Merge pull request #18242 from github/release-prep/2.20.0

Release preparation for version 2.20.0

.bazelrc

@@ -23,6 +23,5 @@ common --registry=file:///%workspace%/misc/bazel/registry
 common --registry=https://bcr.bazel.build
 
 common --@rules_dotnet//dotnet/settings:strict_deps=false
-common --experimental_isolated_extension_usages
 
 try-import %workspace%/local.bazelrc

.bazelrc.internal

@@ -8,4 +8,3 @@ common --registry=https://bcr.bazel.build
 # its implementation packages without providing any code itself.
 # We either can depend on internal implementation details, or turn of strict deps.
 common --@rules_dotnet//dotnet/settings:strict_deps=false
-common --experimental_isolated_extension_usages

.devcontainer/devcontainer.json

@@ -1,4 +1,5 @@
 {
+  "image": "mcr.microsoft.com/devcontainers/base:ubuntu-24.04",
   "extensions": [
     "rust-lang.rust-analyzer",
     "bungcip.better-toml",

.github/workflows/codeql-analysis.yml

@@ -30,7 +30,7 @@ jobs:
     - name: Setup dotnet
       uses: actions/setup-dotnet@v4
       with:
-        dotnet-version: 8.0.101
+        dotnet-version: 9.0.100
 
     - name: Checkout repository
       uses: actions/checkout@v4

.github/workflows/compile-queries.yml

@@ -7,6 +7,11 @@ on:
       - "rc/*"
       - "codeql-cli-*"
   pull_request:
+    paths:
+      - '**.ql'
+      - '**.qll'
+      - '**/qlpack.yml'
+      - '**.dbscheme'
 
 permissions:
   contents: read
@@ -33,9 +38,9 @@ jobs:
         # run with --check-only if running in a PR (github.sha != main)
         if : ${{ github.event_name == 'pull_request' }}
         shell: bash
-        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500
+        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
       - name: compile queries - full
         # do full compile if running on main - this populates the cache
         if : ${{ github.event_name != 'pull_request' }}
         shell: bash
-        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500
+        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000

.github/workflows/cpp-swift-analysis.yml

@@ -48,7 +48,7 @@ jobs:
     - name: "Build Swift extractor using Bazel"
       run: |
         bazel clean --expunge
-        bazel run //swift:create-extractor-pack --nouse_action_cache --noremote_accept_cached --noremote_upload_local_results --spawn_strategy=local
+        bazel run //swift:install --nouse_action_cache --noremote_accept_cached --noremote_upload_local_results --spawn_strategy=local
         bazel shutdown
 
     - name: Perform CodeQL Analysis

.github/workflows/csharp-qltest.yml

@@ -5,8 +5,10 @@ on:
     paths:
       - "csharp/**"
       - "shared/**"
+      - "misc/bazel/**"
       - .github/actions/fetch-codeql/action.yml
       - codeql-workspace.yml
+      - "MODULE.bazel"
     branches:
       - main
       - "rc/*"
@@ -14,9 +16,11 @@ on:
     paths:
       - "csharp/**"
       - "shared/**"
+      - "misc/bazel/**"
       - .github/workflows/csharp-qltest.yml
       - .github/actions/fetch-codeql/action.yml
       - codeql-workspace.yml
+      - "MODULE.bazel"
     branches:
       - main
       - "rc/*"
@@ -39,14 +43,14 @@ jobs:
       - name: Setup dotnet
         uses: actions/setup-dotnet@v4
         with:
-          dotnet-version: 8.0.101
+          dotnet-version: 9.0.100
       - name: Extractor unit tests
         run: |
           dotnet tool restore
-          dotnet test -p:RuntimeFrameworkVersion=8.0.1 extractor/Semmle.Util.Tests
-          dotnet test -p:RuntimeFrameworkVersion=8.0.1 extractor/Semmle.Extraction.Tests
-          dotnet test -p:RuntimeFrameworkVersion=8.0.1 autobuilder/Semmle.Autobuild.CSharp.Tests
-          dotnet test -p:RuntimeFrameworkVersion=8.0.1 autobuilder/Semmle.Autobuild.Cpp.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.0 extractor/Semmle.Util.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.0 extractor/Semmle.Extraction.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.0 autobuilder/Semmle.Autobuild.CSharp.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.0 autobuilder/Semmle.Autobuild.Cpp.Tests
         shell: bash
   stubgentest:
     runs-on: ubuntu-latest

.pre-commit-config.yaml

@@ -72,7 +72,7 @@ repos:
 
       - id: rust-codegen
         name: Run Rust checked in code generation
-        files: ^misc/codegen/|^rust/(schema.py$|codegen/|.*/generated/|ql/lib/(rust\.dbscheme$|codeql/rust/elements)|\.generated.list)
+        files: ^misc/codegen/|^rust/(prefix\.dbscheme|schema/|codegen/|.*/generated/|ql/lib/(rust\.dbscheme$|codeql/rust/elements)|\.generated.list)
         language: system
         entry: bazel run //rust/codegen -- --quiet
         pass_filenames: false

.vscode/tasks.json

@@ -38,6 +38,93 @@
                 "command": "${config:python.pythonPath}",
             },
             "problemMatcher": []
+        },
+        {
+            "label": "Create query change note",
+            "type": "process",
+            "command": "python3",
+            "args": [
+                "misc/scripts/create-change-note.py",
+                "${input:language}",
+                "src",
+                "${input:name}",
+                "${input:categoryQuery}"
+            ],
+            "presentation": {
+                "reveal": "never",
+                "close": true
+            },
+            "problemMatcher": []
+        },
+                {
+            "label": "Create library change note",
+            "type": "process",
+            "command": "python3",
+            "args": [
+                "misc/scripts/create-change-note.py",
+                "${input:language}",
+                "lib",
+                "${input:name}",
+                "${input:categoryLibrary}"
+            ],
+            "presentation": {
+                "reveal": "never",
+                "close": true
+            },
+            "problemMatcher": []
+        }
+    ],
+    "inputs": [
+        {
+            "type": "pickString",
+            "id": "language",
+            "description": "Language",
+            "options":
+            [
+                "go",
+                "java",
+                "javascript",
+                "cpp",
+                "csharp",
+                "python",
+                "ruby",
+                "rust",
+                "swift",
+            ]
+        },
+        {
+            "type": "promptString",
+            "id": "name",
+            "description": "Short name (kebab-case)"
+        },
+        {
+            "type": "pickString",
+            "id": "categoryQuery",
+            "description": "Category (query change)",
+            "options":
+            [
+                "breaking",
+                "deprecated",
+                "newQuery",
+                "queryMetadata",
+                "majorAnalysis",
+                "minorAnalysis",
+                "fix",
+            ]
+        },
+                {
+            "type": "pickString",
+            "id": "categoryLibrary",
+            "description": "Category (library change)",
+            "options":
+            [
+                "breaking",
+                "deprecated",
+                "feature",
+                "majorAnalysis",
+                "minorAnalysis",
+                "fix",
+            ]
         }
     ]
 }

2024-11-25-ts57.md

@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* Added support for TypeScript 5.7.

BUILD.bazel

@@ -1 +1,5 @@
-exports_files(["LICENSE"])
+exports_files([
+    "LICENSE",
+    "Cargo.lock",
+    "Cargo.toml",
+])

CODEOWNERS

@@ -42,3 +42,6 @@ MODULE.bazel @github/codeql-ci-reviewers
 # Misc
 /misc/scripts/accept-expected-changes-from-ci.py @RasmusWL
 /misc/scripts/generate-code-scanning-query-list.py @RasmusWL
+
+# .devcontainer
+/.devcontainer/ @github/codeql-ci-reviewers

Cargo.lock

@@ -381,18 +381,22 @@ version = "0.1.0"
 dependencies = [
  "anyhow",
  "argfile",
+ "chrono",
  "clap",
  "codeql-extractor",
+ "dunce",
  "figment",
  "glob",
  "itertools 0.13.0",
  "log",
  "num-traits",
  "ra_ap_base_db",
+ "ra_ap_cfg",
  "ra_ap_hir",
  "ra_ap_hir_def",
  "ra_ap_hir_expand",
  "ra_ap_ide_db",
+ "ra_ap_intern",
  "ra_ap_load-cargo",
  "ra_ap_parser",
  "ra_ap_paths",
@@ -402,6 +406,7 @@ dependencies = [
  "ra_ap_vfs",
  "rust-extractor-macros",
  "serde",
+ "serde_json",
  "serde_with",
  "stderrlog",
  "triomphe",
@@ -538,6 +543,12 @@ version = "0.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9bda8e21c04aca2ae33ffc2fd8c23134f3cac46db123ba97bd9d3f3b8a4a85e1"
 
+[[package]]
+name = "dunce"
+version = "1.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "92773504d58c093f6de2459af4af33faa518c13451eb8f2b5698ed3d36e7c813"
+
 [[package]]
 name = "either"
 version = "1.13.0"
@@ -2032,9 +2043,9 @@ dependencies = [
 
 [[package]]
 name = "serde_json"
-version = "1.0.132"
+version = "1.0.133"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d726bfaff4b320266d395898905d0eba0345aae23b54aee3a737e260fd46db03"
+checksum = "c7fceb2473b9166b2294ef05efcb65a3db80803f0b03ef86a5fc88a2b85ee377"
 dependencies = [
  "itoa",
  "memchr",

MODULE.bazel

@@ -25,50 +25,53 @@ bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "10.0.0")
 bazel_dep(name = "rules_kotlin", version = "2.0.0-codeql.1")
 bazel_dep(name = "gazelle", version = "0.38.0")
-bazel_dep(name = "rules_dotnet", version = "0.16.1")
+bazel_dep(name = "rules_dotnet", version = "0.17.4")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
 bazel_dep(name = "rules_rust", version = "0.52.2")
 
 bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
 
-# crate_py but shortened due to Windows file path considerations
-cp = use_extension(
-    "@rules_rust//crate_universe:extension.bzl",
-    "crate",
-    isolate = True,
-)
-cp.from_cargo(
-    name = "py_deps",
-    cargo_lockfile = "//python/extractor/tsg-python:Cargo.lock",
-    manifests = [
-        "//python/extractor/tsg-python:Cargo.toml",
-        "//python/extractor/tsg-python/tsp:Cargo.toml",
-    ],
-)
-use_repo(cp, "py_deps")
+# Keep edition and version approximately in sync with internal repo.
+# the versions there are canonical, the versions here are used for CI in github/codeql, as well as for the vendoring of dependencies.
+RUST_EDITION = "2021"
 
-# deps for ruby+rust, but shortened due to windows file paths
-r = use_extension(
-    "@rules_rust//crate_universe:extension.bzl",
-    "crate",
-    isolate = True,
-)
-r.from_cargo(
-    name = "r",
-    cargo_lockfile = "//:Cargo.lock",
-    manifests = [
-        "//:Cargo.toml",
-        "//ruby/extractor:Cargo.toml",
-        "//rust/extractor:Cargo.toml",
-        "//rust/extractor/macros:Cargo.toml",
-        "//rust/ast-generator:Cargo.toml",
-        "//shared/tree-sitter-extractor:Cargo.toml",
+RUST_VERSION = "1.81.0"
+
+rust = use_extension("@rules_rust//rust:extensions.bzl", "rust")
+rust.toolchain(
+    edition = RUST_EDITION,
+    # We need those extra target triples so that we can build universal binaries on macos
+    extra_target_triples = [
+        "x86_64-apple-darwin",
+        "aarch64-apple-darwin",
     ],
+    versions = [RUST_VERSION],
 )
-use_repo(r, tree_sitter_extractors_deps = "r")
+use_repo(rust, "rust_toolchains")
+
+register_toolchains("@rust_toolchains//:all")
+
+rust_host_tools = use_extension("@rules_rust//rust:extensions.bzl", "rust_host_tools")
+
+# Don't download a second toolchain as host toolchain, make sure this is the same version as above
+# The host toolchain is used for vendoring dependencies.
+rust_host_tools.host_tools(
+    edition = RUST_EDITION,
+    version = RUST_VERSION,
+)
+
+# deps for python extractor
+# keep in sync by running `misc/bazel/3rdparty/update_cargo_deps.sh`
+py_deps = use_extension("//misc/bazel/3rdparty:py_deps_extension.bzl", "p")
+use_repo(py_deps, "vendor__anyhow-1.0.44", "vendor__cc-1.0.70", "vendor__clap-2.33.3", "vendor__regex-1.5.5", "vendor__smallvec-1.6.1", "vendor__string-interner-0.12.2", "vendor__thiserror-1.0.29", "vendor__tree-sitter-0.20.4", "vendor__tree-sitter-graph-0.7.0")
+
+# deps for ruby+rust
+# keep in sync by running `misc/bazel/3rdparty/update_cargo_deps.sh`
+tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r")
+use_repo(tree_sitter_extractors_deps, "vendor__anyhow-1.0.93", "vendor__argfile-0.2.1", "vendor__chrono-0.4.38", "vendor__clap-4.5.20", "vendor__dunce-1.0.5", "vendor__encoding-0.2.33", "vendor__figment-0.10.19", "vendor__flate2-1.0.34", "vendor__glob-0.3.1", "vendor__globset-0.4.15", "vendor__itertools-0.10.5", "vendor__itertools-0.13.0", "vendor__lazy_static-1.5.0", "vendor__log-0.4.22", "vendor__num-traits-0.2.19", "vendor__num_cpus-1.16.0", "vendor__proc-macro2-1.0.89", "vendor__quote-1.0.37", "vendor__ra_ap_base_db-0.0.232", "vendor__ra_ap_cfg-0.0.232", "vendor__ra_ap_hir-0.0.232", "vendor__ra_ap_hir_def-0.0.232", "vendor__ra_ap_hir_expand-0.0.232", "vendor__ra_ap_ide_db-0.0.232", "vendor__ra_ap_intern-0.0.232", "vendor__ra_ap_load-cargo-0.0.232", "vendor__ra_ap_parser-0.0.232", "vendor__ra_ap_paths-0.0.232", "vendor__ra_ap_project_model-0.0.232", "vendor__ra_ap_span-0.0.232", "vendor__ra_ap_syntax-0.0.232", "vendor__ra_ap_vfs-0.0.232", "vendor__rand-0.8.5", "vendor__rayon-1.10.0", "vendor__regex-1.11.1", "vendor__serde-1.0.214", "vendor__serde_json-1.0.133", "vendor__serde_with-3.11.0", "vendor__stderrlog-0.6.0", "vendor__syn-2.0.87", "vendor__tracing-0.1.40", "vendor__tracing-subscriber-0.3.18", "vendor__tree-sitter-0.24.4", "vendor__tree-sitter-embedded-template-0.23.2", "vendor__tree-sitter-json-0.24.8", "vendor__tree-sitter-ql-0.23.1", "vendor__tree-sitter-ruby-0.23.1", "vendor__triomphe-0.1.14", "vendor__ungrammar-1.16.1")
 
 dotnet = use_extension("@rules_dotnet//dotnet:extensions.bzl", "dotnet")
-dotnet.toolchain(dotnet_version = "8.0.101")
+dotnet.toolchain(dotnet_version = "9.0.100")
 use_repo(dotnet, "dotnet_toolchains")
 
 register_toolchains("@dotnet_toolchains//:all")

actions/BUILD.bazel

@@ -2,19 +2,8 @@ load("//misc/bazel:pkg.bzl", "codeql_pack")
 
 package(default_visibility = ["//visibility:public"])
 
-[
-    codeql_pack(
-        name = "-".join(parts),
-        srcs = [
-            "//actions/extractor",
-        ],
-        pack_prefix = "/".join(parts),
-    )
-    for parts in (
-        [
-            "experimental",
-            "actions",
-        ],
-        ["actions"],
-    )
-]
+codeql_pack(
+    name = "actions",
+    srcs = ["//actions/extractor"],
+    experimental = True,
+)

config/identical-files.json

@@ -1,58 +1,4 @@
 {
-  "DataFlow Java/C++/C#/Go/Python/Ruby/Swift Legacy Configuration": [
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl1.qll",
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll",
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll",
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll",
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll",
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl1.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll",
-    "go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl1.qll",
-    "go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl2.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl1.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl1.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll",
-    "swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl1.qll"
-  ],
-  "TaintTracking Legacy Configuration Java/C++/C#/Go/Python/Ruby/Swift": [
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingImpl.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll",
-    "go/ql/lib/semmle/go/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "go/ql/lib/semmle/go/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
-    "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
-    "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking1/TaintTrackingImpl.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking2/TaintTrackingImpl.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "swift/ql/lib/codeql/swift/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
-  ],
   "SsaReadPosition Java/C#": [
     "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"

cpp/downgrades/f0156f5f88ab5967c79162012c20f30600ca5ebf/upgrade.properties

@@ -0,0 +1,3 @@
+description: Implement compilation_build_mode/2
+compatibility: full
+compilation_build_mode.rel: delete

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,17 @@
+## 3.0.0
+
+### Breaking Changes
+
+* Deleted the old deprecated data flow API that was based on extending a configuration class. See https://github.blog/changelog/2023-08-14-new-dataflow-api-for-writing-custom-codeql-queries for instructions on migrating your queries to use the new API.
+
+### Deprecated APIs
+
+* The `NonThrowing` class (`semmle.code.cpp.models.interfaces.NonThrowing`) has been deprecated. Please use the `NonCppThrowingFunction` class instead.
+
+## 2.1.1
+
+No user-facing changes.
+
 ## 2.1.0
 
 ### New Features

cpp/ql/lib/change-notes/released/2.1.1.md

@@ -0,0 +1,3 @@
+## 2.1.1
+
+No user-facing changes.

cpp/ql/lib/change-notes/released/3.0.0.md

@@ -0,0 +1,9 @@
+## 3.0.0
+
+### Breaking Changes
+
+* Deleted the old deprecated data flow API that was based on extending a configuration class. See https://github.blog/changelog/2023-08-14-new-dataflow-api-for-writing-custom-codeql-queries for instructions on migrating your queries to use the new API.
+
+### Deprecated APIs
+
+* The `NonThrowing` class (`semmle.code.cpp.models.interfaces.NonThrowing`) has been deprecated. Please use the `NonCppThrowingFunction` class instead.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.1.0
+lastReleaseVersion: 3.0.0

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 2.1.1-dev
+version: 3.0.0
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/Compilation.qll

@@ -112,4 +112,7 @@ class Compilation extends @compilation {
    * termination, but crashing due to something like a segfault is not.
    */
   predicate normalTermination() { compilation_finished(this, _, _) }
+
+  /** Holds if this compilation was compiled using the "none" build mode. */
+  predicate buildModeNone() { compilation_build_mode(this, 0) }
 }

cpp/ql/lib/semmle/code/cpp/dataflow/DataFlow.qll

@@ -29,5 +29,5 @@ deprecated module DataFlow {
   private import semmle.code.cpp.dataflow.internal.DataFlowImplSpecific
   private import codeql.dataflow.DataFlow
   import DataFlowMake<Location, CppOldDataFlow>
-  import semmle.code.cpp.dataflow.internal.DataFlowImpl1
+  import Public
 }

cpp/ql/lib/semmle/code/cpp/dataflow/DataFlow2.qll

@@ -1,22 +0,0 @@
-/**
- * Provides a `DataFlow2` module, which is a copy of the `DataFlow` module. Use
- * this class when data-flow configurations must depend on each other. Two
- * classes extending `DataFlow::Configuration` should never depend on each
- * other, but one of them should instead depend on a
- * `DataFlow2::Configuration`, a `DataFlow3::Configuration`, or a
- * `DataFlow4::Configuration`.
- *
- * See `semmle.code.cpp.dataflow.DataFlow` for the full documentation.
- */
-
-import cpp
-
-/**
- * DEPRECATED: Use `semmle.code.cpp.dataflow.new.DataFlow2` instead.
- *
- * Provides classes for performing local (intra-procedural) and
- * global (inter-procedural) data flow analyses.
- */
-deprecated module DataFlow2 {
-  import semmle.code.cpp.dataflow.internal.DataFlowImpl2
-}

cpp/ql/lib/semmle/code/cpp/dataflow/DataFlow3.qll

@@ -1,22 +0,0 @@
-/**
- * Provides a `DataFlow3` module, which is a copy of the `DataFlow` module. Use
- * this class when data-flow configurations must depend on each other. Two
- * classes extending `DataFlow::Configuration` should never depend on each
- * other, but one of them should instead depend on a
- * `DataFlow2::Configuration`, a `DataFlow3::Configuration`, or a
- * `DataFlow4::Configuration`.
- *
- * See `semmle.code.cpp.dataflow.DataFlow` for the full documentation.
- */
-
-import cpp
-
-/**
- * DEPRECATED: Use `semmle.code.cpp.dataflow.new.DataFlow3` instead.
- *
- * Provides classes for performing local (intra-procedural) and
- * global (inter-procedural) data flow analyses.
- */
-deprecated module DataFlow3 {
-  import semmle.code.cpp.dataflow.internal.DataFlowImpl3
-}

cpp/ql/lib/semmle/code/cpp/dataflow/DataFlow4.qll

@@ -1,22 +0,0 @@
-/**
- * Provides a `DataFlow4` module, which is a copy of the `DataFlow` module. Use
- * this class when data-flow configurations must depend on each other. Two
- * classes extending `DataFlow::Configuration` should never depend on each
- * other, but one of them should instead depend on a
- * `DataFlow2::Configuration`, a `DataFlow3::Configuration`, or a
- * `DataFlow4::Configuration`.
- *
- * See `semmle.code.cpp.dataflow.DataFlow` for the full documentation.
- */
-
-import cpp
-
-/**
- * DEPRECATED: Use `semmle.code.cpp.dataflow.new.DataFlow4` instead.
- *
- * Provides classes for performing local (intra-procedural) and
- * global (inter-procedural) data flow analyses.
- */
-deprecated module DataFlow4 {
-  import semmle.code.cpp.dataflow.internal.DataFlowImpl4
-}

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -793,28 +793,27 @@ private Element interpretElement0(
 ) {
   (
     // Non-member functions
-    elementSpec(namespace, type, subtypes, name, signature, _) and
+    funcHasQualifiedName(result, namespace, name) and
     subtypes = false and
     type = "" and
     (
       elementSpecMatchesSignature(result, namespace, type, subtypes, name, signature)
       or
       signature = "" and
-      elementSpec(namespace, type, subtypes, name, "", _) and
-      funcHasQualifiedName(result, namespace, name)
+      elementSpec(namespace, type, subtypes, name, signature, _)
     )
     or
     // Member functions
     exists(Class namedClass, Class classWithMethod |
+      hasClassAndName(classWithMethod, result, name) and
+      classHasQualifiedName(namedClass, namespace, type)
+    |
       (
-        elementSpecMatchesSignature(result, namespace, type, subtypes, name, signature) and
-        hasClassAndName(classWithMethod, result, name)
+        elementSpecMatchesSignature(result, namespace, type, subtypes, name, signature)
         or
         signature = "" and
-        elementSpec(namespace, type, subtypes, name, "", _) and
-        hasClassAndName(classWithMethod, result, name)
+        elementSpec(namespace, type, subtypes, name, "", _)
       ) and
-      classHasQualifiedName(namedClass, namespace, type) and
       (
         // member declared in the named type or a subtype of it
         subtypes = true and

cpp/ql/lib/semmle/code/cpp/dataflow/RecursionPrevention.qll

@@ -1,39 +0,0 @@
-/**
- * DEPRECATED: Recursion through `DataFlow::Configuration` is impossible in
- * any supported tooling. There is no need for this module because it's
- * impossible to accidentally depend on recursion through
- * `DataFlow::Configuration` in current releases.
- *
- * When this module is imported, recursive use of `DataFlow::Configuration` is
- * disallowed. Importing this module will guarantee the absence of such
- * recursion, which is unsupported and will be unconditionally disallowed in a
- * future release.
- *
- * Recursive use of `DataFlow{2..4}::Configuration` is always disallowed, so no
- * import is needed for those.
- */
-
-import cpp
-private import semmle.code.cpp.dataflow.DataFlow
-
-/**
- * This class exists to prevent mutual recursion between the user-overridden
- * member predicates of `Configuration` and the rest of the data-flow library.
- * Good performance cannot be guaranteed in the presence of such recursion, so
- * it should be replaced by using more than one copy of the data flow library.
- * Four copies are available: `DataFlow` through `DataFlow4`.
- */
-abstract private class ConfigurationRecursionPrevention extends DataFlow::Configuration {
-  bindingset[this]
-  ConfigurationRecursionPrevention() { any() }
-
-  override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
-    strictcount(DataFlow::Node n | this.isSource(n)) < 0
-    or
-    strictcount(DataFlow::Node n | this.isSink(n)) < 0
-    or
-    strictcount(DataFlow::Node n1, DataFlow::Node n2 | this.isAdditionalFlowStep(n1, n2)) < 0
-    or
-    super.hasFlow(source, sink)
-  }
-}

cpp/ql/lib/semmle/code/cpp/dataflow/TaintTracking.qll

@@ -16,7 +16,6 @@
  */
 
 import semmle.code.cpp.dataflow.DataFlow
-import semmle.code.cpp.dataflow.DataFlow2
 
 /**
  * DEPRECATED: Use `semmle.code.cpp.dataflow.new.TaintTracking` instead.
@@ -25,10 +24,9 @@ import semmle.code.cpp.dataflow.DataFlow2
  * global (inter-procedural) taint-tracking analyses.
  */
 deprecated module TaintTracking {
-  import semmle.code.cpp.dataflow.internal.tainttracking1.TaintTrackingParameter::Public
+  import semmle.code.cpp.dataflow.internal.TaintTrackingUtil
   private import semmle.code.cpp.dataflow.internal.DataFlowImplSpecific
   private import semmle.code.cpp.dataflow.internal.TaintTrackingImplSpecific
   private import codeql.dataflow.TaintTracking
   import TaintFlowMake<Location, CppOldDataFlow, CppOldTaintTracking>
-  import semmle.code.cpp.dataflow.internal.tainttracking1.TaintTrackingImpl
 }

cpp/ql/lib/semmle/code/cpp/dataflow/TaintTracking2.qll

@@ -1,22 +0,0 @@
-/**
- * Provides a `TaintTracking2` module, which is a copy of the `TaintTracking`
- * module. Use this class when data-flow configurations or taint-tracking
- * configurations must depend on each other. Two classes extending
- * `DataFlow::Configuration` should never depend on each other, but one of them
- * should instead depend on a `DataFlow2::Configuration`, a
- * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`. The
- * `TaintTracking::Configuration` class extends `DataFlow::Configuration`, and
- * `TaintTracking2::Configuration` extends `DataFlow2::Configuration`.
- *
- * See `semmle.code.cpp.dataflow.TaintTracking` for the full documentation.
- */
-
-/**
- * DEPRECATED: Use `semmle.code.cpp.dataflow.new.TaintTracking2` instead.
- *
- * Provides classes for performing local (intra-procedural) and
- * global (inter-procedural) taint-tracking analyses.
- */
-deprecated module TaintTracking2 {
-  import semmle.code.cpp.dataflow.internal.tainttracking2.TaintTrackingImpl
-}

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll

@@ -1,361 +0,0 @@
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * Provides a `Configuration` class backwards-compatible interface to the data
- * flow library.
- */
-
-private import DataFlowImplCommon
-private import DataFlowImplSpecific::Private
-import DataFlowImplSpecific::Public
-private import DataFlowImpl
-import DataFlowImplCommonPublic
-deprecated import FlowStateString
-private import codeql.util.Unit
-
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * A configuration of interprocedural data flow analysis. This defines
- * sources, sinks, and any other configurable aspect of the analysis. Each
- * use of the global data flow library must define its own unique extension
- * of this abstract class. To create a configuration, extend this class with
- * a subclass whose characteristic predicate is a unique singleton string.
- * For example, write
- *
- * ```ql
- * class MyAnalysisConfiguration extends DataFlow::Configuration {
- *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
- *   // Override `isSource` and `isSink`.
- *   // Optionally override `isBarrier`.
- *   // Optionally override `isAdditionalFlowStep`.
- * }
- * ```
- * Conceptually, this defines a graph where the nodes are `DataFlow::Node`s and
- * the edges are those data-flow steps that preserve the value of the node
- * along with any additional edges defined by `isAdditionalFlowStep`.
- * Specifying nodes in `isBarrier` will remove those nodes from the graph, and
- * specifying nodes in `isBarrierIn` and/or `isBarrierOut` will remove in-going
- * and/or out-going edges from those nodes, respectively.
- *
- * Then, to query whether there is flow between some `source` and `sink`,
- * write
- *
- * ```ql
- * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
- * ```
- *
- * Multiple configurations can coexist, but two classes extending
- * `DataFlow::Configuration` should never depend on each other. One of them
- * should instead depend on a `DataFlow2::Configuration`, a
- * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`.
- */
-abstract deprecated class Configuration extends string {
-  bindingset[this]
-  Configuration() { any() }
-
-  /**
-   * Holds if `source` is a relevant data flow source.
-   */
-  predicate isSource(Node source) { none() }
-
-  /**
-   * Holds if `source` is a relevant data flow source with the given initial
-   * `state`.
-   */
-  predicate isSource(Node source, FlowState state) { none() }
-
-  /**
-   * Holds if `sink` is a relevant data flow sink.
-   */
-  predicate isSink(Node sink) { none() }
-
-  /**
-   * Holds if `sink` is a relevant data flow sink accepting `state`.
-   */
-  predicate isSink(Node sink, FlowState state) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited. This completely removes
-   * `node` from the data flow graph.
-   */
-  predicate isBarrier(Node node) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isBarrier(Node node, FlowState state) { none() }
-
-  /** Holds if data flow into `node` is prohibited. */
-  predicate isBarrierIn(Node node) { none() }
-
-  /** Holds if data flow out of `node` is prohibited. */
-  predicate isBarrierOut(Node node) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   */
-  predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
-    none()
-  }
-
-  /**
-   * Holds if an arbitrary number of implicit read steps of content `c` may be
-   * taken at `node`.
-   */
-  predicate allowImplicitRead(Node node, ContentSet c) { none() }
-
-  /**
-   * Gets the virtual dispatch branching limit when calculating field flow.
-   * This can be overridden to a smaller value to improve performance (a
-   * value of 0 disables field flow), or a larger value to get more results.
-   */
-  int fieldFlowBranchLimit() { result = 2 }
-
-  /**
-   * Gets a data flow configuration feature to add restrictions to the set of
-   * valid flow paths.
-   *
-   * - `FeatureHasSourceCallContext`:
-   *    Assume that sources have some existing call context to disallow
-   *    conflicting return-flow directly following the source.
-   * - `FeatureHasSinkCallContext`:
-   *    Assume that sinks have some existing call context to disallow
-   *    conflicting argument-to-parameter flow directly preceding the sink.
-   * - `FeatureEqualSourceSinkCallContext`:
-   *    Implies both of the above and additionally ensures that the entire flow
-   *    path preserves the call context.
-   *
-   * These features are generally not relevant for typical end-to-end data flow
-   * queries, but should only be used for constructing paths that need to
-   * somehow be pluggable in another path context.
-   */
-  FlowFeature getAFeature() { none() }
-
-  /** Holds if sources should be grouped in the result of `hasFlowPath`. */
-  predicate sourceGrouping(Node source, string sourceGroup) { none() }
-
-  /** Holds if sinks should be grouped in the result of `hasFlowPath`. */
-  predicate sinkGrouping(Node sink, string sinkGroup) { none() }
-
-  /**
-   * Holds if data may flow from `source` to `sink` for this configuration.
-   */
-  predicate hasFlow(Node source, Node sink) { hasFlow(source, sink, this) }
-
-  /**
-   * Holds if data may flow from `source` to `sink` for this configuration.
-   *
-   * The corresponding paths are generated from the end-points and the graph
-   * included in the module `PathGraph`.
-   */
-  predicate hasFlowPath(PathNode source, PathNode sink) { hasFlowPath(source, sink, this) }
-
-  /**
-   * Holds if data may flow from some source to `sink` for this configuration.
-   */
-  predicate hasFlowTo(Node sink) { hasFlowTo(sink, this) }
-
-  /**
-   * Holds if data may flow from some source to `sink` for this configuration.
-   */
-  predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
-
-  /**
-   * Holds if hidden nodes should be included in the data flow graph.
-   *
-   * This feature should only be used for debugging or when the data flow graph
-   * is not visualized (for example in a `path-problem` query).
-   */
-  predicate includeHiddenNodes() { none() }
-}
-
-/**
- * This class exists to prevent mutual recursion between the user-overridden
- * member predicates of `Configuration` and the rest of the data-flow library.
- * Good performance cannot be guaranteed in the presence of such recursion, so
- * it should be replaced by using more than one copy of the data flow library.
- */
-abstract deprecated private class ConfigurationRecursionPrevention extends Configuration {
-  bindingset[this]
-  ConfigurationRecursionPrevention() { any() }
-
-  override predicate hasFlow(Node source, Node sink) {
-    strictcount(Node n | this.isSource(n)) < 0
-    or
-    strictcount(Node n | this.isSource(n, _)) < 0
-    or
-    strictcount(Node n | this.isSink(n)) < 0
-    or
-    strictcount(Node n | this.isSink(n, _)) < 0
-    or
-    strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, n2)) < 0
-    or
-    strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, _, n2, _)) < 0
-    or
-    super.hasFlow(source, sink)
-  }
-}
-
-deprecated private FlowState relevantState(Configuration config) {
-  config.isSource(_, result) or
-  config.isSink(_, result) or
-  config.isBarrier(_, result) or
-  config.isAdditionalFlowStep(_, result, _, _) or
-  config.isAdditionalFlowStep(_, _, _, result)
-}
-
-private newtype TConfigState =
-  deprecated TMkConfigState(Configuration config, FlowState state) {
-    state = relevantState(config) or state instanceof FlowStateEmpty
-  }
-
-deprecated private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
-
-deprecated private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
-
-deprecated private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
-
-deprecated private module Config implements FullStateConfigSig {
-  class FlowState = TConfigState;
-
-  predicate isSource(Node source, FlowState state) {
-    getConfig(state).isSource(source, getState(state))
-    or
-    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
-  }
-
-  predicate isSink(Node sink) { none() }
-
-  predicate isSink(Node sink, FlowState state) {
-    getConfig(state).isSink(sink, getState(state))
-    or
-    getConfig(state).isSink(sink) and getState(state) instanceof FlowStateEmpty
-  }
-
-  predicate isBarrier(Node node) { none() }
-
-  predicate isBarrier(Node node, FlowState state) {
-    getConfig(state).isBarrier(node, getState(state)) or
-    getConfig(state).isBarrier(node)
-  }
-
-  predicate isBarrierIn(Node node) { any(Configuration config).isBarrierIn(node) }
-
-  predicate isBarrierOut(Node node) { any(Configuration config).isBarrierOut(node) }
-
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
-  predicate isAdditionalFlowStep(Node node1, Node node2, string model) {
-    singleConfiguration() and
-    any(Configuration config).isAdditionalFlowStep(node1, node2) and
-    model = ""
-  }
-
-  predicate isAdditionalFlowStep(
-    Node node1, FlowState state1, Node node2, FlowState state2, string model
-  ) {
-    getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
-    getConfig(state2) = getConfig(state1) and
-    model = ""
-    or
-    not singleConfiguration() and
-    getConfig(state1).isAdditionalFlowStep(node1, node2) and
-    state2 = state1 and
-    model = ""
-  }
-
-  predicate allowImplicitRead(Node node, ContentSet c) {
-    any(Configuration config).allowImplicitRead(node, c)
-  }
-
-  predicate neverSkip(Node node) { none() }
-
-  int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
-
-  int accessPathLimit() { result = 5 }
-
-  FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
-
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
-
-  predicate observeDiffInformedIncrementalMode() { none() }
-}
-
-deprecated private import Impl<Config> as I
-
-/**
- * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
- * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
- */
-deprecated class PathNode instanceof I::PathNode {
-  /** Gets a textual representation of this element. */
-  final string toString() { result = super.toString() }
-
-  /**
-   * Gets a textual representation of this element, including a textual
-   * representation of the call context.
-   */
-  final string toStringWithContext() { result = super.toStringWithContext() }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  final predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-  }
-
-  /** Gets the underlying `Node`. */
-  final Node getNode() { result = super.getNode() }
-
-  /** Gets the `FlowState` of this node. */
-  deprecated final FlowState getState() { result = getState(super.getState()) }
-
-  /** Gets the associated configuration. */
-  deprecated final Configuration getConfiguration() { result = getConfig(super.getState()) }
-
-  /** Gets a successor of this node, if any. */
-  final PathNode getASuccessor() { result = super.getASuccessor() }
-
-  /** Holds if this node is a source. */
-  final predicate isSource() { super.isSource() }
-
-  /** Holds if this node is a grouping of source nodes. */
-  final predicate isSourceGroup(string group) { super.isSourceGroup(group) }
-
-  /** Holds if this node is a grouping of sink nodes. */
-  final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
-}
-
-deprecated module PathGraph = I::PathGraph;
-
-deprecated private predicate hasFlow(Node source, Node sink, Configuration config) {
-  exists(PathNode source0, PathNode sink0 |
-    hasFlowPath(source0, sink0, config) and
-    source0.getNode() = source and
-    sink0.getNode() = sink
-  )
-}
-
-deprecated private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  I::flowPath(source, sink) and source.getConfiguration() = config
-}
-
-deprecated private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
-
-deprecated predicate flowsTo = hasFlow/3;

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll

@@ -1,361 +0,0 @@
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * Provides a `Configuration` class backwards-compatible interface to the data
- * flow library.
- */
-
-private import DataFlowImplCommon
-private import DataFlowImplSpecific::Private
-import DataFlowImplSpecific::Public
-private import DataFlowImpl
-import DataFlowImplCommonPublic
-deprecated import FlowStateString
-private import codeql.util.Unit
-
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * A configuration of interprocedural data flow analysis. This defines
- * sources, sinks, and any other configurable aspect of the analysis. Each
- * use of the global data flow library must define its own unique extension
- * of this abstract class. To create a configuration, extend this class with
- * a subclass whose characteristic predicate is a unique singleton string.
- * For example, write
- *
- * ```ql
- * class MyAnalysisConfiguration extends DataFlow::Configuration {
- *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
- *   // Override `isSource` and `isSink`.
- *   // Optionally override `isBarrier`.
- *   // Optionally override `isAdditionalFlowStep`.
- * }
- * ```
- * Conceptually, this defines a graph where the nodes are `DataFlow::Node`s and
- * the edges are those data-flow steps that preserve the value of the node
- * along with any additional edges defined by `isAdditionalFlowStep`.
- * Specifying nodes in `isBarrier` will remove those nodes from the graph, and
- * specifying nodes in `isBarrierIn` and/or `isBarrierOut` will remove in-going
- * and/or out-going edges from those nodes, respectively.
- *
- * Then, to query whether there is flow between some `source` and `sink`,
- * write
- *
- * ```ql
- * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
- * ```
- *
- * Multiple configurations can coexist, but two classes extending
- * `DataFlow::Configuration` should never depend on each other. One of them
- * should instead depend on a `DataFlow2::Configuration`, a
- * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`.
- */
-abstract deprecated class Configuration extends string {
-  bindingset[this]
-  Configuration() { any() }
-
-  /**
-   * Holds if `source` is a relevant data flow source.
-   */
-  predicate isSource(Node source) { none() }
-
-  /**
-   * Holds if `source` is a relevant data flow source with the given initial
-   * `state`.
-   */
-  predicate isSource(Node source, FlowState state) { none() }
-
-  /**
-   * Holds if `sink` is a relevant data flow sink.
-   */
-  predicate isSink(Node sink) { none() }
-
-  /**
-   * Holds if `sink` is a relevant data flow sink accepting `state`.
-   */
-  predicate isSink(Node sink, FlowState state) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited. This completely removes
-   * `node` from the data flow graph.
-   */
-  predicate isBarrier(Node node) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isBarrier(Node node, FlowState state) { none() }
-
-  /** Holds if data flow into `node` is prohibited. */
-  predicate isBarrierIn(Node node) { none() }
-
-  /** Holds if data flow out of `node` is prohibited. */
-  predicate isBarrierOut(Node node) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   */
-  predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
-    none()
-  }
-
-  /**
-   * Holds if an arbitrary number of implicit read steps of content `c` may be
-   * taken at `node`.
-   */
-  predicate allowImplicitRead(Node node, ContentSet c) { none() }
-
-  /**
-   * Gets the virtual dispatch branching limit when calculating field flow.
-   * This can be overridden to a smaller value to improve performance (a
-   * value of 0 disables field flow), or a larger value to get more results.
-   */
-  int fieldFlowBranchLimit() { result = 2 }
-
-  /**
-   * Gets a data flow configuration feature to add restrictions to the set of
-   * valid flow paths.
-   *
-   * - `FeatureHasSourceCallContext`:
-   *    Assume that sources have some existing call context to disallow
-   *    conflicting return-flow directly following the source.
-   * - `FeatureHasSinkCallContext`:
-   *    Assume that sinks have some existing call context to disallow
-   *    conflicting argument-to-parameter flow directly preceding the sink.
-   * - `FeatureEqualSourceSinkCallContext`:
-   *    Implies both of the above and additionally ensures that the entire flow
-   *    path preserves the call context.
-   *
-   * These features are generally not relevant for typical end-to-end data flow
-   * queries, but should only be used for constructing paths that need to
-   * somehow be pluggable in another path context.
-   */
-  FlowFeature getAFeature() { none() }
-
-  /** Holds if sources should be grouped in the result of `hasFlowPath`. */
-  predicate sourceGrouping(Node source, string sourceGroup) { none() }
-
-  /** Holds if sinks should be grouped in the result of `hasFlowPath`. */
-  predicate sinkGrouping(Node sink, string sinkGroup) { none() }
-
-  /**
-   * Holds if data may flow from `source` to `sink` for this configuration.
-   */
-  predicate hasFlow(Node source, Node sink) { hasFlow(source, sink, this) }
-
-  /**
-   * Holds if data may flow from `source` to `sink` for this configuration.
-   *
-   * The corresponding paths are generated from the end-points and the graph
-   * included in the module `PathGraph`.
-   */
-  predicate hasFlowPath(PathNode source, PathNode sink) { hasFlowPath(source, sink, this) }
-
-  /**
-   * Holds if data may flow from some source to `sink` for this configuration.
-   */
-  predicate hasFlowTo(Node sink) { hasFlowTo(sink, this) }
-
-  /**
-   * Holds if data may flow from some source to `sink` for this configuration.
-   */
-  predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
-
-  /**
-   * Holds if hidden nodes should be included in the data flow graph.
-   *
-   * This feature should only be used for debugging or when the data flow graph
-   * is not visualized (for example in a `path-problem` query).
-   */
-  predicate includeHiddenNodes() { none() }
-}
-
-/**
- * This class exists to prevent mutual recursion between the user-overridden
- * member predicates of `Configuration` and the rest of the data-flow library.
- * Good performance cannot be guaranteed in the presence of such recursion, so
- * it should be replaced by using more than one copy of the data flow library.
- */
-abstract deprecated private class ConfigurationRecursionPrevention extends Configuration {
-  bindingset[this]
-  ConfigurationRecursionPrevention() { any() }
-
-  override predicate hasFlow(Node source, Node sink) {
-    strictcount(Node n | this.isSource(n)) < 0
-    or
-    strictcount(Node n | this.isSource(n, _)) < 0
-    or
-    strictcount(Node n | this.isSink(n)) < 0
-    or
-    strictcount(Node n | this.isSink(n, _)) < 0
-    or
-    strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, n2)) < 0
-    or
-    strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, _, n2, _)) < 0
-    or
-    super.hasFlow(source, sink)
-  }
-}
-
-deprecated private FlowState relevantState(Configuration config) {
-  config.isSource(_, result) or
-  config.isSink(_, result) or
-  config.isBarrier(_, result) or
-  config.isAdditionalFlowStep(_, result, _, _) or
-  config.isAdditionalFlowStep(_, _, _, result)
-}
-
-private newtype TConfigState =
-  deprecated TMkConfigState(Configuration config, FlowState state) {
-    state = relevantState(config) or state instanceof FlowStateEmpty
-  }
-
-deprecated private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
-
-deprecated private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
-
-deprecated private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
-
-deprecated private module Config implements FullStateConfigSig {
-  class FlowState = TConfigState;
-
-  predicate isSource(Node source, FlowState state) {
-    getConfig(state).isSource(source, getState(state))
-    or
-    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
-  }
-
-  predicate isSink(Node sink) { none() }
-
-  predicate isSink(Node sink, FlowState state) {
-    getConfig(state).isSink(sink, getState(state))
-    or
-    getConfig(state).isSink(sink) and getState(state) instanceof FlowStateEmpty
-  }
-
-  predicate isBarrier(Node node) { none() }
-
-  predicate isBarrier(Node node, FlowState state) {
-    getConfig(state).isBarrier(node, getState(state)) or
-    getConfig(state).isBarrier(node)
-  }
-
-  predicate isBarrierIn(Node node) { any(Configuration config).isBarrierIn(node) }
-
-  predicate isBarrierOut(Node node) { any(Configuration config).isBarrierOut(node) }
-
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
-  predicate isAdditionalFlowStep(Node node1, Node node2, string model) {
-    singleConfiguration() and
-    any(Configuration config).isAdditionalFlowStep(node1, node2) and
-    model = ""
-  }
-
-  predicate isAdditionalFlowStep(
-    Node node1, FlowState state1, Node node2, FlowState state2, string model
-  ) {
-    getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
-    getConfig(state2) = getConfig(state1) and
-    model = ""
-    or
-    not singleConfiguration() and
-    getConfig(state1).isAdditionalFlowStep(node1, node2) and
-    state2 = state1 and
-    model = ""
-  }
-
-  predicate allowImplicitRead(Node node, ContentSet c) {
-    any(Configuration config).allowImplicitRead(node, c)
-  }
-
-  predicate neverSkip(Node node) { none() }
-
-  int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
-
-  int accessPathLimit() { result = 5 }
-
-  FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
-
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
-
-  predicate observeDiffInformedIncrementalMode() { none() }
-}
-
-deprecated private import Impl<Config> as I
-
-/**
- * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
- * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
- */
-deprecated class PathNode instanceof I::PathNode {
-  /** Gets a textual representation of this element. */
-  final string toString() { result = super.toString() }
-
-  /**
-   * Gets a textual representation of this element, including a textual
-   * representation of the call context.
-   */
-  final string toStringWithContext() { result = super.toStringWithContext() }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  final predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-  }
-
-  /** Gets the underlying `Node`. */
-  final Node getNode() { result = super.getNode() }
-
-  /** Gets the `FlowState` of this node. */
-  deprecated final FlowState getState() { result = getState(super.getState()) }
-
-  /** Gets the associated configuration. */
-  deprecated final Configuration getConfiguration() { result = getConfig(super.getState()) }
-
-  /** Gets a successor of this node, if any. */
-  final PathNode getASuccessor() { result = super.getASuccessor() }
-
-  /** Holds if this node is a source. */
-  final predicate isSource() { super.isSource() }
-
-  /** Holds if this node is a grouping of source nodes. */
-  final predicate isSourceGroup(string group) { super.isSourceGroup(group) }
-
-  /** Holds if this node is a grouping of sink nodes. */
-  final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
-}
-
-deprecated module PathGraph = I::PathGraph;
-
-deprecated private predicate hasFlow(Node source, Node sink, Configuration config) {
-  exists(PathNode source0, PathNode sink0 |
-    hasFlowPath(source0, sink0, config) and
-    source0.getNode() = source and
-    sink0.getNode() = sink
-  )
-}
-
-deprecated private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  I::flowPath(source, sink) and source.getConfiguration() = config
-}
-
-deprecated private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
-
-deprecated predicate flowsTo = hasFlow/3;

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll

@@ -1,361 +0,0 @@
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * Provides a `Configuration` class backwards-compatible interface to the data
- * flow library.
- */
-
-private import DataFlowImplCommon
-private import DataFlowImplSpecific::Private
-import DataFlowImplSpecific::Public
-private import DataFlowImpl
-import DataFlowImplCommonPublic
-deprecated import FlowStateString
-private import codeql.util.Unit
-
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * A configuration of interprocedural data flow analysis. This defines
- * sources, sinks, and any other configurable aspect of the analysis. Each
- * use of the global data flow library must define its own unique extension
- * of this abstract class. To create a configuration, extend this class with
- * a subclass whose characteristic predicate is a unique singleton string.
- * For example, write
- *
- * ```ql
- * class MyAnalysisConfiguration extends DataFlow::Configuration {
- *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
- *   // Override `isSource` and `isSink`.
- *   // Optionally override `isBarrier`.
- *   // Optionally override `isAdditionalFlowStep`.
- * }
- * ```
- * Conceptually, this defines a graph where the nodes are `DataFlow::Node`s and
- * the edges are those data-flow steps that preserve the value of the node
- * along with any additional edges defined by `isAdditionalFlowStep`.
- * Specifying nodes in `isBarrier` will remove those nodes from the graph, and
- * specifying nodes in `isBarrierIn` and/or `isBarrierOut` will remove in-going
- * and/or out-going edges from those nodes, respectively.
- *
- * Then, to query whether there is flow between some `source` and `sink`,
- * write
- *
- * ```ql
- * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
- * ```
- *
- * Multiple configurations can coexist, but two classes extending
- * `DataFlow::Configuration` should never depend on each other. One of them
- * should instead depend on a `DataFlow2::Configuration`, a
- * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`.
- */
-abstract deprecated class Configuration extends string {
-  bindingset[this]
-  Configuration() { any() }
-
-  /**
-   * Holds if `source` is a relevant data flow source.
-   */
-  predicate isSource(Node source) { none() }
-
-  /**
-   * Holds if `source` is a relevant data flow source with the given initial
-   * `state`.
-   */
-  predicate isSource(Node source, FlowState state) { none() }
-
-  /**
-   * Holds if `sink` is a relevant data flow sink.
-   */
-  predicate isSink(Node sink) { none() }
-
-  /**
-   * Holds if `sink` is a relevant data flow sink accepting `state`.
-   */
-  predicate isSink(Node sink, FlowState state) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited. This completely removes
-   * `node` from the data flow graph.
-   */
-  predicate isBarrier(Node node) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isBarrier(Node node, FlowState state) { none() }
-
-  /** Holds if data flow into `node` is prohibited. */
-  predicate isBarrierIn(Node node) { none() }
-
-  /** Holds if data flow out of `node` is prohibited. */
-  predicate isBarrierOut(Node node) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   */
-  predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
-    none()
-  }
-
-  /**
-   * Holds if an arbitrary number of implicit read steps of content `c` may be
-   * taken at `node`.
-   */
-  predicate allowImplicitRead(Node node, ContentSet c) { none() }
-
-  /**
-   * Gets the virtual dispatch branching limit when calculating field flow.
-   * This can be overridden to a smaller value to improve performance (a
-   * value of 0 disables field flow), or a larger value to get more results.
-   */
-  int fieldFlowBranchLimit() { result = 2 }
-
-  /**
-   * Gets a data flow configuration feature to add restrictions to the set of
-   * valid flow paths.
-   *
-   * - `FeatureHasSourceCallContext`:
-   *    Assume that sources have some existing call context to disallow
-   *    conflicting return-flow directly following the source.
-   * - `FeatureHasSinkCallContext`:
-   *    Assume that sinks have some existing call context to disallow
-   *    conflicting argument-to-parameter flow directly preceding the sink.
-   * - `FeatureEqualSourceSinkCallContext`:
-   *    Implies both of the above and additionally ensures that the entire flow
-   *    path preserves the call context.
-   *
-   * These features are generally not relevant for typical end-to-end data flow
-   * queries, but should only be used for constructing paths that need to
-   * somehow be pluggable in another path context.
-   */
-  FlowFeature getAFeature() { none() }
-
-  /** Holds if sources should be grouped in the result of `hasFlowPath`. */
-  predicate sourceGrouping(Node source, string sourceGroup) { none() }
-
-  /** Holds if sinks should be grouped in the result of `hasFlowPath`. */
-  predicate sinkGrouping(Node sink, string sinkGroup) { none() }
-
-  /**
-   * Holds if data may flow from `source` to `sink` for this configuration.
-   */
-  predicate hasFlow(Node source, Node sink) { hasFlow(source, sink, this) }
-
-  /**
-   * Holds if data may flow from `source` to `sink` for this configuration.
-   *
-   * The corresponding paths are generated from the end-points and the graph
-   * included in the module `PathGraph`.
-   */
-  predicate hasFlowPath(PathNode source, PathNode sink) { hasFlowPath(source, sink, this) }
-
-  /**
-   * Holds if data may flow from some source to `sink` for this configuration.
-   */
-  predicate hasFlowTo(Node sink) { hasFlowTo(sink, this) }
-
-  /**
-   * Holds if data may flow from some source to `sink` for this configuration.
-   */
-  predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
-
-  /**
-   * Holds if hidden nodes should be included in the data flow graph.
-   *
-   * This feature should only be used for debugging or when the data flow graph
-   * is not visualized (for example in a `path-problem` query).
-   */
-  predicate includeHiddenNodes() { none() }
-}
-
-/**
- * This class exists to prevent mutual recursion between the user-overridden
- * member predicates of `Configuration` and the rest of the data-flow library.
- * Good performance cannot be guaranteed in the presence of such recursion, so
- * it should be replaced by using more than one copy of the data flow library.
- */
-abstract deprecated private class ConfigurationRecursionPrevention extends Configuration {
-  bindingset[this]
-  ConfigurationRecursionPrevention() { any() }
-
-  override predicate hasFlow(Node source, Node sink) {
-    strictcount(Node n | this.isSource(n)) < 0
-    or
-    strictcount(Node n | this.isSource(n, _)) < 0
-    or
-    strictcount(Node n | this.isSink(n)) < 0
-    or
-    strictcount(Node n | this.isSink(n, _)) < 0
-    or
-    strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, n2)) < 0
-    or
-    strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, _, n2, _)) < 0
-    or
-    super.hasFlow(source, sink)
-  }
-}
-
-deprecated private FlowState relevantState(Configuration config) {
-  config.isSource(_, result) or
-  config.isSink(_, result) or
-  config.isBarrier(_, result) or
-  config.isAdditionalFlowStep(_, result, _, _) or
-  config.isAdditionalFlowStep(_, _, _, result)
-}
-
-private newtype TConfigState =
-  deprecated TMkConfigState(Configuration config, FlowState state) {
-    state = relevantState(config) or state instanceof FlowStateEmpty
-  }
-
-deprecated private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
-
-deprecated private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
-
-deprecated private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
-
-deprecated private module Config implements FullStateConfigSig {
-  class FlowState = TConfigState;
-
-  predicate isSource(Node source, FlowState state) {
-    getConfig(state).isSource(source, getState(state))
-    or
-    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
-  }
-
-  predicate isSink(Node sink) { none() }
-
-  predicate isSink(Node sink, FlowState state) {
-    getConfig(state).isSink(sink, getState(state))
-    or
-    getConfig(state).isSink(sink) and getState(state) instanceof FlowStateEmpty
-  }
-
-  predicate isBarrier(Node node) { none() }
-
-  predicate isBarrier(Node node, FlowState state) {
-    getConfig(state).isBarrier(node, getState(state)) or
-    getConfig(state).isBarrier(node)
-  }
-
-  predicate isBarrierIn(Node node) { any(Configuration config).isBarrierIn(node) }
-
-  predicate isBarrierOut(Node node) { any(Configuration config).isBarrierOut(node) }
-
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
-  predicate isAdditionalFlowStep(Node node1, Node node2, string model) {
-    singleConfiguration() and
-    any(Configuration config).isAdditionalFlowStep(node1, node2) and
-    model = ""
-  }
-
-  predicate isAdditionalFlowStep(
-    Node node1, FlowState state1, Node node2, FlowState state2, string model
-  ) {
-    getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
-    getConfig(state2) = getConfig(state1) and
-    model = ""
-    or
-    not singleConfiguration() and
-    getConfig(state1).isAdditionalFlowStep(node1, node2) and
-    state2 = state1 and
-    model = ""
-  }
-
-  predicate allowImplicitRead(Node node, ContentSet c) {
-    any(Configuration config).allowImplicitRead(node, c)
-  }
-
-  predicate neverSkip(Node node) { none() }
-
-  int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
-
-  int accessPathLimit() { result = 5 }
-
-  FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
-
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
-
-  predicate observeDiffInformedIncrementalMode() { none() }
-}
-
-deprecated private import Impl<Config> as I
-
-/**
- * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
- * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
- */
-deprecated class PathNode instanceof I::PathNode {
-  /** Gets a textual representation of this element. */
-  final string toString() { result = super.toString() }
-
-  /**
-   * Gets a textual representation of this element, including a textual
-   * representation of the call context.
-   */
-  final string toStringWithContext() { result = super.toStringWithContext() }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  final predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-  }
-
-  /** Gets the underlying `Node`. */
-  final Node getNode() { result = super.getNode() }
-
-  /** Gets the `FlowState` of this node. */
-  deprecated final FlowState getState() { result = getState(super.getState()) }
-
-  /** Gets the associated configuration. */
-  deprecated final Configuration getConfiguration() { result = getConfig(super.getState()) }
-
-  /** Gets a successor of this node, if any. */
-  final PathNode getASuccessor() { result = super.getASuccessor() }
-
-  /** Holds if this node is a source. */
-  final predicate isSource() { super.isSource() }
-
-  /** Holds if this node is a grouping of source nodes. */
-  final predicate isSourceGroup(string group) { super.isSourceGroup(group) }
-
-  /** Holds if this node is a grouping of sink nodes. */
-  final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
-}
-
-deprecated module PathGraph = I::PathGraph;
-
-deprecated private predicate hasFlow(Node source, Node sink, Configuration config) {
-  exists(PathNode source0, PathNode sink0 |
-    hasFlowPath(source0, sink0, config) and
-    source0.getNode() = source and
-    sink0.getNode() = sink
-  )
-}
-
-deprecated private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  I::flowPath(source, sink) and source.getConfiguration() = config
-}
-
-deprecated private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
-
-deprecated predicate flowsTo = hasFlow/3;

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll

@@ -1,361 +0,0 @@
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * Provides a `Configuration` class backwards-compatible interface to the data
- * flow library.
- */
-
-private import DataFlowImplCommon
-private import DataFlowImplSpecific::Private
-import DataFlowImplSpecific::Public
-private import DataFlowImpl
-import DataFlowImplCommonPublic
-deprecated import FlowStateString
-private import codeql.util.Unit
-
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * A configuration of interprocedural data flow analysis. This defines
- * sources, sinks, and any other configurable aspect of the analysis. Each
- * use of the global data flow library must define its own unique extension
- * of this abstract class. To create a configuration, extend this class with
- * a subclass whose characteristic predicate is a unique singleton string.
- * For example, write
- *
- * ```ql
- * class MyAnalysisConfiguration extends DataFlow::Configuration {
- *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
- *   // Override `isSource` and `isSink`.
- *   // Optionally override `isBarrier`.
- *   // Optionally override `isAdditionalFlowStep`.
- * }
- * ```
- * Conceptually, this defines a graph where the nodes are `DataFlow::Node`s and
- * the edges are those data-flow steps that preserve the value of the node
- * along with any additional edges defined by `isAdditionalFlowStep`.
- * Specifying nodes in `isBarrier` will remove those nodes from the graph, and
- * specifying nodes in `isBarrierIn` and/or `isBarrierOut` will remove in-going
- * and/or out-going edges from those nodes, respectively.
- *
- * Then, to query whether there is flow between some `source` and `sink`,
- * write
- *
- * ```ql
- * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
- * ```
- *
- * Multiple configurations can coexist, but two classes extending
- * `DataFlow::Configuration` should never depend on each other. One of them
- * should instead depend on a `DataFlow2::Configuration`, a
- * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`.
- */
-abstract deprecated class Configuration extends string {
-  bindingset[this]
-  Configuration() { any() }
-
-  /**
-   * Holds if `source` is a relevant data flow source.
-   */
-  predicate isSource(Node source) { none() }
-
-  /**
-   * Holds if `source` is a relevant data flow source with the given initial
-   * `state`.
-   */
-  predicate isSource(Node source, FlowState state) { none() }
-
-  /**
-   * Holds if `sink` is a relevant data flow sink.
-   */
-  predicate isSink(Node sink) { none() }
-
-  /**
-   * Holds if `sink` is a relevant data flow sink accepting `state`.
-   */
-  predicate isSink(Node sink, FlowState state) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited. This completely removes
-   * `node` from the data flow graph.
-   */
-  predicate isBarrier(Node node) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isBarrier(Node node, FlowState state) { none() }
-
-  /** Holds if data flow into `node` is prohibited. */
-  predicate isBarrierIn(Node node) { none() }
-
-  /** Holds if data flow out of `node` is prohibited. */
-  predicate isBarrierOut(Node node) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   */
-  predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
-    none()
-  }
-
-  /**
-   * Holds if an arbitrary number of implicit read steps of content `c` may be
-   * taken at `node`.
-   */
-  predicate allowImplicitRead(Node node, ContentSet c) { none() }
-
-  /**
-   * Gets the virtual dispatch branching limit when calculating field flow.
-   * This can be overridden to a smaller value to improve performance (a
-   * value of 0 disables field flow), or a larger value to get more results.
-   */
-  int fieldFlowBranchLimit() { result = 2 }
-
-  /**
-   * Gets a data flow configuration feature to add restrictions to the set of
-   * valid flow paths.
-   *
-   * - `FeatureHasSourceCallContext`:
-   *    Assume that sources have some existing call context to disallow
-   *    conflicting return-flow directly following the source.
-   * - `FeatureHasSinkCallContext`:
-   *    Assume that sinks have some existing call context to disallow
-   *    conflicting argument-to-parameter flow directly preceding the sink.
-   * - `FeatureEqualSourceSinkCallContext`:
-   *    Implies both of the above and additionally ensures that the entire flow
-   *    path preserves the call context.
-   *
-   * These features are generally not relevant for typical end-to-end data flow
-   * queries, but should only be used for constructing paths that need to
-   * somehow be pluggable in another path context.
-   */
-  FlowFeature getAFeature() { none() }
-
-  /** Holds if sources should be grouped in the result of `hasFlowPath`. */
-  predicate sourceGrouping(Node source, string sourceGroup) { none() }
-
-  /** Holds if sinks should be grouped in the result of `hasFlowPath`. */
-  predicate sinkGrouping(Node sink, string sinkGroup) { none() }
-
-  /**
-   * Holds if data may flow from `source` to `sink` for this configuration.
-   */
-  predicate hasFlow(Node source, Node sink) { hasFlow(source, sink, this) }
-
-  /**
-   * Holds if data may flow from `source` to `sink` for this configuration.
-   *
-   * The corresponding paths are generated from the end-points and the graph
-   * included in the module `PathGraph`.
-   */
-  predicate hasFlowPath(PathNode source, PathNode sink) { hasFlowPath(source, sink, this) }
-
-  /**
-   * Holds if data may flow from some source to `sink` for this configuration.
-   */
-  predicate hasFlowTo(Node sink) { hasFlowTo(sink, this) }
-
-  /**
-   * Holds if data may flow from some source to `sink` for this configuration.
-   */
-  predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
-
-  /**
-   * Holds if hidden nodes should be included in the data flow graph.
-   *
-   * This feature should only be used for debugging or when the data flow graph
-   * is not visualized (for example in a `path-problem` query).
-   */
-  predicate includeHiddenNodes() { none() }
-}
-
-/**
- * This class exists to prevent mutual recursion between the user-overridden
- * member predicates of `Configuration` and the rest of the data-flow library.
- * Good performance cannot be guaranteed in the presence of such recursion, so
- * it should be replaced by using more than one copy of the data flow library.
- */
-abstract deprecated private class ConfigurationRecursionPrevention extends Configuration {
-  bindingset[this]
-  ConfigurationRecursionPrevention() { any() }
-
-  override predicate hasFlow(Node source, Node sink) {
-    strictcount(Node n | this.isSource(n)) < 0
-    or
-    strictcount(Node n | this.isSource(n, _)) < 0
-    or
-    strictcount(Node n | this.isSink(n)) < 0
-    or
-    strictcount(Node n | this.isSink(n, _)) < 0
-    or
-    strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, n2)) < 0
-    or
-    strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, _, n2, _)) < 0
-    or
-    super.hasFlow(source, sink)
-  }
-}
-
-deprecated private FlowState relevantState(Configuration config) {
-  config.isSource(_, result) or
-  config.isSink(_, result) or
-  config.isBarrier(_, result) or
-  config.isAdditionalFlowStep(_, result, _, _) or
-  config.isAdditionalFlowStep(_, _, _, result)
-}
-
-private newtype TConfigState =
-  deprecated TMkConfigState(Configuration config, FlowState state) {
-    state = relevantState(config) or state instanceof FlowStateEmpty
-  }
-
-deprecated private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
-
-deprecated private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
-
-deprecated private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
-
-deprecated private module Config implements FullStateConfigSig {
-  class FlowState = TConfigState;
-
-  predicate isSource(Node source, FlowState state) {
-    getConfig(state).isSource(source, getState(state))
-    or
-    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
-  }
-
-  predicate isSink(Node sink) { none() }
-
-  predicate isSink(Node sink, FlowState state) {
-    getConfig(state).isSink(sink, getState(state))
-    or
-    getConfig(state).isSink(sink) and getState(state) instanceof FlowStateEmpty
-  }
-
-  predicate isBarrier(Node node) { none() }
-
-  predicate isBarrier(Node node, FlowState state) {
-    getConfig(state).isBarrier(node, getState(state)) or
-    getConfig(state).isBarrier(node)
-  }
-
-  predicate isBarrierIn(Node node) { any(Configuration config).isBarrierIn(node) }
-
-  predicate isBarrierOut(Node node) { any(Configuration config).isBarrierOut(node) }
-
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
-  predicate isAdditionalFlowStep(Node node1, Node node2, string model) {
-    singleConfiguration() and
-    any(Configuration config).isAdditionalFlowStep(node1, node2) and
-    model = ""
-  }
-
-  predicate isAdditionalFlowStep(
-    Node node1, FlowState state1, Node node2, FlowState state2, string model
-  ) {
-    getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
-    getConfig(state2) = getConfig(state1) and
-    model = ""
-    or
-    not singleConfiguration() and
-    getConfig(state1).isAdditionalFlowStep(node1, node2) and
-    state2 = state1 and
-    model = ""
-  }
-
-  predicate allowImplicitRead(Node node, ContentSet c) {
-    any(Configuration config).allowImplicitRead(node, c)
-  }
-
-  predicate neverSkip(Node node) { none() }
-
-  int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
-
-  int accessPathLimit() { result = 5 }
-
-  FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
-
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
-
-  predicate observeDiffInformedIncrementalMode() { none() }
-}
-
-deprecated private import Impl<Config> as I
-
-/**
- * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
- * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
- */
-deprecated class PathNode instanceof I::PathNode {
-  /** Gets a textual representation of this element. */
-  final string toString() { result = super.toString() }
-
-  /**
-   * Gets a textual representation of this element, including a textual
-   * representation of the call context.
-   */
-  final string toStringWithContext() { result = super.toStringWithContext() }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  final predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-  }
-
-  /** Gets the underlying `Node`. */
-  final Node getNode() { result = super.getNode() }
-
-  /** Gets the `FlowState` of this node. */
-  deprecated final FlowState getState() { result = getState(super.getState()) }
-
-  /** Gets the associated configuration. */
-  deprecated final Configuration getConfiguration() { result = getConfig(super.getState()) }
-
-  /** Gets a successor of this node, if any. */
-  final PathNode getASuccessor() { result = super.getASuccessor() }
-
-  /** Holds if this node is a source. */
-  final predicate isSource() { super.isSource() }
-
-  /** Holds if this node is a grouping of source nodes. */
-  final predicate isSourceGroup(string group) { super.isSourceGroup(group) }
-
-  /** Holds if this node is a grouping of sink nodes. */
-  final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
-}
-
-deprecated module PathGraph = I::PathGraph;
-
-deprecated private predicate hasFlow(Node source, Node sink, Configuration config) {
-  exists(PathNode source0, PathNode sink0 |
-    hasFlowPath(source0, sink0, config) and
-    source0.getNode() = source and
-    sink0.getNode() = sink
-  )
-}
-
-deprecated private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  I::flowPath(source, sink) and source.getConfiguration() = config
-}
-
-deprecated private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
-
-deprecated predicate flowsTo = hasFlow/3;

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll

@@ -1,361 +0,0 @@
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * Provides a `Configuration` class backwards-compatible interface to the data
- * flow library.
- */
-
-private import DataFlowImplCommon
-private import DataFlowImplSpecific::Private
-import DataFlowImplSpecific::Public
-private import DataFlowImpl
-import DataFlowImplCommonPublic
-deprecated import FlowStateString
-private import codeql.util.Unit
-
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * A configuration of interprocedural data flow analysis. This defines
- * sources, sinks, and any other configurable aspect of the analysis. Each
- * use of the global data flow library must define its own unique extension
- * of this abstract class. To create a configuration, extend this class with
- * a subclass whose characteristic predicate is a unique singleton string.
- * For example, write
- *
- * ```ql
- * class MyAnalysisConfiguration extends DataFlow::Configuration {
- *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
- *   // Override `isSource` and `isSink`.
- *   // Optionally override `isBarrier`.
- *   // Optionally override `isAdditionalFlowStep`.
- * }
- * ```
- * Conceptually, this defines a graph where the nodes are `DataFlow::Node`s and
- * the edges are those data-flow steps that preserve the value of the node
- * along with any additional edges defined by `isAdditionalFlowStep`.
- * Specifying nodes in `isBarrier` will remove those nodes from the graph, and
- * specifying nodes in `isBarrierIn` and/or `isBarrierOut` will remove in-going
- * and/or out-going edges from those nodes, respectively.
- *
- * Then, to query whether there is flow between some `source` and `sink`,
- * write
- *
- * ```ql
- * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
- * ```
- *
- * Multiple configurations can coexist, but two classes extending
- * `DataFlow::Configuration` should never depend on each other. One of them
- * should instead depend on a `DataFlow2::Configuration`, a
- * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`.
- */
-abstract deprecated class Configuration extends string {
-  bindingset[this]
-  Configuration() { any() }
-
-  /**
-   * Holds if `source` is a relevant data flow source.
-   */
-  predicate isSource(Node source) { none() }
-
-  /**
-   * Holds if `source` is a relevant data flow source with the given initial
-   * `state`.
-   */
-  predicate isSource(Node source, FlowState state) { none() }
-
-  /**
-   * Holds if `sink` is a relevant data flow sink.
-   */
-  predicate isSink(Node sink) { none() }
-
-  /**
-   * Holds if `sink` is a relevant data flow sink accepting `state`.
-   */
-  predicate isSink(Node sink, FlowState state) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited. This completely removes
-   * `node` from the data flow graph.
-   */
-  predicate isBarrier(Node node) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isBarrier(Node node, FlowState state) { none() }
-
-  /** Holds if data flow into `node` is prohibited. */
-  predicate isBarrierIn(Node node) { none() }
-
-  /** Holds if data flow out of `node` is prohibited. */
-  predicate isBarrierOut(Node node) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   */
-  predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
-    none()
-  }
-
-  /**
-   * Holds if an arbitrary number of implicit read steps of content `c` may be
-   * taken at `node`.
-   */
-  predicate allowImplicitRead(Node node, ContentSet c) { none() }
-
-  /**
-   * Gets the virtual dispatch branching limit when calculating field flow.
-   * This can be overridden to a smaller value to improve performance (a
-   * value of 0 disables field flow), or a larger value to get more results.
-   */
-  int fieldFlowBranchLimit() { result = 2 }
-
-  /**
-   * Gets a data flow configuration feature to add restrictions to the set of
-   * valid flow paths.
-   *
-   * - `FeatureHasSourceCallContext`:
-   *    Assume that sources have some existing call context to disallow
-   *    conflicting return-flow directly following the source.
-   * - `FeatureHasSinkCallContext`:
-   *    Assume that sinks have some existing call context to disallow
-   *    conflicting argument-to-parameter flow directly preceding the sink.
-   * - `FeatureEqualSourceSinkCallContext`:
-   *    Implies both of the above and additionally ensures that the entire flow
-   *    path preserves the call context.
-   *
-   * These features are generally not relevant for typical end-to-end data flow
-   * queries, but should only be used for constructing paths that need to
-   * somehow be pluggable in another path context.
-   */
-  FlowFeature getAFeature() { none() }
-
-  /** Holds if sources should be grouped in the result of `hasFlowPath`. */
-  predicate sourceGrouping(Node source, string sourceGroup) { none() }
-
-  /** Holds if sinks should be grouped in the result of `hasFlowPath`. */
-  predicate sinkGrouping(Node sink, string sinkGroup) { none() }
-
-  /**
-   * Holds if data may flow from `source` to `sink` for this configuration.
-   */
-  predicate hasFlow(Node source, Node sink) { hasFlow(source, sink, this) }
-
-  /**
-   * Holds if data may flow from `source` to `sink` for this configuration.
-   *
-   * The corresponding paths are generated from the end-points and the graph
-   * included in the module `PathGraph`.
-   */
-  predicate hasFlowPath(PathNode source, PathNode sink) { hasFlowPath(source, sink, this) }
-
-  /**
-   * Holds if data may flow from some source to `sink` for this configuration.
-   */
-  predicate hasFlowTo(Node sink) { hasFlowTo(sink, this) }
-
-  /**
-   * Holds if data may flow from some source to `sink` for this configuration.
-   */
-  predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
-
-  /**
-   * Holds if hidden nodes should be included in the data flow graph.
-   *
-   * This feature should only be used for debugging or when the data flow graph
-   * is not visualized (for example in a `path-problem` query).
-   */
-  predicate includeHiddenNodes() { none() }
-}
-
-/**
- * This class exists to prevent mutual recursion between the user-overridden
- * member predicates of `Configuration` and the rest of the data-flow library.
- * Good performance cannot be guaranteed in the presence of such recursion, so
- * it should be replaced by using more than one copy of the data flow library.
- */
-abstract deprecated private class ConfigurationRecursionPrevention extends Configuration {
-  bindingset[this]
-  ConfigurationRecursionPrevention() { any() }
-
-  override predicate hasFlow(Node source, Node sink) {
-    strictcount(Node n | this.isSource(n)) < 0
-    or
-    strictcount(Node n | this.isSource(n, _)) < 0
-    or
-    strictcount(Node n | this.isSink(n)) < 0
-    or
-    strictcount(Node n | this.isSink(n, _)) < 0
-    or
-    strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, n2)) < 0
-    or
-    strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, _, n2, _)) < 0
-    or
-    super.hasFlow(source, sink)
-  }
-}
-
-deprecated private FlowState relevantState(Configuration config) {
-  config.isSource(_, result) or
-  config.isSink(_, result) or
-  config.isBarrier(_, result) or
-  config.isAdditionalFlowStep(_, result, _, _) or
-  config.isAdditionalFlowStep(_, _, _, result)
-}
-
-private newtype TConfigState =
-  deprecated TMkConfigState(Configuration config, FlowState state) {
-    state = relevantState(config) or state instanceof FlowStateEmpty
-  }
-
-deprecated private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
-
-deprecated private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
-
-deprecated private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
-
-deprecated private module Config implements FullStateConfigSig {
-  class FlowState = TConfigState;
-
-  predicate isSource(Node source, FlowState state) {
-    getConfig(state).isSource(source, getState(state))
-    or
-    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
-  }
-
-  predicate isSink(Node sink) { none() }
-
-  predicate isSink(Node sink, FlowState state) {
-    getConfig(state).isSink(sink, getState(state))
-    or
-    getConfig(state).isSink(sink) and getState(state) instanceof FlowStateEmpty
-  }
-
-  predicate isBarrier(Node node) { none() }
-
-  predicate isBarrier(Node node, FlowState state) {
-    getConfig(state).isBarrier(node, getState(state)) or
-    getConfig(state).isBarrier(node)
-  }
-
-  predicate isBarrierIn(Node node) { any(Configuration config).isBarrierIn(node) }
-
-  predicate isBarrierOut(Node node) { any(Configuration config).isBarrierOut(node) }
-
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
-  predicate isAdditionalFlowStep(Node node1, Node node2, string model) {
-    singleConfiguration() and
-    any(Configuration config).isAdditionalFlowStep(node1, node2) and
-    model = ""
-  }
-
-  predicate isAdditionalFlowStep(
-    Node node1, FlowState state1, Node node2, FlowState state2, string model
-  ) {
-    getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
-    getConfig(state2) = getConfig(state1) and
-    model = ""
-    or
-    not singleConfiguration() and
-    getConfig(state1).isAdditionalFlowStep(node1, node2) and
-    state2 = state1 and
-    model = ""
-  }
-
-  predicate allowImplicitRead(Node node, ContentSet c) {
-    any(Configuration config).allowImplicitRead(node, c)
-  }
-
-  predicate neverSkip(Node node) { none() }
-
-  int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
-
-  int accessPathLimit() { result = 5 }
-
-  FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
-
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
-
-  predicate observeDiffInformedIncrementalMode() { none() }
-}
-
-deprecated private import Impl<Config> as I
-
-/**
- * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
- * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
- */
-deprecated class PathNode instanceof I::PathNode {
-  /** Gets a textual representation of this element. */
-  final string toString() { result = super.toString() }
-
-  /**
-   * Gets a textual representation of this element, including a textual
-   * representation of the call context.
-   */
-  final string toStringWithContext() { result = super.toStringWithContext() }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  final predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-  }
-
-  /** Gets the underlying `Node`. */
-  final Node getNode() { result = super.getNode() }
-
-  /** Gets the `FlowState` of this node. */
-  deprecated final FlowState getState() { result = getState(super.getState()) }
-
-  /** Gets the associated configuration. */
-  deprecated final Configuration getConfiguration() { result = getConfig(super.getState()) }
-
-  /** Gets a successor of this node, if any. */
-  final PathNode getASuccessor() { result = super.getASuccessor() }
-
-  /** Holds if this node is a source. */
-  final predicate isSource() { super.isSource() }
-
-  /** Holds if this node is a grouping of source nodes. */
-  final predicate isSourceGroup(string group) { super.isSourceGroup(group) }
-
-  /** Holds if this node is a grouping of sink nodes. */
-  final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
-}
-
-deprecated module PathGraph = I::PathGraph;
-
-deprecated private predicate hasFlow(Node source, Node sink, Configuration config) {
-  exists(PathNode source0, PathNode sink0 |
-    hasFlowPath(source0, sink0, config) and
-    source0.getNode() = source and
-    sink0.getNode() = sink
-  )
-}
-
-deprecated private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  I::flowPath(source, sink) and source.getConfiguration() = config
-}
-
-deprecated private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
-
-deprecated predicate flowsTo = hasFlow/3;

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll

@@ -729,41 +729,39 @@ private predicate exprToDefinitionByReferenceStep(Expr exprIn, Expr argOut) {
 
 private module FieldFlow {
   private import DataFlowImplCommon
-  private import DataFlowImplLocal
   private import DataFlowPrivate
+  private import semmle.code.cpp.dataflow.DataFlow
 
   /**
-   * A configuration for finding local-only flow through fields. This uses the
-   * `Configuration` class in the dedicated `DataFlowImplLocal` copy of the
-   * shared library that's not user-exposed directly.
+   * A configuration for finding local-only flow through fields.
    *
    * To keep the flow local to a single function, we put barriers on parameters
    * and return statements. Sources and sinks are the values that go into and
    * out of fields, respectively.
    */
-  private class FieldConfiguration extends Configuration {
-    FieldConfiguration() { this = "FieldConfiguration" }
-
-    override predicate isSource(Node source) {
+  private module FieldConfig implements DataFlow::ConfigSig {
+    predicate isSource(Node source) {
       storeStep(source, _, _)
       or
       // Also mark `foo(a.b);` as a source when `a.b` may be overwritten by `foo`.
       readStep(_, _, any(Node node | node.asExpr() = source.asDefiningArgument()))
     }
 
-    override predicate isSink(Node sink) { readStep(_, _, sink) }
+    predicate isSink(Node sink) { readStep(_, _, sink) }
 
-    override predicate isBarrier(Node node) { node instanceof ParameterNode }
+    predicate isBarrier(Node node) { node instanceof ParameterNode }
 
-    override predicate isBarrierOut(Node node) {
+    predicate isBarrierOut(Node node) {
       node.asExpr().getParent() instanceof ReturnStmt
       or
       node.asExpr().getParent() instanceof ThrowExpr
     }
   }
 
+  private module Flow = DataFlow::Global<FieldConfig>;
+
   predicate fieldFlow(Node node1, Node node2) {
-    exists(FieldConfiguration cfg | cfg.hasFlow(node1, node2)) and
+    Flow::flow(node1, node2) and
     // This configuration should not be able to cross function boundaries, but
     // we double-check here just to be sure.
     getNodeEnclosingCallable(node1) = getNodeEnclosingCallable(node2)

cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll

@@ -1,168 +0,0 @@
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * Provides an implementation of global (interprocedural) taint tracking.
- * This file re-exports the local (intraprocedural) taint-tracking analysis
- * from `TaintTrackingParameter::Public` and adds a global analysis, mainly
- * exposed through the `Configuration` class. For some languages, this file
- * exists in several identical copies, allowing queries to use multiple
- * `Configuration` classes that depend on each other without introducing
- * mutual recursion among those configurations.
- */
-
-import TaintTrackingParameter::Public
-private import TaintTrackingParameter::Private
-
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * A configuration of interprocedural taint tracking analysis. This defines
- * sources, sinks, and any other configurable aspect of the analysis. Each
- * use of the taint tracking library must define its own unique extension of
- * this abstract class.
- *
- * A taint-tracking configuration is a special data flow configuration
- * (`DataFlow::Configuration`) that allows for flow through nodes that do not
- * necessarily preserve values but are still relevant from a taint tracking
- * perspective. (For example, string concatenation, where one of the operands
- * is tainted.)
- *
- * To create a configuration, extend this class with a subclass whose
- * characteristic predicate is a unique singleton string. For example, write
- *
- * ```ql
- * class MyAnalysisConfiguration extends TaintTracking::Configuration {
- *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
- *   // Override `isSource` and `isSink`.
- *   // Optionally override `isSanitizer`.
- *   // Optionally override `isSanitizerIn`.
- *   // Optionally override `isSanitizerOut`.
- *   // Optionally override `isSanitizerGuard`.
- *   // Optionally override `isAdditionalTaintStep`.
- * }
- * ```
- *
- * Then, to query whether there is flow between some `source` and `sink`,
- * write
- *
- * ```ql
- * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
- * ```
- *
- * Multiple configurations can coexist, but it is unsupported to depend on
- * another `TaintTracking::Configuration` or a `DataFlow::Configuration` in the
- * overridden predicates that define sources, sinks, or additional steps.
- * Instead, the dependency should go to a `TaintTracking2::Configuration` or a
- * `DataFlow2::Configuration`, `DataFlow3::Configuration`, etc.
- */
-abstract deprecated class Configuration extends DataFlow::Configuration {
-  bindingset[this]
-  Configuration() { any() }
-
-  /**
-   * Holds if `source` is a relevant taint source.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSource(DataFlow::Node source) { none() }
-
-  /**
-   * Holds if `source` is a relevant taint source with the given initial
-   * `state`.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) { none() }
-
-  /**
-   * Holds if `sink` is a relevant taint sink
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSink(DataFlow::Node sink) { none() }
-
-  /**
-   * Holds if `sink` is a relevant taint sink accepting `state`.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) { none() }
-
-  /** Holds if the node `node` is a taint sanitizer. */
-  predicate isSanitizer(DataFlow::Node node) { none() }
-
-  final override predicate isBarrier(DataFlow::Node node) {
-    this.isSanitizer(node) or
-    defaultTaintSanitizer(node)
-  }
-
-  /**
-   * Holds if the node `node` is a taint sanitizer when the flow state is
-   * `state`.
-   */
-  predicate isSanitizer(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrier(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizer(node, state)
-  }
-
-  /** Holds if taint propagation into `node` is prohibited. */
-  predicate isSanitizerIn(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
-
-  /** Holds if taint propagation out of `node` is prohibited. */
-  predicate isSanitizerOut(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
-
-  /**
-   * Holds if taint may propagate from `node1` to `node2` in addition to the normal data-flow and taint steps.
-   */
-  predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
-
-  final override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    this.isAdditionalTaintStep(node1, node2) or
-    defaultAdditionalTaintStep(node1, node2, _)
-  }
-
-  /**
-   * Holds if taint may propagate from `node1` to `node2` in addition to the normal data-flow and taint steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  predicate isAdditionalTaintStep(
-    DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-    DataFlow::FlowState state2
-  ) {
-    none()
-  }
-
-  final override predicate isAdditionalFlowStep(
-    DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-    DataFlow::FlowState state2
-  ) {
-    this.isAdditionalTaintStep(node1, state1, node2, state2)
-  }
-
-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
-    (
-      this.isSink(node) or
-      this.isSink(node, _) or
-      this.isAdditionalTaintStep(node, _) or
-      this.isAdditionalTaintStep(node, _, _, _)
-    ) and
-    defaultImplicitTaintRead(node, c)
-  }
-
-  /**
-   * Holds if taint may flow from `source` to `sink` for this configuration.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
-    super.hasFlow(source, sink)
-  }
-}

cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingParameter.qll

@@ -1,10 +0,0 @@
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- */
-
-import semmle.code.cpp.dataflow.internal.TaintTrackingUtil as Public
-
-module Private {
-  import semmle.code.cpp.dataflow.DataFlow::DataFlow as DataFlow
-  import semmle.code.cpp.dataflow.internal.DataFlowImpl as DataFlowInternal
-}

cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll

@@ -1,168 +0,0 @@
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * Provides an implementation of global (interprocedural) taint tracking.
- * This file re-exports the local (intraprocedural) taint-tracking analysis
- * from `TaintTrackingParameter::Public` and adds a global analysis, mainly
- * exposed through the `Configuration` class. For some languages, this file
- * exists in several identical copies, allowing queries to use multiple
- * `Configuration` classes that depend on each other without introducing
- * mutual recursion among those configurations.
- */
-
-import TaintTrackingParameter::Public
-private import TaintTrackingParameter::Private
-
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * A configuration of interprocedural taint tracking analysis. This defines
- * sources, sinks, and any other configurable aspect of the analysis. Each
- * use of the taint tracking library must define its own unique extension of
- * this abstract class.
- *
- * A taint-tracking configuration is a special data flow configuration
- * (`DataFlow::Configuration`) that allows for flow through nodes that do not
- * necessarily preserve values but are still relevant from a taint tracking
- * perspective. (For example, string concatenation, where one of the operands
- * is tainted.)
- *
- * To create a configuration, extend this class with a subclass whose
- * characteristic predicate is a unique singleton string. For example, write
- *
- * ```ql
- * class MyAnalysisConfiguration extends TaintTracking::Configuration {
- *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
- *   // Override `isSource` and `isSink`.
- *   // Optionally override `isSanitizer`.
- *   // Optionally override `isSanitizerIn`.
- *   // Optionally override `isSanitizerOut`.
- *   // Optionally override `isSanitizerGuard`.
- *   // Optionally override `isAdditionalTaintStep`.
- * }
- * ```
- *
- * Then, to query whether there is flow between some `source` and `sink`,
- * write
- *
- * ```ql
- * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
- * ```
- *
- * Multiple configurations can coexist, but it is unsupported to depend on
- * another `TaintTracking::Configuration` or a `DataFlow::Configuration` in the
- * overridden predicates that define sources, sinks, or additional steps.
- * Instead, the dependency should go to a `TaintTracking2::Configuration` or a
- * `DataFlow2::Configuration`, `DataFlow3::Configuration`, etc.
- */
-abstract deprecated class Configuration extends DataFlow::Configuration {
-  bindingset[this]
-  Configuration() { any() }
-
-  /**
-   * Holds if `source` is a relevant taint source.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSource(DataFlow::Node source) { none() }
-
-  /**
-   * Holds if `source` is a relevant taint source with the given initial
-   * `state`.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) { none() }
-
-  /**
-   * Holds if `sink` is a relevant taint sink
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSink(DataFlow::Node sink) { none() }
-
-  /**
-   * Holds if `sink` is a relevant taint sink accepting `state`.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) { none() }
-
-  /** Holds if the node `node` is a taint sanitizer. */
-  predicate isSanitizer(DataFlow::Node node) { none() }
-
-  final override predicate isBarrier(DataFlow::Node node) {
-    this.isSanitizer(node) or
-    defaultTaintSanitizer(node)
-  }
-
-  /**
-   * Holds if the node `node` is a taint sanitizer when the flow state is
-   * `state`.
-   */
-  predicate isSanitizer(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrier(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizer(node, state)
-  }
-
-  /** Holds if taint propagation into `node` is prohibited. */
-  predicate isSanitizerIn(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
-
-  /** Holds if taint propagation out of `node` is prohibited. */
-  predicate isSanitizerOut(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
-
-  /**
-   * Holds if taint may propagate from `node1` to `node2` in addition to the normal data-flow and taint steps.
-   */
-  predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
-
-  final override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    this.isAdditionalTaintStep(node1, node2) or
-    defaultAdditionalTaintStep(node1, node2, _)
-  }
-
-  /**
-   * Holds if taint may propagate from `node1` to `node2` in addition to the normal data-flow and taint steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  predicate isAdditionalTaintStep(
-    DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-    DataFlow::FlowState state2
-  ) {
-    none()
-  }
-
-  final override predicate isAdditionalFlowStep(
-    DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-    DataFlow::FlowState state2
-  ) {
-    this.isAdditionalTaintStep(node1, state1, node2, state2)
-  }
-
-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
-    (
-      this.isSink(node) or
-      this.isSink(node, _) or
-      this.isAdditionalTaintStep(node, _) or
-      this.isAdditionalTaintStep(node, _, _, _)
-    ) and
-    defaultImplicitTaintRead(node, c)
-  }
-
-  /**
-   * Holds if taint may flow from `source` to `sink` for this configuration.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
-    super.hasFlow(source, sink)
-  }
-}

cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingParameter.qll

@@ -1,9 +0,0 @@
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- */
-
-import semmle.code.cpp.dataflow.internal.TaintTrackingUtil as Public
-
-module Private {
-  import semmle.code.cpp.dataflow.DataFlow2::DataFlow2 as DataFlow
-}

cpp/ql/lib/semmle/code/cpp/dataflow/new/DataFlow.qll

@@ -29,5 +29,5 @@ module DataFlow {
   private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplSpecific
   private import codeql.dataflow.DataFlow
   import DataFlowMake<Location, CppDataFlow>
-  import semmle.code.cpp.ir.dataflow.internal.DataFlowImpl1
+  import Public
 }

cpp/ql/lib/semmle/code/cpp/dataflow/new/DataFlow2.qll

@@ -1,20 +0,0 @@
-/**
- * Provides a `DataFlow2` module, which is a copy of the `DataFlow` module. Use
- * this class when data-flow configurations must depend on each other. Two
- * classes extending `DataFlow::Configuration` should never depend on each
- * other, but one of them should instead depend on a
- * `DataFlow2::Configuration`, a `DataFlow3::Configuration`, or a
- * `DataFlow4::Configuration`.
- *
- * See `semmle.code.cpp.dataflow.new.DataFlow` for the full documentation.
- */
-
-import cpp
-
-/**
- * Provides classes for performing local (intra-procedural) and
- * global (inter-procedural) data flow analyses.
- */
-module DataFlow2 {
-  import semmle.code.cpp.ir.dataflow.internal.DataFlowImpl2
-}

cpp/ql/lib/semmle/code/cpp/dataflow/new/DataFlow3.qll

@@ -1,20 +0,0 @@
-/**
- * Provides a `DataFlow3` module, which is a copy of the `DataFlow` module. Use
- * this class when data-flow configurations must depend on each other. Two
- * classes extending `DataFlow::Configuration` should never depend on each
- * other, but one of them should instead depend on a
- * `DataFlow2::Configuration`, a `DataFlow3::Configuration`, or a
- * `DataFlow4::Configuration`.
- *
- * See `semmle.code.cpp.dataflow.new.DataFlow` for the full documentation.
- */
-
-import cpp
-
-/**
- * Provides classes for performing local (intra-procedural) and
- * global (inter-procedural) data flow analyses.
- */
-module DataFlow3 {
-  import semmle.code.cpp.ir.dataflow.internal.DataFlowImpl3
-}

cpp/ql/lib/semmle/code/cpp/dataflow/new/DataFlow4.qll

@@ -1,20 +0,0 @@
-/**
- * Provides a `DataFlow4` module, which is a copy of the `DataFlow` module. Use
- * this class when data-flow configurations must depend on each other. Two
- * classes extending `DataFlow::Configuration` should never depend on each
- * other, but one of them should instead depend on a
- * `DataFlow2::Configuration`, a `DataFlow3::Configuration`, or a
- * `DataFlow4::Configuration`.
- *
- * See `semmle.code.cpp.dataflow.new.DataFlow` for the full documentation.
- */
-
-import cpp
-
-/**
- * Provides classes for performing local (intra-procedural) and
- * global (inter-procedural) data flow analyses.
- */
-module DataFlow4 {
-  import semmle.code.cpp.ir.dataflow.internal.DataFlowImpl4
-}

cpp/ql/lib/semmle/code/cpp/dataflow/new/TaintTracking.qll

@@ -16,18 +16,16 @@
  */
 
 import semmle.code.cpp.dataflow.new.DataFlow
-import semmle.code.cpp.dataflow.new.DataFlow2
 
 /**
  * Provides classes for performing local (intra-procedural) and
  * global (inter-procedural) taint-tracking analyses.
  */
 module TaintTracking {
-  import semmle.code.cpp.ir.dataflow.internal.tainttracking1.TaintTrackingParameter::Public
+  import semmle.code.cpp.ir.dataflow.internal.TaintTrackingUtil
   private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplSpecific
   private import semmle.code.cpp.ir.dataflow.internal.TaintTrackingImplSpecific
   private import codeql.dataflow.TaintTracking
   private import semmle.code.cpp.Location
   import TaintFlowMake<Location, CppDataFlow, CppTaintTracking>
-  import semmle.code.cpp.ir.dataflow.internal.tainttracking1.TaintTrackingImpl
 }

cpp/ql/lib/semmle/code/cpp/dataflow/new/TaintTracking2.qll

@@ -1,20 +0,0 @@
-/**
- * Provides a `TaintTracking2` module, which is a copy of the `TaintTracking`
- * module. Use this class when data-flow configurations or taint-tracking
- * configurations must depend on each other. Two classes extending
- * `DataFlow::Configuration` should never depend on each other, but one of them
- * should instead depend on a `DataFlow2::Configuration`, a
- * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`. The
- * `TaintTracking::Configuration` class extends `DataFlow::Configuration`, and
- * `TaintTracking2::Configuration` extends `DataFlow2::Configuration`.
- *
- * See `semmle.code.cpp.dataflow.new.TaintTracking` for the full documentation.
- */
-
-/**
- * Provides classes for performing local (intra-procedural) and
- * global (inter-procedural) taint-tracking analyses.
- */
-module TaintTracking2 {
-  import semmle.code.cpp.ir.dataflow.internal.tainttracking2.TaintTrackingImpl
-}

cpp/ql/lib/semmle/code/cpp/dataflow/new/TaintTracking3.qll

@@ -1,20 +0,0 @@
-/**
- * Provides a `TaintTracking3` module, which is a copy of the `TaintTracking`
- * module. Use this class when data-flow configurations or taint-tracking
- * configurations must depend on each other. Two classes extending
- * `DataFlow::Configuration` should never depend on each other, but one of them
- * should instead depend on a `DataFlow2::Configuration`, a
- * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`. The
- * `TaintTracking::Configuration` class extends `DataFlow::Configuration`, and
- * `TaintTracking2::Configuration` extends `DataFlow2::Configuration`.
- *
- * See `semmle.code.cpp.dataflow.new.TaintTracking` for the full documentation.
- */
-
-/**
- * Provides classes for performing local (intra-procedural) and
- * global (inter-procedural) taint-tracking analyses.
- */
-module TaintTracking3 {
-  import semmle.code.cpp.ir.dataflow.internal.tainttracking3.TaintTrackingImpl
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/DataFlow.qll

@@ -25,5 +25,5 @@ module DataFlow {
   private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplSpecific
   private import codeql.dataflow.DataFlow
   import DataFlowMake<Location, CppDataFlow>
-  import semmle.code.cpp.ir.dataflow.internal.DataFlowImpl1
+  import Public
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/DataFlow2.qll

@@ -1,16 +0,0 @@
-/**
- * Provides a `DataFlow2` module, which is a copy of the `DataFlow` module. Use
- * this class when data-flow configurations must depend on each other. Two
- * classes extending `DataFlow::Configuration` should never depend on each
- * other, but one of them should instead depend on a
- * `DataFlow2::Configuration`, a `DataFlow3::Configuration`, or a
- * `DataFlow4::Configuration`.
- *
- * See `semmle.code.cpp.ir.dataflow.DataFlow` for the full documentation.
- */
-
-import cpp
-
-module DataFlow2 {
-  import semmle.code.cpp.ir.dataflow.internal.DataFlowImpl2
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/DataFlow3.qll

@@ -1,16 +0,0 @@
-/**
- * Provides a `DataFlow3` module, which is a copy of the `DataFlow` module. Use
- * this class when data-flow configurations must depend on each other. Two
- * classes extending `DataFlow::Configuration` should never depend on each
- * other, but one of them should instead depend on a
- * `DataFlow2::Configuration`, a `DataFlow3::Configuration`, or a
- * `DataFlow4::Configuration`.
- *
- * See `semmle.code.cpp.ir.dataflow.DataFlow` for the full documentation.
- */
-
-import cpp
-
-module DataFlow3 {
-  import semmle.code.cpp.ir.dataflow.internal.DataFlowImpl3
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/DataFlow4.qll

@@ -1,16 +0,0 @@
-/**
- * Provides a `DataFlow4` module, which is a copy of the `DataFlow` module. Use
- * this class when data-flow configurations must depend on each other. Two
- * classes extending `DataFlow::Configuration` should never depend on each
- * other, but one of them should instead depend on a
- * `DataFlow2::Configuration`, a `DataFlow3::Configuration`, or a
- * `DataFlow4::Configuration`.
- *
- * See `semmle.code.cpp.ir.dataflow.DataFlow` for the full documentation.
- */
-
-import cpp
-
-module DataFlow4 {
-  import semmle.code.cpp.ir.dataflow.internal.DataFlowImpl4
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/TaintTracking.qll

@@ -16,13 +16,11 @@
  */
 
 import semmle.code.cpp.ir.dataflow.DataFlow
-import semmle.code.cpp.ir.dataflow.DataFlow2
 
 module TaintTracking {
-  import semmle.code.cpp.ir.dataflow.internal.tainttracking1.TaintTrackingParameter::Public
+  import semmle.code.cpp.ir.dataflow.internal.TaintTrackingUtil
   private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplSpecific
   private import semmle.code.cpp.ir.dataflow.internal.TaintTrackingImplSpecific
   private import codeql.dataflow.TaintTracking
   import TaintFlowMake<Location, CppDataFlow, CppTaintTracking>
-  import semmle.code.cpp.ir.dataflow.internal.tainttracking1.TaintTrackingImpl
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/TaintTracking2.qll

@@ -1,15 +0,0 @@
-/**
- * Provides a `TaintTracking2` module, which is a copy of the `TaintTracking`
- * module. Use this class when data-flow configurations or taint-tracking
- * configurations must depend on each other. Two classes extending
- * `DataFlow::Configuration` should never depend on each other, but one of them
- * should instead depend on a `DataFlow2::Configuration`, a
- * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`. The
- * `TaintTracking::Configuration` class extends `DataFlow::Configuration`, and
- * `TaintTracking2::Configuration` extends `DataFlow2::Configuration`.
- *
- * See `semmle.code.cpp.ir.dataflow.TaintTracking` for the full documentation.
- */
-module TaintTracking2 {
-  import semmle.code.cpp.ir.dataflow.internal.tainttracking2.TaintTrackingImpl
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/TaintTracking3.qll

@@ -1,15 +0,0 @@
-/**
- * Provides a `TaintTracking3` module, which is a copy of the `TaintTracking`
- * module. Use this class when data-flow configurations or taint-tracking
- * configurations must depend on each other. Two classes extending
- * `DataFlow::Configuration` should never depend on each other, but one of them
- * should instead depend on a `DataFlow2::Configuration`, a
- * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`. The
- * `TaintTracking::Configuration` class extends `DataFlow::Configuration`, and
- * `TaintTracking2::Configuration` extends `DataFlow2::Configuration`.
- *
- * See `semmle.code.cpp.ir.dataflow.TaintTracking` for the full documentation.
- */
-module TaintTracking3 {
-  import semmle.code.cpp.ir.dataflow.internal.tainttracking3.TaintTrackingImpl
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll

@@ -1,361 +0,0 @@
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * Provides a `Configuration` class backwards-compatible interface to the data
- * flow library.
- */
-
-private import DataFlowImplCommon
-private import DataFlowImplSpecific::Private
-import DataFlowImplSpecific::Public
-private import DataFlowImpl
-import DataFlowImplCommonPublic
-deprecated import FlowStateString
-private import codeql.util.Unit
-
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * A configuration of interprocedural data flow analysis. This defines
- * sources, sinks, and any other configurable aspect of the analysis. Each
- * use of the global data flow library must define its own unique extension
- * of this abstract class. To create a configuration, extend this class with
- * a subclass whose characteristic predicate is a unique singleton string.
- * For example, write
- *
- * ```ql
- * class MyAnalysisConfiguration extends DataFlow::Configuration {
- *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
- *   // Override `isSource` and `isSink`.
- *   // Optionally override `isBarrier`.
- *   // Optionally override `isAdditionalFlowStep`.
- * }
- * ```
- * Conceptually, this defines a graph where the nodes are `DataFlow::Node`s and
- * the edges are those data-flow steps that preserve the value of the node
- * along with any additional edges defined by `isAdditionalFlowStep`.
- * Specifying nodes in `isBarrier` will remove those nodes from the graph, and
- * specifying nodes in `isBarrierIn` and/or `isBarrierOut` will remove in-going
- * and/or out-going edges from those nodes, respectively.
- *
- * Then, to query whether there is flow between some `source` and `sink`,
- * write
- *
- * ```ql
- * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
- * ```
- *
- * Multiple configurations can coexist, but two classes extending
- * `DataFlow::Configuration` should never depend on each other. One of them
- * should instead depend on a `DataFlow2::Configuration`, a
- * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`.
- */
-abstract deprecated class Configuration extends string {
-  bindingset[this]
-  Configuration() { any() }
-
-  /**
-   * Holds if `source` is a relevant data flow source.
-   */
-  predicate isSource(Node source) { none() }
-
-  /**
-   * Holds if `source` is a relevant data flow source with the given initial
-   * `state`.
-   */
-  predicate isSource(Node source, FlowState state) { none() }
-
-  /**
-   * Holds if `sink` is a relevant data flow sink.
-   */
-  predicate isSink(Node sink) { none() }
-
-  /**
-   * Holds if `sink` is a relevant data flow sink accepting `state`.
-   */
-  predicate isSink(Node sink, FlowState state) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited. This completely removes
-   * `node` from the data flow graph.
-   */
-  predicate isBarrier(Node node) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isBarrier(Node node, FlowState state) { none() }
-
-  /** Holds if data flow into `node` is prohibited. */
-  predicate isBarrierIn(Node node) { none() }
-
-  /** Holds if data flow out of `node` is prohibited. */
-  predicate isBarrierOut(Node node) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   */
-  predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
-    none()
-  }
-
-  /**
-   * Holds if an arbitrary number of implicit read steps of content `c` may be
-   * taken at `node`.
-   */
-  predicate allowImplicitRead(Node node, ContentSet c) { none() }
-
-  /**
-   * Gets the virtual dispatch branching limit when calculating field flow.
-   * This can be overridden to a smaller value to improve performance (a
-   * value of 0 disables field flow), or a larger value to get more results.
-   */
-  int fieldFlowBranchLimit() { result = 2 }
-
-  /**
-   * Gets a data flow configuration feature to add restrictions to the set of
-   * valid flow paths.
-   *
-   * - `FeatureHasSourceCallContext`:
-   *    Assume that sources have some existing call context to disallow
-   *    conflicting return-flow directly following the source.
-   * - `FeatureHasSinkCallContext`:
-   *    Assume that sinks have some existing call context to disallow
-   *    conflicting argument-to-parameter flow directly preceding the sink.
-   * - `FeatureEqualSourceSinkCallContext`:
-   *    Implies both of the above and additionally ensures that the entire flow
-   *    path preserves the call context.
-   *
-   * These features are generally not relevant for typical end-to-end data flow
-   * queries, but should only be used for constructing paths that need to
-   * somehow be pluggable in another path context.
-   */
-  FlowFeature getAFeature() { none() }
-
-  /** Holds if sources should be grouped in the result of `hasFlowPath`. */
-  predicate sourceGrouping(Node source, string sourceGroup) { none() }
-
-  /** Holds if sinks should be grouped in the result of `hasFlowPath`. */
-  predicate sinkGrouping(Node sink, string sinkGroup) { none() }
-
-  /**
-   * Holds if data may flow from `source` to `sink` for this configuration.
-   */
-  predicate hasFlow(Node source, Node sink) { hasFlow(source, sink, this) }
-
-  /**
-   * Holds if data may flow from `source` to `sink` for this configuration.
-   *
-   * The corresponding paths are generated from the end-points and the graph
-   * included in the module `PathGraph`.
-   */
-  predicate hasFlowPath(PathNode source, PathNode sink) { hasFlowPath(source, sink, this) }
-
-  /**
-   * Holds if data may flow from some source to `sink` for this configuration.
-   */
-  predicate hasFlowTo(Node sink) { hasFlowTo(sink, this) }
-
-  /**
-   * Holds if data may flow from some source to `sink` for this configuration.
-   */
-  predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
-
-  /**
-   * Holds if hidden nodes should be included in the data flow graph.
-   *
-   * This feature should only be used for debugging or when the data flow graph
-   * is not visualized (for example in a `path-problem` query).
-   */
-  predicate includeHiddenNodes() { none() }
-}
-
-/**
- * This class exists to prevent mutual recursion between the user-overridden
- * member predicates of `Configuration` and the rest of the data-flow library.
- * Good performance cannot be guaranteed in the presence of such recursion, so
- * it should be replaced by using more than one copy of the data flow library.
- */
-abstract deprecated private class ConfigurationRecursionPrevention extends Configuration {
-  bindingset[this]
-  ConfigurationRecursionPrevention() { any() }
-
-  override predicate hasFlow(Node source, Node sink) {
-    strictcount(Node n | this.isSource(n)) < 0
-    or
-    strictcount(Node n | this.isSource(n, _)) < 0
-    or
-    strictcount(Node n | this.isSink(n)) < 0
-    or
-    strictcount(Node n | this.isSink(n, _)) < 0
-    or
-    strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, n2)) < 0
-    or
-    strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, _, n2, _)) < 0
-    or
-    super.hasFlow(source, sink)
-  }
-}
-
-deprecated private FlowState relevantState(Configuration config) {
-  config.isSource(_, result) or
-  config.isSink(_, result) or
-  config.isBarrier(_, result) or
-  config.isAdditionalFlowStep(_, result, _, _) or
-  config.isAdditionalFlowStep(_, _, _, result)
-}
-
-private newtype TConfigState =
-  deprecated TMkConfigState(Configuration config, FlowState state) {
-    state = relevantState(config) or state instanceof FlowStateEmpty
-  }
-
-deprecated private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
-
-deprecated private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
-
-deprecated private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
-
-deprecated private module Config implements FullStateConfigSig {
-  class FlowState = TConfigState;
-
-  predicate isSource(Node source, FlowState state) {
-    getConfig(state).isSource(source, getState(state))
-    or
-    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
-  }
-
-  predicate isSink(Node sink) { none() }
-
-  predicate isSink(Node sink, FlowState state) {
-    getConfig(state).isSink(sink, getState(state))
-    or
-    getConfig(state).isSink(sink) and getState(state) instanceof FlowStateEmpty
-  }
-
-  predicate isBarrier(Node node) { none() }
-
-  predicate isBarrier(Node node, FlowState state) {
-    getConfig(state).isBarrier(node, getState(state)) or
-    getConfig(state).isBarrier(node)
-  }
-
-  predicate isBarrierIn(Node node) { any(Configuration config).isBarrierIn(node) }
-
-  predicate isBarrierOut(Node node) { any(Configuration config).isBarrierOut(node) }
-
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
-  predicate isAdditionalFlowStep(Node node1, Node node2, string model) {
-    singleConfiguration() and
-    any(Configuration config).isAdditionalFlowStep(node1, node2) and
-    model = ""
-  }
-
-  predicate isAdditionalFlowStep(
-    Node node1, FlowState state1, Node node2, FlowState state2, string model
-  ) {
-    getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
-    getConfig(state2) = getConfig(state1) and
-    model = ""
-    or
-    not singleConfiguration() and
-    getConfig(state1).isAdditionalFlowStep(node1, node2) and
-    state2 = state1 and
-    model = ""
-  }
-
-  predicate allowImplicitRead(Node node, ContentSet c) {
-    any(Configuration config).allowImplicitRead(node, c)
-  }
-
-  predicate neverSkip(Node node) { none() }
-
-  int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
-
-  int accessPathLimit() { result = 5 }
-
-  FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
-
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
-
-  predicate observeDiffInformedIncrementalMode() { none() }
-}
-
-deprecated private import Impl<Config> as I
-
-/**
- * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
- * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
- */
-deprecated class PathNode instanceof I::PathNode {
-  /** Gets a textual representation of this element. */
-  final string toString() { result = super.toString() }
-
-  /**
-   * Gets a textual representation of this element, including a textual
-   * representation of the call context.
-   */
-  final string toStringWithContext() { result = super.toStringWithContext() }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  final predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-  }
-
-  /** Gets the underlying `Node`. */
-  final Node getNode() { result = super.getNode() }
-
-  /** Gets the `FlowState` of this node. */
-  deprecated final FlowState getState() { result = getState(super.getState()) }
-
-  /** Gets the associated configuration. */
-  deprecated final Configuration getConfiguration() { result = getConfig(super.getState()) }
-
-  /** Gets a successor of this node, if any. */
-  final PathNode getASuccessor() { result = super.getASuccessor() }
-
-  /** Holds if this node is a source. */
-  final predicate isSource() { super.isSource() }
-
-  /** Holds if this node is a grouping of source nodes. */
-  final predicate isSourceGroup(string group) { super.isSourceGroup(group) }
-
-  /** Holds if this node is a grouping of sink nodes. */
-  final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
-}
-
-deprecated module PathGraph = I::PathGraph;
-
-deprecated private predicate hasFlow(Node source, Node sink, Configuration config) {
-  exists(PathNode source0, PathNode sink0 |
-    hasFlowPath(source0, sink0, config) and
-    source0.getNode() = source and
-    sink0.getNode() = sink
-  )
-}
-
-deprecated private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  I::flowPath(source, sink) and source.getConfiguration() = config
-}
-
-deprecated private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
-
-deprecated predicate flowsTo = hasFlow/3;

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -1,361 +0,0 @@
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * Provides a `Configuration` class backwards-compatible interface to the data
- * flow library.
- */
-
-private import DataFlowImplCommon
-private import DataFlowImplSpecific::Private
-import DataFlowImplSpecific::Public
-private import DataFlowImpl
-import DataFlowImplCommonPublic
-deprecated import FlowStateString
-private import codeql.util.Unit
-
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * A configuration of interprocedural data flow analysis. This defines
- * sources, sinks, and any other configurable aspect of the analysis. Each
- * use of the global data flow library must define its own unique extension
- * of this abstract class. To create a configuration, extend this class with
- * a subclass whose characteristic predicate is a unique singleton string.
- * For example, write
- *
- * ```ql
- * class MyAnalysisConfiguration extends DataFlow::Configuration {
- *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
- *   // Override `isSource` and `isSink`.
- *   // Optionally override `isBarrier`.
- *   // Optionally override `isAdditionalFlowStep`.
- * }
- * ```
- * Conceptually, this defines a graph where the nodes are `DataFlow::Node`s and
- * the edges are those data-flow steps that preserve the value of the node
- * along with any additional edges defined by `isAdditionalFlowStep`.
- * Specifying nodes in `isBarrier` will remove those nodes from the graph, and
- * specifying nodes in `isBarrierIn` and/or `isBarrierOut` will remove in-going
- * and/or out-going edges from those nodes, respectively.
- *
- * Then, to query whether there is flow between some `source` and `sink`,
- * write
- *
- * ```ql
- * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
- * ```
- *
- * Multiple configurations can coexist, but two classes extending
- * `DataFlow::Configuration` should never depend on each other. One of them
- * should instead depend on a `DataFlow2::Configuration`, a
- * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`.
- */
-abstract deprecated class Configuration extends string {
-  bindingset[this]
-  Configuration() { any() }
-
-  /**
-   * Holds if `source` is a relevant data flow source.
-   */
-  predicate isSource(Node source) { none() }
-
-  /**
-   * Holds if `source` is a relevant data flow source with the given initial
-   * `state`.
-   */
-  predicate isSource(Node source, FlowState state) { none() }
-
-  /**
-   * Holds if `sink` is a relevant data flow sink.
-   */
-  predicate isSink(Node sink) { none() }
-
-  /**
-   * Holds if `sink` is a relevant data flow sink accepting `state`.
-   */
-  predicate isSink(Node sink, FlowState state) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited. This completely removes
-   * `node` from the data flow graph.
-   */
-  predicate isBarrier(Node node) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isBarrier(Node node, FlowState state) { none() }
-
-  /** Holds if data flow into `node` is prohibited. */
-  predicate isBarrierIn(Node node) { none() }
-
-  /** Holds if data flow out of `node` is prohibited. */
-  predicate isBarrierOut(Node node) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   */
-  predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
-    none()
-  }
-
-  /**
-   * Holds if an arbitrary number of implicit read steps of content `c` may be
-   * taken at `node`.
-   */
-  predicate allowImplicitRead(Node node, ContentSet c) { none() }
-
-  /**
-   * Gets the virtual dispatch branching limit when calculating field flow.
-   * This can be overridden to a smaller value to improve performance (a
-   * value of 0 disables field flow), or a larger value to get more results.
-   */
-  int fieldFlowBranchLimit() { result = 2 }
-
-  /**
-   * Gets a data flow configuration feature to add restrictions to the set of
-   * valid flow paths.
-   *
-   * - `FeatureHasSourceCallContext`:
-   *    Assume that sources have some existing call context to disallow
-   *    conflicting return-flow directly following the source.
-   * - `FeatureHasSinkCallContext`:
-   *    Assume that sinks have some existing call context to disallow
-   *    conflicting argument-to-parameter flow directly preceding the sink.
-   * - `FeatureEqualSourceSinkCallContext`:
-   *    Implies both of the above and additionally ensures that the entire flow
-   *    path preserves the call context.
-   *
-   * These features are generally not relevant for typical end-to-end data flow
-   * queries, but should only be used for constructing paths that need to
-   * somehow be pluggable in another path context.
-   */
-  FlowFeature getAFeature() { none() }
-
-  /** Holds if sources should be grouped in the result of `hasFlowPath`. */
-  predicate sourceGrouping(Node source, string sourceGroup) { none() }
-
-  /** Holds if sinks should be grouped in the result of `hasFlowPath`. */
-  predicate sinkGrouping(Node sink, string sinkGroup) { none() }
-
-  /**
-   * Holds if data may flow from `source` to `sink` for this configuration.
-   */
-  predicate hasFlow(Node source, Node sink) { hasFlow(source, sink, this) }
-
-  /**
-   * Holds if data may flow from `source` to `sink` for this configuration.
-   *
-   * The corresponding paths are generated from the end-points and the graph
-   * included in the module `PathGraph`.
-   */
-  predicate hasFlowPath(PathNode source, PathNode sink) { hasFlowPath(source, sink, this) }
-
-  /**
-   * Holds if data may flow from some source to `sink` for this configuration.
-   */
-  predicate hasFlowTo(Node sink) { hasFlowTo(sink, this) }
-
-  /**
-   * Holds if data may flow from some source to `sink` for this configuration.
-   */
-  predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
-
-  /**
-   * Holds if hidden nodes should be included in the data flow graph.
-   *
-   * This feature should only be used for debugging or when the data flow graph
-   * is not visualized (for example in a `path-problem` query).
-   */
-  predicate includeHiddenNodes() { none() }
-}
-
-/**
- * This class exists to prevent mutual recursion between the user-overridden
- * member predicates of `Configuration` and the rest of the data-flow library.
- * Good performance cannot be guaranteed in the presence of such recursion, so
- * it should be replaced by using more than one copy of the data flow library.
- */
-abstract deprecated private class ConfigurationRecursionPrevention extends Configuration {
-  bindingset[this]
-  ConfigurationRecursionPrevention() { any() }
-
-  override predicate hasFlow(Node source, Node sink) {
-    strictcount(Node n | this.isSource(n)) < 0
-    or
-    strictcount(Node n | this.isSource(n, _)) < 0
-    or
-    strictcount(Node n | this.isSink(n)) < 0
-    or
-    strictcount(Node n | this.isSink(n, _)) < 0
-    or
-    strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, n2)) < 0
-    or
-    strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, _, n2, _)) < 0
-    or
-    super.hasFlow(source, sink)
-  }
-}
-
-deprecated private FlowState relevantState(Configuration config) {
-  config.isSource(_, result) or
-  config.isSink(_, result) or
-  config.isBarrier(_, result) or
-  config.isAdditionalFlowStep(_, result, _, _) or
-  config.isAdditionalFlowStep(_, _, _, result)
-}
-
-private newtype TConfigState =
-  deprecated TMkConfigState(Configuration config, FlowState state) {
-    state = relevantState(config) or state instanceof FlowStateEmpty
-  }
-
-deprecated private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
-
-deprecated private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
-
-deprecated private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
-
-deprecated private module Config implements FullStateConfigSig {
-  class FlowState = TConfigState;
-
-  predicate isSource(Node source, FlowState state) {
-    getConfig(state).isSource(source, getState(state))
-    or
-    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
-  }
-
-  predicate isSink(Node sink) { none() }
-
-  predicate isSink(Node sink, FlowState state) {
-    getConfig(state).isSink(sink, getState(state))
-    or
-    getConfig(state).isSink(sink) and getState(state) instanceof FlowStateEmpty
-  }
-
-  predicate isBarrier(Node node) { none() }
-
-  predicate isBarrier(Node node, FlowState state) {
-    getConfig(state).isBarrier(node, getState(state)) or
-    getConfig(state).isBarrier(node)
-  }
-
-  predicate isBarrierIn(Node node) { any(Configuration config).isBarrierIn(node) }
-
-  predicate isBarrierOut(Node node) { any(Configuration config).isBarrierOut(node) }
-
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
-  predicate isAdditionalFlowStep(Node node1, Node node2, string model) {
-    singleConfiguration() and
-    any(Configuration config).isAdditionalFlowStep(node1, node2) and
-    model = ""
-  }
-
-  predicate isAdditionalFlowStep(
-    Node node1, FlowState state1, Node node2, FlowState state2, string model
-  ) {
-    getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
-    getConfig(state2) = getConfig(state1) and
-    model = ""
-    or
-    not singleConfiguration() and
-    getConfig(state1).isAdditionalFlowStep(node1, node2) and
-    state2 = state1 and
-    model = ""
-  }
-
-  predicate allowImplicitRead(Node node, ContentSet c) {
-    any(Configuration config).allowImplicitRead(node, c)
-  }
-
-  predicate neverSkip(Node node) { none() }
-
-  int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
-
-  int accessPathLimit() { result = 5 }
-
-  FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
-
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
-
-  predicate observeDiffInformedIncrementalMode() { none() }
-}
-
-deprecated private import Impl<Config> as I
-
-/**
- * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
- * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
- */
-deprecated class PathNode instanceof I::PathNode {
-  /** Gets a textual representation of this element. */
-  final string toString() { result = super.toString() }
-
-  /**
-   * Gets a textual representation of this element, including a textual
-   * representation of the call context.
-   */
-  final string toStringWithContext() { result = super.toStringWithContext() }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  final predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-  }
-
-  /** Gets the underlying `Node`. */
-  final Node getNode() { result = super.getNode() }
-
-  /** Gets the `FlowState` of this node. */
-  deprecated final FlowState getState() { result = getState(super.getState()) }
-
-  /** Gets the associated configuration. */
-  deprecated final Configuration getConfiguration() { result = getConfig(super.getState()) }
-
-  /** Gets a successor of this node, if any. */
-  final PathNode getASuccessor() { result = super.getASuccessor() }
-
-  /** Holds if this node is a source. */
-  final predicate isSource() { super.isSource() }
-
-  /** Holds if this node is a grouping of source nodes. */
-  final predicate isSourceGroup(string group) { super.isSourceGroup(group) }
-
-  /** Holds if this node is a grouping of sink nodes. */
-  final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
-}
-
-deprecated module PathGraph = I::PathGraph;
-
-deprecated private predicate hasFlow(Node source, Node sink, Configuration config) {
-  exists(PathNode source0, PathNode sink0 |
-    hasFlowPath(source0, sink0, config) and
-    source0.getNode() = source and
-    sink0.getNode() = sink
-  )
-}
-
-deprecated private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  I::flowPath(source, sink) and source.getConfiguration() = config
-}
-
-deprecated private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
-
-deprecated predicate flowsTo = hasFlow/3;

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -1,361 +0,0 @@
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * Provides a `Configuration` class backwards-compatible interface to the data
- * flow library.
- */
-
-private import DataFlowImplCommon
-private import DataFlowImplSpecific::Private
-import DataFlowImplSpecific::Public
-private import DataFlowImpl
-import DataFlowImplCommonPublic
-deprecated import FlowStateString
-private import codeql.util.Unit
-
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * A configuration of interprocedural data flow analysis. This defines
- * sources, sinks, and any other configurable aspect of the analysis. Each
- * use of the global data flow library must define its own unique extension
- * of this abstract class. To create a configuration, extend this class with
- * a subclass whose characteristic predicate is a unique singleton string.
- * For example, write
- *
- * ```ql
- * class MyAnalysisConfiguration extends DataFlow::Configuration {
- *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
- *   // Override `isSource` and `isSink`.
- *   // Optionally override `isBarrier`.
- *   // Optionally override `isAdditionalFlowStep`.
- * }
- * ```
- * Conceptually, this defines a graph where the nodes are `DataFlow::Node`s and
- * the edges are those data-flow steps that preserve the value of the node
- * along with any additional edges defined by `isAdditionalFlowStep`.
- * Specifying nodes in `isBarrier` will remove those nodes from the graph, and
- * specifying nodes in `isBarrierIn` and/or `isBarrierOut` will remove in-going
- * and/or out-going edges from those nodes, respectively.
- *
- * Then, to query whether there is flow between some `source` and `sink`,
- * write
- *
- * ```ql
- * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
- * ```
- *
- * Multiple configurations can coexist, but two classes extending
- * `DataFlow::Configuration` should never depend on each other. One of them
- * should instead depend on a `DataFlow2::Configuration`, a
- * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`.
- */
-abstract deprecated class Configuration extends string {
-  bindingset[this]
-  Configuration() { any() }
-
-  /**
-   * Holds if `source` is a relevant data flow source.
-   */
-  predicate isSource(Node source) { none() }
-
-  /**
-   * Holds if `source` is a relevant data flow source with the given initial
-   * `state`.
-   */
-  predicate isSource(Node source, FlowState state) { none() }
-
-  /**
-   * Holds if `sink` is a relevant data flow sink.
-   */
-  predicate isSink(Node sink) { none() }
-
-  /**
-   * Holds if `sink` is a relevant data flow sink accepting `state`.
-   */
-  predicate isSink(Node sink, FlowState state) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited. This completely removes
-   * `node` from the data flow graph.
-   */
-  predicate isBarrier(Node node) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isBarrier(Node node, FlowState state) { none() }
-
-  /** Holds if data flow into `node` is prohibited. */
-  predicate isBarrierIn(Node node) { none() }
-
-  /** Holds if data flow out of `node` is prohibited. */
-  predicate isBarrierOut(Node node) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   */
-  predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
-    none()
-  }
-
-  /**
-   * Holds if an arbitrary number of implicit read steps of content `c` may be
-   * taken at `node`.
-   */
-  predicate allowImplicitRead(Node node, ContentSet c) { none() }
-
-  /**
-   * Gets the virtual dispatch branching limit when calculating field flow.
-   * This can be overridden to a smaller value to improve performance (a
-   * value of 0 disables field flow), or a larger value to get more results.
-   */
-  int fieldFlowBranchLimit() { result = 2 }
-
-  /**
-   * Gets a data flow configuration feature to add restrictions to the set of
-   * valid flow paths.
-   *
-   * - `FeatureHasSourceCallContext`:
-   *    Assume that sources have some existing call context to disallow
-   *    conflicting return-flow directly following the source.
-   * - `FeatureHasSinkCallContext`:
-   *    Assume that sinks have some existing call context to disallow
-   *    conflicting argument-to-parameter flow directly preceding the sink.
-   * - `FeatureEqualSourceSinkCallContext`:
-   *    Implies both of the above and additionally ensures that the entire flow
-   *    path preserves the call context.
-   *
-   * These features are generally not relevant for typical end-to-end data flow
-   * queries, but should only be used for constructing paths that need to
-   * somehow be pluggable in another path context.
-   */
-  FlowFeature getAFeature() { none() }
-
-  /** Holds if sources should be grouped in the result of `hasFlowPath`. */
-  predicate sourceGrouping(Node source, string sourceGroup) { none() }
-
-  /** Holds if sinks should be grouped in the result of `hasFlowPath`. */
-  predicate sinkGrouping(Node sink, string sinkGroup) { none() }
-
-  /**
-   * Holds if data may flow from `source` to `sink` for this configuration.
-   */
-  predicate hasFlow(Node source, Node sink) { hasFlow(source, sink, this) }
-
-  /**
-   * Holds if data may flow from `source` to `sink` for this configuration.
-   *
-   * The corresponding paths are generated from the end-points and the graph
-   * included in the module `PathGraph`.
-   */
-  predicate hasFlowPath(PathNode source, PathNode sink) { hasFlowPath(source, sink, this) }
-
-  /**
-   * Holds if data may flow from some source to `sink` for this configuration.
-   */
-  predicate hasFlowTo(Node sink) { hasFlowTo(sink, this) }
-
-  /**
-   * Holds if data may flow from some source to `sink` for this configuration.
-   */
-  predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
-
-  /**
-   * Holds if hidden nodes should be included in the data flow graph.
-   *
-   * This feature should only be used for debugging or when the data flow graph
-   * is not visualized (for example in a `path-problem` query).
-   */
-  predicate includeHiddenNodes() { none() }
-}
-
-/**
- * This class exists to prevent mutual recursion between the user-overridden
- * member predicates of `Configuration` and the rest of the data-flow library.
- * Good performance cannot be guaranteed in the presence of such recursion, so
- * it should be replaced by using more than one copy of the data flow library.
- */
-abstract deprecated private class ConfigurationRecursionPrevention extends Configuration {
-  bindingset[this]
-  ConfigurationRecursionPrevention() { any() }
-
-  override predicate hasFlow(Node source, Node sink) {
-    strictcount(Node n | this.isSource(n)) < 0
-    or
-    strictcount(Node n | this.isSource(n, _)) < 0
-    or
-    strictcount(Node n | this.isSink(n)) < 0
-    or
-    strictcount(Node n | this.isSink(n, _)) < 0
-    or
-    strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, n2)) < 0
-    or
-    strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, _, n2, _)) < 0
-    or
-    super.hasFlow(source, sink)
-  }
-}
-
-deprecated private FlowState relevantState(Configuration config) {
-  config.isSource(_, result) or
-  config.isSink(_, result) or
-  config.isBarrier(_, result) or
-  config.isAdditionalFlowStep(_, result, _, _) or
-  config.isAdditionalFlowStep(_, _, _, result)
-}
-
-private newtype TConfigState =
-  deprecated TMkConfigState(Configuration config, FlowState state) {
-    state = relevantState(config) or state instanceof FlowStateEmpty
-  }
-
-deprecated private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
-
-deprecated private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
-
-deprecated private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
-
-deprecated private module Config implements FullStateConfigSig {
-  class FlowState = TConfigState;
-
-  predicate isSource(Node source, FlowState state) {
-    getConfig(state).isSource(source, getState(state))
-    or
-    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
-  }
-
-  predicate isSink(Node sink) { none() }
-
-  predicate isSink(Node sink, FlowState state) {
-    getConfig(state).isSink(sink, getState(state))
-    or
-    getConfig(state).isSink(sink) and getState(state) instanceof FlowStateEmpty
-  }
-
-  predicate isBarrier(Node node) { none() }
-
-  predicate isBarrier(Node node, FlowState state) {
-    getConfig(state).isBarrier(node, getState(state)) or
-    getConfig(state).isBarrier(node)
-  }
-
-  predicate isBarrierIn(Node node) { any(Configuration config).isBarrierIn(node) }
-
-  predicate isBarrierOut(Node node) { any(Configuration config).isBarrierOut(node) }
-
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
-  predicate isAdditionalFlowStep(Node node1, Node node2, string model) {
-    singleConfiguration() and
-    any(Configuration config).isAdditionalFlowStep(node1, node2) and
-    model = ""
-  }
-
-  predicate isAdditionalFlowStep(
-    Node node1, FlowState state1, Node node2, FlowState state2, string model
-  ) {
-    getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
-    getConfig(state2) = getConfig(state1) and
-    model = ""
-    or
-    not singleConfiguration() and
-    getConfig(state1).isAdditionalFlowStep(node1, node2) and
-    state2 = state1 and
-    model = ""
-  }
-
-  predicate allowImplicitRead(Node node, ContentSet c) {
-    any(Configuration config).allowImplicitRead(node, c)
-  }
-
-  predicate neverSkip(Node node) { none() }
-
-  int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
-
-  int accessPathLimit() { result = 5 }
-
-  FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
-
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
-
-  predicate observeDiffInformedIncrementalMode() { none() }
-}
-
-deprecated private import Impl<Config> as I
-
-/**
- * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
- * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
- */
-deprecated class PathNode instanceof I::PathNode {
-  /** Gets a textual representation of this element. */
-  final string toString() { result = super.toString() }
-
-  /**
-   * Gets a textual representation of this element, including a textual
-   * representation of the call context.
-   */
-  final string toStringWithContext() { result = super.toStringWithContext() }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  final predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-  }
-
-  /** Gets the underlying `Node`. */
-  final Node getNode() { result = super.getNode() }
-
-  /** Gets the `FlowState` of this node. */
-  deprecated final FlowState getState() { result = getState(super.getState()) }
-
-  /** Gets the associated configuration. */
-  deprecated final Configuration getConfiguration() { result = getConfig(super.getState()) }
-
-  /** Gets a successor of this node, if any. */
-  final PathNode getASuccessor() { result = super.getASuccessor() }
-
-  /** Holds if this node is a source. */
-  final predicate isSource() { super.isSource() }
-
-  /** Holds if this node is a grouping of source nodes. */
-  final predicate isSourceGroup(string group) { super.isSourceGroup(group) }
-
-  /** Holds if this node is a grouping of sink nodes. */
-  final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
-}
-
-deprecated module PathGraph = I::PathGraph;
-
-deprecated private predicate hasFlow(Node source, Node sink, Configuration config) {
-  exists(PathNode source0, PathNode sink0 |
-    hasFlowPath(source0, sink0, config) and
-    source0.getNode() = source and
-    sink0.getNode() = sink
-  )
-}
-
-deprecated private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  I::flowPath(source, sink) and source.getConfiguration() = config
-}
-
-deprecated private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
-
-deprecated predicate flowsTo = hasFlow/3;

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

@@ -1,361 +0,0 @@
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * Provides a `Configuration` class backwards-compatible interface to the data
- * flow library.
- */
-
-private import DataFlowImplCommon
-private import DataFlowImplSpecific::Private
-import DataFlowImplSpecific::Public
-private import DataFlowImpl
-import DataFlowImplCommonPublic
-deprecated import FlowStateString
-private import codeql.util.Unit
-
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * A configuration of interprocedural data flow analysis. This defines
- * sources, sinks, and any other configurable aspect of the analysis. Each
- * use of the global data flow library must define its own unique extension
- * of this abstract class. To create a configuration, extend this class with
- * a subclass whose characteristic predicate is a unique singleton string.
- * For example, write
- *
- * ```ql
- * class MyAnalysisConfiguration extends DataFlow::Configuration {
- *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
- *   // Override `isSource` and `isSink`.
- *   // Optionally override `isBarrier`.
- *   // Optionally override `isAdditionalFlowStep`.
- * }
- * ```
- * Conceptually, this defines a graph where the nodes are `DataFlow::Node`s and
- * the edges are those data-flow steps that preserve the value of the node
- * along with any additional edges defined by `isAdditionalFlowStep`.
- * Specifying nodes in `isBarrier` will remove those nodes from the graph, and
- * specifying nodes in `isBarrierIn` and/or `isBarrierOut` will remove in-going
- * and/or out-going edges from those nodes, respectively.
- *
- * Then, to query whether there is flow between some `source` and `sink`,
- * write
- *
- * ```ql
- * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
- * ```
- *
- * Multiple configurations can coexist, but two classes extending
- * `DataFlow::Configuration` should never depend on each other. One of them
- * should instead depend on a `DataFlow2::Configuration`, a
- * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`.
- */
-abstract deprecated class Configuration extends string {
-  bindingset[this]
-  Configuration() { any() }
-
-  /**
-   * Holds if `source` is a relevant data flow source.
-   */
-  predicate isSource(Node source) { none() }
-
-  /**
-   * Holds if `source` is a relevant data flow source with the given initial
-   * `state`.
-   */
-  predicate isSource(Node source, FlowState state) { none() }
-
-  /**
-   * Holds if `sink` is a relevant data flow sink.
-   */
-  predicate isSink(Node sink) { none() }
-
-  /**
-   * Holds if `sink` is a relevant data flow sink accepting `state`.
-   */
-  predicate isSink(Node sink, FlowState state) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited. This completely removes
-   * `node` from the data flow graph.
-   */
-  predicate isBarrier(Node node) { none() }
-
-  /**
-   * Holds if data flow through `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isBarrier(Node node, FlowState state) { none() }
-
-  /** Holds if data flow into `node` is prohibited. */
-  predicate isBarrierIn(Node node) { none() }
-
-  /** Holds if data flow out of `node` is prohibited. */
-  predicate isBarrierOut(Node node) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   */
-  predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
-
-  /**
-   * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
-    none()
-  }
-
-  /**
-   * Holds if an arbitrary number of implicit read steps of content `c` may be
-   * taken at `node`.
-   */
-  predicate allowImplicitRead(Node node, ContentSet c) { none() }
-
-  /**
-   * Gets the virtual dispatch branching limit when calculating field flow.
-   * This can be overridden to a smaller value to improve performance (a
-   * value of 0 disables field flow), or a larger value to get more results.
-   */
-  int fieldFlowBranchLimit() { result = 2 }
-
-  /**
-   * Gets a data flow configuration feature to add restrictions to the set of
-   * valid flow paths.
-   *
-   * - `FeatureHasSourceCallContext`:
-   *    Assume that sources have some existing call context to disallow
-   *    conflicting return-flow directly following the source.
-   * - `FeatureHasSinkCallContext`:
-   *    Assume that sinks have some existing call context to disallow
-   *    conflicting argument-to-parameter flow directly preceding the sink.
-   * - `FeatureEqualSourceSinkCallContext`:
-   *    Implies both of the above and additionally ensures that the entire flow
-   *    path preserves the call context.
-   *
-   * These features are generally not relevant for typical end-to-end data flow
-   * queries, but should only be used for constructing paths that need to
-   * somehow be pluggable in another path context.
-   */
-  FlowFeature getAFeature() { none() }
-
-  /** Holds if sources should be grouped in the result of `hasFlowPath`. */
-  predicate sourceGrouping(Node source, string sourceGroup) { none() }
-
-  /** Holds if sinks should be grouped in the result of `hasFlowPath`. */
-  predicate sinkGrouping(Node sink, string sinkGroup) { none() }
-
-  /**
-   * Holds if data may flow from `source` to `sink` for this configuration.
-   */
-  predicate hasFlow(Node source, Node sink) { hasFlow(source, sink, this) }
-
-  /**
-   * Holds if data may flow from `source` to `sink` for this configuration.
-   *
-   * The corresponding paths are generated from the end-points and the graph
-   * included in the module `PathGraph`.
-   */
-  predicate hasFlowPath(PathNode source, PathNode sink) { hasFlowPath(source, sink, this) }
-
-  /**
-   * Holds if data may flow from some source to `sink` for this configuration.
-   */
-  predicate hasFlowTo(Node sink) { hasFlowTo(sink, this) }
-
-  /**
-   * Holds if data may flow from some source to `sink` for this configuration.
-   */
-  predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
-
-  /**
-   * Holds if hidden nodes should be included in the data flow graph.
-   *
-   * This feature should only be used for debugging or when the data flow graph
-   * is not visualized (for example in a `path-problem` query).
-   */
-  predicate includeHiddenNodes() { none() }
-}
-
-/**
- * This class exists to prevent mutual recursion between the user-overridden
- * member predicates of `Configuration` and the rest of the data-flow library.
- * Good performance cannot be guaranteed in the presence of such recursion, so
- * it should be replaced by using more than one copy of the data flow library.
- */
-abstract deprecated private class ConfigurationRecursionPrevention extends Configuration {
-  bindingset[this]
-  ConfigurationRecursionPrevention() { any() }
-
-  override predicate hasFlow(Node source, Node sink) {
-    strictcount(Node n | this.isSource(n)) < 0
-    or
-    strictcount(Node n | this.isSource(n, _)) < 0
-    or
-    strictcount(Node n | this.isSink(n)) < 0
-    or
-    strictcount(Node n | this.isSink(n, _)) < 0
-    or
-    strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, n2)) < 0
-    or
-    strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, _, n2, _)) < 0
-    or
-    super.hasFlow(source, sink)
-  }
-}
-
-deprecated private FlowState relevantState(Configuration config) {
-  config.isSource(_, result) or
-  config.isSink(_, result) or
-  config.isBarrier(_, result) or
-  config.isAdditionalFlowStep(_, result, _, _) or
-  config.isAdditionalFlowStep(_, _, _, result)
-}
-
-private newtype TConfigState =
-  deprecated TMkConfigState(Configuration config, FlowState state) {
-    state = relevantState(config) or state instanceof FlowStateEmpty
-  }
-
-deprecated private Configuration getConfig(TConfigState state) { state = TMkConfigState(result, _) }
-
-deprecated private FlowState getState(TConfigState state) { state = TMkConfigState(_, result) }
-
-deprecated private predicate singleConfiguration() { 1 = strictcount(Configuration c) }
-
-deprecated private module Config implements FullStateConfigSig {
-  class FlowState = TConfigState;
-
-  predicate isSource(Node source, FlowState state) {
-    getConfig(state).isSource(source, getState(state))
-    or
-    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
-  }
-
-  predicate isSink(Node sink) { none() }
-
-  predicate isSink(Node sink, FlowState state) {
-    getConfig(state).isSink(sink, getState(state))
-    or
-    getConfig(state).isSink(sink) and getState(state) instanceof FlowStateEmpty
-  }
-
-  predicate isBarrier(Node node) { none() }
-
-  predicate isBarrier(Node node, FlowState state) {
-    getConfig(state).isBarrier(node, getState(state)) or
-    getConfig(state).isBarrier(node)
-  }
-
-  predicate isBarrierIn(Node node) { any(Configuration config).isBarrierIn(node) }
-
-  predicate isBarrierOut(Node node) { any(Configuration config).isBarrierOut(node) }
-
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
-  predicate isAdditionalFlowStep(Node node1, Node node2, string model) {
-    singleConfiguration() and
-    any(Configuration config).isAdditionalFlowStep(node1, node2) and
-    model = ""
-  }
-
-  predicate isAdditionalFlowStep(
-    Node node1, FlowState state1, Node node2, FlowState state2, string model
-  ) {
-    getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
-    getConfig(state2) = getConfig(state1) and
-    model = ""
-    or
-    not singleConfiguration() and
-    getConfig(state1).isAdditionalFlowStep(node1, node2) and
-    state2 = state1 and
-    model = ""
-  }
-
-  predicate allowImplicitRead(Node node, ContentSet c) {
-    any(Configuration config).allowImplicitRead(node, c)
-  }
-
-  predicate neverSkip(Node node) { none() }
-
-  int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
-
-  int accessPathLimit() { result = 5 }
-
-  FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
-
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
-
-  predicate observeDiffInformedIncrementalMode() { none() }
-}
-
-deprecated private import Impl<Config> as I
-
-/**
- * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
- * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
- */
-deprecated class PathNode instanceof I::PathNode {
-  /** Gets a textual representation of this element. */
-  final string toString() { result = super.toString() }
-
-  /**
-   * Gets a textual representation of this element, including a textual
-   * representation of the call context.
-   */
-  final string toStringWithContext() { result = super.toStringWithContext() }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  final predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-  }
-
-  /** Gets the underlying `Node`. */
-  final Node getNode() { result = super.getNode() }
-
-  /** Gets the `FlowState` of this node. */
-  deprecated final FlowState getState() { result = getState(super.getState()) }
-
-  /** Gets the associated configuration. */
-  deprecated final Configuration getConfiguration() { result = getConfig(super.getState()) }
-
-  /** Gets a successor of this node, if any. */
-  final PathNode getASuccessor() { result = super.getASuccessor() }
-
-  /** Holds if this node is a source. */
-  final predicate isSource() { super.isSource() }
-
-  /** Holds if this node is a grouping of source nodes. */
-  final predicate isSourceGroup(string group) { super.isSourceGroup(group) }
-
-  /** Holds if this node is a grouping of sink nodes. */
-  final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
-}
-
-deprecated module PathGraph = I::PathGraph;
-
-deprecated private predicate hasFlow(Node source, Node sink, Configuration config) {
-  exists(PathNode source0, PathNode sink0 |
-    hasFlowPath(source0, sink0, config) and
-    source0.getNode() = source and
-    sink0.getNode() = sink
-  )
-}
-
-deprecated private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  I::flowPath(source, sink) and source.getConfiguration() = config
-}
-
-deprecated private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
-
-deprecated predicate flowsTo = hasFlow/3;

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll

@@ -545,7 +545,7 @@ module ProductFlow {
     private predicate outImpl1(Flow1::PathNode pred1, Flow1::PathNode succ1, DataFlowCall call) {
       Flow1::PathGraph::edges(pred1, succ1, _, _) and
       exists(ReturnKindExt returnKind |
-        succ1.getNode() = returnKind.getAnOutNode(call) and
+        succ1.getNode() = getAnOutNodeExt(call, returnKind) and
         returnKind = getParamReturnPosition(_, pred1.asParameterReturnNode()).getKind()
       )
     }
@@ -573,7 +573,7 @@ module ProductFlow {
     private predicate outImpl2(Flow2::PathNode pred2, Flow2::PathNode succ2, DataFlowCall call) {
       Flow2::PathGraph::edges(pred2, succ2, _, _) and
       exists(ReturnKindExt returnKind |
-        succ2.getNode() = returnKind.getAnOutNode(call) and
+        succ2.getNode() = getAnOutNodeExt(call, returnKind) and
         returnKind = getParamReturnPosition(_, pred2.asParameterReturnNode()).getKind()
       )
     }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll

@@ -1,168 +0,0 @@
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * Provides an implementation of global (interprocedural) taint tracking.
- * This file re-exports the local (intraprocedural) taint-tracking analysis
- * from `TaintTrackingParameter::Public` and adds a global analysis, mainly
- * exposed through the `Configuration` class. For some languages, this file
- * exists in several identical copies, allowing queries to use multiple
- * `Configuration` classes that depend on each other without introducing
- * mutual recursion among those configurations.
- */
-
-import TaintTrackingParameter::Public
-private import TaintTrackingParameter::Private
-
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * A configuration of interprocedural taint tracking analysis. This defines
- * sources, sinks, and any other configurable aspect of the analysis. Each
- * use of the taint tracking library must define its own unique extension of
- * this abstract class.
- *
- * A taint-tracking configuration is a special data flow configuration
- * (`DataFlow::Configuration`) that allows for flow through nodes that do not
- * necessarily preserve values but are still relevant from a taint tracking
- * perspective. (For example, string concatenation, where one of the operands
- * is tainted.)
- *
- * To create a configuration, extend this class with a subclass whose
- * characteristic predicate is a unique singleton string. For example, write
- *
- * ```ql
- * class MyAnalysisConfiguration extends TaintTracking::Configuration {
- *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
- *   // Override `isSource` and `isSink`.
- *   // Optionally override `isSanitizer`.
- *   // Optionally override `isSanitizerIn`.
- *   // Optionally override `isSanitizerOut`.
- *   // Optionally override `isSanitizerGuard`.
- *   // Optionally override `isAdditionalTaintStep`.
- * }
- * ```
- *
- * Then, to query whether there is flow between some `source` and `sink`,
- * write
- *
- * ```ql
- * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
- * ```
- *
- * Multiple configurations can coexist, but it is unsupported to depend on
- * another `TaintTracking::Configuration` or a `DataFlow::Configuration` in the
- * overridden predicates that define sources, sinks, or additional steps.
- * Instead, the dependency should go to a `TaintTracking2::Configuration` or a
- * `DataFlow2::Configuration`, `DataFlow3::Configuration`, etc.
- */
-abstract deprecated class Configuration extends DataFlow::Configuration {
-  bindingset[this]
-  Configuration() { any() }
-
-  /**
-   * Holds if `source` is a relevant taint source.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSource(DataFlow::Node source) { none() }
-
-  /**
-   * Holds if `source` is a relevant taint source with the given initial
-   * `state`.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) { none() }
-
-  /**
-   * Holds if `sink` is a relevant taint sink
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSink(DataFlow::Node sink) { none() }
-
-  /**
-   * Holds if `sink` is a relevant taint sink accepting `state`.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) { none() }
-
-  /** Holds if the node `node` is a taint sanitizer. */
-  predicate isSanitizer(DataFlow::Node node) { none() }
-
-  final override predicate isBarrier(DataFlow::Node node) {
-    this.isSanitizer(node) or
-    defaultTaintSanitizer(node)
-  }
-
-  /**
-   * Holds if the node `node` is a taint sanitizer when the flow state is
-   * `state`.
-   */
-  predicate isSanitizer(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrier(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizer(node, state)
-  }
-
-  /** Holds if taint propagation into `node` is prohibited. */
-  predicate isSanitizerIn(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
-
-  /** Holds if taint propagation out of `node` is prohibited. */
-  predicate isSanitizerOut(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
-
-  /**
-   * Holds if taint may propagate from `node1` to `node2` in addition to the normal data-flow and taint steps.
-   */
-  predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
-
-  final override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    this.isAdditionalTaintStep(node1, node2) or
-    defaultAdditionalTaintStep(node1, node2, _)
-  }
-
-  /**
-   * Holds if taint may propagate from `node1` to `node2` in addition to the normal data-flow and taint steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  predicate isAdditionalTaintStep(
-    DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-    DataFlow::FlowState state2
-  ) {
-    none()
-  }
-
-  final override predicate isAdditionalFlowStep(
-    DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-    DataFlow::FlowState state2
-  ) {
-    this.isAdditionalTaintStep(node1, state1, node2, state2)
-  }
-
-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
-    (
-      this.isSink(node) or
-      this.isSink(node, _) or
-      this.isAdditionalTaintStep(node, _) or
-      this.isAdditionalTaintStep(node, _, _, _)
-    ) and
-    defaultImplicitTaintRead(node, c)
-  }
-
-  /**
-   * Holds if taint may flow from `source` to `sink` for this configuration.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
-    super.hasFlow(source, sink)
-  }
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingParameter.qll

@@ -1,6 +0,0 @@
-import semmle.code.cpp.ir.dataflow.internal.TaintTrackingUtil as Public
-
-module Private {
-  import semmle.code.cpp.ir.dataflow.DataFlow::DataFlow as DataFlow
-  import semmle.code.cpp.ir.dataflow.internal.DataFlowImpl as DataFlowInternal
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll

@@ -1,168 +0,0 @@
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * Provides an implementation of global (interprocedural) taint tracking.
- * This file re-exports the local (intraprocedural) taint-tracking analysis
- * from `TaintTrackingParameter::Public` and adds a global analysis, mainly
- * exposed through the `Configuration` class. For some languages, this file
- * exists in several identical copies, allowing queries to use multiple
- * `Configuration` classes that depend on each other without introducing
- * mutual recursion among those configurations.
- */
-
-import TaintTrackingParameter::Public
-private import TaintTrackingParameter::Private
-
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * A configuration of interprocedural taint tracking analysis. This defines
- * sources, sinks, and any other configurable aspect of the analysis. Each
- * use of the taint tracking library must define its own unique extension of
- * this abstract class.
- *
- * A taint-tracking configuration is a special data flow configuration
- * (`DataFlow::Configuration`) that allows for flow through nodes that do not
- * necessarily preserve values but are still relevant from a taint tracking
- * perspective. (For example, string concatenation, where one of the operands
- * is tainted.)
- *
- * To create a configuration, extend this class with a subclass whose
- * characteristic predicate is a unique singleton string. For example, write
- *
- * ```ql
- * class MyAnalysisConfiguration extends TaintTracking::Configuration {
- *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
- *   // Override `isSource` and `isSink`.
- *   // Optionally override `isSanitizer`.
- *   // Optionally override `isSanitizerIn`.
- *   // Optionally override `isSanitizerOut`.
- *   // Optionally override `isSanitizerGuard`.
- *   // Optionally override `isAdditionalTaintStep`.
- * }
- * ```
- *
- * Then, to query whether there is flow between some `source` and `sink`,
- * write
- *
- * ```ql
- * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
- * ```
- *
- * Multiple configurations can coexist, but it is unsupported to depend on
- * another `TaintTracking::Configuration` or a `DataFlow::Configuration` in the
- * overridden predicates that define sources, sinks, or additional steps.
- * Instead, the dependency should go to a `TaintTracking2::Configuration` or a
- * `DataFlow2::Configuration`, `DataFlow3::Configuration`, etc.
- */
-abstract deprecated class Configuration extends DataFlow::Configuration {
-  bindingset[this]
-  Configuration() { any() }
-
-  /**
-   * Holds if `source` is a relevant taint source.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSource(DataFlow::Node source) { none() }
-
-  /**
-   * Holds if `source` is a relevant taint source with the given initial
-   * `state`.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) { none() }
-
-  /**
-   * Holds if `sink` is a relevant taint sink
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSink(DataFlow::Node sink) { none() }
-
-  /**
-   * Holds if `sink` is a relevant taint sink accepting `state`.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) { none() }
-
-  /** Holds if the node `node` is a taint sanitizer. */
-  predicate isSanitizer(DataFlow::Node node) { none() }
-
-  final override predicate isBarrier(DataFlow::Node node) {
-    this.isSanitizer(node) or
-    defaultTaintSanitizer(node)
-  }
-
-  /**
-   * Holds if the node `node` is a taint sanitizer when the flow state is
-   * `state`.
-   */
-  predicate isSanitizer(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrier(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizer(node, state)
-  }
-
-  /** Holds if taint propagation into `node` is prohibited. */
-  predicate isSanitizerIn(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
-
-  /** Holds if taint propagation out of `node` is prohibited. */
-  predicate isSanitizerOut(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
-
-  /**
-   * Holds if taint may propagate from `node1` to `node2` in addition to the normal data-flow and taint steps.
-   */
-  predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
-
-  final override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    this.isAdditionalTaintStep(node1, node2) or
-    defaultAdditionalTaintStep(node1, node2, _)
-  }
-
-  /**
-   * Holds if taint may propagate from `node1` to `node2` in addition to the normal data-flow and taint steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  predicate isAdditionalTaintStep(
-    DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-    DataFlow::FlowState state2
-  ) {
-    none()
-  }
-
-  final override predicate isAdditionalFlowStep(
-    DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-    DataFlow::FlowState state2
-  ) {
-    this.isAdditionalTaintStep(node1, state1, node2, state2)
-  }
-
-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
-    (
-      this.isSink(node) or
-      this.isSink(node, _) or
-      this.isAdditionalTaintStep(node, _) or
-      this.isAdditionalTaintStep(node, _, _, _)
-    ) and
-    defaultImplicitTaintRead(node, c)
-  }
-
-  /**
-   * Holds if taint may flow from `source` to `sink` for this configuration.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
-    super.hasFlow(source, sink)
-  }
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingParameter.qll

@@ -1,5 +0,0 @@
-import semmle.code.cpp.ir.dataflow.internal.TaintTrackingUtil as Public
-
-module Private {
-  import semmle.code.cpp.ir.dataflow.DataFlow2::DataFlow2 as DataFlow
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll

@@ -1,168 +0,0 @@
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * Provides an implementation of global (interprocedural) taint tracking.
- * This file re-exports the local (intraprocedural) taint-tracking analysis
- * from `TaintTrackingParameter::Public` and adds a global analysis, mainly
- * exposed through the `Configuration` class. For some languages, this file
- * exists in several identical copies, allowing queries to use multiple
- * `Configuration` classes that depend on each other without introducing
- * mutual recursion among those configurations.
- */
-
-import TaintTrackingParameter::Public
-private import TaintTrackingParameter::Private
-
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- *
- * A configuration of interprocedural taint tracking analysis. This defines
- * sources, sinks, and any other configurable aspect of the analysis. Each
- * use of the taint tracking library must define its own unique extension of
- * this abstract class.
- *
- * A taint-tracking configuration is a special data flow configuration
- * (`DataFlow::Configuration`) that allows for flow through nodes that do not
- * necessarily preserve values but are still relevant from a taint tracking
- * perspective. (For example, string concatenation, where one of the operands
- * is tainted.)
- *
- * To create a configuration, extend this class with a subclass whose
- * characteristic predicate is a unique singleton string. For example, write
- *
- * ```ql
- * class MyAnalysisConfiguration extends TaintTracking::Configuration {
- *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
- *   // Override `isSource` and `isSink`.
- *   // Optionally override `isSanitizer`.
- *   // Optionally override `isSanitizerIn`.
- *   // Optionally override `isSanitizerOut`.
- *   // Optionally override `isSanitizerGuard`.
- *   // Optionally override `isAdditionalTaintStep`.
- * }
- * ```
- *
- * Then, to query whether there is flow between some `source` and `sink`,
- * write
- *
- * ```ql
- * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
- * ```
- *
- * Multiple configurations can coexist, but it is unsupported to depend on
- * another `TaintTracking::Configuration` or a `DataFlow::Configuration` in the
- * overridden predicates that define sources, sinks, or additional steps.
- * Instead, the dependency should go to a `TaintTracking2::Configuration` or a
- * `DataFlow2::Configuration`, `DataFlow3::Configuration`, etc.
- */
-abstract deprecated class Configuration extends DataFlow::Configuration {
-  bindingset[this]
-  Configuration() { any() }
-
-  /**
-   * Holds if `source` is a relevant taint source.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSource(DataFlow::Node source) { none() }
-
-  /**
-   * Holds if `source` is a relevant taint source with the given initial
-   * `state`.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) { none() }
-
-  /**
-   * Holds if `sink` is a relevant taint sink
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSink(DataFlow::Node sink) { none() }
-
-  /**
-   * Holds if `sink` is a relevant taint sink accepting `state`.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) { none() }
-
-  /** Holds if the node `node` is a taint sanitizer. */
-  predicate isSanitizer(DataFlow::Node node) { none() }
-
-  final override predicate isBarrier(DataFlow::Node node) {
-    this.isSanitizer(node) or
-    defaultTaintSanitizer(node)
-  }
-
-  /**
-   * Holds if the node `node` is a taint sanitizer when the flow state is
-   * `state`.
-   */
-  predicate isSanitizer(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrier(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizer(node, state)
-  }
-
-  /** Holds if taint propagation into `node` is prohibited. */
-  predicate isSanitizerIn(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
-
-  /** Holds if taint propagation out of `node` is prohibited. */
-  predicate isSanitizerOut(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
-
-  /**
-   * Holds if taint may propagate from `node1` to `node2` in addition to the normal data-flow and taint steps.
-   */
-  predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
-
-  final override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    this.isAdditionalTaintStep(node1, node2) or
-    defaultAdditionalTaintStep(node1, node2, _)
-  }
-
-  /**
-   * Holds if taint may propagate from `node1` to `node2` in addition to the normal data-flow and taint steps.
-   * This step is only applicable in `state1` and updates the flow state to `state2`.
-   */
-  predicate isAdditionalTaintStep(
-    DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-    DataFlow::FlowState state2
-  ) {
-    none()
-  }
-
-  final override predicate isAdditionalFlowStep(
-    DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-    DataFlow::FlowState state2
-  ) {
-    this.isAdditionalTaintStep(node1, state1, node2, state2)
-  }
-
-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
-    (
-      this.isSink(node) or
-      this.isSink(node, _) or
-      this.isAdditionalTaintStep(node, _) or
-      this.isAdditionalTaintStep(node, _, _, _)
-    ) and
-    defaultImplicitTaintRead(node, c)
-  }
-
-  /**
-   * Holds if taint may flow from `source` to `sink` for this configuration.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
-    super.hasFlow(source, sink)
-  }
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingParameter.qll

@@ -1,5 +0,0 @@
-import semmle.code.cpp.ir.dataflow.internal.TaintTrackingUtil as Public
-
-module Private {
-  import semmle.code.cpp.ir.dataflow.DataFlow3::DataFlow3 as DataFlow
-}

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRConsistency.qll

@@ -546,4 +546,26 @@ module InstructionConsistency {
         "' has no associated variable, in function '$@'." and
     irFunc = getInstructionIRFunction(instr, irFuncText)
   }
+
+  query predicate nonBooleanOperand(
+    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
+  ) {
+    exists(Instruction unary |
+      unary = instr.(LogicalNotInstruction).getUnary() and
+      not unary.getResultIRType() instanceof IRBooleanType and
+      irFunc = getInstructionIRFunction(instr, irFuncText) and
+      message =
+        "Logical Not instruction " + instr.toString() +
+          " with non-Boolean operand, in function '$@'."
+    )
+    or
+    exists(Instruction cond |
+      cond = instr.(ConditionalBranchInstruction).getCondition() and
+      not cond.getResultIRType() instanceof IRBooleanType and
+      irFunc = getInstructionIRFunction(instr, irFuncText) and
+      message =
+        "Conditional branch instruction " + instr.toString() +
+          " with non-Boolean condition, in function '$@'."
+    )
+  }
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRConsistency.qll

@@ -546,4 +546,26 @@ module InstructionConsistency {
         "' has no associated variable, in function '$@'." and
     irFunc = getInstructionIRFunction(instr, irFuncText)
   }
+
+  query predicate nonBooleanOperand(
+    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
+  ) {
+    exists(Instruction unary |
+      unary = instr.(LogicalNotInstruction).getUnary() and
+      not unary.getResultIRType() instanceof IRBooleanType and
+      irFunc = getInstructionIRFunction(instr, irFuncText) and
+      message =
+        "Logical Not instruction " + instr.toString() +
+          " with non-Boolean operand, in function '$@'."
+    )
+    or
+    exists(Instruction cond |
+      cond = instr.(ConditionalBranchInstruction).getCondition() and
+      not cond.getResultIRType() instanceof IRBooleanType and
+      irFunc = getInstructionIRFunction(instr, irFuncText) and
+      message =
+        "Conditional branch instruction " + instr.toString() +
+          " with non-Boolean condition, in function '$@'."
+    )
+  }
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll

@@ -364,10 +364,14 @@ class TranslatedFunctionCall extends TranslatedCallExpr, TranslatedDirectCall {
 
   final override predicate mayThrowException() {
     expr.getTarget().(ThrowingFunction).mayThrowException(_)
+    or
+    expr.getTarget() instanceof AlwaysSehThrowingFunction
   }
 
   final override predicate mustThrowException() {
     expr.getTarget().(ThrowingFunction).mayThrowException(true)
+    or
+    expr.getTarget() instanceof AlwaysSehThrowingFunction
   }
 }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.qll

@@ -546,4 +546,26 @@ module InstructionConsistency {
         "' has no associated variable, in function '$@'." and
     irFunc = getInstructionIRFunction(instr, irFuncText)
   }
+
+  query predicate nonBooleanOperand(
+    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
+  ) {
+    exists(Instruction unary |
+      unary = instr.(LogicalNotInstruction).getUnary() and
+      not unary.getResultIRType() instanceof IRBooleanType and
+      irFunc = getInstructionIRFunction(instr, irFuncText) and
+      message =
+        "Logical Not instruction " + instr.toString() +
+          " with non-Boolean operand, in function '$@'."
+    )
+    or
+    exists(Instruction cond |
+      cond = instr.(ConditionalBranchInstruction).getCondition() and
+      not cond.getResultIRType() instanceof IRBooleanType and
+      irFunc = getInstructionIRFunction(instr, irFuncText) and
+      message =
+        "Conditional branch instruction " + instr.toString() +
+          " with non-Boolean condition, in function '$@'."
+    )
+  }
 }

cpp/ql/lib/semmle/code/cpp/models/Models.qll

@@ -49,3 +49,4 @@ private import implementations.PostgreSql
 private import implementations.System
 private import implementations.StructuredExceptionHandling
 private import implementations.ZMQ
+private import implementations.Win32CommandExecution

cpp/ql/lib/semmle/code/cpp/models/implementations/Memcpy.qll

@@ -16,7 +16,7 @@ import semmle.code.cpp.models.interfaces.NonThrowing
  * `__builtin___memcpy_chk`.
  */
 private class MemcpyFunction extends ArrayFunction, DataFlowFunction, SideEffectFunction,
-  AliasFunction, NonThrowingFunction
+  AliasFunction, NonCppThrowingFunction
 {
   MemcpyFunction() {
     // memcpy(dest, src, num)

cpp/ql/lib/semmle/code/cpp/models/implementations/Memset.qll

@@ -11,7 +11,7 @@ import semmle.code.cpp.models.interfaces.SideEffect
 import semmle.code.cpp.models.interfaces.NonThrowing
 
 private class MemsetFunctionModel extends ArrayFunction, DataFlowFunction, AliasFunction,
-  SideEffectFunction, NonThrowingFunction
+  SideEffectFunction, NonCppThrowingFunction
 {
   MemsetFunctionModel() {
     this.hasGlobalOrStdOrBslName("memset")

cpp/ql/lib/semmle/code/cpp/models/implementations/NoexceptFunction.qll

@@ -6,6 +6,6 @@ import semmle.code.cpp.models.interfaces.NonThrowing
  *
  * Note: The `throw` specifier was deprecated in C++11 and removed in C++17.
  */
-class NoexceptFunction extends NonThrowingFunction {
+class NoexceptFunction extends NonCppThrowingFunction {
   NoexceptFunction() { this.isNoExcept() or this.isNoThrow() }
 }

cpp/ql/lib/semmle/code/cpp/models/implementations/Printf.qll

@@ -13,7 +13,7 @@ import semmle.code.cpp.models.interfaces.NonThrowing
 /**
  * The standard functions `printf`, `wprintf` and their glib variants.
  */
-private class Printf extends FormattingFunction, AliasFunction, NonThrowingFunction {
+private class Printf extends FormattingFunction, AliasFunction, NonCppThrowingFunction {
   Printf() {
     this instanceof TopLevelFunction and
     (
@@ -37,7 +37,7 @@ private class Printf extends FormattingFunction, AliasFunction, NonThrowingFunct
 /**
  * The standard functions `fprintf`, `fwprintf` and their glib variants.
  */
-private class Fprintf extends FormattingFunction, NonThrowingFunction {
+private class Fprintf extends FormattingFunction, NonCppThrowingFunction {
   Fprintf() {
     this instanceof TopLevelFunction and
     (
@@ -55,7 +55,7 @@ private class Fprintf extends FormattingFunction, NonThrowingFunction {
 /**
  * The standard function `sprintf` and its Microsoft and glib variants.
  */
-private class Sprintf extends FormattingFunction, NonThrowingFunction {
+private class Sprintf extends FormattingFunction, NonCppThrowingFunction {
   Sprintf() {
     this instanceof TopLevelFunction and
     (
@@ -98,7 +98,9 @@ private class Sprintf extends FormattingFunction, NonThrowingFunction {
 /**
  * Implements `Snprintf`.
  */
-private class SnprintfImpl extends Snprintf, AliasFunction, SideEffectFunction, NonThrowingFunction {
+private class SnprintfImpl extends Snprintf, AliasFunction, SideEffectFunction,
+  NonCppThrowingFunction
+{
   SnprintfImpl() {
     this instanceof TopLevelFunction and
     (
@@ -205,7 +207,7 @@ private class StringCchPrintf extends FormattingFunction {
 /**
  * The standard function `syslog`.
  */
-private class Syslog extends FormattingFunction, NonThrowingFunction {
+private class Syslog extends FormattingFunction, NonCppThrowingFunction {
   Syslog() {
     this instanceof TopLevelFunction and
     this.hasGlobalName("syslog") and

cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll

@@ -15,7 +15,7 @@ import semmle.code.cpp.models.interfaces.NonThrowing
  * Does not include `strlcat`, which is covered by `StrlcatFunction`
  */
 class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, SideEffectFunction,
-  NonThrowingFunction
+  NonCppThrowingFunction
 {
   StrcatFunction() {
     this.hasGlobalOrStdOrBslName([

cpp/ql/lib/semmle/code/cpp/models/implementations/Strcpy.qll

@@ -13,7 +13,7 @@ import semmle.code.cpp.models.interfaces.NonThrowing
  * The standard function `strcpy` and its wide, sized, and Microsoft variants.
  */
 class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, SideEffectFunction,
-  NonThrowingFunction
+  NonCppThrowingFunction
 {
   StrcpyFunction() {
     this.hasGlobalOrStdOrBslName([

cpp/ql/lib/semmle/code/cpp/models/implementations/StructuredExceptionHandling.qll

@@ -1,9 +1,7 @@
 import semmle.code.cpp.models.interfaces.Throwing
 
-class WindowsDriverFunction extends ThrowingFunction {
-  WindowsDriverFunction() {
+class WindowsDriverExceptionAnnotation extends AlwaysSehThrowingFunction {
+  WindowsDriverExceptionAnnotation() {
     this.hasGlobalName(["RaiseException", "ExRaiseAccessViolation", "ExRaiseDatatypeMisalignment"])
   }
-
-  final override predicate mayThrowException(boolean unconditional) { unconditional = true }
 }

cpp/ql/lib/semmle/code/cpp/models/implementations/Win32CommandExecution.qll

@@ -0,0 +1,56 @@
+private import semmle.code.cpp.models.interfaces.CommandExecution
+
+/** The `ShellExecute` family of functions from Win32. */
+class ShellExecute extends Function {
+  ShellExecute() { this.hasGlobalName("ShellExecute" + ["", "A", "W"]) }
+}
+
+private class ShellExecuteModel extends ShellExecute, CommandExecutionFunction {
+  override predicate hasCommandArgument(FunctionInput input) { input.isParameterDeref(2) }
+}
+
+/** The `WinExec` function from Win32. */
+class WinExec extends Function {
+  WinExec() { this.hasGlobalName("WinExec") }
+}
+
+private class WinExecModel extends WinExec, CommandExecutionFunction {
+  override predicate hasCommandArgument(FunctionInput input) { input.isParameterDeref(0) }
+}
+
+/** The `CreateProcess` family of functions from Win32. */
+class CreateProcess extends Function {
+  CreateProcess() { this.hasGlobalName("CreateProcess" + ["", "A", "W"]) }
+}
+
+private class CreateProcessModel extends CreateProcess, CommandExecutionFunction {
+  override predicate hasCommandArgument(FunctionInput input) { input.isParameterDeref(0) }
+}
+
+/** The `CreateProcessAsUser` family of functions from Win32. */
+class CreateProcessAsUser extends Function {
+  CreateProcessAsUser() { this.hasGlobalName("CreateProcessAsUser" + ["", "A", "W"]) }
+}
+
+private class CreateProcessAsUserModel extends CreateProcessAsUser, CommandExecutionFunction {
+  override predicate hasCommandArgument(FunctionInput input) { input.isParameterDeref(1) }
+}
+
+/** The `CreateProcessWithLogonW` function from Win32. */
+class CreateProcessWithLogonW extends Function {
+  CreateProcessWithLogonW() { this.hasGlobalName("CreateProcessWithLogonW") }
+}
+
+private class CreateProcessWithLogonModel extends CreateProcessWithLogonW, CommandExecutionFunction {
+  override predicate hasCommandArgument(FunctionInput input) { input.isParameterDeref(4) }
+}
+
+/** The `CreateProcessWithTokenW` function from Win32. */
+class CreateProcessWithTokenW extends Function {
+  CreateProcessWithTokenW() { this.hasGlobalName("CreateProcessWithTokenW") }
+}
+
+private class CreateProcessWithTokenWModel extends CreateProcessWithTokenW, CommandExecutionFunction
+{
+  override predicate hasCommandArgument(FunctionInput input) { input.isParameterDeref(2) }
+}

cpp/ql/lib/semmle/code/cpp/models/interfaces/NonThrowing.qll

@@ -6,6 +6,15 @@ import semmle.code.cpp.Function
 import semmle.code.cpp.models.Models
 
 /**
- * A function that is guaranteed to never throw.
+ * A function that is guaranteed to never throw a C++ exception
+ *
+ * The function may still raise a structured exception handling (SEH) exception.
  */
-abstract class NonThrowingFunction extends Function { }
+abstract class NonCppThrowingFunction extends Function { }
+
+/**
+ * A function that is guaranteed to never throw.
+ *
+ * DEPRECATED: use `NonCppThrowingFunction` instead.
+ */
+deprecated class NonThrowingFunction = NonCppThrowingFunction;

cpp/ql/lib/semmle/code/cpp/models/interfaces/Throwing.qll

@@ -11,7 +11,7 @@ import semmle.code.cpp.models.Models
 import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs
 
 /**
- * A class that models the exceptional behavior of a function.
+ * A function that is known to raise an exception.
  */
 abstract class ThrowingFunction extends Function {
   /**
@@ -20,3 +20,8 @@ abstract class ThrowingFunction extends Function {
    */
   abstract predicate mayThrowException(boolean unconditional);
 }
+
+/**
+ * A function that unconditionally raises a structured exception handling (SEH) exception.
+ */
+abstract class AlwaysSehThrowingFunction extends Function { }

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -46,6 +46,22 @@ compilation_args(
     string arg : string ref
 );
 
+/**
+ * Optionally, record the build mode for each compilation.
+ */
+compilation_build_mode(
+    unique int id : @compilation ref,
+    int mode : int ref
+);
+
+/*
+case @compilation_build_mode.mode of
+  0 = @build_mode_none
+| 1 = @build_mode_manual
+| 2 = @build_mode_auto
+;
+*/
+
 /**
  * The source files that are compiled by a compiler invocation.
  * If `id` is for the compiler invocation

cpp/ql/lib/upgrades/e51fad7a2436caefab0c6bd52f05e28e7cce4d92/upgrade.properties

@@ -0,0 +1,2 @@
+description: Implement compilation_build_mode/2
+compatibility: backwards

cpp/ql/src/Best Practices/GuardedFree.qhelp

@@ -1,18 +1,28 @@
-<!DOCTYPE qhelp SYSTEM "qhelp.dtd">
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
 <qhelp>
+
 <overview>
-<p>The <code>free</code> function, which deallocates heap memory, may accept a NULL pointer and take no action. Therefore, it is unnecessary to check its argument for the value of NULL before a function call to <code>free</code>. As such, these guards may hinder performance and readability.</p>
+<p>The <code>free</code> function, which deallocates heap memory, may accept a NULL pointer and take no action. Therefore, it is unnecessary to check the argument for the value of NULL before a function call to <code>free</code>. As such, these guards may hinder performance and readability.</p>
 </overview>
+
 <recommendation>
-<p>A function call to <code>free</code> should not depend upon the value of its argument. Delete the <code>if</code> condition preceeding a function call to <code>free</code> when its only purpose is to check the value of the pointer to be freed.</p>
+<p>A function call to <code>free</code> should not depend upon the value of its argument. Delete the condition preceding a function call to <code>free</code> when its only purpose is to check the value of the pointer to be freed.</p>
 </recommendation>
+
 <example>
 <sample src = "GuardedFree.cpp" />
+
+<p>In this example, the condition checking the value of <code>foo</code> can be deleted.</p>
+
 </example>
+
 <references>
 <li>
     The Open Group Base Specifications Issue 7, 2018 Edition:
-    <a href="https://pubs.opengroup.org/onlinepubs/9699919799/functions/free.html">free - free allocated memory</a>
+    <a href="https://pubs.opengroup.org/onlinepubs/9699919799/functions/free.html">free - free allocated memory</a>.
 </li>
 </references>
-</qhelp>
+
+</qhelp>

cpp/ql/src/Best Practices/GuardedFree.ql

@@ -0,0 +1,47 @@
+/**
+ * @name Guarded Free
+ * @description NULL-condition guards before function calls to the memory-deallocation
+ *              function free(3) are unnecessary, because passing NULL to free(3) is a no-op.
+ * @kind problem
+ * @problem.severity recommendation
+ * @precision very-high
+ * @id cpp/guarded-free
+ * @tags maintainability
+ *       readability
+ */
+
+import cpp
+import semmle.code.cpp.controlflow.Guards
+
+class FreeCall extends FunctionCall {
+  FreeCall() { this.getTarget().hasGlobalName("free") }
+}
+
+predicate blockContainsPreprocessorBranches(BasicBlock bb) {
+  exists(PreprocessorBranch ppb, Location bbLoc, Location ppbLoc |
+    bbLoc = bb.(Stmt).getLocation() and ppbLoc = ppb.getLocation()
+  |
+    bbLoc.getFile() = ppb.getFile() and
+    bbLoc.getStartLine() < ppbLoc.getStartLine() and
+    ppbLoc.getEndLine() < bbLoc.getEndLine()
+  )
+}
+
+from GuardCondition gc, FreeCall fc, Variable v, BasicBlock bb
+where
+  gc.ensuresEq(v.getAnAccess(), 0, bb, false) and
+  fc.getArgument(0) = v.getAnAccess() and
+  bb = fc.getBasicBlock() and
+  (
+    // No block statement: if (x) free(x);
+    bb = fc.getEnclosingStmt()
+    or
+    // Block statement with a single nested statement: if (x) { free(x); }
+    strictcount(bb.(BlockStmt).getAStmt()) = 1
+  ) and
+  strictcount(BasicBlock bb2 | gc.ensuresEq(_, 0, bb2, _) | bb2) = 1 and
+  not fc.isInMacroExpansion() and
+  not blockContainsPreprocessorBranches(bb) and
+  not (gc instanceof BinaryOperation and not gc instanceof ComparisonOperation) and
+  not exists(CommaExpr c | c.getAChild*() = fc)
+select gc, "unnecessary NULL check before call to $@", fc, "free"

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,17 @@
+## 1.3.0
+
+### New Queries
+
+* Added a new high-precision quality query, `cpp/guarded-free`, which detects useless NULL pointer checks before calls to `free`. A variation of this query was originally contributed as an [experimental query by @mario-campos](https://github.com/github/codeql/pull/16331).
+
+### Minor Analysis Improvements
+
+* The "Call to function with fewer arguments than declared parameters" query (`cpp/too-few-arguments`) query no longer produces results if the function has been implicitly declared.
+
+## 1.2.7
+
+No user-facing changes.
+
 ## 1.2.6
 
 ### Minor Analysis Improvements

cpp/ql/src/Critical/UseAfterFree.qhelp

@@ -8,7 +8,7 @@
 <p>
 This rule finds accesses through a pointer of a memory location that has already been freed (i.e. through a dangling pointer). 
 Such memory blocks have already been released to the dynamic memory manager, and modifying them can lead to anything 
-from a segfault to memory corruption that would cause subsequent calls to the dynamic memory manger to behave 
+from a segfault to memory corruption that would cause subsequent calls to the dynamic memory manager to behave 
 erratically, to a possible security vulnerability.
 </p>
 

cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.qll

@@ -51,5 +51,7 @@ predicate tooFewArguments(FunctionCall fc, Function f) {
     hasDefiniteNumberOfParameters(fde)
   |
     fde.getNumberOfParameters() > fc.getNumberOfArguments()
-  )
+  ) and
+  // Don't report on implicit function declarations, as these are likely extraction errors.
+  not f.getADeclarationEntry().isImplicit()
 }

cpp/ql/src/Metrics/Internal/IRConsistency.ql

@@ -40,4 +40,5 @@ select count(Instruction i | IRConsistency::missingOperand(i, _, _, _) | i) as m
   count(Instruction i | IRConsistency::nonUniqueEnclosingIRFunction(i, _, _, _) | i) as nonUniqueEnclosingIRFunction,
   count(FieldAddressInstruction i | IRConsistency::fieldAddressOnNonPointer(i, _, _, _) | i) as fieldAddressOnNonPointer,
   count(Instruction i | IRConsistency::thisArgumentIsNonPointer(i, _, _, _) | i) as thisArgumentIsNonPointer,
-  count(Instruction i | IRConsistency::nonUniqueIRVariable(i, _, _, _) | i) as nonUniqueIRVariable
+  count(Instruction i | IRConsistency::nonUniqueIRVariable(i, _, _, _) | i) as nonUniqueIRVariable,
+  count(Instruction i | IRConsistency::nonBooleanOperand(i, _, _, _) | i) as nonBooleanOperand

cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql

@@ -19,7 +19,6 @@ import semmle.code.cpp.security.Security
 import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 import semmle.code.cpp.ir.IR
 import semmle.code.cpp.ir.dataflow.TaintTracking
-import semmle.code.cpp.ir.dataflow.TaintTracking2
 import semmle.code.cpp.security.FlowSources
 import semmle.code.cpp.models.implementations.Strcat
 import ExecTaint::PathGraph

cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql

@@ -45,7 +45,7 @@ predicate deleteMayThrow(DeleteOrDeleteArrayExpr deleteExpr) {
  * like it might throw an exception, and the function does not have a `noexcept` or `throw()` specifier.
  */
 predicate functionMayThrow(Function f) {
-  not f instanceof NonThrowingFunction and
+  not f instanceof NonCppThrowingFunction and
   (not exists(f.getBlock()) or stmtMayThrow(f.getBlock()))
 }
 

cpp/ql/src/change-notes/released/1.2.7.md

@@ -0,0 +1,3 @@
+## 1.2.7
+
+No user-facing changes.

cpp/ql/src/change-notes/released/1.3.0.md

@@ -0,0 +1,9 @@
+## 1.3.0
+
+### New Queries
+
+* Added a new high-precision quality query, `cpp/guarded-free`, which detects useless NULL pointer checks before calls to `free`. A variation of this query was originally contributed as an [experimental query by @mario-campos](https://github.com/github/codeql/pull/16331).
+
+### Minor Analysis Improvements
+
+* The "Call to function with fewer arguments than declared parameters" query (`cpp/too-few-arguments`) query no longer produces results if the function has been implicitly declared.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.2.6
+lastReleaseVersion: 1.3.0