Bump actions/setup-dotnet from 4 to 5

Bumps [actions/setup-dotnet](https://github.com/actions/setup-dotnet) from 4 to 5. - [Release notes](https://github.com/actions/setup-dotnet/releases) - [Commits](https://github.com/actions/setup-dotnet/compare/v4...v5) --- updated-dependencies: - dependency-name: actions/setup-dotnet dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Merge pull request #20352 from michaelnebel/csharp/dotnet908
2026-05-18 05:07:06 +02:00 · 2025-09-10 10:11:18 +00:00 · 2025-09-10 12:09:35 +02:00 · 2025-09-10 11:21:34 +02:00 · 2025-09-10 11:21:19 +02:00 · 2025-09-10 10:42:59 +02:00
542 changed files with 29227 additions and 16439 deletions
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -32,9 +32,9 @@ jobs:

    steps:
    - name: Setup dotnet
-      uses: actions/setup-dotnet@v4
+      uses: actions/setup-dotnet@v5
      with:
-        dotnet-version: 9.0.100
+        dotnet-version: 9.0.300

    - name: Checkout repository
      uses: actions/checkout@v5
--- a/.github/workflows/csharp-qltest.yml
+++ b/.github/workflows/csharp-qltest.yml
@@ -41,16 +41,16 @@ jobs:
    steps:
      - uses: actions/checkout@v5
      - name: Setup dotnet
-        uses: actions/setup-dotnet@v4
+        uses: actions/setup-dotnet@v5
        with:
-          dotnet-version: 9.0.100
+          dotnet-version: 9.0.300
      - name: Extractor unit tests
        run: |
          dotnet tool restore
-          dotnet test -p:RuntimeFrameworkVersion=9.0.0 extractor/Semmle.Util.Tests
-          dotnet test -p:RuntimeFrameworkVersion=9.0.0 extractor/Semmle.Extraction.Tests
-          dotnet test -p:RuntimeFrameworkVersion=9.0.0 autobuilder/Semmle.Autobuild.CSharp.Tests
-          dotnet test -p:RuntimeFrameworkVersion=9.0.0 autobuilder/Semmle.Autobuild.Cpp.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.5 extractor/Semmle.Util.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.5 extractor/Semmle.Extraction.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.5 autobuilder/Semmle.Autobuild.CSharp.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.5 autobuilder/Semmle.Autobuild.Cpp.Tests
        shell: bash
  stubgentest:
    runs-on: ubuntu-latest
--- a/.github/workflows/query-list.yml
+++ b/.github/workflows/query-list.yml
@@ -31,7 +31,7 @@ jobs:
      with:
        python-version: 3.8
    - name: Download CodeQL CLI
-      # Look under the `codeql` directory, as this is where we checked out the `github/codeql` repo
+      # Look under the `codeql` directory, as this is where we checked out the `github/codeql` repo
      uses: ./codeql/.github/actions/fetch-codeql
    - name: Build code scanning query list
      run: |
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -26,7 +26,7 @@ bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "10.0.0")
 bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.1")
 bazel_dep(name = "gazelle", version = "0.40.0")
-bazel_dep(name = "rules_dotnet", version = "0.17.4")
+bazel_dep(name = "rules_dotnet", version = "0.19.2-codeql.1")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
 bazel_dep(name = "rules_rust", version = "0.63.0")
 bazel_dep(name = "zstd", version = "1.5.5.bcr.1")
@@ -172,7 +172,7 @@ http_archive(
 )

 dotnet = use_extension("@rules_dotnet//dotnet:extensions.bzl", "dotnet")
-dotnet.toolchain(dotnet_version = "9.0.100")
+dotnet.toolchain(dotnet_version = "9.0.300")
 use_repo(dotnet, "dotnet_toolchains")

 register_toolchains("@dotnet_toolchains//:all")
--- a/actions/extractor/codeql-extractor.yml
+++ b/actions/extractor/codeql-extractor.yml
@@ -1,5 +1,4 @@
 name: "actions"
-aliases: []
 display_name: "GitHub Actions"
 version: 0.0.1
 column_kind: "utf16"
@@ -8,9 +7,11 @@ build_modes:
  - none
 default_queries:
  - codeql/actions-queries
-file_coverage_languages: []
+# Actions workflows are not reported separately by the GitHub API, so we can't
+# associate them with a specific language.
 github_api_languages: []
-scc_languages: []
+scc_languages:
+  - YAML
 file_types:
  - name: workflow
    display_name: GitHub Actions workflow files
--- a/actions/extractor/tools/baseline-config.json
+++ b/actions/extractor/tools/baseline-config.json
@@ -0,0 +1,10 @@
+{
+    "paths": [
+        ".github/workflows/*.yml",
+        ".github/workflows/*.yaml",
+        ".github/reusable_workflows/**/*.yml",
+        ".github/reusable_workflows/**/*.yaml",
+        "**/action.yml",
+        "**/action.yaml"
+    ]
+}
--- a/actions/extractor/tools/configure-baseline.cmd
+++ b/actions/extractor/tools/configure-baseline.cmd
@@ -0,0 +1,2 @@
+@echo off
+type "%CODEQL_EXTRACTOR_ACTIONS_ROOT%\tools\baseline-config.json"
--- a/actions/extractor/tools/configure-baseline.sh
+++ b/actions/extractor/tools/configure-baseline.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+cat "$CODEQL_EXTRACTOR_ACTIONS_ROOT/tools/baseline-config.json"
--- a/actions/ql/integration-tests/query-suite/actions-code-scanning.qls.expected
+++ b/actions/ql/integration-tests/query-suite/actions-code-scanning.qls.expected
@@ -1,3 +1,4 @@
+ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
--- a/actions/ql/integration-tests/query-suite/actions-security-and-quality.qls.expected
+++ b/actions/ql/integration-tests/query-suite/actions-security-and-quality.qls.expected
@@ -1,4 +1,5 @@
 ql/actions/ql/src/Debug/SyntaxError.ql
+ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
 ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
--- a/actions/ql/integration-tests/query-suite/actions-security-extended.qls.expected
+++ b/actions/ql/integration-tests/query-suite/actions-security-extended.qls.expected
@@ -1,3 +1,4 @@
+ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
 ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
--- a/actions/ql/lib/codeql/Locations.qll
+++ b/actions/ql/lib/codeql/Locations.qll
@@ -70,8 +70,8 @@ class Location extends TLocation, TBaseLocation {

  /**
   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
+   * The location spans column `sc` of line `sl` to
+   * column `ec` of line `el` in file `p`.
   * For more information, see
   * [Providing locations in CodeQL queries](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
   */
--- a/actions/ql/lib/codeql/actions/Ast.qll
+++ b/actions/ql/lib/codeql/actions/Ast.qll
@@ -261,7 +261,7 @@ class If extends AstNode instanceof IfImpl {
 }

 /**
- * An Environemnt node representing a deployment environment.
+ * An Environment node representing a deployment environment.
 */
 class Environment extends AstNode instanceof EnvironmentImpl {
  string getName() { result = super.getName() }
--- a/actions/ql/lib/codeql/actions/ast/internal/Ast.qll
+++ b/actions/ql/lib/codeql/actions/ast/internal/Ast.qll
@@ -125,12 +125,11 @@ abstract class AstNodeImpl extends TAstNode {
   * Gets the enclosing Step.
   */
  StepImpl getEnclosingStep() {
-    if this instanceof StepImpl
-    then result = this
-    else
-      if this instanceof ScalarValueImpl
-      then result.getAChildNode*() = this.getParentNode()
-      else none()
+    this instanceof StepImpl and
+    result = this
+    or
+    this instanceof ScalarValueImpl and
+    result.getAChildNode*() = this.getParentNode()
  }

  /**
@@ -1416,9 +1415,8 @@ class ExternalJobImpl extends JobImpl, UsesImpl {
  override string getVersion() {
    exists(YamlString name |
      n.lookup("uses") = name and
-      if not name.getValue().matches("\\.%")
-      then result = name.getValue().regexpCapture(repoUsesParser(), 4)
-      else none()
+      not name.getValue().matches("\\.%") and
+      result = name.getValue().regexpCapture(repoUsesParser(), 4)
    )
  }
 }
--- a/actions/ql/lib/codeql/actions/controlflow/BasicBlocks.qll
+++ b/actions/ql/lib/codeql/actions/controlflow/BasicBlocks.qll
@@ -286,7 +286,7 @@ private module Cached {
  /**
   * Holds if `cfn` is the `i`th node in basic block `bb`.
   *
-   * In other words, `i` is the shortest distance from a node `bb`
+   * In other words, `i` is the shortest distance from a node `bbStart`
   * that starts a basic block to `cfn` along the `intraBBSucc` relation.
   */
  cached
--- a/actions/ql/lib/codeql/actions/controlflow/internal/Cfg.qll
+++ b/actions/ql/lib/codeql/actions/controlflow/internal/Cfg.qll
@@ -3,6 +3,8 @@ private import codeql.controlflow.Cfg as CfgShared
 private import codeql.Locations

 module Completion {
+  import codeql.controlflow.SuccessorType
+
  private newtype TCompletion =
    TSimpleCompletion() or
    TBooleanCompletion(boolean b) { b in [false, true] } or
@@ -25,7 +27,7 @@ module Completion {

    override predicate isValidFor(AstNode e) { not any(Completion c).isValidForSpecific(e) }

-    override NormalSuccessor getAMatchingSuccessorType() { any() }
+    override DirectSuccessor getAMatchingSuccessorType() { any() }
  }

  class BooleanCompletion extends NormalCompletion, TBooleanCompletion {
@@ -49,34 +51,6 @@ module Completion {

    override ReturnSuccessor getAMatchingSuccessorType() { any() }
  }
-
-  cached
-  private newtype TSuccessorType =
-    TNormalSuccessor() or
-    TBooleanSuccessor(boolean b) { b in [false, true] } or
-    TReturnSuccessor()
-
-  class SuccessorType extends TSuccessorType {
-    string toString() { none() }
-  }
-
-  class NormalSuccessor extends SuccessorType, TNormalSuccessor {
-    override string toString() { result = "successor" }
-  }
-
-  class BooleanSuccessor extends SuccessorType, TBooleanSuccessor {
-    boolean value;
-
-    BooleanSuccessor() { this = TBooleanSuccessor(value) }
-
-    override string toString() { result = value.toString() }
-
-    boolean getValue() { result = value }
-  }
-
-  class ReturnSuccessor extends SuccessorType, TReturnSuccessor {
-    override string toString() { result = "return" }
-  }
 }

 module CfgScope {
@@ -127,14 +101,8 @@ private module Implementation implements CfgShared::InputSig<Location> {
    last(scope.(CompositeAction), e, c)
  }

-  predicate successorTypeIsSimple(SuccessorType t) { t instanceof NormalSuccessor }
-
-  predicate successorTypeIsCondition(SuccessorType t) { t instanceof BooleanSuccessor }
-
  SuccessorType getAMatchingSuccessorType(Completion c) { result = c.getAMatchingSuccessorType() }

-  predicate isAbnormalExitType(SuccessorType t) { none() }
-
  int idOfAstNode(AstNode node) { none() }

  int idOfCfgScope(CfgScope scope) { none() }
--- a/actions/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
+++ b/actions/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
@@ -63,10 +63,10 @@ predicate madSource(DataFlow::Node source, string kind, string fieldName) {
    (
      if fieldName.trim().matches("env.%")
      then source.asExpr() = uses.getInScopeEnvVarExpr(fieldName.trim().replaceAll("env.", ""))
-      else
-        if fieldName.trim().matches("output.%")
-        then source.asExpr() = uses
-        else none()
+      else (
+        fieldName.trim().matches("output.%") and
+        source.asExpr() = uses
+      )
    )
  )
 }
--- a/actions/ql/lib/codeql/actions/dataflow/FlowSources.qll
+++ b/actions/ql/lib/codeql/actions/dataflow/FlowSources.qll
@@ -31,14 +31,14 @@ abstract class RemoteFlowSource extends SourceNode {
 class GitHubCtxSource extends RemoteFlowSource {
  string flag;
  string event;
-  GitHubExpression e;

  GitHubCtxSource() {
-    this.asExpr() = e and
-    // github.head_ref
-    e.getFieldName() = "head_ref" and
-    flag = "branch" and
-    (
+    exists(GitHubExpression e |
+      this.asExpr() = e and
+      // github.head_ref
+      e.getFieldName() = "head_ref" and
+      flag = "branch"
+    |
      event = e.getATriggerEvent().getName() and
      event = "pull_request_target"
      or
@@ -148,7 +148,6 @@ class GhCLICommandSource extends RemoteFlowSource, CommandSource {
 class GitHubEventPathSource extends RemoteFlowSource, CommandSource {
  string cmd;
  string flag;
-  string access_path;
  Run run;

  // Examples
@@ -163,7 +162,7 @@ class GitHubEventPathSource extends RemoteFlowSource, CommandSource {
    run.getScript().getACommand() = cmd and
    cmd.matches("jq%") and
    cmd.matches("%GITHUB_EVENT_PATH%") and
-    exists(string regexp |
+    exists(string regexp, string access_path |
      untrustedEventPropertiesDataModel(regexp, flag) and
      not flag = "json" and
      access_path = "github.event" + cmd.regexpCapture(".*\\s+([^\\s]+)\\s+.*", 1) and
--- a/actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll
@@ -19,7 +19,6 @@ abstract class ArgumentInjectionSink extends DataFlow::Node {
 */
 class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
  string command;
-  string argument;

  ArgumentInjectionFromEnvVarSink() {
    exists(Run run, string var |
@@ -28,7 +27,7 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
        exists(run.getInScopeEnvVarExpr(var)) or
        var = "GITHUB_HEAD_REF"
      ) and
-      run.getScript().getAnEnvReachingArgumentInjectionSink(var, command, argument)
+      run.getScript().getAnEnvReachingArgumentInjectionSink(var, command, _)
    )
  }

@@ -44,13 +43,12 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
 */
 class ArgumentInjectionFromCommandSink extends ArgumentInjectionSink {
  string command;
-  string argument;

  ArgumentInjectionFromCommandSink() {
    exists(CommandSource source, Run run |
      run = source.getEnclosingRun() and
      this.asExpr() = run.getScript() and
-      run.getScript().getACmdReachingArgumentInjectionSink(source.getCommand(), command, argument)
+      run.getScript().getACmdReachingArgumentInjectionSink(source.getCommand(), command, _)
    )
  }

--- a/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
@@ -125,8 +125,6 @@ class LegitLabsDownloadArtifactActionStep extends UntrustedArtifactDownloadStep,
 }

 class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, UsesStep {
-  string script;
-
  ActionsGitHubScriptDownloadStep() {
    // eg:
    // - uses: actions/github-script@v6
@@ -149,12 +147,14 @@ class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, Use
    //      var fs = require('fs');
    //      fs.writeFileSync('${{github.workspace}}/test-results.zip', Buffer.from(download.data));
    this.getCallee() = "actions/github-script" and
-    this.getArgument("script") = script and
-    script.matches("%listWorkflowRunArtifacts(%") and
-    script.matches("%downloadArtifact(%") and
-    script.matches("%writeFileSync(%") and
-    // Filter out artifacts that were created by pull-request.
-    not script.matches("%exclude_pull_requests: true%")
+    exists(string script |
+      this.getArgument("script") = script and
+      script.matches("%listWorkflowRunArtifacts(%") and
+      script.matches("%downloadArtifact(%") and
+      script.matches("%writeFileSync(%") and
+      // Filter out artifacts that were created by pull-request.
+      not script.matches("%exclude_pull_requests: true%")
+    )
  }

  override string getPath() {
@@ -171,10 +171,10 @@ class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, Use
                .getScript()
                .getACommand()
                .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3)))
-    else
-      if this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp())
-      then result = "GITHUB_WORKSPACE/"
-      else none()
+    else (
+      this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp()) and
+      result = "GITHUB_WORKSPACE/"
+    )
  }
 }

@@ -207,12 +207,13 @@ class GHRunArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {
                .getScript()
                .getACommand()
                .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3)))
-    else
-      if
+    else (
+      (
        this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp()) or
        this.getScript().getACommand().regexpMatch(unzipRegexp())
-      then result = "GITHUB_WORKSPACE/"
-      else none()
+      ) and
+      result = "GITHUB_WORKSPACE/"
+    )
  }
 }

@@ -259,15 +260,15 @@ class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {

 class ArtifactPoisoningSink extends DataFlow::Node {
  UntrustedArtifactDownloadStep download;
-  PoisonableStep poisonable;

  ArtifactPoisoningSink() {
-    download.getAFollowingStep() = poisonable and
-    // excluding artifacts downloaded to the temporary directory
-    not download.getPath().regexpMatch("^/tmp.*") and
-    not download.getPath().regexpMatch("^\\$\\{\\{\\s*runner\\.temp\\s*}}.*") and
-    not download.getPath().regexpMatch("^\\$RUNNER_TEMP.*") and
-    (
+    exists(PoisonableStep poisonable |
+      download.getAFollowingStep() = poisonable and
+      // excluding artifacts downloaded to the temporary directory
+      not download.getPath().regexpMatch("^/tmp.*") and
+      not download.getPath().regexpMatch("^\\$\\{\\{\\s*runner\\.temp\\s*}}.*") and
+      not download.getPath().regexpMatch("^\\$RUNNER_TEMP.*")
+    |
      poisonable.(Run).getScript() = this.asExpr() and
      (
        // Check if the poisonable step is a local script execution step
--- a/actions/ql/lib/codeql/actions/security/ControlChecks.qll
+++ b/actions/ql/lib/codeql/actions/security/ControlChecks.qll
@@ -159,11 +159,8 @@ abstract class CommentVsHeadDateCheck extends ControlCheck {

 /* Specific implementations of control checks */
 class LabelIfCheck extends LabelCheck instanceof If {
-  string condition;
-
  LabelIfCheck() {
-    condition = normalizeExpr(this.getCondition()) and
-    (
+    exists(string condition | condition = normalizeExpr(this.getCondition()) |
      // eg: contains(github.event.pull_request.labels.*.name, 'safe to test')
      condition.regexpMatch(".*(^|[^!])contains\\(\\s*github\\.event\\.pull_request\\.labels\\b.*")
      or
--- a/actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
@@ -55,12 +55,8 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink {
 *          echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV
 */
 class EnvVarInjectionFromCommandSink extends EnvVarInjectionSink {
-  CommandSource inCommand;
-  string injectedVar;
-  string command;
-
  EnvVarInjectionFromCommandSink() {
-    exists(Run run |
+    exists(Run run, CommandSource inCommand, string injectedVar, string command |
      this.asExpr() = inCommand.getEnclosingRun().getScript() and
      run = inCommand.getEnclosingRun() and
      run.getScript().getACmdReachingGitHubEnvWrite(inCommand.getCommand(), injectedVar) and
@@ -86,12 +82,8 @@ class EnvVarInjectionFromCommandSink extends EnvVarInjectionSink {
 *      echo "FOO=$BODY" >> $GITHUB_ENV
 */
 class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink {
-  string inVar;
-  string injectedVar;
-  string command;
-
  EnvVarInjectionFromEnvVarSink() {
-    exists(Run run |
+    exists(Run run, string inVar, string injectedVar, string command |
      run.getScript() = this.asExpr() and
      exists(run.getInScopeEnvVarExpr(inVar)) and
      run.getScript().getAnEnvReachingGitHubEnvWrite(inVar, injectedVar) and
--- a/actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
@@ -99,18 +99,14 @@ class OutputClobberingFromEnvVarSink extends OutputClobberingSink {
 *          echo $BODY
 */
 class WorkflowCommandClobberingFromEnvVarSink extends OutputClobberingSink {
-  string clobbering_var;
-  string clobbered_value;
-
  WorkflowCommandClobberingFromEnvVarSink() {
-    exists(Run run, string workflow_cmd_stmt, string clobbering_stmt |
+    exists(Run run, string workflow_cmd_stmt, string clobbering_stmt, string clobbering_var |
      run.getScript() = this.asExpr() and
      run.getScript().getAStmt() = clobbering_stmt and
      clobbering_stmt.regexpMatch("echo\\s+(-e\\s+)?(\"|')?\\$(\\{)?" + clobbering_var + ".*") and
      exists(run.getInScopeEnvVarExpr(clobbering_var)) and
      run.getScript().getAStmt() = workflow_cmd_stmt and
-      clobbered_value =
-        trimQuotes(workflow_cmd_stmt.regexpCapture(".*::set-output\\s+name=.*::(.*)", 1))
+      exists(trimQuotes(workflow_cmd_stmt.regexpCapture(".*::set-output\\s+name=.*::(.*)", 1)))
    )
  }
 }
--- a/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll
+++ b/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll
@@ -1,10 +1,8 @@
 import actions

 class UnversionedImmutableAction extends UsesStep {
-  string immutable_action;
-
  UnversionedImmutableAction() {
-    isImmutableAction(this, immutable_action) and
+    isImmutableAction(this, _) and
    not isSemVer(this.getVersion())
  }
 }
--- a/actions/ql/lib/qlpack.yml
+++ b/actions/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.16
+version: 0.4.17-dev
 library: true
 warnOnImplicitThis: true
 dependencies:
--- a/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
+++ b/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
@@ -0,0 +1,13 @@
+/**
+ * @id actions/diagnostics/successfully-extracted-files
+ * @name Extracted files
+ * @description List all files that were extracted.
+ * @kind diagnostic
+ * @tags successfully-extracted-files
+ */
+
+private import codeql.Locations
+
+from File f
+where exists(f.getRelativePath())
+select f, ""
--- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md
@@ -32,7 +32,7 @@ jobs:

      - uses: actions/setup-node@v1
      - run: |
-          npm install # scripts in package.json from PR would be executed here
+          npm install # scripts in package.json from PR would be executed here
          npm build

      - uses: completely/fakeaction@v2
--- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md
@@ -32,7 +32,7 @@ jobs:

      - uses: actions/setup-node@v1
      - run: |
-          npm install # scripts in package.json from PR would be executed here
+          npm install # scripts in package.json from PR would be executed here
          npm build

      - uses: completely/fakeaction@v2
--- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md
@@ -32,7 +32,7 @@ jobs:

      - uses: actions/setup-node@v1
      - run: |
-          npm install # scripts in package.json from PR would be executed here
+          npm install # scripts in package.json from PR would be executed here
          npm build

      - uses: completely/fakeaction@v2
--- a/actions/ql/src/change-notes/2025-09-05-file-coverage.md
+++ b/actions/ql/src/change-notes/2025-09-05-file-coverage.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Actions analysis now reports file coverage information on the CodeQL status page.
--- a/actions/ql/src/experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
+++ b/actions/ql/src/experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
@@ -37,8 +37,6 @@ where
    )
    or
    // upload artifact is not used in the same workflow
-    not exists(UsesStep upload |
-      download.getEnclosingWorkflow().getAJob().(LocalJob).getAStep() = upload
-    )
+    not download.getEnclosingWorkflow().getAJob().(LocalJob).getAStep() instanceof UsesStep
  )
 select download, "Potential artifact poisoning"
--- a/actions/ql/src/qlpack.yml
+++ b/actions/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.8
+version: 0.6.9-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]
--- a/cpp/ql/lib/Options.qll
+++ b/cpp/ql/lib/Options.qll
@@ -35,7 +35,7 @@ class CustomOptions extends Options {
  override predicate returnsNull(Call call) { Options.super.returnsNull(call) }

  /**
-   * Holds if a call to this function will never return.
+   * Holds if a call to the function `f` will never return.
   *
   * By default, this holds for `exit`, `_exit`, `abort`, `__assert_fail`,
   * `longjmp`, `error`, `__builtin_unreachable` and any function with a
--- a/cpp/ql/lib/change-notes/2025-09-02-vla.md
+++ b/cpp/ql/lib/change-notes/2025-09-02-vla.md
@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added predicates `getTransitiveNumberOfVlaDimensionStmts`, `getTransitiveVlaDimensionStmt`, and `getParentVlaDecl` to `VlaDeclStmt` for handling `VlaDeclStmt`s whose base type defined in terms of an other `VlaDeclStmt` via a `typedef`.
--- a/cpp/ql/lib/change-notes/2025-09-03-rename-api.md
+++ b/cpp/ql/lib/change-notes/2025-09-03-rename-api.md
@@ -0,0 +1,4 @@
+---
+category: deprecated
+---
+* The predicate `getAContructorCall` in the class `SslContextClass` has been deprecated. Use `getAConstructorCall` instead.
--- a/cpp/ql/lib/experimental/cryptography/CryptoArtifact.qll
+++ b/cpp/ql/lib/experimental/cryptography/CryptoArtifact.qll
@@ -127,7 +127,7 @@ abstract class CryptographicAlgorithm extends CryptographicArtifact {
  /**
   * Normalizes a raw name into a normalized name as found in `CryptoAlgorithmNames.qll`.
   * Subclassess should override for more api-specific normalization.
-   * By deafult, converts a raw name to upper-case with no hyphen, underscore, hash, or space.
+   * By default, converts a raw name to upper-case with no hyphen, underscore, hash, or space.
   */
  bindingset[s]
  string normalizeName(string s) {
--- a/cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll
+++ b/cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll
@@ -652,14 +652,14 @@ module KeyGeneration {
   * Trace from EVP_PKEY_CTX* at algorithm sink to keygen,
   * users can then extrapolatae the matching algorithm from the alg sink to the keygen
   */
-  module EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize implements DataFlow::ConfigSig {
+  module EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSizeConfig implements DataFlow::ConfigSig {
    predicate isSource(DataFlow::Node source) { isEVP_PKEY_CTX_Source(source, _) }

    predicate isSink(DataFlow::Node sink) { isKeyGen_EVP_PKEY_CTX_Sink(sink, _) }
  }

  module EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize_Flow =
-    DataFlow::Global<EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize>;
+    DataFlow::Global<EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSizeConfig>;

  /**
   * UNKNOWN key sizes to general purpose key generation functions (i.e., that take in no key size and assume
--- a/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/CryptoFunction.qll
+++ b/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/CryptoFunction.qll
@@ -59,7 +59,7 @@ private string privateNormalizeFunctionName(Function f, string algType) {
 *
 * The predicate attempts to restrict normalization to what looks like an openssl
 * library by looking for functions only in an openssl path (see `isPossibleOpenSSLFunction`).
- * This may give false postive functions if a directory erronously appears to be openssl;
+ * This may give false positive functions if a directory erronously appears to be openssl;
 * however, we take the stance that if a function
 * exists strongly mapping to a known function name in a directory such as these,
 * regardless of whether its actually a part of openSSL or not, we will analyze it as though it were.
--- a/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/DataBuilders.qll
+++ b/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/DataBuilders.qll
@@ -49,7 +49,7 @@ private string privateNormalizeFunctionName(Function f, string algType) {
 *
 * The predicate attempts to restrict normalization to what looks like an openssl
 * library by looking for functions only in an openssl path (see `isPossibleOpenSSLFunction`).
- * This may give false postive functions if a directory erronously appears to be openssl;
+ * This may give false positive functions if a directory erronously appears to be openssl;
 * however, we take the stance that if a function
 * exists strongly mapping to a known function name in a directory such as these,
 * regardless of whether its actually a part of openSSL or not, we will analyze it as though it were.
--- a/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/PassthroughFunction.qll
+++ b/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/PassthroughFunction.qll
@@ -31,7 +31,7 @@ predicate knownPassthroughFunction(Function f, int inInd, int outInd) {

 /**
 * `c` is a call to a function that preserves the algorithm but changes its form.
- * `onExpr` is the input argument passing through to, `outExpr` is the next expression in a dataflow step associated with `c`
+ * `inExpr` is the input argument passing through to, `outExpr` is the next expression in a dataflow step associated with `c`
 */
 predicate knownPassthoughCall(Call c, Expr inExpr, Expr outExpr) {
  exists(int inInd, int outInd |
--- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/RangeAnalysis.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/RangeAnalysis.qll
@@ -298,10 +298,11 @@ private predicate boundFlowStep(Instruction i, NonPhiOperand op, int delta, bool
      else
        if strictlyNegative(x)
        then upper = true and delta = -1
-        else
-          if negative(x)
-          then upper = true and delta = 0
-          else none()
+        else (
+          negative(x) and
+          upper = true and
+          delta = 0
+        )
  )
  or
  exists(Operand x |
@@ -321,10 +322,11 @@ private predicate boundFlowStep(Instruction i, NonPhiOperand op, int delta, bool
      else
        if strictlyNegative(x)
        then upper = false and delta = 1
-        else
-          if negative(x)
-          then upper = false and delta = 0
-          else none()
+        else (
+          negative(x) and
+          upper = false and
+          delta = 0
+        )
  )
  or
  i.(RemInstruction).getRightOperand() = op and positive(op) and delta = -1 and upper = true
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 5.5.0
+version: 5.5.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/lib/semmle/code/cpp/Concept.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Concept.qll
@@ -198,7 +198,7 @@ class ConceptIdExpr extends Expr, @concept_id {
  final Locatable getATemplateArgumentKind() { result = this.getTemplateArgumentKind(_) }

  /**
-   * Gets the `i`th template argument passed to the concept.
+   * Gets template argument at index `index` passed to the concept, if any.
   *
   * For example, if:
   * ```cpp
@@ -219,7 +219,7 @@ class ConceptIdExpr extends Expr, @concept_id {
  }

  /**
-   * Gets the kind of the `i`th template argument value passed to the concept.
+   * Gets the kind of the template argument value at index `index` passed to the concept, if any.
   *
   * For example, if:
   * ```cpp
--- a/cpp/ql/lib/semmle/code/cpp/Declaration.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Declaration.qll
@@ -223,8 +223,8 @@ class Declaration extends Locatable, @declaration {
  final Locatable getATemplateArgumentKind() { result = this.getTemplateArgumentKind(_) }

  /**
-   * Gets the `i`th template argument used to instantiate this declaration from a
-   * template.
+   * Gets the template argument at index `index` used to instantiate this declaration from a
+   * template, if any.
   *
   * For example:
   *
@@ -245,9 +245,9 @@ class Declaration extends Locatable, @declaration {
  }

  /**
-   * Gets the `i`th template argument value used to instantiate this declaration
-   * from a template. When called on a template, this will return the `i`th template
-   * parameter value if it exists.
+   * Gets the template argument value at index `index` used to instantiate this declaration
+   * from a template. When called on a template, this will return the template
+   * parameter value at index `index` if it exists.
   *
   * For example:
   *
--- a/cpp/ql/lib/semmle/code/cpp/commons/Printf.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Printf.qll
@@ -877,7 +877,7 @@ class FormatLiteral extends Literal instanceof StringLiteral {
  }

  /**
-   * Gets the char type required by the nth conversion specifier.
+   * Gets the char type required by the `n`th conversion specifier.
   *  - in the base case this is the default for the formatting function
   *    (e.g. `char` for `printf`, `char` or `wchar_t` for `wprintf`).
   *  - the `%C` format character reverses wideness.
@@ -922,7 +922,7 @@ class FormatLiteral extends Literal instanceof StringLiteral {
  }

  /**
-   * Gets the string type required by the nth conversion specifier.
+   * Gets the string type required by the `n`th conversion specifier.
   *  - in the base case this is the default for the formatting function
   *    (e.g. `char *` for `printf`, `char *` or `wchar_t *` for `wprintf`).
   *  - the `%S` format character reverses wideness on some platforms.
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/Dominance.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/Dominance.qll
@@ -101,7 +101,7 @@ predicate postDominates(ControlFlowNode postDominator, ControlFlowNode node) {
 */

 /**
- * Holds if `dominator` is an immediate dominator of `node` in the control-flow
+ * Holds if `dom` is an immediate dominator of `node` in the control-flow
 * graph of basic blocks.
 */
 predicate bbIDominates(BasicBlock dom, BasicBlock node) =
@@ -117,7 +117,7 @@ private predicate bb_predecessor(BasicBlock succ, BasicBlock pred) { bb_successo
 private predicate bb_exit(ExitBasicBlock exit) { any() }

 /**
- * Holds if `postDominator` is an immediate post-dominator of `node` in the control-flow
+ * Holds if `pDom` is an immediate post-dominator of `node` in the control-flow
 * graph of basic blocks.
 */
 predicate bbIPostDominates(BasicBlock pDom, BasicBlock node) =
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll
@@ -72,6 +72,20 @@ abstract private class GuardConditionImpl extends Expr {
   */
  abstract predicate valueControls(BasicBlock controlled, AbstractValue v);

+  /**
+   * Holds if the control-flow edge `(pred, succ)` may be taken only if
+   * the value of this condition is `v`.
+   */
+  abstract predicate valueControlsEdge(BasicBlock pred, BasicBlock succ, AbstractValue v);
+
+  /**
+   * Holds if  the control-flow edge `(pred, succ)` may be taken only if
+   * this the value of this condition is `testIsTrue`.
+   */
+  final predicate controlsEdge(BasicBlock pred, BasicBlock succ, boolean testIsTrue) {
+    this.valueControlsEdge(pred, succ, any(BooleanValue bv | bv.getValue() = testIsTrue))
+  }
+
  /**
   * Holds if this condition controls `controlled`, meaning that `controlled` is only
   * entered if the value of this condition is `testIsTrue`.
@@ -175,6 +189,58 @@ abstract private class GuardConditionImpl extends Expr {
   */
  pragma[inline]
  abstract predicate ensuresEq(Expr e, int k, BasicBlock block, boolean areEqual);
+
+  /**
+   * Holds if (determined by this guard) `left == right + k` must be `areEqual` on the edge from
+   * `pred` to `succ`. If `areEqual = false` then this implies `left != right + k`.
+   */
+  pragma[inline]
+  final predicate ensuresEqEdge(
+    Expr left, Expr right, int k, BasicBlock pred, BasicBlock succ, boolean areEqual
+  ) {
+    exists(boolean testIsTrue |
+      this.comparesEq(left, right, k, areEqual, testIsTrue) and
+      this.controlsEdge(pred, succ, testIsTrue)
+    )
+  }
+
+  /**
+   * Holds if (determined by this guard) `e == k` must be `areEqual` on the edge from
+   * `pred` to `succ`. If `areEqual = false` then this implies `e != k`.
+   */
+  pragma[inline]
+  final predicate ensuresEqEdge(Expr e, int k, BasicBlock pred, BasicBlock succ, boolean areEqual) {
+    exists(AbstractValue v |
+      this.comparesEq(e, k, areEqual, v) and
+      this.valueControlsEdge(pred, succ, v)
+    )
+  }
+
+  /**
+   * Holds if (determined by this guard) `left < right + k` must be `isLessThan` on the edge from
+   * `pred` to `succ`. If `isLessThan = false` then this implies `left >= right + k`.
+   */
+  pragma[inline]
+  final predicate ensuresLtEdge(
+    Expr left, Expr right, int k, BasicBlock pred, BasicBlock succ, boolean isLessThan
+  ) {
+    exists(boolean testIsTrue |
+      this.comparesLt(left, right, k, isLessThan, testIsTrue) and
+      this.controlsEdge(pred, succ, testIsTrue)
+    )
+  }
+
+  /**
+   * Holds if (determined by this guard) `e < k` must be `isLessThan` on the edge from
+   * `pred` to `succ`. If `isLessThan = false` then this implies `e >= k`.
+   */
+  pragma[inline]
+  final predicate ensuresLtEdge(Expr e, int k, BasicBlock pred, BasicBlock succ, boolean isLessThan) {
+    exists(AbstractValue v |
+      this.comparesLt(e, k, isLessThan, v) and
+      this.valueControlsEdge(pred, succ, v)
+    )
+  }
 }

 final class GuardCondition = GuardConditionImpl;
@@ -187,6 +253,16 @@ private class GuardConditionFromBinaryLogicalOperator extends GuardConditionImpl
    this.(BinaryLogicalOperation).getAnOperand() instanceof GuardCondition
  }

+  override predicate valueControlsEdge(BasicBlock pred, BasicBlock succ, AbstractValue v) {
+    exists(BinaryLogicalOperation binop, GuardCondition lhs, GuardCondition rhs |
+      this = binop and
+      lhs = binop.getLeftOperand() and
+      rhs = binop.getRightOperand() and
+      lhs.valueControlsEdge(pred, succ, v) and
+      rhs.valueControlsEdge(pred, succ, v)
+    )
+  }
+
  override predicate valueControls(BasicBlock controlled, AbstractValue v) {
    exists(BinaryLogicalOperation binop, GuardCondition lhs, GuardCondition rhs |
      this = binop and
@@ -274,6 +350,25 @@ private predicate controlsBlock(IRGuardCondition ir, BasicBlock controlled, Abst
  )
 }

+/**
+ * Holds if `ir` controls the `(pred, succ)` edge, meaning that the edge
+ * `(pred, succ)` is only taken if the value of this condition is `v`. This
+ * helper predicate does not necessarily hold for binary logical operations
+ * like `&&` and `||`.
+ * See the detailed explanation on predicate `controlsEdge`.
+ */
+private predicate controlsEdge(
+  IRGuardCondition ir, BasicBlock pred, BasicBlock succ, AbstractValue v
+) {
+  exists(IRBlock irPred, IRBlock irSucc |
+    ir.valueControlsEdge(irPred, irSucc, v) and
+    nonExcludedIRAndBasicBlock(irPred, pred) and
+    nonExcludedIRAndBasicBlock(irSucc, succ) and
+    not isUnreachedBlock(irPred) and
+    not isUnreachedBlock(irSucc)
+  )
+}
+
 private class GuardConditionFromNotExpr extends GuardConditionImpl {
  IRGuardCondition ir;

@@ -295,6 +390,10 @@ private class GuardConditionFromNotExpr extends GuardConditionImpl {
    controlsBlock(ir, controlled, v.getDualValue())
  }

+  override predicate valueControlsEdge(BasicBlock pred, BasicBlock succ, AbstractValue v) {
+    controlsEdge(ir, pred, succ, v.getDualValue())
+  }
+
  pragma[inline]
  override predicate comparesLt(Expr left, Expr right, int k, boolean isLessThan, boolean testIsTrue) {
    exists(Instruction li, Instruction ri |
@@ -383,6 +482,10 @@ private class GuardConditionFromIR extends GuardConditionImpl {
    controlsBlock(ir, controlled, v)
  }

+  override predicate valueControlsEdge(BasicBlock pred, BasicBlock succ, AbstractValue v) {
+    controlsEdge(ir, pred, succ, v)
+  }
+
  pragma[inline]
  override predicate comparesLt(Expr left, Expr right, int k, boolean isLessThan, boolean testIsTrue) {
    exists(Instruction li, Instruction ri |
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/internal/CFG.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/internal/CFG.qll
@@ -1042,8 +1042,8 @@ private predicate subEdgeIncludingDestructors(Pos p1, Node n1, Node n2, Pos p2)
 * - `MicrosoftTryFinallyStmt`: On the edge following the `__finally` block for
 *   the case where an exception was thrown and needs to be propagated.
 */
-DestructorCall getSynthesisedDestructorCallAfterNode(Node n, int i) {
-  synthetic_destructor_call(n, i, result)
+DestructorCall getSynthesisedDestructorCallAfterNode(Node node, int index) {
+  synthetic_destructor_call(node, index, result)
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
@@ -834,8 +834,10 @@ class ContentSet instanceof Content {
   * For more information, see
   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
   */
-  predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
-    super.hasLocationInfo(path, sl, sc, el, ec)
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
  }
 }

--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -2273,8 +2273,10 @@ class ContentSet instanceof Content {
   * For more information, see
   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
   */
-  predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
-    super.hasLocationInfo(path, sl, sc, el, ec)
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
  }
 }

--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll
@@ -2,6 +2,7 @@
 * Provides classes that specify the conditions under which control flows along a given edge.
 */

+private import codeql.controlflow.SuccessorType
 private import internal.EdgeKindInternal

 private newtype TEdgeKind =
@@ -28,6 +29,21 @@ abstract private class EdgeKindImpl extends TEdgeKind {

 final class EdgeKind = EdgeKindImpl;

+private SuccessorType getAMatchingSpecificSuccessorType(EdgeKind k) {
+  result.(BooleanSuccessor).getValue() = true and k instanceof TrueEdge
+  or
+  result.(BooleanSuccessor).getValue() = false and k instanceof FalseEdge
+  or
+  result instanceof ExceptionSuccessor and k instanceof ExceptionEdge
+}
+
+SuccessorType getAMatchingSuccessorType(EdgeKind k) {
+  result = getAMatchingSpecificSuccessorType(k)
+  or
+  not exists(getAMatchingSpecificSuccessorType(k)) and
+  result instanceof DirectSuccessor
+}
+
 /**
 * A "goto" edge, representing the unconditional successor of an `Instruction`
 * or `IRBlock`.
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll
@@ -265,9 +265,9 @@ private predicate isEntryBlock(TIRBlock block) {
 }

 module IRCfg implements BB::CfgSig<Language::Location> {
-  class ControlFlowNode = Instruction;
+  private import codeql.controlflow.SuccessorType

-  class SuccessorType = EdgeKind;
+  class ControlFlowNode = Instruction;

  final private class FinalIRBlock = IRBlock;

@@ -280,7 +280,12 @@ module IRCfg implements BB::CfgSig<Language::Location> {

    BasicBlock getASuccessor() { result = super.getASuccessor() }

-    BasicBlock getASuccessor(SuccessorType t) { result = super.getSuccessor(t) }
+    BasicBlock getASuccessor(SuccessorType t) {
+      exists(EdgeKind k |
+        result = super.getSuccessor(k) and
+        t = getAMatchingSuccessorType(k)
+      )
+    }

    predicate strictlyDominates(BasicBlock bb) { super.strictlyDominates(bb) }

--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingInternal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingInternal.qll
@@ -41,7 +41,7 @@ newtype TValueNumber =
  ) {
    loadTotalOverlapValueNumber(_, irFunc, type, memOperand, operand)
  } or
-  TUniqueValueNumber(IRFunction irFunc, Instruction instr) { uniqueValueNumber(instr, irFunc) }
+  TUniqueValueNumber(Instruction instr) { uniqueValueNumber(instr) }

 /**
 * A `ConvertInstruction` which converts data of type `T` to data of type `U`
@@ -129,12 +129,14 @@ private predicate filteredNumberableInstruction(Instruction instr) {
    count(instr.(InheritanceConversionInstruction).getBaseClass()) != 1 or
    count(instr.(InheritanceConversionInstruction).getDerivedClass()) != 1
  )
+  or
+  count(instr.getEnclosingIRFunction()) != 1
 }

 private predicate variableAddressValueNumber(
  VariableAddressInstruction instr, IRFunction irFunc, Language::AST ast
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
+  unique( | | instr.getEnclosingIRFunction()) = irFunc and
  // The underlying AST element is used as value-numbering key instead of the
  // `IRVariable` to work around a problem where a variable or expression with
  // multiple types gives rise to multiple `IRVariable`s.
@@ -144,7 +146,7 @@ private predicate variableAddressValueNumber(
 private predicate initializeParameterValueNumber(
  InitializeParameterInstruction instr, IRFunction irFunc, Language::AST var
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
+  unique( | | instr.getEnclosingIRFunction()) = irFunc and
  // The underlying AST element is used as value-numbering key instead of the
  // `IRVariable` to work around a problem where a variable or expression with
  // multiple types gives rise to multiple `IRVariable`s.
@@ -154,7 +156,7 @@ private predicate initializeParameterValueNumber(
 private predicate constantValueNumber(
  ConstantInstruction instr, IRFunction irFunc, IRType type, string value
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
+  unique( | | instr.getEnclosingIRFunction()) = irFunc and
  unique( | | instr.getResultIRType()) = type and
  instr.getValue() = value
 }
@@ -162,7 +164,7 @@ private predicate constantValueNumber(
 private predicate stringConstantValueNumber(
  StringConstantInstruction instr, IRFunction irFunc, IRType type, string value
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
+  unique( | | instr.getEnclosingIRFunction()) = irFunc and
  instr.getResultIRType() = type and
  instr.getValue().getValue() = value
 }
@@ -171,7 +173,7 @@ private predicate fieldAddressValueNumber(
  FieldAddressInstruction instr, IRFunction irFunc, Language::Field field,
  TValueNumber objectAddress
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
+  unique( | | instr.getEnclosingIRFunction()) = irFunc and
  unique( | | instr.getField()) = field and
  tvalueNumber(instr.getObjectAddress()) = objectAddress
 }
@@ -182,7 +184,7 @@ private predicate binaryValueNumber0(
  TValueNumber valueNumber
 ) {
  not instr instanceof PointerArithmeticInstruction and
-  instr.getEnclosingIRFunction() = irFunc and
+  unique( | | instr.getEnclosingIRFunction()) = irFunc and
  instr.getOpcode() = opcode and
  (
    isLeft = true and
@@ -206,7 +208,7 @@ private predicate pointerArithmeticValueNumber0(
  PointerArithmeticInstruction instr, IRFunction irFunc, Opcode opcode, int elementSize,
  boolean isLeft, TValueNumber valueNumber
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
+  unique( | | instr.getEnclosingIRFunction()) = irFunc and
  instr.getOpcode() = opcode and
  instr.getElementSize() = elementSize and
  (
@@ -229,7 +231,7 @@ private predicate pointerArithmeticValueNumber(
 private predicate unaryValueNumber(
  UnaryInstruction instr, IRFunction irFunc, Opcode opcode, TValueNumber operand
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
+  unique( | | instr.getEnclosingIRFunction()) = irFunc and
  not instr instanceof InheritanceConversionInstruction and
  not instr instanceof CopyInstruction and
  not instr instanceof FieldAddressInstruction and
@@ -242,7 +244,7 @@ private predicate inheritanceConversionValueNumber(
  InheritanceConversionInstruction instr, IRFunction irFunc, Opcode opcode,
  Language::Class baseClass, Language::Class derivedClass, TValueNumber operand
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
+  unique( | | instr.getEnclosingIRFunction()) = irFunc and
  instr.getOpcode() = opcode and
  tvalueNumber(instr.getUnary()) = operand and
  unique( | | instr.getBaseClass()) = baseClass and
@@ -254,7 +256,7 @@ private predicate loadTotalOverlapValueNumber0(
  LoadTotalOverlapInstruction instr, IRFunction irFunc, IRType type, TValueNumber valueNumber,
  boolean isAddress
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
+  unique( | | instr.getEnclosingIRFunction()) = irFunc and
  instr.getResultIRType() = type and
  (
    isAddress = true and
@@ -277,8 +279,7 @@ private predicate loadTotalOverlapValueNumber(
 * Holds if `instr` should be assigned a unique value number because this library does not know how
 * to determine if two instances of that instruction are equivalent.
 */
-private predicate uniqueValueNumber(Instruction instr, IRFunction irFunc) {
-  instr.getEnclosingIRFunction() = irFunc and
+private predicate uniqueValueNumber(Instruction instr) {
  not instr.getResultIRType() instanceof IRVoidType and
  (
    not numberableInstruction(instr)
@@ -294,10 +295,8 @@ cached
 TValueNumber tvalueNumber(Instruction instr) {
  result = nonUniqueValueNumber(instr)
  or
-  exists(IRFunction irFunc |
-    uniqueValueNumber(instr, irFunc) and
-    result = TUniqueValueNumber(irFunc, instr)
-  )
+  uniqueValueNumber(instr) and
+  result = TUniqueValueNumber(instr)
 }

 /**
@@ -311,68 +310,64 @@ TValueNumber tvalueNumberOfOperand(Operand op) { result = tvalueNumber(op.getDef
 * value number.
 */
 private TValueNumber nonUniqueValueNumber(Instruction instr) {
-  exists(IRFunction irFunc |
-    irFunc = instr.getEnclosingIRFunction() and
-    (
-      exists(Language::AST ast |
-        variableAddressValueNumber(instr, irFunc, ast) and
-        result = TVariableAddressValueNumber(irFunc, ast)
-      )
-      or
-      exists(Language::AST var |
-        initializeParameterValueNumber(instr, irFunc, var) and
-        result = TInitializeParameterValueNumber(irFunc, var)
-      )
-      or
-      exists(string value, IRType type |
-        constantValueNumber(instr, irFunc, type, value) and
-        result = TConstantValueNumber(irFunc, type, value)
-      )
-      or
-      exists(IRType type, string value |
-        stringConstantValueNumber(instr, irFunc, type, value) and
-        result = TStringConstantValueNumber(irFunc, type, value)
-      )
-      or
-      exists(Language::Field field, TValueNumber objectAddress |
-        fieldAddressValueNumber(instr, irFunc, field, objectAddress) and
-        result = TFieldAddressValueNumber(irFunc, field, objectAddress)
-      )
-      or
-      exists(Opcode opcode, TValueNumber leftOperand, TValueNumber rightOperand |
-        binaryValueNumber(instr, irFunc, opcode, leftOperand, rightOperand) and
-        result = TBinaryValueNumber(irFunc, opcode, leftOperand, rightOperand)
-      )
-      or
-      exists(Opcode opcode, TValueNumber operand |
-        unaryValueNumber(instr, irFunc, opcode, operand) and
-        result = TUnaryValueNumber(irFunc, opcode, operand)
-      )
-      or
-      exists(
-        Opcode opcode, Language::Class baseClass, Language::Class derivedClass, TValueNumber operand
-      |
-        inheritanceConversionValueNumber(instr, irFunc, opcode, baseClass, derivedClass, operand) and
-        result = TInheritanceConversionValueNumber(irFunc, opcode, baseClass, derivedClass, operand)
-      )
-      or
-      exists(Opcode opcode, int elementSize, TValueNumber leftOperand, TValueNumber rightOperand |
-        pointerArithmeticValueNumber(instr, irFunc, opcode, elementSize, leftOperand, rightOperand) and
-        result =
-          TPointerArithmeticValueNumber(irFunc, opcode, elementSize, leftOperand, rightOperand)
-      )
-      or
-      exists(IRType type, TValueNumber memOperand, TValueNumber operand |
-        loadTotalOverlapValueNumber(instr, irFunc, type, memOperand, operand) and
-        result = TLoadTotalOverlapValueNumber(irFunc, type, memOperand, operand)
-      )
-      or
-      // The value number of a copy is just the value number of its source value.
-      result = tvalueNumber(instr.(CongruentCopyInstruction).getSourceValue())
-      or
-      // The value number of a type-preserving conversion is just the value
-      // number of the unconverted value.
-      result = tvalueNumber(instr.(TypePreservingConvertInstruction).getUnary())
+  exists(IRFunction irFunc | irFunc = instr.getEnclosingIRFunction() |
+    exists(Language::AST ast |
+      variableAddressValueNumber(instr, irFunc, ast) and
+      result = TVariableAddressValueNumber(irFunc, ast)
    )
+    or
+    exists(Language::AST var |
+      initializeParameterValueNumber(instr, irFunc, var) and
+      result = TInitializeParameterValueNumber(irFunc, var)
+    )
+    or
+    exists(string value, IRType type |
+      constantValueNumber(instr, irFunc, type, value) and
+      result = TConstantValueNumber(irFunc, type, value)
+    )
+    or
+    exists(IRType type, string value |
+      stringConstantValueNumber(instr, irFunc, type, value) and
+      result = TStringConstantValueNumber(irFunc, type, value)
+    )
+    or
+    exists(Language::Field field, TValueNumber objectAddress |
+      fieldAddressValueNumber(instr, irFunc, field, objectAddress) and
+      result = TFieldAddressValueNumber(irFunc, field, objectAddress)
+    )
+    or
+    exists(Opcode opcode, TValueNumber leftOperand, TValueNumber rightOperand |
+      binaryValueNumber(instr, irFunc, opcode, leftOperand, rightOperand) and
+      result = TBinaryValueNumber(irFunc, opcode, leftOperand, rightOperand)
+    )
+    or
+    exists(Opcode opcode, TValueNumber operand |
+      unaryValueNumber(instr, irFunc, opcode, operand) and
+      result = TUnaryValueNumber(irFunc, opcode, operand)
+    )
+    or
+    exists(
+      Opcode opcode, Language::Class baseClass, Language::Class derivedClass, TValueNumber operand
+    |
+      inheritanceConversionValueNumber(instr, irFunc, opcode, baseClass, derivedClass, operand) and
+      result = TInheritanceConversionValueNumber(irFunc, opcode, baseClass, derivedClass, operand)
+    )
+    or
+    exists(Opcode opcode, int elementSize, TValueNumber leftOperand, TValueNumber rightOperand |
+      pointerArithmeticValueNumber(instr, irFunc, opcode, elementSize, leftOperand, rightOperand) and
+      result = TPointerArithmeticValueNumber(irFunc, opcode, elementSize, leftOperand, rightOperand)
+    )
+    or
+    exists(IRType type, TValueNumber memOperand, TValueNumber operand |
+      loadTotalOverlapValueNumber(instr, irFunc, type, memOperand, operand) and
+      result = TLoadTotalOverlapValueNumber(irFunc, type, memOperand, operand)
+    )
+    or
+    // The value number of a copy is just the value number of its source value.
+    result = tvalueNumber(instr.(CongruentCopyInstruction).getSourceValue())
+    or
+    // The value number of a type-preserving conversion is just the value
+    // number of the unconverted value.
+    result = tvalueNumber(instr.(TypePreservingConvertInstruction).getUnary())
  )
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRBlock.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRBlock.qll
@@ -265,9 +265,9 @@ private predicate isEntryBlock(TIRBlock block) {
 }

 module IRCfg implements BB::CfgSig<Language::Location> {
-  class ControlFlowNode = Instruction;
+  private import codeql.controlflow.SuccessorType

-  class SuccessorType = EdgeKind;
+  class ControlFlowNode = Instruction;

  final private class FinalIRBlock = IRBlock;

@@ -280,7 +280,12 @@ module IRCfg implements BB::CfgSig<Language::Location> {

    BasicBlock getASuccessor() { result = super.getASuccessor() }

-    BasicBlock getASuccessor(SuccessorType t) { result = super.getSuccessor(t) }
+    BasicBlock getASuccessor(SuccessorType t) {
+      exists(EdgeKind k |
+        result = super.getSuccessor(k) and
+        t = getAMatchingSuccessorType(k)
+      )
+    }

    predicate strictlyDominates(BasicBlock bb) { super.strictlyDominates(bb) }

--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll
@@ -41,7 +41,7 @@ newtype TValueNumber =
  ) {
    loadTotalOverlapValueNumber(_, irFunc, type, memOperand, operand)
  } or
-  TUniqueValueNumber(IRFunction irFunc, Instruction instr) { uniqueValueNumber(instr, irFunc) }
+  TUniqueValueNumber(Instruction instr) { uniqueValueNumber(instr) }

 /**
 * A `ConvertInstruction` which converts data of type `T` to data of type `U`
@@ -129,12 +129,14 @@ private predicate filteredNumberableInstruction(Instruction instr) {
    count(instr.(InheritanceConversionInstruction).getBaseClass()) != 1 or
    count(instr.(InheritanceConversionInstruction).getDerivedClass()) != 1
  )
+  or
+  count(instr.getEnclosingIRFunction()) != 1
 }

 private predicate variableAddressValueNumber(
  VariableAddressInstruction instr, IRFunction irFunc, Language::AST ast
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
+  unique( | | instr.getEnclosingIRFunction()) = irFunc and
  // The underlying AST element is used as value-numbering key instead of the
  // `IRVariable` to work around a problem where a variable or expression with
  // multiple types gives rise to multiple `IRVariable`s.
@@ -144,7 +146,7 @@ private predicate variableAddressValueNumber(
 private predicate initializeParameterValueNumber(
  InitializeParameterInstruction instr, IRFunction irFunc, Language::AST var
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
+  unique( | | instr.getEnclosingIRFunction()) = irFunc and
  // The underlying AST element is used as value-numbering key instead of the
  // `IRVariable` to work around a problem where a variable or expression with
  // multiple types gives rise to multiple `IRVariable`s.
@@ -154,7 +156,7 @@ private predicate initializeParameterValueNumber(
 private predicate constantValueNumber(
  ConstantInstruction instr, IRFunction irFunc, IRType type, string value
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
+  unique( | | instr.getEnclosingIRFunction()) = irFunc and
  unique( | | instr.getResultIRType()) = type and
  instr.getValue() = value
 }
@@ -162,7 +164,7 @@ private predicate constantValueNumber(
 private predicate stringConstantValueNumber(
  StringConstantInstruction instr, IRFunction irFunc, IRType type, string value
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
+  unique( | | instr.getEnclosingIRFunction()) = irFunc and
  instr.getResultIRType() = type and
  instr.getValue().getValue() = value
 }
@@ -171,7 +173,7 @@ private predicate fieldAddressValueNumber(
  FieldAddressInstruction instr, IRFunction irFunc, Language::Field field,
  TValueNumber objectAddress
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
+  unique( | | instr.getEnclosingIRFunction()) = irFunc and
  unique( | | instr.getField()) = field and
  tvalueNumber(instr.getObjectAddress()) = objectAddress
 }
@@ -182,7 +184,7 @@ private predicate binaryValueNumber0(
  TValueNumber valueNumber
 ) {
  not instr instanceof PointerArithmeticInstruction and
-  instr.getEnclosingIRFunction() = irFunc and
+  unique( | | instr.getEnclosingIRFunction()) = irFunc and
  instr.getOpcode() = opcode and
  (
    isLeft = true and
@@ -206,7 +208,7 @@ private predicate pointerArithmeticValueNumber0(
  PointerArithmeticInstruction instr, IRFunction irFunc, Opcode opcode, int elementSize,
  boolean isLeft, TValueNumber valueNumber
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
+  unique( | | instr.getEnclosingIRFunction()) = irFunc and
  instr.getOpcode() = opcode and
  instr.getElementSize() = elementSize and
  (
@@ -229,7 +231,7 @@ private predicate pointerArithmeticValueNumber(
 private predicate unaryValueNumber(
  UnaryInstruction instr, IRFunction irFunc, Opcode opcode, TValueNumber operand
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
+  unique( | | instr.getEnclosingIRFunction()) = irFunc and
  not instr instanceof InheritanceConversionInstruction and
  not instr instanceof CopyInstruction and
  not instr instanceof FieldAddressInstruction and
@@ -242,7 +244,7 @@ private predicate inheritanceConversionValueNumber(
  InheritanceConversionInstruction instr, IRFunction irFunc, Opcode opcode,
  Language::Class baseClass, Language::Class derivedClass, TValueNumber operand
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
+  unique( | | instr.getEnclosingIRFunction()) = irFunc and
  instr.getOpcode() = opcode and
  tvalueNumber(instr.getUnary()) = operand and
  unique( | | instr.getBaseClass()) = baseClass and
@@ -254,7 +256,7 @@ private predicate loadTotalOverlapValueNumber0(
  LoadTotalOverlapInstruction instr, IRFunction irFunc, IRType type, TValueNumber valueNumber,
  boolean isAddress
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
+  unique( | | instr.getEnclosingIRFunction()) = irFunc and
  instr.getResultIRType() = type and
  (
    isAddress = true and
@@ -277,8 +279,7 @@ private predicate loadTotalOverlapValueNumber(
 * Holds if `instr` should be assigned a unique value number because this library does not know how
 * to determine if two instances of that instruction are equivalent.
 */
-private predicate uniqueValueNumber(Instruction instr, IRFunction irFunc) {
-  instr.getEnclosingIRFunction() = irFunc and
+private predicate uniqueValueNumber(Instruction instr) {
  not instr.getResultIRType() instanceof IRVoidType and
  (
    not numberableInstruction(instr)
@@ -294,10 +295,8 @@ cached
 TValueNumber tvalueNumber(Instruction instr) {
  result = nonUniqueValueNumber(instr)
  or
-  exists(IRFunction irFunc |
-    uniqueValueNumber(instr, irFunc) and
-    result = TUniqueValueNumber(irFunc, instr)
-  )
+  uniqueValueNumber(instr) and
+  result = TUniqueValueNumber(instr)
 }

 /**
@@ -311,68 +310,64 @@ TValueNumber tvalueNumberOfOperand(Operand op) { result = tvalueNumber(op.getDef
 * value number.
 */
 private TValueNumber nonUniqueValueNumber(Instruction instr) {
-  exists(IRFunction irFunc |
-    irFunc = instr.getEnclosingIRFunction() and
-    (
-      exists(Language::AST ast |
-        variableAddressValueNumber(instr, irFunc, ast) and
-        result = TVariableAddressValueNumber(irFunc, ast)
-      )
-      or
-      exists(Language::AST var |
-        initializeParameterValueNumber(instr, irFunc, var) and
-        result = TInitializeParameterValueNumber(irFunc, var)
-      )
-      or
-      exists(string value, IRType type |
-        constantValueNumber(instr, irFunc, type, value) and
-        result = TConstantValueNumber(irFunc, type, value)
-      )
-      or
-      exists(IRType type, string value |
-        stringConstantValueNumber(instr, irFunc, type, value) and
-        result = TStringConstantValueNumber(irFunc, type, value)
-      )
-      or
-      exists(Language::Field field, TValueNumber objectAddress |
-        fieldAddressValueNumber(instr, irFunc, field, objectAddress) and
-        result = TFieldAddressValueNumber(irFunc, field, objectAddress)
-      )
-      or
-      exists(Opcode opcode, TValueNumber leftOperand, TValueNumber rightOperand |
-        binaryValueNumber(instr, irFunc, opcode, leftOperand, rightOperand) and
-        result = TBinaryValueNumber(irFunc, opcode, leftOperand, rightOperand)
-      )
-      or
-      exists(Opcode opcode, TValueNumber operand |
-        unaryValueNumber(instr, irFunc, opcode, operand) and
-        result = TUnaryValueNumber(irFunc, opcode, operand)
-      )
-      or
-      exists(
-        Opcode opcode, Language::Class baseClass, Language::Class derivedClass, TValueNumber operand
-      |
-        inheritanceConversionValueNumber(instr, irFunc, opcode, baseClass, derivedClass, operand) and
-        result = TInheritanceConversionValueNumber(irFunc, opcode, baseClass, derivedClass, operand)
-      )
-      or
-      exists(Opcode opcode, int elementSize, TValueNumber leftOperand, TValueNumber rightOperand |
-        pointerArithmeticValueNumber(instr, irFunc, opcode, elementSize, leftOperand, rightOperand) and
-        result =
-          TPointerArithmeticValueNumber(irFunc, opcode, elementSize, leftOperand, rightOperand)
-      )
-      or
-      exists(IRType type, TValueNumber memOperand, TValueNumber operand |
-        loadTotalOverlapValueNumber(instr, irFunc, type, memOperand, operand) and
-        result = TLoadTotalOverlapValueNumber(irFunc, type, memOperand, operand)
-      )
-      or
-      // The value number of a copy is just the value number of its source value.
-      result = tvalueNumber(instr.(CongruentCopyInstruction).getSourceValue())
-      or
-      // The value number of a type-preserving conversion is just the value
-      // number of the unconverted value.
-      result = tvalueNumber(instr.(TypePreservingConvertInstruction).getUnary())
+  exists(IRFunction irFunc | irFunc = instr.getEnclosingIRFunction() |
+    exists(Language::AST ast |
+      variableAddressValueNumber(instr, irFunc, ast) and
+      result = TVariableAddressValueNumber(irFunc, ast)
    )
+    or
+    exists(Language::AST var |
+      initializeParameterValueNumber(instr, irFunc, var) and
+      result = TInitializeParameterValueNumber(irFunc, var)
+    )
+    or
+    exists(string value, IRType type |
+      constantValueNumber(instr, irFunc, type, value) and
+      result = TConstantValueNumber(irFunc, type, value)
+    )
+    or
+    exists(IRType type, string value |
+      stringConstantValueNumber(instr, irFunc, type, value) and
+      result = TStringConstantValueNumber(irFunc, type, value)
+    )
+    or
+    exists(Language::Field field, TValueNumber objectAddress |
+      fieldAddressValueNumber(instr, irFunc, field, objectAddress) and
+      result = TFieldAddressValueNumber(irFunc, field, objectAddress)
+    )
+    or
+    exists(Opcode opcode, TValueNumber leftOperand, TValueNumber rightOperand |
+      binaryValueNumber(instr, irFunc, opcode, leftOperand, rightOperand) and
+      result = TBinaryValueNumber(irFunc, opcode, leftOperand, rightOperand)
+    )
+    or
+    exists(Opcode opcode, TValueNumber operand |
+      unaryValueNumber(instr, irFunc, opcode, operand) and
+      result = TUnaryValueNumber(irFunc, opcode, operand)
+    )
+    or
+    exists(
+      Opcode opcode, Language::Class baseClass, Language::Class derivedClass, TValueNumber operand
+    |
+      inheritanceConversionValueNumber(instr, irFunc, opcode, baseClass, derivedClass, operand) and
+      result = TInheritanceConversionValueNumber(irFunc, opcode, baseClass, derivedClass, operand)
+    )
+    or
+    exists(Opcode opcode, int elementSize, TValueNumber leftOperand, TValueNumber rightOperand |
+      pointerArithmeticValueNumber(instr, irFunc, opcode, elementSize, leftOperand, rightOperand) and
+      result = TPointerArithmeticValueNumber(irFunc, opcode, elementSize, leftOperand, rightOperand)
+    )
+    or
+    exists(IRType type, TValueNumber memOperand, TValueNumber operand |
+      loadTotalOverlapValueNumber(instr, irFunc, type, memOperand, operand) and
+      result = TLoadTotalOverlapValueNumber(irFunc, type, memOperand, operand)
+    )
+    or
+    // The value number of a copy is just the value number of its source value.
+    result = tvalueNumber(instr.(CongruentCopyInstruction).getSourceValue())
+    or
+    // The value number of a type-preserving conversion is just the value
+    // number of the unconverted value.
+    result = tvalueNumber(instr.(TypePreservingConvertInstruction).getUnary())
  )
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll
@@ -97,7 +97,14 @@ newtype TInstructionTag =
    exists(Stmt s | exists(s.getImplicitDestructorCall(index)))
  } or
  CoAwaitBranchTag() or
-  BoolToIntConversionTag()
+  BoolToIntConversionTag() or
+  SizeofVlaBaseSizeTag() or
+  SizeofVlaConversionTag(int index) {
+    exists(VlaDeclStmt v | exists(v.getTransitiveVlaDimensionStmt(index)))
+  } or
+  SizeofVlaDimensionTag(int index) {
+    exists(VlaDeclStmt v | exists(v.getTransitiveVlaDimensionStmt(index)))
+  }

 class InstructionTag extends TInstructionTag {
  final string toString() { result = getInstructionTagId(this) }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
@@ -123,13 +123,16 @@ private predicate ignoreExprAndDescendants(Expr expr) {
  //  or
  ignoreExprAndDescendants(getRealParent(expr)) // recursive case
  or
-  // va_start doesn't evaluate its argument, so we don't need to translate it.
+  // va_start does not evaluate its argument, so we do not need to translate it.
  exists(BuiltInVarArgsStart vaStartExpr |
    vaStartExpr.getLastNamedParameter().getFullyConverted() = expr
  )
  or
+  // sizeof does not evaluate its argument, so we do not need to translate it.
+  exists(SizeofExprOperator sizeofExpr | sizeofExpr.getExprOperand().getFullyConverted() = expr)
+  or
  // The children of C11 _Generic expressions are just surface syntax.
-  exists(C11GenericExpr generic | generic.getAChild() = expr)
+  exists(C11GenericExpr generic | generic.getAChild().getFullyConverted() = expr)
  or
  // Do not translate implicit destructor calls for unnamed temporary variables that are
  // conditionally constructed (until we have a mechanism for calling these only when the
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll
@@ -187,7 +187,7 @@ Variable getEnclosingVariable(Expr e) {
 }

 /**
- * The IR translation of the "core"  part of an expression. This is the part of
+ * The IR translation of the "core" part of an expression. This is the part of
 * the expression that produces the result value of the expression, before any
 * lvalue-to-rvalue conversion on the result. Every expression has a single
 * `TranslatedCoreExpr`.
@@ -4094,6 +4094,155 @@ class TranslatedStmtExpr extends TranslatedNonConstantExpr {
  TranslatedStmt getStmt() { result = getTranslatedStmt(expr.getStmt()) }
 }

+private VlaDeclStmt getVlaDeclStmt(Expr expr, int pointerDerefCount) {
+  expr.(VariableAccess).getTarget() = result.getVariable() and
+  pointerDerefCount = 0
+  or
+  not expr.(PointerDereferenceExpr).getOperand() instanceof AddressOfExpr and
+  result = getVlaDeclStmt(expr.(PointerDereferenceExpr).getOperand(), pointerDerefCount - 1)
+  or
+  // Skip sequences of the form `*&...`
+  result =
+    getVlaDeclStmt(expr.(PointerDereferenceExpr).getOperand().(AddressOfExpr).getOperand(),
+      pointerDerefCount)
+  or
+  result = getVlaDeclStmt(expr.(ArrayExpr).getArrayBase(), pointerDerefCount - 1)
+}
+
+/**
+ * The IR translation of `SizeofExprOperator` when its result is non-constant, i.e.,
+ * when the operand expression refers to a variable length array.
+ */
+class TranslatedSizeofExpr extends TranslatedNonConstantExpr {
+  override SizeofExprOperator expr;
+  VlaDeclStmt vlaDeclStmt;
+  int vlaDimensions;
+  int pointerDerefCount;
+
+  TranslatedSizeofExpr() {
+    vlaDeclStmt = getVlaDeclStmt(expr.getExprOperand(), pointerDerefCount) and
+    vlaDimensions = vlaDeclStmt.getTransitiveNumberOfVlaDimensionStmts() and
+    pointerDerefCount < vlaDimensions
+  }
+
+  final override Instruction getFirstInstruction(EdgeKind kind) {
+    result = this.getInstruction(SizeofVlaBaseSizeTag()) and
+    kind instanceof GotoEdge
+  }
+
+  override Instruction getALastInstructionInternal() {
+    result = this.getInstruction(SizeofVlaDimensionTag(vlaDimensions - 1))
+  }
+
+  final override TranslatedElement getChildInternal(int id) { none() }
+
+  final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
+    opcode instanceof Opcode::Constant and
+    tag = SizeofVlaBaseSizeTag() and
+    resultType = this.getResultType()
+    or
+    exists(int n, Type dimType |
+      pointerDerefCount <= n and
+      n < vlaDimensions and
+      dimType = this.getDimensionExpr(n).getUnderlyingType() and
+      tag = SizeofVlaConversionTag(n)
+    |
+      (
+        expr.getUnderlyingType() = dimType and
+        opcode instanceof Opcode::CopyValue
+        or
+        not expr.getUnderlyingType() = dimType and
+        opcode instanceof Opcode::Convert
+      )
+    ) and
+    resultType = this.getResultType()
+    or
+    opcode instanceof Opcode::Mul and
+    exists(int n | pointerDerefCount <= n and n < vlaDimensions | tag = SizeofVlaDimensionTag(n)) and
+    resultType = this.getResultType()
+  }
+
+  final override Instruction getInstructionSuccessorInternal(InstructionTag tag, EdgeKind kind) {
+    tag = SizeofVlaBaseSizeTag() and
+    result = this.getInstruction(SizeofVlaConversionTag(pointerDerefCount)) and
+    kind instanceof GotoEdge
+    or
+    exists(int n | pointerDerefCount <= n and n < vlaDimensions |
+      tag = SizeofVlaConversionTag(n) and
+      result = this.getInstruction(SizeofVlaDimensionTag(n))
+    ) and
+    kind instanceof GotoEdge
+    or
+    exists(int n | pointerDerefCount <= n and n < vlaDimensions - 1 |
+      tag = SizeofVlaDimensionTag(n) and
+      result = this.getInstruction(SizeofVlaConversionTag(n + 1))
+    ) and
+    kind instanceof GotoEdge
+    or
+    tag = SizeofVlaDimensionTag(vlaDimensions - 1) and
+    result = this.getParent().getChildSuccessor(this, kind)
+  }
+
+  override string getInstructionConstantValue(InstructionTag tag) {
+    tag = SizeofVlaBaseSizeTag() and
+    result = this.getBaseType(vlaDeclStmt).getSize().toString()
+  }
+
+  private Type getBaseType(VlaDeclStmt v) {
+    not exists(v.getParentVlaDecl()) and
+    (
+      result =
+        this.getBaseType(v.getVariable().getUnderlyingType(), v.getNumberOfVlaDimensionStmts())
+      or
+      result = this.getBaseType(v.getType().getUnderlyingType(), v.getNumberOfVlaDimensionStmts())
+    )
+    or
+    result = this.getBaseType(v.getParentVlaDecl())
+  }
+
+  private Type getBaseType(Type type, int n) {
+    n = 0 and
+    result = type
+    or
+    result = this.getBaseType(type.(DerivedType).getBaseType(), n - 1)
+  }
+
+  override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
+    exists(int n | pointerDerefCount <= n and n < vlaDimensions |
+      tag = SizeofVlaConversionTag(n) and
+      (
+        operandTag instanceof UnaryOperandTag and
+        result = getTranslatedExpr(this.getDimensionExpr(n)).getResult()
+      )
+    )
+    or
+    exists(int n | pointerDerefCount <= n and n < vlaDimensions |
+      tag = SizeofVlaDimensionTag(n) and
+      (
+        operandTag instanceof LeftOperandTag and
+        (
+          n - 1 >= pointerDerefCount and
+          result = this.getInstruction(SizeofVlaDimensionTag(n - 1))
+          or
+          n - 1 < pointerDerefCount and
+          result = this.getInstruction(SizeofVlaBaseSizeTag())
+        )
+        or
+        operandTag instanceof RightOperandTag and
+        result = this.getInstruction(SizeofVlaConversionTag(n))
+      )
+    )
+  }
+
+  private Expr getDimensionExpr(int n) {
+    result = vlaDeclStmt.getTransitiveVlaDimensionStmt(n).getDimensionExpr().getFullyConverted()
+  }
+
+  final override Instruction getResult() {
+    result = this.getInstruction(SizeofVlaDimensionTag(vlaDimensions - 1))
+  }
+}
+
 class TranslatedErrorExpr extends TranslatedSingleInstructionExpr {
  override ErrorExpr expr;

--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll
@@ -50,7 +50,7 @@ CppType getEllipsisVariablePRValueType() {
 CppType getEllipsisVariableGLValueType() { result = getTypeForGLValue(any(UnknownType t)) }

 /**
- * Holds if the function returns a value, as opposed to returning `void`.
+ * Holds if the function `func` returns a value, as opposed to returning `void`.
 */
 predicate hasReturnValue(Function func) { not func.getUnspecifiedType() instanceof VoidType }

--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll
@@ -601,7 +601,7 @@ class TranslatedReturnVoidStmt extends TranslatedReturnStmt {
 * The IR translation of an implicit `return` statement generated by the extractor to handle control
 * flow that reaches the end of a non-`void`-returning function body. Such control flow
 * produces undefined behavior in C++ but not in C. However even in C using the return value is
- * undefined behaviour. We make it return uninitialized memory to get as much flow as possible.
+ * undefined behavior. We make it return uninitialized memory to get as much flow as possible.
 */
 class TranslatedNoValueReturnStmt extends TranslatedReturnStmt, TranslatedVariableInitialization {
  TranslatedNoValueReturnStmt() {
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll
@@ -265,9 +265,9 @@ private predicate isEntryBlock(TIRBlock block) {
 }

 module IRCfg implements BB::CfgSig<Language::Location> {
-  class ControlFlowNode = Instruction;
+  private import codeql.controlflow.SuccessorType

-  class SuccessorType = EdgeKind;
+  class ControlFlowNode = Instruction;

  final private class FinalIRBlock = IRBlock;

@@ -280,7 +280,12 @@ module IRCfg implements BB::CfgSig<Language::Location> {

    BasicBlock getASuccessor() { result = super.getASuccessor() }

-    BasicBlock getASuccessor(SuccessorType t) { result = super.getSuccessor(t) }
+    BasicBlock getASuccessor(SuccessorType t) {
+      exists(EdgeKind k |
+        result = super.getSuccessor(k) and
+        t = getAMatchingSuccessorType(k)
+      )
+    }

    predicate strictlyDominates(BasicBlock bb) { super.strictlyDominates(bb) }

--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll
@@ -41,7 +41,7 @@ newtype TValueNumber =
  ) {
    loadTotalOverlapValueNumber(_, irFunc, type, memOperand, operand)
  } or
-  TUniqueValueNumber(IRFunction irFunc, Instruction instr) { uniqueValueNumber(instr, irFunc) }
+  TUniqueValueNumber(Instruction instr) { uniqueValueNumber(instr) }

 /**
 * A `ConvertInstruction` which converts data of type `T` to data of type `U`
@@ -129,12 +129,14 @@ private predicate filteredNumberableInstruction(Instruction instr) {
    count(instr.(InheritanceConversionInstruction).getBaseClass()) != 1 or
    count(instr.(InheritanceConversionInstruction).getDerivedClass()) != 1
  )
+  or
+  count(instr.getEnclosingIRFunction()) != 1
 }

 private predicate variableAddressValueNumber(
  VariableAddressInstruction instr, IRFunction irFunc, Language::AST ast
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
+  unique( | | instr.getEnclosingIRFunction()) = irFunc and
  // The underlying AST element is used as value-numbering key instead of the
  // `IRVariable` to work around a problem where a variable or expression with
  // multiple types gives rise to multiple `IRVariable`s.
@@ -144,7 +146,7 @@ private predicate variableAddressValueNumber(
 private predicate initializeParameterValueNumber(
  InitializeParameterInstruction instr, IRFunction irFunc, Language::AST var
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
+  unique( | | instr.getEnclosingIRFunction()) = irFunc and
  // The underlying AST element is used as value-numbering key instead of the
  // `IRVariable` to work around a problem where a variable or expression with
  // multiple types gives rise to multiple `IRVariable`s.
@@ -154,7 +156,7 @@ private predicate initializeParameterValueNumber(
 private predicate constantValueNumber(
  ConstantInstruction instr, IRFunction irFunc, IRType type, string value
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
+  unique( | | instr.getEnclosingIRFunction()) = irFunc and
  unique( | | instr.getResultIRType()) = type and
  instr.getValue() = value
 }
@@ -162,7 +164,7 @@ private predicate constantValueNumber(
 private predicate stringConstantValueNumber(
  StringConstantInstruction instr, IRFunction irFunc, IRType type, string value
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
+  unique( | | instr.getEnclosingIRFunction()) = irFunc and
  instr.getResultIRType() = type and
  instr.getValue().getValue() = value
 }
@@ -171,7 +173,7 @@ private predicate fieldAddressValueNumber(
  FieldAddressInstruction instr, IRFunction irFunc, Language::Field field,
  TValueNumber objectAddress
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
+  unique( | | instr.getEnclosingIRFunction()) = irFunc and
  unique( | | instr.getField()) = field and
  tvalueNumber(instr.getObjectAddress()) = objectAddress
 }
@@ -182,7 +184,7 @@ private predicate binaryValueNumber0(
  TValueNumber valueNumber
 ) {
  not instr instanceof PointerArithmeticInstruction and
-  instr.getEnclosingIRFunction() = irFunc and
+  unique( | | instr.getEnclosingIRFunction()) = irFunc and
  instr.getOpcode() = opcode and
  (
    isLeft = true and
@@ -206,7 +208,7 @@ private predicate pointerArithmeticValueNumber0(
  PointerArithmeticInstruction instr, IRFunction irFunc, Opcode opcode, int elementSize,
  boolean isLeft, TValueNumber valueNumber
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
+  unique( | | instr.getEnclosingIRFunction()) = irFunc and
  instr.getOpcode() = opcode and
  instr.getElementSize() = elementSize and
  (
@@ -229,7 +231,7 @@ private predicate pointerArithmeticValueNumber(
 private predicate unaryValueNumber(
  UnaryInstruction instr, IRFunction irFunc, Opcode opcode, TValueNumber operand
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
+  unique( | | instr.getEnclosingIRFunction()) = irFunc and
  not instr instanceof InheritanceConversionInstruction and
  not instr instanceof CopyInstruction and
  not instr instanceof FieldAddressInstruction and
@@ -242,7 +244,7 @@ private predicate inheritanceConversionValueNumber(
  InheritanceConversionInstruction instr, IRFunction irFunc, Opcode opcode,
  Language::Class baseClass, Language::Class derivedClass, TValueNumber operand
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
+  unique( | | instr.getEnclosingIRFunction()) = irFunc and
  instr.getOpcode() = opcode and
  tvalueNumber(instr.getUnary()) = operand and
  unique( | | instr.getBaseClass()) = baseClass and
@@ -254,7 +256,7 @@ private predicate loadTotalOverlapValueNumber0(
  LoadTotalOverlapInstruction instr, IRFunction irFunc, IRType type, TValueNumber valueNumber,
  boolean isAddress
 ) {
-  instr.getEnclosingIRFunction() = irFunc and
+  unique( | | instr.getEnclosingIRFunction()) = irFunc and
  instr.getResultIRType() = type and
  (
    isAddress = true and
@@ -277,8 +279,7 @@ private predicate loadTotalOverlapValueNumber(
 * Holds if `instr` should be assigned a unique value number because this library does not know how
 * to determine if two instances of that instruction are equivalent.
 */
-private predicate uniqueValueNumber(Instruction instr, IRFunction irFunc) {
-  instr.getEnclosingIRFunction() = irFunc and
+private predicate uniqueValueNumber(Instruction instr) {
  not instr.getResultIRType() instanceof IRVoidType and
  (
    not numberableInstruction(instr)
@@ -294,10 +295,8 @@ cached
 TValueNumber tvalueNumber(Instruction instr) {
  result = nonUniqueValueNumber(instr)
  or
-  exists(IRFunction irFunc |
-    uniqueValueNumber(instr, irFunc) and
-    result = TUniqueValueNumber(irFunc, instr)
-  )
+  uniqueValueNumber(instr) and
+  result = TUniqueValueNumber(instr)
 }

 /**
@@ -311,68 +310,64 @@ TValueNumber tvalueNumberOfOperand(Operand op) { result = tvalueNumber(op.getDef
 * value number.
 */
 private TValueNumber nonUniqueValueNumber(Instruction instr) {
-  exists(IRFunction irFunc |
-    irFunc = instr.getEnclosingIRFunction() and
-    (
-      exists(Language::AST ast |
-        variableAddressValueNumber(instr, irFunc, ast) and
-        result = TVariableAddressValueNumber(irFunc, ast)
-      )
-      or
-      exists(Language::AST var |
-        initializeParameterValueNumber(instr, irFunc, var) and
-        result = TInitializeParameterValueNumber(irFunc, var)
-      )
-      or
-      exists(string value, IRType type |
-        constantValueNumber(instr, irFunc, type, value) and
-        result = TConstantValueNumber(irFunc, type, value)
-      )
-      or
-      exists(IRType type, string value |
-        stringConstantValueNumber(instr, irFunc, type, value) and
-        result = TStringConstantValueNumber(irFunc, type, value)
-      )
-      or
-      exists(Language::Field field, TValueNumber objectAddress |
-        fieldAddressValueNumber(instr, irFunc, field, objectAddress) and
-        result = TFieldAddressValueNumber(irFunc, field, objectAddress)
-      )
-      or
-      exists(Opcode opcode, TValueNumber leftOperand, TValueNumber rightOperand |
-        binaryValueNumber(instr, irFunc, opcode, leftOperand, rightOperand) and
-        result = TBinaryValueNumber(irFunc, opcode, leftOperand, rightOperand)
-      )
-      or
-      exists(Opcode opcode, TValueNumber operand |
-        unaryValueNumber(instr, irFunc, opcode, operand) and
-        result = TUnaryValueNumber(irFunc, opcode, operand)
-      )
-      or
-      exists(
-        Opcode opcode, Language::Class baseClass, Language::Class derivedClass, TValueNumber operand
-      |
-        inheritanceConversionValueNumber(instr, irFunc, opcode, baseClass, derivedClass, operand) and
-        result = TInheritanceConversionValueNumber(irFunc, opcode, baseClass, derivedClass, operand)
-      )
-      or
-      exists(Opcode opcode, int elementSize, TValueNumber leftOperand, TValueNumber rightOperand |
-        pointerArithmeticValueNumber(instr, irFunc, opcode, elementSize, leftOperand, rightOperand) and
-        result =
-          TPointerArithmeticValueNumber(irFunc, opcode, elementSize, leftOperand, rightOperand)
-      )
-      or
-      exists(IRType type, TValueNumber memOperand, TValueNumber operand |
-        loadTotalOverlapValueNumber(instr, irFunc, type, memOperand, operand) and
-        result = TLoadTotalOverlapValueNumber(irFunc, type, memOperand, operand)
-      )
-      or
-      // The value number of a copy is just the value number of its source value.
-      result = tvalueNumber(instr.(CongruentCopyInstruction).getSourceValue())
-      or
-      // The value number of a type-preserving conversion is just the value
-      // number of the unconverted value.
-      result = tvalueNumber(instr.(TypePreservingConvertInstruction).getUnary())
+  exists(IRFunction irFunc | irFunc = instr.getEnclosingIRFunction() |
+    exists(Language::AST ast |
+      variableAddressValueNumber(instr, irFunc, ast) and
+      result = TVariableAddressValueNumber(irFunc, ast)
    )
+    or
+    exists(Language::AST var |
+      initializeParameterValueNumber(instr, irFunc, var) and
+      result = TInitializeParameterValueNumber(irFunc, var)
+    )
+    or
+    exists(string value, IRType type |
+      constantValueNumber(instr, irFunc, type, value) and
+      result = TConstantValueNumber(irFunc, type, value)
+    )
+    or
+    exists(IRType type, string value |
+      stringConstantValueNumber(instr, irFunc, type, value) and
+      result = TStringConstantValueNumber(irFunc, type, value)
+    )
+    or
+    exists(Language::Field field, TValueNumber objectAddress |
+      fieldAddressValueNumber(instr, irFunc, field, objectAddress) and
+      result = TFieldAddressValueNumber(irFunc, field, objectAddress)
+    )
+    or
+    exists(Opcode opcode, TValueNumber leftOperand, TValueNumber rightOperand |
+      binaryValueNumber(instr, irFunc, opcode, leftOperand, rightOperand) and
+      result = TBinaryValueNumber(irFunc, opcode, leftOperand, rightOperand)
+    )
+    or
+    exists(Opcode opcode, TValueNumber operand |
+      unaryValueNumber(instr, irFunc, opcode, operand) and
+      result = TUnaryValueNumber(irFunc, opcode, operand)
+    )
+    or
+    exists(
+      Opcode opcode, Language::Class baseClass, Language::Class derivedClass, TValueNumber operand
+    |
+      inheritanceConversionValueNumber(instr, irFunc, opcode, baseClass, derivedClass, operand) and
+      result = TInheritanceConversionValueNumber(irFunc, opcode, baseClass, derivedClass, operand)
+    )
+    or
+    exists(Opcode opcode, int elementSize, TValueNumber leftOperand, TValueNumber rightOperand |
+      pointerArithmeticValueNumber(instr, irFunc, opcode, elementSize, leftOperand, rightOperand) and
+      result = TPointerArithmeticValueNumber(irFunc, opcode, elementSize, leftOperand, rightOperand)
+    )
+    or
+    exists(IRType type, TValueNumber memOperand, TValueNumber operand |
+      loadTotalOverlapValueNumber(instr, irFunc, type, memOperand, operand) and
+      result = TLoadTotalOverlapValueNumber(irFunc, type, memOperand, operand)
+    )
+    or
+    // The value number of a copy is just the value number of its source value.
+    result = tvalueNumber(instr.(CongruentCopyInstruction).getSourceValue())
+    or
+    // The value number of a type-preserving conversion is just the value
+    // number of the unconverted value.
+    result = tvalueNumber(instr.(TypePreservingConvertInstruction).getUnary())
  )
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/internal/IRUtilities.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/internal/IRUtilities.qll
@@ -49,7 +49,8 @@ Type getVariableType(Variable v) {
 }

 /**
- * Holds if the database contains a `case` label with the specified minimum and maximum value.
+ * Holds if the database contains a `switchCase` label with the specified minimum `minValue`
+ * and maximum `maxValue` value.
 */
 predicate hasCaseEdge(SwitchCase switchCase, string minValue, string maxValue) {
  minValue = switchCase.getExpr().getFullyConverted().getValue() and
--- a/cpp/ql/lib/semmle/code/cpp/models/interfaces/FunctionInputsAndOutputs.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/interfaces/FunctionInputsAndOutputs.qll
@@ -371,7 +371,7 @@ class FunctionOutput extends TFunctionOutput {
  /**
   * Holds if this is the output value pointed to by a pointer parameter to a function, or the
   * output value referred to by a reference parameter to a function, where the parameter has
-   * index `index`.
+   * index `i`.
   *
   * Example:
   * ```
@@ -389,7 +389,7 @@ class FunctionOutput extends TFunctionOutput {
  /**
   * Holds if this is the output value pointed to by a pointer parameter (through `ind` number
   * of indirections) to a function, or the output value referred to by a reference parameter to
-   * a function, where the parameter has index `index`.
+   * a function, where the parameter has index `i`.
   *
   * Example:
   * ```
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExpr.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExpr.qll
@@ -307,13 +307,12 @@ class SemStoreExpr extends SemUnaryExpr {
 }

 class SemConditionalExpr extends SemKnownExpr {
-  SemExpr condition;
  SemExpr trueResult;
  SemExpr falseResult;

  SemConditionalExpr() {
    opcode instanceof Opcode::Conditional and
-    Specific::conditionalExpr(this, type, condition, trueResult, falseResult)
+    Specific::conditionalExpr(this, type, any(SemExpr condition), trueResult, falseResult)
  }

  final SemExpr getBranchExpr(boolean branch) {
--- a/cpp/ql/lib/semmle/code/cpp/security/FileWrite.qll
+++ b/cpp/ql/lib/semmle/code/cpp/security/FileWrite.qll
@@ -21,7 +21,9 @@ class FileWrite extends Expr {
  Expr getDest() { fileWrite(this, _, result) }

  /**
-   * Gets the conversion character for this write, if it exists and is known. For example in the following code the write of `value1` has conversion character `"s"`, whereas the write of `value2` has no conversion specifier.
+   * Gets the conversion character from `source` for this write, if it exists and is known.
+   * For example in the following code the write of `value1` has conversion character `"s"`, whereas
+   * the write of `value2` has no conversion specifier.
   * ```
   * fprintf(file, "%s", value1);
   * stream << value2;
--- a/cpp/ql/lib/semmle/code/cpp/security/boostorg/asio/protocols.qll
+++ b/cpp/ql/lib/semmle/code/cpp/security/boostorg/asio/protocols.qll
@@ -191,11 +191,19 @@ module BoostorgAsio {
  class SslContextClass extends Class {
    SslContextClass() { this.getQualifiedName() = "boost::asio::ssl::context" }

-    ConstructorCall getAContructorCall() {
+    /**
+     * Gets a constructor call, if any.
+     */
+    ConstructorCall getAConstructorCall() {
      this.getAConstructor().getACallToThisFunction() = result and
      not result.getLocation().getFile().toString().matches("%/boost/asio/%") and
      result.fromSource()
    }
+
+    /**
+     * DEPRECATED: Use `getAConstructorCall` instead.
+     */
+    deprecated ConstructorCall getAContructorCall() { result = this.getAConstructorCall() }
  }

  /**
@@ -368,7 +376,7 @@ module BoostorgAsio {
     */
    default predicate isSink(DataFlow::Node sink) {
      exists(ConstructorCall cc, SslContextClass c, Expr e | e = sink.asExpr() |
-        c.getAContructorCall() = cc and
+        c.getAConstructorCall() = cc and
        cc.getArgument(0) = e
      )
    }
@@ -468,7 +476,7 @@ module BoostorgAsio {
    predicate isSource(DataFlow::Node source) {
      exists(SslContextClass c, ConstructorCall cc |
        cc = source.asExpr() and
-        c.getAContructorCall() = cc
+        c.getAConstructorCall() = cc
      )
    }

--- a/cpp/ql/lib/semmle/code/cpp/stmts/Stmt.qll
+++ b/cpp/ql/lib/semmle/code/cpp/stmts/Stmt.qll
@@ -2355,6 +2355,20 @@ class VlaDeclStmt extends Stmt, @stmt_vla_decl {
    )
  }

+  /**
+   * Gets the number of VLA dimension statements in this VLA declaration
+   * statement and transitively of the VLA declaration used to define its
+   * base type. if any.
+   */
+  int getTransitiveNumberOfVlaDimensionStmts() {
+    not exists(this.getParentVlaDecl()) and
+    result = this.getNumberOfVlaDimensionStmts()
+    or
+    result =
+      this.getNumberOfVlaDimensionStmts() +
+        this.getParentVlaDecl().getTransitiveNumberOfVlaDimensionStmts()
+  }
+
  /**
   * Gets the `i`th VLA dimension statement in this VLA
   * declaration statement.
@@ -2367,6 +2381,19 @@ class VlaDeclStmt extends Stmt, @stmt_vla_decl {
    )
  }

+  /**
+   * Gets the `i`th VLA dimension statement in this VLA declaration
+   * statement or transitively of the VLA declaration used to define
+   * its base type.
+   */
+  VlaDimensionStmt getTransitiveVlaDimensionStmt(int i) {
+    i < this.getNumberOfVlaDimensionStmts() and
+    result = this.getVlaDimensionStmt(i)
+    or
+    result =
+      this.getParentVlaDecl().getTransitiveVlaDimensionStmt(i - this.getNumberOfVlaDimensionStmts())
+  }
+
  /**
   * Gets the type that this VLA declaration statement relates to,
   * if any.
@@ -2378,4 +2405,31 @@ class VlaDeclStmt extends Stmt, @stmt_vla_decl {
   * if any.
   */
  Variable getVariable() { variable_vla(unresolveElement(result), underlyingElement(this)) }
+
+  /**
+   * Get the VLA declaration used to define the base type of
+   * this VLA declaration, if any.
+   */
+  VlaDeclStmt getParentVlaDecl() {
+    exists(Variable v, Type baseType |
+      v = this.getVariable() and
+      baseType = this.getBaseType(v.getType(), this.getNumberOfVlaDimensionStmts())
+    |
+      result.getType() = baseType
+    )
+    or
+    exists(Type t, Type baseType |
+      t = this.getType().(TypedefType).getBaseType() and
+      baseType = this.getBaseType(t, this.getNumberOfVlaDimensionStmts())
+    |
+      result.getType() = baseType
+    )
+  }
+
+  private Type getBaseType(Type type, int n) {
+    n = 0 and
+    result = type
+    or
+    result = this.getBaseType(type.(DerivedType).getBaseType(), n - 1)
+  }
 }
--- a/Constants/MagicConstants.qll
+++ b/Constants/MagicConstants.qll
@@ -164,12 +164,17 @@ predicate valueOccurrenceCount(string value, int n) {
  n > 20
 }

-predicate occurenceCount(Literal lit, string value, int n) {
+predicate occurrenceCount(Literal lit, string value, int n) {
  valueOccurrenceCount(value, n) and
  value = lit.getValue() and
  nonTrivialValue(_, lit)
 }

+/**
+ * DEPRECATED: Use `occurrenceCount` instead.
+ */
+deprecated predicate occurenceCount = occurrenceCount/3;
+
 /*
 * Literals repeated frequently
 */
@@ -178,7 +183,7 @@ predicate check(Literal lit, string value, int n, File f) {
  // Check that the literal is nontrivial
  not trivial(lit) and
  // Check that it is repeated a number of times
-  occurenceCount(lit, value, n) and
+  occurrenceCount(lit, value, n) and
  n > 20 and
  f = lit.getFile() and
  // Exclude generated files
--- a/Year/LeapYear.qll
+++ b/Year/LeapYear.qll
@@ -128,11 +128,18 @@ abstract class LeapYearFieldAccess extends YearFieldAccess {
  /**
   * Holds if the top-level binary operation includes an addition or subtraction operator with an operand specified by `valueToCheck`.
   */
-  predicate additionalAdditionOrSubstractionCheckForLeapYear(int valueToCheck) {
+  predicate additionalAdditionOrSubtractionCheckForLeapYear(int valueToCheck) {
    additionalLogicalCheck(this, "+", valueToCheck) or
    additionalLogicalCheck(this, "-", valueToCheck)
  }

+  /**
+   * DEPRECATED: Use `additionalAdditionOrSubtractionCheckForLeapYear` instead.
+   */
+  deprecated predicate additionalAdditionOrSubstractionCheckForLeapYear(int valueToCheck) {
+    this.additionalAdditionOrSubtractionCheckForLeapYear(valueToCheck)
+  }
+
  /**
   * Holds if this object is used on a modulus 4 operation, which would likely indicate the start of a leap year check.
   */
@@ -180,13 +187,13 @@ class StructTmLeapYearFieldAccess extends LeapYearFieldAccess {
    this.additionalModulusCheckForLeapYear(100) and
    // tm_year represents years since 1900
    (
-      this.additionalAdditionOrSubstractionCheckForLeapYear(1900)
+      this.additionalAdditionOrSubtractionCheckForLeapYear(1900)
      or
      // some systems may use 2000 for 2-digit year conversions
-      this.additionalAdditionOrSubstractionCheckForLeapYear(2000)
+      this.additionalAdditionOrSubtractionCheckForLeapYear(2000)
      or
      // converting from/to Unix epoch
-      this.additionalAdditionOrSubstractionCheckForLeapYear(1970)
+      this.additionalAdditionOrSubtractionCheckForLeapYear(1970)
    )
  }
 }
--- a/Bugs/Protocols/TlsSettingsMisconfiguration.ql
+++ b/Bugs/Protocols/TlsSettingsMisconfiguration.ql
@@ -14,7 +14,7 @@ import cpp
 import semmle.code.cpp.security.boostorg.asio.protocols

 predicate isSourceImpl(DataFlow::Node source, ConstructorCall cc) {
-  exists(BoostorgAsio::SslContextClass c | c.getAContructorCall() = cc and cc = source.asExpr())
+  exists(BoostorgAsio::SslContextClass c | c.getAConstructorCall() = cc and cc = source.asExpr())
 }

 predicate isSinkImpl(DataFlow::Node sink, FunctionCall fcSetOptions) {
--- a/cpp/ql/src/Metrics/Internal/CallableExtents.ql
+++ b/cpp/ql/src/Metrics/Internal/CallableExtents.ql
@@ -20,12 +20,14 @@ class RangeFunction extends Function {
   * For more information, see
   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
   */
-  predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
-    super.getLocation().hasLocationInfo(path, sl, sc, _, _) and
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.getLocation().hasLocationInfo(filepath, startline, startcolumn, _, _) and
    (
-      this.getBlock().getLocation().hasLocationInfo(path, _, _, el, ec)
+      this.getBlock().getLocation().hasLocationInfo(filepath, _, _, endline, endcolumn)
      or
-      not exists(this.getBlock()) and el = sl + 1 and ec = 1
+      not exists(this.getBlock()) and endline = startline + 1 and endcolumn = 1
    )
  }
 }
--- a/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
@@ -25,10 +25,10 @@ import semmle.code.cpp.controlflow.IRGuards as IRGuards
 predicate outOfBoundsExpr(Expr expr, string kind) {
  if convertedExprMightOverflowPositively(expr)
  then kind = "overflow"
-  else
-    if convertedExprMightOverflowNegatively(expr)
-    then kind = "overflow negatively"
-    else none()
+  else (
+    convertedExprMightOverflowNegatively(expr) and
+    kind = "overflow negatively"
+  )
 }

 predicate isSource(FS::FlowSource source, string sourceType) { sourceType = source.getSourceType() }
--- a/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.ql
+++ b/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.ql
@@ -55,30 +55,9 @@ predicate resultIsChecked(SslGetPeerCertificateCall getCertCall, ControlFlowNode
 predicate certIsZero(
  SslGetPeerCertificateCall getCertCall, ControlFlowNode node1, ControlFlowNode node2
 ) {
-  exists(Expr cert | cert = globalValueNumber(getCertCall).getAnExpr() |
-    exists(GuardCondition guard, Expr zero |
-      zero.getValue().toInt() = 0 and
-      node1 = guard and
-      (
-        // if (cert == zero) {
-        guard.comparesEq(cert, zero, 0, true, true) and
-        node2 = guard.getATrueSuccessor()
-        or
-        // if (cert != zero) { }
-        guard.comparesEq(cert, zero, 0, false, true) and
-        node2 = guard.getAFalseSuccessor()
-      )
-    )
-    or
-    (
-      // if (cert) { }
-      node1 = cert
-      or
-      // if (!cert) {
-      node1.(NotExpr).getAChild() = cert
-    ) and
-    node2 = node1.getASuccessor() and
-    not cert.(GuardCondition).controls(node2, true) // cert may be false
+  exists(Expr cert |
+    cert = globalValueNumber(getCertCall).getAnExpr() and
+    node1.(GuardCondition).ensuresEqEdge(cert, 0, _, node2.getBasicBlock(), true)
  )
 }

--- a/cpp/ql/src/Security/CWE/CWE-457/UninitializedVariables.qll
+++ b/cpp/ql/src/Security/CWE/CWE-457/UninitializedVariables.qll
@@ -31,27 +31,28 @@ private predicate hasConditionalInitialization(
 class ConditionallyInitializedVariable extends LocalVariable {
  ConditionalInitializationCall call;
  ConditionalInitializationFunction f;
-  VariableAccess initAccess;
  Evidence e;

  ConditionallyInitializedVariable() {
    // Find a call that conditionally initializes this variable
-    hasConditionalInitialization(f, call, this, initAccess, e) and
-    // Ignore cases where the variable is assigned prior to the call
-    not reaches(this.getAnAssignedValue(), initAccess) and
-    // Ignore cases where the variable is assigned field-wise prior to the call.
-    not exists(FieldAccess fa |
-      exists(Assignment a |
-        fa = getAFieldAccess(this) and
-        a.getLValue() = fa
+    exists(VariableAccess initAccess |
+      hasConditionalInitialization(f, call, this, initAccess, e) and
+      // Ignore cases where the variable is assigned prior to the call
+      not reaches(this.getAnAssignedValue(), initAccess) and
+      // Ignore cases where the variable is assigned field-wise prior to the call.
+      not exists(FieldAccess fa |
+        exists(Assignment a |
+          fa = getAFieldAccess(this) and
+          a.getLValue() = fa
+        )
+      |
+        reaches(fa, initAccess)
+      ) and
+      // Ignore cases where the variable is assigned by a prior call to an initialization function
+      not exists(Call c |
+        this.getAnAccess() = getAnInitializedArgument(c).(AddressOfExpr).getOperand() and
+        reaches(c, initAccess)
      )
-    |
-      reaches(fa, initAccess)
-    ) and
-    // Ignore cases where the variable is assigned by a prior call to an initialization function
-    not exists(Call c |
-      this.getAnAccess() = getAnInitializedArgument(c).(AddressOfExpr).getOperand() and
-      reaches(c, initAccess)
    ) and
    /*
     * Static local variables with constant initializers do not have the initializer expr as part of
--- a/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
+++ b/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
@@ -41,7 +41,7 @@ predicate deleteMayThrow(DeleteOrDeleteArrayExpr deleteExpr) {
 }

 /**
- * Holds if the function may throw an exception when called. That is, if the body of the function looks
+ * Holds if the function `f` may throw an exception when called. That is, if the body of the function looks
 * like it might throw an exception, and the function does not have a `noexcept` or `throw()` specifier.
 */
 predicate functionMayThrow(Function f) {
--- a/cpp/ql/src/change-notes/2025-09-03-rename-api.md
+++ b/cpp/ql/src/change-notes/2025-09-03-rename-api.md
@@ -0,0 +1,5 @@
+---
+category: fix
+---
+* The predicate `occurenceCount` in the file module `MagicConstants` has been deprecated. Use `occurrenceCount` instead.
+* The predicate `additionalAdditionOrSubstractionCheckForLeapYear` in the file module `LeapYear` has been deprecated. Use `additionalAdditionOrSubtractionCheckForLeapYear` instead.
--- a/cpp/ql/src/definitions.ql
+++ b/cpp/ql/src/definitions.ql
@@ -13,6 +13,6 @@ where
  def = definitionOf(e, kind) and
  // We need to exclude definitions for elements inside template instantiations,
  // as these often lead to multiple links to definitions from the same source location.
-  // LGTM does not support this behaviour.
+  // LGTM does not support this behavior.
  not e.isFromTemplateInstantiation(_)
 select e, def, kind
--- a/Bugs/RedundantNullCheckParam.ql
+++ b/Bugs/RedundantNullCheckParam.ql
@@ -47,7 +47,7 @@ where
  // for a function parameter
  unchecked.getTarget() = param and
  // this function parameter is not overwritten
-  count(param.getAnAssignment()) = 0 and
+  not exists(param.getAnAssignment()) and
  check.getTarget() = param and
  // which is once checked
  candidateResultChecked(check, eqop) and
--- a/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
@@ -19,16 +19,17 @@ import cpp
 * Errors when using a variable declaration inside a loop.
 */
 class DangerousWhileLoop extends WhileStmt {
-  Expr exp;
  Declaration dl;

  DangerousWhileLoop() {
    this = dl.getParentScope().(BlockStmt).getParent*() and
-    exp = this.getCondition().getAChild*() and
-    not exp instanceof PointerFieldAccess and
-    not exp instanceof ValueFieldAccess and
-    exp.(VariableAccess).getTarget().getName() = dl.getName() and
-    not exp.getParent*() instanceof FunctionCall
+    exists(Expr exp |
+      exp = this.getCondition().getAChild*() and
+      not exp instanceof PointerFieldAccess and
+      not exp instanceof ValueFieldAccess and
+      exp.(VariableAccess).getTarget().getName() = dl.getName() and
+      not exp.getParent*() instanceof FunctionCall
+    )
  }

  Declaration getDeclaration() { result = dl }
--- a/cpp/ql/src/experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql
@@ -46,7 +46,7 @@ predicate exprMayBeString(Expr exp) {
  )
 }

-/** Holds if expression is constant or operator call `sizeof`. */
+/** Holds if expression `exp` is constant or operator call `sizeof`. */
 predicate argConstOrSizeof(Expr exp) {
  exp.getValue().toInt() > 1 or
  exp.(SizeofTypeOperator).getTypeOperand().getSize() > 1
--- a/cpp/ql/src/experimental/Security/CWE/CWE-243/IncorrectChangingWorkingDirectory.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-243/IncorrectChangingWorkingDirectory.ql
@@ -15,7 +15,7 @@
 import cpp
 import semmle.code.cpp.commons.Exclusions

-/** Holds if a `fc` function call is available before or after a `chdir` function call. */
+/** Holds if a `fcp` function call is available before or after a `chdir` function call. */
 predicate inExistsChdir(FunctionCall fcp) {
  exists(FunctionCall fctmp |
    (
@@ -29,7 +29,7 @@ predicate inExistsChdir(FunctionCall fcp) {
  )
 }

-/** Holds if a `fc` function call is available before or after a function call containing a `chdir` call. */
+/** Holds if a `fcp` function call is available before or after a function call containing a `chdir` call. */
 predicate outExistsChdir(FunctionCall fcp) {
  exists(FunctionCall fctmp |
    exists(FunctionCall fctmp2 |
--- a/cpp/ql/src/experimental/Security/CWE/CWE-416/UseAfterExpiredLifetime.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-416/UseAfterExpiredLifetime.ql
@@ -266,7 +266,7 @@ class LifetimePointerType extends LifetimeIndirectionType {
 class FullExpr extends Expr {
  FullExpr() {
    // A full-expression is not a subexpression
-    not exists(Expr p | this.getParent() = p)
+    not this.getParent() instanceof Expr
    or
    // A sub-expression that is an unevaluated operand
    this.isUnevaluated()
--- a/cpp/ql/src/external/DefectFilter.qll
+++ b/cpp/ql/src/external/DefectFilter.qll
@@ -5,8 +5,8 @@ import cpp
 /**
 * Holds if `id` in the opaque identifier of a result reported by query `queryPath`,
 * such that `message` is the associated message and the location of the result spans
- * column `startcolumn` of line `startline` to column `endcolumn` of line `endline`
- * in file `filepath`.
+ * column `startcol` of line `startline` to column `endcol` of line `endline`
+ * in file `file`.
 *
 * For more information, see [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
 */
--- a/cpp/ql/src/external/MetricFilter.qll
+++ b/cpp/ql/src/external/MetricFilter.qll
@@ -5,8 +5,8 @@ import cpp
 /**
 * Holds if `id` in the opaque identifier of a result reported by query `queryPath`,
 * such that `value` is the reported metric value and the location of the result spans
- * column `startcolumn` of line `startline` to column `endcolumn` of line `endline`
- * in file `filepath`.
+ * column `startcol` of line `startline` to column `endcol` of line `endline`
+ * in file `file`.
 *
 * For more information, see [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
 */
--- a/cpp/ql/src/jsf/4.10
+++ b/cpp/ql/src/jsf/4.10
@@ -28,7 +28,7 @@ where
  exists(FunctionCall c, int i, Function f |
    c.getArgument(i) = e and
    c.getTarget() = f and
-    exists(Parameter p | f.getParameter(i) = p) and // varargs
+    exists(f.getParameter(i)) and // varargs
    baseElement(e.getType(), cl) and // only interested in arrays with classes
    not compatible(f.getParameter(i).getUnspecifiedType(), e.getUnspecifiedType())
  )
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.4.7
+version: 1.4.8-dev
 groups:
  - cpp
  - queries
--- a/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
+++ b/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
@@ -24581,6 +24581,516 @@ ir.cpp:
 # 2776|                 Value = [CStyleCast] 42
 # 2776|                 ValueCategory = prvalue
 # 2777|     getStmt(2): [ReturnStmt] return ...
+# 2779| [TopLevelFunction] void vla_sizeof_test(int, size_t, char)
+# 2779|   <params>: 
+# 2779|     getParameter(0): [Parameter] len1
+# 2779|         Type = [IntType] int
+# 2779|     getParameter(1): [Parameter] len2
+# 2779|         Type = [CTypedefType,Size_t] size_t
+# 2779|     getParameter(2): [Parameter] len3
+# 2779|         Type = [PlainCharType] char
+# 2779|   getEntryPoint(): [BlockStmt] { ... }
+# 2780|     getStmt(0): [DeclStmt] declaration
+# 2780|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of tmp1
+# 2780|           Type = [ArrayType] char[]
+# 2780|     getStmt(1): [VlaDimensionStmt] VLA dimension size
+# 2780|       getDimensionExpr(): [VariableAccess] len1
+# 2780|           Type = [IntType] int
+# 2780|           ValueCategory = prvalue(load)
+# 2780|     getStmt(2): [VlaDeclStmt] VLA declaration
+# 2781|     getStmt(3): [DeclStmt] declaration
+# 2781|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of x
+# 2781|           Type = [CTypedefType,Size_t] size_t
+# 2781|         getVariable().getInitializer(): [Initializer] initializer for x
+# 2781|           getExpr(): [SizeofExprOperator] sizeof(<expr>)
+# 2781|               Type = [LongType] unsigned long
+# 2781|               ValueCategory = prvalue
+# 2781|             getExprOperand(): [VariableAccess] tmp1
+# 2781|                 Type = [ArrayType] char[]
+# 2781|                 ValueCategory = lvalue
+# 2781|             getExprOperand().getFullyConverted(): [ParenthesisExpr] (...)
+# 2781|                 Type = [ArrayType] char[]
+# 2781|                 ValueCategory = lvalue
+# 2782|     getStmt(4): [DeclStmt] declaration
+# 2782|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of tmp2
+# 2782|           Type = [ArrayType] int[][]
+# 2782|     getStmt(5): [VlaDimensionStmt] VLA dimension size
+# 2782|       getDimensionExpr(): [VariableAccess] len1
+# 2782|           Type = [IntType] int
+# 2782|           ValueCategory = prvalue(load)
+# 2782|     getStmt(6): [VlaDimensionStmt] VLA dimension size
+# 2782|       getDimensionExpr(): [VariableAccess] len2
+# 2782|           Type = [CTypedefType,Size_t] size_t
+# 2782|           ValueCategory = prvalue(load)
+# 2782|     getStmt(7): [VlaDeclStmt] VLA declaration
+# 2783|     getStmt(8): [DeclStmt] declaration
+# 2783|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of y
+# 2783|           Type = [CTypedefType,Size_t] size_t
+# 2783|         getVariable().getInitializer(): [Initializer] initializer for y
+# 2783|           getExpr(): [SizeofExprOperator] sizeof(<expr>)
+# 2783|               Type = [LongType] unsigned long
+# 2783|               ValueCategory = prvalue
+# 2783|             getExprOperand(): [VariableAccess] tmp2
+# 2783|                 Type = [ArrayType] int[][]
+# 2783|                 ValueCategory = lvalue
+# 2783|             getExprOperand().getFullyConverted(): [ParenthesisExpr] (...)
+# 2783|                 Type = [ArrayType] int[][]
+# 2783|                 ValueCategory = lvalue
+# 2784|     getStmt(9): [DeclStmt] declaration
+# 2784|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of z
+# 2784|           Type = [CTypedefType,Size_t] size_t
+# 2784|         getVariable().getInitializer(): [Initializer] initializer for z
+# 2784|           getExpr(): [SizeofExprOperator] sizeof(<expr>)
+# 2784|               Type = [LongType] unsigned long
+# 2784|               ValueCategory = prvalue
+# 2784|             getExprOperand(): [PointerDereferenceExpr] * ...
+# 2784|                 Type = [ArrayType] int[]
+# 2784|                 ValueCategory = lvalue
+# 2784|               getOperand(): [VariableAccess] tmp2
+# 2784|                   Type = [ArrayType] int[][]
+# 2784|                   ValueCategory = lvalue
+# 2784|               getOperand().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 2784|                   Type = [PointerType] int(*)[]
+# 2784|                   ValueCategory = prvalue
+# 2784|             getExprOperand().getFullyConverted(): [ParenthesisExpr] (...)
+# 2784|                 Type = [ArrayType] int[]
+# 2784|                 ValueCategory = lvalue
+# 2785|     getStmt(10): [DeclStmt] declaration
+# 2785|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of tmp3
+# 2785|           Type = [ArrayType] int[][][]
+# 2785|     getStmt(11): [VlaDimensionStmt] VLA dimension size
+# 2785|       getDimensionExpr(): [VariableAccess] len1
+# 2785|           Type = [IntType] int
+# 2785|           ValueCategory = prvalue(load)
+# 2785|     getStmt(12): [VlaDimensionStmt] VLA dimension size
+# 2785|       getDimensionExpr(): [VariableAccess] len2
+# 2785|           Type = [CTypedefType,Size_t] size_t
+# 2785|           ValueCategory = prvalue(load)
+# 2785|     getStmt(13): [VlaDimensionStmt] VLA dimension size
+# 2785|       getDimensionExpr(): [VariableAccess] len3
+# 2785|           Type = [PlainCharType] char
+# 2785|           ValueCategory = prvalue(load)
+# 2785|     getStmt(14): [VlaDeclStmt] VLA declaration
+# 2786|     getStmt(15): [DeclStmt] declaration
+# 2786|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of w
+# 2786|           Type = [CTypedefType,Size_t] size_t
+# 2786|         getVariable().getInitializer(): [Initializer] initializer for w
+# 2786|           getExpr(): [SizeofExprOperator] sizeof(<expr>)
+# 2786|               Type = [LongType] unsigned long
+# 2786|               ValueCategory = prvalue
+# 2786|             getExprOperand(): [VariableAccess] tmp3
+# 2786|                 Type = [ArrayType] int[][][]
+# 2786|                 ValueCategory = lvalue
+# 2786|             getExprOperand().getFullyConverted(): [ParenthesisExpr] (...)
+# 2786|                 Type = [ArrayType] int[][][]
+# 2786|                 ValueCategory = lvalue
+# 2787|     getStmt(16): [DeclStmt] declaration
+# 2787|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of v
+# 2787|           Type = [CTypedefType,Size_t] size_t
+# 2787|         getVariable().getInitializer(): [Initializer] initializer for v
+# 2787|           getExpr(): [SizeofExprOperator] sizeof(<expr>)
+# 2787|               Type = [LongType] unsigned long
+# 2787|               ValueCategory = prvalue
+# 2787|             getExprOperand(): [PointerDereferenceExpr] * ...
+# 2787|                 Type = [ArrayType] int[][]
+# 2787|                 ValueCategory = lvalue
+# 2787|               getOperand(): [VariableAccess] tmp3
+# 2787|                   Type = [ArrayType] int[][][]
+# 2787|                   ValueCategory = lvalue
+# 2787|               getOperand().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 2787|                   Type = [PointerType] int(*)[][]
+# 2787|                   ValueCategory = prvalue
+# 2787|             getExprOperand().getFullyConverted(): [ParenthesisExpr] (...)
+# 2787|                 Type = [ArrayType] int[][]
+# 2787|                 ValueCategory = lvalue
+# 2788|     getStmt(17): [DeclStmt] declaration
+# 2788|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of u
+# 2788|           Type = [CTypedefType,Size_t] size_t
+# 2788|         getVariable().getInitializer(): [Initializer] initializer for u
+# 2788|           getExpr(): [SizeofExprOperator] sizeof(<expr>)
+# 2788|               Type = [LongType] unsigned long
+# 2788|               ValueCategory = prvalue
+# 2788|             getExprOperand(): [PointerDereferenceExpr] * ...
+# 2788|                 Type = [ArrayType] int[]
+# 2788|                 ValueCategory = lvalue
+# 2788|               getOperand(): [PointerDereferenceExpr] * ...
+# 2788|                   Type = [ArrayType] int[][]
+# 2788|                   ValueCategory = lvalue
+# 2788|                 getOperand(): [VariableAccess] tmp3
+# 2788|                     Type = [ArrayType] int[][][]
+# 2788|                     ValueCategory = lvalue
+# 2788|                 getOperand().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 2788|                     Type = [PointerType] int(*)[][]
+# 2788|                     ValueCategory = prvalue
+# 2788|               getOperand().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 2788|                   Type = [PointerType] int(*)[]
+# 2788|                   ValueCategory = prvalue
+# 2788|             getExprOperand().getFullyConverted(): [ParenthesisExpr] (...)
+# 2788|                 Type = [ArrayType] int[]
+# 2788|                 ValueCategory = lvalue
+# 2789|     getStmt(18): [DeclStmt] declaration
+# 2789|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of t
+# 2789|           Type = [CTypedefType,Size_t] size_t
+# 2789|         getVariable().getInitializer(): [Initializer] initializer for t
+# 2789|           getExpr(): [SizeofExprOperator] sizeof(<expr>)
+# 2789|               Type = [LongType] unsigned long
+# 2789|               Value = [SizeofExprOperator] 4
+# 2789|               ValueCategory = prvalue
+# 2789|             getExprOperand(): [PointerDereferenceExpr] * ...
+# 2789|                 Type = [IntType] int
+# 2789|                 ValueCategory = lvalue
+# 2789|               getOperand(): [PointerDereferenceExpr] * ...
+# 2789|                   Type = [ArrayType] int[]
+# 2789|                   ValueCategory = lvalue
+# 2789|                 getOperand(): [PointerDereferenceExpr] * ...
+# 2789|                     Type = [ArrayType] int[][]
+# 2789|                     ValueCategory = lvalue
+# 2789|                   getOperand(): [VariableAccess] tmp3
+# 2789|                       Type = [ArrayType] int[][][]
+# 2789|                       ValueCategory = lvalue
+# 2789|                   getOperand().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 2789|                       Type = [PointerType] int(*)[][]
+# 2789|                       ValueCategory = prvalue
+# 2789|                 getOperand().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 2789|                     Type = [PointerType] int(*)[]
+# 2789|                     ValueCategory = prvalue
+# 2789|               getOperand().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 2789|                   Type = [IntPointerType] int *
+# 2789|                   ValueCategory = prvalue
+# 2789|             getExprOperand().getFullyConverted(): [ParenthesisExpr] (...)
+# 2789|                 Type = [IntType] int
+# 2789|                 ValueCategory = lvalue
+# 2790|     getStmt(19): [ReturnStmt] return ...
+# 2792| [TopLevelFunction] void vla_sizeof_test2(int, size_t, char)
+# 2792|   <params>: 
+# 2792|     getParameter(0): [Parameter] len1
+# 2792|         Type = [IntType] int
+# 2792|     getParameter(1): [Parameter] len2
+# 2792|         Type = [CTypedefType,Size_t] size_t
+# 2792|     getParameter(2): [Parameter] len3
+# 2792|         Type = [PlainCharType] char
+# 2792|   getEntryPoint(): [BlockStmt] { ... }
+# 2793|     getStmt(0): [DeclStmt] declaration
+# 2793|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of tmp1
+# 2793|           Type = [ArrayType] int[][]
+# 2793|     getStmt(1): [VlaDimensionStmt] VLA dimension size
+# 2793|       getDimensionExpr(): [VariableAccess] len1
+# 2793|           Type = [IntType] int
+# 2793|           ValueCategory = prvalue(load)
+# 2793|     getStmt(2): [VlaDimensionStmt] VLA dimension size
+# 2793|       getDimensionExpr(): [VariableAccess] len2
+# 2793|           Type = [CTypedefType,Size_t] size_t
+# 2793|           ValueCategory = prvalue(load)
+# 2793|     getStmt(3): [VlaDeclStmt] VLA declaration
+# 2794|     getStmt(4): [DeclStmt] declaration
+# 2794|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of z
+# 2794|           Type = [CTypedefType,Size_t] size_t
+# 2794|         getVariable().getInitializer(): [Initializer] initializer for z
+# 2794|           getExpr(): [SizeofExprOperator] sizeof(<expr>)
+# 2794|               Type = [LongType] unsigned long
+# 2794|               ValueCategory = prvalue
+# 2794|             getExprOperand(): [ArrayExpr] access to array
+# 2794|                 Type = [ArrayType] int[]
+# 2794|                 ValueCategory = lvalue
+# 2794|               getArrayBase(): [VariableAccess] tmp1
+# 2794|                   Type = [ArrayType] int[][]
+# 2794|                   ValueCategory = lvalue
+# 2794|               getArrayOffset(): [Literal] 1
+# 2794|                   Type = [IntType] int
+# 2794|                   Value = [Literal] 1
+# 2794|                   ValueCategory = prvalue
+# 2794|               getArrayBase().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 2794|                   Type = [PointerType] int(*)[]
+# 2794|                   ValueCategory = prvalue
+# 2794|             getExprOperand().getFullyConverted(): [ParenthesisExpr] (...)
+# 2794|                 Type = [ArrayType] int[]
+# 2794|                 ValueCategory = lvalue
+# 2795|     getStmt(5): [DeclStmt] declaration
+# 2795|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of tmp2
+# 2795|           Type = [ArrayType] int[][][]
+# 2795|     getStmt(6): [VlaDimensionStmt] VLA dimension size
+# 2795|       getDimensionExpr(): [VariableAccess] len1
+# 2795|           Type = [IntType] int
+# 2795|           ValueCategory = prvalue(load)
+# 2795|     getStmt(7): [VlaDimensionStmt] VLA dimension size
+# 2795|       getDimensionExpr(): [VariableAccess] len2
+# 2795|           Type = [CTypedefType,Size_t] size_t
+# 2795|           ValueCategory = prvalue(load)
+# 2795|     getStmt(8): [VlaDimensionStmt] VLA dimension size
+# 2795|       getDimensionExpr(): [VariableAccess] len3
+# 2795|           Type = [PlainCharType] char
+# 2795|           ValueCategory = prvalue(load)
+# 2795|     getStmt(9): [VlaDeclStmt] VLA declaration
+# 2796|     getStmt(10): [DeclStmt] declaration
+# 2796|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of v
+# 2796|           Type = [CTypedefType,Size_t] size_t
+# 2796|         getVariable().getInitializer(): [Initializer] initializer for v
+# 2796|           getExpr(): [SizeofExprOperator] sizeof(<expr>)
+# 2796|               Type = [LongType] unsigned long
+# 2796|               ValueCategory = prvalue
+# 2796|             getExprOperand(): [ArrayExpr] access to array
+# 2796|                 Type = [ArrayType] int[][]
+# 2796|                 ValueCategory = lvalue
+# 2796|               getArrayBase(): [VariableAccess] tmp2
+# 2796|                   Type = [ArrayType] int[][][]
+# 2796|                   ValueCategory = lvalue
+# 2796|               getArrayOffset(): [Literal] 1
+# 2796|                   Type = [IntType] int
+# 2796|                   Value = [Literal] 1
+# 2796|                   ValueCategory = prvalue
+# 2796|               getArrayBase().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 2796|                   Type = [PointerType] int(*)[][]
+# 2796|                   ValueCategory = prvalue
+# 2796|             getExprOperand().getFullyConverted(): [ParenthesisExpr] (...)
+# 2796|                 Type = [ArrayType] int[][]
+# 2796|                 ValueCategory = lvalue
+# 2797|     getStmt(11): [DeclStmt] declaration
+# 2797|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of u
+# 2797|           Type = [CTypedefType,Size_t] size_t
+# 2797|         getVariable().getInitializer(): [Initializer] initializer for u
+# 2797|           getExpr(): [SizeofExprOperator] sizeof(<expr>)
+# 2797|               Type = [LongType] unsigned long
+# 2797|               ValueCategory = prvalue
+# 2797|             getExprOperand(): [ArrayExpr] access to array
+# 2797|                 Type = [ArrayType] int[]
+# 2797|                 ValueCategory = lvalue
+# 2797|               getArrayBase(): [ArrayExpr] access to array
+# 2797|                   Type = [ArrayType] int[][]
+# 2797|                   ValueCategory = lvalue
+# 2797|                 getArrayBase(): [VariableAccess] tmp2
+# 2797|                     Type = [ArrayType] int[][][]
+# 2797|                     ValueCategory = lvalue
+# 2797|                 getArrayOffset(): [Literal] 1
+# 2797|                     Type = [IntType] int
+# 2797|                     Value = [Literal] 1
+# 2797|                     ValueCategory = prvalue
+# 2797|                 getArrayBase().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 2797|                     Type = [PointerType] int(*)[][]
+# 2797|                     ValueCategory = prvalue
+# 2797|               getArrayOffset(): [Literal] 2
+# 2797|                   Type = [IntType] int
+# 2797|                   Value = [Literal] 2
+# 2797|                   ValueCategory = prvalue
+# 2797|               getArrayBase().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 2797|                   Type = [PointerType] int(*)[]
+# 2797|                   ValueCategory = prvalue
+# 2797|             getExprOperand().getFullyConverted(): [ParenthesisExpr] (...)
+# 2797|                 Type = [ArrayType] int[]
+# 2797|                 ValueCategory = lvalue
+# 2798|     getStmt(12): [DeclStmt] declaration
+# 2798|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of t
+# 2798|           Type = [CTypedefType,Size_t] size_t
+# 2798|         getVariable().getInitializer(): [Initializer] initializer for t
+# 2798|           getExpr(): [SizeofExprOperator] sizeof(<expr>)
+# 2798|               Type = [LongType] unsigned long
+# 2798|               Value = [SizeofExprOperator] 4
+# 2798|               ValueCategory = prvalue
+# 2798|             getExprOperand(): [ArrayExpr] access to array
+# 2798|                 Type = [IntType] int
+# 2798|                 ValueCategory = lvalue
+# 2798|               getArrayBase(): [ArrayExpr] access to array
+# 2798|                   Type = [ArrayType] int[]
+# 2798|                   ValueCategory = lvalue
+# 2798|                 getArrayBase(): [ArrayExpr] access to array
+# 2798|                     Type = [ArrayType] int[][]
+# 2798|                     ValueCategory = lvalue
+# 2798|                   getArrayBase(): [VariableAccess] tmp2
+# 2798|                       Type = [ArrayType] int[][][]
+# 2798|                       ValueCategory = lvalue
+# 2798|                   getArrayOffset(): [Literal] 1
+# 2798|                       Type = [IntType] int
+# 2798|                       Value = [Literal] 1
+# 2798|                       ValueCategory = prvalue
+# 2798|                   getArrayBase().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 2798|                       Type = [PointerType] int(*)[][]
+# 2798|                       ValueCategory = prvalue
+# 2798|                 getArrayOffset(): [Literal] 2
+# 2798|                     Type = [IntType] int
+# 2798|                     Value = [Literal] 2
+# 2798|                     ValueCategory = prvalue
+# 2798|                 getArrayBase().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 2798|                     Type = [PointerType] int(*)[]
+# 2798|                     ValueCategory = prvalue
+# 2798|               getArrayOffset(): [Literal] 3
+# 2798|                   Type = [IntType] int
+# 2798|                   Value = [Literal] 3
+# 2798|                   ValueCategory = prvalue
+# 2798|               getArrayBase().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 2798|                   Type = [IntPointerType] int *
+# 2798|                   ValueCategory = prvalue
+# 2798|             getExprOperand().getFullyConverted(): [ParenthesisExpr] (...)
+# 2798|                 Type = [IntType] int
+# 2798|                 ValueCategory = lvalue
+# 2799|     getStmt(13): [ReturnStmt] return ...
+# 2801| [TopLevelFunction] size_t vla_sizeof_test3(int, size_t, char, bool)
+# 2801|   <params>: 
+# 2801|     getParameter(0): [Parameter] len1
+# 2801|         Type = [IntType] int
+# 2801|     getParameter(1): [Parameter] len2
+# 2801|         Type = [CTypedefType,Size_t] size_t
+# 2801|     getParameter(2): [Parameter] len3
+# 2801|         Type = [PlainCharType] char
+# 2801|     getParameter(3): [Parameter] b
+# 2801|         Type = [BoolType] bool
+# 2801|   getEntryPoint(): [BlockStmt] { ... }
+# 2802|     getStmt(0): [DeclStmt] declaration
+# 2802|       getDeclarationEntry(0): [TypeDeclarationEntry] declaration of arr
+# 2802|           Type = [CTypedefType,LocalTypedefType] arr
+# 2802|     getStmt(1): [VlaDimensionStmt] VLA dimension size
+# 2802|       getDimensionExpr(): [VariableAccess] len1
+# 2802|           Type = [IntType] int
+# 2802|           ValueCategory = prvalue(load)
+# 2802|     getStmt(2): [VlaDimensionStmt] VLA dimension size
+# 2802|       getDimensionExpr(): [VariableAccess] len2
+# 2802|           Type = [CTypedefType,Size_t] size_t
+# 2802|           ValueCategory = prvalue(load)
+# 2802|     getStmt(3): [VlaDeclStmt] VLA declaration
+# 2803|     getStmt(4): [DeclStmt] declaration
+# 2803|       getDeclarationEntry(0): [TypeDeclarationEntry] declaration of arr2
+# 2803|           Type = [CTypedefType,LocalTypedefType] arr2
+# 2803|     getStmt(5): [VlaDeclStmt] VLA declaration
+# 2804|     getStmt(6): [DeclStmt] declaration
+# 2804|       getDeclarationEntry(0): [TypeDeclarationEntry] declaration of arr3
+# 2804|           Type = [CTypedefType,LocalTypedefType] arr3
+# 2804|     getStmt(7): [VlaDimensionStmt] VLA dimension size
+# 2804|       getDimensionExpr(): [VariableAccess] len3
+# 2804|           Type = [PlainCharType] char
+# 2804|           ValueCategory = prvalue(load)
+# 2804|     getStmt(8): [VlaDeclStmt] VLA declaration
+# 2806|     getStmt(9): [IfStmt] if (...) ... 
+# 2806|       getCondition(): [VariableAccess] b
+# 2806|           Type = [BoolType] bool
+# 2806|           ValueCategory = prvalue(load)
+# 2806|       getThen(): [BlockStmt] { ... }
+# 2807|         getStmt(0): [DeclStmt] declaration
+# 2807|           getDeclarationEntry(0): [VariableDeclarationEntry] definition of tmp
+# 2807|               Type = [CTypedefType,LocalTypedefType] arr3
+# 2807|         getStmt(1): [VlaDeclStmt] VLA declaration
+# 2808|         getStmt(2): [ReturnStmt] return ...
+# 2808|           getExpr(): [SizeofExprOperator] sizeof(<expr>)
+# 2808|               Type = [LongType] unsigned long
+# 2808|               ValueCategory = prvalue
+# 2808|             getExprOperand(): [ArrayExpr] access to array
+# 2808|                 Type = [CTypedefType,LocalTypedefType] arr2
+# 2808|                 ValueCategory = lvalue
+# 2808|               getArrayBase(): [VariableAccess] tmp
+# 2808|                   Type = [CTypedefType,LocalTypedefType] arr3
+# 2808|                   ValueCategory = lvalue
+# 2808|               getArrayOffset(): [Literal] 1
+# 2808|                   Type = [IntType] int
+# 2808|                   Value = [Literal] 1
+# 2808|                   ValueCategory = prvalue
+# 2808|               getArrayBase().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 2808|                   Type = [PointerType] arr2 *
+# 2808|                   ValueCategory = prvalue
+# 2808|             getExprOperand().getFullyConverted(): [ParenthesisExpr] (...)
+# 2808|                 Type = [CTypedefType,LocalTypedefType] arr2
+# 2808|                 ValueCategory = lvalue
+# 2811|     getStmt(10): [ReturnStmt] return ...
+# 2811|       getExpr(): [Literal] 0
+# 2811|           Type = [IntType] int
+# 2811|           Value = [Literal] 0
+# 2811|           ValueCategory = prvalue
+# 2811|       getExpr().getFullyConverted(): [CStyleCast] (size_t)...
+# 2811|           Conversion = [IntegralConversion] integral conversion
+# 2811|           Type = [CTypedefType,Size_t] size_t
+# 2811|           Value = [CStyleCast] 0
+# 2811|           ValueCategory = prvalue
+# 2814| [TopLevelFunction] void vla_sizeof_test4(int, size_t)
+# 2814|   <params>: 
+# 2814|     getParameter(0): [Parameter] len1
+# 2814|         Type = [IntType] int
+# 2814|     getParameter(1): [Parameter] len2
+# 2814|         Type = [CTypedefType,Size_t] size_t
+# 2814|   getEntryPoint(): [BlockStmt] { ... }
+# 2815|     getStmt(0): [DeclStmt] declaration
+# 2815|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of tmp1
+# 2815|           Type = [ArrayType] int[][]
+# 2815|     getStmt(1): [VlaDimensionStmt] VLA dimension size
+# 2815|       getDimensionExpr(): [VariableAccess] len1
+# 2815|           Type = [IntType] int
+# 2815|           ValueCategory = prvalue(load)
+# 2815|     getStmt(2): [VlaDimensionStmt] VLA dimension size
+# 2815|       getDimensionExpr(): [VariableAccess] len2
+# 2815|           Type = [CTypedefType,Size_t] size_t
+# 2815|           ValueCategory = prvalue(load)
+# 2815|     getStmt(3): [VlaDeclStmt] VLA declaration
+# 2816|     getStmt(4): [DeclStmt] declaration
+# 2816|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of z
+# 2816|           Type = [CTypedefType,Size_t] size_t
+# 2816|         getVariable().getInitializer(): [Initializer] initializer for z
+# 2816|           getExpr(): [SizeofExprOperator] sizeof(<expr>)
+# 2816|               Type = [LongType] unsigned long
+# 2816|               ValueCategory = prvalue
+# 2816|             getExprOperand(): [ArrayExpr] access to array
+# 2816|                 Type = [ArrayType] int[]
+# 2816|                 ValueCategory = lvalue
+# 2816|               getArrayBase(): [VariableAccess] tmp1
+# 2816|                   Type = [ArrayType] int[][]
+# 2816|                   ValueCategory = lvalue
+# 2816|               getArrayOffset(): [Literal] 1
+# 2816|                   Type = [IntType] int
+# 2816|                   Value = [Literal] 1
+# 2816|                   ValueCategory = prvalue
+# 2816|               getArrayBase().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 2816|                   Type = [PointerType] int(*)[]
+# 2816|                   ValueCategory = prvalue
+# 2816|             getExprOperand().getFullyConverted(): [ParenthesisExpr] (...)
+# 2816|                 Type = [ArrayType] int[]
+# 2816|                 ValueCategory = lvalue
+# 2817|     getStmt(5): [ReturnStmt] return ...
+# 2819| [TopLevelFunction] void vla_sizeof_test5(int, size_t)
+# 2819|   <params>: 
+# 2819|     getParameter(0): [Parameter] len1
+# 2819|         Type = [IntType] int
+# 2819|     getParameter(1): [Parameter] len2
+# 2819|         Type = [CTypedefType,Size_t] size_t
+# 2819|   getEntryPoint(): [BlockStmt] { ... }
+# 2820|     getStmt(0): [DeclStmt] declaration
+# 2820|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of tmp1
+# 2820|           Type = [ArrayType] int[][]
+# 2820|     getStmt(1): [VlaDimensionStmt] VLA dimension size
+# 2820|       getDimensionExpr(): [VariableAccess] len1
+# 2820|           Type = [IntType] int
+# 2820|           ValueCategory = prvalue(load)
+# 2820|     getStmt(2): [VlaDimensionStmt] VLA dimension size
+# 2820|       getDimensionExpr(): [VariableAccess] len2
+# 2820|           Type = [CTypedefType,Size_t] size_t
+# 2820|           ValueCategory = prvalue(load)
+# 2820|     getStmt(3): [VlaDeclStmt] VLA declaration
+# 2821|     getStmt(4): [DeclStmt] declaration
+# 2821|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of z
+# 2821|           Type = [CTypedefType,Size_t] size_t
+# 2821|         getVariable().getInitializer(): [Initializer] initializer for z
+# 2821|           getExpr(): [SizeofExprOperator] sizeof(<expr>)
+# 2821|               Type = [LongType] unsigned long
+# 2821|               ValueCategory = prvalue
+# 2821|             getExprOperand(): [ArrayExpr] access to array
+# 2821|                 Type = [ArrayType] int[]
+# 2821|                 ValueCategory = lvalue
+# 2821|               getArrayBase(): [PointerDereferenceExpr] * ...
+# 2821|                   Type = [ArrayType] int[][]
+# 2821|                   ValueCategory = lvalue
+# 2821|                 getOperand(): [AddressOfExpr] & ...
+# 2821|                     Type = [PointerType] int(*)[][]
+# 2821|                     ValueCategory = prvalue
+# 2821|                   getOperand(): [VariableAccess] tmp1
+# 2821|                       Type = [ArrayType] int[][]
+# 2821|                       ValueCategory = lvalue
+# 2821|               getArrayOffset(): [Literal] 1
+# 2821|                   Type = [IntType] int
+# 2821|                   Value = [Literal] 1
+# 2821|                   ValueCategory = prvalue
+# 2821|               getArrayBase().getFullyConverted(): [ParenthesisExpr] (...)
+# 2821|                   Type = [PointerType] int(*)[]
+# 2821|                   ValueCategory = prvalue
+# 2821|                 getExpr(): [ArrayToPointerConversion] array to pointer conversion
+# 2821|                     Type = [PointerType] int(*)[]
+# 2821|                     ValueCategory = prvalue
+# 2821|             getExprOperand().getFullyConverted(): [ParenthesisExpr] (...)
+# 2821|                 Type = [ArrayType] int[]
+# 2821|                 ValueCategory = lvalue
+# 2822|     getStmt(5): [ReturnStmt] return ...
 ir23.cpp:
 #    1| [TopLevelFunction] bool consteval_1()
 #    1|   <params>: 
--- a/cpp/ql/test/library-tests/ir/ir/aliased_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ir/aliased_ir.expected
@@ -20430,6 +20430,247 @@ ir.cpp:
 # 2774|     v2774_6(void)           = AliasedUse                    : ~m2776_6
 # 2774|     v2774_7(void)           = ExitFunction                  : 

+# 2779| void vla_sizeof_test(int, size_t, char)
+# 2779|   Block 0
+# 2779|     v2779_1(void)                 = EnterFunction             : 
+# 2779|     m2779_2(unknown)              = AliasedDefinition         : 
+# 2779|     m2779_3(unknown)              = InitializeNonLocal        : 
+# 2779|     m2779_4(unknown)              = Chi                       : total:m2779_2, partial:m2779_3
+# 2779|     r2779_5(glval<int>)           = VariableAddress[len1]     : 
+# 2779|     m2779_6(int)                  = InitializeParameter[len1] : &:r2779_5
+# 2779|     r2779_7(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2779|     m2779_8(unsigned long)        = InitializeParameter[len2] : &:r2779_7
+# 2779|     r2779_9(glval<char>)          = VariableAddress[len3]     : 
+# 2779|     m2779_10(char)                = InitializeParameter[len3] : &:r2779_9
+# 2780|     r2780_1(glval<char[]>)        = VariableAddress[tmp1]     : 
+# 2780|     m2780_2(char[])               = Uninitialized[tmp1]       : &:r2780_1
+# 2780|     r2780_3(glval<int>)           = VariableAddress[len1]     : 
+# 2780|     r2780_4(int)                  = Load[len1]                : &:r2780_3, m2779_6
+# 2780|     v2780_5(void)                 = NoOp                      : 
+# 2781|     r2781_1(glval<unsigned long>) = VariableAddress[x]        : 
+# 2781|     r2781_2(unsigned long)        = Constant[1]               : 
+# 2781|     r2781_3(unsigned long)        = Convert                   : r2780_4
+# 2781|     r2781_4(unsigned long)        = Mul                       : r2781_2, r2781_3
+# 2781|     m2781_5(unsigned long)        = Store[x]                  : &:r2781_1, r2781_4
+# 2782|     r2782_1(glval<int[][]>)       = VariableAddress[tmp2]     : 
+# 2782|     m2782_2(int[][])              = Uninitialized[tmp2]       : &:r2782_1
+# 2782|     r2782_3(glval<int>)           = VariableAddress[len1]     : 
+# 2782|     r2782_4(int)                  = Load[len1]                : &:r2782_3, m2779_6
+# 2782|     r2782_5(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2782|     r2782_6(unsigned long)        = Load[len2]                : &:r2782_5, m2779_8
+# 2782|     v2782_7(void)                 = NoOp                      : 
+# 2783|     r2783_1(glval<unsigned long>) = VariableAddress[y]        : 
+# 2783|     r2783_2(unsigned long)        = Constant[4]               : 
+# 2783|     r2783_3(unsigned long)        = Convert                   : r2782_4
+# 2783|     r2783_4(unsigned long)        = Mul                       : r2783_2, r2783_3
+# 2783|     r2783_5(unsigned long)        = CopyValue                 : r2782_6
+# 2783|     r2783_6(unsigned long)        = Mul                       : r2783_4, r2783_5
+# 2783|     m2783_7(unsigned long)        = Store[y]                  : &:r2783_1, r2783_6
+# 2784|     r2784_1(glval<unsigned long>) = VariableAddress[z]        : 
+# 2784|     r2784_2(unsigned long)        = Constant[4]               : 
+# 2784|     r2784_3(unsigned long)        = CopyValue                 : r2782_6
+# 2784|     r2784_4(unsigned long)        = Mul                       : r2784_2, r2784_3
+# 2784|     m2784_5(unsigned long)        = Store[z]                  : &:r2784_1, r2784_4
+# 2785|     r2785_1(glval<int[][][]>)     = VariableAddress[tmp3]     : 
+# 2785|     m2785_2(int[][][])            = Uninitialized[tmp3]       : &:r2785_1
+# 2785|     r2785_3(glval<int>)           = VariableAddress[len1]     : 
+# 2785|     r2785_4(int)                  = Load[len1]                : &:r2785_3, m2779_6
+# 2785|     r2785_5(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2785|     r2785_6(unsigned long)        = Load[len2]                : &:r2785_5, m2779_8
+# 2785|     r2785_7(glval<char>)          = VariableAddress[len3]     : 
+# 2785|     r2785_8(char)                 = Load[len3]                : &:r2785_7, m2779_10
+# 2785|     v2785_9(void)                 = NoOp                      : 
+# 2786|     r2786_1(glval<unsigned long>) = VariableAddress[w]        : 
+# 2786|     r2786_2(unsigned long)        = Constant[4]               : 
+# 2786|     r2786_3(unsigned long)        = Convert                   : r2785_4
+# 2786|     r2786_4(unsigned long)        = Mul                       : r2786_2, r2786_3
+# 2786|     r2786_5(unsigned long)        = CopyValue                 : r2785_6
+# 2786|     r2786_6(unsigned long)        = Mul                       : r2786_4, r2786_5
+# 2786|     r2786_7(unsigned long)        = Convert                   : r2785_8
+# 2786|     r2786_8(unsigned long)        = Mul                       : r2786_6, r2786_7
+# 2786|     m2786_9(unsigned long)        = Store[w]                  : &:r2786_1, r2786_8
+# 2787|     r2787_1(glval<unsigned long>) = VariableAddress[v]        : 
+# 2787|     r2787_2(unsigned long)        = Constant[4]               : 
+# 2787|     r2787_3(unsigned long)        = CopyValue                 : r2785_6
+# 2787|     r2787_4(unsigned long)        = Mul                       : r2787_2, r2787_3
+# 2787|     r2787_5(unsigned long)        = Convert                   : r2785_8
+# 2787|     r2787_6(unsigned long)        = Mul                       : r2787_4, r2787_5
+# 2787|     m2787_7(unsigned long)        = Store[v]                  : &:r2787_1, r2787_6
+# 2788|     r2788_1(glval<unsigned long>) = VariableAddress[u]        : 
+# 2788|     r2788_2(unsigned long)        = Constant[4]               : 
+# 2788|     r2788_3(unsigned long)        = Convert                   : r2785_8
+# 2788|     r2788_4(unsigned long)        = Mul                       : r2788_2, r2788_3
+# 2788|     m2788_5(unsigned long)        = Store[u]                  : &:r2788_1, r2788_4
+# 2789|     r2789_1(glval<unsigned long>) = VariableAddress[t]        : 
+# 2789|     r2789_2(unsigned long)        = Constant[4]               : 
+# 2789|     m2789_3(unsigned long)        = Store[t]                  : &:r2789_1, r2789_2
+# 2790|     v2790_1(void)                 = NoOp                      : 
+# 2779|     v2779_11(void)                = ReturnVoid                : 
+# 2779|     v2779_12(void)                = AliasedUse                : m2779_3
+# 2779|     v2779_13(void)                = ExitFunction              : 
+
+# 2792| void vla_sizeof_test2(int, size_t, char)
+# 2792|   Block 0
+# 2792|     v2792_1(void)                 = EnterFunction             : 
+# 2792|     m2792_2(unknown)              = AliasedDefinition         : 
+# 2792|     m2792_3(unknown)              = InitializeNonLocal        : 
+# 2792|     m2792_4(unknown)              = Chi                       : total:m2792_2, partial:m2792_3
+# 2792|     r2792_5(glval<int>)           = VariableAddress[len1]     : 
+# 2792|     m2792_6(int)                  = InitializeParameter[len1] : &:r2792_5
+# 2792|     r2792_7(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2792|     m2792_8(unsigned long)        = InitializeParameter[len2] : &:r2792_7
+# 2792|     r2792_9(glval<char>)          = VariableAddress[len3]     : 
+# 2792|     m2792_10(char)                = InitializeParameter[len3] : &:r2792_9
+# 2793|     r2793_1(glval<int[][]>)       = VariableAddress[tmp1]     : 
+# 2793|     m2793_2(int[][])              = Uninitialized[tmp1]       : &:r2793_1
+# 2793|     r2793_3(glval<int>)           = VariableAddress[len1]     : 
+# 2793|     r2793_4(int)                  = Load[len1]                : &:r2793_3, m2792_6
+# 2793|     r2793_5(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2793|     r2793_6(unsigned long)        = Load[len2]                : &:r2793_5, m2792_8
+# 2793|     v2793_7(void)                 = NoOp                      : 
+# 2794|     r2794_1(glval<unsigned long>) = VariableAddress[z]        : 
+# 2794|     r2794_2(unsigned long)        = Constant[4]               : 
+# 2794|     r2794_3(unsigned long)        = CopyValue                 : r2793_6
+# 2794|     r2794_4(unsigned long)        = Mul                       : r2794_2, r2794_3
+# 2794|     m2794_5(unsigned long)        = Store[z]                  : &:r2794_1, r2794_4
+# 2795|     r2795_1(glval<int[][][]>)     = VariableAddress[tmp2]     : 
+# 2795|     m2795_2(int[][][])            = Uninitialized[tmp2]       : &:r2795_1
+# 2795|     r2795_3(glval<int>)           = VariableAddress[len1]     : 
+# 2795|     r2795_4(int)                  = Load[len1]                : &:r2795_3, m2792_6
+# 2795|     r2795_5(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2795|     r2795_6(unsigned long)        = Load[len2]                : &:r2795_5, m2792_8
+# 2795|     r2795_7(glval<char>)          = VariableAddress[len3]     : 
+# 2795|     r2795_8(char)                 = Load[len3]                : &:r2795_7, m2792_10
+# 2795|     v2795_9(void)                 = NoOp                      : 
+# 2796|     r2796_1(glval<unsigned long>) = VariableAddress[v]        : 
+# 2796|     r2796_2(unsigned long)        = Constant[4]               : 
+# 2796|     r2796_3(unsigned long)        = CopyValue                 : r2795_6
+# 2796|     r2796_4(unsigned long)        = Mul                       : r2796_2, r2796_3
+# 2796|     r2796_5(unsigned long)        = Convert                   : r2795_8
+# 2796|     r2796_6(unsigned long)        = Mul                       : r2796_4, r2796_5
+# 2796|     m2796_7(unsigned long)        = Store[v]                  : &:r2796_1, r2796_6
+# 2797|     r2797_1(glval<unsigned long>) = VariableAddress[u]        : 
+# 2797|     r2797_2(unsigned long)        = Constant[4]               : 
+# 2797|     r2797_3(unsigned long)        = Convert                   : r2795_8
+# 2797|     r2797_4(unsigned long)        = Mul                       : r2797_2, r2797_3
+# 2797|     m2797_5(unsigned long)        = Store[u]                  : &:r2797_1, r2797_4
+# 2798|     r2798_1(glval<unsigned long>) = VariableAddress[t]        : 
+# 2798|     r2798_2(unsigned long)        = Constant[4]               : 
+# 2798|     m2798_3(unsigned long)        = Store[t]                  : &:r2798_1, r2798_2
+# 2799|     v2799_1(void)                 = NoOp                      : 
+# 2792|     v2792_11(void)                = ReturnVoid                : 
+# 2792|     v2792_12(void)                = AliasedUse                : m2792_3
+# 2792|     v2792_13(void)                = ExitFunction              : 
+
+# 2801| size_t vla_sizeof_test3(int, size_t, char, bool)
+# 2801|   Block 0
+# 2801|     v2801_1(void)                 = EnterFunction             : 
+# 2801|     m2801_2(unknown)              = AliasedDefinition         : 
+# 2801|     m2801_3(unknown)              = InitializeNonLocal        : 
+# 2801|     m2801_4(unknown)              = Chi                       : total:m2801_2, partial:m2801_3
+# 2801|     r2801_5(glval<int>)           = VariableAddress[len1]     : 
+# 2801|     m2801_6(int)                  = InitializeParameter[len1] : &:r2801_5
+# 2801|     r2801_7(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2801|     m2801_8(unsigned long)        = InitializeParameter[len2] : &:r2801_7
+# 2801|     r2801_9(glval<char>)          = VariableAddress[len3]     : 
+# 2801|     m2801_10(char)                = InitializeParameter[len3] : &:r2801_9
+# 2801|     r2801_11(glval<bool>)         = VariableAddress[b]        : 
+# 2801|     m2801_12(bool)                = InitializeParameter[b]    : &:r2801_11
+# 2802|     r2802_1(glval<int>)           = VariableAddress[len1]     : 
+# 2802|     r2802_2(int)                  = Load[len1]                : &:r2802_1, m2801_6
+# 2802|     r2802_3(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2802|     r2802_4(unsigned long)        = Load[len2]                : &:r2802_3, m2801_8
+# 2802|     v2802_5(void)                 = NoOp                      : 
+# 2803|     v2803_1(void)                 = NoOp                      : 
+# 2804|     r2804_1(glval<char>)          = VariableAddress[len3]     : 
+# 2804|     r2804_2(char)                 = Load[len3]                : &:r2804_1, m2801_10
+# 2804|     v2804_3(void)                 = NoOp                      : 
+# 2806|     r2806_1(glval<bool>)          = VariableAddress[b]        : 
+# 2806|     r2806_2(bool)                 = Load[b]                   : &:r2806_1, m2801_12
+# 2806|     v2806_3(void)                 = ConditionalBranch         : r2806_2
+#-----|   False -> Block 3
+#-----|   True -> Block 2
+
+# 2801|   Block 1
+# 2801|     m2801_13(unsigned long)        = Phi                      : from 2:m2808_7, from 3:m2811_3
+# 2801|     r2801_14(glval<unsigned long>) = VariableAddress[#return] : 
+# 2801|     v2801_15(void)                 = ReturnValue              : &:r2801_14, m2801_13
+# 2801|     v2801_16(void)                 = AliasedUse               : m2801_3
+# 2801|     v2801_17(void)                 = ExitFunction             : 
+
+# 2807|   Block 2
+# 2807|     r2807_1(glval<long[][][]>)    = VariableAddress[tmp]     : 
+# 2807|     m2807_2(long[][][])           = Uninitialized[tmp]       : &:r2807_1
+# 2807|     v2807_3(void)                 = NoOp                     : 
+# 2808|     r2808_1(glval<unsigned long>) = VariableAddress[#return] : 
+# 2808|     r2808_2(unsigned long)        = Constant[8]              : 
+# 2808|     r2808_3(unsigned long)        = Convert                  : r2802_2
+# 2808|     r2808_4(unsigned long)        = Mul                      : r2808_2, r2808_3
+# 2808|     r2808_5(unsigned long)        = CopyValue                : r2802_4
+# 2808|     r2808_6(unsigned long)        = Mul                      : r2808_4, r2808_5
+# 2808|     m2808_7(unsigned long)        = Store[#return]           : &:r2808_1, r2808_6
+#-----|   Goto -> Block 1
+
+# 2811|   Block 3
+# 2811|     r2811_1(glval<unsigned long>) = VariableAddress[#return] : 
+# 2811|     r2811_2(unsigned long)        = Constant[0]              : 
+# 2811|     m2811_3(unsigned long)        = Store[#return]           : &:r2811_1, r2811_2
+#-----|   Goto -> Block 1
+
+# 2814| void vla_sizeof_test4(int, size_t)
+# 2814|   Block 0
+# 2814|     v2814_1(void)                 = EnterFunction             : 
+# 2814|     m2814_2(unknown)              = AliasedDefinition         : 
+# 2814|     m2814_3(unknown)              = InitializeNonLocal        : 
+# 2814|     m2814_4(unknown)              = Chi                       : total:m2814_2, partial:m2814_3
+# 2814|     r2814_5(glval<int>)           = VariableAddress[len1]     : 
+# 2814|     m2814_6(int)                  = InitializeParameter[len1] : &:r2814_5
+# 2814|     r2814_7(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2814|     m2814_8(unsigned long)        = InitializeParameter[len2] : &:r2814_7
+# 2815|     r2815_1(glval<int[][]>)       = VariableAddress[tmp1]     : 
+# 2815|     m2815_2(int[][])              = Uninitialized[tmp1]       : &:r2815_1
+# 2815|     r2815_3(glval<int>)           = VariableAddress[len1]     : 
+# 2815|     r2815_4(int)                  = Load[len1]                : &:r2815_3, m2814_6
+# 2815|     r2815_5(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2815|     r2815_6(unsigned long)        = Load[len2]                : &:r2815_5, m2814_8
+# 2815|     v2815_7(void)                 = NoOp                      : 
+# 2816|     r2816_1(glval<unsigned long>) = VariableAddress[z]        : 
+# 2816|     r2816_2(unsigned long)        = Constant[4]               : 
+# 2816|     r2816_3(unsigned long)        = CopyValue                 : r2815_6
+# 2816|     r2816_4(unsigned long)        = Mul                       : r2816_2, r2816_3
+# 2816|     m2816_5(unsigned long)        = Store[z]                  : &:r2816_1, r2816_4
+# 2817|     v2817_1(void)                 = NoOp                      : 
+# 2814|     v2814_9(void)                 = ReturnVoid                : 
+# 2814|     v2814_10(void)                = AliasedUse                : m2814_3
+# 2814|     v2814_11(void)                = ExitFunction              : 
+
+# 2819| void vla_sizeof_test5(int, size_t)
+# 2819|   Block 0
+# 2819|     v2819_1(void)                 = EnterFunction             : 
+# 2819|     m2819_2(unknown)              = AliasedDefinition         : 
+# 2819|     m2819_3(unknown)              = InitializeNonLocal        : 
+# 2819|     m2819_4(unknown)              = Chi                       : total:m2819_2, partial:m2819_3
+# 2819|     r2819_5(glval<int>)           = VariableAddress[len1]     : 
+# 2819|     m2819_6(int)                  = InitializeParameter[len1] : &:r2819_5
+# 2819|     r2819_7(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2819|     m2819_8(unsigned long)        = InitializeParameter[len2] : &:r2819_7
+# 2820|     r2820_1(glval<int[][]>)       = VariableAddress[tmp1]     : 
+# 2820|     m2820_2(int[][])              = Uninitialized[tmp1]       : &:r2820_1
+# 2820|     r2820_3(glval<int>)           = VariableAddress[len1]     : 
+# 2820|     r2820_4(int)                  = Load[len1]                : &:r2820_3, m2819_6
+# 2820|     r2820_5(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2820|     r2820_6(unsigned long)        = Load[len2]                : &:r2820_5, m2819_8
+# 2820|     v2820_7(void)                 = NoOp                      : 
+# 2821|     r2821_1(glval<unsigned long>) = VariableAddress[z]        : 
+# 2821|     r2821_2(unsigned long)        = Constant[4]               : 
+# 2821|     r2821_3(unsigned long)        = CopyValue                 : r2820_6
+# 2821|     r2821_4(unsigned long)        = Mul                       : r2821_2, r2821_3
+# 2821|     m2821_5(unsigned long)        = Store[z]                  : &:r2821_1, r2821_4
+# 2822|     v2822_1(void)                 = NoOp                      : 
+# 2819|     v2819_9(void)                 = ReturnVoid                : 
+# 2819|     v2819_10(void)                = AliasedUse                : m2819_3
+# 2819|     v2819_11(void)                = ExitFunction              : 
+
 ir23.cpp:
 #    1| bool consteval_1()
 #    1|   Block 0
--- a/cpp/ql/test/library-tests/ir/ir/ir.cpp
+++ b/cpp/ql/test/library-tests/ir/ir/ir.cpp
@@ -2776,4 +2776,49 @@ void test_allocation_with_initializer() {
    long* p2 = new long(42);
 }

+void vla_sizeof_test(int len1, size_t len2, char len3) {
+  char tmp1[len1];
+  size_t x = sizeof(tmp1);
+  int tmp2[len1][len2];
+  size_t y = sizeof(tmp2);
+  size_t z = sizeof(*tmp2);
+  int tmp3[len1][len2][len3];
+  size_t w = sizeof(tmp3);
+  size_t v = sizeof(*tmp3);
+  size_t u = sizeof(**tmp3);
+  size_t t = sizeof(***tmp3);
+}
+
+void vla_sizeof_test2(int len1, size_t len2, char len3) {
+  int tmp1[len1][len2];
+  size_t z = sizeof(tmp1[1]);
+  int tmp2[len1][len2][len3];
+  size_t v = sizeof(tmp2[1]);
+  size_t u = sizeof(tmp2[1][2]);
+  size_t t = sizeof(tmp2[1][2][3]);
+}
+
+size_t vla_sizeof_test3(int len1, size_t len2, char len3, bool b) {
+  typedef long arr[len1][len2];
+  typedef arr arr2;
+  typedef arr2 arr3[len3];
+
+  if (b) {
+    arr3 tmp;
+    return sizeof(tmp[1]);
+  } 
+
+  return 0;
+}
+
+void vla_sizeof_test4(int len1, size_t len2) {
+  int tmp1[len1][len2];
+  size_t z = sizeof(1[tmp1]);
+}
+
+void vla_sizeof_test5(int len1, size_t len2) {
+  int tmp1[len1][len2];
+  size_t z = sizeof((*&tmp1)[1]);
+}
+
 // semmle-extractor-options: -std=c++20 --clang
--- a/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
@@ -18577,6 +18577,241 @@ ir.cpp:
 # 2774|     v2774_5(void)           = AliasedUse                    : ~m?
 # 2774|     v2774_6(void)           = ExitFunction                  : 

+# 2779| void vla_sizeof_test(int, size_t, char)
+# 2779|   Block 0
+# 2779|     v2779_1(void)                 = EnterFunction             : 
+# 2779|     mu2779_2(unknown)             = AliasedDefinition         : 
+# 2779|     mu2779_3(unknown)             = InitializeNonLocal        : 
+# 2779|     r2779_4(glval<int>)           = VariableAddress[len1]     : 
+# 2779|     mu2779_5(int)                 = InitializeParameter[len1] : &:r2779_4
+# 2779|     r2779_6(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2779|     mu2779_7(unsigned long)       = InitializeParameter[len2] : &:r2779_6
+# 2779|     r2779_8(glval<char>)          = VariableAddress[len3]     : 
+# 2779|     mu2779_9(char)                = InitializeParameter[len3] : &:r2779_8
+# 2780|     r2780_1(glval<char[]>)        = VariableAddress[tmp1]     : 
+# 2780|     mu2780_2(char[])              = Uninitialized[tmp1]       : &:r2780_1
+# 2780|     r2780_3(glval<int>)           = VariableAddress[len1]     : 
+# 2780|     r2780_4(int)                  = Load[len1]                : &:r2780_3, ~m?
+# 2780|     v2780_5(void)                 = NoOp                      : 
+# 2781|     r2781_1(glval<unsigned long>) = VariableAddress[x]        : 
+# 2781|     r2781_2(unsigned long)        = Constant[1]               : 
+# 2781|     r2781_3(unsigned long)        = Convert                   : r2780_4
+# 2781|     r2781_4(unsigned long)        = Mul                       : r2781_2, r2781_3
+# 2781|     mu2781_5(unsigned long)       = Store[x]                  : &:r2781_1, r2781_4
+# 2782|     r2782_1(glval<int[][]>)       = VariableAddress[tmp2]     : 
+# 2782|     mu2782_2(int[][])             = Uninitialized[tmp2]       : &:r2782_1
+# 2782|     r2782_3(glval<int>)           = VariableAddress[len1]     : 
+# 2782|     r2782_4(int)                  = Load[len1]                : &:r2782_3, ~m?
+# 2782|     r2782_5(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2782|     r2782_6(unsigned long)        = Load[len2]                : &:r2782_5, ~m?
+# 2782|     v2782_7(void)                 = NoOp                      : 
+# 2783|     r2783_1(glval<unsigned long>) = VariableAddress[y]        : 
+# 2783|     r2783_2(unsigned long)        = Constant[4]               : 
+# 2783|     r2783_3(unsigned long)        = Convert                   : r2782_4
+# 2783|     r2783_4(unsigned long)        = Mul                       : r2783_2, r2783_3
+# 2783|     r2783_5(unsigned long)        = CopyValue                 : r2782_6
+# 2783|     r2783_6(unsigned long)        = Mul                       : r2783_4, r2783_5
+# 2783|     mu2783_7(unsigned long)       = Store[y]                  : &:r2783_1, r2783_6
+# 2784|     r2784_1(glval<unsigned long>) = VariableAddress[z]        : 
+# 2784|     r2784_2(unsigned long)        = Constant[4]               : 
+# 2784|     r2784_3(unsigned long)        = CopyValue                 : r2782_6
+# 2784|     r2784_4(unsigned long)        = Mul                       : r2784_2, r2784_3
+# 2784|     mu2784_5(unsigned long)       = Store[z]                  : &:r2784_1, r2784_4
+# 2785|     r2785_1(glval<int[][][]>)     = VariableAddress[tmp3]     : 
+# 2785|     mu2785_2(int[][][])           = Uninitialized[tmp3]       : &:r2785_1
+# 2785|     r2785_3(glval<int>)           = VariableAddress[len1]     : 
+# 2785|     r2785_4(int)                  = Load[len1]                : &:r2785_3, ~m?
+# 2785|     r2785_5(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2785|     r2785_6(unsigned long)        = Load[len2]                : &:r2785_5, ~m?
+# 2785|     r2785_7(glval<char>)          = VariableAddress[len3]     : 
+# 2785|     r2785_8(char)                 = Load[len3]                : &:r2785_7, ~m?
+# 2785|     v2785_9(void)                 = NoOp                      : 
+# 2786|     r2786_1(glval<unsigned long>) = VariableAddress[w]        : 
+# 2786|     r2786_2(unsigned long)        = Constant[4]               : 
+# 2786|     r2786_3(unsigned long)        = Convert                   : r2785_4
+# 2786|     r2786_4(unsigned long)        = Mul                       : r2786_2, r2786_3
+# 2786|     r2786_5(unsigned long)        = CopyValue                 : r2785_6
+# 2786|     r2786_6(unsigned long)        = Mul                       : r2786_4, r2786_5
+# 2786|     r2786_7(unsigned long)        = Convert                   : r2785_8
+# 2786|     r2786_8(unsigned long)        = Mul                       : r2786_6, r2786_7
+# 2786|     mu2786_9(unsigned long)       = Store[w]                  : &:r2786_1, r2786_8
+# 2787|     r2787_1(glval<unsigned long>) = VariableAddress[v]        : 
+# 2787|     r2787_2(unsigned long)        = Constant[4]               : 
+# 2787|     r2787_3(unsigned long)        = CopyValue                 : r2785_6
+# 2787|     r2787_4(unsigned long)        = Mul                       : r2787_2, r2787_3
+# 2787|     r2787_5(unsigned long)        = Convert                   : r2785_8
+# 2787|     r2787_6(unsigned long)        = Mul                       : r2787_4, r2787_5
+# 2787|     mu2787_7(unsigned long)       = Store[v]                  : &:r2787_1, r2787_6
+# 2788|     r2788_1(glval<unsigned long>) = VariableAddress[u]        : 
+# 2788|     r2788_2(unsigned long)        = Constant[4]               : 
+# 2788|     r2788_3(unsigned long)        = Convert                   : r2785_8
+# 2788|     r2788_4(unsigned long)        = Mul                       : r2788_2, r2788_3
+# 2788|     mu2788_5(unsigned long)       = Store[u]                  : &:r2788_1, r2788_4
+# 2789|     r2789_1(glval<unsigned long>) = VariableAddress[t]        : 
+# 2789|     r2789_2(unsigned long)        = Constant[4]               : 
+# 2789|     mu2789_3(unsigned long)       = Store[t]                  : &:r2789_1, r2789_2
+# 2790|     v2790_1(void)                 = NoOp                      : 
+# 2779|     v2779_10(void)                = ReturnVoid                : 
+# 2779|     v2779_11(void)                = AliasedUse                : ~m?
+# 2779|     v2779_12(void)                = ExitFunction              : 
+
+# 2792| void vla_sizeof_test2(int, size_t, char)
+# 2792|   Block 0
+# 2792|     v2792_1(void)                 = EnterFunction             : 
+# 2792|     mu2792_2(unknown)             = AliasedDefinition         : 
+# 2792|     mu2792_3(unknown)             = InitializeNonLocal        : 
+# 2792|     r2792_4(glval<int>)           = VariableAddress[len1]     : 
+# 2792|     mu2792_5(int)                 = InitializeParameter[len1] : &:r2792_4
+# 2792|     r2792_6(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2792|     mu2792_7(unsigned long)       = InitializeParameter[len2] : &:r2792_6
+# 2792|     r2792_8(glval<char>)          = VariableAddress[len3]     : 
+# 2792|     mu2792_9(char)                = InitializeParameter[len3] : &:r2792_8
+# 2793|     r2793_1(glval<int[][]>)       = VariableAddress[tmp1]     : 
+# 2793|     mu2793_2(int[][])             = Uninitialized[tmp1]       : &:r2793_1
+# 2793|     r2793_3(glval<int>)           = VariableAddress[len1]     : 
+# 2793|     r2793_4(int)                  = Load[len1]                : &:r2793_3, ~m?
+# 2793|     r2793_5(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2793|     r2793_6(unsigned long)        = Load[len2]                : &:r2793_5, ~m?
+# 2793|     v2793_7(void)                 = NoOp                      : 
+# 2794|     r2794_1(glval<unsigned long>) = VariableAddress[z]        : 
+# 2794|     r2794_2(unsigned long)        = Constant[4]               : 
+# 2794|     r2794_3(unsigned long)        = CopyValue                 : r2793_6
+# 2794|     r2794_4(unsigned long)        = Mul                       : r2794_2, r2794_3
+# 2794|     mu2794_5(unsigned long)       = Store[z]                  : &:r2794_1, r2794_4
+# 2795|     r2795_1(glval<int[][][]>)     = VariableAddress[tmp2]     : 
+# 2795|     mu2795_2(int[][][])           = Uninitialized[tmp2]       : &:r2795_1
+# 2795|     r2795_3(glval<int>)           = VariableAddress[len1]     : 
+# 2795|     r2795_4(int)                  = Load[len1]                : &:r2795_3, ~m?
+# 2795|     r2795_5(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2795|     r2795_6(unsigned long)        = Load[len2]                : &:r2795_5, ~m?
+# 2795|     r2795_7(glval<char>)          = VariableAddress[len3]     : 
+# 2795|     r2795_8(char)                 = Load[len3]                : &:r2795_7, ~m?
+# 2795|     v2795_9(void)                 = NoOp                      : 
+# 2796|     r2796_1(glval<unsigned long>) = VariableAddress[v]        : 
+# 2796|     r2796_2(unsigned long)        = Constant[4]               : 
+# 2796|     r2796_3(unsigned long)        = CopyValue                 : r2795_6
+# 2796|     r2796_4(unsigned long)        = Mul                       : r2796_2, r2796_3
+# 2796|     r2796_5(unsigned long)        = Convert                   : r2795_8
+# 2796|     r2796_6(unsigned long)        = Mul                       : r2796_4, r2796_5
+# 2796|     mu2796_7(unsigned long)       = Store[v]                  : &:r2796_1, r2796_6
+# 2797|     r2797_1(glval<unsigned long>) = VariableAddress[u]        : 
+# 2797|     r2797_2(unsigned long)        = Constant[4]               : 
+# 2797|     r2797_3(unsigned long)        = Convert                   : r2795_8
+# 2797|     r2797_4(unsigned long)        = Mul                       : r2797_2, r2797_3
+# 2797|     mu2797_5(unsigned long)       = Store[u]                  : &:r2797_1, r2797_4
+# 2798|     r2798_1(glval<unsigned long>) = VariableAddress[t]        : 
+# 2798|     r2798_2(unsigned long)        = Constant[4]               : 
+# 2798|     mu2798_3(unsigned long)       = Store[t]                  : &:r2798_1, r2798_2
+# 2799|     v2799_1(void)                 = NoOp                      : 
+# 2792|     v2792_10(void)                = ReturnVoid                : 
+# 2792|     v2792_11(void)                = AliasedUse                : ~m?
+# 2792|     v2792_12(void)                = ExitFunction              : 
+
+# 2801| size_t vla_sizeof_test3(int, size_t, char, bool)
+# 2801|   Block 0
+# 2801|     v2801_1(void)                 = EnterFunction             : 
+# 2801|     mu2801_2(unknown)             = AliasedDefinition         : 
+# 2801|     mu2801_3(unknown)             = InitializeNonLocal        : 
+# 2801|     r2801_4(glval<int>)           = VariableAddress[len1]     : 
+# 2801|     mu2801_5(int)                 = InitializeParameter[len1] : &:r2801_4
+# 2801|     r2801_6(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2801|     mu2801_7(unsigned long)       = InitializeParameter[len2] : &:r2801_6
+# 2801|     r2801_8(glval<char>)          = VariableAddress[len3]     : 
+# 2801|     mu2801_9(char)                = InitializeParameter[len3] : &:r2801_8
+# 2801|     r2801_10(glval<bool>)         = VariableAddress[b]        : 
+# 2801|     mu2801_11(bool)               = InitializeParameter[b]    : &:r2801_10
+# 2802|     r2802_1(glval<int>)           = VariableAddress[len1]     : 
+# 2802|     r2802_2(int)                  = Load[len1]                : &:r2802_1, ~m?
+# 2802|     r2802_3(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2802|     r2802_4(unsigned long)        = Load[len2]                : &:r2802_3, ~m?
+# 2802|     v2802_5(void)                 = NoOp                      : 
+# 2803|     v2803_1(void)                 = NoOp                      : 
+# 2804|     r2804_1(glval<char>)          = VariableAddress[len3]     : 
+# 2804|     r2804_2(char)                 = Load[len3]                : &:r2804_1, ~m?
+# 2804|     v2804_3(void)                 = NoOp                      : 
+# 2806|     r2806_1(glval<bool>)          = VariableAddress[b]        : 
+# 2806|     r2806_2(bool)                 = Load[b]                   : &:r2806_1, ~m?
+# 2806|     v2806_3(void)                 = ConditionalBranch         : r2806_2
+#-----|   False -> Block 3
+#-----|   True -> Block 2
+
+# 2801|   Block 1
+# 2801|     r2801_12(glval<unsigned long>) = VariableAddress[#return] : 
+# 2801|     v2801_13(void)                 = ReturnValue              : &:r2801_12, ~m?
+# 2801|     v2801_14(void)                 = AliasedUse               : ~m?
+# 2801|     v2801_15(void)                 = ExitFunction             : 
+
+# 2807|   Block 2
+# 2807|     r2807_1(glval<long[][][]>)    = VariableAddress[tmp]     : 
+# 2807|     mu2807_2(long[][][])          = Uninitialized[tmp]       : &:r2807_1
+# 2807|     v2807_3(void)                 = NoOp                     : 
+# 2808|     r2808_1(glval<unsigned long>) = VariableAddress[#return] : 
+# 2808|     r2808_2(unsigned long)        = Constant[8]              : 
+# 2808|     r2808_3(unsigned long)        = Convert                  : r2802_2
+# 2808|     r2808_4(unsigned long)        = Mul                      : r2808_2, r2808_3
+# 2808|     r2808_5(unsigned long)        = CopyValue                : r2802_4
+# 2808|     r2808_6(unsigned long)        = Mul                      : r2808_4, r2808_5
+# 2808|     mu2808_7(unsigned long)       = Store[#return]           : &:r2808_1, r2808_6
+#-----|   Goto -> Block 1
+
+# 2811|   Block 3
+# 2811|     r2811_1(glval<unsigned long>) = VariableAddress[#return] : 
+# 2811|     r2811_2(unsigned long)        = Constant[0]              : 
+# 2811|     mu2811_3(unsigned long)       = Store[#return]           : &:r2811_1, r2811_2
+#-----|   Goto -> Block 1
+
+# 2814| void vla_sizeof_test4(int, size_t)
+# 2814|   Block 0
+# 2814|     v2814_1(void)                 = EnterFunction             : 
+# 2814|     mu2814_2(unknown)             = AliasedDefinition         : 
+# 2814|     mu2814_3(unknown)             = InitializeNonLocal        : 
+# 2814|     r2814_4(glval<int>)           = VariableAddress[len1]     : 
+# 2814|     mu2814_5(int)                 = InitializeParameter[len1] : &:r2814_4
+# 2814|     r2814_6(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2814|     mu2814_7(unsigned long)       = InitializeParameter[len2] : &:r2814_6
+# 2815|     r2815_1(glval<int[][]>)       = VariableAddress[tmp1]     : 
+# 2815|     mu2815_2(int[][])             = Uninitialized[tmp1]       : &:r2815_1
+# 2815|     r2815_3(glval<int>)           = VariableAddress[len1]     : 
+# 2815|     r2815_4(int)                  = Load[len1]                : &:r2815_3, ~m?
+# 2815|     r2815_5(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2815|     r2815_6(unsigned long)        = Load[len2]                : &:r2815_5, ~m?
+# 2815|     v2815_7(void)                 = NoOp                      : 
+# 2816|     r2816_1(glval<unsigned long>) = VariableAddress[z]        : 
+# 2816|     r2816_2(unsigned long)        = Constant[4]               : 
+# 2816|     r2816_3(unsigned long)        = CopyValue                 : r2815_6
+# 2816|     r2816_4(unsigned long)        = Mul                       : r2816_2, r2816_3
+# 2816|     mu2816_5(unsigned long)       = Store[z]                  : &:r2816_1, r2816_4
+# 2817|     v2817_1(void)                 = NoOp                      : 
+# 2814|     v2814_8(void)                 = ReturnVoid                : 
+# 2814|     v2814_9(void)                 = AliasedUse                : ~m?
+# 2814|     v2814_10(void)                = ExitFunction              : 
+
+# 2819| void vla_sizeof_test5(int, size_t)
+# 2819|   Block 0
+# 2819|     v2819_1(void)                 = EnterFunction             : 
+# 2819|     mu2819_2(unknown)             = AliasedDefinition         : 
+# 2819|     mu2819_3(unknown)             = InitializeNonLocal        : 
+# 2819|     r2819_4(glval<int>)           = VariableAddress[len1]     : 
+# 2819|     mu2819_5(int)                 = InitializeParameter[len1] : &:r2819_4
+# 2819|     r2819_6(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2819|     mu2819_7(unsigned long)       = InitializeParameter[len2] : &:r2819_6
+# 2820|     r2820_1(glval<int[][]>)       = VariableAddress[tmp1]     : 
+# 2820|     mu2820_2(int[][])             = Uninitialized[tmp1]       : &:r2820_1
+# 2820|     r2820_3(glval<int>)           = VariableAddress[len1]     : 
+# 2820|     r2820_4(int)                  = Load[len1]                : &:r2820_3, ~m?
+# 2820|     r2820_5(glval<unsigned long>) = VariableAddress[len2]     : 
+# 2820|     r2820_6(unsigned long)        = Load[len2]                : &:r2820_5, ~m?
+# 2820|     v2820_7(void)                 = NoOp                      : 
+# 2821|     r2821_1(glval<unsigned long>) = VariableAddress[z]        : 
+# 2821|     r2821_2(unsigned long)        = Constant[4]               : 
+# 2821|     r2821_3(unsigned long)        = CopyValue                 : r2820_6
+# 2821|     r2821_4(unsigned long)        = Mul                       : r2821_2, r2821_3
+# 2821|     mu2821_5(unsigned long)       = Store[z]                  : &:r2821_1, r2821_4
+# 2822|     v2822_1(void)                 = NoOp                      : 
+# 2819|     v2819_8(void)                 = ReturnVoid                : 
+# 2819|     v2819_9(void)                 = AliasedUse                : ~m?
+# 2819|     v2819_10(void)                = ExitFunction              : 
+
 ir23.cpp:
 #    1| bool consteval_1()
 #    1|   Block 0
--- a/csharp/actions/create-extractor-pack/action.yml
+++ b/csharp/actions/create-extractor-pack/action.yml
@@ -7,7 +7,7 @@ runs:
    - name: Setup dotnet
      uses: actions/setup-dotnet@v4
      with:
-        dotnet-version: 9.0.100
+        dotnet-version: 9.0.300
    - name: Build Extractor
      shell: bash
      run: scripts/create-extractor-pack.sh
--- a/csharp/documentation/library-coverage/coverage.csv
+++ b/csharp/documentation/library-coverage/coverage.csv
@@ -43,5 +43,5 @@ MySql.Data.MySqlClient,48,,,,,,,,,,,,48,,,,,,,,,,
 Newtonsoft.Json,,,91,,,,,,,,,,,,,,,,,,,73,18
 ServiceStack,194,,7,27,,,,,75,,,,92,,,,,,,,,7,
 SourceGenerators,,,5,,,,,,,,,,,,,,,,,,,,5
-System,54,47,12165,,6,5,5,,,4,1,,33,2,,6,15,17,4,3,,5929,6236
+System,54,47,12241,,6,5,5,,,4,1,,33,2,,6,15,17,4,3,,6003,6238
 Windows.Security.Cryptography.Core,1,,,,,,,1,,,,,,,,,,,,,,,
--- a/csharp/documentation/library-coverage/coverage.rst
+++ b/csharp/documentation/library-coverage/coverage.rst
@@ -8,7 +8,7 @@ C# framework & library support

   Framework / library,Package,Flow sources,Taint & value steps,Sinks (total),`CWE-079` :sub:`Cross-site scripting`
   `ServiceStack <https://servicestack.net/>`_,"``ServiceStack.*``, ``ServiceStack``",,7,194,
-   System,"``System.*``, ``System``",47,12165,54,5
+   System,"``System.*``, ``System``",47,12241,54,5
   Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, ``Internal.TypeSystem``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.AspNetCore.Components``, ``Microsoft.AspNetCore.Http``, ``Microsoft.AspNetCore.Mvc``, ``Microsoft.AspNetCore.WebUtilities``, ``Microsoft.CSharp``, ``Microsoft.Data.SqlClient``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.DotNet.Build.Tasks``, ``Microsoft.DotNet.PlatformAbstractions``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.JSInterop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.VisualBasic``, ``Microsoft.Win32``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",60,2257,159,4
-   Totals,,107,14429,407,9
+   Totals,,107,14505,407,9

--- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNet.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNet.cs
@@ -138,7 +138,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
        }

        // The version number should be kept in sync with the version .NET version used for building the application.
-        public const string LatestDotNetSdkVersion = "9.0.100";
+        public const string LatestDotNetSdkVersion = "9.0.300";

        /// <summary>
        /// Returns a script for downloading relevant versions of the
--- a/csharp/paket.main_extension.bzl
+++ b/csharp/paket.main_extension.bzl
@@ -2,8 +2,9 @@

 load(":paket.main.bzl", _main = "main")

-def _main_impl(_ctx):
+def _main_impl(module_ctx):
    _main()
+    return module_ctx.extension_metadata(reproducible = True)

 main_extension = module_extension(
    implementation = _main_impl,
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.47
+version: 1.7.48-dev
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.47
+version: 1.7.48-dev
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/integration-tests/all-platforms/autobuild/global.json
+++ b/csharp/ql/integration-tests/all-platforms/autobuild/global.json
@@ -1,5 +1,5 @@
 {
    "sdk": {
-        "version": "9.0.100"
+        "version": "9.0.304"
    }
-}
+}
--- a/csharp/ql/integration-tests/all-platforms/binlog/global.json
+++ b/csharp/ql/integration-tests/all-platforms/binlog/global.json
@@ -1,5 +1,5 @@
 {
    "sdk": {
-        "version": "9.0.100"
+        "version": "9.0.304"
    }
 }
--- a/Show More
+++ b/Show More