-      // then so can the  `indirectionIndex + 1`'th dereference.
-      isModifiableAtImplAtLeast1(cppType, indirectionIndex - 1)
-    )
-  }
-
-  /**
-   * Holds if `cppType` is modifiable at indirection index 0.
-   *
-   * In reality, the 0'th indirection of a pointer (i.e., the pointer itself)
-   * can never be modified by a callee, but it is sometimes useful to be able
-   * to specify the value of the pointer, as its coming out of a function, as
-   * a source of dataflow since the shared library's reverse-read mechanism
-   * then ensures that field-flow is accounted for.
-   */
-  private predicate isModifiableAtImplAt0(CppType cppType) { impl(cppType, 0) }
-
-  /**
-   * Holds if `t` is a pointer or reference type that supports at least
-   * `indirectionIndex` number of indirections, and the `indirectionIndex`
-   * indirection cannot be modfiied by passing a value of `t` to a function.
-   */
-  private predicate isModifiableAtImpl(CppType cppType, int indirectionIndex) {
-    isModifiableAtImplAtLeast1(cppType, indirectionIndex)
     or
-    indirectionIndex = 0 and
-    isModifiableAtImplAt0(cppType)
-  }
-
-  /**
-   * Holds if `t` is a type with at least `indirectionIndex` number of
-   * indirections, and the `indirectionIndex` indirection can be modified by
-   * passing a value of type `t` to a function function.
-   */
-  bindingset[indirectionIndex]
-  predicate isModifiableAt(CppType cppType, int indirectionIndex) {
-    isModifiableAtImpl(cppType, indirectionIndex)
-    or
-    exists(PointerWrapper pw, Type t |
-      cppType.hasType(t, _) and
-      t.stripType() = pw and
-      not pw.pointsToConst()
-    )
-  }
-
-  /**
-   * Holds if the value pointed to by `operand` can potentially be
-   * modified be the caller.
-   */
-  predicate isModifiableByCall(ArgumentOperand operand, int indirectionIndex) {
-    exists(CallInstruction call, int index, CppType type |
-      indirectionIndex = [0 .. countIndirectionsForCppType(type)] and
-      type = getLanguageType(operand) and
-      call.getArgumentOperand(index) = operand and
-      if index = -1
-      then
-        // A qualifier is "modifiable" if:
-        // 1. the member function is not const specified, or
-        // 2. the member function is `const` specified, but returns a pointer or reference
-        // type that is non-const.
-        //
-        // To see why this is necessary, consider the following function:
-        // ```
-        // struct C {
-        //   void* data_;
-        //   void* data() const { return data; }
-        // };
-        // ...
-        // C c;
-        // memcpy(c.data(), source, 16)
-        // ```
-        // the data pointed to by `c.data_` is potentially modified by the call to `memcpy` even though
-        // `C::data` has a const specifier. So we further place the restriction that the type returned
-        // by `call` should not be of the form `const T*` (for some deeply const type `T`).
-        if call.getStaticCallTarget() instanceof Cpp::ConstMemberFunction
-        then
-          exists(PointerOrArrayOrReferenceType resultType |
-            resultType = call.getResultType() and
-            not resultType.isDeeplyConstBelow()
-          )
-        else any()
-      else
-        // An argument is modifiable if it's a non-const pointer or reference type.
-        isModifiableAt(type, indirectionIndex)
-    )
-  }
+    // If the `indirectionIndex`'th dereference of a type can be modified
+    // then so can the  `indirectionIndex + 1`'th dereference.
+    isModifiableAtImpl(cppType, indirectionIndex - 1)
+  )
 }
 
-import IsModifiableAtImpl
+/**
+ * Holds if `t` is a type with at least `indirectionIndex` number of indirections,
+ * and the `indirectionIndex` indirection can be modified by passing a value of
+ * type `t` to a function function.
+ */
+bindingset[indirectionIndex]
+predicate isModifiableAt(CppType cppType, int indirectionIndex) {
+  isModifiableAtImpl(cppType, indirectionIndex)
+  or
+  exists(PointerWrapper pw, Type t |
+    cppType.hasType(t, _) and
+    t.stripType() = pw and
+    not pw.pointsToConst()
+  )
+}
 
 abstract class BaseSourceVariableInstruction extends Instruction {
   /** Gets the base source variable accessed by this instruction. */

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll

@@ -1,6 +1,4 @@
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
  * Provides an implementation of global (interprocedural) taint tracking.
  * This file re-exports the local (intraprocedural) taint-tracking analysis
  * from `TaintTrackingParameter::Public` and adds a global analysis, mainly
@@ -14,8 +12,6 @@ import TaintTrackingParameter::Public
 private import TaintTrackingParameter::Private
 
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
  * A configuration of interprocedural taint tracking analysis. This defines
  * sources, sinks, and any other configurable aspect of the analysis. Each
  * use of the taint tracking library must define its own unique extension of
@@ -55,7 +51,7 @@ private import TaintTrackingParameter::Private
  * Instead, the dependency should go to a `TaintTracking2::Configuration` or a
  * `DataFlow2::Configuration`, `DataFlow3::Configuration`, etc.
  */
-abstract deprecated class Configuration extends DataFlow::Configuration {
+abstract class Configuration extends DataFlow::Configuration {
   bindingset[this]
   Configuration() { any() }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll

@@ -1,6 +1,4 @@
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
  * Provides an implementation of global (interprocedural) taint tracking.
  * This file re-exports the local (intraprocedural) taint-tracking analysis
  * from `TaintTrackingParameter::Public` and adds a global analysis, mainly
@@ -14,8 +12,6 @@ import TaintTrackingParameter::Public
 private import TaintTrackingParameter::Private
 
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
  * A configuration of interprocedural taint tracking analysis. This defines
  * sources, sinks, and any other configurable aspect of the analysis. Each
  * use of the taint tracking library must define its own unique extension of
@@ -55,7 +51,7 @@ private import TaintTrackingParameter::Private
  * Instead, the dependency should go to a `TaintTracking2::Configuration` or a
  * `DataFlow2::Configuration`, `DataFlow3::Configuration`, etc.
  */
-abstract deprecated class Configuration extends DataFlow::Configuration {
+abstract class Configuration extends DataFlow::Configuration {
   bindingset[this]
   Configuration() { any() }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll

@@ -1,6 +1,4 @@
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
  * Provides an implementation of global (interprocedural) taint tracking.
  * This file re-exports the local (intraprocedural) taint-tracking analysis
  * from `TaintTrackingParameter::Public` and adds a global analysis, mainly
@@ -14,8 +12,6 @@ import TaintTrackingParameter::Public
 private import TaintTrackingParameter::Private
 
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
  * A configuration of interprocedural taint tracking analysis. This defines
  * sources, sinks, and any other configurable aspect of the analysis. Each
  * use of the taint tracking library must define its own unique extension of
@@ -55,7 +51,7 @@ private import TaintTrackingParameter::Private
  * Instead, the dependency should go to a `TaintTracking2::Configuration` or a
  * `DataFlow2::Configuration`, `DataFlow3::Configuration`, etc.
  */
-abstract deprecated class Configuration extends DataFlow::Configuration {
+abstract class Configuration extends DataFlow::Configuration {
   bindingset[this]
   Configuration() { any() }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll

@@ -1068,3 +1068,6 @@ module Ssa {
 
   predicate hasUnreachedInstruction = Cached::hasUnreachedInstructionCached/1;
 }
+
+/** DEPRECATED: Alias for Ssa */
+deprecated module SSA = Ssa;

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstructionInternal.qll

@@ -3,6 +3,13 @@ import semmle.code.cpp.ir.implementation.unaliased_ssa.internal.reachability.Rea
 import semmle.code.cpp.ir.implementation.unaliased_ssa.internal.reachability.Dominance as Dominance
 import semmle.code.cpp.ir.implementation.aliased_ssa.IR as NewIR
 import semmle.code.cpp.ir.implementation.internal.TInstruction::AliasedSsaInstructions as SsaInstructions
+
+/** DEPRECATED: Alias for SsaInstructions */
+deprecated module SSAInstructions = SsaInstructions;
+
 import semmle.code.cpp.ir.internal.IRCppLanguage as Language
 import AliasedSSA as Alias
 import semmle.code.cpp.ir.implementation.internal.TOperand::AliasedSsaOperands as SsaOperands
+
+/** DEPRECATED: Alias for SsaOperands */
+deprecated module SSAOperands = SsaOperands;

cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TInstructionInternal.qll

@@ -2,3 +2,6 @@ import semmle.code.cpp.ir.internal.IRCppLanguage as Language
 import semmle.code.cpp.ir.implementation.raw.internal.IRConstruction as IRConstruction
 import semmle.code.cpp.ir.implementation.unaliased_ssa.internal.SSAConstruction as UnaliasedSsa
 import semmle.code.cpp.ir.implementation.aliased_ssa.internal.SSAConstruction as AliasedSsa
+
+/** DEPRECATED: Alias for AliasedSsa */
+deprecated module AliasedSSA = AliasedSsa;

cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TOperand.qll

@@ -23,8 +23,9 @@ private module Internal {
   newtype TOperand =
     // RAW
     TRegisterOperand(TRawInstruction useInstr, RegisterOperandTag tag, TRawInstruction defInstr) {
-      defInstr = unique( | | RawConstruction::getRegisterOperandDefinition(useInstr, tag)) and
-      not RawConstruction::isInCycle(useInstr)
+      defInstr = RawConstruction::getRegisterOperandDefinition(useInstr, tag) and
+      not RawConstruction::isInCycle(useInstr) and
+      strictcount(RawConstruction::getRegisterOperandDefinition(useInstr, tag)) = 1
     } or
     // Placeholder for Phi and Chi operands in stages that don't have the corresponding instructions
     TNoOperand() { none() } or

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll

@@ -1068,3 +1068,6 @@ module Ssa {
 
   predicate hasUnreachedInstruction = Cached::hasUnreachedInstructionCached/1;
 }
+
+/** DEPRECATED: Alias for Ssa */
+deprecated module SSA = Ssa;

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstructionInternal.qll

@@ -4,6 +4,13 @@ import semmle.code.cpp.ir.implementation.raw.internal.reachability.Dominance as
 import semmle.code.cpp.ir.implementation.unaliased_ssa.IR as NewIR
 import semmle.code.cpp.ir.implementation.raw.internal.IRConstruction as RawStage
 import semmle.code.cpp.ir.implementation.internal.TInstruction::UnaliasedSsaInstructions as SsaInstructions
+
+/** DEPRECATED: Alias for SsaInstructions */
+deprecated module SSAInstructions = SsaInstructions;
+
 import semmle.code.cpp.ir.internal.IRCppLanguage as Language
 import SimpleSSA as Alias
 import semmle.code.cpp.ir.implementation.internal.TOperand::UnaliasedSsaOperands as SsaOperands
+
+/** DEPRECATED: Alias for SsaOperands */
+deprecated module SSAOperands = SsaOperands;

cpp/ql/lib/semmle/code/cpp/ir/internal/CppType.qll

@@ -227,7 +227,7 @@ class CppType extends TCppType {
   predicate hasType(Type type, boolean isGLValue) { none() }
 
   /**
-   * Holds if this type represents the C++ unspecified type `type`. If `isGLValue` is `true`, then this type
+   * Holds if this type represents the C++ type `type`. If `isGLValue` is `true`, then this type
    * represents a glvalue of type `type`. Otherwise, it represents a prvalue of type `type`.
    */
   final predicate hasUnspecifiedType(Type type, boolean isGLValue) {
@@ -236,18 +236,6 @@ class CppType extends TCppType {
       type = specifiedType.getUnspecifiedType()
     )
   }
-
-  /**
-   * Holds if this type represents the C++ type `type` (after resolving
-   * typedefs). If `isGLValue` is `true`, then this type represents a glvalue
-   * of type `type`. Otherwise, it represents a prvalue of type `type`.
-   */
-  final predicate hasUnderlyingType(Type type, boolean isGLValue) {
-    exists(Type typedefType |
-      this.hasType(typedefType, isGLValue) and
-      type = typedefType.getUnderlyingType()
-    )
-  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/models/implementations/Deallocation.qll

@@ -27,12 +27,10 @@ private class StandardDeallocationFunction extends DeallocationFunction {
     or
     this.hasGlobalOrStdName([
         // --- Windows Memory Management for Windows Drivers
-        "ExFreePool", "ExFreePoolWithTag", "ExDeleteTimer", "IoFreeIrp", "IoFreeMdl",
-        "IoFreeErrorLogEntry", "IoFreeWorkItem", "MmFreeContiguousMemory",
-        "MmFreeContiguousMemorySpecifyCache", "MmFreeNonCachedMemory", "MmFreeMappingAddress",
-        "MmFreePagesFromMdl", "MmUnmapReservedMapping", "MmUnmapLockedPages",
-        "NdisFreeGenericObject", "NdisFreeMemory", "NdisFreeMemoryWithTag", "NdisFreeMdl",
-        "NdisFreeNetBufferListPool", "NdisFreeNetBufferPool",
+        "ExFreePoolWithTag", "ExDeleteTimer", "IoFreeMdl", "IoFreeWorkItem", "IoFreeErrorLogEntry",
+        "MmFreeContiguousMemory", "MmFreeContiguousMemorySpecifyCache", "MmFreeNonCachedMemory",
+        "MmFreeMappingAddress", "MmFreePagesFromMdl", "MmUnmapReservedMapping",
+        "MmUnmapLockedPages",
         // --- Windows Global / Local legacy allocation
         "LocalFree", "GlobalFree", "LocalReAlloc", "GlobalReAlloc",
         // --- Windows System Services allocation
@@ -49,7 +47,6 @@ private class StandardDeallocationFunction extends DeallocationFunction {
     this.hasGlobalOrStdName([
         // --- Windows Memory Management for Windows Drivers
         "ExFreeToLookasideListEx", "ExFreeToPagedLookasideList", "ExFreeToNPagedLookasideList",
-        "NdisFreeMemoryWithTagPriority", "StorPortFreeMdl", "StorPortFreePool",
         // --- NetBSD pool manager
         "pool_put", "pool_cache_put"
       ]) and

cpp/ql/lib/semmle/code/cpp/models/implementations/StdContainer.qll

@@ -123,7 +123,7 @@ private class StdSequenceContainerData extends TaintFunction {
 /**
  * The standard container functions `push_back` and `push_front`.
  */
-class StdSequenceContainerPush extends MemberFunction {
+private class StdSequenceContainerPush extends TaintFunction {
   StdSequenceContainerPush() {
     this.getClassAndName("push_back") instanceof Vector or
     this.getClassAndName(["push_back", "push_front"]) instanceof Deque or
@@ -131,17 +131,6 @@ class StdSequenceContainerPush extends MemberFunction {
     this.getClassAndName(["push_back", "push_front"]) instanceof List
   }
 
-  /**
-   * Gets the index of a parameter to this function that is a reference to the
-   * value type of the container.
-   */
-  int getAValueTypeParameterIndex() {
-    this.getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
-      this.getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector<T>`
-  }
-}
-
-private class StdSequenceContainerPushModel extends StdSequenceContainerPush, TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from parameter to qualifier
     input.isParameterDeref(0) and
@@ -171,7 +160,7 @@ private class StdSequenceContainerFrontBack extends TaintFunction {
 /**
  * The standard container functions `insert` and `insert_after`.
  */
-class StdSequenceContainerInsert extends MemberFunction {
+private class StdSequenceContainerInsert extends TaintFunction {
   StdSequenceContainerInsert() {
     this.getClassAndName("insert") instanceof Deque or
     this.getClassAndName("insert") instanceof List or
@@ -192,9 +181,7 @@ class StdSequenceContainerInsert extends MemberFunction {
    * Gets the index of a parameter to this function that is an iterator.
    */
   int getAnIteratorParameterIndex() { this.getParameter(result).getType() instanceof Iterator }
-}
 
-private class StdSequenceContainerInsertModel extends StdSequenceContainerInsert, TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from parameter to container itself (qualifier) and return value
     (
@@ -266,28 +253,11 @@ private class StdSequenceContainerAt extends TaintFunction {
 }
 
 /**
- * The standard `emplace` function.
+ * The standard vector `emplace` function.
  */
-class StdSequenceEmplace extends MemberFunction {
-  StdSequenceEmplace() {
-    this.getClassAndName("emplace") instanceof Vector
-    or
-    this.getClassAndName("emplace") instanceof List
-    or
-    this.getClassAndName("emplace") instanceof Deque
-  }
+class StdVectorEmplace extends TaintFunction {
+  StdVectorEmplace() { this.getClassAndName("emplace") instanceof Vector }
 
-  /**
-   * Gets the index of a parameter to this function that is a reference to the
-   * value type of the container.
-   */
-  int getAValueTypeParameterIndex() {
-    this.getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
-      this.getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector<T>`
-  }
-}
-
-private class StdSequenceEmplaceModel extends StdSequenceEmplace, TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from any parameter except the position iterator to qualifier and return value
     // (here we assume taint flow from any constructor parameter to the constructed object)
@@ -299,36 +269,12 @@ private class StdSequenceEmplaceModel extends StdSequenceEmplace, TaintFunction
   }
 }
 
-/**
- * The standard vector `emplace` function.
- */
-class StdVectorEmplace extends StdSequenceEmplace {
-  StdVectorEmplace() { this.getDeclaringType() instanceof Vector }
-}
-
 /**
  * The standard vector `emplace_back` function.
  */
-class StdSequenceEmplaceBack extends MemberFunction {
-  StdSequenceEmplaceBack() {
-    this.getClassAndName("emplace_back") instanceof Vector
-    or
-    this.getClassAndName("emplace_back") instanceof List
-    or
-    this.getClassAndName("emplace_back") instanceof Deque
-  }
+class StdVectorEmplaceBack extends TaintFunction {
+  StdVectorEmplaceBack() { this.getClassAndName("emplace_back") instanceof Vector }
 
-  /**
-   * Gets the index of a parameter to this function that is a reference to the
-   * value type of the container.
-   */
-  int getAValueTypeParameterIndex() {
-    this.getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
-      this.getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector<T>`
-  }
-}
-
-private class StdSequenceEmplaceBackModel extends StdSequenceEmplaceBack, TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from any parameter to qualifier
     // (here we assume taint flow from any constructor parameter to the constructed object)
@@ -336,10 +282,3 @@ private class StdSequenceEmplaceBackModel extends StdSequenceEmplaceBack, TaintF
     output.isQualifierObject()
   }
 }
-
-/**
- * The standard vector `emplace_back` function.
- */
-class StdVectorEmplaceBack extends StdSequenceEmplaceBack {
-  StdVectorEmplaceBack() { this.getDeclaringType() instanceof Vector }
-}

cpp/ql/lib/semmle/code/cpp/models/implementations/StdString.qll

@@ -99,11 +99,9 @@ private class StdStringConstructor extends Constructor, StdStringTaintFunction {
 /**
  * The `std::string` function `c_str`.
  */
-class StdStringCStr extends MemberFunction {
+private class StdStringCStr extends StdStringTaintFunction {
   StdStringCStr() { this.getClassAndName("c_str") instanceof StdBasicString }
-}
 
-private class StdStringCStrModel extends StdStringCStr, StdStringTaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from string itself (qualifier) to return value
     input.isQualifierObject() and
@@ -114,11 +112,9 @@ private class StdStringCStrModel extends StdStringCStr, StdStringTaintFunction {
 /**
  * The `std::string` function `data`.
  */
-class StdStringData extends MemberFunction {
+private class StdStringData extends StdStringTaintFunction {
   StdStringData() { this.getClassAndName("data") instanceof StdBasicString }
-}
 
-private class StdStringDataModel extends StdStringData, StdStringTaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from string itself (qualifier) to return value
     input.isQualifierObject() and

cpp/ql/lib/semmle/code/cpp/models/interfaces/FormattingFunction.qll

@@ -9,9 +9,8 @@
 import semmle.code.cpp.models.interfaces.ArrayFunction
 import semmle.code.cpp.models.interfaces.Taint
 
-pragma[nomagic]
 private Type stripTopLevelSpecifiersOnly(Type t) {
-  result = stripTopLevelSpecifiersOnly(pragma[only_bind_out](t.(SpecifiedType).getBaseType()))
+  result = stripTopLevelSpecifiersOnly(t.(SpecifiedType).getBaseType())
   or
   result = t and
   not t instanceof SpecifiedType

cpp/ql/lib/semmle/code/cpp/rangeanalysis/RangeAnalysisUtils.qll

@@ -355,13 +355,13 @@ private predicate linearAccessImpl(Expr expr, VariableAccess v, float p, float q
  * `cmpWithLinearBound(guard, v, Greater(), true)` and
  * `cmpWithLinearBound(guard, v, Lesser(),  false)` hold.
  * If `guard` is `4 - v > 5` then
- * `cmpWithLinearBound(guard, v, Lesser(),  true)` and
- * `cmpWithLinearBound(guard, v, Greater(), false)` hold.
+ * `cmpWithLinearBound(guard, v, Lesser(),  false)` and
+ * `cmpWithLinearBound(guard, v, Greater(), true)` hold.
  *
- * If an actual bound for `v` is needed, use `upperBound` or `lowerBound`.
- * This predicate can be used if you just want to check whether a variable
- * is bounded, or to restrict a more expensive analysis to just guards that
- * bound a variable.
+ * A more sophisticated predicate, such as `boundFromGuard`, is needed
+ * to compute an actual bound for `v`. This predicate can be used if
+ * you just want to check whether a variable is bounded, or to restrict
+ * a more expensive analysis to just guards that bound a variable.
  */
 predicate cmpWithLinearBound(
   ComparisonOperation guard, VariableAccess v,

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisConstantSpecific.qll

@@ -25,8 +25,4 @@ module CppLangImplConstant implements LangSig<Sem, FloatDelta> {
    * Holds if `e2 >= e1 + delta` (if `upper = false`) or `e2 <= e1 + delta` (if `upper = true`).
    */
   predicate additionalBoundFlowStep(SemExpr e2, SemExpr e1, float delta, boolean upper) { none() }
-
-  predicate includeConstantBounds() { any() }
-
-  predicate includeRelativeBounds() { none() }
 }

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisImpl.qll

@@ -173,11 +173,11 @@ private module ModulusAnalysisInstantiated implements ModulusAnalysisSig<Sem> {
 }
 
 module ConstantStage =
-  RangeStage<SemLocation, Sem, FloatDelta, AllBounds, FloatOverflow, CppLangImplConstant,
+  RangeStage<SemLocation, Sem, FloatDelta, ConstantBounds, FloatOverflow, CppLangImplConstant,
     SignAnalysis, ModulusAnalysisInstantiated>;
 
 module RelativeStage =
-  RangeStage<SemLocation, Sem, FloatDelta, AllBounds, FloatOverflow, CppLangImplRelative,
+  RangeStage<SemLocation, Sem, FloatDelta, RelativeBounds, FloatOverflow, CppLangImplRelative,
     SignAnalysis, ModulusAnalysisInstantiated>;
 
 private newtype TSemReason =

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisRelativeSpecific.qll

@@ -57,8 +57,4 @@ module CppLangImplRelative implements LangSig<Sem, FloatDelta> {
    * Holds if `e2 >= e1 + delta` (if `upper = false`) or `e2 <= e1 + delta` (if `upper = true`).
    */
   predicate additionalBoundFlowStep(SemExpr e2, SemExpr e1, float delta, boolean upper) { none() }
-
-  predicate includeConstantBounds() { none() }
-
-  predicate includeRelativeBounds() { any() }
 }

cpp/ql/lib/semmle/code/cpp/security/Security.qll

@@ -45,7 +45,7 @@ class SecurityOptions extends string {
   /**
    * The argument of the given function is filled in from user input.
    */
-  deprecated predicate userInputArgument(FunctionCall functionCall, int arg) {
+  predicate userInputArgument(FunctionCall functionCall, int arg) {
     exists(string fname |
       functionCall.getTarget().hasGlobalOrStdName(fname) and
       exists(functionCall.getArgument(arg)) and
@@ -73,7 +73,7 @@ class SecurityOptions extends string {
   /**
    * The return value of the given function is filled in from user input.
    */
-  deprecated predicate userInputReturned(FunctionCall functionCall) {
+  predicate userInputReturned(FunctionCall functionCall) {
     exists(string fname |
       functionCall.getTarget().getName() = fname and
       (
@@ -91,8 +91,12 @@ class SecurityOptions extends string {
 
   /**
    * DEPRECATED: Users should override `userInputReturned()` instead.
+   *
+   * note: this function is not formally tagged as `deprecated` since the
+   * new `userInputReturned` uses it to provide compatibility with older
+   * custom SecurityOptions.qll files.
    */
-  deprecated predicate userInputReturn(string function) { none() }
+  predicate userInputReturn(string function) { none() }
 
   /**
    * The argument of the given function is used for running a process or loading
@@ -113,7 +117,7 @@ class SecurityOptions extends string {
    * computed from user input. Such expressions are treated as
    * sources of taint.
    */
-  deprecated predicate isUserInput(Expr expr, string cause) {
+  predicate isUserInput(Expr expr, string cause) {
     exists(FunctionCall fc, int i |
       this.userInputArgument(fc, i) and
       expr = fc.getArgument(i) and
@@ -174,17 +178,17 @@ predicate argv(Parameter argv) {
 predicate isPureFunction(string name) { exists(SecurityOptions opts | opts.isPureFunction(name)) }
 
 /** Convenience accessor for SecurityOptions.userInputArgument */
-deprecated predicate userInputArgument(FunctionCall functionCall, int arg) {
+predicate userInputArgument(FunctionCall functionCall, int arg) {
   exists(SecurityOptions opts | opts.userInputArgument(functionCall, arg))
 }
 
 /** Convenience accessor for SecurityOptions.userInputReturn */
-deprecated predicate userInputReturned(FunctionCall functionCall) {
+predicate userInputReturned(FunctionCall functionCall) {
   exists(SecurityOptions opts | opts.userInputReturned(functionCall))
 }
 
 /** Convenience accessor for SecurityOptions.isUserInput */
-deprecated predicate isUserInput(Expr expr, string cause) {
+predicate isUserInput(Expr expr, string cause) {
   exists(SecurityOptions opts | opts.isUserInput(expr, cause))
 }
 

cpp/ql/lib/semmle/code/cpp/security/SecurityOptions.qll

@@ -23,7 +23,7 @@ class CustomSecurityOptions extends SecurityOptions {
     none() // rules to match custom functions replace this line
   }
 
-  deprecated override predicate userInputArgument(FunctionCall functionCall, int arg) {
+  override predicate userInputArgument(FunctionCall functionCall, int arg) {
     SecurityOptions.super.userInputArgument(functionCall, arg)
     or
     exists(string fname |
@@ -36,7 +36,7 @@ class CustomSecurityOptions extends SecurityOptions {
     )
   }
 
-  deprecated override predicate userInputReturned(FunctionCall functionCall) {
+  override predicate userInputReturned(FunctionCall functionCall) {
     SecurityOptions.super.userInputReturned(functionCall)
     or
     exists(string fname |

cpp/ql/lib/semmle/code/cpp/security/TaintTracking.qll

@@ -0,0 +1,10 @@
+/**
+ * Support for tracking tainted data through the program. This is an alias for
+ * `semmle.code.cpp.ir.dataflow.DefaultTaintTracking` provided for backwards
+ * compatibility.
+ *
+ * Prefer to use `semmle.code.cpp.dataflow.TaintTracking` or
+ * `semmle.code.cpp.ir.dataflow.TaintTracking` when designing new queries.
+ */
+
+import semmle.code.cpp.ir.dataflow.DefaultTaintTracking

cpp/ql/lib/semmle/code/cpp/security/TaintTrackingImpl.qll

@@ -0,0 +1,654 @@
+/**
+ * DEPRECATED: we now use `semmle.code.cpp.ir.dataflow.DefaultTaintTracking`,
+ * which is based on the IR but designed to behave similarly to this old
+ * library.
+ *
+ * Provides the implementation of `semmle.code.cpp.security.TaintTracking`. Do
+ * not import this file directly.
+ */
+
+import cpp
+import Security
+
+/** Expressions that change the value of a variable */
+private predicate valueSource(Expr expr) {
+  exists(AssignExpr ae | expr = ae.getLValue())
+  or
+  exists(FunctionCall fc, int i |
+    userInputArgument(fc, i) and
+    expr = fc.getArgument(i)
+  )
+  or
+  exists(FunctionCall c, int arg |
+    copyValueBetweenArguments(c.getTarget(), _, arg) and
+    expr = c.getArgument(arg)
+  )
+  or
+  exists(FunctionCall c, int arg |
+    c.getTarget().getParameter(arg).getType() instanceof ReferenceType and
+    expr = c.getArgument(arg)
+  )
+}
+
+/** Expressions that are inside an expression that changes the value of a variable */
+private predicate insideValueSource(Expr expr) {
+  valueSource(expr)
+  or
+  insideValueSource(expr.getParent()) and
+  // A modification of array[offset] does not modify offset
+  not expr.getParent().(ArrayExpr).getArrayOffset() = expr
+}
+
+private predicate isPointer(Type type) {
+  type instanceof PointerType or
+  isPointer(type.(ReferenceType).getBaseType())
+}
+
+/**
+ * Tracks data flow from src to dest.
+ * If this is used in the left side of an assignment src and dest should be swapped
+ */
+private predicate moveToDependingOnSide(Expr src, Expr dest) {
+  exists(ParenthesisExpr e |
+    src = e.getAChild() and
+    dest = e
+  )
+  or
+  exists(ArrayExpr e |
+    src = e.getArrayBase() and
+    dest = e
+  )
+  or
+  exists(PointerDereferenceExpr e |
+    src = e.getOperand() and
+    dest = e
+  )
+  or
+  exists(AddressOfExpr e |
+    src = e.getOperand() and
+    dest = e
+  )
+  or
+  // if var+offset is tainted, then so is var
+  exists(VariableAccess base, BinaryOperation binop |
+    dest = binop and
+    (base = binop.getLeftOperand() or base = binop.getRightOperand()) and
+    isPointer(base.getType()) and
+    base.getTarget() instanceof LocalScopeVariable and
+    src = base and
+    // flow through pointer-pointer subtraction is dubious, the result should be
+    // a number bounded by the size of the pointed-to thing.
+    not binop instanceof PointerDiffExpr
+  )
+  or
+  exists(UnaryOperation unop |
+    dest = unop and
+    unop.getAnOperand() = src
+  )
+  or
+  exists(BinaryOperation binop |
+    dest = binop and
+    binop.getLeftOperand() = src and
+    predictable(binop.getRightOperand())
+  )
+  or
+  exists(BinaryOperation binop |
+    dest = binop and
+    binop.getRightOperand() = src and
+    predictable(binop.getLeftOperand())
+  )
+  or
+  exists(Cast cast |
+    dest = cast and
+    src = cast.getExpr()
+  )
+  or
+  exists(ConditionalExpr cond |
+    cond = dest and
+    (
+      cond.getThen() = src or
+      cond.getElse() = src
+    )
+  )
+}
+
+/**
+ * Track value flow between functions.
+ * Handles the following cases:
+ * - If an argument to a function is tainted, all the usages of the parameter inside the function are tainted
+ * - If a function obtains input from the user internally and returns it, all calls to the function are tainted
+ * - If an argument to a function is tainted and that parameter is returned, all calls to the function are not tainted
+ *   (this is done to avoid false positives). Because of this we need to track if the tainted element came from an argument
+ *   or not, and for that we use destFromArg
+ */
+deprecated private predicate betweenFunctionsValueMoveTo(
+  Element src, Element dest, boolean destFromArg
+) {
+  not unreachable(src) and
+  not unreachable(dest) and
+  (
+    exists(Call call, int i |
+      src = call.getArgument(i) and
+      resolveCallWithParam(call, _, i, dest) and
+      destFromArg = true
+    )
+    or
+    // Only move the return of the function to the function itself if the value didn't came from an
+    // argument, or else we would taint all the calls to one function if one argument is tainted
+    // somewhere
+    exists(Function f, ReturnStmt ret |
+      ret.getEnclosingFunction() = f and
+      src = ret.getExpr() and
+      destFromArg = false and
+      dest = f
+    )
+    or
+    exists(Call call, Function f |
+      f = resolveCall(call) and
+      src = f and
+      dest = call and
+      destFromArg = false
+    )
+    or
+    // If a parameter of type reference is tainted inside a function, taint the argument too
+    exists(Call call, int pi, Parameter p |
+      resolveCallWithParam(call, _, pi, p) and
+      p.getType() instanceof ReferenceType and
+      src = p and
+      dest = call.getArgument(pi) and
+      destFromArg = false
+    )
+  )
+}
+
+// predicate folding for proper join-order
+// bad magic: pushes down predicate that ruins join-order
+pragma[nomagic]
+deprecated private predicate resolveCallWithParam(Call call, Function called, int i, Parameter p) {
+  called = resolveCall(call) and
+  p = called.getParameter(i)
+}
+
+/** A variable for which flow through is allowed. */
+deprecated library class FlowVariable extends Variable {
+  FlowVariable() {
+    (
+      this instanceof LocalScopeVariable or
+      this instanceof GlobalOrNamespaceVariable
+    ) and
+    not argv(this)
+  }
+}
+
+/** A local scope variable for which flow through is allowed. */
+deprecated library class FlowLocalScopeVariable extends Variable {
+  FlowLocalScopeVariable() { this instanceof LocalScopeVariable }
+}
+
+deprecated private predicate insideFunctionValueMoveTo(Element src, Element dest) {
+  not unreachable(src) and
+  not unreachable(dest) and
+  (
+    // Taint all variable usages when one is tainted
+    // This function taints global variables but doesn't taint from a global variable (see globalVariableValueMoveTo)
+    exists(FlowLocalScopeVariable v |
+      src = v and
+      dest = v.getAnAccess() and
+      not insideValueSource(dest)
+    )
+    or
+    exists(FlowVariable v |
+      src = v.getAnAccess() and
+      dest = v and
+      insideValueSource(src)
+    )
+    or
+    // Taint all union usages when one is tainted
+    // This function taints global variables but doesn't taint from a global variable (see globalVariableValueMoveTo)
+    exists(FlowLocalScopeVariable v, FieldAccess a |
+      unionAccess(v, _, a) and
+      src = v and
+      dest = a and
+      not insideValueSource(dest)
+    )
+    or
+    exists(FlowVariable v, FieldAccess a |
+      unionAccess(v, _, a) and
+      src = a and
+      dest = v and
+      insideValueSource(src)
+    )
+    or
+    // If a pointer is tainted, taint the original variable
+    exists(FlowVariable p, FlowVariable v, AddressOfExpr e |
+      p.getAnAssignedValue() = e and
+      e.getOperand() = v.getAnAccess() and
+      src = p and
+      dest = v
+    )
+    or
+    // If a reference is tainted, taint the original variable
+    exists(FlowVariable r, FlowVariable v |
+      r.getType() instanceof ReferenceType and
+      r.getInitializer().getExpr() = v.getAnAccess() and
+      src = r and
+      dest = v
+    )
+    or
+    exists(Variable var |
+      var = dest and
+      var.getInitializer().getExpr() = src
+    )
+    or
+    exists(AssignExpr ae |
+      src = ae.getRValue() and
+      dest = ae.getLValue()
+    )
+    or
+    exists(CommaExpr comma |
+      comma = dest and
+      comma.getRightOperand() = src
+    )
+    or
+    exists(FunctionCall c, int sourceArg, int destArg |
+      copyValueBetweenArguments(c.getTarget(), sourceArg, destArg) and
+      // Only consider copies from `printf`-like functions if the format is a string
+      (
+        exists(FormattingFunctionCall ffc, FormatLiteral format |
+          ffc = c and
+          format = ffc.getFormat() and
+          format.getConversionChar(sourceArg - ffc.getTarget().getNumberOfParameters()) = ["s", "S"]
+        )
+        or
+        not c.(FormattingFunctionCall).getFormat() instanceof FormatLiteral
+        or
+        not c instanceof FormattingFunctionCall
+      ) and
+      src = c.getArgument(sourceArg) and
+      dest = c.getArgument(destArg)
+    )
+    or
+    exists(FunctionCall c, int sourceArg |
+      returnArgument(c.getTarget(), sourceArg) and
+      src = c.getArgument(sourceArg) and
+      dest = c
+    )
+    or
+    exists(FormattingFunctionCall formattingSend, int arg, FormatLiteral format |
+      dest = formattingSend and
+      formattingSend.getArgument(arg) = src and
+      format = formattingSend.getFormat() and
+      format.getConversionChar(arg - formattingSend.getTarget().getNumberOfParameters()) =
+        ["s", "S", "@"]
+    )
+    or
+    // Expressions computed from tainted data are also tainted
+    exists(FunctionCall call | dest = call and isPureFunction(call.getTarget().getName()) |
+      call.getAnArgument() = src and
+      forall(Expr arg | arg = call.getAnArgument() | arg = src or predictable(arg)) and
+      // flow through `strlen` tends to cause dubious results, if the length is
+      // bounded.
+      not call.getTarget().getName() = "strlen"
+    )
+    or
+    exists(Element a, Element b |
+      moveToDependingOnSide(a, b) and
+      if insideValueSource(a) then (src = b and dest = a) else (src = a and dest = b)
+    )
+  )
+}
+
+/**
+ * Handles data flow from global variables to its usages.
+ * The tainting for the global variable itself is done at insideFunctionValueMoveTo.
+ */
+private predicate globalVariableValueMoveTo(GlobalOrNamespaceVariable src, Expr dest) {
+  not unreachable(dest) and
+  (
+    exists(GlobalOrNamespaceVariable v |
+      src = v and
+      dest = v.getAnAccess() and
+      not insideValueSource(dest)
+    )
+    or
+    exists(GlobalOrNamespaceVariable v, FieldAccess a |
+      unionAccess(v, _, a) and
+      src = v and
+      dest = a and
+      not insideValueSource(dest)
+    )
+  )
+}
+
+private predicate unionAccess(Variable v, Field f, FieldAccess a) {
+  f.getDeclaringType() instanceof Union and
+  a.getTarget() = f and
+  a.getQualifier() = v.getAnAccess()
+}
+
+deprecated GlobalOrNamespaceVariable globalVarFromId(string id) {
+  if result instanceof NamespaceVariable
+  then id = result.getNamespace() + "::" + result.getName()
+  else id = result.getName()
+}
+
+/**
+ * A variable that has any kind of upper-bound check anywhere in the program.  This is
+ * biased towards being inclusive because there are a lot of valid ways of doing an
+ * upper bounds checks if we don't consider where it occurs, for example:
+ * ```
+ *   if (x < 10) { sink(x); }
+ *
+ *   if (10 > y) { sink(y); }
+ *
+ *   if (z > 10) { z = 10; }
+ *   sink(z);
+ * ```
+ */
+private predicate hasUpperBoundsCheck(Variable var) {
+  exists(RelationalOperation oper, VariableAccess access |
+    oper.getAnOperand() = access and
+    access.getTarget() = var and
+    // Comparing to 0 is not an upper bound check
+    not oper.getAnOperand().getValue() = "0"
+  )
+}
+
+cached
+deprecated private predicate taintedWithArgsAndGlobalVars(
+  Element src, Element dest, boolean destFromArg, string globalVar
+) {
+  isUserInput(src, _) and
+  not unreachable(src) and
+  dest = src and
+  destFromArg = false and
+  globalVar = ""
+  or
+  exists(Element other, boolean otherFromArg, string otherGlobalVar |
+    taintedWithArgsAndGlobalVars(src, other, otherFromArg, otherGlobalVar)
+  |
+    not unreachable(dest) and
+    not hasUpperBoundsCheck(dest) and
+    (
+      // Direct flow from one expression to another.
+      betweenFunctionsValueMoveTo(other, dest, destFromArg) and
+      (destFromArg = true or otherFromArg = false) and
+      globalVar = otherGlobalVar
+      or
+      insideFunctionValueMoveTo(other, dest) and
+      destFromArg = otherFromArg and
+      globalVar = otherGlobalVar
+      or
+      exists(GlobalOrNamespaceVariable v |
+        v = other and
+        globalVariableValueMoveTo(v, dest) and
+        destFromArg = false and
+        v = globalVarFromId(globalVar)
+      )
+    )
+  )
+}
+
+/**
+ * A tainted expression is either directly user input, or is
+ * computed from user input in a way that users can probably
+ * control the exact output of the computation.
+ *
+ * This doesn't include data flow through global variables.
+ * If you need that you must call taintedIncludingGlobalVars.
+ */
+deprecated predicate tainted(Expr source, Element tainted) {
+  taintedWithArgsAndGlobalVars(source, tainted, _, "")
+}
+
+/**
+ * A tainted expression is either directly user input, or is
+ * computed from user input in a way that users can probably
+ * control the exact output of the computation.
+ *
+ * This version gives the same results as tainted but also includes
+ * data flow through global variables.
+ *
+ * The parameter `globalVar` is the name of the last global variable used to move the
+ * value from source to tainted.
+ */
+deprecated predicate taintedIncludingGlobalVars(Expr source, Element tainted, string globalVar) {
+  taintedWithArgsAndGlobalVars(source, tainted, _, globalVar)
+}
+
+/**
+ * A predictable expression is one where an external user can predict
+ * the value. For example, a literal in the source code is considered
+ * predictable.
+ */
+private predicate predictable(Expr expr) {
+  expr instanceof Literal
+  or
+  exists(BinaryOperation binop | binop = expr |
+    predictable(binop.getLeftOperand()) and predictable(binop.getRightOperand())
+  )
+  or
+  exists(UnaryOperation unop | unop = expr | predictable(unop.getOperand()))
+}
+
+private int maxArgIndex(Function f) {
+  result =
+    max(FunctionCall fc, int toMax |
+      fc.getTarget() = f and toMax = fc.getNumberOfArguments() - 1
+    |
+      toMax
+    )
+}
+
+/** Functions that copy the value of one argument to another */
+private predicate copyValueBetweenArguments(Function f, int sourceArg, int destArg) {
+  f.hasGlobalOrStdName("memcpy") and sourceArg = 1 and destArg = 0
+  or
+  f.hasGlobalName("__builtin___memcpy_chk") and sourceArg = 1 and destArg = 0
+  or
+  f.hasGlobalOrStdName("memmove") and sourceArg = 1 and destArg = 0
+  or
+  f.hasGlobalOrStdName("strcat") and sourceArg = 1 and destArg = 0
+  or
+  f.hasGlobalName("_mbscat") and sourceArg = 1 and destArg = 0
+  or
+  f.hasGlobalOrStdName("wcscat") and sourceArg = 1 and destArg = 0
+  or
+  f.hasGlobalOrStdName("strncat") and sourceArg = 1 and destArg = 0
+  or
+  f.hasGlobalName("_mbsncat") and sourceArg = 1 and destArg = 0
+  or
+  f.hasGlobalName("wcsncat") and sourceArg = 1 and destArg = 0
+  or
+  f.hasGlobalOrStdName("strcpy") and sourceArg = 1 and destArg = 0
+  or
+  f.hasGlobalName("_mbscpy") and sourceArg = 1 and destArg = 0
+  or
+  f.hasGlobalOrStdName("wcscpy") and sourceArg = 1 and destArg = 0
+  or
+  f.hasGlobalOrStdName("strncpy") and sourceArg = 1 and destArg = 0
+  or
+  f.hasGlobalName("_mbsncpy") and sourceArg = 1 and destArg = 0
+  or
+  f.hasGlobalOrStdName("wcsncpy") and sourceArg = 1 and destArg = 0
+  or
+  f.hasGlobalName("inet_aton") and sourceArg = 0 and destArg = 1
+  or
+  f.hasGlobalName("inet_pton") and sourceArg = 1 and destArg = 2
+  or
+  f.hasGlobalOrStdName("strftime") and sourceArg in [2 .. maxArgIndex(f)] and destArg = 0
+  or
+  exists(FormattingFunction ff | ff = f |
+    sourceArg in [ff.getFormatParameterIndex() .. maxArgIndex(f)] and
+    destArg = ff.getOutputParameterIndex(false)
+  )
+}
+
+/** Functions where if one of the arguments is tainted, the result should be tainted */
+private predicate returnArgument(Function f, int sourceArg) {
+  f.hasGlobalName("memcpy") and sourceArg = 0
+  or
+  f.hasGlobalName("__builtin___memcpy_chk") and sourceArg = 0
+  or
+  f.hasGlobalOrStdName("memmove") and sourceArg = 0
+  or
+  f.hasGlobalOrStdName("strcat") and sourceArg = 0
+  or
+  f.hasGlobalName("_mbscat") and sourceArg = 0
+  or
+  f.hasGlobalOrStdName("wcsncat") and sourceArg = 0
+  or
+  f.hasGlobalOrStdName("strncat") and sourceArg = 0
+  or
+  f.hasGlobalName("_mbsncat") and sourceArg = 0
+  or
+  f.hasGlobalOrStdName("wcsncat") and sourceArg = 0
+  or
+  f.hasGlobalOrStdName("strcpy") and sourceArg = 0
+  or
+  f.hasGlobalName("_mbscpy") and sourceArg = 0
+  or
+  f.hasGlobalOrStdName("wcscpy") and sourceArg = 0
+  or
+  f.hasGlobalOrStdName("strncpy") and sourceArg = 0
+  or
+  f.hasGlobalName("_mbsncpy") and sourceArg = 0
+  or
+  f.hasGlobalOrStdName("wcsncpy") and sourceArg = 0
+  or
+  f.hasGlobalName("inet_ntoa") and sourceArg = 0
+  or
+  f.hasGlobalName("inet_addr") and sourceArg = 0
+  or
+  f.hasGlobalName("inet_network") and sourceArg = 0
+  or
+  f.hasGlobalName("inet_ntoa") and sourceArg = 0
+  or
+  f.hasGlobalName("inet_makeaddr") and
+  (sourceArg = 0 or sourceArg = 1)
+  or
+  f.hasGlobalName("inet_lnaof") and sourceArg = 0
+  or
+  f.hasGlobalName("inet_netof") and sourceArg = 0
+  or
+  f.hasGlobalName("gethostbyname") and sourceArg = 0
+  or
+  f.hasGlobalName("gethostbyaddr") and sourceArg = 0
+}
+
+/**
+ * Resolve potential target function(s) for `call`.
+ *
+ * If `call` is a call through a function pointer (`ExprCall`) or
+ * targets a virtual method, simple data flow analysis is performed
+ * in order to identify target(s).
+ */
+deprecated Function resolveCall(Call call) {
+  result = call.getTarget()
+  or
+  result = call.(DataSensitiveCallExpr).resolve()
+}
+
+/** A data sensitive call expression. */
+abstract deprecated library class DataSensitiveCallExpr extends Expr {
+  DataSensitiveCallExpr() { not unreachable(this) }
+
+  abstract Expr getSrc();
+
+  cached
+  abstract Function resolve();
+
+  /**
+   * Whether `src` can flow to this call expression.
+   *
+   * Searches backwards from `getSrc()` to `src`.
+   */
+  predicate flowsFrom(Element src, boolean allowFromArg) {
+    src = this.getSrc() and allowFromArg = true
+    or
+    exists(Element other, boolean allowOtherFromArg | this.flowsFrom(other, allowOtherFromArg) |
+      exists(boolean otherFromArg | betweenFunctionsValueMoveToStatic(src, other, otherFromArg) |
+        otherFromArg = true and allowOtherFromArg = true and allowFromArg = true
+        or
+        otherFromArg = false and allowFromArg = false
+      )
+      or
+      insideFunctionValueMoveTo(src, other) and allowFromArg = allowOtherFromArg
+      or
+      globalVariableValueMoveTo(src, other) and allowFromArg = true
+    )
+  }
+}
+
+/** Call through a function pointer. */
+deprecated library class DataSensitiveExprCall extends DataSensitiveCallExpr, ExprCall {
+  override Expr getSrc() { result = this.getExpr() }
+
+  override Function resolve() {
+    exists(FunctionAccess fa | this.flowsFrom(fa, true) | result = fa.getTarget())
+  }
+}
+
+/** Call to a virtual function. */
+deprecated library class DataSensitiveOverriddenFunctionCall extends DataSensitiveCallExpr,
+  FunctionCall
+{
+  DataSensitiveOverriddenFunctionCall() {
+    exists(this.getTarget().(VirtualFunction).getAnOverridingFunction())
+  }
+
+  override Expr getSrc() { result = this.getQualifier() }
+
+  override MemberFunction resolve() {
+    exists(NewExpr new |
+      this.flowsFrom(new, true) and
+      memberFunctionFromNewExpr(new, result) and
+      result.overrides*(this.getTarget().(VirtualFunction))
+    )
+  }
+}
+
+private predicate memberFunctionFromNewExpr(NewExpr new, MemberFunction f) {
+  f = new.getAllocatedType().(Class).getAMemberFunction()
+}
+
+/** Same as `betweenFunctionsValueMoveTo`, but calls are resolved to their static target. */
+private predicate betweenFunctionsValueMoveToStatic(Element src, Element dest, boolean destFromArg) {
+  not unreachable(src) and
+  not unreachable(dest) and
+  (
+    exists(FunctionCall call, Function called, int i |
+      src = call.getArgument(i) and
+      called = call.getTarget() and
+      dest = called.getParameter(i) and
+      destFromArg = true
+    )
+    or
+    // Only move the return of the function to the function itself if the value didn't came from an
+    // argument, or else we would taint all the calls to one function if one argument is tainted
+    // somewhere
+    exists(Function f, ReturnStmt ret |
+      ret.getEnclosingFunction() = f and
+      src = ret.getExpr() and
+      destFromArg = false and
+      dest = f
+    )
+    or
+    exists(FunctionCall call, Function f |
+      call.getTarget() = f and
+      src = f and
+      dest = call and
+      destFromArg = false
+    )
+    or
+    // If a parameter of type reference is tainted inside a function, taint the argument too
+    exists(FunctionCall call, Function f, int pi, Parameter p |
+      call.getTarget() = f and
+      f.getParameter(pi) = p and
+      p.getType() instanceof ReferenceType and
+      src = p and
+      dest = call.getArgument(pi) and
+      destFromArg = false
+    )
+  )
+}

cpp/ql/lib/semmle/code/cpp/security/flowafterfree/FlowAfterFree.qll

@@ -1,171 +0,0 @@
-/**
- * General library for finding flow from a pointer being freed to a user-specified sink
- */
-
-import cpp
-import semmle.code.cpp.dataflow.new.DataFlow
-private import semmle.code.cpp.ir.IR
-
-/**
- * Holds if `(b1, i1)` strictly post-dominates `(b2, i2)`
- */
-bindingset[i1, i2]
-predicate strictlyPostDominates(IRBlock b1, int i1, IRBlock b2, int i2) {
-  b1 = b2 and
-  i1 > i2
-  or
-  b1.strictlyPostDominates(b2)
-}
-
-/**
- * Holds if `(b1, i1)` strictly dominates `(b2, i2)`
- */
-bindingset[i1, i2]
-predicate strictlyDominates(IRBlock b1, int i1, IRBlock b2, int i2) {
-  b1 = b2 and
-  i1 < i2
-  or
-  b1.strictlyDominates(b2)
-}
-
-/**
- * The signature for a module that is used to specify the inputs to the `FlowFromFree` module.
- */
-signature module FlowFromFreeParamSig {
-  /**
-   * Holds if `n.asExpr() = e` and `n` is a sink in the `FlowFromFreeConfig`
-   * module.
-   */
-  predicate isSink(DataFlow::Node n, Expr e);
-
-  /**
-   * Holds if `dealloc` is a deallocation expression and `e` is an expression such
-   * that `isFree(_, e)` holds for some `isFree` predicate satisfying `isSinkSig`,
-   * and this source-sink pair should be excluded from the analysis.
-   */
-  bindingset[dealloc, e]
-  predicate isExcluded(DeallocationExpr dealloc, Expr e);
-
-  /**
-   * Holds if `sink` should be considered a `sink` when the source of flow is `source`.
-   */
-  bindingset[source, sink]
-  default predicate sourceSinkIsRelated(DataFlow::Node source, DataFlow::Node sink) { any() }
-}
-
-/**
- * Constructs a `FlowFromFreeConfig` module that can be used to find flow between
- * a pointer being freed by some deallocation function, and a user-specified sink.
- *
- * In order to reduce false positives, the set of sinks is restricted to only those
- * that satisfy at least one of the following two criteria:
- * 1. The source dominates the sink, or
- * 2. The sink post-dominates the source.
- */
-module FlowFromFree<FlowFromFreeParamSig P> {
-  private module FlowFromFreeConfig implements DataFlow::StateConfigSig {
-    class FlowState instanceof Expr {
-      FlowState() { isFree(_, _, this, _) }
-
-      string toString() { result = super.toString() }
-    }
-
-    predicate isSource(DataFlow::Node node, FlowState state) { isFree(node, _, state, _) }
-
-    pragma[inline]
-    predicate isSink(DataFlow::Node sink, FlowState state) {
-      exists(Expr e, DataFlow::Node source, DeallocationExpr dealloc |
-        P::isSink(sink, e) and
-        isFree(source, _, state, dealloc) and
-        e != state and
-        not P::isExcluded(dealloc, e) and
-        P::sourceSinkIsRelated(source, sink)
-      )
-    }
-
-    predicate isBarrierIn(DataFlow::Node n) {
-      n.asIndirectExpr() = any(AddressOfExpr aoe)
-      or
-      n.asIndirectExpr() = any(Call call).getAnArgument()
-      or
-      exists(Expr e |
-        n.asIndirectExpr() = e.(PointerDereferenceExpr).getOperand() or
-        n.asIndirectExpr() = e.(ArrayExpr).getArrayBase()
-      |
-        e = any(StoreInstruction store).getDestinationAddress().getUnconvertedResultExpression()
-      )
-      or
-      n.asExpr() instanceof ArrayExpr
-    }
-  }
-
-  import DataFlow::GlobalWithState<FlowFromFreeConfig>
-}
-
-/**
- * Holds if `outgoing` is a dataflow node that represents the pointer passed to
- * `dealloc` after the call returns (i.e., the post-update node associated with
- * the argument to `dealloc`), and `incoming` is the corresponding argument
- * node going into `dealloc` (i.e., the pre-update node of `outgoing`).
- */
-predicate isFree(DataFlow::Node outgoing, DataFlow::Node incoming, Expr e, DeallocationExpr dealloc) {
-  exists(Expr conv |
-    e = conv.getUnconverted() and
-    conv = dealloc.getFreedExpr().getFullyConverted() and
-    incoming = outgoing.(DataFlow::PostUpdateNode).getPreUpdateNode() and
-    conv = incoming.asConvertedExpr()
-  ) and
-  // Ignore realloc functions
-  not exists(dealloc.(FunctionCall).getTarget().(AllocationFunction).getReallocPtrArg())
-}
-
-/**
- * Holds if `fc` is a function call that is the result of expanding
- * the `ExFreePool` macro.
- */
-predicate isExFreePoolCall(FunctionCall fc, Expr e) {
-  e = fc.getArgument(0) and
-  (
-    exists(MacroInvocation mi |
-      mi.getMacroName() = "ExFreePool" and
-      mi.getExpr() = fc
-    )
-    or
-    fc.getTarget().hasGlobalName("ExFreePool")
-  )
-}
-
-/**
- * Holds if either `source` strictly dominates `sink`, or `sink` strictly
- * post-dominates `source`.
- */
-bindingset[source, sink]
-predicate defaultSourceSinkIsRelated(DataFlow::Node source, DataFlow::Node sink) {
-  exists(IRBlock b1, int i1, IRBlock b2, int i2 |
-    source.hasIndexInBlock(b1, i1) and
-    sink.hasIndexInBlock(b2, i2)
-  |
-    strictlyDominates(b1, i1, b2, i2)
-    or
-    strictlyPostDominates(b2, i2, b1, i1)
-  )
-}
-
-/**
- * `dealloc1` is a deallocation expression, `e` is an expression that dereferences a
- * pointer, and the `(dealloc1, e)` pair should be excluded by the `FlowFromFree` library.
- *
- * Note that `e` is not necessarily the expression deallocated by `dealloc1`. It will
- * be bound to the second deallocation as identified by the `FlowFromFree` library.
- *
- * From https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-mmfreepagesfrommdl:
- * "After calling MmFreePagesFromMdl, the caller must also call ExFreePool
- * to release the memory that was allocated for the MDL structure."
- */
-bindingset[dealloc1, e]
-predicate isExcludedMmFreePageFromMdl(DeallocationExpr dealloc1, Expr e) {
-  exists(DeallocationExpr dealloc2 | isFree(_, _, e, dealloc2) |
-    dealloc1.(FunctionCall).getTarget().hasGlobalName("MmFreePagesFromMdl") and
-    isExFreePoolCall(dealloc2, _)
-  )
-}

cpp/ql/lib/semmle/code/cpp/security/flowafterfree/UseAfterFree.qll

@@ -1,159 +0,0 @@
-/**
- * General library for tracing Use After Free vulnerabilities.
- */
-
-import cpp
-private import semmle.code.cpp.security.flowafterfree.FlowAfterFree
-private import semmle.code.cpp.ir.IR
-
-/**
- * Holds if `call` is a call to a function that obviously
- * doesn't dereference its `i`'th argument.
- */
-private predicate externalCallNeverDereferences(FormattingFunctionCall call, int arg) {
-  exists(int formatArg |
-    pragma[only_bind_out](call.getFormatArgument(formatArg)) =
-      pragma[only_bind_out](call.getArgument(arg)) and
-    call.getFormat().(FormatLiteral).getConvSpec(formatArg) != "%s"
-  )
-}
-
-/**
- * Holds if `e` is a use. A use is a pointer dereference or a
- * parameter to a call with no function definition.
- * Uses in deallocation expressions (e.g., free) are excluded.
- * Default isUse definition for an expression.
- */
-predicate isUse0(Expr e) {
-  not isFree(_, _, e, _) and
-  (
-    // TODO: use DirectDefereferencedByOperation in Dereferenced.qll
-    e = any(PointerDereferenceExpr pde).getOperand()
-    or
-    e = any(PointerFieldAccess pfa).getQualifier()
-    or
-    e = any(ArrayExpr ae).getArrayBase()
-    or
-    e = any(Call call).getQualifier()
-    or
-    // Assume any function without a body will dereference the pointer
-    exists(int i, Call call, Function f |
-      e = call.getArgument(i) and
-      f = call.getTarget() and
-      not f.hasEntryPoint() and
-      // Exclude known functions we know won't dereference the pointer.
-      // For example, a call such as `printf("%p", myPointer)`.
-      not externalCallNeverDereferences(call, i)
-    )
-  )
-}
-
-private module ParameterSinks {
-  import semmle.code.cpp.ir.ValueNumbering
-
-  private predicate flowsToUse(DataFlow::Node n) {
-    isUse0(n.asExpr())
-    or
-    exists(DataFlow::Node succ |
-      flowsToUse(succ) and
-      DataFlow::localFlowStep(n, succ)
-    )
-  }
-
-  private predicate flowsFromParam(DataFlow::Node n) {
-    flowsToUse(n) and
-    (
-      n.asParameter().getUnspecifiedType() instanceof PointerType
-      or
-      exists(DataFlow::Node prev |
-        flowsFromParam(prev) and
-        DataFlow::localFlowStep(prev, n)
-      )
-    )
-  }
-
-  private predicate step(DataFlow::Node n1, DataFlow::Node n2) {
-    flowsFromParam(n1) and
-    flowsFromParam(n2) and
-    DataFlow::localFlowStep(n1, n2)
-  }
-
-  private predicate paramToUse(DataFlow::Node n1, DataFlow::Node n2) = fastTC(step/2)(n1, n2)
-
-  private predicate hasFlow(
-    DataFlow::Node source, InitializeParameterInstruction init, DataFlow::Node sink
-  ) {
-    pragma[only_bind_out](source.asParameter()) = pragma[only_bind_out](init.getParameter()) and
-    paramToUse(source, sink) and
-    isUse0(sink.asExpr())
-  }
-
-  private InitializeParameterInstruction getAnAlwaysDereferencedParameter0() {
-    exists(DataFlow::Node source, DataFlow::Node sink, IRBlock b1, int i1, IRBlock b2, int i2 |
-      hasFlow(pragma[only_bind_into](source), result, pragma[only_bind_into](sink)) and
-      source.hasIndexInBlock(b1, pragma[only_bind_into](i1)) and
-      sink.hasIndexInBlock(b2, pragma[only_bind_into](i2)) and
-      strictlyPostDominates(b2, i2, b1, i1)
-    )
-  }
-
-  private CallInstruction getAnAlwaysReachedCallInstruction() {
-    exists(IRFunction f | result.getBlock().postDominates(f.getEntryBlock()))
-  }
-
-  pragma[nomagic]
-  private predicate callHasTargetAndArgument(Function f, int i, Instruction argument) {
-    exists(CallInstruction call |
-      call.getStaticCallTarget() = f and
-      call.getArgument(i) = argument and
-      call = getAnAlwaysReachedCallInstruction()
-    )
-  }
-
-  pragma[nomagic]
-  private predicate initializeParameterInFunction(Function f, int i) {
-    exists(InitializeParameterInstruction init |
-      pragma[only_bind_out](init.getEnclosingFunction()) = f and
-      init.hasIndex(i) and
-      init = getAnAlwaysDereferencedParameter()
-    )
-  }
-
-  pragma[nomagic]
-  private predicate alwaysDereferencedArgumentHasValueNumber(ValueNumber vn) {
-    exists(int i, Function f, Instruction argument |
-      callHasTargetAndArgument(f, i, argument) and
-      initializeParameterInFunction(pragma[only_bind_into](f), pragma[only_bind_into](i)) and
-      vn.getAnInstruction() = argument
-    )
-  }
-
-  InitializeParameterInstruction getAnAlwaysDereferencedParameter() {
-    result = getAnAlwaysDereferencedParameter0()
-    or
-    exists(ValueNumber vn |
-      alwaysDereferencedArgumentHasValueNumber(vn) and
-      vn.getAnInstruction() = result
-    )
-  }
-}
-
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplCommon
-
-/**
- * Holds if `n` represents the expression `e`, and `e` is a pointer that is
- * guaranteed to be dereferenced (either because it's an operand of a
- * dereference operation, or because it's an argument to a function that
- * always dereferences the parameter).
- */
-predicate isUse(DataFlow::Node n, Expr e) {
-  isUse0(e) and n.asExpr() = e
-  or
-  exists(CallInstruction call, InitializeParameterInstruction init |
-    n.asOperand().getDef().getUnconvertedResultExpression() = e and
-    pragma[only_bind_into](init) = ParameterSinks::getAnAlwaysDereferencedParameter() and
-    viableParamArg(call, DataFlow::instructionNode(init), n) and
-    pragma[only_bind_out](init.getEnclosingFunction()) =
-      pragma[only_bind_out](call.getStaticCallTarget())
-  )
-}

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -356,8 +356,6 @@ case @function.kind of
 | 4 = @conversion_function
 | 5 = @operator
 | 6 = @builtin_function     // GCC built-in functions, e.g. __builtin___memcpy_chk
-| 7 = @user_defined_literal
-| 8 = @deduction_guide
 ;
 */
 
@@ -407,8 +405,6 @@ function_deleted(unique int id: @function ref);
 
 function_defaulted(unique int id: @function ref);
 
-function_prototyped(unique int id: @function ref)
-
 member_function_this_type(
     unique int id: @function ref,
     int this_type: @type ref
@@ -939,7 +935,6 @@ case @attribute_arg.kind of
 | 2 = @attribute_arg_constant
 | 3 = @attribute_arg_type
 | 4 = @attribute_arg_constant_expr
-| 5 = @attribute_arg_expr
 ;
 
 attribute_arg_value(
@@ -954,10 +949,6 @@ attribute_arg_constant(
     unique int arg: @attribute_arg ref,
     int constant: @expr ref
 )
-attribute_arg_expr(
-    unique int arg: @attribute_arg ref,
-    int expr: @expr ref
-)
 attribute_arg_name(
     unique int arg: @attribute_arg ref,
     string name: string ref
@@ -2156,7 +2147,7 @@ includes(
 );
 
 link_targets(
-    int id: @link_target,
+    unique int id: @link_target,
     int binary: @file ref
 );
 

cpp/ql/lib/upgrades/098850d25c4e9d417eb74c1bef9deb2f9d2dc417/upgrade.properties

@@ -1,6 +1,3 @@
 description: Remove the old CFG tables
 compatibility: full
 
-falsecond.rel: delete
-successors.rel: delete
-truecond.rel: delete