set CompileForOverlayEval in java pack

.bazelrc

@@ -30,13 +30,6 @@ common --registry=https://bcr.bazel.build
 
 common --@rules_dotnet//dotnet/settings:strict_deps=false
 
-# we only configure a nightly toolchain
-common --@rules_rust//rust/toolchain/channel=nightly
-
-# rust does not like the gold linker, while bazel does by default, so let's avoid using it
-common:linux --linkopt=-fuse-ld=lld
-common:macos --linkopt=-fuse-ld=lld
-
 # Reduce this eventually to empty, once we've fixed all our usages of java, and https://github.com/bazel-contrib/rules_go/issues/4193 is fixed
 common --incompatible_autoload_externally="+@rules_java,+@rules_shell"
 

.github/workflows/go-tests-other-os.yml

@@ -0,0 +1,35 @@
+name: "Go: Run Tests - Other OS"
+on:
+  pull_request:
+    paths:
+      - "go/**"
+      - "!go/documentation/**"
+      - "!go/ql/**" # don't run other-os if only ql/ files changed
+      - .github/workflows/go-tests-other-os.yml
+      - .github/actions/**
+      - codeql-workspace.yml
+      - MODULE.bazel
+      - .bazelrc
+      - misc/bazel/**
+
+permissions:
+  contents: read
+
+jobs:
+  test-mac:
+    name: Test MacOS
+    runs-on: macos-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Run tests
+        uses: ./go/actions/test
+
+  test-win:
+    name: Test Windows
+    runs-on: windows-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Run tests
+        uses: ./go/actions/test

.github/workflows/go-tests-rtjo.yml

@@ -0,0 +1,22 @@
+name: "Go: Run RTJO Tests"
+on:
+  pull_request:
+    types:
+      - labeled
+
+permissions:
+  contents: read
+
+jobs:
+  test-linux:
+    if: "github.repository_owner == 'github' && github.event.label.name == 'Run: RTJO Language Tests'"
+    name: RTJO Test Linux (Ubuntu)
+    runs-on: ubuntu-latest-xl
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Run tests
+        uses: ./go/actions/test
+        with:
+          run-code-checks: true
+          dynamic-join-order-mode: all

.github/workflows/go-tests.yml

@@ -1,6 +1,6 @@
 name: "Go: Run Tests"
 on:
-  pull_request:
+  push:
     paths:
       - "go/**"
       - "!go/documentation/**"
@@ -8,6 +8,17 @@ on:
       - .github/workflows/go-tests.yml
       - .github/actions/**
       - codeql-workspace.yml
+    branches:
+      - main
+      - "rc/*"
+  pull_request:
+    paths:
+      - "go/**"
+      - "!go/documentation/**"      
+      - "shared/**"
+      - .github/workflows/go-tests.yml
+      - .github/actions/**
+      - codeql-workspace.yml
       - MODULE.bazel
       - .bazelrc
       - misc/bazel/**

MODULE.bazel

@@ -15,7 +15,7 @@ local_path_override(
 # see https://registry.bazel.build/ for a list of available packages
 
 bazel_dep(name = "platforms", version = "0.0.11")
-bazel_dep(name = "rules_go", version = "0.56.1")
+bazel_dep(name = "rules_go", version = "0.50.1")
 bazel_dep(name = "rules_pkg", version = "1.0.1")
 bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
 bazel_dep(name = "rules_python", version = "0.40.0")
@@ -28,7 +28,7 @@ bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.1")
 bazel_dep(name = "gazelle", version = "0.40.0")
 bazel_dep(name = "rules_dotnet", version = "0.17.4")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
-bazel_dep(name = "rules_rust", version = "0.63.0")
+bazel_dep(name = "rules_rust", version = "0.58.0")
 bazel_dep(name = "zstd", version = "1.5.5.bcr.1")
 
 bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
@@ -37,11 +37,7 @@ bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True
 # the versions there are canonical, the versions here are used for CI in github/codeql, as well as for the vendoring of dependencies.
 RUST_EDITION = "2024"
 
-# run buildutils-internal/scripts/fill-rust-sha256s.py when updating (internal repo)
-# a nightly toolchain is required to enable experimental_use_cc_common_link, which we require internally
-# we prefer to run the same version as internally, even if experimental_use_cc_common_link is not really
-# required in this repo
-RUST_VERSION = "nightly/2025-08-01"
+RUST_VERSION = "1.86.0"
 
 rust = use_extension("@rules_rust//rust:extensions.bzl", "rust")
 rust.toolchain(
@@ -51,29 +47,6 @@ rust.toolchain(
         "x86_64-apple-darwin",
         "aarch64-apple-darwin",
     ],
-    # generated by buildutils-internal/scripts/fill-rust-sha256s.py (internal repo)
-    sha256s = {
-        "2025-08-01/rustc-nightly-x86_64-unknown-linux-gnu.tar.xz": "9bbeaf5d3fc7247d31463a9083aa251c995cc50662c8219e7a2254d76a72a9a4",
-        "2025-08-01/rustc-nightly-x86_64-apple-darwin.tar.xz": "c9ea539a8eff0d5d162701f99f9e1aabe14dd0dfb420d62362817a5d09219de7",
-        "2025-08-01/rustc-nightly-aarch64-apple-darwin.tar.xz": "ae83feebbc39cfd982e4ecc8297731fe79c185173aee138467b334c5404b3773",
-        "2025-08-01/rustc-nightly-x86_64-pc-windows-msvc.tar.xz": "9f170c30d802a349be60cf52ec46260802093cb1013ad667fc0d528b7b10152f",
-        "2025-08-01/clippy-nightly-x86_64-unknown-linux-gnu.tar.xz": "9ae5f3cd8f557c4f6df522597c69d14398cf604cfaed2b83e767c4b77a7eaaf6",
-        "2025-08-01/clippy-nightly-x86_64-apple-darwin.tar.xz": "983cb9ee0b6b968188e04ab2d33743d54764b2681ce565e1b3f2b9135c696a3e",
-        "2025-08-01/clippy-nightly-aarch64-apple-darwin.tar.xz": "ed2219dbc49d088225e1b7c5c4390fa295066e071fddaa2714018f6bb39ddbf0",
-        "2025-08-01/clippy-nightly-x86_64-pc-windows-msvc.tar.xz": "911f40ab5cbdd686f40e00965271fe47c4805513a308ed01f30eafb25b448a50",
-        "2025-08-01/cargo-nightly-x86_64-unknown-linux-gnu.tar.xz": "106463c284e48e4904c717471eeec2be5cc83a9d2cae8d6e948b52438cad2e69",
-        "2025-08-01/cargo-nightly-x86_64-apple-darwin.tar.xz": "6ad35c40efc41a8c531ea43235058347b6902d98a9693bf0aed7fc16d5590cef",
-        "2025-08-01/cargo-nightly-aarch64-apple-darwin.tar.xz": "dd28c365e9d298abc3154c797720ad36a0058f131265c9978b4c8e4e37012c8a",
-        "2025-08-01/cargo-nightly-x86_64-pc-windows-msvc.tar.xz": "7b431286e12d6b3834b038f078389a00cac73f351e8c3152b2504a3c06420b3b",
-        "2025-08-01/llvm-tools-nightly-x86_64-unknown-linux-gnu.tar.xz": "e342e305d7927cc288d386983b2bc253cfad3776b113386e903d0b302648ef47",
-        "2025-08-01/llvm-tools-nightly-x86_64-apple-darwin.tar.xz": "e44dd3506524d85c37b3a54bcc91d01378fd2c590b2db5c5974d12f05c1b84d1",
-        "2025-08-01/llvm-tools-nightly-aarch64-apple-darwin.tar.xz": "0c1b5f46dd81be4a9227b10283a0fcaa39c14fea7e81aea6fd6d9887ff6cdc41",
-        "2025-08-01/llvm-tools-nightly-x86_64-pc-windows-msvc.tar.xz": "423e5fd11406adccbc31b8456ceb7375ce055cdf45e90d2c3babeb2d7f58383f",
-        "2025-08-01/rust-std-nightly-x86_64-unknown-linux-gnu.tar.xz": "3c0ceb46a252647a1d4c7116d9ccae684fa5e42aaf3296419febd2c962c3b41d",
-        "2025-08-01/rust-std-nightly-x86_64-apple-darwin.tar.xz": "3be416003cab10f767390a753d1d16ae4d26c7421c03c98992cf1943e5b0efe8",
-        "2025-08-01/rust-std-nightly-aarch64-apple-darwin.tar.xz": "4046ac0ef951cb056b5028a399124f60999fa37792eab69d008d8d7965f389b4",
-        "2025-08-01/rust-std-nightly-x86_64-pc-windows-msvc.tar.xz": "191ed9d8603c3a4fe5a7bbbc2feb72049078dae2df3d3b7d5dedf3abbf823e6e",
-    },
     versions = [RUST_VERSION],
 )
 use_repo(rust, "rust_toolchains")
@@ -233,7 +206,6 @@ use_repo(
     "kotlin-compiler-2.1.0-Beta1",
     "kotlin-compiler-2.1.20-Beta1",
     "kotlin-compiler-2.2.0-Beta1",
-    "kotlin-compiler-2.2.20-Beta2",
     "kotlin-compiler-embeddable-1.6.0",
     "kotlin-compiler-embeddable-1.6.20",
     "kotlin-compiler-embeddable-1.7.0",
@@ -246,7 +218,6 @@ use_repo(
     "kotlin-compiler-embeddable-2.1.0-Beta1",
     "kotlin-compiler-embeddable-2.1.20-Beta1",
     "kotlin-compiler-embeddable-2.2.0-Beta1",
-    "kotlin-compiler-embeddable-2.2.20-Beta2",
     "kotlin-stdlib-1.6.0",
     "kotlin-stdlib-1.6.20",
     "kotlin-stdlib-1.7.0",
@@ -259,11 +230,10 @@ use_repo(
     "kotlin-stdlib-2.1.0-Beta1",
     "kotlin-stdlib-2.1.20-Beta1",
     "kotlin-stdlib-2.2.0-Beta1",
-    "kotlin-stdlib-2.2.20-Beta2",
 )
 
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
-go_sdk.download(version = "1.25.0")
+go_sdk.download(version = "1.24.0")
 
 go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//go/extractor:go.mod")

actions/ql/lib/CHANGELOG.md

@@ -1,17 +1,3 @@
-## 0.4.15
-
-No user-facing changes.
-
-## 0.4.14
-
-No user-facing changes.
-
-## 0.4.13
-
-### Bug Fixes
-
-* The `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` queries now exclude artifacts downloaded to `$[{ runner.temp }}` in addition to `/tmp`.
-
 ## 0.4.12
 
 ### Minor Analysis Improvements

actions/ql/lib/change-notes/released/0.4.13.md

@@ -1,5 +0,0 @@
-## 0.4.13
-
-### Bug Fixes
-
-* The `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` queries now exclude artifacts downloaded to `$[{ runner.temp }}` in addition to `/tmp`.

actions/ql/lib/change-notes/released/0.4.14.md

@@ -1,3 +0,0 @@
-## 0.4.14
-
-No user-facing changes.

actions/ql/lib/change-notes/released/0.4.15.md

@@ -1,3 +0,0 @@
-## 0.4.15
-
-No user-facing changes.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.15
+lastReleaseVersion: 0.4.12

actions/ql/lib/codeql/actions/Helper.qll

@@ -72,7 +72,7 @@ string normalizePath(string path) {
       then result = path
       else
         // foo -> GITHUB_WORKSPACE/foo
-        if path.regexpMatch("^[^$/~].*")
+        if path.regexpMatch("^[^/~].*")
         then result = "GITHUB_WORKSPACE/" + path.regexpReplaceAll("/$", "")
         else
           // ~/foo -> ~/foo

actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll

@@ -1,7 +1,6 @@
 private import actions
 private import codeql.actions.TaintTracking
 private import codeql.actions.dataflow.ExternalFlow
-private import codeql.actions.security.ControlChecks
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.DataFlow
 
@@ -66,16 +65,6 @@ class ArgumentInjectionFromMaDSink extends ArgumentInjectionSink {
   override string getCommand() { result = "unknown" }
 }
 
-/**
- * Gets the event that is relevant for the given node in the context of argument injection.
- *
- * This is used to highlight the event in the query results when an alert is raised.
- */
-Event getRelevantEventInPrivilegedContext(DataFlow::Node node) {
-  inPrivilegedContext(node.asExpr(), result) and
-  not exists(ControlCheck check | check.protects(node.asExpr(), result, "argument-injection"))
-}
-
 /**
  * A taint-tracking configuration for unsafe user input
  * that is used to construct and evaluate a code script.
@@ -99,16 +88,6 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig {
       run.getScript().getAnEnvReachingArgumentInjectionSink(var, _, _)
     )
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
-
-  Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    result = getRelevantEventInPrivilegedContext(sink).getLocation()
-  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */

actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll

@@ -4,7 +4,6 @@ import codeql.actions.DataFlow
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.security.PoisonableSteps
 import codeql.actions.security.UntrustedCheckoutQuery
-import codeql.actions.security.ControlChecks
 
 string unzipRegexp() { result = "(unzip|tar)\\s+.*" }
 
@@ -263,10 +262,8 @@ class ArtifactPoisoningSink extends DataFlow::Node {
 
   ArtifactPoisoningSink() {
     download.getAFollowingStep() = poisonable and
-    // excluding artifacts downloaded to the temporary directory
+    // excluding artifacts downloaded to /tmp
     not download.getPath().regexpMatch("^/tmp.*") and
-    not download.getPath().regexpMatch("^\\$\\{\\{\\s*runner\\.temp\\s*}}.*") and
-    not download.getPath().regexpMatch("^\\$RUNNER_TEMP.*") and
     (
       poisonable.(Run).getScript() = this.asExpr() and
       (
@@ -293,16 +290,6 @@ class ArtifactPoisoningSink extends DataFlow::Node {
   string getPath() { result = download.getPath() }
 }
 
-/**
- * Gets the event that is relevant for the given node in the context of artifact poisoning.
- *
- * This is used to highlight the event in the query results when an alert is raised.
- */
-Event getRelevantEventInPrivilegedContext(DataFlow::Node node) {
-  inPrivilegedContext(node.asExpr(), result) and
-  not exists(ControlCheck check | check.protects(node.asExpr(), result, "artifact-poisoning"))
-}
-
 /**
  * A taint-tracking configuration for unsafe artifacts
  * that is used may lead to artifact poisoning
@@ -329,16 +316,6 @@ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
-
-  Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    result = getRelevantEventInPrivilegedContext(sink).getLocation()
-  }
 }
 
 /** Tracks flow of unsafe artifacts that is used in an insecure way. */

actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll

@@ -3,8 +3,6 @@ private import codeql.actions.TaintTracking
 private import codeql.actions.dataflow.ExternalFlow
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.DataFlow
-import codeql.actions.security.ControlChecks
-import codeql.actions.security.CachePoisoningQuery
 
 class CodeInjectionSink extends DataFlow::Node {
   CodeInjectionSink() {
@@ -13,46 +11,6 @@ class CodeInjectionSink extends DataFlow::Node {
   }
 }
 
-/**
- * Get the relevant event for the sink in CodeInjectionCritical.ql.
- */
-Event getRelevantCriticalEventForSink(DataFlow::Node sink) {
-  inPrivilegedContext(sink.asExpr(), result) and
-  not exists(ControlCheck check | check.protects(sink.asExpr(), result, "code-injection")) and
-  // exclude cases where the sink is a JS script and the expression uses toJson
-  not exists(UsesStep script |
-    script.getCallee() = "actions/github-script" and
-    script.getArgumentExpr("script") = sink.asExpr() and
-    exists(getAToJsonReferenceExpression(sink.asExpr().(Expression).getExpression(), _))
-  )
-}
-
-/**
- * Get the relevant event for the sink in CachePoisoningViaCodeInjection.ql.
- */
-Event getRelevantCachePoisoningEventForSink(DataFlow::Node sink) {
-  exists(LocalJob job |
-    job = sink.asExpr().getEnclosingJob() and
-    job.getATriggerEvent() = result and
-    // job can be triggered by an external user
-    result.isExternallyTriggerable() and
-    // excluding privileged workflows since they can be exploited in easier circumstances
-    // which is covered by `actions/code-injection/critical`
-    not job.isPrivilegedExternallyTriggerable(result) and
-    (
-      // the workflow runs in the context of the default branch
-      runsOnDefaultBranch(result)
-      or
-      // the workflow caller runs in the context of the default branch
-      result.getName() = "workflow_call" and
-      exists(ExternalJob caller |
-        caller.getCallee() = job.getLocation().getFile().getRelativePath() and
-        runsOnDefaultBranch(caller.getATriggerEvent())
-      )
-    )
-  )
-}
-
 /**
  * A taint-tracking configuration for unsafe user input
  * that is used to construct and evaluate a code script.
@@ -77,18 +35,6 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
-
-  Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    result = getRelevantCriticalEventForSink(sink).getLocation()
-    or
-    result = getRelevantCachePoisoningEventForSink(sink).getLocation()
-  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */

actions/ql/lib/codeql/actions/security/CommandInjectionQuery.qll

@@ -3,20 +3,11 @@ private import codeql.actions.TaintTracking
 private import codeql.actions.dataflow.ExternalFlow
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.DataFlow
-import codeql.actions.security.ControlChecks
 
 private class CommandInjectionSink extends DataFlow::Node {
   CommandInjectionSink() { madSink(this, "command-injection") }
 }
 
-/** Get the relevant event for the sink in CommandInjectionCritical.ql. */
-Event getRelevantEventInPrivilegedContext(DataFlow::Node sink) {
-  inPrivilegedContext(sink.asExpr(), result) and
-  not exists(ControlCheck check |
-    check.protects(sink.asExpr(), result, ["command-injection", "code-injection"])
-  )
-}
-
 /**
  * A taint-tracking configuration for unsafe user input
  * that is used to construct and evaluate a system command.
@@ -25,16 +16,6 @@ private module CommandInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
-
-  Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    result = getRelevantEventInPrivilegedContext(sink).getLocation()
-  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */

actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll

@@ -72,25 +72,6 @@ class EnvPathInjectionFromMaDSink extends EnvPathInjectionSink {
   EnvPathInjectionFromMaDSink() { madSink(this, "envpath-injection") }
 }
 
-/**
- * Get the relevant event for a sink in EnvPathInjectionCritical.ql where the source type is "artifact".
- */
-Event getRelevantArtifactEventInPrivilegedContext(DataFlow::Node sink) {
-  inPrivilegedContext(sink.asExpr(), result) and
-  not exists(ControlCheck check |
-    check.protects(sink.asExpr(), result, ["untrusted-checkout", "artifact-poisoning"])
-  ) and
-  sink instanceof EnvPathInjectionFromFileReadSink
-}
-
-/**
- * Get the relevant event for a sink in EnvPathInjectionCritical.ql where the source type is not "artifact".
- */
-Event getRelevantNonArtifactEventInPrivilegedContext(DataFlow::Node sink) {
-  inPrivilegedContext(sink.asExpr(), result) and
-  not exists(ControlCheck check | check.protects(sink.asExpr(), result, "code-injection"))
-}
-
 /**
  * A taint-tracking configuration for unsafe user input
  * that is used to construct and evaluate an environment variable.
@@ -127,18 +108,6 @@ private module EnvPathInjectionConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
-
-  Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    result = getRelevantArtifactEventInPrivilegedContext(sink).getLocation()
-    or
-    result = getRelevantNonArtifactEventInPrivilegedContext(sink).getLocation()
-  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate the PATH environment variable. */

actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll

@@ -126,32 +126,6 @@ class EnvVarInjectionFromMaDSink extends EnvVarInjectionSink {
   EnvVarInjectionFromMaDSink() { madSink(this, "envvar-injection") }
 }
 
-/**
- * Get the relevant event for a sink in EnvVarInjectionCritical.ql where the source type is "artifact".
- */
-Event getRelevantArtifactEventInPrivilegedContext(DataFlow::Node sink) {
-  inPrivilegedContext(sink.asExpr(), result) and
-  not exists(ControlCheck check |
-    check
-        .protects(sink.asExpr(), result,
-          ["envvar-injection", "untrusted-checkout", "artifact-poisoning"])
-  ) and
-  (
-    sink instanceof EnvVarInjectionFromFileReadSink or
-    madSink(sink, "envvar-injection")
-  )
-}
-
-/**
- * Get the relevant event for a sink in EnvVarInjectionCritical.ql where the source type is not "artifact".
- */
-Event getRelevantNonArtifactEventInPrivilegedContext(DataFlow::Node sink) {
-  inPrivilegedContext(sink.asExpr(), result) and
-  not exists(ControlCheck check |
-    check.protects(sink.asExpr(), result, ["envvar-injection", "code-injection"])
-  )
-}
-
 /**
  * A taint-tracking configuration for unsafe user input
  * that is used to construct and evaluate an environment variable.
@@ -189,18 +163,6 @@ private module EnvVarInjectionConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
-
-  Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    result = getRelevantArtifactEventInPrivilegedContext(sink).getLocation()
-    or
-    result = getRelevantNonArtifactEventInPrivilegedContext(sink).getLocation()
-  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.15
+version: 0.4.13-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,15 +1,3 @@
-## 0.6.7
-
-No user-facing changes.
-
-## 0.6.6
-
-No user-facing changes.
-
-## 0.6.5
-
-No user-facing changes.
-
 ## 0.6.4
 
 No user-facing changes.

actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql

@@ -21,12 +21,18 @@ import codeql.actions.security.ControlChecks
 from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink, Event event
 where
   EnvPathInjectionFlow::flowPath(source, sink) and
+  inPrivilegedContext(sink.getNode().asExpr(), event) and
   (
     not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
-    event = getRelevantNonArtifactEventInPrivilegedContext(sink.getNode())
+    not exists(ControlCheck check |
+      check.protects(sink.getNode().asExpr(), event, "code-injection")
+    )
     or
     source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
-    event = getRelevantArtifactEventInPrivilegedContext(sink.getNode())
+    not exists(ControlCheck check |
+      check.protects(sink.getNode().asExpr(), event, ["untrusted-checkout", "artifact-poisoning"])
+    ) and
+    sink.getNode() instanceof EnvPathInjectionFromFileReadSink
   )
 select sink.getNode(), source, sink,
   "Potential PATH environment variable injection in $@, which may be controlled by an external user ($@).",

actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql

@@ -22,15 +22,26 @@ import codeql.actions.security.ControlChecks
 from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink, Event event
 where
   EnvVarInjectionFlow::flowPath(source, sink) and
+  inPrivilegedContext(sink.getNode().asExpr(), event) and
   // exclude paths to file read sinks from non-artifact sources
   (
     // source is text
     not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
-    event = getRelevantNonArtifactEventInPrivilegedContext(sink.getNode())
+    not exists(ControlCheck check |
+      check.protects(sink.getNode().asExpr(), event, ["envvar-injection", "code-injection"])
+    )
     or
     // source is an artifact or a file from an untrusted checkout
     source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
-    event = getRelevantArtifactEventInPrivilegedContext(sink.getNode())
+    not exists(ControlCheck check |
+      check
+          .protects(sink.getNode().asExpr(), event,
+            ["envvar-injection", "untrusted-checkout", "artifact-poisoning"])
+    ) and
+    (
+      sink.getNode() instanceof EnvVarInjectionFromFileReadSink or
+      madSink(sink.getNode(), "envvar-injection")
+    )
   )
 select sink.getNode(), source, sink,
   "Potential environment variable injection in $@, which may be controlled by an external user ($@).",

actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql

@@ -22,8 +22,15 @@ import codeql.actions.security.ControlChecks
 from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Event event
 where
   CodeInjectionFlow::flowPath(source, sink) and
-  event = getRelevantCriticalEventForSink(sink.getNode()) and
-  source.getNode().(RemoteFlowSource).getEventName() = event.getName()
+  inPrivilegedContext(sink.getNode().asExpr(), event) and
+  source.getNode().(RemoteFlowSource).getEventName() = event.getName() and
+  not exists(ControlCheck check | check.protects(sink.getNode().asExpr(), event, "code-injection")) and
+  // exclude cases where the sink is a JS script and the expression uses toJson
+  not exists(UsesStep script |
+    script.getCallee() = "actions/github-script" and
+    script.getArgumentExpr("script") = sink.getNode().asExpr() and
+    exists(getAToJsonReferenceExpression(sink.getNode().asExpr().(Expression).getExpression(), _))
+  )
 select sink.getNode(), source, sink,
   "Potential code injection in $@, which may be controlled by an external user ($@).", sink,
   sink.getNode().asExpr().(Expression).getRawExpression(), event, event.getName()

actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql

@@ -18,13 +18,30 @@ import codeql.actions.security.CachePoisoningQuery
 import CodeInjectionFlow::PathGraph
 import codeql.actions.security.ControlChecks
 
-from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Event event
+from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, LocalJob job, Event event
 where
   CodeInjectionFlow::flowPath(source, sink) and
-  event = getRelevantCachePoisoningEventForSink(sink.getNode()) and
+  job = sink.getNode().asExpr().getEnclosingJob() and
+  job.getATriggerEvent() = event and
+  // job can be triggered by an external user
+  event.isExternallyTriggerable() and
   // the checkout is not controlled by an access check
   not exists(ControlCheck check |
     check.protects(source.getNode().asExpr(), event, "code-injection")
+  ) and
+  // excluding privileged workflows since they can be exploited in easier circumstances
+  // which is covered by `actions/code-injection/critical`
+  not job.isPrivilegedExternallyTriggerable(event) and
+  (
+    // the workflow runs in the context of the default branch
+    runsOnDefaultBranch(event)
+    or
+    // the workflow caller runs in the context of the default branch
+    event.getName() = "workflow_call" and
+    exists(ExternalJob caller |
+      caller.getCallee() = job.getLocation().getFile().getRelativePath() and
+      runsOnDefaultBranch(caller.getATriggerEvent())
+    )
   )
 select sink.getNode(), source, sink,
   "Unprivileged code injection in $@, which may lead to cache poisoning ($@).", sink,

actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql

@@ -19,7 +19,10 @@ import codeql.actions.security.ControlChecks
 from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sink, Event event
 where
   ArtifactPoisoningFlow::flowPath(source, sink) and
-  event = getRelevantEventInPrivilegedContext(sink.getNode())
+  inPrivilegedContext(sink.getNode().asExpr(), event) and
+  not exists(ControlCheck check |
+    check.protects(sink.getNode().asExpr(), event, "artifact-poisoning")
+  )
 select sink.getNode(), source, sink,
   "Potential artifact poisoning in $@, which may be controlled by an external user ($@).", sink,
   sink.getNode().toString(), event, event.getName()

actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md

@@ -1,6 +1,6 @@
 ## Overview
 
-GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed (e.g., due to a modified build script) in a privileged job.
+GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed in a privileged job.
 
 ## Recommendation
 
@@ -32,7 +32,7 @@ jobs:
 
       - uses: actions/setup-node@v1
       - run: |
-          npm install # scripts in package.json from PR would be executed here
+          npm install
           npm build
 
       - uses: completely/fakeaction@v2

actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md

@@ -1,6 +1,6 @@
 ## Overview
 
-GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed (e.g., due to a modified build script) in a privileged job.
+GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed in a privileged job.
 
 ## Recommendation
 
@@ -32,7 +32,7 @@ jobs:
 
       - uses: actions/setup-node@v1
       - run: |
-          npm install # scripts in package.json from PR would be executed here
+          npm install
           npm build
 
       - uses: completely/fakeaction@v2

actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md

@@ -1,6 +1,6 @@
 ## Overview
 
-GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed (e.g., due to a modified build script) in a privileged job.
+GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed in a privileged job.
 
 ## Recommendation
 
@@ -32,7 +32,7 @@ jobs:
 
       - uses: actions/setup-node@v1
       - run: |
-          npm install # scripts in package.json from PR would be executed here
+          npm install
           npm build
 
       - uses: completely/fakeaction@v2

actions/ql/src/change-notes/released/0.6.5.md

@@ -1,3 +0,0 @@
-## 0.6.5
-
-No user-facing changes.

actions/ql/src/change-notes/released/0.6.6.md

@@ -1,3 +0,0 @@
-## 0.6.6
-
-No user-facing changes.

actions/ql/src/change-notes/released/0.6.7.md

@@ -1,3 +0,0 @@
-## 0.6.7
-
-No user-facing changes.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.7
+lastReleaseVersion: 0.6.4

actions/ql/src/experimental/Security/CWE-078/CommandInjectionCritical.ql

@@ -21,7 +21,10 @@ import codeql.actions.security.ControlChecks
 from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink, Event event
 where
   CommandInjectionFlow::flowPath(source, sink) and
-  event = getRelevantEventInPrivilegedContext(sink.getNode())
+  inPrivilegedContext(sink.getNode().asExpr(), event) and
+  not exists(ControlCheck check |
+    check.protects(sink.getNode().asExpr(), event, ["command-injection", "code-injection"])
+  )
 select sink.getNode(), source, sink,
   "Potential command injection in $@, which may be controlled by an external user ($@).", sink,
   sink.getNode().asExpr().(Expression).getRawExpression(), event, event.getName()

actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql

@@ -20,7 +20,10 @@ import codeql.actions.security.ControlChecks
 from ArgumentInjectionFlow::PathNode source, ArgumentInjectionFlow::PathNode sink, Event event
 where
   ArgumentInjectionFlow::flowPath(source, sink) and
-  event = getRelevantEventInPrivilegedContext(sink.getNode())
+  inPrivilegedContext(sink.getNode().asExpr(), event) and
+  not exists(ControlCheck check |
+    check.protects(sink.getNode().asExpr(), event, "argument-injection")
+  )
 select sink.getNode(), source, sink,
   "Potential argument injection in $@ command, which may be controlled by an external user ($@).",
   sink, sink.getNode().(ArgumentInjectionSink).getCommand(), event, event.getName()

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.7
+version: 0.6.5-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning93.yml

@@ -1,19 +0,0 @@
-on:
-  workflow_run:
-    workflows:
-      - Benchmark
-    types:
-      - completed
-
-jobs:
-  benchmark:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Download From PR
-        uses: actions/download-artifact@v4
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          run-id: ${{ github.event.workflow_run.id }}
-          path: ${{ runner.temp }}/artifacts/
-      - run: npm install

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning94.yml

@@ -1,19 +0,0 @@
-on:
-  workflow_run:
-    workflows:
-      - Benchmark
-    types:
-      - completed
-
-jobs:
-  benchmark:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Download From PR
-        uses: actions/download-artifact@v4
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          run-id: ${{ github.event.workflow_run.id }}
-          path: /tmp/artifacts/
-      - run: npm install

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning95.yml

@@ -1,19 +0,0 @@
-on:
-  workflow_run:
-    workflows:
-      - Benchmark
-    types:
-      - completed
-
-jobs:
-  benchmark:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Download From PR
-        uses: actions/download-artifact@v4
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          run-id: ${{ github.event.workflow_run.id }}
-          path: $RUNNER_TEMP/artifacts/
-      - run: npm install

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning96.yml

@@ -1,18 +0,0 @@
-on:
-  workflow_run:
-    workflows:
-      - Benchmark
-    types:
-      - completed
-
-jobs:
-  benchmark:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Download From PR
-        uses: actions/download-artifact@v4
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          run-id: ${{ github.event.workflow_run.id }}
-      - run: npm install

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning97.yml

@@ -1,19 +0,0 @@
-on:
-  workflow_run:
-    workflows:
-      - Benchmark
-    types:
-      - completed
-
-jobs:
-  benchmark:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Download From PR
-        uses: actions/download-artifact@v4
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          run-id: ${{ github.event.workflow_run.id }}
-          path: ${{  runner.temp  }}/artifacts/
-      - run: npm install

actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected

@@ -13,7 +13,6 @@ edges
 | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance | Config |
 | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | Config |
 | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | Config |
-| .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | provenance | Config |
 | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | provenance | Config |
 | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | provenance | Config |
 | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | provenance | Config |
@@ -45,8 +44,6 @@ nodes
 | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | semmle.label | python test.py |
 | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | semmle.label | make snapshot |
-| .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | semmle.label | Uses Step |
-| .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | semmle.label | npm install |
 | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | semmle.label | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n |
 | .github/workflows/test18.yml:12:15:33:12 | Uses Step | semmle.label | Uses Step |
@@ -69,7 +66,6 @@ subpaths
 | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | python test.py | .github/workflows/artifactpoisoning81.yml:3:5:3:23 | pull_request_target | pull_request_target |
 | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Uses Step | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run |
 | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | make snapshot | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | npm install | .github/workflows/artifactpoisoning96.yml:2:3:2:14 | workflow_run | workflow_run |
 | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | .github/workflows/artifactpoisoning101.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test18.yml:36:15:40:58 | Uses Step | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Uses Step | .github/workflows/test18.yml:3:5:3:16 | workflow_run | workflow_run |
 | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | ./gradlew buildScanPublishPrevious\n | .github/workflows/test25.yml:2:3:2:14 | workflow_run | workflow_run |

actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected

@@ -13,7 +13,6 @@ edges
 | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance | Config |
 | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | Config |
 | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | Config |
-| .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | provenance | Config |
 | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | provenance | Config |
 | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | provenance | Config |
 | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | provenance | Config |
@@ -45,8 +44,6 @@ nodes
 | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | semmle.label | python test.py |
 | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | semmle.label | make snapshot |
-| .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | semmle.label | Uses Step |
-| .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | semmle.label | npm install |
 | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | semmle.label | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n |
 | .github/workflows/test18.yml:12:15:33:12 | Uses Step | semmle.label | Uses Step |

actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected

@@ -51,16 +51,6 @@ edges
 | .github/workflows/artifactpoisoning92.yml:19:9:25:6 | Run Step: metadata | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step |
 | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step |
 | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step |
-| .github/workflows/artifactpoisoning93.yml:12:9:13:6 | Uses Step | .github/workflows/artifactpoisoning93.yml:13:9:19:6 | Uses Step |
-| .github/workflows/artifactpoisoning93.yml:13:9:19:6 | Uses Step | .github/workflows/artifactpoisoning93.yml:19:9:19:24 | Run Step |
-| .github/workflows/artifactpoisoning94.yml:12:9:13:6 | Uses Step | .github/workflows/artifactpoisoning94.yml:13:9:19:6 | Uses Step |
-| .github/workflows/artifactpoisoning94.yml:13:9:19:6 | Uses Step | .github/workflows/artifactpoisoning94.yml:19:9:19:24 | Run Step |
-| .github/workflows/artifactpoisoning95.yml:12:9:13:6 | Uses Step | .github/workflows/artifactpoisoning95.yml:13:9:19:6 | Uses Step |
-| .github/workflows/artifactpoisoning95.yml:13:9:19:6 | Uses Step | .github/workflows/artifactpoisoning95.yml:19:9:19:24 | Run Step |
-| .github/workflows/artifactpoisoning96.yml:12:9:13:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step |
-| .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:18:9:18:24 | Run Step |
-| .github/workflows/artifactpoisoning97.yml:12:9:13:6 | Uses Step | .github/workflows/artifactpoisoning97.yml:13:9:19:6 | Uses Step |
-| .github/workflows/artifactpoisoning97.yml:13:9:19:6 | Uses Step | .github/workflows/artifactpoisoning97.yml:19:9:19:25 | Run Step |
 | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:16:9:19:59 | Run Step: pr_number |
 | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step |
 | .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step |

config/identical-files.json

@@ -231,10 +231,35 @@
     "java/ql/src/experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.qhelp",
     "java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.qhelp"
   ],
+  "CryptoAlgorithms Python/JS/Ruby": [
+    "javascript/ql/lib/semmle/javascript/security/CryptoAlgorithms.qll",
+    "python/ql/lib/semmle/python/concepts/CryptoAlgorithms.qll",
+    "ruby/ql/lib/codeql/ruby/security/CryptoAlgorithms.qll",
+    "rust/ql/lib/codeql/rust/security/CryptoAlgorithms.qll"
+  ],
+  "CryptoAlgorithmNames Python/JS/Ruby": [
+    "javascript/ql/lib/semmle/javascript/security/internal/CryptoAlgorithmNames.qll",
+    "python/ql/lib/semmle/python/concepts/internal/CryptoAlgorithmNames.qll",
+    "ruby/ql/lib/codeql/ruby/security/internal/CryptoAlgorithmNames.qll",
+    "rust/ql/lib/codeql/rust/security/internal/CryptoAlgorithmNames.qll"
+  ],
+  "SensitiveDataHeuristics Python/JS": [
+    "javascript/ql/lib/semmle/javascript/security/internal/SensitiveDataHeuristics.qll",
+    "python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qll",
+    "ruby/ql/lib/codeql/ruby/security/internal/SensitiveDataHeuristics.qll",
+    "swift/ql/lib/codeql/swift/security/internal/SensitiveDataHeuristics.qll",
+    "rust/ql/lib/codeql/rust/security/internal/SensitiveDataHeuristics.qll"
+  ],
   "IncompleteUrlSubstringSanitization": [
     "javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qll",
     "ruby/ql/src/queries/security/cwe-020/IncompleteUrlSubstringSanitization.qll"
   ],
+  "Concepts Python/Ruby/JS": [
+    "python/ql/lib/semmle/python/internal/ConceptsShared.qll",
+    "ruby/ql/lib/codeql/ruby/internal/ConceptsShared.qll",
+    "javascript/ql/lib/semmle/javascript/internal/ConceptsShared.qll",
+    "rust/ql/lib/codeql/rust/internal/ConceptsShared.qll"
+  ],
   "ApiGraphModels": [
     "javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll",
     "ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll",

cpp/bulk_generation_targets.yml

@@ -2,9 +2,6 @@ language: cpp
 strategy: dca
 destination: cpp/ql/lib/ext/generated
 targets:
-- name: glibc
-  with-sinks: false
-  with-sources: false
 - name: zlib
   with-sinks: false
   with-sources: false

cpp/ql/lib/CHANGELOG.md

@@ -1,38 +1,3 @@
-## 5.4.1
-
-### Minor Analysis Improvements
-
-* The guards libraries (`semmle.code.cpp.controlflow.Guards` and `semmle.code.cpp.controlflow.IRGuards`) have been improved to recognize more guards.
-* Improved dataflow through global variables in the new dataflow library (`semmle.code.cpp.dataflow.new.DataFlow` and `semmle.code.cpp.dataflow.new.TaintTracking`). Queries based on these libraries will produce more results on codebases with many global variables.
-* The global value numbering library (`semmle.code.cpp.valuenumbering.GlobalValueNumbering` and `semmle.code.cpp.ir.ValueNumbering`) has been improved so more expressions are assigned the same value number.
-
-## 5.4.0
-
-### New Features
-
-* Exposed various SSA-related classes (`Definition`, `PhiNode`, `ExplicitDefinition`, `DirectExplicitDefinition`, and `IndirectExplicitDefinition`) which were previously only usable inside the internal dataflow directory.
-
-### Minor Analysis Improvements
-
-* The `cpp/overrun-write` query now recognizes more bound checks and thus produces fewer false positives.
-
-## 5.3.0
-
-### Deprecated APIs
-
-* The `UnknownDefaultLocation`, `UnknownExprLocation`, and `UnknownStmtLocation` classes have been deprecated. Use `UnknownLocation` instead.
-
-### New Features
-
-* Added a `isFinalValueOfParameter` predicate to `DataFlow::Node` which holds when a dataflow node represents the final value of an output parameter of a function.
-
-### Minor Analysis Improvements
-
-* The `FunctionWithWrappers` library (`semmle.code.cpp.security.FunctionWithWrappers`) no longer considers calls through function pointers as wrapper functions.
-* The analysis of C/C++ code targeting 64-bit Arm platforms has been improved. This includes support for the Arm-specific builtin functions, support for the `arm_neon.h` header and Neon vector types, and support for the `fp8` scalar type. The `arm_sve.h` header and scalable vectors are only partially supported at this point.
-* Added support for `__fp16 _Complex` and `__bf16 _Complex` types
-* Added `sql-injection` sink models for the Oracle Call Interface (OCI) database library functions `OCIStmtPrepare` and `OCIStmtPrepare2`.
-
 ## 5.2.0
 
 ### Deprecated APIs

cpp/ql/lib/change-notes/2025-06-20-oracle-oci-models.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added `sql-injection` sink models for the Oracle Call Interface (OCI) database library functions `OCIStmtPrepare` and `OCIStmtPrepare2`.

cpp/ql/lib/change-notes/2025-06-24-float16 copy.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The analysis of C/C++ code targeting 64-bit Arm platforms has been improved. This includes support for the Arm-specific builtin functions, support for the `arm_neon.h` header and Neon vector types, and support for the `fp8` scalar type. The `arm_sve.h` header and scalable vectors are only partially supported at this point.

cpp/ql/lib/change-notes/2025-06-24-float16.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added support for `__fp16 _Complex` and `__bf16 _Complex` types

cpp/ql/lib/change-notes/2025-06-27-locations.md

@@ -0,0 +1,4 @@
+---
+category: deprecated
+---
+* The `UnknownDefaultLocation`, `UnknownExprLocation`, and `UnknownStmtLocation` classes have been deprecated. Use `UnknownLocation` instead.

cpp/ql/lib/change-notes/released/5.3.0.md

@@ -1,16 +0,0 @@
-## 5.3.0
-
-### Deprecated APIs
-
-* The `UnknownDefaultLocation`, `UnknownExprLocation`, and `UnknownStmtLocation` classes have been deprecated. Use `UnknownLocation` instead.
-
-### New Features
-
-* Added a `isFinalValueOfParameter` predicate to `DataFlow::Node` which holds when a dataflow node represents the final value of an output parameter of a function.
-
-### Minor Analysis Improvements
-
-* The `FunctionWithWrappers` library (`semmle.code.cpp.security.FunctionWithWrappers`) no longer considers calls through function pointers as wrapper functions.
-* The analysis of C/C++ code targeting 64-bit Arm platforms has been improved. This includes support for the Arm-specific builtin functions, support for the `arm_neon.h` header and Neon vector types, and support for the `fp8` scalar type. The `arm_sve.h` header and scalable vectors are only partially supported at this point.
-* Added support for `__fp16 _Complex` and `__bf16 _Complex` types
-* Added `sql-injection` sink models for the Oracle Call Interface (OCI) database library functions `OCIStmtPrepare` and `OCIStmtPrepare2`.

cpp/ql/lib/change-notes/released/5.4.0.md

@@ -1,9 +0,0 @@
-## 5.4.0
-
-### New Features
-
-* Exposed various SSA-related classes (`Definition`, `PhiNode`, `ExplicitDefinition`, `DirectExplicitDefinition`, and `IndirectExplicitDefinition`) which were previously only usable inside the internal dataflow directory.
-
-### Minor Analysis Improvements
-
-* The `cpp/overrun-write` query now recognizes more bound checks and thus produces fewer false positives.

cpp/ql/lib/change-notes/released/5.4.1.md

@@ -1,7 +0,0 @@
-## 5.4.1
-
-### Minor Analysis Improvements
-
-* The guards libraries (`semmle.code.cpp.controlflow.Guards` and `semmle.code.cpp.controlflow.IRGuards`) have been improved to recognize more guards.
-* Improved dataflow through global variables in the new dataflow library (`semmle.code.cpp.dataflow.new.DataFlow` and `semmle.code.cpp.dataflow.new.TaintTracking`). Queries based on these libraries will produce more results on codebases with many global variables.
-* The global value numbering library (`semmle.code.cpp.valuenumbering.GlobalValueNumbering` and `semmle.code.cpp.ir.ValueNumbering`) has been improved so more expressions are assigned the same value number.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.4.1
+lastReleaseVersion: 5.2.0

cpp/ql/lib/ext/Windows.model.yml

@@ -32,18 +32,4 @@ extensions:
       - ["", "", False, "CommandLineToArgvA", "", "", "Argument[*0]", "ReturnValue[**]", "taint", "manual"]
       - ["", "", False, "CommandLineToArgvW", "", "", "Argument[*0]", "ReturnValue[**]", "taint", "manual"]
       # fileapi.h
-      - ["", "", False, "ReadFileEx", "", "", "Argument[*3].Field[@hEvent]", "Argument[4].Parameter[*2].Field[@hEvent]", "value", "manual"]
-      # processthreadsapi.h
-      - ["", "", False, "CreateThread", "", "", "Argument[@3]", "Argument[2].Parameter[@0]", "value", "manual"]
-      - ["", "", False, "CreateRemoteThread", "", "", "Argument[@4]", "Argument[3].Parameter[@0]", "value", "manual"]
-      - ["", "", False, "CreateRemoteThreadEx", "", "", "Argument[@4]", "Argument[3].Parameter[@0]", "value", "manual"]
-      # wdm.h
-      - ["", "", False, "RtlCopyVolatileMemory", "", "", "Argument[*@1]", "Argument[*@0]", "value", "manual"]
-      - ["", "", False, "RtlCopyDeviceMemory", "", "", "Argument[*@1]", "Argument[*@0]", "value", "manual"]
-      - ["", "", False, "RtlCopyMemory", "", "", "Argument[*@1]", "Argument[*@0]", "value", "manual"]
-      - ["", "", False, "RtlCopyMemoryNonTemporal", "", "", "Argument[*@1]", "Argument[*@0]", "value", "manual"]
-      - ["", "", False, "RtlCopyUnicodeString", "", "", "Argument[*1].Field[*Buffer]", "Argument[*0].Field[*Buffer]", "value", "manual"]
-      - ["", "", False, "RtlMoveMemory", "", "", "Argument[*@1]", "Argument[*@0]", "value", "manual"]
-      - ["", "", False, "RtlMoveVolatileMemory", "", "", "Argument[*@1]", "Argument[*@0]", "value", "manual"]
-      # winternl.h
-      - ["", "", False, "RtlInitUnicodeString", "", "", "Argument[*1]", "Argument[*0].Field[*Buffer]", "value", "manual"]
+      - ["", "", False, "ReadFileEx", "", "", "Argument[*3].Field[@hEvent]", "Argument[4].Parameter[*2].Field[@hEvent]", "value", "manual"]

cpp/ql/lib/ext/pthread.model.yml

@@ -1,6 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: summaryModel
-    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["", "", False, "pthread_create", "", "", "Argument[@3]", "Argument[2].Parameter[@0]", "value", "manual"]

cpp/ql/lib/ext/std.thread.model.yml

@@ -1,11 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: summaryModel
-    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["std", "thread", True, "thread", "", "", "Argument[*@1]", "Argument[0].Parameter[@0]", "value", "manual"]
-      - ["std", "thread", True, "thread", "", "", "Argument[*@2]", "Argument[0].Parameter[@1]", "value", "manual"]
-      - ["std", "thread", True, "thread", "", "", "Argument[*@3]", "Argument[0].Parameter[@2]", "value", "manual"]
-      - ["std", "thread", True, "thread", "", "", "Argument[*@4]", "Argument[0].Parameter[@3]", "value", "manual"]
-      - ["std", "thread", True, "thread", "", "", "Argument[*@5]", "Argument[0].Parameter[@4]", "value", "manual"]
-      

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 5.4.1
+version: 5.2.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/Concept.qll

@@ -57,9 +57,7 @@ class RequiresExpr extends Expr, @requires_expr {
 /**
  * A C++ requirement in a requires expression.
  */
-class RequirementExpr extends Expr {
-  RequirementExpr() { this.getParent() instanceof RequiresExpr }
-}
+class RequirementExpr extends Expr { }
 
 /**
  * A C++ simple requirement in a requires expression.
@@ -72,6 +70,7 @@ class RequirementExpr extends Expr {
  */
 class SimpleRequirementExpr extends RequirementExpr {
   SimpleRequirementExpr() {
+    this.getParent() instanceof RequiresExpr and
     not this instanceof TypeRequirementExpr and
     not this instanceof CompoundRequirementExpr and
     not this instanceof NestedRequirementExpr
@@ -90,6 +89,8 @@ class SimpleRequirementExpr extends RequirementExpr {
  * with `T` a template parameter, then `typename T::a_field;` is a type requirement.
  */
 class TypeRequirementExpr extends RequirementExpr, TypeName {
+  TypeRequirementExpr() { this.getParent() instanceof RequiresExpr }
+
   override string getAPrimaryQlClass() { result = "TypeRequirementExpr" }
 }
 
@@ -139,7 +140,7 @@ class CompoundRequirementExpr extends RequirementExpr, @compound_requirement {
  * with `T` a template parameter, then `requires std::is_same<T, int>::value;` is
  * a nested requirement.
  */
-class NestedRequirementExpr extends RequirementExpr, @nested_requirement {
+class NestedRequirementExpr extends Expr, @nested_requirement {
   override string toString() { result = "requires ..." }
 
   override string getAPrimaryQlClass() { result = "NestedRequirementExpr" }
@@ -162,7 +163,7 @@ class NestedRequirementExpr extends RequirementExpr, @nested_requirement {
  * then `C<int, 1>` is a concept id expression that refers to
  * the concept `C`.
  */
-class ConceptIdExpr extends Expr, @concept_id {
+class ConceptIdExpr extends RequirementExpr, @concept_id {
   override string toString() {
     result = this.getConcept().getName() + "<...>"
     or

cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll

@@ -57,18 +57,6 @@ private Class getRootType(FieldAccess fa) {
   )
 }
 
-/**
- * Gets the size of `v`. This predicate does not have a result when the
- * unspecified type of `v` is a `ReferenceType`.
- */
-private int getVariableSize(Variable v) {
-  exists(Type t |
-    t = v.getUnspecifiedType() and
-    not t instanceof ReferenceType and
-    result = t.getSize()
-  )
-}
-
 /**
  * Gets the size of the buffer access at `va`.
  */
@@ -76,8 +64,12 @@ private int getSize(VariableAccess va) {
   exists(Variable v | va.getTarget() = v |
     // If `v` is not a field then the size of the buffer is just
     // the size of the type of `v`.
-    not v instanceof Field and
-    result = getVariableSize(v)
+    exists(Type t |
+      t = v.getUnspecifiedType() and
+      not v instanceof Field and
+      not t instanceof ReferenceType and
+      result = t.getSize()
+    )
     or
     exists(Class c, int trueSize |
       // Otherwise, we find the "outermost" object and compute the size
@@ -100,7 +92,7 @@ private int getSize(VariableAccess va) {
       // buffer is `12 - 4 = 8`.
       c = getRootType(va) and
       // we calculate the size based on the last field, to avoid including any padding after it
-      trueSize = max(Field f | | f.getOffsetInClass(c) + getVariableSize(f)) and
+      trueSize = max(Field f | | f.getOffsetInClass(c) + f.getUnspecifiedType().getSize()) and
       result = trueSize - v.(Field).getOffsetInClass(c)
     )
   )

cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll

@@ -936,77 +936,6 @@ private module Cached {
     ValueNumber getUnary() { result.getAnInstruction() = instr.getUnary() }
   }
 
-  signature predicate sinkSig(Instruction instr);
-
-  private module BooleanInstruction<sinkSig/1 isSink> {
-    /**
-     * Holds if `i1` flows to `i2` in a single step and `i2` is not an
-     * instruction that produces a value of Boolean type.
-     */
-    private predicate stepToNonBoolean(Instruction i1, Instruction i2) {
-      not i2.getResultIRType() instanceof IRBooleanType and
-      (
-        i2.(CopyInstruction).getSourceValue() = i1
-        or
-        i2.(ConvertInstruction).getUnary() = i1
-        or
-        i2.(BuiltinExpectCallInstruction).getArgument(0) = i1
-      )
-    }
-
-    private predicate rev(Instruction instr) {
-      isSink(instr)
-      or
-      exists(Instruction instr1 |
-        rev(instr1) and
-        stepToNonBoolean(instr, instr1)
-      )
-    }
-
-    private predicate hasBooleanType(Instruction instr) {
-      instr.getResultIRType() instanceof IRBooleanType
-    }
-
-    private predicate fwd(Instruction instr) {
-      rev(instr) and
-      (
-        hasBooleanType(instr)
-        or
-        exists(Instruction instr0 |
-          fwd(instr0) and
-          stepToNonBoolean(instr0, instr)
-        )
-      )
-    }
-
-    private predicate prunedStep(Instruction i1, Instruction i2) {
-      fwd(i1) and
-      fwd(i2) and
-      stepToNonBoolean(i1, i2)
-    }
-
-    private predicate stepsPlus(Instruction i1, Instruction i2) =
-      doublyBoundedFastTC(prunedStep/2, hasBooleanType/1, isSink/1)(i1, i2)
-
-    /**
-     * Gets the Boolean-typed instruction that defines `instr` before any
-     * integer conversions are applied, if any.
-     */
-    Instruction get(Instruction instr) {
-      isSink(instr) and
-      (
-        result = instr
-        or
-        stepsPlus(result, instr)
-      ) and
-      hasBooleanType(result)
-    }
-  }
-
-  private predicate isUnaryComparesEqLeft(Instruction instr) {
-    unary_compares_eq(_, instr.getAUse(), 0, _, _)
-  }
-
   /**
    * Holds if `left == right + k` is `areEqual` given that test is `testIsTrue`.
    *
@@ -1037,19 +966,14 @@ private module Cached {
     )
     or
     compares_eq(test.(BuiltinExpectCallValueNumber).getCondition(), left, right, k, areEqual, value)
+  }
+
+  private predicate isConvertedBool(Instruction instr) {
+    instr.getResultIRType() instanceof IRBooleanType
     or
-    exists(Operand l, BooleanValue bv |
-      // 1. test = value -> int(l) = 0 is !bv
-      unary_compares_eq(test, l, 0, bv.getValue().booleanNot(), value) and
-      // 2. l = bv -> left + right is areEqual
-      compares_eq(valueNumber(BooleanInstruction<isUnaryComparesEqLeft/1>::get(l.getDef())), left,
-        right, k, areEqual, bv)
-      // We want this to hold:
-      // `test = value -> left + right is areEqual`
-      // Applying 2 we need to show:
-      // `test = value -> l = bv`
-      // And `l = bv` holds by `int(l) = 0 is !bv`
-    )
+    isConvertedBool(instr.(ConvertInstruction).getUnary())
+    or
+    isConvertedBool(instr.(BuiltinExpectCallInstruction).getCondition())
   }
 
   /**
@@ -1082,11 +1006,19 @@ private module Cached {
       k = k1 + k2
     )
     or
-    // See argument for why this is correct in compares_eq
-    exists(Operand l, BooleanValue bv |
-      unary_compares_eq(test, l, 0, bv.getValue().booleanNot(), value) and
-      unary_compares_eq(valueNumber(BooleanInstruction<isUnaryComparesEqLeft/1>::get(l.getDef())),
-        op, k, areEqual, bv)
+    exists(CompareValueNumber cmp, Operand left, Operand right, AbstractValue v |
+      test = cmp and
+      pragma[only_bind_into](cmp)
+          .hasOperands(pragma[only_bind_into](left), pragma[only_bind_into](right)) and
+      isConvertedBool(left.getDef()) and
+      int_value(right.getDef()) = 0 and
+      unary_compares_eq(valueNumberOfOperand(left), op, k, areEqual, v)
+    |
+      cmp instanceof CompareNEValueNumber and
+      v = value
+      or
+      cmp instanceof CompareEQValueNumber and
+      v.getDualValue() = value
     )
     or
     unary_compares_eq(test.(BuiltinExpectCallValueNumber).getCondition(), op, k, areEqual, value)
@@ -1184,26 +1116,70 @@ private module Cached {
     )
   }
 
-  private predicate isBuiltInExpectArg(Instruction instr) {
-    instr = any(BuiltinExpectCallInstruction buildinExpect).getArgument(0)
-  }
-
   /** A call to the builtin operation `__builtin_expect`. */
   private class BuiltinExpectCallInstruction extends CallInstruction {
     BuiltinExpectCallInstruction() { this.getStaticCallTarget().hasName("__builtin_expect") }
 
     /** Gets the condition of this call. */
-    Instruction getCondition() {
-      result = BooleanInstruction<isBuiltInExpectArg/1>::get(this.getArgument(0))
+    Instruction getCondition() { result = this.getConditionOperand().getDef() }
+
+    Operand getConditionOperand() {
+      // The first parameter of `__builtin_expect` has type `long`. So we skip
+      // the conversion when inferring guards.
+      result = this.getArgument(0).(ConvertInstruction).getUnaryOperand()
     }
   }
 
+  /**
+   * Holds if `left == right + k` is `areEqual` if `cmp` evaluates to `value`,
+   * and `cmp` is an instruction that compares the value of
+   * `__builtin_expect(left == right + k, _)` to `0`.
+   */
+  private predicate builtin_expect_eq(
+    CompareValueNumber cmp, Operand left, Operand right, int k, boolean areEqual,
+    AbstractValue value
+  ) {
+    exists(BuiltinExpectCallValueNumber call, Instruction const, AbstractValue innerValue |
+      int_value(const) = 0 and
+      cmp.hasOperands(call.getAUse(), const.getAUse()) and
+      compares_eq(call.getCondition(), left, right, k, areEqual, innerValue)
+    |
+      cmp instanceof CompareNEValueNumber and
+      value = innerValue
+      or
+      cmp instanceof CompareEQValueNumber and
+      value.getDualValue() = innerValue
+    )
+  }
+
   private predicate complex_eq(
     ValueNumber cmp, Operand left, Operand right, int k, boolean areEqual, AbstractValue value
   ) {
     sub_eq(cmp, left, right, k, areEqual, value)
     or
     add_eq(cmp, left, right, k, areEqual, value)
+    or
+    builtin_expect_eq(cmp, left, right, k, areEqual, value)
+  }
+
+  /**
+   * Holds if `op == k` is `areEqual` if `cmp` evaluates to `value`, and `cmp` is
+   * an instruction that compares the value of `__builtin_expect(op == k, _)` to `0`.
+   */
+  private predicate unary_builtin_expect_eq(
+    CompareValueNumber cmp, Operand op, int k, boolean areEqual, AbstractValue value
+  ) {
+    exists(BuiltinExpectCallValueNumber call, Instruction const, AbstractValue innerValue |
+      int_value(const) = 0 and
+      cmp.hasOperands(call.getAUse(), const.getAUse()) and
+      unary_compares_eq(call.getCondition(), op, k, areEqual, innerValue)
+    |
+      cmp instanceof CompareNEValueNumber and
+      value = innerValue
+      or
+      cmp instanceof CompareEQValueNumber and
+      value.getDualValue() = innerValue
+    )
   }
 
   private predicate unary_complex_eq(
@@ -1212,6 +1188,8 @@ private module Cached {
     unary_sub_eq(test, op, k, areEqual, value)
     or
     unary_add_eq(test, op, k, areEqual, value)
+    or
+    unary_builtin_expect_eq(test, op, k, areEqual, value)
   }
 
   /*
@@ -1237,15 +1215,6 @@ private module Cached {
     exists(AbstractValue dual | value = dual.getDualValue() |
       compares_lt(test.(LogicalNotValueNumber).getUnary(), left, right, k, isLt, dual)
     )
-    or
-    compares_lt(test.(BuiltinExpectCallValueNumber).getCondition(), left, right, k, isLt, value)
-    or
-    // See argument for why this is correct in compares_eq
-    exists(Operand l, BooleanValue bv |
-      unary_compares_eq(test, l, 0, bv.getValue().booleanNot(), value) and
-      compares_lt(valueNumber(BooleanInstruction<isUnaryComparesEqLeft/1>::get(l.getDef())), left,
-        right, k, isLt, bv)
-    )
   }
 
   /** Holds if `op < k` evaluates to `isLt` given that `test` evaluates to `value`. */
@@ -1265,15 +1234,6 @@ private module Cached {
       int_value(const) = k1 and
       k = k1 + k2
     )
-    or
-    compares_lt(test.(BuiltinExpectCallValueNumber).getCondition(), op, k, isLt, value)
-    or
-    // See argument for why this is correct in compares_eq
-    exists(Operand l, BooleanValue bv |
-      unary_compares_eq(test, l, 0, bv.getValue().booleanNot(), value) and
-      compares_lt(valueNumber(BooleanInstruction<isUnaryComparesEqLeft/1>::get(l.getDef())), op, k,
-        isLt, bv)
-    )
   }
 
   /** `(a < b + k) => (b > a - k) => (b >= a + (1-k))` */

cpp/ql/lib/semmle/code/cpp/controlflow/SSA.qll

@@ -15,13 +15,6 @@ class StandardSsa extends SsaHelper {
 }
 
 /**
- * NOTE: If possible, prefer the SSA classes exposed by the new dataflow
- * library:
- * ```
- * import semmle.code.cpp.dataflow.new.DataFlow
- * // use `DataFlow::Ssa::Definition`
- * ```
- *
  * A definition of one or more SSA variables, including phi node definitions.
  * An _SSA variable_, as defined in the literature, is effectively the pair of
  * an `SsaDefinition d` and a `StackVariable v`, written `(d, v)` in this

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll

@@ -1,5 +1,6 @@
 private import cpp
 private import semmle.code.cpp.ir.IR
+private import semmle.code.cpp.ir.dataflow.DataFlow
 private import DataFlowPrivate
 private import DataFlowUtil
 private import DataFlowImplCommon as DataFlowImplCommon
@@ -59,7 +60,7 @@ private module VirtualDispatch {
      * `resolve` predicate to stitch that information together and resolve the
      * call.
      */
-    abstract Node getDispatchValue();
+    abstract DataFlow::Node getDispatchValue();
 
     /** Gets a candidate target for this call. */
     abstract Function resolve();
@@ -71,13 +72,17 @@ private module VirtualDispatch {
      * parameter is true when the search is allowed to continue backwards into
      * a parameter; non-recursive callers should pass `_` for `allowFromArg`.
      */
-    predicate flowsFrom(Node src, boolean allowFromArg) {
+    predicate flowsFrom(DataFlow::Node src, boolean allowFromArg) {
       src = this.getDispatchValue() and allowFromArg = true
       or
-      exists(Node other, boolean allowOtherFromArg | this.flowsFrom(other, allowOtherFromArg) |
+      exists(DataFlow::Node other, boolean allowOtherFromArg |
+        this.flowsFrom(other, allowOtherFromArg)
+      |
         // Call argument
         exists(DataFlowCall call, Position i |
-          other.(ParameterNode).isParameterOf(pragma[only_bind_into](call).getStaticCallTarget(), i) and
+          other
+              .(DataFlow::ParameterNode)
+              .isParameterOf(pragma[only_bind_into](call).getStaticCallTarget(), i) and
           src.(ArgumentNode).argumentOf(call, pragma[only_bind_into](pragma[only_bind_out](i)))
         ) and
         allowOtherFromArg = true and
@@ -91,7 +96,7 @@ private module VirtualDispatch {
         allowFromArg = false
         or
         // Local flow
-        localFlowStep(src, other) and
+        DataFlow::localFlowStep(src, other) and
         allowFromArg = allowOtherFromArg
         or
         // Flow from global variable to load.
@@ -154,11 +159,11 @@ private module VirtualDispatch {
   private class DataSensitiveExprCall extends DataSensitiveCall {
     DataSensitiveExprCall() { not exists(this.getStaticCallTarget()) }
 
-    override Node getDispatchValue() { result.asOperand() = this.getCallTargetOperand() }
+    override DataFlow::Node getDispatchValue() { result.asOperand() = this.getCallTargetOperand() }
 
     override Function resolve() {
       exists(FunctionInstruction fi |
-        this.flowsFrom(instructionNode(fi), _) and
+        this.flowsFrom(DataFlow::instructionNode(fi), _) and
         result = fi.getFunctionSymbol()
       ) and
       (
@@ -181,7 +186,7 @@ private module VirtualDispatch {
       )
     }
 
-    override Node getDispatchValue() { result.asInstruction() = this.getArgument(-1) }
+    override DataFlow::Node getDispatchValue() { result.asInstruction() = this.getArgument(-1) }
 
     override MemberFunction resolve() {
       exists(Class overridingClass |
@@ -208,7 +213,7 @@ private module VirtualDispatch {
     pragma[noinline]
     private predicate hasFlowFromCastFrom(Class derivedClass) {
       exists(ConvertToBaseInstruction toBase |
-        this.flowsFrom(instructionNode(toBase), _) and
+        this.flowsFrom(DataFlow::instructionNode(toBase), _) and
         derivedClass = toBase.getDerivedClass()
       )
     }
@@ -265,7 +270,7 @@ private predicate mayBenefitFromCallContext(
   exists(InitializeParameterInstruction init |
     not exists(call.getStaticCallTarget()) and
     init.getEnclosingFunction() = f.getUnderlyingCallable() and
-    call.flowsFrom(instructionNode(init), _) and
+    call.flowsFrom(DataFlow::instructionNode(init), _) and
     init.getParameter().getIndex() = arg
   )
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -4,7 +4,7 @@ private import semmle.code.cpp.ir.IR
 private import DataFlowDispatch
 private import semmle.code.cpp.ir.internal.IRCppLanguage
 private import semmle.code.cpp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
-private import SsaImpl as Ssa
+private import SsaInternals as Ssa
 private import DataFlowImplCommon as DataFlowImplCommon
 private import codeql.util.Unit
 private import Node0ToString
@@ -332,13 +332,6 @@ private module IndirectInstructions {
 
 import IndirectInstructions
 
-predicate isPostUpdateNodeImpl(Operand operand, int indirectionIndex) {
-  operand = any(FieldAddress fa).getObjectAddressOperand() and
-  indirectionIndex = [0 .. Ssa::countIndirectionsForCppType(Ssa::getLanguageType(operand))]
-  or
-  Ssa::isModifiableByCall(operand, indirectionIndex)
-}
-
 /** Gets the callable in which this node occurs. */
 DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.getEnclosingCallable() }
 
@@ -1389,89 +1382,16 @@ predicate neverSkipInPathGraph(Node n) {
   exists(n.asIndirectDefinition())
 }
 
-private newtype TLambdaCallKind =
-  TFunctionPointer() or
-  TFunctor()
-
-class LambdaCallKind extends TLambdaCallKind {
-  predicate isFunctionPointer() { this = TFunctionPointer() }
-
-  predicate isFunctor() { this = TFunctor() }
-
-  string toString() {
-    this.isFunctionPointer() and
-    result = "Function pointer kind"
-    or
-    this.isFunctor() and
-    result = "Functor kind"
-  }
-}
-
-private class ConstructorCallInstruction extends CallInstruction {
-  Cpp::Class constructedType;
-
-  ConstructorCallInstruction() {
-    this.getStaticCallTarget().(Cpp::Constructor).getDeclaringType() = constructedType
-  }
-
-  Cpp::Class getConstructedType() { result = constructedType }
-}
-
-private class OperatorCall extends Cpp::MemberFunction {
-  OperatorCall() { this.hasName("operator()") }
-}
-
-private predicate isFunctorCreationWithoutConstructor(Node creation, OperatorCall operator) {
-  exists(UninitializedInstruction init, Instruction dest |
-    // A construction of an object with no constructor. In this case we use
-    // the `UninitializedInstruction` as the creation node.
-    init = creation.asInstruction() and
-    dest = init.getDestinationAddress() and
-    not any(ConstructorCallInstruction constructorCall).getThisArgument() = dest and
-    operator.getDeclaringType() = init.getResultType()
-  )
-  or
-  // Workaround for an extractor bug. In this snippet:
-  // ```
-  // struct S { };
-  // void f(S);
-  // f(S());
-  // ```
-  // The expression `S()` is represented as a 0 literal in the database.
-  exists(ConstantValueInstruction constant |
-    constant.getValue() = "0" and
-    creation.asInstruction() = constant and
-    constant.getResultType() = operator.getDeclaringType()
-  )
-}
-
-private predicate isFunctorCreationWithConstructor(Node creation, OperatorCall operator) {
-  exists(DataFlowCall constructorCall, IndirectionPosition pos |
-    // A construction of an object with a constructor. In this case we use
-    // the post-update node of the qualifier
-    pos.getArgumentIndex() = -1 and
-    isArgumentNode(creation.(PostUpdateNode).getPreUpdateNode(), constructorCall, pos) and
-    operator.getDeclaringType() =
-      constructorCall.asCallInstruction().(ConstructorCallInstruction).getConstructedType()
-  )
-}
+class LambdaCallKind = Unit;
 
 /** Holds if `creation` is an expression that creates a lambda of kind `kind` for `c`. */
 predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c) {
-  kind.isFunctionPointer() and
-  creation.asInstruction().(FunctionAddressInstruction).getFunctionSymbol() = c.asSourceCallable()
-  or
-  kind.isFunctor() and
-  exists(OperatorCall operator | operator = c.asSourceCallable() |
-    isFunctorCreationWithoutConstructor(creation, operator)
-    or
-    isFunctorCreationWithConstructor(creation, operator)
-  )
+  creation.asInstruction().(FunctionAddressInstruction).getFunctionSymbol() = c.asSourceCallable() and
+  exists(kind)
 }
 
 /** Holds if `call` is a lambda call of kind `kind` where `receiver` is the lambda expression. */
 predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
-  kind.isFunctionPointer() and
   (
     call.(SummaryCall).getReceiver() = receiver.(FlowSummaryNode).getSummaryNode()
     or
@@ -1480,15 +1400,8 @@ predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
     // has a result for `getStaticCallTarget`.
     not exists(call.getStaticCallTarget()) and
     call.asCallInstruction().getCallTargetOperand() = receiver.asOperand()
-  )
-  or
-  kind.isFunctor() and
-  (
-    call.(SummaryCall).getReceiver() = receiver.(FlowSummaryNode).getSummaryNode()
-    or
-    not exists(call.getStaticCallTarget()) and
-    call.asCallInstruction().getThisArgumentOperand() = receiver.asOperand()
-  )
+  ) and
+  exists(kind)
 }
 
 /** Extra data-flow steps needed for lambda flow analysis. */
@@ -1989,23 +1902,19 @@ module IteratorFlow {
 
     predicate allowFlowIntoUncertainDef(IteratorSsa::UncertainWriteDefinition def) { any() }
 
-    class GuardValue = Void;
-
     class Guard extends Void {
-      predicate hasValueBranchEdge(
-        SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, GuardValue val
-      ) {
+      predicate hasBranchEdge(SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, boolean branch) {
         none()
       }
 
-      predicate valueControlsBranchEdge(
-        SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, GuardValue val
+      predicate controlsBranchEdge(
+        SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, boolean branch
       ) {
         none()
       }
     }
 
-    predicate guardDirectlyControlsBlock(Guard guard, SsaInput::BasicBlock bb, GuardValue val) {
+    predicate guardDirectlyControlsBlock(Guard guard, SsaInput::BasicBlock bb, boolean branch) {
       none()
     }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -13,7 +13,7 @@ private import semmle.code.cpp.models.interfaces.DataFlow
 private import semmle.code.cpp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 private import DataFlowPrivate
 private import ModelUtil
-private import SsaImpl as SsaImpl
+private import SsaInternals as Ssa
 private import DataFlowImplCommon as DataFlowImplCommon
 private import codeql.util.Unit
 private import Node0ToString
@@ -39,35 +39,38 @@ private newtype TIRDataFlowNode =
   TNode0(Node0Impl node) { DataFlowImplCommon::forceCachingInSameStage() } or
   TGlobalLikeVariableNode(GlobalLikeVariable var, int indirectionIndex) {
     indirectionIndex =
-      [getMinIndirectionsForType(var.getUnspecifiedType()) .. SsaImpl::getMaxIndirectionsForType(var.getUnspecifiedType())]
+      [getMinIndirectionsForType(var.getUnspecifiedType()) .. Ssa::getMaxIndirectionsForType(var.getUnspecifiedType())]
   } or
   TPostUpdateNodeImpl(Operand operand, int indirectionIndex) {
-    isPostUpdateNodeImpl(operand, indirectionIndex)
+    operand = any(FieldAddress fa).getObjectAddressOperand() and
+    indirectionIndex = [0 .. Ssa::countIndirectionsForCppType(Ssa::getLanguageType(operand))]
+    or
+    Ssa::isModifiableByCall(operand, indirectionIndex)
   } or
-  TSsaSynthNode(SsaImpl::SynthNode n) or
+  TSsaSynthNode(Ssa::SynthNode n) or
   TSsaIteratorNode(IteratorFlow::IteratorFlowNode n) or
   TRawIndirectOperand0(Node0Impl node, int indirectionIndex) {
-    SsaImpl::hasRawIndirectOperand(node.asOperand(), indirectionIndex)
+    Ssa::hasRawIndirectOperand(node.asOperand(), indirectionIndex)
   } or
   TRawIndirectInstruction0(Node0Impl node, int indirectionIndex) {
     not exists(node.asOperand()) and
-    SsaImpl::hasRawIndirectInstruction(node.asInstruction(), indirectionIndex)
+    Ssa::hasRawIndirectInstruction(node.asInstruction(), indirectionIndex)
   } or
   TFinalParameterNode(Parameter p, int indirectionIndex) {
-    exists(SsaImpl::FinalParameterUse use |
+    exists(Ssa::FinalParameterUse use |
       use.getParameter() = p and
       use.getIndirectionIndex() = indirectionIndex
     )
   } or
-  TFinalGlobalValue(SsaImpl::GlobalUse globalUse) or
-  TInitialGlobalValue(SsaImpl::GlobalDef globalUse) or
+  TFinalGlobalValue(Ssa::GlobalUse globalUse) or
+  TInitialGlobalValue(Ssa::GlobalDef globalUse) or
   TBodyLessParameterNodeImpl(Parameter p, int indirectionIndex) {
     // Rule out parameters of catch blocks.
     not exists(p.getCatchBlock()) and
     // We subtract one because `getMaxIndirectionsForType` returns the maximum
     // indirection for a glvalue of a given type, and this doesn't apply to
     // parameters.
-    indirectionIndex = [0 .. SsaImpl::getMaxIndirectionsForType(p.getUnspecifiedType()) - 1] and
+    indirectionIndex = [0 .. Ssa::getMaxIndirectionsForType(p.getUnspecifiedType()) - 1] and
     not any(InitializeParameterInstruction init).getParameter() = p
   } or
   TFlowSummaryNode(FlowSummaryImpl::Private::SummaryNode sn)
@@ -78,7 +81,7 @@ private newtype TIRDataFlowNode =
 class FieldAddress extends Operand {
   FieldAddressInstruction fai;
 
-  FieldAddress() { fai = this.getDef() and not SsaImpl::ignoreOperand(this) }
+  FieldAddress() { fai = this.getDef() and not Ssa::ignoreOperand(this) }
 
   /** Gets the field associated with this instruction. */
   Field getField() { result = fai.getField() }
@@ -123,7 +126,7 @@ predicate conversionFlow(
     )
     or
     additional = true and
-    SsaImpl::isAdditionalConversionFlow(opFrom, instrTo)
+    Ssa::isAdditionalConversionFlow(opFrom, instrTo)
   )
   or
   isPointerArith = true and
@@ -180,7 +183,7 @@ class Node extends TIRDataFlowNode {
     or
     this.asOperand().getUse() = block.getInstruction(i)
     or
-    exists(SsaImpl::SynthNode ssaNode |
+    exists(Ssa::SynthNode ssaNode |
       this.(SsaSynthNode).getSynthNode() = ssaNode and
       ssaNode.getBasicBlock() = block and
       ssaNode.getIndex() = i
@@ -361,10 +364,10 @@ class Node extends TIRDataFlowNode {
    * pointed to by `p`.
    */
   Expr asDefinition(boolean uncertain) {
-    exists(StoreInstruction store, SsaImpl::Definition def |
+    exists(StoreInstruction store, Ssa::Definition def |
       store = this.asInstruction() and
       result = asDefinitionImpl(store) and
-      SsaImpl::defToNode(this, def, _) and
+      Ssa::defToNode(this, def, _) and
       if def.isCertain() then uncertain = false else uncertain = true
     )
   }
@@ -485,23 +488,6 @@ class Node extends TIRDataFlowNode {
     result = this.(IndirectParameterNode).getParameter()
   }
 
-  /**
-   * Holds if this node represents the `indirectionIndex`'th indirection of
-   * the value of an output parameter `p` just before reaching the end of a function.
-   */
-  predicate isFinalValueOfParameter(Parameter p, int indirectionIndex) {
-    exists(FinalParameterNode n | n = this |
-      p = n.getParameter() and
-      indirectionIndex = n.getIndirectionIndex()
-    )
-  }
-
-  /**
-   * Holds if this node represents the value of an output parameter `p`
-   * just before reaching the end of a function.
-   */
-  predicate isFinalValueOfParameter(Parameter p) { this.isFinalValueOfParameter(p, _) }
-
   /**
    * Gets the variable corresponding to this node, if any. This can be used for
    * modeling flow in and out of global variables.
@@ -624,7 +610,7 @@ class OperandNode extends Node, Node0 {
  * For example, `stripPointers(int*&)` is `int*` and `stripPointers(int*)` is `int`.
  */
 Type stripPointer(Type t) {
-  result = any(SsaImpl::Indirection ind | ind.getType() = t).getBaseType()
+  result = any(Ssa::Indirection ind | ind.getType() = t).getBaseType()
   or
   result = t.(PointerToMemberType).getBaseType()
   or
@@ -691,12 +677,12 @@ class PostFieldUpdateNode extends PostUpdateNodeImpl {
  * in a data flow graph.
  */
 class SsaSynthNode extends Node, TSsaSynthNode {
-  SsaImpl::SynthNode node;
+  Ssa::SynthNode node;
 
   SsaSynthNode() { this = TSsaSynthNode(node) }
 
   /** Gets the synthesized SSA node associated with this node. */
-  SsaImpl::SynthNode getSynthNode() { result = node }
+  Ssa::SynthNode getSynthNode() { result = node }
 
   override DataFlowCallable getEnclosingCallable() {
     result.asSourceCallable() = this.getFunction()
@@ -779,12 +765,12 @@ class SideEffectOperandNode extends Node instanceof IndirectOperand {
  * from a function body.
  */
 class FinalGlobalValue extends Node, TFinalGlobalValue {
-  SsaImpl::GlobalUse globalUse;
+  Ssa::GlobalUse globalUse;
 
   FinalGlobalValue() { this = TFinalGlobalValue(globalUse) }
 
   /** Gets the underlying SSA use. */
-  SsaImpl::GlobalUse getGlobalUse() { result = globalUse }
+  Ssa::GlobalUse getGlobalUse() { result = globalUse }
 
   override DataFlowCallable getEnclosingCallable() {
     result.asSourceCallable() = this.getFunction()
@@ -811,12 +797,12 @@ class FinalGlobalValue extends Node, TFinalGlobalValue {
  * a function body.
  */
 class InitialGlobalValue extends Node, TInitialGlobalValue {
-  SsaImpl::GlobalDef globalDef;
+  Ssa::GlobalDef globalDef;
 
   InitialGlobalValue() { this = TInitialGlobalValue(globalDef) }
 
   /** Gets the underlying SSA definition. */
-  SsaImpl::GlobalDef getGlobalDef() { result = globalDef }
+  Ssa::GlobalDef getGlobalDef() { result = globalDef }
 
   override DataFlowCallable getEnclosingCallable() {
     result.asSourceCallable() = this.getFunction()
@@ -1239,7 +1225,7 @@ import RawIndirectNodes
 /**
  * INTERNAL: do not use.
  *
- * A node representing the value of an output parameter
+ * A node representing the value of an update parameter
  * just before reaching the end of a function.
  */
 class FinalParameterNode extends Node, TFinalParameterNode {
@@ -1285,11 +1271,11 @@ class UninitializedNode extends Node {
   LocalVariable v;
 
   UninitializedNode() {
-    exists(SsaImpl::Definition def, SsaImpl::SourceVariable sv |
+    exists(Ssa::Definition def, Ssa::SourceVariable sv |
       def.getIndirectionIndex() = 0 and
       def.getValue().asInstruction() instanceof UninitializedInstruction and
-      SsaImpl::defToNode(this, def, sv) and
-      v = sv.getBaseVariable().(SsaImpl::BaseIRVariable).getIRVariable().getAst()
+      Ssa::defToNode(this, def, sv) and
+      v = sv.getBaseVariable().(Ssa::BaseIRVariable).getIRVariable().getAst()
     )
   }
 
@@ -1719,7 +1705,7 @@ private module Cached {
   cached
   predicate flowsToBackEdge(Node n) {
     exists(Node succ, IRBlock bb1, IRBlock bb2 |
-      SsaImpl::ssaFlow(n, succ) and
+      Ssa::ssaFlow(n, succ) and
       bb1 = n.getBasicBlock() and
       bb2 = succ.getBasicBlock() and
       bb1 != bb2 and
@@ -1817,7 +1803,7 @@ private module Cached {
   predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo, string model) {
     (
       // Def-use/Use-use flow
-      SsaImpl::ssaFlow(nodeFrom, nodeTo)
+      Ssa::ssaFlow(nodeFrom, nodeTo)
       or
       IteratorFlow::localFlowStep(nodeFrom, nodeTo)
       or
@@ -1830,7 +1816,7 @@ private module Cached {
       |
         simpleOperandLocalFlowStep(iFrom, opTo) and
         // Omit when the instruction node also represents the operand.
-        not iFrom = SsaImpl::getIRRepresentationOfOperand(opTo)
+        not iFrom = Ssa::getIRRepresentationOfOperand(opTo)
       )
       or
       // Indirect operand -> (indirect) instruction flow
@@ -1903,7 +1889,7 @@ private module Cached {
       // We also want a write coming out of an `OutNode` to flow `nodeTo`.
       // This is different from `reverseFlowInstruction` since `nodeFrom` can never
       // be an `OutNode` when it's defined by an instruction.
-      SsaImpl::outNodeHasAddressAndIndex(nodeFrom, address, indirectionIndex)
+      Ssa::outNodeHasAddressAndIndex(nodeFrom, address, indirectionIndex)
     )
   }
 
@@ -2096,7 +2082,7 @@ private newtype TContent =
   TFieldContent(Field f, int indirectionIndex) {
     // the indirection index for field content starts at 1 (because `TFieldContent` is thought of as
     // the address of the field, `FieldAddress` in the IR).
-    indirectionIndex = [1 .. SsaImpl::getMaxIndirectionsForType(f.getUnspecifiedType())] and
+    indirectionIndex = [1 .. Ssa::getMaxIndirectionsForType(f.getUnspecifiedType())] and
     // Reads and writes of union fields are tracked using `UnionContent`.
     not f.getDeclaringType() instanceof Union
   } or
@@ -2108,9 +2094,7 @@ private newtype TContent =
       // field can be read by any read of the union's fields. Again, the indirection index
       // is 1-based (because 0 is considered the address).
       indirectionIndex =
-        [1 .. max(SsaImpl::getMaxIndirectionsForType(getAFieldWithSize(u, bytes)
-                    .getUnspecifiedType())
-          )]
+        [1 .. max(Ssa::getMaxIndirectionsForType(getAFieldWithSize(u, bytes).getUnspecifiedType()))]
     )
   } or
   TElementContent(int indirectionIndex) {
@@ -2353,7 +2337,7 @@ module BarrierGuard<guardChecksSig/3 guardChecks> {
       controls(g, result, edge)
     )
     or
-    result = SsaImpl::BarrierGuard<guardChecksNode/3>::getABarrierNode()
+    result = Ssa::BarrierGuard<guardChecksNode/3>::getABarrierNode()
   }
 
   /**
@@ -2452,7 +2436,7 @@ module BarrierGuard<guardChecksSig/3 guardChecks> {
     )
     or
     result =
-      SsaImpl::BarrierGuardWithIntParam<guardChecksIndirectNode/4>::getABarrierNode(indirectionIndex)
+      Ssa::BarrierGuardWithIntParam<guardChecksIndirectNode/4>::getABarrierNode(indirectionIndex)
   }
 }
 
@@ -2489,7 +2473,7 @@ module InstructionBarrierGuard<instructionGuardChecksSig/3 instructionGuardCheck
       controls(g, result, edge)
     )
     or
-    result = SsaImpl::BarrierGuard<guardChecksNode/3>::getABarrierNode()
+    result = Ssa::BarrierGuard<guardChecksNode/3>::getABarrierNode()
   }
 
   bindingset[value, n]
@@ -2519,7 +2503,7 @@ module InstructionBarrierGuard<instructionGuardChecksSig/3 instructionGuardCheck
     )
     or
     result =
-      SsaImpl::BarrierGuardWithIntParam<guardChecksIndirectNode/4>::getABarrierNode(indirectionIndex)
+      Ssa::BarrierGuardWithIntParam<guardChecksIndirectNode/4>::getABarrierNode(indirectionIndex)
   }
 }
 
@@ -2575,16 +2559,3 @@ Function getARuntimeTarget(Call call) {
     result = DataFlowImplCommon::viableCallableLambda(dfCall, _).asSourceCallable()
   )
 }
-
-/** A module that provides static single assignment (SSA) information. */
-module Ssa {
-  class Definition = SsaImpl::Definition;
-
-  class ExplicitDefinition = SsaImpl::ExplicitDefinition;
-
-  class DirectExplicitDefinition = SsaImpl::DirectExplicitDefinition;
-
-  class IndirectExplicitDefinition = SsaImpl::IndirectExplicitDefinition;
-
-  class PhiNode = SsaImpl::PhiNode;
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ExprNodes.qll

@@ -151,7 +151,7 @@ private module Cached {
     )
     or
     // Similarly for `i++` and `++i` we pretend that the generated
-    // `StoreInstruction` contains the result of the expression even though
+    // `StoreInstruction` is contains the result of the expression even though
     // this isn't totally aligned with the C/C++ standard.
     exists(TranslatedCrementOperation tco |
       store = tco.getInstruction(CrementStoreTag()) and

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ModelUtil.qll

@@ -4,15 +4,15 @@
  */
 
 private import semmle.code.cpp.ir.IR
-private import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs
+private import semmle.code.cpp.ir.dataflow.DataFlow
 private import DataFlowUtil
 private import DataFlowPrivate
-private import SsaImpl as Ssa
+private import SsaInternals as Ssa
 
 /**
  * Gets the instruction that goes into `input` for `call`.
  */
-Node callInput(CallInstruction call, FunctionInput input) {
+DataFlow::Node callInput(CallInstruction call, FunctionInput input) {
   // An argument or qualifier
   exists(int index |
     result.asOperand() = call.getArgumentOperand(index) and
@@ -62,8 +62,8 @@ Node callOutput(CallInstruction call, FunctionOutput output) {
   result = callOutputWithIndirectionIndex(call, output, _)
 }
 
-Node callInput(CallInstruction call, FunctionInput input, int d) {
-  exists(Node n | n = callInput(call, input) and d > 0 |
+DataFlow::Node callInput(CallInstruction call, FunctionInput input, int d) {
+  exists(DataFlow::Node n | n = callInput(call, input) and d > 0 |
     // An argument or qualifier
     hasOperandAndIndex(result, n.asOperand(), d)
     or
@@ -85,7 +85,7 @@ private IndirectReturnOutNode getIndirectReturnOutNode(CallInstruction call, int
  */
 bindingset[d]
 Node callOutput(CallInstruction call, FunctionOutput output, int d) {
-  exists(Node n, int indirectionIndex |
+  exists(DataFlow::Node n, int indirectionIndex |
     n = callOutputWithIndirectionIndex(call, output, indirectionIndex) and d > 0
   |
     // The return value

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintDataFlowRelevantIR.qll

@@ -1,6 +1,6 @@
 private import cpp
 private import semmle.code.cpp.ir.IR
-private import SsaImpl as Ssa
+private import SsaInternals as Ssa
 
 /**
  * A property provider that hides all instructions and operands that are not relevant for IR dataflow.

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRLocalFlow.qll

@@ -2,7 +2,7 @@ private import cpp
 private import semmle.code.cpp.ir.IR
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
-private import SsaImpl as Ssa
+private import SsaInternals as Ssa
 private import PrintIRUtilities
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -1,4 +1,4 @@
-private import codeql.ssa.Ssa as Ssa
+private import codeql.ssa.Ssa as SsaImplCommon
 private import semmle.code.cpp.ir.IR
 private import DataFlowUtil
 private import DataFlowImplCommon as DataFlowImplCommon
@@ -12,7 +12,7 @@ private import semmle.code.cpp.ir.internal.IRCppLanguage
 private import semmle.code.cpp.ir.dataflow.internal.ModelUtil
 private import semmle.code.cpp.ir.implementation.raw.internal.TranslatedInitialization
 private import DataFlowPrivate
-import SsaImplCommon
+import SsaInternalsCommon
 
 private module SourceVariables {
   cached
@@ -143,14 +143,7 @@ private predicate isGlobalUse(
     min(int cand, VariableAddressInstruction vai |
       vai.getEnclosingIRFunction() = f and
       vai.getAstVariable() = v and
-      (
-        isDef(_, _, _, vai, cand, indirectionIndex)
-        or
-        exists(Operand operand |
-          isUse(_, operand, vai, cand, indirectionIndex) and
-          isPostUpdateNodeImpl(operand, indirectionIndex)
-        )
-      )
+      isDef(_, _, _, vai, cand, indirectionIndex)
     |
       cand
     )
@@ -160,10 +153,6 @@ private predicate isGlobalDefImpl(
   GlobalLikeVariable v, IRFunction f, int indirection, int indirectionIndex
 ) {
   exists(VariableAddressInstruction vai |
-    // The right-hand side of an initialization of a global variable
-    // creates its own `IRFunction`. We don't want flow into that `IRFunction`
-    // since the variable is only initialized once.
-    not vai.getEnclosingFunction() = v and
     vai.getEnclosingIRFunction() = f and
     vai.getAstVariable() = v and
     isUse(_, _, vai, indirection, indirectionIndex) and
@@ -891,7 +880,7 @@ private predicate baseSourceVariableIsGlobal(
   )
 }
 
-private module SsaInput implements Ssa::InputSig<Location> {
+private module SsaInput implements SsaImplCommon::InputSig<Location> {
   import InputSigCommon
   import SourceVariables
 
@@ -965,11 +954,9 @@ class GlobalDef extends Definition {
   GlobalLikeVariable getVariable() { result = impl.getVariable() }
 }
 
-private module SsaImpl = Ssa::Make<Location, SsaInput>;
+private module SsaImpl = SsaImplCommon::Make<Location, SsaInput>;
 
 private module DataFlowIntegrationInput implements SsaImpl::DataFlowIntegrationInputSig {
-  private import codeql.util.Boolean
-
   class Expr extends Instruction {
     Expr() {
       exists(IRBlock bb, int i |
@@ -1001,14 +988,10 @@ private module DataFlowIntegrationInput implements SsaImpl::DataFlowIntegrationI
     result instanceof FalseEdge
   }
 
-  class GuardValue = Boolean;
-
   class Guard instanceof IRGuards::IRGuardCondition {
     string toString() { result = super.toString() }
 
-    predicate hasValueBranchEdge(
-      SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, GuardValue branch
-    ) {
+    predicate hasBranchEdge(SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, boolean branch) {
       exists(EdgeKind kind |
         super.getBlock() = bb1 and
         kind = getConditionalEdge(branch) and
@@ -1016,14 +999,12 @@ private module DataFlowIntegrationInput implements SsaImpl::DataFlowIntegrationI
       )
     }
 
-    predicate valueControlsBranchEdge(
-      SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, GuardValue branch
-    ) {
-      this.hasValueBranchEdge(bb1, bb2, branch)
+    predicate controlsBranchEdge(SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, boolean branch) {
+      this.hasBranchEdge(bb1, bb2, branch)
     }
   }
 
-  predicate guardDirectlyControlsBlock(Guard guard, SsaInput::BasicBlock bb, GuardValue branch) {
+  predicate guardDirectlyControlsBlock(Guard guard, SsaInput::BasicBlock bb, boolean branch) {
     guard.(IRGuards::IRGuardCondition).controls(bb, branch)
   }
 
@@ -1052,8 +1033,7 @@ module BarrierGuardWithIntParam<guardChecksNodeSig/4 guardChecksNode> {
   }
 
   private predicate guardChecks(
-    DataFlowIntegrationInput::Guard g, SsaImpl::Definition def,
-    DataFlowIntegrationInput::GuardValue branch, int indirectionIndex
+    DataFlowIntegrationInput::Guard g, SsaImpl::Definition def, boolean branch, int indirectionIndex
   ) {
     exists(UseImpl use |
       guardChecksNode(g, use.getNode(), branch, indirectionIndex) and
@@ -1132,11 +1112,9 @@ class PhiNode extends Definition instanceof SsaImpl::PhiNode {
 
 /** An static single assignment (SSA) definition. */
 class Definition extends SsaImpl::Definition {
-  private Definition getAPhiInputOrPriorDefinition() {
-    result = this.(PhiNode).getAnInput()
-    or
-    SsaImpl::uncertainWriteDefinitionInput(this, result)
-  }
+  // TODO: Include prior definitions of uncertain writes or rename predicate
+  // i.e. the disjunct `SsaImpl::uncertainWriteDefinitionInput(this, result)`
+  private Definition getAPhiInputOrPriorDefinition() { result = this.(PhiNode).getAnInput() }
 
   /**
    * Gets a definition that ultimately defines this SSA definition and is
@@ -1147,36 +1125,6 @@ class Definition extends SsaImpl::Definition {
     not result instanceof PhiNode
   }
 
-  /** Gets an `Operand` that represents a use of this definition. */
-  Operand getAUse() {
-    exists(SourceVariable sv, IRBlock bb, int i, UseImpl use |
-      ssaDefReachesRead(sv, this, bb, i) and
-      use.hasIndexInBlock(bb, i, sv) and
-      result = use.getNode().asOperand()
-    )
-  }
-
-  /**
-   * Gets an `Operand` that represents an indirect use of this definition.
-   *
-   * The use is indirect because the operand represents a pointer that points
-   * to the value written by this definition. For example in:
-   * ```cpp
-   * 1. int x = 42;
-   * 2. int* p = &x;
-   * ```
-   * There is an `ExplicitDefinition` corresponding to `x = 42` on line 1 and
-   * the definition has an indirect use on line 2 because `&x` points to the
-   * value that was defined by the definition.
-   */
-  Operand getAnIndirectUse(int indirectionIndex) {
-    exists(SourceVariable sv, IRBlock bb, int i, UseImpl use |
-      ssaDefReachesRead(sv, this, bb, i) and
-      use.hasIndexInBlock(bb, i, sv) and
-      result = use.getNode().asIndirectOperand(indirectionIndex)
-    )
-  }
-
   /**
    * INTERNAL: Do not use.
    */
@@ -1209,63 +1157,4 @@ class Definition extends SsaImpl::Definition {
   Type getUnspecifiedType() { result = this.getUnderlyingType().getUnspecifiedType() }
 }
 
-/**
- * An SSA definition that corresponds to an explicit definition.
- */
-class ExplicitDefinition extends Definition, SsaImpl::WriteDefinition {
-  DefImpl def;
-
-  ExplicitDefinition() {
-    exists(IRBlock bb, int i, SourceVariable sv |
-      this.definesAt(sv, bb, i) and
-      def.hasIndexInBlock(sv, bb, i)
-    )
-  }
-
-  /**
-   * Gets the `Instruction` computing the value that is written to the
-   * associated SSA variable by this SSA definition.
-   *
-   * If `this.getIndirectionIndex() = 0` (i.e., if `this` is an instance of
-   * `DirectExplicitDefinition`) then the SSA variable is present in the source
-   * code.
-   * However, if `this.getIndirectionIndex() > 0` (i.e., if `this` is an
-   * instance of `IndirectExplicitDefinition`) then the SSA variable associated
-   * with this definition represents the memory pointed to by a variable in the
-   * source code.
-   */
-  Instruction getAssignedInstruction() { result = def.getValue().asInstruction() }
-}
-
-/**
- * An explicit SSA definition that writes an indirect value to a pointer.
- *
- * For example in:
- * ```cpp
- * int x = 42;  // (1)
- * int* p = &x; // (2)
- * ```
- * There are three `ExplicitDefinition`:
- * 1. A `DirectExplicitDefinition` at (1) which writes `42` to the SSA variable
- * corresponding to `x`.
- * 2. A `DirectExplicitDefinition` at (2) which writes `&x` to the SSA variable
- * corresponding to `p`.
- * 3. A `IndirectExplicitDefinition` at (2) which writes `*&x` (i.e., `x`) to
- * the SSA variable corresponding to `*p`.
- */
-class IndirectExplicitDefinition extends ExplicitDefinition {
-  IndirectExplicitDefinition() { this.getIndirectionIndex() > 0 }
-}
-
-/**
- * An SSA definition that corresponds to an explicit definition.
- *
- * Unlike `ExplicitDefinition` this class does not include indirect
- * explicit definition. See `IndirectExplicitDefinition` if you want to include
- * those.
- */
-class DirectExplicitDefinition extends ExplicitDefinition {
-  DirectExplicitDefinition() { this.getIndirectionIndex() = 0 }
-}
-
 import SsaCached

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll

@@ -5,7 +5,7 @@ private import semmle.code.cpp.models.interfaces.DataFlow
 private import semmle.code.cpp.models.interfaces.SideEffect
 private import DataFlowUtil
 private import DataFlowPrivate
-private import SsaImpl as Ssa
+private import SsaInternals as Ssa
 private import semmle.code.cpp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 private import semmle.code.cpp.ir.dataflow.FlowSteps
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/Opcode.qll

@@ -42,7 +42,6 @@ private newtype TOpcode =
   TCompareGT() or
   TCompareLE() or
   TCompareGE() or
-  TSpaceship() or
   TPointerAdd() or
   TPointerSub() or
   TPointerDiff() or
@@ -93,9 +92,7 @@ private newtype TOpcode =
   TUninitializedGroup() or
   TInlineAsm() or
   TUnreached() or
-  TNewObj() or
-  TTypeidExpr() or
-  TTypeidType()
+  TNewObj()
 
 /**
  * An opcode that specifies the operation performed by an `Instruction`.
@@ -766,15 +763,6 @@ module Opcode {
     final override string toString() { result = "CompareGE" }
   }
 
-  /**
-   * The `Opcode` for a `SpaceshipInstruction`.
-   *
-   * See the `SpaceshipInstruction` documentation for more details.
-   */
-  class Spaceship extends BinaryOpcode, TSpaceship {
-    final override string toString() { result = "Spaceship" }
-  }
-
   /**
    * The `Opcode` for a `PointerAddInstruction`.
    *
@@ -1293,29 +1281,4 @@ module Opcode {
   class NewObj extends Opcode, TNewObj {
     final override string toString() { result = "NewObj" }
   }
-
-  /**
-   * The `Opcode` for a `TypeidInstruction`.
-   *
-   * See the `TypeidInstruction` documentation for more details.
-   */
-  abstract class Typeid extends Opcode { }
-
-  /**
-   * The `Opcode` for a `TypeidExprInstruction`.
-   *
-   * See the `TypeidExprInstruction` documentation for more details.
-   */
-  class TypeidExpr extends Typeid, UnaryOpcode, TTypeidExpr {
-    final override string toString() { result = "TypeidExpr" }
-  }
-
-  /**
-   * The `Opcode` for a `TypeidTypeInstruction`.
-   *
-   * See the `TypeidTypeInstruction` documentation for more details.
-   */
-  class TypeidType extends Typeid, TTypeidType {
-    final override string toString() { result = "TypeidType" }
-  }
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -725,20 +725,6 @@ class UninitializedInstruction extends VariableInstruction {
    * Gets the variable that is uninitialized.
    */
   final Language::Variable getLocalVariable() { result = var.(IRUserVariable).getVariable() }
-
-  /**
-   * Gets the operand that provides the address of the location to which the
-   * uninitialized value will be stored.
-   */
-  final AddressOperand getDestinationAddressOperand() { result = this.getAnOperand() }
-
-  /**
-   * Gets the instruction whose result provides the address of the location to
-   * which the value will be stored, if an exact definition is available.
-   */
-  final Instruction getDestinationAddress() {
-    result = this.getDestinationAddressOperand().getDef()
-  }
 }
 
 /**
@@ -1604,13 +1590,6 @@ class CompareGEInstruction extends RelationalInstruction {
   override predicate isStrict() { none() }
 }
 
-/**
- * An instruction that represents a three-way comparison operator.
- */
-class SpaceshipInstruction extends BinaryInstruction {
-  SpaceshipInstruction() { this.getOpcode() instanceof Opcode::Spaceship }
-}
-
 /**
  * An instruction that branches to one of multiple successor instructions based on the value of an
  * integer operand.
@@ -2300,26 +2279,3 @@ class NextVarArgInstruction extends UnaryInstruction {
 class NewObjInstruction extends Instruction {
   NewObjInstruction() { this.getOpcode() instanceof Opcode::NewObj }
 }
-
-/**
- * An instruction that returns the type info for its operand.
- */
-class TypeidInstruction extends Instruction {
-  TypeidInstruction() { this.getOpcode() instanceof Opcode::Typeid }
-}
-
-/**
- * An instruction that returns the type info for its operand, where the
- * operand occurs as an expression in the AST.
- */
-class TypeidExprInstruction extends TypeidInstruction, UnaryInstruction {
-  TypeidExprInstruction() { this.getOpcode() instanceof Opcode::TypeidExpr }
-}
-
-/**
- * An instruction that returns the type info for its operand, where the
- * operand occurs as a type in the AST.
- */
-class TypeidTypeInstruction extends TypeidInstruction {
-  TypeidTypeInstruction() { this.getOpcode() instanceof Opcode::TypeidType }
-}

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingInternal.qll

@@ -43,23 +43,6 @@ newtype TValueNumber =
   } or
   TUniqueValueNumber(IRFunction irFunc, Instruction instr) { uniqueValueNumber(instr, irFunc) }
 
-/**
- * A `ConvertInstruction` which converts data of type `T` to data of type `U`
- * where `T` and `U` only differ in specifiers. For example, if `T` is `int`
- * and `U` is `const T` this is a conversion from a non-const integer to a
- * const integer.
- *
- * Generally, the value number of a converted value is different from the value
- * number of an unconverted value, but conversions which only modify specifiers
- * leave the resulting value bitwise identical to the old value.
- */
-class TypePreservingConvertInstruction extends ConvertInstruction {
-  TypePreservingConvertInstruction() {
-    pragma[only_bind_out](this.getResultType().getUnspecifiedType()) =
-      pragma[only_bind_out](this.getUnary().getResultType().getUnspecifiedType())
-  }
-}
-
 /**
  * A `CopyInstruction` whose source operand's value is congruent to the definition of that source
  * operand.
@@ -233,7 +216,6 @@ private predicate unaryValueNumber(
   not instr instanceof InheritanceConversionInstruction and
   not instr instanceof CopyInstruction and
   not instr instanceof FieldAddressInstruction and
-  not instr instanceof TypePreservingConvertInstruction and
   instr.getOpcode() = opcode and
   tvalueNumber(instr.getUnary()) = operand
 }
@@ -369,10 +351,6 @@ private TValueNumber nonUniqueValueNumber(Instruction instr) {
       or
       // The value number of a copy is just the value number of its source value.
       result = tvalueNumber(instr.(CongruentCopyInstruction).getSourceValue())
-      or
-      // The value number of a type-preserving conversion is just the value
-      // number of the unconverted value.
-      result = tvalueNumber(instr.(TypePreservingConvertInstruction).getUnary())
     )
   )
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll

@@ -725,20 +725,6 @@ class UninitializedInstruction extends VariableInstruction {
    * Gets the variable that is uninitialized.
    */
   final Language::Variable getLocalVariable() { result = var.(IRUserVariable).getVariable() }
-
-  /**
-   * Gets the operand that provides the address of the location to which the
-   * uninitialized value will be stored.
-   */
-  final AddressOperand getDestinationAddressOperand() { result = this.getAnOperand() }
-
-  /**
-   * Gets the instruction whose result provides the address of the location to
-   * which the value will be stored, if an exact definition is available.
-   */
-  final Instruction getDestinationAddress() {
-    result = this.getDestinationAddressOperand().getDef()
-  }
 }
 
 /**
@@ -1604,13 +1590,6 @@ class CompareGEInstruction extends RelationalInstruction {
   override predicate isStrict() { none() }
 }
 
-/**
- * An instruction that represents a three-way comparison operator.
- */
-class SpaceshipInstruction extends BinaryInstruction {
-  SpaceshipInstruction() { this.getOpcode() instanceof Opcode::Spaceship }
-}
-
 /**
  * An instruction that branches to one of multiple successor instructions based on the value of an
  * integer operand.
@@ -2300,26 +2279,3 @@ class NextVarArgInstruction extends UnaryInstruction {
 class NewObjInstruction extends Instruction {
   NewObjInstruction() { this.getOpcode() instanceof Opcode::NewObj }
 }
-
-/**
- * An instruction that returns the type info for its operand.
- */
-class TypeidInstruction extends Instruction {
-  TypeidInstruction() { this.getOpcode() instanceof Opcode::Typeid }
-}
-
-/**
- * An instruction that returns the type info for its operand, where the
- * operand occurs as an expression in the AST.
- */
-class TypeidExprInstruction extends TypeidInstruction, UnaryInstruction {
-  TypeidExprInstruction() { this.getOpcode() instanceof Opcode::TypeidExpr }
-}
-
-/**
- * An instruction that returns the type info for its operand, where the
- * operand occurs as a type in the AST.
- */
-class TypeidTypeInstruction extends TypeidInstruction {
-  TypeidTypeInstruction() { this.getOpcode() instanceof Opcode::TypeidType }
-}

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll

@@ -43,23 +43,6 @@ newtype TValueNumber =
   } or
   TUniqueValueNumber(IRFunction irFunc, Instruction instr) { uniqueValueNumber(instr, irFunc) }
 
-/**
- * A `ConvertInstruction` which converts data of type `T` to data of type `U`
- * where `T` and `U` only differ in specifiers. For example, if `T` is `int`
- * and `U` is `const T` this is a conversion from a non-const integer to a
- * const integer.
- *
- * Generally, the value number of a converted value is different from the value
- * number of an unconverted value, but conversions which only modify specifiers
- * leave the resulting value bitwise identical to the old value.
- */
-class TypePreservingConvertInstruction extends ConvertInstruction {
-  TypePreservingConvertInstruction() {
-    pragma[only_bind_out](this.getResultType().getUnspecifiedType()) =
-      pragma[only_bind_out](this.getUnary().getResultType().getUnspecifiedType())
-  }
-}
-
 /**
  * A `CopyInstruction` whose source operand's value is congruent to the definition of that source
  * operand.
@@ -233,7 +216,6 @@ private predicate unaryValueNumber(
   not instr instanceof InheritanceConversionInstruction and
   not instr instanceof CopyInstruction and
   not instr instanceof FieldAddressInstruction and
-  not instr instanceof TypePreservingConvertInstruction and
   instr.getOpcode() = opcode and
   tvalueNumber(instr.getUnary()) = operand
 }
@@ -369,10 +351,6 @@ private TValueNumber nonUniqueValueNumber(Instruction instr) {
       or
       // The value number of a copy is just the value number of its source value.
       result = tvalueNumber(instr.(CongruentCopyInstruction).getSourceValue())
-      or
-      // The value number of a type-preserving conversion is just the value
-      // number of the unconverted value.
-      result = tvalueNumber(instr.(TypePreservingConvertInstruction).getUnary())
     )
   )
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll

@@ -96,8 +96,7 @@ newtype TInstructionTag =
     exists(Expr e | exists(e.getImplicitDestructorCall(index))) or
     exists(Stmt s | exists(s.getImplicitDestructorCall(index)))
   } or
-  CoAwaitBranchTag() or
-  BoolToIntConversionTag()
+  CoAwaitBranchTag()
 
 class InstructionTag extends TInstructionTag {
   final string toString() { result = getInstructionTagId(this) }
@@ -287,6 +286,4 @@ string getInstructionTagId(TInstructionTag tag) {
   )
   or
   tag = CoAwaitBranchTag() and result = "CoAwaitBranch"
-  or
-  tag = BoolToIntConversionTag() and result = "BoolToIntConversion"
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -509,41 +509,6 @@ predicate hasTranslatedSyntheticTemporaryObject(Expr expr) {
   not expr.hasLValueToRValueConversion()
 }
 
-Opcode comparisonOpcode(ComparisonOperation expr) {
-  expr instanceof EQExpr and result instanceof Opcode::CompareEQ
-  or
-  expr instanceof NEExpr and result instanceof Opcode::CompareNE
-  or
-  expr instanceof LTExpr and result instanceof Opcode::CompareLT
-  or
-  expr instanceof GTExpr and result instanceof Opcode::CompareGT
-  or
-  expr instanceof LEExpr and result instanceof Opcode::CompareLE
-  or
-  expr instanceof GEExpr and result instanceof Opcode::CompareGE
-}
-
-private predicate parentExpectsBool(Expr child) {
-  any(NotExpr notExpr).getOperand() = child
-  or
-  usedAsCondition(child)
-}
-
-/**
- * Holds if `expr` should have a `TranslatedSyntheticBoolToIntConversion` on it.
- */
-predicate hasTranslatedSyntheticBoolToIntConversion(Expr expr) {
-  not ignoreExpr(expr) and
-  not isIRConstant(expr) and
-  not parentExpectsBool(expr) and
-  expr.getUnspecifiedType() instanceof IntType and
-  (
-    expr instanceof NotExpr
-    or
-    exists(comparisonOpcode(expr))
-  )
-}
-
 class StaticInitializedStaticLocalVariable extends StaticLocalVariable {
   StaticInitializedStaticLocalVariable() {
     this.hasInitializer() and
@@ -682,9 +647,6 @@ newtype TTranslatedElement =
   // A temporary object that we had to synthesize ourselves, so that we could do a field access or
   // method call on a prvalue.
   TTranslatedSyntheticTemporaryObject(Expr expr) { hasTranslatedSyntheticTemporaryObject(expr) } or
-  TTranslatedSyntheticBoolToIntConversion(Expr expr) {
-    hasTranslatedSyntheticBoolToIntConversion(expr)
-  } or
   // For expressions that would not otherwise generate an instruction.
   TTranslatedResultCopy(Expr expr) {
     not ignoreExpr(expr) and

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -216,8 +216,7 @@ abstract class TranslatedCoreExpr extends TranslatedExpr {
     not hasTranslatedLoad(expr) and
     not hasTranslatedSyntheticTemporaryObject(expr) and
     // If there's a result copy, then this expression's result is the copy.
-    not exprNeedsCopyIfNotLoaded(expr) and
-    not hasTranslatedSyntheticBoolToIntConversion(expr)
+    not exprNeedsCopyIfNotLoaded(expr)
   }
 }
 
@@ -359,12 +358,11 @@ class TranslatedConditionValue extends TranslatedCoreExpr, ConditionContext,
 }
 
 /**
- * The IR translation of a node synthesized to adjust the value category or type of its operand.
+ * The IR translation of a node synthesized to adjust the value category of its operand.
  * One of:
  * - `TranslatedLoad` - Convert from glvalue to prvalue by loading from the location.
  * - `TranslatedSyntheticTemporaryObject` - Convert from prvalue to glvalue by storing to a
  *   temporary variable.
- * - `TranslatedSyntheticBoolToIntConversion` - Convert a prvalue Boolean to a prvalue integer.
  */
 abstract class TranslatedValueCategoryAdjustment extends TranslatedExpr {
   final override Instruction getFirstInstruction(EdgeKind kind) {
@@ -515,45 +513,6 @@ class TranslatedSyntheticTemporaryObject extends TranslatedValueCategoryAdjustme
   }
 }
 
-class TranslatedSyntheticBoolToIntConversion extends TranslatedValueCategoryAdjustment,
-  TTranslatedSyntheticBoolToIntConversion
-{
-  TranslatedSyntheticBoolToIntConversion() { this = TTranslatedSyntheticBoolToIntConversion(expr) }
-
-  override string toString() { result = "Bool-to-int conversion of " + expr.toString() }
-
-  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
-    opcode instanceof Opcode::Convert and
-    tag = BoolToIntConversionTag() and
-    resultType = getIntType()
-  }
-
-  override predicate isResultGLValue() { none() }
-
-  override Instruction getInstructionSuccessorInternal(InstructionTag tag, EdgeKind kind) {
-    tag = BoolToIntConversionTag() and
-    result = this.getParent().getChildSuccessor(this, kind)
-  }
-
-  override Instruction getALastInstructionInternal() {
-    result = this.getInstruction(BoolToIntConversionTag())
-  }
-
-  override Instruction getChildSuccessorInternal(TranslatedElement child, EdgeKind kind) {
-    child = this.getOperand() and
-    result = this.getInstruction(BoolToIntConversionTag()) and
-    kind instanceof GotoEdge
-  }
-
-  override Instruction getResult() { result = this.getInstruction(BoolToIntConversionTag()) }
-
-  override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
-    tag = BoolToIntConversionTag() and
-    operandTag instanceof UnaryOperandTag and
-    result = this.getOperand().getResult()
-  }
-}
-
 /**
  * IR translation of an expression that simply returns its result. We generate an otherwise useless
  * `CopyValue` instruction for these expressions so that there is at least one instruction
@@ -1835,9 +1794,18 @@ private Opcode binaryArithmeticOpcode(BinaryArithmeticOperation expr) {
   expr instanceof PointerDiffExpr and result instanceof Opcode::PointerDiff
 }
 
-private Opcode spaceShipOpcode(SpaceshipExpr expr) {
-  exists(expr) and
-  result instanceof Opcode::Spaceship
+private Opcode comparisonOpcode(ComparisonOperation expr) {
+  expr instanceof EQExpr and result instanceof Opcode::CompareEQ
+  or
+  expr instanceof NEExpr and result instanceof Opcode::CompareNE
+  or
+  expr instanceof LTExpr and result instanceof Opcode::CompareLT
+  or
+  expr instanceof GTExpr and result instanceof Opcode::CompareGT
+  or
+  expr instanceof LEExpr and result instanceof Opcode::CompareLE
+  or
+  expr instanceof GEExpr and result instanceof Opcode::CompareGE
 }
 
 /**
@@ -1899,8 +1867,7 @@ class TranslatedBinaryOperation extends TranslatedSingleInstructionExpr {
   override Opcode getOpcode() {
     result = binaryArithmeticOpcode(expr) or
     result = binaryBitwiseOpcode(expr) or
-    result = comparisonOpcode(expr) or
-    result = spaceShipOpcode(expr)
+    result = comparisonOpcode(expr)
   }
 
   override Type getExprType() {
@@ -4179,8 +4146,7 @@ predicate exprNeedsCopyIfNotLoaded(Expr expr) {
 private predicate exprImmediatelyDiscarded(Expr expr) {
   exists(ExprStmt s |
     s = expr.getParent() and
-    not exists(StmtExpr se | s = se.getStmt().(BlockStmt).getLastStmt()) and
-    not exists(expr.getConversion())
+    not exists(StmtExpr se | s = se.getStmt().(BlockStmt).getLastStmt())
   )
   or
   exists(CommaExpr c | c.getLeftOperand() = expr)
@@ -4218,52 +4184,3 @@ class TranslatedAssumeExpr extends TranslatedSingleInstructionExpr {
     none()
   }
 }
-
-class TranslatedTypeidExpr extends TranslatedSingleInstructionExpr {
-  override TypeidOperator expr;
-
-  final override Opcode getOpcode() {
-    exists(this.getOperand()) and
-    result instanceof Opcode::TypeidExpr
-    or
-    not exists(this.getOperand()) and
-    result instanceof Opcode::TypeidType
-  }
-
-  final override Instruction getFirstInstruction(EdgeKind kind) {
-    result = this.getOperand().getFirstInstruction(kind)
-    or
-    not exists(this.getOperand()) and
-    result = this.getInstruction(OnlyInstructionTag()) and
-    kind instanceof GotoEdge
-  }
-
-  override Instruction getALastInstructionInternal() {
-    result = this.getInstruction(OnlyInstructionTag())
-  }
-
-  final override TranslatedElement getChildInternal(int id) {
-    id = 0 and result = this.getOperand()
-  }
-
-  final override Instruction getInstructionSuccessorInternal(InstructionTag tag, EdgeKind kind) {
-    tag = OnlyInstructionTag() and
-    result = this.getParent().getChildSuccessor(this, kind)
-  }
-
-  final override Instruction getChildSuccessorInternal(TranslatedElement child, EdgeKind kind) {
-    child = this.getOperand() and
-    result = this.getInstruction(OnlyInstructionTag()) and
-    kind instanceof GotoEdge
-  }
-
-  final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
-    tag = OnlyInstructionTag() and
-    result = this.getOperand().getResult() and
-    operandTag instanceof UnaryOperandTag
-  }
-
-  private TranslatedExpr getOperand() {
-    result = getTranslatedExpr(expr.getExpr().getFullyConverted())
-  }
-}

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll

@@ -725,20 +725,6 @@ class UninitializedInstruction extends VariableInstruction {
    * Gets the variable that is uninitialized.
    */
   final Language::Variable getLocalVariable() { result = var.(IRUserVariable).getVariable() }
-
-  /**
-   * Gets the operand that provides the address of the location to which the
-   * uninitialized value will be stored.
-   */
-  final AddressOperand getDestinationAddressOperand() { result = this.getAnOperand() }
-
-  /**
-   * Gets the instruction whose result provides the address of the location to
-   * which the value will be stored, if an exact definition is available.
-   */
-  final Instruction getDestinationAddress() {
-    result = this.getDestinationAddressOperand().getDef()
-  }
 }
 
 /**
@@ -1604,13 +1590,6 @@ class CompareGEInstruction extends RelationalInstruction {
   override predicate isStrict() { none() }
 }
 
-/**
- * An instruction that represents a three-way comparison operator.
- */
-class SpaceshipInstruction extends BinaryInstruction {
-  SpaceshipInstruction() { this.getOpcode() instanceof Opcode::Spaceship }
-}
-
 /**
  * An instruction that branches to one of multiple successor instructions based on the value of an
  * integer operand.
@@ -2300,26 +2279,3 @@ class NextVarArgInstruction extends UnaryInstruction {
 class NewObjInstruction extends Instruction {
   NewObjInstruction() { this.getOpcode() instanceof Opcode::NewObj }
 }
-
-/**
- * An instruction that returns the type info for its operand.
- */
-class TypeidInstruction extends Instruction {
-  TypeidInstruction() { this.getOpcode() instanceof Opcode::Typeid }
-}
-
-/**
- * An instruction that returns the type info for its operand, where the
- * operand occurs as an expression in the AST.
- */
-class TypeidExprInstruction extends TypeidInstruction, UnaryInstruction {
-  TypeidExprInstruction() { this.getOpcode() instanceof Opcode::TypeidExpr }
-}
-
-/**
- * An instruction that returns the type info for its operand, where the
- * operand occurs as a type in the AST.
- */
-class TypeidTypeInstruction extends TypeidInstruction {
-  TypeidTypeInstruction() { this.getOpcode() instanceof Opcode::TypeidType }
-}

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll

@@ -43,23 +43,6 @@ newtype TValueNumber =
   } or
   TUniqueValueNumber(IRFunction irFunc, Instruction instr) { uniqueValueNumber(instr, irFunc) }
 
-/**
- * A `ConvertInstruction` which converts data of type `T` to data of type `U`
- * where `T` and `U` only differ in specifiers. For example, if `T` is `int`
- * and `U` is `const T` this is a conversion from a non-const integer to a
- * const integer.
- *
- * Generally, the value number of a converted value is different from the value
- * number of an unconverted value, but conversions which only modify specifiers
- * leave the resulting value bitwise identical to the old value.
- */
-class TypePreservingConvertInstruction extends ConvertInstruction {
-  TypePreservingConvertInstruction() {
-    pragma[only_bind_out](this.getResultType().getUnspecifiedType()) =
-      pragma[only_bind_out](this.getUnary().getResultType().getUnspecifiedType())
-  }
-}
-
 /**
  * A `CopyInstruction` whose source operand's value is congruent to the definition of that source
  * operand.
@@ -233,7 +216,6 @@ private predicate unaryValueNumber(
   not instr instanceof InheritanceConversionInstruction and
   not instr instanceof CopyInstruction and
   not instr instanceof FieldAddressInstruction and
-  not instr instanceof TypePreservingConvertInstruction and
   instr.getOpcode() = opcode and
   tvalueNumber(instr.getUnary()) = operand
 }
@@ -369,10 +351,6 @@ private TValueNumber nonUniqueValueNumber(Instruction instr) {
       or
       // The value number of a copy is just the value number of its source value.
       result = tvalueNumber(instr.(CongruentCopyInstruction).getSourceValue())
-      or
-      // The value number of a type-preserving conversion is just the value
-      // number of the unconverted value.
-      result = tvalueNumber(instr.(TypePreservingConvertInstruction).getUnary())
     )
   )
 }

cpp/ql/lib/semmle/code/cpp/security/FunctionWithWrappers.qll

@@ -17,6 +17,7 @@
 
 import cpp
 import PrintfLike
+private import semmle.code.cpp.ir.dataflow.ResolveCall
 
 bindingset[index]
 private string toCause(Function func, int index) {
@@ -36,9 +37,9 @@ private predicate wrapperFunctionStep(
   not target.isVirtual() and
   not source.isVirtual() and
   source.hasDefinition() and
-  exists(FunctionCall call, Expr arg, Parameter sourceParam |
+  exists(Call call, Expr arg, Parameter sourceParam |
     // there is a 'call' to 'target' with argument 'arg' at index 'targetParamIndex'
-    target = call.getTarget() and
+    target = resolveCall(call) and
     arg = call.getArgument(targetParamIndex) and
     // 'call' is enclosed in 'source'
     source = call.getEnclosingFunction() and
@@ -153,8 +154,8 @@ abstract class FunctionWithWrappers extends Function {
    * Whether 'arg' is an argument in a call to an outermost wrapper function of 'this' function.
    */
   predicate outermostWrapperFunctionCall(Expr arg, string callChain) {
-    exists(Function targetFunc, FunctionCall call, int argIndex |
-      targetFunc = call.getTarget() and
+    exists(Function targetFunc, Call call, int argIndex |
+      targetFunc = resolveCall(call) and
       this.wrapperFunction(targetFunc, argIndex, callChain) and
       (
         exists(Function sourceFunc | sourceFunc = call.getEnclosingFunction() |

cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll

@@ -53,12 +53,44 @@
 
 private import cpp
 private import semmle.code.cpp.ir.dataflow.internal.ProductFlow
-private import semmle.code.cpp.security.ProductFlowUtils.ProductFlowUtils
 private import semmle.code.cpp.ir.ValueNumbering
 private import semmle.code.cpp.controlflow.IRGuards
 private import codeql.util.Unit
 private import semmle.code.cpp.rangeanalysis.new.RangeAnalysisUtil
 
+private VariableAccess getAVariableAccess(Expr e) { e.getAChild*() = result }
+
+/**
+ * Gets a (sub)expression that may be the result of evaluating `size`.
+ *
+ * For example, `getASizeCandidate(a ? b : c)` gives `a ? b : c`, `b` and `c`.
+ */
+bindingset[size]
+pragma[inline_late]
+private Expr getASizeCandidate(Expr size) {
+  result = size
+  or
+  result = [size.(ConditionalExpr).getThen(), size.(ConditionalExpr).getElse()]
+}
+
+/**
+ * Holds if the `(n, state)` pair represents the source of flow for the size
+ * expression associated with `alloc`.
+ */
+predicate hasSize(HeuristicAllocationExpr alloc, DataFlow::Node n, int state) {
+  exists(VariableAccess va, Expr size, int delta, Expr s |
+    size = alloc.getSizeExpr() and
+    s = getASizeCandidate(size) and
+    // Get the unique variable in a size expression like `x` in `malloc(x + 1)`.
+    va = unique( | | getAVariableAccess(s)) and
+    // Compute `delta` as the constant difference between `x` and `x + 1`.
+    bounded1(any(Instruction instr | instr.getUnconvertedResultExpression() = s),
+      any(LoadInstruction load | load.getUnconvertedResultExpression() = va), delta) and
+    n.asExpr() = va and
+    state = delta
+  )
+}
+
 /**
  * Gets the virtual dispatch branching limit when calculating field flow while searching
  * for flow from an allocation to the construction of an out-of-bounds pointer.
@@ -68,6 +100,125 @@ private import semmle.code.cpp.rangeanalysis.new.RangeAnalysisUtil
  */
 int allocationToInvalidPointerFieldFlowBranchLimit() { result = 0 }
 
+/**
+ * A module that encapsulates a barrier guard to remove false positives from flow like:
+ * ```cpp
+ * char *p = new char[size];
+ * // ...
+ * unsigned n = size;
+ * // ...
+ * if(n < size) {
+ *   use(*p[n]);
+ * }
+ * ```
+ * In this case, the sink pair identified by the product flow library (without any additional barriers)
+ * would be `(p, n)` (where `n` is the `n` in `p[n]`), because there exists a pointer-arithmetic
+ * instruction `pai = a + b` such that:
+ * 1. the allocation flows to `a`, and
+ * 2. `b <= n` where `n` is the `n` in `p[n]`
+ * but because there's a strict comparison that compares `n` against the size of the allocation this
+ * snippet is fine.
+ */
+private module SizeBarrier {
+  private module SizeBarrierConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) {
+      // The sources is the same as in the sources for the second
+      // projection in the `AllocToInvalidPointerConfig` module.
+      hasSize(_, source, _) and
+      InterestingPointerAddInstruction::isInterestingSize(source)
+    }
+
+    int fieldFlowBranchLimit() { result = allocationToInvalidPointerFieldFlowBranchLimit() }
+
+    /**
+     * Holds if `small <= large + k` holds if `g` evaluates to `testIsTrue`.
+     */
+    additional predicate isSink(
+      DataFlow::Node small, DataFlow::Node large, IRGuardCondition g, int k, boolean testIsTrue
+    ) {
+      // The sink is any "large" side of a relational comparison. i.e., the `large` expression
+      // in a guard such as `small <= large + k`.
+      g.comparesLt(small.asOperand(), large.asOperand(), k + 1, true, testIsTrue)
+    }
+
+    predicate isSink(DataFlow::Node sink) { isSink(_, sink, _, _, _) }
+  }
+
+  module SizeBarrierFlow = DataFlow::Global<SizeBarrierConfig>;
+
+  private int getASizeAddend(DataFlow::Node node) {
+    exists(DataFlow::Node source |
+      SizeBarrierFlow::flow(source, node) and
+      hasSize(_, source, result)
+    )
+  }
+
+  /**
+   * Holds if `small <= large + k` holds if `g` evaluates to `edge`.
+   */
+  private predicate operandGuardChecks(
+    IRGuardCondition g, Operand small, DataFlow::Node large, int k, boolean edge
+  ) {
+    SizeBarrierFlow::flowTo(large) and
+    SizeBarrierConfig::isSink(DataFlow::operandNode(small), large, g, k, edge)
+  }
+
+  /**
+   * Gets an instruction `instr` that is guarded by a check such as `instr <= small + delta` where
+   * `small <= _ + k` and `small` is the "small side" of of a relational comparison that checks
+   * whether `small <= size` where `size` is the size of an allocation.
+   */
+  Instruction getABarrierInstruction0(int delta, int k) {
+    exists(
+      IRGuardCondition g, ValueNumber value, Operand small, boolean edge, DataFlow::Node large
+    |
+      // We know:
+      // 1. result <= value + delta (by `bounded`)
+      // 2. value <= large + k (by `operandGuardChecks`).
+      // So:
+      // result <= value + delta (by 1.)
+      //        <= large + k + delta (by 2.)
+      small = value.getAUse() and
+      operandGuardChecks(pragma[only_bind_into](g), pragma[only_bind_into](small), large,
+        pragma[only_bind_into](k), pragma[only_bind_into](edge)) and
+      bounded(result, value.getAnInstruction(), delta) and
+      g.controls(result.getBlock(), edge) and
+      k < getASizeAddend(large)
+    )
+  }
+
+  /**
+   * Gets an instruction that is guarded by a guard condition which ensures that
+   * the value of the instruction is upper-bounded by size of some allocation.
+   */
+  bindingset[state]
+  pragma[inline_late]
+  Instruction getABarrierInstruction(int state) {
+    exists(int delta, int k |
+      state > k + delta and
+      // result <= "size of allocation" + delta + k
+      //        < "size of allocation" + state
+      result = getABarrierInstruction0(delta, k)
+    )
+  }
+
+  /**
+   * Gets a `DataFlow::Node` that is guarded by a guard condition which ensures that
+   * the value of the node is upper-bounded by size of some allocation.
+   */
+  DataFlow::Node getABarrierNode(int state) {
+    exists(DataFlow::Node source, int delta, int k |
+      SizeBarrierFlow::flow(source, result) and
+      hasSize(_, source, state) and
+      result.asInstruction() = SizeBarrier::getABarrierInstruction0(delta, k) and
+      state > k + delta
+      // so now we have:
+      // result <= "size of allocation" + delta + k
+      //        < "size of allocation" + state
+    )
+  }
+}
+
 private module InterestingPointerAddInstruction {
   private module PointerAddInstructionConfig implements DataFlow::ConfigSig {
     predicate isSource(DataFlow::Node source) {
@@ -76,7 +227,7 @@ private module InterestingPointerAddInstruction {
       hasSize(source.asExpr(), _, _)
     }
 
-    predicate fieldFlowBranchLimit = allocationToInvalidPointerFieldFlowBranchLimit/0;
+    int fieldFlowBranchLimit() { result = allocationToInvalidPointerFieldFlowBranchLimit() }
 
     predicate isSink(DataFlow::Node sink) {
       sink.asInstruction() = any(PointerAddInstruction pai).getLeft()
@@ -112,17 +263,6 @@ private module InterestingPointerAddInstruction {
   }
 }
 
-private module SizeBarrierInput implements SizeBarrierInputSig {
-  predicate fieldFlowBranchLimit = allocationToInvalidPointerFieldFlowBranchLimit/0;
-
-  predicate isSource(DataFlow::Node source) {
-    // The sources is the same as in the sources for the second
-    // projection in the `AllocToInvalidPointerConfig` module.
-    hasSize(_, source, _) and
-    InterestingPointerAddInstruction::isInterestingSize(source)
-  }
-}
-
 /**
  * A product-flow configuration for flow from an `(allocation, size)` pair to a
  * pointer-arithmetic operation `pai` such that `pai <= allocation + size`.
@@ -161,7 +301,7 @@ private module Config implements ProductFlow::StateConfigSig {
   private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
 
   predicate isBarrier2(DataFlow::Node node, FlowState2 state) {
-    node = SizeBarrier<SizeBarrierInput>::getABarrierNode(state)
+    node = SizeBarrier::getABarrierNode(state)
   }
 
   predicate isBarrier2(DataFlow::Node node) {
@@ -217,8 +357,8 @@ private predicate pointerAddInstructionHasBounds0(
     sizeInstr = sizeSink.asInstruction() and
     // pai.getRight() <= sizeSink + delta
     bounded1(right, sizeInstr, delta) and
-    not right = SizeBarrier<SizeBarrierInput>::getABarrierInstruction(delta) and
-    not sizeInstr = SizeBarrier<SizeBarrierInput>::getABarrierInstruction(delta)
+    not right = SizeBarrier::getABarrierInstruction(delta) and
+    not sizeInstr = SizeBarrier::getABarrierInstruction(delta)
   )
 }
 

cpp/ql/lib/semmle/code/cpp/security/ProductFlowUtils/ProductFlowUtils.qll

@@ -1,167 +0,0 @@
-/**
- * This file provides the `SizeBarrier` module which provides barriers for
- * both the `cpp/invalid-pointer-deref` query and the `cpp/overrun-write`
- * query.
- */
-
-private import cpp
-private import semmle.code.cpp.dataflow.new.DataFlow
-private import semmle.code.cpp.ir.ValueNumbering
-private import semmle.code.cpp.controlflow.IRGuards
-private import semmle.code.cpp.rangeanalysis.new.RangeAnalysisUtil
-
-private VariableAccess getAVariableAccess(Expr e) { e.getAChild*() = result }
-
-/**
- * Gets a (sub)expression that may be the result of evaluating `size`.
- *
- * For example, `getASizeCandidate(a ? b : c)` gives `a ? b : c`, `b` and `c`.
- */
-bindingset[size]
-pragma[inline_late]
-private Expr getASizeCandidate(Expr size) {
-  result = size
-  or
-  result = [size.(ConditionalExpr).getThen(), size.(ConditionalExpr).getElse()]
-}
-
-/**
- * Holds if the `(n, state)` pair represents the source of flow for the size
- * expression associated with `alloc`.
- */
-predicate hasSize(HeuristicAllocationExpr alloc, DataFlow::Node n, int state) {
-  exists(VariableAccess va, Expr size, int delta, Expr s |
-    size = alloc.getSizeExpr() and
-    s = getASizeCandidate(size) and
-    // Get the unique variable in a size expression like `x` in `malloc(x + 1)`.
-    va = unique( | | getAVariableAccess(s)) and
-    // Compute `delta` as the constant difference between `x` and `x + 1`.
-    bounded1(any(Instruction instr | instr.getUnconvertedResultExpression() = s),
-      any(LoadInstruction load | load.getUnconvertedResultExpression() = va), delta) and
-    n.asExpr() = va and
-    state = delta
-  )
-}
-
-/** Provides the input specification of the `SizeBarrier` module. */
-signature module SizeBarrierInputSig {
-  /** Gets the virtual dispatch branching limit when calculating field flow. */
-  int fieldFlowBranchLimit();
-
-  /** Holds if `source` is a relevant data flow source. */
-  predicate isSource(DataFlow::Node source);
-}
-
-/**
- * A module that encapsulates a barrier guard to remove false positives from flow like:
- * ```cpp
- * char *p = new char[size];
- * // ...
- * unsigned n = size;
- * // ...
- * if(n < size) {
- *   use(*p[n]);
- * }
- * ```
- * In this case, the sink pair identified by the product flow library (without any additional barriers)
- * would be `(p, n)` (where `n` is the `n` in `p[n]`), because there exists a pointer-arithmetic
- * instruction `pai = a + b` such that:
- * 1. the allocation flows to `a`, and
- * 2. `b <= n` where `n` is the `n` in `p[n]`
- * but because there's a strict comparison that compares `n` against the size of the allocation this
- * snippet is fine.
- */
-module SizeBarrier<SizeBarrierInputSig Input> {
-  private module SizeBarrierConfig implements DataFlow::ConfigSig {
-    predicate isSource = Input::isSource/1;
-
-    predicate fieldFlowBranchLimit = Input::fieldFlowBranchLimit/0;
-
-    /**
-     * Holds if `small <= large + k` holds if `g` evaluates to `testIsTrue`.
-     */
-    additional predicate isSink(
-      DataFlow::Node small, DataFlow::Node large, IRGuardCondition g, int k, boolean testIsTrue
-    ) {
-      // The sink is any "large" side of a relational comparison. i.e., the `large` expression
-      // in a guard such as `small <= large + k`.
-      g.comparesLt(small.asOperand(), large.asOperand(), k + 1, true, testIsTrue)
-    }
-
-    predicate isSink(DataFlow::Node sink) { isSink(_, sink, _, _, _) }
-  }
-
-  private module SizeBarrierFlow = DataFlow::Global<SizeBarrierConfig>;
-
-  private int getASizeAddend(DataFlow::Node node) {
-    exists(DataFlow::Node source |
-      SizeBarrierFlow::flow(source, node) and
-      hasSize(_, source, result)
-    )
-  }
-
-  /**
-   * Holds if `small <= large + k` holds if `g` evaluates to `edge`.
-   */
-  private predicate operandGuardChecks(
-    IRGuardCondition g, Operand small, DataFlow::Node large, int k, boolean edge
-  ) {
-    SizeBarrierFlow::flowTo(large) and
-    SizeBarrierConfig::isSink(DataFlow::operandNode(small), large, g, k, edge)
-  }
-
-  /**
-   * Gets an instruction `instr` that is guarded by a check such as `instr <= small + delta` where
-   * `small <= _ + k` and `small` is the "small side" of a relational comparison that checks
-   * whether `small <= size` where `size` is the size of an allocation.
-   */
-  private Instruction getABarrierInstruction0(int delta, int k) {
-    exists(
-      IRGuardCondition g, ValueNumber value, Operand small, boolean edge, DataFlow::Node large
-    |
-      // We know:
-      // 1. result <= value + delta (by `bounded`)
-      // 2. value <= large + k (by `operandGuardChecks`).
-      // So:
-      // result <= value + delta (by 1.)
-      //        <= large + k + delta (by 2.)
-      small = value.getAUse() and
-      operandGuardChecks(pragma[only_bind_into](g), pragma[only_bind_into](small), large,
-        pragma[only_bind_into](k), pragma[only_bind_into](edge)) and
-      bounded(result, value.getAnInstruction(), delta) and
-      g.controls(result.getBlock(), edge) and
-      k < getASizeAddend(large)
-    )
-  }
-
-  /**
-   * Gets an instruction that is guarded by a guard condition which ensures that
-   * the value of the instruction is upper-bounded by size of some allocation.
-   */
-  bindingset[state]
-  pragma[inline_late]
-  Instruction getABarrierInstruction(int state) {
-    exists(int delta, int k |
-      state > k + delta and
-      // result <= "size of allocation" + delta + k
-      //        < "size of allocation" + state
-      result = getABarrierInstruction0(delta, k)
-    )
-  }
-
-  /**
-   * Gets a `DataFlow::Node` that is guarded by a guard condition which ensures that
-   * the value of the node is upper-bounded by size of some allocation.
-   */
-  DataFlow::Node getABarrierNode(int state) {
-    exists(DataFlow::Node source, int delta, int k |
-      SizeBarrierFlow::flow(source, result) and
-      hasSize(_, source, state) and
-      result.asInstruction() = getABarrierInstruction0(delta, k) and
-      state > k + delta
-      // so now we have:
-      // result <= "size of allocation" + delta + k
-      //        < "size of allocation" + state
-    )
-  }
-}

cpp/ql/src/Best Practices/SloppyGlobal.ql

@@ -14,9 +14,6 @@ import semmle.code.cpp.ConfigurationTestFile
 from GlobalVariable gv
 where
   gv.getName().length() <= 3 and
-  // We will give an alert for the TemplateVariable, so we don't
-  // need to also give one for each instantiation
-  not gv instanceof VariableTemplateInstantiation and
   not gv.isStatic() and
   not gv.getFile() instanceof ConfigurationTestFile // variables in files generated during configuration are likely false positives
 select gv,

cpp/ql/src/CHANGELOG.md

@@ -1,34 +1,8 @@
-## 1.4.6
-
-### Minor Analysis Improvements
-
-* The `cpp/short-global-name` query will no longer give alerts for instantiations of template variables, only for the template itself.
-* Fixed a false positive in `cpp/overflow-buffer` when the type of the destination buffer is a reference to a class/struct type.
-
-## 1.4.5
-
-### Minor Analysis Improvements
-
-* The "Initialization code not run" query (`cpp/initialization-not-run`) no longer reports an alert on static global variables that have no dereference.
-
-## 1.4.4
-
-### Minor Analysis Improvements
-
-* Due to changes in the `FunctionWithWrappers` library (`semmle.code.cpp.security.FunctionWithWrappers`) the primary alert location generated by the queries `cpp/path-injection`, `cpp/sql-injection`, `cpp/tainted-format-string`, and `cpp/command-line-injection` may have changed.
-* Added flow models for the Win32 API functions `CreateThread`, `CreateRemoteThread`, and `CreateRemoteThreadEx`.
-* Improved support for dataflow through function objects and lambda expressions.
-* Added flow models for `pthread_create` and `std::thread`.
-* The `cpp/incorrect-string-type-conversion` query no longer alerts on incorrect type conversions that occur in unreachable code.
-* Added flow models for the GNU C Library.
-* Fixed a number of false positives and false negatives in `cpp/global-use-before-init`. Note that this query is not part of any of the default query suites.
-* The query `cpp/sql-injection` now can be extended using the `sql-injection` Models as Data (MaD) sink kind.
-
 ## 1.4.3
 
 ### Minor Analysis Improvements
 
-* Added flow models for the following libraries: `madler/zlib`, `google/brotli`, `libidn/libidn2`, `libssh2/libssh2`, `nghttp2/nghttp2`, `libuv/libuv`, and `curl/curl`. This may result in more alerts when running queries on codebases that use these libraries.
+* Added flow model for the following libraries: `madler/zlib`, `google/brotli`, `libidn/libidn2`, `libssh2/libssh2/`, `nghttp2/nghttp2`, `libuv/libuv/`, and `curl/curl`. This may result in more alerts when running queries on codebases that use these libraries.
 
 ## 1.4.2
 
@@ -38,7 +12,7 @@ No user-facing changes.
 
 ### Minor Analysis Improvements
 
-* Added flow models for the `SQLite` and `OpenSSL` libraries. This may result in more alerts when running queries on codebases that use these libraries.
+* Added flow model for the `SQLite` and `OpenSSL` libraries. This may result in more alerts when running queries on codebases that use these libraries.
 
 ## 1.4.0
 

cpp/ql/src/Critical/InitialisationNotRun.ql

@@ -32,18 +32,9 @@ predicate called(Function f) {
   exists(FunctionAccess fa | fa.getTarget() = f)
 }
 
-predicate staticWithoutDereference(GlobalVariable v) {
-  v.isStatic() and
-  not exists(VariableAccess va |
-    va = v.getAnAccess() and
-    dereferenced(va)
-  )
-}
-
 from GlobalVariable v
 where
   global(v) and
-  not staticWithoutDereference(v) and
   not exists(VariableAccess lval |
     v.getAnAccess() = lval and
     lval.isUsedAsLValue() and

cpp/ql/src/Critical/OverflowDestination.ql

@@ -82,16 +82,6 @@ module OverflowDestinationConfig implements DataFlow::ConfigSig {
       nodeIsBarrierEqualityCandidate(node, access, checkedVar)
     )
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
-
-  Location getASelectedSinkLocation(DataFlow::Node sink) {
-    exists(FunctionCall fc | result = fc.getLocation() |
-      sourceSized(fc, sink.asIndirectConvertedExpr())
-    )
-  }
 }
 
 module OverflowDestination = TaintTracking::Global<OverflowDestinationConfig>;

cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql

@@ -168,19 +168,6 @@ module NonConstFlowConfig implements DataFlow::ConfigSig {
       cannotContainString(t)
     )
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
-
-  Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    exists(FormattingFunctionCall call, Expr formatString | result = call.getLocation() |
-      isSinkImpl(sink, formatString) and
-      call.getArgument(call.getFormatParameterIndex()) = formatString
-    )
-  }
 }
 
 module NonConstFlow = TaintTracking::Global<NonConstFlowConfig>;

cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll

@@ -215,10 +215,6 @@ private module LeapYearCheckConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     exists(ChecksForLeapYearFunctionCall fc | sink.asExpr() = fc.getAnArgument())
   }
-
-  predicate observeDiffInformedIncrementalMode() {
-    none() // only used negatively in UncheckedLeapYearAfterYearModification.ql
-  }
 }
 
 module LeapYearCheckFlow = DataFlow::Global<LeapYearCheckConfig>;
@@ -289,14 +285,6 @@ private module PossibleYearArithmeticOperationCheckConfig implements DataFlow::C
       aexpr.getLValue() = fa
     )
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node source) {
-    result = source.asExpr().getLocation()
-  }
-
-  Location getASelectedSinkLocation(DataFlow::Node sink) { result = sink.asExpr().getLocation() }
 }
 
 module PossibleYearArithmeticOperationCheckFlow =

cpp/ql/src/Metrics/Classes/CNumberOfFunctions.qhelp

@@ -49,16 +49,21 @@ need to be part of the class. (A classic example of this is the
 observes, there are at least two key problems with this approach:
 
 
-<i>1. It may be possible to generalize some of the utility functions beyond the
+<ul>
+<li>
+It may be possible to generalize some of the utility functions beyond the
 narrow context of the class in question -- by bundling them with the class,
 the class author reduces the scope for functionality reuse.
+</li>
 
-2. It's usually impossible for the class author to know every possible
+<li>
+It's usually impossible for the class author to know every possible
 operation that the user might want to perform on the class, so the public
 interface will inherently be incomplete. New utility functions will end up
 having a different syntax to the privileged public functions in the class,
 negatively impacting on code consistency.
-</i>
+</li>
+</ul>
 
 To refactor a class like this, simply move its utility functions elsewhere,
 paring its public interface down to the bare minimum.

cpp/ql/src/Metrics/Classes/CSizeOfAPI.qhelp

@@ -46,17 +46,21 @@ need to be part of the class. (A classic example of this is the
 <code>std::string</code> class in the C++ Standard Library.) As [Sutter]
 observes, there are at least two key problems with this approach:
 
-<i>
-1. It may be possible to generalize some of the utility functions beyond the
+<ul>
+<li>
+It may be possible to generalize some of the utility functions beyond the
 narrow context of the class in question -- by bundling them with the class,
 the class author reduces the scope for functionality reuse.
+</li>
 
-2. It's usually impossible for the class author to know every possible
+<li>
+It's usually impossible for the class author to know every possible
 operation that the user might want to perform on the class, so the public
 interface will inherently be incomplete. New utility functions will end up
 having a different syntax to the privileged public functions in the class,
 negatively impacting on code consistency.
-</i>
+</li>
+</ul>
 
 To refactor a class like this, simply move its utility functions elsewhere,
 paring its public interface down to the bare minimum.

cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql

@@ -93,12 +93,6 @@ module TaintedPathConfig implements DataFlow::ConfigSig {
     // make sinks barriers so that we only report the closest instance
     isSink(node)
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.asIndirectArgument().getLocation()
-  }
 }
 
 module TaintedPath = TaintTracking::Global<TaintedPathConfig>;

cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql

@@ -150,17 +150,6 @@ module ExecTaintConfig implements DataFlow::StateConfigSig {
   predicate isBarrierOut(DataFlow::Node node) {
     isSink(node, _) // Prevent duplicates along a call chain, since `shellCommand` will include wrappers
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSinkLocation(DataFlow::Node sink) {
-    exists(DataFlow::Node concatResult, Expr command, ExecState state |
-      result = [concatResult.getLocation(), command.getLocation()] and
-      isSink(sink, state) and
-      isSinkImpl(sink, command, _) and
-      concatResult = state.getOutgoingNode()
-    )
-  }
 }
 
 module ExecTaint = TaintTracking::GlobalWithState<ExecTaintConfig>;

cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql

@@ -39,12 +39,6 @@ module Config implements DataFlow::ConfigSig {
     or
     node.asCertainDefinition().getUnspecifiedType() instanceof ArithmeticType
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node source) {
-    exists(QueryString query | result = query.getLocation() | query = source.asIndirectExpr())
-  }
 }
 
 module Flow = TaintTracking::Global<Config>;

cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql

@@ -54,12 +54,6 @@ module SqlTaintedConfig implements DataFlow::ConfigSig {
       sql.barrierSqlArgument(input, _)
     )
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSinkLocation(DataFlow::Node sink) {
-    exists(Expr taintedArg | result = taintedArg.getLocation() | taintedArg = asSinkExpr(sink))
-  }
 }
 
 module SqlTainted = TaintTracking::Global<SqlTaintedConfig>;

cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql

@@ -23,7 +23,7 @@ predicate isProcessOperationExplanation(DataFlow::Node arg, string processOperat
   exists(int processOperationArg, FunctionCall call |
     isProcessOperationArgument(processOperation, processOperationArg) and
     call.getTarget().getName() = processOperation and
-    call.getArgument(processOperationArg) = arg.asIndirectExpr()
+    call.getArgument(processOperationArg) = [arg.asExpr(), arg.asIndirectExpr()]
   )
 }
 

cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql

@@ -20,7 +20,6 @@ import semmle.code.cpp.models.interfaces.Allocation
 import semmle.code.cpp.models.interfaces.ArrayFunction
 import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.RangeAnalysis
 import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticExprSpecific
-import semmle.code.cpp.security.ProductFlowUtils.ProductFlowUtils
 import semmle.code.cpp.rangeanalysis.new.RangeAnalysisUtil
 import StringSizeFlow::PathGraph1
 import codeql.util.Unit
@@ -44,28 +43,20 @@ predicate hasSize(HeuristicAllocationExpr alloc, DataFlow::Node n, int state) {
   )
 }
 
-/**
- * Holds if `c` a call to an `ArrayFunction` with buffer argument `bufSink`,
- * and a size argument `sizeInstr` which satisfies `sizeInstr <= sizeBound + delta`.
- *
- * Furthermore, the `sizeSink` node is the dataflow node corresponding to
- * `sizeBound`, and the expression `eBuf` is the expression corresponding
- * to `bufInstr`.
- */
-predicate isSinkPairImpl0(
-  CallInstruction c, DataFlow::Node bufSink, DataFlow::Node sizeSink, int delta, Expr eBuf,
-  Instruction sizeBound, Instruction sizeInstr
+predicate isSinkPairImpl(
+  CallInstruction c, DataFlow::Node bufSink, DataFlow::Node sizeSink, int delta, Expr eBuf
 ) {
-  exists(int bufIndex, int sizeIndex, Instruction bufInstr, ArrayFunction func |
+  exists(
+    int bufIndex, int sizeIndex, Instruction sizeInstr, Instruction bufInstr, ArrayFunction func
+  |
     bufInstr = bufSink.asInstruction() and
     c.getArgument(bufIndex) = bufInstr and
-    sizeBound = sizeSink.asInstruction() and
-    c.getArgument(sizeIndex) = sizeInstr and
+    sizeInstr = sizeSink.asInstruction() and
     c.getStaticCallTarget() = func and
     pragma[only_bind_into](func)
         .hasArrayWithVariableSize(pragma[only_bind_into](bufIndex),
           pragma[only_bind_into](sizeIndex)) and
-    bounded(sizeInstr, sizeBound, delta) and
+    bounded(c.getArgument(sizeIndex), sizeInstr, delta) and
     eBuf = bufInstr.getUnconvertedResultExpression()
   )
 }
@@ -95,39 +86,99 @@ module ValidState {
   private module ValidStateConfig implements DataFlow::ConfigSig {
     predicate isSource(DataFlow::Node source) { hasSize(_, source, _) }
 
-    predicate isSink(DataFlow::Node sink) { isSinkPairImpl0(_, _, sink, _, _, _, _) }
+    predicate isSink(DataFlow::Node sink) { isSinkPairImpl(_, _, sink, _, _) }
 
-    predicate isBarrierOut(DataFlow::Node node) { DataFlow::flowsToBackEdge(node) }
+    predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+      isAdditionalFlowStep2(node1, node2, _)
+    }
+
+    predicate includeHiddenNodes() { any() }
   }
 
   private import DataFlow::Global<ValidStateConfig>
 
-  predicate validState(DataFlow::Node source, DataFlow::Node sink, int value) {
-    hasSize(_, source, value) and
-    flow(source, sink)
+  private predicate inLoop(PathNode n) { n.getASuccessor+() = n }
+
+  /**
+   * Holds if `value` is a possible offset for `n`.
+   *
+   * To ensure termination, we limit `value` to be in the
+   * range `[-2, 2]` if the node is part of a loop. Without
+   * this restriction we wouldn't terminate on an example like:
+   * ```cpp
+   * while(unknown()) { size++; }
+   * ```
+   */
+  private predicate validStateImpl(PathNode n, int value) {
+    // If the dataflow node depends recursively on itself we restrict the range.
+    (inLoop(n) implies value = [-2 .. 2]) and
+    (
+      // For the dataflow source we have an allocation such as `malloc(size + k)`,
+      // and the value of the flow-state is then `k`.
+      hasSize(_, n.getNode(), value)
+      or
+      // For a dataflow sink any `value` that is strictly smaller than the delta
+      // needs to be a valid flow-state. That is, for a snippet like:
+      // ```
+      // p = b ? new char[size] : new char[size + 1];
+      // memset(p, 0, size + 2);
+      // ```
+      // the valid flow-states at the `memset` must include the set `{0, 1}` since the
+      // flow-state at `new char[size]` is `0`, and the flow-state at `new char[size + 1]`
+      // is `1`.
+      //
+      // So we find a valid flow-state at the sink's predecessor, and use the definition
+      // of our sink predicate to compute the valid flow-states at the sink.
+      exists(int delta, PathNode n0 |
+        n0.getASuccessor() = n and
+        validStateImpl(n0, value) and
+        isSinkPairImpl(_, _, n.getNode(), delta, _) and
+        delta > value
+      )
+      or
+      // For a non-source and non-sink node there is two cases to consider.
+      // 1. A node where we have to update the flow-state, or
+      // 2. A node that doesn't update the flow-state.
+      //
+      // For case 1, we compute the new flow-state by adding the constant operand of the
+      // `AddInstruction` to the flow-state of any predecessor node.
+      // For case 2 we simply propagate the valid flow-states from the predecessor node to
+      // the next one.
+      exists(PathNode n0, DataFlow::Node node0, DataFlow::Node node, int value0 |
+        n0.getASuccessor() = n and
+        validStateImpl(n0, value0) and
+        node = n.getNode() and
+        node0 = n0.getNode()
+      |
+        exists(int delta |
+          isAdditionalFlowStep2(node0, node, delta) and
+          value0 = value + delta
+        )
+        or
+        not isAdditionalFlowStep2(node0, node, _) and
+        value = value0
+      )
+    )
+  }
+
+  predicate validState(DataFlow::Node n, int value) {
+    validStateImpl(any(PathNode pn | pn.getNode() = n), value)
   }
 }
 
 import ValidState
 
-module SizeBarrierInput implements SizeBarrierInputSig {
-  int fieldFlowBranchLimit() { result = 2 }
-
-  predicate isSource(DataFlow::Node source) {
-    exists(int state |
-      hasSize(_, source, state) and
-      validState(source, _, state)
-    )
-  }
-}
-
-predicate isSinkPairImpl(
-  CallInstruction c, DataFlow::Node bufSink, DataFlow::Node sizeSink, int delta, Expr eBuf
-) {
-  exists(Instruction sizeBound, Instruction sizeInstr |
-    isSinkPairImpl0(c, bufSink, sizeSink, delta, eBuf, sizeBound, sizeInstr) and
-    not sizeBound = SizeBarrier<SizeBarrierInput>::getABarrierInstruction(delta) and
-    not sizeInstr = SizeBarrier<SizeBarrierInput>::getABarrierInstruction(delta)
+/**
+ * Holds if `node2` is a dataflow node that represents an addition of two operands `op1`
+ * and `op2` such that:
+ * 1. `node1` is the dataflow node that represents `op1`, and
+ * 2. the value of `op2` can be upper bounded by `delta.`
+ */
+predicate isAdditionalFlowStep2(DataFlow::Node node1, DataFlow::Node node2, int delta) {
+  exists(AddInstruction add, Operand op |
+    add.hasOperands(node1.asOperand(), op) and
+    semBounded(getSemanticExpr(op.getDef()), any(SemZeroBound zero), delta, true, _) and
+    node2.asInstruction() = add
   )
 }
 
@@ -147,14 +198,14 @@ module StringSizeConfig implements ProductFlow::StateConfigSig {
     // to the size of the allocation. This state is then checked in `isSinkPair`.
     exists(state1) and
     hasSize(bufSource.asExpr(), sizeSource, state2) and
-    validState(sizeSource, _, state2)
+    validState(sizeSource, state2)
   }
 
   predicate isSinkPair(
     DataFlow::Node bufSink, FlowState1 state1, DataFlow::Node sizeSink, FlowState2 state2
   ) {
     exists(state1) and
-    validState(_, sizeSink, state2) and
+    validState(sizeSink, state2) and
     exists(int delta |
       isSinkPairImpl(_, bufSink, sizeSink, delta, _) and
       delta > state2
@@ -163,8 +214,14 @@ module StringSizeConfig implements ProductFlow::StateConfigSig {
 
   predicate isBarrierOut2(DataFlow::Node node) { DataFlow::flowsToBackEdge(node) }
 
-  predicate isBarrier2(DataFlow::Node node, FlowState2 state) {
-    node = SizeBarrier<SizeBarrierInput>::getABarrierNode(state)
+  predicate isAdditionalFlowStep2(
+    DataFlow::Node node1, FlowState2 state1, DataFlow::Node node2, FlowState2 state2
+  ) {
+    validState(node2, state2) and
+    exists(int delta |
+      isAdditionalFlowStep2(node1, node2, delta) and
+      state1 = state2 + delta
+    )
   }
 }
 

cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql

@@ -124,12 +124,6 @@ module Config implements DataFlow::ConfigSig {
     // Block flow if the node is guarded by any <, <= or = operations.
     node = DataFlow::BarrierGuard<lessThanOrEqual/3>::getABarrierNode()
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSinkLocation(DataFlow::Node sink) {
-    exists(BufferWrite bw | result = bw.getLocation() | isSink(sink, bw, _))
-  }
 }
 
 module Flow = TaintTracking::Global<Config>;