use ATM model from training run classification_1659313637_335f5d4e_baz

Co-authored-by: Henry Mercer <henrymercer@github.com>

.codeqlmanifest.json

@@ -1,27 +0,0 @@
-{
-    "provide": [
-        "*/ql/src/qlpack.yml",
-        "*/ql/lib/qlpack.yml",
-        "*/ql/test/qlpack.yml",
-        "*/ql/examples/qlpack.yml",
-        "*/ql/consistency-queries/qlpack.yml",
-        "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml",
-        "javascript/ql/experimental/adaptivethreatmodeling/lib/qlpack.yml",
-        "javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/qlpack.yml",
-        "javascript/ql/experimental/adaptivethreatmodeling/src/qlpack.yml",
-        "csharp/ql/campaigns/Solorigate/lib/qlpack.yml",
-        "csharp/ql/campaigns/Solorigate/src/qlpack.yml",
-        "csharp/ql/campaigns/Solorigate/test/qlpack.yml",
-        "misc/legacy-support/*/qlpack.yml",
-        "misc/suite-helpers/qlpack.yml",
-        "ruby/extractor-pack/codeql-extractor.yml",
-        "ql/extractor-pack/codeql-extractor.yml"
-    ],
-    "versionPolicies": {
-      "default": {
-        "requireChangeNotes": true,
-        "committedPrereleaseSuffix": "dev",
-        "committedVersion": "nextPatchRelease"
-      }
-    }
-}

.devcontainer/devcontainer.json

@@ -3,6 +3,8 @@
     "rust-lang.rust",
     "bungcip.better-toml",
     "github.vscode-codeql",
+    "hbenl.vscode-test-explorer",
+    "ms-vscode.test-adapter-converter",
     "slevesque.vscode-zipexplorer"
   ],
   "settings": {

.gitattributes

@@ -39,6 +39,7 @@
 *.py text
 *.lua text
 *.expected text
+*.go text
 
 # Explicitly set a bunch of known extensions to binary, because Git < 2.10 will treat
 # `* text=auto eol=lf` as `* text eol=lf`
@@ -52,6 +53,14 @@
 java/ql/test/stubs/**/*.java linguist-generated=true
 java/ql/test/experimental/stubs/**/*.java linguist-generated=true
 
+# Force git not to modify line endings for go or html files under the go/ql directory
+go/ql/**/*.go -text
+go/ql/**/*.html -text
+# Force git not to modify line endings for go dbschemes
+go/*.dbscheme -text
+# Preserve unusual line ending from codeql-go merge
+go/extractor/opencsv/CSVReader.java -text
+
 # For some languages, upgrade script testing references really old dbscheme
 # files from legacy upgrades that have CRLF line endings. Since upgrade
 # resolution relies on object hashes, we must suppress line ending conversion

.github/labeler.yml

@@ -6,14 +6,23 @@
   - csharp/**/*
   - change-notes/**/*csharp*
 
+Go:
+  - go/**/*
+  - change-notes/**/*go.*
+
 Java:
-  - java/**/*
+  - any: [ 'java/**/*', '!java/kotlin-extractor/**/*', '!java/kotlin-explorer/**/*', '!java/ql/test/kotlin/**/*' ]
   - change-notes/**/*java.*
 
 JS:
   - any: [ 'javascript/**/*', '!javascript/ql/experimental/adaptivethreatmodeling/**/*' ]
   - change-notes/**/*javascript*
 
+Kotlin:
+  - java/kotlin-extractor/**/*
+  - java/kotlin-explorer/**/*
+  - java/ql/test/kotlin/**/*
+
 Python:
   - python/**/*
   - change-notes/**/*python*
@@ -21,7 +30,7 @@ Python:
 Ruby:
   - ruby/**/*
   - change-notes/**/*ruby*
-  
+
 Swift:
   - swift/**/*
   - change-notes/**/*swift*
@@ -31,5 +40,5 @@ documentation:
   - "**/*.md"
   - docs/**/*
 
-"QL-for-QL": 
+"QL-for-QL":
   - ql/**/*

.github/problem-matchers/codeql-query-format.json

@@ -0,0 +1,14 @@
+{
+    "problemMatcher": [
+        {
+            "owner": "codeql-query-format",
+            "pattern": [
+                {
+                    "regexp": "^((.*) would change by autoformatting\\.)$",
+                    "file": 2,
+                    "message": 1
+                }
+            ]
+        }
+    ]
+}

.github/problem-matchers/codeql-syntax-check.json

@@ -0,0 +1,17 @@
+{
+    "problemMatcher": [
+        {
+            "owner": "codeql-syntax-check",
+            "pattern": [
+                {
+                    "regexp": "^((ERROR|WARNING): .* \\((.*):(\\d+),(\\d+)-\\d+\\))$",
+                    "message": 1,
+                    "file": 3,
+                    "line": 4,
+                    "col": 5,
+                    "severity": 2
+                }
+            ]
+        }
+    ]
+}

.github/problem-matchers/codeql-test-run.json

@@ -0,0 +1,14 @@
+{
+    "problemMatcher": [
+        {
+            "owner": "codeql-test-run",
+            "pattern": [
+                {
+                    "regexp": "(\\[.*\\] FAILED\\((RESULT|COMPILATION)\\) (.*))$",
+                    "file": 3,
+                    "message": 1
+                }
+            ]
+        }
+    ]
+}

.github/problem-matchers/make.json

@@ -0,0 +1,13 @@
+{
+    "problemMatcher": [
+        {
+            "owner": "make",
+            "pattern": [
+                {
+                    "regexp": "^(make: \\*\\*\\* .*)$",
+                    "message": 1
+                }
+            ]
+        }
+    ]
+}

.github/workflows/go-tests.yml

@@ -0,0 +1,162 @@
+name: "Go: Run Tests"
+on:
+  pull_request:
+    paths:
+      - "go/**"
+      - .github/workflows/go-tests.yml
+      - codeql-workspace.yml
+jobs:
+
+  test-linux:
+    name: Test Linux (Ubuntu)
+    runs-on: ubuntu-latest
+    steps:
+
+    - name: Set up Go 1.18.1
+      uses: actions/setup-go@v3
+      with:
+        go-version: 1.18.1
+      id: go
+
+    - name: Set up CodeQL CLI
+      run: |
+        echo "Removing old CodeQL Directory..."
+        rm -rf $HOME/codeql
+        echo "Done"
+        cd $HOME
+        echo "Downloading CodeQL CLI..."
+        LATEST=$(gh release list --repo https://github.com/github/codeql-cli-binaries | cut -f 1 | sort --version-sort | grep -v beta | tail -1)
+        gh release download --repo https://github.com/github/codeql-cli-binaries --pattern codeql-linux64.zip "$LATEST"
+        echo "Done"
+        echo "Unpacking CodeQL CLI..."
+        unzip -q codeql-linux64.zip
+        rm -f codeql-linux64.zip
+        echo "Done"
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+
+    - name: Check out code
+      uses: actions/checkout@v2
+
+    - name: Enable problem matchers in repository
+      shell: bash
+      run: 'find .github/problem-matchers -name \*.json -exec echo "::add-matcher::{}" \;'
+
+    - name: Build
+      run: |
+        cd go
+        env PATH=$PATH:$HOME/codeql make
+
+    - name: Check that all QL and Go code is autoformatted
+      run: |
+        cd go
+        env PATH=$PATH:$HOME/codeql make check-formatting
+
+    - name: Compile qhelp files to markdown
+      run: |
+        cd go
+        env PATH=$PATH:$HOME/codeql QHELP_OUT_DIR=qhelp-out make qhelp-to-markdown
+
+    - name: Upload qhelp markdown
+      uses: actions/upload-artifact@v2
+      with:
+        name: qhelp-markdown
+        path: go/qhelp-out/**/*.md
+
+    - name: Test
+      run: |
+        cd go
+        env PATH=$PATH:$HOME/codeql make test
+
+  test-mac:
+    name: Test MacOS
+    runs-on: macOS-latest
+    steps:
+    - name: Set up Go 1.18.1
+      uses: actions/setup-go@v3
+      with:
+        go-version: 1.18.1
+      id: go
+
+    - name: Set up CodeQL CLI
+      run: |
+        echo "Removing old CodeQL Directory..."
+        rm -rf $HOME/codeql
+        echo "Done"
+        cd $HOME
+        echo "Downloading CodeQL CLI..."
+        LATEST=$(gh release list --repo https://github.com/github/codeql-cli-binaries | cut -f 1 | sort --version-sort | grep -v beta | tail -1)
+        gh release download --repo https://github.com/github/codeql-cli-binaries --pattern codeql-osx64.zip "$LATEST"
+        echo "Done"
+        echo "Unpacking CodeQL CLI..."
+        unzip -q codeql-osx64.zip
+        rm -f codeql-osx64.zip
+        echo "Done"
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+
+    - name: Check out code
+      uses: actions/checkout@v2
+
+    - name: Enable problem matchers in repository
+      shell: bash
+      run: 'find .github/problem-matchers -name \*.json -exec echo "::add-matcher::{}" \;'
+
+    - name: Build
+      run: |
+        cd go
+        env PATH=$PATH:$HOME/codeql make
+
+    - name: Test
+      run: |
+        cd go
+        env PATH=$PATH:$HOME/codeql make test
+
+  test-win:
+    name: Test Windows
+    runs-on: windows-2019
+    steps:
+    - name: Set up Go 1.18.1
+      uses: actions/setup-go@v3
+      with:
+        go-version: 1.18.1
+      id: go
+
+    - name: Set up CodeQL CLI
+      run: |
+        echo "Removing old CodeQL Directory..."
+        rm -rf $HOME/codeql
+        echo "Done"
+        cd "$HOME"
+        echo "Downloading CodeQL CLI..."
+        LATEST=$(gh release list --repo https://github.com/github/codeql-cli-binaries | cut -f 1 | sort --version-sort | grep -v beta | tail -1)
+        gh release download --repo https://github.com/github/codeql-cli-binaries --pattern codeql-win64.zip "$LATEST"
+        echo "Done"
+        echo "Unpacking CodeQL CLI..."
+        unzip -q -o codeql-win64.zip
+        unzip -q -o codeql-win64.zip codeql/codeql.exe
+        rm -f codeql-win64.zip
+        echo "Done"
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+      shell:
+        bash
+
+    - name: Check out code
+      uses: actions/checkout@v2
+
+    - name: Enable problem matchers in repository
+      shell: bash
+      run: 'find .github/problem-matchers -name \*.json -exec echo "::add-matcher::{}" \;'
+
+    - name: Build
+      run: |
+        $Env:Path += ";$HOME\codeql"
+        cd go
+        make
+
+    - name: Test
+      run: |
+        $Env:Path += ";$HOME\codeql"
+        cd go
+        make test

.github/workflows/js-ml-tests.yml

@@ -5,6 +5,7 @@ on:
     paths:
       - "javascript/ql/experimental/adaptivethreatmodeling/**"
       - .github/workflows/js-ml-tests.yml
+      - codeql-workspace.yml
     branches:
       - main
       - "rc/*"
@@ -12,6 +13,8 @@ on:
     paths:
       - "javascript/ql/experimental/adaptivethreatmodeling/**"
       - .github/workflows/js-ml-tests.yml
+      - codeql-workspace.yml
+  workflow_dispatch:
 
 defaults:
   run:

.github/workflows/labeler.yml

@@ -4,6 +4,9 @@ on:
 
 jobs:
   triage:
+    permissions:
+      contents: read
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
     - uses: actions/labeler@v4

.github/workflows/mad_modelDiff.yml

@@ -61,7 +61,7 @@ jobs:
             DATABASE=$2
             cd codeql-$QL_VARIANT
             SHORTNAME=`basename $DATABASE`
-            python java/ql/src/utils/model-generator/GenerateFlowModel.py $DATABASE $MODELS/${SHORTNAME}.qll
+            python java/ql/src/utils/model-generator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE $MODELS/${SHORTNAME}.qll
             mv $MODELS/${SHORTNAME}.qll $MODELS/${SHORTNAME}Generated_${QL_VARIANT}.qll
             cd ..
           }

.github/workflows/mad_regenerate-models.yml

@@ -20,7 +20,7 @@ jobs:
         ref: ["placeholder"]
         include:
           - slug: "apache/commons-io"
-            ref: "8985de8fe74f6622a419b37a6eed0dbc484dc128"
+            ref: "13258ce2d07aa0e764bbaa8020af4dcd3a02a620"
         exclude:
           - slug: "placeholder"
             ref: "placeholder"

.github/workflows/ql-for-ql-build.yml

@@ -140,7 +140,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        folder: [cpp, csharp, java, javascript, python, ql, ruby, swift]
+        folder: [cpp, csharp, java, javascript, python, ql, ruby, swift, go]
 
     needs:
       - package

.github/workflows/ql-for-ql-dataset_measure.yml

@@ -19,7 +19,6 @@ jobs:
       matrix:
         repo:
           - github/codeql
-          - github/codeql-go
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
@@ -77,7 +76,7 @@ jobs:
           path: stats
       - run: |
           python -m pip install --user lxml
-          find stats -name 'stats.xml' -print0 | sort -z | xargs -0 python ql/scripts/merge_stats.py --output ql/ql/src/ql.dbscheme.stats --normalise ql_tokeninfo
+          find stats -name 'stats.xml' -print0 | sort -z | xargs -0 python ruby/scripts/merge_stats.py --output ql/ql/src/ql.dbscheme.stats --normalise ql_tokeninfo
       - uses: actions/upload-artifact@v3
         with:
           name: ql.dbscheme.stats

.github/workflows/ql-for-ql-tests.yml

@@ -5,10 +5,12 @@ on:
     branches: [main]
     paths:
       - "ql/**"
+      - codeql-workspace.yml
   pull_request:
     branches: [main]
     paths:
       - "ql/**"
+      - codeql-workspace.yml
 
 env:
   CARGO_TERM_COLOR: always

.github/workflows/query-list.yml

@@ -5,6 +5,8 @@ on:
     branches:
      - main
      - 'rc/**'
+    tags:
+     - 'codeql-cli/*'
   pull_request:
     paths:
       - '.github/workflows/query-list.yml'
@@ -20,11 +22,6 @@ jobs:
       uses: actions/checkout@v3
       with:
         path: codeql 
-    - name: Clone github/codeql-go
-      uses: actions/checkout@v3
-      with:
-        repository: 'github/codeql-go'
-        path: codeql-go
     - name: Set up Python 3.8
       uses: actions/setup-python@v3
       with:

.github/workflows/ruby-build.yml

@@ -5,6 +5,7 @@ on:
     paths:
       - "ruby/**"
       - .github/workflows/ruby-build.yml
+      - codeql-workspace.yml
     branches:
       - main
       - "rc/*"
@@ -12,6 +13,7 @@ on:
     paths:
       - "ruby/**"
       - .github/workflows/ruby-build.yml
+      - codeql-workspace.yml
     branches:
       - main
       - "rc/*"

.github/workflows/ruby-qltest.yml

@@ -5,6 +5,7 @@ on:
     paths:
       - "ruby/**"
       - .github/workflows/ruby-qltest.yml
+      - codeql-workspace.yml
     branches:
       - main
       - "rc/*"
@@ -12,6 +13,7 @@ on:
     paths:
       - "ruby/**"
       - .github/workflows/ruby-qltest.yml
+      - codeql-workspace.yml
     branches:
       - main
       - "rc/*"

.github/workflows/swift-codegen.yml

@@ -18,8 +18,15 @@ jobs:
       - name: Run unit tests
         run: |
           bazel test //swift/codegen/test --test_output=errors
-      - name: Check that code was generated
+      - name: Check that QL generated code was checked in
         run: |
           bazel run //swift/codegen
           git add swift
           git diff --exit-code --stat HEAD
+      - name: Generate C++ files
+        run: |
+          bazel run //swift/codegen:codegen -- --generate=trap,cpp --cpp-output=$PWD/swift-generated-headers
+      - uses: actions/upload-artifact@v3
+        with:
+          name: swift-generated-headers
+          path: swift-generated-headers/*.h

.github/workflows/swift-qltest.yml

@@ -5,6 +5,7 @@ on:
     paths:
       - "swift/**"
       - .github/workflows/swift-qltest.yml
+      - codeql-workspace.yml
     branches:
       - main
 defaults:

.gitignore

@@ -9,6 +9,7 @@
 # qltest projects and artifacts
 */ql/test/**/*.testproj
 */ql/test/**/*.actual
+*/ql/test/**/go.sum
 
 # Visual studio temporaries, except a file used by QL4VS
 .vs/*
@@ -42,3 +43,18 @@ csharp/extractor/Semmle.Extraction.CSharp.Driver/Properties/launchSettings.json
 
 # CLion project files
 /.clwb
+
+# Go build artifacts
+go/build/*
+
+# Go binaries
+go/tools/bin
+go/tools/linux64
+go/tools/osx64
+go/tools/win64
+go/tools/tokenizer.jar
+go/main
+
+# node_modules folders except in the JS test suite
+node_modules/
+!/javascript/ql/test/**/node_modules/

.lgtm.yml

@@ -6,6 +6,7 @@ path_classifiers:
   test:
   - csharp/ql/src
   - csharp/ql/test
+  - go/ql/test
   - javascript/extractor/parser-tests
   - javascript/extractor/tests
   - javascript/ql/src
@@ -13,6 +14,9 @@ path_classifiers:
   - python/ql/src
   - python/ql/test
 
+  example:
+  - go/ql/src
+
 queries:
   - include: "*"
 

.pre-commit-config.yaml

@@ -25,7 +25,7 @@ repos:
 
       - id: sync-files
         name: Fix files required to be identical
-        files: \.(qll?|qhelp)$
+        files: \.(qll?|qhelp|swift)$
         language: system
         entry: python3 config/sync-files.py --latest
         pass_filenames: false

CODEOWNERS

@@ -1,5 +1,6 @@
 /cpp/ @github/codeql-c-analysis
 /csharp/ @github/codeql-csharp
+/go/ @github/codeql-go
 /java/ @github/codeql-java
 /javascript/ @github/codeql-javascript
 /python/ @github/codeql-python
@@ -27,8 +28,8 @@
 # QL for QL reviewers
 /ql/ @github/codeql-ql-for-ql-reviewers
 
-# Bazel
-**/*.bazel @github/codeql-ci-reviewers
+# Bazel (excluding BUILD.bazel files)
+WORKSPACE.bazel @github/codeql-ci-reviewers
 **/*.bzl @github/codeql-ci-reviewers
 
 # Documentation etc
@@ -37,6 +38,7 @@
 
 # Workflows
 /.github/workflows/ @github/codeql-ci-reviewers
+/.github/workflows/go-* @github/codeql-go
 /.github/workflows/js-ml-tests.yml @github/codeql-ml-powered-queries-reviewers
 /.github/workflows/ql-for-ql-* @github/codeql-ql-for-ql-reviewers
 /.github/workflows/ruby-* @github/codeql-ruby

README.md

@@ -1,6 +1,6 @@
 # CodeQL
 
-This open source repository contains the standard CodeQL libraries and queries that power [GitHub Advanced Security](https://github.com/features/security/code) and the other application security products that [GitHub](https://github.com/features/security/) makes available to its customers worldwide. For the queries, libraries, and extractor that power Go analysis, visit the [CodeQL for Go repository](https://github.com/github/codeql-go).
+This open source repository contains the standard CodeQL libraries and queries that power [GitHub Advanced Security](https://github.com/features/security/code) and the other application security products that [GitHub](https://github.com/features/security/) makes available to its customers worldwide.
 
 ## How do I learn CodeQL and run queries?
 

codeql-workspace.yml

@@ -0,0 +1,32 @@
+provide:
+  - "*/ql/src/qlpack.yml"
+  - "*/ql/lib/qlpack.yml"
+  - "*/ql/test/qlpack.yml"
+  - "*/ql/examples/qlpack.yml"
+  - "*/ql/consistency-queries/qlpack.yml"
+  - "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml"
+  - "go/ql/config/legacy-support/qlpack.yml"
+  - "go/build/codeql-extractor-go/codeql-extractor.yml"
+  - "javascript/ql/experimental/adaptivethreatmodeling/lib/qlpack.yml"
+  # This pack is explicitly excluded from the workspace since most users
+  # will want to use a version of this pack from the package cache. Internal
+  # users can uncomment the following line and place a custom ML model
+  # in the corresponding pack to test a custom ML model within their local
+  # checkout.
+  # - "javascript/ql/experimental/adaptivethreatmodeling/model/qlpack.yml"
+  - "javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/qlpack.yml"
+  - "javascript/ql/experimental/adaptivethreatmodeling/src/qlpack.yml"
+  - "csharp/ql/campaigns/Solorigate/lib/qlpack.yml"
+  - "csharp/ql/campaigns/Solorigate/src/qlpack.yml"
+  - "csharp/ql/campaigns/Solorigate/test/qlpack.yml"
+  - "misc/legacy-support/*/qlpack.yml"
+  - "misc/suite-helpers/qlpack.yml"
+  - "ruby/extractor-pack/codeql-extractor.yml"
+  - "swift/extractor-pack/codeql-extractor.yml"
+  - "ql/extractor-pack/codeql-extractor.ym"
+
+versionPolicies:
+  default:
+    requireChangeNotes: true
+    committedPrereleaseSuffix: dev
+    committedVersion: nextPatchRelease

config/identical-files.json

@@ -22,13 +22,15 @@
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplForContentDataFlow.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForLibraries.qll"
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForLibraries.qll",
+    "swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl.qll"
   ],
   "DataFlow Java/C++/C#/Python Common": [
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll",
@@ -36,7 +38,8 @@
     "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplCommon.qll"
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplCommon.qll",
+    "swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImplCommon.qll"
   ],
   "TaintTracking::Configuration Java/C++/C#/Python": [
     "cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
@@ -57,7 +60,8 @@
     "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/tainttrackingforlibraries/TaintTrackingImpl.qll"
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/tainttrackingforlibraries/TaintTrackingImpl.qll",
+    "swift/ql/lib/codeql/swift/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
   ],
   "DataFlow Java/C++/C#/Python Consistency checks": [
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll",
@@ -65,7 +69,8 @@
     "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplConsistency.qll"
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplConsistency.qll",
+    "swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImplConsistency.qll"
   ],
   "DataFlow Java/C# Flow Summaries": [
     "java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
@@ -385,7 +390,8 @@
     "java/ql/test/TestUtilities/InlineExpectationsTest.qll",
     "python/ql/test/TestUtilities/InlineExpectationsTest.qll",
     "ruby/ql/test/TestUtilities/InlineExpectationsTest.qll",
-    "ql/ql/test/TestUtilities/InlineExpectationsTest.qll"
+    "ql/ql/test/TestUtilities/InlineExpectationsTest.qll",
+    "go/ql/test/TestUtilities/InlineExpectationsTest.qll"
   ],
   "C++ ExternalAPIs": [
     "cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll",
@@ -458,7 +464,8 @@
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/basessa/SsaImplCommon.qll",
     "csharp/ql/lib/semmle/code/cil/internal/SsaImplCommon.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/SsaImplCommon.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll",
+    "swift/ql/lib/codeql/swift/dataflow/internal/SsaImplCommon.qll"
   ],
   "CryptoAlgorithms Python/JS/Ruby": [
     "javascript/ql/lib/semmle/javascript/security/CryptoAlgorithms.qll",
@@ -475,20 +482,23 @@
     "python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qll",
     "ruby/ql/lib/codeql/ruby/security/internal/SensitiveDataHeuristics.qll"
   ],
-  "ReDoS Util Python/JS/Ruby": [
+  "ReDoS Util Python/JS/Ruby/Java": [
     "javascript/ql/lib/semmle/javascript/security/performance/ReDoSUtil.qll",
     "python/ql/lib/semmle/python/security/performance/ReDoSUtil.qll",
-    "ruby/ql/lib/codeql/ruby/security/performance/ReDoSUtil.qll"
+    "ruby/ql/lib/codeql/ruby/security/performance/ReDoSUtil.qll",
+    "java/ql/lib/semmle/code/java/security/performance/ReDoSUtil.qll"
   ],
-  "ReDoS Exponential Python/JS/Ruby": [
+  "ReDoS Exponential Python/JS/Ruby/Java": [
     "javascript/ql/lib/semmle/javascript/security/performance/ExponentialBackTracking.qll",
     "python/ql/lib/semmle/python/security/performance/ExponentialBackTracking.qll",
-    "ruby/ql/lib/codeql/ruby/security/performance/ExponentialBackTracking.qll"
+    "ruby/ql/lib/codeql/ruby/security/performance/ExponentialBackTracking.qll",
+    "java/ql/lib/semmle/code/java/security/performance/ExponentialBackTracking.qll"
   ],
-  "ReDoS Polynomial Python/JS/Ruby": [
+  "ReDoS Polynomial Python/JS/Ruby/Java": [
     "javascript/ql/lib/semmle/javascript/security/performance/SuperlinearBackTracking.qll",
     "python/ql/lib/semmle/python/security/performance/SuperlinearBackTracking.qll",
-    "ruby/ql/lib/codeql/ruby/security/performance/SuperlinearBackTracking.qll"
+    "ruby/ql/lib/codeql/ruby/security/performance/SuperlinearBackTracking.qll",
+    "java/ql/lib/semmle/code/java/security/performance/SuperlinearBackTracking.qll"
   ],
   "BadTagFilterQuery Python/JS/Ruby": [
     "javascript/ql/lib/semmle/javascript/security/BadTagFilterQuery.qll",
@@ -497,7 +507,8 @@
   ],
   "CFG": [
     "csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImplShared.qll",
-    "ruby/ql/lib/codeql/ruby/controlflow/internal/ControlFlowGraphImplShared.qll"
+    "ruby/ql/lib/codeql/ruby/controlflow/internal/ControlFlowGraphImplShared.qll",
+    "swift/ql/lib/codeql/swift/controlflow/internal/ControlFlowGraphImplShared.qll"
   ],
   "TypeTracker": [
     "python/ql/lib/semmle/python/dataflow/new/internal/TypeTracker.qll",
@@ -515,7 +526,8 @@
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/AccessPathSyntax.qll",
     "java/ql/lib/semmle/code/java/dataflow/internal/AccessPathSyntax.qll",
     "javascript/ql/lib/semmle/javascript/frameworks/data/internal/AccessPathSyntax.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/AccessPathSyntax.qll"
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/AccessPathSyntax.qll",
+    "python/ql/lib/semmle/python/frameworks/data/internal/AccessPathSyntax.qll"
   ],
   "IncompleteUrlSubstringSanitization": [
     "javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qll",
@@ -533,7 +545,8 @@
   ],
   "ApiGraphModels": [
     "javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll",
-    "ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll"
+    "ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll",
+    "python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModels.qll"
   ],
   "TaintedFormatStringQuery Ruby/JS": [
     "javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringQuery.qll",
@@ -550,5 +563,25 @@
   "HttpToFileAccessCustomizations JS/Ruby": [
     "javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessCustomizations.qll",
     "ruby/ql/lib/codeql/ruby/security/HttpToFileAccessCustomizations.qll"
+  ],
+  "Typo database": [
+    "javascript/ql/src/Expressions/TypoDatabase.qll",
+    "ql/ql/src/codeql_ql/style/TypoDatabase.qll"
+  ],
+  "Swift declarations test file": [
+    "swift/ql/test/extractor-tests/declarations/declarations.swift",
+    "swift/ql/test/library-tests/parent/declarations.swift"
+  ],
+  "Swift statements test file": [
+    "swift/ql/test/extractor-tests/statements/statements.swift",
+    "swift/ql/test/library-tests/parent/statements.swift"
+  ],
+  "Swift expressions test file": [
+    "swift/ql/test/extractor-tests/expressions/expressions.swift",
+    "swift/ql/test/library-tests/parent/expressions.swift"
+  ],
+  "Swift patterns test file": [
+    "swift/ql/test/extractor-tests/patterns/patterns.swift",
+    "swift/ql/test/library-tests/parent/patterns.swift"
   ]
 }

cpp/downgrades/19e31bf071f588bb7efd1e4d5a185ce4f6fbbd84/upgrade.properties

@@ -0,0 +1,3 @@
+description: Add relation for tracking C++ braced initializers
+compatibility: full
+braced_initialisers.rel: delete

cpp/downgrades/cf72c8898d19eb1b3374432cf79d8276cb07ad43/exprparents.ql

@@ -0,0 +1,21 @@
+class Element extends @element {
+  string toString() { none() }
+}
+
+class Expr extends @expr {
+  string toString() { none() }
+}
+
+class Stmt extends @stmt {
+  string toString() { none() }
+}
+
+predicate isStmtWithInitializer(Stmt stmt) {
+  exists(int kind | stmts(stmt, kind, _) | kind = 2 or kind = 11 or kind = 35)
+}
+
+from Expr child, int index, int index_new, Element parent
+where
+  exprparents(child, index, parent) and
+  if isStmtWithInitializer(parent) then index_new = index - 1 else index_new = index
+select child, index_new, parent

cpp/downgrades/cf72c8898d19eb1b3374432cf79d8276cb07ad43/stmtparents.ql

@@ -0,0 +1,22 @@
+class Element extends @element {
+  string toString() { none() }
+}
+
+class Stmt extends @stmt {
+  string toString() { none() }
+}
+
+predicate isStmtWithInitializer(Stmt stmt) {
+  exists(int kind | stmts(stmt, kind, _) | kind = 2 or kind = 11 or kind = 35)
+}
+
+from Stmt child, int index, int index_new, Element parent
+where
+  stmtparents(child, index, parent) and
+  (
+    not isStmtWithInitializer(parent)
+    or
+    index > 0
+  ) and
+  if isStmtWithInitializer(parent) then index_new = index - 1 else index_new = index
+select child, index_new, parent

cpp/downgrades/cf72c8898d19eb1b3374432cf79d8276cb07ad43/upgrade.properties

@@ -0,0 +1,6 @@
+description: Support C++17 if and switch initializers
+compatibility: partial
+if_initialization.rel: delete
+switch_initialization.rel: delete
+exprparents.rel: run exprparents.qlo
+stmtparents.rel: run stmtparents.qlo

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,13 @@
+## 0.2.2
+
+### Deprecated APIs
+
+ * The `AnalysedString` class in the `StringAnalysis` module has been replaced with `AnalyzedString`, to follow our style guide. The old name still exists as a deprecated alias.
+
+### New Features
+
+* A `getInitialization` predicate was added to the `ConstexprIfStmt`, `IfStmt`, and `SwitchStmt` classes that yields the C++17-style initializer of the `if` or `switch` statement when it exists.
+
 ## 0.2.1
 
 ## 0.2.0

cpp/ql/lib/change-notes/2022-05-30-braced-initializers.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* An `isBraced` predicate was added to the `Initializer` class which holds when a C++ braced initializer was used in the initialization.

cpp/ql/lib/change-notes/released/0.2.2.md

@@ -0,0 +1,9 @@
+## 0.2.2
+
+### Deprecated APIs
+
+ * The `AnalysedString` class in the `StringAnalysis` module has been replaced with `AnalyzedString`, to follow our style guide. The old name still exists as a deprecated alias.
+
+### New Features
+
+* A `getInitialization` predicate was added to the `ConstexprIfStmt`, `IfStmt`, and `SwitchStmt` classes that yields the C++17-style initializer of the `if` or `switch` statement when it exists.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.2.1
+lastReleaseVersion: 0.2.2

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.2.1
+version: 0.2.3-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/Field.qll

@@ -31,7 +31,7 @@ class Field extends MemberVariable {
   int getByteOffset() { fieldoffsets(underlyingElement(this), result, _) }
 
   /**
-   * Gets the byte offset within `mostDerivedClass` of each occurence of this
+   * Gets the byte offset within `mostDerivedClass` of each occurrence of this
    * field within `mostDerivedClass` itself or a base class subobject of
    * `mostDerivedClass`.
    * Note that for fields of virtual base classes, and non-virtual base classes

cpp/ql/lib/semmle/code/cpp/Initializer.qll

@@ -51,4 +51,7 @@ class Initializer extends ControlFlowNode, @initialiser {
   override Function getControlFlowScope() { result = this.getExpr().getEnclosingFunction() }
 
   override Stmt getEnclosingStmt() { result = this.getExpr().getEnclosingStmt() }
+
+  /** Holds if the initializer used the C++ braced initializer notation. */
+  predicate isBraced() { braced_initialisers(underlyingElement(this)) }
 }

cpp/ql/lib/semmle/code/cpp/PrintAST.qll

@@ -663,18 +663,24 @@ private predicate namedStmtChildPredicates(Locatable s, Element e, string pred)
     or
     s.(ComputedGotoStmt).getExpr() = e and pred = "getExpr()"
     or
+    s.(ConstexprIfStmt).getInitialization() = e and pred = "getInitialization()"
+    or
     s.(ConstexprIfStmt).getCondition() = e and pred = "getCondition()"
     or
     s.(ConstexprIfStmt).getThen() = e and pred = "getThen()"
     or
     s.(ConstexprIfStmt).getElse() = e and pred = "getElse()"
     or
+    s.(IfStmt).getInitialization() = e and pred = "getInitialization()"
+    or
     s.(IfStmt).getCondition() = e and pred = "getCondition()"
     or
     s.(IfStmt).getThen() = e and pred = "getThen()"
     or
     s.(IfStmt).getElse() = e and pred = "getElse()"
     or
+    s.(SwitchStmt).getInitialization() = e and pred = "getInitialization()"
+    or
     s.(SwitchStmt).getExpr() = e and pred = "getExpr()"
     or
     s.(SwitchStmt).getStmt() = e and pred = "getStmt()"

cpp/ql/lib/semmle/code/cpp/commons/Printf.qll

@@ -872,7 +872,7 @@ class FormatLiteral extends Literal {
 
   private Type getConversionType1(int n) {
     exists(string cnv | cnv = this.getConversionChar(n) |
-      cnv.regexpMatch("d|i") and
+      cnv = ["d", "i"] and
       result = this.getIntegralConversion(n) and
       not result.getUnderlyingType().(IntegralType).isExplicitlySigned() and
       not result.getUnderlyingType().(IntegralType).isExplicitlyUnsigned()
@@ -912,7 +912,7 @@ class FormatLiteral extends Literal {
 
   private Type getConversionType2(int n) {
     exists(string cnv | cnv = this.getConversionChar(n) |
-      cnv.regexpMatch("o|u|x|X") and
+      cnv = ["o", "u", "x", "X"] and
       result = this.getIntegralConversion(n) and
       result.getUnderlyingType().(IntegralType).isUnsigned()
     )
@@ -920,7 +920,7 @@ class FormatLiteral extends Literal {
 
   private Type getConversionType3(int n) {
     exists(string cnv | cnv = this.getConversionChar(n) |
-      cnv.regexpMatch("a|A|e|E|f|F|g|G") and result = this.getFloatingPointConversion(n)
+      cnv = ["a", "A", "e", "E", "f", "F", "g", "G"] and result = this.getFloatingPointConversion(n)
     )
   }
 
@@ -1312,7 +1312,7 @@ class FormatLiteral extends Literal {
         len =
           min(int v |
             v = this.getPrecision(n) or
-            v = this.getUse().getFormatArgument(n).(AnalysedString).getMaxLength() - 1 // (don't count null terminator)
+            v = this.getUse().getFormatArgument(n).(AnalyzedString).getMaxLength() - 1 // (don't count null terminator)
           ) and
         reason = TValueFlowAnalysis()
       )

cpp/ql/lib/semmle/code/cpp/commons/StringAnalysis.qll

@@ -27,11 +27,14 @@ predicate canValueFlow(Expr fromExpr, Expr toExpr) {
   fromExpr = toExpr.(ConditionalExpr).getElse()
 }
 
+/** DEPRECATED: Alias for AnalyzedString */
+deprecated class AnalysedString = AnalyzedString;
+
 /**
- * An analysed null terminated string.
+ * An analyzed null terminated string.
  */
-class AnalysedString extends Expr {
-  AnalysedString() {
+class AnalyzedString extends Expr {
+  AnalyzedString() {
     this.getUnspecifiedType() instanceof ArrayType or
     this.getUnspecifiedType() instanceof PointerType
   }
@@ -41,15 +44,15 @@ class AnalysedString extends Expr {
    * can be calculated.
    */
   int getMaxLength() {
-    // take the longest AnalysedString it's value could 'flow' from; however if even one doesn't
+    // take the longest AnalyzedString its value could 'flow' from; however if even one doesn't
     // return a value (this essentially means 'infinity') we can't return a value either.
     result =
-      max(AnalysedString expr, int toMax |
+      max(AnalyzedString expr, int toMax |
         canValueFlow*(expr, this) and toMax = expr.(StringLiteral).getOriginalLength()
       |
         toMax
       ) and // maximum length
-    forall(AnalysedString expr | canValueFlow(expr, this) | exists(expr.getMaxLength())) // all sources return a value (recursive)
+    forall(AnalyzedString expr | canValueFlow(expr, this) | exists(expr.getMaxLength())) // all sources return a value (recursive)
   }
 }
 

cpp/ql/lib/semmle/code/cpp/controlflow/internal/CFG.qll

@@ -708,30 +708,33 @@ private predicate straightLineSparse(Node scope, int i, Node ni, Spec spec) {
   or
   scope =
     any(SwitchStmt s |
+      // SwitchStmt [-> init] -> expr
       i = -1 and ni = s and spec.isAt()
       or
-      i = 0 and ni = s.getExpr() and spec.isAround()
+      i = 0 and ni = s.getInitialization() and spec.isAround()
+      or
+      i = 1 and ni = s.getExpr() and spec.isAround()
       or
       // If the switch body is not a block then this step is skipped, and the
       // expression jumps directly to the cases.
-      i = 1 and ni = s.getStmt().(BlockStmt) and spec.isAt()
+      i = 2 and ni = s.getStmt().(BlockStmt) and spec.isAt()
       or
-      i = 2 and ni = s.getASwitchCase() and spec.isBefore()
+      i = 3 and ni = s.getASwitchCase() and spec.isBefore()
       or
       // If there is no default case, we can jump to after the block. Note: `i`
       // is same value as above.
       not s.getASwitchCase() instanceof DefaultCase and
-      i = 2 and
+      i = 3 and
       ni = s.getStmt() and
       spec.isAfter()
       or
-      i = 3 and /* BARRIER */ ni = s and spec.isBarrier()
+      i = 4 and /* BARRIER */ ni = s and spec.isBarrier()
       or
-      i = 4 and ni = s.getStmt() and spec.isAfter()
+      i = 5 and ni = s.getStmt() and spec.isAfter()
       or
-      i = 5 and ni = s and spec.isAroundDestructors()
+      i = 6 and ni = s and spec.isAroundDestructors()
       or
-      i = 6 and ni = s and spec.isAfter()
+      i = 7 and ni = s and spec.isAfter()
     )
   or
   scope =
@@ -836,8 +839,15 @@ private predicate subEdge(Pos p1, Node n1, Node n2, Pos p2) {
     p2.nodeAt(n2, f)
   )
   or
-  // IfStmt -> condition ; { then, else } ->
+  // IfStmt -> [ init -> ] condition ; { then, else } ->
   exists(IfStmt s |
+    p1.nodeAt(n1, s) and
+    p2.nodeBefore(n2, s.getInitialization())
+    or
+    p1.nodeAfter(n1, s.getInitialization()) and
+    p2.nodeBefore(n2, s.getCondition())
+    or
+    not exists(s.getInitialization()) and
     p1.nodeAt(n1, s) and
     p2.nodeBefore(n2, s.getCondition())
     or
@@ -851,8 +861,15 @@ private predicate subEdge(Pos p1, Node n1, Node n2, Pos p2) {
     p2.nodeAfter(n2, s)
   )
   or
-  // ConstexprIfStmt -> condition ; { then, else } -> // same as IfStmt
+  // ConstexprIfStmt -> [ init -> ] condition ; { then, else } -> // same as IfStmt
   exists(ConstexprIfStmt s |
+    p1.nodeAt(n1, s) and
+    p2.nodeBefore(n2, s.getInitialization())
+    or
+    p1.nodeAfter(n1, s.getInitialization()) and
+    p2.nodeBefore(n2, s.getCondition())
+    or
+    not exists(s.getInitialization()) and
     p1.nodeAt(n1, s) and
     p2.nodeBefore(n2, s.getCondition())
     or
@@ -953,7 +970,7 @@ private predicate subEdge(Pos p1, Node n1, Node n2, Pos p2) {
 private predicate subEdgeIncludingDestructors(Pos p1, Node n1, Node n2, Pos p2) {
   subEdge(p1, n1, n2, p2)
   or
-  // If `n1` has sub-nodes to accomodate destructors, but there are none to be
+  // If `n1` has sub-nodes to accommodate destructors, but there are none to be
   // called, connect the "before destructors" node directly to the "after
   // destructors" node. For performance, only do this when the nodes exist.
   exists(Pos afterDtors | afterDtors.isAfterDestructors() | subEdge(afterDtors, n1, _, _)) and

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll

@@ -170,6 +170,14 @@ abstract class Configuration extends string {
    */
   int explorationLimit() { none() }
 
+  /**
+   * Holds if hidden nodes should be included in the data flow graph.
+   *
+   * This feature should only be used for debugging or when the data flow graph
+   * is not visualized (for example in a `path-problem` query).
+   */
+  predicate includeHiddenNodes() { none() }
+
   /**
    * Holds if there is a partial data flow path from `source` to `node`. The
    * approximate distance between `node` and the closest source is `dist` and
@@ -3653,7 +3661,7 @@ private newtype TPathNode =
  * of dereference operations needed to get from the value in the node to the
  * tracked object. The final type indicates the type of the tracked object.
  */
-abstract private class AccessPath extends TAccessPath {
+private class AccessPath extends TAccessPath {
   /** Gets the head of this access path, if any. */
   abstract TypedContent getHead();
 
@@ -3846,16 +3854,11 @@ class PathNode extends TPathNode {
   /** Gets the associated configuration. */
   Configuration getConfiguration() { none() }
 
-  private PathNode getASuccessorIfHidden() {
-    this.(PathNodeImpl).isHidden() and
-    result = this.(PathNodeImpl).getASuccessorImpl()
-  }
-
   /** Gets a successor of this node, if any. */
   final PathNode getASuccessor() {
-    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.(PathNodeImpl).isHidden() and
-    not result.(PathNodeImpl).isHidden()
+    result = this.(PathNodeImpl).getANonHiddenSuccessor() and
+    reach(this) and
+    reach(result)
   }
 
   /** Holds if this node is a source. */
@@ -3863,16 +3866,30 @@ class PathNode extends TPathNode {
 }
 
 abstract private class PathNodeImpl extends PathNode {
-  abstract PathNode getASuccessorImpl();
+  abstract PathNodeImpl getASuccessorImpl();
+
+  private PathNodeImpl getASuccessorIfHidden() {
+    this.isHidden() and
+    result = this.getASuccessorImpl()
+  }
+
+  final PathNodeImpl getANonHiddenSuccessor() {
+    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
+    not this.isHidden() and
+    not result.isHidden()
+  }
 
   abstract NodeEx getNodeEx();
 
   predicate isHidden() {
-    hiddenNode(this.getNodeEx().asNode()) and
-    not this.isSource() and
-    not this instanceof PathNodeSink
-    or
-    this.getNodeEx() instanceof TNodeImplicitRead
+    not this.getConfiguration().includeHiddenNodes() and
+    (
+      hiddenNode(this.getNodeEx().asNode()) and
+      not this.isSource() and
+      not this instanceof PathNodeSink
+      or
+      this.getNodeEx() instanceof TNodeImplicitRead
+    )
   }
 
   private string ppAp() {
@@ -3903,15 +3920,17 @@ abstract private class PathNodeImpl extends PathNode {
 }
 
 /** Holds if `n` can reach a sink. */
-private predicate directReach(PathNode n) {
-  n instanceof PathNodeSink or directReach(n.getASuccessor())
+private predicate directReach(PathNodeImpl n) {
+  n instanceof PathNodeSink or directReach(n.getANonHiddenSuccessor())
 }
 
 /** Holds if `n` can reach a sink or is used in a subpath that can reach a sink. */
 private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
 
 /** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and directReach(n2) }
+private predicate pathSucc(PathNodeImpl n1, PathNode n2) {
+  n1.getANonHiddenSuccessor() = n2 and directReach(n2)
+}
 
 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
 
@@ -3920,7 +3939,7 @@ private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1
  */
 module PathGraph {
   /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b and reach(a) and reach(b) }
+  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b }
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(PathNode n, string key, string val) {
@@ -4038,7 +4057,7 @@ private class PathNodeSink extends PathNodeImpl, TPathNodeSink {
 
   override Configuration getConfiguration() { result = config }
 
-  override PathNode getASuccessorImpl() { none() }
+  override PathNodeImpl getASuccessorImpl() { none() }
 
   override predicate isSource() { sourceNode(node, state, config) }
 }
@@ -4354,8 +4373,8 @@ private module Subpaths {
   }
 
   pragma[nomagic]
-  private predicate hasSuccessor(PathNode pred, PathNodeMid succ, NodeEx succNode) {
-    succ = pred.getASuccessor() and
+  private predicate hasSuccessor(PathNodeImpl pred, PathNodeMid succ, NodeEx succNode) {
+    succ = pred.getANonHiddenSuccessor() and
     succNode = succ.getNodeEx()
   }
 
@@ -4364,9 +4383,9 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
+  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
     exists(ParamNodeEx p, NodeEx o, FlowState sout, AccessPath apout, PathNodeMid out0 |
-      pragma[only_bind_into](arg).getASuccessor() = pragma[only_bind_into](out0) and
+      pragma[only_bind_into](arg).getANonHiddenSuccessor() = pragma[only_bind_into](out0) and
       subpaths03(pragma[only_bind_into](arg), p, localStepToHidden*(ret), o, sout, apout) and
       hasSuccessor(pragma[only_bind_into](arg), par, p) and
       not ret.isHidden() and
@@ -4379,12 +4398,12 @@ private module Subpaths {
   /**
    * Holds if `n` can reach a return node in a summarized subpath that can reach a sink.
    */
-  predicate retReach(PathNode n) {
+  predicate retReach(PathNodeImpl n) {
     exists(PathNode out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
     or
-    exists(PathNode mid |
+    exists(PathNodeImpl mid |
       retReach(mid) and
-      n.getASuccessor() = mid and
+      n.getANonHiddenSuccessor() = mid and
       not subpaths(_, mid, _, _)
     )
   }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll

@@ -170,6 +170,14 @@ abstract class Configuration extends string {
    */
   int explorationLimit() { none() }
 
+  /**
+   * Holds if hidden nodes should be included in the data flow graph.
+   *
+   * This feature should only be used for debugging or when the data flow graph
+   * is not visualized (for example in a `path-problem` query).
+   */
+  predicate includeHiddenNodes() { none() }
+
   /**
    * Holds if there is a partial data flow path from `source` to `node`. The
    * approximate distance between `node` and the closest source is `dist` and
@@ -3653,7 +3661,7 @@ private newtype TPathNode =
  * of dereference operations needed to get from the value in the node to the
  * tracked object. The final type indicates the type of the tracked object.
  */
-abstract private class AccessPath extends TAccessPath {
+private class AccessPath extends TAccessPath {
   /** Gets the head of this access path, if any. */
   abstract TypedContent getHead();
 
@@ -3846,16 +3854,11 @@ class PathNode extends TPathNode {
   /** Gets the associated configuration. */
   Configuration getConfiguration() { none() }
 
-  private PathNode getASuccessorIfHidden() {
-    this.(PathNodeImpl).isHidden() and
-    result = this.(PathNodeImpl).getASuccessorImpl()
-  }
-
   /** Gets a successor of this node, if any. */
   final PathNode getASuccessor() {
-    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.(PathNodeImpl).isHidden() and
-    not result.(PathNodeImpl).isHidden()
+    result = this.(PathNodeImpl).getANonHiddenSuccessor() and
+    reach(this) and
+    reach(result)
   }
 
   /** Holds if this node is a source. */
@@ -3863,16 +3866,30 @@ class PathNode extends TPathNode {
 }
 
 abstract private class PathNodeImpl extends PathNode {
-  abstract PathNode getASuccessorImpl();
+  abstract PathNodeImpl getASuccessorImpl();
+
+  private PathNodeImpl getASuccessorIfHidden() {
+    this.isHidden() and
+    result = this.getASuccessorImpl()
+  }
+
+  final PathNodeImpl getANonHiddenSuccessor() {
+    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
+    not this.isHidden() and
+    not result.isHidden()
+  }
 
   abstract NodeEx getNodeEx();
 
   predicate isHidden() {
-    hiddenNode(this.getNodeEx().asNode()) and
-    not this.isSource() and
-    not this instanceof PathNodeSink
-    or
-    this.getNodeEx() instanceof TNodeImplicitRead
+    not this.getConfiguration().includeHiddenNodes() and
+    (
+      hiddenNode(this.getNodeEx().asNode()) and
+      not this.isSource() and
+      not this instanceof PathNodeSink
+      or
+      this.getNodeEx() instanceof TNodeImplicitRead
+    )
   }
 
   private string ppAp() {
@@ -3903,15 +3920,17 @@ abstract private class PathNodeImpl extends PathNode {
 }
 
 /** Holds if `n` can reach a sink. */
-private predicate directReach(PathNode n) {
-  n instanceof PathNodeSink or directReach(n.getASuccessor())
+private predicate directReach(PathNodeImpl n) {
+  n instanceof PathNodeSink or directReach(n.getANonHiddenSuccessor())
 }
 
 /** Holds if `n` can reach a sink or is used in a subpath that can reach a sink. */
 private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
 
 /** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and directReach(n2) }
+private predicate pathSucc(PathNodeImpl n1, PathNode n2) {
+  n1.getANonHiddenSuccessor() = n2 and directReach(n2)
+}
 
 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
 
@@ -3920,7 +3939,7 @@ private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1
  */
 module PathGraph {
   /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b and reach(a) and reach(b) }
+  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b }
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(PathNode n, string key, string val) {
@@ -4038,7 +4057,7 @@ private class PathNodeSink extends PathNodeImpl, TPathNodeSink {
 
   override Configuration getConfiguration() { result = config }
 
-  override PathNode getASuccessorImpl() { none() }
+  override PathNodeImpl getASuccessorImpl() { none() }
 
   override predicate isSource() { sourceNode(node, state, config) }
 }
@@ -4354,8 +4373,8 @@ private module Subpaths {
   }
 
   pragma[nomagic]
-  private predicate hasSuccessor(PathNode pred, PathNodeMid succ, NodeEx succNode) {
-    succ = pred.getASuccessor() and
+  private predicate hasSuccessor(PathNodeImpl pred, PathNodeMid succ, NodeEx succNode) {
+    succ = pred.getANonHiddenSuccessor() and
     succNode = succ.getNodeEx()
   }
 
@@ -4364,9 +4383,9 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
+  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
     exists(ParamNodeEx p, NodeEx o, FlowState sout, AccessPath apout, PathNodeMid out0 |
-      pragma[only_bind_into](arg).getASuccessor() = pragma[only_bind_into](out0) and
+      pragma[only_bind_into](arg).getANonHiddenSuccessor() = pragma[only_bind_into](out0) and
       subpaths03(pragma[only_bind_into](arg), p, localStepToHidden*(ret), o, sout, apout) and
       hasSuccessor(pragma[only_bind_into](arg), par, p) and
       not ret.isHidden() and
@@ -4379,12 +4398,12 @@ private module Subpaths {
   /**
    * Holds if `n` can reach a return node in a summarized subpath that can reach a sink.
    */
-  predicate retReach(PathNode n) {
+  predicate retReach(PathNodeImpl n) {
     exists(PathNode out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
     or
-    exists(PathNode mid |
+    exists(PathNodeImpl mid |
       retReach(mid) and
-      n.getASuccessor() = mid and
+      n.getANonHiddenSuccessor() = mid and
       not subpaths(_, mid, _, _)
     )
   }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll

@@ -170,6 +170,14 @@ abstract class Configuration extends string {
    */
   int explorationLimit() { none() }
 
+  /**
+   * Holds if hidden nodes should be included in the data flow graph.
+   *
+   * This feature should only be used for debugging or when the data flow graph
+   * is not visualized (for example in a `path-problem` query).
+   */
+  predicate includeHiddenNodes() { none() }
+
   /**
    * Holds if there is a partial data flow path from `source` to `node`. The
    * approximate distance between `node` and the closest source is `dist` and
@@ -3653,7 +3661,7 @@ private newtype TPathNode =
  * of dereference operations needed to get from the value in the node to the
  * tracked object. The final type indicates the type of the tracked object.
  */
-abstract private class AccessPath extends TAccessPath {
+private class AccessPath extends TAccessPath {
   /** Gets the head of this access path, if any. */
   abstract TypedContent getHead();
 
@@ -3846,16 +3854,11 @@ class PathNode extends TPathNode {
   /** Gets the associated configuration. */
   Configuration getConfiguration() { none() }
 
-  private PathNode getASuccessorIfHidden() {
-    this.(PathNodeImpl).isHidden() and
-    result = this.(PathNodeImpl).getASuccessorImpl()
-  }
-
   /** Gets a successor of this node, if any. */
   final PathNode getASuccessor() {
-    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.(PathNodeImpl).isHidden() and
-    not result.(PathNodeImpl).isHidden()
+    result = this.(PathNodeImpl).getANonHiddenSuccessor() and
+    reach(this) and
+    reach(result)
   }
 
   /** Holds if this node is a source. */
@@ -3863,16 +3866,30 @@ class PathNode extends TPathNode {
 }
 
 abstract private class PathNodeImpl extends PathNode {
-  abstract PathNode getASuccessorImpl();
+  abstract PathNodeImpl getASuccessorImpl();
+
+  private PathNodeImpl getASuccessorIfHidden() {
+    this.isHidden() and
+    result = this.getASuccessorImpl()
+  }
+
+  final PathNodeImpl getANonHiddenSuccessor() {
+    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
+    not this.isHidden() and
+    not result.isHidden()
+  }
 
   abstract NodeEx getNodeEx();
 
   predicate isHidden() {
-    hiddenNode(this.getNodeEx().asNode()) and
-    not this.isSource() and
-    not this instanceof PathNodeSink
-    or
-    this.getNodeEx() instanceof TNodeImplicitRead
+    not this.getConfiguration().includeHiddenNodes() and
+    (
+      hiddenNode(this.getNodeEx().asNode()) and
+      not this.isSource() and
+      not this instanceof PathNodeSink
+      or
+      this.getNodeEx() instanceof TNodeImplicitRead
+    )
   }
 
   private string ppAp() {
@@ -3903,15 +3920,17 @@ abstract private class PathNodeImpl extends PathNode {
 }
 
 /** Holds if `n` can reach a sink. */
-private predicate directReach(PathNode n) {
-  n instanceof PathNodeSink or directReach(n.getASuccessor())
+private predicate directReach(PathNodeImpl n) {
+  n instanceof PathNodeSink or directReach(n.getANonHiddenSuccessor())
 }
 
 /** Holds if `n` can reach a sink or is used in a subpath that can reach a sink. */
 private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
 
 /** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and directReach(n2) }
+private predicate pathSucc(PathNodeImpl n1, PathNode n2) {
+  n1.getANonHiddenSuccessor() = n2 and directReach(n2)
+}
 
 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
 
@@ -3920,7 +3939,7 @@ private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1
  */
 module PathGraph {
   /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b and reach(a) and reach(b) }
+  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b }
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(PathNode n, string key, string val) {
@@ -4038,7 +4057,7 @@ private class PathNodeSink extends PathNodeImpl, TPathNodeSink {
 
   override Configuration getConfiguration() { result = config }
 
-  override PathNode getASuccessorImpl() { none() }
+  override PathNodeImpl getASuccessorImpl() { none() }
 
   override predicate isSource() { sourceNode(node, state, config) }
 }
@@ -4354,8 +4373,8 @@ private module Subpaths {
   }
 
   pragma[nomagic]
-  private predicate hasSuccessor(PathNode pred, PathNodeMid succ, NodeEx succNode) {
-    succ = pred.getASuccessor() and
+  private predicate hasSuccessor(PathNodeImpl pred, PathNodeMid succ, NodeEx succNode) {
+    succ = pred.getANonHiddenSuccessor() and
     succNode = succ.getNodeEx()
   }
 
@@ -4364,9 +4383,9 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
+  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
     exists(ParamNodeEx p, NodeEx o, FlowState sout, AccessPath apout, PathNodeMid out0 |
-      pragma[only_bind_into](arg).getASuccessor() = pragma[only_bind_into](out0) and
+      pragma[only_bind_into](arg).getANonHiddenSuccessor() = pragma[only_bind_into](out0) and
       subpaths03(pragma[only_bind_into](arg), p, localStepToHidden*(ret), o, sout, apout) and
       hasSuccessor(pragma[only_bind_into](arg), par, p) and
       not ret.isHidden() and
@@ -4379,12 +4398,12 @@ private module Subpaths {
   /**
    * Holds if `n` can reach a return node in a summarized subpath that can reach a sink.
    */
-  predicate retReach(PathNode n) {
+  predicate retReach(PathNodeImpl n) {
     exists(PathNode out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
     or
-    exists(PathNode mid |
+    exists(PathNodeImpl mid |
       retReach(mid) and
-      n.getASuccessor() = mid and
+      n.getANonHiddenSuccessor() = mid and
       not subpaths(_, mid, _, _)
     )
   }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll

@@ -170,6 +170,14 @@ abstract class Configuration extends string {
    */
   int explorationLimit() { none() }
 
+  /**
+   * Holds if hidden nodes should be included in the data flow graph.
+   *
+   * This feature should only be used for debugging or when the data flow graph
+   * is not visualized (for example in a `path-problem` query).
+   */
+  predicate includeHiddenNodes() { none() }
+
   /**
    * Holds if there is a partial data flow path from `source` to `node`. The
    * approximate distance between `node` and the closest source is `dist` and
@@ -3653,7 +3661,7 @@ private newtype TPathNode =
  * of dereference operations needed to get from the value in the node to the
  * tracked object. The final type indicates the type of the tracked object.
  */
-abstract private class AccessPath extends TAccessPath {
+private class AccessPath extends TAccessPath {
   /** Gets the head of this access path, if any. */
   abstract TypedContent getHead();
 
@@ -3846,16 +3854,11 @@ class PathNode extends TPathNode {
   /** Gets the associated configuration. */
   Configuration getConfiguration() { none() }
 
-  private PathNode getASuccessorIfHidden() {
-    this.(PathNodeImpl).isHidden() and
-    result = this.(PathNodeImpl).getASuccessorImpl()
-  }
-
   /** Gets a successor of this node, if any. */
   final PathNode getASuccessor() {
-    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.(PathNodeImpl).isHidden() and
-    not result.(PathNodeImpl).isHidden()
+    result = this.(PathNodeImpl).getANonHiddenSuccessor() and
+    reach(this) and
+    reach(result)
   }
 
   /** Holds if this node is a source. */
@@ -3863,16 +3866,30 @@ class PathNode extends TPathNode {
 }
 
 abstract private class PathNodeImpl extends PathNode {
-  abstract PathNode getASuccessorImpl();
+  abstract PathNodeImpl getASuccessorImpl();
+
+  private PathNodeImpl getASuccessorIfHidden() {
+    this.isHidden() and
+    result = this.getASuccessorImpl()
+  }
+
+  final PathNodeImpl getANonHiddenSuccessor() {
+    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
+    not this.isHidden() and
+    not result.isHidden()
+  }
 
   abstract NodeEx getNodeEx();
 
   predicate isHidden() {
-    hiddenNode(this.getNodeEx().asNode()) and
-    not this.isSource() and
-    not this instanceof PathNodeSink
-    or
-    this.getNodeEx() instanceof TNodeImplicitRead
+    not this.getConfiguration().includeHiddenNodes() and
+    (
+      hiddenNode(this.getNodeEx().asNode()) and
+      not this.isSource() and
+      not this instanceof PathNodeSink
+      or
+      this.getNodeEx() instanceof TNodeImplicitRead
+    )
   }
 
   private string ppAp() {
@@ -3903,15 +3920,17 @@ abstract private class PathNodeImpl extends PathNode {
 }
 
 /** Holds if `n` can reach a sink. */
-private predicate directReach(PathNode n) {
-  n instanceof PathNodeSink or directReach(n.getASuccessor())
+private predicate directReach(PathNodeImpl n) {
+  n instanceof PathNodeSink or directReach(n.getANonHiddenSuccessor())
 }
 
 /** Holds if `n` can reach a sink or is used in a subpath that can reach a sink. */
 private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
 
 /** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and directReach(n2) }
+private predicate pathSucc(PathNodeImpl n1, PathNode n2) {
+  n1.getANonHiddenSuccessor() = n2 and directReach(n2)
+}
 
 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
 
@@ -3920,7 +3939,7 @@ private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1
  */
 module PathGraph {
   /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b and reach(a) and reach(b) }
+  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b }
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(PathNode n, string key, string val) {
@@ -4038,7 +4057,7 @@ private class PathNodeSink extends PathNodeImpl, TPathNodeSink {
 
   override Configuration getConfiguration() { result = config }
 
-  override PathNode getASuccessorImpl() { none() }
+  override PathNodeImpl getASuccessorImpl() { none() }
 
   override predicate isSource() { sourceNode(node, state, config) }
 }
@@ -4354,8 +4373,8 @@ private module Subpaths {
   }
 
   pragma[nomagic]
-  private predicate hasSuccessor(PathNode pred, PathNodeMid succ, NodeEx succNode) {
-    succ = pred.getASuccessor() and
+  private predicate hasSuccessor(PathNodeImpl pred, PathNodeMid succ, NodeEx succNode) {
+    succ = pred.getANonHiddenSuccessor() and
     succNode = succ.getNodeEx()
   }
 
@@ -4364,9 +4383,9 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
+  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
     exists(ParamNodeEx p, NodeEx o, FlowState sout, AccessPath apout, PathNodeMid out0 |
-      pragma[only_bind_into](arg).getASuccessor() = pragma[only_bind_into](out0) and
+      pragma[only_bind_into](arg).getANonHiddenSuccessor() = pragma[only_bind_into](out0) and
       subpaths03(pragma[only_bind_into](arg), p, localStepToHidden*(ret), o, sout, apout) and
       hasSuccessor(pragma[only_bind_into](arg), par, p) and
       not ret.isHidden() and
@@ -4379,12 +4398,12 @@ private module Subpaths {
   /**
    * Holds if `n` can reach a return node in a summarized subpath that can reach a sink.
    */
-  predicate retReach(PathNode n) {
+  predicate retReach(PathNodeImpl n) {
     exists(PathNode out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
     or
-    exists(PathNode mid |
+    exists(PathNodeImpl mid |
       retReach(mid) and
-      n.getASuccessor() = mid and
+      n.getANonHiddenSuccessor() = mid and
       not subpaths(_, mid, _, _)
     )
   }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll

@@ -216,10 +216,9 @@ private module LambdaFlow {
     or
     // jump step
     exists(Node mid, DataFlowType t0 |
-      revLambdaFlow(lambdaCall, kind, mid, t0, _, _, _) and
+      revLambdaFlow(lambdaCall, kind, mid, t0, _, _, lastCall) and
       toReturn = false and
-      toJump = true and
-      lastCall = TDataFlowCallNone()
+      toJump = true
     |
       jumpStepCached(node, mid) and
       t = t0
@@ -305,7 +304,7 @@ cached
 private module Cached {
   /**
    * If needed, call this predicate from `DataFlowImplSpecific.qll` in order to
-   * force a stage-dependency on the `DataFlowImplCommon.qll` stage and therby
+   * force a stage-dependency on the `DataFlowImplCommon.qll` stage and thereby
    * collapsing the two stages.
    */
   cached
@@ -789,24 +788,31 @@ private module Cached {
   cached
   predicate readSet(Node node1, ContentSet c, Node node2) { readStep(node1, c, node2) }
 
+  cached
+  predicate storeSet(
+    Node node1, ContentSet c, Node node2, DataFlowType contentType, DataFlowType containerType
+  ) {
+    storeStep(node1, c, node2) and
+    contentType = getNodeDataFlowType(node1) and
+    containerType = getNodeDataFlowType(node2)
+    or
+    exists(Node n1, Node n2 |
+      n1 = node1.(PostUpdateNode).getPreUpdateNode() and
+      n2 = node2.(PostUpdateNode).getPreUpdateNode()
+    |
+      argumentValueFlowsThrough(n2, TReadStepTypesSome(containerType, c, contentType), n1)
+      or
+      readSet(n2, c, n1) and
+      contentType = getNodeDataFlowType(n1) and
+      containerType = getNodeDataFlowType(n2)
+    )
+  }
+
   private predicate store(
     Node node1, Content c, Node node2, DataFlowType contentType, DataFlowType containerType
   ) {
-    exists(ContentSet cs | c = cs.getAStoreContent() |
-      storeStep(node1, cs, node2) and
-      contentType = getNodeDataFlowType(node1) and
-      containerType = getNodeDataFlowType(node2)
-      or
-      exists(Node n1, Node n2 |
-        n1 = node1.(PostUpdateNode).getPreUpdateNode() and
-        n2 = node2.(PostUpdateNode).getPreUpdateNode()
-      |
-        argumentValueFlowsThrough(n2, TReadStepTypesSome(containerType, cs, contentType), n1)
-        or
-        readSet(n2, cs, n1) and
-        contentType = getNodeDataFlowType(n1) and
-        containerType = getNodeDataFlowType(n2)
-      )
+    exists(ContentSet cs |
+      c = cs.getAStoreContent() and storeSet(node1, cs, node2, contentType, containerType)
     )
   }
 

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll

@@ -170,6 +170,14 @@ abstract class Configuration extends string {
    */
   int explorationLimit() { none() }
 
+  /**
+   * Holds if hidden nodes should be included in the data flow graph.
+   *
+   * This feature should only be used for debugging or when the data flow graph
+   * is not visualized (for example in a `path-problem` query).
+   */
+  predicate includeHiddenNodes() { none() }
+
   /**
    * Holds if there is a partial data flow path from `source` to `node`. The
    * approximate distance between `node` and the closest source is `dist` and
@@ -3653,7 +3661,7 @@ private newtype TPathNode =
  * of dereference operations needed to get from the value in the node to the
  * tracked object. The final type indicates the type of the tracked object.
  */
-abstract private class AccessPath extends TAccessPath {
+private class AccessPath extends TAccessPath {
   /** Gets the head of this access path, if any. */
   abstract TypedContent getHead();
 
@@ -3846,16 +3854,11 @@ class PathNode extends TPathNode {
   /** Gets the associated configuration. */
   Configuration getConfiguration() { none() }
 
-  private PathNode getASuccessorIfHidden() {
-    this.(PathNodeImpl).isHidden() and
-    result = this.(PathNodeImpl).getASuccessorImpl()
-  }
-
   /** Gets a successor of this node, if any. */
   final PathNode getASuccessor() {
-    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.(PathNodeImpl).isHidden() and
-    not result.(PathNodeImpl).isHidden()
+    result = this.(PathNodeImpl).getANonHiddenSuccessor() and
+    reach(this) and
+    reach(result)
   }
 
   /** Holds if this node is a source. */
@@ -3863,16 +3866,30 @@ class PathNode extends TPathNode {
 }
 
 abstract private class PathNodeImpl extends PathNode {
-  abstract PathNode getASuccessorImpl();
+  abstract PathNodeImpl getASuccessorImpl();
+
+  private PathNodeImpl getASuccessorIfHidden() {
+    this.isHidden() and
+    result = this.getASuccessorImpl()
+  }
+
+  final PathNodeImpl getANonHiddenSuccessor() {
+    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
+    not this.isHidden() and
+    not result.isHidden()
+  }
 
   abstract NodeEx getNodeEx();
 
   predicate isHidden() {
-    hiddenNode(this.getNodeEx().asNode()) and
-    not this.isSource() and
-    not this instanceof PathNodeSink
-    or
-    this.getNodeEx() instanceof TNodeImplicitRead
+    not this.getConfiguration().includeHiddenNodes() and
+    (
+      hiddenNode(this.getNodeEx().asNode()) and
+      not this.isSource() and
+      not this instanceof PathNodeSink
+      or
+      this.getNodeEx() instanceof TNodeImplicitRead
+    )
   }
 
   private string ppAp() {
@@ -3903,15 +3920,17 @@ abstract private class PathNodeImpl extends PathNode {
 }
 
 /** Holds if `n` can reach a sink. */
-private predicate directReach(PathNode n) {
-  n instanceof PathNodeSink or directReach(n.getASuccessor())
+private predicate directReach(PathNodeImpl n) {
+  n instanceof PathNodeSink or directReach(n.getANonHiddenSuccessor())
 }
 
 /** Holds if `n` can reach a sink or is used in a subpath that can reach a sink. */
 private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
 
 /** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and directReach(n2) }
+private predicate pathSucc(PathNodeImpl n1, PathNode n2) {
+  n1.getANonHiddenSuccessor() = n2 and directReach(n2)
+}
 
 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
 
@@ -3920,7 +3939,7 @@ private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1
  */
 module PathGraph {
   /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b and reach(a) and reach(b) }
+  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b }
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(PathNode n, string key, string val) {
@@ -4038,7 +4057,7 @@ private class PathNodeSink extends PathNodeImpl, TPathNodeSink {
 
   override Configuration getConfiguration() { result = config }
 
-  override PathNode getASuccessorImpl() { none() }
+  override PathNodeImpl getASuccessorImpl() { none() }
 
   override predicate isSource() { sourceNode(node, state, config) }
 }
@@ -4354,8 +4373,8 @@ private module Subpaths {
   }
 
   pragma[nomagic]
-  private predicate hasSuccessor(PathNode pred, PathNodeMid succ, NodeEx succNode) {
-    succ = pred.getASuccessor() and
+  private predicate hasSuccessor(PathNodeImpl pred, PathNodeMid succ, NodeEx succNode) {
+    succ = pred.getANonHiddenSuccessor() and
     succNode = succ.getNodeEx()
   }
 
@@ -4364,9 +4383,9 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
+  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
     exists(ParamNodeEx p, NodeEx o, FlowState sout, AccessPath apout, PathNodeMid out0 |
-      pragma[only_bind_into](arg).getASuccessor() = pragma[only_bind_into](out0) and
+      pragma[only_bind_into](arg).getANonHiddenSuccessor() = pragma[only_bind_into](out0) and
       subpaths03(pragma[only_bind_into](arg), p, localStepToHidden*(ret), o, sout, apout) and
       hasSuccessor(pragma[only_bind_into](arg), par, p) and
       not ret.isHidden() and
@@ -4379,12 +4398,12 @@ private module Subpaths {
   /**
    * Holds if `n` can reach a return node in a summarized subpath that can reach a sink.
    */
-  predicate retReach(PathNode n) {
+  predicate retReach(PathNodeImpl n) {
     exists(PathNode out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
     or
-    exists(PathNode mid |
+    exists(PathNodeImpl mid |
       retReach(mid) and
-      n.getASuccessor() = mid and
+      n.getANonHiddenSuccessor() = mid and
       not subpaths(_, mid, _, _)
     )
   }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowVar.qll

@@ -549,7 +549,7 @@ module FlowVar_internal {
         bb = this.(Loop).getStmt() and
         v = this.getARelevantVariable()
         or
-        this.reachesWithoutAssignment(bb.getAPredecessor(), v) and
+        this.reachesWithoutAssignment(pragma[only_bind_out](bb.getAPredecessor()), v) and
         this.bbInLoop(bb)
       ) and
       not assignsToVar(bb, v)

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll

@@ -170,6 +170,14 @@ abstract class Configuration extends string {
    */
   int explorationLimit() { none() }
 
+  /**
+   * Holds if hidden nodes should be included in the data flow graph.
+   *
+   * This feature should only be used for debugging or when the data flow graph
+   * is not visualized (for example in a `path-problem` query).
+   */
+  predicate includeHiddenNodes() { none() }
+
   /**
    * Holds if there is a partial data flow path from `source` to `node`. The
    * approximate distance between `node` and the closest source is `dist` and
@@ -3653,7 +3661,7 @@ private newtype TPathNode =
  * of dereference operations needed to get from the value in the node to the
  * tracked object. The final type indicates the type of the tracked object.
  */
-abstract private class AccessPath extends TAccessPath {
+private class AccessPath extends TAccessPath {
   /** Gets the head of this access path, if any. */
   abstract TypedContent getHead();
 
@@ -3846,16 +3854,11 @@ class PathNode extends TPathNode {
   /** Gets the associated configuration. */
   Configuration getConfiguration() { none() }
 
-  private PathNode getASuccessorIfHidden() {
-    this.(PathNodeImpl).isHidden() and
-    result = this.(PathNodeImpl).getASuccessorImpl()
-  }
-
   /** Gets a successor of this node, if any. */
   final PathNode getASuccessor() {
-    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.(PathNodeImpl).isHidden() and
-    not result.(PathNodeImpl).isHidden()
+    result = this.(PathNodeImpl).getANonHiddenSuccessor() and
+    reach(this) and
+    reach(result)
   }
 
   /** Holds if this node is a source. */
@@ -3863,16 +3866,30 @@ class PathNode extends TPathNode {
 }
 
 abstract private class PathNodeImpl extends PathNode {
-  abstract PathNode getASuccessorImpl();
+  abstract PathNodeImpl getASuccessorImpl();
+
+  private PathNodeImpl getASuccessorIfHidden() {
+    this.isHidden() and
+    result = this.getASuccessorImpl()
+  }
+
+  final PathNodeImpl getANonHiddenSuccessor() {
+    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
+    not this.isHidden() and
+    not result.isHidden()
+  }
 
   abstract NodeEx getNodeEx();
 
   predicate isHidden() {
-    hiddenNode(this.getNodeEx().asNode()) and
-    not this.isSource() and
-    not this instanceof PathNodeSink
-    or
-    this.getNodeEx() instanceof TNodeImplicitRead
+    not this.getConfiguration().includeHiddenNodes() and
+    (
+      hiddenNode(this.getNodeEx().asNode()) and
+      not this.isSource() and
+      not this instanceof PathNodeSink
+      or
+      this.getNodeEx() instanceof TNodeImplicitRead
+    )
   }
 
   private string ppAp() {
@@ -3903,15 +3920,17 @@ abstract private class PathNodeImpl extends PathNode {
 }
 
 /** Holds if `n` can reach a sink. */
-private predicate directReach(PathNode n) {
-  n instanceof PathNodeSink or directReach(n.getASuccessor())
+private predicate directReach(PathNodeImpl n) {
+  n instanceof PathNodeSink or directReach(n.getANonHiddenSuccessor())
 }
 
 /** Holds if `n` can reach a sink or is used in a subpath that can reach a sink. */
 private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
 
 /** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and directReach(n2) }
+private predicate pathSucc(PathNodeImpl n1, PathNode n2) {
+  n1.getANonHiddenSuccessor() = n2 and directReach(n2)
+}
 
 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
 
@@ -3920,7 +3939,7 @@ private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1
  */
 module PathGraph {
   /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b and reach(a) and reach(b) }
+  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b }
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(PathNode n, string key, string val) {
@@ -4038,7 +4057,7 @@ private class PathNodeSink extends PathNodeImpl, TPathNodeSink {
 
   override Configuration getConfiguration() { result = config }
 
-  override PathNode getASuccessorImpl() { none() }
+  override PathNodeImpl getASuccessorImpl() { none() }
 
   override predicate isSource() { sourceNode(node, state, config) }
 }
@@ -4354,8 +4373,8 @@ private module Subpaths {
   }
 
   pragma[nomagic]
-  private predicate hasSuccessor(PathNode pred, PathNodeMid succ, NodeEx succNode) {
-    succ = pred.getASuccessor() and
+  private predicate hasSuccessor(PathNodeImpl pred, PathNodeMid succ, NodeEx succNode) {
+    succ = pred.getANonHiddenSuccessor() and
     succNode = succ.getNodeEx()
   }
 
@@ -4364,9 +4383,9 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
+  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
     exists(ParamNodeEx p, NodeEx o, FlowState sout, AccessPath apout, PathNodeMid out0 |
-      pragma[only_bind_into](arg).getASuccessor() = pragma[only_bind_into](out0) and
+      pragma[only_bind_into](arg).getANonHiddenSuccessor() = pragma[only_bind_into](out0) and
       subpaths03(pragma[only_bind_into](arg), p, localStepToHidden*(ret), o, sout, apout) and
       hasSuccessor(pragma[only_bind_into](arg), par, p) and
       not ret.isHidden() and
@@ -4379,12 +4398,12 @@ private module Subpaths {
   /**
    * Holds if `n` can reach a return node in a summarized subpath that can reach a sink.
    */
-  predicate retReach(PathNode n) {
+  predicate retReach(PathNodeImpl n) {
     exists(PathNode out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
     or
-    exists(PathNode mid |
+    exists(PathNodeImpl mid |
       retReach(mid) and
-      n.getASuccessor() = mid and
+      n.getANonHiddenSuccessor() = mid and
       not subpaths(_, mid, _, _)
     )
   }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -170,6 +170,14 @@ abstract class Configuration extends string {
    */
   int explorationLimit() { none() }
 
+  /**
+   * Holds if hidden nodes should be included in the data flow graph.
+   *
+   * This feature should only be used for debugging or when the data flow graph
+   * is not visualized (for example in a `path-problem` query).
+   */
+  predicate includeHiddenNodes() { none() }
+
   /**
    * Holds if there is a partial data flow path from `source` to `node`. The
    * approximate distance between `node` and the closest source is `dist` and
@@ -3653,7 +3661,7 @@ private newtype TPathNode =
  * of dereference operations needed to get from the value in the node to the
  * tracked object. The final type indicates the type of the tracked object.
  */
-abstract private class AccessPath extends TAccessPath {
+private class AccessPath extends TAccessPath {
   /** Gets the head of this access path, if any. */
   abstract TypedContent getHead();
 
@@ -3846,16 +3854,11 @@ class PathNode extends TPathNode {
   /** Gets the associated configuration. */
   Configuration getConfiguration() { none() }
 
-  private PathNode getASuccessorIfHidden() {
-    this.(PathNodeImpl).isHidden() and
-    result = this.(PathNodeImpl).getASuccessorImpl()
-  }
-
   /** Gets a successor of this node, if any. */
   final PathNode getASuccessor() {
-    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.(PathNodeImpl).isHidden() and
-    not result.(PathNodeImpl).isHidden()
+    result = this.(PathNodeImpl).getANonHiddenSuccessor() and
+    reach(this) and
+    reach(result)
   }
 
   /** Holds if this node is a source. */
@@ -3863,16 +3866,30 @@ class PathNode extends TPathNode {
 }
 
 abstract private class PathNodeImpl extends PathNode {
-  abstract PathNode getASuccessorImpl();
+  abstract PathNodeImpl getASuccessorImpl();
+
+  private PathNodeImpl getASuccessorIfHidden() {
+    this.isHidden() and
+    result = this.getASuccessorImpl()
+  }
+
+  final PathNodeImpl getANonHiddenSuccessor() {
+    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
+    not this.isHidden() and
+    not result.isHidden()
+  }
 
   abstract NodeEx getNodeEx();
 
   predicate isHidden() {
-    hiddenNode(this.getNodeEx().asNode()) and
-    not this.isSource() and
-    not this instanceof PathNodeSink
-    or
-    this.getNodeEx() instanceof TNodeImplicitRead
+    not this.getConfiguration().includeHiddenNodes() and
+    (
+      hiddenNode(this.getNodeEx().asNode()) and
+      not this.isSource() and
+      not this instanceof PathNodeSink
+      or
+      this.getNodeEx() instanceof TNodeImplicitRead
+    )
   }
 
   private string ppAp() {
@@ -3903,15 +3920,17 @@ abstract private class PathNodeImpl extends PathNode {
 }
 
 /** Holds if `n` can reach a sink. */
-private predicate directReach(PathNode n) {
-  n instanceof PathNodeSink or directReach(n.getASuccessor())
+private predicate directReach(PathNodeImpl n) {
+  n instanceof PathNodeSink or directReach(n.getANonHiddenSuccessor())
 }
 
 /** Holds if `n` can reach a sink or is used in a subpath that can reach a sink. */
 private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
 
 /** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and directReach(n2) }
+private predicate pathSucc(PathNodeImpl n1, PathNode n2) {
+  n1.getANonHiddenSuccessor() = n2 and directReach(n2)
+}
 
 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
 
@@ -3920,7 +3939,7 @@ private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1
  */
 module PathGraph {
   /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b and reach(a) and reach(b) }
+  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b }
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(PathNode n, string key, string val) {
@@ -4038,7 +4057,7 @@ private class PathNodeSink extends PathNodeImpl, TPathNodeSink {
 
   override Configuration getConfiguration() { result = config }
 
-  override PathNode getASuccessorImpl() { none() }
+  override PathNodeImpl getASuccessorImpl() { none() }
 
   override predicate isSource() { sourceNode(node, state, config) }
 }
@@ -4354,8 +4373,8 @@ private module Subpaths {
   }
 
   pragma[nomagic]
-  private predicate hasSuccessor(PathNode pred, PathNodeMid succ, NodeEx succNode) {
-    succ = pred.getASuccessor() and
+  private predicate hasSuccessor(PathNodeImpl pred, PathNodeMid succ, NodeEx succNode) {
+    succ = pred.getANonHiddenSuccessor() and
     succNode = succ.getNodeEx()
   }
 
@@ -4364,9 +4383,9 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
+  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
     exists(ParamNodeEx p, NodeEx o, FlowState sout, AccessPath apout, PathNodeMid out0 |
-      pragma[only_bind_into](arg).getASuccessor() = pragma[only_bind_into](out0) and
+      pragma[only_bind_into](arg).getANonHiddenSuccessor() = pragma[only_bind_into](out0) and
       subpaths03(pragma[only_bind_into](arg), p, localStepToHidden*(ret), o, sout, apout) and
       hasSuccessor(pragma[only_bind_into](arg), par, p) and
       not ret.isHidden() and
@@ -4379,12 +4398,12 @@ private module Subpaths {
   /**
    * Holds if `n` can reach a return node in a summarized subpath that can reach a sink.
    */
-  predicate retReach(PathNode n) {
+  predicate retReach(PathNodeImpl n) {
     exists(PathNode out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
     or
-    exists(PathNode mid |
+    exists(PathNodeImpl mid |
       retReach(mid) and
-      n.getASuccessor() = mid and
+      n.getANonHiddenSuccessor() = mid and
       not subpaths(_, mid, _, _)
     )
   }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -170,6 +170,14 @@ abstract class Configuration extends string {
    */
   int explorationLimit() { none() }
 
+  /**
+   * Holds if hidden nodes should be included in the data flow graph.
+   *
+   * This feature should only be used for debugging or when the data flow graph
+   * is not visualized (for example in a `path-problem` query).
+   */
+  predicate includeHiddenNodes() { none() }
+
   /**
    * Holds if there is a partial data flow path from `source` to `node`. The
    * approximate distance between `node` and the closest source is `dist` and
@@ -3653,7 +3661,7 @@ private newtype TPathNode =
  * of dereference operations needed to get from the value in the node to the
  * tracked object. The final type indicates the type of the tracked object.
  */
-abstract private class AccessPath extends TAccessPath {
+private class AccessPath extends TAccessPath {
   /** Gets the head of this access path, if any. */
   abstract TypedContent getHead();
 
@@ -3846,16 +3854,11 @@ class PathNode extends TPathNode {
   /** Gets the associated configuration. */
   Configuration getConfiguration() { none() }
 
-  private PathNode getASuccessorIfHidden() {
-    this.(PathNodeImpl).isHidden() and
-    result = this.(PathNodeImpl).getASuccessorImpl()
-  }
-
   /** Gets a successor of this node, if any. */
   final PathNode getASuccessor() {
-    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.(PathNodeImpl).isHidden() and
-    not result.(PathNodeImpl).isHidden()
+    result = this.(PathNodeImpl).getANonHiddenSuccessor() and
+    reach(this) and
+    reach(result)
   }
 
   /** Holds if this node is a source. */
@@ -3863,16 +3866,30 @@ class PathNode extends TPathNode {
 }
 
 abstract private class PathNodeImpl extends PathNode {
-  abstract PathNode getASuccessorImpl();
+  abstract PathNodeImpl getASuccessorImpl();
+
+  private PathNodeImpl getASuccessorIfHidden() {
+    this.isHidden() and
+    result = this.getASuccessorImpl()
+  }
+
+  final PathNodeImpl getANonHiddenSuccessor() {
+    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
+    not this.isHidden() and
+    not result.isHidden()
+  }
 
   abstract NodeEx getNodeEx();
 
   predicate isHidden() {
-    hiddenNode(this.getNodeEx().asNode()) and
-    not this.isSource() and
-    not this instanceof PathNodeSink
-    or
-    this.getNodeEx() instanceof TNodeImplicitRead
+    not this.getConfiguration().includeHiddenNodes() and
+    (
+      hiddenNode(this.getNodeEx().asNode()) and
+      not this.isSource() and
+      not this instanceof PathNodeSink
+      or
+      this.getNodeEx() instanceof TNodeImplicitRead
+    )
   }
 
   private string ppAp() {
@@ -3903,15 +3920,17 @@ abstract private class PathNodeImpl extends PathNode {
 }
 
 /** Holds if `n` can reach a sink. */
-private predicate directReach(PathNode n) {
-  n instanceof PathNodeSink or directReach(n.getASuccessor())
+private predicate directReach(PathNodeImpl n) {
+  n instanceof PathNodeSink or directReach(n.getANonHiddenSuccessor())
 }
 
 /** Holds if `n` can reach a sink or is used in a subpath that can reach a sink. */
 private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
 
 /** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and directReach(n2) }
+private predicate pathSucc(PathNodeImpl n1, PathNode n2) {
+  n1.getANonHiddenSuccessor() = n2 and directReach(n2)
+}
 
 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
 
@@ -3920,7 +3939,7 @@ private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1
  */
 module PathGraph {
   /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b and reach(a) and reach(b) }
+  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b }
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(PathNode n, string key, string val) {
@@ -4038,7 +4057,7 @@ private class PathNodeSink extends PathNodeImpl, TPathNodeSink {
 
   override Configuration getConfiguration() { result = config }
 
-  override PathNode getASuccessorImpl() { none() }
+  override PathNodeImpl getASuccessorImpl() { none() }
 
   override predicate isSource() { sourceNode(node, state, config) }
 }
@@ -4354,8 +4373,8 @@ private module Subpaths {
   }
 
   pragma[nomagic]
-  private predicate hasSuccessor(PathNode pred, PathNodeMid succ, NodeEx succNode) {
-    succ = pred.getASuccessor() and
+  private predicate hasSuccessor(PathNodeImpl pred, PathNodeMid succ, NodeEx succNode) {
+    succ = pred.getANonHiddenSuccessor() and
     succNode = succ.getNodeEx()
   }
 
@@ -4364,9 +4383,9 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
+  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
     exists(ParamNodeEx p, NodeEx o, FlowState sout, AccessPath apout, PathNodeMid out0 |
-      pragma[only_bind_into](arg).getASuccessor() = pragma[only_bind_into](out0) and
+      pragma[only_bind_into](arg).getANonHiddenSuccessor() = pragma[only_bind_into](out0) and
       subpaths03(pragma[only_bind_into](arg), p, localStepToHidden*(ret), o, sout, apout) and
       hasSuccessor(pragma[only_bind_into](arg), par, p) and
       not ret.isHidden() and
@@ -4379,12 +4398,12 @@ private module Subpaths {
   /**
    * Holds if `n` can reach a return node in a summarized subpath that can reach a sink.
    */
-  predicate retReach(PathNode n) {
+  predicate retReach(PathNodeImpl n) {
     exists(PathNode out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
     or
-    exists(PathNode mid |
+    exists(PathNodeImpl mid |
       retReach(mid) and
-      n.getASuccessor() = mid and
+      n.getANonHiddenSuccessor() = mid and
       not subpaths(_, mid, _, _)
     )
   }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

@@ -170,6 +170,14 @@ abstract class Configuration extends string {
    */
   int explorationLimit() { none() }
 
+  /**
+   * Holds if hidden nodes should be included in the data flow graph.
+   *
+   * This feature should only be used for debugging or when the data flow graph
+   * is not visualized (for example in a `path-problem` query).
+   */
+  predicate includeHiddenNodes() { none() }
+
   /**
    * Holds if there is a partial data flow path from `source` to `node`. The
    * approximate distance between `node` and the closest source is `dist` and
@@ -3653,7 +3661,7 @@ private newtype TPathNode =
  * of dereference operations needed to get from the value in the node to the
  * tracked object. The final type indicates the type of the tracked object.
  */
-abstract private class AccessPath extends TAccessPath {
+private class AccessPath extends TAccessPath {
   /** Gets the head of this access path, if any. */
   abstract TypedContent getHead();
 
@@ -3846,16 +3854,11 @@ class PathNode extends TPathNode {
   /** Gets the associated configuration. */
   Configuration getConfiguration() { none() }
 
-  private PathNode getASuccessorIfHidden() {
-    this.(PathNodeImpl).isHidden() and
-    result = this.(PathNodeImpl).getASuccessorImpl()
-  }
-
   /** Gets a successor of this node, if any. */
   final PathNode getASuccessor() {
-    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
-    not this.(PathNodeImpl).isHidden() and
-    not result.(PathNodeImpl).isHidden()
+    result = this.(PathNodeImpl).getANonHiddenSuccessor() and
+    reach(this) and
+    reach(result)
   }
 
   /** Holds if this node is a source. */
@@ -3863,16 +3866,30 @@ class PathNode extends TPathNode {
 }
 
 abstract private class PathNodeImpl extends PathNode {
-  abstract PathNode getASuccessorImpl();
+  abstract PathNodeImpl getASuccessorImpl();
+
+  private PathNodeImpl getASuccessorIfHidden() {
+    this.isHidden() and
+    result = this.getASuccessorImpl()
+  }
+
+  final PathNodeImpl getANonHiddenSuccessor() {
+    result = this.getASuccessorImpl().getASuccessorIfHidden*() and
+    not this.isHidden() and
+    not result.isHidden()
+  }
 
   abstract NodeEx getNodeEx();
 
   predicate isHidden() {
-    hiddenNode(this.getNodeEx().asNode()) and
-    not this.isSource() and
-    not this instanceof PathNodeSink
-    or
-    this.getNodeEx() instanceof TNodeImplicitRead
+    not this.getConfiguration().includeHiddenNodes() and
+    (
+      hiddenNode(this.getNodeEx().asNode()) and
+      not this.isSource() and
+      not this instanceof PathNodeSink
+      or
+      this.getNodeEx() instanceof TNodeImplicitRead
+    )
   }
 
   private string ppAp() {
@@ -3903,15 +3920,17 @@ abstract private class PathNodeImpl extends PathNode {
 }
 
 /** Holds if `n` can reach a sink. */
-private predicate directReach(PathNode n) {
-  n instanceof PathNodeSink or directReach(n.getASuccessor())
+private predicate directReach(PathNodeImpl n) {
+  n instanceof PathNodeSink or directReach(n.getANonHiddenSuccessor())
 }
 
 /** Holds if `n` can reach a sink or is used in a subpath that can reach a sink. */
 private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
 
 /** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and directReach(n2) }
+private predicate pathSucc(PathNodeImpl n1, PathNode n2) {
+  n1.getANonHiddenSuccessor() = n2 and directReach(n2)
+}
 
 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
 
@@ -3920,7 +3939,7 @@ private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1
  */
 module PathGraph {
   /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b and reach(a) and reach(b) }
+  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b }
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(PathNode n, string key, string val) {
@@ -4038,7 +4057,7 @@ private class PathNodeSink extends PathNodeImpl, TPathNodeSink {
 
   override Configuration getConfiguration() { result = config }
 
-  override PathNode getASuccessorImpl() { none() }
+  override PathNodeImpl getASuccessorImpl() { none() }
 
   override predicate isSource() { sourceNode(node, state, config) }
 }
@@ -4354,8 +4373,8 @@ private module Subpaths {
   }
 
   pragma[nomagic]
-  private predicate hasSuccessor(PathNode pred, PathNodeMid succ, NodeEx succNode) {
-    succ = pred.getASuccessor() and
+  private predicate hasSuccessor(PathNodeImpl pred, PathNodeMid succ, NodeEx succNode) {
+    succ = pred.getANonHiddenSuccessor() and
     succNode = succ.getNodeEx()
   }
 
@@ -4364,9 +4383,9 @@ private module Subpaths {
    * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
-  predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
+  predicate subpaths(PathNodeImpl arg, PathNodeImpl par, PathNodeImpl ret, PathNode out) {
     exists(ParamNodeEx p, NodeEx o, FlowState sout, AccessPath apout, PathNodeMid out0 |
-      pragma[only_bind_into](arg).getASuccessor() = pragma[only_bind_into](out0) and
+      pragma[only_bind_into](arg).getANonHiddenSuccessor() = pragma[only_bind_into](out0) and
       subpaths03(pragma[only_bind_into](arg), p, localStepToHidden*(ret), o, sout, apout) and
       hasSuccessor(pragma[only_bind_into](arg), par, p) and
       not ret.isHidden() and
@@ -4379,12 +4398,12 @@ private module Subpaths {
   /**
    * Holds if `n` can reach a return node in a summarized subpath that can reach a sink.
    */
-  predicate retReach(PathNode n) {
+  predicate retReach(PathNodeImpl n) {
     exists(PathNode out | subpaths(_, _, n, out) | directReach(out) or retReach(out))
     or
-    exists(PathNode mid |
+    exists(PathNodeImpl mid |
       retReach(mid) and
-      n.getASuccessor() = mid and
+      n.getANonHiddenSuccessor() = mid and
       not subpaths(_, mid, _, _)
     )
   }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll

@@ -216,10 +216,9 @@ private module LambdaFlow {
     or
     // jump step
     exists(Node mid, DataFlowType t0 |
-      revLambdaFlow(lambdaCall, kind, mid, t0, _, _, _) and
+      revLambdaFlow(lambdaCall, kind, mid, t0, _, _, lastCall) and
       toReturn = false and
-      toJump = true and
-      lastCall = TDataFlowCallNone()
+      toJump = true
     |
       jumpStepCached(node, mid) and
       t = t0
@@ -305,7 +304,7 @@ cached
 private module Cached {
   /**
    * If needed, call this predicate from `DataFlowImplSpecific.qll` in order to
-   * force a stage-dependency on the `DataFlowImplCommon.qll` stage and therby
+   * force a stage-dependency on the `DataFlowImplCommon.qll` stage and thereby
    * collapsing the two stages.
    */
   cached
@@ -789,24 +788,31 @@ private module Cached {
   cached
   predicate readSet(Node node1, ContentSet c, Node node2) { readStep(node1, c, node2) }
 
+  cached
+  predicate storeSet(
+    Node node1, ContentSet c, Node node2, DataFlowType contentType, DataFlowType containerType
+  ) {
+    storeStep(node1, c, node2) and
+    contentType = getNodeDataFlowType(node1) and
+    containerType = getNodeDataFlowType(node2)
+    or
+    exists(Node n1, Node n2 |
+      n1 = node1.(PostUpdateNode).getPreUpdateNode() and
+      n2 = node2.(PostUpdateNode).getPreUpdateNode()
+    |
+      argumentValueFlowsThrough(n2, TReadStepTypesSome(containerType, c, contentType), n1)
+      or
+      readSet(n2, c, n1) and
+      contentType = getNodeDataFlowType(n1) and
+      containerType = getNodeDataFlowType(n2)
+    )
+  }
+
   private predicate store(
     Node node1, Content c, Node node2, DataFlowType contentType, DataFlowType containerType
   ) {
-    exists(ContentSet cs | c = cs.getAStoreContent() |
-      storeStep(node1, cs, node2) and
-      contentType = getNodeDataFlowType(node1) and
-      containerType = getNodeDataFlowType(node2)
-      or
-      exists(Node n1, Node n2 |
-        n1 = node1.(PostUpdateNode).getPreUpdateNode() and
-        n2 = node2.(PostUpdateNode).getPreUpdateNode()
-      |
-        argumentValueFlowsThrough(n2, TReadStepTypesSome(containerType, cs, contentType), n1)
-        or
-        readSet(n2, cs, n1) and
-        contentType = getNodeDataFlowType(n1) and
-        containerType = getNodeDataFlowType(n2)
-      )
+    exists(ContentSet cs |
+      c = cs.getAStoreContent() and storeSet(node1, cs, node2, contentType, containerType)
     )
   }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -37,7 +37,7 @@ private module Cached {
    *      along the chain of addresses computed by `StoreNodeInstr.getInner` to identify field writes
    *      and call `storeStep` accordingly (i.e., for an expression like `a.b.c = x`, we visit `c`, then
    *      `b`, then `a`).
-   *   2. Flow is transfered from a `WriteSideEffectInstruction` to a `StoreNodeOperand` after flow
+   *   2. Flow is transferred from a `WriteSideEffectInstruction` to a `StoreNodeOperand` after flow
    *      returns to a caller. Flow will then proceed to the defining instruction of the operand (because
    *      the `StoreNodeInstr` computed by `StoreNodeOperand.getInner()` is the `StoreNode` containing
    *      the defining instruction), and then along the chain computed by `StoreNodeInstr.getInner` like

cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll

@@ -67,7 +67,7 @@ class DefaultEdge extends EdgeKind, TDefaultEdge {
 
 /**
  * A "case" edge, representing the successor of a `Switch` instruction when the
- * the condition value matches a correponding `case` label.
+ * the condition value matches a corresponding `case` label.
  */
 class CaseEdge extends EdgeKind, TCaseEdge {
   string minValue;

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll

@@ -34,7 +34,7 @@ class ValueNumber extends TValueNumber {
   final Instruction getAnInstruction() { this = valueNumber(result) }
 
   /**
-   * Gets one of the instructions that was assigned this value number. The chosen instuction is
+   * Gets one of the instructions that was assigned this value number. The chosen instruction is
    * deterministic but arbitrary. Intended for use only in debugging.
    */
   final Instruction getExampleInstruction() {

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll

@@ -1005,7 +1005,7 @@ predicate canReuseSsaForMemoryResult(Instruction instruction) {
 deprecated predicate canReuseSSAForMemoryResult = canReuseSsaForMemoryResult/1;
 
 /**
- * Expose some of the internal predicates to PrintSSA.qll. We do this by publically importing those modules in the
+ * Expose some of the internal predicates to PrintSSA.qll. We do this by publicly importing those modules in the
  * `DebugSSA` module, which is then imported by PrintSSA.
  */
 module DebugSsa {

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll

@@ -34,7 +34,7 @@ class ValueNumber extends TValueNumber {
   final Instruction getAnInstruction() { this = valueNumber(result) }
 
   /**
-   * Gets one of the instructions that was assigned this value number. The chosen instuction is
+   * Gets one of the instructions that was assigned this value number. The chosen instruction is
    * deterministic but arbitrary. Intended for use only in debugging.
    */
   final Instruction getExampleInstruction() {

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll

@@ -421,20 +421,36 @@ class TranslatedCatchAnyHandler extends TranslatedHandler {
 class TranslatedIfStmt extends TranslatedStmt, ConditionContext {
   override IfStmt stmt;
 
-  override Instruction getFirstInstruction() { result = getCondition().getFirstInstruction() }
+  override Instruction getFirstInstruction() {
+    if hasInitialization()
+    then result = getInitialization().getFirstInstruction()
+    else result = getFirstConditionInstruction()
+  }
 
   override TranslatedElement getChild(int id) {
-    id = 0 and result = getCondition()
+    id = 0 and result = getInitialization()
     or
-    id = 1 and result = getThen()
+    id = 1 and result = getCondition()
     or
-    id = 2 and result = getElse()
+    id = 2 and result = getThen()
+    or
+    id = 3 and result = getElse()
+  }
+
+  private predicate hasInitialization() { exists(stmt.getInitialization()) }
+
+  private TranslatedStmt getInitialization() {
+    result = getTranslatedStmt(stmt.getInitialization())
   }
 
   private TranslatedCondition getCondition() {
     result = getTranslatedCondition(stmt.getCondition().getFullyConverted())
   }
 
+  private Instruction getFirstConditionInstruction() {
+    result = getCondition().getFirstInstruction()
+  }
+
   private TranslatedStmt getThen() { result = getTranslatedStmt(stmt.getThen()) }
 
   private TranslatedStmt getElse() { result = getTranslatedStmt(stmt.getElse()) }
@@ -456,6 +472,9 @@ class TranslatedIfStmt extends TranslatedStmt, ConditionContext {
   }
 
   override Instruction getChildSuccessor(TranslatedElement child) {
+    child = getInitialization() and
+    result = getFirstConditionInstruction()
+    or
     (child = getThen() or child = getElse()) and
     result = getParent().getChildSuccessor(this)
   }
@@ -698,14 +717,28 @@ class TranslatedSwitchStmt extends TranslatedStmt {
     result = getTranslatedExpr(stmt.getExpr().getFullyConverted())
   }
 
+  private Instruction getFirstExprInstruction() { result = getExpr().getFirstInstruction() }
+
   private TranslatedStmt getBody() { result = getTranslatedStmt(stmt.getStmt()) }
 
-  override Instruction getFirstInstruction() { result = getExpr().getFirstInstruction() }
+  override Instruction getFirstInstruction() {
+    if hasInitialization()
+    then result = getInitialization().getFirstInstruction()
+    else result = getFirstExprInstruction()
+  }
 
   override TranslatedElement getChild(int id) {
-    id = 0 and result = getExpr()
+    id = 0 and result = getInitialization()
     or
-    id = 1 and result = getBody()
+    id = 1 and result = getExpr()
+    or
+    id = 2 and result = getBody()
+  }
+
+  private predicate hasInitialization() { exists(stmt.getInitialization()) }
+
+  private TranslatedStmt getInitialization() {
+    result = getTranslatedStmt(stmt.getInitialization())
   }
 
   override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
@@ -735,6 +768,8 @@ class TranslatedSwitchStmt extends TranslatedStmt {
   }
 
   override Instruction getChildSuccessor(TranslatedElement child) {
+    child = getInitialization() and result = getFirstExprInstruction()
+    or
     child = getExpr() and result = getInstruction(SwitchBranchTag())
     or
     child = getBody() and result = getParent().getChildSuccessor(this)

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll

@@ -34,7 +34,7 @@ class ValueNumber extends TValueNumber {
   final Instruction getAnInstruction() { this = valueNumber(result) }
 
   /**
-   * Gets one of the instructions that was assigned this value number. The chosen instuction is
+   * Gets one of the instructions that was assigned this value number. The chosen instruction is
    * deterministic but arbitrary. Intended for use only in debugging.
    */
   final Instruction getExampleInstruction() {

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll

@@ -1005,7 +1005,7 @@ predicate canReuseSsaForMemoryResult(Instruction instruction) {
 deprecated predicate canReuseSSAForMemoryResult = canReuseSsaForMemoryResult/1;
 
 /**
- * Expose some of the internal predicates to PrintSSA.qll. We do this by publically importing those modules in the
+ * Expose some of the internal predicates to PrintSSA.qll. We do this by publicly importing those modules in the
  * `DebugSSA` module, which is then imported by PrintSSA.
  */
 module DebugSsa {

cpp/ql/lib/semmle/code/cpp/security/BufferWrite.qll

@@ -155,7 +155,7 @@ class StrCopyBW extends BufferWriteCall {
     // when result exists, it is an exact flow analysis
     reason instanceof ValueFlowAnalysis and
     result =
-      this.getArgument(this.getParamSrc()).(AnalysedString).getMaxLength() * this.getCharSize()
+      this.getArgument(this.getParamSrc()).(AnalyzedString).getMaxLength() * this.getCharSize()
   }
 
   override int getMaxData(BufferWriteEstimationReason reason) {
@@ -201,7 +201,7 @@ class StrCatBW extends BufferWriteCall {
     // when result exists, it is an exact flow analysis
     reason instanceof ValueFlowAnalysis and
     result =
-      this.getArgument(this.getParamSrc()).(AnalysedString).getMaxLength() * this.getCharSize()
+      this.getArgument(this.getParamSrc()).(AnalyzedString).getMaxLength() * this.getCharSize()
   }
 
   override int getMaxData(BufferWriteEstimationReason reason) {

cpp/ql/lib/semmle/code/cpp/security/Encryption.qll

@@ -59,7 +59,7 @@ predicate isInsecureEncryption(string name) { name.regexpMatch(getInsecureAlgori
 /**
  * Holds if there is additional evidence that `name` looks like it might be
  * related to operations with an encyption algorithm, besides the name of a
- * specific algorithm. This can be used in conjuction with
+ * specific algorithm. This can be used in conjunction with
  * `isInsecureEncryption` to produce a stronger heuristic.
  */
 bindingset[name]

cpp/ql/lib/semmle/code/cpp/stmts/Stmt.qll

@@ -213,6 +213,26 @@ class ConditionalStmt extends ControlStructure, TConditionalStmt { }
 class IfStmt extends ConditionalStmt, @stmt_if {
   override string getAPrimaryQlClass() { result = "IfStmt" }
 
+  /**
+   * Gets the initialization statement of this 'if' statement, if any.
+   *
+   * For example, for
+   * ```
+   * if (int x = y; b) { f(); }
+   * ```
+   * the result is `int x = y;`.
+   *
+   * Does not hold if the initialization statement is missing or an empty statement, as in
+   * ```
+   * if (b) { f(); }
+   * ```
+   * or
+   * ```
+   * if (; b) { f(); }
+   * ```
+   */
+  Stmt getInitialization() { if_initialization(underlyingElement(this), unresolveElement(result)) }
+
   /**
    * Gets the condition expression of this 'if' statement.
    *
@@ -222,7 +242,7 @@ class IfStmt extends ConditionalStmt, @stmt_if {
    * ```
    * the result is `b`.
    */
-  Expr getCondition() { result = this.getChild(0) }
+  Expr getCondition() { result = this.getChild(1) }
 
   override Expr getControllingExpr() { result = this.getCondition() }
 
@@ -299,6 +319,28 @@ class IfStmt extends ConditionalStmt, @stmt_if {
 class ConstexprIfStmt extends ConditionalStmt, @stmt_constexpr_if {
   override string getAPrimaryQlClass() { result = "ConstexprIfStmt" }
 
+  /**
+   * Gets the initialization statement of this 'constexpr if' statement, if any.
+   *
+   * For example, for
+   * ```
+   * if constexpr (int x = y; b) { f(); }
+   * ```
+   * the result is `int x = y;`.
+   *
+   * Does not hold if the initialization statement is missing or an empty statement, as in
+   * ```
+   * if constexpr (b) { f(); }
+   * ```
+   * or
+   * ```
+   * if constexpr (; b) { f(); }
+   * ```
+   */
+  Stmt getInitialization() {
+    constexpr_if_initialization(underlyingElement(this), unresolveElement(result))
+  }
+
   /**
    * Gets the condition expression of this 'constexpr if' statement.
    *
@@ -308,7 +350,7 @@ class ConstexprIfStmt extends ConditionalStmt, @stmt_constexpr_if {
    * ```
    * the result is `b`.
    */
-  Expr getCondition() { result = this.getChild(0) }
+  Expr getCondition() { result = this.getChild(1) }
 
   override Expr getControllingExpr() { result = this.getCondition() }
 
@@ -926,7 +968,7 @@ class ForStmt extends Loop, @stmt_for {
    *
    * Does not hold if the initialization statement is an empty statement, as in
    * ```
-   * for (; i < 10; i++) { j++ }
+   * for (; i < 10; i++) { j++; }
    * ```
    */
   Stmt getInitialization() { for_initialization(underlyingElement(this), unresolveElement(result)) }
@@ -1470,6 +1512,28 @@ class DefaultCase extends SwitchCase {
 class SwitchStmt extends ConditionalStmt, @stmt_switch {
   override string getAPrimaryQlClass() { result = "SwitchStmt" }
 
+  /**
+   * Gets the initialization statement of this 'switch' statement, if any.
+   *
+   * For example, for
+   * ```
+   * switch (int x = y; b) { }
+   * ```
+   * the result is `int x = y;`.
+   *
+   * Does not hold if the initialization statement is missing or an empty statement, as in
+   * ```
+   * switch (b) { }
+   * ```
+   * or
+   * ```
+   * switch (; b) { }
+   * ```
+   */
+  Stmt getInitialization() {
+    switch_initialization(underlyingElement(this), unresolveElement(result))
+  }
+
   /**
    * Gets the expression that this 'switch' statement switches on.
    *
@@ -1485,7 +1549,7 @@ class SwitchStmt extends ConditionalStmt, @stmt_switch {
    * ```
    * the result is `i`.
    */
-  Expr getExpr() { result = this.getChild(0) }
+  Expr getExpr() { result = this.getChild(1) }
 
   override Expr getControllingExpr() { result = this.getExpr() }
 

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -1436,6 +1436,10 @@ initialisers(
     int location: @location_expr ref
 );
 
+braced_initialisers(
+    int init: @initialiser ref
+);
+
 /**
  * An ancestor for the expression, for cases in which we cannot
  * otherwise find the expression's parent.
@@ -1863,6 +1867,11 @@ variable_vla(
     int decl: @stmt_vla_decl ref
 );
 
+if_initialization(
+    unique int if_stmt: @stmt_if ref,
+    int init_id: @stmt ref
+);
+
 if_then(
     unique int if_stmt: @stmt_if ref,
     int then_id: @stmt ref
@@ -1873,6 +1882,11 @@ if_else(
     int else_id: @stmt ref
 );
 
+constexpr_if_initialization(
+    unique int constexpr_if_stmt: @stmt_constexpr_if ref,
+    int init_id: @stmt ref
+);
+
 constexpr_if_then(
     unique int constexpr_if_stmt: @stmt_constexpr_if ref,
     int then_id: @stmt ref
@@ -1893,6 +1907,11 @@ do_body(
     int body_id: @stmt ref
 );
 
+switch_initialization(
+    unique int switch_stmt: @stmt_switch ref,
+    int init_id: @stmt ref
+);
+
 #keyset[switch_stmt, index]
 switch_case(
     int switch_stmt: @stmt_switch ref,

cpp/ql/lib/upgrades/cf72c8898d19eb1b3374432cf79d8276cb07ad43/upgrade.properties

@@ -0,0 +1,2 @@
+description: Add relation for tracking C++ braced initializers
+compatibility: backwards

cpp/ql/lib/upgrades/e9a518baf14f4322ac243578a8e1391386ff030f/exprparents.ql

@@ -0,0 +1,21 @@
+class Element extends @element {
+  string toString() { none() }
+}
+
+class Expr extends @expr {
+  string toString() { none() }
+}
+
+class Stmt extends @stmt {
+  string toString() { none() }
+}
+
+predicate isStmtWithInitializer(Stmt stmt) {
+  exists(int kind | stmts(stmt, kind, _) | kind = 2 or kind = 11 or kind = 35)
+}
+
+from Expr child, int index, int index_new, Element parent
+where
+  exprparents(child, index, parent) and
+  if isStmtWithInitializer(parent) then index_new = index + 1 else index_new = index
+select child, index_new, parent

cpp/ql/lib/upgrades/e9a518baf14f4322ac243578a8e1391386ff030f/stmtparents.ql

@@ -0,0 +1,17 @@
+class Element extends @element {
+  string toString() { none() }
+}
+
+class Stmt extends @stmt {
+  string toString() { none() }
+}
+
+predicate isStmtWithInitializer(Stmt stmt) {
+  exists(int kind | stmts(stmt, kind, _) | kind = 2 or kind = 11 or kind = 35)
+}
+
+from Stmt child, int index, int index_new, Element parent
+where
+  stmtparents(child, index, parent) and
+  if isStmtWithInitializer(parent) then index_new = index + 1 else index_new = index
+select child, index_new, parent

cpp/ql/lib/upgrades/e9a518baf14f4322ac243578a8e1391386ff030f/upgrade.properties

@@ -0,0 +1,4 @@
+description: Support C++17 if and switch initializers
+compatibility: partial
+exprparents.rel: run exprparents.qlo
+stmtparents.rel: run stmtparents.qlo

cpp/ql/src/Best Practices/Unused Entities/UnusedLocals.ql

@@ -57,6 +57,5 @@ where
   not declarationHasSideEffects(v) and
   not exists(AsmStmt s | f = s.getEnclosingFunction()) and
   not v.getAnAttribute().getName() = "unused" and
-  not any(ErrorExpr e).getEnclosingFunction() = f and // unextracted expr may use `v`
-  not any(ConditionDeclExpr cde).getEnclosingFunction() = f // this case can be removed when the `if (a = b; a)` and `switch (a = b; a)` test cases don't depend on this exclusion
+  not any(ErrorExpr e).getEnclosingFunction() = f // unextracted expr may use `v`
 select v, "Variable " + v.getName() + " is not used"

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,10 @@
+## 0.1.3
+
+### Minor Analysis Improvements
+
+* The "XML external entity expansion" (`cpp/external-entity-expansion`) query precision has been increased to `high`.
+* The `cpp/unused-local-variable` no longer ignores functions that include `if` and `switch` statements with C++17-style initializers.
+
 ## 0.1.2
 
 ### Minor Analysis Improvements

cpp/ql/src/Diagnostics/ExtractionProblems.qll

@@ -57,10 +57,10 @@ class ExtractionProblem extends TExtractionProblem {
   /** Gets the problem message for this problem. */
   string getProblemMessage() { none() }
 
-  /** Gets the file this problem occured in. */
+  /** Gets the file this problem occurred in. */
   File getFile() { none() }
 
-  /** Gets the location this problem occured in. */
+  /** Gets the location this problem occurred in. */
   Location getLocation() { none() }
 
   /** Gets the SARIF severity of this problem. */

cpp/ql/src/Diagnostics/Internal/ExtractionErrors.qll

@@ -57,10 +57,10 @@ class ExtractionError extends TExtractionError {
   /** Gets the error message for this error. */
   string getErrorMessage() { none() }
 
-  /** Gets the file this error occured in. */
+  /** Gets the file this error occurred in. */
   File getFile() { none() }
 
-  /** Gets the location this error occured in. */
+  /** Gets the location this error occurred in. */
   Location getLocation() { none() }
 
   /** Gets the SARIF severity of this error. */

cpp/ql/src/Likely Bugs/Conversion/LossyFunctionResultCast.ql

@@ -19,7 +19,7 @@ predicate whitelist(Function f) {
       "nearbyintl", "rint", "rintf", "rintl", "round", "roundf", "roundl", "trunc", "truncf",
       "truncl"
     ] or
-  f.getName().matches("__builtin_%")
+  f.getName().matches("\\_\\_builtin\\_%")
 }
 
 predicate whitelistPow(FunctionCall fc) {

cpp/ql/src/Likely Bugs/Memory Management/PotentialBufferOverflow.ql

@@ -13,7 +13,7 @@
  * @deprecated This query is deprecated, use
  *             Potentially overrunning write (`cpp/overrunning-write`) and
  *             Potentially overrunning write with float to string conversion
- *             (`cpp/overrunning-write-with-float) instead.
+ *             (`cpp/overrunning-write-with-float`) instead.
  */
 
 import cpp

cpp/ql/src/Security/CWE/CWE-611/Libxml2.qll

@@ -0,0 +1,78 @@
+/**
+ * Models the libxml2 XML library.
+ */
+
+import cpp
+import XML
+import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+
+/**
+ * A call to a `libxml2` function that parses XML.
+ */
+class Libxml2ParseCall extends FunctionCall {
+  int optionsArg;
+
+  Libxml2ParseCall() {
+    exists(string fname | this.getTarget().getName() = fname |
+      fname = "xmlCtxtUseOptions" and optionsArg = 1
+      or
+      fname = "xmlReadFile" and optionsArg = 2
+      or
+      fname = ["xmlCtxtReadFile", "xmlParseInNodeContext", "xmlReadDoc", "xmlReadFd"] and
+      optionsArg = 3
+      or
+      fname = ["xmlCtxtReadDoc", "xmlCtxtReadFd", "xmlReadMemory"] and optionsArg = 4
+      or
+      fname = ["xmlCtxtReadMemory", "xmlReadIO"] and optionsArg = 5
+      or
+      fname = "xmlCtxtReadIO" and optionsArg = 6
+    )
+  }
+
+  /**
+   * Gets the argument that specifies `xmlParserOption`s.
+   */
+  Expr getOptions() { result = this.getArgument(optionsArg) }
+}
+
+/**
+ * An `xmlParserOption` for `libxml2` that is considered unsafe.
+ */
+class Libxml2BadOption extends EnumConstant {
+  Libxml2BadOption() { this.getName() = ["XML_PARSE_NOENT", "XML_PARSE_DTDLOAD"] }
+}
+
+/**
+ * The libxml2 XML library.
+ */
+class LibXml2Library extends XmlLibrary {
+  LibXml2Library() { this = "LibXml2Library" }
+
+  override predicate configurationSource(DataFlow::Node node, string flowstate) {
+    // source is an `options` argument on a libxml2 parse call that specifies
+    // at least one unsafe option.
+    //
+    // note: we don't need to track an XML object for libxml2, so we don't
+    // really need data flow. Nevertheless we jam it into this configuration,
+    // with matching sources and sinks. This allows results to be presented by
+    // the same query, in a consistent way as other results with flow paths.
+    exists(Libxml2ParseCall call, Expr options |
+      options = call.getOptions() and
+      node.asExpr() = options and
+      flowstate = "libxml2" and
+      exists(Libxml2BadOption opt |
+        globalValueNumber(options).getAnExpr().getValue().toInt().bitAnd(opt.getValue().toInt()) !=
+          0
+      )
+    )
+  }
+
+  override predicate configurationSink(DataFlow::Node node, string flowstate) {
+    // sink is the `options` argument on a `libxml2` parse call.
+    exists(Libxml2ParseCall call, Expr options |
+      options = call.getOptions() and
+      node.asExpr() = options and
+      flowstate = "libxml2"
+    )
+  }
+}

cpp/ql/src/Security/CWE/CWE-611/XML.qll

@@ -0,0 +1,55 @@
+/**
+ * Provides a abstract classes for modeling XML libraries. This design is
+ * currently specialized for the purposes of the XXE query.
+ */
+
+import cpp
+import semmle.code.cpp.ir.dataflow.DataFlow
+import Xerces
+import Libxml2
+
+/**
+ * A flow state representing a possible configuration of an XML object.
+ */
+abstract class XxeFlowState extends DataFlow::FlowState {
+  bindingset[this]
+  XxeFlowState() { any() } // required characteristic predicate
+}
+
+/**
+ * An XML library or interface.
+ */
+abstract class XmlLibrary extends string {
+  bindingset[this]
+  XmlLibrary() { any() } // required characteristic predicate
+
+  /**
+   * Holds if `node` is the source node for a potentially unsafe configuration
+   * object for this XML library, along with `flowstate` representing its
+   * initial state.
+   */
+  abstract predicate configurationSource(DataFlow::Node node, string flowstate);
+
+  /**
+   * Holds if `node` is  the sink node where an unsafe configuration object is
+   * used to interpret XML.
+   */
+  abstract predicate configurationSink(DataFlow::Node node, string flowstate);
+}
+
+/**
+ * An `Expr` that changes the configuration of an XML object, transforming the
+ * `XxeFlowState` that flows through it.
+ */
+abstract class XxeFlowStateTransformer extends Expr {
+  /**
+   * Gets the flow state that `flowstate` is transformed into.
+   *
+   * Due to limitations of the implementation the transformation defined by this
+   * predicate must be idempotent, that is, for any input `x` it must be that:
+   * ```
+   * transform(transform(x)) = transform(x)
+   * ```
+   */
+  abstract XxeFlowState transform(XxeFlowState flowstate);
+}

cpp/ql/src/Security/CWE/CWE-611/XXE.ql

@@ -7,284 +7,14 @@
  * @id cpp/external-entity-expansion
  * @problem.severity warning
  * @security-severity 9.1
- * @precision medium
+ * @precision high
  * @tags security
  *       external/cwe/cwe-611
  */
 
 import cpp
-import semmle.code.cpp.ir.dataflow.DataFlow
+import XML
 import DataFlow::PathGraph
-import semmle.code.cpp.ir.IR
-import semmle.code.cpp.valuenumbering.GlobalValueNumbering
-
-/**
- * A flow state representing a possible configuration of an XML object.
- */
-abstract class XXEFlowState extends DataFlow::FlowState {
-  bindingset[this]
-  XXEFlowState() { any() } // required characteristic predicate
-}
-
-/**
- * An `Expr` that changes the configuration of an XML object, transforming the
- * `XXEFlowState` that flows through it.
- */
-abstract class XXEFlowStateTranformer extends Expr {
-  /**
-   * Gets the flow state that `flowstate` is transformed into.
-   *
-   * Due to limitations of the implementation the transformation defined by this
-   * predicate must be idempotent, that is, for any input `x` it must be that:
-   * ```
-   * transform(tranform(x)) = tranform(x)
-   * ```
-   */
-  abstract XXEFlowState transform(XXEFlowState flowstate);
-}
-
-/**
- * The `AbstractDOMParser` class.
- */
-class AbstractDOMParserClass extends Class {
-  AbstractDOMParserClass() { this.hasName("AbstractDOMParser") }
-}
-
-/**
- * The `XercesDOMParser` class.
- */
-class XercesDOMParserClass extends Class {
-  XercesDOMParserClass() { this.hasName("XercesDOMParser") }
-}
-
-/**
- * The `SAXParser` class.
- */
-class SaxParserClass extends Class {
-  SaxParserClass() { this.hasName("SAXParser") }
-}
-
-/**
- * The `SAX2XMLReader` class.
- */
-class Sax2XmlReader extends Class {
-  Sax2XmlReader() { this.hasName("SAX2XMLReader") }
-}
-
-/**
- * Gets a valid flow state for `AbstractDOMParser` or `SAXParser` flow.
- *
- * These flow states take the form `Xerces-A-B`, where:
- *  - A is 1 if `setDisableDefaultEntityResolution` is `true`, 0 otherwise.
- *  - B is 1 if `setCreateEntityReferenceNodes` is `true`, 0 otherwise.
- */
-predicate encodeXercesFlowState(
-  string flowstate, int disabledDefaultEntityResolution, int createEntityReferenceNodes
-) {
-  flowstate = "Xerces-0-0" and
-  disabledDefaultEntityResolution = 0 and
-  createEntityReferenceNodes = 0
-  or
-  flowstate = "Xerces-0-1" and
-  disabledDefaultEntityResolution = 0 and
-  createEntityReferenceNodes = 1
-  or
-  flowstate = "Xerces-1-0" and
-  disabledDefaultEntityResolution = 1 and
-  createEntityReferenceNodes = 0
-  or
-  flowstate = "Xerces-1-1" and
-  disabledDefaultEntityResolution = 1 and
-  createEntityReferenceNodes = 1
-}
-
-/**
- * A flow state representing the configuration of an `AbstractDOMParser` or
- * `SAXParser` object.
- */
-class XercesFlowState extends XXEFlowState {
-  XercesFlowState() { encodeXercesFlowState(this, _, _) }
-}
-
-/**
- * A flow state transformer for a call to
- * `AbstractDOMParser.setDisableDefaultEntityResolution` or
- * `SAXParser.setDisableDefaultEntityResolution`. Transforms the flow
- * state through the qualifier according to the setting in the parameter.
- */
-class DisableDefaultEntityResolutionTranformer extends XXEFlowStateTranformer {
-  Expr newValue;
-
-  DisableDefaultEntityResolutionTranformer() {
-    exists(Call call, Function f |
-      call.getTarget() = f and
-      (
-        f.getDeclaringType() instanceof AbstractDOMParserClass or
-        f.getDeclaringType() instanceof SaxParserClass
-      ) and
-      f.hasName("setDisableDefaultEntityResolution") and
-      this = call.getQualifier() and
-      newValue = call.getArgument(0)
-    )
-  }
-
-  final override XXEFlowState transform(XXEFlowState flowstate) {
-    exists(int createEntityReferenceNodes |
-      encodeXercesFlowState(flowstate, _, createEntityReferenceNodes) and
-      (
-        globalValueNumber(newValue).getAnExpr().getValue().toInt() = 1 and // true
-        encodeXercesFlowState(result, 1, createEntityReferenceNodes)
-        or
-        not globalValueNumber(newValue).getAnExpr().getValue().toInt() = 1 and // false or unknown
-        encodeXercesFlowState(result, 0, createEntityReferenceNodes)
-      )
-    )
-  }
-}
-
-/**
- * A flow state transformer for a call to
- * `AbstractDOMParser.setCreateEntityReferenceNodes`. Transforms the flow
- * state through the qualifier according to the setting in the parameter.
- */
-class CreateEntityReferenceNodesTranformer extends XXEFlowStateTranformer {
-  Expr newValue;
-
-  CreateEntityReferenceNodesTranformer() {
-    exists(Call call, Function f |
-      call.getTarget() = f and
-      f.getClassAndName("setCreateEntityReferenceNodes") instanceof AbstractDOMParserClass and
-      this = call.getQualifier() and
-      newValue = call.getArgument(0)
-    )
-  }
-
-  final override XXEFlowState transform(XXEFlowState flowstate) {
-    exists(int disabledDefaultEntityResolution |
-      encodeXercesFlowState(flowstate, disabledDefaultEntityResolution, _) and
-      (
-        globalValueNumber(newValue).getAnExpr().getValue().toInt() = 1 and // true
-        encodeXercesFlowState(result, disabledDefaultEntityResolution, 1)
-        or
-        not globalValueNumber(newValue).getAnExpr().getValue().toInt() = 1 and // false or unknown
-        encodeXercesFlowState(result, disabledDefaultEntityResolution, 0)
-      )
-    )
-  }
-}
-
-/**
- * The `XMLUni.fgXercesDisableDefaultEntityResolution` constant.
- */
-class FeatureDisableDefaultEntityResolution extends Variable {
-  FeatureDisableDefaultEntityResolution() {
-    this.getName() = "fgXercesDisableDefaultEntityResolution" and
-    this.getDeclaringType().getName() = "XMLUni"
-  }
-}
-
-/**
- * A flow state transformer for a call to `SAX2XMLReader.setFeature`
- * specifying the feature `XMLUni::fgXercesDisableDefaultEntityResolution`.
- * Transforms the flow state through the qualifier according to this setting.
- */
-class SetFeatureTranformer extends XXEFlowStateTranformer {
-  Expr newValue;
-
-  SetFeatureTranformer() {
-    exists(Call call, Function f |
-      call.getTarget() = f and
-      f.getClassAndName("setFeature") instanceof Sax2XmlReader and
-      this = call.getQualifier() and
-      globalValueNumber(call.getArgument(0)).getAnExpr().(VariableAccess).getTarget() instanceof
-        FeatureDisableDefaultEntityResolution and
-      newValue = call.getArgument(1)
-    )
-  }
-
-  final override XXEFlowState transform(XXEFlowState flowstate) {
-    exists(int createEntityReferenceNodes |
-      encodeXercesFlowState(flowstate, _, createEntityReferenceNodes) and
-      (
-        globalValueNumber(newValue).getAnExpr().getValue().toInt() = 1 and // true
-        encodeXercesFlowState(result, 1, createEntityReferenceNodes)
-        or
-        not globalValueNumber(newValue).getAnExpr().getValue().toInt() = 1 and // false or unknown
-        encodeXercesFlowState(result, 0, createEntityReferenceNodes)
-      )
-    )
-  }
-}
-
-/**
- * The `AbstractDOMParser.parse`, `SAXParser.parse` or `SAX2XMLReader.parse`
- * method.
- */
-class ParseFunction extends Function {
-  ParseFunction() {
-    this.getClassAndName("parse") instanceof AbstractDOMParserClass or
-    this.getClassAndName("parse") instanceof SaxParserClass or
-    this.getClassAndName("parse") instanceof Sax2XmlReader
-  }
-}
-
-/**
- * The `createLSParser` function that returns a newly created `DOMLSParser`
- * object.
- */
-class CreateLSParser extends Function {
-  CreateLSParser() {
-    this.hasName("createLSParser") and
-    this.getUnspecifiedType().(PointerType).getBaseType().getName() = "DOMLSParser" // returns a `DOMLSParser *`.
-  }
-}
-
-/**
- * The `createXMLReader` function that returns a newly created `SAX2XMLReader`
- * object.
- */
-class CreateXmlReader extends Function {
-  CreateXmlReader() {
-    this.hasName("createXMLReader") and
-    this.getUnspecifiedType().(PointerType).getBaseType() instanceof Sax2XmlReader // returns a `SAX2XMLReader *`.
-  }
-}
-
-/**
- * A call to a `libxml2` function that parses XML.
- */
-class Libxml2ParseCall extends FunctionCall {
-  int optionsArg;
-
-  Libxml2ParseCall() {
-    exists(string fname | this.getTarget().getName() = fname |
-      fname = "xmlCtxtUseOptions" and optionsArg = 1
-      or
-      fname = "xmlReadFile" and optionsArg = 2
-      or
-      fname = ["xmlCtxtReadFile", "xmlParseInNodeContext", "xmlReadDoc", "xmlReadFd"] and
-      optionsArg = 3
-      or
-      fname = ["xmlCtxtReadDoc", "xmlCtxtReadFd", "xmlReadMemory"] and optionsArg = 4
-      or
-      fname = ["xmlCtxtReadMemory", "xmlReadIO"] and optionsArg = 5
-      or
-      fname = "xmlCtxtReadIO" and optionsArg = 6
-    )
-  }
-
-  /**
-   * Gets the argument that specifies `xmlParserOption`s.
-   */
-  Expr getOptions() { result = this.getArgument(optionsArg) }
-}
-
-/**
- * An `xmlParserOption` for `libxml2` that is considered unsafe.
- */
-class Libxml2BadOption extends EnumConstant {
-  Libxml2BadOption() { this.getName() = ["XML_PARSE_NOENT", "XML_PARSE_DTDLOAD"] }
-}
 
 /**
  * A configuration for tracking XML objects and their states.
@@ -293,85 +23,25 @@ class XXEConfiguration extends DataFlow::Configuration {
   XXEConfiguration() { this = "XXEConfiguration" }
 
   override predicate isSource(DataFlow::Node node, string flowstate) {
-    // source is the write on `this` of a call to the `XercesDOMParser`
-    // constructor.
-    exists(CallInstruction call |
-      call.getStaticCallTarget() = any(XercesDOMParserClass c).getAConstructor() and
-      node.asInstruction().(WriteSideEffectInstruction).getDestinationAddress() =
-        call.getThisArgument() and
-      encodeXercesFlowState(flowstate, 0, 1) // default configuration
-    )
-    or
-    // source is the result of a call to `createLSParser`.
-    exists(Call call |
-      call.getTarget() instanceof CreateLSParser and
-      call = node.asExpr() and
-      encodeXercesFlowState(flowstate, 0, 1) // default configuration
-    )
-    or
-    // source is the write on `this` of a call to the `SAXParser`
-    // constructor.
-    exists(CallInstruction call |
-      call.getStaticCallTarget() = any(SaxParserClass c).getAConstructor() and
-      node.asInstruction().(WriteSideEffectInstruction).getDestinationAddress() =
-        call.getThisArgument() and
-      encodeXercesFlowState(flowstate, 0, 1) // default configuration
-    )
-    or
-    // source is the result of a call to `createXMLReader`.
-    exists(Call call |
-      call.getTarget() instanceof CreateXmlReader and
-      call = node.asExpr() and
-      encodeXercesFlowState(flowstate, 0, 1) // default configuration
-    )
-    or
-    // source is an `options` argument on a `libxml2` parse call that specifies
-    // at least one unsafe option.
-    //
-    // note: we don't need to track an XML object for `libxml2`, so we don't
-    // really need data flow. Nevertheless we jam it into this configuration,
-    // with matching sources and sinks. This allows results to be presented by
-    // the same query, in a consistent way as other results with flow paths.
-    exists(Libxml2ParseCall call, Expr options |
-      options = call.getOptions() and
-      node.asExpr() = options and
-      flowstate = "libxml2" and
-      exists(Libxml2BadOption opt |
-        globalValueNumber(options).getAnExpr().getValue().toInt().bitAnd(opt.getValue().toInt()) !=
-          0
-      )
-    )
+    any(XmlLibrary l).configurationSource(node, flowstate)
   }
 
   override predicate isSink(DataFlow::Node node, string flowstate) {
-    // sink is the read of the qualifier of a call to `parse`.
-    exists(Call call |
-      call.getTarget() instanceof ParseFunction and
-      call.getQualifier() = node.asConvertedExpr()
-    ) and
-    flowstate instanceof XercesFlowState and
-    not encodeXercesFlowState(flowstate, 1, 1) // safe configuration
-    or
-    // sink is the `options` argument on a `libxml2` parse call.
-    exists(Libxml2ParseCall call, Expr options |
-      options = call.getOptions() and
-      node.asExpr() = options and
-      flowstate = "libxml2"
-    )
+    any(XmlLibrary l).configurationSink(node, flowstate)
   }
 
   override predicate isAdditionalFlowStep(
     DataFlow::Node node1, string state1, DataFlow::Node node2, string state2
   ) {
-    // create additional flow steps for `XXEFlowStateTranformer`s
-    state2 = node2.asConvertedExpr().(XXEFlowStateTranformer).transform(state1) and
+    // create additional flow steps for `XxeFlowStateTransformer`s
+    state2 = node2.asConvertedExpr().(XxeFlowStateTransformer).transform(state1) and
     DataFlow::simpleLocalFlowStep(node1, node2)
   }
 
   override predicate isBarrier(DataFlow::Node node, string flowstate) {
     // when the flowstate is transformed at a call node, block the original
     // flowstate value.
-    node.asConvertedExpr().(XXEFlowStateTranformer).transform(flowstate) != flowstate
+    node.asConvertedExpr().(XxeFlowStateTransformer).transform(flowstate) != flowstate
   }
 }
 

cpp/ql/src/Security/CWE/CWE-611/Xerces.qll

@@ -0,0 +1,376 @@
+/**
+ * Models the Xerces XML library.
+ */
+
+import cpp
+import XML
+import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+import semmle.code.cpp.ir.IR
+
+/**
+ * Gets a valid flow state for `AbstractDOMParser` or `SAXParser` flow.
+ *
+ * These flow states take the form `Xerces-A-B`, where:
+ *  - A is 1 if `setDisableDefaultEntityResolution` is `true`, 0 otherwise.
+ *  - B is 1 if `setCreateEntityReferenceNodes` is `true`, 0 otherwise.
+ */
+predicate encodeXercesFlowState(
+  string flowstate, int disabledDefaultEntityResolution, int createEntityReferenceNodes
+) {
+  flowstate = "Xerces-0-0" and
+  disabledDefaultEntityResolution = 0 and
+  createEntityReferenceNodes = 0
+  or
+  flowstate = "Xerces-0-1" and
+  disabledDefaultEntityResolution = 0 and
+  createEntityReferenceNodes = 1
+  or
+  flowstate = "Xerces-1-0" and
+  disabledDefaultEntityResolution = 1 and
+  createEntityReferenceNodes = 0
+  or
+  flowstate = "Xerces-1-1" and
+  disabledDefaultEntityResolution = 1 and
+  createEntityReferenceNodes = 1
+}
+
+/**
+ * A flow state representing the configuration of an `AbstractDOMParser` or
+ * `SAXParser` object.
+ */
+class XercesFlowState extends XxeFlowState {
+  XercesFlowState() { encodeXercesFlowState(this, _, _) }
+}
+
+/**
+ * The `AbstractDOMParser` class.
+ */
+class AbstractDomParserClass extends Class {
+  AbstractDomParserClass() { this.hasName("AbstractDOMParser") }
+}
+
+/**
+ * The `XercesDOMParser` class.
+ */
+class XercesDomParserClass extends Class {
+  XercesDomParserClass() { this.hasName("XercesDOMParser") }
+}
+
+/**
+ * The `XercesDOMParser` interface for the Xerces XML library.
+ */
+class XercesDomParserLibrary extends XmlLibrary {
+  XercesDomParserLibrary() { this = "XercesDomParserLibrary" }
+
+  override predicate configurationSource(DataFlow::Node node, string flowstate) {
+    // source is the write on `this` of a call to the `XercesDOMParser`
+    // constructor.
+    exists(CallInstruction call |
+      call.getStaticCallTarget() = any(XercesDomParserClass c).getAConstructor() and
+      node.asInstruction().(WriteSideEffectInstruction).getDestinationAddress() =
+        call.getThisArgument() and
+      encodeXercesFlowState(flowstate, 0, 1) // default configuration
+    )
+  }
+
+  override predicate configurationSink(DataFlow::Node node, string flowstate) {
+    // sink is the read of the qualifier of a call to `AbstractDOMParser.parse`.
+    exists(Call call |
+      call.getTarget().getClassAndName("parse") instanceof AbstractDomParserClass and
+      call.getQualifier() = node.asConvertedExpr()
+    ) and
+    flowstate instanceof XercesFlowState and
+    not encodeXercesFlowState(flowstate, 1, 1) // safe configuration
+  }
+}
+
+/**
+ * The `DOMLSParser` class.
+ */
+class DomLSParserClass extends Class {
+  DomLSParserClass() { this.hasName("DOMLSParser") }
+}
+
+/**
+ * The `createLSParser` function that returns a newly created `DOMLSParser`
+ * object.
+ */
+class CreateLSParser extends Function {
+  CreateLSParser() {
+    this.hasName("createLSParser") and
+    this.getUnspecifiedType().(PointerType).getBaseType() instanceof DomLSParserClass // returns a `DOMLSParser *`.
+  }
+}
+
+/**
+ * The createLSParser interface for the Xerces XML library.
+ */
+class CreateLSParserLibrary extends XmlLibrary {
+  CreateLSParserLibrary() { this = "CreateLSParserLibrary" }
+
+  override predicate configurationSource(DataFlow::Node node, string flowstate) {
+    // source is the result of a call to `createLSParser`.
+    exists(Call call |
+      call.getTarget() instanceof CreateLSParser and
+      call = node.asExpr() and
+      encodeXercesFlowState(flowstate, 0, 1) // default configuration
+    )
+  }
+
+  override predicate configurationSink(DataFlow::Node node, string flowstate) {
+    // sink is the read of the qualifier of a call to `DOMLSParserClass.parse`.
+    exists(Call call |
+      call.getTarget().getClassAndName("parse") instanceof DomLSParserClass and
+      call.getQualifier() = node.asConvertedExpr()
+    ) and
+    flowstate instanceof XercesFlowState and
+    not encodeXercesFlowState(flowstate, 1, 1) // safe configuration
+  }
+}
+
+/**
+ * The `SAXParser` class.
+ */
+class SaxParserClass extends Class {
+  SaxParserClass() { this.hasName("SAXParser") }
+}
+
+/**
+ * The `SAX2XMLReader` class.
+ */
+class Sax2XmlReader extends Class {
+  Sax2XmlReader() { this.hasName("SAX2XMLReader") }
+}
+
+/**
+ * The SAXParser interface for the Xerces XML library.
+ */
+class SaxParserLibrary extends XmlLibrary {
+  SaxParserLibrary() { this = "SaxParserLibrary" }
+
+  override predicate configurationSource(DataFlow::Node node, string flowstate) {
+    // source is the write on `this` of a call to the `SAXParser`
+    // constructor.
+    exists(CallInstruction call |
+      call.getStaticCallTarget() = any(SaxParserClass c).getAConstructor() and
+      node.asInstruction().(WriteSideEffectInstruction).getDestinationAddress() =
+        call.getThisArgument() and
+      encodeXercesFlowState(flowstate, 0, 1) // default configuration
+    )
+  }
+
+  override predicate configurationSink(DataFlow::Node node, string flowstate) {
+    // sink is the read of the qualifier of a call to `SAXParser.parse`.
+    exists(Call call |
+      call.getTarget().getClassAndName("parse") instanceof SaxParserClass and
+      call.getQualifier() = node.asConvertedExpr()
+    ) and
+    flowstate instanceof XercesFlowState and
+    not encodeXercesFlowState(flowstate, 1, 1) // safe configuration
+  }
+}
+
+/**
+ * The `createXMLReader` function that returns a newly created `SAX2XMLReader`
+ * object.
+ */
+class CreateXmlReader extends Function {
+  CreateXmlReader() {
+    this.hasName("createXMLReader") and
+    this.getUnspecifiedType().(PointerType).getBaseType() instanceof Sax2XmlReader // returns a `SAX2XMLReader *`.
+  }
+}
+
+/**
+ * The SAX2XMLReader interface for the Xerces XML library.
+ */
+class Sax2XmlReaderLibrary extends XmlLibrary {
+  Sax2XmlReaderLibrary() { this = "Sax2XmlReaderLibrary" }
+
+  override predicate configurationSource(DataFlow::Node node, string flowstate) {
+    // source is the result of a call to `createXMLReader`.
+    exists(Call call |
+      call.getTarget() instanceof CreateXmlReader and
+      call = node.asExpr() and
+      encodeXercesFlowState(flowstate, 0, 1) // default configuration
+    )
+  }
+
+  override predicate configurationSink(DataFlow::Node node, string flowstate) {
+    // sink is the read of the qualifier of a call to `SAX2XMLReader.parse`.
+    exists(Call call |
+      call.getTarget().getClassAndName("parse") instanceof Sax2XmlReader and
+      call.getQualifier() = node.asConvertedExpr()
+    ) and
+    flowstate instanceof XercesFlowState and
+    not encodeXercesFlowState(flowstate, 1, 1) // safe configuration
+  }
+}
+
+/**
+ * A flow state transformer for a call to
+ * `AbstractDOMParser.setDisableDefaultEntityResolution` or
+ * `SAXParser.setDisableDefaultEntityResolution`. Transforms the flow
+ * state through the qualifier according to the setting in the parameter.
+ */
+class DisableDefaultEntityResolutionTransformer extends XxeFlowStateTransformer {
+  Expr newValue;
+
+  DisableDefaultEntityResolutionTransformer() {
+    exists(Call call, Function f |
+      call.getTarget() = f and
+      (
+        f.getDeclaringType() instanceof AbstractDomParserClass or
+        f.getDeclaringType() instanceof SaxParserClass
+      ) and
+      f.hasName("setDisableDefaultEntityResolution") and
+      this = call.getQualifier() and
+      newValue = call.getArgument(0)
+    )
+  }
+
+  final override XxeFlowState transform(XxeFlowState flowstate) {
+    exists(int createEntityReferenceNodes |
+      encodeXercesFlowState(flowstate, _, createEntityReferenceNodes) and
+      (
+        globalValueNumber(newValue).getAnExpr().getValue().toInt() = 1 and // true
+        encodeXercesFlowState(result, 1, createEntityReferenceNodes)
+        or
+        not globalValueNumber(newValue).getAnExpr().getValue().toInt() = 1 and // false or unknown
+        encodeXercesFlowState(result, 0, createEntityReferenceNodes)
+      )
+    )
+  }
+}
+
+/**
+ * A flow state transformer for a call to
+ * `AbstractDOMParser.setCreateEntityReferenceNodes`. Transforms the flow
+ * state through the qualifier according to the setting in the parameter.
+ */
+class CreateEntityReferenceNodesTransformer extends XxeFlowStateTransformer {
+  Expr newValue;
+
+  CreateEntityReferenceNodesTransformer() {
+    exists(Call call, Function f |
+      call.getTarget() = f and
+      f.getClassAndName("setCreateEntityReferenceNodes") instanceof AbstractDomParserClass and
+      this = call.getQualifier() and
+      newValue = call.getArgument(0)
+    )
+  }
+
+  final override XxeFlowState transform(XxeFlowState flowstate) {
+    exists(int disabledDefaultEntityResolution |
+      encodeXercesFlowState(flowstate, disabledDefaultEntityResolution, _) and
+      (
+        globalValueNumber(newValue).getAnExpr().getValue().toInt() = 1 and // true
+        encodeXercesFlowState(result, disabledDefaultEntityResolution, 1)
+        or
+        not globalValueNumber(newValue).getAnExpr().getValue().toInt() = 1 and // false or unknown
+        encodeXercesFlowState(result, disabledDefaultEntityResolution, 0)
+      )
+    )
+  }
+}
+
+/**
+ * The `XMLUni.fgXercesDisableDefaultEntityResolution` constant.
+ */
+class FeatureDisableDefaultEntityResolution extends Variable {
+  FeatureDisableDefaultEntityResolution() {
+    this.getName() = "fgXercesDisableDefaultEntityResolution" and
+    this.getDeclaringType().getName() = "XMLUni"
+  }
+}
+
+/**
+ * A flow state transformer for a call to `SAX2XMLReader.setFeature`
+ * specifying the feature `XMLUni::fgXercesDisableDefaultEntityResolution`.
+ * Transforms the flow state through the qualifier according to this setting.
+ */
+class SetFeatureTransformer extends XxeFlowStateTransformer {
+  Expr newValue;
+
+  SetFeatureTransformer() {
+    exists(Call call, Function f |
+      call.getTarget() = f and
+      f.getClassAndName("setFeature") instanceof Sax2XmlReader and
+      this = call.getQualifier() and
+      globalValueNumber(call.getArgument(0)).getAnExpr().(VariableAccess).getTarget() instanceof
+        FeatureDisableDefaultEntityResolution and
+      newValue = call.getArgument(1)
+    )
+  }
+
+  final override XxeFlowState transform(XxeFlowState flowstate) {
+    exists(int createEntityReferenceNodes |
+      encodeXercesFlowState(flowstate, _, createEntityReferenceNodes) and
+      (
+        globalValueNumber(newValue).getAnExpr().getValue().toInt() = 1 and // true
+        encodeXercesFlowState(result, 1, createEntityReferenceNodes)
+        or
+        not globalValueNumber(newValue).getAnExpr().getValue().toInt() = 1 and // false or unknown
+        encodeXercesFlowState(result, 0, createEntityReferenceNodes)
+      )
+    )
+  }
+}
+
+/**
+ * The `DOMLSParser.getDomConfig` function.
+ */
+class GetDomConfig extends Function {
+  GetDomConfig() { this.getClassAndName("getDomConfig") instanceof DomLSParserClass }
+}
+
+/**
+ * The `DOMConfiguration.setParameter` function.
+ */
+class DomConfigurationSetParameter extends Function {
+  DomConfigurationSetParameter() {
+    this.getClassAndName("setParameter").getName() = "DOMConfiguration"
+  }
+}
+
+/**
+ * A flow state transformer for a call to `DOMConfiguration.setParameter`
+ * specifying the feature `XMLUni::fgXercesDisableDefaultEntityResolution`.
+ * This is a slightly more complex transformer because the qualifier is a
+ * `DOMConfiguration` pointer returned by `DOMLSParser.getDomConfig` - and it
+ * is *that* qualifier we want to transform the flow state of.
+ */
+class DomConfigurationSetParameterTransformer extends XxeFlowStateTransformer {
+  Expr newValue;
+
+  DomConfigurationSetParameterTransformer() {
+    exists(FunctionCall getDomConfigCall, FunctionCall setParameterCall |
+      // this is the qualifier of a call to `DOMLSParser.getDomConfig`.
+      getDomConfigCall.getTarget() instanceof GetDomConfig and
+      this = getDomConfigCall.getQualifier() and
+      // `setParameterCall` is a call to `setParameter` on the return value of
+      // the same call to `DOMLSParser.getDomConfig`.
+      setParameterCall.getTarget() instanceof DomConfigurationSetParameter and
+      globalValueNumber(setParameterCall.getQualifier()).getAnExpr() = getDomConfigCall and
+      // the parameter being set is
+      // `XMLUni::fgXercesDisableDefaultEntityResolution`.
+      globalValueNumber(setParameterCall.getArgument(0)).getAnExpr().(VariableAccess).getTarget()
+        instanceof FeatureDisableDefaultEntityResolution and
+      // the value being set is `newValue`.
+      newValue = setParameterCall.getArgument(1)
+    )
+  }
+
+  final override XxeFlowState transform(XxeFlowState flowstate) {
+    exists(int createEntityReferenceNodes |
+      encodeXercesFlowState(flowstate, _, createEntityReferenceNodes) and
+      (
+        globalValueNumber(newValue).getAnExpr().getValue().toInt() = 1 and // true
+        encodeXercesFlowState(result, 1, createEntityReferenceNodes)
+        or
+        not globalValueNumber(newValue).getAnExpr().getValue().toInt() = 1 and // false or unknown
+        encodeXercesFlowState(result, 0, createEntityReferenceNodes)
+      )
+    )
+  }
+}

cpp/ql/src/change-notes/released/0.1.3.md

@@ -0,0 +1,6 @@
+## 0.1.3
+
+### Minor Analysis Improvements
+
+* The "XML external entity expansion" (`cpp/external-entity-expansion`) query precision has been increased to `high`.
+* The `cpp/unused-local-variable` no longer ignores functions that include `if` and `switch` statements with C++17-style initializers.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.1.2
+lastReleaseVersion: 0.1.3

cpp/ql/src/experimental/Best Practices/WrongUintAccess.cpp

@@ -0,0 +1,7 @@
+void test()
+{
+    uint16_t j = 256;
+    char testSubject[122];
+
+    testSubject[j] = 12; // You can use a uint8 here
+}

cpp/ql/src/experimental/Best Practices/WrongUintAccess.qhelp

@@ -0,0 +1,18 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Find access to an array with a Uint16 when the array has a size lower than 256.</p>
+</overview>
+
+<recommendation>
+<p>Use a int with a lower bit size instead. For instance in this example use a 8 bit int.</p>
+</recommendation>
+
+<example>
+<sample src="WrongUintAccess.cpp" />
+</example>
+
+</qhelp>

cpp/ql/src/experimental/Best Practices/WrongUintAccess.ql

@@ -0,0 +1,25 @@
+/**
+ * @id cpp/wrong-uint-access
+ * @name Wrong Uint
+ * @descripion Acess an array of size lower than 256 with a uint16.
+ * @kind problem
+ * @problem.severity recommendation
+ * @tags efficiency
+ */
+
+import cpp
+
+from Variable var, ArrayExpr useExpr, ArrayType defLine, VariableAccess use
+where
+  var.getUnspecifiedType() = defLine and
+  use = useExpr.getArrayBase() and
+  var = use.getTarget() and
+  (
+    useExpr.getArrayOffset().getType() instanceof UInt16_t or
+    useExpr.getArrayOffset().getType() instanceof UInt32_t or
+    useExpr.getArrayOffset().getType() instanceof UInt64_t
+  ) and
+  defLine.getArraySize() <= 256
+select useExpr,
+  "Using a " + useExpr.getArrayOffset().getType() + " to acess the array $@ of size " +
+    defLine.getArraySize() + ".", var, var.getName()

cpp/ql/src/experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql

@@ -17,6 +17,36 @@
 import cpp
 import semmle.code.cpp.dataflow.DataFlow
 
+/**
+ * A Linux system call.
+ */
+class SystemCallFunction extends Function {
+  SystemCallFunction() {
+    exists(MacroInvocation m |
+      m.getMacro().getName().matches("SYSCALL\\_DEFINE%") and
+      this = m.getEnclosingFunction()
+    )
+  }
+}
+
+/**
+ * A value that comes from a Linux system call (sources).
+ */
+class SystemCallSource extends DataFlow::Node {
+  SystemCallSource() {
+    exists(FunctionCall fc |
+      fc.getTarget() instanceof SystemCallFunction and
+      (
+        this.asDefiningArgument() = fc.getAnArgument().getAChild*() or
+        this.asExpr() = fc
+      )
+    )
+  }
+}
+
+/**
+ * Macros used to check the value (barriers).
+ */
 class WriteAccessCheckMacro extends Macro {
   VariableAccess va;
 
@@ -28,6 +58,9 @@ class WriteAccessCheckMacro extends Macro {
   VariableAccess getArgument() { result = va }
 }
 
+/**
+ * The `unsafe_put_user` macro and its uses (sinks).
+ */
 class UnSafePutUserMacro extends Macro {
   PointerDereferenceExpr writeUserPtr;
 
@@ -42,15 +75,13 @@ class UnSafePutUserMacro extends Macro {
   }
 }
 
-class ExploitableUserModePtrParam extends Parameter {
+class ExploitableUserModePtrParam extends SystemCallSource {
   ExploitableUserModePtrParam() {
-    not exists(WriteAccessCheckMacro writeAccessCheck |
-      DataFlow::localFlow(DataFlow::parameterNode(this),
-        DataFlow::exprNode(writeAccessCheck.getArgument()))
-    ) and
     exists(UnSafePutUserMacro unsafePutUser |
-      DataFlow::localFlow(DataFlow::parameterNode(this),
-        DataFlow::exprNode(unsafePutUser.getUserModePtr()))
+      DataFlow::localFlow(this, DataFlow::exprNode(unsafePutUser.getUserModePtr()))
+    ) and
+    not exists(WriteAccessCheckMacro writeAccessCheck |
+      DataFlow::localFlow(this, DataFlow::exprNode(writeAccessCheck.getArgument()))
     )
   }
 }

cpp/ql/src/experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql

@@ -58,7 +58,7 @@ where
       // unfortunately cannot use numeric value here because // O_CREAT is defined differently on different OSes:
       // https://github.com/red/red/blob/92feb0c0d5f91e087ab35fface6906afbf99b603/runtime/definitions.reds#L477-L491
       // this may introduce false negatives
-      fctmp.getArgument(1).(BitwiseOrExpr).getAChild*().getValueText().matches("O_CREAT") or
+      fctmp.getArgument(1).(BitwiseOrExpr).getAChild*().getValueText() = "O_CREAT" or
       fctmp.getArgument(1).getValueText().matches("%O_CREAT%")
     ) and
     fctmp.getNumberOfArguments() = 2 and

cpp/ql/src/jsf/4.05 Libraries/AV Rule 23.ql

@@ -13,7 +13,7 @@ import cpp
 
 from Function f
 where
-  f.getName().regexpMatch("atof|atoi|atol") and
+  f.getName() = ["atof", "atoi", "atol"] and
   f.getFile().getAbsolutePath().matches("%stdlib.h")
 select f.getACallToThisFunction(),
   "AV Rule 23: The library functions atof, atoi and atol from library <stdlib.h> shall not be used."

cpp/ql/src/jsf/4.05 Libraries/AV Rule 24.ql

@@ -13,7 +13,7 @@ import cpp
 
 from Function f
 where
-  f.getName().regexpMatch("abort|exit|getenv|system") and
+  f.getName() = ["abort", "exit", "getenv", "system"] and
   f.getFile().getAbsolutePath().matches("%stdlib.h")
 select f.getACallToThisFunction(),
   "The library functions abort, exit, getenv and system from library <stdlib.h> should not be used."

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 0.1.2
+version: 0.1.4-dev
 groups: 
   - cpp
   - queries