remove javascript

Increase precision to high for cpp/static-buffer-overflow

.codeqlmanifest.json

@@ -1,5 +1,7 @@
 { "provide": [ "*/ql/src/qlpack.yml",
+               "*/ql/lib/qlpack.yml",
                "*/ql/test/qlpack.yml",
+               "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml",
                "*/ql/examples/qlpack.yml",
                "*/upgrades/qlpack.yml",
                "misc/legacy-support/*/qlpack.yml",

.gitattributes

@@ -48,3 +48,6 @@
 *.gif -text
 *.dll -text
 *.pdb -text
+
+java/ql/test/stubs/**/*.java linguist-generated=true
+java/ql/test/experimental/stubs/**/*.java linguist-generated=true

.github/workflows/check-change-note.yml

@@ -19,5 +19,5 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate |
-          jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' --exit-status
+          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' |
+          grep true -c

.github/workflows/codeql-analysis.yml

@@ -11,6 +11,8 @@ on:
       - 'rc/*'
     paths:
       - 'csharp/**'
+      - '.github/codeql/**'
+      - '.github/workflows/codeql-analysis.yml'
   schedule:
     - cron: '0 9 * * 1'
 
@@ -19,13 +21,18 @@ jobs:
 
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+      security-events: write
+      pull-requests: read
+
     steps:
     - name: Checkout repository
       uses: actions/checkout@v2
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@main
       # Override language selection by uncommenting this and choosing your languages
       with:
         languages: csharp
@@ -33,8 +40,8 @@ jobs:
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+    #- name: Autobuild
+    #  uses: github/codeql-action/autobuild@main
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -43,9 +50,8 @@ jobs:
     #    and modify them (or add more) to build your code if your project
     #    uses a compiled language
 
-    #- run: |
-    #   make bootstrap
-    #   make release
+    - run: |
+       dotnet build csharp
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@main

.github/workflows/csv-coverage-pr-artifacts.yml

@@ -0,0 +1,97 @@
+name: Check framework coverage changes
+
+on:
+  pull_request:
+    paths:
+      - '.github/workflows/csv-coverage-pr-comment.yml'
+      - '*/ql/src/**/*.ql'
+      - '*/ql/src/**/*.qll'
+      - 'misc/scripts/library-coverage/*.py'
+      # input data files
+      - '*/documentation/library-coverage/cwe-sink.csv'
+      - '*/documentation/library-coverage/frameworks.csv'
+    branches:
+      - main
+      - 'rc/*'
+
+jobs:
+  generate:
+    name: Generate framework coverage artifacts
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Dump GitHub context
+      env:
+        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
+      run: echo "$GITHUB_CONTEXT"
+    - name: Clone self (github/codeql) - MERGE
+      uses: actions/checkout@v2
+      with:
+        path: merge
+    - name: Clone self (github/codeql) - BASE
+      uses: actions/checkout@v2
+      with:
+        fetch-depth: 2
+        path: base
+    - run: |
+        git checkout HEAD^1
+        git log -1 --format='%H'
+      working-directory: base
+    - name: Set up Python 3.8
+      uses: actions/setup-python@v2
+      with:
+        python-version: 3.8
+    - name: Download CodeQL CLI
+      env:
+         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
+    - name: Unzip CodeQL CLI
+      run: unzip -d codeql-cli codeql-linux64.zip
+    - name: Generate CSV files on merge commit of the PR
+      run: |
+        echo "Running generator on merge"
+        PATH="$PATH:codeql-cli/codeql" python merge/misc/scripts/library-coverage/generate-report.py ci merge merge
+        mkdir out_merge
+        cp framework-coverage-*.csv out_merge/
+        cp framework-coverage-*.rst out_merge/
+    - name: Generate CSV files on base commit of the PR
+      run: |
+        echo "Running generator on base"
+        PATH="$PATH:codeql-cli/codeql" python base/misc/scripts/library-coverage/generate-report.py ci base base
+        mkdir out_base
+        cp framework-coverage-*.csv out_base/
+        cp framework-coverage-*.rst out_base/
+    - name: Generate diff of coverage reports
+      run: |
+        python base/misc/scripts/library-coverage/compare-folders.py out_base out_merge comparison.md
+    - name: Upload CSV package list
+      uses: actions/upload-artifact@v2
+      with:
+        name: csv-framework-coverage-merge
+        path: |
+          out_merge/framework-coverage-*.csv
+          out_merge/framework-coverage-*.rst
+    - name: Upload CSV package list
+      uses: actions/upload-artifact@v2
+      with:
+        name: csv-framework-coverage-base
+        path: |
+          out_base/framework-coverage-*.csv
+          out_base/framework-coverage-*.rst
+    - name: Upload comparison results
+      uses: actions/upload-artifact@v2
+      with:
+        name: comparison
+        path: |
+          comparison.md
+    - name: Save PR number
+      run: |
+        mkdir -p pr
+        echo ${{ github.event.pull_request.number }} > pr/NR
+    - name: Upload PR number
+      uses: actions/upload-artifact@v2
+      with:
+        name: pr
+        path: pr/

.github/workflows/csv-coverage-pr-comment.yml

@@ -0,0 +1,34 @@
+name: Comment on PR with framework coverage changes
+
+on:
+  workflow_run:
+    workflows: ["Check framework coverage changes"]
+    types:
+      - completed
+
+jobs:
+  check:
+    name: Check framework coverage differences and comment
+    runs-on: ubuntu-latest
+    if: >
+      ${{ github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success' }}
+
+    steps:
+    - name: Dump GitHub context
+      env:
+        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
+      run: echo "$GITHUB_CONTEXT"
+    - name: Clone self (github/codeql)
+      uses: actions/checkout@v2
+    - name: Set up Python 3.8
+      uses: actions/setup-python@v2
+      with:
+        python-version: 3.8
+
+    - name: Check coverage difference file and comment
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        RUN_ID: ${{ github.event.workflow_run.id }}
+      run: |
+        python misc/scripts/library-coverage/comment-pr.py "$GITHUB_REPOSITORY" "$RUN_ID"

.github/workflows/csv-coverage-timeseries.yml

@@ -0,0 +1,42 @@
+name: Build framework coverage timeseries reports
+
+on:
+  workflow_dispatch:
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Clone self (github/codeql)
+      uses: actions/checkout@v2
+      with:
+        path: script
+    - name: Clone self (github/codeql) for analysis
+      uses: actions/checkout@v2
+      with:
+        path: codeqlModels
+        fetch-depth: 0
+    - name: Set up Python 3.8
+      uses: actions/setup-python@v2
+      with:
+        python-version: 3.8
+    - name: Download CodeQL CLI
+      env:
+         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
+    - name: Unzip CodeQL CLI
+      run: unzip -d codeql-cli codeql-linux64.zip
+    - name: Build modeled package list
+      run: |
+        CLI=$(realpath "codeql-cli/codeql")
+        echo $CLI
+        PATH="$PATH:$CLI" python script/misc/scripts/library-coverage/generate-timeseries.py codeqlModels
+    - name: Upload timeseries CSV
+      uses: actions/upload-artifact@v2
+      with:
+        name: framework-coverage-timeseries
+        path: framework-coverage-timeseries-*.csv
+

.github/workflows/csv-coverage-update.yml

@@ -0,0 +1,44 @@
+name: Update framework coverage reports
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 0 * * *"
+
+jobs:
+  update:
+    name: Update framework coverage report
+    if: github.repository == 'github/codeql'
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Dump GitHub context
+      env:
+        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
+      run: echo "$GITHUB_CONTEXT"
+    - name: Clone self (github/codeql)
+      uses: actions/checkout@v2
+      with:
+        path: ql
+        fetch-depth: 0
+    - name: Set up Python 3.8
+      uses: actions/setup-python@v2
+      with:
+        python-version: 3.8
+    - name: Download CodeQL CLI
+      env:
+         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
+    - name: Unzip CodeQL CLI
+      run: unzip -d codeql-cli codeql-linux64.zip
+
+    - name: Generate coverage files
+      run: |
+        PATH="$PATH:codeql-cli/codeql" python ql/misc/scripts/library-coverage/generate-report.py ci ql ql
+
+    - name: Create pull request with changes
+      env:
+         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+        python ql/misc/scripts/library-coverage/create-pr.py ql "$GITHUB_REPOSITORY"

.github/workflows/csv-coverage.yml

@@ -0,0 +1,49 @@
+name: Build framework coverage reports
+
+on:
+  workflow_dispatch:
+    inputs:
+      qlModelShaOverride:
+        description: 'github/codeql repo SHA used for looking up the CSV models'
+        required: false
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Clone self (github/codeql)
+      uses: actions/checkout@v2
+      with:
+        path: script
+    - name: Clone self (github/codeql) for analysis
+      uses: actions/checkout@v2
+      with:
+        path: codeqlModels
+        ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}
+    - name: Set up Python 3.8
+      uses: actions/setup-python@v2
+      with:
+        python-version: 3.8
+    - name: Download CodeQL CLI
+      env:
+         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
+    - name: Unzip CodeQL CLI
+      run: unzip -d codeql-cli codeql-linux64.zip
+    - name: Build modeled package list
+      run: |
+        PATH="$PATH:codeql-cli/codeql" python script/misc/scripts/library-coverage/generate-report.py ci codeqlModels script
+    - name: Upload CSV package list
+      uses: actions/upload-artifact@v2
+      with:
+        name: framework-coverage-csv
+        path: framework-coverage-*.csv
+    - name: Upload RST package list
+      uses: actions/upload-artifact@v2
+      with:
+        name: framework-coverage-rst
+        path: framework-coverage-*.rst
+

CODEOWNERS

@@ -17,3 +17,9 @@
 /java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll @github/codeql-java @github/codeql-go
 /java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll @github/codeql-java @github/codeql-go
 /java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll @github/codeql-java @github/codeql-go
+
+# CodeQL tools and associated docs
+/docs/codeql-cli/ @github/codeql-cli-reviewers
+/docs/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers
+/docs/ql-language-reference/ @github/codeql-frontend-reviewers
+/docs/query-*-style-guide.md @github/codeql-analysis-reviewers

README.md

@@ -4,8 +4,8 @@ This open source repository contains the standard CodeQL libraries and queries t
 
 ## How do I learn CodeQL and run queries?
 
-There is [extensive documentation](https://help.semmle.com/QL/learn-ql/) on getting started with writing CodeQL.
-You can use the [interactive query console](https://lgtm.com/help/lgtm/using-query-console) on LGTM.com or the [CodeQL for Visual Studio Code](https://help.semmle.com/codeql/codeql-for-vscode.html) extension to try out your queries on any open source project that's currently being analyzed.
+There is [extensive documentation](https://codeql.github.com/docs/) on getting started with writing CodeQL.
+You can use the [interactive query console](https://lgtm.com/help/lgtm/using-query-console) on LGTM.com or the [CodeQL for Visual Studio Code](https://codeql.github.com/docs/codeql-for-visual-studio-code/) extension to try out your queries on any open source project that's currently being analyzed.
 
 ## Contributing
 

config/identical-files.json

@@ -1,327 +1,333 @@
 {
   "DataFlow Java/C++/C#/Python": [
-    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll",
-    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll",
-    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll",
-    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll",
-    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll",
-    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll",
-    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll",
-    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll",
-    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll",
-    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll"
+    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll",
+    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll",
+    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll",
+    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll",
+    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll",
+    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll",
+    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll"
   ],
   "DataFlow Java/C++/C#/Python Common": [
-    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll",
-    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll"
+    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll"
   ],
   "TaintTracking::Configuration Java/C++/C#/Python": [
-    "cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingImpl.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll",
-    "java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/tainttracking1/TaintTrackingImpl.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/tainttracking2/TaintTrackingImpl.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll"
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingImpl.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll",
+    "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking1/TaintTrackingImpl.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking2/TaintTrackingImpl.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll"
   ],
   "DataFlow Java/C++/C#/Python Consistency checks": [
-    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll",
-    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll"
+    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll"
   ],
   "DataFlow Java/C# Flow Summaries": [
-    "java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll"
+    "java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll"
   ],
   "SsaReadPosition Java/C#": [
-    "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
+    "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
   ],
   "Sign Java/C#": [
-    "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/Sign.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/Sign.qll"
+    "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/Sign.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/Sign.qll"
   ],
   "SignAnalysis Java/C#": [
-    "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll"
+    "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll"
   ],
   "Bound Java/C#": [
-    "java/ql/src/semmle/code/java/dataflow/Bound.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/Bound.qll"
+    "java/ql/lib/semmle/code/java/dataflow/Bound.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll"
   ],
   "ModulusAnalysis Java/C#": [
-    "java/ql/src/semmle/code/java/dataflow/ModulusAnalysis.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/ModulusAnalysis.qll"
+    "java/ql/lib/semmle/code/java/dataflow/ModulusAnalysis.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/ModulusAnalysis.qll"
   ],
   "C++ SubBasicBlocks": [
-    "cpp/ql/src/semmle/code/cpp/controlflow/SubBasicBlocks.qll",
-    "cpp/ql/src/semmle/code/cpp/dataflow/internal/SubBasicBlocks.qll"
+    "cpp/ql/lib/semmle/code/cpp/controlflow/SubBasicBlocks.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/SubBasicBlocks.qll"
   ],
   "IR Instruction": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/Instruction.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Instruction.qll"
   ],
   "IR IRBlock": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRBlock.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRBlock.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/IRBlock.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRBlock.qll"
   ],
   "IR IRVariable": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRVariable.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRVariable.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/IRVariable.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRVariable.qll"
   ],
   "IR IRFunction": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRFunction.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRFunction.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRFunction.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRFunction.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRFunction.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRFunction.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/IRFunction.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRFunction.qll"
   ],
   "IR Operand": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Operand.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Operand.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/Operand.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Operand.qll"
   ],
   "IR IRType": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/IRType.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/IRType.qll",
     "csharp/ql/src/experimental/ir/implementation/IRType.qll"
   ],
   "IR IRConfiguration": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/IRConfiguration.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/IRConfiguration.qll",
     "csharp/ql/src/experimental/ir/implementation/IRConfiguration.qll"
   ],
   "IR UseSoundEscapeAnalysis": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/UseSoundEscapeAnalysis.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/UseSoundEscapeAnalysis.qll",
     "csharp/ql/src/experimental/ir/implementation/UseSoundEscapeAnalysis.qll"
   ],
   "IR IRFunctionBase": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/IRFunctionBase.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/IRFunctionBase.qll",
     "csharp/ql/src/experimental/ir/implementation/internal/IRFunctionBase.qll"
   ],
   "IR Operand Tag": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/OperandTag.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/OperandTag.qll",
     "csharp/ql/src/experimental/ir/implementation/internal/OperandTag.qll"
   ],
   "IR TInstruction": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TInstruction.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TInstruction.qll",
     "csharp/ql/src/experimental/ir/implementation/internal/TInstruction.qll"
   ],
   "IR TIRVariable": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TIRVariable.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TIRVariable.qll",
     "csharp/ql/src/experimental/ir/implementation/internal/TIRVariable.qll"
   ],
   "IR IR": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IR.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IR.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IR.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IR.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/IR.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IR.qll"
   ],
   "IR IRConsistency": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRConsistency.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRConsistency.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRConsistency.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRConsistency.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/IRConsistency.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRConsistency.qll"
   ],
   "IR PrintIR": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/PrintIR.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/PrintIR.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/PrintIR.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/PrintIR.qll"
   ],
   "IR IntegerConstant": [
-    "cpp/ql/src/semmle/code/cpp/ir/internal/IntegerConstant.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/internal/IntegerConstant.qll",
     "csharp/ql/src/experimental/ir/internal/IntegerConstant.qll"
   ],
   "IR IntegerInteval": [
-    "cpp/ql/src/semmle/code/cpp/ir/internal/IntegerInterval.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/internal/IntegerInterval.qll",
     "csharp/ql/src/experimental/ir/internal/IntegerInterval.qll"
   ],
   "IR IntegerPartial": [
-    "cpp/ql/src/semmle/code/cpp/ir/internal/IntegerPartial.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/internal/IntegerPartial.qll",
     "csharp/ql/src/experimental/ir/internal/IntegerPartial.qll"
   ],
   "IR Overlap": [
-    "cpp/ql/src/semmle/code/cpp/ir/internal/Overlap.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/internal/Overlap.qll",
     "csharp/ql/src/experimental/ir/internal/Overlap.qll"
   ],
   "IR EdgeKind": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/EdgeKind.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll",
     "csharp/ql/src/experimental/ir/implementation/EdgeKind.qll"
   ],
   "IR MemoryAccessKind": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll",
     "csharp/ql/src/experimental/ir/implementation/MemoryAccessKind.qll"
   ],
   "IR TempVariableTag": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/TempVariableTag.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/TempVariableTag.qll",
     "csharp/ql/src/experimental/ir/implementation/TempVariableTag.qll"
   ],
   "IR Opcode": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/Opcode.qll",
     "csharp/ql/src/experimental/ir/implementation/Opcode.qll"
   ],
   "IR SSAConsistency": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConsistency.qll"
   ],
   "C++ IR InstructionImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/InstructionImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/InstructionImports.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/InstructionImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/InstructionImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/InstructionImports.qll"
   ],
   "C++ IR IRImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRImports.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRImports.qll"
   ],
   "C++ IR IRBlockImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRBlockImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRBlockImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRBlockImports.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRBlockImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRBlockImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRBlockImports.qll"
   ],
   "C++ IR IRFunctionImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRFunctionImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRFunctionImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRFunctionImports.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRFunctionImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRFunctionImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRFunctionImports.qll"
   ],
   "C++ IR IRVariableImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRVariableImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRVariableImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRVariableImports.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRVariableImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRVariableImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRVariableImports.qll"
   ],
   "C++ IR OperandImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/OperandImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/OperandImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/OperandImports.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/OperandImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/OperandImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/OperandImports.qll"
   ],
   "C++ IR PrintIRImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/PrintIRImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintIRImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintIRImports.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/PrintIRImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintIRImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintIRImports.qll"
   ],
   "C++ SSA SSAConstructionImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstructionImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstructionImports.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstructionImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstructionImports.qll"
   ],
   "SSA AliasAnalysis": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll"
   ],
+  "SSA PrintAliasAnalysis": [
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintAliasAnalysis.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintAliasAnalysis.qll"
+  ],
   "C++ SSA AliasAnalysisImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysisImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysisImports.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysisImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysisImports.qll"
   ],
   "C++ IR ValueNumberingImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingImports.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingImports.qll"
   ],
   "IR SSA SimpleSSA": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll"
   ],
   "IR AliasConfiguration (unaliased_ssa)": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll"
   ],
   "IR SSA SSAConstruction": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll"
   ],
   "IR SSA PrintSSA": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/PrintSSA.qll"
   ],
   "IR ValueNumberInternal": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingInternal.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingInternal.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll"
   ],
   "C++ IR ValueNumber": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/gvn/ValueNumbering.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll"
   ],
   "C++ IR PrintValueNumbering": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/PrintValueNumbering.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/PrintValueNumbering.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/PrintValueNumbering.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/PrintValueNumbering.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/PrintValueNumbering.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/PrintValueNumbering.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/gvn/PrintValueNumbering.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/PrintValueNumbering.qll"
   ],
   "C++ IR ConstantAnalysis": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/constant/ConstantAnalysis.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/constant/ConstantAnalysis.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/constant/ConstantAnalysis.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/constant/ConstantAnalysis.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/constant/ConstantAnalysis.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/constant/ConstantAnalysis.qll"
   ],
   "C++ IR PrintConstantAnalysis": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/constant/PrintConstantAnalysis.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/constant/PrintConstantAnalysis.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/constant/PrintConstantAnalysis.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/constant/PrintConstantAnalysis.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/constant/PrintConstantAnalysis.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/constant/PrintConstantAnalysis.qll"
   ],
   "C++ IR ReachableBlock": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/ReachableBlock.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/ReachableBlock.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/reachability/ReachableBlock.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/ReachableBlock.qll"
   ],
   "C++ IR PrintReachableBlock": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintReachableBlock.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintReachableBlock.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintReachableBlock.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintReachableBlock.qll"
   ],
   "C++ IR Dominance": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/Dominance.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/Dominance.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/reachability/Dominance.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/Dominance.qll"
   ],
   "C++ IR PrintDominance": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintDominance.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintDominance.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintDominance.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintDominance.qll"
   ],
   "C# IR InstructionImports": [
     "csharp/ql/src/experimental/ir/implementation/raw/internal/InstructionImports.qll",
@@ -356,8 +362,8 @@
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll"
   ],
   "C# ControlFlowReachability": [
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/ControlFlowReachability.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/ControlFlowReachability.qll"
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/ControlFlowReachability.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ControlFlowReachability.qll"
   ],
   "Inline Test Expectations": [
     "cpp/ql/test/TestUtilities/InlineExpectationsTest.qll",
@@ -373,11 +379,11 @@
     "cpp/ql/src/Security/CWE/CWE-020/ir/SafeExternalAPIFunction.qll"
   ],
   "XML": [
-    "cpp/ql/src/semmle/code/cpp/XML.qll",
-    "csharp/ql/src/semmle/code/csharp/XML.qll",
-    "java/ql/src/semmle/code/xml/XML.qll",
-    "javascript/ql/src/semmle/javascript/XML.qll",
-    "python/ql/src/semmle/python/xml/XML.qll"
+    "cpp/ql/lib/semmle/code/cpp/XML.qll",
+    "csharp/ql/lib/semmle/code/csharp/XML.qll",
+    "java/ql/lib/semmle/code/xml/XML.qll",
+    "javascript/ql/lib/semmle/javascript/XML.qll",
+    "python/ql/lib/semmle/python/xml/XML.qll"
   ],
   "DuplicationProblems.inc.qhelp": [
     "cpp/ql/src/Metrics/Files/DuplicationProblems.inc.qhelp",
@@ -431,13 +437,29 @@
     "python/ql/src/analysis/IDEContextual.qll"
   ],
   "SSA C#": [
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll",
-    "csharp/ql/src/semmle/code/csharp/controlflow/internal/pressa/SsaImplCommon.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/basessa/SsaImplCommon.qll",
-    "csharp/ql/src/semmle/code/cil/internal/SsaImplCommon.qll"
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll",
+    "csharp/ql/lib/semmle/code/csharp/controlflow/internal/pressa/SsaImplCommon.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/basessa/SsaImplCommon.qll",
+    "csharp/ql/lib/semmle/code/cil/internal/SsaImplCommon.qll"
   ],
   "CryptoAlgorithms Python/JS": [
-    "javascript/ql/src/semmle/javascript/security/CryptoAlgorithms.qll",
-    "python/ql/src/semmle/crypto/Crypto.qll"
+    "javascript/ql/lib/semmle/javascript/security/CryptoAlgorithms.qll",
+    "python/ql/lib/semmle/python/concepts/CryptoAlgorithms.qll"
+  ],
+  "SensitiveDataHeuristics Python/JS": [
+    "javascript/ql/lib/semmle/javascript/security/internal/SensitiveDataHeuristics.qll",
+    "python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qll"
+  ],
+  "ReDoS Util Python/JS": [
+    "javascript/ql/lib/semmle/javascript/security/performance/ReDoSUtil.qll",
+    "python/ql/lib/semmle/python/security/performance/ReDoSUtil.qll"
+  ],
+  "ReDoS Exponential Python/JS": [
+    "javascript/ql/lib/semmle/javascript/security/performance/ExponentialBackTracking.qll",
+    "python/ql/lib/semmle/python/security/performance/ExponentialBackTracking.qll"
+  ],
+  "ReDoS Polynomial Python/JS": [
+    "javascript/ql/lib/semmle/javascript/security/performance/SuperlinearBackTracking.qll",
+    "python/ql/lib/semmle/python/security/performance/SuperlinearBackTracking.qll"
   ]
 }

cpp/change-notes/2021-03-11-overflow-abs.md

@@ -0,0 +1,2 @@
+lgtm
+* The `cpp/tainted-arithmetic`, `cpp/arithmetic-with-extreme-values`, and `cpp/uncontrolled-arithmetic` queries now recognize more functions as returning the absolute value of their input. As a result, they produce fewer false positives.

cpp/change-notes/2021-04-09-unsigned-difference-expression-compared-zero.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The 'Unsigned difference expression compared to zero' (cpp/unsigned-difference-expression-compared-zero) query has been improved to produce fewer false positive results.

cpp/change-notes/2021-04-26-more-sound-expr-might-overflow.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The `exprMightOverflowPositively` and `exprMightOverflowNegatively` predicates from the `SimpleRangeAnalysis` library now recognize more expressions that might overflow.

cpp/change-notes/2021-05-10-comparison-with-wider-type.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The 'Comparison with wider type' (cpp/comparison-with-wider-type) query has been improved to produce fewer false positives.

cpp/change-notes/2021-05-12-uncontrolled-arithmetic.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query "Uncontrolled arithmetic" (`cpp/uncontrolled-arithmetic`) has been improved to produce fewer false positives.

cpp/change-notes/2021-05-14-uncontrolled-allocation-size.md

@@ -0,0 +1,2 @@
+lgtm
+* The "Tainted allocation size" query (cpp/uncontrolled-allocation-size) has been improved to produce fewer false positives.

cpp/change-notes/2021-05-18-static-buffer-overflow.md

@@ -0,0 +1,2 @@
+lgtm
+* The "Static buffer overflow" query (cpp/static-buffer-overflow) has been improved to produce fewer false positives.

cpp/change-notes/2021-05-19-weak-cryptographic-algorithm.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The "Use of a broken or risky cryptographic algorithm" (`cpp/weak-cryptographic-algorithm`) query has been enhanced to reduce false positive results, and (rarely) find more true positive results.

cpp/change-notes/2021-05-20-incorrect-allocation-error-handling.md

@@ -0,0 +1,2 @@
+lgtm
+* A new query (`cpp/incorrect-allocation-error-handling`) has been added. The query finds incorrect error-handling of calls to `operator new`. This query was originally [submitted as an experimental query by @ihsinme](https://github.com/github/codeql/pull/5010).

cpp/change-notes/2021-05-20-ref-qualifiers.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* lvalue/rvalue ref qualifiers are now accessible via the new predicates on `MemberFunction`(`.isLValueRefQualified`, `.isRValueRefQualified`, and `isRefQualified`).

cpp/change-notes/2021-05-21-unsafe-strncat.md

@@ -0,0 +1,2 @@
+lgtm
+* The "Potentially unsafe call to strncat" query (cpp/unsafe-strncat) query has been improved to detect more cases of unsafe calls to `strncat`.

cpp/change-notes/2021-06-10-std-types.md

@@ -0,0 +1,4 @@
+lgtm,codescanning
+* Added definitions for types found in `cstdint`. Added types `FixedWidthIntegralType`, `MinimumWidthIntegralType`, `FastestMinimumWidthIntegralType`, and `MaximumWidthIntegralType` to describe types such as `int8_t`, `int_least8_t`, `int_fast8_t`, and `intmax_t` respectively. 
+* Changed definition of `Intmax_t` and `Uintmax_t` to be part of the new type structure. 
+* Added a type `FixedWidthEnumType` which describes enums based on a fixed-width integer type. For instance, `enum e: uint8_t = { a, b };`.

cpp/change-notes/2021-06-21-weak-cryptographic-algorithm.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The "Use of a broken or risky cryptographic algorithm" (`cpp/weak-cryptographic-algorithm`) query has been further improved to reduce false positives and its `@precision` increased to `high`.

cpp/change-notes/2021-06-22-sql-tainted.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The 'Uncontrolled data in SQL query' (cpp/sql-injection) query now supports the `libpqxx` library.

cpp/change-notes/2021-06-24-dataflow-implicit-reads.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The DataFlow libraries have been augmented with support for `Configuration`-specific in-place read steps at, for example, sinks and custom taint steps. This means that it is now possible to specify sinks that accept flow with non-empty access paths.

cpp/change-notes/2021-06-24-uncontrolled-arithmetic.md

@@ -0,0 +1,2 @@
+lgtm
+* The 'Uncontrolled data in arithmetic expression' (cpp/uncontrolled-arithmetic) query now recognizes more sources of randomness.

cpp/change-notes/2021-06-30-wrong-type-format-argument.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The 'Wrong type of arguments to formatting function' (cpp/wrong-type-format-argument) query is now more accepting of the string and character formatting differences between Microsoft and non-Microsoft platforms.  There are now fewer false positive results.

cpp/change-notes/2021-07-13-cleartext-storage-file.md

@@ -0,0 +1,3 @@
+lgtm,codescanning
+* The "Cleartext storage of sensitive information in file" (cpp/cleartext-storage-file) query now uses dataflow to produce additional results.
+* Heuristics in the SensitiveExprs.qll library have been improved, making the "Cleartext storage of sensitive information in file" (cpp/cleartext-storage-file), "Cleartext storage of sensitive information in buffer" (cpp/cleartext-storage-buffer) and "Cleartext storage of sensitive information in an SQLite" (cpp/cleartext-storage-database) queries more accurate.

cpp/change-notes/2021-07-20-toctou-race-condition.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Improvements have been made to the `cpp/toctou-race-condition` query, both to find more correct results and fewer false positive results.

cpp/change-notes/2021-07-27-uncontrolled-arithmetic.md

@@ -0,0 +1,2 @@
+lgtm
+* Improvements made to the (`cpp/uncontrolled-arithmetic`) query, reducing the frequency of false positive results.

cpp/change-notes/2021-07-29-virtual-function-declaration-specifiers.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Virtual function specifiers are now accessible via the new predicates on `Function` (`.isDeclaredVirtual`, `.isOverride`, and `.isFinal`).

cpp/change-notes/2021-08-10-has-trailing-return-type.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added `Function.hasTrailingReturnType` predicate to check whether a function was declared with a trailing return type.

cpp/change-notes/2021-08-17-has-c-linkage.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added `RoutineType.hasCLinkage` predicate to check whether a function type has "C" language linkage.

cpp/change-notes/2021-08-23-ctime-weaken-claims.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Lowered the precision of `cpp/potentially-dangerous-function` so it is run but not displayed on LGTM by default and so it's only run and displayed on Code Scanning if a broader suite like `cpp-security-extended` is opted into.

cpp/change-notes/2021-08-23-getPrimaryQlClasses.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added `Element.getPrimaryQlClasses()` predicate, which gets a comma-separated list of the names of the primary CodeQL classes to which this element belongs.

cpp/change-notes/2021-08-24-implicit-downcast-from-bitfield.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query `cpp/implicit-bitfield-downcast` now accounts for C++ reference types, which leads to more true positive results.

cpp/change-notes/2021-08-31-range-analysis-upper-bound.md

@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The `SimpleRangeAnalysis` library includes information from the
+  immediate guard for determining the upper bound of a stack
+  variable for improved accuracy.

cpp/change-notes/2021-09-13-overflow-static.md

@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The `memberMayBeVarSize` predicate considers more fields to be variable size.
+  As a result, the "Static buffer overflow" query (cpp/static-buffer-overflow)
+  produces fewer false positives.

cpp/change-notes/2021-09-27-overflow-static.md

@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Increase precision to high for the "Static buffer overflow" query
+  (`cpp/static-buffer-overflow`). This means the query is run and displayed by default on Code Scanning and LGTM.

cpp/ql/examples/qlpack.lock.yml

@@ -0,0 +1,4 @@
+---
+dependencies: {}
+compiled: false
+lockVersion: 1.0.0

cpp/ql/examples/qlpack.yml

@@ -1,3 +1,4 @@
-name: codeql-cpp-examples
-version: 0.0.0
-libraryPathDependencies: codeql-cpp
+name: codeql/cpp-examples
+version: 0.0.2
+dependencies:
+  codeql/cpp-all: "*"

cpp/ql/lib/qlpack.lock.yml

@@ -0,0 +1,4 @@
+---
+dependencies: {}
+compiled: false
+lockVersion: 1.0.0

cpp/ql/lib/qlpack.yml

@@ -0,0 +1,7 @@
+name: codeql/cpp-all
+version: 0.0.2
+dbscheme: semmlecode.cpp.dbscheme
+extractor: cpp
+library: true
+dependencies:
+  codeql/cpp-upgrades: 0.0.2

cpp/ql/lib/semmle/code/cpp/Element.qll

@@ -0,0 +1,297 @@
+/**
+ * Provides the `Element` class, which is the base class for all classes representing C or C++
+ * program elements.
+ */
+
+import semmle.code.cpp.Location
+private import semmle.code.cpp.Enclosing
+private import semmle.code.cpp.internal.ResolveClass
+
+/**
+ * Get the `Element` that represents this `@element`.
+ * Normally this will simply be a cast of `e`, but sometimes it is not.
+ * For example, for an incomplete struct `e` the result may be a
+ * complete struct with the same name.
+ */
+pragma[inline]
+Element mkElement(@element e) { unresolveElement(result) = e }
+
+/**
+ * INTERNAL: Do not use.
+ *
+ * Gets an `@element` that resolves to the `Element`. This should
+ * normally only be called from member predicates, where `e` is not
+ * `this` and you need the result for an argument to a database
+ * extensional.
+ * See `underlyingElement` for when `e` is `this`.
+ */
+pragma[inline]
+@element unresolveElement(Element e) {
+  not result instanceof @usertype and
+  result = e
+  or
+  e = resolveClass(result)
+}
+
+/**
+ * INTERNAL: Do not use.
+ *
+ * Gets the `@element` that this `Element` extends. This should normally
+ * only be called from member predicates, where `e` is `this` and you
+ * need the result for an argument to a database extensional.
+ * See `unresolveElement` for when `e` is not `this`.
+ */
+@element underlyingElement(Element e) { result = e }
+
+/**
+ * A C/C++ element with no member predicates other than `toString`. Not for
+ * general use. This class does not define a location, so classes wanting to
+ * change their location without affecting other classes can extend
+ * `ElementBase` instead of `Element` to create a new rootdef for `getURL`,
+ * `getLocation`, or `hasLocationInfo`.
+ */
+class ElementBase extends @element {
+  /** Gets a textual representation of this element. */
+  cached
+  string toString() { none() }
+
+  /** DEPRECATED: use `getAPrimaryQlClass` instead. */
+  deprecated string getCanonicalQLClass() { result = this.getAPrimaryQlClass() }
+
+  /**
+   * Gets a comma-separated list of the names of the primary CodeQL classes to which this element belongs.
+   */
+  final string getPrimaryQlClasses() { result = concat(getAPrimaryQlClass(), ",") }
+
+  /**
+   * Gets the name of a primary CodeQL class to which this element belongs.
+   *
+   * For most elements, this is simply the most precise syntactic category to
+   * which they belong; for example, `AddExpr` is a primary class, but
+   * `BinaryOperation` is not.
+   *
+   * This predicate can have multiple results if multiple primary classes match.
+   * For some elements, this predicate may not have a result.
+   */
+  string getAPrimaryQlClass() { none() }
+}
+
+/**
+ * A C/C++ element. This class is the base class for all C/C++
+ * elements, such as functions, classes, expressions, and so on.
+ */
+class Element extends ElementBase {
+  /** Gets the primary file where this element occurs. */
+  File getFile() { result = this.getLocation().getFile() }
+
+  /**
+   * Holds if this element may be from source. This predicate holds for all
+   * elements, except for those in the dummy file, whose name is the empty string.
+   * The dummy file contains declarations that are built directly into the compiler.
+   */
+  predicate fromSource() { this.getFile().fromSource() }
+
+  /**
+   * Holds if this element may be from a library.
+   *
+   * DEPRECATED: always true.
+   */
+  deprecated predicate fromLibrary() { this.getFile().fromLibrary() }
+
+  /** Gets the primary location of this element. */
+  Location getLocation() { none() }
+
+  /**
+   * Gets the source of this element: either itself or a macro that expanded
+   * to this element.
+   *
+   * If the element is not in a macro expansion, then the "root" is just
+   * the element itself. Otherwise, it is the definition of the innermost
+   * macro whose expansion the element is in.
+   *
+   * This method is useful for filtering macro results in checks: simply
+   * blame `e.findRootCause` rather than `e`. This will report only bugs
+   * that are not in macros, and in addition report macros that (somewhere)
+   * expand to a bug.
+   */
+  Element findRootCause() {
+    if exists(MacroInvocation mi | this = mi.getAGeneratedElement())
+    then
+      exists(MacroInvocation mi |
+        this = mi.getAGeneratedElement() and
+        not exists(MacroInvocation closer |
+          this = closer.getAGeneratedElement() and
+          mi = closer.getParentInvocation+()
+        ) and
+        result = mi.getMacro()
+      )
+    else result = this
+  }
+
+  /**
+   * Gets the parent scope of this `Element`, if any.
+   * A scope is a `Type` (`Class` / `Enum`), a `Namespace`, a `BlockStmt`, a `Function`,
+   * or certain kinds of `Statement`.
+   */
+  Element getParentScope() {
+    // result instanceof class
+    exists(Declaration m |
+      m = this and
+      result = m.getDeclaringType() and
+      not this instanceof EnumConstant
+    )
+    or
+    exists(TemplateClass tc | this = tc.getATemplateArgument() and result = tc)
+    or
+    // result instanceof namespace
+    exists(Namespace n | result = n and n.getADeclaration() = this)
+    or
+    exists(FriendDecl d, Namespace n | this = d and n.getADeclaration() = d and result = n)
+    or
+    exists(Namespace n | this = n and result = n.getParentNamespace())
+    or
+    // result instanceof stmt
+    exists(LocalVariable v |
+      this = v and
+      exists(DeclStmt ds | ds.getADeclaration() = v and result = ds.getParent())
+    )
+    or
+    exists(Parameter p | this = p and result = p.getFunction())
+    or
+    exists(GlobalVariable g, Namespace n | this = g and n.getADeclaration() = g and result = n)
+    or
+    exists(EnumConstant e | this = e and result = e.getDeclaringEnum())
+    or
+    // result instanceof block|function
+    exists(BlockStmt b | this = b and blockscope(unresolveElement(b), unresolveElement(result)))
+    or
+    exists(TemplateFunction tf | this = tf.getATemplateArgument() and result = tf)
+    or
+    // result instanceof stmt
+    exists(ControlStructure s | this = s and result = s.getParent())
+    or
+    using_container(unresolveElement(result), underlyingElement(this))
+  }
+
+  /**
+   * Holds if this element comes from a macro expansion. Only elements that
+   * are entirely generated by a macro are included - for elements that
+   * partially come from a macro, see `isAffectedByMacro`.
+   */
+  predicate isInMacroExpansion() { inMacroExpansion(this) }
+
+  /**
+   * Holds if this element is affected in any way by a macro. All elements
+   * that are totally or partially generated by a macro are included, so
+   * this is a super-set of `isInMacroExpansion`.
+   */
+  predicate isAffectedByMacro() { affectedByMacro(this) }
+
+  private Element getEnclosingElementPref() {
+    enclosingfunction(underlyingElement(this), unresolveElement(result)) or
+    result.(Function) = stmtEnclosingElement(this) or
+    this.(LocalScopeVariable).getFunction() = result or
+    enumconstants(underlyingElement(this), unresolveElement(result), _, _, _, _) or
+    derivations(underlyingElement(this), unresolveElement(result), _, _, _) or
+    stmtparents(underlyingElement(this), _, unresolveElement(result)) or
+    exprparents(underlyingElement(this), _, unresolveElement(result)) or
+    namequalifiers(underlyingElement(this), unresolveElement(result), _, _) or
+    initialisers(underlyingElement(this), unresolveElement(result), _, _) or
+    exprconv(unresolveElement(result), underlyingElement(this)) or
+    param_decl_bind(underlyingElement(this), _, unresolveElement(result)) or
+    using_container(unresolveElement(result), underlyingElement(this)) or
+    static_asserts(unresolveElement(this), _, _, _, underlyingElement(result))
+  }
+
+  /** Gets the closest `Element` enclosing this one. */
+  cached
+  Element getEnclosingElement() {
+    result = getEnclosingElementPref()
+    or
+    not exists(getEnclosingElementPref()) and
+    (
+      this = result.(Class).getAMember()
+      or
+      result = exprEnclosingElement(this)
+      or
+      var_decls(underlyingElement(this), unresolveElement(result), _, _, _)
+    )
+  }
+
+  /**
+   * Holds if this `Element` is a part of a template instantiation (but not
+   * the template itself).
+   */
+  predicate isFromTemplateInstantiation(Element instantiation) {
+    exists(Element e | isFromTemplateInstantiationRec(e, instantiation) |
+      this = e or
+      this.(DeclarationEntry).getDeclaration() = e
+    )
+  }
+
+  /**
+   * Holds if this `Element` is part of a template `template` (not if it is
+   * part of an instantiation of `template`). This means it is represented in
+   * the database purely as syntax and without guarantees on the presence or
+   * correctness of type-based operations such as implicit conversions.
+   *
+   * If an element is nested within several templates, this predicate holds with
+   * a value of `template` for each containing template.
+   */
+  predicate isFromUninstantiatedTemplate(Element template) {
+    exists(Element e | isFromUninstantiatedTemplateRec(e, template) |
+      this = e or
+      this.(DeclarationEntry).getDeclaration() = e
+    )
+  }
+}
+
+private predicate isFromTemplateInstantiationRec(Element e, Element instantiation) {
+  instantiation.(Function).isConstructedFrom(_) and
+  e = instantiation
+  or
+  instantiation.(Class).isConstructedFrom(_) and
+  e = instantiation
+  or
+  instantiation.(Variable).isConstructedFrom(_) and
+  e = instantiation
+  or
+  isFromTemplateInstantiationRec(e.getEnclosingElement(), instantiation)
+}
+
+private predicate isFromUninstantiatedTemplateRec(Element e, Element template) {
+  is_class_template(unresolveElement(template)) and
+  e = template
+  or
+  is_function_template(unresolveElement(template)) and
+  e = template
+  or
+  is_variable_template(unresolveElement(template)) and
+  e = template
+  or
+  isFromUninstantiatedTemplateRec(e.getEnclosingElement(), template)
+}
+
+/**
+ * A C++11 `static_assert` or C11 `_Static_assert` construct. For example each
+ * line in the following example contains a static assert:
+ * ```
+ * static_assert(sizeof(MyStruct) <= 4096);
+ * static_assert(sizeof(MyStruct) <= 4096, "MyStruct is too big!");
+ * ```
+ */
+class StaticAssert extends Locatable, @static_assert {
+  override string toString() { result = "static_assert(..., \"" + getMessage() + "\")" }
+
+  /**
+   * Gets the expression which this static assertion ensures is true.
+   */
+  Expr getCondition() { static_asserts(underlyingElement(this), unresolveElement(result), _, _, _) }
+
+  /**
+   * Gets the message which will be reported by the compiler if this static assertion fails.
+   */
+  string getMessage() { static_asserts(underlyingElement(this), _, result, _, _) }
+
+  override Location getLocation() { static_asserts(underlyingElement(this), _, _, result, _) }
+}

cpp/ql/lib/semmle/code/cpp/File.qll

@@ -0,0 +1,448 @@
+/**
+ * Provides classes representing files and folders.
+ */
+
+import semmle.code.cpp.Element
+import semmle.code.cpp.Declaration
+import semmle.code.cpp.metrics.MetricFile
+
+/** A file or folder. */
+class Container extends Locatable, @container {
+  /**
+   * Gets the absolute, canonical path of this container, using forward slashes
+   * as path separator.
+   *
+   * The path starts with a _root prefix_ followed by zero or more _path
+   * segments_ separated by forward slashes.
+   *
+   * The root prefix is of one of the following forms:
+   *
+   *   1. A single forward slash `/` (Unix-style)
+   *   2. An upper-case drive letter followed by a colon and a forward slash,
+   *      such as `C:/` (Windows-style)
+   *   3. Two forward slashes, a computer name, and then another forward slash,
+   *      such as `//FileServer/` (UNC-style)
+   *
+   * Path segments are never empty (that is, absolute paths never contain two
+   * contiguous slashes, except as part of a UNC-style root prefix). Also, path
+   * segments never contain forward slashes, and no path segment is of the
+   * form `.` (one dot) or `..` (two dots).
+   *
+   * Note that an absolute path never ends with a forward slash, except if it is
+   * a bare root prefix, that is, the path has no path segments. A container
+   * whose absolute path has no segments is always a `Folder`, not a `File`.
+   */
+  string getAbsolutePath() { none() } // overridden by subclasses
+
+  /**
+   * DEPRECATED: Use `getLocation` instead.
+   * Gets a URL representing the location of this container.
+   *
+   * For more information see [Providing URLs](https://help.semmle.com/QL/learn-ql/ql/locations.html#providing-urls).
+   */
+  deprecated string getURL() { none() } // overridden by subclasses
+
+  /**
+   * Gets the relative path of this file or folder from the root folder of the
+   * analyzed source location. The relative path of the root folder itself is
+   * the empty string.
+   *
+   * This has no result if the container is outside the source root, that is,
+   * if the root folder is not a reflexive, transitive parent of this container.
+   */
+  string getRelativePath() {
+    exists(string absPath, string pref |
+      absPath = getAbsolutePath() and sourceLocationPrefix(pref)
+    |
+      absPath = pref and result = ""
+      or
+      absPath = pref.regexpReplaceAll("/$", "") + "/" + result and
+      not result.matches("/%")
+    )
+  }
+
+  /**
+   * Gets the base name of this container including extension, that is, the last
+   * segment of its absolute path, or the empty string if it has no segments.
+   *
+   * Here are some examples of absolute paths and the corresponding base names
+   * (surrounded with quotes to avoid ambiguity):
+   *
+   * <table border="1">
+   * <tr><th>Absolute path</th><th>Base name</th></tr>
+   * <tr><td>"/tmp/tst.js"</td><td>"tst.js"</td></tr>
+   * <tr><td>"C:/Program Files (x86)"</td><td>"Program Files (x86)"</td></tr>
+   * <tr><td>"/"</td><td>""</td></tr>
+   * <tr><td>"C:/"</td><td>""</td></tr>
+   * <tr><td>"D:/"</td><td>""</td></tr>
+   * <tr><td>"//FileServer/"</td><td>""</td></tr>
+   * </table>
+   */
+  string getBaseName() {
+    result = getAbsolutePath().regexpCapture(".*/(([^/]*?)(?:\\.([^.]*))?)", 1)
+  }
+
+  /**
+   * Gets the extension of this container, that is, the suffix of its base name
+   * after the last dot character, if any.
+   *
+   * In particular,
+   *
+   *  - if the name does not include a dot, there is no extension, so this
+   *    predicate has no result;
+   *  - if the name ends in a dot, the extension is the empty string;
+   *  - if the name contains multiple dots, the extension follows the last dot.
+   *
+   * Here are some examples of absolute paths and the corresponding extensions
+   * (surrounded with quotes to avoid ambiguity):
+   *
+   * <table border="1">
+   * <tr><th>Absolute path</th><th>Extension</th></tr>
+   * <tr><td>"/tmp/tst.js"</td><td>"js"</td></tr>
+   * <tr><td>"/tmp/.classpath"</td><td>"classpath"</td></tr>
+   * <tr><td>"/bin/bash"</td><td>not defined</td></tr>
+   * <tr><td>"/tmp/tst2."</td><td>""</td></tr>
+   * <tr><td>"/tmp/x.tar.gz"</td><td>"gz"</td></tr>
+   * </table>
+   */
+  string getExtension() { result = getAbsolutePath().regexpCapture(".*/([^/]*?)(\\.([^.]*))?", 3) }
+
+  /**
+   * Gets the stem of this container, that is, the prefix of its base name up to
+   * (but not including) the last dot character if there is one, or the entire
+   * base name if there is not.
+   *
+   * Here are some examples of absolute paths and the corresponding stems
+   * (surrounded with quotes to avoid ambiguity):
+   *
+   * <table border="1">
+   * <tr><th>Absolute path</th><th>Stem</th></tr>
+   * <tr><td>"/tmp/tst.js"</td><td>"tst"</td></tr>
+   * <tr><td>"/tmp/.classpath"</td><td>""</td></tr>
+   * <tr><td>"/bin/bash"</td><td>"bash"</td></tr>
+   * <tr><td>"/tmp/tst2."</td><td>"tst2"</td></tr>
+   * <tr><td>"/tmp/x.tar.gz"</td><td>"x.tar"</td></tr>
+   * </table>
+   */
+  string getStem() { result = getAbsolutePath().regexpCapture(".*/([^/]*?)(?:\\.([^.]*))?", 1) }
+
+  /** Gets the parent container of this file or folder, if any. */
+  Container getParentContainer() {
+    containerparent(unresolveElement(result), underlyingElement(this))
+  }
+
+  /** Gets a file or sub-folder in this container. */
+  Container getAChildContainer() { this = result.getParentContainer() }
+
+  /** Gets a file in this container. */
+  File getAFile() { result = getAChildContainer() }
+
+  /** Gets the file in this container that has the given `baseName`, if any. */
+  File getFile(string baseName) {
+    result = getAFile() and
+    result.getBaseName() = baseName
+  }
+
+  /** Gets a sub-folder in this container. */
+  Folder getAFolder() { result = getAChildContainer() }
+
+  /** Gets the sub-folder in this container that has the given `baseName`, if any. */
+  Folder getFolder(string baseName) {
+    result = getAFolder() and
+    result.getBaseName() = baseName
+  }
+
+  /**
+   * Gets a textual representation of the path of this container.
+   *
+   * This is the absolute path of the container.
+   */
+  override string toString() { result = getAbsolutePath() }
+}
+
+/**
+ * A folder that was observed on disk during the build process.
+ *
+ * For the example folder name of "/usr/home/me", the path decomposes to:
+ *
+ *  1. "/usr/home" - see `getParentContainer`.
+ *  2. "me" - see `getBaseName`.
+ *
+ * To get the full path, use `getAbsolutePath`.
+ */
+class Folder extends Container, @folder {
+  override string getAbsolutePath() { folders(underlyingElement(this), result) }
+
+  override Location getLocation() {
+    result.getContainer() = this and
+    result.hasLocationInfo(_, 0, 0, 0, 0)
+  }
+
+  override string getAPrimaryQlClass() { result = "Folder" }
+
+  /**
+   * DEPRECATED: Use `getLocation` instead.
+   * Gets the URL of this folder.
+   */
+  deprecated override string getURL() { result = "file://" + this.getAbsolutePath() + ":0:0:0:0" }
+
+  /**
+   * DEPRECATED: use `getAbsolutePath` instead.
+   * Gets the name of this folder.
+   */
+  deprecated string getName() { folders(underlyingElement(this), result) }
+
+  /**
+   * DEPRECATED: use `getAbsolutePath` instead.
+   * Holds if this element is named `name`.
+   */
+  deprecated predicate hasName(string name) { name = this.getName() }
+
+  /**
+   * DEPRECATED: use `getAbsolutePath` instead.
+   * Gets the full name of this folder.
+   */
+  deprecated string getFullName() { result = this.getName() }
+
+  /**
+   * DEPRECATED: use `getBaseName` instead.
+   * Gets the last part of the folder name.
+   */
+  deprecated string getShortName() { result = this.getBaseName() }
+
+  /**
+   * DEPRECATED: use `getParentContainer` instead.
+   * Gets the parent folder.
+   */
+  deprecated Folder getParent() {
+    containerparent(unresolveElement(result), underlyingElement(this))
+  }
+}
+
+/**
+ * A file that was observed on disk during the build process.
+ *
+ * For the example filename of "/usr/home/me/myprogram.c", the filename
+ * decomposes to:
+ *
+ *  1. "/usr/home/me" - see `getParentContainer`.
+ *  2. "myprogram.c" - see `getBaseName`.
+ *
+ * The base name further decomposes into the _stem_ and _extension_ -- see
+ * `getStem` and `getExtension`. To get the full path, use `getAbsolutePath`.
+ */
+class File extends Container, @file {
+  override string getAbsolutePath() { files(underlyingElement(this), result) }
+
+  override string toString() { result = Container.super.toString() }
+
+  override string getAPrimaryQlClass() { result = "File" }
+
+  override Location getLocation() {
+    result.getContainer() = this and
+    result.hasLocationInfo(_, 0, 0, 0, 0)
+  }
+
+  /**
+   * DEPRECATED: Use `getLocation` instead.
+   * Gets the URL of this file.
+   */
+  deprecated override string getURL() { result = "file://" + this.getAbsolutePath() + ":0:0:0:0" }
+
+  /** Holds if this file was compiled as C (at any point). */
+  predicate compiledAsC() { fileannotations(underlyingElement(this), 1, "compiled as c", "1") }
+
+  /** Holds if this file was compiled as C++ (at any point). */
+  predicate compiledAsCpp() { fileannotations(underlyingElement(this), 1, "compiled as c++", "1") }
+
+  /**
+   * Holds if this file was compiled by a Microsoft compiler (at any point).
+   *
+   * Note: currently unreliable - on some projects only some of the files that
+   * are compiled by a Microsoft compiler are detected by this predicate.
+   */
+  predicate compiledAsMicrosoft() {
+    exists(File f, Compilation c |
+      c.getAFileCompiled() = f and
+      (
+        c.getAnArgument() = "--microsoft" or
+        c.getAnArgument()
+            .toLowerCase()
+            .replaceAll("\\", "/")
+            .matches(["%/cl.exe", "%/clang-cl.exe"])
+      ) and
+      f.getAnIncludedFile*() = this
+    )
+  }
+
+  /** Gets a top-level element declared in this file. */
+  Declaration getATopLevelDeclaration() { result.getAFile() = this and result.isTopLevel() }
+
+  /** Gets a declaration in this file. */
+  Declaration getADeclaration() { result.getAFile() = this }
+
+  /** Holds if this file uses the given macro. */
+  predicate usesMacro(Macro m) {
+    exists(MacroInvocation mi |
+      mi.getFile() = this and
+      mi.getMacro() = m
+    )
+  }
+
+  /**
+   * Gets a file that is directly included from this file (using a
+   * pre-processor directive like `#include`).
+   */
+  File getAnIncludedFile() {
+    exists(Include i | i.getFile() = this and i.getIncludedFile() = result)
+  }
+
+  /**
+   * Holds if this file may be from source. This predicate holds for all files
+   * except the dummy file, whose name is the empty string, which contains
+   * declarations that are built into the compiler.
+   */
+  override predicate fromSource() { numlines(underlyingElement(this), _, _, _) }
+
+  /**
+   * Holds if this file may be from a library.
+   *
+   * DEPRECATED: For historical reasons this is true for any file.
+   */
+  deprecated override predicate fromLibrary() { any() }
+
+  /** Gets the metric file. */
+  MetricFile getMetrics() { result = this }
+
+  /**
+   * Gets the remainder of the base name after the first dot character. Note
+   * that the name of this predicate is in plural form, unlike `getExtension`,
+   * which gets the remainder of the base name after the _last_ dot character.
+   *
+   * Predicates `getStem` and `getExtension` should be preferred over
+   * `getShortName` and `getExtensions` since the former pair is compatible
+   * with the file libraries of other languages.
+   * Note the slight difference between this predicate and `getStem`:
+   * for example, for "file.tar.gz", this predicate will have the result
+   * "tar.gz", while `getExtension` will have the result "gz".
+   */
+  string getExtensions() {
+    exists(string name, int firstDotPos |
+      name = this.getBaseName() and
+      firstDotPos = min([name.indexOf("."), name.length() - 1]) and
+      result = name.suffix(firstDotPos + 1)
+    )
+  }
+
+  /**
+   * Gets the short name of this file, that is, the prefix of its base name up
+   * to (but not including) the first dot character if there is one, or the
+   * entire base name if there is not. For example, if the full name is
+   * "/path/to/filename.a.bcd" then the short name is "filename".
+   *
+   * Predicates `getStem` and `getExtension` should be preferred over
+   * `getShortName` and `getExtensions` since the former pair is compatible
+   * with the file libraries of other languages.
+   * Note the slight difference between this predicate and `getStem`:
+   * for example, for "file.tar.gz", this predicate will have the result
+   * "file", while `getStem` will have the result "file.tar".
+   */
+  string getShortName() {
+    exists(string name, int firstDotPos |
+      name = this.getBaseName() and
+      firstDotPos = min([name.indexOf("."), name.length()]) and
+      result = name.prefix(firstDotPos)
+    )
+    or
+    this.getAbsolutePath() = "" and
+    result = ""
+  }
+}
+
+/**
+ * Holds if any file was compiled by a Microsoft compiler.
+ */
+predicate anyFileCompiledAsMicrosoft() { any(File f).compiledAsMicrosoft() }
+
+/**
+ * A C/C++ header file, as determined (mainly) by file extension.
+ *
+ * For the related notion of whether a file is included anywhere (using a
+ * pre-processor directive like `#include`), use `Include.getIncludedFile`.
+ */
+class HeaderFile extends File {
+  HeaderFile() {
+    this.getExtension().toLowerCase() =
+      ["h", "r", "hpp", "hxx", "h++", "hh", "hp", "tcc", "tpp", "txx", "t++"]
+    or
+    not exists(this.getExtension()) and
+    exists(Include i | i.getIncludedFile() = this)
+  }
+
+  override string getAPrimaryQlClass() { result = "HeaderFile" }
+
+  /**
+   * Holds if this header file does not contain any declaration entries or top level
+   * declarations.  For example it might be:
+   *  - a file containing only preprocessor directives and/or comments
+   *  - an empty file
+   *  - a file that contains non-top level code or data that's included in an
+   *    unusual way
+   */
+  predicate noTopLevelCode() {
+    not exists(DeclarationEntry de | de.getFile() = this) and
+    not exists(Declaration d | d.getFile() = this and d.isTopLevel()) and
+    not exists(UsingEntry ue | ue.getFile() = this)
+  }
+}
+
+/**
+ * A C source file, as determined by file extension.
+ *
+ * For the related notion of whether a file is compiled as C code, use
+ * `File.compiledAsC`.
+ */
+class CFile extends File {
+  CFile() { this.getExtension().toLowerCase() = ["c", "i"] }
+
+  override string getAPrimaryQlClass() { result = "CFile" }
+}
+
+/**
+ * A C++ source file, as determined by file extension.
+ *
+ * For the related notion of whether a file is compiled as C++ code, use
+ * `File.compiledAsCpp`.
+ */
+class CppFile extends File {
+  CppFile() {
+    this.getExtension().toLowerCase() =
+      ["cpp", "cxx", "c++", "cc", "cp", "icc", "ipp", "ixx", "i++", "ii"]
+    // Note: .C files are indistinguishable from .c files on some
+    // file systems, so we just treat them as CFile's.
+  }
+
+  override string getAPrimaryQlClass() { result = "CppFile" }
+}
+
+/**
+ * DEPRECATED: Objective-C is no longer supported.
+ * An Objective C source file, as determined by file extension.
+ *
+ * For the related notion of whether a file is compiled as Objective C
+ * code, use `File.compiledAsObjC`.
+ */
+deprecated class ObjCFile extends File {
+  ObjCFile() { none() }
+}
+
+/**
+ * DEPRECATED: Objective-C is no longer supported.
+ * An Objective C++ source file, as determined by file extension.
+ *
+ * For the related notion of whether a file is compiled as Objective C++
+ * code, use `File.compiledAsObjCpp`.
+ */
+deprecated class ObjCppFile extends File {
+  ObjCppFile() { none() }
+}

cpp/ql/lib/semmle/code/cpp/Function.qll

@@ -0,0 +1,876 @@
+/**
+ * Provides classes for working with functions, including template functions.
+ */
+
+import semmle.code.cpp.Location
+import semmle.code.cpp.Class
+import semmle.code.cpp.Parameter
+import semmle.code.cpp.exprs.Call
+import semmle.code.cpp.metrics.MetricFunction
+import semmle.code.cpp.Linkage
+private import semmle.code.cpp.internal.ResolveClass
+
+/**
+ * A C/C++ function [N4140 8.3.5]. Both member functions and non-member
+ * functions are included. For example the function `MyFunction` in:
+ * ```
+ * void MyFunction() {
+ *   DoSomething();
+ * }
+ * ```
+ *
+ * Function has a one-to-many relationship with FunctionDeclarationEntry,
+ * because the same function can be declared in multiple locations. This
+ * relationship between `Declaration` and `DeclarationEntry` is explained
+ * in more detail in `Declaration.qll`.
+ */
+class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
+  override string getName() { functions(underlyingElement(this), result, _) }
+
+  /**
+   * DEPRECATED: Use `getIdentityString(Declaration)` from `semmle.code.cpp.Print` instead.
+   * Gets the full signature of this function, including return type, parameter
+   * types, and template arguments.
+   *
+   * For example, in the following code:
+   * ```
+   * template<typename T> T min(T x, T y);
+   * int z = min(5, 7);
+   * ```
+   * The full signature of the function called on the last line would be
+   * "min<int>(int, int) -> int", and the full signature of the uninstantiated
+   * template on the first line would be "min<T>(T, T) -> T".
+   */
+  string getFullSignature() {
+    exists(string name, string templateArgs, string args |
+      result = name + templateArgs + args + " -> " + getType().toString() and
+      name = getQualifiedName() and
+      (
+        if exists(getATemplateArgument())
+        then
+          templateArgs =
+            "<" +
+              concat(int i |
+                exists(getTemplateArgument(i))
+              |
+                getTemplateArgument(i).toString(), ", " order by i
+              ) + ">"
+        else templateArgs = ""
+      ) and
+      args =
+        "(" +
+          concat(int i |
+            exists(getParameter(i))
+          |
+            getParameter(i).getType().toString(), ", " order by i
+          ) + ")"
+    )
+  }
+
+  /** Gets a specifier of this function. */
+  override Specifier getASpecifier() {
+    funspecifiers(underlyingElement(this), unresolveElement(result)) or
+    result.hasName(getADeclarationEntry().getASpecifier())
+  }
+
+  /** Gets an attribute of this function. */
+  Attribute getAnAttribute() { funcattributes(underlyingElement(this), unresolveElement(result)) }
+
+  /** Holds if this function is generated by the compiler. */
+  predicate isCompilerGenerated() { compgenerated(underlyingElement(this)) }
+
+  /** Holds if this function is inline. */
+  predicate isInline() { this.hasSpecifier("inline") }
+
+  /**
+   * Holds if this function is virtual.
+   *
+   * Unlike `isDeclaredVirtual()`, `isVirtual()` holds even if the function
+   * is not explicitly declared with the `virtual` specifier.
+   */
+  predicate isVirtual() { this.hasSpecifier("virtual") }
+
+  /** Holds if this function is declared with the `virtual` specifier. */
+  predicate isDeclaredVirtual() { this.hasSpecifier("declared_virtual") }
+
+  /** Holds if this function is declared with the `override` specifier. */
+  predicate isOverride() { this.hasSpecifier("override") }
+
+  /** Holds if this function is declared with the `final` specifier. */
+  predicate isFinal() { this.hasSpecifier("final") }
+
+  /**
+   * Holds if this function is deleted.
+   * This may be because it was explicitly deleted with an `= delete`
+   * definition, or because the compiler was unable to auto-generate a
+   * definition for it.
+   *
+   * Most implicitly deleted functions are omitted from the database.
+   * `Class.implicitCopyConstructorDeleted` and
+   * `Class.implicitCopyAssignmentOperatorDeleted` can be used to find
+   * whether a class would have had those members implicitly deleted.
+   */
+  predicate isDeleted() { function_deleted(underlyingElement(this)) }
+
+  /**
+   * Holds if this function is explicitly defaulted with the `= default`
+   * specifier.
+   */
+  predicate isDefaulted() { function_defaulted(underlyingElement(this)) }
+
+  /**
+   * Holds if this function is declared to be `constexpr`.
+   *
+   * Note that this does not hold if the function has been declared
+   * `consteval`.
+   */
+  predicate isDeclaredConstexpr() { this.hasSpecifier("declared_constexpr") }
+
+  /**
+   * Holds if this function is `constexpr`. Normally, this holds if and
+   * only if `isDeclaredConstexpr()` holds, but in some circumstances
+   * they differ. For example, with
+   * ```
+   * int f(int i) { return 6; }
+   * template <typename T> constexpr int g(T x) { return f(x); }
+   * ```
+   * `g<int>` is declared constexpr, but is not constexpr.
+   *
+   * Will also hold if this function is `consteval`.
+   */
+  predicate isConstexpr() { this.hasSpecifier("is_constexpr") }
+
+  /**
+   * Holds if this function is declared to be `consteval`.
+   */
+  predicate isConsteval() { this.hasSpecifier("is_consteval") }
+
+  /**
+   * Holds if this function is declared with `__attribute__((naked))` or
+   * `__declspec(naked)`.
+   */
+  predicate isNaked() { getAnAttribute().hasName("naked") }
+
+  /**
+   * Holds if this function has a trailing return type.
+   *
+   * Note that this is true whether or not deduction took place. For example,
+   * this holds for both `e` and `f`, but not `g` or `h`:
+   * ```
+   * auto e() -> int { return 0; }
+   * auto f() -> auto { return 0; }
+   * auto g() { return 0; }
+   * int h() { return 0; }
+   * ```
+   */
+  predicate hasTrailingReturnType() { this.hasSpecifier("has_trailing_return_type") }
+
+  /** Gets the return type of this function. */
+  Type getType() { function_return_type(underlyingElement(this), unresolveElement(result)) }
+
+  /**
+   * Gets the return type of this function after specifiers have been deeply
+   * stripped and typedefs have been resolved.
+   */
+  Type getUnspecifiedType() { result = getType().getUnspecifiedType() }
+
+  /**
+   * Gets the nth parameter of this function. There is no result for the
+   * implicit `this` parameter, and there is no `...` varargs pseudo-parameter.
+   */
+  Parameter getParameter(int n) { params(unresolveElement(result), underlyingElement(this), n, _) }
+
+  /**
+   * Gets a parameter of this function. There is no result for the implicit
+   * `this` parameter, and there is no `...` varargs pseudo-parameter.
+   */
+  Parameter getAParameter() { params(unresolveElement(result), underlyingElement(this), _, _) }
+
+  /**
+   * Gets an access of this function.
+   *
+   * To get calls to this function, use `getACallToThisFunction` instead.
+   */
+  FunctionAccess getAnAccess() { result.getTarget() = this }
+
+  /**
+   * Gets the number of parameters of this function, _not_ including any
+   * implicit `this` parameter or any `...` varargs pseudo-parameter.
+   */
+  int getNumberOfParameters() { result = count(this.getAParameter()) }
+
+  /**
+   * Gets the number of parameters of this function, _including_ any implicit
+   * `this` parameter but _not_ including any `...` varargs pseudo-parameter.
+   */
+  int getEffectiveNumberOfParameters() {
+    // This method is overridden in `MemberFunction`, where the result is
+    // adjusted to account for the implicit `this` parameter.
+    result = getNumberOfParameters()
+  }
+
+  /**
+   * Gets a string representing the parameters of this function.
+   *
+   * For example: for a function `int Foo(int p1, int p2)` this would
+   * return `int p1, int p2`.
+   */
+  string getParameterString() {
+    result = concat(int i | | min(getParameter(i).getTypedName()), ", " order by i)
+  }
+
+  /** Gets a call to this function. */
+  FunctionCall getACallToThisFunction() { result.getTarget() = this }
+
+  /**
+   * Gets a declaration entry corresponding to this declaration. The
+   * relationship between `Declaration` and `DeclarationEntry` is explained
+   * in `Declaration.qll`.
+   */
+  override FunctionDeclarationEntry getADeclarationEntry() {
+    if fun_decls(_, underlyingElement(this), _, _, _)
+    then declEntry(result)
+    else
+      exists(Function f |
+        this.isConstructedFrom(f) and
+        fun_decls(unresolveElement(result), unresolveElement(f), _, _, _)
+      )
+  }
+
+  private predicate declEntry(FunctionDeclarationEntry fde) {
+    fun_decls(unresolveElement(fde), underlyingElement(this), _, _, _) and
+    // If one .cpp file specializes a function, and another calls the
+    // specialized function, then when extracting the second we only see an
+    // instantiation, not the specialization. We Therefore need to ignore
+    // any non-specialized declarations if there are any specialized ones.
+    (this.isSpecialization() implies fde.isSpecialization())
+  }
+
+  /**
+   * Gets the location of a `FunctionDeclarationEntry` corresponding to this
+   * declaration.
+   */
+  override Location getADeclarationLocation() { result = getADeclarationEntry().getLocation() }
+
+  /** Holds if this Function is a Template specialization. */
+  predicate isSpecialization() {
+    exists(FunctionDeclarationEntry fde |
+      fun_decls(unresolveElement(fde), underlyingElement(this), _, _, _) and
+      fde.isSpecialization()
+    )
+  }
+
+  /**
+   * Gets the declaration entry corresponding to this declaration that is a
+   * definition, if any.
+   */
+  override FunctionDeclarationEntry getDefinition() {
+    result = getADeclarationEntry() and
+    result.isDefinition()
+  }
+
+  /** Gets the location of the definition, if any. */
+  override Location getDefinitionLocation() {
+    if exists(getDefinition())
+    then result = getDefinition().getLocation()
+    else exists(Function f | this.isConstructedFrom(f) and result = f.getDefinition().getLocation())
+  }
+
+  /**
+   * Gets the preferred location of this declaration. (The location of the
+   * definition, if possible.)
+   */
+  override Location getLocation() {
+    if exists(getDefinition())
+    then result = this.getDefinitionLocation()
+    else result = this.getADeclarationLocation()
+  }
+
+  /** Gets a child declaration of this function. */
+  Declaration getADeclaration() { result = this.getAParameter() }
+
+  /**
+   * Gets the block that is the function body.
+   *
+   * For C++ functions whose body is a function try statement rather than a
+   * block, this gives the block guarded by the try statement. See
+   * `FunctionTryStmt` for further information.
+   */
+  BlockStmt getBlock() { result.getParentScope() = this }
+
+  /** Holds if this function has an entry point. */
+  predicate hasEntryPoint() { exists(getEntryPoint()) }
+
+  /**
+   * Gets the first node in this function's control flow graph.
+   *
+   * For most functions, this first node will be the `BlockStmt` returned by
+   * `getBlock`. However in C++, the first node can also be a
+   * `FunctionTryStmt`.
+   */
+  Stmt getEntryPoint() { function_entry_point(underlyingElement(this), unresolveElement(result)) }
+
+  /**
+   * Gets the metric class. `MetricFunction` has methods for computing
+   * various metrics, such as "number of lines of code" and "number of
+   * function calls".
+   */
+  MetricFunction getMetrics() { result = this }
+
+  /** Holds if this function calls the function `f`. */
+  predicate calls(Function f) { exists(Locatable l | this.calls(f, l)) }
+
+  /**
+   * Holds if this function calls the function `f` in the `FunctionCall`
+   * expression `l`.
+   */
+  predicate calls(Function f, Locatable l) {
+    exists(FunctionCall call |
+      call.getEnclosingFunction() = this and call.getTarget() = f and call = l
+    )
+    or
+    exists(DestructorCall call |
+      call.getEnclosingFunction() = this and call.getTarget() = f and call = l
+    )
+  }
+
+  /** Holds if this function accesses a function or variable or enumerator `a`. */
+  predicate accesses(Declaration a) { exists(Locatable l | this.accesses(a, l)) }
+
+  /**
+   * Holds if this function accesses a function or variable or enumerator `a`
+   * in the `Access` expression `l`.
+   */
+  predicate accesses(Declaration a, Locatable l) {
+    exists(Access access |
+      access.getEnclosingFunction() = this and
+      a = access.getTarget() and
+      access = l
+    )
+  }
+
+  /** Gets a variable that is written-to in this function. */
+  Variable getAWrittenVariable() {
+    exists(ConstructorFieldInit cfi |
+      cfi.getEnclosingFunction() = this and result = cfi.getTarget()
+    )
+    or
+    exists(VariableAccess va |
+      va = result.getAnAccess() and
+      va.isUsedAsLValue() and
+      va.getEnclosingFunction() = this
+    )
+  }
+
+  /**
+   * Gets the class of which this function, called `memberName`, is a member.
+   *
+   * Prefer to use `getDeclaringType()` or `getName()` directly if you do not
+   * need to reason about both.
+   */
+  pragma[nomagic]
+  Class getClassAndName(string memberName) {
+    this.hasName(memberName) and
+    this.getDeclaringType() = result
+  }
+
+  /**
+   * Implements `ControlFlowNode.getControlFlowScope`. The `Function` is
+   * used to represent the exit node of the control flow graph, so it is
+   * its own scope.
+   */
+  override Function getControlFlowScope() { result = this }
+
+  /**
+   * Implements `ControlFlowNode.getEnclosingStmt`. The `Function` is
+   * used to represent the exit node of the control flow graph, so it
+   * has no enclosing statement.
+   */
+  override Stmt getEnclosingStmt() { none() }
+
+  /**
+   * Holds if this function has C linkage, as specified by one of its
+   * declaration entries. For example: `extern "C" void foo();`.
+   */
+  predicate hasCLinkage() { getADeclarationEntry().hasCLinkage() }
+
+  /**
+   * Holds if this function is constructed from `f` as a result
+   * of template instantiation. If so, it originates either from a template
+   * function or from a function nested in a template class.
+   */
+  predicate isConstructedFrom(Function f) {
+    function_instantiation(underlyingElement(this), unresolveElement(f))
+  }
+
+  /**
+   * Holds if this function is defined in several files. This is illegal in
+   * C (though possible in some C++ compilers), and likely indicates that
+   * several functions that are not linked together have been compiled. An
+   * example would be a project with many 'main' functions.
+   */
+  predicate isMultiplyDefined() { strictcount(getFile()) > 1 }
+
+  /** Holds if this function is a varargs function. */
+  predicate isVarargs() { hasSpecifier("varargs") }
+
+  /** Gets a type that is specified to be thrown by the function. */
+  Type getAThrownType() { result = getADeclarationEntry().getAThrownType() }
+
+  /**
+   * Gets the `i`th type specified to be thrown by the function.
+   */
+  Type getThrownType(int i) { result = getADeclarationEntry().getThrownType(i) }
+
+  /** Holds if the function has an exception specification. */
+  predicate hasExceptionSpecification() { getADeclarationEntry().hasExceptionSpecification() }
+
+  /** Holds if this function has a `throw()` exception specification. */
+  predicate isNoThrow() { getADeclarationEntry().isNoThrow() }
+
+  /** Holds if this function has a `noexcept` exception specification. */
+  predicate isNoExcept() { getADeclarationEntry().isNoExcept() }
+
+  /**
+   * Gets a function that overloads this one.
+   *
+   * Note: if _overrides_ are wanted rather than _overloads_ then
+   * `MemberFunction::getAnOverridingFunction` should be used instead.
+   */
+  Function getAnOverload() {
+    (
+      // If this function is declared in a class, only consider other
+      // functions from the same class.
+      exists(string name, Class declaringType |
+        candGetAnOverloadMember(name, declaringType, this) and
+        candGetAnOverloadMember(name, declaringType, result)
+      )
+      or
+      // Conversely, if this function is not
+      // declared in a class, only consider other functions not declared in a
+      // class.
+      exists(string name, Namespace namespace |
+        candGetAnOverloadNonMember(name, namespace, this) and
+        candGetAnOverloadNonMember(name, namespace, result)
+      )
+    ) and
+    result != this and
+    // Instantiations and specializations don't participate in overload
+    // resolution.
+    not (
+      this instanceof FunctionTemplateInstantiation or
+      result instanceof FunctionTemplateInstantiation
+    ) and
+    not (
+      this instanceof FunctionTemplateSpecialization or
+      result instanceof FunctionTemplateSpecialization
+    )
+  }
+
+  /** Gets a link target which compiled or referenced this function. */
+  LinkTarget getALinkTarget() { this = result.getAFunction() }
+
+  /**
+   * Holds if this function is side-effect free (conservative
+   * approximation).
+   */
+  predicate isSideEffectFree() { not this.mayHaveSideEffects() }
+
+  /**
+   * Holds if this function may have side-effects; if in doubt, we assume it
+   * may.
+   */
+  predicate mayHaveSideEffects() {
+    // If we cannot see the definition then we assume that it may have
+    // side-effects.
+    if exists(this.getEntryPoint())
+    then
+      // If it might be globally impure (we don't care about it modifying
+      // temporaries) then it may have side-effects.
+      this.getEntryPoint().mayBeGloballyImpure()
+      or
+      // Constructor initializers are separate from the entry point ...
+      this.(Constructor).getAnInitializer().mayBeGloballyImpure()
+      or
+      // ... and likewise for destructors.
+      this.(Destructor).getADestruction().mayBeGloballyImpure()
+    else
+      // Unless it's a function that we know is side-effect free, it may
+      // have side-effects.
+      not this.hasGlobalOrStdName([
+          "strcmp", "wcscmp", "_mbscmp", "strlen", "wcslen", "_mbslen", "_mbslen_l", "_mbstrlen",
+          "_mbstrlen_l", "strnlen", "strnlen_s", "wcsnlen", "wcsnlen_s", "_mbsnlen", "_mbsnlen_l",
+          "_mbstrnlen", "_mbstrnlen_l", "strncmp", "wcsncmp", "_mbsncmp", "_mbsncmp_l", "strchr",
+          "memchr", "wmemchr", "memcmp", "wmemcmp", "_memicmp", "_memicmp_l", "feof", "isdigit",
+          "isxdigit", "abs", "fabs", "labs", "floor", "ceil", "atoi", "atol", "atoll", "atof"
+        ])
+  }
+
+  /**
+   * Gets the nearest enclosing AccessHolder.
+   */
+  override AccessHolder getEnclosingAccessHolder() { result = this.getDeclaringType() }
+}
+
+pragma[noinline]
+private predicate candGetAnOverloadMember(string name, Class declaringType, Function f) {
+  f.getName() = name and
+  f.getDeclaringType() = declaringType
+}
+
+pragma[noinline]
+private predicate candGetAnOverloadNonMember(string name, Namespace namespace, Function f) {
+  f.getName() = name and
+  f.getNamespace() = namespace and
+  not exists(f.getDeclaringType())
+}
+
+/**
+ * A particular declaration or definition of a C/C++ function. For example the
+ * declaration and definition of `MyFunction` in the following code are each a
+ * `FunctionDeclarationEntry`:
+ * ```
+ * void MyFunction();
+ *
+ * void MyFunction() {
+ *   DoSomething();
+ * }
+ * ```
+ */
+class FunctionDeclarationEntry extends DeclarationEntry, @fun_decl {
+  /** Gets the function which is being declared or defined. */
+  override Function getDeclaration() { result = getFunction() }
+
+  override string getAPrimaryQlClass() { result = "FunctionDeclarationEntry" }
+
+  /** Gets the function which is being declared or defined. */
+  Function getFunction() { fun_decls(underlyingElement(this), unresolveElement(result), _, _, _) }
+
+  /** Gets the name of the function. */
+  override string getName() { fun_decls(underlyingElement(this), _, _, result, _) }
+
+  /**
+   * Gets the return type of the function which is being declared or
+   * defined.
+   */
+  override Type getType() { fun_decls(underlyingElement(this), _, unresolveElement(result), _, _) }
+
+  /** Gets the location of this declaration entry. */
+  override Location getLocation() { fun_decls(underlyingElement(this), _, _, _, result) }
+
+  /** Gets a specifier associated with this declaration entry. */
+  override string getASpecifier() { fun_decl_specifiers(underlyingElement(this), result) }
+
+  /**
+   * Implements `Element.getEnclosingElement`. A function declaration does
+   * not have an enclosing element.
+   */
+  override Element getEnclosingElement() { none() }
+
+  /**
+   * Gets the typedef type (if any) used for this function declaration. As
+   * an example, the typedef type in the declaration of function foo in the
+   * following is Foo:
+   *
+   * typedef int Foo();
+   * static Foo foo;
+   */
+  TypedefType getTypedefType() {
+    fun_decl_typedef_type(underlyingElement(this), unresolveElement(result))
+  }
+
+  /**
+   * Gets the cyclomatic complexity of this function:
+   *
+   *   The number of branching statements (if, while, do, for, switch,
+   *   case, catch) plus the number of branching expressions (`?`, `&&`,
+   *   `||`) plus one.
+   */
+  int getCyclomaticComplexity() { result = 1 + cyclomaticComplexityBranches(getBlock()) }
+
+  /**
+   * If this is a function definition, get the block containing the
+   * function body.
+   */
+  BlockStmt getBlock() {
+    this.isDefinition() and
+    result = getFunction().getBlock() and
+    result.getFile() = this.getFile()
+  }
+
+  /**
+   * If this is a function definition, get the number of lines of code
+   * associated with it.
+   */
+  pragma[noopt]
+  int getNumberOfLines() {
+    exists(BlockStmt b, Location l, int start, int end, int diff | b = getBlock() |
+      l = b.getLocation() and
+      start = l.getStartLine() and
+      end = l.getEndLine() and
+      diff = end - start and
+      result = diff + 1
+    )
+  }
+
+  /**
+   * Gets the declaration entry for a parameter of this function
+   * declaration.
+   */
+  ParameterDeclarationEntry getAParameterDeclarationEntry() {
+    result = getParameterDeclarationEntry(_)
+  }
+
+  /**
+   * Gets the declaration entry for the nth parameter of this function
+   * declaration.
+   */
+  ParameterDeclarationEntry getParameterDeclarationEntry(int n) {
+    param_decl_bind(unresolveElement(result), n, underlyingElement(this))
+  }
+
+  /** Gets the number of parameters of this function declaration. */
+  int getNumberOfParameters() { result = count(this.getAParameterDeclarationEntry()) }
+
+  /**
+   * Gets a string representing the parameters of this function declaration.
+   *
+   * For example: for a function 'int Foo(int p1, int p2)' this would
+   * return 'int p1, int p2'.
+   */
+  string getParameterString() {
+    result = concat(int i | | min(getParameterDeclarationEntry(i).getTypedName()), ", " order by i)
+  }
+
+  /**
+   * Holds if this declaration entry specifies C linkage:
+   *
+   *    `extern "C" void foo();`
+   */
+  predicate hasCLinkage() { getASpecifier() = "c_linkage" }
+
+  /** Holds if this declaration entry has a void parameter list. */
+  predicate hasVoidParamList() { getASpecifier() = "void_param_list" }
+
+  /** Holds if this declaration is also a definition of its function. */
+  override predicate isDefinition() { fun_def(underlyingElement(this)) }
+
+  /** Holds if this declaration is a Template specialization. */
+  predicate isSpecialization() { fun_specialized(underlyingElement(this)) }
+
+  /**
+   * Holds if this declaration is an implicit function declaration, that is,
+   * where a function is used before it is declared (under older C standards).
+   */
+  predicate isImplicit() { fun_implicit(underlyingElement(this)) }
+
+  /** Gets a type that is specified to be thrown by the declared function. */
+  Type getAThrownType() { result = getThrownType(_) }
+
+  /**
+   * Gets the `i`th type specified to be thrown by the declared function
+   * (where `i` is indexed from 0). For example, if a function is declared
+   * to `throw(int,float)`, then the thrown type with index 0 would be
+   * `int`, and that with index 1 would be `float`.
+   */
+  Type getThrownType(int i) {
+    fun_decl_throws(underlyingElement(this), i, unresolveElement(result))
+  }
+
+  /**
+   * If this declaration has a noexcept-specification [N4140 15.4], then
+   * this predicate returns the argument to `noexcept` if one was given.
+   */
+  Expr getNoExceptExpr() { fun_decl_noexcept(underlyingElement(this), unresolveElement(result)) }
+
+  /**
+   * Holds if the declared function has an exception specification [N4140
+   * 15.4].
+   */
+  predicate hasExceptionSpecification() {
+    fun_decl_throws(underlyingElement(this), _, _) or
+    fun_decl_noexcept(underlyingElement(this), _) or
+    isNoThrow() or
+    isNoExcept()
+  }
+
+  /**
+   * Holds if the declared function has a `throw()` exception specification.
+   */
+  predicate isNoThrow() { fun_decl_empty_throws(underlyingElement(this)) }
+
+  /**
+   * Holds if the declared function has an empty `noexcept` exception
+   * specification.
+   */
+  predicate isNoExcept() { fun_decl_empty_noexcept(underlyingElement(this)) }
+}
+
+/**
+ * A C/C++ non-member function (a function that is not a member of any
+ * class). For example, in the following code, `MyFunction` is a
+ * `TopLevelFunction` but `MyMemberFunction` is not:
+ * ```
+ * void MyFunction() {
+ *   DoSomething();
+ * }
+ *
+ * class MyClass {
+ * public:
+ *   void MyMemberFunction() {
+ *     DoSomething();
+ *   }
+ * };
+ * ```
+ */
+class TopLevelFunction extends Function {
+  TopLevelFunction() { not this.isMember() }
+
+  override string getAPrimaryQlClass() { result = "TopLevelFunction" }
+}
+
+/**
+ * A C++ user-defined operator [N4140 13.5].
+ */
+class Operator extends Function {
+  Operator() { functions(underlyingElement(this), _, 5) }
+
+  override string getAPrimaryQlClass() {
+    not this instanceof MemberFunction and result = "Operator"
+  }
+}
+
+/**
+ * A C++ function which has a non-empty template argument list. For example
+ * the function `myTemplateFunction` in the following code:
+ * ```
+ * template<class T>
+ * void myTemplateFunction(T t) {
+ *   ...
+ * }
+ * ```
+ *
+ * This comprises function declarations which are immediately preceded by
+ * `template <...>`, where the "..." part is not empty, and therefore it does
+ * not include:
+ *
+ *   1. Full specializations of template functions, as they have an empty
+ *      template argument list.
+ *   2. Instantiations of template functions, as they don't have an
+ *      explicit template argument list.
+ *   3. Member functions of template classes - unless they have their own
+ *      (non-empty) template argument list.
+ */
+class TemplateFunction extends Function {
+  TemplateFunction() {
+    is_function_template(underlyingElement(this)) and exists(getATemplateArgument())
+  }
+
+  override string getAPrimaryQlClass() { result = "TemplateFunction" }
+
+  /**
+   * Gets a compiler-generated instantiation of this function template.
+   */
+  Function getAnInstantiation() {
+    result.isConstructedFrom(this) and
+    not result.isSpecialization()
+  }
+
+  /**
+   * Gets a full specialization of this function template.
+   *
+   * Note that unlike classes, functions overload rather than specialize
+   * partially. Therefore this does not include things which "look like"
+   * partial specializations, nor does it include full specializations of
+   * such things -- see FunctionTemplateSpecialization for further details.
+   */
+  FunctionTemplateSpecialization getASpecialization() { result.getPrimaryTemplate() = this }
+}
+
+/**
+ * A function that is an instantiation of a template. For example
+ * the instantiation `myTemplateFunction<int>` in the following code:
+ * ```
+ * template<class T>
+ * void myTemplateFunction(T t) {
+ *   ...
+ * }
+ *
+ * void caller(int i) {
+ *   myTemplateFunction<int>(i);
+ * }
+ * ```
+ */
+class FunctionTemplateInstantiation extends Function {
+  TemplateFunction tf;
+
+  FunctionTemplateInstantiation() { tf.getAnInstantiation() = this }
+
+  override string getAPrimaryQlClass() { result = "FunctionTemplateInstantiation" }
+
+  /**
+   * Gets the function template from which this instantiation was instantiated.
+   *
+   * Example: For `int const& std::min<int>(int const&, int const&)`, returns `T const& min<T>(T const&, T const&)`.
+   */
+  TemplateFunction getTemplate() { result = tf }
+}
+
+/**
+ * An explicit specialization of a C++ function template. For example the
+ * function `myTemplateFunction<int>` in the following code:
+ * ```
+ * template<class T>
+ * void myTemplateFunction(T t) {
+ *   ...
+ * }
+ *
+ * template<>
+ * void myTemplateFunction<int>(int i) {
+ *   ...
+ * }
+ * ```
+ *
+ * Note that unlike classes, functions overload rather than specialize
+ * partially. Therefore this only includes the last two of the following
+ * four definitions, and in particular does not include the second one:
+ *
+ * ```
+ * template <typename T> void f(T) {...}
+ * template <typename T> void f(T*) {...}
+ * template <> void f<int>(int *) {...}
+ * template <> void f<int*>(int *) {...}
+ * ```
+ *
+ * Furthermore, this does not include compiler-generated instantiations of
+ * function templates.
+ *
+ * For further reference on function template specializations, see:
+ *   http://www.gotw.ca/publications/mill17.htm
+ */
+class FunctionTemplateSpecialization extends Function {
+  FunctionTemplateSpecialization() { this.isSpecialization() }
+
+  override string getAPrimaryQlClass() { result = "FunctionTemplateSpecialization" }
+
+  /**
+   * Gets the primary template for the specialization (the function template
+   * this specializes).
+   */
+  TemplateFunction getPrimaryTemplate() { this.isConstructedFrom(result) }
+}
+
+/**
+ * A GCC built-in function. For example: `__builtin___memcpy_chk`.
+ */
+class BuiltInFunction extends Function {
+  BuiltInFunction() { functions(underlyingElement(this), _, 6) }
+
+  /** Gets a dummy location for the built-in function. */
+  override Location getLocation() {
+    suppressUnusedThis(this) and
+    result instanceof UnknownDefaultLocation
+  }
+}
+
+private predicate suppressUnusedThis(Function f) { any() }

cpp/ql/lib/semmle/code/cpp/Initializer.qll

@@ -18,6 +18,12 @@ import semmle.code.cpp.controlflow.ControlFlowGraph
  *   ...
  * }
  * ```
+ * But _not_ `4` in the following code:
+ * ```
+ * int myUninitializedVariable;
+ * myUninitializedVariable = 4;
+ * ```
+ * Instead, this is an `Assignment`.
  */
 class Initializer extends ControlFlowNode, @initialiser {
   override Location getLocation() { initialisers(underlyingElement(this), _, _, result) }

cpp/ql/lib/semmle/code/cpp/Location.qll

@@ -0,0 +1,173 @@
+/**
+ * Provides classes and predicates for locations in the source code.
+ */
+
+import semmle.code.cpp.Element
+import semmle.code.cpp.File
+
+/**
+ * A location of a C/C++ artifact.
+ */
+class Location extends @location {
+  /** Gets the container corresponding to this location. */
+  Container getContainer() { this.fullLocationInfo(result, _, _, _, _) }
+
+  /** Gets the file corresponding to this location, if any. */
+  File getFile() { result = this.getContainer() }
+
+  /** Gets the 1-based line number (inclusive) where this location starts. */
+  int getStartLine() { this.fullLocationInfo(_, result, _, _, _) }
+
+  /** Gets the 1-based column number (inclusive) where this location starts. */
+  int getStartColumn() { this.fullLocationInfo(_, _, result, _, _) }
+
+  /** Gets the 1-based line number (inclusive) where this location ends. */
+  int getEndLine() { this.fullLocationInfo(_, _, _, result, _) }
+
+  /** Gets the 1-based column number (inclusive) where this location ends. */
+  int getEndColumn() { this.fullLocationInfo(_, _, _, _, result) }
+
+  /**
+   * Gets a textual representation of this element.
+   *
+   * The format is "file://filePath:startLine:startColumn:endLine:endColumn".
+   */
+  string toString() {
+    exists(string filepath, int startline, int startcolumn, int endline, int endcolumn |
+      this.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+    |
+      toUrl(filepath, startline, startcolumn, endline, endcolumn, result)
+    )
+  }
+
+  /**
+   * Holds if this element is in the specified container.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline`.
+   *
+   * This predicate is similar to `hasLocationInfo`, but exposes the `Container`
+   * entity, rather than merely its path.
+   */
+  predicate fullLocationInfo(
+    Container container, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    locations_default(this, unresolveElement(container), startline, startcolumn, endline, endcolumn) or
+    locations_expr(this, unresolveElement(container), startline, startcolumn, endline, endcolumn) or
+    locations_stmt(this, unresolveElement(container), startline, startcolumn, endline, endcolumn)
+  }
+
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
+   */
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    exists(Container f | this.fullLocationInfo(f, startline, startcolumn, endline, endcolumn) |
+      filepath = f.getAbsolutePath()
+    )
+  }
+
+  /** Holds if `this` comes on a line strictly before `l`. */
+  pragma[inline]
+  predicate isBefore(Location l) {
+    this.getFile() = l.getFile() and this.getEndLine() < l.getStartLine()
+  }
+
+  /** Holds if location `l` is completely contained within this one. */
+  predicate subsumes(Location l) {
+    exists(File f | f = getFile() |
+      exists(int thisStart, int thisEnd | charLoc(f, thisStart, thisEnd) |
+        exists(int lStart, int lEnd | l.charLoc(f, lStart, lEnd) |
+          thisStart <= lStart and lEnd <= thisEnd
+        )
+      )
+    )
+  }
+
+  /**
+   * Holds if this location corresponds to file `f` and character "offsets"
+   * `start..end`. Note that these are not real character offsets, because
+   * we use `maxCols` to find the length of the longest line and then pretend
+   * that all the lines are the same length. However, these offsets are
+   * convenient for comparing or sorting locations in a file. For an example,
+   * see `subsumes`.
+   */
+  predicate charLoc(File f, int start, int end) {
+    f = getFile() and
+    exists(int maxCols | maxCols = maxCols(f) |
+      start = getStartLine() * maxCols + getStartColumn() and
+      end = getEndLine() * maxCols + getEndColumn()
+    )
+  }
+}
+
+/**
+ * DEPRECATED: Use `Location` instead.
+ * A location of an element. Not used for expressions or statements, which
+ * instead use LocationExpr and LocationStmt respectively.
+ */
+deprecated library class LocationDefault extends Location, @location_default { }
+
+/**
+ * DEPRECATED: Use `Location` instead.
+ * A location of a statement.
+ */
+deprecated library class LocationStmt extends Location, @location_stmt { }
+
+/**
+ * DEPRECATED: Use `Location` instead.
+ * A location of an expression.
+ */
+deprecated library class LocationExpr extends Location, @location_expr { }
+
+/**
+ * Gets the length of the longest line in file `f`.
+ */
+pragma[nomagic]
+private int maxCols(File f) {
+  result = max(Location l | l.getFile() = f | l.getStartColumn().maximum(l.getEndColumn()))
+}
+
+/**
+ * A C/C++ element that has a location in a file
+ */
+class Locatable extends Element { }
+
+/**
+ * A dummy location which is used when something doesn't have a location in
+ * the source code but needs to have a `Location` associated with it. There
+ * may be several distinct kinds of unknown locations. For example: one for
+ * expressions, one for statements and one for other program elements.
+ */
+class UnknownLocation extends Location {
+  UnknownLocation() { getFile().getAbsolutePath() = "" }
+}
+
+/**
+ * A dummy location which is used when something doesn't have a location in
+ * the source code but needs to have a `Location` associated with it.
+ */
+class UnknownDefaultLocation extends UnknownLocation {
+  UnknownDefaultLocation() { locations_default(this, _, 0, 0, 0, 0) }
+}
+
+/**
+ * A dummy location which is used when an expression doesn't have a
+ * location in the source code but needs to have a `Location` associated
+ * with it.
+ */
+class UnknownExprLocation extends UnknownLocation {
+  UnknownExprLocation() { locations_expr(this, _, 0, 0, 0, 0) }
+}
+
+/**
+ * A dummy location which is used when a statement doesn't have a location
+ * in the source code but needs to have a `Location` associated with it.
+ */
+class UnknownStmtLocation extends UnknownLocation {
+  UnknownStmtLocation() { locations_stmt(this, _, 0, 0, 0, 0) }
+}

cpp/ql/lib/semmle/code/cpp/MemberFunction.qll

@@ -48,6 +48,15 @@ class MemberFunction extends Function {
   /** Holds if this member is public. */
   predicate isPublic() { this.hasSpecifier("public") }
 
+  /** Holds if this declaration has the lvalue ref-qualifier */
+  predicate isLValueRefQualified() { hasSpecifier("&") }
+
+  /** Holds if this declaration has the rvalue ref-qualifier */
+  predicate isRValueRefQualified() { hasSpecifier("&&") }
+
+  /** Holds if this declaration has a ref-qualifier */
+  predicate isRefQualified() { isLValueRefQualified() or isRValueRefQualified() }
+
   /** Holds if this function overrides that function. */
   predicate overrides(MemberFunction that) {
     overrides(underlyingElement(this), unresolveElement(that))

cpp/ql/lib/semmle/code/cpp/PrintAST.qll

@@ -46,7 +46,7 @@ private string escapeString(string s) {
  * string representation comes first in lexicographical order.
  */
 private Location getRepresentativeLocation(Locatable ast) {
-  result = rank[1](Location loc | loc = ast.getLocation() | loc order by loc.toString())
+  result = min(Location loc | loc = ast.getLocation() | loc order by loc.toString())
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/Specifier.qll

@@ -37,7 +37,7 @@ class FunctionSpecifier extends Specifier {
     this.hasName("explicit")
   }
 
-  override string getAPrimaryQlClass() { result = "FunctionSpecifier)" }
+  override string getAPrimaryQlClass() { result = "FunctionSpecifier" }
 }
 
 /**