Merge pull request #15266 from github/felicitymay-publish-docs

Update supported-versions-compilers.rst on release candidate branch
Merge branch 'codeql-cli-2.16.0' into felicitymay-publish-docs
2026-05-18 13:17:08 +02:00 · 2024-01-12 14:58:32 +00:00 · 2024-01-12 14:58:12 +00:00 · 2024-01-12 13:55:54 +00:00 · 2024-01-12 12:34:13 +01:00 · 2024-01-12 11:20:00 +01:00
4581 changed files with 454408 additions and 90734 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -71,3 +71,6 @@ go/extractor/opencsv/CSVReader.java -text
 # `javascript/ql/experimental/adaptivethreatmodeling/test/update_endpoint_test_files.py`.
 javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/autogenerated/**/*.js linguist-generated=true -merge
 javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/autogenerated/**/*.ts linguist-generated=true -merge
+
+# Auto-generated modeling for Python
+python/ql/lib/semmle/python/frameworks/data/internal/subclass-capture/*.yml linguist-generated=true
--- a/.github/workflows/close-stale.yml
+++ b/.github/workflows/close-stale.yml
@@ -12,7 +12,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-    - uses: actions/stale@v8
+    - uses: actions/stale@v9
      with:
        repo-token: ${{ secrets.GITHUB_TOKEN }}
        stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `Stale` label in order to avoid having this issue closed in 7 days.'
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -28,9 +28,9 @@ jobs:

    steps:
    - name: Setup dotnet
-      uses: actions/setup-dotnet@v3
+      uses: actions/setup-dotnet@v4
      with:
-        dotnet-version: 7.0.102
+        dotnet-version: 8.0.100

    - name: Checkout repository
      uses: actions/checkout@v4
--- a/.github/workflows/csharp-qltest.yml
+++ b/.github/workflows/csharp-qltest.yml
@@ -72,15 +72,15 @@ jobs:
    steps:
      - uses: actions/checkout@v4
      - name: Setup dotnet
-        uses: actions/setup-dotnet@v3
+        uses: actions/setup-dotnet@v4
        with:
-          dotnet-version: 7.0.102
+          dotnet-version: 8.0.100
      - name: Extractor unit tests
        run: |
-          dotnet test -p:RuntimeFrameworkVersion=7.0.2 extractor/Semmle.Util.Tests
-          dotnet test -p:RuntimeFrameworkVersion=7.0.2 extractor/Semmle.Extraction.Tests
-          dotnet test -p:RuntimeFrameworkVersion=7.0.2 autobuilder/Semmle.Autobuild.CSharp.Tests
-          dotnet test -p:RuntimeFrameworkVersion=7.0.2 "${{ github.workspace }}/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests"
+          dotnet test -p:RuntimeFrameworkVersion=8.0.0 extractor/Semmle.Util.Tests
+          dotnet test -p:RuntimeFrameworkVersion=8.0.0 extractor/Semmle.Extraction.Tests
+          dotnet test -p:RuntimeFrameworkVersion=8.0.0 autobuilder/Semmle.Autobuild.CSharp.Tests
+          dotnet test -p:RuntimeFrameworkVersion=8.0.0 "${{ github.workspace }}/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests"
        shell: bash
  stubgentest:
    runs-on: ubuntu-latest
--- a/.github/workflows/go-tests-other-os.yml
+++ b/.github/workflows/go-tests-other-os.yml
@@ -15,7 +15,7 @@ jobs:
    runs-on: macos-latest
    steps:
      - name: Set up Go ${{ env.GO_VERSION }}
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
        id: go
@@ -50,7 +50,7 @@ jobs:
    runs-on: windows-latest-xl
    steps:
      - name: Set up Go ${{ env.GO_VERSION }}
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
        id: go
--- a/.github/workflows/go-tests.yml
+++ b/.github/workflows/go-tests.yml
@@ -23,7 +23,7 @@ jobs:
    runs-on: ubuntu-latest-xl
    steps:
      - name: Set up Go ${{ env.GO_VERSION }}
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
        id: go
--- a/3
+++ b/3
@@ -8,6 +8,8 @@
 /swift/ @github/codeql-swift
 /misc/codegen/ @github/codeql-swift
 /java/kotlin-extractor/ @github/codeql-kotlin
+/java/ql/test-kotlin1/ @github/codeql-kotlin
+/java/ql/test-kotlin2/ @github/codeql-kotlin

 # ML-powered queries
 /javascript/ql/experimental/adaptivethreatmodeling/ @github/codeql-ml-powered-queries-reviewers
@@ -42,3 +44,4 @@ WORKSPACE.bazel @github/codeql-ci-reviewers

 # Misc
 /misc/scripts/accept-expected-changes-from-ci.py @RasmusWL
+/misc/scripts/generate-code-scanning-query-list.py @RasmusWL
--- a/codeql-workspace.yml
+++ b/codeql-workspace.yml
@@ -1,7 +1,7 @@
 provide:
  - "*/ql/src/qlpack.yml"
  - "*/ql/lib/qlpack.yml"
-  - "*/ql/test/qlpack.yml"
+  - "*/ql/test*/qlpack.yml"
  - "*/ql/examples/qlpack.yml"
  - "*/ql/consistency-queries/qlpack.yml"
  - "*/ql/automodel/src/qlpack.yml"
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -53,14 +53,6 @@
    "ruby/ql/lib/codeql/ruby/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
    "swift/ql/lib/codeql/swift/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
  ],
-  "DataFlow Java/C#/Go/Ruby/Python/Swift Flow Summaries": [
-    "java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll",
-    "go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImpl.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/FlowSummaryImpl.qll",
-    "swift/ql/lib/codeql/swift/dataflow/internal/FlowSummaryImpl.qll"
-  ],
  "SsaReadPosition Java/C#": [
    "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
@@ -462,23 +454,6 @@
    "ruby/ql/lib/codeql/ruby/security/internal/SensitiveDataHeuristics.qll",
    "swift/ql/lib/codeql/swift/security/internal/SensitiveDataHeuristics.qll"
  ],
-  "TypeTracker": [
-    "python/ql/lib/semmle/python/dataflow/new/internal/TypeTracker.qll",
-    "ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll"
-  ],
-  "SummaryTypeTracker": [
-    "python/ql/lib/semmle/python/dataflow/new/internal/SummaryTypeTracker.qll",
-    "ruby/ql/lib/codeql/ruby/typetracking/internal/SummaryTypeTracker.qll"
-  ],
-  "AccessPathSyntax": [
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/AccessPathSyntax.qll",
-    "go/ql/lib/semmle/go/dataflow/internal/AccessPathSyntax.qll",
-    "java/ql/lib/semmle/code/java/dataflow/internal/AccessPathSyntax.qll",
-    "javascript/ql/lib/semmle/javascript/frameworks/data/internal/AccessPathSyntax.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/AccessPathSyntax.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/AccessPathSyntax.qll",
-    "swift/ql/lib/codeql/swift/dataflow/internal/AccessPathSyntax.qll"
-  ],
  "IncompleteUrlSubstringSanitization": [
    "javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qll",
    "ruby/ql/src/queries/security/cwe-020/IncompleteUrlSubstringSanitization.qll"
@@ -534,4 +509,4 @@
    "python/ql/test/experimental/dataflow/model-summaries/InlineTaintTest.ext.yml",
    "python/ql/test/experimental/dataflow/model-summaries/NormalDataflowTest.ext.yml"
  ]
-}
+}
--- a/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/BuildScripts.cs
+++ b/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/BuildScripts.cs
@@ -326,7 +326,7 @@ namespace Semmle.Autobuild.Cpp.Tests
        public void TestCppAutobuilderSuccess()
        {
            Actions.RunProcess[@"cmd.exe /C nuget restore C:\Project\test.sln -DisableParallelProcessing"] = 1;
-            Actions.RunProcess[@"cmd.exe /C C:\Project\.nuget\nuget.exe restore C:\Project\test.sln -DisableParallelProcessing"] = 0;
+            Actions.RunProcess[@"cmd.exe /C scratch\.nuget\nuget.exe restore C:\Project\test.sln -DisableParallelProcessing"] = 0;
            Actions.RunProcess[@"cmd.exe /C CALL ^""C:\Program^ Files^ ^(x86^)\Microsoft^ Visual^ Studio^ 14.0\VC\vcvarsall.bat^"" && set Platform=&& type NUL && msbuild C:\Project\test.sln /t:rebuild /p:Platform=""x86"" /p:Configuration=""Release"""] = 0;
            Actions.RunProcessOut[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = "";
            Actions.RunProcess[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = 1;
@@ -337,10 +337,11 @@ namespace Semmle.Autobuild.Cpp.Tests
            Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC\vcvarsall.bat"] = true;
            Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\vcvarsall.bat"] = true;
            Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe"] = true;
+            Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CPP_SCRATCH_DIR"] = "scratch";
            Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest.slx";
            Actions.EnumerateDirectories[@"C:\Project"] = "";
-            Actions.CreateDirectories.Add(@"C:\Project\.nuget");
-            Actions.DownloadFiles.Add(("https://dist.nuget.org/win-x86-commandline/latest/nuget.exe", @"C:\Project\.nuget\nuget.exe"));
+            Actions.CreateDirectories.Add(@"scratch\.nuget");
+            Actions.DownloadFiles.Add(("https://dist.nuget.org/win-x86-commandline/latest/nuget.exe", @"scratch\.nuget\nuget.exe"));

            var autobuilder = CreateAutoBuilder(true);
            var solution = new TestSolution(@"C:\Project\test.sln");
--- a/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/Semmle.Autobuild.Cpp.Tests.csproj
+++ b/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/Semmle.Autobuild.Cpp.Tests.csproj
@@ -2,7 +2,7 @@

  <PropertyGroup>
    <OutputType>Exe</OutputType>
-    <TargetFramework>net7.0</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
    <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
    <RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
    <Nullable>enable</Nullable>
@@ -11,12 +11,12 @@
  <ItemGroup>
    <PackageReference Include="System.IO.FileSystem" Version="4.3.0" />
    <PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0" />
-    <PackageReference Include="xunit" Version="2.4.2" />
-    <PackageReference Include="xunit.runner.visualstudio" Version="2.4.5">
+    <PackageReference Include="xunit" Version="2.6.2" />
+    <PackageReference Include="xunit.runner.visualstudio" Version="2.5.4">
      <PrivateAssets>all</PrivateAssets>
      <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
    </PackageReference>
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.4.0" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.8.0" />
  </ItemGroup>

  <ItemGroup>
--- a/cpp/autobuilder/Semmle.Autobuild.Cpp/Semmle.Autobuild.Cpp.csproj
+++ b/cpp/autobuilder/Semmle.Autobuild.Cpp/Semmle.Autobuild.Cpp.csproj
@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
-    <TargetFramework>net7.0</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
    <AssemblyName>Semmle.Autobuild.Cpp</AssemblyName>
    <RootNamespace>Semmle.Autobuild.Cpp</RootNamespace>
    <ApplicationIcon />
@@ -17,7 +17,7 @@
  </ItemGroup>

  <ItemGroup>
-    <PackageReference Include="Microsoft.Build" Version="17.3.2" />
+    <PackageReference Include="Microsoft.Build" Version="17.8.3" />
  </ItemGroup>

  <ItemGroup>
--- a/cpp/downgrades/0a9eb01d3650642e013eb86be45d952289537f91/old.dbscheme
+++ b/cpp/downgrades/0a9eb01d3650642e013eb86be45d952289537f91/old.dbscheme
--- a/cpp/downgrades/0a9eb01d3650642e013eb86be45d952289537f91/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/0a9eb01d3650642e013eb86be45d952289537f91/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/0a9eb01d3650642e013eb86be45d952289537f91/upgrade.properties
+++ b/cpp/downgrades/0a9eb01d3650642e013eb86be45d952289537f91/upgrade.properties
@@ -0,0 +1,3 @@
+description: Expose whether a function was prototyped or not
+compatibility: backwards
+function_prototyped.rel: delete
--- a/cpp/downgrades/7f34caf73ca98314885030cc5a22b6e328fe687c/functions.ql
+++ b/cpp/downgrades/7f34caf73ca98314885030cc5a22b6e328fe687c/functions.ql
@@ -0,0 +1,9 @@
+class Function extends @function {
+  string toString() { none() }
+}
+
+from Function fun, string name, int kind, int kind_new
+where
+  functions(fun, name, kind) and
+  if kind = 7 or kind = 8 then kind_new = 0 else kind_new = kind
+select fun, name, kind_new
--- a/cpp/downgrades/7f34caf73ca98314885030cc5a22b6e328fe687c/old.dbscheme
+++ b/cpp/downgrades/7f34caf73ca98314885030cc5a22b6e328fe687c/old.dbscheme
--- a/cpp/downgrades/7f34caf73ca98314885030cc5a22b6e328fe687c/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/7f34caf73ca98314885030cc5a22b6e328fe687c/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/7f34caf73ca98314885030cc5a22b6e328fe687c/upgrade.properties
+++ b/cpp/downgrades/7f34caf73ca98314885030cc5a22b6e328fe687c/upgrade.properties
@@ -0,0 +1,3 @@
+description: Support more function types
+compatibility: full
+functions.rel: run functions.qlo
--- a/cpp/downgrades/d8149ca90e695fe26f9a0c5a7fa0edd6d4ea3f5d/attribute_args.ql
+++ b/cpp/downgrades/d8149ca90e695fe26f9a0c5a7fa0edd6d4ea3f5d/attribute_args.ql
@@ -0,0 +1,17 @@
+class AttributeArg extends @attribute_arg {
+  string toString() { none() }
+}
+
+class Attribute extends @attribute {
+  string toString() { none() }
+}
+
+class Location extends @location_default {
+  string toString() { none() }
+}
+
+from AttributeArg arg, int kind, int kind_new, Attribute attr, int index, Location location
+where
+  attribute_args(arg, kind, attr, index, location) and
+  if arg instanceof @attribute_arg_expr then kind_new = 0 else kind_new = kind
+select arg, kind_new, attr, index, location
--- a/cpp/downgrades/d8149ca90e695fe26f9a0c5a7fa0edd6d4ea3f5d/old.dbscheme
+++ b/cpp/downgrades/d8149ca90e695fe26f9a0c5a7fa0edd6d4ea3f5d/old.dbscheme
--- a/cpp/downgrades/d8149ca90e695fe26f9a0c5a7fa0edd6d4ea3f5d/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/d8149ca90e695fe26f9a0c5a7fa0edd6d4ea3f5d/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/d8149ca90e695fe26f9a0c5a7fa0edd6d4ea3f5d/upgrade.properties
+++ b/cpp/downgrades/d8149ca90e695fe26f9a0c5a7fa0edd6d4ea3f5d/upgrade.properties
@@ -0,0 +1,4 @@
+description: Support expression attribute arguments
+compatibility: partial
+attribute_arg_expr.rel: delete
+attribute_args.rel: run attribute_args.qlo
--- a/cpp/downgrades/fc81eb5a3a7cdde8d9ad813da1e8f1e90dadbb91/old.dbscheme
+++ b/cpp/downgrades/fc81eb5a3a7cdde8d9ad813da1e8f1e90dadbb91/old.dbscheme
--- a/cpp/downgrades/fc81eb5a3a7cdde8d9ad813da1e8f1e90dadbb91/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/fc81eb5a3a7cdde8d9ad813da1e8f1e90dadbb91/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/fc81eb5a3a7cdde8d9ad813da1e8f1e90dadbb91/upgrade.properties
+++ b/cpp/downgrades/fc81eb5a3a7cdde8d9ad813da1e8f1e90dadbb91/upgrade.properties
@@ -0,0 +1,2 @@
+description: Revert removal of uniqueness constraint on link_targets/2
+compatibility: backwards
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,48 @@
+## 0.12.3
+
+### Deprecated APIs
+
+* The `isUserInput`, `userInputArgument`, and `userInputReturned` predicates from `SecurityOptions` have been deprecated. Use `FlowSource` instead.
+
+### New Features
+
+* `UserDefineLiteral` and `DeductionGuide` classes have been added, representing C++11 user defined literals and C++17 deduction guides.
+
+### Minor Analysis Improvements
+
+* Changed the output of `Node.toString` to better reflect how many indirections a given dataflow node has.
+* Added a new predicate `Node.asDefinition` on `DataFlow::Node`s for selecting the dataflow node corresponding to a particular definition.
+* The deprecated `DefaultTaintTracking` library has been removed.
+* The `Guards` library has been replaced with the API-compatible `IRGuards` implementation, which has better precision in some cases.
+
+### Bug Fixes
+
+* Under certain circumstances a function declaration that is not also a definition could be associated with a `Function` that did not have the definition as a `FunctionDeclarationEntry`. This is now fixed when only one definition exists, and a unique `Function` will exist that has both the declaration and the definition as a `FunctionDeclarationEntry`.
+
+## 0.12.2
+
+No user-facing changes.
+
+## 0.12.1
+
+### New Features
+
+* Added an `isPrototyped` predicate to `Function` that holds when the function has a prototype.
+
+## 0.12.0
+
+### Breaking Changes
+
+* The expressions `AssignPointerAddExpr` and `AssignPointerSubExpr` are no longer subtypes of `AssignBitwiseOperation`.
+
+### Minor Analysis Improvements
+
+* The "Returning stack-allocated memory" (`cpp/return-stack-allocated-memory`) query now also detects returning stack-allocated memory allocated by calls to `alloca`, `strdupa`, and `strndupa`.
+* Added models for `strlcpy` and `strlcat`.
+* Added models for the `sprintf` variants from the `StrSafe.h` header.
+* Added SQL API models for `ODBC`.
+* Added taint models for `realloc` and related functions.
+
 ## 0.11.0

 ### Breaking Changes
--- a/cpp/ql/lib/DefaultOptions.qll
+++ b/cpp/ql/lib/DefaultOptions.qll
@@ -52,17 +52,18 @@ class Options extends string {
  /**
   * Holds if a call to this function will never return.
   *
-   * By default, this holds for `exit`, `_exit`, `abort`, `__assert_fail`,
-   * `longjmp`, `__builtin_unreachable` and any function with a
-   * `noreturn` attribute or specifier.
+   * By default, this holds for `exit`, `_exit`, `_Exit`, `abort`,
+   * `__assert_fail`, `longjmp`, `__builtin_unreachable` and any
+   * function with a `noreturn` or `__noreturn__` attribute or
+   * `noreturn` specifier.
   */
  predicate exits(Function f) {
-    f.getAnAttribute().hasName("noreturn")
+    f.getAnAttribute().hasName(["noreturn", "__noreturn__"])
    or
    f.getASpecifier().hasName("noreturn")
    or
    f.hasGlobalOrStdName([
-        "exit", "_exit", "abort", "__assert_fail", "longjmp", "__builtin_unreachable"
+        "exit", "_exit", "_Exit", "abort", "__assert_fail", "longjmp", "__builtin_unreachable"
      ])
    or
    CustomOptions::exits(f) // old Options.qll
--- a/cpp/ql/lib/change-notes/2023-10-30-realloc-flow.md
+++ b/cpp/ql/lib/change-notes/2023-10-30-realloc-flow.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added taint models for `realloc` and related functions.
--- a/cpp/ql/lib/change-notes/2023-10-31-assign-pointer-add-sub-expr.md
+++ b/cpp/ql/lib/change-notes/2023-10-31-assign-pointer-add-sub-expr.md
@@ -1,4 +0,0 @@
---
-category: breaking
---
-* The expressions `AssignPointerAddExpr` and `AssignPointerSubExpr` are no longer subtypes of `AssignBitwiseOperation`.
--- a/cpp/ql/lib/change-notes/2023-11-08-strsafe-models.md
+++ b/cpp/ql/lib/change-notes/2023-11-08-strsafe-models.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added models for the `sprintf` variants from the `StrSafe.h` header.
--- a/cpp/ql/lib/change-notes/released/0.12.0.md
+++ b/cpp/ql/lib/change-notes/released/0.12.0.md
@@ -0,0 +1,13 @@
+## 0.12.0
+
+### Breaking Changes
+
+* The expressions `AssignPointerAddExpr` and `AssignPointerSubExpr` are no longer subtypes of `AssignBitwiseOperation`.
+
+### Minor Analysis Improvements
+
+* The "Returning stack-allocated memory" (`cpp/return-stack-allocated-memory`) query now also detects returning stack-allocated memory allocated by calls to `alloca`, `strdupa`, and `strndupa`.
+* Added models for `strlcpy` and `strlcat`.
+* Added models for the `sprintf` variants from the `StrSafe.h` header.
+* Added SQL API models for `ODBC`.
+* Added taint models for `realloc` and related functions.
--- a/cpp/ql/lib/change-notes/released/0.12.1.md
+++ b/cpp/ql/lib/change-notes/released/0.12.1.md
@@ -0,0 +1,5 @@
+## 0.12.1
+
+### New Features
+
+* Added an `isPrototyped` predicate to `Function` that holds when the function has a prototype.
--- a/cpp/ql/lib/change-notes/released/0.12.2.md
+++ b/cpp/ql/lib/change-notes/released/0.12.2.md
@@ -0,0 +1,3 @@
+## 0.12.2
+
+No user-facing changes.
--- a/cpp/ql/lib/change-notes/released/0.12.3.md
+++ b/cpp/ql/lib/change-notes/released/0.12.3.md
@@ -0,0 +1,20 @@
+## 0.12.3
+
+### Deprecated APIs
+
+* The `isUserInput`, `userInputArgument`, and `userInputReturned` predicates from `SecurityOptions` have been deprecated. Use `FlowSource` instead.
+
+### New Features
+
+* `UserDefineLiteral` and `DeductionGuide` classes have been added, representing C++11 user defined literals and C++17 deduction guides.
+
+### Minor Analysis Improvements
+
+* Changed the output of `Node.toString` to better reflect how many indirections a given dataflow node has.
+* Added a new predicate `Node.asDefinition` on `DataFlow::Node`s for selecting the dataflow node corresponding to a particular definition.
+* The deprecated `DefaultTaintTracking` library has been removed.
+* The `Guards` library has been replaced with the API-compatible `IRGuards` implementation, which has better precision in some cases.
+
+### Bug Fixes
+
+* Under certain circumstances a function declaration that is not also a definition could be associated with a `Function` that did not have the definition as a `FunctionDeclarationEntry`. This is now fixed when only one definition exists, and a unique `Function` will exist that has both the declaration and the definition as a `FunctionDeclarationEntry`.
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.11.0
+lastReleaseVersion: 0.12.3
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.11.1-dev
+version: 0.12.3
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/lib/semmle/code/cpp/Function.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Function.qll
@@ -112,6 +112,16 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
   */
  predicate isDeleted() { function_deleted(underlyingElement(this)) }

+  /**
+   * Holds if this function has a prototyped interface.
+   *
+   * Functions generally have a prototyped interface, unless they are
+   * K&R-style functions either without any forward function declaration,
+   * or with all the forward declarations omitting the parameters of the
+   * function.
+   */
+  predicate isPrototyped() { function_prototyped(underlyingElement(this)) }
+
  /**
   * Holds if this function is explicitly defaulted with the `= default`
   * specifier.
@@ -318,6 +328,7 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
  MetricFunction getMetrics() { result = this }

  /** Holds if this function calls the function `f`. */
+  pragma[nomagic]
  predicate calls(Function f) { this.calls(f, _) }

  /**
@@ -328,10 +339,6 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
    exists(FunctionCall call |
      call.getEnclosingFunction() = this and call.getTarget() = f and call = l
    )
-    or
-    exists(DestructorCall call |
-      call.getEnclosingFunction() = this and call.getTarget() = f and call = l
-    )
  }

  /** Holds if this function accesses a function or variable or enumerator `a`. */
@@ -875,3 +882,17 @@ class BuiltInFunction extends Function {
 }

 private predicate suppressUnusedThis(Function f) { any() }
+
+/**
+ * A C++ user-defined literal [N4140 13.5.8].
+ */
+class UserDefinedLiteral extends Function {
+  UserDefinedLiteral() { functions(underlyingElement(this), _, 7) }
+}
+
+/**
+ * A C++ deduction guide [N4659 17.9].
+ */
+class DeductionGuide extends Function {
+  DeductionGuide() { functions(underlyingElement(this), _, 8) }
+}
--- a/cpp/ql/lib/semmle/code/cpp/Specifier.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Specifier.qll
@@ -281,6 +281,11 @@ class AttributeArgument extends Element, @attribute_arg {
    attribute_arg_constant(underlyingElement(this), unresolveElement(result))
  }

+  /**
+   * Gets the value of this argument, if its value is an expression.
+   */
+  Expr getValueExpr() { attribute_arg_expr(underlyingElement(this), unresolveElement(result)) }
+
  /**
   * Gets the attribute to which this is an argument.
   */
@@ -308,7 +313,10 @@ class AttributeArgument extends Element, @attribute_arg {
          else
            if underlyingElement(this) instanceof @attribute_arg_constant_expr
            then tail = this.getValueConstant().toString()
-            else tail = this.getValueText()
+            else
+              if underlyingElement(this) instanceof @attribute_arg_expr
+              then tail = this.getValueExpr().toString()
+              else tail = this.getValueText()
        ) and
        result = prefix + tail
      )
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/Guards.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/Guards.qll
@@ -7,371 +7,7 @@ import cpp
 import semmle.code.cpp.controlflow.BasicBlocks
 import semmle.code.cpp.controlflow.SSA
 import semmle.code.cpp.controlflow.Dominance
-
-/**
- * A Boolean condition that guards one or more basic blocks. This includes
- * operands of logical operators but not switch statements.
- */
-class GuardCondition extends Expr {
-  GuardCondition() { is_condition(this) }
-
-  /**
-   * Holds if this condition controls `block`, meaning that `block` is only
-   * entered if the value of this condition is `testIsTrue`.
-   *
-   * Illustration:
-   *
-   * ```
-   * [                    (testIsTrue)                        ]
-   * [             this ----------------succ ---- controlled  ]
-   * [               |                    |                   ]
-   * [ (testIsFalse) |                     ------ ...         ]
-   * [             other                                      ]
-   * ```
-   *
-   * The predicate holds if all paths to `controlled` go via the `testIsTrue`
-   * edge of the control-flow graph. In other words, the `testIsTrue` edge
-   * must dominate `controlled`. This means that `controlled` must be
-   * dominated by both `this` and `succ` (the target of the `testIsTrue`
-   * edge). It also means that any other edge into `succ` must be a back-edge
-   * from a node which is dominated by `succ`.
-   *
-   * The short-circuit boolean operations have slightly surprising behavior
-   * here: because the operation itself only dominates one branch (due to
-   * being short-circuited) then it will only control blocks dominated by the
-   * true (for `&&`) or false (for `||`) branch.
-   */
-  cached
-  predicate controls(BasicBlock controlled, boolean testIsTrue) {
-    // This condition must determine the flow of control; that is, this
-    // node must be a top-level condition.
-    this.controlsBlock(controlled, testIsTrue)
-    or
-    exists(BinaryLogicalOperation binop, GuardCondition lhs, GuardCondition rhs |
-      this = binop and
-      lhs = binop.getLeftOperand() and
-      rhs = binop.getRightOperand() and
-      lhs.controls(controlled, testIsTrue) and
-      rhs.controls(controlled, testIsTrue)
-    )
-    or
-    exists(GuardCondition ne, GuardCondition operand |
-      this = operand and
-      operand = ne.(NotExpr).getOperand() and
-      ne.controls(controlled, testIsTrue.booleanNot())
-    )
-  }
-
-  /** Holds if (determined by this guard) `left < right + k` evaluates to `isLessThan` if this expression evaluates to `testIsTrue`. */
-  cached
-  predicate comparesLt(Expr left, Expr right, int k, boolean isLessThan, boolean testIsTrue) {
-    compares_lt(this, left, right, k, isLessThan, testIsTrue)
-  }
-
-  /**
-   * Holds if (determined by this guard) `left < right + k` must be `isLessThan` in `block`.
-   * If `isLessThan = false` then this implies `left >= right + k`.
-   */
-  cached
-  predicate ensuresLt(Expr left, Expr right, int k, BasicBlock block, boolean isLessThan) {
-    exists(boolean testIsTrue |
-      compares_lt(this, left, right, k, isLessThan, testIsTrue) and this.controls(block, testIsTrue)
-    )
-  }
-
-  /** Holds if (determined by this guard) `left == right + k` evaluates to `areEqual` if this expression evaluates to `testIsTrue`. */
-  cached
-  predicate comparesEq(Expr left, Expr right, int k, boolean areEqual, boolean testIsTrue) {
-    compares_eq(this, left, right, k, areEqual, testIsTrue)
-  }
-
-  /**
-   * Holds if (determined by this guard) `left == right + k` must be `areEqual` in `block`.
-   * If `areEqual = false` then this implies `left != right + k`.
-   */
-  cached
-  predicate ensuresEq(Expr left, Expr right, int k, BasicBlock block, boolean areEqual) {
-    exists(boolean testIsTrue |
-      compares_eq(this, left, right, k, areEqual, testIsTrue) and this.controls(block, testIsTrue)
-    )
-  }
-
-  /**
-   * Holds if this condition controls `block`, meaning that `block` is only
-   * entered if the value of this condition is `testIsTrue`. This helper
-   * predicate does not necessarily hold for binary logical operations like
-   * `&&` and `||`. See the detailed explanation on predicate `controls`.
-   */
-  private predicate controlsBlock(BasicBlock controlled, boolean testIsTrue) {
-    exists(BasicBlock thisblock | thisblock.contains(this) |
-      exists(BasicBlock succ |
-        testIsTrue = true and succ = this.getATrueSuccessor()
-        or
-        testIsTrue = false and succ = this.getAFalseSuccessor()
-      |
-        bbDominates(succ, controlled) and
-        forall(BasicBlock pred | pred.getASuccessor() = succ |
-          pred = thisblock or bbDominates(succ, pred) or not reachable(pred)
-        )
-      )
-    )
-  }
-}
-
-private predicate is_condition(Expr guard) {
-  guard.isCondition()
-  or
-  is_condition(guard.(BinaryLogicalOperation).getAnOperand())
-  or
-  exists(NotExpr cond | is_condition(cond) and cond.getOperand() = guard)
-}
-
-/*
- * Simplification of equality expressions:
- * Simplify conditions in the source to the canonical form l op r + k.
- */
-
-/**
- * Holds if `left == right + k` is `areEqual` given that test is `testIsTrue`.
- *
- * Beware making mistaken logical implications here relating `areEqual` and `testIsTrue`.
- */
-private predicate compares_eq(
-  Expr test, Expr left, Expr right, int k, boolean areEqual, boolean testIsTrue
-) {
-  /* The simple case where the test *is* the comparison so areEqual = testIsTrue xor eq. */
-  exists(boolean eq | simple_comparison_eq(test, left, right, k, eq) |
-    areEqual = true and testIsTrue = eq
-    or
-    areEqual = false and testIsTrue = eq.booleanNot()
-  )
-  or
-  logical_comparison_eq(test, left, right, k, areEqual, testIsTrue)
-  or
-  /* a == b + k => b == a - k */
-  exists(int mk | k = -mk | compares_eq(test, right, left, mk, areEqual, testIsTrue))
-  or
-  complex_eq(test, left, right, k, areEqual, testIsTrue)
-  or
-  /* (x is true => (left == right + k)) => (!x is false => (left == right + k)) */
-  exists(boolean isFalse | testIsTrue = isFalse.booleanNot() |
-    compares_eq(test.(NotExpr).getOperand(), left, right, k, areEqual, isFalse)
-  )
-}
-
-/**
- * If `test => part` and `part => left == right + k` then `test => left == right + k`.
- * Similarly for the case where `test` is false.
- */
-private predicate logical_comparison_eq(
-  BinaryLogicalOperation test, Expr left, Expr right, int k, boolean areEqual, boolean testIsTrue
-) {
-  exists(boolean partIsTrue, Expr part | test.impliesValue(part, partIsTrue, testIsTrue) |
-    compares_eq(part, left, right, k, areEqual, partIsTrue)
-  )
-}
-
-/** Rearrange various simple comparisons into `left == right + k` form. */
-private predicate simple_comparison_eq(
-  ComparisonOperation cmp, Expr left, Expr right, int k, boolean areEqual
-) {
-  left = cmp.getLeftOperand() and
-  cmp.getOperator() = "==" and
-  right = cmp.getRightOperand() and
-  k = 0 and
-  areEqual = true
-  or
-  left = cmp.getLeftOperand() and
-  cmp.getOperator() = "!=" and
-  right = cmp.getRightOperand() and
-  k = 0 and
-  areEqual = false
-}
-
-private predicate complex_eq(
-  ComparisonOperation cmp, Expr left, Expr right, int k, boolean areEqual, boolean testIsTrue
-) {
-  sub_eq(cmp, left, right, k, areEqual, testIsTrue)
-  or
-  add_eq(cmp, left, right, k, areEqual, testIsTrue)
-}
-
-// left - x == right + c => left == right + (c+x)
-// left == (right - x) + c => left == right + (c-x)
-private predicate sub_eq(
-  ComparisonOperation cmp, Expr left, Expr right, int k, boolean areEqual, boolean testIsTrue
-) {
-  exists(SubExpr lhs, int c, int x |
-    compares_eq(cmp, lhs, right, c, areEqual, testIsTrue) and
-    left = lhs.getLeftOperand() and
-    x = int_value(lhs.getRightOperand()) and
-    k = c + x
-  )
-  or
-  exists(SubExpr rhs, int c, int x |
-    compares_eq(cmp, left, rhs, c, areEqual, testIsTrue) and
-    right = rhs.getLeftOperand() and
-    x = int_value(rhs.getRightOperand()) and
-    k = c - x
-  )
-}
-
-// left + x == right + c => left == right + (c-x)
-// left == (right + x) + c => left == right + (c+x)
-private predicate add_eq(
-  ComparisonOperation cmp, Expr left, Expr right, int k, boolean areEqual, boolean testIsTrue
-) {
-  exists(AddExpr lhs, int c, int x |
-    compares_eq(cmp, lhs, right, c, areEqual, testIsTrue) and
-    (
-      left = lhs.getLeftOperand() and x = int_value(lhs.getRightOperand())
-      or
-      left = lhs.getRightOperand() and x = int_value(lhs.getLeftOperand())
-    ) and
-    k = c - x
-  )
-  or
-  exists(AddExpr rhs, int c, int x |
-    compares_eq(cmp, left, rhs, c, areEqual, testIsTrue) and
-    (
-      right = rhs.getLeftOperand() and x = int_value(rhs.getRightOperand())
-      or
-      right = rhs.getRightOperand() and x = int_value(rhs.getLeftOperand())
-    ) and
-    k = c + x
-  )
-}
-
-/*
- * Simplification of inequality expressions:
- * Simplify conditions in the source to the canonical form l < r + k.
- */
-
-/** Holds if `left < right + k` evaluates to `isLt` given that test is `testIsTrue`. */
-private predicate compares_lt(
-  Expr test, Expr left, Expr right, int k, boolean isLt, boolean testIsTrue
-) {
-  /* In the simple case, the test is the comparison, so isLt = testIsTrue */
-  simple_comparison_lt(test, left, right, k) and isLt = true and testIsTrue = true
-  or
-  simple_comparison_lt(test, left, right, k) and isLt = false and testIsTrue = false
-  or
-  logical_comparison_lt(test, left, right, k, isLt, testIsTrue)
-  or
-  complex_lt(test, left, right, k, isLt, testIsTrue)
-  or
-  /* (not (left < right + k)) => (left >= right + k) */
-  exists(boolean isGe | isLt = isGe.booleanNot() |
-    compares_ge(test, left, right, k, isGe, testIsTrue)
-  )
-  or
-  /* (x is true => (left < right + k)) => (!x is false => (left < right + k)) */
-  exists(boolean isFalse | testIsTrue = isFalse.booleanNot() |
-    compares_lt(test.(NotExpr).getOperand(), left, right, k, isLt, isFalse)
-  )
-}
-
-/** `(a < b + k) => (b > a - k) => (b >= a + (1-k))` */
-private predicate compares_ge(
-  Expr test, Expr left, Expr right, int k, boolean isGe, boolean testIsTrue
-) {
-  exists(int onemk | k = 1 - onemk | compares_lt(test, right, left, onemk, isGe, testIsTrue))
-}
-
-/**
- * If `test => part` and `part => left < right + k` then `test => left < right + k`.
- * Similarly for the case where `test` evaluates false.
- */
-private predicate logical_comparison_lt(
-  BinaryLogicalOperation test, Expr left, Expr right, int k, boolean isLt, boolean testIsTrue
-) {
-  exists(boolean partIsTrue, Expr part | test.impliesValue(part, partIsTrue, testIsTrue) |
-    compares_lt(part, left, right, k, isLt, partIsTrue)
-  )
-}
-
-/** Rearrange various simple comparisons into `left < right + k` form. */
-private predicate simple_comparison_lt(ComparisonOperation cmp, Expr left, Expr right, int k) {
-  left = cmp.getLeftOperand() and
-  cmp.getOperator() = "<" and
-  right = cmp.getRightOperand() and
-  k = 0
-  or
-  left = cmp.getLeftOperand() and
-  cmp.getOperator() = "<=" and
-  right = cmp.getRightOperand() and
-  k = 1
-  or
-  right = cmp.getLeftOperand() and
-  cmp.getOperator() = ">" and
-  left = cmp.getRightOperand() and
-  k = 0
-  or
-  right = cmp.getLeftOperand() and
-  cmp.getOperator() = ">=" and
-  left = cmp.getRightOperand() and
-  k = 1
-}
-
-private predicate complex_lt(
-  ComparisonOperation cmp, Expr left, Expr right, int k, boolean isLt, boolean testIsTrue
-) {
-  sub_lt(cmp, left, right, k, isLt, testIsTrue)
-  or
-  add_lt(cmp, left, right, k, isLt, testIsTrue)
-}
-
-// left - x < right + c => left < right + (c+x)
-// left < (right - x) + c => left < right + (c-x)
-private predicate sub_lt(
-  ComparisonOperation cmp, Expr left, Expr right, int k, boolean isLt, boolean testIsTrue
-) {
-  exists(SubExpr lhs, int c, int x |
-    compares_lt(cmp, lhs, right, c, isLt, testIsTrue) and
-    left = lhs.getLeftOperand() and
-    x = int_value(lhs.getRightOperand()) and
-    k = c + x
-  )
-  or
-  exists(SubExpr rhs, int c, int x |
-    compares_lt(cmp, left, rhs, c, isLt, testIsTrue) and
-    right = rhs.getLeftOperand() and
-    x = int_value(rhs.getRightOperand()) and
-    k = c - x
-  )
-}
-
-// left + x < right + c => left < right + (c-x)
-// left < (right + x) + c => left < right + (c+x)
-private predicate add_lt(
-  ComparisonOperation cmp, Expr left, Expr right, int k, boolean isLt, boolean testIsTrue
-) {
-  exists(AddExpr lhs, int c, int x |
-    compares_lt(cmp, lhs, right, c, isLt, testIsTrue) and
-    (
-      left = lhs.getLeftOperand() and x = int_value(lhs.getRightOperand())
-      or
-      left = lhs.getRightOperand() and x = int_value(lhs.getLeftOperand())
-    ) and
-    k = c - x
-  )
-  or
-  exists(AddExpr rhs, int c, int x |
-    compares_lt(cmp, left, rhs, c, isLt, testIsTrue) and
-    (
-      right = rhs.getLeftOperand() and x = int_value(rhs.getRightOperand())
-      or
-      right = rhs.getRightOperand() and x = int_value(rhs.getLeftOperand())
-    ) and
-    k = c + x
-  )
-}
-
-/** The `int` value of integer constant expression. */
-private int int_value(Expr e) {
-  e.getUnderlyingType() instanceof IntegralType and
-  result = e.getValue().toInt()
-}
+import IRGuards

 /** An `SsaDefinition` with an additional predicate `isLt`. */
 class GuardedSsa extends SsaDefinition {
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll
@@ -5,6 +5,8 @@

 import cpp
 import semmle.code.cpp.ir.IR
+private import semmle.code.cpp.ir.implementation.raw.internal.TranslatedExpr
+private import semmle.code.cpp.ir.implementation.raw.internal.InstructionTag

 /**
 * Holds if `block` consists of an `UnreachedInstruction`.
@@ -30,11 +32,6 @@ class GuardCondition extends Expr {
    or
    // no binary operators in the IR
    this.(BinaryLogicalOperation).getAnOperand() instanceof GuardCondition
-    or
-    // the IR short-circuits if(!x)
-    // don't produce a guard condition for `y = !x` and other non-short-circuited cases
-    not exists(Instruction inst | this.getFullyConverted() = inst.getAst()) and
-    exists(IRGuardCondition ir | this.(NotExpr).getOperand() = ir.getAst())
  }

  /**
@@ -140,39 +137,6 @@ private class GuardConditionFromBinaryLogicalOperator extends GuardCondition {
  }
 }

-/**
- * A `!` operator in the AST that guards one or more basic blocks, and does not have a corresponding
- * IR instruction.
- */
-private class GuardConditionFromShortCircuitNot extends GuardCondition, NotExpr {
-  GuardConditionFromShortCircuitNot() {
-    not exists(Instruction inst | this.getFullyConverted() = inst.getAst()) and
-    exists(IRGuardCondition ir | this.getOperand() = ir.getAst())
-  }
-
-  override predicate controls(BasicBlock controlled, boolean testIsTrue) {
-    this.getOperand().(GuardCondition).controls(controlled, testIsTrue.booleanNot())
-  }
-
-  override predicate comparesLt(Expr left, Expr right, int k, boolean isLessThan, boolean testIsTrue) {
-    this.getOperand()
-        .(GuardCondition)
-        .comparesLt(left, right, k, isLessThan, testIsTrue.booleanNot())
-  }
-
-  override predicate ensuresLt(Expr left, Expr right, int k, BasicBlock block, boolean isLessThan) {
-    this.getOperand().(GuardCondition).ensuresLt(left, right, k, block, isLessThan.booleanNot())
-  }
-
-  override predicate comparesEq(Expr left, Expr right, int k, boolean areEqual, boolean testIsTrue) {
-    this.getOperand().(GuardCondition).comparesEq(left, right, k, areEqual, testIsTrue.booleanNot())
-  }
-
-  override predicate ensuresEq(Expr left, Expr right, int k, BasicBlock block, boolean areEqual) {
-    this.getOperand().(GuardCondition).ensuresEq(left, right, k, block, areEqual.booleanNot())
-  }
-}
-
 /**
 * A Boolean condition in the AST that guards one or more basic blocks and has a corresponding IR
 * instruction.
@@ -239,12 +203,30 @@ private class GuardConditionFromIR extends GuardCondition {
   * `&&` and `||`. See the detailed explanation on predicate `controls`.
   */
  private predicate controlsBlock(BasicBlock controlled, boolean testIsTrue) {
-    exists(IRBlock irb |
+    exists(IRBlock irb, Instruction instr |
      ir.controls(irb, testIsTrue) and
-      irb.getAnInstruction().getAst().(ControlFlowNode).getBasicBlock() = controlled and
-      not isUnreachedBlock(irb)
+      instr = irb.getAnInstruction() and
+      instr.getAst().(ControlFlowNode).getBasicBlock() = controlled and
+      not isUnreachedBlock(irb) and
+      not this.excludeAsControlledInstruction(instr)
    )
  }
+
+  private predicate excludeAsControlledInstruction(Instruction instr) {
+    // Exclude the temporaries generated by a ternary expression.
+    exists(TranslatedConditionalExpr tce |
+      instr = tce.getInstruction(ConditionValueFalseStoreTag())
+      or
+      instr = tce.getInstruction(ConditionValueTrueStoreTag())
+      or
+      instr = tce.getInstruction(ConditionValueTrueTempAddressTag())
+      or
+      instr = tce.getInstruction(ConditionValueFalseTempAddressTag())
+    )
+    or
+    // Exclude unreached instructions, as their AST is the whole function and not a block.
+    instr instanceof UnreachedInstruction
+  }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/internal/ConstantExprs.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/internal/ConstantExprs.qll
@@ -110,8 +110,8 @@ private predicate loopConditionAlwaysUponEntry(ControlFlowNode loop, Expr condit
 * should be in this relation.
 */
 pragma[noinline]
-private predicate isFunction(Element el) {
-  el instanceof Function
+private predicate isFunction(@element el) {
+  el instanceof @function
  or
  el.(Expr).getParent() = el
 }
@@ -122,7 +122,7 @@ private predicate isFunction(Element el) {
 */
 pragma[noopt]
 private predicate callHasNoTarget(@funbindexpr fc) {
-  exists(Function f |
+  exists(@function f |
    funbind(fc, f) and
    not isFunction(f)
  )
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll
@@ -10,10 +10,12 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit

 /**
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *
 * A configuration of interprocedural data flow analysis. This defines
 * sources, sinks, and any other configurable aspect of the analysis. Each
 * use of the global data flow library must define its own unique extension
@@ -48,7 +50,7 @@ private import codeql.util.Unit
 * should instead depend on a `DataFlow2::Configuration`, a
 * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`.
 */
-abstract class Configuration extends string {
+abstract deprecated class Configuration extends string {
  bindingset[this]
  Configuration() { any() }

@@ -189,7 +191,7 @@ abstract class Configuration extends string {
 * Good performance cannot be guaranteed in the presence of such recursion, so
 * it should be replaced by using more than one copy of the data flow library.
 */
-abstract private class ConfigurationRecursionPrevention extends Configuration {
+abstract deprecated private class ConfigurationRecursionPrevention extends Configuration {
  bindingset[this]
  ConfigurationRecursionPrevention() { any() }

@@ -210,7 +212,7 @@ abstract private class ConfigurationRecursionPrevention extends Configuration {
  }
 }

-private FlowState relevantState(Configuration config) {
+deprecated private FlowState relevantState(Configuration config) {
  config.isSource(_, result) or
  config.isSink(_, result) or
  config.isBarrier(_, result) or
@@ -219,17 +221,17 @@ private FlowState relevantState(Configuration config) {
 }

 private newtype TConfigState =
-  TMkConfigState(Configuration config, FlowState state) {
+  deprecated TMkConfigState(Configuration config, FlowState state) {
    state = relevantState(config) or state instanceof FlowStateEmpty
  }

-private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
+deprecated private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }

-private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
+deprecated private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }

-private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
+deprecated private predicate singleConfiguration() { 1 = strictcount(Configuration c) }

-private module Config implements FullStateConfigSig {
+deprecated private module Config implements FullStateConfigSig {
  class FlowState = TConfigState;

  predicate isSource(Node source, FlowState state) {
@@ -296,13 +298,13 @@ private module Config implements FullStateConfigSig {
  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }

-private import Impl<Config> as I
+deprecated private import Impl<Config> as I

 /**
 * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
 * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
 */
-class PathNode instanceof I::PathNode {
+deprecated class PathNode instanceof I::PathNode {
  /** Gets a textual representation of this element. */
  final string toString() { result = super.toString() }

@@ -329,10 +331,10 @@ class PathNode instanceof I::PathNode {
  final Node getNode() { result = super.getNode() }

  /** Gets the `FlowState` of this node. */
-  final FlowState getState() { result = getState(super.getState()) }
+  deprecated final FlowState getState() { result = getState(super.getState()) }

  /** Gets the associated configuration. */
-  final Configuration getConfiguration() { result = getConfig(super.getState()) }
+  deprecated final Configuration getConfiguration() { result = getConfig(super.getState()) }

  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() { result = super.getASuccessor() }
@@ -347,9 +349,9 @@ class PathNode instanceof I::PathNode {
  final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }

-module PathGraph = I::PathGraph;
+deprecated module PathGraph = I::PathGraph;

-private predicate hasFlow(Node source, Node sink, Configuration config) {
+deprecated private predicate hasFlow(Node source, Node sink, Configuration config) {
  exists(PathNode source0, PathNode sink0 |
    hasFlowPath(source0, sink0, config) and
    source0.getNode() = source and
@@ -357,10 +359,10 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
  )
 }

-private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
+deprecated private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
  I::flowPath(source, sink) and source.getConfiguration() = config
 }

-private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
+deprecated private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

-predicate flowsTo = hasFlow/3;
+deprecated predicate flowsTo = hasFlow/3;
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -10,10 +10,12 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit

 /**
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *
 * A configuration of interprocedural data flow analysis. This defines
 * sources, sinks, and any other configurable aspect of the analysis. Each
 * use of the global data flow library must define its own unique extension
@@ -48,7 +50,7 @@ private import codeql.util.Unit
 * should instead depend on a `DataFlow2::Configuration`, a
 * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`.
 */
-abstract class Configuration extends string {
+abstract deprecated class Configuration extends string {
  bindingset[this]
  Configuration() { any() }

@@ -189,7 +191,7 @@ abstract class Configuration extends string {
 * Good performance cannot be guaranteed in the presence of such recursion, so
 * it should be replaced by using more than one copy of the data flow library.
 */
-abstract private class ConfigurationRecursionPrevention extends Configuration {
+abstract deprecated private class ConfigurationRecursionPrevention extends Configuration {
  bindingset[this]
  ConfigurationRecursionPrevention() { any() }

@@ -210,7 +212,7 @@ abstract private class ConfigurationRecursionPrevention extends Configuration {
  }
 }

-private FlowState relevantState(Configuration config) {
+deprecated private FlowState relevantState(Configuration config) {
  config.isSource(_, result) or
  config.isSink(_, result) or
  config.isBarrier(_, result) or
@@ -219,17 +221,17 @@ private FlowState relevantState(Configuration config) {
 }

 private newtype TConfigState =
-  TMkConfigState(Configuration config, FlowState state) {
+  deprecated TMkConfigState(Configuration config, FlowState state) {
    state = relevantState(config) or state instanceof FlowStateEmpty
  }

-private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
+deprecated private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }

-private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
+deprecated private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }

-private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
+deprecated private predicate singleConfiguration() { 1 = strictcount(Configuration c) }

-private module Config implements FullStateConfigSig {
+deprecated private module Config implements FullStateConfigSig {
  class FlowState = TConfigState;

  predicate isSource(Node source, FlowState state) {
@@ -296,13 +298,13 @@ private module Config implements FullStateConfigSig {
  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }

-private import Impl<Config> as I
+deprecated private import Impl<Config> as I

 /**
 * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
 * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
 */
-class PathNode instanceof I::PathNode {
+deprecated class PathNode instanceof I::PathNode {
  /** Gets a textual representation of this element. */
  final string toString() { result = super.toString() }

@@ -329,10 +331,10 @@ class PathNode instanceof I::PathNode {
  final Node getNode() { result = super.getNode() }

  /** Gets the `FlowState` of this node. */
-  final FlowState getState() { result = getState(super.getState()) }
+  deprecated final FlowState getState() { result = getState(super.getState()) }

  /** Gets the associated configuration. */
-  final Configuration getConfiguration() { result = getConfig(super.getState()) }
+  deprecated final Configuration getConfiguration() { result = getConfig(super.getState()) }

  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() { result = super.getASuccessor() }
@@ -347,9 +349,9 @@ class PathNode instanceof I::PathNode {
  final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }

-module PathGraph = I::PathGraph;
+deprecated module PathGraph = I::PathGraph;

-private predicate hasFlow(Node source, Node sink, Configuration config) {
+deprecated private predicate hasFlow(Node source, Node sink, Configuration config) {
  exists(PathNode source0, PathNode sink0 |
    hasFlowPath(source0, sink0, config) and
    source0.getNode() = source and
@@ -357,10 +359,10 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
  )
 }

-private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
+deprecated private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
  I::flowPath(source, sink) and source.getConfiguration() = config
 }

-private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
+deprecated private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

-predicate flowsTo = hasFlow/3;
+deprecated predicate flowsTo = hasFlow/3;
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -10,10 +10,12 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit

 /**
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *
 * A configuration of interprocedural data flow analysis. This defines
 * sources, sinks, and any other configurable aspect of the analysis. Each
 * use of the global data flow library must define its own unique extension
@@ -48,7 +50,7 @@ private import codeql.util.Unit
 * should instead depend on a `DataFlow2::Configuration`, a
 * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`.
 */
-abstract class Configuration extends string {
+abstract deprecated class Configuration extends string {
  bindingset[this]
  Configuration() { any() }

@@ -189,7 +191,7 @@ abstract class Configuration extends string {
 * Good performance cannot be guaranteed in the presence of such recursion, so
 * it should be replaced by using more than one copy of the data flow library.
 */
-abstract private class ConfigurationRecursionPrevention extends Configuration {
+abstract deprecated private class ConfigurationRecursionPrevention extends Configuration {
  bindingset[this]
  ConfigurationRecursionPrevention() { any() }

@@ -210,7 +212,7 @@ abstract private class ConfigurationRecursionPrevention extends Configuration {
  }
 }

-private FlowState relevantState(Configuration config) {
+deprecated private FlowState relevantState(Configuration config) {
  config.isSource(_, result) or
  config.isSink(_, result) or
  config.isBarrier(_, result) or
@@ -219,17 +221,17 @@ private FlowState relevantState(Configuration config) {
 }

 private newtype TConfigState =
-  TMkConfigState(Configuration config, FlowState state) {
+  deprecated TMkConfigState(Configuration config, FlowState state) {
    state = relevantState(config) or state instanceof FlowStateEmpty
  }

-private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
+deprecated private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }

-private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
+deprecated private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }

-private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
+deprecated private predicate singleConfiguration() { 1 = strictcount(Configuration c) }

-private module Config implements FullStateConfigSig {
+deprecated private module Config implements FullStateConfigSig {
  class FlowState = TConfigState;

  predicate isSource(Node source, FlowState state) {
@@ -296,13 +298,13 @@ private module Config implements FullStateConfigSig {
  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }

-private import Impl<Config> as I
+deprecated private import Impl<Config> as I

 /**
 * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
 * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
 */
-class PathNode instanceof I::PathNode {
+deprecated class PathNode instanceof I::PathNode {
  /** Gets a textual representation of this element. */
  final string toString() { result = super.toString() }

@@ -329,10 +331,10 @@ class PathNode instanceof I::PathNode {
  final Node getNode() { result = super.getNode() }

  /** Gets the `FlowState` of this node. */
-  final FlowState getState() { result = getState(super.getState()) }
+  deprecated final FlowState getState() { result = getState(super.getState()) }

  /** Gets the associated configuration. */
-  final Configuration getConfiguration() { result = getConfig(super.getState()) }
+  deprecated final Configuration getConfiguration() { result = getConfig(super.getState()) }

  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() { result = super.getASuccessor() }
@@ -347,9 +349,9 @@ class PathNode instanceof I::PathNode {
  final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }

-module PathGraph = I::PathGraph;
+deprecated module PathGraph = I::PathGraph;

-private predicate hasFlow(Node source, Node sink, Configuration config) {
+deprecated private predicate hasFlow(Node source, Node sink, Configuration config) {
  exists(PathNode source0, PathNode sink0 |
    hasFlowPath(source0, sink0, config) and
    source0.getNode() = source and
@@ -357,10 +359,10 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
  )
 }

-private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
+deprecated private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
  I::flowPath(source, sink) and source.getConfiguration() = config
 }

-private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
+deprecated private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

-predicate flowsTo = hasFlow/3;
+deprecated predicate flowsTo = hasFlow/3;
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -10,10 +10,12 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit

 /**
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *
 * A configuration of interprocedural data flow analysis. This defines
 * sources, sinks, and any other configurable aspect of the analysis. Each
 * use of the global data flow library must define its own unique extension
@@ -48,7 +50,7 @@ private import codeql.util.Unit
 * should instead depend on a `DataFlow2::Configuration`, a
 * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`.
 */
-abstract class Configuration extends string {
+abstract deprecated class Configuration extends string {
  bindingset[this]
  Configuration() { any() }

@@ -189,7 +191,7 @@ abstract class Configuration extends string {
 * Good performance cannot be guaranteed in the presence of such recursion, so
 * it should be replaced by using more than one copy of the data flow library.
 */
-abstract private class ConfigurationRecursionPrevention extends Configuration {
+abstract deprecated private class ConfigurationRecursionPrevention extends Configuration {
  bindingset[this]
  ConfigurationRecursionPrevention() { any() }

@@ -210,7 +212,7 @@ abstract private class ConfigurationRecursionPrevention extends Configuration {
  }
 }

-private FlowState relevantState(Configuration config) {
+deprecated private FlowState relevantState(Configuration config) {
  config.isSource(_, result) or
  config.isSink(_, result) or
  config.isBarrier(_, result) or
@@ -219,17 +221,17 @@ private FlowState relevantState(Configuration config) {
 }

 private newtype TConfigState =
-  TMkConfigState(Configuration config, FlowState state) {
+  deprecated TMkConfigState(Configuration config, FlowState state) {
    state = relevantState(config) or state instanceof FlowStateEmpty
  }

-private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
+deprecated private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }

-private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
+deprecated private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }

-private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
+deprecated private predicate singleConfiguration() { 1 = strictcount(Configuration c) }

-private module Config implements FullStateConfigSig {
+deprecated private module Config implements FullStateConfigSig {
  class FlowState = TConfigState;

  predicate isSource(Node source, FlowState state) {
@@ -296,13 +298,13 @@ private module Config implements FullStateConfigSig {
  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }

-private import Impl<Config> as I
+deprecated private import Impl<Config> as I

 /**
 * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
 * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
 */
-class PathNode instanceof I::PathNode {
+deprecated class PathNode instanceof I::PathNode {
  /** Gets a textual representation of this element. */
  final string toString() { result = super.toString() }

@@ -329,10 +331,10 @@ class PathNode instanceof I::PathNode {
  final Node getNode() { result = super.getNode() }

  /** Gets the `FlowState` of this node. */
-  final FlowState getState() { result = getState(super.getState()) }
+  deprecated final FlowState getState() { result = getState(super.getState()) }

  /** Gets the associated configuration. */
-  final Configuration getConfiguration() { result = getConfig(super.getState()) }
+  deprecated final Configuration getConfiguration() { result = getConfig(super.getState()) }

  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() { result = super.getASuccessor() }
@@ -347,9 +349,9 @@ class PathNode instanceof I::PathNode {
  final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }

-module PathGraph = I::PathGraph;
+deprecated module PathGraph = I::PathGraph;

-private predicate hasFlow(Node source, Node sink, Configuration config) {
+deprecated private predicate hasFlow(Node source, Node sink, Configuration config) {
  exists(PathNode source0, PathNode sink0 |
    hasFlowPath(source0, sink0, config) and
    source0.getNode() = source and
@@ -357,10 +359,10 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
  )
 }

-private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
+deprecated private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
  I::flowPath(source, sink) and source.getConfiguration() = config
 }

-private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
+deprecated private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

-predicate flowsTo = hasFlow/3;
+deprecated predicate flowsTo = hasFlow/3;
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -10,10 +10,12 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit

 /**
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *
 * A configuration of interprocedural data flow analysis. This defines
 * sources, sinks, and any other configurable aspect of the analysis. Each
 * use of the global data flow library must define its own unique extension
@@ -48,7 +50,7 @@ private import codeql.util.Unit
 * should instead depend on a `DataFlow2::Configuration`, a
 * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`.
 */
-abstract class Configuration extends string {
+abstract deprecated class Configuration extends string {
  bindingset[this]
  Configuration() { any() }

@@ -189,7 +191,7 @@ abstract class Configuration extends string {
 * Good performance cannot be guaranteed in the presence of such recursion, so
 * it should be replaced by using more than one copy of the data flow library.
 */
-abstract private class ConfigurationRecursionPrevention extends Configuration {
+abstract deprecated private class ConfigurationRecursionPrevention extends Configuration {
  bindingset[this]
  ConfigurationRecursionPrevention() { any() }

@@ -210,7 +212,7 @@ abstract private class ConfigurationRecursionPrevention extends Configuration {
  }
 }

-private FlowState relevantState(Configuration config) {
+deprecated private FlowState relevantState(Configuration config) {
  config.isSource(_, result) or
  config.isSink(_, result) or
  config.isBarrier(_, result) or
@@ -219,17 +221,17 @@ private FlowState relevantState(Configuration config) {
 }

 private newtype TConfigState =
-  TMkConfigState(Configuration config, FlowState state) {
+  deprecated TMkConfigState(Configuration config, FlowState state) {
    state = relevantState(config) or state instanceof FlowStateEmpty
  }

-private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
+deprecated private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }

-private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
+deprecated private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }

-private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
+deprecated private predicate singleConfiguration() { 1 = strictcount(Configuration c) }

-private module Config implements FullStateConfigSig {
+deprecated private module Config implements FullStateConfigSig {
  class FlowState = TConfigState;

  predicate isSource(Node source, FlowState state) {
@@ -296,13 +298,13 @@ private module Config implements FullStateConfigSig {
  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }

-private import Impl<Config> as I
+deprecated private import Impl<Config> as I

 /**
 * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
 * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
 */
-class PathNode instanceof I::PathNode {
+deprecated class PathNode instanceof I::PathNode {
  /** Gets a textual representation of this element. */
  final string toString() { result = super.toString() }

@@ -329,10 +331,10 @@ class PathNode instanceof I::PathNode {
  final Node getNode() { result = super.getNode() }

  /** Gets the `FlowState` of this node. */
-  final FlowState getState() { result = getState(super.getState()) }
+  deprecated final FlowState getState() { result = getState(super.getState()) }

  /** Gets the associated configuration. */
-  final Configuration getConfiguration() { result = getConfig(super.getState()) }
+  deprecated final Configuration getConfiguration() { result = getConfig(super.getState()) }

  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() { result = super.getASuccessor() }
@@ -347,9 +349,9 @@ class PathNode instanceof I::PathNode {
  final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }

-module PathGraph = I::PathGraph;
+deprecated module PathGraph = I::PathGraph;

-private predicate hasFlow(Node source, Node sink, Configuration config) {
+deprecated private predicate hasFlow(Node source, Node sink, Configuration config) {
  exists(PathNode source0, PathNode sink0 |
    hasFlowPath(source0, sink0, config) and
    source0.getNode() = source and
@@ -357,10 +359,10 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
  )
 }

-private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
+deprecated private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
  I::flowPath(source, sink) and source.getConfiguration() = config
 }

-private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
+deprecated private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

-predicate flowsTo = hasFlow/3;
+deprecated predicate flowsTo = hasFlow/3;
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
@@ -1,4 +1,6 @@
 /**
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *
 * Provides an implementation of global (interprocedural) taint tracking.
 * This file re-exports the local (intraprocedural) taint-tracking analysis
 * from `TaintTrackingParameter::Public` and adds a global analysis, mainly
@@ -12,6 +14,8 @@ import TaintTrackingParameter::Public
 private import TaintTrackingParameter::Private

 /**
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *
 * A configuration of interprocedural taint tracking analysis. This defines
 * sources, sinks, and any other configurable aspect of the analysis. Each
 * use of the taint tracking library must define its own unique extension of
@@ -51,7 +55,7 @@ private import TaintTrackingParameter::Private
 * Instead, the dependency should go to a `TaintTracking2::Configuration` or a
 * `DataFlow2::Configuration`, `DataFlow3::Configuration`, etc.
 */
-abstract class Configuration extends DataFlow::Configuration {
+abstract deprecated class Configuration extends DataFlow::Configuration {
  bindingset[this]
  Configuration() { any() }

--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
@@ -1,4 +1,6 @@
 /**
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *
 * Provides an implementation of global (interprocedural) taint tracking.
 * This file re-exports the local (intraprocedural) taint-tracking analysis
 * from `TaintTrackingParameter::Public` and adds a global analysis, mainly
@@ -12,6 +14,8 @@ import TaintTrackingParameter::Public
 private import TaintTrackingParameter::Private

 /**
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *
 * A configuration of interprocedural taint tracking analysis. This defines
 * sources, sinks, and any other configurable aspect of the analysis. Each
 * use of the taint tracking library must define its own unique extension of
@@ -51,7 +55,7 @@ private import TaintTrackingParameter::Private
 * Instead, the dependency should go to a `TaintTracking2::Configuration` or a
 * `DataFlow2::Configuration`, `DataFlow3::Configuration`, etc.
 */
-abstract class Configuration extends DataFlow::Configuration {
+abstract deprecated class Configuration extends DataFlow::Configuration {
  bindingset[this]
  Configuration() { any() }

--- a/cpp/ql/lib/semmle/code/cpp/internal/ResolveGlobalVariable.qll
+++ b/cpp/ql/lib/semmle/code/cpp/internal/ResolveGlobalVariable.qll
@@ -24,8 +24,8 @@ private predicate isGlobalWithMangledNameAndWithoutDefinition(@mangledname name,
 * a unique global variable `complete` with the same name that does have a definition.
 */
 private predicate hasTwinWithDefinition(@globalvariable incomplete, @globalvariable complete) {
+  not variable_instantiation(incomplete, complete) and
  exists(@mangledname name |
-    not variable_instantiation(incomplete, complete) and
    isGlobalWithMangledNameAndWithoutDefinition(name, incomplete) and
    isGlobalWithMangledNameAndWithDefinition(name, complete)
  )
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
@@ -1,21 +0,0 @@
-/**
- * DEPRECATED: Use `semmle.code.cpp.ir.dataflow.TaintTracking` as a replacement.
- *
- * An IR taint tracking library that uses an IR DataFlow configuration to track
- * taint from user inputs as defined by `semmle.code.cpp.security.Security`.
- */
-
-import cpp
-import semmle.code.cpp.security.Security
-private import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl as DefaultTaintTrackingImpl
-
-deprecated predicate predictableOnlyFlow = DefaultTaintTrackingImpl::predictableOnlyFlow/1;
-
-deprecated predicate tainted = DefaultTaintTrackingImpl::tainted/2;
-
-deprecated predicate taintedIncludingGlobalVars =
-  DefaultTaintTrackingImpl::taintedIncludingGlobalVars/3;
-
-deprecated predicate globalVarFromId = DefaultTaintTrackingImpl::globalVarFromId/1;
-
-deprecated module TaintedWithPath = DefaultTaintTrackingImpl::TaintedWithPath;
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll
@@ -10,10 +10,12 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit

 /**
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *
 * A configuration of interprocedural data flow analysis. This defines
 * sources, sinks, and any other configurable aspect of the analysis. Each
 * use of the global data flow library must define its own unique extension
@@ -48,7 +50,7 @@ private import codeql.util.Unit
 * should instead depend on a `DataFlow2::Configuration`, a
 * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`.
 */
-abstract class Configuration extends string {
+abstract deprecated class Configuration extends string {
  bindingset[this]
  Configuration() { any() }

@@ -189,7 +191,7 @@ abstract class Configuration extends string {
 * Good performance cannot be guaranteed in the presence of such recursion, so
 * it should be replaced by using more than one copy of the data flow library.
 */
-abstract private class ConfigurationRecursionPrevention extends Configuration {
+abstract deprecated private class ConfigurationRecursionPrevention extends Configuration {
  bindingset[this]
  ConfigurationRecursionPrevention() { any() }

@@ -210,7 +212,7 @@ abstract private class ConfigurationRecursionPrevention extends Configuration {
  }
 }

-private FlowState relevantState(Configuration config) {
+deprecated private FlowState relevantState(Configuration config) {
  config.isSource(_, result) or
  config.isSink(_, result) or
  config.isBarrier(_, result) or
@@ -219,17 +221,17 @@ private FlowState relevantState(Configuration config) {
 }

 private newtype TConfigState =
-  TMkConfigState(Configuration config, FlowState state) {
+  deprecated TMkConfigState(Configuration config, FlowState state) {
    state = relevantState(config) or state instanceof FlowStateEmpty
  }

-private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
+deprecated private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }

-private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
+deprecated private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }

-private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
+deprecated private predicate singleConfiguration() { 1 = strictcount(Configuration c) }

-private module Config implements FullStateConfigSig {
+deprecated private module Config implements FullStateConfigSig {
  class FlowState = TConfigState;

  predicate isSource(Node source, FlowState state) {
@@ -296,13 +298,13 @@ private module Config implements FullStateConfigSig {
  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }

-private import Impl<Config> as I
+deprecated private import Impl<Config> as I

 /**
 * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
 * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
 */
-class PathNode instanceof I::PathNode {
+deprecated class PathNode instanceof I::PathNode {
  /** Gets a textual representation of this element. */
  final string toString() { result = super.toString() }

@@ -329,10 +331,10 @@ class PathNode instanceof I::PathNode {
  final Node getNode() { result = super.getNode() }

  /** Gets the `FlowState` of this node. */
-  final FlowState getState() { result = getState(super.getState()) }
+  deprecated final FlowState getState() { result = getState(super.getState()) }

  /** Gets the associated configuration. */
-  final Configuration getConfiguration() { result = getConfig(super.getState()) }
+  deprecated final Configuration getConfiguration() { result = getConfig(super.getState()) }

  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() { result = super.getASuccessor() }
@@ -347,9 +349,9 @@ class PathNode instanceof I::PathNode {
  final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }

-module PathGraph = I::PathGraph;
+deprecated module PathGraph = I::PathGraph;

-private predicate hasFlow(Node source, Node sink, Configuration config) {
+deprecated private predicate hasFlow(Node source, Node sink, Configuration config) {
  exists(PathNode source0, PathNode sink0 |
    hasFlowPath(source0, sink0, config) and
    source0.getNode() = source and
@@ -357,10 +359,10 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
  )
 }

-private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
+deprecated private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
  I::flowPath(source, sink) and source.getConfiguration() = config
 }

-private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
+deprecated private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

-predicate flowsTo = hasFlow/3;
+deprecated predicate flowsTo = hasFlow/3;
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -10,10 +10,12 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit

 /**
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *
 * A configuration of interprocedural data flow analysis. This defines
 * sources, sinks, and any other configurable aspect of the analysis. Each
 * use of the global data flow library must define its own unique extension
@@ -48,7 +50,7 @@ private import codeql.util.Unit
 * should instead depend on a `DataFlow2::Configuration`, a
 * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`.
 */
-abstract class Configuration extends string {
+abstract deprecated class Configuration extends string {
  bindingset[this]
  Configuration() { any() }

@@ -189,7 +191,7 @@ abstract class Configuration extends string {
 * Good performance cannot be guaranteed in the presence of such recursion, so
 * it should be replaced by using more than one copy of the data flow library.
 */
-abstract private class ConfigurationRecursionPrevention extends Configuration {
+abstract deprecated private class ConfigurationRecursionPrevention extends Configuration {
  bindingset[this]
  ConfigurationRecursionPrevention() { any() }

@@ -210,7 +212,7 @@ abstract private class ConfigurationRecursionPrevention extends Configuration {
  }
 }

-private FlowState relevantState(Configuration config) {
+deprecated private FlowState relevantState(Configuration config) {
  config.isSource(_, result) or
  config.isSink(_, result) or
  config.isBarrier(_, result) or
@@ -219,17 +221,17 @@ private FlowState relevantState(Configuration config) {
 }

 private newtype TConfigState =
-  TMkConfigState(Configuration config, FlowState state) {
+  deprecated TMkConfigState(Configuration config, FlowState state) {
    state = relevantState(config) or state instanceof FlowStateEmpty
  }

-private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
+deprecated private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }

-private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
+deprecated private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }

-private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
+deprecated private predicate singleConfiguration() { 1 = strictcount(Configuration c) }

-private module Config implements FullStateConfigSig {
+deprecated private module Config implements FullStateConfigSig {
  class FlowState = TConfigState;

  predicate isSource(Node source, FlowState state) {
@@ -296,13 +298,13 @@ private module Config implements FullStateConfigSig {
  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }

-private import Impl<Config> as I
+deprecated private import Impl<Config> as I

 /**
 * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
 * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
 */
-class PathNode instanceof I::PathNode {
+deprecated class PathNode instanceof I::PathNode {
  /** Gets a textual representation of this element. */
  final string toString() { result = super.toString() }

@@ -329,10 +331,10 @@ class PathNode instanceof I::PathNode {
  final Node getNode() { result = super.getNode() }

  /** Gets the `FlowState` of this node. */
-  final FlowState getState() { result = getState(super.getState()) }
+  deprecated final FlowState getState() { result = getState(super.getState()) }

  /** Gets the associated configuration. */
-  final Configuration getConfiguration() { result = getConfig(super.getState()) }
+  deprecated final Configuration getConfiguration() { result = getConfig(super.getState()) }

  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() { result = super.getASuccessor() }
@@ -347,9 +349,9 @@ class PathNode instanceof I::PathNode {
  final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }

-module PathGraph = I::PathGraph;
+deprecated module PathGraph = I::PathGraph;

-private predicate hasFlow(Node source, Node sink, Configuration config) {
+deprecated private predicate hasFlow(Node source, Node sink, Configuration config) {
  exists(PathNode source0, PathNode sink0 |
    hasFlowPath(source0, sink0, config) and
    source0.getNode() = source and
@@ -357,10 +359,10 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
  )
 }

-private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
+deprecated private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
  I::flowPath(source, sink) and source.getConfiguration() = config
 }

-private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
+deprecated private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

-predicate flowsTo = hasFlow/3;
+deprecated predicate flowsTo = hasFlow/3;
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -10,10 +10,12 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit

 /**
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *
 * A configuration of interprocedural data flow analysis. This defines
 * sources, sinks, and any other configurable aspect of the analysis. Each
 * use of the global data flow library must define its own unique extension
@@ -48,7 +50,7 @@ private import codeql.util.Unit
 * should instead depend on a `DataFlow2::Configuration`, a
 * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`.
 */
-abstract class Configuration extends string {
+abstract deprecated class Configuration extends string {
  bindingset[this]
  Configuration() { any() }

@@ -189,7 +191,7 @@ abstract class Configuration extends string {
 * Good performance cannot be guaranteed in the presence of such recursion, so
 * it should be replaced by using more than one copy of the data flow library.
 */
-abstract private class ConfigurationRecursionPrevention extends Configuration {
+abstract deprecated private class ConfigurationRecursionPrevention extends Configuration {
  bindingset[this]
  ConfigurationRecursionPrevention() { any() }

@@ -210,7 +212,7 @@ abstract private class ConfigurationRecursionPrevention extends Configuration {
  }
 }

-private FlowState relevantState(Configuration config) {
+deprecated private FlowState relevantState(Configuration config) {
  config.isSource(_, result) or
  config.isSink(_, result) or
  config.isBarrier(_, result) or
@@ -219,17 +221,17 @@ private FlowState relevantState(Configuration config) {
 }

 private newtype TConfigState =
-  TMkConfigState(Configuration config, FlowState state) {
+  deprecated TMkConfigState(Configuration config, FlowState state) {
    state = relevantState(config) or state instanceof FlowStateEmpty
  }

-private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
+deprecated private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }

-private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
+deprecated private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }

-private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
+deprecated private predicate singleConfiguration() { 1 = strictcount(Configuration c) }

-private module Config implements FullStateConfigSig {
+deprecated private module Config implements FullStateConfigSig {
  class FlowState = TConfigState;

  predicate isSource(Node source, FlowState state) {
@@ -296,13 +298,13 @@ private module Config implements FullStateConfigSig {
  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }

-private import Impl<Config> as I
+deprecated private import Impl<Config> as I

 /**
 * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
 * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
 */
-class PathNode instanceof I::PathNode {
+deprecated class PathNode instanceof I::PathNode {
  /** Gets a textual representation of this element. */
  final string toString() { result = super.toString() }

@@ -329,10 +331,10 @@ class PathNode instanceof I::PathNode {
  final Node getNode() { result = super.getNode() }

  /** Gets the `FlowState` of this node. */
-  final FlowState getState() { result = getState(super.getState()) }
+  deprecated final FlowState getState() { result = getState(super.getState()) }

  /** Gets the associated configuration. */
-  final Configuration getConfiguration() { result = getConfig(super.getState()) }
+  deprecated final Configuration getConfiguration() { result = getConfig(super.getState()) }

  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() { result = super.getASuccessor() }
@@ -347,9 +349,9 @@ class PathNode instanceof I::PathNode {
  final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }

-module PathGraph = I::PathGraph;
+deprecated module PathGraph = I::PathGraph;

-private predicate hasFlow(Node source, Node sink, Configuration config) {
+deprecated private predicate hasFlow(Node source, Node sink, Configuration config) {
  exists(PathNode source0, PathNode sink0 |
    hasFlowPath(source0, sink0, config) and
    source0.getNode() = source and
@@ -357,10 +359,10 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
  )
 }

-private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
+deprecated private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
  I::flowPath(source, sink) and source.getConfiguration() = config
 }

-private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
+deprecated private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

-predicate flowsTo = hasFlow/3;
+deprecated predicate flowsTo = hasFlow/3;
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -10,10 +10,12 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit

 /**
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *
 * A configuration of interprocedural data flow analysis. This defines
 * sources, sinks, and any other configurable aspect of the analysis. Each
 * use of the global data flow library must define its own unique extension
@@ -48,7 +50,7 @@ private import codeql.util.Unit
 * should instead depend on a `DataFlow2::Configuration`, a
 * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`.
 */
-abstract class Configuration extends string {
+abstract deprecated class Configuration extends string {
  bindingset[this]
  Configuration() { any() }

@@ -189,7 +191,7 @@ abstract class Configuration extends string {
 * Good performance cannot be guaranteed in the presence of such recursion, so
 * it should be replaced by using more than one copy of the data flow library.
 */
-abstract private class ConfigurationRecursionPrevention extends Configuration {
+abstract deprecated private class ConfigurationRecursionPrevention extends Configuration {
  bindingset[this]
  ConfigurationRecursionPrevention() { any() }

@@ -210,7 +212,7 @@ abstract private class ConfigurationRecursionPrevention extends Configuration {
  }
 }

-private FlowState relevantState(Configuration config) {
+deprecated private FlowState relevantState(Configuration config) {
  config.isSource(_, result) or
  config.isSink(_, result) or
  config.isBarrier(_, result) or
@@ -219,17 +221,17 @@ private FlowState relevantState(Configuration config) {
 }

 private newtype TConfigState =
-  TMkConfigState(Configuration config, FlowState state) {
+  deprecated TMkConfigState(Configuration config, FlowState state) {
    state = relevantState(config) or state instanceof FlowStateEmpty
  }

-private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
+deprecated private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }

-private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
+deprecated private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }

-private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
+deprecated private predicate singleConfiguration() { 1 = strictcount(Configuration c) }

-private module Config implements FullStateConfigSig {
+deprecated private module Config implements FullStateConfigSig {
  class FlowState = TConfigState;

  predicate isSource(Node source, FlowState state) {
@@ -296,13 +298,13 @@ private module Config implements FullStateConfigSig {
  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }

-private import Impl<Config> as I
+deprecated private import Impl<Config> as I

 /**
 * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
 * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
 */
-class PathNode instanceof I::PathNode {
+deprecated class PathNode instanceof I::PathNode {
  /** Gets a textual representation of this element. */
  final string toString() { result = super.toString() }

@@ -329,10 +331,10 @@ class PathNode instanceof I::PathNode {
  final Node getNode() { result = super.getNode() }

  /** Gets the `FlowState` of this node. */
-  final FlowState getState() { result = getState(super.getState()) }
+  deprecated final FlowState getState() { result = getState(super.getState()) }

  /** Gets the associated configuration. */
-  final Configuration getConfiguration() { result = getConfig(super.getState()) }
+  deprecated final Configuration getConfiguration() { result = getConfig(super.getState()) }

  /** Gets a successor of this node, if any. */
  final PathNode getASuccessor() { result = super.getASuccessor() }
@@ -347,9 +349,9 @@ class PathNode instanceof I::PathNode {
  final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
 }

-module PathGraph = I::PathGraph;
+deprecated module PathGraph = I::PathGraph;

-private predicate hasFlow(Node source, Node sink, Configuration config) {
+deprecated private predicate hasFlow(Node source, Node sink, Configuration config) {
  exists(PathNode source0, PathNode sink0 |
    hasFlowPath(source0, sink0, config) and
    source0.getNode() = source and
@@ -357,10 +359,10 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
  )
 }

-private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
+deprecated private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
  I::flowPath(source, sink) and source.getConfiguration() = config
 }

-private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
+deprecated private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

-predicate flowsTo = hasFlow/3;
+deprecated predicate flowsTo = hasFlow/3;
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplSpecific.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplSpecific.qll
@@ -20,4 +20,6 @@ module CppDataFlow implements InputSig {
  Node exprNode(DataFlowExpr e) { result = Public::exprNode(e) }

  predicate getAdditionalFlowIntoCallNodeTerm = Private::getAdditionalFlowIntoCallNodeTerm/2;
+
+  predicate validParameterAliasStep = Private::validParameterAliasStep/2;
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -6,6 +6,7 @@ private import semmle.code.cpp.ir.internal.IRCppLanguage
 private import SsaInternals as Ssa
 private import DataFlowImplCommon as DataFlowImplCommon
 private import codeql.util.Unit
+private import Node0ToString

 cached
 private module Cached {
@@ -58,6 +59,41 @@ private module Cached {
 import Cached
 private import Nodes0

+/**
+ * A module for calculating the number of stars (i.e., `*`s) needed for various
+ * dataflow node `toString` predicates.
+ */
+module NodeStars {
+  private int getNumberOfIndirections(Node n) {
+    result = n.(RawIndirectOperand).getIndirectionIndex()
+    or
+    result = n.(RawIndirectInstruction).getIndirectionIndex()
+    or
+    result = n.(VariableNode).getIndirectionIndex()
+    or
+    result = n.(PostUpdateNodeImpl).getIndirectionIndex()
+    or
+    result = n.(FinalParameterNode).getIndirectionIndex()
+  }
+
+  private int maxNumberOfIndirections() { result = max(getNumberOfIndirections(_)) }
+
+  private string repeatStars(int n) {
+    n = 0 and result = ""
+    or
+    n = [1 .. maxNumberOfIndirections()] and
+    result = "*" + repeatStars(n - 1)
+  }
+
+  /**
+   * Gets the number of stars (i.e., `*`s) needed to produce the `toString`
+   * output for `n`.
+   */
+  string stars(Node n) { result = repeatStars(getNumberOfIndirections(n)) }
+}
+
+import NodeStars
+
 class Node0Impl extends TIRDataFlowNode0 {
  /**
   * INTERNAL: Do not use.
@@ -81,6 +117,14 @@ class Node0Impl extends TIRDataFlowNode0 {
  /** Gets the operands corresponding to this node, if any. */
  Operand asOperand() { result = this.(OperandNode0).getOperand() }

+  /** Gets the location of this node. */
+  final Location getLocation() { result = this.getLocationImpl() }
+
+  /** INTERNAL: Do not use. */
+  Location getLocationImpl() {
+    none() // overridden by subclasses
+  }
+
  /** INTERNAL: Do not use. */
  string toStringImpl() {
    none() // overridden by subclasses
@@ -130,10 +174,12 @@ abstract class InstructionNode0 extends Node0Impl {

  override DataFlowType getType() { result = getInstructionType(instr, _) }

-  override string toStringImpl() {
-    // This predicate is overridden in subclasses. This default implementation
-    // does not use `Instruction.toString` because that's expensive to compute.
-    result = instr.getOpcode().toString()
+  override string toStringImpl() { result = instructionToString(instr) }
+
+  override Location getLocationImpl() {
+    if exists(instr.getAst().getLocation())
+    then result = instr.getAst().getLocation()
+    else result instanceof UnknownDefaultLocation
  }

  final override predicate isGLValue() { exists(getInstructionType(instr, true)) }
@@ -173,7 +219,13 @@ abstract class OperandNode0 extends Node0Impl {

  override DataFlowType getType() { result = getOperandType(op, _) }

-  override string toStringImpl() { result = op.toString() }
+  override string toStringImpl() { result = operandToString(op) }
+
+  override Location getLocationImpl() {
+    if exists(op.getDef().getAst().getLocation())
+    then result = op.getDef().getAst().getLocation()
+    else result instanceof UnknownDefaultLocation
+  }

  final override predicate isGLValue() { exists(getOperandType(op, true)) }
 }
@@ -621,6 +673,24 @@ class GlobalLikeVariable extends Variable {
  }
 }

+/**
+ * Returns the smallest indirection for the type `t`.
+ *
+ * For most types this is `1`, but for `ArrayType`s (which are allocated on
+ * the stack) this is `0`
+ */
+int getMinIndirectionsForType(Type t) {
+  if t.getUnspecifiedType() instanceof Cpp::ArrayType then result = 0 else result = 1
+}
+
+private int getMinIndirectionForGlobalUse(Ssa::GlobalUse use) {
+  result = getMinIndirectionsForType(use.getUnspecifiedType())
+}
+
+private int getMinIndirectionForGlobalDef(Ssa::GlobalDef def) {
+  result = getMinIndirectionsForType(def.getUnspecifiedType())
+}
+
 /**
 * Holds if data can flow from `node1` to `node2` in a way that loses the
 * calling context. For example, this would happen with flow through a
@@ -632,7 +702,7 @@ predicate jumpStep(Node n1, Node n2) {
      v = globalUse.getVariable() and
      n1.(FinalGlobalValue).getGlobalUse() = globalUse
    |
-      globalUse.getIndirection() = 1 and
+      globalUse.getIndirection() = getMinIndirectionForGlobalUse(globalUse) and
      v = n2.asVariable()
      or
      v = n2.asIndirectVariable(globalUse.getIndirection())
@@ -642,7 +712,7 @@ predicate jumpStep(Node n1, Node n2) {
      v = globalDef.getVariable() and
      n2.(InitialGlobalValue).getGlobalDef() = globalDef
    |
-      globalDef.getIndirection() = 1 and
+      globalDef.getIndirection() = getMinIndirectionForGlobalDef(globalDef) and
      v = n1.asVariable()
      or
      v = n1.asIndirectVariable(globalDef.getIndirection())
@@ -1107,3 +1177,55 @@ private int countNumberOfBranchesUsingParameter(SwitchInstruction switch, Parame
      )
  )
 }
+
+/**
+ * Holds if the data-flow step from `node1` to `node2` can be used to
+ * determine where side-effects may return from a callable.
+ * For C/C++, this means that the step from `node1` to `node2` not only
+ * preserves the value, but also preserves the identity of the value.
+ * For example, the assignment to `x` that reads the value of `*p` in
+ * ```cpp
+ * int* p = ...
+ * int x = *p;
+ * ```
+ * does not preserve the identity of `*p`.
+ */
+bindingset[node1, node2]
+pragma[inline_late]
+predicate validParameterAliasStep(Node node1, Node node2) {
+  // When flow-through summaries are computed we track which parameters flow to out-going parameters.
+  // In an example such as:
+  // ```
+  // modify(int* px) { *px = source(); }
+  // void modify_copy(int* p) {
+  //   int x = *p;
+  //   modify(&x);
+  // }
+  // ```
+  // since dataflow tracks each indirection as a separate SSA variable dataflow
+  // sees the above roughly as
+  // ```
+  // modify(int* px, int deref_px) { deref_px = source(); }
+  // void modify_copy(int* p, int deref_p) {
+  //   int x = deref_p;
+  //   modify(&x, x);
+  // }
+  // ```
+  // and when dataflow computes flow from a parameter to a post-update node to
+  // conclude which parameters are "updated" by the call to `modify_copy` it
+  // finds flow from `x [post update]` to `deref_p [post update]`.
+  // To prevent this we exclude steps that don't preserve identity. We do this
+  // by excluding flow from the right-hand side of `StoreInstruction`s to the
+  // `StoreInstruction`. This is sufficient because, for flow-through summaries,
+  // we're only interested in indirect parameters such as `deref_p` in the
+  // exampe above (i.e., the parameters with a non-zero indirection index), and
+  // if that ever flows to the right-hand side of a `StoreInstruction` then
+  // there must have been a dereference to reduce its indirection index down to
+  // 0.
+  not exists(Operand operand |
+    node1.asOperand() = operand and
+    node2.asInstruction().(StoreInstruction).getSourceValueOperand() = operand
+  )
+  // TODO: Also block flow through models that don't preserve identity such
+  // as `strdup`.
+}
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -15,35 +15,36 @@ private import ModelUtil
 private import SsaInternals as Ssa
 private import DataFlowImplCommon as DataFlowImplCommon
 private import codeql.util.Unit
+private import Node0ToString

 /**
 * The IR dataflow graph consists of the following nodes:
- * - `Node0`, which injects most instructions and operands directly into the dataflow graph.
+ * - `Node0`, which injects most instructions and operands directly into the
+ *    dataflow graph.
 * - `VariableNode`, which is used to model flow through global variables.
- * - `PostFieldUpdateNode`, which is used to model the state of a field after a value has been stored
- * into an address after a number of loads.
- * - `SsaPhiNode`, which represents phi nodes as computed by the shared SSA library.
- * - `IndirectArgumentOutNode`, which represents the value of an argument (and its indirections) after
- * it leaves a function call.
- * - `RawIndirectOperand`, which represents the value of `operand` after loading the address a number
- * of times.
- * - `RawIndirectInstruction`, which represents the value of `instr` after loading the address a number
- * of times.
+ * - `PostUpdateNodeImpl`, which is used to model the state of an object after
+ *    an update after a number of loads.
+ * - `SsaPhiNode`, which represents phi nodes as computed by the shared SSA
+ *    library.
+ * - `RawIndirectOperand`, which represents the value of `operand` after
+ *    loading the address a number of times.
+ * - `RawIndirectInstruction`, which represents the value of `instr` after
+ *    loading the address a number of times.
 */
 cached
 private newtype TIRDataFlowNode =
  TNode0(Node0Impl node) { DataFlowImplCommon::forceCachingInSameStage() } or
  TVariableNode(Variable var, int indirectionIndex) {
-    indirectionIndex = [1 .. Ssa::getMaxIndirectionsForType(var.getUnspecifiedType())]
-  } or
-  TPostFieldUpdateNode(FieldAddress operand, int indirectionIndex) {
    indirectionIndex =
-      [1 .. Ssa::countIndirectionsForCppType(operand.getObjectAddress().getResultLanguageType())]
+      [getMinIndirectionsForType(var.getUnspecifiedType()) .. Ssa::getMaxIndirectionsForType(var.getUnspecifiedType())]
  } or
-  TSsaPhiNode(Ssa::PhiNode phi) or
-  TIndirectArgumentOutNode(ArgumentOperand operand, int indirectionIndex) {
+  TPostUpdateNodeImpl(Operand operand, int indirectionIndex) {
+    operand = any(FieldAddress fa).getObjectAddressOperand() and
+    indirectionIndex = [0 .. Ssa::countIndirectionsForCppType(Ssa::getLanguageType(operand))]
+    or
    Ssa::isModifiableByCall(operand, indirectionIndex)
  } or
+  TSsaPhiNode(Ssa::PhiNode phi) or
  TRawIndirectOperand0(Node0Impl node, int indirectionIndex) {
    Ssa::hasRawIndirectOperand(node.asOperand(), indirectionIndex)
  } or
@@ -83,7 +84,7 @@ private predicate parameterIsRedefined(Parameter p) {
 class FieldAddress extends Operand {
  FieldAddressInstruction fai;

-  FieldAddress() { fai = this.getDef() }
+  FieldAddress() { fai = this.getDef() and not Ssa::ignoreOperand(this) }

  /** Gets the field associated with this instruction. */
  Field getField() { result = fai.getField() }
@@ -259,6 +260,71 @@ class Node extends TIRDataFlowNode {
   */
  Expr asDefiningArgument() { result = this.asDefiningArgument(_) }

+  /**
+   * Gets the definition associated with this node, if any.
+   *
+   * For example, consider the following example
+   * ```cpp
+   * int x = 42;     // 1
+   * x = 34;         // 2
+   * ++x;            // 3
+   * x++;            // 4
+   * x += 1;         // 5
+   * int y = x += 2; // 6
+   * ```
+   * - For (1) the result is `42`.
+   * - For (2) the result is `x = 34`.
+   * - For (3) the result is `++x`.
+   * - For (4) the result is `x++`.
+   * - For (5) the result is `x += 1`.
+   * - For (6) there are two results:
+   *   - For the definition generated by `x += 2` the result is `x += 2`
+   *   - For the definition generated by `int y = ...` the result is
+   *     also `x += 2`.
+   *
+   * For assignments, `node.asDefinition()` and `node.asExpr()` will both exist
+   * for the same dataflow node. However, for expression such as `x++` that
+   * both write to `x` and read the current value of `x`, `node.asDefinition()`
+   * will give the node corresponding to the value after the increment, and
+   * `node.asExpr()` will give the node corresponding to the value before the
+   * increment. For an example of this, consider the following:
+   *
+   * ```cpp
+   * sink(x++);
+   * ```
+   * in the above program, there will not be flow from a node `n` such that
+   * `n.asDefinition() instanceof IncrementOperation` to the argument of `sink`
+   * since the value passed to `sink` is the value before to the increment.
+   * However, there will be dataflow from a node `n` such that
+   * `n.asExpr() instanceof IncrementOperation` since the result of evaluating
+   * the expression `x++` is passed to `sink`.
+   */
+  Expr asDefinition() {
+    exists(StoreInstruction store |
+      store = this.asInstruction() and
+      result = asDefinitionImpl(store)
+    )
+  }
+
+  /**
+   * Gets the indirect definition at a given indirection corresponding to this
+   * node, if any.
+   *
+   * See the comments on `Node.asDefinition` for examples.
+   */
+  Expr asIndirectDefinition(int indirectionIndex) {
+    exists(StoreInstruction store |
+      this.(IndirectInstruction).hasInstructionAndIndirectionIndex(store, indirectionIndex) and
+      result = asDefinitionImpl(store)
+    )
+  }
+
+  /**
+   * Gets the indirect definition at some indirection corresponding to this
+   * node, if any.
+   */
+  Expr asIndirectDefinition() { result = this.asIndirectDefinition(_) }
+
  /**
   * Gets the argument that defines this `DefinitionByReferenceNode`, if any.
   *
@@ -346,7 +412,9 @@ class Node extends TIRDataFlowNode {
   * Gets the variable corresponding to this node, if any. This can be used for
   * modeling flow in and out of global variables.
   */
-  Variable asVariable() { this = TVariableNode(result, 1) }
+  Variable asVariable() {
+    this = TVariableNode(result, getMinIndirectionsForType(result.getUnspecifiedType()))
+  }

  /**
   * Gets the `indirectionIndex`'th indirection of this node's underlying variable, if any.
@@ -354,7 +422,7 @@ class Node extends TIRDataFlowNode {
   * This can be used for modeling flow in and out of global variables.
   */
  Variable asIndirectVariable(int indirectionIndex) {
-    indirectionIndex > 1 and
+    indirectionIndex > getMinIndirectionsForType(result.getUnspecifiedType()) and
    this = TVariableNode(result, indirectionIndex)
  }

@@ -369,7 +437,12 @@ class Node extends TIRDataFlowNode {
   * `x.set(taint())` is a partial definition of `x`, and `transfer(&x, taint())` is
   * a partial definition of `&x`).
   */
-  Expr asPartialDefinition() { result = this.(PartialDefinitionNode).getDefinedExpr() }
+  Expr asPartialDefinition() {
+    exists(PartialDefinitionNode pdn | this = pdn |
+      pdn.getIndirectionIndex() > 0 and
+      result = pdn.getDefinedExpr()
+    )
+  }

  /**
   * Gets an upper bound on the type of this node.
@@ -413,13 +486,6 @@ class Node extends TIRDataFlowNode {
  }
 }

-private string toExprString(Node n) {
-  result = n.asExpr(0).toString()
-  or
-  not exists(n.asExpr()) and
-  result = n.asIndirectExpr(0, 1).toString() + " indirection"
-}
-
 /**
 * A class that lifts pre-SSA dataflow nodes to regular dataflow nodes.
 */
@@ -432,6 +498,10 @@ private class Node0 extends Node, TNode0 {

  override Declaration getFunction() { result = node.getFunction() }

+  override Location getLocationImpl() { result = node.getLocation() }
+
+  override string toStringImpl() { result = node.toString() }
+
  override DataFlowType getType() { result = node.getType() }

  override predicate isGLValue() { node.isGLValue() }
@@ -448,18 +518,6 @@ class InstructionNode extends Node0 {

  /** Gets the instruction corresponding to this node. */
  Instruction getInstruction() { result = instr }
-
-  override Location getLocationImpl() {
-    if exists(instr.getAst().getLocation())
-    then result = instr.getAst().getLocation()
-    else result instanceof UnknownDefaultLocation
-  }
-
-  override string toStringImpl() {
-    if instr.(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable
-    then result = "this"
-    else result = instr.getAst().toString()
-  }
 }

 /**
@@ -473,18 +531,6 @@ class OperandNode extends Node, Node0 {

  /** Gets the operand corresponding to this node. */
  Operand getOperand() { result = op }
-
-  override Location getLocationImpl() {
-    if exists(op.getDef().getAst().getLocation())
-    then result = op.getDef().getAst().getLocation()
-    else result instanceof UnknownDefaultLocation
-  }
-
-  override string toStringImpl() {
-    if op.getDef().(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable
-    then result = "this"
-    else result = op.getDef().getAst().toString()
-  }
 }

 /**
@@ -502,37 +548,53 @@ Type stripPointer(Type t) {
  result = t.(FunctionPointerIshType).getBaseType()
 }

+/**
+ * INTERNAL: Do not use.
+ */
+class PostUpdateNodeImpl extends PartialDefinitionNode, TPostUpdateNodeImpl {
+  int indirectionIndex;
+  Operand operand;
+
+  PostUpdateNodeImpl() { this = TPostUpdateNodeImpl(operand, indirectionIndex) }
+
+  override Declaration getFunction() { result = operand.getUse().getEnclosingFunction() }
+
+  override Declaration getEnclosingCallable() { result = this.getFunction() }
+
+  /** Gets the operand associated with this node. */
+  Operand getOperand() { result = operand }
+
+  /** Gets the indirection index associated with this node. */
+  override int getIndirectionIndex() { result = indirectionIndex }
+
+  override Location getLocationImpl() { result = operand.getLocation() }
+
+  final override Node getPreUpdateNode() {
+    indirectionIndex > 0 and
+    hasOperandAndIndex(result, operand, indirectionIndex)
+    or
+    indirectionIndex = 0 and
+    result.asOperand() = operand
+  }
+
+  final override Expr getDefinedExpr() {
+    result = operand.getDef().getUnconvertedResultExpression()
+  }
+}
+
 /**
 * INTERNAL: do not use.
 *
 * The node representing the value of a field after it has been updated.
 */
-class PostFieldUpdateNode extends TPostFieldUpdateNode, PartialDefinitionNode {
-  int indirectionIndex;
+class PostFieldUpdateNode extends PostUpdateNodeImpl {
  FieldAddress fieldAddress;

-  PostFieldUpdateNode() { this = TPostFieldUpdateNode(fieldAddress, indirectionIndex) }
-
-  override Declaration getFunction() { result = fieldAddress.getUse().getEnclosingFunction() }
-
-  override Declaration getEnclosingCallable() { result = this.getFunction() }
+  PostFieldUpdateNode() { operand = fieldAddress.getObjectAddressOperand() }

  FieldAddress getFieldAddress() { result = fieldAddress }

-  Field getUpdatedField() { result = fieldAddress.getField() }
-
-  int getIndirectionIndex() { result = indirectionIndex }
-
-  override Node getPreUpdateNode() {
-    hasOperandAndIndex(result, pragma[only_bind_into](fieldAddress).getObjectAddressOperand(),
-      indirectionIndex)
-  }
-
-  override Expr getDefinedExpr() {
-    result = fieldAddress.getObjectAddress().getUnconvertedResultExpression()
-  }
-
-  override Location getLocationImpl() { result = fieldAddress.getLocation() }
+  Field getUpdatedField() { result = this.getFieldAddress().getField() }

  override string toStringImpl() { result = this.getPreUpdateNode() + " [post update]" }
 }
@@ -717,10 +779,12 @@ class IndirectParameterNode extends Node instanceof IndirectInstruction {
  override Location getLocationImpl() { result = this.getParameter().getLocation() }

  override string toStringImpl() {
-    result = this.getParameter().toString() + " indirection"
-    or
-    not exists(this.getParameter()) and
-    result = "this indirection"
+    exists(string prefix | prefix = stars(this) |
+      result = prefix + this.getParameter().toString()
+      or
+      not exists(this.getParameter()) and
+      result = prefix + "this"
+    )
  }
 }

@@ -768,13 +832,8 @@ class IndirectReturnNode extends Node {
 * A node representing the indirection of a value after it
 * has been returned from a function.
 */
-class IndirectArgumentOutNode extends Node, TIndirectArgumentOutNode, PartialDefinitionNode {
-  ArgumentOperand operand;
-  int indirectionIndex;
-
-  IndirectArgumentOutNode() { this = TIndirectArgumentOutNode(operand, indirectionIndex) }
-
-  int getIndirectionIndex() { result = indirectionIndex }
+class IndirectArgumentOutNode extends PostUpdateNodeImpl {
+  override ArgumentOperand operand;

  int getArgumentIndex() {
    exists(CallInstruction call | call.getArgumentOperand(result) = operand)
@@ -786,24 +845,16 @@ class IndirectArgumentOutNode extends Node, TIndirectArgumentOutNode, PartialDef

  Function getStaticCallTarget() { result = this.getCallInstruction().getStaticCallTarget() }

-  override Declaration getEnclosingCallable() { result = this.getFunction() }
-
-  override Declaration getFunction() { result = this.getCallInstruction().getEnclosingFunction() }
-
-  override Node getPreUpdateNode() { hasOperandAndIndex(result, operand, indirectionIndex) }
-
  override string toStringImpl() {
-    // This string should be unique enough to be helpful but common enough to
-    // avoid storing too many different strings.
-    result = this.getStaticCallTarget().getName() + " output argument"
-    or
-    not exists(this.getStaticCallTarget()) and
-    result = "output argument"
+    exists(string prefix | if indirectionIndex > 0 then prefix = "" else prefix = "pointer to " |
+      // This string should be unique enough to be helpful but common enough to
+      // avoid storing too many different strings.
+      result = prefix + this.getStaticCallTarget().getName() + " output argument"
+      or
+      not exists(this.getStaticCallTarget()) and
+      result = prefix + "output argument"
+    )
  }
-
-  override Location getLocationImpl() { result = operand.getLocation() }
-
-  override Expr getDefinedExpr() { result = operand.getDef().getUnconvertedResultExpression() }
 }

 /**
@@ -908,7 +959,8 @@ private Type getTypeImpl0(Type t, int indirectionIndex) {
 *
 * If `indirectionIndex` cannot be stripped off `t`, an `UnknownType` is returned.
 */
-bindingset[indirectionIndex]
+bindingset[t, indirectionIndex]
+pragma[inline_late]
 Type getTypeImpl(Type t, int indirectionIndex) {
  result = getTypeImpl0(t, indirectionIndex)
  or
@@ -960,7 +1012,7 @@ private module RawIndirectNodes {
    }

    override string toStringImpl() {
-      result = operandNode(this.getOperand()).toStringImpl() + " indirection"
+      result = stars(this) + operandNode(this.getOperand()).toStringImpl()
    }
  }

@@ -1002,7 +1054,7 @@ private module RawIndirectNodes {
    }

    override string toStringImpl() {
-      result = instructionNode(this.getInstruction()).toStringImpl() + " indirection"
+      result = stars(this) + instructionNode(this.getInstruction()).toStringImpl()
    }
  }

@@ -1095,9 +1147,7 @@ class FinalParameterNode extends Node, TFinalParameterNode {
    result instanceof UnknownDefaultLocation
  }

-  override string toStringImpl() {
-    if indirectionIndex > 1 then result = p.toString() + " indirection" else result = p.toString()
-  }
+  override string toStringImpl() { result = stars(this) + p.toString() }
 }

 /**
@@ -1159,22 +1209,6 @@ private module GetConvertedResultExpression {
  }

  private Expr getConvertedResultExpressionImpl0(Instruction instr) {
-    // For an expression such as `i += 2` we pretend that the generated
-    // `StoreInstruction` contains the result of the expression even though
-    // this isn't totally aligned with the C/C++ standard.
-    exists(TranslatedAssignOperation tao |
-      result = tao.getExpr() and
-      instr = tao.getInstruction(any(AssignmentStoreTag tag))
-    )
-    or
-    // Similarly for `i++` and `++i` we pretend that the generated
-    // `StoreInstruction` is contains the result of the expression even though
-    // this isn't totally aligned with the C/C++ standard.
-    exists(TranslatedCrementOperation tco |
-      result = tco.getExpr() and
-      instr = tco.getInstruction(any(CrementStoreTag tag))
-    )
-    or
    // IR construction inserts an additional cast to a `size_t` on the extent
    // of a `new[]` expression. The resulting `ConvertInstruction` doesn't have
    // a result for `getConvertedResultExpression`. We remap this here so that
@@ -1182,7 +1216,7 @@ private module GetConvertedResultExpression {
    // represents the extent.
    exists(TranslatedNonConstantAllocationSize tas |
      result = tas.getExtent().getExpr() and
-      instr = tas.getInstruction(any(AllocationExtentConvertTag tag))
+      instr = tas.getInstruction(AllocationExtentConvertTag())
    )
    or
    // There's no instruction that returns `ParenthesisExpr`, but some queries
@@ -1191,6 +1225,39 @@ private module GetConvertedResultExpression {
      result = ttc.getExpr().(ParenthesisExpr) and
      instr = ttc.getResult()
    )
+    or
+    // Certain expressions generate `CopyValueInstruction`s only when they
+    // are needed. Examples of this include crement operations and compound
+    // assignment operations. For example:
+    // ```cpp
+    // int x = ...
+    // int y = x++;
+    // ```
+    // this generate IR like:
+    // ```
+    // r1(glval<int>) = VariableAddress[x] :
+    // r2(int)        = Constant[0]        :
+    // m3(int)        = Store[x]           : &:r1, r2
+    // r4(glval<int>) = VariableAddress[y] :
+    // r5(glval<int>) = VariableAddress[x] :
+    // r6(int)        = Load[x]            : &:r5, m3
+    // r7(int)        = Constant[1]        :
+    // r8(int)        = Add                : r6, r7
+    // m9(int)        = Store[x]           : &:r5, r8
+    // r11(int)       = CopyValue         : r6
+    // m12(int)       = Store[y]          : &:r4, r11
+    // ```
+    // When the `CopyValueInstruction` is not generated there is no instruction
+    // whose `getConvertedResultExpression` maps back to the expression. When
+    // such an instruction doesn't exist it means that the old value is not
+    // needed, and in that case the only value that will propagate forward in
+    // the program is the value that's been updated. So in those cases we just
+    // use the result of `node.asDefinition()` as the result of `node.asExpr()`.
+    exists(TranslatedCoreExpr tco |
+      tco.getInstruction(_) = instr and
+      tco.producesExprResult() and
+      result = asDefinitionImpl0(instr)
+    )
  }

  private Expr getConvertedResultExpressionImpl(Instruction instr) {
@@ -1199,6 +1266,75 @@ private module GetConvertedResultExpression {
    not exists(getConvertedResultExpressionImpl0(instr)) and
    result = instr.getConvertedResultExpression()
  }
+
+  /**
+   * Gets the result for `node.asDefinition()` (when `node` is the instruction
+   * node that wraps `store`) in the cases where `store.getAst()` should not be
+   * used to define the result of `node.asDefinition()`.
+   */
+  private Expr asDefinitionImpl0(StoreInstruction store) {
+    // For an expression such as `i += 2` we pretend that the generated
+    // `StoreInstruction` contains the result of the expression even though
+    // this isn't totally aligned with the C/C++ standard.
+    exists(TranslatedAssignOperation tao |
+      store = tao.getInstruction(AssignmentStoreTag()) and
+      result = tao.getExpr()
+    )
+    or
+    // Similarly for `i++` and `++i` we pretend that the generated
+    // `StoreInstruction` is contains the result of the expression even though
+    // this isn't totally aligned with the C/C++ standard.
+    exists(TranslatedCrementOperation tco |
+      store = tco.getInstruction(CrementStoreTag()) and
+      result = tco.getExpr()
+    )
+  }
+
+  /**
+   * Holds if the expression returned by `store.getAst()` should not be
+   * returned as the result of `node.asDefinition()` when `node` is the
+   * instruction node that wraps `store`.
+   */
+  private predicate excludeAsDefinitionResult(StoreInstruction store) {
+    // Exclude the store to the temporary generated by a ternary expression.
+    exists(TranslatedConditionalExpr tce |
+      store = tce.getInstruction(ConditionValueFalseStoreTag())
+      or
+      store = tce.getInstruction(ConditionValueTrueStoreTag())
+    )
+  }
+
+  /**
+   * Gets the expression that represents the result of `StoreInstruction` for
+   * dataflow purposes.
+   *
+   * For example, consider the following example
+   * ```cpp
+   * int x = 42;     // 1
+   * x = 34;         // 2
+   * ++x;            // 3
+   * x++;            // 4
+   * x += 1;         // 5
+   * int y = x += 2; // 6
+   * ```
+   * For (1) the result is `42`.
+   * For (2) the result is `x = 34`.
+   * For (3) the result is `++x`.
+   * For (4) the result is `x++`.
+   * For (5) the result is `x += 1`.
+   * For (6) there are two results:
+   *   - For the `StoreInstruction` generated by `x += 2` the result
+   *     is `x += 2`
+   *   - For the `StoreInstruction` generated by `int y = ...` the result
+   *     is also `x += 2`
+   */
+  Expr asDefinitionImpl(StoreInstruction store) {
+    not exists(asDefinitionImpl0(store)) and
+    not excludeAsDefinitionResult(store) and
+    result = store.getAst().(Expr).getUnconverted()
+    or
+    result = asDefinitionImpl0(store)
+  }
 }

 private import GetConvertedResultExpression
@@ -1293,31 +1429,90 @@ abstract private class IndirectExprNodeBase extends Node {
  }
 }

-private class IndirectOperandIndirectExprNode extends IndirectExprNodeBase instanceof IndirectOperand
-{
-  IndirectOperandIndirectExprNode() {
-    exists(Expr e, int n, int indirectionIndex |
-      indirectExprNodeShouldBeIndirectOperand(this, e, n, indirectionIndex) and
-      not indirectExprNodeShouldBeIndirectOperand(_, e, n + 1, indirectionIndex)
-    )
+/** A signature for converting an indirect node to an expression. */
+private signature module IndirectNodeToIndirectExprSig {
+  /** The indirect node class to be converted to an expression */
+  class IndirectNode;
+
+  /**
+   * Holds if the indirect expression at indirection index `indirectionIndex`
+   * of `node` is `e`. The integer `n` specifies how many conversions has been
+   * applied to `node`.
+   */
+  predicate indirectNodeHasIndirectExpr(IndirectNode node, Expr e, int n, int indirectionIndex);
+}
+
+/**
+ * A module that implements the logic for deciding whether an indirect node
+ * should be an `IndirectExprNode`.
+ */
+private module IndirectNodeToIndirectExpr<IndirectNodeToIndirectExprSig Sig> {
+  import Sig
+
+  /**
+   * This predicate shifts the indirection index by one when `conv` is a
+   * `ReferenceDereferenceExpr`.
+   *
+   * This is necessary because `ReferenceDereferenceExpr` is a conversion
+   * in the AST, but appears as a `LoadInstruction` in the IR.
+   */
+  bindingset[e, indirectionIndex]
+  private predicate adjustForReference(
+    Expr e, int indirectionIndex, Expr conv, int adjustedIndirectionIndex
+  ) {
+    conv.(ReferenceDereferenceExpr).getExpr() = e and
+    adjustedIndirectionIndex = indirectionIndex - 1
+    or
+    not conv instanceof ReferenceDereferenceExpr and
+    conv = e and
+    adjustedIndirectionIndex = indirectionIndex
  }

-  final override Expr getConvertedExpr(int n, int index) {
-    indirectExprNodeShouldBeIndirectOperand(this, result, n, index)
+  /** Holds if `node` should be an `IndirectExprNode`. */
+  predicate charpred(IndirectNode node) {
+    exists(Expr e, int n, int indirectionIndex |
+      indirectNodeHasIndirectExpr(node, e, n, indirectionIndex) and
+      not exists(Expr conv, int adjustedIndirectionIndex |
+        adjustForReference(e, indirectionIndex, conv, adjustedIndirectionIndex) and
+        indirectNodeHasIndirectExpr(_, conv, n + 1, adjustedIndirectionIndex)
+      )
+    )
  }
 }

-private class IndirectInstructionIndirectExprNode extends IndirectExprNodeBase instanceof IndirectInstruction
+private module IndirectOperandIndirectExprNodeImpl implements IndirectNodeToIndirectExprSig {
+  class IndirectNode = IndirectOperand;
+
+  predicate indirectNodeHasIndirectExpr = indirectExprNodeShouldBeIndirectOperand/4;
+}
+
+module IndirectOperandToIndirectExpr =
+  IndirectNodeToIndirectExpr<IndirectOperandIndirectExprNodeImpl>;
+
+private class IndirectOperandIndirectExprNode extends IndirectExprNodeBase instanceof IndirectOperand
 {
-  IndirectInstructionIndirectExprNode() {
-    exists(Expr e, int n, int indirectionIndex |
-      indirectExprNodeShouldBeIndirectInstruction(this, e, n, indirectionIndex) and
-      not indirectExprNodeShouldBeIndirectInstruction(_, e, n + 1, indirectionIndex)
-    )
-  }
+  IndirectOperandIndirectExprNode() { IndirectOperandToIndirectExpr::charpred(this) }

  final override Expr getConvertedExpr(int n, int index) {
-    indirectExprNodeShouldBeIndirectInstruction(this, result, n, index)
+    IndirectOperandToIndirectExpr::indirectNodeHasIndirectExpr(this, result, n, index)
+  }
+}
+
+private module IndirectInstructionIndirectExprNodeImpl implements IndirectNodeToIndirectExprSig {
+  class IndirectNode = IndirectInstruction;
+
+  predicate indirectNodeHasIndirectExpr = indirectExprNodeShouldBeIndirectInstruction/4;
+}
+
+module IndirectInstructionToIndirectExpr =
+  IndirectNodeToIndirectExpr<IndirectInstructionIndirectExprNodeImpl>;
+
+private class IndirectInstructionIndirectExprNode extends IndirectExprNodeBase instanceof IndirectInstruction
+{
+  IndirectInstructionIndirectExprNode() { IndirectInstructionToIndirectExpr::charpred(this) }
+
+  final override Expr getConvertedExpr(int n, int index) {
+    IndirectInstructionToIndirectExpr::indirectNodeHasIndirectExpr(this, result, n, index)
  }
 }

@@ -1515,6 +1710,10 @@ abstract class PostUpdateNode extends Node {
 * ```
 */
 abstract private class PartialDefinitionNode extends PostUpdateNode {
+  /** Gets the indirection index of this node. */
+  abstract int getIndirectionIndex();
+
+  /** Gets the expression that is partially defined by this node. */
  abstract Expr getDefinedExpr();
 }

@@ -1529,6 +1728,8 @@ abstract private class PartialDefinitionNode extends PostUpdateNode {
 * `getVariableAccess()` equal to `x`.
 */
 class DefinitionByReferenceNode extends IndirectArgumentOutNode {
+  DefinitionByReferenceNode() { this.getIndirectionIndex() > 0 }
+
  /** Gets the unconverted argument corresponding to this node. */
  Expr getArgument() { result = this.getAddressOperand().getDef().getUnconvertedResultExpression() }

@@ -1580,9 +1781,7 @@ class VariableNode extends Node, TVariableNode {
    result instanceof UnknownDefaultLocation
  }

-  override string toStringImpl() {
-    if indirectionIndex = 1 then result = v.toString() else result = v.toString() + " indirection"
-  }
+  override string toStringImpl() { result = stars(this) + v.toString() }
 }

 /**
@@ -2042,6 +2241,25 @@ class Content extends TContent {
  abstract predicate impliesClearOf(Content c);
 }

+private module ContentStars {
+  private int maxNumberOfIndirections() { result = max(any(Content c).getIndirectionIndex()) }
+
+  private string repeatStars(int n) {
+    n = 0 and result = ""
+    or
+    n = [1 .. maxNumberOfIndirections()] and
+    result = "*" + repeatStars(n - 1)
+  }
+
+  /**
+   * Gets the number of stars (i.e., `*`s) needed to produce the `toString`
+   * output for `c`.
+   */
+  string contentStars(Content c) { result = repeatStars(c.getIndirectionIndex() - 1) }
+}
+
+private import ContentStars
+
 /** A reference through a non-union instance field. */
 class FieldContent extends Content, TFieldContent {
  Field f;
@@ -2049,11 +2267,7 @@ class FieldContent extends Content, TFieldContent {

  FieldContent() { this = TFieldContent(f, indirectionIndex) }

-  override string toString() {
-    indirectionIndex = 1 and result = f.toString()
-    or
-    indirectionIndex > 1 and result = f.toString() + " indirection"
-  }
+  override string toString() { result = contentStars(this) + f.toString() }

  Field getField() { result = f }

@@ -2082,11 +2296,7 @@ class UnionContent extends Content, TUnionContent {

  UnionContent() { this = TUnionContent(u, bytes, indirectionIndex) }

-  override string toString() {
-    indirectionIndex = 1 and result = u.toString()
-    or
-    indirectionIndex > 1 and result = u.toString() + " indirection"
-  }
+  override string toString() { result = contentStars(this) + u.toString() }

  /** Gets a field of the underlying union of this `UnionContent`, if any. */
  Field getAField() { result = u.getAField() and getFieldSize(result) = bytes }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DebugPrinting.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DebugPrinting.qll
@@ -0,0 +1,24 @@
+/**
+ * This file contains the class that implements the _debug_ version of
+ * `toString` for `Instruction` and `Operand` dataflow nodes.
+ */
+
+private import semmle.code.cpp.ir.IR
+private import codeql.util.Unit
+private import Node0ToString
+private import DataFlowUtil
+
+private class DebugNode0ToString extends Node0ToString {
+  DebugNode0ToString() {
+    // Silence warning about `this` not being bound.
+    exists(this)
+  }
+
+  override string instructionToString(Instruction i) { result = i.getDumpString() }
+
+  override string operandToString(Operand op) {
+    result = op.getDumpString() + " @ " + op.getUse().getResultId()
+  }
+
+  override string toExprString(Node n) { none() }
+}
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DefaultTaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DefaultTaintTrackingImpl.qll
@@ -1,668 +0,0 @@
-/**
- * INTERNAL: Do not use.
- *
- * An IR taint tracking library that uses an IR DataFlow configuration to track
- * taint from user inputs as defined by `semmle.code.cpp.security.Security`.
- */
-
-import cpp
-import semmle.code.cpp.security.Security
-private import semmle.code.cpp.ir.dataflow.DataFlow
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
-private import semmle.code.cpp.ir.IR
-private import semmle.code.cpp.ir.dataflow.ResolveCall
-private import semmle.code.cpp.controlflow.IRGuards
-private import semmle.code.cpp.models.interfaces.Taint
-private import semmle.code.cpp.models.interfaces.DataFlow
-private import semmle.code.cpp.ir.dataflow.TaintTracking
-private import semmle.code.cpp.ir.dataflow.TaintTracking2
-private import semmle.code.cpp.ir.dataflow.TaintTracking3
-private import semmle.code.cpp.ir.dataflow.internal.ModelUtil
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
-
-/**
- * A predictable instruction is one where an external user can predict
- * the value. For example, a literal in the source code is considered
- * predictable.
- */
-private predicate predictableInstruction(Instruction instr) {
-  instr instanceof ConstantInstruction
-  or
-  instr instanceof StringConstantInstruction
-  or
-  // This could be a conversion on a string literal
-  predictableInstruction(instr.(UnaryInstruction).getUnary())
-}
-
-/**
- * Functions that we should only allow taint to flow through (to the return
- * value) if all but the source argument are 'predictable'.  This is done to
- * emulate the old security library's implementation rather than due to any
- * strong belief that this is the right approach.
- *
- * Note that the list itself is not very principled; it consists of all the
- * functions listed in the old security library's [default] `isPureFunction`
- * that have more than one argument, but are not in the old taint tracking
- * library's `returnArgument` predicate.
- */
-predicate predictableOnlyFlow(string name) {
-  name =
-    [
-      "strcasestr", "strchnul", "strchr", "strchrnul", "strcmp", "strcspn", "strncmp", "strndup",
-      "strnlen", "strrchr", "strspn", "strstr", "strtod", "strtof", "strtol", "strtoll", "strtoq",
-      "strtoul"
-    ]
-}
-
-private DataFlow::Node getNodeForSource(Expr source) {
-  isUserInput(source, _) and
-  result = getNodeForExpr(source)
-}
-
-private DataFlow::Node getNodeForExpr(Expr node) {
-  node = DataFlow::ExprFlowCached::asExprInternal(result)
-  or
-  // Some of the sources in `isUserInput` are intended to match the value of
-  // an expression, while others (those modeled below) are intended to match
-  // the taint that propagates out of an argument, like the `char *` argument
-  // to `gets`. It's impossible here to tell which is which, but the "access
-  // to argv" source is definitely not intended to match an output argument,
-  // and it causes false positives if we let it.
-  //
-  // This case goes together with the similar (but not identical) rule in
-  // `nodeIsBarrierIn`.
-  result = DataFlow::definitionByReferenceNodeFromArgument(node) and
-  not argv(node.(VariableAccess).getTarget())
-}
-
-private predicate conflatePointerAndPointee(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-  // Flow from `op` to `*op`.
-  exists(Operand operand, int indirectionIndex |
-    nodeHasOperand(nodeFrom, operand, indirectionIndex) and
-    nodeHasOperand(nodeTo, operand, indirectionIndex - 1)
-  )
-  or
-  // Flow from `instr` to `*instr`.
-  exists(Instruction instr, int indirectionIndex |
-    nodeHasInstruction(nodeFrom, instr, indirectionIndex) and
-    nodeHasInstruction(nodeTo, instr, indirectionIndex - 1)
-  )
-}
-
-private module DefaultTaintTrackingConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source = getNodeForSource(_) }
-
-  predicate isSink(DataFlow::Node sink) { exists(adjustedSink(sink)) }
-
-  predicate isBarrier(DataFlow::Node node) { nodeIsBarrier(node) }
-
-  predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
-
-  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    conflatePointerAndPointee(nodeFrom, nodeTo)
-  }
-}
-
-private module DefaultTaintTrackingFlow = TaintTracking::Global<DefaultTaintTrackingConfig>;
-
-private module ToGlobalVarTaintTrackingConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source = getNodeForSource(_) }
-
-  predicate isSink(DataFlow::Node sink) { sink.asVariable() instanceof GlobalOrNamespaceVariable }
-
-  predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
-    writesVariable(n1.asInstruction(), n2.asVariable().(GlobalOrNamespaceVariable))
-    or
-    readsVariable(n2.asInstruction(), n1.asVariable().(GlobalOrNamespaceVariable))
-  }
-
-  predicate isBarrier(DataFlow::Node node) { nodeIsBarrier(node) }
-
-  predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
-}
-
-private module ToGlobalVarTaintTrackingFlow = TaintTracking::Global<ToGlobalVarTaintTrackingConfig>;
-
-private module FromGlobalVarTaintTrackingConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    // This set of sources should be reasonably small, which is good for
-    // performance since the set of sinks is very large.
-    ToGlobalVarTaintTrackingFlow::flowTo(source)
-  }
-
-  predicate isSink(DataFlow::Node sink) { exists(adjustedSink(sink)) }
-
-  predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
-    // Additional step for flow out of variables. There is no flow _into_
-    // variables in this configuration, so this step only serves to take flow
-    // out of a variable that's a source.
-    readsVariable(n2.asInstruction(), n1.asVariable())
-  }
-
-  predicate isBarrier(DataFlow::Node node) { nodeIsBarrier(node) }
-
-  predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
-}
-
-private module FromGlobalVarTaintTrackingFlow =
-  TaintTracking::Global<FromGlobalVarTaintTrackingConfig>;
-
-private predicate readsVariable(LoadInstruction load, Variable var) {
-  load.getSourceAddress().(VariableAddressInstruction).getAstVariable() = var
-}
-
-private predicate writesVariable(StoreInstruction store, Variable var) {
-  store.getDestinationAddress().(VariableAddressInstruction).getAstVariable() = var
-}
-
-/**
- * A variable that has any kind of upper-bound check anywhere in the program.  This is
- * biased towards being inclusive because there are a lot of valid ways of doing an
- * upper bounds checks if we don't consider where it occurs, for example:
- * ```
- *   if (x < 10) { sink(x); }
- *
- *   if (10 > y) { sink(y); }
- *
- *   if (z > 10) { z = 10; }
- *   sink(z);
- * ```
- */
-// TODO: This coarse overapproximation, ported from the old taint tracking
-// library, could be replaced with an actual semantic check that a particular
-// variable _access_ is guarded by an upper-bound check. We probably don't want
-// to do this right away since it could expose a lot of FPs that were
-// previously suppressed by this predicate by coincidence.
-private predicate hasUpperBoundsCheck(Variable var) {
-  exists(RelationalOperation oper, VariableAccess access |
-    oper.getAnOperand() = access and
-    access.getTarget() = var and
-    // Comparing to 0 is not an upper bound check
-    not oper.getAnOperand().getValue() = "0"
-  )
-}
-
-private predicate nodeIsBarrierEqualityCandidate(
-  DataFlow::Node node, Operand access, Variable checkedVar
-) {
-  exists(Instruction instr | instr = node.asOperand().getDef() |
-    readsVariable(instr, checkedVar) and
-    any(IRGuardCondition guard).ensuresEq(access, _, _, instr.getBlock(), true)
-  )
-}
-
-cached
-private module Cached {
-  cached
-  predicate nodeIsBarrier(DataFlow::Node node) {
-    exists(Variable checkedVar, Instruction instr | instr = node.asOperand().getDef() |
-      readsVariable(instr, checkedVar) and
-      hasUpperBoundsCheck(checkedVar)
-    )
-    or
-    exists(Variable checkedVar, Operand access |
-      /*
-       * This node is guarded by a condition that forces the accessed variable
-       * to equal something else.  For example:
-       * ```
-       * x = taintsource()
-       * if (x == 10) {
-       *   taintsink(x); // not considered tainted
-       * }
-       * ```
-       */
-
-      nodeIsBarrierEqualityCandidate(node, access, checkedVar) and
-      readsVariable(access.getDef(), checkedVar)
-    )
-  }
-
-  cached
-  predicate nodeIsBarrierIn(DataFlow::Node node) {
-    // don't use dataflow into taint sources, as this leads to duplicate results.
-    exists(Expr source | isUserInput(source, _) |
-      source = DataFlow::ExprFlowCached::asExprInternal(node)
-      or
-      // This case goes together with the similar (but not identical) rule in
-      // `getNodeForSource`.
-      node = DataFlow::definitionByReferenceNodeFromArgument(source)
-    )
-    or
-    // don't use dataflow into binary instructions if both operands are unpredictable
-    exists(BinaryInstruction iTo |
-      iTo = node.asInstruction() and
-      not predictableInstruction(iTo.getLeft()) and
-      not predictableInstruction(iTo.getRight()) and
-      // propagate taint from either the pointer or the offset, regardless of predictability
-      not iTo instanceof PointerArithmeticInstruction
-    )
-    or
-    // don't use dataflow through calls to pure functions if two or more operands
-    // are unpredictable
-    exists(Instruction iFrom1, Instruction iFrom2, CallInstruction iTo |
-      iTo = node.asInstruction() and
-      isPureFunction(iTo.getStaticCallTarget().getName()) and
-      iFrom1 = iTo.getAnArgument() and
-      iFrom2 = iTo.getAnArgument() and
-      not predictableInstruction(iFrom1) and
-      not predictableInstruction(iFrom2) and
-      iFrom1 != iFrom2
-    )
-  }
-
-  cached
-  Element adjustedSink(DataFlow::Node sink) {
-    // TODO: is it more appropriate to use asConvertedExpr here and avoid
-    // `getConversion*`? Or will that cause us to miss some cases where there's
-    // flow to a conversion (like a `ReferenceDereferenceExpr`) and we want to
-    // pretend there was flow to the converted `Expr` for the sake of
-    // compatibility.
-    sink.asExpr().getConversion*() = result
-    or
-    // For compatibility, send flow from arguments to parameters, even for
-    // functions with no body.
-    exists(FunctionCall call, int i |
-      sink.asExpr() = call.getArgument(pragma[only_bind_into](i)) and
-      result = resolveCall(call).getParameter(pragma[only_bind_into](i))
-    )
-    or
-    // For compatibility, send flow into a `Variable` if there is flow to any
-    // Load or Store of that variable.
-    exists(CopyInstruction copy |
-      copy.getSourceValue() = sink.asInstruction() and
-      (
-        readsVariable(copy, result) or
-        writesVariable(copy, result)
-      ) and
-      not hasUpperBoundsCheck(result)
-    )
-    or
-    // For compatibility, send flow into a `NotExpr` even if it's part of a
-    // short-circuiting condition and thus might get skipped.
-    result.(NotExpr).getOperand() = sink.asExpr()
-    or
-    // Taint postfix and prefix crement operations when their operand is tainted.
-    result.(CrementOperation).getAnOperand() = sink.asExpr()
-    or
-    // Taint `e1 += e2`, `e &= e2` and friends when `e1` or `e2` is tainted.
-    result.(AssignOperation).getAnOperand() = sink.asExpr()
-    or
-    result =
-      sink.asOperand()
-          .(SideEffectOperand)
-          .getUse()
-          .(ReadSideEffectInstruction)
-          .getArgumentDef()
-          .getUnconvertedResultExpression()
-  }
-
-  /**
-   * Step to return value of a modeled function when an input taints the
-   * dereference of the return value.
-   */
-  cached
-  predicate additionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
-    exists(CallInstruction call, Function func, FunctionInput modelIn, FunctionOutput modelOut |
-      n1 = callInput(call, modelIn) and
-      (
-        func.(TaintFunction).hasTaintFlow(modelIn, modelOut)
-        or
-        func.(DataFlowFunction).hasDataFlow(modelIn, modelOut)
-      ) and
-      call.getStaticCallTarget() = func and
-      modelOut.isReturnValueDeref() and
-      call = n2.asInstruction()
-    )
-  }
-}
-
-private import Cached
-
-/**
- * Holds if `tainted` may contain taint from `source`.
- *
- * A tainted expression is either directly user input, or is
- * computed from user input in a way that users can probably
- * control the exact output of the computation.
- *
- * This doesn't include data flow through global variables.
- * If you need that you must call `taintedIncludingGlobalVars`.
- */
-cached
-predicate tainted(Expr source, Element tainted) {
-  exists(DataFlow::Node sink |
-    DefaultTaintTrackingFlow::flow(getNodeForSource(source), sink) and
-    tainted = adjustedSink(sink)
-  )
-}
-
-/**
- * Holds if `tainted` may contain taint from `source`, where the taint passed
- * through a global variable named `globalVar`.
- *
- * A tainted expression is either directly user input, or is
- * computed from user input in a way that users can probably
- * control the exact output of the computation.
- *
- * This version gives the same results as tainted but also includes
- * data flow through global variables.
- *
- * The parameter `globalVar` is the qualified name of the last global variable
- * used to move the value from source to tainted. If the taint did not pass
- * through a global variable, then `globalVar = ""`.
- */
-cached
-predicate taintedIncludingGlobalVars(Expr source, Element tainted, string globalVar) {
-  tainted(source, tainted) and
-  globalVar = ""
-  or
-  exists(
-    DataFlow::VariableNode variableNode, GlobalOrNamespaceVariable global, DataFlow::Node sink
-  |
-    global = variableNode.getVariable() and
-    ToGlobalVarTaintTrackingFlow::flow(getNodeForSource(source), variableNode) and
-    FromGlobalVarTaintTrackingFlow::flow(variableNode, sink) and
-    tainted = adjustedSink(sink) and
-    global = globalVarFromId(globalVar)
-  )
-}
-
-/**
- * Gets the global variable whose qualified name is `id`. Use this predicate
- * together with `taintedIncludingGlobalVars`. Example:
- *
- * ```
- * exists(string varName |
- *   taintedIncludingGlobalVars(source, tainted, varName) and
- *   var = globalVarFromId(varName)
- * )
- * ```
- */
-GlobalOrNamespaceVariable globalVarFromId(string id) { id = result.getQualifiedName() }
-
-/**
- * Provides definitions for augmenting source/sink pairs with data-flow paths
- * between them. From a `@kind path-problem` query, import this module in the
- * global scope, extend `TaintTrackingConfiguration`, and use `taintedWithPath`
- * in place of `tainted`.
- *
- * Importing this module will also import the query predicates that contain the
- * taint paths.
- */
-module TaintedWithPath {
-  private newtype TSingleton = MkSingleton()
-
-  /**
-   * A taint-tracking configuration that matches sources and sinks in the same
-   * way as the `tainted` predicate.
-   *
-   * Override `isSink` and `taintThroughGlobals` as needed, but do not provide
-   * a characteristic predicate.
-   */
-  class TaintTrackingConfiguration extends TSingleton {
-    /** Override this to specify which elements are sources in this configuration. */
-    predicate isSource(Expr source) { exists(getNodeForSource(source)) }
-
-    /** Override this to specify which elements are sinks in this configuration. */
-    abstract predicate isSink(Element e);
-
-    /** Override this to specify which expressions are barriers in this configuration. */
-    predicate isBarrier(Expr e) { nodeIsBarrier(getNodeForExpr(e)) }
-
-    /**
-     * Override this predicate to `any()` to allow taint to flow through global
-     * variables.
-     */
-    predicate taintThroughGlobals() { none() }
-
-    /** Gets a textual representation of this element. */
-    string toString() { result = "TaintTrackingConfiguration" }
-  }
-
-  private module AdjustedConfig implements DataFlow::ConfigSig {
-    predicate isSource(DataFlow::Node source) {
-      exists(TaintTrackingConfiguration cfg, Expr e |
-        cfg.isSource(e) and source = getNodeForExpr(e)
-      )
-    }
-
-    predicate isSink(DataFlow::Node sink) {
-      exists(TaintTrackingConfiguration cfg | cfg.isSink(adjustedSink(sink)))
-    }
-
-    predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
-      conflatePointerAndPointee(n1, n2)
-      or
-      // Steps into and out of global variables
-      exists(TaintTrackingConfiguration cfg | cfg.taintThroughGlobals() |
-        writesVariable(n1.asInstruction(), n2.asVariable().(GlobalOrNamespaceVariable))
-        or
-        readsVariable(n2.asInstruction(), n1.asVariable().(GlobalOrNamespaceVariable))
-      )
-      or
-      additionalTaintStep(n1, n2)
-    }
-
-    predicate isBarrier(DataFlow::Node node) {
-      exists(TaintTrackingConfiguration cfg, Expr e | cfg.isBarrier(e) and node = getNodeForExpr(e))
-    }
-
-    predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
-
-    predicate neverSkip(Node node) { none() }
-  }
-
-  private module AdjustedFlow = TaintTracking::Global<AdjustedConfig>;
-
-  /*
-   * A sink `Element` may map to multiple `DataFlowX::PathNode`s via (the
-   * inverse of) `adjustedSink`. For example, an `Expr` maps to all its
-   * conversions, and a `Variable` maps to all loads and stores from it. Because
-   * the path node is part of the tuple that constitutes the alert, this leads
-   * to duplicate alerts.
-   *
-   * To avoid showing duplicates, we edit the graph to replace the final node
-   * coming from the data-flow library with a node that matches exactly the
-   * `Element` sink that's requested.
-   *
-   * The same is done for sources.
-   */
-
-  private newtype TPathNode =
-    TWrapPathNode(AdjustedFlow::PathNode n) or
-    // There's a single newtype constructor for both sources and sinks since
-    // that makes it easiest to deal with the case where source = sink.
-    TEndpointPathNode(Element e) {
-      exists(DataFlow::Node sourceNode, DataFlow::Node sinkNode |
-        AdjustedFlow::flow(sourceNode, sinkNode)
-      |
-        sourceNode = getNodeForExpr(e) and
-        exists(TaintTrackingConfiguration ttCfg | ttCfg.isSource(e))
-        or
-        e = adjustedSink(sinkNode) and
-        exists(TaintTrackingConfiguration ttCfg | ttCfg.isSink(e))
-      )
-    }
-
-  /** An opaque type used for the nodes of a data-flow path. */
-  class PathNode extends TPathNode {
-    /** Gets a textual representation of this element. */
-    string toString() { none() }
-
-    /**
-     * Holds if this element is at the specified location.
-     * The location spans column `startcolumn` of line `startline` to
-     * column `endcolumn` of line `endline` in file `filepath`.
-     * For more information, see
-     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-     */
-    predicate hasLocationInfo(
-      string filepath, int startline, int startcolumn, int endline, int endcolumn
-    ) {
-      none()
-    }
-  }
-
-  /**
-   * INTERNAL: Do not use.
-   */
-  module Private {
-    /** Gets a predecessor `PathNode` of `pathNode`, if any. */
-    PathNode getAPredecessor(PathNode pathNode) { edges(result, pathNode) }
-
-    /** Gets the element that `pathNode` wraps, if any. */
-    Element getElementFromPathNode(PathNode pathNode) {
-      exists(DataFlow::Node node | node = pathNode.(WrapPathNode).inner().getNode() |
-        result = node.asInstruction().getAst()
-        or
-        result = node.asOperand().getDef().getAst()
-      )
-      or
-      result = pathNode.(EndpointPathNode).inner()
-    }
-  }
-
-  private class WrapPathNode extends PathNode, TWrapPathNode {
-    AdjustedFlow::PathNode inner() { this = TWrapPathNode(result) }
-
-    override string toString() { result = this.inner().toString() }
-
-    override predicate hasLocationInfo(
-      string filepath, int startline, int startcolumn, int endline, int endcolumn
-    ) {
-      this.inner().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-    }
-  }
-
-  private class EndpointPathNode extends PathNode, TEndpointPathNode {
-    Expr inner() { this = TEndpointPathNode(result) }
-
-    override string toString() { result = this.inner().toString() }
-
-    override predicate hasLocationInfo(
-      string filepath, int startline, int startcolumn, int endline, int endcolumn
-    ) {
-      this.inner()
-          .getLocation()
-          .hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-    }
-  }
-
-  /** A PathNode whose `Element` is a source. It may also be a sink. */
-  private class InitialPathNode extends EndpointPathNode {
-    InitialPathNode() { exists(TaintTrackingConfiguration cfg | cfg.isSource(this.inner())) }
-  }
-
-  /** A PathNode whose `Element` is a sink. It may also be a source. */
-  private class FinalPathNode extends EndpointPathNode {
-    FinalPathNode() { exists(TaintTrackingConfiguration cfg | cfg.isSink(this.inner())) }
-  }
-
-  /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  query predicate edges(PathNode a, PathNode b) {
-    AdjustedFlow::PathGraph::edges(a.(WrapPathNode).inner(), b.(WrapPathNode).inner())
-    or
-    // To avoid showing trivial-looking steps, we _replace_ the last node instead
-    // of adding an edge out of it.
-    exists(WrapPathNode sinkNode |
-      AdjustedFlow::PathGraph::edges(a.(WrapPathNode).inner(), sinkNode.inner()) and
-      b.(FinalPathNode).inner() = adjustedSink(sinkNode.inner().getNode())
-    )
-    or
-    // Same for the first node
-    exists(WrapPathNode sourceNode |
-      AdjustedFlow::PathGraph::edges(sourceNode.inner(), b.(WrapPathNode).inner()) and
-      sourceNode.inner().getNode() = getNodeForExpr(a.(InitialPathNode).inner())
-    )
-    or
-    // Finally, handle the case where the path goes directly from a source to a
-    // sink, meaning that they both need to be translated.
-    exists(WrapPathNode sinkNode, WrapPathNode sourceNode |
-      AdjustedFlow::PathGraph::edges(sourceNode.inner(), sinkNode.inner()) and
-      sourceNode.inner().getNode() = getNodeForExpr(a.(InitialPathNode).inner()) and
-      b.(FinalPathNode).inner() = adjustedSink(sinkNode.inner().getNode())
-    )
-  }
-
-  /**
-   * Holds if there is flow from `arg` to `out` across a call that can by summarized by the flow
-   * from `par` to `ret` within it, in the graph of data flow path explanations.
-   */
-  query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-    AdjustedFlow::PathGraph::subpaths(arg.(WrapPathNode).inner(), par.(WrapPathNode).inner(),
-      ret.(WrapPathNode).inner(), out.(WrapPathNode).inner())
-    or
-    // To avoid showing trivial-looking steps, we _replace_ the last node instead
-    // of adding an edge out of it.
-    exists(WrapPathNode sinkNode |
-      AdjustedFlow::PathGraph::subpaths(arg.(WrapPathNode).inner(), par.(WrapPathNode).inner(),
-        ret.(WrapPathNode).inner(), sinkNode.inner()) and
-      out.(FinalPathNode).inner() = adjustedSink(sinkNode.inner().getNode())
-    )
-    or
-    // Same for the first node
-    exists(WrapPathNode sourceNode |
-      AdjustedFlow::PathGraph::subpaths(sourceNode.inner(), par.(WrapPathNode).inner(),
-        ret.(WrapPathNode).inner(), out.(WrapPathNode).inner()) and
-      sourceNode.inner().getNode() = getNodeForExpr(arg.(InitialPathNode).inner())
-    )
-    or
-    // Finally, handle the case where the path goes directly from a source to a
-    // sink, meaning that they both need to be translated.
-    exists(WrapPathNode sinkNode, WrapPathNode sourceNode |
-      AdjustedFlow::PathGraph::subpaths(sourceNode.inner(), par.(WrapPathNode).inner(),
-        ret.(WrapPathNode).inner(), sinkNode.inner()) and
-      sourceNode.inner().getNode() = getNodeForExpr(arg.(InitialPathNode).inner()) and
-      out.(FinalPathNode).inner() = adjustedSink(sinkNode.inner().getNode())
-    )
-  }
-
-  /** Holds if `n` is a node in the graph of data flow path explanations. */
-  query predicate nodes(PathNode n, string key, string val) {
-    key = "semmle.label" and val = n.toString()
-  }
-
-  /**
-   * Holds if `tainted` may contain taint from `source`, where `sourceNode` and
-   * `sinkNode` are the corresponding `PathNode`s that can be used in a query
-   * to provide path explanations. Extend `TaintTrackingConfiguration` to use
-   * this predicate.
-   *
-   * A tainted expression is either directly user input, or is computed from
-   * user input in a way that users can probably control the exact output of
-   * the computation.
-   */
-  predicate taintedWithPath(Expr source, Element tainted, PathNode sourceNode, PathNode sinkNode) {
-    exists(DataFlow::Node flowSource, DataFlow::Node flowSink |
-      source = sourceNode.(InitialPathNode).inner() and
-      flowSource = getNodeForExpr(source) and
-      AdjustedFlow::flow(flowSource, flowSink) and
-      tainted = adjustedSink(flowSink) and
-      tainted = sinkNode.(FinalPathNode).inner()
-    )
-  }
-
-  private predicate isGlobalVariablePathNode(WrapPathNode n) {
-    n.inner().getNode().asVariable() instanceof GlobalOrNamespaceVariable
-    or
-    n.inner().getNode().asIndirectVariable() instanceof GlobalOrNamespaceVariable
-  }
-
-  private predicate edgesWithoutGlobals(PathNode a, PathNode b) {
-    edges(a, b) and
-    not isGlobalVariablePathNode(a) and
-    not isGlobalVariablePathNode(b)
-  }
-
-  /**
-   * Holds if `tainted` can be reached from a taint source without passing
-   * through a global variable.
-   */
-  predicate taintedWithoutGlobals(Element tainted) {
-    exists(PathNode sourceNode, FinalPathNode sinkNode |
-      AdjustedConfig::isSource(sourceNode.(WrapPathNode).inner().getNode()) and
-      edgesWithoutGlobals+(sourceNode, sinkNode) and
-      tainted = sinkNode.inner()
-    )
-  }
-}
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/Node0ToString.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/Node0ToString.qll
@@ -0,0 +1,53 @@
+/**
+ * This file imports the class that is used to construct the strings used by
+ * `Node.ToString`.
+ *
+ * Normally, this file should just import `NormalNode0ToString` to compute the
+ * efficient `toString`, but for debugging purposes one can import
+ * `DebugPrinting.qll` to better correlate the dataflow nodes with their
+ * underlying instructions and operands.
+ */
+
+private import semmle.code.cpp.ir.IR
+private import codeql.util.Unit
+private import DataFlowUtil
+import NormalNode0ToString // Change this import to control which version should be used.
+
+/** An abstract class to control the behavior of `Node.toString`. */
+abstract class Node0ToString extends Unit {
+  /**
+   * Gets the string that should be used by `OperandNode.toString` to print the
+   * dataflow node whose underlying operand is `op.`
+   */
+  abstract string operandToString(Operand op);
+
+  /**
+   * Gets the string that should be used by `InstructionNode.toString` to print
+   * the dataflow node whose underlying instruction is `instr`.
+   */
+  abstract string instructionToString(Instruction i);
+
+  /**
+   * Gets the string representation of the `Expr` associated with `n`, if any.
+   */
+  abstract string toExprString(Node n);
+}
+
+/**
+ * Gets the string that should be used by `OperandNode.toString` to print the
+ * dataflow node whose underlying operand is `op.`
+ */
+string operandToString(Operand op) { result = any(Node0ToString s).operandToString(op) }
+
+/**
+ * Gets the string that should be used by `InstructionNode.toString` to print
+ * the dataflow node whose underlying instruction is `instr`.
+ */
+string instructionToString(Instruction instr) {
+  result = any(Node0ToString s).instructionToString(instr)
+}
+
+/**
+ * Gets the string representation of the `Expr` associated with `n`, if any.
+ */
+string toExprString(Node n) { result = any(Node0ToString s).toExprString(n) }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/NormalNode0ToString.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/NormalNode0ToString.qll
@@ -0,0 +1,36 @@
+/**
+ * This file contains the class that implements the non-debug version of
+ * `toString` for `Instruction` and `Operand` dataflow nodes.
+ */
+
+private import semmle.code.cpp.ir.IR
+private import codeql.util.Unit
+private import Node0ToString
+private import DataFlowUtil
+private import DataFlowPrivate
+
+private class NormalNode0ToString extends Node0ToString {
+  NormalNode0ToString() {
+    // Silence warning about `this` not being bound.
+    exists(this)
+  }
+
+  override string instructionToString(Instruction i) {
+    if i.(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable
+    then result = "this"
+    else result = i.getAst().toString()
+  }
+
+  override string operandToString(Operand op) {
+    if op.getDef().(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable
+    then result = "this"
+    else result = op.getDef().getAst().toString()
+  }
+
+  override string toExprString(Node n) {
+    result = n.asExpr(0).toString()
+    or
+    not exists(n.asExpr()) and
+    result = stars(n) + n.asIndirectExpr(0, 1).toString()
+  }
+}
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintDataFlowRelevantIR.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintDataFlowRelevantIR.qll
@@ -0,0 +1,12 @@
+private import cpp
+private import semmle.code.cpp.ir.IR
+private import SsaInternals as Ssa
+
+/**
+ * A property provider that hides all instructions and operands that are not relevant for IR dataflow.
+ */
+class DataFlowRelevantIRPropertyProvider extends IRPropertyProvider {
+  override predicate shouldPrintOperand(Operand operand) { not Ssa::ignoreOperand(operand) }
+
+  override predicate shouldPrintInstruction(Instruction instr) { not Ssa::ignoreInstruction(instr) }
+}
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRLocalFlow.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRLocalFlow.qll
@@ -1,6 +1,7 @@
 private import cpp
 private import semmle.code.cpp.ir.IR
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
 private import SsaInternals as Ssa
 private import PrintIRUtilities

@@ -33,9 +34,9 @@ private string getNodeProperty(Node node, string key) {
  key = "flow" and
  result =
    strictconcat(string flow, boolean to, int order1, int order2 |
-      flow = getFromFlow(node, order1, order2) + "->" + starsForNode(node) + "@" and to = false
+      flow = getFromFlow(node, order1, order2) + "->" + stars(node) + "@" and to = false
      or
-      flow = starsForNode(node) + "@->" + getToFlow(node, order1, order2) and to = true
+      flow = stars(node) + "@->" + getToFlow(node, order1, order2) and to = true
    |
      flow, ", " order by to, order1, order2, flow
    )
@@ -59,8 +60,4 @@ class LocalFlowPropertyProvider extends IRPropertyProvider {
      result = getNodeProperty(node, key)
    )
  }
-
-  override predicate shouldPrintOperand(Operand operand) { not Ssa::ignoreOperand(operand) }
-
-  override predicate shouldPrintInstruction(Instruction instr) { not Ssa::ignoreInstruction(instr) }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRUtilities.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRUtilities.qll
@@ -7,37 +7,14 @@ private import semmle.code.cpp.ir.IR
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate

-private string stars(int k) {
-  k =
-    [0 .. max([
-            any(RawIndirectInstruction n).getIndirectionIndex(),
-            any(RawIndirectOperand n).getIndirectionIndex()
-          ]
-      )] and
-  (if k = 0 then result = "" else result = "*" + stars(k - 1))
-}
-
-string starsForNode(Node node) {
-  exists(int indirectionIndex |
-    node.(IndirectInstruction).hasInstructionAndIndirectionIndex(_, indirectionIndex) or
-    node.(IndirectOperand).hasOperandAndIndirectionIndex(_, indirectionIndex)
-  |
-    result = stars(indirectionIndex)
-  )
-  or
-  not node instanceof IndirectInstruction and
-  not node instanceof IndirectOperand and
-  result = ""
-}
-
 private Instruction getInstruction(Node n, string stars) {
  result = [n.asInstruction(), n.(RawIndirectInstruction).getInstruction()] and
-  stars = starsForNode(n)
+  stars = stars(n)
 }

 private Operand getOperand(Node n, string stars) {
  result = [n.asOperand(), n.(RawIndirectOperand).getOperand()] and
-  stars = starsForNode(n)
+  stars = stars(n)
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
@@ -16,6 +16,15 @@ private module SourceVariables {
      ind = [0 .. countIndirectionsForCppType(base.getLanguageType()) + 1]
    }

+  private int maxNumberOfIndirections() { result = max(SourceVariable sv | | sv.getIndirection()) }
+
+  private string repeatStars(int n) {
+    n = 0 and result = ""
+    or
+    n = [1 .. maxNumberOfIndirections()] and
+    result = "*" + repeatStars(n - 1)
+  }
+
  class SourceVariable extends TSourceVariable {
    SsaInternals0::SourceVariable base;
    int ind;
@@ -32,13 +41,7 @@ private module SourceVariables {
    SsaInternals0::SourceVariable getBaseVariable() { result = base }

    /** Gets a textual representation of this element. */
-    string toString() {
-      ind = 0 and
-      result = this.getBaseVariable().toString()
-      or
-      ind > 0 and
-      result = this.getBaseVariable().toString() + " indirection"
-    }
+    string toString() { result = repeatStars(this.getIndirection()) + base.toString() }

    /**
     * Gets the number of loads performed on the base source variable
@@ -59,6 +62,9 @@ private module SourceVariables {
      then result = base.getType()
      else result = getTypeImpl(base.getType(), ind - 1)
    }
+
+    /** Gets the location of this variable. */
+    Location getLocation() { result = this.getBaseVariable().getLocation() }
  }
 }

@@ -869,7 +875,7 @@ private predicate sourceVariableIsGlobal(
  )
 }

-private module SsaInput implements SsaImplCommon::InputSig {
+private module SsaInput implements SsaImplCommon::InputSig<Location> {
  import InputSigCommon
  import SourceVariables

@@ -1092,7 +1098,7 @@ class Def extends DefOrUse {
  predicate isCertain() { defOrUse.isCertain() }
 }

-private module SsaImpl = SsaImplCommon::Make<SsaInput>;
+private module SsaImpl = SsaImplCommon::Make<Location, SsaInput>;

 class PhiNode extends SsaImpl::DefinitionExt {
  PhiNode() {
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll
@@ -377,6 +377,9 @@ abstract private class AbstractBaseSourceVariable extends TBaseSourceVariable {
  /** Gets a textual representation of this element. */
  abstract string toString();

+  /** Gets the location of this variable. */
+  abstract Location getLocation();
+
  /** Gets the type of this base source variable. */
  final DataFlowType getType() { this.getLanguageType().hasUnspecifiedType(result, _) }

@@ -395,6 +398,8 @@ class BaseIRVariable extends AbstractBaseSourceVariable, TBaseIRVariable {

  override string toString() { result = var.toString() }

+  override Location getLocation() { result = var.getLocation() }
+
  override CppType getLanguageType() { result = var.getLanguageType() }
 }

@@ -407,63 +412,47 @@ class BaseCallVariable extends AbstractBaseSourceVariable, TBaseCallVariable {

  override string toString() { result = call.toString() }

+  override Location getLocation() { result = call.getLocation() }
+
  override CppType getLanguageType() { result = getResultLanguageType(call) }
 }

-/**
- * Holds if the value pointed to by `operand` can potentially be
- * modified be the caller.
- */
-predicate isModifiableByCall(ArgumentOperand operand, int indirectionIndex) {
-  exists(CallInstruction call, int index, CppType type |
-    indirectionIndex = [1 .. countIndirectionsForCppType(type)] and
-    type = getLanguageType(operand) and
-    call.getArgumentOperand(index) = operand and
-    if index = -1
-    then
-      // A qualifier is "modifiable" if:
-      // 1. the member function is not const specified, or
-      // 2. the member function is `const` specified, but returns a pointer or reference
-      // type that is non-const.
-      //
-      // To see why this is necessary, consider the following function:
-      // ```
-      // struct C {
-      //   void* data_;
-      //   void* data() const { return data; }
-      // };
-      // ...
-      // C c;
-      // memcpy(c.data(), source, 16)
-      // ```
-      // the data pointed to by `c.data_` is potentially modified by the call to `memcpy` even though
-      // `C::data` has a const specifier. So we further place the restriction that the type returned
-      // by `call` should not be of the form `const T*` (for some deeply const type `T`).
-      if call.getStaticCallTarget() instanceof Cpp::ConstMemberFunction
-      then
-        exists(PointerOrArrayOrReferenceType resultType |
-          resultType = call.getResultType() and
-          not resultType.isDeeplyConstBelow()
-        )
-      else any()
-    else
-      // An argument is modifiable if it's a non-const pointer or reference type.
-      isModifiableAt(type, indirectionIndex)
-  )
-}
+private module IsModifiableAtImpl {
+  pragma[nomagic]
+  private predicate isUnderlyingIndirectionType(Type t) {
+    t = any(Indirection ind).getUnderlyingType()
+  }

-/**
- * Holds if `t` is a pointer or reference type that supports at least `indirectionIndex` number
- * of indirections, and the `indirectionIndex` indirection cannot be modfiied by passing a
- * value of `t` to a function.
- */
-private predicate isModifiableAtImpl(CppType cppType, int indirectionIndex) {
-  indirectionIndex = [1 .. countIndirectionsForCppType(cppType)] and
-  (
-    exists(Type pointerType, Type base, Type t |
-      pointerType = t.getUnderlyingType() and
-      pointerType = any(Indirection ind).getUnderlyingType() and
-      cppType.hasType(t, _) and
+  /**
+   * Holds if the `indirectionIndex`'th dereference of a value of type
+   * `cppType` is a type that can be modified (either by modifying the value
+   * itself or one of its fields if it's a class type).
+   *
+   * For example, a value of type `const int* const` cannot be modified
+   * at any indirection index (because it's a constant pointer to constant
+   * data), and a value of type `int *const *` is modifiable at indirection index
+   * 2 only.
+   *
+   * A value of type `const S2* s2` where `s2` is
+   * ```cpp
+   * struct S { int x; }
+   * ```
+   * can be modified at indirection index 1. This is to ensure that we generate
+   * a `PostUpdateNode` for the argument corresponding to the `s2` parameter in
+   * an example such as:
+   * ```cpp
+   * void set_field(const S2* s2)
+   * {
+   *  s2->s->x = 42;
+   * }
+   * ```
+   */
+  bindingset[cppType, indirectionIndex]
+  pragma[inline_late]
+  private predicate impl(CppType cppType, int indirectionIndex) {
+    exists(Type pointerType, Type base |
+      isUnderlyingIndirectionType(pointerType) and
+      cppType.hasUnderlyingType(pointerType, _) and
      base = getTypeImpl(pointerType, indirectionIndex)
    |
      // The value cannot be modified if it has a const specifier,
@@ -473,28 +462,114 @@ private predicate isModifiableAtImpl(CppType cppType, int indirectionIndex) {
      // one of the members was modified.
      exists(base.stripType().(Cpp::Class).getAField())
    )
+  }
+
+  /**
+   * Holds if `cppType` is modifiable with an indirection index of at least 1.
+   *
+   * This predicate factored out into a separate predicate for two reasons:
+   * - This predicate needs to be recursive because, if a type is modifiable
+   * at indirection `i`, then it's also modifiable at indirection index `i+1`
+   * (because the pointer could be completely re-assigned at indirection `i`).
+   * - We special-case indirection index `0` so that pointer arguments that can
+   * be modified at some index always have a `PostUpdateNode` at indiretion
+   * index 0 even though the 0'th indirection can never be modified by a
+   * callee.
+   */
+  private predicate isModifiableAtImplAtLeast1(CppType cppType, int indirectionIndex) {
+    indirectionIndex = [1 .. countIndirectionsForCppType(cppType)] and
+    (
+      impl(cppType, indirectionIndex)
+      or
+      // If the `indirectionIndex`'th dereference of a type can be modified
+      // then so can the  `indirectionIndex + 1`'th dereference.
+      isModifiableAtImplAtLeast1(cppType, indirectionIndex - 1)
+    )
+  }
+
+  /**
+   * Holds if `cppType` is modifiable at indirection index 0.
+   *
+   * In reality, the 0'th indirection of a pointer (i.e., the pointer itself)
+   * can never be modified by a callee, but it is sometimes useful to be able
+   * to specify the value of the pointer, as its coming out of a function, as
+   * a source of dataflow since the shared library's reverse-read mechanism
+   * then ensures that field-flow is accounted for.
+   */
+  private predicate isModifiableAtImplAt0(CppType cppType) { impl(cppType, 0) }
+
+  /**
+   * Holds if `t` is a pointer or reference type that supports at least
+   * `indirectionIndex` number of indirections, and the `indirectionIndex`
+   * indirection cannot be modfiied by passing a value of `t` to a function.
+   */
+  private predicate isModifiableAtImpl(CppType cppType, int indirectionIndex) {
+    isModifiableAtImplAtLeast1(cppType, indirectionIndex)
    or
-    // If the `indirectionIndex`'th dereference of a type can be modified
-    // then so can the  `indirectionIndex + 1`'th dereference.
-    isModifiableAtImpl(cppType, indirectionIndex - 1)
-  )
+    indirectionIndex = 0 and
+    isModifiableAtImplAt0(cppType)
+  }
+
+  /**
+   * Holds if `t` is a type with at least `indirectionIndex` number of
+   * indirections, and the `indirectionIndex` indirection can be modified by
+   * passing a value of type `t` to a function function.
+   */
+  bindingset[indirectionIndex]
+  predicate isModifiableAt(CppType cppType, int indirectionIndex) {
+    isModifiableAtImpl(cppType, indirectionIndex)
+    or
+    exists(PointerWrapper pw, Type t |
+      cppType.hasType(t, _) and
+      t.stripType() = pw and
+      not pw.pointsToConst()
+    )
+  }
+
+  /**
+   * Holds if the value pointed to by `operand` can potentially be
+   * modified be the caller.
+   */
+  predicate isModifiableByCall(ArgumentOperand operand, int indirectionIndex) {
+    exists(CallInstruction call, int index, CppType type |
+      indirectionIndex = [0 .. countIndirectionsForCppType(type)] and
+      type = getLanguageType(operand) and
+      call.getArgumentOperand(index) = operand and
+      if index = -1
+      then
+        // A qualifier is "modifiable" if:
+        // 1. the member function is not const specified, or
+        // 2. the member function is `const` specified, but returns a pointer or reference
+        // type that is non-const.
+        //
+        // To see why this is necessary, consider the following function:
+        // ```
+        // struct C {
+        //   void* data_;
+        //   void* data() const { return data; }
+        // };
+        // ...
+        // C c;
+        // memcpy(c.data(), source, 16)
+        // ```
+        // the data pointed to by `c.data_` is potentially modified by the call to `memcpy` even though
+        // `C::data` has a const specifier. So we further place the restriction that the type returned
+        // by `call` should not be of the form `const T*` (for some deeply const type `T`).
+        if call.getStaticCallTarget() instanceof Cpp::ConstMemberFunction
+        then
+          exists(PointerOrArrayOrReferenceType resultType |
+            resultType = call.getResultType() and
+            not resultType.isDeeplyConstBelow()
+          )
+        else any()
+      else
+        // An argument is modifiable if it's a non-const pointer or reference type.
+        isModifiableAt(type, indirectionIndex)
+    )
+  }
 }

-/**
- * Holds if `t` is a type with at least `indirectionIndex` number of indirections,
- * and the `indirectionIndex` indirection can be modified by passing a value of
- * type `t` to a function function.
- */
-bindingset[indirectionIndex]
-predicate isModifiableAt(CppType cppType, int indirectionIndex) {
-  isModifiableAtImpl(cppType, indirectionIndex)
-  or
-  exists(PointerWrapper pw, Type t |
-    cppType.hasType(t, _) and
-    t.stripType() = pw and
-    not pw.pointsToConst()
-  )
-}
+import IsModifiableAtImpl

 abstract class BaseSourceVariableInstruction extends Instruction {
  /** Gets the base source variable accessed by this instruction. */
@@ -872,7 +947,7 @@ private module Cached {
      upper = countIndirectionsForCppType(type) and
      ind = ind0 + [lower .. upper] and
      indirectionIndex = ind - (ind0 + lower) and
-      (if type.hasType(any(Cpp::ArrayType arrayType), true) then lower = 0 else lower = 1)
+      lower = getMinIndirectionsForType(any(Type t | type.hasUnspecifiedType(t, _)))
    )
  }

--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
@@ -72,6 +72,16 @@ private predicate operandToInstructionTaintStep(Operand opFrom, Instruction inst
    or
    instrTo.(FieldAddressInstruction).getField().getDeclaringType() instanceof Union
  )
+  or
+  // Taint from int to boolean casts. This ensures that we have flow to `!x` in:
+  // ```cpp
+  // x = integer_source();
+  // if(!x) { ... }
+  // ```
+  exists(Operand zero |
+    zero.getDef().(ConstantValueInstruction).getValue() = "0" and
+    instrTo.(CompareNEInstruction).hasOperands(opFrom, zero)
+  )
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ssa0/SsaInternals.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ssa0/SsaInternals.qll
@@ -229,7 +229,7 @@ private class FinalParameterUse extends UseImpl, TFinalParameterUse {
  override predicate isCertain() { any() }
 }

-private module SsaInput implements SsaImplCommon::InputSig {
+private module SsaInput implements SsaImplCommon::InputSig<Location> {
  import InputSigCommon
  import SourceVariables

@@ -335,7 +335,7 @@ class Def extends DefOrUse {
  predicate isIteratorDef() { defOrUse instanceof IteratorDef }
 }

-private module SsaImpl = SsaImplCommon::Make<SsaInput>;
+private module SsaImpl = SsaImplCommon::Make<Location, SsaInput>;

 class PhiNode extends SsaImpl::DefinitionExt {
  PhiNode() {
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
@@ -1,4 +1,6 @@
 /**
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *
 * Provides an implementation of global (interprocedural) taint tracking.
 * This file re-exports the local (intraprocedural) taint-tracking analysis
 * from `TaintTrackingParameter::Public` and adds a global analysis, mainly
@@ -12,6 +14,8 @@ import TaintTrackingParameter::Public
 private import TaintTrackingParameter::Private

 /**
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *
 * A configuration of interprocedural taint tracking analysis. This defines
 * sources, sinks, and any other configurable aspect of the analysis. Each
 * use of the taint tracking library must define its own unique extension of
@@ -51,7 +55,7 @@ private import TaintTrackingParameter::Private
 * Instead, the dependency should go to a `TaintTracking2::Configuration` or a
 * `DataFlow2::Configuration`, `DataFlow3::Configuration`, etc.
 */
-abstract class Configuration extends DataFlow::Configuration {
+abstract deprecated class Configuration extends DataFlow::Configuration {
  bindingset[this]
  Configuration() { any() }

--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
@@ -1,4 +1,6 @@
 /**
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *
 * Provides an implementation of global (interprocedural) taint tracking.
 * This file re-exports the local (intraprocedural) taint-tracking analysis
 * from `TaintTrackingParameter::Public` and adds a global analysis, mainly
@@ -12,6 +14,8 @@ import TaintTrackingParameter::Public
 private import TaintTrackingParameter::Private

 /**
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *
 * A configuration of interprocedural taint tracking analysis. This defines
 * sources, sinks, and any other configurable aspect of the analysis. Each
 * use of the taint tracking library must define its own unique extension of
@@ -51,7 +55,7 @@ private import TaintTrackingParameter::Private
 * Instead, the dependency should go to a `TaintTracking2::Configuration` or a
 * `DataFlow2::Configuration`, `DataFlow3::Configuration`, etc.
 */
-abstract class Configuration extends DataFlow::Configuration {
+abstract deprecated class Configuration extends DataFlow::Configuration {
  bindingset[this]
  Configuration() { any() }

--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll
@@ -1,4 +1,6 @@
 /**
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *
 * Provides an implementation of global (interprocedural) taint tracking.
 * This file re-exports the local (intraprocedural) taint-tracking analysis
 * from `TaintTrackingParameter::Public` and adds a global analysis, mainly
@@ -12,6 +14,8 @@ import TaintTrackingParameter::Public
 private import TaintTrackingParameter::Private

 /**
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *
 * A configuration of interprocedural taint tracking analysis. This defines
 * sources, sinks, and any other configurable aspect of the analysis. Each
 * use of the taint tracking library must define its own unique extension of
@@ -51,7 +55,7 @@ private import TaintTrackingParameter::Private
 * Instead, the dependency should go to a `TaintTracking2::Configuration` or a
 * `DataFlow2::Configuration`, `DataFlow3::Configuration`, etc.
 */
-abstract class Configuration extends DataFlow::Configuration {
+abstract deprecated class Configuration extends DataFlow::Configuration {
  bindingset[this]
  Configuration() { any() }

--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/constant/ConstantAnalysis.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/constant/ConstantAnalysis.qll
@@ -12,6 +12,9 @@ int getConstantValue(Instruction instr) {
  or
  result = getConstantValue(instr.(CopyInstruction).getSourceValue())
  or
+  getConstantValue(instr.(LogicalNotInstruction).getUnary()) != 0 and
+  result = 0
+  or
  exists(PhiInstruction phi |
    phi = instr and
    result = unique(Operand op | op = phi.getAnInputOperand() | getConstantValue(op.getDef()))
@@ -26,28 +29,25 @@ private predicate binaryInstructionOperands(BinaryInstruction instr, int left, i

 pragma[noinline]
 private int getBinaryInstructionValue(BinaryInstruction instr) {
-  exists(int left, int right |
-    binaryInstructionOperands(instr, left, right) and
-    (
-      instr instanceof AddInstruction and result = add(left, right)
-      or
-      instr instanceof SubInstruction and result = sub(left, right)
-      or
-      instr instanceof MulInstruction and result = mul(left, right)
-      or
-      instr instanceof DivInstruction and result = div(left, right)
-      or
-      instr instanceof CompareEQInstruction and result = compareEQ(left, right)
-      or
-      instr instanceof CompareNEInstruction and result = compareNE(left, right)
-      or
-      instr instanceof CompareLTInstruction and result = compareLT(left, right)
-      or
-      instr instanceof CompareGTInstruction and result = compareGT(left, right)
-      or
-      instr instanceof CompareLEInstruction and result = compareLE(left, right)
-      or
-      instr instanceof CompareGEInstruction and result = compareGE(left, right)
-    )
+  exists(int left, int right | binaryInstructionOperands(instr, left, right) |
+    instr instanceof AddInstruction and result = add(left, right)
+    or
+    instr instanceof SubInstruction and result = sub(left, right)
+    or
+    instr instanceof MulInstruction and result = mul(left, right)
+    or
+    instr instanceof DivInstruction and result = div(left, right)
+    or
+    instr instanceof CompareEQInstruction and result = compareEQ(left, right)
+    or
+    instr instanceof CompareNEInstruction and result = compareNE(left, right)
+    or
+    instr instanceof CompareLTInstruction and result = compareLT(left, right)
+    or
+    instr instanceof CompareGTInstruction and result = compareGT(left, right)
+    or
+    instr instanceof CompareLEInstruction and result = compareLE(left, right)
+    or
+    instr instanceof CompareGEInstruction and result = compareGE(left, right)
  )
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TOperand.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TOperand.qll
@@ -23,9 +23,8 @@ private module Internal {
  newtype TOperand =
    // RAW
    TRegisterOperand(TRawInstruction useInstr, RegisterOperandTag tag, TRawInstruction defInstr) {
-      defInstr = RawConstruction::getRegisterOperandDefinition(useInstr, tag) and
-      not RawConstruction::isInCycle(useInstr) and
-      strictcount(RawConstruction::getRegisterOperandDefinition(useInstr, tag)) = 1
+      defInstr = unique( | | RawConstruction::getRegisterOperandDefinition(useInstr, tag)) and
+      not RawConstruction::isInCycle(useInstr)
    } or
    // Placeholder for Phi and Chi operands in stages that don't have the corresponding instructions
    TNoOperand() { none() } or
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/constant/ConstantAnalysis.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/constant/ConstantAnalysis.qll
@@ -12,6 +12,9 @@ int getConstantValue(Instruction instr) {
  or
  result = getConstantValue(instr.(CopyInstruction).getSourceValue())
  or
+  getConstantValue(instr.(LogicalNotInstruction).getUnary()) != 0 and
+  result = 0
+  or
  exists(PhiInstruction phi |
    phi = instr and
    result = unique(Operand op | op = phi.getAnInputOperand() | getConstantValue(op.getDef()))
@@ -26,28 +29,25 @@ private predicate binaryInstructionOperands(BinaryInstruction instr, int left, i

 pragma[noinline]
 private int getBinaryInstructionValue(BinaryInstruction instr) {
-  exists(int left, int right |
-    binaryInstructionOperands(instr, left, right) and
-    (
-      instr instanceof AddInstruction and result = add(left, right)
-      or
-      instr instanceof SubInstruction and result = sub(left, right)
-      or
-      instr instanceof MulInstruction and result = mul(left, right)
-      or
-      instr instanceof DivInstruction and result = div(left, right)
-      or
-      instr instanceof CompareEQInstruction and result = compareEQ(left, right)
-      or
-      instr instanceof CompareNEInstruction and result = compareNE(left, right)
-      or
-      instr instanceof CompareLTInstruction and result = compareLT(left, right)
-      or
-      instr instanceof CompareGTInstruction and result = compareGT(left, right)
-      or
-      instr instanceof CompareLEInstruction and result = compareLE(left, right)
-      or
-      instr instanceof CompareGEInstruction and result = compareGE(left, right)
-    )
+  exists(int left, int right | binaryInstructionOperands(instr, left, right) |
+    instr instanceof AddInstruction and result = add(left, right)
+    or
+    instr instanceof SubInstruction and result = sub(left, right)
+    or
+    instr instanceof MulInstruction and result = mul(left, right)
+    or
+    instr instanceof DivInstruction and result = div(left, right)
+    or
+    instr instanceof CompareEQInstruction and result = compareEQ(left, right)
+    or
+    instr instanceof CompareNEInstruction and result = compareNE(left, right)
+    or
+    instr instanceof CompareLTInstruction and result = compareLT(left, right)
+    or
+    instr instanceof CompareGTInstruction and result = compareGT(left, right)
+    or
+    instr instanceof CompareLEInstruction and result = compareLE(left, right)
+    or
+    instr instanceof CompareGEInstruction and result = compareGE(left, right)
  )
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCondition.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCondition.qll
@@ -77,24 +77,6 @@ class TranslatedParenthesisCondition extends TranslatedFlexibleCondition {
  }
 }

-class TranslatedNotCondition extends TranslatedFlexibleCondition {
-  override NotExpr expr;
-
-  override Instruction getChildTrueSuccessor(TranslatedCondition child) {
-    child = this.getOperand() and
-    result = this.getConditionContext().getChildFalseSuccessor(this)
-  }
-
-  override Instruction getChildFalseSuccessor(TranslatedCondition child) {
-    child = this.getOperand() and
-    result = this.getConditionContext().getChildTrueSuccessor(this)
-  }
-
-  override TranslatedCondition getOperand() {
-    result = getTranslatedCondition(expr.getOperand().getFullyConverted())
-  }
-}
-
 abstract class TranslatedNativeCondition extends TranslatedCondition, TTranslatedNativeCondition {
  TranslatedNativeCondition() { this = TTranslatedNativeCondition(expr) }

--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
@@ -190,10 +190,7 @@ private predicate isNativeCondition(Expr expr) {
 * depending on context.
 */
 private predicate isFlexibleCondition(Expr expr) {
-  (
-    expr instanceof ParenthesisExpr or
-    expr instanceof NotExpr
-  ) and
+  expr instanceof ParenthesisExpr and
  usedAsCondition(expr) and
  not isIRConstant(expr)
 }
@@ -218,11 +215,6 @@ private predicate usedAsCondition(Expr expr) {
    condExpr.getCondition().getFullyConverted() = expr and not condExpr.isTwoOperand()
  )
  or
-  exists(NotExpr notExpr |
-    notExpr.getOperand().getFullyConverted() = expr and
-    usedAsCondition(notExpr)
-  )
-  or
  exists(ParenthesisExpr paren |
    paren.getExpr() = expr and
    usedAsCondition(paren)
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/constant/ConstantAnalysis.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/constant/ConstantAnalysis.qll
@@ -12,6 +12,9 @@ int getConstantValue(Instruction instr) {
  or
  result = getConstantValue(instr.(CopyInstruction).getSourceValue())
  or
+  getConstantValue(instr.(LogicalNotInstruction).getUnary()) != 0 and
+  result = 0
+  or
  exists(PhiInstruction phi |
    phi = instr and
    result = unique(Operand op | op = phi.getAnInputOperand() | getConstantValue(op.getDef()))
@@ -26,28 +29,25 @@ private predicate binaryInstructionOperands(BinaryInstruction instr, int left, i

 pragma[noinline]
 private int getBinaryInstructionValue(BinaryInstruction instr) {
-  exists(int left, int right |
-    binaryInstructionOperands(instr, left, right) and
-    (
-      instr instanceof AddInstruction and result = add(left, right)
-      or
-      instr instanceof SubInstruction and result = sub(left, right)
-      or
-      instr instanceof MulInstruction and result = mul(left, right)
-      or
-      instr instanceof DivInstruction and result = div(left, right)
-      or
-      instr instanceof CompareEQInstruction and result = compareEQ(left, right)
-      or
-      instr instanceof CompareNEInstruction and result = compareNE(left, right)
-      or
-      instr instanceof CompareLTInstruction and result = compareLT(left, right)
-      or
-      instr instanceof CompareGTInstruction and result = compareGT(left, right)
-      or
-      instr instanceof CompareLEInstruction and result = compareLE(left, right)
-      or
-      instr instanceof CompareGEInstruction and result = compareGE(left, right)
-    )
+  exists(int left, int right | binaryInstructionOperands(instr, left, right) |
+    instr instanceof AddInstruction and result = add(left, right)
+    or
+    instr instanceof SubInstruction and result = sub(left, right)
+    or
+    instr instanceof MulInstruction and result = mul(left, right)
+    or
+    instr instanceof DivInstruction and result = div(left, right)
+    or
+    instr instanceof CompareEQInstruction and result = compareEQ(left, right)
+    or
+    instr instanceof CompareNEInstruction and result = compareNE(left, right)
+    or
+    instr instanceof CompareLTInstruction and result = compareLT(left, right)
+    or
+    instr instanceof CompareGTInstruction and result = compareGT(left, right)
+    or
+    instr instanceof CompareLEInstruction and result = compareLE(left, right)
+    or
+    instr instanceof CompareGEInstruction and result = compareGE(left, right)
  )
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/internal/CppType.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/internal/CppType.qll
@@ -227,7 +227,7 @@ class CppType extends TCppType {
  predicate hasType(Type type, boolean isGLValue) { none() }

  /**
-   * Holds if this type represents the C++ type `type`. If `isGLValue` is `true`, then this type
+   * Holds if this type represents the C++ unspecified type `type`. If `isGLValue` is `true`, then this type
   * represents a glvalue of type `type`. Otherwise, it represents a prvalue of type `type`.
   */
  final predicate hasUnspecifiedType(Type type, boolean isGLValue) {
@@ -236,6 +236,18 @@ class CppType extends TCppType {
      type = specifiedType.getUnspecifiedType()
    )
  }
+
+  /**
+   * Holds if this type represents the C++ type `type` (after resolving
+   * typedefs). If `isGLValue` is `true`, then this type represents a glvalue
+   * of type `type`. Otherwise, it represents a prvalue of type `type`.
+   */
+  final predicate hasUnderlyingType(Type type, boolean isGLValue) {
+    exists(Type typedefType |
+      this.hasType(typedefType, isGLValue) and
+      type = typedefType.getUnderlyingType()
+    )
+  }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Getenv.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Getenv.qll
@@ -16,10 +16,7 @@ class Getenv extends LocalFlowSourceFunction {
  }

  override predicate hasLocalFlowSource(FunctionOutput output, string description) {
-    (
-      output.isReturnValueDeref() or
-      output.isReturnValue()
-    ) and
+    output.isReturnValueDeref() and
    description = "an environment variable"
  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Gets.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Gets.qll
@@ -51,7 +51,6 @@ private class FgetsFunction extends DataFlowFunction, TaintFunction, ArrayFuncti
  override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
    (
      output.isParameterDeref(0) or
-      output.isReturnValue() or
      output.isReturnValueDeref()
    ) and
    description = "string read by " + this.getName()
@@ -102,7 +101,6 @@ private class GetsFunction extends DataFlowFunction, ArrayFunction, AliasFunctio
  override predicate hasLocalFlowSource(FunctionOutput output, string description) {
    (
      output.isParameterDeref(0) or
-      output.isReturnValue() or
      output.isReturnValueDeref()
    ) and
    description = "string read by " + this.getName()
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/StdContainer.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/StdContainer.qll
@@ -123,7 +123,7 @@ private class StdSequenceContainerData extends TaintFunction {
 /**
 * The standard container functions `push_back` and `push_front`.
 */
-private class StdSequenceContainerPush extends TaintFunction {
+class StdSequenceContainerPush extends MemberFunction {
  StdSequenceContainerPush() {
    this.getClassAndName("push_back") instanceof Vector or
    this.getClassAndName(["push_back", "push_front"]) instanceof Deque or
@@ -131,6 +131,17 @@ private class StdSequenceContainerPush extends TaintFunction {
    this.getClassAndName(["push_back", "push_front"]) instanceof List
  }

+  /**
+   * Gets the index of a parameter to this function that is a reference to the
+   * value type of the container.
+   */
+  int getAValueTypeParameterIndex() {
+    this.getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
+      this.getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector<T>`
+  }
+}
+
+private class StdSequenceContainerPushModel extends StdSequenceContainerPush, TaintFunction {
  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    // flow from parameter to qualifier
    input.isParameterDeref(0) and
@@ -160,7 +171,7 @@ private class StdSequenceContainerFrontBack extends TaintFunction {
 /**
 * The standard container functions `insert` and `insert_after`.
 */
-private class StdSequenceContainerInsert extends TaintFunction {
+class StdSequenceContainerInsert extends MemberFunction {
  StdSequenceContainerInsert() {
    this.getClassAndName("insert") instanceof Deque or
    this.getClassAndName("insert") instanceof List or
@@ -181,7 +192,9 @@ private class StdSequenceContainerInsert extends TaintFunction {
   * Gets the index of a parameter to this function that is an iterator.
   */
  int getAnIteratorParameterIndex() { this.getParameter(result).getType() instanceof Iterator }
+}

+private class StdSequenceContainerInsertModel extends StdSequenceContainerInsert, TaintFunction {
  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    // flow from parameter to container itself (qualifier) and return value
    (
@@ -253,11 +266,28 @@ private class StdSequenceContainerAt extends TaintFunction {
 }

 /**
- * The standard vector `emplace` function.
+ * The standard `emplace` function.
 */
-class StdVectorEmplace extends TaintFunction {
-  StdVectorEmplace() { this.getClassAndName("emplace") instanceof Vector }
+class StdSequenceEmplace extends MemberFunction {
+  StdSequenceEmplace() {
+    this.getClassAndName("emplace") instanceof Vector
+    or
+    this.getClassAndName("emplace") instanceof List
+    or
+    this.getClassAndName("emplace") instanceof Deque
+  }

+  /**
+   * Gets the index of a parameter to this function that is a reference to the
+   * value type of the container.
+   */
+  int getAValueTypeParameterIndex() {
+    this.getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
+      this.getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector<T>`
+  }
+}
+
+private class StdSequenceEmplaceModel extends StdSequenceEmplace, TaintFunction {
  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    // flow from any parameter except the position iterator to qualifier and return value
    // (here we assume taint flow from any constructor parameter to the constructed object)
@@ -269,12 +299,36 @@ class StdVectorEmplace extends TaintFunction {
  }
 }

+/**
+ * The standard vector `emplace` function.
+ */
+class StdVectorEmplace extends StdSequenceEmplace {
+  StdVectorEmplace() { this.getDeclaringType() instanceof Vector }
+}
+
 /**
 * The standard vector `emplace_back` function.
 */
-class StdVectorEmplaceBack extends TaintFunction {
-  StdVectorEmplaceBack() { this.getClassAndName("emplace_back") instanceof Vector }
+class StdSequenceEmplaceBack extends MemberFunction {
+  StdSequenceEmplaceBack() {
+    this.getClassAndName("emplace_back") instanceof Vector
+    or
+    this.getClassAndName("emplace_back") instanceof List
+    or
+    this.getClassAndName("emplace_back") instanceof Deque
+  }

+  /**
+   * Gets the index of a parameter to this function that is a reference to the
+   * value type of the container.
+   */
+  int getAValueTypeParameterIndex() {
+    this.getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
+      this.getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector<T>`
+  }
+}
+
+private class StdSequenceEmplaceBackModel extends StdSequenceEmplaceBack, TaintFunction {
  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    // flow from any parameter to qualifier
    // (here we assume taint flow from any constructor parameter to the constructed object)
@@ -282,3 +336,10 @@ class StdVectorEmplaceBack extends TaintFunction {
    output.isQualifierObject()
  }
 }
+
+/**
+ * The standard vector `emplace_back` function.
+ */
+class StdVectorEmplaceBack extends StdSequenceEmplaceBack {
+  StdVectorEmplaceBack() { this.getDeclaringType() instanceof Vector }
+}
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/StdString.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/StdString.qll
@@ -99,9 +99,11 @@ private class StdStringConstructor extends Constructor, StdStringTaintFunction {
 /**
 * The `std::string` function `c_str`.
 */
-private class StdStringCStr extends StdStringTaintFunction {
+class StdStringCStr extends MemberFunction {
  StdStringCStr() { this.getClassAndName("c_str") instanceof StdBasicString }
+}

+private class StdStringCStrModel extends StdStringCStr, StdStringTaintFunction {
  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    // flow from string itself (qualifier) to return value
    input.isQualifierObject() and
@@ -112,9 +114,11 @@ private class StdStringCStr extends StdStringTaintFunction {
 /**
 * The `std::string` function `data`.
 */
-private class StdStringData extends StdStringTaintFunction {
+class StdStringData extends MemberFunction {
  StdStringData() { this.getClassAndName("data") instanceof StdBasicString }
+}

+private class StdStringDataModel extends StdStringData, StdStringTaintFunction {
  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    // flow from string itself (qualifier) to return value
    input.isQualifierObject() and
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll
@@ -10,6 +10,8 @@ import semmle.code.cpp.models.interfaces.SideEffect

 /**
 * The standard function `strcat` and its wide, sized, and Microsoft variants.
+ *
+ * Does not include `strlcat`, which is covered by `StrlcatFunction`
 */
 class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, SideEffectFunction {
  StrcatFunction() {
@@ -90,3 +92,64 @@ class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, Sid
    buffer = true
  }
 }
+
+/**
+ * The `strlcat` function.
+ */
+class StrlcatFunction extends TaintFunction, ArrayFunction, SideEffectFunction {
+  StrlcatFunction() {
+    this.hasGlobalName("strlcat") // strlcat(dst, src, dst_size)
+  }
+
+  /**
+   * Gets the index of the parameter that is the size of the copy (in characters).
+   */
+  int getParamSize() { result = 2 }
+
+  /**
+   * Gets the index of the parameter that is the source of the copy.
+   */
+  int getParamSrc() { result = 1 }
+
+  /**
+   * Gets the index of the parameter that is the destination to be appended to.
+   */
+  int getParamDest() { result = 0 }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    (
+      input.isParameter(2)
+      or
+      input.isParameterDeref(0)
+      or
+      input.isParameterDeref(1)
+    ) and
+    output.isParameterDeref(0)
+  }
+
+  override predicate hasArrayInput(int param) {
+    param = 0 or
+    param = 1
+  }
+
+  override predicate hasArrayOutput(int param) { param = 0 }
+
+  override predicate hasArrayWithNullTerminator(int param) { param = 1 }
+
+  override predicate hasArrayWithUnknownSize(int param) { param = 0 }
+
+  override predicate hasOnlySpecificReadSideEffects() { any() }
+
+  override predicate hasOnlySpecificWriteSideEffects() { any() }
+
+  override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
+    i = 0 and
+    buffer = true and
+    mustWrite = false
+  }
+
+  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
+    (i = 0 or i = 1) and
+    buffer = true
+  }
+}
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcpy.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcpy.qll
@@ -32,7 +32,8 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
        "wcsxfrm_l", // _strxfrm_l(dest, src, max_amount, locale)
        "_mbsnbcpy", // _mbsnbcpy(dest, src, max_amount)
        "stpcpy", // stpcpy(dest, src)
-        "stpncpy" // stpcpy(dest, src, max_amount)
+        "stpncpy", // stpncpy(dest, src, max_amount)
+        "strlcpy" // strlcpy(dst, src, dst_size)
      ])
    or
    (
@@ -53,6 +54,11 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
   */
  private predicate isSVariant() { this.getName().matches("%\\_s") }

+  /**
+   * Holds if the function returns the total length the string would have had if the size was unlimited.
+   */
+  private predicate returnsTotalLength() { this.getName() = "strlcpy" }
+
  /**
   * Gets the index of the parameter that is the maximum size of the copy (in characters).
   */
@@ -60,7 +66,7 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
    if this.isSVariant()
    then result = 1
    else (
-      this.getName().matches(["%ncpy%", "%nbcpy%", "%xfrm%"]) and
+      this.getName().matches(["%ncpy%", "%nbcpy%", "%xfrm%", "strlcpy"]) and
      result = 2
    )
  }
@@ -100,6 +106,7 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
    input.isParameterDeref(this.getParamSrc()) and
    output.isReturnValueDeref()
    or
+    not this.returnsTotalLength() and
    input.isParameter(this.getParamDest()) and
    output.isReturnValue()
  }
@@ -110,8 +117,9 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
    exists(this.getParamSize()) and
    input.isParameterDeref(this.getParamSrc()) and
    (
-      output.isParameterDeref(this.getParamDest()) or
-      output.isReturnValueDeref()
+      output.isParameterDeref(this.getParamDest())
+      or
+      not this.returnsTotalLength() and output.isReturnValueDeref()
    )
  }

--- a/cpp/ql/lib/semmle/code/cpp/models/interfaces/FormattingFunction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/interfaces/FormattingFunction.qll
@@ -9,8 +9,9 @@
 import semmle.code.cpp.models.interfaces.ArrayFunction
 import semmle.code.cpp.models.interfaces.Taint

+pragma[nomagic]
 private Type stripTopLevelSpecifiersOnly(Type t) {
-  result = stripTopLevelSpecifiersOnly(t.(SpecifiedType).getBaseType())
+  result = stripTopLevelSpecifiersOnly(pragma[only_bind_out](t.(SpecifiedType).getBaseType()))
  or
  result = t and
  not t instanceof SpecifiedType
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticSSA.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticSSA.qll
@@ -22,8 +22,6 @@ class SemSsaExplicitUpdate extends SemSsaVariable {

  SemSsaExplicitUpdate() { Specific::explicitUpdate(this, sourceExpr) }

-  final SemExpr getSourceExpr() { result = sourceExpr }
-
  final SemExpr getDefiningExpr() { result = sourceExpr }
 }

--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/ConstantAnalysis.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/ConstantAnalysis.qll
@@ -14,7 +14,7 @@ private predicate constantIntegerExpr(SemExpr e, int val) {
  // Copy of another constant
  exists(SemSsaExplicitUpdate v, SemExpr src |
    e = v.getAUse() and
-    src = v.getSourceExpr() and
+    src = v.getDefiningExpr() and
    constantIntegerExpr(src, val)
  )
  or
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisConstantSpecific.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisConstantSpecific.qll
@@ -22,30 +22,11 @@ module CppLangImplConstant implements LangSig<Sem, FloatDelta> {
  predicate hasConstantBound(SemExpr e, float bound, boolean upper) { none() }

  /**
-   * Holds if `e >= bound + delta` (if `upper = false`) or `e <= bound + delta` (if `upper = true`).
+   * Holds if `e2 >= e1 + delta` (if `upper = false`) or `e2 <= e1 + delta` (if `upper = true`).
   */
-  predicate hasBound(SemExpr e, SemExpr bound, float delta, boolean upper) { none() }
+  predicate additionalBoundFlowStep(SemExpr e2, SemExpr e1, float delta, boolean upper) { none() }

-  /**
-   * Holds if the value of `dest` is known to be `src + delta`.
-   */
-  predicate additionalValueFlowStep(SemExpr dest, SemExpr src, float delta) { none() }
+  predicate includeConstantBounds() { any() }

-  /**
-   * Gets the type that range analysis should use to track the result of the specified expression,
-   * if a type other than the original type of the expression is to be used.
-   *
-   * This predicate is commonly used in languages that support immutable "boxed" types that are
-   * actually references but whose values can be tracked as the type contained in the box.
-   */
-  SemType getAlternateType(SemExpr e) { none() }
-
-  /**
-   * Gets the type that range analysis should use to track the result of the specified source
-   * variable, if a type other than the original type of the expression is to be used.
-   *
-   * This predicate is commonly used in languages that support immutable "boxed" types that are
-   * actually references but whose values can be tracked as the type contained in the box.
-   */
-  SemType getAlternateTypeForSsaVariable(SemSsaVariable var) { none() }
+  predicate includeRelativeBounds() { none() }
 }
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisImpl.qll
@@ -1,7 +1,6 @@
 private import RangeAnalysisConstantSpecific
 private import RangeAnalysisRelativeSpecific
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.FloatDelta
-private import RangeUtils
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticExpr
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticCFG
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticGuard
@@ -88,12 +87,18 @@ module Sem implements Semantic {

  class AddressType = SemAddressType;

+  SemType getExprType(SemExpr e) { result = e.getSemType() }
+
+  SemType getSsaType(SemSsaVariable var) { result = var.getType() }
+
  class SsaVariable = SemSsaVariable;

  class SsaPhiNode = SemSsaPhiNode;

  class SsaExplicitUpdate = SemSsaExplicitUpdate;

+  predicate additionalValueFlowStep(SemExpr dest, SemExpr src, int delta) { none() }
+
  predicate conversionCannotOverflow(Type fromType, Type toType) {
    SemanticType::conversionCannotOverflow(fromType, toType)
  }
@@ -101,7 +106,7 @@ module Sem implements Semantic {

 module SignAnalysis implements SignAnalysisSig<Sem> {
  private import SignAnalysisCommon as SA
-  import SA::SignAnalysis<FloatDelta, Util>
+  import SA::SignAnalysis<FloatDelta>
 }

 module ConstantBounds implements BoundSig<SemLocation, Sem, FloatDelta> {
@@ -164,18 +169,16 @@ private module ModulusAnalysisInstantiated implements ModulusAnalysisSig<Sem> {
  class ModBound = AllBounds::SemBound;

  private import codeql.rangeanalysis.ModulusAnalysis as MA
-  import MA::ModulusAnalysis<SemLocation, Sem, FloatDelta, AllBounds, Util>
+  import MA::ModulusAnalysis<SemLocation, Sem, FloatDelta, AllBounds>
 }

-module Util = RangeUtil<FloatDelta, CppLangImplConstant>;
-
 module ConstantStage =
-  RangeStage<SemLocation, Sem, FloatDelta, ConstantBounds, FloatOverflow, CppLangImplConstant,
-    SignAnalysis, ModulusAnalysisInstantiated, Util>;
+  RangeStage<SemLocation, Sem, FloatDelta, AllBounds, FloatOverflow, CppLangImplConstant,
+    SignAnalysis, ModulusAnalysisInstantiated>;

 module RelativeStage =
-  RangeStage<SemLocation, Sem, FloatDelta, RelativeBounds, FloatOverflow, CppLangImplRelative,
-    SignAnalysis, ModulusAnalysisInstantiated, Util>;
+  RangeStage<SemLocation, Sem, FloatDelta, AllBounds, FloatOverflow, CppLangImplRelative,
+    SignAnalysis, ModulusAnalysisInstantiated>;

 private newtype TSemReason =
  TSemNoReason() or
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisRelativeSpecific.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisRelativeSpecific.qll
@@ -54,30 +54,11 @@ module CppLangImplRelative implements LangSig<Sem, FloatDelta> {
  predicate hasConstantBound(SemExpr e, float bound, boolean upper) { none() }

  /**
-   * Holds if `e >= bound + delta` (if `upper = false`) or `e <= bound + delta` (if `upper = true`).
+   * Holds if `e2 >= e1 + delta` (if `upper = false`) or `e2 <= e1 + delta` (if `upper = true`).
   */
-  predicate hasBound(SemExpr e, SemExpr bound, float delta, boolean upper) { none() }
+  predicate additionalBoundFlowStep(SemExpr e2, SemExpr e1, float delta, boolean upper) { none() }

-  /**
-   * Holds if the value of `dest` is known to be `src + delta`.
-   */
-  predicate additionalValueFlowStep(SemExpr dest, SemExpr src, float delta) { none() }
+  predicate includeConstantBounds() { none() }

-  /**
-   * Gets the type that range analysis should use to track the result of the specified expression,
-   * if a type other than the original type of the expression is to be used.
-   *
-   * This predicate is commonly used in languages that support immutable "boxed" types that are
-   * actually references but whose values can be tracked as the type contained in the box.
-   */
-  SemType getAlternateType(SemExpr e) { none() }
-
-  /**
-   * Gets the type that range analysis should use to track the result of the specified source
-   * variable, if a type other than the original type of the expression is to be used.
-   *
-   * This predicate is commonly used in languages that support immutable "boxed" types that are
-   * actually references but whose values can be tracked as the type contained in the box.
-   */
-  SemType getAlternateTypeForSsaVariable(SemSsaVariable var) { none() }
+  predicate includeRelativeBounds() { any() }
 }
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeUtils.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeUtils.qll
@@ -1,136 +0,0 @@
-/**
- * Provides utility predicates for range analysis.
- */
-
-private import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
-private import RangeAnalysisRelativeSpecific
-private import codeql.rangeanalysis.RangeAnalysis
-private import RangeAnalysisImpl
-private import ConstantAnalysis
-
-module RangeUtil<DeltaSig D, LangSig<Sem, D> Lang> implements UtilSig<Sem, D> {
-  /**
-   * Gets an expression that equals `v - d`.
-   */
-  private SemExpr semSsaRead(SemSsaVariable v, D::Delta delta) {
-    // There are various language-specific extension points that can be removed once we no longer
-    // expect to match the original Java implementation's results exactly.
-    result = v.getAUse() and delta = D::fromInt(0)
-    or
-    exists(D::Delta d1, SemConstantIntegerExpr c |
-      result.(SemAddExpr).hasOperands(semSsaRead(v, d1), c) and
-      delta = D::fromFloat(D::toFloat(d1) - c.getIntValue())
-    )
-    or
-    exists(SemSubExpr sub, D::Delta d1, SemConstantIntegerExpr c |
-      result = sub and
-      sub.getLeftOperand() = semSsaRead(v, d1) and
-      sub.getRightOperand() = c and
-      delta = D::fromFloat(D::toFloat(d1) + c.getIntValue())
-    )
-    or
-    result = v.(SemSsaExplicitUpdate).getSourceExpr() and
-    delta = D::fromFloat(0)
-    or
-    result.(SemCopyValueExpr).getOperand() = semSsaRead(v, delta)
-    or
-    result.(SemStoreExpr).getOperand() = semSsaRead(v, delta)
-  }
-
-  /**
-   * Gets a condition that tests whether `v` equals `e + delta`.
-   *
-   * If the condition evaluates to `testIsTrue`:
-   * - `isEq = true`  : `v == e + delta`
-   * - `isEq = false` : `v != e + delta`
-   */
-  pragma[nomagic]
-  SemGuard semEqFlowCond(
-    SemSsaVariable v, SemExpr e, D::Delta delta, boolean isEq, boolean testIsTrue
-  ) {
-    exists(boolean eqpolarity |
-      result.isEquality(semSsaRead(v, delta), e, eqpolarity) and
-      (testIsTrue = true or testIsTrue = false) and
-      eqpolarity.booleanXor(testIsTrue).booleanNot() = isEq
-    )
-    or
-    exists(boolean testIsTrue0 |
-      semImplies_v2(result, testIsTrue, semEqFlowCond(v, e, delta, isEq, testIsTrue0), testIsTrue0)
-    )
-  }
-
-  /**
-   * Holds if `v` is an `SsaExplicitUpdate` that equals `e + delta`.
-   */
-  predicate semSsaUpdateStep(SemSsaExplicitUpdate v, SemExpr e, D::Delta delta) {
-    exists(SemExpr defExpr | defExpr = v.getSourceExpr() |
-      defExpr.(SemCopyValueExpr).getOperand() = e and delta = D::fromFloat(0)
-      or
-      defExpr.(SemStoreExpr).getOperand() = e and delta = D::fromFloat(0)
-      or
-      defExpr.(SemAddOneExpr).getOperand() = e and delta = D::fromFloat(1)
-      or
-      defExpr.(SemSubOneExpr).getOperand() = e and delta = D::fromFloat(-1)
-      or
-      e = defExpr and
-      not (
-        defExpr instanceof SemCopyValueExpr or
-        defExpr instanceof SemStoreExpr or
-        defExpr instanceof SemAddOneExpr or
-        defExpr instanceof SemSubOneExpr
-      ) and
-      delta = D::fromFloat(0)
-    )
-  }
-
-  /**
-   * Holds if `e1 + delta` equals `e2`.
-   */
-  predicate semValueFlowStep(SemExpr e2, SemExpr e1, D::Delta delta) {
-    e2.(SemCopyValueExpr).getOperand() = e1 and delta = D::fromFloat(0)
-    or
-    e2.(SemStoreExpr).getOperand() = e1 and delta = D::fromFloat(0)
-    or
-    e2.(SemAddOneExpr).getOperand() = e1 and delta = D::fromFloat(1)
-    or
-    e2.(SemSubOneExpr).getOperand() = e1 and delta = D::fromFloat(-1)
-    or
-    Lang::additionalValueFlowStep(e2, e1, delta)
-    or
-    exists(SemExpr x | e2.(SemAddExpr).hasOperands(e1, x) |
-      D::fromInt(x.(SemConstantIntegerExpr).getIntValue()) = delta
-    )
-    or
-    exists(SemExpr x, SemSubExpr sub |
-      e2 = sub and
-      sub.getLeftOperand() = e1 and
-      sub.getRightOperand() = x
-    |
-      D::fromInt(-x.(SemConstantIntegerExpr).getIntValue()) = delta
-    )
-  }
-
-  /**
-   * Gets the type used to track the specified expression's range information.
-   *
-   * Usually, this just `e.getSemType()`, but the language can override this to track immutable boxed
-   * primitive types as the underlying primitive type.
-   */
-  SemType getTrackedType(SemExpr e) {
-    result = Lang::getAlternateType(e)
-    or
-    not exists(Lang::getAlternateType(e)) and result = e.getSemType()
-  }
-
-  /**
-   * Gets the type used to track the specified source variable's range information.
-   *
-   * Usually, this just `e.getType()`, but the language can override this to track immutable boxed
-   * primitive types as the underlying primitive type.
-   */
-  SemType getTrackedTypeForSsaVariable(SemSsaVariable var) {
-    result = Lang::getAlternateTypeForSsaVariable(var)
-    or
-    not exists(Lang::getAlternateTypeForSsaVariable(var)) and result = var.getType()
-  }
-}
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/SignAnalysisCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/SignAnalysisCommon.qll
@@ -11,10 +11,9 @@ private import RangeAnalysisImpl
 private import SignAnalysisSpecific as Specific
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
 private import ConstantAnalysis
-private import RangeUtils
 private import Sign

-module SignAnalysis<DeltaSig D, UtilSig<Sem, D> Utils> {
+module SignAnalysis<DeltaSig D> {
  private import codeql.rangeanalysis.internal.RangeUtils::MakeUtils<Sem, D>

  /**
@@ -39,7 +38,7 @@ module SignAnalysis<DeltaSig D, UtilSig<Sem, D> Utils> {

  /** An SSA definition whose sign is determined by the sign of that definitions source expression. */
  private class ExplicitSignDef extends FlowSignDef instanceof SemSsaExplicitUpdate {
-    final override Sign getSign() { result = semExprSign(super.getSourceExpr()) }
+    final override Sign getSign() { result = semExprSign(super.getDefiningExpr()) }
  }

  /** An SSA Phi definition, whose sign is the union of the signs of its inputs. */
@@ -148,7 +147,7 @@ module SignAnalysis<DeltaSig D, UtilSig<Sem, D> Utils> {
      not this instanceof ConstantSignExpr and
      (
        // Only track numeric types.
-        Utils::getTrackedType(this) instanceof SemNumericType
+        Sem::getExprType(this) instanceof SemNumericType
        or
        // Unless the language says to track this expression anyway.
        Specific::trackUnknownNonNumericExpr(this)
@@ -203,7 +202,7 @@ module SignAnalysis<DeltaSig D, UtilSig<Sem, D> Utils> {

  /** An expression of an unsigned type. */
  private class UnsignedExpr extends FlowSignExpr {
-    UnsignedExpr() { Utils::getTrackedType(this) instanceof SemUnsignedIntegerType }
+    UnsignedExpr() { Sem::getExprType(this) instanceof SemUnsignedIntegerType }

    override Sign getSignRestriction() {
      result = TPos() or
@@ -276,7 +275,7 @@ module SignAnalysis<DeltaSig D, UtilSig<Sem, D> Utils> {
    override SemUnboxExpr cast;

    UnboxSignExpr() {
-      exists(SemType fromType | fromType = Utils::getTrackedType(cast.getOperand()) |
+      exists(SemType fromType | fromType = Sem::getExprType(cast.getOperand()) |
        // Only numeric source types are handled here.
        fromType instanceof SemNumericType
      )
@@ -471,7 +470,7 @@ module SignAnalysis<DeltaSig D, UtilSig<Sem, D> Utils> {
  Sign semExprSign(SemExpr e) {
    exists(Sign s | s = e.(SignExpr).getSign() |
      if
-        Utils::getTrackedType(e) instanceof SemUnsignedIntegerType and
+        Sem::getExprType(e) instanceof SemUnsignedIntegerType and
        s = TNeg() and
        not Specific::ignoreTypeRestrictions(e)
      then result = TPos()
--- a/cpp/ql/lib/semmle/code/cpp/security/Security.qll
+++ b/cpp/ql/lib/semmle/code/cpp/security/Security.qll
@@ -45,7 +45,7 @@ class SecurityOptions extends string {
  /**
   * The argument of the given function is filled in from user input.
   */
-  predicate userInputArgument(FunctionCall functionCall, int arg) {
+  deprecated predicate userInputArgument(FunctionCall functionCall, int arg) {
    exists(string fname |
      functionCall.getTarget().hasGlobalOrStdName(fname) and
      exists(functionCall.getArgument(arg)) and
@@ -73,7 +73,7 @@ class SecurityOptions extends string {
  /**
   * The return value of the given function is filled in from user input.
   */
-  predicate userInputReturned(FunctionCall functionCall) {
+  deprecated predicate userInputReturned(FunctionCall functionCall) {
    exists(string fname |
      functionCall.getTarget().getName() = fname and
      (
@@ -91,12 +91,8 @@ class SecurityOptions extends string {

  /**
   * DEPRECATED: Users should override `userInputReturned()` instead.
-   *
-   * note: this function is not formally tagged as `deprecated` since the
-   * new `userInputReturned` uses it to provide compatibility with older
-   * custom SecurityOptions.qll files.
   */
-  predicate userInputReturn(string function) { none() }
+  deprecated predicate userInputReturn(string function) { none() }

  /**
   * The argument of the given function is used for running a process or loading
@@ -117,7 +113,7 @@ class SecurityOptions extends string {
   * computed from user input. Such expressions are treated as
   * sources of taint.
   */
-  predicate isUserInput(Expr expr, string cause) {
+  deprecated predicate isUserInput(Expr expr, string cause) {
    exists(FunctionCall fc, int i |
      this.userInputArgument(fc, i) and
      expr = fc.getArgument(i) and
@@ -178,17 +174,17 @@ predicate argv(Parameter argv) {
 predicate isPureFunction(string name) { exists(SecurityOptions opts | opts.isPureFunction(name)) }

 /** Convenience accessor for SecurityOptions.userInputArgument */
-predicate userInputArgument(FunctionCall functionCall, int arg) {
+deprecated predicate userInputArgument(FunctionCall functionCall, int arg) {
  exists(SecurityOptions opts | opts.userInputArgument(functionCall, arg))
 }

 /** Convenience accessor for SecurityOptions.userInputReturn */
-predicate userInputReturned(FunctionCall functionCall) {
+deprecated predicate userInputReturned(FunctionCall functionCall) {
  exists(SecurityOptions opts | opts.userInputReturned(functionCall))
 }

 /** Convenience accessor for SecurityOptions.isUserInput */
-predicate isUserInput(Expr expr, string cause) {
+deprecated predicate isUserInput(Expr expr, string cause) {
  exists(SecurityOptions opts | opts.isUserInput(expr, cause))
 }

--- a/cpp/ql/lib/semmle/code/cpp/security/SecurityOptions.qll
+++ b/cpp/ql/lib/semmle/code/cpp/security/SecurityOptions.qll
@@ -23,7 +23,7 @@ class CustomSecurityOptions extends SecurityOptions {
    none() // rules to match custom functions replace this line
  }

-  override predicate userInputArgument(FunctionCall functionCall, int arg) {
+  deprecated override predicate userInputArgument(FunctionCall functionCall, int arg) {
    SecurityOptions.super.userInputArgument(functionCall, arg)
    or
    exists(string fname |
@@ -36,7 +36,7 @@ class CustomSecurityOptions extends SecurityOptions {
    )
  }

-  override predicate userInputReturned(FunctionCall functionCall) {
+  deprecated override predicate userInputReturned(FunctionCall functionCall) {
    SecurityOptions.super.userInputReturned(functionCall)
    or
    exists(string fname |
--- a/cpp/ql/lib/semmle/code/cpp/security/TaintTracking.qll
+++ b/cpp/ql/lib/semmle/code/cpp/security/TaintTracking.qll
@@ -1,10 +0,0 @@
-/**
- * Support for tracking tainted data through the program. This is an alias for
- * `semmle.code.cpp.ir.dataflow.DefaultTaintTracking` provided for backwards
- * compatibility.
- *
- * Prefer to use `semmle.code.cpp.dataflow.TaintTracking` or
- * `semmle.code.cpp.ir.dataflow.TaintTracking` when designing new queries.
- */
-
-import semmle.code.cpp.ir.dataflow.DefaultTaintTracking
--- a/cpp/ql/lib/semmle/code/cpp/security/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/security/TaintTrackingImpl.qll
@@ -1,654 +0,0 @@
-/**
- * DEPRECATED: we now use `semmle.code.cpp.ir.dataflow.DefaultTaintTracking`,
- * which is based on the IR but designed to behave similarly to this old
- * library.
- *
- * Provides the implementation of `semmle.code.cpp.security.TaintTracking`. Do
- * not import this file directly.
- */
-
-import cpp
-import Security
-
-/** Expressions that change the value of a variable */
-private predicate valueSource(Expr expr) {
-  exists(AssignExpr ae | expr = ae.getLValue())
-  or
-  exists(FunctionCall fc, int i |
-    userInputArgument(fc, i) and
-    expr = fc.getArgument(i)
-  )
-  or
-  exists(FunctionCall c, int arg |
-    copyValueBetweenArguments(c.getTarget(), _, arg) and
-    expr = c.getArgument(arg)
-  )
-  or
-  exists(FunctionCall c, int arg |
-    c.getTarget().getParameter(arg).getType() instanceof ReferenceType and
-    expr = c.getArgument(arg)
-  )
-}
-
-/** Expressions that are inside an expression that changes the value of a variable */
-private predicate insideValueSource(Expr expr) {
-  valueSource(expr)
-  or
-  insideValueSource(expr.getParent()) and
-  // A modification of array[offset] does not modify offset
-  not expr.getParent().(ArrayExpr).getArrayOffset() = expr
-}
-
-private predicate isPointer(Type type) {
-  type instanceof PointerType or
-  isPointer(type.(ReferenceType).getBaseType())
-}
-
-/**
- * Tracks data flow from src to dest.
- * If this is used in the left side of an assignment src and dest should be swapped
- */
-private predicate moveToDependingOnSide(Expr src, Expr dest) {
-  exists(ParenthesisExpr e |
-    src = e.getAChild() and
-    dest = e
-  )
-  or
-  exists(ArrayExpr e |
-    src = e.getArrayBase() and
-    dest = e
-  )
-  or
-  exists(PointerDereferenceExpr e |
-    src = e.getOperand() and
-    dest = e
-  )
-  or
-  exists(AddressOfExpr e |
-    src = e.getOperand() and
-    dest = e
-  )
-  or
-  // if var+offset is tainted, then so is var
-  exists(VariableAccess base, BinaryOperation binop |
-    dest = binop and
-    (base = binop.getLeftOperand() or base = binop.getRightOperand()) and
-    isPointer(base.getType()) and
-    base.getTarget() instanceof LocalScopeVariable and
-    src = base and
-    // flow through pointer-pointer subtraction is dubious, the result should be
-    // a number bounded by the size of the pointed-to thing.
-    not binop instanceof PointerDiffExpr
-  )
-  or
-  exists(UnaryOperation unop |
-    dest = unop and
-    unop.getAnOperand() = src
-  )
-  or
-  exists(BinaryOperation binop |
-    dest = binop and
-    binop.getLeftOperand() = src and
-    predictable(binop.getRightOperand())
-  )
-  or
-  exists(BinaryOperation binop |
-    dest = binop and
-    binop.getRightOperand() = src and
-    predictable(binop.getLeftOperand())
-  )
-  or
-  exists(Cast cast |
-    dest = cast and
-    src = cast.getExpr()
-  )
-  or
-  exists(ConditionalExpr cond |
-    cond = dest and
-    (
-      cond.getThen() = src or
-      cond.getElse() = src
-    )
-  )
-}
-
-/**
- * Track value flow between functions.
- * Handles the following cases:
- * - If an argument to a function is tainted, all the usages of the parameter inside the function are tainted
- * - If a function obtains input from the user internally and returns it, all calls to the function are tainted
- * - If an argument to a function is tainted and that parameter is returned, all calls to the function are not tainted
- *   (this is done to avoid false positives). Because of this we need to track if the tainted element came from an argument
- *   or not, and for that we use destFromArg
- */
-deprecated private predicate betweenFunctionsValueMoveTo(
-  Element src, Element dest, boolean destFromArg
-) {
-  not unreachable(src) and
-  not unreachable(dest) and
-  (
-    exists(Call call, int i |
-      src = call.getArgument(i) and
-      resolveCallWithParam(call, _, i, dest) and
-      destFromArg = true
-    )
-    or
-    // Only move the return of the function to the function itself if the value didn't came from an
-    // argument, or else we would taint all the calls to one function if one argument is tainted
-    // somewhere
-    exists(Function f, ReturnStmt ret |
-      ret.getEnclosingFunction() = f and
-      src = ret.getExpr() and
-      destFromArg = false and
-      dest = f
-    )
-    or
-    exists(Call call, Function f |
-      f = resolveCall(call) and
-      src = f and
-      dest = call and
-      destFromArg = false
-    )
-    or
-    // If a parameter of type reference is tainted inside a function, taint the argument too
-    exists(Call call, int pi, Parameter p |
-      resolveCallWithParam(call, _, pi, p) and
-      p.getType() instanceof ReferenceType and
-      src = p and
-      dest = call.getArgument(pi) and
-      destFromArg = false
-    )
-  )
-}
-
-// predicate folding for proper join-order
-// bad magic: pushes down predicate that ruins join-order
-pragma[nomagic]
-deprecated private predicate resolveCallWithParam(Call call, Function called, int i, Parameter p) {
-  called = resolveCall(call) and
-  p = called.getParameter(i)
-}
-
-/** A variable for which flow through is allowed. */
-deprecated library class FlowVariable extends Variable {
-  FlowVariable() {
-    (
-      this instanceof LocalScopeVariable or
-      this instanceof GlobalOrNamespaceVariable
-    ) and
-    not argv(this)
-  }
-}
-
-/** A local scope variable for which flow through is allowed. */
-deprecated library class FlowLocalScopeVariable extends Variable {
-  FlowLocalScopeVariable() { this instanceof LocalScopeVariable }
-}
-
-deprecated private predicate insideFunctionValueMoveTo(Element src, Element dest) {
-  not unreachable(src) and
-  not unreachable(dest) and
-  (
-    // Taint all variable usages when one is tainted
-    // This function taints global variables but doesn't taint from a global variable (see globalVariableValueMoveTo)
-    exists(FlowLocalScopeVariable v |
-      src = v and
-      dest = v.getAnAccess() and
-      not insideValueSource(dest)
-    )
-    or
-    exists(FlowVariable v |
-      src = v.getAnAccess() and
-      dest = v and
-      insideValueSource(src)
-    )
-    or
-    // Taint all union usages when one is tainted
-    // This function taints global variables but doesn't taint from a global variable (see globalVariableValueMoveTo)
-    exists(FlowLocalScopeVariable v, FieldAccess a |
-      unionAccess(v, _, a) and
-      src = v and
-      dest = a and
-      not insideValueSource(dest)
-    )
-    or
-    exists(FlowVariable v, FieldAccess a |
-      unionAccess(v, _, a) and
-      src = a and
-      dest = v and
-      insideValueSource(src)
-    )
-    or
-    // If a pointer is tainted, taint the original variable
-    exists(FlowVariable p, FlowVariable v, AddressOfExpr e |
-      p.getAnAssignedValue() = e and
-      e.getOperand() = v.getAnAccess() and
-      src = p and
-      dest = v
-    )
-    or
-    // If a reference is tainted, taint the original variable
-    exists(FlowVariable r, FlowVariable v |
-      r.getType() instanceof ReferenceType and
-      r.getInitializer().getExpr() = v.getAnAccess() and
-      src = r and
-      dest = v
-    )
-    or
-    exists(Variable var |
-      var = dest and
-      var.getInitializer().getExpr() = src
-    )
-    or
-    exists(AssignExpr ae |
-      src = ae.getRValue() and
-      dest = ae.getLValue()
-    )
-    or
-    exists(CommaExpr comma |
-      comma = dest and
-      comma.getRightOperand() = src
-    )
-    or
-    exists(FunctionCall c, int sourceArg, int destArg |
-      copyValueBetweenArguments(c.getTarget(), sourceArg, destArg) and
-      // Only consider copies from `printf`-like functions if the format is a string
-      (
-        exists(FormattingFunctionCall ffc, FormatLiteral format |
-          ffc = c and
-          format = ffc.getFormat() and
-          format.getConversionChar(sourceArg - ffc.getTarget().getNumberOfParameters()) = ["s", "S"]
-        )
-        or
-        not c.(FormattingFunctionCall).getFormat() instanceof FormatLiteral
-        or
-        not c instanceof FormattingFunctionCall
-      ) and
-      src = c.getArgument(sourceArg) and
-      dest = c.getArgument(destArg)
-    )
-    or
-    exists(FunctionCall c, int sourceArg |
-      returnArgument(c.getTarget(), sourceArg) and
-      src = c.getArgument(sourceArg) and
-      dest = c
-    )
-    or
-    exists(FormattingFunctionCall formattingSend, int arg, FormatLiteral format |
-      dest = formattingSend and
-      formattingSend.getArgument(arg) = src and
-      format = formattingSend.getFormat() and
-      format.getConversionChar(arg - formattingSend.getTarget().getNumberOfParameters()) =
-        ["s", "S", "@"]
-    )
-    or
-    // Expressions computed from tainted data are also tainted
-    exists(FunctionCall call | dest = call and isPureFunction(call.getTarget().getName()) |
-      call.getAnArgument() = src and
-      forall(Expr arg | arg = call.getAnArgument() | arg = src or predictable(arg)) and
-      // flow through `strlen` tends to cause dubious results, if the length is
-      // bounded.
-      not call.getTarget().getName() = "strlen"
-    )
-    or
-    exists(Element a, Element b |
-      moveToDependingOnSide(a, b) and
-      if insideValueSource(a) then (src = b and dest = a) else (src = a and dest = b)
-    )
-  )
-}
-
-/**
- * Handles data flow from global variables to its usages.
- * The tainting for the global variable itself is done at insideFunctionValueMoveTo.
- */
-private predicate globalVariableValueMoveTo(GlobalOrNamespaceVariable src, Expr dest) {
-  not unreachable(dest) and
-  (
-    exists(GlobalOrNamespaceVariable v |
-      src = v and
-      dest = v.getAnAccess() and
-      not insideValueSource(dest)
-    )
-    or
-    exists(GlobalOrNamespaceVariable v, FieldAccess a |
-      unionAccess(v, _, a) and
-      src = v and
-      dest = a and
-      not insideValueSource(dest)
-    )
-  )
-}
-
-private predicate unionAccess(Variable v, Field f, FieldAccess a) {
-  f.getDeclaringType() instanceof Union and
-  a.getTarget() = f and
-  a.getQualifier() = v.getAnAccess()
-}
-
-deprecated GlobalOrNamespaceVariable globalVarFromId(string id) {
-  if result instanceof NamespaceVariable
-  then id = result.getNamespace() + "::" + result.getName()
-  else id = result.getName()
-}
-
-/**
- * A variable that has any kind of upper-bound check anywhere in the program.  This is
- * biased towards being inclusive because there are a lot of valid ways of doing an
- * upper bounds checks if we don't consider where it occurs, for example:
- * ```
- *   if (x < 10) { sink(x); }
- *
- *   if (10 > y) { sink(y); }
- *
- *   if (z > 10) { z = 10; }
- *   sink(z);
- * ```
- */
-private predicate hasUpperBoundsCheck(Variable var) {
-  exists(RelationalOperation oper, VariableAccess access |
-    oper.getAnOperand() = access and
-    access.getTarget() = var and
-    // Comparing to 0 is not an upper bound check
-    not oper.getAnOperand().getValue() = "0"
-  )
-}
-
-cached
-deprecated private predicate taintedWithArgsAndGlobalVars(
-  Element src, Element dest, boolean destFromArg, string globalVar
-) {
-  isUserInput(src, _) and
-  not unreachable(src) and
-  dest = src and
-  destFromArg = false and
-  globalVar = ""
-  or
-  exists(Element other, boolean otherFromArg, string otherGlobalVar |
-    taintedWithArgsAndGlobalVars(src, other, otherFromArg, otherGlobalVar)
-  |
-    not unreachable(dest) and
-    not hasUpperBoundsCheck(dest) and
-    (
-      // Direct flow from one expression to another.
-      betweenFunctionsValueMoveTo(other, dest, destFromArg) and
-      (destFromArg = true or otherFromArg = false) and
-      globalVar = otherGlobalVar
-      or
-      insideFunctionValueMoveTo(other, dest) and
-      destFromArg = otherFromArg and
-      globalVar = otherGlobalVar
-      or
-      exists(GlobalOrNamespaceVariable v |
-        v = other and
-        globalVariableValueMoveTo(v, dest) and
-        destFromArg = false and
-        v = globalVarFromId(globalVar)
-      )
-    )
-  )
-}
-
-/**
- * A tainted expression is either directly user input, or is
- * computed from user input in a way that users can probably
- * control the exact output of the computation.
- *
- * This doesn't include data flow through global variables.
- * If you need that you must call taintedIncludingGlobalVars.
- */
-deprecated predicate tainted(Expr source, Element tainted) {
-  taintedWithArgsAndGlobalVars(source, tainted, _, "")
-}
-
-/**
- * A tainted expression is either directly user input, or is
- * computed from user input in a way that users can probably
- * control the exact output of the computation.
- *
- * This version gives the same results as tainted but also includes
- * data flow through global variables.
- *
- * The parameter `globalVar` is the name of the last global variable used to move the
- * value from source to tainted.
- */
-deprecated predicate taintedIncludingGlobalVars(Expr source, Element tainted, string globalVar) {
-  taintedWithArgsAndGlobalVars(source, tainted, _, globalVar)
-}
-
-/**
- * A predictable expression is one where an external user can predict
- * the value. For example, a literal in the source code is considered
- * predictable.
- */
-private predicate predictable(Expr expr) {
-  expr instanceof Literal
-  or
-  exists(BinaryOperation binop | binop = expr |
-    predictable(binop.getLeftOperand()) and predictable(binop.getRightOperand())
-  )
-  or
-  exists(UnaryOperation unop | unop = expr | predictable(unop.getOperand()))
-}
-
-private int maxArgIndex(Function f) {
-  result =
-    max(FunctionCall fc, int toMax |
-      fc.getTarget() = f and toMax = fc.getNumberOfArguments() - 1
-    |
-      toMax
-    )
-}
-
-/** Functions that copy the value of one argument to another */
-private predicate copyValueBetweenArguments(Function f, int sourceArg, int destArg) {
-  f.hasGlobalOrStdName("memcpy") and sourceArg = 1 and destArg = 0
-  or
-  f.hasGlobalName("__builtin___memcpy_chk") and sourceArg = 1 and destArg = 0
-  or
-  f.hasGlobalOrStdName("memmove") and sourceArg = 1 and destArg = 0
-  or
-  f.hasGlobalOrStdName("strcat") and sourceArg = 1 and destArg = 0
-  or
-  f.hasGlobalName("_mbscat") and sourceArg = 1 and destArg = 0
-  or
-  f.hasGlobalOrStdName("wcscat") and sourceArg = 1 and destArg = 0
-  or
-  f.hasGlobalOrStdName("strncat") and sourceArg = 1 and destArg = 0
-  or
-  f.hasGlobalName("_mbsncat") and sourceArg = 1 and destArg = 0
-  or
-  f.hasGlobalName("wcsncat") and sourceArg = 1 and destArg = 0
-  or
-  f.hasGlobalOrStdName("strcpy") and sourceArg = 1 and destArg = 0
-  or
-  f.hasGlobalName("_mbscpy") and sourceArg = 1 and destArg = 0
-  or
-  f.hasGlobalOrStdName("wcscpy") and sourceArg = 1 and destArg = 0
-  or
-  f.hasGlobalOrStdName("strncpy") and sourceArg = 1 and destArg = 0
-  or
-  f.hasGlobalName("_mbsncpy") and sourceArg = 1 and destArg = 0
-  or
-  f.hasGlobalOrStdName("wcsncpy") and sourceArg = 1 and destArg = 0
-  or
-  f.hasGlobalName("inet_aton") and sourceArg = 0 and destArg = 1
-  or
-  f.hasGlobalName("inet_pton") and sourceArg = 1 and destArg = 2
-  or
-  f.hasGlobalOrStdName("strftime") and sourceArg in [2 .. maxArgIndex(f)] and destArg = 0
-  or
-  exists(FormattingFunction ff | ff = f |
-    sourceArg in [ff.getFormatParameterIndex() .. maxArgIndex(f)] and
-    destArg = ff.getOutputParameterIndex(false)
-  )
-}
-
-/** Functions where if one of the arguments is tainted, the result should be tainted */
-private predicate returnArgument(Function f, int sourceArg) {
-  f.hasGlobalName("memcpy") and sourceArg = 0
-  or
-  f.hasGlobalName("__builtin___memcpy_chk") and sourceArg = 0
-  or
-  f.hasGlobalOrStdName("memmove") and sourceArg = 0
-  or
-  f.hasGlobalOrStdName("strcat") and sourceArg = 0
-  or
-  f.hasGlobalName("_mbscat") and sourceArg = 0
-  or
-  f.hasGlobalOrStdName("wcsncat") and sourceArg = 0
-  or
-  f.hasGlobalOrStdName("strncat") and sourceArg = 0
-  or
-  f.hasGlobalName("_mbsncat") and sourceArg = 0
-  or
-  f.hasGlobalOrStdName("wcsncat") and sourceArg = 0
-  or
-  f.hasGlobalOrStdName("strcpy") and sourceArg = 0
-  or
-  f.hasGlobalName("_mbscpy") and sourceArg = 0
-  or
-  f.hasGlobalOrStdName("wcscpy") and sourceArg = 0
-  or
-  f.hasGlobalOrStdName("strncpy") and sourceArg = 0
-  or
-  f.hasGlobalName("_mbsncpy") and sourceArg = 0
-  or
-  f.hasGlobalOrStdName("wcsncpy") and sourceArg = 0
-  or
-  f.hasGlobalName("inet_ntoa") and sourceArg = 0
-  or
-  f.hasGlobalName("inet_addr") and sourceArg = 0
-  or
-  f.hasGlobalName("inet_network") and sourceArg = 0
-  or
-  f.hasGlobalName("inet_ntoa") and sourceArg = 0
-  or
-  f.hasGlobalName("inet_makeaddr") and
-  (sourceArg = 0 or sourceArg = 1)
-  or
-  f.hasGlobalName("inet_lnaof") and sourceArg = 0
-  or
-  f.hasGlobalName("inet_netof") and sourceArg = 0
-  or
-  f.hasGlobalName("gethostbyname") and sourceArg = 0
-  or
-  f.hasGlobalName("gethostbyaddr") and sourceArg = 0
-}
-
-/**
- * Resolve potential target function(s) for `call`.
- *
- * If `call` is a call through a function pointer (`ExprCall`) or
- * targets a virtual method, simple data flow analysis is performed
- * in order to identify target(s).
- */
-deprecated Function resolveCall(Call call) {
-  result = call.getTarget()
-  or
-  result = call.(DataSensitiveCallExpr).resolve()
-}
-
-/** A data sensitive call expression. */
-abstract deprecated library class DataSensitiveCallExpr extends Expr {
-  DataSensitiveCallExpr() { not unreachable(this) }
-
-  abstract Expr getSrc();
-
-  cached
-  abstract Function resolve();
-
-  /**
-   * Whether `src` can flow to this call expression.
-   *
-   * Searches backwards from `getSrc()` to `src`.
-   */
-  predicate flowsFrom(Element src, boolean allowFromArg) {
-    src = this.getSrc() and allowFromArg = true
-    or
-    exists(Element other, boolean allowOtherFromArg | this.flowsFrom(other, allowOtherFromArg) |
-      exists(boolean otherFromArg | betweenFunctionsValueMoveToStatic(src, other, otherFromArg) |
-        otherFromArg = true and allowOtherFromArg = true and allowFromArg = true
-        or
-        otherFromArg = false and allowFromArg = false
-      )
-      or
-      insideFunctionValueMoveTo(src, other) and allowFromArg = allowOtherFromArg
-      or
-      globalVariableValueMoveTo(src, other) and allowFromArg = true
-    )
-  }
-}
-
-/** Call through a function pointer. */
-deprecated library class DataSensitiveExprCall extends DataSensitiveCallExpr, ExprCall {
-  override Expr getSrc() { result = this.getExpr() }
-
-  override Function resolve() {
-    exists(FunctionAccess fa | this.flowsFrom(fa, true) | result = fa.getTarget())
-  }
-}
-
-/** Call to a virtual function. */
-deprecated library class DataSensitiveOverriddenFunctionCall extends DataSensitiveCallExpr,
-  FunctionCall
-{
-  DataSensitiveOverriddenFunctionCall() {
-    exists(this.getTarget().(VirtualFunction).getAnOverridingFunction())
-  }
-
-  override Expr getSrc() { result = this.getQualifier() }
-
-  override MemberFunction resolve() {
-    exists(NewExpr new |
-      this.flowsFrom(new, true) and
-      memberFunctionFromNewExpr(new, result) and
-      result.overrides*(this.getTarget().(VirtualFunction))
-    )
-  }
-}
-
-private predicate memberFunctionFromNewExpr(NewExpr new, MemberFunction f) {
-  f = new.getAllocatedType().(Class).getAMemberFunction()
-}
-
-/** Same as `betweenFunctionsValueMoveTo`, but calls are resolved to their static target. */
-private predicate betweenFunctionsValueMoveToStatic(Element src, Element dest, boolean destFromArg) {
-  not unreachable(src) and
-  not unreachable(dest) and
-  (
-    exists(FunctionCall call, Function called, int i |
-      src = call.getArgument(i) and
-      called = call.getTarget() and
-      dest = called.getParameter(i) and
-      destFromArg = true
-    )
-    or
-    // Only move the return of the function to the function itself if the value didn't came from an
-    // argument, or else we would taint all the calls to one function if one argument is tainted
-    // somewhere
-    exists(Function f, ReturnStmt ret |
-      ret.getEnclosingFunction() = f and
-      src = ret.getExpr() and
-      destFromArg = false and
-      dest = f
-    )
-    or
-    exists(FunctionCall call, Function f |
-      call.getTarget() = f and
-      src = f and
-      dest = call and
-      destFromArg = false
-    )
-    or
-    // If a parameter of type reference is tainted inside a function, taint the argument too
-    exists(FunctionCall call, Function f, int pi, Parameter p |
-      call.getTarget() = f and
-      f.getParameter(pi) = p and
-      p.getType() instanceof ReferenceType and
-      src = p and
-      dest = call.getArgument(pi) and
-      destFromArg = false
-    )
-  )
-}
--- a/cpp/ql/lib/semmlecode.cpp.dbscheme
+++ b/cpp/ql/lib/semmlecode.cpp.dbscheme
@@ -356,6 +356,8 @@ case @function.kind of
 | 4 = @conversion_function
 | 5 = @operator
 | 6 = @builtin_function     // GCC built-in functions, e.g. __builtin___memcpy_chk
+| 7 = @user_defined_literal
+| 8 = @deduction_guide
 ;
 */

@@ -405,6 +407,8 @@ function_deleted(unique int id: @function ref);

 function_defaulted(unique int id: @function ref);

+function_prototyped(unique int id: @function ref)
+
 member_function_this_type(
    unique int id: @function ref,
    int this_type: @type ref
@@ -935,6 +939,7 @@ case @attribute_arg.kind of
 | 2 = @attribute_arg_constant
 | 3 = @attribute_arg_type
 | 4 = @attribute_arg_constant_expr
+| 5 = @attribute_arg_expr
 ;

 attribute_arg_value(
@@ -949,6 +954,10 @@ attribute_arg_constant(
    unique int arg: @attribute_arg ref,
    int constant: @expr ref
 )
+attribute_arg_expr(
+    unique int arg: @attribute_arg ref,
+    int expr: @expr ref
+)
 attribute_arg_name(
    unique int arg: @attribute_arg ref,
    string name: string ref
@@ -2147,7 +2156,7 @@ includes(
 );

 link_targets(
-    unique int id: @link_target,
+    int id: @link_target,
    int binary: @file ref
 );

--- a/cpp/ql/lib/semmlecode.cpp.dbscheme.stats
+++ b/cpp/ql/lib/semmlecode.cpp.dbscheme.stats
--- a/cpp/ql/lib/upgrades/0a9eb01d3650642e013eb86be45d952289537f91/old.dbscheme
+++ b/cpp/ql/lib/upgrades/0a9eb01d3650642e013eb86be45d952289537f91/old.dbscheme
--- a/Show More
+++ b/Show More