Merge branch 'felicitymay-8441-basic-query' of github.com:github/codeql into felicitymay-8441-basic-query

Swift: Add models for NSData and NSMutableData

.github/actions/cache-query-compilation/action.yml

@@ -0,0 +1,61 @@
+name: Cache query compilation
+description: Caches CodeQL compilation caches - should be run both on PRs and pushes to main.
+
+inputs:
+  key:
+    description: 'The cache key to use - should be unique to the workflow'
+    required: true
+
+outputs:
+  cache-dir:
+    description: "The directory where the cache was stored"
+    value: ${{ steps.fill-compilation-dir.outputs.compdir }}
+
+runs:
+  using: composite
+  steps:
+    # Cache the query compilation caches.
+    # calculate the merge-base with main, in a way that works both on PRs and pushes to main. 
+    - name: Calculate merge-base
+      shell: bash
+      if: ${{ github.event_name == 'pull_request' }}
+      env:
+        BASE_BRANCH: ${{ github.base_ref }}
+      run: |
+        MERGE_BASE=$(git cat-file commit $GITHUB_SHA | grep '^parent ' | head -1 | cut -f 2 -d " ")
+        echo "merge_base=$MERGE_BASE" >> $GITHUB_ENV
+    - name: Read CodeQL query compilation - PR
+      if: ${{ github.event_name == 'pull_request' }}
+      uses: erik-krogh/actions-cache@a88d0603fe5fb5606db9f002dfcadeb32b5f84c6
+      with:
+        path: '**/.cache'
+        read-only: true
+        key: codeql-compile-${{ inputs.key }}-pr-${{ github.sha }} # deliberately not using the `compile-compile-main` keys here.
+        restore-keys: |
+          codeql-compile-${{ inputs.key }}-${{ github.base_ref }}-${{ env.merge_base }}
+          codeql-compile-${{ inputs.key }}-${{ github.base_ref }}-
+          codeql-compile-${{ inputs.key }}-main-
+    - name: Fill CodeQL query compilation cache - main
+      if: ${{ github.event_name != 'pull_request' }}
+      uses: erik-krogh/actions-cache@a88d0603fe5fb5606db9f002dfcadeb32b5f84c6
+      with:
+        path: '**/.cache'
+        key: codeql-compile-${{ inputs.key }}-${{ github.ref_name }}-${{ github.sha }} # just fill on main
+        restore-keys: | # restore from another random commit, to speed up compilation.
+          codeql-compile-${{ inputs.key }}-${{ github.ref_name }}- 
+          codeql-compile-${{ inputs.key }}-main-
+    - name: Fill compilation cache directory
+      id: fill-compilation-dir
+      shell: bash 
+      run: |
+        # Move all the existing cache into another folder, so we only preserve the cache for the current queries.
+        mkdir -p ${COMBINED_CACHE_DIR}
+        rm -f **/.cache/{lock,size} # -f to avoid errors if the cache is empty.
+        # copy the contents of the .cache folders into the combined cache folder.
+        cp -r **/.cache/* ${COMBINED_CACHE_DIR}/ || : # ignore missing files
+        # clean up the .cache folders
+        rm -rf **/.cache/*
+
+        echo "compdir=${COMBINED_CACHE_DIR}" >> $GITHUB_OUTPUT
+      env: 
+        COMBINED_CACHE_DIR: ${{ github.workspace }}/compilation-dir

.github/workflows/compile-queries.yml

@@ -14,58 +14,26 @@ jobs:
 
     steps:
       - uses: actions/checkout@v3
-      # calculate the merge-base with main, in a way that works both on PRs and pushes to main. 
-      - name: Calculate merge-base
-        if: ${{ github.event_name == 'pull_request' }}
-        env:
-          BASE_BRANCH: ${{ github.base_ref }}
-        run: |
-          MERGE_BASE=$(git cat-file commit $GITHUB_SHA | grep '^parent ' | head -1 | cut -f 2 -d " ")
-          echo "merge-base=$MERGE_BASE" >> $GITHUB_ENV
-      - name: Read CodeQL query compilation - PR
-        if: ${{ github.event_name == 'pull_request' }}
-        uses: actions/cache@v3
-        with:
-          path: '*/ql/src/.cache'
-          key: codeql-compile-pr-${{ github.sha }} # deliberately not using the `compile-compile-main` keys here.
-          restore-keys: |
-            codeql-compile-${{ github.base_ref }}-${{ env.merge-base }}
-            codeql-compile-${{ github.base_ref }}-
-            codeql-compile-main-
-      - name: Fill CodeQL query compilation cache - main
-        if: ${{ github.event_name != 'pull_request' }}
-        uses: actions/cache@v3
-        with:
-          path: '*/ql/src/.cache'
-          key: codeql-compile-${{ github.ref_name }}-${{ github.sha }} # just fill on main
-          restore-keys: | # restore from another random commit, to speed up compilation.
-            codeql-compile-${{ github.ref_name }}- 
-            codeql-compile-main-
       - name: Setup CodeQL
         uses: ./.github/actions/fetch-codeql
         with:
           channel: 'release'
+      - name: Cache compilation cache
+        id: query-cache
+        uses: ./.github/actions/cache-query-compilation
+        with: 
+          key: all-queries
       - name: check formatting
         run: find */ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 codeql query format --check-only
       - name: compile queries - check-only
         # run with --check-only if running in a PR (github.sha != main)
         if : ${{ github.event_name == 'pull_request' }}
         shell: bash
-        run: codeql query compile -j0 */ql/src --keep-going --warnings=error --check-only
+        run: codeql query compile -j0 */ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
       - name: compile queries - full
         # do full compile if running on main - this populates the cache
         if : ${{ github.event_name != 'pull_request' }}
         shell: bash
-        run: |
-          # Move all the existing cache into another folder, so we only preserve the cache for the current queries.
-          mkdir -p ${COMBINED_CACHE_DIR}
-          rm */ql/src/.cache/{lock,size}
-          # copy the contents of the .cache folders into the combined cache folder.
-          cp -r */ql/src/.cache/* ${COMBINED_CACHE_DIR}/
-          # clean up the .cache folders
-          rm -rf */ql/src/.cache/*
-
-          # compile the queries
-          codeql query compile -j0 */ql/src --keep-going --warnings=error --compilation-cache ${COMBINED_CACHE_DIR}
+        run: codeql query compile -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
         env: 
           COMBINED_CACHE_DIR: ${{ github.workspace }}/compilation-dir

.github/workflows/csharp-qltest.yml

@@ -0,0 +1,86 @@
+name: "C#: Run QL Tests"
+
+on:
+  push:
+    paths:
+      - "csharp/**"
+      - "shared/**"
+      - .github/actions/fetch-codeql/action.yml
+      - codeql-workspace.yml
+    branches:
+      - main
+      - "rc/*"
+  pull_request:
+    paths:
+      - "csharp/**"
+      - "shared/**"
+      - .github/workflows/csharp-qltest.yml
+      - .github/actions/fetch-codeql/action.yml
+      - codeql-workspace.yml
+    branches:
+      - main
+      - "rc/*"
+
+defaults:
+  run:
+    working-directory: csharp
+
+jobs:
+  qlupgrade:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: ./.github/actions/fetch-codeql
+      - name: Check DB upgrade scripts
+        run: |
+          echo >empty.trap
+          codeql dataset import -S ql/lib/upgrades/initial/semmlecode.csharp.dbscheme testdb empty.trap
+          codeql dataset upgrade testdb --additional-packs ql/lib
+          diff -q testdb/semmlecode.csharp.dbscheme ql/lib/semmlecode.csharp.dbscheme
+      - name: Check DB downgrade scripts
+        run: |
+          echo >empty.trap
+          rm -rf testdb; codeql dataset import -S ql/lib/semmlecode.csharp.dbscheme testdb empty.trap
+          codeql resolve upgrades --format=lines --allow-downgrades --additional-packs downgrades \
+           --dbscheme=ql/lib/semmlecode.csharp.dbscheme --target-dbscheme=downgrades/initial/semmlecode.csharp.dbscheme |
+           xargs codeql execute upgrades testdb
+          diff -q testdb/semmlecode.csharp.dbscheme downgrades/initial/semmlecode.csharp.dbscheme
+  qltest:
+    runs-on: ubuntu-latest-xl
+    strategy:
+      fail-fast: false
+      matrix:
+        slice: ["1/2", "2/2"]
+    steps:
+      - uses: actions/checkout@v3
+      - uses: ./.github/actions/fetch-codeql
+      - uses: ./csharp/actions/create-extractor-pack
+      - name: Cache compilation cache
+        id: query-cache
+        uses: ./.github/actions/cache-query-compilation
+        with:
+          key: csharp-qltest-${{ matrix.slice }}
+      - name: Run QL tests
+        run: |
+          CODEQL_PATH=$(gh codeql version --format=json | jq -r .unpackedLocation)
+          # The legacy ASP extractor is not in this repo, so take the one from the nightly build
+          mv "$CODEQL_PATH/csharp/tools/extractor-asp.jar" "${{ github.workspace }}/csharp/extractor-pack/tools"
+          # Safe guard against using the bundled extractor
+          rm -rf "$CODEQL_PATH/csharp"
+          codeql test run --threads=0 --ram 52000 --slice ${{ matrix.slice }} --search-path "${{ github.workspace }}/csharp/extractor-pack" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+  unit-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup dotnet
+        uses: actions/setup-dotnet@v3
+        with:
+          dotnet-version: 6.0.202
+      - name: Extractor unit tests
+        run: |
+          dotnet test -p:RuntimeFrameworkVersion=6.0.4 "${{ github.workspace }}/csharp/extractor/Semmle.Util.Tests"
+          dotnet test -p:RuntimeFrameworkVersion=6.0.4 "${{ github.workspace }}/csharp/extractor/Semmle.Extraction.Tests"
+          dotnet test -p:RuntimeFrameworkVersion=6.0.4 "${{ github.workspace }}/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests"
+          dotnet test -p:RuntimeFrameworkVersion=6.0.4 "${{ github.workspace }}/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests"

.github/workflows/ql-for-ql-tests.yml

@@ -47,8 +47,3 @@ jobs:
           find ql/ql/src "(" -name "*.ql" -or -name "*.qll" ")" -print0 | xargs -0 "${CODEQL}" query format --check-only
         env:
           CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
-      - name: Check QL compilation
-        run: |
-          "${CODEQL}" query compile --check-only --threads=4 --warnings=error --search-path "${{ github.workspace }}/ql/extractor-pack" "ql/ql/src" "ql/ql/examples"
-        env:
-          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}

.github/workflows/ruby-build.yml

@@ -86,19 +86,24 @@ jobs:
             ruby/target/release/ruby-extractor.exe
           retention-days: 1
   compile-queries:
-    runs-on: ubuntu-latest
-    env:
-      CODEQL_THREADS: 4 # TODO: remove this once it's set by the CLI
+    runs-on: ubuntu-latest-xl
     steps:
       - uses: actions/checkout@v3
       - name: Fetch CodeQL
         uses: ./.github/actions/fetch-codeql
+      - name: Cache compilation cache
+        id: query-cache
+        uses: ./.github/actions/cache-query-compilation
+        with: 
+          key: ruby-build
       - name: Build Query Pack
         run: |
+          rm -rf target/packs
           codeql pack create ../shared/ssa --output target/packs
           codeql pack create ../misc/suite-helpers --output target/packs
+          codeql pack create ../shared/regex --output target/packs
           codeql pack create ql/lib --output target/packs
-          codeql pack create ql/src --output target/packs
+          codeql pack create -j0 ql/src --output target/packs --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
           PACK_FOLDER=$(readlink -f target/packs/codeql/ruby-queries/*)
           codeql generate query-help --format=sarifv2.1.0 --output="${PACK_FOLDER}/rules.sarif" ql/src
           (cd ql/src; find queries \( -name '*.qhelp' -o -name '*.rb' -o -name '*.erb' \) -exec bash -c 'mkdir -p "'"${PACK_FOLDER}"'/$(dirname "{}")"' \; -exec cp "{}" "${PACK_FOLDER}/{}" \;)

.github/workflows/ruby-qltest.yml

@@ -4,7 +4,7 @@ on:
   push:
     paths:
       - "ruby/**"
-      - .github/workflows/ruby-qltest.yml
+      - .github/workflows/ruby-build.yml
       - .github/actions/fetch-codeql/action.yml
       - codeql-workspace.yml
     branches:
@@ -28,16 +28,6 @@ defaults:
     working-directory: ruby
 
 jobs:
-  qlcompile:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: ./.github/actions/fetch-codeql
-      - name: Check QL compilation
-        run: |
-          codeql query compile --check-only --threads=0 --ram 5000 --warnings=error "ql/src" "ql/examples"
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
   qlupgrade:
     runs-on: ubuntu-latest
     steps:
@@ -58,17 +48,20 @@ jobs:
            xargs codeql execute upgrades testdb
           diff -q testdb/ruby.dbscheme downgrades/initial/ruby.dbscheme
   qltest:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-xl
     strategy:
       fail-fast: false
-      matrix:
-        slice: ["1/2", "2/2"]
     steps:
       - uses: actions/checkout@v3
       - uses: ./.github/actions/fetch-codeql
       - uses: ./ruby/actions/create-extractor-pack
+      - name: Cache compilation cache
+        id: query-cache
+        uses: ./.github/actions/cache-query-compilation
+        with: 
+          key: ruby-qltest
       - name: Run QL tests
         run: |
-          codeql test run --threads=0 --ram 5000 --slice ${{ matrix.slice }} --search-path "${{ github.workspace }}/ruby/extractor-pack" --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test
+          codeql test run --threads=0 --ram 52000 --search-path "${{ github.workspace }}/ruby/extractor-pack" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
         env:
           GITHUB_TOKEN: ${{ github.token }}

.github/workflows/swift.yml

@@ -39,6 +39,7 @@ jobs:
               - 'swift/ql/lib/codeql/swift/elements/**'
               - 'swift/ql/lib/codeql/swift/generated/**'
               - 'swift/ql/test/extractor-tests/generated/**'
+              - 'swift/ql/.generated.list'
             ql:
               - 'github/workflows/swift.yml'
               - 'swift/**/*.ql'

.gitignore

@@ -27,8 +27,6 @@
 # It's useful (though not required) to be able to unpack codeql in the ql checkout itself
 /codeql/
 
-csharp/extractor/Semmle.Extraction.CSharp.Driver/Properties/launchSettings.json
-
 # Avoid committing cached package components
 .codeql
 

.pre-commit-config.yaml

@@ -44,7 +44,7 @@ repos:
 
       - id: swift-codegen
         name: Run Swift checked in code generation
-        files: ^swift/(schema.py$|codegen/|.*/generated/|ql/lib/(swift\.dbscheme$|codeql/swift/elements))
+        files: ^swift/(schema.py$|codegen/|.*/generated/|ql/lib/(swift\.dbscheme$|codeql/swift/elements)|ql/\.generated.list)
         language: system
         entry: bazel run //swift/codegen -- --quiet
         pass_filenames: false

.vscode/settings.json

@@ -1,3 +1,5 @@
 {
-    "omnisharp.autoStart": false
+  "omnisharp.autoStart": false,
+  "cmake.sourceDirectory": "${workspaceFolder}/swift",
+  "cmake.buildDirectory": "${workspaceFolder}/bazel-cmake-build"
 }

CODEOWNERS

@@ -5,7 +5,7 @@
 /javascript/ @github/codeql-javascript
 /python/ @github/codeql-python
 /ruby/ @github/codeql-ruby
-/swift/ @github/codeql-c
+/swift/ @github/codeql-swift
 /java/kotlin-extractor/ @github/codeql-kotlin
 /java/kotlin-explorer/ @github/codeql-kotlin
 
@@ -45,4 +45,4 @@ WORKSPACE.bazel @github/codeql-ci-reviewers
 /.github/workflows/js-ml-tests.yml @github/codeql-ml-powered-queries-reviewers
 /.github/workflows/ql-for-ql-* @github/codeql-ql-for-ql-reviewers
 /.github/workflows/ruby-* @github/codeql-ruby
-/.github/workflows/swift.yml @github/codeql-c
+/.github/workflows/swift.yml @github/codeql-swift

codeql-workspace.yml

@@ -25,7 +25,7 @@ provide:
   - "misc/suite-helpers/qlpack.yml"
   - "ruby/extractor-pack/codeql-extractor.yml"
   - "swift/extractor-pack/codeql-extractor.yml"
-  - "ql/extractor-pack/codeql-extractor.ym"
+  - "ql/extractor-pack/codeql-extractor.yml"
 
 versionPolicies:
   default:

cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/BuildScripts.cs

@@ -257,11 +257,11 @@ namespace Semmle.Autobuild.Cpp.Tests
             Actions.GetCurrentDirectory = cwd;
             Actions.IsWindows = isWindows;
 
-            var options = new AutobuildOptions(Actions, Language.Cpp);
+            var options = new CppAutobuildOptions(Actions);
             return new CppAutobuilder(Actions, options);
         }
 
-        void TestAutobuilderScript(Autobuilder autobuilder, int expectedOutput, int commandsRun)
+        void TestAutobuilderScript(CppAutobuilder autobuilder, int expectedOutput, int commandsRun)
         {
             Assert.Equal(expectedOutput, autobuilder.GetBuildScript().Run(Actions, StartCallback, EndCallback));
 
@@ -299,7 +299,7 @@ namespace Semmle.Autobuild.Cpp.Tests
         {
             Actions.RunProcess[@"cmd.exe /C nuget restore C:\Project\test.sln -DisableParallelProcessing"] = 1;
             Actions.RunProcess[@"cmd.exe /C C:\Project\.nuget\nuget.exe restore C:\Project\test.sln -DisableParallelProcessing"] = 0;
-            Actions.RunProcess[@"cmd.exe /C CALL ^""C:\Program Files ^(x86^)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat^"" && set Platform=&& type NUL && C:\odasa\tools\odasa index --auto msbuild C:\Project\test.sln /t:rebuild /p:Platform=""x86"" /p:Configuration=""Release"" /p:MvcBuildViews=true"] = 0;
+            Actions.RunProcess[@"cmd.exe /C CALL ^""C:\Program Files ^(x86^)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat^"" && set Platform=&& type NUL && msbuild C:\Project\test.sln /t:rebuild /p:Platform=""x86"" /p:Configuration=""Release"""] = 0;
             Actions.RunProcessOut[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = "";
             Actions.RunProcess[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = 1;
             Actions.RunProcess[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationVersion"] = 0;

cpp/autobuilder/Semmle.Autobuild.Cpp/CppAutobuilder.cs

@@ -2,9 +2,26 @@
 
 namespace Semmle.Autobuild.Cpp
 {
-    public class CppAutobuilder : Autobuilder
+    /// <summary>
+    /// Encapsulates C++ build options.
+    /// </summary>
+    public class CppAutobuildOptions : AutobuildOptionsShared
     {
-        public CppAutobuilder(IBuildActions actions, AutobuildOptions options) : base(actions, options) { }
+        public override Language Language => Language.Cpp;
+
+
+        /// <summary>
+        /// Reads options from environment variables.
+        /// Throws ArgumentOutOfRangeException for invalid arguments.
+        /// </summary>
+        public CppAutobuildOptions(IBuildActions actions) : base(actions)
+        {
+        }
+    }
+
+    public class CppAutobuilder : Autobuilder<CppAutobuildOptions>
+    {
+        public CppAutobuilder(IBuildActions actions, CppAutobuildOptions options) : base(actions, options) { }
 
         public override BuildScript GetBuildScript()
         {

cpp/autobuilder/Semmle.Autobuild.Cpp/Program.cs

@@ -11,14 +11,14 @@ namespace Semmle.Autobuild.Cpp
             try
             {
                 var actions = SystemBuildActions.Instance;
-                var options = new AutobuildOptions(actions, Language.Cpp);
+                var options = new CppAutobuildOptions(actions);
                 try
                 {
                     Console.WriteLine("CodeQL C++ autobuilder");
                     var builder = new CppAutobuilder(actions, options);
                     return builder.AttemptBuild();
                 }
-                catch(InvalidEnvironmentException ex)
+                catch (InvalidEnvironmentException ex)
                 {
                     Console.WriteLine("The environment is invalid: {0}", ex.Message);
                 }

cpp/ql/lib/change-notes/2022-11-14-deprecate-ast-gvn.md

@@ -0,0 +1,6 @@
+---
+category: deprecated
+---
+
+
+* Deprecated `semmle.code.cpp.valuenumbering.GlobalValueNumberingImpl`. Use `semmle.code.cpp.valuenumbering.GlobalValueNumbering`, which exposes the same API.

cpp/ql/lib/change-notes/2022-11-16-must-flow.md

@@ -0,0 +1,4 @@
+---
+category: breaking
+---
+The predicates in the `MustFlow::Configuration` class used by the `MustFlow` library (`semmle.code.cpp.ir.dataflow.MustFlow`) have changed to be defined directly in terms of the C++ IR instead of IR dataflow nodes.

cpp/ql/lib/change-notes/2022-11-17-deleted-deps.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Deleted the deprecated `getName` and `getShortName` predicates from the `Folder` class.

cpp/ql/lib/semmle/code/cpp/File.qll

@@ -189,18 +189,6 @@ class Folder extends Container, @folder {
    * Gets the URL of this folder.
    */
   deprecated override string getURL() { result = "file://" + this.getAbsolutePath() + ":0:0:0:0" }
-
-  /**
-   * DEPRECATED: use `getAbsolutePath` instead.
-   * Gets the name of this folder.
-   */
-  deprecated string getName() { folders(underlyingElement(this), result) }
-
-  /**
-   * DEPRECATED: use `getBaseName` instead.
-   * Gets the last part of the folder name.
-   */
-  deprecated string getShortName() { result = this.getBaseName() }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/MustFlow.qll

@@ -5,7 +5,6 @@
  */
 
 private import cpp
-import semmle.code.cpp.ir.dataflow.DataFlow
 private import semmle.code.cpp.ir.IR
 
 /**
@@ -25,18 +24,18 @@ abstract class MustFlowConfiguration extends string {
   /**
    * Holds if `source` is a relevant data flow source.
    */
-  abstract predicate isSource(DataFlow::Node source);
+  abstract predicate isSource(Instruction source);
 
   /**
    * Holds if `sink` is a relevant data flow sink.
    */
-  abstract predicate isSink(DataFlow::Node sink);
+  abstract predicate isSink(Operand sink);
 
   /**
    * Holds if the additional flow step from `node1` to `node2` must be taken
    * into account in the analysis.
    */
-  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
+  predicate isAdditionalFlowStep(Operand node1, Instruction node2) { none() }
 
   /** Holds if this configuration allows flow from arguments to parameters. */
   predicate allowInterproceduralFlow() { any() }
@@ -48,17 +47,17 @@ abstract class MustFlowConfiguration extends string {
    * included in the module `PathGraph`.
    */
   final predicate hasFlowPath(MustFlowPathNode source, MustFlowPathSink sink) {
-    this.isSource(source.getNode()) and
+    this.isSource(source.getInstruction()) and
     source.getASuccessor+() = sink
   }
 }
 
 /** Holds if `node` flows from a source. */
 pragma[nomagic]
-private predicate flowsFromSource(DataFlow::Node node, MustFlowConfiguration config) {
+private predicate flowsFromSource(Instruction node, MustFlowConfiguration config) {
   config.isSource(node)
   or
-  exists(DataFlow::Node mid |
+  exists(Instruction mid |
     step(mid, node, config) and
     flowsFromSource(mid, pragma[only_bind_into](config))
   )
@@ -66,12 +65,12 @@ private predicate flowsFromSource(DataFlow::Node node, MustFlowConfiguration con
 
 /** Holds if `node` flows to a sink. */
 pragma[nomagic]
-private predicate flowsToSink(DataFlow::Node node, MustFlowConfiguration config) {
+private predicate flowsToSink(Instruction node, MustFlowConfiguration config) {
   flowsFromSource(node, pragma[only_bind_into](config)) and
   (
-    config.isSink(node)
+    config.isSink(node.getAUse())
     or
-    exists(DataFlow::Node mid |
+    exists(Instruction mid |
       step(node, mid, config) and
       flowsToSink(mid, pragma[only_bind_into](config))
     )
@@ -198,12 +197,13 @@ private module Cached {
   }
 
   cached
-  predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    instructionToOperandStep(nodeFrom.asInstruction(), nodeTo.asOperand())
+  predicate step(Instruction nodeFrom, Instruction nodeTo) {
+    exists(Operand mid |
+      instructionToOperandStep(nodeFrom, mid) and
+      operandToInstructionStep(mid, nodeTo)
+    )
     or
-    flowThroughCallable(nodeFrom.asInstruction(), nodeTo.asInstruction())
-    or
-    operandToInstructionStep(nodeFrom.asOperand(), nodeTo.asInstruction())
+    flowThroughCallable(nodeFrom, nodeTo)
   }
 }
 
@@ -213,12 +213,12 @@ private module Cached {
  * way around.
  */
 pragma[inline]
-private Declaration getEnclosingCallable(DataFlow::Node n) {
-  pragma[only_bind_into](result) = pragma[only_bind_out](n).getEnclosingCallable()
+private IRFunction getEnclosingCallable(Instruction n) {
+  pragma[only_bind_into](result) = pragma[only_bind_out](n).getEnclosingIRFunction()
 }
 
 /** Holds if `nodeFrom` flows to `nodeTo`. */
-private predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo, MustFlowConfiguration config) {
+private predicate step(Instruction nodeFrom, Instruction nodeTo, MustFlowConfiguration config) {
   exists(config) and
   Cached::step(pragma[only_bind_into](nodeFrom), pragma[only_bind_into](nodeTo)) and
   (
@@ -227,37 +227,37 @@ private predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo, MustFlowC
     getEnclosingCallable(nodeFrom) = getEnclosingCallable(nodeTo)
   )
   or
-  config.isAdditionalFlowStep(nodeFrom, nodeTo)
+  config.isAdditionalFlowStep(nodeFrom.getAUse(), nodeTo)
 }
 
 private newtype TLocalPathNode =
-  MkLocalPathNode(DataFlow::Node n, MustFlowConfiguration config) {
+  MkLocalPathNode(Instruction n, MustFlowConfiguration config) {
     flowsToSink(n, config) and
     (
       config.isSource(n)
       or
-      exists(MustFlowPathNode mid | step(mid.getNode(), n, config))
+      exists(MustFlowPathNode mid | step(mid.getInstruction(), n, config))
     )
   }
 
 /** A `Node` that is in a path from a source to a sink. */
 class MustFlowPathNode extends TLocalPathNode {
-  DataFlow::Node n;
+  Instruction n;
 
   MustFlowPathNode() { this = MkLocalPathNode(n, _) }
 
   /** Gets the underlying node. */
-  DataFlow::Node getNode() { result = n }
+  Instruction getInstruction() { result = n }
 
   /** Gets a textual representation of this node. */
-  string toString() { result = n.toString() }
+  string toString() { result = n.getAst().toString() }
 
   /** Gets the location of this element. */
   Location getLocation() { result = n.getLocation() }
 
   /** Gets a successor node, if any. */
   MustFlowPathNode getASuccessor() {
-    step(this.getNode(), result.getNode(), this.getConfiguration())
+    step(this.getInstruction(), result.getInstruction(), this.getConfiguration())
   }
 
   /** Gets the associated configuration. */
@@ -265,7 +265,7 @@ class MustFlowPathNode extends TLocalPathNode {
 }
 
 private class MustFlowPathSink extends MustFlowPathNode {
-  MustFlowPathSink() { this.getConfiguration().isSink(this.getNode()) }
+  MustFlowPathSink() { this.getConfiguration().isSink(this.getInstruction().getAUse()) }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/security/TaintTracking.qll

@@ -1,4 +1,4 @@
-/*
+/**
  * Support for tracking tainted data through the program. This is an alias for
  * `semmle.code.cpp.ir.dataflow.DefaultTaintTracking` provided for backwards
  * compatibility.

cpp/ql/lib/semmle/code/cpp/valuenumbering/GlobalValueNumberingImpl.qll

@@ -1,4 +1,8 @@
 /**
+ * DEPRECATED: This library has been replaced with a newer version which
+ * provides better performance and precision. Use
+ * `semmle.code.cpp.valuenumbering.GlobalValueNumbering` instead.
+ *
  * Provides an implementation of Global Value Numbering.
  * See https://en.wikipedia.org/wiki/Global_value_numbering
  *
@@ -221,7 +225,7 @@ private newtype GvnBase =
  * expression with this `GVN` and using its `toString` and `getLocation`
  * methods.
  */
-class GVN extends GvnBase {
+deprecated class GVN extends GvnBase {
   GVN() { this instanceof GvnBase }
 
   /** Gets an expression that has this GVN. */
@@ -503,7 +507,7 @@ private predicate mk_Deref(GVN p, ControlFlowNode dominator, PointerDereferenceE
 
 /** Gets the global value number of expression `e`. */
 cached
-GVN globalValueNumber(Expr e) {
+deprecated GVN globalValueNumber(Expr e) {
   exists(int val, Type t |
     mk_IntConst(val, t, e) and
     result = GVN_IntConst(val, t)

cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql

@@ -26,11 +26,11 @@ predicate intentionallyReturnsStackPointer(Function f) {
 class ReturnStackAllocatedMemoryConfig extends MustFlowConfiguration {
   ReturnStackAllocatedMemoryConfig() { this = "ReturnStackAllocatedMemoryConfig" }
 
-  override predicate isSource(DataFlow::Node source) {
+  override predicate isSource(Instruction source) {
     // Holds if `source` is a node that represents the use of a stack variable
     exists(VariableAddressInstruction var, Function func |
-      var = source.asInstruction() and
-      func = var.getEnclosingFunction() and
+      var = source and
+      func = source.getEnclosingFunction() and
       var.getAstVariable() instanceof StackVariable and
       // Pointer-to-member types aren't properly handled in the dbscheme.
       not var.getResultType() instanceof PointerToMemberType and
@@ -40,7 +40,7 @@ class ReturnStackAllocatedMemoryConfig extends MustFlowConfiguration {
     )
   }
 
-  override predicate isSink(DataFlow::Node sink) {
+  override predicate isSink(Operand sink) {
     // Holds if `sink` is a node that represents the `StoreInstruction` that is subsequently used in
     // a `ReturnValueInstruction`.
     // We use the `StoreInstruction` instead of the instruction that defines the
@@ -48,7 +48,7 @@ class ReturnStackAllocatedMemoryConfig extends MustFlowConfiguration {
     exists(StoreInstruction store |
       store.getDestinationAddress().(VariableAddressInstruction).getIRVariable() instanceof
         IRReturnVariable and
-      sink.asOperand() = store.getSourceValueOperand()
+      sink = store.getSourceValueOperand()
     )
   }
 
@@ -77,10 +77,10 @@ class ReturnStackAllocatedMemoryConfig extends MustFlowConfiguration {
    * }
    * ```
    */
-  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    node2.asInstruction().(FieldAddressInstruction).getObjectAddressOperand() = node1.asOperand()
+  override predicate isAdditionalFlowStep(Operand node1, Instruction node2) {
+    node2.(FieldAddressInstruction).getObjectAddressOperand() = node1
     or
-    node2.asInstruction().(PointerOffsetInstruction).getLeftOperand() = node1.asOperand()
+    node2.(PointerOffsetInstruction).getLeftOperand() = node1
   }
 }
 
@@ -89,6 +89,6 @@ from
   ReturnStackAllocatedMemoryConfig conf
 where
   conf.hasFlowPath(pragma[only_bind_into](source), pragma[only_bind_into](sink)) and
-  source.getNode().asInstruction() = var
-select sink.getNode(), source, sink, "May return stack-allocated memory from $@.", var.getAst(),
-  var.getAst().toString()
+  source.getInstruction() = var
+select sink.getInstruction(), source, sink, "May return stack-allocated memory from $@.",
+  var.getAst(), var.getAst().toString()

cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql

@@ -22,37 +22,40 @@ import PathGraph
 class UnsafeUseOfThisConfig extends MustFlowConfiguration {
   UnsafeUseOfThisConfig() { this = "UnsafeUseOfThisConfig" }
 
-  override predicate isSource(DataFlow::Node source) { isSource(source, _, _) }
+  override predicate isSource(Instruction source) { isSource(source, _, _) }
 
-  override predicate isSink(DataFlow::Node sink) { isSink(sink, _) }
+  override predicate isSink(Operand sink) { isSink(sink, _) }
 }
 
-/** Holds if `instr` is a `this` pointer used by the call instruction `call`. */
-predicate isSink(DataFlow::Node sink, CallInstruction call) {
+/** Holds if `sink` is a `this` pointer used by the call instruction `call`. */
+predicate isSink(Operand sink, CallInstruction call) {
   exists(PureVirtualFunction func |
     call.getStaticCallTarget() = func and
-    call.getThisArgument() = sink.asInstruction() and
+    call.getThisArgumentOperand() = sink and
     // Weed out implicit calls to destructors of a base class
     not func instanceof Destructor
   )
 }
 
-/** Holds if `init` initializes the `this` pointer in class `c`. */
-predicate isSource(DataFlow::Node source, string msg, Class c) {
-  exists(InitializeParameterInstruction init | init = source.asInstruction() |
-    (
-      exists(Constructor func |
-        not func instanceof CopyConstructor and
-        not func instanceof MoveConstructor and
-        func = init.getEnclosingFunction() and
-        msg = "construction"
-      )
-      or
-      init.getEnclosingFunction() instanceof Destructor and msg = "destruction"
-    ) and
-    init.getIRVariable() instanceof IRThisVariable and
-    init.getEnclosingFunction().getDeclaringType() = c
-  )
+/**
+ * Holds if `source` initializes the `this` pointer in class `c`.
+ *
+ * The string `msg` describes whether the enclosing function is a
+ * constructor or destructor.
+ */
+predicate isSource(InitializeParameterInstruction source, string msg, Class c) {
+  (
+    exists(Constructor func |
+      not func instanceof CopyConstructor and
+      not func instanceof MoveConstructor and
+      func = source.getEnclosingFunction() and
+      msg = "construction"
+    )
+    or
+    source.getEnclosingFunction() instanceof Destructor and msg = "destruction"
+  ) and
+  source.getIRVariable() instanceof IRThisVariable and
+  source.getEnclosingFunction().getDeclaringType() = c
 }
 
 /**
@@ -68,8 +71,8 @@ predicate flows(
 ) {
   exists(UnsafeUseOfThisConfig conf |
     conf.hasFlowPath(source, sink) and
-    isSource(source.getNode(), msg, sourceClass) and
-    isSink(sink.getNode(), call)
+    isSource(source.getInstruction(), msg, sourceClass) and
+    isSink(sink.getInstruction().getAUse(), call)
   )
 }
 

cpp/ql/src/jsf/4.09 Style/Naming.qll

@@ -1,4 +1,4 @@
-/*
+/**
  * Common functions for implementing naming conventions
  *
  * Naming rules are the following:

cpp/ql/test/library-tests/valuenumbering/GlobalValueNumbering/ast_gvn.expected

@@ -1,3 +1,4 @@
+WARNING: Type GVN has been deprecated and may be removed in future (ast_gvn.ql:4,6-9)
 | test.cpp:5:3:5:3 | x | 5:c3-c3 6:c3-c3 |
 | test.cpp:5:7:5:8 | p0 | 5:c7-c8 6:c7-c8 |
 | test.cpp:5:7:5:13 | ... + ... | 5:c7-c13 6:c7-c13 7:c7-c7 |

cpp/ql/test/library-tests/valuenumbering/GlobalValueNumbering/ast_uniqueness.expected

@@ -0,0 +1,3 @@
+WARNING: Predicate globalValueNumber has been deprecated and may be removed in future (ast_uniqueness.ql:7,13-30)
+WARNING: Predicate globalValueNumber has been deprecated and may be removed in future (ast_uniqueness.ql:8,30-47)
+WARNING: Type GVN has been deprecated and may be removed in future (ast_uniqueness.ql:8,18-21)

cpp/ql/test/library-tests/valuenumbering/GlobalValueNumbering/diff_ir_expr.expected

@@ -1,3 +1,4 @@
+WARNING: Predicate globalValueNumber has been deprecated and may be removed in future (diff_ir_expr.ql:8,29-51)
 | test.cpp:5:3:5:13 | ... = ... | test.cpp:5:3:5:13 | ... = ... | AST only |
 | test.cpp:6:3:6:13 | ... = ... | test.cpp:6:3:6:13 | ... = ... | AST only |
 | test.cpp:7:3:7:7 | ... = ... | test.cpp:7:3:7:7 | ... = ... | AST only |

cpp/ql/test/query-tests/Critical/UnsafeUseOfThis/UnsafeUseOfThis.expected

@@ -1,103 +1,61 @@
 edges
-| test.cpp:7:3:7:3 | this | test.cpp:8:12:8:15 | Load |
-| test.cpp:8:12:8:15 | Load | test.cpp:8:12:8:15 | this |
+| test.cpp:7:3:7:3 | B | test.cpp:8:12:8:15 | this |
 | test.cpp:8:12:8:15 | this | test.cpp:34:16:34:16 | x |
-| test.cpp:11:8:11:8 | b | test.cpp:12:5:12:5 | Load |
-| test.cpp:12:5:12:5 | (reference dereference) | test.cpp:12:5:12:5 | Unary |
-| test.cpp:12:5:12:5 | Load | test.cpp:12:5:12:5 | b |
-| test.cpp:12:5:12:5 | Unary | test.cpp:12:5:12:5 | (A)... |
-| test.cpp:12:5:12:5 | Unary | test.cpp:12:5:12:5 | (reference dereference) |
-| test.cpp:12:5:12:5 | b | test.cpp:12:5:12:5 | Unary |
-| test.cpp:15:3:15:4 | this | test.cpp:16:5:16:5 | Load |
-| test.cpp:16:5:16:5 | Load | test.cpp:16:5:16:5 | this |
-| test.cpp:16:5:16:5 | Unary | file://:0:0:0:0 | (A *)... |
-| test.cpp:16:5:16:5 | this | test.cpp:16:5:16:5 | Unary |
-| test.cpp:21:3:21:3 | Unary | test.cpp:21:13:21:13 | ConvertToNonVirtualBase |
-| test.cpp:21:3:21:3 | this | test.cpp:21:3:21:3 | Unary |
-| test.cpp:21:3:21:3 | this | test.cpp:22:12:22:15 | Load |
-| test.cpp:21:3:21:3 | this | test.cpp:25:7:25:10 | Load |
-| test.cpp:21:13:21:13 | ConvertToNonVirtualBase | test.cpp:7:3:7:3 | this |
+| test.cpp:11:8:11:8 | b | test.cpp:12:5:12:5 | b |
+| test.cpp:12:5:12:5 | (reference dereference) | test.cpp:12:5:12:5 | (A)... |
+| test.cpp:12:5:12:5 | b | test.cpp:12:5:12:5 | (reference dereference) |
+| test.cpp:15:3:15:4 | ~B | test.cpp:16:5:16:5 | this |
+| test.cpp:16:5:16:5 | this | file://:0:0:0:0 | (A *)... |
+| test.cpp:21:3:21:3 | C | test.cpp:21:13:21:13 | call to B |
+| test.cpp:21:3:21:3 | C | test.cpp:22:12:22:15 | this |
+| test.cpp:21:3:21:3 | C | test.cpp:25:7:25:10 | this |
+| test.cpp:21:13:21:13 | call to B | test.cpp:7:3:7:3 | B |
 | test.cpp:22:12:22:15 | (B *)... | test.cpp:34:16:34:16 | x |
-| test.cpp:22:12:22:15 | Load | test.cpp:22:12:22:15 | this |
-| test.cpp:22:12:22:15 | Unary | test.cpp:22:12:22:15 | (B *)... |
-| test.cpp:22:12:22:15 | this | test.cpp:22:12:22:15 | Unary |
-| test.cpp:25:7:25:10 | (B *)... | test.cpp:25:7:25:10 | Unary |
-| test.cpp:25:7:25:10 | Load | test.cpp:25:7:25:10 | this |
-| test.cpp:25:7:25:10 | Unary | test.cpp:25:7:25:10 | (A *)... |
-| test.cpp:25:7:25:10 | Unary | test.cpp:25:7:25:10 | (B *)... |
-| test.cpp:25:7:25:10 | this | test.cpp:25:7:25:10 | Unary |
-| test.cpp:31:3:31:3 | this | test.cpp:31:12:31:15 | Load |
-| test.cpp:31:11:31:15 | (B)... | test.cpp:31:11:31:15 | Unary |
+| test.cpp:22:12:22:15 | this | test.cpp:22:12:22:15 | (B *)... |
+| test.cpp:25:7:25:10 | (B *)... | test.cpp:25:7:25:10 | (A *)... |
+| test.cpp:25:7:25:10 | this | test.cpp:25:7:25:10 | (B *)... |
+| test.cpp:31:3:31:3 | D | test.cpp:31:12:31:15 | this |
+| test.cpp:31:11:31:15 | (B)... | test.cpp:31:11:31:15 | (reference to) |
 | test.cpp:31:11:31:15 | (reference to) | test.cpp:11:8:11:8 | b |
-| test.cpp:31:11:31:15 | * ... | test.cpp:31:11:31:15 | Unary |
-| test.cpp:31:11:31:15 | Unary | test.cpp:31:11:31:15 | (B)... |
-| test.cpp:31:11:31:15 | Unary | test.cpp:31:11:31:15 | (reference to) |
-| test.cpp:31:12:31:15 | Load | test.cpp:31:12:31:15 | this |
-| test.cpp:31:12:31:15 | Unary | test.cpp:31:11:31:15 | * ... |
-| test.cpp:31:12:31:15 | this | test.cpp:31:12:31:15 | Unary |
-| test.cpp:34:16:34:16 | x | test.cpp:35:3:35:3 | Load |
-| test.cpp:35:3:35:3 | Load | test.cpp:35:3:35:3 | x |
-| test.cpp:35:3:35:3 | Unary | test.cpp:35:3:35:3 | (A *)... |
-| test.cpp:35:3:35:3 | x | test.cpp:35:3:35:3 | Unary |
-| test.cpp:47:3:47:3 | this | test.cpp:48:10:48:13 | Load |
-| test.cpp:48:10:48:13 | (E *)... | test.cpp:48:10:48:13 | Unary |
-| test.cpp:48:10:48:13 | Load | test.cpp:48:10:48:13 | this |
-| test.cpp:48:10:48:13 | Unary | test.cpp:48:6:48:13 | (A *)... |
-| test.cpp:48:10:48:13 | Unary | test.cpp:48:10:48:13 | (E *)... |
-| test.cpp:48:10:48:13 | this | test.cpp:48:10:48:13 | Unary |
+| test.cpp:31:11:31:15 | * ... | test.cpp:31:11:31:15 | (B)... |
+| test.cpp:31:12:31:15 | this | test.cpp:31:11:31:15 | * ... |
+| test.cpp:34:16:34:16 | x | test.cpp:35:3:35:3 | x |
+| test.cpp:35:3:35:3 | x | test.cpp:35:3:35:3 | (A *)... |
+| test.cpp:47:3:47:3 | F | test.cpp:48:10:48:13 | this |
+| test.cpp:48:10:48:13 | (E *)... | test.cpp:48:6:48:13 | (A *)... |
+| test.cpp:48:10:48:13 | this | test.cpp:48:10:48:13 | (E *)... |
 nodes
 | file://:0:0:0:0 | (A *)... | semmle.label | (A *)... |
-| test.cpp:7:3:7:3 | this | semmle.label | this |
-| test.cpp:8:12:8:15 | Load | semmle.label | Load |
+| test.cpp:7:3:7:3 | B | semmle.label | B |
 | test.cpp:8:12:8:15 | this | semmle.label | this |
 | test.cpp:11:8:11:8 | b | semmle.label | b |
 | test.cpp:12:5:12:5 | (A)... | semmle.label | (A)... |
 | test.cpp:12:5:12:5 | (reference dereference) | semmle.label | (reference dereference) |
-| test.cpp:12:5:12:5 | Load | semmle.label | Load |
-| test.cpp:12:5:12:5 | Unary | semmle.label | Unary |
-| test.cpp:12:5:12:5 | Unary | semmle.label | Unary |
 | test.cpp:12:5:12:5 | b | semmle.label | b |
-| test.cpp:15:3:15:4 | this | semmle.label | this |
-| test.cpp:16:5:16:5 | Load | semmle.label | Load |
-| test.cpp:16:5:16:5 | Unary | semmle.label | Unary |
+| test.cpp:15:3:15:4 | ~B | semmle.label | ~B |
 | test.cpp:16:5:16:5 | this | semmle.label | this |
-| test.cpp:21:3:21:3 | Unary | semmle.label | Unary |
-| test.cpp:21:3:21:3 | this | semmle.label | this |
-| test.cpp:21:13:21:13 | ConvertToNonVirtualBase | semmle.label | ConvertToNonVirtualBase |
+| test.cpp:21:3:21:3 | C | semmle.label | C |
+| test.cpp:21:13:21:13 | call to B | semmle.label | call to B |
 | test.cpp:22:12:22:15 | (B *)... | semmle.label | (B *)... |
-| test.cpp:22:12:22:15 | Load | semmle.label | Load |
-| test.cpp:22:12:22:15 | Unary | semmle.label | Unary |
 | test.cpp:22:12:22:15 | this | semmle.label | this |
 | test.cpp:25:7:25:10 | (A *)... | semmle.label | (A *)... |
 | test.cpp:25:7:25:10 | (B *)... | semmle.label | (B *)... |
-| test.cpp:25:7:25:10 | Load | semmle.label | Load |
-| test.cpp:25:7:25:10 | Unary | semmle.label | Unary |
-| test.cpp:25:7:25:10 | Unary | semmle.label | Unary |
 | test.cpp:25:7:25:10 | this | semmle.label | this |
-| test.cpp:31:3:31:3 | this | semmle.label | this |
+| test.cpp:31:3:31:3 | D | semmle.label | D |
 | test.cpp:31:11:31:15 | (B)... | semmle.label | (B)... |
 | test.cpp:31:11:31:15 | (reference to) | semmle.label | (reference to) |
 | test.cpp:31:11:31:15 | * ... | semmle.label | * ... |
-| test.cpp:31:11:31:15 | Unary | semmle.label | Unary |
-| test.cpp:31:11:31:15 | Unary | semmle.label | Unary |
-| test.cpp:31:12:31:15 | Load | semmle.label | Load |
-| test.cpp:31:12:31:15 | Unary | semmle.label | Unary |
 | test.cpp:31:12:31:15 | this | semmle.label | this |
 | test.cpp:34:16:34:16 | x | semmle.label | x |
 | test.cpp:35:3:35:3 | (A *)... | semmle.label | (A *)... |
-| test.cpp:35:3:35:3 | Load | semmle.label | Load |
-| test.cpp:35:3:35:3 | Unary | semmle.label | Unary |
 | test.cpp:35:3:35:3 | x | semmle.label | x |
-| test.cpp:47:3:47:3 | this | semmle.label | this |
+| test.cpp:47:3:47:3 | F | semmle.label | F |
 | test.cpp:48:6:48:13 | (A *)... | semmle.label | (A *)... |
 | test.cpp:48:10:48:13 | (E *)... | semmle.label | (E *)... |
-| test.cpp:48:10:48:13 | Load | semmle.label | Load |
-| test.cpp:48:10:48:13 | Unary | semmle.label | Unary |
-| test.cpp:48:10:48:13 | Unary | semmle.label | Unary |
 | test.cpp:48:10:48:13 | this | semmle.label | this |
 #select
-| test.cpp:12:7:12:7 | call to f | test.cpp:31:3:31:3 | this | test.cpp:12:5:12:5 | (A)... | Call to pure virtual function during construction. |
-| test.cpp:16:5:16:5 | call to f | test.cpp:15:3:15:4 | this | file://:0:0:0:0 | (A *)... | Call to pure virtual function during destruction. |
-| test.cpp:25:13:25:13 | call to f | test.cpp:21:3:21:3 | this | test.cpp:25:7:25:10 | (A *)... | Call to pure virtual function during construction. |
-| test.cpp:35:6:35:6 | call to f | test.cpp:7:3:7:3 | this | test.cpp:35:3:35:3 | (A *)... | Call to pure virtual function during construction. |
-| test.cpp:35:6:35:6 | call to f | test.cpp:21:3:21:3 | this | test.cpp:35:3:35:3 | (A *)... | Call to pure virtual function during construction. |
+| test.cpp:12:7:12:7 | call to f | test.cpp:31:3:31:3 | D | test.cpp:12:5:12:5 | (A)... | Call to pure virtual function during construction. |
+| test.cpp:16:5:16:5 | call to f | test.cpp:15:3:15:4 | ~B | file://:0:0:0:0 | (A *)... | Call to pure virtual function during destruction. |
+| test.cpp:25:13:25:13 | call to f | test.cpp:21:3:21:3 | C | test.cpp:25:7:25:10 | (A *)... | Call to pure virtual function during construction. |
+| test.cpp:35:6:35:6 | call to f | test.cpp:7:3:7:3 | B | test.cpp:35:3:35:3 | (A *)... | Call to pure virtual function during construction. |
+| test.cpp:35:6:35:6 | call to f | test.cpp:21:3:21:3 | C | test.cpp:35:3:35:3 | (A *)... | Call to pure virtual function during construction. |

cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected

@@ -1,231 +1,117 @@
 edges
-| test.cpp:17:9:17:11 | & ... | test.cpp:17:9:17:11 | StoreValue |
-| test.cpp:17:10:17:11 | Unary | test.cpp:17:9:17:11 | & ... |
-| test.cpp:17:10:17:11 | mc | test.cpp:17:10:17:11 | Unary |
-| test.cpp:23:17:23:19 | & ... | test.cpp:23:17:23:19 | StoreValue |
-| test.cpp:23:17:23:19 | Store | test.cpp:25:9:25:11 | Load |
-| test.cpp:23:17:23:19 | StoreValue | test.cpp:23:17:23:19 | Store |
-| test.cpp:23:18:23:19 | Unary | test.cpp:23:17:23:19 | & ... |
-| test.cpp:23:18:23:19 | mc | test.cpp:23:18:23:19 | Unary |
-| test.cpp:25:9:25:11 | Load | test.cpp:25:9:25:11 | ptr |
-| test.cpp:25:9:25:11 | ptr | test.cpp:25:9:25:11 | StoreValue |
-| test.cpp:39:17:39:18 | (reference to) | test.cpp:39:17:39:18 | StoreValue |
-| test.cpp:39:17:39:18 | Store | test.cpp:41:10:41:12 | Load |
-| test.cpp:39:17:39:18 | StoreValue | test.cpp:39:17:39:18 | Store |
-| test.cpp:39:17:39:18 | Unary | test.cpp:39:17:39:18 | (reference to) |
-| test.cpp:39:17:39:18 | mc | test.cpp:39:17:39:18 | Unary |
-| test.cpp:41:9:41:12 | & ... | test.cpp:41:9:41:12 | StoreValue |
-| test.cpp:41:10:41:12 | (reference dereference) | test.cpp:41:10:41:12 | Unary |
-| test.cpp:41:10:41:12 | Load | test.cpp:41:10:41:12 | ref |
-| test.cpp:41:10:41:12 | Unary | test.cpp:41:9:41:12 | & ... |
-| test.cpp:41:10:41:12 | Unary | test.cpp:41:10:41:12 | (reference dereference) |
-| test.cpp:41:10:41:12 | ref | test.cpp:41:10:41:12 | Unary |
-| test.cpp:47:9:47:10 | (reference to) | test.cpp:47:9:47:10 | StoreValue |
-| test.cpp:47:9:47:10 | Unary | test.cpp:47:9:47:10 | (reference to) |
-| test.cpp:47:9:47:10 | mc | test.cpp:47:9:47:10 | Unary |
-| test.cpp:54:9:54:15 | & ... | test.cpp:54:9:54:15 | StoreValue |
-| test.cpp:54:11:54:12 | Unary | test.cpp:54:14:54:14 | a |
-| test.cpp:54:11:54:12 | mc | test.cpp:54:11:54:12 | Unary |
-| test.cpp:54:14:54:14 | Unary | test.cpp:54:9:54:15 | & ... |
-| test.cpp:54:14:54:14 | a | test.cpp:54:14:54:14 | Unary |
-| test.cpp:89:3:89:11 | Store | test.cpp:92:9:92:11 | Load |
-| test.cpp:89:9:89:11 | & ... | test.cpp:89:9:89:11 | StoreValue |
-| test.cpp:89:9:89:11 | StoreValue | test.cpp:89:3:89:11 | Store |
-| test.cpp:89:10:89:11 | Unary | test.cpp:89:9:89:11 | & ... |
-| test.cpp:89:10:89:11 | mc | test.cpp:89:10:89:11 | Unary |
-| test.cpp:92:9:92:11 | Load | test.cpp:92:9:92:11 | ptr |
-| test.cpp:92:9:92:11 | ptr | test.cpp:92:9:92:11 | StoreValue |
-| test.cpp:112:9:112:11 | Unary | test.cpp:112:9:112:11 | array to pointer conversion |
-| test.cpp:112:9:112:11 | arr | test.cpp:112:9:112:11 | Unary |
-| test.cpp:112:9:112:11 | array to pointer conversion | test.cpp:112:9:112:11 | StoreValue |
-| test.cpp:119:9:119:18 | & ... | test.cpp:119:9:119:18 | StoreValue |
-| test.cpp:119:11:119:13 | Left | test.cpp:119:11:119:17 | access to array |
-| test.cpp:119:11:119:13 | Unary | test.cpp:119:11:119:13 | array to pointer conversion |
-| test.cpp:119:11:119:13 | arr | test.cpp:119:11:119:13 | Unary |
-| test.cpp:119:11:119:13 | array to pointer conversion | test.cpp:119:11:119:13 | Left |
-| test.cpp:119:11:119:17 | Unary | test.cpp:119:9:119:18 | & ... |
-| test.cpp:119:11:119:17 | access to array | test.cpp:119:11:119:17 | Unary |
-| test.cpp:134:2:134:14 | Store | test.cpp:135:2:135:4 | Load |
-| test.cpp:134:8:134:10 | Left | test.cpp:134:8:134:14 | ... + ... |
-| test.cpp:134:8:134:10 | Unary | test.cpp:134:8:134:10 | array to pointer conversion |
-| test.cpp:134:8:134:10 | arr | test.cpp:134:8:134:10 | Unary |
-| test.cpp:134:8:134:10 | array to pointer conversion | test.cpp:134:8:134:10 | Left |
-| test.cpp:134:8:134:14 | ... + ... | test.cpp:134:8:134:14 | StoreValue |
-| test.cpp:134:8:134:14 | StoreValue | test.cpp:134:2:134:14 | Store |
-| test.cpp:135:2:135:4 | Left | test.cpp:135:2:135:6 | PointerAdd |
-| test.cpp:135:2:135:4 | Load | test.cpp:135:2:135:4 | ptr |
-| test.cpp:135:2:135:4 | ptr | test.cpp:135:2:135:4 | Left |
-| test.cpp:135:2:135:6 | PointerAdd | test.cpp:135:2:135:6 | StoreValue |
-| test.cpp:135:2:135:6 | Store | test.cpp:137:9:137:11 | Load |
-| test.cpp:135:2:135:6 | StoreValue | test.cpp:135:2:135:6 | Store |
-| test.cpp:137:9:137:11 | Load | test.cpp:137:9:137:11 | ptr |
-| test.cpp:137:9:137:11 | ptr | test.cpp:137:9:137:11 | StoreValue |
-| test.cpp:170:26:170:41 | (void *)... | test.cpp:170:26:170:41 | StoreValue |
-| test.cpp:170:26:170:41 | Store | test.cpp:171:10:171:23 | Load |
-| test.cpp:170:26:170:41 | StoreValue | test.cpp:170:26:170:41 | Store |
-| test.cpp:170:34:170:41 | & ... | test.cpp:170:34:170:41 | Unary |
-| test.cpp:170:34:170:41 | Unary | test.cpp:170:26:170:41 | (void *)... |
-| test.cpp:170:35:170:41 | Unary | test.cpp:170:34:170:41 | & ... |
-| test.cpp:170:35:170:41 | myLocal | test.cpp:170:35:170:41 | Unary |
-| test.cpp:171:10:171:23 | Load | test.cpp:171:10:171:23 | pointerToLocal |
-| test.cpp:171:10:171:23 | pointerToLocal | test.cpp:171:10:171:23 | StoreValue |
-| test.cpp:176:25:176:34 | Store | test.cpp:177:10:177:23 | Load |
-| test.cpp:176:25:176:34 | StoreValue | test.cpp:176:25:176:34 | Store |
-| test.cpp:176:25:176:34 | Unary | test.cpp:176:25:176:34 | array to pointer conversion |
-| test.cpp:176:25:176:34 | array to pointer conversion | test.cpp:176:25:176:34 | StoreValue |
-| test.cpp:176:25:176:34 | localArray | test.cpp:176:25:176:34 | Unary |
-| test.cpp:177:10:177:23 | (void *)... | test.cpp:177:10:177:23 | StoreValue |
-| test.cpp:177:10:177:23 | Load | test.cpp:177:10:177:23 | pointerToLocal |
-| test.cpp:177:10:177:23 | Unary | test.cpp:177:10:177:23 | (void *)... |
-| test.cpp:177:10:177:23 | pointerToLocal | test.cpp:177:10:177:23 | Unary |
-| test.cpp:182:21:182:27 | (reference to) | test.cpp:182:21:182:27 | StoreValue |
-| test.cpp:182:21:182:27 | Store | test.cpp:183:10:183:19 | Load |
-| test.cpp:182:21:182:27 | StoreValue | test.cpp:182:21:182:27 | Store |
-| test.cpp:182:21:182:27 | Unary | test.cpp:182:21:182:27 | (reference to) |
-| test.cpp:182:21:182:27 | myLocal | test.cpp:182:21:182:27 | Unary |
-| test.cpp:183:10:183:19 | (reference dereference) | test.cpp:183:10:183:19 | Unary |
-| test.cpp:183:10:183:19 | (reference to) | test.cpp:183:10:183:19 | StoreValue |
-| test.cpp:183:10:183:19 | Load | test.cpp:183:10:183:19 | refToLocal |
-| test.cpp:183:10:183:19 | Unary | test.cpp:183:10:183:19 | (reference dereference) |
-| test.cpp:183:10:183:19 | Unary | test.cpp:183:10:183:19 | (reference to) |
-| test.cpp:183:10:183:19 | refToLocal | test.cpp:183:10:183:19 | Unary |
-| test.cpp:189:16:189:16 | (reference to) | test.cpp:189:16:189:16 | StoreValue |
-| test.cpp:189:16:189:16 | Store | test.cpp:190:10:190:13 | Load |
-| test.cpp:189:16:189:16 | StoreValue | test.cpp:189:16:189:16 | Store |
-| test.cpp:189:16:189:16 | Unary | test.cpp:189:16:189:16 | (reference to) |
-| test.cpp:189:16:189:16 | p | test.cpp:189:16:189:16 | Unary |
-| test.cpp:190:10:190:13 | (reference dereference) | test.cpp:190:10:190:13 | Unary |
-| test.cpp:190:10:190:13 | (reference to) | test.cpp:190:10:190:13 | StoreValue |
-| test.cpp:190:10:190:13 | Load | test.cpp:190:10:190:13 | pRef |
-| test.cpp:190:10:190:13 | Unary | test.cpp:190:10:190:13 | (reference dereference) |
-| test.cpp:190:10:190:13 | Unary | test.cpp:190:10:190:13 | (reference to) |
-| test.cpp:190:10:190:13 | pRef | test.cpp:190:10:190:13 | Unary |
+| test.cpp:17:10:17:11 | mc | test.cpp:17:9:17:11 | & ... |
+| test.cpp:23:17:23:19 | & ... | test.cpp:23:17:23:19 | & ... |
+| test.cpp:23:17:23:19 | & ... | test.cpp:25:9:25:11 | ptr |
+| test.cpp:23:18:23:19 | mc | test.cpp:23:17:23:19 | & ... |
+| test.cpp:39:17:39:18 | (reference to) | test.cpp:39:17:39:18 | (reference to) |
+| test.cpp:39:17:39:18 | (reference to) | test.cpp:41:10:41:12 | ref |
+| test.cpp:39:17:39:18 | mc | test.cpp:39:17:39:18 | (reference to) |
+| test.cpp:41:10:41:12 | (reference dereference) | test.cpp:41:9:41:12 | & ... |
+| test.cpp:41:10:41:12 | ref | test.cpp:41:10:41:12 | (reference dereference) |
+| test.cpp:47:9:47:10 | mc | test.cpp:47:9:47:10 | (reference to) |
+| test.cpp:54:11:54:12 | mc | test.cpp:54:14:54:14 | a |
+| test.cpp:54:14:54:14 | a | test.cpp:54:9:54:15 | & ... |
+| test.cpp:89:3:89:11 | ... = ... | test.cpp:92:9:92:11 | ptr |
+| test.cpp:89:9:89:11 | & ... | test.cpp:89:3:89:11 | ... = ... |
+| test.cpp:89:10:89:11 | mc | test.cpp:89:9:89:11 | & ... |
+| test.cpp:112:9:112:11 | arr | test.cpp:112:9:112:11 | array to pointer conversion |
+| test.cpp:119:11:119:13 | arr | test.cpp:119:11:119:13 | array to pointer conversion |
+| test.cpp:119:11:119:13 | array to pointer conversion | test.cpp:119:11:119:17 | access to array |
+| test.cpp:119:11:119:17 | access to array | test.cpp:119:9:119:18 | & ... |
+| test.cpp:134:2:134:14 | ... = ... | test.cpp:135:2:135:4 | ptr |
+| test.cpp:134:8:134:10 | arr | test.cpp:134:8:134:10 | array to pointer conversion |
+| test.cpp:134:8:134:10 | array to pointer conversion | test.cpp:134:8:134:14 | ... + ... |
+| test.cpp:134:8:134:14 | ... + ... | test.cpp:134:2:134:14 | ... = ... |
+| test.cpp:135:2:135:4 | ptr | test.cpp:135:2:135:6 | ... ++ |
+| test.cpp:135:2:135:6 | ... ++ | test.cpp:135:2:135:6 | ... ++ |
+| test.cpp:135:2:135:6 | ... ++ | test.cpp:137:9:137:11 | ptr |
+| test.cpp:170:26:170:41 | (void *)... | test.cpp:170:26:170:41 | (void *)... |
+| test.cpp:170:26:170:41 | (void *)... | test.cpp:171:10:171:23 | pointerToLocal |
+| test.cpp:170:34:170:41 | & ... | test.cpp:170:26:170:41 | (void *)... |
+| test.cpp:170:35:170:41 | myLocal | test.cpp:170:34:170:41 | & ... |
+| test.cpp:176:25:176:34 | array to pointer conversion | test.cpp:176:25:176:34 | array to pointer conversion |
+| test.cpp:176:25:176:34 | array to pointer conversion | test.cpp:177:10:177:23 | pointerToLocal |
+| test.cpp:176:25:176:34 | localArray | test.cpp:176:25:176:34 | array to pointer conversion |
+| test.cpp:177:10:177:23 | pointerToLocal | test.cpp:177:10:177:23 | (void *)... |
+| test.cpp:182:21:182:27 | (reference to) | test.cpp:182:21:182:27 | (reference to) |
+| test.cpp:182:21:182:27 | (reference to) | test.cpp:183:10:183:19 | refToLocal |
+| test.cpp:182:21:182:27 | myLocal | test.cpp:182:21:182:27 | (reference to) |
+| test.cpp:183:10:183:19 | (reference dereference) | test.cpp:183:10:183:19 | (reference to) |
+| test.cpp:183:10:183:19 | refToLocal | test.cpp:183:10:183:19 | (reference dereference) |
+| test.cpp:189:16:189:16 | (reference to) | test.cpp:189:16:189:16 | (reference to) |
+| test.cpp:189:16:189:16 | (reference to) | test.cpp:190:10:190:13 | pRef |
+| test.cpp:189:16:189:16 | p | test.cpp:189:16:189:16 | (reference to) |
+| test.cpp:190:10:190:13 | (reference dereference) | test.cpp:190:10:190:13 | (reference to) |
+| test.cpp:190:10:190:13 | pRef | test.cpp:190:10:190:13 | (reference dereference) |
 nodes
 | test.cpp:17:9:17:11 | & ... | semmle.label | & ... |
-| test.cpp:17:9:17:11 | StoreValue | semmle.label | StoreValue |
-| test.cpp:17:10:17:11 | Unary | semmle.label | Unary |
 | test.cpp:17:10:17:11 | mc | semmle.label | mc |
 | test.cpp:23:17:23:19 | & ... | semmle.label | & ... |
-| test.cpp:23:17:23:19 | Store | semmle.label | Store |
-| test.cpp:23:17:23:19 | StoreValue | semmle.label | StoreValue |
-| test.cpp:23:18:23:19 | Unary | semmle.label | Unary |
+| test.cpp:23:17:23:19 | & ... | semmle.label | & ... |
 | test.cpp:23:18:23:19 | mc | semmle.label | mc |
-| test.cpp:25:9:25:11 | Load | semmle.label | Load |
-| test.cpp:25:9:25:11 | StoreValue | semmle.label | StoreValue |
 | test.cpp:25:9:25:11 | ptr | semmle.label | ptr |
 | test.cpp:39:17:39:18 | (reference to) | semmle.label | (reference to) |
-| test.cpp:39:17:39:18 | Store | semmle.label | Store |
-| test.cpp:39:17:39:18 | StoreValue | semmle.label | StoreValue |
-| test.cpp:39:17:39:18 | Unary | semmle.label | Unary |
+| test.cpp:39:17:39:18 | (reference to) | semmle.label | (reference to) |
 | test.cpp:39:17:39:18 | mc | semmle.label | mc |
 | test.cpp:41:9:41:12 | & ... | semmle.label | & ... |
-| test.cpp:41:9:41:12 | StoreValue | semmle.label | StoreValue |
 | test.cpp:41:10:41:12 | (reference dereference) | semmle.label | (reference dereference) |
-| test.cpp:41:10:41:12 | Load | semmle.label | Load |
-| test.cpp:41:10:41:12 | Unary | semmle.label | Unary |
-| test.cpp:41:10:41:12 | Unary | semmle.label | Unary |
 | test.cpp:41:10:41:12 | ref | semmle.label | ref |
 | test.cpp:47:9:47:10 | (reference to) | semmle.label | (reference to) |
-| test.cpp:47:9:47:10 | StoreValue | semmle.label | StoreValue |
-| test.cpp:47:9:47:10 | Unary | semmle.label | Unary |
 | test.cpp:47:9:47:10 | mc | semmle.label | mc |
 | test.cpp:54:9:54:15 | & ... | semmle.label | & ... |
-| test.cpp:54:9:54:15 | StoreValue | semmle.label | StoreValue |
-| test.cpp:54:11:54:12 | Unary | semmle.label | Unary |
 | test.cpp:54:11:54:12 | mc | semmle.label | mc |
-| test.cpp:54:14:54:14 | Unary | semmle.label | Unary |
 | test.cpp:54:14:54:14 | a | semmle.label | a |
-| test.cpp:89:3:89:11 | Store | semmle.label | Store |
+| test.cpp:89:3:89:11 | ... = ... | semmle.label | ... = ... |
 | test.cpp:89:9:89:11 | & ... | semmle.label | & ... |
-| test.cpp:89:9:89:11 | StoreValue | semmle.label | StoreValue |
-| test.cpp:89:10:89:11 | Unary | semmle.label | Unary |
 | test.cpp:89:10:89:11 | mc | semmle.label | mc |
-| test.cpp:92:9:92:11 | Load | semmle.label | Load |
-| test.cpp:92:9:92:11 | StoreValue | semmle.label | StoreValue |
 | test.cpp:92:9:92:11 | ptr | semmle.label | ptr |
-| test.cpp:112:9:112:11 | StoreValue | semmle.label | StoreValue |
-| test.cpp:112:9:112:11 | Unary | semmle.label | Unary |
 | test.cpp:112:9:112:11 | arr | semmle.label | arr |
 | test.cpp:112:9:112:11 | array to pointer conversion | semmle.label | array to pointer conversion |
 | test.cpp:119:9:119:18 | & ... | semmle.label | & ... |
-| test.cpp:119:9:119:18 | StoreValue | semmle.label | StoreValue |
-| test.cpp:119:11:119:13 | Left | semmle.label | Left |
-| test.cpp:119:11:119:13 | Unary | semmle.label | Unary |
 | test.cpp:119:11:119:13 | arr | semmle.label | arr |
 | test.cpp:119:11:119:13 | array to pointer conversion | semmle.label | array to pointer conversion |
-| test.cpp:119:11:119:17 | Unary | semmle.label | Unary |
 | test.cpp:119:11:119:17 | access to array | semmle.label | access to array |
-| test.cpp:134:2:134:14 | Store | semmle.label | Store |
-| test.cpp:134:8:134:10 | Left | semmle.label | Left |
-| test.cpp:134:8:134:10 | Unary | semmle.label | Unary |
+| test.cpp:134:2:134:14 | ... = ... | semmle.label | ... = ... |
 | test.cpp:134:8:134:10 | arr | semmle.label | arr |
 | test.cpp:134:8:134:10 | array to pointer conversion | semmle.label | array to pointer conversion |
 | test.cpp:134:8:134:14 | ... + ... | semmle.label | ... + ... |
-| test.cpp:134:8:134:14 | StoreValue | semmle.label | StoreValue |
-| test.cpp:135:2:135:4 | Left | semmle.label | Left |
-| test.cpp:135:2:135:4 | Load | semmle.label | Load |
 | test.cpp:135:2:135:4 | ptr | semmle.label | ptr |
-| test.cpp:135:2:135:6 | PointerAdd | semmle.label | PointerAdd |
-| test.cpp:135:2:135:6 | Store | semmle.label | Store |
-| test.cpp:135:2:135:6 | StoreValue | semmle.label | StoreValue |
-| test.cpp:137:9:137:11 | Load | semmle.label | Load |
-| test.cpp:137:9:137:11 | StoreValue | semmle.label | StoreValue |
+| test.cpp:135:2:135:6 | ... ++ | semmle.label | ... ++ |
+| test.cpp:135:2:135:6 | ... ++ | semmle.label | ... ++ |
 | test.cpp:137:9:137:11 | ptr | semmle.label | ptr |
 | test.cpp:170:26:170:41 | (void *)... | semmle.label | (void *)... |
-| test.cpp:170:26:170:41 | Store | semmle.label | Store |
-| test.cpp:170:26:170:41 | StoreValue | semmle.label | StoreValue |
+| test.cpp:170:26:170:41 | (void *)... | semmle.label | (void *)... |
 | test.cpp:170:34:170:41 | & ... | semmle.label | & ... |
-| test.cpp:170:34:170:41 | Unary | semmle.label | Unary |
-| test.cpp:170:35:170:41 | Unary | semmle.label | Unary |
 | test.cpp:170:35:170:41 | myLocal | semmle.label | myLocal |
-| test.cpp:171:10:171:23 | Load | semmle.label | Load |
-| test.cpp:171:10:171:23 | StoreValue | semmle.label | StoreValue |
 | test.cpp:171:10:171:23 | pointerToLocal | semmle.label | pointerToLocal |
-| test.cpp:176:25:176:34 | Store | semmle.label | Store |
-| test.cpp:176:25:176:34 | StoreValue | semmle.label | StoreValue |
-| test.cpp:176:25:176:34 | Unary | semmle.label | Unary |
+| test.cpp:176:25:176:34 | array to pointer conversion | semmle.label | array to pointer conversion |
 | test.cpp:176:25:176:34 | array to pointer conversion | semmle.label | array to pointer conversion |
 | test.cpp:176:25:176:34 | localArray | semmle.label | localArray |
 | test.cpp:177:10:177:23 | (void *)... | semmle.label | (void *)... |
-| test.cpp:177:10:177:23 | Load | semmle.label | Load |
-| test.cpp:177:10:177:23 | StoreValue | semmle.label | StoreValue |
-| test.cpp:177:10:177:23 | Unary | semmle.label | Unary |
 | test.cpp:177:10:177:23 | pointerToLocal | semmle.label | pointerToLocal |
 | test.cpp:182:21:182:27 | (reference to) | semmle.label | (reference to) |
-| test.cpp:182:21:182:27 | Store | semmle.label | Store |
-| test.cpp:182:21:182:27 | StoreValue | semmle.label | StoreValue |
-| test.cpp:182:21:182:27 | Unary | semmle.label | Unary |
+| test.cpp:182:21:182:27 | (reference to) | semmle.label | (reference to) |
 | test.cpp:182:21:182:27 | myLocal | semmle.label | myLocal |
 | test.cpp:183:10:183:19 | (reference dereference) | semmle.label | (reference dereference) |
 | test.cpp:183:10:183:19 | (reference to) | semmle.label | (reference to) |
-| test.cpp:183:10:183:19 | Load | semmle.label | Load |
-| test.cpp:183:10:183:19 | StoreValue | semmle.label | StoreValue |
-| test.cpp:183:10:183:19 | Unary | semmle.label | Unary |
-| test.cpp:183:10:183:19 | Unary | semmle.label | Unary |
 | test.cpp:183:10:183:19 | refToLocal | semmle.label | refToLocal |
 | test.cpp:189:16:189:16 | (reference to) | semmle.label | (reference to) |
-| test.cpp:189:16:189:16 | Store | semmle.label | Store |
-| test.cpp:189:16:189:16 | StoreValue | semmle.label | StoreValue |
-| test.cpp:189:16:189:16 | Unary | semmle.label | Unary |
+| test.cpp:189:16:189:16 | (reference to) | semmle.label | (reference to) |
 | test.cpp:189:16:189:16 | p | semmle.label | p |
 | test.cpp:190:10:190:13 | (reference dereference) | semmle.label | (reference dereference) |
 | test.cpp:190:10:190:13 | (reference to) | semmle.label | (reference to) |
-| test.cpp:190:10:190:13 | Load | semmle.label | Load |
-| test.cpp:190:10:190:13 | StoreValue | semmle.label | StoreValue |
-| test.cpp:190:10:190:13 | Unary | semmle.label | Unary |
-| test.cpp:190:10:190:13 | Unary | semmle.label | Unary |
 | test.cpp:190:10:190:13 | pRef | semmle.label | pRef |
 #select
-| test.cpp:17:9:17:11 | StoreValue | test.cpp:17:10:17:11 | mc | test.cpp:17:9:17:11 | StoreValue | May return stack-allocated memory from $@. | test.cpp:17:10:17:11 | mc | mc |
-| test.cpp:25:9:25:11 | StoreValue | test.cpp:23:18:23:19 | mc | test.cpp:25:9:25:11 | StoreValue | May return stack-allocated memory from $@. | test.cpp:23:18:23:19 | mc | mc |
-| test.cpp:41:9:41:12 | StoreValue | test.cpp:39:17:39:18 | mc | test.cpp:41:9:41:12 | StoreValue | May return stack-allocated memory from $@. | test.cpp:39:17:39:18 | mc | mc |
-| test.cpp:47:9:47:10 | StoreValue | test.cpp:47:9:47:10 | mc | test.cpp:47:9:47:10 | StoreValue | May return stack-allocated memory from $@. | test.cpp:47:9:47:10 | mc | mc |
-| test.cpp:54:9:54:15 | StoreValue | test.cpp:54:11:54:12 | mc | test.cpp:54:9:54:15 | StoreValue | May return stack-allocated memory from $@. | test.cpp:54:11:54:12 | mc | mc |
-| test.cpp:92:9:92:11 | StoreValue | test.cpp:89:10:89:11 | mc | test.cpp:92:9:92:11 | StoreValue | May return stack-allocated memory from $@. | test.cpp:89:10:89:11 | mc | mc |
-| test.cpp:112:9:112:11 | StoreValue | test.cpp:112:9:112:11 | arr | test.cpp:112:9:112:11 | StoreValue | May return stack-allocated memory from $@. | test.cpp:112:9:112:11 | arr | arr |
-| test.cpp:119:9:119:18 | StoreValue | test.cpp:119:11:119:13 | arr | test.cpp:119:9:119:18 | StoreValue | May return stack-allocated memory from $@. | test.cpp:119:11:119:13 | arr | arr |
-| test.cpp:137:9:137:11 | StoreValue | test.cpp:134:8:134:10 | arr | test.cpp:137:9:137:11 | StoreValue | May return stack-allocated memory from $@. | test.cpp:134:8:134:10 | arr | arr |
-| test.cpp:171:10:171:23 | StoreValue | test.cpp:170:35:170:41 | myLocal | test.cpp:171:10:171:23 | StoreValue | May return stack-allocated memory from $@. | test.cpp:170:35:170:41 | myLocal | myLocal |
-| test.cpp:177:10:177:23 | StoreValue | test.cpp:176:25:176:34 | localArray | test.cpp:177:10:177:23 | StoreValue | May return stack-allocated memory from $@. | test.cpp:176:25:176:34 | localArray | localArray |
-| test.cpp:183:10:183:19 | StoreValue | test.cpp:182:21:182:27 | myLocal | test.cpp:183:10:183:19 | StoreValue | May return stack-allocated memory from $@. | test.cpp:182:21:182:27 | myLocal | myLocal |
-| test.cpp:190:10:190:13 | StoreValue | test.cpp:189:16:189:16 | p | test.cpp:190:10:190:13 | StoreValue | May return stack-allocated memory from $@. | test.cpp:189:16:189:16 | p | p |
+| test.cpp:17:9:17:11 | CopyValue: & ... | test.cpp:17:10:17:11 | mc | test.cpp:17:9:17:11 | & ... | May return stack-allocated memory from $@. | test.cpp:17:10:17:11 | mc | mc |
+| test.cpp:25:9:25:11 | Load: ptr | test.cpp:23:18:23:19 | mc | test.cpp:25:9:25:11 | ptr | May return stack-allocated memory from $@. | test.cpp:23:18:23:19 | mc | mc |
+| test.cpp:41:9:41:12 | CopyValue: & ... | test.cpp:39:17:39:18 | mc | test.cpp:41:9:41:12 | & ... | May return stack-allocated memory from $@. | test.cpp:39:17:39:18 | mc | mc |
+| test.cpp:47:9:47:10 | CopyValue: (reference to) | test.cpp:47:9:47:10 | mc | test.cpp:47:9:47:10 | (reference to) | May return stack-allocated memory from $@. | test.cpp:47:9:47:10 | mc | mc |
+| test.cpp:54:9:54:15 | CopyValue: & ... | test.cpp:54:11:54:12 | mc | test.cpp:54:9:54:15 | & ... | May return stack-allocated memory from $@. | test.cpp:54:11:54:12 | mc | mc |
+| test.cpp:92:9:92:11 | Load: ptr | test.cpp:89:10:89:11 | mc | test.cpp:92:9:92:11 | ptr | May return stack-allocated memory from $@. | test.cpp:89:10:89:11 | mc | mc |
+| test.cpp:112:9:112:11 | Convert: array to pointer conversion | test.cpp:112:9:112:11 | arr | test.cpp:112:9:112:11 | array to pointer conversion | May return stack-allocated memory from $@. | test.cpp:112:9:112:11 | arr | arr |
+| test.cpp:119:9:119:18 | CopyValue: & ... | test.cpp:119:11:119:13 | arr | test.cpp:119:9:119:18 | & ... | May return stack-allocated memory from $@. | test.cpp:119:11:119:13 | arr | arr |
+| test.cpp:137:9:137:11 | Load: ptr | test.cpp:134:8:134:10 | arr | test.cpp:137:9:137:11 | ptr | May return stack-allocated memory from $@. | test.cpp:134:8:134:10 | arr | arr |
+| test.cpp:171:10:171:23 | Load: pointerToLocal | test.cpp:170:35:170:41 | myLocal | test.cpp:171:10:171:23 | pointerToLocal | May return stack-allocated memory from $@. | test.cpp:170:35:170:41 | myLocal | myLocal |
+| test.cpp:177:10:177:23 | Convert: (void *)... | test.cpp:176:25:176:34 | localArray | test.cpp:177:10:177:23 | (void *)... | May return stack-allocated memory from $@. | test.cpp:176:25:176:34 | localArray | localArray |
+| test.cpp:183:10:183:19 | CopyValue: (reference to) | test.cpp:182:21:182:27 | myLocal | test.cpp:183:10:183:19 | (reference to) | May return stack-allocated memory from $@. | test.cpp:182:21:182:27 | myLocal | myLocal |
+| test.cpp:190:10:190:13 | CopyValue: (reference to) | test.cpp:189:16:189:16 | p | test.cpp:190:10:190:13 | (reference to) | May return stack-allocated memory from $@. | test.cpp:189:16:189:16 | p | p |

csharp/.gitignore

@@ -11,4 +11,7 @@ csharp.log
 *.tlog
 .vs
 *.user
-.vscode/launch.json
+.vscode/launch.json
+
+extractor/Semmle.Extraction.CSharp.Driver/Properties/launchSettings.json
+extractor-pack

csharp/actions/create-extractor-pack/action.yml

@@ -0,0 +1,13 @@
+name: Build C# CodeQL pack
+description: Builds the C# CodeQL pack
+runs:
+  using: composite
+  steps:
+    - name: Setup dotnet
+      uses: actions/setup-dotnet@v3
+      with:
+        dotnet-version: 6.0.202
+    - name: Build Extractor
+      shell: bash
+      run: scripts/create-extractor-pack.sh
+      working-directory: csharp

csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/BuildScripts.cs

@@ -403,7 +403,7 @@ namespace Semmle.Autobuild.CSharp.Tests
             actions.GetCurrentDirectory = cwd;
             actions.IsWindows = isWindows;
 
-            var options = new AutobuildOptions(actions, Language.CSharp);
+            var options = new CSharpAutobuildOptions(actions);
             return new CSharpAutobuilder(actions, options);
         }
 
@@ -576,7 +576,7 @@ namespace Semmle.Autobuild.CSharp.Tests
             actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\vcvarsall.bat"] = false;
         }
 
-        private void TestAutobuilderScript(Autobuilder autobuilder, int expectedOutput, int commandsRun)
+        private void TestAutobuilderScript(CSharpAutobuilder autobuilder, int expectedOutput, int commandsRun)
         {
             Assert.Equal(expectedOutput, autobuilder.GetBuildScript().Run(actions, StartCallback, EndCallback));
 

csharp/autobuilder/Semmle.Autobuild.CSharp/CSharpAutobuilder.cs

@@ -4,9 +4,32 @@ using Semmle.Autobuild.Shared;
 
 namespace Semmle.Autobuild.CSharp
 {
-    public class CSharpAutobuilder : Autobuilder
+    /// <summary>
+    /// Encapsulates C# build options.
+    /// </summary>
+    public class CSharpAutobuildOptions : AutobuildOptionsShared
     {
-        public CSharpAutobuilder(IBuildActions actions, AutobuildOptions options) : base(actions, options) { }
+        private const string extractorOptionPrefix = "CODEQL_EXTRACTOR_CSHARP_OPTION_";
+
+        public bool Buildless { get; }
+
+        public override Language Language => Language.CSharp;
+
+
+        /// <summary>
+        /// Reads options from environment variables.
+        /// Throws ArgumentOutOfRangeException for invalid arguments.
+        /// </summary>
+        public CSharpAutobuildOptions(IBuildActions actions) : base(actions)
+        {
+            Buildless = actions.GetEnvironmentVariable(lgtmPrefix + "BUILDLESS").AsBool("buildless", false) ||
+                actions.GetEnvironmentVariable(extractorOptionPrefix + "BUILDLESS").AsBool("buildless", false);
+        }
+    }
+
+    public class CSharpAutobuilder : Autobuilder<CSharpAutobuildOptions>
+    {
+        public CSharpAutobuilder(IBuildActions actions, CSharpAutobuildOptions options) : base(actions, options) { }
 
         public override BuildScript GetBuildScript()
         {

csharp/autobuilder/Semmle.Autobuild.CSharp/DotNetRule.cs

@@ -13,9 +13,9 @@ namespace Semmle.Autobuild.CSharp
     /// A build rule where the build command is of the form "dotnet build".
     /// Currently unused because the tracer does not work with dotnet.
     /// </summary>
-    internal class DotNetRule : IBuildRule
+    internal class DotNetRule : IBuildRule<CSharpAutobuildOptions>
     {
-        public BuildScript Analyse(Autobuilder builder, bool auto)
+        public BuildScript Analyse(IAutobuilder<CSharpAutobuildOptions> builder, bool auto)
         {
             if (!builder.ProjectsOrSolutionsToBuild.Any())
                 return BuildScript.Failure;
@@ -24,7 +24,7 @@ namespace Semmle.Autobuild.CSharp
             {
                 var notDotNetProject = builder.ProjectsOrSolutionsToBuild
                     .SelectMany(p => Enumerators.Singleton(p).Concat(p.IncludedProjects))
-                    .OfType<Project>()
+                    .OfType<Project<CSharpAutobuildOptions>>()
                     .FirstOrDefault(p => !p.DotNetProject);
                 if (notDotNetProject is not null)
                 {
@@ -56,7 +56,7 @@ namespace Semmle.Autobuild.CSharp
                 });
         }
 
-        private static BuildScript WithDotNet(Autobuilder builder, Func<string?, IDictionary<string, string>?, BuildScript> f)
+        private static BuildScript WithDotNet(IAutobuilder<AutobuildOptionsShared> builder, Func<string?, IDictionary<string, string>?, BuildScript> f)
         {
             var installDir = builder.Actions.PathCombine(builder.Options.RootDirectory, ".dotnet");
             var installScript = DownloadDotNet(builder, installDir);
@@ -92,7 +92,7 @@ namespace Semmle.Autobuild.CSharp
         /// variables needed by the installed .NET Core (<code>null</code> when no variables
         /// are needed).
         /// </summary>
-        public static BuildScript WithDotNet(Autobuilder builder, Func<IDictionary<string, string>?, BuildScript> f)
+        public static BuildScript WithDotNet(IAutobuilder<AutobuildOptionsShared> builder, Func<IDictionary<string, string>?, BuildScript> f)
             => WithDotNet(builder, (_1, env) => f(env));
 
         /// <summary>
@@ -100,7 +100,7 @@ namespace Semmle.Autobuild.CSharp
         /// .NET Core SDK. The SDK(s) will be installed at <code>installDir</code>
         /// (provided that the script succeeds).
         /// </summary>
-        private static BuildScript DownloadDotNet(Autobuilder builder, string installDir)
+        private static BuildScript DownloadDotNet(IAutobuilder<AutobuildOptionsShared> builder, string installDir)
         {
             if (!string.IsNullOrEmpty(builder.Options.DotNetVersion))
                 // Specific version supplied in configuration: always use that
@@ -137,7 +137,7 @@ namespace Semmle.Autobuild.CSharp
         ///
         /// See https://docs.microsoft.com/en-us/dotnet/core/tools/dotnet-install-script.
         /// </summary>
-        private static BuildScript DownloadDotNetVersion(Autobuilder builder, string path, string version)
+        private static BuildScript DownloadDotNetVersion(IAutobuilder<AutobuildOptionsShared> builder, string path, string version)
         {
             return BuildScript.Bind(GetInstalledSdksScript(builder.Actions), (sdks, sdksRet) =>
                 {
@@ -233,7 +233,7 @@ namespace Semmle.Autobuild.CSharp
         /// <summary>
         /// Gets the `dotnet build` script.
         /// </summary>
-        private static BuildScript GetBuildScript(Autobuilder builder, string? dotNetPath, IDictionary<string, string>? environment, string projOrSln)
+        private static BuildScript GetBuildScript(IAutobuilder<CSharpAutobuildOptions> builder, string? dotNetPath, IDictionary<string, string>? environment, string projOrSln)
         {
             var build = new CommandBuilder(builder.Actions, null, environment);
             var script = build.RunCommand(DotNetCommand(builder.Actions, dotNetPath)).

csharp/autobuilder/Semmle.Autobuild.CSharp/Program.cs

@@ -11,7 +11,7 @@ namespace Semmle.Autobuild.CSharp
             try
             {
                 var actions = SystemBuildActions.Instance;
-                var options = new AutobuildOptions(actions, Language.CSharp);
+                var options = new CSharpAutobuildOptions(actions);
                 try
                 {
                     Console.WriteLine("CodeQL C# autobuilder");

csharp/autobuilder/Semmle.Autobuild.CSharp/StandaloneBuildRule.cs

@@ -6,9 +6,9 @@ namespace Semmle.Autobuild.CSharp
     /// <summary>
     /// Build using standalone extraction.
     /// </summary>
-    internal class StandaloneBuildRule : IBuildRule
+    internal class StandaloneBuildRule : IBuildRule<CSharpAutobuildOptions>
     {
-        public BuildScript Analyse(Autobuilder builder, bool auto)
+        public BuildScript Analyse(IAutobuilder<CSharpAutobuildOptions> builder, bool auto)
         {
             BuildScript GetCommand(string? solution)
             {

csharp/autobuilder/Semmle.Autobuild.Shared/AutobuildOptions.cs

@@ -6,12 +6,12 @@ using System.Text.RegularExpressions;
 namespace Semmle.Autobuild.Shared
 {
     /// <summary>
-    /// Encapsulates build options.
+    /// Encapsulates build options shared between C# and C++.
     /// </summary>
-    public class AutobuildOptions
+    public abstract class AutobuildOptionsShared
     {
-        private const string lgtmPrefix = "LGTM_INDEX_";
-        private const string extractorOptionPrefix = "CODEQL_EXTRACTOR_CSHARP_OPTION_";
+        protected const string lgtmPrefix = "LGTM_INDEX_";
+
 
         public int SearchDepth { get; } = 3;
         public string RootDirectory { get; }
@@ -25,16 +25,16 @@ namespace Semmle.Autobuild.Shared
         public string? BuildCommand { get; }
         public IEnumerable<string> Solution { get; }
         public bool IgnoreErrors { get; }
-        public bool Buildless { get; }
+
         public bool AllSolutions { get; }
         public bool NugetRestore { get; }
-        public Language Language { get; }
+        public abstract Language Language { get; }
 
         /// <summary>
         /// Reads options from environment variables.
         /// Throws ArgumentOutOfRangeException for invalid arguments.
         /// </summary>
-        public AutobuildOptions(IBuildActions actions, Language language)
+        public AutobuildOptionsShared(IBuildActions actions)
         {
             RootDirectory = actions.GetCurrentDirectory();
             VsToolsVersion = actions.GetEnvironmentVariable(lgtmPrefix + "VSTOOLS_VERSION");
@@ -48,12 +48,8 @@ namespace Semmle.Autobuild.Shared
             Solution = actions.GetEnvironmentVariable(lgtmPrefix + "SOLUTION").AsListWithExpandedEnvVars(actions, Array.Empty<string>());
 
             IgnoreErrors = actions.GetEnvironmentVariable(lgtmPrefix + "IGNORE_ERRORS").AsBool("ignore_errors", false);
-            Buildless = actions.GetEnvironmentVariable(lgtmPrefix + "BUILDLESS").AsBool("buildless", false) ||
-                actions.GetEnvironmentVariable(extractorOptionPrefix + "BUILDLESS").AsBool("buildless", false);
             AllSolutions = actions.GetEnvironmentVariable(lgtmPrefix + "ALL_SOLUTIONS").AsBool("all_solutions", false);
             NugetRestore = actions.GetEnvironmentVariable(lgtmPrefix + "NUGET_RESTORE").AsBool("nuget_restore", true);
-
-            Language = language;
         }
     }
 

csharp/autobuilder/Semmle.Autobuild.Shared/Autobuilder.cs

@@ -9,21 +9,21 @@ namespace Semmle.Autobuild.Shared
     /// <summary>
     /// A build rule analyses the files in "builder" and outputs a build script.
     /// </summary>
-    public interface IBuildRule
+    public interface IBuildRule<TAutobuildOptions> where TAutobuildOptions : AutobuildOptionsShared
     {
         /// <summary>
         /// Analyse the files and produce a build script.
         /// </summary>
         /// <param name="builder">The files and options relating to the build.</param>
         /// <param name="auto">Whether this build rule is being automatically applied.</param>
-        BuildScript Analyse(Autobuilder builder, bool auto);
+        BuildScript Analyse(IAutobuilder<TAutobuildOptions> builder, bool auto);
     }
 
     /// <summary>
     /// A delegate used to wrap a build script in an environment where an appropriate
     /// version of .NET Core is automatically installed.
     /// </summary>
-    public delegate BuildScript WithDotNet(Autobuilder builder, Func<IDictionary<string, string>?, BuildScript> f);
+    public delegate BuildScript WithDotNet<TAutobuildOptions>(IAutobuilder<TAutobuildOptions> builder, Func<IDictionary<string, string>?, BuildScript> f) where TAutobuildOptions : AutobuildOptionsShared;
 
     /// <summary>
     /// Exception indicating that environment variables are missing or invalid.
@@ -33,6 +33,59 @@ namespace Semmle.Autobuild.Shared
         public InvalidEnvironmentException(string m) : base(m) { }
     }
 
+    public interface IAutobuilder<out TAutobuildOptions> where TAutobuildOptions : AutobuildOptionsShared
+    {
+        /// <summary>
+        /// Full file paths of files found in the project directory, as well as
+        /// their distance from the project root folder. The list is sorted
+        /// by distance in ascending order.
+        /// </summary>
+        IEnumerable<(string, int)> Paths { get; }
+
+        /// <summary>
+        /// Gets all paths matching a particular filename, as well as
+        /// their distance from the project root folder. The list is sorted
+        /// by distance in ascending order.
+        /// </summary>
+        /// <param name="name">The filename to find.</param>
+        /// <returns>Possibly empty sequence of paths with the given filename.</returns>
+        IEnumerable<(string, int)> GetFilename(string name) =>
+           Paths.Where(p => Actions.GetFileName(p.Item1) == name);
+
+        /// <summary>
+        /// List of project/solution files to build.
+        /// </summary>
+        IList<IProjectOrSolution> ProjectsOrSolutionsToBuild { get; }
+
+        /// <summary>
+        /// Gets the supplied build configuration.
+        /// </summary>
+        TAutobuildOptions Options { get; }
+
+        /// <summary>
+        /// The set of build actions used during the autobuilder.
+        /// Could be real system operations, or a stub for testing.
+        /// </summary>
+        IBuildActions Actions { get; }
+
+        /// <summary>
+        /// Log a given build event to the console.
+        /// </summary>
+        /// <param name="format">The format string.</param>
+        /// <param name="args">Inserts to the format string.</param>
+        void Log(Severity severity, string format, params object[] args);
+
+        /// <summary>
+        /// Value of CODEQL_EXTRACTOR_<LANG>_ROOT environment variable.
+        /// </summary>
+        string? CodeQLExtractorLangRoot { get; }
+
+        /// <summary>
+        /// Value of CODEQL_PLATFORM environment variable.
+        /// </summary>
+        string? CodeQlPlatform { get; }
+    }
+
     /// <summary>
     /// Main application logic, containing all data
     /// gathered from the project and filesystem.
@@ -40,7 +93,7 @@ namespace Semmle.Autobuild.Shared
     /// The overall design is intended to be extensible so that in theory,
     /// it should be possible to add new build rules without touching this code.
     /// </summary>
-    public abstract class Autobuilder
+    public abstract class Autobuilder<TAutobuildOptions> : IAutobuilder<TAutobuildOptions> where TAutobuildOptions : AutobuildOptionsShared
     {
         /// <summary>
         /// Full file paths of files found in the project directory, as well as
@@ -60,16 +113,6 @@ namespace Semmle.Autobuild.Shared
         public IEnumerable<(string, int)> GetExtensions(params string[] extensions) =>
             Paths.Where(p => extensions.Contains(Path.GetExtension(p.Item1)));
 
-        /// <summary>
-        /// Gets all paths matching a particular filename, as well as
-        /// their distance from the project root folder. The list is sorted
-        /// by distance in ascending order.
-        /// </summary>
-        /// <param name="name">The filename to find.</param>
-        /// <returns>Possibly empty sequence of paths with the given filename.</returns>
-        public IEnumerable<(string, int)> GetFilename(string name) =>
-            Paths.Where(p => Actions.GetFileName(p.Item1) == name);
-
         /// <summary>
         /// Holds if a given path, relative to the root of the source directory
         /// was found.
@@ -115,7 +158,7 @@ namespace Semmle.Autobuild.Shared
         /// <summary>
         /// Gets the supplied build configuration.
         /// </summary>
-        public AutobuildOptions Options { get; }
+        public TAutobuildOptions Options { get; }
 
         /// <summary>
         /// The set of build actions used during the autobuilder.
@@ -123,7 +166,7 @@ namespace Semmle.Autobuild.Shared
         /// </summary>
         public IBuildActions Actions { get; }
 
-        private IEnumerable<IProjectOrSolution>? FindFiles(string extension, Func<string, ProjectOrSolution> create)
+        private IEnumerable<IProjectOrSolution>? FindFiles(string extension, Func<string, ProjectOrSolution<TAutobuildOptions>> create)
         {
             var matchingFiles = GetExtensions(extension)
                 .Select(p => (ProjectOrSolution: create(p.Item1), DistanceFromRoot: p.Item2))
@@ -146,7 +189,7 @@ namespace Semmle.Autobuild.Shared
         /// solution file and tools.
         /// </summary>
         /// <param name="options">The command line options.</param>
-        protected Autobuilder(IBuildActions actions, AutobuildOptions options)
+        protected Autobuilder(IBuildActions actions, TAutobuildOptions options)
         {
             Actions = actions;
             Options = options;
@@ -167,7 +210,7 @@ namespace Semmle.Autobuild.Shared
                     foreach (var solution in options.Solution)
                     {
                         if (actions.FileExists(solution))
-                            ret.Add(new Solution(this, solution, true));
+                            ret.Add(new Solution<TAutobuildOptions>(this, solution, true));
                         else
                             Log(Severity.Error, $"The specified project or solution file {solution} was not found");
                     }
@@ -175,17 +218,17 @@ namespace Semmle.Autobuild.Shared
                 }
 
                 // First look for `.proj` files
-                ret = FindFiles(".proj", f => new Project(this, f))?.ToList();
+                ret = FindFiles(".proj", f => new Project<TAutobuildOptions>(this, f))?.ToList();
                 if (ret is not null)
                     return ret;
 
                 // Then look for `.sln` files
-                ret = FindFiles(".sln", f => new Solution(this, f, false))?.ToList();
+                ret = FindFiles(".sln", f => new Solution<TAutobuildOptions>(this, f, false))?.ToList();
                 if (ret is not null)
                     return ret;
 
                 // Finally look for language specific project files, e.g. `.csproj` files
-                ret = FindFiles(this.Options.Language.ProjectExtension, f => new Project(this, f))?.ToList();
+                ret = FindFiles(this.Options.Language.ProjectExtension, f => new Project<TAutobuildOptions>(this, f))?.ToList();
                 return ret ?? new List<IProjectOrSolution>();
             });
 

csharp/autobuilder/Semmle.Autobuild.Shared/BuildCommandAutoRule.cs

@@ -7,11 +7,11 @@ namespace Semmle.Autobuild.Shared
     /// <summary>
     /// Auto-detection of build scripts.
     /// </summary>
-    public class BuildCommandAutoRule : IBuildRule
+    public class BuildCommandAutoRule : IBuildRule<AutobuildOptionsShared>
     {
-        private readonly WithDotNet withDotNet;
+        private readonly WithDotNet<AutobuildOptionsShared> withDotNet;
 
-        public BuildCommandAutoRule(WithDotNet withDotNet)
+        public BuildCommandAutoRule(WithDotNet<AutobuildOptionsShared> withDotNet)
         {
             this.withDotNet = withDotNet;
         }
@@ -31,7 +31,7 @@ namespace Semmle.Autobuild.Shared
             "build"
         };
 
-        public BuildScript Analyse(Autobuilder builder, bool auto)
+        public BuildScript Analyse(IAutobuilder<AutobuildOptionsShared> builder, bool auto)
         {
             builder.Log(Severity.Info, "Attempting to locate build script");
 

csharp/autobuilder/Semmle.Autobuild.Shared/BuildCommandRule.cs

@@ -3,16 +3,16 @@
     /// <summary>
     /// Execute the build_command rule.
     /// </summary>
-    public class BuildCommandRule : IBuildRule
+    public class BuildCommandRule : IBuildRule<AutobuildOptionsShared>
     {
-        private readonly WithDotNet withDotNet;
+        private readonly WithDotNet<AutobuildOptionsShared> withDotNet;
 
-        public BuildCommandRule(WithDotNet withDotNet)
+        public BuildCommandRule(WithDotNet<AutobuildOptionsShared> withDotNet)
         {
             this.withDotNet = withDotNet;
         }
 
-        public BuildScript Analyse(Autobuilder builder, bool auto)
+        public BuildScript Analyse(IAutobuilder<AutobuildOptionsShared> builder, bool auto)
         {
             if (builder.Options.BuildCommand is null)
                 return BuildScript.Failure;

csharp/autobuilder/Semmle.Autobuild.Shared/MsBuildRule.cs

@@ -6,14 +6,14 @@ namespace Semmle.Autobuild.Shared
     /// <summary>
     /// A build rule using msbuild.
     /// </summary>
-    public class MsBuildRule : IBuildRule
+    public class MsBuildRule : IBuildRule<AutobuildOptionsShared>
     {
         /// <summary>
         /// The name of the msbuild command.
         /// </summary>
         private const string msBuild = "msbuild";
 
-        public BuildScript Analyse(Autobuilder builder, bool auto)
+        public BuildScript Analyse(IAutobuilder<AutobuildOptionsShared> builder, bool auto)
         {
             if (!builder.ProjectsOrSolutionsToBuild.Any())
                 return BuildScript.Failure;
@@ -27,8 +27,8 @@ namespace Semmle.Autobuild.Shared
             {
                 var firstSolution = builder.ProjectsOrSolutionsToBuild.OfType<ISolution>().FirstOrDefault();
                 vsTools = firstSolution is not null
-                                ? BuildTools.FindCompatibleVcVars(builder.Actions, firstSolution)
-                                : BuildTools.VcVarsAllBatFiles(builder.Actions).OrderByDescending(b => b.ToolsVersion).FirstOrDefault();
+                                        ? BuildTools.FindCompatibleVcVars(builder.Actions, firstSolution)
+                                        : BuildTools.VcVarsAllBatFiles(builder.Actions).OrderByDescending(b => b.ToolsVersion).FirstOrDefault();
             }
 
             if (vsTools is null && builder.Actions.IsWindows())
@@ -123,7 +123,7 @@ namespace Semmle.Autobuild.Shared
         ///
         /// Returns <code>null</code> when no version is specified.
         /// </summary>
-        public static VcVarsBatFile? GetVcVarsBatFile(Autobuilder builder)
+        public static VcVarsBatFile? GetVcVarsBatFile<TAutobuildOptions>(IAutobuilder<TAutobuildOptions> builder) where TAutobuildOptions : AutobuildOptionsShared
         {
             VcVarsBatFile? vsTools = null;
 
@@ -154,7 +154,7 @@ namespace Semmle.Autobuild.Shared
         /// <summary>
         /// Returns a script for downloading `nuget.exe` from nuget.org.
         /// </summary>
-        private static BuildScript DownloadNugetExe(Autobuilder builder, string path) =>
+        private static BuildScript DownloadNugetExe<TAutobuildOptions>(IAutobuilder<TAutobuildOptions> builder, string path) where TAutobuildOptions : AutobuildOptionsShared =>
             BuildScript.Create(_ =>
             {
                 builder.Log(Severity.Info, "Attempting to download nuget.exe");

csharp/autobuilder/Semmle.Autobuild.Shared/Project.cs

@@ -12,7 +12,7 @@ namespace Semmle.Autobuild.Shared
     /// C# project files come in 2 flavours, .Net core and msbuild, but they
     /// have the same file extension.
     /// </summary>
-    public class Project : ProjectOrSolution
+    public class Project<TAutobuildOptions> : ProjectOrSolution<TAutobuildOptions> where TAutobuildOptions : AutobuildOptionsShared
     {
         /// <summary>
         /// Holds if this project is for .Net core.
@@ -23,13 +23,13 @@ namespace Semmle.Autobuild.Shared
 
         public Version ToolsVersion { get; private set; }
 
-        private readonly Lazy<List<Project>> includedProjectsLazy;
+        private readonly Lazy<List<Project<TAutobuildOptions>>> includedProjectsLazy;
         public override IEnumerable<IProjectOrSolution> IncludedProjects => includedProjectsLazy.Value;
 
-        public Project(Autobuilder builder, string path) : base(builder, path)
+        public Project(Autobuilder<TAutobuildOptions> builder, string path) : base(builder, path)
         {
             ToolsVersion = new Version();
-            includedProjectsLazy = new Lazy<List<Project>>(() => new List<Project>());
+            includedProjectsLazy = new Lazy<List<Project<TAutobuildOptions>>>(() => new List<Project<TAutobuildOptions>>());
 
             if (!builder.Actions.FileExists(FullPath))
                 return;
@@ -70,9 +70,9 @@ namespace Semmle.Autobuild.Shared
                     }
                 }
 
-                includedProjectsLazy = new Lazy<List<Project>>(() =>
+                includedProjectsLazy = new Lazy<List<Project<TAutobuildOptions>>>(() =>
                 {
-                    var ret = new List<Project>();
+                    var ret = new List<Project<TAutobuildOptions>>();
                     // The documentation on `.proj` files is very limited, but it appears that both
                     // `<ProjectFile Include="X"/>` and `<ProjectFiles Include="X"/>` is valid
                     var mgr = new XmlNamespaceManager(projFile.NameTable);
@@ -89,7 +89,7 @@ namespace Semmle.Autobuild.Shared
                         }
 
                         var includePath = builder.Actions.PathCombine(include.Value.Split('\\', StringSplitOptions.RemoveEmptyEntries));
-                        ret.Add(new Project(builder, builder.Actions.PathCombine(DirectoryName, includePath)));
+                        ret.Add(new Project<TAutobuildOptions>(builder, builder.Actions.PathCombine(DirectoryName, includePath)));
                     }
                     return ret;
                 });

csharp/autobuilder/Semmle.Autobuild.Shared/ProjectOrSolution.cs

@@ -20,13 +20,13 @@ namespace Semmle.Autobuild.Shared
         IEnumerable<IProjectOrSolution> IncludedProjects { get; }
     }
 
-    public abstract class ProjectOrSolution : IProjectOrSolution
+    public abstract class ProjectOrSolution<TAutobuildOptions> : IProjectOrSolution where TAutobuildOptions : AutobuildOptionsShared
     {
         public string FullPath { get; }
 
         public string DirectoryName { get; }
 
-        protected ProjectOrSolution(Autobuilder builder, string path)
+        protected ProjectOrSolution(Autobuilder<TAutobuildOptions> builder, string path)
         {
             FullPath = builder.Actions.GetFullPath(path);
             DirectoryName = builder.Actions.GetDirectoryName(path) ?? "";

csharp/autobuilder/Semmle.Autobuild.Shared/Solution.cs

@@ -40,11 +40,11 @@ namespace Semmle.Autobuild.Shared
     /// <summary>
     /// A solution file on the filesystem, read using Microsoft.Build.
     /// </summary>
-    internal class Solution : ProjectOrSolution, ISolution
+    internal class Solution<TAutobuildOptions> : ProjectOrSolution<TAutobuildOptions>, ISolution where TAutobuildOptions : AutobuildOptionsShared
     {
         private readonly SolutionFile? solution;
 
-        private readonly IEnumerable<Project> includedProjects;
+        private readonly IEnumerable<Project<TAutobuildOptions>> includedProjects;
 
         public override IEnumerable<IProjectOrSolution> IncludedProjects => includedProjects;
 
@@ -57,7 +57,7 @@ namespace Semmle.Autobuild.Shared
         public string DefaultPlatformName =>
             solution is null ? "" : solution.GetDefaultPlatformName();
 
-        public Solution(Autobuilder builder, string path, bool allowProject) : base(builder, path)
+        public Solution(Autobuilder<TAutobuildOptions> builder, string path, bool allowProject) : base(builder, path)
         {
             try
             {
@@ -69,19 +69,19 @@ namespace Semmle.Autobuild.Shared
                 // that scenario as a solution with just that one project
                 if (allowProject)
                 {
-                    includedProjects = new[] { new Project(builder, path) };
+                    includedProjects = new[] { new Project<TAutobuildOptions>(builder, path) };
                     return;
                 }
 
                 builder.Log(Severity.Info, $"Unable to read solution file {path}.");
-                includedProjects = Array.Empty<Project>();
+                includedProjects = Array.Empty<Project<TAutobuildOptions>>();
                 return;
             }
 
             includedProjects = solution.ProjectsInOrder
                 .Where(p => p.ProjectType == SolutionProjectType.KnownToBeMSBuildFormat)
                 .Select(p => builder.Actions.PathCombine(DirectoryName, builder.Actions.PathCombine(p.RelativePath.Split('\\', StringSplitOptions.RemoveEmptyEntries))))
-                .Select(p => new Project(builder, p))
+                .Select(p => new Project<TAutobuildOptions>(builder, p))
                 .ToArray();
         }
 

csharp/ql/campaigns/Solorigate/lib/Solorigate.qll

@@ -1,4 +1,4 @@
-/*
+/**
  * Provides reusable predicates related to Solorigate
  */
 

csharp/ql/lib/change-notes/2022-11-17-deleted-deps.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Deleted the deprecated `getNameWithoutBrackets` predicate from the `ValueOrRefType` class in `Type.qll`.

csharp/ql/lib/experimental/code/csharp/Cryptography/NonCryptographicHashes.qll

@@ -1,4 +1,4 @@
-/*
+/**
  * Predicates that help detect potential non-cryptographic hash functions
  *
  * By themselves, non-cryptographic functions are common and not dangerous

csharp/ql/lib/semmle/code/cil/internal/SsaImpl.qll

@@ -47,19 +47,19 @@ private module Cached {
   }
 
   cached
-  ReadAccess getAFirstRead(Definition def) {
+  ReadAccess getAFirstReadExt(DefinitionExt def) {
     exists(BasicBlock bb1, int i1, BasicBlock bb2, int i2 |
-      def.definesAt(_, bb1, i1) and
-      adjacentDefRead(def, bb1, i1, bb2, i2) and
+      def.definesAt(_, bb1, i1, _) and
+      adjacentDefReadExt(def, _, bb1, i1, bb2, i2) and
       result = bb2.getNode(i2)
     )
   }
 
   cached
-  predicate hasAdjacentReads(Definition def, ReadAccess first, ReadAccess second) {
+  predicate hasAdjacentReadsExt(DefinitionExt def, ReadAccess first, ReadAccess second) {
     exists(BasicBlock bb1, int i1, BasicBlock bb2, int i2 |
       first = bb1.getNode(i1) and
-      adjacentDefRead(def, bb1, i1, bb2, i2) and
+      adjacentDefReadExt(def, _, bb1, i1, bb2, i2) and
       second = bb2.getNode(i2)
     )
   }
@@ -68,9 +68,35 @@ private module Cached {
   Definition getAPhiInput(PhiNode phi) { phiHasInputFromBlock(phi, result, _) }
 
   cached
-  predicate lastRefBeforeRedef(Definition def, BasicBlock bb, int i, Definition next) {
-    lastRefRedef(def, bb, i, next)
+  predicate lastRefBeforeRedefExt(DefinitionExt def, BasicBlock bb, int i, DefinitionExt next) {
+    lastRefRedefExt(def, _, bb, i, next)
   }
 }
 
 import Cached
+
+private module Deprecated {
+  private import CIL
+
+  deprecated ReadAccess getAFirstRead(Definition def) {
+    exists(BasicBlock bb1, int i1, BasicBlock bb2, int i2 |
+      def.definesAt(_, bb1, i1) and
+      adjacentDefRead(def, bb1, i1, bb2, i2) and
+      result = bb2.getNode(i2)
+    )
+  }
+
+  deprecated predicate hasAdjacentReads(Definition def, ReadAccess first, ReadAccess second) {
+    exists(BasicBlock bb1, int i1, BasicBlock bb2, int i2 |
+      first = bb1.getNode(i1) and
+      adjacentDefRead(def, bb1, i1, bb2, i2) and
+      second = bb2.getNode(i2)
+    )
+  }
+
+  deprecated predicate lastRefBeforeRedef(Definition def, BasicBlock bb, int i, Definition next) {
+    lastRefRedef(def, bb, i, next)
+  }
+}
+
+import Deprecated

csharp/ql/lib/semmle/code/csharp/Type.qll

@@ -56,13 +56,6 @@ private predicate isObjectClass(Class c) { c instanceof ObjectType }
  * Either a value type (`ValueType`) or a reference type (`RefType`).
  */
 class ValueOrRefType extends DotNet::ValueOrRefType, Type, Attributable, @value_or_ref_type {
-  /**
-   * DEPRECATED: use `getUndecoratedName()` instead.
-   *
-   * Gets the name of this type without `<...>` brackets, in case it is a generic type.
-   */
-  deprecated string getNameWithoutBrackets() { types(this, _, result) }
-
   /**
    * Holds if this type has the qualified name `qualifier`.`name`.
    *

csharp/ql/lib/semmle/code/csharp/controlflow/internal/Completion.qll

@@ -103,7 +103,6 @@ abstract class Completion extends TCompletion {
    * otherwise it is a normal non-Boolean completion.
    */
   predicate isValidFor(ControlFlowElement cfe) {
-    cfe instanceof NonReturningCall and
     this = cfe.(NonReturningCall).getACompletion()
     or
     this = TThrowCompletion(cfe.(TriedControlFlowElement).getAThrownException())

csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImplShared.qll

@@ -907,9 +907,13 @@ module TestOutput {
 
   query predicate edges(RelevantNode pred, RelevantNode succ, string attr, string val) {
     attr = "semmle.label" and
-    exists(SuccessorType t | succ = getASuccessor(pred, t) |
-      if successorTypeIsSimple(t) then val = "" else val = t.toString()
-    )
+    val =
+      strictconcat(SuccessorType t, string s |
+        succ = getASuccessor(pred, t) and
+        if successorTypeIsSimple(t) then s = "" else s = t.toString()
+      |
+        s, ", " order by s
+      )
     or
     attr = "semmle.order" and
     val =

csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll

@@ -90,43 +90,6 @@ private import internal.FlowSummaryImpl::Public
 private import internal.FlowSummaryImpl::Private::External
 private import internal.FlowSummaryImplSpecific
 
-/**
- * A module importing the frameworks that provide external flow data,
- * ensuring that they are visible to the taint tracking / data flow library.
- */
-private module Frameworks {
-  private import semmle.code.csharp.frameworks.EntityFramework
-  private import semmle.code.csharp.frameworks.JsonNET
-  private import semmle.code.csharp.frameworks.ServiceStack
-  private import semmle.code.csharp.frameworks.Sql
-  private import semmle.code.csharp.frameworks.System
-  private import semmle.code.csharp.frameworks.system.CodeDom
-  private import semmle.code.csharp.frameworks.system.Collections
-  private import semmle.code.csharp.frameworks.system.collections.Generic
-  private import semmle.code.csharp.frameworks.system.collections.Specialized
-  private import semmle.code.csharp.frameworks.system.Data
-  private import semmle.code.csharp.frameworks.system.data.Common
-  private import semmle.code.csharp.frameworks.system.Diagnostics
-  private import semmle.code.csharp.frameworks.system.Linq
-  private import semmle.code.csharp.frameworks.system.Net
-  private import semmle.code.csharp.frameworks.system.net.Mail
-  private import semmle.code.csharp.frameworks.system.IO
-  private import semmle.code.csharp.frameworks.system.io.Compression
-  private import semmle.code.csharp.frameworks.system.runtime.CompilerServices
-  private import semmle.code.csharp.frameworks.system.Security
-  private import semmle.code.csharp.frameworks.system.security.Cryptography
-  private import semmle.code.csharp.frameworks.system.security.cryptography.X509Certificates
-  private import semmle.code.csharp.frameworks.system.Text
-  private import semmle.code.csharp.frameworks.system.text.RegularExpressions
-  private import semmle.code.csharp.frameworks.system.threading.Tasks
-  private import semmle.code.csharp.frameworks.system.Web
-  private import semmle.code.csharp.frameworks.system.web.ui.WebControls
-  private import semmle.code.csharp.frameworks.system.Xml
-  private import semmle.code.csharp.security.dataflow.flowsinks.Html
-  private import semmle.code.csharp.security.dataflow.flowsources.Local
-  private import semmle.code.csharp.security.dataflow.XSSSinks
-}
-
 /**
  * DEPRECATED: Define source models as data extensions instead.
  *

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll

@@ -6,7 +6,6 @@ private import DataFlowPublic
 private import DataFlowPrivate
 private import FlowSummaryImpl as FlowSummaryImpl
 private import semmle.code.csharp.dataflow.FlowSummary as FlowSummary
-private import semmle.code.csharp.dataflow.ExternalFlow
 private import semmle.code.csharp.dispatch.Dispatch
 private import semmle.code.csharp.dispatch.RuntimeCallable
 private import semmle.code.csharp.frameworks.system.Collections

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll

@@ -18,6 +18,7 @@ private import semmle.code.csharp.frameworks.NHibernate
 private import semmle.code.csharp.frameworks.system.Collections
 private import semmle.code.csharp.frameworks.system.threading.Tasks
 private import semmle.code.cil.Ssa::Ssa as CilSsa
+private import semmle.code.cil.internal.SsaImpl as CilSsaImpl
 
 /** Gets the callable in which this node occurs. */
 DataFlowCallable nodeGetEnclosingCallable(NodeImpl n) { result = n.getEnclosingCallableImpl() }
@@ -174,7 +175,7 @@ predicate hasNodePath(ControlFlowReachabilityConfiguration conf, ExprNode n1, No
     cfn = n1.getControlFlowNode() and
     ssaDef.getADefinition() = def and
     ssaDef.getControlFlowNode() = cfnDef and
-    n2.(SsaDefinitionNode).getDefinition() = ssaDef
+    n2.(SsaDefinitionExtNode).getDefinitionExt() = ssaDef
   )
 }
 
@@ -306,17 +307,28 @@ module LocalFlow {
     }
   }
 
+  /** An SSA definition into which another SSA definition may flow. */
+  private class SsaInputDefinitionExtNode extends SsaDefinitionExtNode {
+    SsaInputDefinitionExtNode() {
+      def instanceof Ssa::PhiNode
+      or
+      def instanceof SsaImpl::PhiReadNode
+      or
+      def instanceof LocalFlow::UncertainExplicitSsaDefinition
+    }
+  }
+
   /**
    * Holds if `nodeFrom` is a last node referencing SSA definition `def`, which
    * can reach `next`.
    */
   private predicate localFlowSsaInputFromDef(
-    Node nodeFrom, Ssa::Definition def, Ssa::Definition next
+    Node nodeFrom, SsaImpl::DefinitionExt def, SsaInputDefinitionExtNode next
   ) {
     exists(ControlFlow::BasicBlock bb, int i |
-      SsaImpl::lastRefBeforeRedef(def, bb, i, next) and
-      def.definesAt(_, bb, i) and
-      def = getSsaDefinition(nodeFrom)
+      SsaImpl::lastRefBeforeRedefExt(def, bb, i, next.getDefinitionExt()) and
+      def.definesAt(_, bb, i, _) and
+      def = getSsaDefinitionExt(nodeFrom)
     )
   }
 
@@ -324,18 +336,17 @@ module LocalFlow {
    * Holds if `read` is a last node reading SSA definition `def`, which
    * can reach `next`.
    */
-  predicate localFlowSsaInputFromExpr(
-    ControlFlow::Node read, Ssa::Definition def, Ssa::Definition next
+  predicate localFlowSsaInputFromRead(
+    Node read, SsaImpl::DefinitionExt def, SsaInputDefinitionExtNode next
   ) {
     exists(ControlFlow::BasicBlock bb, int i |
-      SsaImpl::lastRefBeforeRedef(def, bb, i, next) and
-      read = bb.getNode(i) and
-      read.getElement() instanceof AssignableRead
+      SsaImpl::lastRefBeforeRedefExt(def, bb, i, next.getDefinitionExt()) and
+      read.asExprAtNode(bb.getNode(i)) instanceof AssignableRead
     )
   }
 
-  private Ssa::Definition getSsaDefinition(Node n) {
-    result = n.(SsaDefinitionNode).getDefinition()
+  private SsaImpl::DefinitionExt getSsaDefinitionExt(Node n) {
+    result = n.(SsaDefinitionExtNode).getDefinitionExt()
     or
     result = n.(ExplicitParameterNode).getSsaDefinition()
   }
@@ -344,9 +355,9 @@ module LocalFlow {
    * Holds if there is a local use-use flow step from `nodeFrom` to `nodeTo`
    * involving SSA definition `def`.
    */
-  predicate localSsaFlowStepUseUse(Ssa::Definition def, Node nodeFrom, Node nodeTo) {
+  predicate localSsaFlowStepUseUse(SsaImpl::DefinitionExt def, Node nodeFrom, Node nodeTo) {
     exists(ControlFlow::Node cfnFrom, ControlFlow::Node cfnTo |
-      SsaImpl::adjacentReadPairSameVar(def, cfnFrom, cfnTo) and
+      SsaImpl::adjacentReadPairSameVarExt(def, cfnFrom, cfnTo) and
       nodeTo = TExprNode(cfnTo) and
       nodeFrom = TExprNode(cfnFrom)
     )
@@ -356,31 +367,22 @@ module LocalFlow {
    * Holds if there is a local flow step from `nodeFrom` to `nodeTo` involving
    * SSA definition `def`.
    */
-  predicate localSsaFlowStep(Ssa::Definition def, Node nodeFrom, Node nodeTo) {
+  predicate localSsaFlowStep(SsaImpl::DefinitionExt def, Node nodeFrom, Node nodeTo) {
     // Flow from SSA definition/parameter to first read
-    exists(ControlFlow::Node cfn |
-      def = getSsaDefinition(nodeFrom) and
-      nodeTo.asExprAtNode(cfn) = def.getAFirstReadAtNode(cfn)
-    )
+    def = getSsaDefinitionExt(nodeFrom) and
+    SsaImpl::firstReadSameVarExt(def, nodeTo.(ExprNode).getControlFlowNode())
     or
     // Flow from read to next read
     localSsaFlowStepUseUse(def, nodeFrom.(PostUpdateNode).getPreUpdateNode(), nodeTo)
     or
-    // Flow into phi/uncertain SSA definition node from def
-    exists(Ssa::Definition next |
-      localFlowSsaInputFromDef(nodeFrom, def, next) and
-      next = nodeTo.(SsaDefinitionNode).getDefinition()
-    |
-      def = next.(Ssa::PhiNode).getAnInput()
-      or
-      def = next.(LocalFlow::UncertainExplicitSsaDefinition).getPriorDefinition()
-    )
+    // Flow into phi (read)/uncertain SSA definition node from def
+    localFlowSsaInputFromDef(nodeFrom, def, nodeTo)
   }
 
   /**
    * Holds if the source variable of SSA definition `def` is an instance field.
    */
-  predicate usesInstanceField(Ssa::Definition def) {
+  predicate usesInstanceField(SsaImpl::DefinitionExt def) {
     exists(Ssa::SourceVariables::FieldOrPropSourceVariable fp | fp = def.getSourceVariable() |
       not fp.getAssignable().(Modifiable).isStatic()
     )
@@ -389,25 +391,23 @@ module LocalFlow {
   predicate localFlowCapturedVarStep(Node nodeFrom, ImplicitCapturedArgumentNode nodeTo) {
     // Flow from SSA definition to implicit captured variable argument
     exists(Ssa::ExplicitDefinition def, ControlFlow::Nodes::ElementNode call |
-      def = getSsaDefinition(nodeFrom) and
+      def = getSsaDefinitionExt(nodeFrom) and
       def.isCapturedVariableDefinitionFlowIn(_, call, _) and
       nodeTo = TImplicitCapturedArgumentNode(call, def.getSourceVariable().getAssignable())
     )
   }
 
   private module CilFlow {
-    private import semmle.code.cil.internal.SsaImpl as CilSsaImpl
-
     /**
      * Holds if `nodeFrom` is a last node referencing SSA definition `def`, which
      * can reach `next`.
      */
     private predicate localFlowCilSsaInput(
-      Node nodeFrom, CilSsa::Definition def, CilSsa::Definition next
+      Node nodeFrom, CilSsaImpl::DefinitionExt def, CilSsaImpl::DefinitionExt next
     ) {
-      exists(CIL::BasicBlock bb, int i | CilSsaImpl::lastRefBeforeRedef(def, bb, i, next) |
-        def.definesAt(_, bb, i) and
-        def = nodeFrom.(CilSsaDefinitionNode).getDefinition()
+      exists(CIL::BasicBlock bb, int i | CilSsaImpl::lastRefBeforeRedefExt(def, bb, i, next) |
+        def.definesAt(_, bb, i, _) and
+        def = nodeFrom.(CilSsaDefinitionExtNode).getDefinition()
         or
         nodeFrom = TCilExprNode(bb.getNode(i).(CIL::ReadAccess))
       )
@@ -417,30 +417,33 @@ module LocalFlow {
      * Holds if there is a local flow step from `nodeFrom` to `nodeTo` involving
      * CIL SSA definition `def`.
      */
-    private predicate localCilSsaFlowStep(CilSsa::Definition def, Node nodeFrom, Node nodeTo) {
+    private predicate localCilSsaFlowStep(CilSsaImpl::DefinitionExt def, Node nodeFrom, Node nodeTo) {
       // Flow into SSA definition
       exists(CIL::VariableUpdate vu |
-        vu = def.getVariableUpdate() and
+        vu = def.(CilSsa::Definition).getVariableUpdate() and
         vu.getSource() = asCilDataFlowNode(nodeFrom) and
-        def = nodeTo.(CilSsaDefinitionNode).getDefinition()
+        def = nodeTo.(CilSsaDefinitionExtNode).getDefinition()
       )
       or
       // Flow from SSA definition to first read
-      def = nodeFrom.(CilSsaDefinitionNode).getDefinition() and
-      nodeTo = TCilExprNode(CilSsaImpl::getAFirstRead(def))
+      def = nodeFrom.(CilSsaDefinitionExtNode).getDefinition() and
+      nodeTo = TCilExprNode(CilSsaImpl::getAFirstReadExt(def))
       or
       // Flow from read to next read
       exists(CIL::ReadAccess readFrom, CIL::ReadAccess readTo |
-        CilSsaImpl::hasAdjacentReads(def, readFrom, readTo) and
+        CilSsaImpl::hasAdjacentReadsExt(def, readFrom, readTo) and
         nodeTo = TCilExprNode(readTo) and
         nodeFrom = TCilExprNode(readFrom)
       )
       or
-      // Flow into phi node
-      exists(CilSsa::PhiNode phi |
+      // Flow into phi (read) node
+      exists(CilSsaImpl::DefinitionExt phi |
         localFlowCilSsaInput(nodeFrom, def, phi) and
-        phi = nodeTo.(CilSsaDefinitionNode).getDefinition() and
-        def = CilSsaImpl::getAPhiInput(phi)
+        phi = nodeTo.(CilSsaDefinitionExtNode).getDefinition()
+      |
+        phi instanceof CilSsa::PhiNode
+        or
+        phi instanceof CilSsaImpl::PhiReadNode
       )
     }
 
@@ -466,7 +469,7 @@ module LocalFlow {
   }
 
   predicate localFlowStepCommon(Node nodeFrom, Node nodeTo) {
-    exists(Ssa::Definition def |
+    exists(SsaImpl::DefinitionExt def |
       localSsaFlowStep(def, nodeFrom, nodeTo) and
       not usesInstanceField(def)
     )
@@ -528,26 +531,20 @@ module LocalFlow {
 predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
   LocalFlow::localFlowStepCommon(nodeFrom, nodeTo)
   or
-  exists(Ssa::Definition def |
+  exists(SsaImpl::DefinitionExt def |
     LocalFlow::localSsaFlowStepUseUse(def, nodeFrom, nodeTo) and
     not FlowSummaryImpl::Private::Steps::prohibitsUseUseFlow(nodeFrom, _) and
     not LocalFlow::usesInstanceField(def)
   )
   or
-  // Flow into phi/uncertain SSA definition node from read
-  exists(Ssa::Definition def, ControlFlow::Node read, Ssa::Definition next |
-    LocalFlow::localFlowSsaInputFromExpr(read, def, next) and
-    next = nodeTo.(SsaDefinitionNode).getDefinition() and
-    def =
-      [
-        next.(Ssa::PhiNode).getAnInput(),
-        next.(LocalFlow::UncertainExplicitSsaDefinition).getPriorDefinition()
-      ]
+  // Flow into phi (read)/uncertain SSA definition node from read
+  exists(SsaImpl::DefinitionExt def, Node read |
+    LocalFlow::localFlowSsaInputFromRead(read, def, nodeTo)
   |
-    exists(nodeFrom.asExprAtNode(read)) and
+    nodeFrom = read and
     not FlowSummaryImpl::Private::Steps::prohibitsUseUseFlow(nodeFrom, _)
     or
-    exists(nodeFrom.(PostUpdateNode).getPreUpdateNode().asExprAtNode(read))
+    nodeFrom.(PostUpdateNode).getPreUpdateNode() = read
   )
   or
   LocalFlow::localFlowCapturedVarStep(nodeFrom, nodeTo)
@@ -813,8 +810,8 @@ private module Cached {
       cfn.getElement() instanceof Expr
     } or
     TCilExprNode(CIL::Expr e) { e.getImplementation() instanceof CIL::BestImplementation } or
-    TCilSsaDefinitionNode(CilSsa::Definition def) or
-    TSsaDefinitionNode(Ssa::Definition def) {
+    TCilSsaDefinitionExtNode(CilSsaImpl::DefinitionExt def) or
+    TSsaDefinitionExtNode(SsaImpl::DefinitionExt def) {
       // Handled by `TExplicitParameterNode` below
       not def.(Ssa::ExplicitDefinition).getADefinition() instanceof
         AssignableDefinitions::ImplicitParameterDefinition
@@ -880,24 +877,18 @@ private module Cached {
     or
     LocalFlow::localSsaFlowStepUseUse(_, nodeFrom, nodeTo)
     or
-    exists(Ssa::Definition def |
+    exists(SsaImpl::DefinitionExt def |
       LocalFlow::localSsaFlowStep(def, nodeFrom, nodeTo) and
       LocalFlow::usesInstanceField(def)
     )
     or
-    // Flow into phi/uncertain SSA definition node from read
-    exists(Ssa::Definition def, ControlFlow::Node read, Ssa::Definition next |
-      LocalFlow::localFlowSsaInputFromExpr(read, def, next) and
-      next = nodeTo.(SsaDefinitionNode).getDefinition() and
-      def =
-        [
-          next.(Ssa::PhiNode).getAnInput(),
-          next.(LocalFlow::UncertainExplicitSsaDefinition).getPriorDefinition()
-        ]
+    // Flow into phi (read)/uncertain SSA definition node from read
+    exists(SsaImpl::DefinitionExt def, Node read |
+      LocalFlow::localFlowSsaInputFromRead(read, def, nodeTo)
     |
-      exists(nodeFrom.asExprAtNode(read))
+      nodeFrom = read
       or
-      exists(nodeFrom.(PostUpdateNode).getPreUpdateNode().asExprAtNode(read))
+      nodeFrom.(PostUpdateNode).getPreUpdateNode() = read
     )
     or
     // Simple flow through library code is included in the exposed local
@@ -945,9 +936,11 @@ import Cached
 
 /** Holds if `n` should be hidden from path explanations. */
 predicate nodeIsHidden(Node n) {
-  exists(Ssa::Definition def | def = n.(SsaDefinitionNode).getDefinition() |
+  exists(SsaImpl::DefinitionExt def | def = n.(SsaDefinitionExtNode).getDefinitionExt() |
     def instanceof Ssa::PhiNode
     or
+    def instanceof SsaImpl::PhiReadNode
+    or
     def instanceof Ssa::ImplicitEntryDefinition
     or
     def instanceof Ssa::ImplicitCallDefinition
@@ -978,13 +971,13 @@ predicate nodeIsHidden(Node n) {
 }
 
 /** A CIL SSA definition, viewed as a node in a data flow graph. */
-class CilSsaDefinitionNode extends NodeImpl, TCilSsaDefinitionNode {
-  CilSsa::Definition def;
+class CilSsaDefinitionExtNode extends NodeImpl, TCilSsaDefinitionExtNode {
+  CilSsaImpl::DefinitionExt def;
 
-  CilSsaDefinitionNode() { this = TCilSsaDefinitionNode(def) }
+  CilSsaDefinitionExtNode() { this = TCilSsaDefinitionExtNode(def) }
 
   /** Gets the underlying SSA definition. */
-  CilSsa::Definition getDefinition() { result = def }
+  CilSsaImpl::DefinitionExt getDefinition() { result = def }
 
   override DataFlowCallable getEnclosingCallableImpl() {
     result.asCallable() = def.getBasicBlock().getFirstNode().getImplementation().getMethod()
@@ -1000,13 +993,13 @@ class CilSsaDefinitionNode extends NodeImpl, TCilSsaDefinitionNode {
 }
 
 /** An SSA definition, viewed as a node in a data flow graph. */
-class SsaDefinitionNode extends NodeImpl, TSsaDefinitionNode {
-  Ssa::Definition def;
+class SsaDefinitionExtNode extends NodeImpl, TSsaDefinitionExtNode {
+  SsaImpl::DefinitionExt def;
 
-  SsaDefinitionNode() { this = TSsaDefinitionNode(def) }
+  SsaDefinitionExtNode() { this = TSsaDefinitionExtNode(def) }
 
   /** Gets the underlying SSA definition. */
-  Ssa::Definition getDefinition() { result = def }
+  SsaImpl::DefinitionExt getDefinitionExt() { result = def }
 
   override DataFlowCallable getEnclosingCallableImpl() {
     result.asCallable() = def.getEnclosingCallable()
@@ -1014,7 +1007,9 @@ class SsaDefinitionNode extends NodeImpl, TSsaDefinitionNode {
 
   override Type getTypeImpl() { result = def.getSourceVariable().getType() }
 
-  override ControlFlow::Node getControlFlowNodeImpl() { result = def.getControlFlowNode() }
+  override ControlFlow::Node getControlFlowNodeImpl() {
+    result = def.(Ssa::Definition).getControlFlowNode()
+  }
 
   override Location getLocationImpl() { result = def.getLocation() }
 
@@ -1108,13 +1103,11 @@ private module ParameterNodes {
    * }                      }
    * ```
    */
-  class ImplicitCapturedParameterNode extends ParameterNodeImpl, SsaDefinitionNode {
-    override SsaCapturedEntryDefinition def;
-
-    ImplicitCapturedParameterNode() { def = this.getDefinition() }
+  class ImplicitCapturedParameterNode extends ParameterNodeImpl, SsaDefinitionExtNode {
+    ImplicitCapturedParameterNode() { def instanceof SsaCapturedEntryDefinition }
 
     /** Gets the captured variable that this implicit parameter models. */
-    LocalScopeVariable getVariable() { result = def.getVariable() }
+    LocalScopeVariable getVariable() { result = def.(SsaCapturedEntryDefinition).getVariable() }
 
     override predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
       pos.isImplicitCapturedParameterPosition(def.getSourceVariable().getAssignable()) and
@@ -1349,12 +1342,12 @@ private module ReturnNodes {
    * A data-flow node that represents an assignment to an `out` or a `ref`
    * parameter.
    */
-  class OutRefReturnNode extends ReturnNode, SsaDefinitionNode {
+  class OutRefReturnNode extends ReturnNode, SsaDefinitionExtNode {
     OutRefReturnKind kind;
 
     OutRefReturnNode() {
       exists(Parameter p |
-        this.getDefinition().isLiveOutRefParameterDefinition(p) and
+        this.getDefinitionExt().(Ssa::Definition).isLiveOutRefParameterDefinition(p) and
         kind.getPosition() = p.getPosition()
       |
         p.isOut() and kind instanceof OutReturnKind
@@ -1438,11 +1431,11 @@ private module ReturnNodes {
    * }                       }
    * ```
    */
-  class ImplicitCapturedReturnNode extends ReturnNode, SsaDefinitionNode {
+  class ImplicitCapturedReturnNode extends ReturnNode, SsaDefinitionExtNode {
     private Ssa::ExplicitDefinition edef;
 
     ImplicitCapturedReturnNode() {
-      edef = this.getDefinition() and
+      edef = this.getDefinitionExt() and
       edef.isCapturedVariableDefinitionFlowOut(_, _)
     }
 
@@ -1450,8 +1443,8 @@ private module ReturnNodes {
      * Holds if the value at this node may flow out to the implicit call definition
      * at `node`, using one or more calls.
      */
-    predicate flowsOutTo(SsaDefinitionNode node, boolean additionalCalls) {
-      edef.isCapturedVariableDefinitionFlowOut(node.getDefinition(), additionalCalls)
+    predicate flowsOutTo(SsaDefinitionExtNode node, boolean additionalCalls) {
+      edef.isCapturedVariableDefinitionFlowOut(node.getDefinitionExt(), additionalCalls)
     }
 
     override ImplicitCapturedReturnKind getKind() {
@@ -1558,13 +1551,13 @@ private module OutNodes {
    * A data-flow node that reads a value returned implicitly by a callable
    * using a captured variable.
    */
-  class CapturedOutNode extends OutNode, SsaDefinitionNode {
+  class CapturedOutNode extends OutNode, SsaDefinitionExtNode {
     private DataFlowCall call;
 
     CapturedOutNode() {
       exists(ImplicitCapturedReturnNode n, boolean additionalCalls, ControlFlow::Node cfn |
         n.flowsOutTo(this, additionalCalls) and
-        cfn = this.getDefinition().getControlFlowNode()
+        cfn = this.getDefinitionExt().(Ssa::Definition).getControlFlowNode()
       |
         additionalCalls = false and call = csharpCall(_, cfn)
         or
@@ -1576,7 +1569,7 @@ private module OutNodes {
     override DataFlowCall getCall(ReturnKind kind) {
       result = call and
       kind.(ImplicitCapturedReturnKind).getVariable() =
-        this.getDefinition().getSourceVariable().getAssignable()
+        this.getDefinitionExt().getSourceVariable().getAssignable()
     }
   }
 
@@ -1857,7 +1850,7 @@ predicate readStep(Node node1, Content c, Node node2) {
     exists(ForeachStmt fs, Ssa::ExplicitDefinition def |
       x.hasDefPath(fs.getIterableExpr(), node1.getControlFlowNode(), def.getADefinition(),
         def.getControlFlowNode()) and
-      node2.(SsaDefinitionNode).getDefinition() = def and
+      node2.(SsaDefinitionExtNode).getDefinitionExt() = def and
       c instanceof ElementContent
     )
     or
@@ -1880,7 +1873,7 @@ predicate readStep(Node node1, Content c, Node node2) {
       or
       // item = variable in node1 = (..., variable, ...)
       exists(AssignableDefinitions::TupleAssignmentDefinition tad, Ssa::ExplicitDefinition def |
-        node2.(SsaDefinitionNode).getDefinition() = def and
+        node2.(SsaDefinitionExtNode).getDefinitionExt() = def and
         def.getADefinition() = tad and
         tad.getLeaf() = item and
         hasNodePath(x, node1, node2)
@@ -1889,7 +1882,7 @@ predicate readStep(Node node1, Content c, Node node2) {
       // item = variable in node1 = (..., variable, ...) in a case/is var (..., ...)
       te = any(PatternExpr pe).getAChildExpr*() and
       exists(AssignableDefinitions::LocalVariableDefinition lvd, Ssa::ExplicitDefinition def |
-        node2.(SsaDefinitionNode).getDefinition() = def and
+        node2.(SsaDefinitionExtNode).getDefinitionExt() = def and
         def.getADefinition() = lvd and
         lvd.getDeclaration() = item and
         hasNodePath(x, node1, node2)
@@ -2223,7 +2216,7 @@ predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
 
 /** Extra data-flow steps needed for lambda flow analysis. */
 predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) {
-  exists(Ssa::Definition def |
+  exists(SsaImpl::DefinitionExt def |
     LocalFlow::localSsaFlowStep(def, nodeFrom, nodeTo) and
     LocalFlow::usesInstanceField(def) and
     preservesValue = true

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPublic.qll

@@ -119,10 +119,10 @@ class ParameterNode extends Node instanceof ParameterNodeImpl {
 }
 
 /** A definition, viewed as a node in a data flow graph. */
-class AssignableDefinitionNode extends Node, TSsaDefinitionNode {
+class AssignableDefinitionNode extends Node, TSsaDefinitionExtNode {
   private Ssa::ExplicitDefinition edef;
 
-  AssignableDefinitionNode() { this = TSsaDefinitionNode(edef) }
+  AssignableDefinitionNode() { this = TSsaDefinitionExtNode(edef) }
 
   /** Gets the underlying definition. */
   AssignableDefinition getDefinition() { result = this.getDefinitionAtNode(_) }

csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll

@@ -1093,35 +1093,79 @@ private predicate adjacentDefRead(
 }
 
 private predicate adjacentDefReachesRead(
-  Definition def, SsaInput::BasicBlock bb1, int i1, SsaInput::BasicBlock bb2, int i2
+  Definition def, SsaInput::SourceVariable v, SsaInput::BasicBlock bb1, int i1,
+  SsaInput::BasicBlock bb2, int i2
 ) {
-  exists(SsaInput::SourceVariable v | adjacentDefRead(def, bb1, i1, bb2, i2, v) |
+  adjacentDefRead(def, bb1, i1, bb2, i2, v) and
+  (
     def.definesAt(v, bb1, i1)
     or
     SsaInput::variableRead(bb1, i1, v, true)
   )
   or
   exists(SsaInput::BasicBlock bb3, int i3 |
-    adjacentDefReachesRead(def, bb1, i1, bb3, i3) and
+    adjacentDefReachesRead(def, v, bb1, i1, bb3, i3) and
     SsaInput::variableRead(bb3, i3, _, false) and
     Impl::adjacentDefRead(def, bb3, i3, bb2, i2)
   )
 }
 
+private predicate adjacentDefReachesReadExt(
+  DefinitionExt def, SsaInput::SourceVariable v, SsaInput::BasicBlock bb1, int i1,
+  SsaInput::BasicBlock bb2, int i2
+) {
+  Impl::adjacentDefReadExt(def, v, bb1, i1, bb2, i2) and
+  (
+    def.definesAt(v, bb1, i1, _)
+    or
+    SsaInput::variableRead(bb1, i1, v, true)
+  )
+  or
+  exists(SsaInput::BasicBlock bb3, int i3 |
+    adjacentDefReachesReadExt(def, v, bb1, i1, bb3, i3) and
+    SsaInput::variableRead(bb3, i3, v, false) and
+    Impl::adjacentDefReadExt(def, v, bb3, i3, bb2, i2)
+  )
+}
+
 /** Same as `adjacentDefRead`, but skips uncertain reads. */
 pragma[nomagic]
 private predicate adjacentDefSkipUncertainReads(
   Definition def, SsaInput::BasicBlock bb1, int i1, SsaInput::BasicBlock bb2, int i2
 ) {
-  adjacentDefReachesRead(def, bb1, i1, bb2, i2) and
-  SsaInput::variableRead(bb2, i2, _, true)
+  exists(SsaInput::SourceVariable v |
+    adjacentDefReachesRead(def, v, bb1, i1, bb2, i2) and
+    SsaInput::variableRead(bb2, i2, v, true)
+  )
+}
+
+/** Same as `adjacentDefReadExt`, but skips uncertain reads. */
+pragma[nomagic]
+private predicate adjacentDefSkipUncertainReadsExt(
+  DefinitionExt def, SsaInput::BasicBlock bb1, int i1, SsaInput::BasicBlock bb2, int i2
+) {
+  exists(SsaInput::SourceVariable v |
+    adjacentDefReachesReadExt(def, v, bb1, i1, bb2, i2) and
+    SsaInput::variableRead(bb2, i2, v, true)
+  )
 }
 
 private predicate adjacentDefReachesUncertainRead(
   Definition def, SsaInput::BasicBlock bb1, int i1, SsaInput::BasicBlock bb2, int i2
 ) {
-  adjacentDefReachesRead(def, bb1, i1, bb2, i2) and
-  SsaInput::variableRead(bb2, i2, _, false)
+  exists(SsaInput::SourceVariable v |
+    adjacentDefReachesRead(def, v, bb1, i1, bb2, i2) and
+    SsaInput::variableRead(bb2, i2, v, false)
+  )
+}
+
+private predicate adjacentDefReachesUncertainReadExt(
+  DefinitionExt def, SsaInput::BasicBlock bb1, int i1, SsaInput::BasicBlock bb2, int i2
+) {
+  exists(SsaInput::SourceVariable v |
+    adjacentDefReachesReadExt(def, v, bb1, i1, bb2, i2) and
+    SsaInput::variableRead(bb2, i2, v, false)
+  )
 }
 
 /** Same as `lastRefRedef`, but skips uncertain reads. */
@@ -1311,6 +1355,19 @@ private module Cached {
     )
   }
 
+  /**
+   * Holds if the value defined at SSA definition `def` can reach a read at `cfn`,
+   * without passing through any other read.
+   */
+  cached
+  predicate firstReadSameVarExt(DefinitionExt def, ControlFlow::Node cfn) {
+    exists(ControlFlow::BasicBlock bb1, int i1, ControlFlow::BasicBlock bb2, int i2 |
+      def.definesAt(_, bb1, i1, _) and
+      adjacentDefSkipUncertainReadsExt(def, bb1, i1, bb2, i2) and
+      cfn = bb2.getNode(i2)
+    )
+  }
+
   /**
    * Holds if the read at `cfn2` is a read of the same SSA definition `def`
    * as the read at `cfn1`, and `cfn2` can be reached from `cfn1` without
@@ -1326,7 +1383,23 @@ private module Cached {
     )
   }
 
-  /** Same as `lastRefRedef`, but skips uncertain reads. */
+  /**
+   * Holds if the read at `cfn2` is a read of the same SSA definition `def`
+   * as the read at `cfn1`, and `cfn2` can be reached from `cfn1` without
+   * passing through another read.
+   */
+  cached
+  predicate adjacentReadPairSameVarExt(
+    DefinitionExt def, ControlFlow::Node cfn1, ControlFlow::Node cfn2
+  ) {
+    exists(ControlFlow::BasicBlock bb1, int i1, ControlFlow::BasicBlock bb2, int i2 |
+      cfn1 = bb1.getNode(i1) and
+      variableReadActual(bb1, i1, _) and
+      adjacentDefSkipUncertainReadsExt(def, bb1, i1, bb2, i2) and
+      cfn2 = bb2.getNode(i2)
+    )
+  }
+
   cached
   predicate lastRefBeforeRedef(Definition def, ControlFlow::BasicBlock bb, int i, Definition next) {
     Impl::lastRefRedef(def, bb, i, next) and
@@ -1338,6 +1411,21 @@ private module Cached {
     )
   }
 
+  cached
+  predicate lastRefBeforeRedefExt(
+    DefinitionExt def, ControlFlow::BasicBlock bb, int i, DefinitionExt next
+  ) {
+    exists(SsaInput::SourceVariable v |
+      Impl::lastRefRedefExt(def, v, bb, i, next) and
+      not SsaInput::variableRead(bb, i, v, false)
+    )
+    or
+    exists(SsaInput::BasicBlock bb0, int i0 |
+      Impl::lastRefRedefExt(def, _, bb0, i0, next) and
+      adjacentDefReachesUncertainReadExt(def, bb, i, bb0, i0)
+    )
+  }
+
   cached
   predicate lastReadSameVar(Definition def, ControlFlow::Node cfn) {
     exists(ControlFlow::BasicBlock bb, int i |
@@ -1399,6 +1487,9 @@ class DefinitionExt extends Impl::DefinitionExt {
 
   /** Gets the location of this definition. */
   Location getLocation() { result = this.(Ssa::Definition).getLocation() }
+
+  /** Gets the enclosing callable of this definition. */
+  Callable getEnclosingCallable() { result = this.(Ssa::Definition).getEnclosingCallable() }
 }
 
 /**
@@ -1412,4 +1503,8 @@ class PhiReadNode extends DefinitionExt, Impl::PhiReadNode {
   }
 
   override Location getLocation() { result = this.getBasicBlock().getLocation() }
+
+  override Callable getEnclosingCallable() {
+    result = this.getSourceVariable().getEnclosingCallable()
+  }
 }

csharp/ql/lib/semmle/code/csharp/frameworks/EntityFramework.qll

@@ -9,7 +9,6 @@ private import semmle.code.csharp.frameworks.system.data.Entity
 private import semmle.code.csharp.frameworks.system.collections.Generic
 private import semmle.code.csharp.frameworks.Sql
 private import semmle.code.csharp.dataflow.FlowSummary
-private import semmle.code.csharp.dataflow.ExternalFlow
 private import semmle.code.csharp.dataflow.internal.DataFlowPrivate as DataFlowPrivate
 
 /**

csharp/ql/lib/semmle/code/csharp/frameworks/JsonNET.qll

@@ -3,7 +3,6 @@
  */
 
 import csharp
-private import semmle.code.csharp.dataflow.ExternalFlow
 
 /** Definitions relating to the `Json.NET` package. */
 module JsonNET {

csharp/ql/lib/semmle/code/csharp/frameworks/ServiceStack.qll

@@ -6,7 +6,6 @@
  */
 
 import csharp
-private import semmle.code.csharp.dataflow.ExternalFlow
 
 /** A class representing a Service */
 private class ServiceClass extends Class {

csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll

@@ -7,7 +7,6 @@ private import semmle.code.csharp.frameworks.EntityFramework
 private import semmle.code.csharp.frameworks.NHibernate
 private import semmle.code.csharp.frameworks.Dapper
 private import semmle.code.csharp.dataflow.DataFlow4
-private import semmle.code.csharp.dataflow.ExternalFlow
 
 /** An expression containing a SQL command. */
 abstract class SqlExpr extends Expr {

csharp/ql/lib/semmle/code/csharp/frameworks/System.qll

@@ -2,7 +2,6 @@
 
 import csharp
 private import system.Reflection
-private import semmle.code.csharp.dataflow.ExternalFlow
 
 /** The `System` namespace. */
 class SystemNamespace extends Namespace {

csharp/ql/lib/semmle/code/csharp/frameworks/system/CodeDom.qll

@@ -2,7 +2,6 @@
 
 import csharp
 private import semmle.code.csharp.frameworks.System
-private import semmle.code.csharp.dataflow.ExternalFlow
 
 /** The `System.CodeDome` namespace. */
 class SystemCodeDomNamespace extends Namespace {

csharp/ql/lib/semmle/code/csharp/frameworks/system/Collections.qll

@@ -2,7 +2,6 @@
 
 import csharp
 private import semmle.code.csharp.frameworks.System
-private import semmle.code.csharp.dataflow.ExternalFlow
 private import semmle.code.csharp.dataflow.FlowSummary
 
 /** The `System.Collections` namespace. */

csharp/ql/lib/semmle/code/csharp/frameworks/system/Data.qll

@@ -2,7 +2,6 @@
 
 import csharp
 private import semmle.code.csharp.frameworks.System
-private import semmle.code.csharp.dataflow.ExternalFlow
 
 /** The `System.Data` namespace. */
 class SystemDataNamespace extends Namespace {

csharp/ql/lib/semmle/code/csharp/frameworks/system/Diagnostics.qll

@@ -2,7 +2,6 @@
 
 import semmle.code.csharp.Type
 private import semmle.code.csharp.frameworks.System
-private import semmle.code.csharp.dataflow.ExternalFlow
 
 /** The `System.Diagnostics` namespace. */
 class SystemDiagnosticsNamespace extends Namespace {

csharp/ql/lib/semmle/code/csharp/frameworks/system/IO.qll

@@ -2,7 +2,6 @@
 
 import csharp
 private import semmle.code.csharp.frameworks.System
-private import semmle.code.csharp.dataflow.ExternalFlow
 
 /** The `System.IO` namespace. */
 class SystemIONamespace extends Namespace {

csharp/ql/lib/semmle/code/csharp/frameworks/system/Linq.qll

@@ -4,7 +4,6 @@
 
 private import csharp as CSharp
 private import semmle.code.csharp.frameworks.System as System
-private import semmle.code.csharp.dataflow.ExternalFlow as ExternalFlow
 
 /** Definitions relating to the `System.Linq` namespace. */
 module SystemLinq {

csharp/ql/lib/semmle/code/csharp/frameworks/system/Net.qll

@@ -2,7 +2,6 @@
 
 import csharp
 private import semmle.code.csharp.frameworks.System
-private import semmle.code.csharp.dataflow.ExternalFlow
 
 /** The `System.Net` namespace. */
 class SystemNetNamespace extends Namespace {

csharp/ql/lib/semmle/code/csharp/frameworks/system/Security.qll

@@ -1,7 +1,6 @@
 /** Provides classes related to the namespace `System.Security`. */
 
 import csharp
-private import semmle.code.csharp.dataflow.ExternalFlow
 private import semmle.code.csharp.frameworks.System
 
 /** The `System.Security` namespace. */

csharp/ql/lib/semmle/code/csharp/frameworks/system/Text.qll

@@ -2,7 +2,6 @@
 
 import csharp
 private import semmle.code.csharp.frameworks.System
-private import semmle.code.csharp.dataflow.ExternalFlow
 private import semmle.code.csharp.dataflow.FlowSummary
 
 /** The `System.Text` namespace. */

csharp/ql/lib/semmle/code/csharp/frameworks/system/Web.qll

@@ -3,7 +3,6 @@
 import csharp
 private import semmle.code.csharp.frameworks.System
 private import semmle.code.csharp.frameworks.system.collections.Specialized
-private import semmle.code.csharp.dataflow.ExternalFlow
 
 /** The `System.Web` namespace. */
 class SystemWebNamespace extends Namespace {

csharp/ql/lib/semmle/code/csharp/frameworks/system/Xml.qll

@@ -3,7 +3,6 @@
 import csharp
 private import semmle.code.csharp.frameworks.System
 private import semmle.code.csharp.dataflow.DataFlow3
-private import semmle.code.csharp.dataflow.ExternalFlow
 
 /** The `System.Xml` namespace. */
 class SystemXmlNamespace extends Namespace {

csharp/ql/lib/semmle/code/csharp/frameworks/system/collections/Generic.qll

@@ -2,7 +2,6 @@
 
 import csharp
 private import semmle.code.csharp.frameworks.system.Collections
-private import semmle.code.csharp.dataflow.ExternalFlow
 
 /** The `System.Collections.Generic` namespace. */
 class SystemCollectionsGenericNamespace extends Namespace {

csharp/ql/lib/semmle/code/csharp/frameworks/system/collections/Specialized.qll

@@ -2,7 +2,6 @@
 
 import csharp
 private import semmle.code.csharp.frameworks.system.Collections
-private import semmle.code.csharp.dataflow.ExternalFlow
 
 /** The `System.Collections.Specialized` namespace. */
 class SystemCollectionsSpecializedNamespace extends Namespace {

csharp/ql/lib/semmle/code/csharp/frameworks/system/data/Common.qll

@@ -4,7 +4,6 @@
 
 private import csharp as CSharp
 private import semmle.code.csharp.frameworks.system.Data as Data
-private import semmle.code.csharp.dataflow.ExternalFlow as ExternalFlow
 
 /** Definitions relating to the `System.Data.Common` namespace. */
 module SystemDataCommon {

csharp/ql/lib/semmle/code/csharp/frameworks/system/io/Compression.qll

@@ -2,7 +2,6 @@
 
 import csharp
 private import semmle.code.csharp.frameworks.system.IO
-private import semmle.code.csharp.dataflow.ExternalFlow
 
 /** The `System.IO.Compression` namespace. */
 class SystemIOCompressionNamespace extends Namespace {

csharp/ql/lib/semmle/code/csharp/frameworks/system/net/Mail.qll

@@ -2,7 +2,6 @@
 
 import csharp
 private import semmle.code.csharp.frameworks.system.Net
-private import semmle.code.csharp.dataflow.ExternalFlow
 
 /** The `System.Net.Mail` namespace. */
 class SystemNetMailNamespace extends Namespace {

csharp/ql/lib/semmle/code/csharp/frameworks/system/runtime/CompilerServices.qll

@@ -3,7 +3,6 @@
 import csharp
 private import semmle.code.csharp.frameworks.system.Runtime
 private import semmle.code.csharp.dataflow.internal.DataFlowPrivate
-private import semmle.code.csharp.dataflow.ExternalFlow
 
 /** The `System.Runtime.CompilerServices` namespace. */
 class SystemRuntimeCompilerServicesNamespace extends Namespace {

csharp/ql/lib/semmle/code/csharp/frameworks/system/security/Cryptography.qll

@@ -2,7 +2,6 @@
 
 import csharp
 private import semmle.code.csharp.frameworks.system.Security
-private import semmle.code.csharp.dataflow.ExternalFlow
 
 /** The `System.Security.Cryptography` namespace. */
 class SystemSecurityCryptographyNamespace extends Namespace {

csharp/ql/lib/semmle/code/csharp/frameworks/system/security/cryptography/X509Certificates.qll

@@ -2,7 +2,6 @@
 
 import csharp
 private import semmle.code.csharp.frameworks.system.security.Cryptography
-private import semmle.code.csharp.dataflow.ExternalFlow
 
 /** The `System.Security.Cryptography.X509Certificates` namespace. */
 class SystemSecurityCryptographyX509CertificatesNamespace extends Namespace {

csharp/ql/lib/semmle/code/csharp/frameworks/system/text/RegularExpressions.qll

@@ -4,7 +4,6 @@
 
 import default
 import semmle.code.csharp.frameworks.system.Text
-private import semmle.code.csharp.dataflow.ExternalFlow
 
 /** The `System.Text.RegularExpressions` namespace. */
 class SystemTextRegularExpressionsNamespace extends Namespace {

csharp/ql/lib/semmle/code/csharp/frameworks/system/threading/Tasks.qll

@@ -3,7 +3,6 @@
 import csharp
 private import semmle.code.csharp.frameworks.system.Threading
 private import semmle.code.csharp.dataflow.internal.DataFlowPrivate
-private import semmle.code.csharp.dataflow.ExternalFlow
 
 /** The `System.Threading.Tasks` namespace. */
 class SystemThreadingTasksNamespace extends Namespace {

csharp/ql/lib/semmle/code/csharp/frameworks/system/web/ui/WebControls.qll

@@ -2,7 +2,6 @@
 
 import csharp
 private import semmle.code.csharp.frameworks.system.web.UI
-private import semmle.code.csharp.dataflow.ExternalFlow
 
 /** The `System.Web.UI.WebControls` namespace. */
 class SystemWebUIWebControlsNamespace extends Namespace {

csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll

@@ -19,6 +19,13 @@ abstract class RemoteFlowSource extends DataFlow::Node {
   abstract string getSourceType();
 }
 
+/**
+ * A module for importing frameworks that defines remote flow sources.
+ */
+private module RemoteFlowSources {
+  private import semmle.code.csharp.frameworks.ServiceStack
+}
+
 /** A data flow source of remote user input (ASP.NET). */
 abstract class AspNetRemoteFlowSource extends RemoteFlowSource { }
 

csharp/ql/src/Bad Practices/Magic Constants/MagicConstants.qll

@@ -10,26 +10,26 @@ private predicate trivialPositiveIntValue(string s) {
   s =
     [
       "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11", "12", "13", "14", "15", "16",
-      "17", "18", "19", "20", "16", "32", "64", "128", "256", "512", "1024", "2048", "4096",
-      "16384", "32768", "65536", "1048576", "2147483648", "4294967296", "15", "31", "63", "127",
-      "255", "511", "1023", "2047", "4095", "16383", "32767", "65535", "1048577", "2147483647",
-      "4294967295", "0x00000001", "0x00000002", "0x00000004", "0x00000008", "0x00000010",
-      "0x00000020", "0x00000040", "0x00000080", "0x00000100", "0x00000200", "0x00000400",
-      "0x00000800", "0x00001000", "0x00002000", "0x00004000", "0x00008000", "0x00010000",
-      "0x00020000", "0x00040000", "0x00080000", "0x00100000", "0x00200000", "0x00400000",
-      "0x00800000", "0x01000000", "0x02000000", "0x04000000", "0x08000000", "0x10000000",
-      "0x20000000", "0x40000000", "0x80000000", "0x00000001", "0x00000003", "0x00000007",
-      "0x0000000f", "0x0000001f", "0x0000003f", "0x0000007f", "0x000000ff", "0x000001ff",
-      "0x000003ff", "0x000007ff", "0x00000fff", "0x00001fff", "0x00003fff", "0x00007fff",
-      "0x0000ffff", "0x0001ffff", "0x0003ffff", "0x0007ffff", "0x000fffff", "0x001fffff",
-      "0x003fffff", "0x007fffff", "0x00ffffff", "0x01ffffff", "0x03ffffff", "0x07ffffff",
-      "0x0fffffff", "0x1fffffff", "0x3fffffff", "0x7fffffff", "0xffffffff", "0x0001", "0x0002",
-      "0x0004", "0x0008", "0x0010", "0x0020", "0x0040", "0x0080", "0x0100", "0x0200", "0x0400",
-      "0x0800", "0x1000", "0x2000", "0x4000", "0x8000", "0x0001", "0x0003", "0x0007", "0x000f",
-      "0x001f", "0x003f", "0x007f", "0x00ff", "0x01ff", "0x03ff", "0x07ff", "0x0fff", "0x1fff",
-      "0x3fff", "0x7fff", "0xffff", "0x01", "0x02", "0x04", "0x08", "0x10", "0x20", "0x40", "0x80",
-      "0x01", "0x03", "0x07", "0x0f", "0x1f", "0x3f", "0x7f", "0xff", "0x00", "10", "100", "1000",
-      "10000", "100000", "1000000", "10000000", "100000000", "1000000000"
+      "17", "18", "19", "20", "32", "64", "128", "256", "512", "1024", "2048", "4096", "16384",
+      "32768", "65536", "1048576", "2147483648", "4294967296", "31", "63", "127", "255", "511",
+      "1023", "2047", "4095", "16383", "32767", "65535", "1048577", "2147483647", "4294967295",
+      "0x00000001", "0x00000002", "0x00000004", "0x00000008", "0x00000010", "0x00000020",
+      "0x00000040", "0x00000080", "0x00000100", "0x00000200", "0x00000400", "0x00000800",
+      "0x00001000", "0x00002000", "0x00004000", "0x00008000", "0x00010000", "0x00020000",
+      "0x00040000", "0x00080000", "0x00100000", "0x00200000", "0x00400000", "0x00800000",
+      "0x01000000", "0x02000000", "0x04000000", "0x08000000", "0x10000000", "0x20000000",
+      "0x40000000", "0x80000000", "0x00000003", "0x00000007", "0x0000000f", "0x0000001f",
+      "0x0000003f", "0x0000007f", "0x000000ff", "0x000001ff", "0x000003ff", "0x000007ff",
+      "0x00000fff", "0x00001fff", "0x00003fff", "0x00007fff", "0x0000ffff", "0x0001ffff",
+      "0x0003ffff", "0x0007ffff", "0x000fffff", "0x001fffff", "0x003fffff", "0x007fffff",
+      "0x00ffffff", "0x01ffffff", "0x03ffffff", "0x07ffffff", "0x0fffffff", "0x1fffffff",
+      "0x3fffffff", "0x7fffffff", "0xffffffff", "0x0001", "0x0002", "0x0004", "0x0008", "0x0010",
+      "0x0020", "0x0040", "0x0080", "0x0100", "0x0200", "0x0400", "0x0800", "0x1000", "0x2000",
+      "0x4000", "0x8000", "0x0003", "0x0007", "0x000f", "0x001f", "0x003f", "0x007f", "0x00ff",
+      "0x01ff", "0x03ff", "0x07ff", "0x0fff", "0x1fff", "0x3fff", "0x7fff", "0xffff", "0x02",
+      "0x04", "0x08", "0x10", "0x20", "0x40", "0x80", "0x01", "0x03", "0x07", "0x0f", "0x1f",
+      "0x3f", "0x7f", "0xff", "0x00", "100", "1000", "10000", "100000", "1000000", "10000000",
+      "100000000", "1000000000"
     ]
 }
 

csharp/ql/src/utils/model-generator/CaptureTypeBasedSummaryModels.ql

@@ -6,7 +6,6 @@
  * @tags model-generator
  */
 
-import semmle.code.csharp.dataflow.ExternalFlow
 import utils.modelgenerator.internal.CaptureTypeBasedSummaryModels
 
 from TypeBasedFlowTargetApi api, string flow

csharp/ql/test/library-tests/assemblies/assemblies.ql

@@ -34,7 +34,6 @@ where
   f.hasName("f") and
   g.hasName("g") and
   a.getDeclaringType() = class1 and
-  a.getDeclaringType() = class1 and
   b.getDeclaringType() = class1 and
   c.getDeclaringType() = class1 and
   not exists(c.getParameter(0).getType().(KnownType)) and

csharp/ql/test/library-tests/controlflow/graph/NodeGraph.expected

@@ -2775,7 +2775,7 @@ Assert.cs:
 #-----| true -> access to parameter b2
 
 #  140| [assertion failure] access to parameter b2
-#-----| false -> [assertion failure] access to parameter b3
+#-----| false, true -> [assertion failure] access to parameter b3
 
 #  140| access to parameter b2
 #-----| false -> [assertion success] access to parameter b3
@@ -4924,7 +4924,7 @@ ExitMethods.cs:
 #-----|  -> ...;
 
 #   22| call to method ErrorAlways
-#-----| exception(Exception) -> exit M3 (abnormal)
+#-----| exception(ArgumentException), exception(Exception) -> exit M3 (abnormal)
 
 #   22| ...;
 #-----|  -> true

csharp/ql/test/library-tests/csharp7/LocalTaintFlow.expected

@@ -160,7 +160,7 @@
 | CSharp7.cs:232:20:232:23 | null | CSharp7.cs:232:16:232:23 | SSA def(o) |
 | CSharp7.cs:233:13:233:13 | access to local variable o | CSharp7.cs:233:18:233:23 | SSA def(i1) |
 | CSharp7.cs:233:13:233:13 | access to local variable o | CSharp7.cs:237:18:237:18 | access to local variable o |
-| CSharp7.cs:233:13:233:13 | access to local variable o | CSharp7.cs:248:17:248:17 | access to local variable o |
+| CSharp7.cs:233:13:233:13 | access to local variable o | CSharp7.cs:248:9:274:9 | SSA phi read(o) |
 | CSharp7.cs:233:13:233:23 | [false] ... is ... | CSharp7.cs:233:13:233:33 | [false] ... && ... |
 | CSharp7.cs:233:13:233:23 | [true] ... is ... | CSharp7.cs:233:13:233:33 | [false] ... && ... |
 | CSharp7.cs:233:13:233:23 | [true] ... is ... | CSharp7.cs:233:13:233:33 | [true] ... && ... |
@@ -173,13 +173,14 @@
 | CSharp7.cs:235:38:235:39 | access to local variable i1 | CSharp7.cs:235:31:235:41 | $"..." |
 | CSharp7.cs:237:18:237:18 | access to local variable o | CSharp7.cs:237:23:237:31 | SSA def(s1) |
 | CSharp7.cs:237:18:237:18 | access to local variable o | CSharp7.cs:241:18:241:18 | access to local variable o |
-| CSharp7.cs:237:18:237:18 | access to local variable o | CSharp7.cs:248:17:248:17 | access to local variable o |
+| CSharp7.cs:237:18:237:18 | access to local variable o | CSharp7.cs:248:9:274:9 | SSA phi read(o) |
 | CSharp7.cs:237:23:237:31 | SSA def(s1) | CSharp7.cs:239:41:239:42 | access to local variable s1 |
 | CSharp7.cs:239:33:239:39 | "string " | CSharp7.cs:239:31:239:44 | $"..." |
 | CSharp7.cs:239:41:239:42 | access to local variable s1 | CSharp7.cs:239:31:239:44 | $"..." |
 | CSharp7.cs:241:18:241:18 | access to local variable o | CSharp7.cs:244:18:244:18 | access to local variable o |
-| CSharp7.cs:241:18:241:18 | access to local variable o | CSharp7.cs:248:17:248:17 | access to local variable o |
-| CSharp7.cs:244:18:244:18 | access to local variable o | CSharp7.cs:248:17:248:17 | access to local variable o |
+| CSharp7.cs:241:18:241:18 | access to local variable o | CSharp7.cs:248:9:274:9 | SSA phi read(o) |
+| CSharp7.cs:244:18:244:18 | access to local variable o | CSharp7.cs:248:9:274:9 | SSA phi read(o) |
+| CSharp7.cs:248:9:274:9 | SSA phi read(o) | CSharp7.cs:248:17:248:17 | access to local variable o |
 | CSharp7.cs:248:17:248:17 | access to local variable o | CSharp7.cs:254:27:254:27 | access to local variable o |
 | CSharp7.cs:248:17:248:17 | access to local variable o | CSharp7.cs:257:18:257:23 | SSA def(i2) |
 | CSharp7.cs:248:17:248:17 | access to local variable o | CSharp7.cs:260:18:260:23 | SSA def(i3) |

csharp/ql/test/library-tests/dataflow/local/UseUseExplosion.cs

@@ -0,0 +1,29 @@
+class C
+{
+    int Prop { get; set; }
+
+    // Should generate 100 + 100 local use-use flow steps for `x`, and not 100 * 100
+    //
+    // Generated by quick-evaling `gen/0` below:
+    //
+    // ```ql
+    // string gen(int depth) {
+    //   depth in [0 .. 100] and
+    //   (
+    //     if depth = 0
+    //     then result = ""
+    //     else result = "if (Prop > " + depth + ") { " + gen(depth - 1) + " } else Use(x);"
+    //   )
+    // }
+    //
+    // string gen() { result = "var x = 0;\n" + gen(100) + "\n" + gen(100) }
+    // ```
+    void M()
+    {
+        var x = 0;
+        if (Prop > 100) { if (Prop > 99) { if (Prop > 98) { if (Prop > 97) { if (Prop > 96) { if (Prop > 95) { if (Prop > 94) { if (Prop > 93) { if (Prop > 92) { if (Prop > 91) { if (Prop > 90) { if (Prop > 89) { if (Prop > 88) { if (Prop > 87) { if (Prop > 86) { if (Prop > 85) { if (Prop > 84) { if (Prop > 83) { if (Prop > 82) { if (Prop > 81) { if (Prop > 80) { if (Prop > 79) { if (Prop > 78) { if (Prop > 77) { if (Prop > 76) { if (Prop > 75) { if (Prop > 74) { if (Prop > 73) { if (Prop > 72) { if (Prop > 71) { if (Prop > 70) { if (Prop > 69) { if (Prop > 68) { if (Prop > 67) { if (Prop > 66) { if (Prop > 65) { if (Prop > 64) { if (Prop > 63) { if (Prop > 62) { if (Prop > 61) { if (Prop > 60) { if (Prop > 59) { if (Prop > 58) { if (Prop > 57) { if (Prop > 56) { if (Prop > 55) { if (Prop > 54) { if (Prop > 53) { if (Prop > 52) { if (Prop > 51) { if (Prop > 50) { if (Prop > 49) { if (Prop > 48) { if (Prop > 47) { if (Prop > 46) { if (Prop > 45) { if (Prop > 44) { if (Prop > 43) { if (Prop > 42) { if (Prop > 41) { if (Prop > 40) { if (Prop > 39) { if (Prop > 38) { if (Prop > 37) { if (Prop > 36) { if (Prop > 35) { if (Prop > 34) { if (Prop > 33) { if (Prop > 32) { if (Prop > 31) { if (Prop > 30) { if (Prop > 29) { if (Prop > 28) { if (Prop > 27) { if (Prop > 26) { if (Prop > 25) { if (Prop > 24) { if (Prop > 23) { if (Prop > 22) { if (Prop > 21) { if (Prop > 20) { if (Prop > 19) { if (Prop > 18) { if (Prop > 17) { if (Prop > 16) { if (Prop > 15) { if (Prop > 14) { if (Prop > 13) { if (Prop > 12) { if (Prop > 11) { if (Prop > 10) { if (Prop > 9) { if (Prop > 8) { if (Prop > 7) { if (Prop > 6) { if (Prop > 5) { if (Prop > 4) { if (Prop > 3) { if (Prop > 2) { if (Prop > 1) { } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x);
+        if (Prop > 100) { if (Prop > 99) { if (Prop > 98) { if (Prop > 97) { if (Prop > 96) { if (Prop > 95) { if (Prop > 94) { if (Prop > 93) { if (Prop > 92) { if (Prop > 91) { if (Prop > 90) { if (Prop > 89) { if (Prop > 88) { if (Prop > 87) { if (Prop > 86) { if (Prop > 85) { if (Prop > 84) { if (Prop > 83) { if (Prop > 82) { if (Prop > 81) { if (Prop > 80) { if (Prop > 79) { if (Prop > 78) { if (Prop > 77) { if (Prop > 76) { if (Prop > 75) { if (Prop > 74) { if (Prop > 73) { if (Prop > 72) { if (Prop > 71) { if (Prop > 70) { if (Prop > 69) { if (Prop > 68) { if (Prop > 67) { if (Prop > 66) { if (Prop > 65) { if (Prop > 64) { if (Prop > 63) { if (Prop > 62) { if (Prop > 61) { if (Prop > 60) { if (Prop > 59) { if (Prop > 58) { if (Prop > 57) { if (Prop > 56) { if (Prop > 55) { if (Prop > 54) { if (Prop > 53) { if (Prop > 52) { if (Prop > 51) { if (Prop > 50) { if (Prop > 49) { if (Prop > 48) { if (Prop > 47) { if (Prop > 46) { if (Prop > 45) { if (Prop > 44) { if (Prop > 43) { if (Prop > 42) { if (Prop > 41) { if (Prop > 40) { if (Prop > 39) { if (Prop > 38) { if (Prop > 37) { if (Prop > 36) { if (Prop > 35) { if (Prop > 34) { if (Prop > 33) { if (Prop > 32) { if (Prop > 31) { if (Prop > 30) { if (Prop > 29) { if (Prop > 28) { if (Prop > 27) { if (Prop > 26) { if (Prop > 25) { if (Prop > 24) { if (Prop > 23) { if (Prop > 22) { if (Prop > 21) { if (Prop > 20) { if (Prop > 19) { if (Prop > 18) { if (Prop > 17) { if (Prop > 16) { if (Prop > 15) { if (Prop > 14) { if (Prop > 13) { if (Prop > 12) { if (Prop > 11) { if (Prop > 10) { if (Prop > 9) { if (Prop > 8) { if (Prop > 7) { if (Prop > 6) { if (Prop > 5) { if (Prop > 4) { if (Prop > 3) { if (Prop > 2) { if (Prop > 1) { } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x); } else Use(x);
+    }
+
+    void Use(int i) { }
+}

csharp/ql/test/library-tests/dataflow/ssa-large/Large.cs

@@ -2886,7 +2886,7 @@ public class Large
     //   (
     //     if depth = 0
     //     then result = ""
-    //     else else result = "if (Prop > " + depth + ") { " + gen(depth - 1, var) + " } else Use(" + var + ");"
+    //     else result = "if (Prop > " + depth + ") { " + gen(depth - 1, var) + " } else Use(" + var + ");"
     //   )
     // }
     // 

csharp/scripts/create-extractor-pack.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+set -eux
+
+if [[ "$OSTYPE" == "linux-gnu"* ]]; then
+  platform="linux64"
+  dotnet_platform="linux-x64"
+elif [[ "$OSTYPE" == "darwin"* ]]; then
+  platform="osx64"
+  dotnet_platform="osx-x64"
+else
+  echo "Unknown OS"
+  exit 1
+fi
+
+rm -rf extractor-pack
+mkdir -p extractor-pack
+mkdir -p extractor-pack/tools/${platform}
+
+function dotnet_publish {
+  dotnet publish --self-contained --configuration Release --runtime ${dotnet_platform} -p:RuntimeFrameworkVersion=6.0.4 $1 --output extractor-pack/tools/${platform}
+}
+
+dotnet_publish extractor/Semmle.Extraction.CSharp.Standalone
+dotnet_publish extractor/Semmle.Extraction.CSharp.Driver
+dotnet_publish autobuilder/Semmle.Autobuild.CSharp
+
+cp -r codeql-extractor.yml tools/* downgrades tools ql/lib/semmlecode.csharp.dbscheme ql/lib/semmlecode.csharp.dbscheme.stats extractor-pack/

docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst

@@ -312,7 +312,7 @@ For more information, see "`Using CodeQL query packs in the CodeQL action <https
 Including query help for custom CodeQL queries in SARIF files
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-If you use the CodeQL CLI to to run code scanning analyses on third party CI/CD systems,
+If you use the CodeQL CLI to run code scanning analyses on third party CI/CD systems,
 you can include the query help for your custom queries in SARIF files generated during an analysis.
 After uploading the SARIF file to GitHub, the query help is shown in the code scanning UI for any
 alerts generated by the custom queries.

docs/codeql/codeql-language-guides/basic-query-for-cpp-code.rst

@@ -3,7 +3,9 @@
 Basic query for C and C++ code
 ==============================
 
-Learn to write and run a simple CodeQL query using LGTM.
+Learn to write and run a simple CodeQL query using Visual Studio Code with the CodeQL extension.
+
+.. include:: ../reusables/setup-to-run-queries.rst
 
 About the query
 ---------------
@@ -14,62 +16,67 @@ The query we're going to run performs a basic search of the code for ``if`` stat
 
    if (error) { }
 
-Running the query
------------------
+Finding a CodeQL database to experiment with
+--------------------------------------------
 
-#. In the main search box on LGTM.com, search for the project you want to query. For tips, see `Searching <https://lgtm.com/help/lgtm/searching>`__.
+Before you start writing queries for C or C++ code, you need a CodeQL database to run them against. The simplest way to do this is to download a database for a repository that uses C or C++ directly from GitHub.com.
 
-#. Click the project in the search results.
+#. In Visual Studio Code, click the **QL** icon |codeql-ext-icon| in the left sidebar to display the CodeQL extension. 
 
-#. Click **Query this project**.
+#. Click **From GitHub** or the GitHub logo |github-db| at the top of the CodeQL extension to open an entry field.
 
-   This opens the query console. (For information about using this, see `Using the query console <https://lgtm.com/help/lgtm/using-query-console>`__.)
+#. Copy the URL for the repository into the field and press the keyboard **Enter** key. For example, https://github.com/protocolbuffers/protobuf.
 
-   .. pull-quote::
+#. Optionally, if the repository has more than one CodeQL database available, select ``cpp`` to download the database created from the C and/or C++ code. 
 
-      Note
+Information about the download progress for the database is shown in the bottom right corner of Visual Studio Code. When the download is complete, the database is shown with a check mark in the **Databases** section of the CodeQL extension.
 
-      Alternatively, you can go straight to the query console by clicking **Query console** (at the top of any page), selecting **C/C++** from the **Language** drop-down list, then choosing one or more projects to query from those displayed in the **Project** drop-down list.
+.. image:: ../images/codeql-for-visual-studio-code/database-selected.png
+       :align: center
+       :width: 500
 
-#. Copy the following query into the text box in the query console:
+Running a quick query
+---------------------
+
+The CodeQL extension for Visual Studio Code adds several **CodeQL:** commands to the command palette including **Quick Query**, which you can use to run a query without any set up.
+
+#. From the command palette in Visual Studio Code, select **CodeQL: Quick Query**.
+
+#. After a momment, a new tab *quick-query.ql* is opened, ready for you to write a query for your currently selected CodeQL database (here a ``cpp`` database).
+
+   .. image:: ../images/codeql-for-visual-studio-code/quick-query-tab.png
+       :align: center
+
+#. In the quick query tab, delete ``select ""`` and paste the following query beneath the import statement ``import cpp``.
 
    .. code-block:: ql
 
-      import cpp
-
       from IfStmt ifstmt, BlockStmt block
       where ifstmt.getThen() = block and
         block.getNumStmt() = 0
       select ifstmt, "This 'if' statement is redundant."
 
-   LGTM checks whether your query compiles and, if all is well, the **Run** button changes to green to indicate that you can go ahead and run the query.
+#. Save the query in its default location (a temporary "Quick Queries" directory under the workspace for ``GitHub.vscode-codeql/quick-queries``).
 
-#. Click **Run**.
+#. Right-click in the query window and select **CodeQL: Run Query**. (Alternatively, run the command from the Command Palette.)
 
-   The name of the project you are querying, and the ID of the most recently analyzed commit to the project, are listed below the query box. To the right of this is an icon that indicates the progress of the query operation:
+   The query will take a few moments to return results. When the query completes, the results are displayed in a CodeQL Query Results window, alongside the query window.
+   
+   The query results are listed in two columns, corresponding to the two expressions in the ``select`` clause of the query. The first column corresponds to the expression ``ifstmt`` and is linked to the location in the source code of the project where ``ifstmt`` occurs. The second column is the alert message.
 
-   .. image:: ../images/query-progress.png
-       :align: center
+.. image:: ../images/codeql-for-visual-studio-code/basic-cpp-query-results-1.png
+    :align: center
 
-   .. pull-quote::
+If any matching code is found, click a link in the ``ifstmt`` column to open the file and highlight the matching ``if`` statement.
 
-      Note
+.. image:: ../images/codeql-for-visual-studio-code/basic-cpp-query-results-2.png
+    :align: center
 
-      Your query is always run against the most recently analyzed commit to the selected project.
+.. pull-quote::
 
-   The query will take a few moments to return results. When the query completes, the results are displayed below the project name. The query results are listed in two columns, corresponding to the two expressions in the ``select`` clause of the query. The first column corresponds to the expression ``ifstmt`` and is linked to the location in the source code of the project where ``ifstmt`` occurs. The second column is the alert message.
+   Note
 
-   ➤ `Example query results <https://lgtm.com/query/4242591143131494898/>`__
-
-   .. pull-quote::
-
-      Note
-
-      An ellipsis (…) at the bottom of the table indicates that the entire list is not displayed—click it to show more results.
-
-#. If any matching code is found, click a link in the ``ifstmt`` column to view the ``if`` statement in the code viewer.
-
-   The matching ``if`` statement is highlighted with a yellow background in the code viewer. If any code in the file also matches a query from the standard query library for that language, you will see a red alert message at the appropriate point within the code.
+   If you want to move your experimental query somewhere more permanent, you need to move the whole ``Quick Queries`` directory. The directory is a CodeQL pack with a ``qlpack.yml`` file that defines the content as queries for C/C++ CodeQL databases. For more information about CodeQL packs, see ":ref:`Working with CodeQL packs in Visual Studio Code <working-with-codeql-packs-in-visual-studio-code>`."
 
 About the query structure
 ~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -120,7 +127,7 @@ In this case, identifying the ``if`` statement with the empty ``then`` branch as
 
 To exclude ``if`` statements that have an ``else`` branch:
 
-#. Extend the ``where`` clause to include the following extra condition:
+#. Edit your query and extend the ``where`` clause to include the following extra condition:
 
    .. code-block:: ql
 
@@ -134,14 +141,20 @@ To exclude ``if`` statements that have an ``else`` branch:
         block.getNumStmt() = 0 and
         not ifstmt.hasElse()
 
-#. Click **Run**.
+#. Re-run the query.
 
    There are now fewer results because ``if`` statements with an ``else`` branch are no longer reported.
 
-➤ `See this in the query console <https://lgtm.com/query/1899933116489579248/>`__
-
 Further reading
 ---------------
 
 .. include:: ../reusables/cpp-further-reading.rst
 .. include:: ../reusables/codeql-ref-tools-further-reading.rst
+
+.. |codeql-ext-icon| image:: ../images/codeql-for-visual-studio-code/codeql-extension-icon.png
+  :width: 20
+  :alt: Icon for the CodeQL extension.
+
+.. |github-db| image:: ../images/codeql-for-visual-studio-code/add-codeql-db-github.png
+  :width: 20
+  :alt: Icon for the CodeQL extension option to download a CodeQL database from GitHub.