C/C++ overlay: add discard predicate consistency query

C++: Support C23/C++26 `#embed` preprocessor directives

.github/workflows/compile-queries.yml

@@ -17,9 +17,41 @@ permissions:
   contents: read
 
 jobs:
-  compile-queries:
+  detect-changes:
     if: github.repository_owner == 'github'
+    runs-on: ubuntu-latest
+    outputs:
+      languages: ${{ steps.detect.outputs.languages }}
+    steps:
+      - uses: actions/checkout@v5
+      - name: Detect changed languages
+        id: detect
+        run: |
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            # For PRs, detect which languages have changes
+            changed_files=$(gh pr view ${{ github.event.pull_request.number }} --json files --jq '.files.[].path')
+            languages=()
+            for lang in actions cpp csharp go java javascript python ql ruby rust swift; do
+              if echo "$changed_files" | grep -qE "^($lang/|shared/)" ; then
+                languages+=("$lang")
+              fi
+            done
+            echo "languages=$(jq -c -n '$ARGS.positional' --args "${languages[@]}")" >> $GITHUB_OUTPUT
+          else
+            # For pushes to main/rc branches, run all languages
+            echo 'languages=["actions","cpp","csharp","go","java","javascript","python","ql","ruby","rust","swift"]' >> $GITHUB_OUTPUT
+          fi
+        env:
+          GH_TOKEN: ${{ github.token }}
+
+  compile-queries:
+    needs: detect-changes
+    if: github.repository_owner == 'github' && needs.detect-changes.outputs.languages != '[]'
     runs-on: ubuntu-latest-xl
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ${{ fromJson(needs.detect-changes.outputs.languages) }}
 
     steps:
       - uses: actions/checkout@v5
@@ -31,16 +63,16 @@ jobs:
         id: query-cache
         uses: ./.github/actions/cache-query-compilation
         with: 
-          key: all-queries
+          key: ${{ matrix.language }}-queries
       - name: check formatting
-        run: find shared */ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
+        run: find shared ${{ matrix.language }}/ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
       - name: compile queries - check-only
         # run with --check-only if running in a PR (github.sha != main)
         if : ${{ github.event_name == 'pull_request' }}
         shell: bash
-        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
+        run: codeql query compile -q -j0 ${{ matrix.language }}/ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
       - name: compile queries - full
         # do full compile if running on main - this populates the cache
         if : ${{ github.event_name != 'pull_request' }}
         shell: bash
-        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
+        run: codeql query compile -q -j0 ${{ matrix.language }}/ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000

actions/ql/examples/codeql-pack.lock.yml

@@ -0,0 +1,4 @@
+---
+lockVersion: 1.0.0
+dependencies: {}
+compiled: false

actions/ql/examples/qlpack.yml

@@ -0,0 +1,7 @@
+name: codeql/actions-examples
+groups:
+  - actions
+  - examples
+dependencies:
+  codeql/actions-all: ${workspace}
+warnOnImplicitThis: true

actions/ql/examples/snippets/uses_pinned_sha.ql

@@ -0,0 +1,12 @@
+/**
+ * @name Uses step with pinned SHA
+ * @description Finds 'uses' steps where the version is a pinned SHA.
+ * @id actions/examples/uses-pinned-sha
+ * @tags example
+ */
+
+import actions
+
+from UsesStep uses
+where uses.getVersion().regexpMatch("^[A-Fa-f0-9]{40}$")
+select uses, "This 'uses' step has a pinned SHA version."

actions/ql/lib/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 0.4.26
+
+### Major Analysis Improvements
+
+* The query `actions/code-injection/medium` has been updated to include results which were incorrectly excluded while filtering out results that are reported by `actions/code-injection/critical`.
+
 ## 0.4.25
 
 No user-facing changes.

actions/ql/lib/change-notes/released/0.4.26.md

@@ -1,4 +1,5 @@
----
-category: majorAnalysis
----
+## 0.4.26
+
+### Major Analysis Improvements
+
 * The query `actions/code-injection/medium` has been updated to include results which were incorrectly excluded while filtering out results that are reported by `actions/code-injection/critical`.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.25
+lastReleaseVersion: 0.4.26

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.26-dev
+version: 0.4.27-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.6.18
+
+No user-facing changes.
+
 ## 0.6.17
 
 No user-facing changes.

actions/ql/src/change-notes/released/0.6.18.md

@@ -0,0 +1,3 @@
+## 0.6.18
+
+No user-facing changes.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.17
+lastReleaseVersion: 0.6.18

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.18-dev
+version: 0.6.19-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

cpp/downgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/exprs.ql

@@ -0,0 +1,17 @@
+class Expr extends @expr {
+  string toString() { none() }
+}
+
+class Location extends @location_default {
+  string toString() { none() }
+}
+
+predicate isExprWithNewBuiltin(Expr expr) {
+  exists(int kind | exprs(expr, kind, _) | 394 <= kind and kind <= 396)
+}
+
+from Expr expr, int kind, int kind_new, Location location
+where
+  exprs(expr, kind, location) and
+  if isExprWithNewBuiltin(expr) then kind_new = 1 else kind_new = kind
+select expr, kind_new, location

cpp/downgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/upgrade.properties

@@ -0,0 +1,4 @@
+description: Add new builtin operations and this parameter access table
+compatibility: partial
+exprs.rel: run exprs.qlo
+param_ref_to_this.rel: delete

cpp/downgrades/83100310bf73eefc37c1d8d0ac98b2ca3019c7b6/upgrade.properties

@@ -0,0 +1,2 @@
+description: Sections for databaseMetadata and overlayChangedFiles
+compatibility: full

cpp/downgrades/9439176c1d1312787926458dd54d65a849069118/preprocdirects.ql

@@ -0,0 +1,13 @@
+class PreprocessorDirective extends @preprocdirect {
+  string toString() { none() }
+}
+
+class Location extends @location_default {
+  string toString() { none() }
+}
+
+from PreprocessorDirective ppd, int kind, int kind_new, Location l
+where
+  preprocdirects(ppd, kind, l) and
+  if kind = 17 then kind_new = /* ppd_warning */ 18 else kind_new = kind
+select ppd, kind_new, l

cpp/downgrades/9439176c1d1312787926458dd54d65a849069118/upgrade.properties

@@ -0,0 +1,4 @@
+description: Support embed preprocessor directive
+compatibility: partial
+embeds.rel: delete
+preprocdirects.rel: run preprocdirects.qlo

cpp/downgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/upgrade.properties

@@ -0,0 +1,2 @@
+description: Remove _Decimal{32,64,128} types
+compatibility: full

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,27 @@
+## 7.0.0
+
+### Breaking Changes
+
+* The `_Decimal32`, `_Decimal64`, and `_Decimal128` types are no longer exposed as builtin types. Support for these gcc-specific types was incomplete, and are generally not used in C/C++ codebases.
+
+### Deprecated APIs
+
+* The `OverloadedArrayExpr::getArrayOffset/0` predicate has been deprecated. Use `OverloadedArrayExpr::getArrayOffset/1` and `OverloadedArrayExpr::getAnArrayOffset` instead.
+
+### New Features
+
+* Added subclasses of `BuiltInOperations` for the `__is_bitwise_cloneable`, `__is_invocable`, and `__is_nothrow_invocable` builtin operations.
+* Added a `isThisAccess` predicate to `ParamAccessForType` that holds when the access is to the implicit object parameter.
+* Predicates `getArrayOffset/1` and `getAnArrayOffset` have been added to the `OverloadedArrayExpr` class to support C++23 multidimensional subscript operators.
+
+### Minor Analysis Improvements
+
+* Some constants will now be represented by their unfolded expression trees. The `isConstant` predicate of `Expr` will no longer yield a result for those constants.
+
+### Bug Fixes
+
+* Fixed a bug in the `DataFlow::BarrierGuard<...>::getABarrierNode` predicate which caused the predicate to return `DataFlow::Node`s with incorrect indirections. If you use `getABarrierNode` to implement barriers in a dataflow/taint-tracking query it may result in more query results. You can use `DataFlow::BarrierGuard<...>::getAnIndirectBarrierNode` to remove those query results.
+
 ## 6.1.4
 
 No user-facing changes.

cpp/ql/lib/change-notes/2026-01-02-constant-folding.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Some constants will now be represented by their unfolded expression trees. The `isConstant` predicate of `Expr` will no longer yield a result for those constants.

cpp/ql/lib/change-notes/2026-01-19-embed.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added a subclass `Embed` of `PreprocessorDirective` for C23 and C++26 `#embed` preprocessor directives.

cpp/ql/lib/change-notes/released/7.0.0.md

@@ -0,0 +1,23 @@
+## 7.0.0
+
+### Breaking Changes
+
+* The `_Decimal32`, `_Decimal64`, and `_Decimal128` types are no longer exposed as builtin types. Support for these gcc-specific types was incomplete, and are generally not used in C/C++ codebases.
+
+### Deprecated APIs
+
+* The `OverloadedArrayExpr::getArrayOffset/0` predicate has been deprecated. Use `OverloadedArrayExpr::getArrayOffset/1` and `OverloadedArrayExpr::getAnArrayOffset` instead.
+
+### New Features
+
+* Added subclasses of `BuiltInOperations` for the `__is_bitwise_cloneable`, `__is_invocable`, and `__is_nothrow_invocable` builtin operations.
+* Added a `isThisAccess` predicate to `ParamAccessForType` that holds when the access is to the implicit object parameter.
+* Predicates `getArrayOffset/1` and `getAnArrayOffset` have been added to the `OverloadedArrayExpr` class to support C++23 multidimensional subscript operators.
+
+### Minor Analysis Improvements
+
+* Some constants will now be represented by their unfolded expression trees. The `isConstant` predicate of `Expr` will no longer yield a result for those constants.
+
+### Bug Fixes
+
+* Fixed a bug in the `DataFlow::BarrierGuard<...>::getABarrierNode` predicate which caused the predicate to return `DataFlow::Node`s with incorrect indirections. If you use `getABarrierNode` to implement barriers in a dataflow/taint-tracking query it may result in more query results. You can use `DataFlow::BarrierGuard<...>::getAnIndirectBarrierNode` to remove those query results.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 6.1.4
+lastReleaseVersion: 7.0.0

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 6.1.5-dev
+version: 7.0.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/Preprocessor.qll

@@ -328,3 +328,27 @@ class PreprocessorPragma extends PreprocessorDirective, @ppd_pragma {
 class PreprocessorLine extends PreprocessorDirective, @ppd_line {
   override string toString() { result = "#line " + this.getHead() }
 }
+
+/**
+ * A C23 or C++26 `#embed` preprocessor directive. For example, the following code
+ * contains one `Embed` directive:
+ * ```cpp
+ * char arr[] = {
+ * #embed "bin"
+ * };
+ * ```
+ */
+class Embed extends PreprocessorDirective, @ppd_embed {
+  override string toString() { result = "#embed " + this.getIncludeText() }
+
+  /**
+   * Gets the token which occurs after `#embed`, for example `"filename"`
+   * or `<filename>`.
+   */
+  string getIncludeText() { result = this.getHead() }
+
+  /**
+   * Gets the file directly embedded by this `#embed`.
+   */
+  File getEmbeddedFile() { embeds(underlyingElement(this), unresolveElement(result)) }
+}

cpp/ql/lib/semmle/code/cpp/PrintAST.qll

@@ -1050,10 +1050,10 @@ private predicate namedExprChildPredicates(Expr expr, Element ele, string pred)
     expr.(Call).getQualifier() = ele and
     pred = "getQualifier()"
     or
-    // OverloadedArrayExpr::getArrayBase/0 and OverloadedArrayExpr::getArrayOffset/0 also consider arguments, and are already handled below.
+    // OverloadedArrayExpr::getArrayBase/0 and OverloadedArrayExpr::getArrayOffset/1 also consider arguments, and are already handled below.
     exists(int n, Expr arg | expr.(Call).getArgument(n) = arg |
       not expr.(OverloadedArrayExpr).getArrayBase() = arg and
-      not expr.(OverloadedArrayExpr).getArrayOffset() = arg and
+      not expr.(OverloadedArrayExpr).getAnArrayOffset() = arg and
       arg = ele and
       pred = "getArgument(" + n.toString() + ")"
     )
@@ -1062,7 +1062,10 @@ private predicate namedExprChildPredicates(Expr expr, Element ele, string pred)
     or
     expr.(OverloadedArrayExpr).getArrayBase() = ele and pred = "getArrayBase()"
     or
-    expr.(OverloadedArrayExpr).getArrayOffset() = ele and pred = "getArrayOffset()"
+    exists(int n |
+      expr.(OverloadedArrayExpr).getArrayOffset(n) = ele and
+      pred = "getArrayOffset(" + n.toString() + ")"
+    )
     or
     // OverloadedPointerDereferenceExpr::getExpr/0 also considers qualifiers, and is already handled above for all Call classes.
     not expr.(OverloadedPointerDereferenceExpr).getQualifier() =

cpp/ql/lib/semmle/code/cpp/Type.qll

@@ -802,15 +802,6 @@ private predicate floatingPointTypeMapping(
   // _Complex __float128
   kind = 39 and base = 2 and domain = TComplexDomain() and realKind = 38 and extended = false
   or
-  // _Decimal32
-  kind = 40 and base = 10 and domain = TRealDomain() and realKind = 40 and extended = false
-  or
-  // _Decimal64
-  kind = 41 and base = 10 and domain = TRealDomain() and realKind = 41 and extended = false
-  or
-  // _Decimal128
-  kind = 42 and base = 10 and domain = TRealDomain() and realKind = 42 and extended = false
-  or
   // _Float32
   kind = 45 and base = 2 and domain = TRealDomain() and realKind = 45 and extended = false
   or
@@ -871,9 +862,8 @@ private predicate floatingPointTypeMapping(
 
 /**
  * The C/C++ floating point types. See 4.5.  This includes `float`, `double` and `long double`, the
- * fixed-size floating-point types like `_Float32`, the extended-precision floating-point types like
- * `_Float64x`, and the decimal floating-point types like `_Decimal32`. It also includes the complex
- * and imaginary versions of all of these types.
+ * fixed-size floating-point types like `_Float32`, and the extended-precision floating-point types
+ * like `_Float64x`. It also includes the complex and imaginary versions of all of these types.
  */
 class FloatingPointType extends ArithmeticType {
   final int base;
@@ -991,42 +981,6 @@ class Float128Type extends RealNumberType, BinaryFloatingPointType {
   override string getAPrimaryQlClass() { result = "Float128Type" }
 }
 
-/**
- * The GNU C `_Decimal32` primitive type.  This is not standard C/C++.
- * ```
- * _Decimal32 d32;
- * ```
- */
-class Decimal32Type extends RealNumberType, DecimalFloatingPointType {
-  Decimal32Type() { builtintypes(underlyingElement(this), _, 40, _, _, _) }
-
-  override string getAPrimaryQlClass() { result = "Decimal32Type" }
-}
-
-/**
- * The GNU C `_Decimal64` primitive type.  This is not standard C/C++.
- * ```
- * _Decimal64 d64;
- * ```
- */
-class Decimal64Type extends RealNumberType, DecimalFloatingPointType {
-  Decimal64Type() { builtintypes(underlyingElement(this), _, 41, _, _, _) }
-
-  override string getAPrimaryQlClass() { result = "Decimal64Type" }
-}
-
-/**
- * The GNU C `_Decimal128` primitive type.  This is not standard C/C++.
- * ```
- * _Decimal128 d128;
- * ```
- */
-class Decimal128Type extends RealNumberType, DecimalFloatingPointType {
-  Decimal128Type() { builtintypes(underlyingElement(this), _, 42, _, _, _) }
-
-  override string getAPrimaryQlClass() { result = "Decimal128Type" }
-}
-
 /**
  * The C/C++ `void` type. See 4.7.
  * ```

cpp/ql/lib/semmle/code/cpp/exprs/Access.qll

@@ -394,6 +394,11 @@ class FunctionAccess extends Access, @routineexpr {
  */
 class ParamAccessForType extends Expr, @param_ref {
   override string toString() { result = "param access" }
+
+  /**
+   * Holds if the accessed parameter is implicit object parameter of the function.
+   */
+  predicate isThisAccess() { param_ref_to_this(underlyingElement(this)) }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/exprs/BuiltInOperations.qll

@@ -1941,3 +1941,61 @@ class BuiltInOperationIsTriviallyRelocatable extends BuiltInOperation, @istrivia
 
   override string getAPrimaryQlClass() { result = "BuiltInOperationIsTriviallyRelocatable" }
 }
+
+/**
+ * A C++ `__is_bitwise_cloneable` built-in operation.
+ *
+ * Returns `true` if an object of type `_Tp` is bitwise cloneable.
+ *
+ * ```
+ * template<typename _Tp>
+ *   struct is_bitwise_cloneable
+ *   : public integral_constant<bool, __is_bitwise_cloneable(_Tp)>
+ *   {};
+ * ```
+ */
+class BuiltInOperationIsBitwiseCloneable extends BuiltInOperation, @isbitwisecloneable {
+  override string toString() { result = "__is_bitwise_cloneable" }
+
+  override string getAPrimaryQlClass() { result = "BuiltInOperationIsBitwiseCloneable" }
+}
+
+/**
+ * A C++ `__is_invocable` built-in operation (used by some implementations
+ * of the `<type_traits>` header).
+ *
+ * Returns `true` if a function of type `_FTpn` can be invoked with arguments of
+ * type `_Tps`.
+ *
+ * ```
+ * template<typename _FTpn, typename... _Tps>
+ *   struct is_invocable
+ *   : public integral_constant<bool, __is_invocable(_FTpn, _Tps...)>
+ *   {};
+ * ```
+ */
+class BuiltInOperationIsInvocable extends BuiltInOperation, @isinvocable {
+  override string toString() { result = "__is_invocable" }
+
+  override string getAPrimaryQlClass() { result = "BuiltInOperationIsInvocable" }
+}
+
+/**
+ * A C++ `__is_nothrow_invocable` built-in operation (used by some implementations
+ * of the `<type_traits>` header).
+ *
+ * Returns `true` if a function of non-throwing type `_FTpn` can be invoked
+ * with arguments of type `_Tps`.
+ *
+ * ```
+ * template<typename _FTpn, typename... _Tps>
+ *   struct is_nothrow_invocable
+ *   : public integral_constant<bool, __is_nothrow_invocable(_FTpn, _Tps...)>
+ *   {};
+ * ```
+ */
+class BuiltInOperationIsNothrowInvocable extends BuiltInOperation, @isnothrowinvocable {
+  override string toString() { result = "__is_nothrow_invocable" }
+
+  override string getAPrimaryQlClass() { result = "BuiltInOperationIsNothrowInvocable" }
+}

cpp/ql/lib/semmle/code/cpp/exprs/Call.qll

@@ -387,10 +387,23 @@ class OverloadedArrayExpr extends FunctionCall {
 
   /**
    * Gets the expression giving the index.
+   *
+   * DEPRECATED: Use getArrayOffset/1 instead.
    */
-  Expr getArrayOffset() {
-    if exists(this.getQualifier()) then result = this.getChild(0) else result = this.getChild(1)
+  deprecated Expr getArrayOffset() { result = this.getArrayOffset(0) }
+
+  /**
+   * Gets the expression giving the nth index.
+   */
+  Expr getArrayOffset(int n) {
+    n >= 0 and
+    if exists(this.getQualifier()) then result = this.getChild(n) else result = this.getChild(n + 1)
   }
+
+  /**
+   * Gets an expression giving an index.
+   */
+  Expr getAnArrayOffset() { result = this.getArrayOffset(_) }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/internal/Overlay.qll

@@ -21,7 +21,7 @@ private string getLocationFilePath(@location_default loc) {
  * Gets the file path for an element with a single location.
  */
 overlay[local]
-private string getSingleLocationFilePath(@element e) {
+string getSingleLocationFilePath(@element e) {
   exists(@location_default loc |
     var_decls(e, _, _, _, loc)
     or
@@ -34,6 +34,38 @@ private string getSingleLocationFilePath(@element e) {
     macroinvocations(e, _, loc, _)
     or
     preprocdirects(e, _, loc)
+    or
+    diagnostics(e, _, _, _, _, loc)
+    or
+    usings(e, _, loc, _)
+    or
+    static_asserts(e, _, _, loc, _)
+    or
+    derivations(e, _, _, _, loc)
+    or
+    frienddecls(e, _, _, loc)
+    or
+    comments(e, _, loc)
+    or
+    exprs(e, _, loc)
+    or
+    stmts(e, _, loc)
+    or
+    initialisers(e, _, _, loc)
+    or
+    attributes(e, _, _, _, loc)
+    or
+    attribute_args(e, _, _, _, loc)
+    or
+    namequalifiers(e, _, _, loc)
+    or
+    enumconstants(e, _, _, _, _, loc)
+    or
+    type_mentions(e, _, loc, _)
+    or
+    lambda_capture(e, _, _, _, _, _, loc)
+    or
+    concept_templates(e, _, loc)
   |
     result = getLocationFilePath(loc)
   )
@@ -43,7 +75,7 @@ private string getSingleLocationFilePath(@element e) {
  * Gets the file path for an element with potentially multiple locations.
  */
 overlay[local]
-private string getMultiLocationFilePath(@element e) {
+string getMultiLocationFilePath(@element e) {
   exists(@location_default loc |
     exists(@var_decl vd | var_decls(vd, e, _, _, loc))
     or

cpp/ql/lib/semmle/code/cpp/internal/OverlayDiscardConsistencyQuery.qll

@@ -0,0 +1,64 @@
+/**
+ * Provides consistency queries for checking that every database entity
+ * that can be discarded (i.e. everything but `@compilation` and some external
+ * entities) in an overlay database is indeed discarded.
+ *
+ * This validates that Overlay.qll's `getSingleLocationFilePath` and
+ * `getMultiLocationFilePath` predicates cover all entity types.
+ */
+
+import cpp
+private import Overlay
+
+/**
+ * Holds if `element` is not covered by the discard predicates in Overlay.qll.
+ *
+ * This query is intended to flag cases where new entity types are added
+ * to the dbscheme but the corresponding discard predicate is not updated.
+ *
+ * An element is considered covered if it has a path via either
+ * `getSingleLocationFilePath` or `getMultiLocationFilePath`.
+ */
+query predicate consistencyTest(Element element, string message) {
+  (
+    // Check that every @element has a path via the discard predicates
+    not exists(getSingleLocationFilePath(element)) and
+    not exists(getMultiLocationFilePath(element)) and
+    // Exclude global/synthetic entities that don't need to be discarded
+    not element instanceof @specifier and
+    not element instanceof @builtintype and
+    not element instanceof @derivedtype and
+    not element instanceof @routinetype and
+    not element instanceof @ptrtomember and
+    not element instanceof @decltype and
+    not element instanceof @type_operator and
+    not element instanceof @specialnamequalifyingelement and
+    // Exclude files/folders (handled separately by overlay infrastructure)
+    not element instanceof @file and
+    not element instanceof @folder and
+    // Exclude XML entities (not C++ code)
+    not element instanceof @xmllocatable and
+    // Exclude compiler diagnostics (metadata, not source entities)
+    not element instanceof @diagnostic and
+    // Exclude usertypes without declarations (compiler built-ins like 'auto', '__va_list')
+    not (element instanceof @usertype and not exists(@type_decl td | type_decls(td, element, _))) and
+    // Exclude namespaces without declarations (global namespace)
+    not (
+      element instanceof @namespace and
+      not exists(@namespace_decl nd | namespace_decls(nd, element, _, _))
+    ) and
+    // Exclude functions without declarations (compiler-generated like implicit operator=)
+    not (
+      element instanceof @function and not exists(@fun_decl fd | fun_decls(fd, element, _, _, _))
+    ) and
+    // Exclude variables without declarations (parameters of compiler-generated functions)
+    not (
+      element instanceof @variable and not exists(@var_decl vd | var_decls(vd, element, _, _, _))
+    ) and
+    exists(Location loc | loc = element.getLocation() |
+      message =
+        element.getPrimaryQlClasses() + " at " + loc.getFile().getRelativePath() + ":" +
+          loc.getStartLine().toString() + " not covered by discard predicates"
+    )
+  )
+}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -156,7 +156,7 @@ class Node extends TIRDataFlowNode {
    * If `isGLValue()` holds, then the type of this node
    * should be thought of as "pointer to `getType()`".
    */
-  DataFlowType getType() { none() } // overridden in subclasses
+  Type getType() { none() } // overridden in subclasses
 
   /** Gets the instruction corresponding to this node, if any. */
   Instruction asInstruction() { result = this.(InstructionNode).getInstruction() }
@@ -541,7 +541,7 @@ class Node extends TIRDataFlowNode {
   /**
    * Gets an upper bound on the type of this node.
    */
-  DataFlowType getTypeBound() { result = this.getType() }
+  Type getTypeBound() { result = this.getType() }
 
   /** Gets the location of this element. */
   cached
@@ -585,7 +585,7 @@ private class Node0 extends Node, TNode0 {
 
   override string toStringImpl() { result = node.toString() }
 
-  override DataFlowType getType() { result = node.getType() }
+  override Type getType() { result = node.getType() }
 
   override predicate isGLValue() { node.isGLValue() }
 }
@@ -704,7 +704,7 @@ class SsaSynthNode extends Node, TSsaSynthNode {
 
   override Declaration getFunction() { result = node.getBasicBlock().getEnclosingFunction() }
 
-  override DataFlowType getType() { result = node.getSourceVariable().getType() }
+  override Type getType() { result = node.getSourceVariable().getType() }
 
   override predicate isGLValue() { node.getSourceVariable().isGLValue() }
 
@@ -732,7 +732,7 @@ class SsaIteratorNode extends Node, TSsaIteratorNode {
 
   override Declaration getFunction() { result = node.getFunction() }
 
-  override DataFlowType getType() { result = node.getType() }
+  override Type getType() { result = node.getType() }
 
   final override Location getLocationImpl() { result = node.getLocation() }
 
@@ -792,7 +792,7 @@ class FinalGlobalValue extends Node, TFinalGlobalValue {
 
   override Declaration getFunction() { result = globalUse.getIRFunction().getFunction() }
 
-  override DataFlowType getType() {
+  override Type getType() {
     exists(int indirectionIndex |
       indirectionIndex = globalUse.getIndirectionIndex() and
       result = getTypeImpl(globalUse.getUnderlyingType(), indirectionIndex)
@@ -826,7 +826,7 @@ class InitialGlobalValue extends Node, TInitialGlobalValue {
 
   final override predicate isGLValue() { globalDef.getIndirectionIndex() = 0 }
 
-  override DataFlowType getType() { result = globalDef.getUnderlyingType() }
+  override Type getType() { result = globalDef.getUnderlyingType() }
 
   final override Location getLocationImpl() { result = globalDef.getLocation() }
 
@@ -853,7 +853,7 @@ class BodyLessParameterNodeImpl extends Node, TBodyLessParameterNodeImpl {
   /** Gets the indirection index of this node. */
   int getIndirectionIndex() { result = indirectionIndex }
 
-  override DataFlowType getType() {
+  override Type getType() {
     result = getTypeImpl(p.getUnderlyingType(), this.getIndirectionIndex())
   }
 
@@ -1117,8 +1117,8 @@ private module RawIndirectNodes {
 
     override predicate isGLValue() { this.getOperand().isGLValue() }
 
-    override DataFlowType getType() {
-      exists(int sub, DataFlowType type, boolean isGLValue |
+    override Type getType() {
+      exists(int sub, Type type, boolean isGLValue |
         type = getOperandType(this.getOperand(), isGLValue) and
         if isGLValue = true then sub = 1 else sub = 0
       |
@@ -1163,8 +1163,8 @@ private module RawIndirectNodes {
 
     override predicate isGLValue() { this.getInstruction().isGLValue() }
 
-    override DataFlowType getType() {
-      exists(int sub, DataFlowType type, boolean isGLValue |
+    override Type getType() {
+      exists(int sub, Type type, boolean isGLValue |
         type = getInstructionType(this.getInstruction(), isGLValue) and
         if isGLValue = true then sub = 1 else sub = 0
       |
@@ -1263,7 +1263,7 @@ class FinalParameterNode extends Node, TFinalParameterNode {
     result.asSourceCallable() = this.getFunction()
   }
 
-  override DataFlowType getType() { result = getTypeImpl(p.getUnderlyingType(), indirectionIndex) }
+  override Type getType() { result = getTypeImpl(p.getUnderlyingType(), indirectionIndex) }
 
   final override Location getLocationImpl() {
     // Parameters can have multiple locations. When there's a unique location we use
@@ -1539,7 +1539,7 @@ abstract class PostUpdateNode extends Node {
    */
   abstract Node getPreUpdateNode();
 
-  final override DataFlowType getType() { result = this.getPreUpdateNode().getType() }
+  final override Type getType() { result = this.getPreUpdateNode().getType() }
 }
 
 /**
@@ -1632,9 +1632,7 @@ class VariableNode extends Node, TGlobalLikeVariableNode {
     result.asSourceCallable() = v
   }
 
-  override DataFlowType getType() {
-    result = getTypeImpl(v.getUnderlyingType(), indirectionIndex - 1)
-  }
+  override Type getType() { result = getTypeImpl(v.getUnderlyingType(), indirectionIndex - 1) }
 
   final override Location getLocationImpl() {
     // Certain variables (such as parameters) can have multiple locations.

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImpl.qll

@@ -53,7 +53,7 @@ private module SourceVariables {
      * the type of this source variable should be thought of as "pointer
      * to `getType()`".
      */
-    DataFlowType getType() {
+    Type getType() {
       if this.isGLValue()
       then result = base.getType()
       else result = getTypeImpl(base.getType(), ind - 1)
@@ -1064,8 +1064,15 @@ module BarrierGuardWithIntParam<guardChecksNodeSig/4 guardChecksNode> {
     DataFlowIntegrationInput::Guard g, SsaImpl::Definition def, IRGuards::GuardValue val,
     int indirectionIndex
   ) {
-    IRGuards::Guards_v1::ParameterizedValidationWrapper<int, guardChecksInstr/4>::guardChecksDef(g,
-      def, val, indirectionIndex)
+    exists(Instruction e |
+      IRGuards::Guards_v1::ParameterizedValidationWrapper<int, guardChecksInstr/4>::guardChecks(g,
+        e, val, indirectionIndex)
+    |
+      indirectionIndex = 0 and
+      def.(Definition).getAUse().getDef() = e
+      or
+      def.(Definition).getAnIndirectUse(indirectionIndex).getDef() = e
+    )
   }
 
   Node getABarrierNode(int indirectionIndex) {

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -617,9 +617,9 @@ case @builtintype.kind of
 | 37 = @signed_int128         // signed __int128
 | 38 = @float128              // __float128
 | 39 = @complex_float128      // _Complex __float128
-| 40 = @decimal32             // _Decimal32
-| 41 = @decimal64             // _Decimal64
-| 42 = @decimal128            // _Decimal128
+// ... 40 _Decimal32
+// ... 41 _Decimal64
+// ... 42 _Decimal128
 | 43 = @char16_t
 | 44 = @char32_t
 | 45 = @std_float32           // _Float32
@@ -1902,6 +1902,9 @@ case @expr.kind of
 | 391 = @nested_requirement
 | 392 = @compound_requirement
 | 393 = @concept_id
+| 394 = @isinvocable
+| 395 = @isnothrowinvocable
+| 396 = @isbitwisecloneable
 ;
 
 @var_args_expr = @vastartexpr
@@ -2018,6 +2021,9 @@ case @expr.kind of
             | @istriviallyequalitycomparable
             | @isscopedenum
             | @istriviallyrelocatable
+            | @isinvocable
+            | @isnothrowinvocable
+            | @isbitwisecloneable
             ;
 
 compound_requirement_is_noexcept(
@@ -2034,6 +2040,10 @@ new_array_allocated_type(
     int type_id: @type ref
 );
 
+param_ref_to_this(
+    int expr: @param_ref ref
+)
+
 /**
  * The field being initialized by an initializer expression within an aggregate
  * initializer for a class/struct/union. Position is used to sort repeated initializers.
@@ -2343,6 +2353,7 @@ case @preprocdirect.kind of
 | 14 = @ppd_ms_import
 | 15 = @ppd_elifdef
 | 16 = @ppd_elifndef
+| 17 = @ppd_embed
 | 18 = @ppd_warning
 ;
 
@@ -2369,6 +2380,11 @@ includes(
     int included: @file ref
 );
 
+embeds(
+    unique int id: @ppd_embed ref,
+    int included: @file ref
+);
+
 link_targets(
     int id: @link_target,
     int binary: @file ref
@@ -2379,6 +2395,8 @@ link_parent(
     int link_target : @link_target ref
 );
 
+/*- Database metadata -*/
+
 /**
  * The CLI will automatically emit applicable tuples for this table,
  * such as `databaseMetadata("isOverlay", "true")` when building an
@@ -2389,6 +2407,8 @@ databaseMetadata(
   string value: string ref
 );
 
+/*- Overlay support -*/
+
 /**
  * The CLI will automatically emit tuples for each new/modified/deleted file
  * when building an overlay database.

cpp/ql/lib/upgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/upgrade.properties

@@ -0,0 +1,2 @@
+description: Sections for databaseMetadata and overlayChangedFiles
+compatibility: full

cpp/ql/lib/upgrades/83100310bf73eefc37c1d8d0ac98b2ca3019c7b6/upgrade.properties

@@ -0,0 +1,2 @@
+description: Support embed preprocessor directive
+compatibility: partial

cpp/ql/lib/upgrades/a42ce5fc943254097f85471b94ae2247e819104a/builtintypes.ql

@@ -0,0 +1,11 @@
+class BuiltinType extends @builtintype {
+  string toString() { none() }
+}
+
+predicate isDecimalBuiltinType(BuiltinType type) { builtintypes(type, _, [40, 41, 42], _, _, _) }
+
+from BuiltinType type, string name, int kind, int kind_new, int size, int sign, int alignment
+where
+  builtintypes(type, name, kind, size, sign, alignment) and
+  if isDecimalBuiltinType(type) then kind_new = 1 else kind_new = kind
+select type, name, kind_new, size, sign, alignment

cpp/ql/lib/upgrades/a42ce5fc943254097f85471b94ae2247e819104a/upgrade.properties

@@ -0,0 +1,3 @@
+description: Remove _Decimal{32,64,128} types
+compatibility: partial
+builtintypes.rel: run builtintypes.qlo

cpp/ql/lib/upgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/upgrade.properties

@@ -0,0 +1,2 @@
+description: Add new builtin operations and this parameter access table
+compatibility: backwards

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 1.5.9
+
+### Minor Analysis Improvements
+
+* The `cpp/constant-comparison` query has been updated to not produce false positives for constants that are now represented by their unfolded expression trees.
+
 ## 1.5.8
 
 No user-facing changes.

cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql

@@ -122,7 +122,8 @@ module Config implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node node) {
     // Block flow if the node is guarded by any <, <= or = operations.
-    node = DataFlow::BarrierGuard<lessThanOrEqual/3>::getABarrierNode()
+    node = DataFlow::BarrierGuard<lessThanOrEqual/3>::getABarrierNode() or
+    node = DataFlow::BarrierGuard<lessThanOrEqual/3>::getAnIndirectBarrierNode()
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }

cpp/ql/src/change-notes/released/1.5.9.md

@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
+## 1.5.9
+
+### Minor Analysis Improvements
+
 * The `cpp/constant-comparison` query has been updated to not produce false positives for constants that are now represented by their unfolded expression trees.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.8
+lastReleaseVersion: 1.5.9

cpp/ql/src/jsf/lib/section_4_21_Operators/AV_Rule_166.qll

@@ -13,7 +13,7 @@ class SizeofImpureExprOperator extends SizeofExprOperator {
       not e.(OverloadedPointerDereferenceExpr).getExpr().isPure() and
       not exists(OverloadedArrayExpr op | op = e |
         op.getArrayBase().isPure() and
-        op.getArrayOffset().isPure()
+        forall(Expr offset | offset = op.getAnArrayOffset() | offset.isPure())
       )
     )
   }

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.5.9-dev
+version: 1.5.10-dev
 groups:
   - cpp
   - queries

cpp/ql/src/utils/modelgenerator/internal/CaptureModels.qll

@@ -78,7 +78,7 @@ module ModelGeneratorCommonInput implements ModelGeneratorCommonInputSig<Cpp::Lo
 {
   private module DataFlow = Df::DataFlow;
 
-  class Type = DataFlowPrivate::DataFlowType;
+  class Type = Cpp::Type;
 
   // Note: This also includes `this`
   class Parameter = DataFlow::ParameterNode;

cpp/ql/test/library-tests/builtins/type_traits/clang.cpp

@@ -1,4 +1,4 @@
-// semmle-extractor-options: --clang --clang_version 190000
+// semmle-extractor-options: --clang --clang_version 210000
 
 struct S {
     void f() {}
@@ -121,3 +121,11 @@ bool b_is_scoped_enum2 = __is_scoped_enum(int);
 
 bool b_is_trivially_relocatable1 = __is_trivially_relocatable(int);
 bool b_is_trivially_relocatable2 = __is_trivially_relocatable(void);
+
+struct S3{
+    S3(S3 &);
+    S3& operator=(S3&);
+};
+
+bool bok_is_bitwise_cloneable1 = __is_bitwise_cloneable(int);
+bool bok_is_bitwise_cloneable2 = __is_bitwise_cloneable(S3);

cpp/ql/test/library-tests/builtins/type_traits/expr.expected

@@ -165,6 +165,10 @@
 | clang.cpp:122:36:122:66 | int |  | <none> |
 | clang.cpp:123:36:123:67 | __is_trivially_relocatable | void | 0 |
 | clang.cpp:123:36:123:67 | void |  | <none> |
+| clang.cpp:130:34:130:60 | __is_bitwise_cloneable | int | 1 |
+| clang.cpp:130:34:130:60 | int |  | <none> |
+| clang.cpp:131:34:131:59 | S3 |  | <none> |
+| clang.cpp:131:34:131:59 | __is_bitwise_cloneable | S3 | 0 |
 | file://:0:0:0:0 | 0 |  | 0 |
 | file://:0:0:0:0 | 0 |  | 0 |
 | file://:0:0:0:0 | 1 |  | 1 |
@@ -211,6 +215,16 @@
 | gcc.cpp:29:45:29:93 | __reference_converts_from_temporary | int &&,int && | 0 |
 | gcc.cpp:29:45:29:93 | int && |  | <none> |
 | gcc.cpp:29:45:29:93 | int && |  | <none> |
+| gcc.cpp:33:24:33:45 | __is_invocable | f_type | 1 |
+| gcc.cpp:33:24:33:45 | f_type |  | <none> |
+| gcc.cpp:34:24:34:51 | __is_invocable | f_type,bool | 0 |
+| gcc.cpp:34:24:34:51 | bool |  | <none> |
+| gcc.cpp:34:24:34:51 | f_type |  | <none> |
+| gcc.cpp:36:32:36:61 | __is_nothrow_invocable | f_type | 1 |
+| gcc.cpp:36:32:36:61 | f_type |  | <none> |
+| gcc.cpp:37:32:37:67 | __is_nothrow_invocable | f_type,bool | 0 |
+| gcc.cpp:37:32:37:67 | bool |  | <none> |
+| gcc.cpp:37:32:37:67 | f_type |  | <none> |
 | ms.cpp:38:41:38:45 | 0 |  | 0 |
 | ms.cpp:88:27:88:45 | __has_assign | empty | 0 |
 | ms.cpp:88:27:88:45 | empty |  | <none> |

cpp/ql/test/library-tests/builtins/type_traits/gcc.cpp

@@ -1,4 +1,4 @@
-// semmle-extractor-options: --gnu_version 130000
+// semmle-extractor-options: --gnu_version 150000
 
 __attribute__ ((aligned(8))) int v;
 bool b_has_attribute1 = __builtin_has_attribute(v, aligned);
@@ -27,3 +27,11 @@ bool b_reference_constructs_from_temporary2 = __reference_constructs_from_tempor
 
 bool b_reference_converts_from_temporary1 = __reference_converts_from_temporary(int&&, int);
 bool b_reference_converts_from_temporary2 = __reference_converts_from_temporary(int&&, int&&);
+
+using f_type = void(*)() noexcept;
+
+bool b_is_invocable1 = __is_invocable(f_type);
+bool b_is_invocable2 = __is_invocable(f_type, bool);
+
+bool b_is_nothrow_invocable1 = __is_nothrow_invocable(f_type);
+bool b_is_nothrow_invocable2 = __is_nothrow_invocable(f_type, bool);

cpp/ql/test/library-tests/builtins/types/types.c

@@ -1,5 +0,0 @@
-
-_Decimal32 d32;
-_Decimal64 d64;
-_Decimal128 d128;
-

cpp/ql/test/library-tests/builtins/types/types.expected

@@ -1,7 +0,0 @@
-| file://:0:0:0:0 | fp_offset | file://:0:0:0:0 | unsigned int |
-| file://:0:0:0:0 | gp_offset | file://:0:0:0:0 | unsigned int |
-| file://:0:0:0:0 | overflow_arg_area | file://:0:0:0:0 | void * |
-| file://:0:0:0:0 | reg_save_area | file://:0:0:0:0 | void * |
-| types.c:2:12:2:14 | d32 | file://:0:0:0:0 | _Decimal32 |
-| types.c:3:12:3:14 | d64 | file://:0:0:0:0 | _Decimal64 |
-| types.c:4:13:4:16 | d128 | file://:0:0:0:0 | _Decimal128 |

cpp/ql/test/library-tests/builtins/types/types.ql

@@ -1,5 +0,0 @@
-import cpp
-
-from Variable v, Type t
-where t = v.getType()
-select v, t

cpp/ql/test/library-tests/dataflow/ir-barrier-guards/test.cpp

@@ -4,6 +4,12 @@ void sink(int);
 
 void testCheckArgument(int* p) {
   if (checkArgument(p)) {
-    sink(*p); // $ barrier barrier=1
+    sink(*p); // $ indirect_barrier=int barrier=int*
+  }
+}
+
+void testCheckArgument(int p) {
+  if (checkArgument(&p)) {
+    sink(p); // $ barrier=glval<int> indirect_barrier=int
   }
 }

cpp/ql/test/library-tests/dataflow/ir-barrier-guards/test.ql

@@ -13,26 +13,33 @@ predicate instructionGuardChecks(IRGuardCondition gc, Instruction checked, boole
 
 module BarrierGuard = DataFlow::InstructionBarrierGuard<instructionGuardChecks/3>;
 
-predicate indirectBarrierGuard(DataFlow::Node node, int indirectionIndex) {
-  node = BarrierGuard::getAnIndirectBarrierNode(indirectionIndex)
+predicate indirectBarrierGuard(DataFlow::Node node, string s) {
+  node = BarrierGuard::getAnIndirectBarrierNode(_) and
+  if node.isGLValue()
+  then s = "glval<" + node.getType().toString().replaceAll(" ", "") + ">"
+  else s = node.getType().toString().replaceAll(" ", "")
 }
 
-predicate barrierGuard(DataFlow::Node node) { node = BarrierGuard::getABarrierNode() }
+predicate barrierGuard(DataFlow::Node node, string s) {
+  node = BarrierGuard::getABarrierNode() and
+  if node.isGLValue()
+  then s = "glval<" + node.getType().toString().replaceAll(" ", "") + ">"
+  else s = node.getType().toString().replaceAll(" ", "")
+}
 
 module Test implements TestSig {
-  string getARelevantTag() { result = "barrier" }
+  string getARelevantTag() { result = ["barrier", "indirect_barrier"] }
 
   predicate hasActualResult(Location location, string element, string tag, string value) {
-    exists(DataFlow::Node node |
-      barrierGuard(node) and
-      value = ""
+    exists(DataFlow::Node node, string s |
+      indirectBarrierGuard(node, s) and
+      value = s and
+      tag = "indirect_barrier"
       or
-      exists(int indirectionIndex |
-        indirectBarrierGuard(node, indirectionIndex) and
-        value = indirectionIndex.toString()
-      )
+      barrierGuard(node, s) and
+      value = s and
+      tag = "barrier"
     |
-      tag = "barrier" and
       element = node.toString() and
       location = node.getLocation()
     )

cpp/ql/test/library-tests/friends/loop/friends.expected

@@ -1,9 +1,14 @@
 | file://:0:0:0:0 | E<C>'s friend | loop.cpp:5:26:5:26 | E<D> |
+| file://:0:0:0:0 | E<C>'s friend | loop.cpp:5:26:5:26 | E<T> |
 | file://:0:0:0:0 | E<C>'s friend | loop.cpp:10:26:10:26 | F<D> |
+| file://:0:0:0:0 | E<C>'s friend | loop.cpp:10:26:10:26 | F<T> |
 | file://:0:0:0:0 | E<D>'s friend | loop.cpp:5:26:5:26 | E<C> |
+| file://:0:0:0:0 | E<D>'s friend | loop.cpp:5:26:5:26 | E<T> |
 | file://:0:0:0:0 | E<D>'s friend | loop.cpp:10:26:10:26 | F<D> |
+| file://:0:0:0:0 | E<D>'s friend | loop.cpp:10:26:10:26 | F<T> |
 | file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:26 | E<C> |
 | file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:26 | E<D> |
+| file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:26 | E<T> |
 | loop.cpp:6:5:6:5 | E<T>'s friend | loop.cpp:5:26:5:26 | E<T> |
 | loop.cpp:7:5:7:5 | E<T>'s friend | loop.cpp:7:36:7:36 | F<U> |
 | loop.cpp:11:5:11:5 | F<T>'s friend | loop.cpp:11:36:11:36 | E<U> |

cpp/ql/test/library-tests/ir/ir/PrintAST.expected

@@ -24309,7 +24309,7 @@ ir.cpp:
 # 2727|         getArrayBase(): [VariableAccess] x
 # 2727|             Type = [SpecifiedType] const WithBracketOperator
 # 2727|             ValueCategory = lvalue
-# 2727|         getArrayOffset(): [VariableAccess] i
+# 2727|         getArrayOffset(0): [VariableAccess] i
 # 2727|             Type = [IntType] int
 # 2727|             ValueCategory = prvalue(load)
 # 2727|       getExpr().getFullyConverted(): [ReferenceDereferenceExpr] (reference dereference)

cpp/ql/test/library-tests/literals/literals/literals.c

@@ -1,6 +1,4 @@
 
-double dd = 1.0d;
-double dD = 1.0D;
 double df = 1.0f;
 double dF = 1.0F;
 double di = 1.0i;

cpp/ql/test/library-tests/literals/literals/literals.expected

@@ -1,14 +1,12 @@
 | literals.c:2:13:2:16 | 1.0 |
 | literals.c:3:13:3:16 | 1.0 |
-| literals.c:4:13:4:16 | 1.0 |
-| literals.c:5:13:5:16 | 1.0 |
+| literals.c:4:13:4:16 | (0.0,1.0i) |
+| literals.c:5:13:5:16 | (0.0,1.0i) |
 | literals.c:6:13:6:16 | (0.0,1.0i) |
 | literals.c:7:13:7:16 | (0.0,1.0i) |
-| literals.c:8:13:8:16 | (0.0,1.0i) |
-| literals.c:9:13:9:16 | (0.0,1.0i) |
+| literals.c:8:13:8:16 | 1.0 |
+| literals.c:9:13:9:16 | 1.0 |
 | literals.c:10:13:10:16 | 1.0 |
 | literals.c:11:13:11:16 | 1.0 |
 | literals.c:12:13:12:16 | 1.0 |
 | literals.c:13:13:13:16 | 1.0 |
-| literals.c:14:13:14:16 | 1.0 |
-| literals.c:15:13:15:16 | 1.0 |

cpp/ql/test/library-tests/subscript_operator/PrintAST.expected

@@ -0,0 +1,69 @@
+#-----| [CopyAssignmentOperator] __va_list_tag& __va_list_tag::operator=(__va_list_tag const&)
+#-----|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const __va_list_tag &
+#-----| [MoveAssignmentOperator] __va_list_tag& __va_list_tag::operator=(__va_list_tag&&)
+#-----|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] __va_list_tag &&
+test.cpp:
+#    3| [CopyAssignmentOperator] S& S::operator=(S const&)
+#    3|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const S &
+#    3| [MoveAssignmentOperator] S& S::operator=(S&&)
+#    3|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] S &&
+#    5| [MemberFunction] int S::operator[](int, int)
+#    5|   <params>: 
+#    5|     getParameter(0): [Parameter] i
+#    5|         Type = [IntType] int
+#    5|     getParameter(1): [Parameter] j
+#    5|         Type = [IntType] int
+#    5|   getEntryPoint(): [BlockStmt] { ... }
+#    6|     getStmt(0): [ReturnStmt] return ...
+#    6|       getExpr(): [ArrayExpr] access to array
+#    6|           Type = [IntType] int
+#    6|           ValueCategory = prvalue(load)
+#    6|         getArrayBase(): [ArrayExpr] access to array
+#    6|             Type = [ArrayType] int[2]
+#    6|             ValueCategory = lvalue
+#    6|           getArrayBase(): [ImplicitThisFieldAccess,PointerFieldAccess] xs
+#    6|               Type = [ArrayType] int[2][2]
+#    6|               ValueCategory = lvalue
+#    6|             getQualifier(): [ThisExpr] this
+#    6|                 Type = [PointerType] S *
+#    6|                 ValueCategory = prvalue(load)
+#    6|           getArrayOffset(): [VariableAccess] i
+#    6|               Type = [IntType] int
+#    6|               ValueCategory = prvalue(load)
+#-----|           getArrayBase().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+#-----|               Type = [PointerType] int(*)[2]
+#-----|               ValueCategory = prvalue
+#    6|         getArrayOffset(): [VariableAccess] j
+#    6|             Type = [IntType] int
+#    6|             ValueCategory = prvalue(load)
+#    6|         getArrayBase().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+#    6|             Type = [IntPointerType] int *
+#    6|             ValueCategory = prvalue
+#   10| [TopLevelFunction] int foo(S)
+#   10|   <params>: 
+#   10|     getParameter(0): [Parameter] s
+#   10|         Type = [Struct] S
+#   10|   getEntryPoint(): [BlockStmt] { ... }
+#   11|     getStmt(0): [ReturnStmt] return ...
+#   11|       getExpr(): [OverloadedArrayExpr] call to operator[]
+#   11|           Type = [IntType] int
+#   11|           ValueCategory = prvalue
+#   11|         getArrayBase(): [VariableAccess] s
+#   11|             Type = [Struct] S
+#   11|             ValueCategory = lvalue
+#   11|         getArrayOffset(0): [Literal] 1
+#   11|             Type = [IntType] int
+#   11|             Value = [Literal] 1
+#   11|             ValueCategory = prvalue
+#   11|         getArrayOffset(1): [Literal] 2
+#   11|             Type = [IntType] int
+#   11|             Value = [Literal] 2
+#   11|             ValueCategory = prvalue

cpp/ql/test/library-tests/subscript_operator/PrintAST.qlref

@@ -0,0 +1 @@
+semmle/code/cpp/PrintAST.ql

cpp/ql/test/library-tests/subscript_operator/test.cpp

@@ -0,0 +1,12 @@
+// semmle-extractor-options: -std=c++23
+
+struct S {
+    int xs[2][2];
+    int operator[](int i, int j) {
+        return xs[i][j];
+    }
+};
+
+int foo(S s) {
+    return s[1, 2];
+}

cpp/ql/test/library-tests/templates/type_instantiations/types.expected

@@ -12,9 +12,6 @@
 | file://:0:0:0:0 | _Complex float |
 | file://:0:0:0:0 | _Complex long double |
 | file://:0:0:0:0 | _Complex std::float16_t |
-| file://:0:0:0:0 | _Decimal32 |
-| file://:0:0:0:0 | _Decimal64 |
-| file://:0:0:0:0 | _Decimal128 |
 | file://:0:0:0:0 | _Float16 |
 | file://:0:0:0:0 | _Float32 |
 | file://:0:0:0:0 | _Float32x |

cpp/ql/test/library-tests/type_sizes/type_sizes.expected

@@ -32,9 +32,6 @@
 | file://:0:0:0:0 | _Complex float | 8 |
 | file://:0:0:0:0 | _Complex long double | 32 |
 | file://:0:0:0:0 | _Complex std::float16_t | 4 |
-| file://:0:0:0:0 | _Decimal32 | 4 |
-| file://:0:0:0:0 | _Decimal64 | 8 |
-| file://:0:0:0:0 | _Decimal128 | 16 |
 | file://:0:0:0:0 | _Float16 | 2 |
 | file://:0:0:0:0 | _Float32 | 4 |
 | file://:0:0:0:0 | _Float32x | 8 |

cpp/ql/test/library-tests/unspecified_type/types/unspecified_type.expected

@@ -14,9 +14,6 @@
 | file://:0:0:0:0 | _Complex float | _Complex float |
 | file://:0:0:0:0 | _Complex long double | _Complex long double |
 | file://:0:0:0:0 | _Complex std::float16_t | _Complex std::float16_t |
-| file://:0:0:0:0 | _Decimal32 | _Decimal32 |
-| file://:0:0:0:0 | _Decimal64 | _Decimal64 |
-| file://:0:0:0:0 | _Decimal128 | _Decimal128 |
 | file://:0:0:0:0 | _Float16 | _Float16 |
 | file://:0:0:0:0 | _Float32 | _Float32 |
 | file://:0:0:0:0 | _Float32x | _Float32x |

cpp/ql/test/library-tests/variables/variables/types.expected

@@ -13,9 +13,6 @@
 | _Complex float | BinaryFloatingPointType, ComplexNumberType, GuardConditionImpl |  |  |  |  |
 | _Complex long double | BinaryFloatingPointType, ComplexNumberType, GuardConditionImpl |  |  |  |  |
 | _Complex std::float16_t | BinaryFloatingPointType, ComplexNumberType, GuardConditionImpl |  |  |  |  |
-| _Decimal32 | Decimal32Type, GuardConditionImpl |  |  |  |  |
-| _Decimal64 | Decimal64Type, GuardConditionImpl |  |  |  |  |
-| _Decimal128 | Decimal128Type, GuardConditionImpl |  |  |  |  |
 | _Float16 | BinaryFloatingPointType, GuardConditionImpl, RealNumberType |  |  |  |  |
 | _Float32 | BinaryFloatingPointType, GuardConditionImpl, RealNumberType |  |  |  |  |
 | _Float32x | BinaryFloatingPointType, GuardConditionImpl, RealNumberType |  |  |  |  |

csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.57
+
+No user-facing changes.
+
 ## 1.7.56
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.57.md

@@ -0,0 +1,3 @@
+## 1.7.57
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.56
+lastReleaseVersion: 1.7.57

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.57-dev
+version: 1.7.58-dev
 groups:
   - csharp
   - solorigate

csharp/ql/campaigns/Solorigate/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.57
+
+No user-facing changes.
+
 ## 1.7.56
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.57.md

@@ -0,0 +1,3 @@
+## 1.7.57
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.56
+lastReleaseVersion: 1.7.57

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.57-dev
+version: 1.7.58-dev
 groups:
   - csharp
   - solorigate

csharp/ql/lib/CHANGELOG.md

@@ -1,3 +1,22 @@
+## 5.4.5
+
+### Minor Analysis Improvements
+
+* When a code-scanning configuration specifies the `paths:` and/or `paths-ignore:` settings, these are now taken into account by the C# extractor's search for `.config`, `.props`, XML and project files.
+* Updated the generated .NET “models as data” runtime models to cover .NET 10.
+* C# 14: Support for *implicit* span conversions in the QL library.
+* Basic extractor support for .NET 10 is now available. Extraction is supported for .NET 10 projects in both traced mode and `build mode: none`. However, code that uses language features new to C# 14 is not yet fully supported for extraction and analysis.
+* Added autobuilder and `build-mode: none` support for `.slnx` solution files.
+* In `build mode: none`, .NET 10 is now used by default unless a specific .NET version is specified elsewhere.
+* Added implicit reads of `System.Collections.Generic.KeyValuePair.Value` at taint-tracking sinks and at inputs to additional taint steps. As a result, taint-tracking queries will now produce more results when a container is tainted.
+
+### Bug Fixes
+
+* Fixed two issues affecting build mode `none`:
+  * Corrected version sorting logic when detecting the newest .NET framework to use.
+  * Improved stability for .NET 10 compatibility.
+* Fixed an issue where compiler-generated files were not being extracted. The extractor now runs after compilation completes to ensure all generated files are properly analyzed.
+
 ## 5.4.4
 
 No user-facing changes.

csharp/ql/lib/change-notes/2025-12-03-implicit-map-value-reads.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added implicit reads of `System.Collections.Generic.KeyValuePair.Value` at taint-tracking sinks and at inputs to additional taint steps. As a result, taint-tracking queries will now produce more results when a container is tainted.

csharp/ql/lib/change-notes/2025-12-03-run-tracer-after-compilation.md

@@ -1,4 +0,0 @@
----
-category: fix
----
-* Fixed an issue where compiler-generated files were not being extracted. The extractor now runs after compilation completes to ensure all generated files are properly analyzed.

csharp/ql/lib/change-notes/2025-12-04-bmn-dotnet-fixes.md

@@ -1,6 +0,0 @@
----
-category: fix
----
-* Fixed two issues affecting build mode `none`:
-  * Corrected version sorting logic when detecting the newest .NET framework to use.
-  * Improved stability for .NET 10 compatibility.

csharp/ql/lib/change-notes/2025-12-09-bmn-default-dotnet.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* In `build mode: none`, .NET 10 is now used by default unless a specific .NET version is specified elsewhere.

csharp/ql/lib/change-notes/2025-12-11-net10-basic-support.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Basic extractor support for .NET 10 is now available. Extraction is supported for .NET 10 projects in both traced mode and `build mode: none`. However, code that uses language features new to C# 14 is not yet fully supported for extraction and analysis.

csharp/ql/lib/change-notes/2025-12-11-slnx-support.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added autobuilder and `build-mode: none` support for `.slnx` solution files.

csharp/ql/lib/change-notes/2025-12-18-implicit-span-conversions.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* C# 14: Support for *implicit* span conversions in the QL library.

csharp/ql/lib/change-notes/2026-01-05-net-runtime-models.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Updated the generated .NET “models as data” runtime models to cover .NET 10.