Post-release preparation

2026-05-29 18:41:27 +02:00 · 2021-12-02 00:22:43 +00:00
495 changed files with 5782 additions and 33876 deletions
--- a/.github/workflows/ruby-dataset-measure.yml
+++ b/.github/workflows/ruby-dataset-measure.yml
@@ -24,7 +24,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        repo: [rails/rails, discourse/discourse, spree/spree, ruby/ruby]
+        repo: [rails/rails, discourse/discourse, spree/spree]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
--- a/cpp/change-notes/2021-11-25-certificate-not-checked.md
+++ b/cpp/change-notes/2021-11-25-certificate-not-checked.md
@@ -1,2 +0,0 @@
-lgtm,codescanning
-* A new query `cpp/certificate-not-checked` has been added for C/C++. The query flags unsafe use of OpenSSL and similar libraries.
--- a/cpp/change-notes/2021-11-25-certificate-result-conflation.md
+++ b/cpp/change-notes/2021-11-25-certificate-result-conflation.md
@@ -1,2 +0,0 @@
-lgtm,codescanning
-* A new query `cpp/certificate-result-conflation` has been added for C/C++. The query flags unsafe use of OpenSSL and similar libraries.
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/internal/ConstantExprs.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/internal/ConstantExprs.qll
@@ -626,9 +626,9 @@ library class ExprEvaluator extends int {
      // All assignments must have the same int value
      result =
        unique(Expr value |
-          value = v.getAnAssignedValue() and not this.ignoreVariableAssignment(e, v, value)
+          value = v.getAnAssignedValue() and not ignoreVariableAssignment(e, v, value)
        |
-          this.getValueInternalNonSubExpr(value)
+          getValueInternalNonSubExpr(value)
        )
    )
  }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowDispatch.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowDispatch.qll
@@ -1,6 +1,4 @@
 private import cpp
-private import semmle.code.cpp.dataflow.internal.DataFlowPrivate
-private import semmle.code.cpp.dataflow.internal.DataFlowUtil

 /**
 * Gets a function that might be called by `call`.
@@ -65,17 +63,3 @@ predicate mayBenefitFromCallContext(Call call, Function f) { none() }
 * restricted to those `call`s for which a context might make a difference.
 */
 Function viableImplInCallContext(Call call, Call ctx) { none() }
-
-/** A parameter position represented by an integer. */
-class ParameterPosition extends int {
-  ParameterPosition() { any(ParameterNode p).isParameterOf(_, this) }
-}
-
-/** An argument position represented by an integer. */
-class ArgumentPosition extends int {
-  ArgumentPosition() { any(ArgumentNode a).argumentOf(_, this) }
-}
-
-/** Holds if arguments at position `apos` match parameters at position `ppos`. */
-pragma[inline]
-predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
  ParamNodeEx() { this.asNode() instanceof ParamNode }

-  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
-    this.asNode().(ParamNode).isParameterOf(c, pos)
+  predicate isParameterOf(DataFlowCallable c, int i) {
+    this.asNode().(ParamNode).isParameterOf(c, i)
  }

-  ParameterPosition getPosition() { this.isParameterOf(_, result) }
+  int getPosition() { this.isParameterOf(_, result) }

  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -1012,9 +1012,6 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

-  bindingset[node, ap]
-  private predicate filter(NodeEx node, Ap ap) { any() }
-
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1023,13 +1020,6 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

-  bindingset[result, apa]
-  private ApApprox unbindApa(ApApprox apa) {
-    exists(ApApprox apa0 |
-      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
-    )
-  }
-
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1052,13 +1042,6 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
-    fwdFlow0(node, cc, argAp, ap, config) and
-    flowCand(node, unbindApa(getApprox(ap)), config) and
-    filter(node, ap)
-  }
-
-  pragma[nomagic]
-  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1129,7 +1112,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1206,7 +1189,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
+      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
    )
  }

@@ -1447,7 +1430,7 @@ private module Stage2 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2142,7 +2125,7 @@ private module Stage3 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2908,7 +2891,7 @@ private module Stage4 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2992,7 +2975,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

-  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }
+  int getParameterPos() { p.isParameterOf(_, result) }

  ParamNodeEx getParamNode() { result = p }

@@ -3639,40 +3622,39 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
 */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
-  AccessPathApprox apa, Configuration config
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
+  Configuration config
 ) {
-  exists(ArgNode arg, ArgumentPosition apos |
+  exists(ArgNode arg |
    arg = mid.getNodeEx().asNode() and
    cc = mid.getCallContext() and
-    arg.argumentOf(call, apos) and
+    arg.argumentOf(call, i) and
    ap = mid.getAp() and
    apa = ap.getApprox() and
-    config = mid.getConfiguration() and
-    parameterMatch(ppos, apos)
+    config = mid.getConfiguration()
  )
 }

 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
  exists(ParamNodeEx p |
    Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, pos)
+    p.isParameterOf(callable, i)
  )
 }

 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
-  DataFlowCall call, AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
+  AccessPath ap, Configuration config
 ) {
  exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
      pragma[only_bind_into](config)) and
    callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
      pragma[only_bind_into](config))
  )
 }
@@ -3687,9 +3669,9 @@ private predicate pathIntoCallable(
  PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
  DataFlowCall call, Configuration config
 ) {
-  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-    p.isParameterOf(callable, pos) and
+  exists(int i, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+    p.isParameterOf(callable, i) and
    (
      sc = TSummaryCtxSome(p, ap)
      or
@@ -3713,7 +3695,7 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
  Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
+  exists(PathNodeMid mid, RetNodeEx ret, int pos |
    mid.getNodeEx() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
@@ -4442,25 +4424,24 @@ private module FlowExploration {

  pragma[noinline]
  private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
-    PartialAccessPath ap, Configuration config
+    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
+    Configuration config
  ) {
-    exists(ArgNode arg, ArgumentPosition apos |
+    exists(ArgNode arg |
      arg = mid.getNodeEx().asNode() and
      cc = mid.getCallContext() and
-      arg.argumentOf(call, apos) and
+      arg.argumentOf(call, i) and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
    DataFlowCall call, PartialAccessPath ap, Configuration config
  ) {
-    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
+    partialPathIntoArg(mid, i, outercc, call, ap, config) and
    callable = resolveCall(call, outercc)
  }

@@ -4469,9 +4450,9 @@ private module FlowExploration {
    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
    Configuration config
  ) {
-    exists(ParameterPosition pos, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-      p.isParameterOf(callable, pos) and
+    exists(int i, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+      p.isParameterOf(callable, i) and
      sc1 = TSummaryCtx1Param(p) and
      sc2 = TSummaryCtx2Some(ap)
    |
@@ -4635,23 +4616,22 @@ private module FlowExploration {

  pragma[nomagic]
  private predicate revPartialPathFlowsThrough(
-    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
-    RevPartialAccessPath ap, Configuration config
+    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
+    Configuration config
  ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
+    exists(PartialPathNodeRev mid, ParamNodeEx p |
      mid.getNodeEx() = p and
-      p.getPosition() = ppos and
+      p.getPosition() = pos and
      sc1 = mid.getSummaryCtx1() and
      sc2 = mid.getSummaryCtx2() and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
    Configuration config
  ) {
    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4664,7 +4644,7 @@ private module FlowExploration {
  private predicate revPartialPathThroughCallable(
    PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
  ) {
-    exists(DataFlowCall call, ArgumentPosition pos |
+    exists(DataFlowCall call, int pos |
      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
      node.asNode().(ArgNode).argumentOf(call, pos)
    )
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
  ParamNodeEx() { this.asNode() instanceof ParamNode }

-  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
-    this.asNode().(ParamNode).isParameterOf(c, pos)
+  predicate isParameterOf(DataFlowCallable c, int i) {
+    this.asNode().(ParamNode).isParameterOf(c, i)
  }

-  ParameterPosition getPosition() { this.isParameterOf(_, result) }
+  int getPosition() { this.isParameterOf(_, result) }

  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -1012,9 +1012,6 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

-  bindingset[node, ap]
-  private predicate filter(NodeEx node, Ap ap) { any() }
-
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1023,13 +1020,6 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

-  bindingset[result, apa]
-  private ApApprox unbindApa(ApApprox apa) {
-    exists(ApApprox apa0 |
-      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
-    )
-  }
-
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1052,13 +1042,6 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
-    fwdFlow0(node, cc, argAp, ap, config) and
-    flowCand(node, unbindApa(getApprox(ap)), config) and
-    filter(node, ap)
-  }
-
-  pragma[nomagic]
-  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1129,7 +1112,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1206,7 +1189,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
+      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
    )
  }

@@ -1447,7 +1430,7 @@ private module Stage2 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2142,7 +2125,7 @@ private module Stage3 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2908,7 +2891,7 @@ private module Stage4 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2992,7 +2975,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

-  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }
+  int getParameterPos() { p.isParameterOf(_, result) }

  ParamNodeEx getParamNode() { result = p }

@@ -3639,40 +3622,39 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
 */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
-  AccessPathApprox apa, Configuration config
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
+  Configuration config
 ) {
-  exists(ArgNode arg, ArgumentPosition apos |
+  exists(ArgNode arg |
    arg = mid.getNodeEx().asNode() and
    cc = mid.getCallContext() and
-    arg.argumentOf(call, apos) and
+    arg.argumentOf(call, i) and
    ap = mid.getAp() and
    apa = ap.getApprox() and
-    config = mid.getConfiguration() and
-    parameterMatch(ppos, apos)
+    config = mid.getConfiguration()
  )
 }

 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
  exists(ParamNodeEx p |
    Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, pos)
+    p.isParameterOf(callable, i)
  )
 }

 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
-  DataFlowCall call, AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
+  AccessPath ap, Configuration config
 ) {
  exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
      pragma[only_bind_into](config)) and
    callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
      pragma[only_bind_into](config))
  )
 }
@@ -3687,9 +3669,9 @@ private predicate pathIntoCallable(
  PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
  DataFlowCall call, Configuration config
 ) {
-  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-    p.isParameterOf(callable, pos) and
+  exists(int i, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+    p.isParameterOf(callable, i) and
    (
      sc = TSummaryCtxSome(p, ap)
      or
@@ -3713,7 +3695,7 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
  Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
+  exists(PathNodeMid mid, RetNodeEx ret, int pos |
    mid.getNodeEx() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
@@ -4442,25 +4424,24 @@ private module FlowExploration {

  pragma[noinline]
  private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
-    PartialAccessPath ap, Configuration config
+    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
+    Configuration config
  ) {
-    exists(ArgNode arg, ArgumentPosition apos |
+    exists(ArgNode arg |
      arg = mid.getNodeEx().asNode() and
      cc = mid.getCallContext() and
-      arg.argumentOf(call, apos) and
+      arg.argumentOf(call, i) and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
    DataFlowCall call, PartialAccessPath ap, Configuration config
  ) {
-    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
+    partialPathIntoArg(mid, i, outercc, call, ap, config) and
    callable = resolveCall(call, outercc)
  }

@@ -4469,9 +4450,9 @@ private module FlowExploration {
    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
    Configuration config
  ) {
-    exists(ParameterPosition pos, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-      p.isParameterOf(callable, pos) and
+    exists(int i, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+      p.isParameterOf(callable, i) and
      sc1 = TSummaryCtx1Param(p) and
      sc2 = TSummaryCtx2Some(ap)
    |
@@ -4635,23 +4616,22 @@ private module FlowExploration {

  pragma[nomagic]
  private predicate revPartialPathFlowsThrough(
-    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
-    RevPartialAccessPath ap, Configuration config
+    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
+    Configuration config
  ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
+    exists(PartialPathNodeRev mid, ParamNodeEx p |
      mid.getNodeEx() = p and
-      p.getPosition() = ppos and
+      p.getPosition() = pos and
      sc1 = mid.getSummaryCtx1() and
      sc2 = mid.getSummaryCtx2() and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
    Configuration config
  ) {
    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4664,7 +4644,7 @@ private module FlowExploration {
  private predicate revPartialPathThroughCallable(
    PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
  ) {
-    exists(DataFlowCall call, ArgumentPosition pos |
+    exists(DataFlowCall call, int pos |
      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
      node.asNode().(ArgNode).argumentOf(call, pos)
    )
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
  ParamNodeEx() { this.asNode() instanceof ParamNode }

-  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
-    this.asNode().(ParamNode).isParameterOf(c, pos)
+  predicate isParameterOf(DataFlowCallable c, int i) {
+    this.asNode().(ParamNode).isParameterOf(c, i)
  }

-  ParameterPosition getPosition() { this.isParameterOf(_, result) }
+  int getPosition() { this.isParameterOf(_, result) }

  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -1012,9 +1012,6 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

-  bindingset[node, ap]
-  private predicate filter(NodeEx node, Ap ap) { any() }
-
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1023,13 +1020,6 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

-  bindingset[result, apa]
-  private ApApprox unbindApa(ApApprox apa) {
-    exists(ApApprox apa0 |
-      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
-    )
-  }
-
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1052,13 +1042,6 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
-    fwdFlow0(node, cc, argAp, ap, config) and
-    flowCand(node, unbindApa(getApprox(ap)), config) and
-    filter(node, ap)
-  }
-
-  pragma[nomagic]
-  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1129,7 +1112,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1206,7 +1189,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
+      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
    )
  }

@@ -1447,7 +1430,7 @@ private module Stage2 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2142,7 +2125,7 @@ private module Stage3 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2908,7 +2891,7 @@ private module Stage4 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2992,7 +2975,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

-  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }
+  int getParameterPos() { p.isParameterOf(_, result) }

  ParamNodeEx getParamNode() { result = p }

@@ -3639,40 +3622,39 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
 */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
-  AccessPathApprox apa, Configuration config
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
+  Configuration config
 ) {
-  exists(ArgNode arg, ArgumentPosition apos |
+  exists(ArgNode arg |
    arg = mid.getNodeEx().asNode() and
    cc = mid.getCallContext() and
-    arg.argumentOf(call, apos) and
+    arg.argumentOf(call, i) and
    ap = mid.getAp() and
    apa = ap.getApprox() and
-    config = mid.getConfiguration() and
-    parameterMatch(ppos, apos)
+    config = mid.getConfiguration()
  )
 }

 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
  exists(ParamNodeEx p |
    Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, pos)
+    p.isParameterOf(callable, i)
  )
 }

 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
-  DataFlowCall call, AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
+  AccessPath ap, Configuration config
 ) {
  exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
      pragma[only_bind_into](config)) and
    callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
      pragma[only_bind_into](config))
  )
 }
@@ -3687,9 +3669,9 @@ private predicate pathIntoCallable(
  PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
  DataFlowCall call, Configuration config
 ) {
-  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-    p.isParameterOf(callable, pos) and
+  exists(int i, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+    p.isParameterOf(callable, i) and
    (
      sc = TSummaryCtxSome(p, ap)
      or
@@ -3713,7 +3695,7 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
  Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
+  exists(PathNodeMid mid, RetNodeEx ret, int pos |
    mid.getNodeEx() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
@@ -4442,25 +4424,24 @@ private module FlowExploration {

  pragma[noinline]
  private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
-    PartialAccessPath ap, Configuration config
+    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
+    Configuration config
  ) {
-    exists(ArgNode arg, ArgumentPosition apos |
+    exists(ArgNode arg |
      arg = mid.getNodeEx().asNode() and
      cc = mid.getCallContext() and
-      arg.argumentOf(call, apos) and
+      arg.argumentOf(call, i) and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
    DataFlowCall call, PartialAccessPath ap, Configuration config
  ) {
-    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
+    partialPathIntoArg(mid, i, outercc, call, ap, config) and
    callable = resolveCall(call, outercc)
  }

@@ -4469,9 +4450,9 @@ private module FlowExploration {
    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
    Configuration config
  ) {
-    exists(ParameterPosition pos, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-      p.isParameterOf(callable, pos) and
+    exists(int i, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+      p.isParameterOf(callable, i) and
      sc1 = TSummaryCtx1Param(p) and
      sc2 = TSummaryCtx2Some(ap)
    |
@@ -4635,23 +4616,22 @@ private module FlowExploration {

  pragma[nomagic]
  private predicate revPartialPathFlowsThrough(
-    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
-    RevPartialAccessPath ap, Configuration config
+    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
+    Configuration config
  ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
+    exists(PartialPathNodeRev mid, ParamNodeEx p |
      mid.getNodeEx() = p and
-      p.getPosition() = ppos and
+      p.getPosition() = pos and
      sc1 = mid.getSummaryCtx1() and
      sc2 = mid.getSummaryCtx2() and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
    Configuration config
  ) {
    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4664,7 +4644,7 @@ private module FlowExploration {
  private predicate revPartialPathThroughCallable(
    PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
  ) {
-    exists(DataFlowCall call, ArgumentPosition pos |
+    exists(DataFlowCall call, int pos |
      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
      node.asNode().(ArgNode).argumentOf(call, pos)
    )
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
  ParamNodeEx() { this.asNode() instanceof ParamNode }

-  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
-    this.asNode().(ParamNode).isParameterOf(c, pos)
+  predicate isParameterOf(DataFlowCallable c, int i) {
+    this.asNode().(ParamNode).isParameterOf(c, i)
  }

-  ParameterPosition getPosition() { this.isParameterOf(_, result) }
+  int getPosition() { this.isParameterOf(_, result) }

  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -1012,9 +1012,6 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

-  bindingset[node, ap]
-  private predicate filter(NodeEx node, Ap ap) { any() }
-
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1023,13 +1020,6 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

-  bindingset[result, apa]
-  private ApApprox unbindApa(ApApprox apa) {
-    exists(ApApprox apa0 |
-      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
-    )
-  }
-
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1052,13 +1042,6 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
-    fwdFlow0(node, cc, argAp, ap, config) and
-    flowCand(node, unbindApa(getApprox(ap)), config) and
-    filter(node, ap)
-  }
-
-  pragma[nomagic]
-  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1129,7 +1112,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1206,7 +1189,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
+      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
    )
  }

@@ -1447,7 +1430,7 @@ private module Stage2 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2142,7 +2125,7 @@ private module Stage3 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2908,7 +2891,7 @@ private module Stage4 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2992,7 +2975,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

-  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }
+  int getParameterPos() { p.isParameterOf(_, result) }

  ParamNodeEx getParamNode() { result = p }

@@ -3639,40 +3622,39 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
 */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
-  AccessPathApprox apa, Configuration config
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
+  Configuration config
 ) {
-  exists(ArgNode arg, ArgumentPosition apos |
+  exists(ArgNode arg |
    arg = mid.getNodeEx().asNode() and
    cc = mid.getCallContext() and
-    arg.argumentOf(call, apos) and
+    arg.argumentOf(call, i) and
    ap = mid.getAp() and
    apa = ap.getApprox() and
-    config = mid.getConfiguration() and
-    parameterMatch(ppos, apos)
+    config = mid.getConfiguration()
  )
 }

 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
  exists(ParamNodeEx p |
    Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, pos)
+    p.isParameterOf(callable, i)
  )
 }

 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
-  DataFlowCall call, AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
+  AccessPath ap, Configuration config
 ) {
  exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
      pragma[only_bind_into](config)) and
    callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
      pragma[only_bind_into](config))
  )
 }
@@ -3687,9 +3669,9 @@ private predicate pathIntoCallable(
  PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
  DataFlowCall call, Configuration config
 ) {
-  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-    p.isParameterOf(callable, pos) and
+  exists(int i, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+    p.isParameterOf(callable, i) and
    (
      sc = TSummaryCtxSome(p, ap)
      or
@@ -3713,7 +3695,7 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
  Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
+  exists(PathNodeMid mid, RetNodeEx ret, int pos |
    mid.getNodeEx() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
@@ -4442,25 +4424,24 @@ private module FlowExploration {

  pragma[noinline]
  private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
-    PartialAccessPath ap, Configuration config
+    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
+    Configuration config
  ) {
-    exists(ArgNode arg, ArgumentPosition apos |
+    exists(ArgNode arg |
      arg = mid.getNodeEx().asNode() and
      cc = mid.getCallContext() and
-      arg.argumentOf(call, apos) and
+      arg.argumentOf(call, i) and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
    DataFlowCall call, PartialAccessPath ap, Configuration config
  ) {
-    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
+    partialPathIntoArg(mid, i, outercc, call, ap, config) and
    callable = resolveCall(call, outercc)
  }

@@ -4469,9 +4450,9 @@ private module FlowExploration {
    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
    Configuration config
  ) {
-    exists(ParameterPosition pos, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-      p.isParameterOf(callable, pos) and
+    exists(int i, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+      p.isParameterOf(callable, i) and
      sc1 = TSummaryCtx1Param(p) and
      sc2 = TSummaryCtx2Some(ap)
    |
@@ -4635,23 +4616,22 @@ private module FlowExploration {

  pragma[nomagic]
  private predicate revPartialPathFlowsThrough(
-    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
-    RevPartialAccessPath ap, Configuration config
+    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
+    Configuration config
  ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
+    exists(PartialPathNodeRev mid, ParamNodeEx p |
      mid.getNodeEx() = p and
-      p.getPosition() = ppos and
+      p.getPosition() = pos and
      sc1 = mid.getSummaryCtx1() and
      sc2 = mid.getSummaryCtx2() and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
    Configuration config
  ) {
    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4664,7 +4644,7 @@ private module FlowExploration {
  private predicate revPartialPathThroughCallable(
    PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
  ) {
-    exists(DataFlowCall call, ArgumentPosition pos |
+    exists(DataFlowCall call, int pos |
      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
      node.asNode().(ArgNode).argumentOf(call, pos)
    )
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
@@ -62,18 +62,6 @@ predicate accessPathCostLimits(int apLimit, int tupleLimit) {
  tupleLimit = 1000
 }

-/**
- * Holds if `arg` is an argument of `call` with an argument position that matches
- * parameter position `ppos`.
- */
-pragma[noinline]
-predicate argumentPositionMatch(DataFlowCall call, ArgNode arg, ParameterPosition ppos) {
-  exists(ArgumentPosition apos |
-    arg.argumentOf(call, apos) and
-    parameterMatch(ppos, apos)
-  )
-}
-
 /**
 * Provides a simple data-flow analysis for resolving lambda calls. The analysis
 * currently excludes read-steps, store-steps, and flow-through.
@@ -83,27 +71,25 @@ predicate argumentPositionMatch(DataFlowCall call, ArgNode arg, ParameterPositio
 * calls. For this reason, we cannot reuse the code from `DataFlowImpl.qll` directly.
 */
 private module LambdaFlow {
-  pragma[noinline]
-  private predicate viableParamNonLambda(DataFlowCall call, ParameterPosition ppos, ParamNode p) {
-    p.isParameterOf(viableCallable(call), ppos)
+  private predicate viableParamNonLambda(DataFlowCall call, int i, ParamNode p) {
+    p.isParameterOf(viableCallable(call), i)
  }

-  pragma[noinline]
-  private predicate viableParamLambda(DataFlowCall call, ParameterPosition ppos, ParamNode p) {
-    p.isParameterOf(viableCallableLambda(call, _), ppos)
+  private predicate viableParamLambda(DataFlowCall call, int i, ParamNode p) {
+    p.isParameterOf(viableCallableLambda(call, _), i)
  }

  private predicate viableParamArgNonLambda(DataFlowCall call, ParamNode p, ArgNode arg) {
-    exists(ParameterPosition ppos |
-      viableParamNonLambda(call, ppos, p) and
-      argumentPositionMatch(call, arg, ppos)
+    exists(int i |
+      viableParamNonLambda(call, i, p) and
+      arg.argumentOf(call, i)
    )
  }

  private predicate viableParamArgLambda(DataFlowCall call, ParamNode p, ArgNode arg) {
-    exists(ParameterPosition ppos |
-      viableParamLambda(call, ppos, p) and
-      argumentPositionMatch(call, arg, ppos)
+    exists(int i |
+      viableParamLambda(call, i, p) and
+      arg.argumentOf(call, i)
    )
  }

@@ -336,7 +322,7 @@ private module Cached {
    or
    exists(ArgNode arg |
      result.(PostUpdateNode).getPreUpdateNode() = arg and
-      arg.argumentOf(call, k.(ParamUpdateReturnKind).getAMatchingArgumentPosition())
+      arg.argumentOf(call, k.(ParamUpdateReturnKind).getPosition())
    )
  }

@@ -344,7 +330,7 @@ private module Cached {
  predicate returnNodeExt(Node n, ReturnKindExt k) {
    k = TValueReturn(n.(ReturnNode).getKind())
    or
-    exists(ParamNode p, ParameterPosition pos |
+    exists(ParamNode p, int pos |
      parameterValueFlowsToPreUpdate(p, n) and
      p.isParameterOf(_, pos) and
      k = TParamUpdate(pos)
@@ -366,13 +352,11 @@ private module Cached {
  }

  cached
-  predicate parameterNode(Node p, DataFlowCallable c, ParameterPosition pos) {
-    isParameterNode(p, c, pos)
-  }
+  predicate parameterNode(Node p, DataFlowCallable c, int pos) { isParameterNode(p, c, pos) }

  cached
-  predicate argumentNode(Node n, DataFlowCall call, ArgumentPosition pos) {
-    isArgumentNode(n, call, pos)
+  predicate argumentNode(Node n, DataFlowCall call, int pos) {
+    n.(ArgumentNode).argumentOf(call, pos)
  }

  /**
@@ -390,12 +374,12 @@ private module Cached {
  }

  /**
-   * Holds if `p` is the parameter of a viable dispatch target of `call`,
-   * and `p` has position `ppos`.
+   * Holds if `p` is the `i`th parameter of a viable dispatch target of `call`.
+   * The instance parameter is considered to have index `-1`.
   */
  pragma[nomagic]
-  private predicate viableParam(DataFlowCall call, ParameterPosition ppos, ParamNode p) {
-    p.isParameterOf(viableCallableExt(call), ppos)
+  private predicate viableParam(DataFlowCall call, int i, ParamNode p) {
+    p.isParameterOf(viableCallableExt(call), i)
  }

  /**
@@ -404,9 +388,9 @@ private module Cached {
   */
  cached
  predicate viableParamArg(DataFlowCall call, ParamNode p, ArgNode arg) {
-    exists(ParameterPosition ppos |
-      viableParam(call, ppos, p) and
-      argumentPositionMatch(call, arg, ppos) and
+    exists(int i |
+      viableParam(call, i, p) and
+      arg.argumentOf(call, i) and
      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p))
    )
  }
@@ -878,7 +862,7 @@ private module Cached {
  cached
  newtype TReturnKindExt =
    TValueReturn(ReturnKind kind) or
-    TParamUpdate(ParameterPosition pos) { exists(ParamNode p | p.isParameterOf(_, pos)) }
+    TParamUpdate(int pos) { exists(ParamNode p | p.isParameterOf(_, pos)) }

  cached
  newtype TBooleanOption =
@@ -1070,9 +1054,9 @@ class ParamNode extends Node {

  /**
   * Holds if this node is the parameter of callable `c` at the specified
-   * position.
+   * (zero-based) position.
   */
-  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { parameterNode(this, c, pos) }
+  predicate isParameterOf(DataFlowCallable c, int i) { parameterNode(this, c, i) }
 }

 /** A data-flow node that represents a call argument. */
@@ -1080,9 +1064,7 @@ class ArgNode extends Node {
  ArgNode() { argumentNode(this, _, _) }

  /** Holds if this argument occurs at the given position in the given call. */
-  final predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
-    argumentNode(this, call, pos)
-  }
+  final predicate argumentOf(DataFlowCall call, int pos) { argumentNode(this, call, pos) }
 }

 /**
@@ -1128,14 +1110,11 @@ class ValueReturnKind extends ReturnKindExt, TValueReturn {
 }

 class ParamUpdateReturnKind extends ReturnKindExt, TParamUpdate {
-  private ParameterPosition pos;
+  private int pos;

  ParamUpdateReturnKind() { this = TParamUpdate(pos) }

-  ParameterPosition getPosition() { result = pos }
-
-  pragma[nomagic]
-  ArgumentPosition getAMatchingArgumentPosition() { parameterMatch(pos, result) }
+  int getPosition() { result = pos }

  override string toString() { result = "param update " + pos }
 }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
  ParamNodeEx() { this.asNode() instanceof ParamNode }

-  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
-    this.asNode().(ParamNode).isParameterOf(c, pos)
+  predicate isParameterOf(DataFlowCallable c, int i) {
+    this.asNode().(ParamNode).isParameterOf(c, i)
  }

-  ParameterPosition getPosition() { this.isParameterOf(_, result) }
+  int getPosition() { this.isParameterOf(_, result) }

  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -1012,9 +1012,6 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

-  bindingset[node, ap]
-  private predicate filter(NodeEx node, Ap ap) { any() }
-
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1023,13 +1020,6 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

-  bindingset[result, apa]
-  private ApApprox unbindApa(ApApprox apa) {
-    exists(ApApprox apa0 |
-      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
-    )
-  }
-
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1052,13 +1042,6 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
-    fwdFlow0(node, cc, argAp, ap, config) and
-    flowCand(node, unbindApa(getApprox(ap)), config) and
-    filter(node, ap)
-  }
-
-  pragma[nomagic]
-  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1129,7 +1112,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1206,7 +1189,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
+      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
    )
  }

@@ -1447,7 +1430,7 @@ private module Stage2 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2142,7 +2125,7 @@ private module Stage3 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2908,7 +2891,7 @@ private module Stage4 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2992,7 +2975,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

-  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }
+  int getParameterPos() { p.isParameterOf(_, result) }

  ParamNodeEx getParamNode() { result = p }

@@ -3639,40 +3622,39 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
 */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
-  AccessPathApprox apa, Configuration config
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
+  Configuration config
 ) {
-  exists(ArgNode arg, ArgumentPosition apos |
+  exists(ArgNode arg |
    arg = mid.getNodeEx().asNode() and
    cc = mid.getCallContext() and
-    arg.argumentOf(call, apos) and
+    arg.argumentOf(call, i) and
    ap = mid.getAp() and
    apa = ap.getApprox() and
-    config = mid.getConfiguration() and
-    parameterMatch(ppos, apos)
+    config = mid.getConfiguration()
  )
 }

 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
  exists(ParamNodeEx p |
    Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, pos)
+    p.isParameterOf(callable, i)
  )
 }

 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
-  DataFlowCall call, AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
+  AccessPath ap, Configuration config
 ) {
  exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
      pragma[only_bind_into](config)) and
    callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
      pragma[only_bind_into](config))
  )
 }
@@ -3687,9 +3669,9 @@ private predicate pathIntoCallable(
  PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
  DataFlowCall call, Configuration config
 ) {
-  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-    p.isParameterOf(callable, pos) and
+  exists(int i, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+    p.isParameterOf(callable, i) and
    (
      sc = TSummaryCtxSome(p, ap)
      or
@@ -3713,7 +3695,7 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
  Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
+  exists(PathNodeMid mid, RetNodeEx ret, int pos |
    mid.getNodeEx() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
@@ -4442,25 +4424,24 @@ private module FlowExploration {

  pragma[noinline]
  private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
-    PartialAccessPath ap, Configuration config
+    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
+    Configuration config
  ) {
-    exists(ArgNode arg, ArgumentPosition apos |
+    exists(ArgNode arg |
      arg = mid.getNodeEx().asNode() and
      cc = mid.getCallContext() and
-      arg.argumentOf(call, apos) and
+      arg.argumentOf(call, i) and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
    DataFlowCall call, PartialAccessPath ap, Configuration config
  ) {
-    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
+    partialPathIntoArg(mid, i, outercc, call, ap, config) and
    callable = resolveCall(call, outercc)
  }

@@ -4469,9 +4450,9 @@ private module FlowExploration {
    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
    Configuration config
  ) {
-    exists(ParameterPosition pos, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-      p.isParameterOf(callable, pos) and
+    exists(int i, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+      p.isParameterOf(callable, i) and
      sc1 = TSummaryCtx1Param(p) and
      sc2 = TSummaryCtx2Some(ap)
    |
@@ -4635,23 +4616,22 @@ private module FlowExploration {

  pragma[nomagic]
  private predicate revPartialPathFlowsThrough(
-    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
-    RevPartialAccessPath ap, Configuration config
+    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
+    Configuration config
  ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
+    exists(PartialPathNodeRev mid, ParamNodeEx p |
      mid.getNodeEx() = p and
-      p.getPosition() = ppos and
+      p.getPosition() = pos and
      sc1 = mid.getSummaryCtx1() and
      sc2 = mid.getSummaryCtx2() and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
    Configuration config
  ) {
    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4664,7 +4644,7 @@ private module FlowExploration {
  private predicate revPartialPathThroughCallable(
    PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
  ) {
-    exists(DataFlowCall call, ArgumentPosition pos |
+    exists(DataFlowCall call, int pos |
      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
      node.asNode().(ArgNode).argumentOf(call, pos)
    )
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll
@@ -8,14 +8,7 @@ private import DataFlowImplConsistency
 DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.getEnclosingCallable() }

 /** Holds if `p` is a `ParameterNode` of `c` with position `pos`. */
-predicate isParameterNode(ParameterNode p, DataFlowCallable c, ParameterPosition pos) {
-  p.isParameterOf(c, pos)
-}
-
-/** Holds if `arg` is an `ArgumentNode` of `c` with position `pos`. */
-predicate isArgumentNode(ArgumentNode arg, DataFlowCall c, ArgumentPosition pos) {
-  arg.argumentOf(c, pos)
-}
+predicate isParameterNode(ParameterNode p, DataFlowCallable c, int pos) { p.isParameterOf(c, pos) }

 /** Gets the instance argument of a non-static call. */
 private Node getInstanceArgument(Call call) {
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
@@ -2,7 +2,6 @@ private import cpp
 private import semmle.code.cpp.ir.IR
 private import semmle.code.cpp.ir.dataflow.DataFlow
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
 private import DataFlowImplCommon as DataFlowImplCommon

 /**
@@ -267,17 +266,3 @@ Function viableImplInCallContext(CallInstruction call, CallInstruction ctx) {
    result = ctx.getArgument(i).getUnconvertedResultExpression().(FunctionAccess).getTarget()
  )
 }
-
-/** A parameter position represented by an integer. */
-class ParameterPosition extends int {
-  ParameterPosition() { any(ParameterNode p).isParameterOf(_, this) }
-}
-
-/** An argument position represented by an integer. */
-class ArgumentPosition extends int {
-  ArgumentPosition() { any(ArgumentNode a).argumentOf(_, this) }
-}
-
-/** Holds if arguments at position `apos` match parameters at position `ppos`. */
-pragma[inline]
-predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
  ParamNodeEx() { this.asNode() instanceof ParamNode }

-  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
-    this.asNode().(ParamNode).isParameterOf(c, pos)
+  predicate isParameterOf(DataFlowCallable c, int i) {
+    this.asNode().(ParamNode).isParameterOf(c, i)
  }

-  ParameterPosition getPosition() { this.isParameterOf(_, result) }
+  int getPosition() { this.isParameterOf(_, result) }

  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -1012,9 +1012,6 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

-  bindingset[node, ap]
-  private predicate filter(NodeEx node, Ap ap) { any() }
-
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1023,13 +1020,6 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

-  bindingset[result, apa]
-  private ApApprox unbindApa(ApApprox apa) {
-    exists(ApApprox apa0 |
-      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
-    )
-  }
-
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1052,13 +1042,6 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
-    fwdFlow0(node, cc, argAp, ap, config) and
-    flowCand(node, unbindApa(getApprox(ap)), config) and
-    filter(node, ap)
-  }
-
-  pragma[nomagic]
-  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1129,7 +1112,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1206,7 +1189,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
+      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
    )
  }

@@ -1447,7 +1430,7 @@ private module Stage2 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2142,7 +2125,7 @@ private module Stage3 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2908,7 +2891,7 @@ private module Stage4 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2992,7 +2975,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

-  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }
+  int getParameterPos() { p.isParameterOf(_, result) }

  ParamNodeEx getParamNode() { result = p }

@@ -3639,40 +3622,39 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
 */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
-  AccessPathApprox apa, Configuration config
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
+  Configuration config
 ) {
-  exists(ArgNode arg, ArgumentPosition apos |
+  exists(ArgNode arg |
    arg = mid.getNodeEx().asNode() and
    cc = mid.getCallContext() and
-    arg.argumentOf(call, apos) and
+    arg.argumentOf(call, i) and
    ap = mid.getAp() and
    apa = ap.getApprox() and
-    config = mid.getConfiguration() and
-    parameterMatch(ppos, apos)
+    config = mid.getConfiguration()
  )
 }

 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
  exists(ParamNodeEx p |
    Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, pos)
+    p.isParameterOf(callable, i)
  )
 }

 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
-  DataFlowCall call, AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
+  AccessPath ap, Configuration config
 ) {
  exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
      pragma[only_bind_into](config)) and
    callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
      pragma[only_bind_into](config))
  )
 }
@@ -3687,9 +3669,9 @@ private predicate pathIntoCallable(
  PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
  DataFlowCall call, Configuration config
 ) {
-  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-    p.isParameterOf(callable, pos) and
+  exists(int i, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+    p.isParameterOf(callable, i) and
    (
      sc = TSummaryCtxSome(p, ap)
      or
@@ -3713,7 +3695,7 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
  Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
+  exists(PathNodeMid mid, RetNodeEx ret, int pos |
    mid.getNodeEx() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
@@ -4442,25 +4424,24 @@ private module FlowExploration {

  pragma[noinline]
  private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
-    PartialAccessPath ap, Configuration config
+    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
+    Configuration config
  ) {
-    exists(ArgNode arg, ArgumentPosition apos |
+    exists(ArgNode arg |
      arg = mid.getNodeEx().asNode() and
      cc = mid.getCallContext() and
-      arg.argumentOf(call, apos) and
+      arg.argumentOf(call, i) and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
    DataFlowCall call, PartialAccessPath ap, Configuration config
  ) {
-    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
+    partialPathIntoArg(mid, i, outercc, call, ap, config) and
    callable = resolveCall(call, outercc)
  }

@@ -4469,9 +4450,9 @@ private module FlowExploration {
    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
    Configuration config
  ) {
-    exists(ParameterPosition pos, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-      p.isParameterOf(callable, pos) and
+    exists(int i, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+      p.isParameterOf(callable, i) and
      sc1 = TSummaryCtx1Param(p) and
      sc2 = TSummaryCtx2Some(ap)
    |
@@ -4635,23 +4616,22 @@ private module FlowExploration {

  pragma[nomagic]
  private predicate revPartialPathFlowsThrough(
-    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
-    RevPartialAccessPath ap, Configuration config
+    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
+    Configuration config
  ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
+    exists(PartialPathNodeRev mid, ParamNodeEx p |
      mid.getNodeEx() = p and
-      p.getPosition() = ppos and
+      p.getPosition() = pos and
      sc1 = mid.getSummaryCtx1() and
      sc2 = mid.getSummaryCtx2() and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
    Configuration config
  ) {
    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4664,7 +4644,7 @@ private module FlowExploration {
  private predicate revPartialPathThroughCallable(
    PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
  ) {
-    exists(DataFlowCall call, ArgumentPosition pos |
+    exists(DataFlowCall call, int pos |
      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
      node.asNode().(ArgNode).argumentOf(call, pos)
    )
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
  ParamNodeEx() { this.asNode() instanceof ParamNode }

-  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
-    this.asNode().(ParamNode).isParameterOf(c, pos)
+  predicate isParameterOf(DataFlowCallable c, int i) {
+    this.asNode().(ParamNode).isParameterOf(c, i)
  }

-  ParameterPosition getPosition() { this.isParameterOf(_, result) }
+  int getPosition() { this.isParameterOf(_, result) }

  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -1012,9 +1012,6 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

-  bindingset[node, ap]
-  private predicate filter(NodeEx node, Ap ap) { any() }
-
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1023,13 +1020,6 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

-  bindingset[result, apa]
-  private ApApprox unbindApa(ApApprox apa) {
-    exists(ApApprox apa0 |
-      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
-    )
-  }
-
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1052,13 +1042,6 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
-    fwdFlow0(node, cc, argAp, ap, config) and
-    flowCand(node, unbindApa(getApprox(ap)), config) and
-    filter(node, ap)
-  }
-
-  pragma[nomagic]
-  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1129,7 +1112,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1206,7 +1189,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
+      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
    )
  }

@@ -1447,7 +1430,7 @@ private module Stage2 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2142,7 +2125,7 @@ private module Stage3 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2908,7 +2891,7 @@ private module Stage4 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2992,7 +2975,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

-  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }
+  int getParameterPos() { p.isParameterOf(_, result) }

  ParamNodeEx getParamNode() { result = p }

@@ -3639,40 +3622,39 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
 */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
-  AccessPathApprox apa, Configuration config
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
+  Configuration config
 ) {
-  exists(ArgNode arg, ArgumentPosition apos |
+  exists(ArgNode arg |
    arg = mid.getNodeEx().asNode() and
    cc = mid.getCallContext() and
-    arg.argumentOf(call, apos) and
+    arg.argumentOf(call, i) and
    ap = mid.getAp() and
    apa = ap.getApprox() and
-    config = mid.getConfiguration() and
-    parameterMatch(ppos, apos)
+    config = mid.getConfiguration()
  )
 }

 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
  exists(ParamNodeEx p |
    Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, pos)
+    p.isParameterOf(callable, i)
  )
 }

 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
-  DataFlowCall call, AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
+  AccessPath ap, Configuration config
 ) {
  exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
      pragma[only_bind_into](config)) and
    callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
      pragma[only_bind_into](config))
  )
 }
@@ -3687,9 +3669,9 @@ private predicate pathIntoCallable(
  PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
  DataFlowCall call, Configuration config
 ) {
-  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-    p.isParameterOf(callable, pos) and
+  exists(int i, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+    p.isParameterOf(callable, i) and
    (
      sc = TSummaryCtxSome(p, ap)
      or
@@ -3713,7 +3695,7 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
  Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
+  exists(PathNodeMid mid, RetNodeEx ret, int pos |
    mid.getNodeEx() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
@@ -4442,25 +4424,24 @@ private module FlowExploration {

  pragma[noinline]
  private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
-    PartialAccessPath ap, Configuration config
+    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
+    Configuration config
  ) {
-    exists(ArgNode arg, ArgumentPosition apos |
+    exists(ArgNode arg |
      arg = mid.getNodeEx().asNode() and
      cc = mid.getCallContext() and
-      arg.argumentOf(call, apos) and
+      arg.argumentOf(call, i) and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
    DataFlowCall call, PartialAccessPath ap, Configuration config
  ) {
-    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
+    partialPathIntoArg(mid, i, outercc, call, ap, config) and
    callable = resolveCall(call, outercc)
  }

@@ -4469,9 +4450,9 @@ private module FlowExploration {
    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
    Configuration config
  ) {
-    exists(ParameterPosition pos, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-      p.isParameterOf(callable, pos) and
+    exists(int i, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+      p.isParameterOf(callable, i) and
      sc1 = TSummaryCtx1Param(p) and
      sc2 = TSummaryCtx2Some(ap)
    |
@@ -4635,23 +4616,22 @@ private module FlowExploration {

  pragma[nomagic]
  private predicate revPartialPathFlowsThrough(
-    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
-    RevPartialAccessPath ap, Configuration config
+    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
+    Configuration config
  ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
+    exists(PartialPathNodeRev mid, ParamNodeEx p |
      mid.getNodeEx() = p and
-      p.getPosition() = ppos and
+      p.getPosition() = pos and
      sc1 = mid.getSummaryCtx1() and
      sc2 = mid.getSummaryCtx2() and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
    Configuration config
  ) {
    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4664,7 +4644,7 @@ private module FlowExploration {
  private predicate revPartialPathThroughCallable(
    PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
  ) {
-    exists(DataFlowCall call, ArgumentPosition pos |
+    exists(DataFlowCall call, int pos |
      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
      node.asNode().(ArgNode).argumentOf(call, pos)
    )
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
  ParamNodeEx() { this.asNode() instanceof ParamNode }

-  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
-    this.asNode().(ParamNode).isParameterOf(c, pos)
+  predicate isParameterOf(DataFlowCallable c, int i) {
+    this.asNode().(ParamNode).isParameterOf(c, i)
  }

-  ParameterPosition getPosition() { this.isParameterOf(_, result) }
+  int getPosition() { this.isParameterOf(_, result) }

  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -1012,9 +1012,6 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

-  bindingset[node, ap]
-  private predicate filter(NodeEx node, Ap ap) { any() }
-
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1023,13 +1020,6 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

-  bindingset[result, apa]
-  private ApApprox unbindApa(ApApprox apa) {
-    exists(ApApprox apa0 |
-      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
-    )
-  }
-
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1052,13 +1042,6 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
-    fwdFlow0(node, cc, argAp, ap, config) and
-    flowCand(node, unbindApa(getApprox(ap)), config) and
-    filter(node, ap)
-  }
-
-  pragma[nomagic]
-  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1129,7 +1112,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1206,7 +1189,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
+      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
    )
  }

@@ -1447,7 +1430,7 @@ private module Stage2 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2142,7 +2125,7 @@ private module Stage3 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2908,7 +2891,7 @@ private module Stage4 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2992,7 +2975,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

-  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }
+  int getParameterPos() { p.isParameterOf(_, result) }

  ParamNodeEx getParamNode() { result = p }

@@ -3639,40 +3622,39 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
 */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
-  AccessPathApprox apa, Configuration config
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
+  Configuration config
 ) {
-  exists(ArgNode arg, ArgumentPosition apos |
+  exists(ArgNode arg |
    arg = mid.getNodeEx().asNode() and
    cc = mid.getCallContext() and
-    arg.argumentOf(call, apos) and
+    arg.argumentOf(call, i) and
    ap = mid.getAp() and
    apa = ap.getApprox() and
-    config = mid.getConfiguration() and
-    parameterMatch(ppos, apos)
+    config = mid.getConfiguration()
  )
 }

 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
  exists(ParamNodeEx p |
    Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, pos)
+    p.isParameterOf(callable, i)
  )
 }

 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
-  DataFlowCall call, AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
+  AccessPath ap, Configuration config
 ) {
  exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
      pragma[only_bind_into](config)) and
    callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
      pragma[only_bind_into](config))
  )
 }
@@ -3687,9 +3669,9 @@ private predicate pathIntoCallable(
  PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
  DataFlowCall call, Configuration config
 ) {
-  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-    p.isParameterOf(callable, pos) and
+  exists(int i, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+    p.isParameterOf(callable, i) and
    (
      sc = TSummaryCtxSome(p, ap)
      or
@@ -3713,7 +3695,7 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
  Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
+  exists(PathNodeMid mid, RetNodeEx ret, int pos |
    mid.getNodeEx() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
@@ -4442,25 +4424,24 @@ private module FlowExploration {

  pragma[noinline]
  private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
-    PartialAccessPath ap, Configuration config
+    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
+    Configuration config
  ) {
-    exists(ArgNode arg, ArgumentPosition apos |
+    exists(ArgNode arg |
      arg = mid.getNodeEx().asNode() and
      cc = mid.getCallContext() and
-      arg.argumentOf(call, apos) and
+      arg.argumentOf(call, i) and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
    DataFlowCall call, PartialAccessPath ap, Configuration config
  ) {
-    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
+    partialPathIntoArg(mid, i, outercc, call, ap, config) and
    callable = resolveCall(call, outercc)
  }

@@ -4469,9 +4450,9 @@ private module FlowExploration {
    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
    Configuration config
  ) {
-    exists(ParameterPosition pos, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-      p.isParameterOf(callable, pos) and
+    exists(int i, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+      p.isParameterOf(callable, i) and
      sc1 = TSummaryCtx1Param(p) and
      sc2 = TSummaryCtx2Some(ap)
    |
@@ -4635,23 +4616,22 @@ private module FlowExploration {

  pragma[nomagic]
  private predicate revPartialPathFlowsThrough(
-    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
-    RevPartialAccessPath ap, Configuration config
+    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
+    Configuration config
  ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
+    exists(PartialPathNodeRev mid, ParamNodeEx p |
      mid.getNodeEx() = p and
-      p.getPosition() = ppos and
+      p.getPosition() = pos and
      sc1 = mid.getSummaryCtx1() and
      sc2 = mid.getSummaryCtx2() and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
    Configuration config
  ) {
    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4664,7 +4644,7 @@ private module FlowExploration {
  private predicate revPartialPathThroughCallable(
    PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
  ) {
-    exists(DataFlowCall call, ArgumentPosition pos |
+    exists(DataFlowCall call, int pos |
      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
      node.asNode().(ArgNode).argumentOf(call, pos)
    )
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
  ParamNodeEx() { this.asNode() instanceof ParamNode }

-  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
-    this.asNode().(ParamNode).isParameterOf(c, pos)
+  predicate isParameterOf(DataFlowCallable c, int i) {
+    this.asNode().(ParamNode).isParameterOf(c, i)
  }

-  ParameterPosition getPosition() { this.isParameterOf(_, result) }
+  int getPosition() { this.isParameterOf(_, result) }

  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -1012,9 +1012,6 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

-  bindingset[node, ap]
-  private predicate filter(NodeEx node, Ap ap) { any() }
-
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1023,13 +1020,6 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

-  bindingset[result, apa]
-  private ApApprox unbindApa(ApApprox apa) {
-    exists(ApApprox apa0 |
-      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
-    )
-  }
-
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1052,13 +1042,6 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
-    fwdFlow0(node, cc, argAp, ap, config) and
-    flowCand(node, unbindApa(getApprox(ap)), config) and
-    filter(node, ap)
-  }
-
-  pragma[nomagic]
-  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1129,7 +1112,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1206,7 +1189,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
+      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
    )
  }

@@ -1447,7 +1430,7 @@ private module Stage2 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2142,7 +2125,7 @@ private module Stage3 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2908,7 +2891,7 @@ private module Stage4 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2992,7 +2975,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

-  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }
+  int getParameterPos() { p.isParameterOf(_, result) }

  ParamNodeEx getParamNode() { result = p }

@@ -3639,40 +3622,39 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
 */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
-  AccessPathApprox apa, Configuration config
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
+  Configuration config
 ) {
-  exists(ArgNode arg, ArgumentPosition apos |
+  exists(ArgNode arg |
    arg = mid.getNodeEx().asNode() and
    cc = mid.getCallContext() and
-    arg.argumentOf(call, apos) and
+    arg.argumentOf(call, i) and
    ap = mid.getAp() and
    apa = ap.getApprox() and
-    config = mid.getConfiguration() and
-    parameterMatch(ppos, apos)
+    config = mid.getConfiguration()
  )
 }

 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
  exists(ParamNodeEx p |
    Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, pos)
+    p.isParameterOf(callable, i)
  )
 }

 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
-  DataFlowCall call, AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
+  AccessPath ap, Configuration config
 ) {
  exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
      pragma[only_bind_into](config)) and
    callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
      pragma[only_bind_into](config))
  )
 }
@@ -3687,9 +3669,9 @@ private predicate pathIntoCallable(
  PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
  DataFlowCall call, Configuration config
 ) {
-  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-    p.isParameterOf(callable, pos) and
+  exists(int i, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+    p.isParameterOf(callable, i) and
    (
      sc = TSummaryCtxSome(p, ap)
      or
@@ -3713,7 +3695,7 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
  Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
+  exists(PathNodeMid mid, RetNodeEx ret, int pos |
    mid.getNodeEx() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
@@ -4442,25 +4424,24 @@ private module FlowExploration {

  pragma[noinline]
  private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
-    PartialAccessPath ap, Configuration config
+    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
+    Configuration config
  ) {
-    exists(ArgNode arg, ArgumentPosition apos |
+    exists(ArgNode arg |
      arg = mid.getNodeEx().asNode() and
      cc = mid.getCallContext() and
-      arg.argumentOf(call, apos) and
+      arg.argumentOf(call, i) and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
    DataFlowCall call, PartialAccessPath ap, Configuration config
  ) {
-    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
+    partialPathIntoArg(mid, i, outercc, call, ap, config) and
    callable = resolveCall(call, outercc)
  }

@@ -4469,9 +4450,9 @@ private module FlowExploration {
    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
    Configuration config
  ) {
-    exists(ParameterPosition pos, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-      p.isParameterOf(callable, pos) and
+    exists(int i, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+      p.isParameterOf(callable, i) and
      sc1 = TSummaryCtx1Param(p) and
      sc2 = TSummaryCtx2Some(ap)
    |
@@ -4635,23 +4616,22 @@ private module FlowExploration {

  pragma[nomagic]
  private predicate revPartialPathFlowsThrough(
-    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
-    RevPartialAccessPath ap, Configuration config
+    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
+    Configuration config
  ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
+    exists(PartialPathNodeRev mid, ParamNodeEx p |
      mid.getNodeEx() = p and
-      p.getPosition() = ppos and
+      p.getPosition() = pos and
      sc1 = mid.getSummaryCtx1() and
      sc2 = mid.getSummaryCtx2() and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
    Configuration config
  ) {
    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4664,7 +4644,7 @@ private module FlowExploration {
  private predicate revPartialPathThroughCallable(
    PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
  ) {
-    exists(DataFlowCall call, ArgumentPosition pos |
+    exists(DataFlowCall call, int pos |
      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
      node.asNode().(ArgNode).argumentOf(call, pos)
    )
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
@@ -62,18 +62,6 @@ predicate accessPathCostLimits(int apLimit, int tupleLimit) {
  tupleLimit = 1000
 }

-/**
- * Holds if `arg` is an argument of `call` with an argument position that matches
- * parameter position `ppos`.
- */
-pragma[noinline]
-predicate argumentPositionMatch(DataFlowCall call, ArgNode arg, ParameterPosition ppos) {
-  exists(ArgumentPosition apos |
-    arg.argumentOf(call, apos) and
-    parameterMatch(ppos, apos)
-  )
-}
-
 /**
 * Provides a simple data-flow analysis for resolving lambda calls. The analysis
 * currently excludes read-steps, store-steps, and flow-through.
@@ -83,27 +71,25 @@ predicate argumentPositionMatch(DataFlowCall call, ArgNode arg, ParameterPositio
 * calls. For this reason, we cannot reuse the code from `DataFlowImpl.qll` directly.
 */
 private module LambdaFlow {
-  pragma[noinline]
-  private predicate viableParamNonLambda(DataFlowCall call, ParameterPosition ppos, ParamNode p) {
-    p.isParameterOf(viableCallable(call), ppos)
+  private predicate viableParamNonLambda(DataFlowCall call, int i, ParamNode p) {
+    p.isParameterOf(viableCallable(call), i)
  }

-  pragma[noinline]
-  private predicate viableParamLambda(DataFlowCall call, ParameterPosition ppos, ParamNode p) {
-    p.isParameterOf(viableCallableLambda(call, _), ppos)
+  private predicate viableParamLambda(DataFlowCall call, int i, ParamNode p) {
+    p.isParameterOf(viableCallableLambda(call, _), i)
  }

  private predicate viableParamArgNonLambda(DataFlowCall call, ParamNode p, ArgNode arg) {
-    exists(ParameterPosition ppos |
-      viableParamNonLambda(call, ppos, p) and
-      argumentPositionMatch(call, arg, ppos)
+    exists(int i |
+      viableParamNonLambda(call, i, p) and
+      arg.argumentOf(call, i)
    )
  }

  private predicate viableParamArgLambda(DataFlowCall call, ParamNode p, ArgNode arg) {
-    exists(ParameterPosition ppos |
-      viableParamLambda(call, ppos, p) and
-      argumentPositionMatch(call, arg, ppos)
+    exists(int i |
+      viableParamLambda(call, i, p) and
+      arg.argumentOf(call, i)
    )
  }

@@ -336,7 +322,7 @@ private module Cached {
    or
    exists(ArgNode arg |
      result.(PostUpdateNode).getPreUpdateNode() = arg and
-      arg.argumentOf(call, k.(ParamUpdateReturnKind).getAMatchingArgumentPosition())
+      arg.argumentOf(call, k.(ParamUpdateReturnKind).getPosition())
    )
  }

@@ -344,7 +330,7 @@ private module Cached {
  predicate returnNodeExt(Node n, ReturnKindExt k) {
    k = TValueReturn(n.(ReturnNode).getKind())
    or
-    exists(ParamNode p, ParameterPosition pos |
+    exists(ParamNode p, int pos |
      parameterValueFlowsToPreUpdate(p, n) and
      p.isParameterOf(_, pos) and
      k = TParamUpdate(pos)
@@ -366,13 +352,11 @@ private module Cached {
  }

  cached
-  predicate parameterNode(Node p, DataFlowCallable c, ParameterPosition pos) {
-    isParameterNode(p, c, pos)
-  }
+  predicate parameterNode(Node p, DataFlowCallable c, int pos) { isParameterNode(p, c, pos) }

  cached
-  predicate argumentNode(Node n, DataFlowCall call, ArgumentPosition pos) {
-    isArgumentNode(n, call, pos)
+  predicate argumentNode(Node n, DataFlowCall call, int pos) {
+    n.(ArgumentNode).argumentOf(call, pos)
  }

  /**
@@ -390,12 +374,12 @@ private module Cached {
  }

  /**
-   * Holds if `p` is the parameter of a viable dispatch target of `call`,
-   * and `p` has position `ppos`.
+   * Holds if `p` is the `i`th parameter of a viable dispatch target of `call`.
+   * The instance parameter is considered to have index `-1`.
   */
  pragma[nomagic]
-  private predicate viableParam(DataFlowCall call, ParameterPosition ppos, ParamNode p) {
-    p.isParameterOf(viableCallableExt(call), ppos)
+  private predicate viableParam(DataFlowCall call, int i, ParamNode p) {
+    p.isParameterOf(viableCallableExt(call), i)
  }

  /**
@@ -404,9 +388,9 @@ private module Cached {
   */
  cached
  predicate viableParamArg(DataFlowCall call, ParamNode p, ArgNode arg) {
-    exists(ParameterPosition ppos |
-      viableParam(call, ppos, p) and
-      argumentPositionMatch(call, arg, ppos) and
+    exists(int i |
+      viableParam(call, i, p) and
+      arg.argumentOf(call, i) and
      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p))
    )
  }
@@ -878,7 +862,7 @@ private module Cached {
  cached
  newtype TReturnKindExt =
    TValueReturn(ReturnKind kind) or
-    TParamUpdate(ParameterPosition pos) { exists(ParamNode p | p.isParameterOf(_, pos)) }
+    TParamUpdate(int pos) { exists(ParamNode p | p.isParameterOf(_, pos)) }

  cached
  newtype TBooleanOption =
@@ -1070,9 +1054,9 @@ class ParamNode extends Node {

  /**
   * Holds if this node is the parameter of callable `c` at the specified
-   * position.
+   * (zero-based) position.
   */
-  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { parameterNode(this, c, pos) }
+  predicate isParameterOf(DataFlowCallable c, int i) { parameterNode(this, c, i) }
 }

 /** A data-flow node that represents a call argument. */
@@ -1080,9 +1064,7 @@ class ArgNode extends Node {
  ArgNode() { argumentNode(this, _, _) }

  /** Holds if this argument occurs at the given position in the given call. */
-  final predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
-    argumentNode(this, call, pos)
-  }
+  final predicate argumentOf(DataFlowCall call, int pos) { argumentNode(this, call, pos) }
 }

 /**
@@ -1128,14 +1110,11 @@ class ValueReturnKind extends ReturnKindExt, TValueReturn {
 }

 class ParamUpdateReturnKind extends ReturnKindExt, TParamUpdate {
-  private ParameterPosition pos;
+  private int pos;

  ParamUpdateReturnKind() { this = TParamUpdate(pos) }

-  ParameterPosition getPosition() { result = pos }
-
-  pragma[nomagic]
-  ArgumentPosition getAMatchingArgumentPosition() { parameterMatch(pos, result) }
+  int getPosition() { result = pos }

  override string toString() { result = "param update " + pos }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -8,14 +8,7 @@ private import DataFlowImplConsistency
 DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.getEnclosingCallable() }

 /** Holds if `p` is a `ParameterNode` of `c` with position `pos`. */
-predicate isParameterNode(ParameterNode p, DataFlowCallable c, ParameterPosition pos) {
-  p.isParameterOf(c, pos)
-}
-
-/** Holds if `arg` is an `ArgumentNode` of `c` with position `pos`. */
-predicate isArgumentNode(ArgumentNode arg, DataFlowCall c, ArgumentPosition pos) {
-  arg.argumentOf(c, pos)
-}
+predicate isParameterNode(ParameterNode p, DataFlowCallable c, int pos) { p.isParameterOf(c, pos) }

 /**
 * A data flow node that occurs as the argument of a call and is passed as-is
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -452,7 +452,7 @@ class SsaPhiNode extends Node, TSsaPhiNode {

  /** Holds if this phi node has input from the `rnk`'th write operation in block `block`. */
  final predicate hasInputAtRankInBlock(IRBlock block, int rnk) {
-    this.hasInputAtRankInBlock(block, rnk, _)
+    hasInputAtRankInBlock(block, rnk, _)
  }

  /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll
@@ -307,7 +307,7 @@ class NonPhiMemoryOperand extends NonPhiOperand, MemoryOperand, TNonPhiMemoryOpe
  final override string toString() { result = tag.toString() }

  final override Instruction getAnyDef() {
-    result = unique(Instruction defInstr | this.hasDefinition(defInstr, _))
+    result = unique(Instruction defInstr | hasDefinition(defInstr, _))
  }

  final override Overlap getDefinitionOverlap() { this.hasDefinition(_, result) }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Operand.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Operand.qll
@@ -307,7 +307,7 @@ class NonPhiMemoryOperand extends NonPhiOperand, MemoryOperand, TNonPhiMemoryOpe
  final override string toString() { result = tag.toString() }

  final override Instruction getAnyDef() {
-    result = unique(Instruction defInstr | this.hasDefinition(defInstr, _))
+    result = unique(Instruction defInstr | hasDefinition(defInstr, _))
  }

  final override Overlap getDefinitionOverlap() { this.hasDefinition(_, result) }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll
@@ -307,7 +307,7 @@ class NonPhiMemoryOperand extends NonPhiOperand, MemoryOperand, TNonPhiMemoryOpe
  final override string toString() { result = tag.toString() }

  final override Instruction getAnyDef() {
-    result = unique(Instruction defInstr | this.hasDefinition(defInstr, _))
+    result = unique(Instruction defInstr | hasDefinition(defInstr, _))
  }

  final override Overlap getDefinitionOverlap() { this.hasDefinition(_, result) }
--- a/cpp/ql/src/AlertSuppression.ql
+++ b/cpp/ql/src/AlertSuppression.ql
@@ -18,12 +18,12 @@ class SuppressionComment extends Comment {
    (
      this instanceof CppStyleComment and
      // strip the beginning slashes
-      text = this.getContents().suffix(2)
+      text = getContents().suffix(2)
      or
      this instanceof CStyleComment and
      // strip both the beginning /* and the end */ the comment
      exists(string text0 |
-        text0 = this.getContents().suffix(2) and
+        text0 = getContents().suffix(2) and
        text = text0.prefix(text0.length() - 2)
      ) and
      // The /* */ comment must be a single-line comment
--- a/Opportunities/ClassesWithManyFields.ql
+++ b/Opportunities/ClassesWithManyFields.ql
@@ -153,12 +153,12 @@ class ExtClass extends Class {
  }

  predicate hasLocationInfo(string path, int startline, int startcol, int endline, int endcol) {
-    if this.hasOneVariableGroup()
+    if hasOneVariableGroup()
    then
      exists(VariableDeclarationGroup vdg | vdg.getClass() = this |
        vdg.hasLocationInfo(path, startline, startcol, endline, endcol)
      )
-    else this.getLocation().hasLocationInfo(path, startline, startcol, endline, endcol)
+    else getLocation().hasLocationInfo(path, startline, startcol, endline, endcol)
  }
 }

--- a/Entities/UnusedStaticFunctions.ql
+++ b/Entities/UnusedStaticFunctions.ql
@@ -50,16 +50,6 @@ predicate reachableThing(Thing t) {
  exists(Thing mid | reachableThing(mid) and mid.callsOrAccesses() = t)
 }

-pragma[nomagic]
-predicate callsOrAccessesPlus(Thing thing1, FunctionToRemove thing2) {
-  thing1.callsOrAccesses() = thing2
-  or
-  exists(Thing mid |
-    thing1.callsOrAccesses() = mid and
-    callsOrAccessesPlus(mid, thing2)
-  )
-}
-
 class Thing extends Locatable {
  Thing() {
    this instanceof Function or
@@ -91,7 +81,7 @@ class FunctionToRemove extends Function {
  }

  Thing getOther() {
-    callsOrAccessesPlus(result, this) and
+    result.callsOrAccesses+() = this and
    this != result and
    // We will already be reporting the enclosing function of a
    // local variable, so don't also report the variable
--- a/cpp/ql/src/Critical/OverflowStatic.ql
+++ b/cpp/ql/src/Critical/OverflowStatic.ql
@@ -103,9 +103,9 @@ class CallWithBufferSize extends FunctionCall {
    // `upperBound(e)` defaults to `exprMaxVal(e)` when `e` isn't analyzable. So to get a meaningful
    // result in this case we pick the minimum value obtainable from dataflow and range analysis.
    result =
-      upperBound(this.statedSizeExpr())
+      upperBound(statedSizeExpr())
          .minimum(min(Expr statedSizeSrc |
-              DataFlow::localExprFlow(statedSizeSrc, this.statedSizeExpr())
+              DataFlow::localExprFlow(statedSizeSrc, statedSizeExpr())
            |
              statedSizeSrc.getValue().toInt()
            ))
--- a/cpp/ql/src/JPL_C/LOC-2/Rule
+++ b/cpp/ql/src/JPL_C/LOC-2/Rule
@@ -22,7 +22,7 @@ abstract class LockOperation extends FunctionCall {
  ControlFlowNode getAReachedNode() {
    result = this
    or
-    exists(ControlFlowNode mid | mid = this.getAReachedNode() |
+    exists(ControlFlowNode mid | mid = getAReachedNode() |
      not mid != this.getMatchingUnlock() and
      result = mid.getASuccessor()
    )
--- a/Year/LeapYear.qll
+++ b/Year/LeapYear.qll
@@ -156,8 +156,8 @@ abstract class LeapYearFieldAccess extends YearFieldAccess {
    //
    // https://aa.usno.navy.mil/faq/docs/calendars.php
    this.isUsedInMod4Operation() and
-    this.additionalModulusCheckForLeapYear(400) and
-    this.additionalModulusCheckForLeapYear(100)
+    additionalModulusCheckForLeapYear(400) and
+    additionalModulusCheckForLeapYear(100)
  }
 }

@@ -176,17 +176,17 @@ class StructTmLeapYearFieldAccess extends LeapYearFieldAccess {

  override predicate isUsedInCorrectLeapYearCheck() {
    this.isUsedInMod4Operation() and
-    this.additionalModulusCheckForLeapYear(400) and
-    this.additionalModulusCheckForLeapYear(100) and
+    additionalModulusCheckForLeapYear(400) and
+    additionalModulusCheckForLeapYear(100) and
    // tm_year represents years since 1900
    (
-      this.additionalAdditionOrSubstractionCheckForLeapYear(1900)
+      additionalAdditionOrSubstractionCheckForLeapYear(1900)
      or
      // some systems may use 2000 for 2-digit year conversions
-      this.additionalAdditionOrSubstractionCheckForLeapYear(2000)
+      additionalAdditionOrSubstractionCheckForLeapYear(2000)
      or
      // converting from/to Unix epoch
-      this.additionalAdditionOrSubstractionCheckForLeapYear(1970)
+      additionalAdditionOrSubstractionCheckForLeapYear(1970)
    )
  }
 }
--- a/Management/AllocaInLoop.ql
+++ b/Management/AllocaInLoop.ql
@@ -57,7 +57,7 @@ class LoopWithAlloca extends Stmt {
    or
    // `e == 0`
    exists(EQExpr eq |
-      this.conditionRequires(eq, truth.booleanNot()) and
+      conditionRequires(eq, truth.booleanNot()) and
      eq.getAnOperand().getValue().toInt() = 0 and
      e = eq.getAnOperand() and
      not exists(e.getValue())
@@ -65,7 +65,7 @@ class LoopWithAlloca extends Stmt {
    or
    // `e != 0`
    exists(NEExpr eq |
-      this.conditionRequires(eq, truth) and
+      conditionRequires(eq, truth) and
      eq.getAnOperand().getValue().toInt() = 0 and
      e = eq.getAnOperand() and
      not exists(e.getValue())
@@ -73,7 +73,7 @@ class LoopWithAlloca extends Stmt {
    or
    // `(bool)e == true`
    exists(EQExpr eq |
-      this.conditionRequires(eq, truth) and
+      conditionRequires(eq, truth) and
      eq.getAnOperand().getValue().toInt() = 1 and
      e = eq.getAnOperand() and
      e.getUnspecifiedType() instanceof BoolType and
@@ -82,7 +82,7 @@ class LoopWithAlloca extends Stmt {
    or
    // `(bool)e != true`
    exists(NEExpr eq |
-      this.conditionRequires(eq, truth.booleanNot()) and
+      conditionRequires(eq, truth.booleanNot()) and
      eq.getAnOperand().getValue().toInt() = 1 and
      e = eq.getAnOperand() and
      e.getUnspecifiedType() instanceof BoolType and
@@ -90,7 +90,7 @@ class LoopWithAlloca extends Stmt {
    )
    or
    exists(NotExpr notExpr |
-      this.conditionRequires(notExpr, truth.booleanNot()) and
+      conditionRequires(notExpr, truth.booleanNot()) and
      e = notExpr.getOperand()
    )
    or
@@ -98,7 +98,7 @@ class LoopWithAlloca extends Stmt {
    // requires both of its operand to be true as well.
    exists(LogicalAndExpr andExpr |
      truth = true and
-      this.conditionRequires(andExpr, truth) and
+      conditionRequires(andExpr, truth) and
      e = andExpr.getAnOperand()
    )
    or
@@ -106,7 +106,7 @@ class LoopWithAlloca extends Stmt {
    // it requires both of its operand to be false as well.
    exists(LogicalOrExpr orExpr |
      truth = false and
-      this.conditionRequires(orExpr, truth) and
+      conditionRequires(orExpr, truth) and
      e = orExpr.getAnOperand()
    )
  }
@@ -141,9 +141,9 @@ class LoopWithAlloca extends Stmt {
   * `conditionRequiresInequality`.
   */
  private Variable getAControllingVariable() {
-    this.conditionRequires(result.getAnAccess(), _)
+    conditionRequires(result.getAnAccess(), _)
    or
-    this.conditionRequiresInequality(result.getAnAccess(), _, _)
+    conditionRequiresInequality(result.getAnAccess(), _, _)
  }

  /**
--- a/Management/NtohlArrayNoBound.qll
+++ b/Management/NtohlArrayNoBound.qll
@@ -61,72 +61,72 @@ class PointerArithmeticAccess extends BufferAccess, Expr {
 * A pair of buffer accesses through a call to memcpy.
 */
 class MemCpy extends BufferAccess, FunctionCall {
-  MemCpy() { this.getTarget().hasName("memcpy") }
+  MemCpy() { getTarget().hasName("memcpy") }

  override Expr getPointer() {
-    result = this.getArgument(0) or
-    result = this.getArgument(1)
+    result = getArgument(0) or
+    result = getArgument(1)
  }

-  override Expr getAccessedLength() { result = this.getArgument(2) }
+  override Expr getAccessedLength() { result = getArgument(2) }
 }

 class StrncpySizeExpr extends BufferAccess, FunctionCall {
-  StrncpySizeExpr() { this.getTarget().hasName("strncpy") }
+  StrncpySizeExpr() { getTarget().hasName("strncpy") }

  override Expr getPointer() {
-    result = this.getArgument(0) or
-    result = this.getArgument(1)
+    result = getArgument(0) or
+    result = getArgument(1)
  }

-  override Expr getAccessedLength() { result = this.getArgument(2) }
+  override Expr getAccessedLength() { result = getArgument(2) }
 }

 class RecvSizeExpr extends BufferAccess, FunctionCall {
-  RecvSizeExpr() { this.getTarget().hasName("recv") }
+  RecvSizeExpr() { getTarget().hasName("recv") }

-  override Expr getPointer() { result = this.getArgument(1) }
+  override Expr getPointer() { result = getArgument(1) }

-  override Expr getAccessedLength() { result = this.getArgument(2) }
+  override Expr getAccessedLength() { result = getArgument(2) }
 }

 class SendSizeExpr extends BufferAccess, FunctionCall {
-  SendSizeExpr() { this.getTarget().hasName("send") }
+  SendSizeExpr() { getTarget().hasName("send") }

-  override Expr getPointer() { result = this.getArgument(1) }
+  override Expr getPointer() { result = getArgument(1) }

-  override Expr getAccessedLength() { result = this.getArgument(2) }
+  override Expr getAccessedLength() { result = getArgument(2) }
 }

 class SnprintfSizeExpr extends BufferAccess, FunctionCall {
-  SnprintfSizeExpr() { this.getTarget().hasName("snprintf") }
+  SnprintfSizeExpr() { getTarget().hasName("snprintf") }

-  override Expr getPointer() { result = this.getArgument(0) }
+  override Expr getPointer() { result = getArgument(0) }

-  override Expr getAccessedLength() { result = this.getArgument(1) }
+  override Expr getAccessedLength() { result = getArgument(1) }
 }

 class MemcmpSizeExpr extends BufferAccess, FunctionCall {
-  MemcmpSizeExpr() { this.getTarget().hasName("Memcmp") }
+  MemcmpSizeExpr() { getTarget().hasName("Memcmp") }

  override Expr getPointer() {
-    result = this.getArgument(0) or
-    result = this.getArgument(1)
+    result = getArgument(0) or
+    result = getArgument(1)
  }

-  override Expr getAccessedLength() { result = this.getArgument(2) }
+  override Expr getAccessedLength() { result = getArgument(2) }
 }

 class MallocSizeExpr extends BufferAccess, FunctionCall {
-  MallocSizeExpr() { this.getTarget().hasName("malloc") }
+  MallocSizeExpr() { getTarget().hasName("malloc") }

  override Expr getPointer() { none() }

-  override Expr getAccessedLength() { result = this.getArgument(0) }
+  override Expr getAccessedLength() { result = getArgument(0) }
 }

 class NetworkFunctionCall extends FunctionCall {
-  NetworkFunctionCall() { this.getTarget().hasName(["ntohd", "ntohf", "ntohl", "ntohll", "ntohs"]) }
+  NetworkFunctionCall() { getTarget().hasName(["ntohd", "ntohf", "ntohl", "ntohll", "ntohs"]) }
 }

 class NetworkToBufferSizeConfiguration extends DataFlow::Configuration {
--- a/Bugs/Protocols/TlsSettingsMisconfiguration.ql
+++ b/Bugs/Protocols/TlsSettingsMisconfiguration.ql
@@ -3,10 +3,8 @@
 * @description Using the TLS or SSLv23 protocol from the boost::asio library, but not disabling deprecated protocols, or disabling minimum-recommended protocols.
 * @kind problem
 * @problem.severity error
- * @security-severity 7.5
 * @id cpp/boost/tls-settings-misconfiguration
 * @tags security
- *       external/cwe/cwe-326
 */

 import cpp
--- a/Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql
+++ b/Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql
@@ -3,10 +3,8 @@
 * @description Using a deprecated hard-coded protocol using the boost::asio library.
 * @kind problem
 * @problem.severity error
- * @security-severity 7.5
 * @id cpp/boost/use-of-deprecated-hardcoded-security-protocol
 * @tags security
- *       external/cwe/cwe-327
 */

 import cpp
--- a/4/FunctionTooLong.ql
+++ b/4/FunctionTooLong.ql
@@ -13,7 +13,7 @@ import cpp

 class MacroFunctionCall extends MacroInvocation {
  MacroFunctionCall() {
-    not exists(this.getParentInvocation()) and
+    not exists(getParentInvocation()) and
    this.getMacro().getHead().matches("%(%")
  }

--- a/5/AssertionDensity.ql
+++ b/5/AssertionDensity.ql
@@ -13,7 +13,7 @@ import semmle.code.cpp.commons.Assertions

 class MacroFunctionCall extends MacroInvocation {
  MacroFunctionCall() {
-    not exists(this.getParentInvocation()) and
+    not exists(getParentInvocation()) and
    this.getMacro().getHead().matches("%(%")
  }

--- a/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll
+++ b/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll
@@ -38,7 +38,7 @@ class ExternalAPIDataNode extends DataFlow::Node {
  int getIndex() { result = i }

  /** Gets the description of the function being called. */
-  string getFunctionDescription() { result = this.getExternalFunction().toString() }
+  string getFunctionDescription() { result = getExternalFunction().toString() }
 }

 /** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalAPIDataNode`s. */
--- a/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIsSpecific.qll
+++ b/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIsSpecific.qll
@@ -38,7 +38,7 @@ class ExternalAPIDataNode extends DataFlow::Node {
  int getIndex() { result = i }

  /** Gets the description of the function being called. */
-  string getFunctionDescription() { result = this.getExternalFunction().toString() }
+  string getFunctionDescription() { result = getExternalFunction().toString() }
 }

 /** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalAPIDataNode`s. */
--- a/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
+++ b/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
@@ -42,7 +42,7 @@ class VarargsFunction extends Function {
  }

  private int trailingArgValueCount(string value) {
-    result = strictcount(FunctionCall fc | this.trailingArgValue(fc) = value)
+    result = strictcount(FunctionCall fc | trailingArgValue(fc) = value)
  }

  string nonTrailingVarArgValue(FunctionCall fc, int index) {
@@ -58,11 +58,11 @@ class VarargsFunction extends Function {

  string normalTerminator(int cnt) {
    result = ["0", "-1"] and
-    cnt = this.trailingArgValueCount(result) and
-    2 * cnt > this.totalCount() and
+    cnt = trailingArgValueCount(result) and
+    2 * cnt > totalCount() and
    not exists(FunctionCall fc, int index |
      // terminator value is used in a non-terminating position
-      this.nonTrailingVarArgValue(fc, index) = result
+      nonTrailingVarArgValue(fc, index) = result
    )
  }

--- a/cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql
@@ -42,7 +42,7 @@ class TaintSource extends VariableAccess {
    definitionUsePair(_, this, va)
    or
    exists(VariableAccess mid, Expr def |
-      this.sourceReaches(mid) and
+      sourceReaches(mid) and
      exprDefinition(_, def, mid) and
      definitionUsePair(_, def, va)
    )
@@ -53,11 +53,11 @@ class TaintSource extends VariableAccess {
   * from `va`, possibly using intermediate reassignments.
   */
  private predicate reachesSink(VariableAccess va, VariableAccess sink) {
-    this.isSink(sink) and
+    isSink(sink) and
    va = sink
    or
    exists(VariableAccess mid, Expr def |
-      this.reachesSink(mid, sink) and
+      reachesSink(mid, sink) and
      exprDefinition(_, def, va) and
      definitionUsePair(_, def, mid)
    )
@@ -71,15 +71,15 @@ class TaintSource extends VariableAccess {
   * this source to `sink` found via `tainted(source, sink)`.)
   */
  predicate reaches(VariableAccess sink) {
-    this.isSink(sink) and
+    isSink(sink) and
    not exists(VariableAccess va |
      va != this and
      va != sink and
      mayAddNullTerminator(_, va)
    |
-      this.sourceReaches(va)
+      sourceReaches(va)
      or
-      this.reachesSink(va, sink)
+      reachesSink(va, sink)
    )
  }
 }
--- a/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.qhelp
+++ b/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.qhelp
@@ -1,28 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<overview>
-<p>When checking the result of SSL certificate verification, accepting any error code may allow an attacker to impersonate someone who is trusted.</p>
-
-</overview>
-<recommendation>
-
-<p>When checking an SSL certificate with <code>SSL_get_verify_result</code>, only <code>X509_V_OK</code> is a success code. If there is any other result the certificate should not be accepted.</p>
-
-</recommendation>
-<example>
-
-<p>In this example the error code <code>X509_V_ERR_CERT_HAS_EXPIRED</code> is treated the same as an OK result. An expired certificate should not be accepted as it is more likely to be compromised than a valid certificate.</p>
-
-<sample src="SSLResultConflationBad.cpp" />
-
-<p>In the corrected example, only a result of <code>X509_V_OK</code> is accepted.</p>
-
-<sample src="SSLResultConflationGood.cpp" />
-
-</example>
-<references>
-
-</references>
-</qhelp>
--- a/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql
+++ b/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql
@@ -1,50 +0,0 @@
-/**
- * @name Certificate result conflation
- * @description Only accept SSL certificates that pass certificate verification.
- * @kind problem
- * @problem.severity error
- * @security-severity 7.5
- * @precision medium
- * @id cpp/certificate-result-conflation
- * @tags security
- *       external/cwe/cwe-295
- */
-
-import cpp
-import semmle.code.cpp.controlflow.Guards
-import semmle.code.cpp.dataflow.DataFlow
-
-/**
- * A call to `SSL_get_verify_result`.
- */
-class SSLGetVerifyResultCall extends FunctionCall {
-  SSLGetVerifyResultCall() { getTarget().getName() = "SSL_get_verify_result" }
-}
-
-/**
- * Data flow from a call to `SSL_get_verify_result` to a guard condition
- * that references the result.
- */
-class VerifyResultConfig extends DataFlow::Configuration {
-  VerifyResultConfig() { this = "VerifyResultConfig" }
-
-  override predicate isSource(DataFlow::Node source) {
-    source.asExpr() instanceof SSLGetVerifyResultCall
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    exists(GuardCondition guard | guard.getAChild*() = sink.asExpr())
-  }
-}
-
-from
-  VerifyResultConfig config, DataFlow::Node source, DataFlow::Node sink1, DataFlow::Node sink2,
-  GuardCondition guard, Expr c1, Expr c2, boolean testIsTrue
-where
-  config.hasFlow(source, sink1) and
-  config.hasFlow(source, sink2) and
-  guard.comparesEq(sink1.asExpr(), c1, 0, false, testIsTrue) and // (value != c1) => testIsTrue
-  guard.comparesEq(sink2.asExpr(), c2, 0, false, testIsTrue) and // (value != c2) => testIsTrue
-  c1.getValue().toInt() = 0 and
-  c2.getValue().toInt() != 0
-select guard, "This expression conflates OK and non-OK results from $@.", source, source.toString()
--- a/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflationBad.cpp
+++ b/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflationBad.cpp
@@ -1,13 +0,0 @@
-// ...
-
-if (cert = SSL_get_peer_certificate(ssl))
-{
-	result = SSL_get_verify_result(ssl);
-
-	if ((result == X509_V_OK) || (result == X509_V_ERR_CERT_HAS_EXPIRED)) // BAD (conflates OK and a non-OK codes)
-	{
-		do_ok();
-	} else {
-		do_error();
-	}
-}
--- a/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflationGood.cpp
+++ b/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflationGood.cpp
@@ -1,13 +0,0 @@
-// ...
-
-if (cert = SSL_get_peer_certificate(ssl))
-{
-	result = SSL_get_verify_result(ssl);
-
-	if (result == X509_V_OK) // GOOD
-	{
-		do_ok();
-	} else {
-		do_error();
-	}
-}
--- a/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.qhelp
+++ b/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.qhelp
@@ -1,28 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<overview>
-<p>After fetching an SSL certificate, always check the result of certificate verification.</p>
-
-</overview>
-<recommendation>
-
-<p>Always check the result of SSL certificate verification. A certificate that has been revoked may indicate that data is coming from an attacker, whereas a certificate that has expired or was self-signed may indicate an increased likelihood that the data is malicious.</p>
-
-</recommendation>
-<example>
-
-<p>In this example, the <code>SSL_get_peer_certificate</code> function is used to get the certificate of a peer. However it is unsafe to use that information without checking if the certificate is valid.</p>
-
-<sample src="SSLResultNotCheckedBad.cpp" />
-
-<p>In the corrected example, we use <code>SSL_get_verify_result</code> to check that certificate verification was successful.</p>
-
-<sample src="SSLResultNotCheckedGood.cpp" />
-
-</example>
-<references>
-
-</references>
-</qhelp>
--- a/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.ql
+++ b/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.ql
@@ -1,120 +0,0 @@
-/**
- * @name Certificate not checked
- * @description Always check the result of certificate verification after fetching an SSL certificate.
- * @kind problem
- * @problem.severity error
- * @security-severity 7.5
- * @precision medium
- * @id cpp/certificate-not-checked
- * @tags security
- *       external/cwe/cwe-295
- */
-
-import cpp
-import semmle.code.cpp.valuenumbering.GlobalValueNumbering
-import semmle.code.cpp.controlflow.IRGuards
-
-/**
- * A call to `SSL_get_peer_certificate`.
- */
-class SSLGetPeerCertificateCall extends FunctionCall {
-  SSLGetPeerCertificateCall() {
-    getTarget().getName() = "SSL_get_peer_certificate" // SSL_get_peer_certificate(ssl)
-  }
-
-  Expr getSSLArgument() { result = getArgument(0) }
-}
-
-/**
- * A call to `SSL_get_verify_result`.
- */
-class SSLGetVerifyResultCall extends FunctionCall {
-  SSLGetVerifyResultCall() {
-    getTarget().getName() = "SSL_get_verify_result" // SSL_get_peer_certificate(ssl)
-  }
-
-  Expr getSSLArgument() { result = getArgument(0) }
-}
-
-/**
- * Holds if the SSL object passed into `SSL_get_peer_certificate` is checked with
- * `SSL_get_verify_result` entering `node`.
- */
-predicate resultIsChecked(SSLGetPeerCertificateCall getCertCall, ControlFlowNode node) {
-  exists(Expr ssl, SSLGetVerifyResultCall check |
-    ssl = globalValueNumber(getCertCall.getSSLArgument()).getAnExpr() and
-    ssl = check.getSSLArgument() and
-    node = check
-  )
-}
-
-/**
- * Holds if the certificate returned by `SSL_get_peer_certificate` is found to be
- * `0` on the edge `node1` to `node2`.
- */
-predicate certIsZero(
-  SSLGetPeerCertificateCall getCertCall, ControlFlowNode node1, ControlFlowNode node2
-) {
-  exists(Expr cert | cert = globalValueNumber(getCertCall).getAnExpr() |
-    exists(GuardCondition guard, Expr zero |
-      zero.getValue().toInt() = 0 and
-      node1 = guard and
-      (
-        // if (cert == zero) {
-        guard.comparesEq(cert, zero, 0, true, true) and
-        node2 = guard.getATrueSuccessor()
-        or
-        // if (cert != zero) { }
-        guard.comparesEq(cert, zero, 0, false, true) and
-        node2 = guard.getAFalseSuccessor()
-      )
-    )
-    or
-    (
-      // if (cert) { }
-      node1 = cert
-      or
-      // if (!cert) {
-      node1.(NotExpr).getAChild() = cert
-    ) and
-    node2 = node1.getASuccessor() and
-    not cert.(GuardCondition).controls(node2, true) // cert may be false
-  )
-}
-
-/**
- * Holds if the SSL object passed into `SSL_get_peer_certificate` has not been checked with
- * `SSL_get_verify_result` at `node`. Note that this is only computed at the call to
- * `SSL_get_peer_certificate` and at the start and end of `BasicBlock`s.
- */
-predicate certNotChecked(SSLGetPeerCertificateCall getCertCall, ControlFlowNode node) {
-  // cert is not checked at the call to `SSL_get_peer_certificate`
-  node = getCertCall
-  or
-  exists(BasicBlock bb, int pos |
-    // flow to end of a `BasicBlock`
-    certNotChecked(getCertCall, bb.getNode(pos)) and
-    node = bb.getEnd() and
-    // check for barrier node
-    not exists(int pos2 |
-      pos2 > pos and
-      resultIsChecked(getCertCall, bb.getNode(pos2))
-    )
-  )
-  or
-  exists(BasicBlock pred, BasicBlock bb |
-    // flow from the end of one `BasicBlock` to the beginning of a successor
-    certNotChecked(getCertCall, pred.getEnd()) and
-    bb = pred.getASuccessor() and
-    node = bb.getStart() and
-    // check for barrier bb
-    not certIsZero(getCertCall, pred.getEnd(), bb.getStart())
-  )
-}
-
-from SSLGetPeerCertificateCall getCertCall, ControlFlowNode node
-where
-  certNotChecked(getCertCall, node) and
-  node instanceof Function // (function exit)
-select getCertCall,
-  "This " + getCertCall.toString() + " is not followed by a call to SSL_get_verify_result."
--- a/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotCheckedBad.cpp
+++ b/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotCheckedBad.cpp
@@ -1,5 +0,0 @@
-// ...
-
-X509 *cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result is never called)
-
-// ...
--- a/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotCheckedGood.cpp
+++ b/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotCheckedGood.cpp
@@ -1,9 +0,0 @@
-// ...
-
-X509 *cert = SSL_get_peer_certificate(ssl); // GOOD
-if (cert)
-{
-	result = SSL_get_verify_result(ssl);
-	if (result == X509_V_OK)
-	{
-		// ...
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
@@ -8,7 +8,6 @@
 * @precision high
 * @id cpp/cleartext-storage-file
 * @tags security
- *       external/cwe/cwe-260
 *       external/cwe/cwe-313
 */

--- a/cpp/ql/src/Security/CWE/CWE-457/InitializationFunctions.qll
+++ b/cpp/ql/src/Security/CWE/CWE-457/InitializationFunctions.qll
@@ -84,8 +84,8 @@ class ParameterNullCheck extends ParameterCheck {
    p.getFunction() instanceof InitializationFunction and
    p.getType().getUnspecifiedType() instanceof PointerType and
    exists(VariableAccess va | va = p.getAnAccess() |
-      nullSuccessor = this.getATrueSuccessor() and
-      notNullSuccessor = this.getAFalseSuccessor() and
+      nullSuccessor = getATrueSuccessor() and
+      notNullSuccessor = getAFalseSuccessor() and
      (
        va = this.(NotExpr).getOperand() or
        va = any(EQExpr eq | eq = this and eq.getAnOperand().getValue() = "0").getAnOperand() or
@@ -95,8 +95,8 @@ class ParameterNullCheck extends ParameterCheck {
              .getAnOperand()
      )
      or
-      nullSuccessor = this.getAFalseSuccessor() and
-      notNullSuccessor = this.getATrueSuccessor() and
+      nullSuccessor = getAFalseSuccessor() and
+      notNullSuccessor = getATrueSuccessor() and
      (
        va = this or
        va = any(NEExpr eq | eq = this and eq.getAnOperand().getValue() = "0").getAnOperand() or
@@ -132,7 +132,7 @@ class ValidatedExternalCondInitFunction extends ExternalData {
  ValidatedExternalCondInitFunction() { this.getDataPath().matches("%cond-init%.csv") }

  predicate isExternallyVerified(Function f, int param) {
-    functionSignature(f, this.getField(1), this.getField(2)) and param = this.getFieldAsInt(3)
+    functionSignature(f, getField(1), getField(2)) and param = getFieldAsInt(3)
  }
 }

@@ -193,7 +193,7 @@ class InitializationFunction extends Function {
            .getAnOverridingFunction+()
            .(InitializationFunction)
            .initializedParameter() or
-      this.getParameter(i) = any(InitializationFunctionCall c).getAnInitParameter()
+      getParameter(i) = any(InitializationFunctionCall c).getAnInitParameter()
    )
    or
    // If we have no definition, we look at SAL annotations
@@ -227,7 +227,7 @@ class InitializationFunction extends Function {
        result = getAnInitializedArgument(any(Call c))
        or
        exists(IfStmt check | result = check.getCondition().getAChild*() |
-          this.paramReassignmentCondition(check)
+          paramReassignmentCondition(check)
        )
      )
      or
@@ -249,15 +249,15 @@ class InitializationFunction extends Function {

  /** Holds if `n` can be reached without the parameter at `index` being reassigned. */
  predicate paramNotReassignedAt(ControlFlowNode n, int index, Context c) {
-    c = this.getAContext(index) and
+    c = getAContext(index) and
    (
      not exists(this.getEntryPoint()) and index = i and n = this
      or
      n = this.getEntryPoint() and index = i
      or
-      exists(ControlFlowNode mid | this.paramNotReassignedAt(mid, index, c) |
+      exists(ControlFlowNode mid | paramNotReassignedAt(mid, index, c) |
        n = mid.getASuccessor() and
-        not n = this.paramReassignment(index) and
+        not n = paramReassignment(index) and
        /*
         * Ignore successor edges where the parameter is null, because it is then confirmed to be
         * initialized.
@@ -265,7 +265,7 @@ class InitializationFunction extends Function {

        not exists(ParameterNullCheck nullCheck |
          nullCheck = mid and
-          nullCheck = this.getANullCheck(index) and
+          nullCheck = getANullCheck(index) and
          n = nullCheck.getNullSuccessor()
        ) and
        /*
@@ -281,13 +281,13 @@ class InitializationFunction extends Function {

  /** Gets a null-check on the parameter at `index`. */
  private ParameterNullCheck getANullCheck(int index) {
-    this.getParameter(index) = result.getParameter()
+    getParameter(index) = result.getParameter()
  }

  /** Gets a parameter which is not at the given index. */
  private Parameter getOtherParameter(int index) {
    index = i and
-    result = this.getAParameter() and
+    result = getAParameter() and
    not result.getIndex() = index
  }

@@ -306,10 +306,10 @@ class InitializationFunction extends Function {
    if
      strictcount(Parameter p |
        exists(Context c | c = ParamNull(p) or c = ParamNotNull(p)) and
-        p = this.getOtherParameter(index)
+        p = getOtherParameter(index)
      ) = 1
    then
-      exists(Parameter p | p = this.getOtherParameter(index) |
+      exists(Parameter p | p = getOtherParameter(index) |
        result = ParamNull(p) or result = ParamNotNull(p)
      )
    else
@@ -424,8 +424,8 @@ class ConditionalInitializationCall extends FunctionCall {

  /** Gets the argument passed for the given parameter to this call. */
  Expr getArgumentForParameter(Parameter p) {
-    p = this.getTarget().getAParameter() and
-    result = this.getArgument(p.getIndex())
+    p = getTarget().getAParameter() and
+    result = getArgument(p.getIndex())
  }

  /**
@@ -442,7 +442,7 @@ class ConditionalInitializationCall extends FunctionCall {
        context = ParamNotNull(otherP) or
        context = ParamNull(otherP)
      |
-        otherArg = this.getArgumentForParameter(otherP) and
+        otherArg = getArgumentForParameter(otherP) and
        (otherArg instanceof AddressOfExpr implies context = ParamNotNull(otherP)) and
        (otherArg.getType() instanceof ArrayType implies context = ParamNotNull(otherP)) and
        (otherArg.getValue() = "0" implies context = ParamNull(otherP))
@@ -511,8 +511,8 @@ class ConditionalInitializationCall extends FunctionCall {
        )
    )
    or
-    exists(ControlFlowNode mid | mid = this.uncheckedReaches(var) |
-      not mid = this.getStatusVariable().getAnAccess() and
+    exists(ControlFlowNode mid | mid = uncheckedReaches(var) |
+      not mid = getStatusVariable().getAnAccess() and
      not mid = var.getAnAccess() and
      not exists(VariableAccess write | result = write and write = var.getAnAccess() |
        write = any(AssignExpr a).getLValue() or
--- a/cpp/ql/src/Security/CWE/CWE-457/UninitializedVariables.qll
+++ b/cpp/ql/src/Security/CWE/CWE-457/UninitializedVariables.qll
@@ -44,7 +44,7 @@ class ConditionallyInitializedVariable extends LocalVariable {
    // Find a call that conditionally initializes this variable
    hasConditionalInitialization(f, call, this, initAccess, e) and
    // Ignore cases where the variable is assigned prior to the call
-    not reaches(this.getAnAssignedValue(), initAccess) and
+    not reaches(getAnAssignedValue(), initAccess) and
    // Ignore cases where the variable is assigned field-wise prior to the call.
    not exists(FieldAccess fa |
      exists(Assignment a |
@@ -56,7 +56,7 @@ class ConditionallyInitializedVariable extends LocalVariable {
    ) and
    // Ignore cases where the variable is assigned by a prior call to an initialization function
    not exists(Call c |
-      this.getAnAccess() = getAnInitializedArgument(c).(AddressOfExpr).getOperand() and
+      getAnAccess() = getAnInitializedArgument(c).(AddressOfExpr).getOperand() and
      reaches(c, initAccess)
    ) and
    /*
@@ -64,7 +64,7 @@ class ConditionallyInitializedVariable extends LocalVariable {
     * the CFG, but should always be considered as initialized, so exclude them.
     */

-    not exists(this.getInitializer().getExpr())
+    not exists(getInitializer().getExpr())
  }

  /**
@@ -90,7 +90,7 @@ class ConditionallyInitializedVariable extends LocalVariable {
    // Variable associated with this particular call
    call = initializingCall and
    // Access is a meaningful read access
-    result = this.getAReadAccess() and
+    result = getAReadAccess() and
    // Which occurs after the call
    reaches(call, result) and
    /*
@@ -124,7 +124,7 @@ class ConditionallyInitializedVariable extends LocalVariable {
    call = initializingCall and
    initializingFunction = f and
    e = evidence and
-    result = this.getAReadAccessAfterCall(initializingCall) and
+    result = getAReadAccessAfterCall(initializingCall) and
    (
      // Access is risky because status return code ignored completely
      call instanceof ExprInVoidContext
@@ -148,7 +148,7 @@ class ConditionallyInitializedVariable extends LocalVariable {
    call = initializingCall and
    initializingFunction = f and
    e = evidence and
-    result = this.getAReadAccessAfterCall(initializingCall) and
+    result = getAReadAccessAfterCall(initializingCall) and
    exists(LocalVariable status, Assignment a |
      a.getRValue() = call and
      call = status.getAnAssignedValue() and
@@ -184,7 +184,7 @@ class ConditionallyInitializedVariable extends LocalVariable {
    ConditionalInitializationFunction initializingFunction,
    ConditionalInitializationCall initializingCall, Evidence evidence
  ) {
-    result = this.getARiskyAccessBeforeStatusCheck(initializingFunction, initializingCall, evidence) or
-    result = this.getARiskyAccessWithNoStatusCheck(initializingFunction, initializingCall, evidence)
+    result = getARiskyAccessBeforeStatusCheck(initializingFunction, initializingCall, evidence) or
+    result = getARiskyAccessWithNoStatusCheck(initializingFunction, initializingCall, evidence)
  }
 }
--- a/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
+++ b/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
@@ -31,15 +31,15 @@ abstract class SystemData extends Element {
   */
  Expr getAnExprIndirect() {
    // direct SystemData
-    result = this.getAnExpr() or
+    result = getAnExpr() or
    // flow via global or member variable (conservative approximation)
-    result = this.getAnAffectedVar().getAnAccess() or
+    result = getAnAffectedVar().getAnAccess() or
    // flow via stack variable
-    definitionUsePair(_, this.getAnExprIndirect(), result) or
-    useUsePair(_, this.getAnExprIndirect(), result) or
-    useUsePair(_, result, this.getAnExprIndirect()) or
+    definitionUsePair(_, getAnExprIndirect(), result) or
+    useUsePair(_, getAnExprIndirect(), result) or
+    useUsePair(_, result, getAnExprIndirect()) or
    // flow from assigned value to assignment expression
-    result.(AssignExpr).getRValue() = this.getAnExprIndirect()
+    result.(AssignExpr).getRValue() = getAnExprIndirect()
  }

  /**
--- a/cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql
+++ b/cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql
@@ -67,16 +67,16 @@ class IFStream extends Type {
 */
 class CinVariable extends NamespaceVariable {
  CinVariable() {
-    this.getName() = ["cin", "wcin"] and
-    this.getNamespace().getName() = "std"
+    getName() = ["cin", "wcin"] and
+    getNamespace().getName() = "std"
  }
 }

 /** A call to `std::operator>>`. */
 class OperatorRShiftCall extends FunctionCall {
  OperatorRShiftCall() {
-    this.getTarget().getNamespace().getName() = "std" and
-    this.getTarget().hasName("operator>>")
+    getTarget().getNamespace().getName() = "std" and
+    getTarget().hasName("operator>>")
  }

  /*
@@ -87,15 +87,15 @@ class OperatorRShiftCall extends FunctionCall {
   */

  Expr getSource() {
-    if this.getTarget() instanceof MemberFunction
-    then result = this.getQualifier()
-    else result = this.getArgument(0)
+    if getTarget() instanceof MemberFunction
+    then result = getQualifier()
+    else result = getArgument(0)
  }

  Expr getDest() {
-    if this.getTarget() instanceof MemberFunction
-    then result = this.getArgument(0)
-    else result = this.getArgument(1)
+    if getTarget() instanceof MemberFunction
+    then result = getArgument(0)
+    else result = getArgument(1)
  }
 }

@@ -119,7 +119,7 @@ abstract class PotentiallyDangerousInput extends Expr {
   * Gets the width restriction that applies to the input stream
   * for this expression, if any.
   */
-  Expr getWidth() { result = this.getPreviousAccess().getWidthAfter() }
+  Expr getWidth() { result = getPreviousAccess().getWidthAfter() }

  private Expr getWidthSetHere() {
    exists(FunctionCall widthCall |
@@ -154,11 +154,11 @@ abstract class PotentiallyDangerousInput extends Expr {
   * after this expression, if any.
   */
  Expr getWidthAfter() {
-    result = this.getWidthSetHere()
+    result = getWidthSetHere()
    or
-    not exists(this.getWidthSetHere()) and
-    not this.isWidthConsumedHere() and
-    result = this.getWidth()
+    not exists(getWidthSetHere()) and
+    not isWidthConsumedHere() and
+    result = getWidth()
  }
 }

--- a/cpp/ql/src/experimental/Security/CWE/CWE-273/PrivilegeDroppingOutoforder.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-273/PrivilegeDroppingOutoforder.ql
@@ -21,9 +21,9 @@ predicate argumentMayBeRoot(Expr e) {

 class SetuidLikeFunctionCall extends FunctionCall {
  SetuidLikeFunctionCall() {
-    (this.getTarget().hasGlobalName("setuid") or this.getTarget().hasGlobalName("setresuid")) and
+    (getTarget().hasGlobalName("setuid") or getTarget().hasGlobalName("setresuid")) and
    // setuid/setresuid with the root user are false positives.
-    not argumentMayBeRoot(this.getArgument(0))
+    not argumentMayBeRoot(getArgument(0))
  }
 }

@@ -44,7 +44,7 @@ class SetuidLikeWrapperCall extends FunctionCall {

 class CallBeforeSetuidFunctionCall extends FunctionCall {
  CallBeforeSetuidFunctionCall() {
-    this.getTarget()
+    getTarget()
        .hasGlobalName([
            "setgid", "setresgid",
            // Compatibility may require skipping initgroups and setgroups return checks.
@@ -52,7 +52,7 @@ class CallBeforeSetuidFunctionCall extends FunctionCall {
            "initgroups", "setgroups"
          ]) and
    // setgid/setresgid/etc with the root group are false positives.
-    not argumentMayBeRoot(this.getArgument(0))
+    not argumentMayBeRoot(getArgument(0))
  }
 }

--- a/cpp/ql/src/experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql
@@ -24,7 +24,7 @@ class CallMayNotReturn extends FunctionCall {
    not exists(this.(ControlFlowNode).getASuccessor())
    or
    // call to another function that may not return
-    exists(CallMayNotReturn exit | this.getTarget() = exit.getEnclosingFunction())
+    exists(CallMayNotReturn exit | getTarget() = exit.getEnclosingFunction())
  }
 }

--- a/cpp/ql/src/experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.ql
@@ -38,7 +38,13 @@ where
    fc.getTargetType().(Class).getABaseClass+().hasGlobalOrStdName("exception") or
    fc.getTargetType().(Class).getABaseClass+().hasGlobalOrStdName("CException")
  ) and
-  fc instanceof ExprInVoidContext and
  not fc.isInMacroExpansion() and
-  msg = "Object creation of exception type on stack. Did you forget the throw keyword?"
+  not exists(ThrowExpr texp | fc.getEnclosingStmt() = texp.getEnclosingStmt()) and
+  not exists(FunctionCall fctmp | fctmp.getAnArgument() = fc) and
+  not fc instanceof ConstructorDirectInit and
+  not fc.getEnclosingStmt() instanceof DeclStmt and
+  not fc instanceof ConstructorDelegationInit and
+  not fc.getParent() instanceof Initializer and
+  not fc.getParent() instanceof AllocationExpr and
+  msg = "This object does not generate an exception."
 select fc, msg
--- a/cpp/ql/src/jsf/4.10
+++ b/cpp/ql/src/jsf/4.10
@@ -118,7 +118,7 @@ private predicate exprReleases(Expr e, Expr released, string kind) {
 }

 class Resource extends MemberVariable {
-  Resource() { not this.isStatic() }
+  Resource() { not isStatic() }

  // Check that an expr is somewhere in this class - does not have to be a constructor
  predicate inSameClass(Expr e) {
@@ -129,7 +129,7 @@ class Resource extends MemberVariable {
    f instanceof Destructor and f.getDeclaringType() = this.getDeclaringType()
    or
    exists(Function mid, FunctionCall fc |
-      this.calledFromDestructor(mid) and
+      calledFromDestructor(mid) and
      fc.getEnclosingFunction() = mid and
      fc.getTarget() = f and
      f.getDeclaringType() = this.getDeclaringType()
@@ -137,7 +137,7 @@ class Resource extends MemberVariable {
  }

  predicate inDestructor(Expr e) {
-    exists(Function f | f = e.getEnclosingFunction() | this.calledFromDestructor(f))
+    exists(Function f | f = e.getEnclosingFunction() | calledFromDestructor(f))
  }

  predicate acquisitionWithRequiredKind(Assignment acquireAssign, string kind) {
--- a/cpp/ql/test/experimental/library-tests/rangeanalysis/extensibility/extensibility.ql
+++ b/cpp/ql/test/experimental/library-tests/rangeanalysis/extensibility/extensibility.ql
@@ -29,8 +29,7 @@ class CustomAddFunctionCall extends SimpleRangeAnalysisExpr, FunctionCall {

 class SelfSub extends SimpleRangeAnalysisExpr, SubExpr {
  SelfSub() {
-    this.getLeftOperand().(VariableAccess).getTarget() =
-      this.getRightOperand().(VariableAccess).getTarget()
+    getLeftOperand().(VariableAccess).getTarget() = getRightOperand().(VariableAccess).getTarget()
  }

  override float getLowerBounds() { result = 0 }
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-703/semmle/tests/FindIncorrectlyUsedExceptions.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-703/semmle/tests/FindIncorrectlyUsedExceptions.expected
@@ -1,3 +1,3 @@
-| test.cpp:35:3:35:33 | call to runtime_error | Object creation of exception type on stack. Did you forget the throw keyword? |
+| test.cpp:35:3:35:33 | call to runtime_error | This object does not generate an exception. |
 | test.cpp:41:3:41:11 | call to funcTest1 | There is an exception in the function that requires your attention. |
 | test.cpp:42:3:42:9 | call to DllMain | DllMain contains an exeption not wrapped in a try..catch block. |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWrite.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWrite.expected
@@ -3,17 +3,13 @@
 | tests.cpp:272:2:272:8 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 8 bytes. |
 | tests.cpp:273:2:273:8 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 8 bytes. |
 | tests.cpp:308:3:308:9 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 8 bytes. |
-| tests.cpp:315:2:315:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 4 bytes. |
-| tests.cpp:316:2:316:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 4 bytes. |
-| tests.cpp:321:2:321:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 4 bytes. |
-| tests.cpp:324:3:324:9 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 4 bytes. |
-| tests.cpp:327:2:327:8 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 4 bytes. |
-| tests.cpp:329:3:329:9 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 4 bytes. |
+| tests.cpp:315:2:315:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
+| tests.cpp:316:2:316:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
+| tests.cpp:321:2:321:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
+| tests.cpp:324:3:324:9 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
+| tests.cpp:327:2:327:8 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 2 bytes. |
+| tests.cpp:329:3:329:9 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 2 bytes. |
 | tests.cpp:341:2:341:8 | call to sprintf | This 'call to sprintf' operation requires 3 bytes but the destination is only 2 bytes. |
 | tests.cpp:343:2:343:8 | call to sprintf | This 'call to sprintf' operation requires 3 bytes but the destination is only 2 bytes. |
 | tests.cpp:345:2:345:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
 | tests.cpp:347:2:347:8 | call to sprintf | This 'call to sprintf' operation requires 3 bytes but the destination is only 2 bytes. |
-| tests.cpp:350:2:350:8 | call to sprintf | This 'call to sprintf' operation requires 4 bytes but the destination is only 3 bytes. |
-| tests.cpp:354:2:354:8 | call to sprintf | This 'call to sprintf' operation requires 4 bytes but the destination is only 3 bytes. |
-| tests.cpp:358:2:358:8 | call to sprintf | This 'call to sprintf' operation requires 4 bytes but the destination is only 3 bytes. |
-| tests.cpp:363:2:363:8 | call to sprintf | This 'call to sprintf' operation requires 5 bytes but the destination is only 4 bytes. |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/tests.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/tests.cpp
@@ -310,56 +310,39 @@ namespace custom_sprintf_impl {
 }

 void test6(unsigned unsigned_value, int value) {
-	char buffer2[2], buffer3[3], buffer4[4], buffer5[5];
+	char buffer[2];
 	
-	sprintf(buffer4, "%u", unsigned_value); // BAD: buffer overflow
-	sprintf(buffer4, "%d", unsigned_value); // BAD: buffer overflow
-	if (unsigned_value < 1000) {
-		sprintf(buffer4, "%u", unsigned_value); // GOOD
+	sprintf(buffer, "%u", unsigned_value); // BAD: buffer overflow
+	sprintf(buffer, "%d", unsigned_value); // BAD: buffer overflow
+	if (unsigned_value < 10) {
+		sprintf(buffer, "%u", unsigned_value); // GOOD
 	}

-	sprintf(buffer4, "%u", -100); // BAD: buffer overflow
+	sprintf(buffer, "%u", -10); // BAD: buffer overflow

-	if(unsigned_value == (unsigned)-100) {
-		sprintf(buffer4, "%u", unsigned_value); // BAD: buffer overflow
+	if(unsigned_value == (unsigned)-10) {
+		sprintf(buffer, "%u", unsigned_value); // BAD: buffer overflow
 	}

-	sprintf(buffer4, "%d", value); // BAD: buffer overflow
-	if (value < 1000) {
-		sprintf(buffer4, "%d", value); // BAD: buffer overflow
+	sprintf(buffer, "%d", value); // BAD: buffer overflow
+	if (value < 10) {
+		sprintf(buffer, "%d", value); // BAD: buffer overflow

-		if(value > -100) {
-			sprintf(buffer4, "%d", value); // GOOD
+		if(value > 0) {
+			sprintf(buffer, "%d", value); // GOOD
 		}
 	}

-	sprintf(buffer2, "%u", 0); // GOOD
-	sprintf(buffer2, "%d", 0); // GOOD
-	sprintf(buffer2, "%u", 5); // GOOD
-	sprintf(buffer2, "%d", 5); // GOOD
+	sprintf(buffer, "%u", 0); // GOOD
+	sprintf(buffer, "%d", 0); // GOOD
+	sprintf(buffer, "%u", 5); // GOOD
+	sprintf(buffer, "%d", 5); // GOOD

-	sprintf(buffer2, "%d", -1); // BAD
-	sprintf(buffer2, "%d", 9); // GOOD
-	sprintf(buffer2, "%d", 10); // BAD
+	sprintf(buffer, "%d", -1); // BAD
+	sprintf(buffer, "%d", 9); // GOOD
+	sprintf(buffer, "%d", 10); // BAD

-	sprintf(buffer2, "%u", -1); // BAD
-	sprintf(buffer2, "%u", 9); // GOOD
-	sprintf(buffer2, "%u", 10); // BAD
-
-	unsigned char unsigned_char = unsigned_value;
-	sprintf(buffer3, "%u", (unsigned)unsigned_char); // BAD
-	sprintf(buffer4, "%u", (unsigned)unsigned_char); // GOOD: 0..255 fits
-
-	unsigned small = unsigned_value >> (sizeof(unsigned_value) * 8 - 9);  // in range 0..511
-	sprintf(buffer3, "%u", small); // BAD
-	sprintf(buffer4, "%u", small); // GOOD
-
-	small = unsigned_value & ((1u << 9) - 1);  // in range 0..511
-	sprintf(buffer3, "%u", small); // BAD
-	sprintf(buffer4, "%u", small); // GOOD: 0..511 fits
-
-	char c = value;
-
-	sprintf(buffer4, "%d", (int)c); // BAD: e.g. -127 does not fit
-	sprintf(buffer5, "%d", (int)c); // GOOD: -127..128 fits
+	sprintf(buffer, "%u", -1); // BAD
+	sprintf(buffer, "%u", 9); // GOOD
+	sprintf(buffer, "%u", 10); // BAD
 }
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultConflation.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultConflation.expected
@@ -1,8 +0,0 @@
-| test.cpp:18:9:18:38 | ... \|\| ... | This expression conflates OK and non-OK results from $@. | test.cpp:100:18:100:38 | call to SSL_get_verify_result | call to SSL_get_verify_result |
-| test.cpp:38:7:38:36 | ... \|\| ... | This expression conflates OK and non-OK results from $@. | test.cpp:36:16:36:36 | call to SSL_get_verify_result | call to SSL_get_verify_result |
-| test.cpp:54:7:54:47 | ... \|\| ... | This expression conflates OK and non-OK results from $@. | test.cpp:52:16:52:36 | call to SSL_get_verify_result | call to SSL_get_verify_result |
-| test.cpp:62:7:62:36 | ... \|\| ... | This expression conflates OK and non-OK results from $@. | test.cpp:60:16:60:36 | call to SSL_get_verify_result | call to SSL_get_verify_result |
-| test.cpp:70:7:70:36 | ... && ... | This expression conflates OK and non-OK results from $@. | test.cpp:68:16:68:36 | call to SSL_get_verify_result | call to SSL_get_verify_result |
-| test.cpp:83:7:83:40 | ... \|\| ... | This expression conflates OK and non-OK results from $@. | test.cpp:78:16:78:36 | call to SSL_get_verify_result | call to SSL_get_verify_result |
-| test.cpp:87:7:87:38 | ... \|\| ... | This expression conflates OK and non-OK results from $@. | test.cpp:7:57:7:77 | call to SSL_get_verify_result | call to SSL_get_verify_result |
-| test.cpp:107:13:107:42 | ... \|\| ... | This expression conflates OK and non-OK results from $@. | test.cpp:105:16:105:36 | call to SSL_get_verify_result | call to SSL_get_verify_result |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultConflation.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultConflation.qlref
@@ -1 +0,0 @@
-Security/CWE/CWE-295/SSLResultConflation.ql
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultNotChecked.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultNotChecked.expected
@@ -1,4 +0,0 @@
-| test2.cpp:13:13:13:36 | call to SSL_get_peer_certificate | This call to SSL_get_peer_certificate is not followed by a call to SSL_get_verify_result. |
-| test2.cpp:28:13:28:36 | call to SSL_get_peer_certificate | This call to SSL_get_peer_certificate is not followed by a call to SSL_get_verify_result. |
-| test2.cpp:61:9:61:32 | call to SSL_get_peer_certificate | This call to SSL_get_peer_certificate is not followed by a call to SSL_get_verify_result. |
-| test2.cpp:89:9:89:32 | call to SSL_get_peer_certificate | This call to SSL_get_peer_certificate is not followed by a call to SSL_get_verify_result. |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultNotChecked.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultNotChecked.qlref
@@ -1 +0,0 @@
-Security/CWE/CWE-295/SSLResultNotChecked.ql
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-295/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-295/test.cpp
@@ -1,149 +0,0 @@
-
-struct SSL {
-	// ...
-};
-
-int SSL_get_verify_result(const SSL *ssl);
-int get_verify_result_indirect(const SSL *ssl) { return SSL_get_verify_result(ssl); }
-
-int something_else(const SSL *ssl);
-
-bool is_ok(int result)
-{
-	return (result == 0); // GOOD
-}
-
-bool is_maybe_ok(int result)
-{
-	return (result == 0) || (result == 1); // BAD (conflates OK and a non-OK codes)
-}
-
-void test1_1(SSL *ssl)
-{
-	{
-		int result = SSL_get_verify_result(ssl);
-
-		if (result == 0) // GOOD
-		{
-		}
-
-		if (result == 1) // GOOD
-		{
-		}
-	}
-
-	{
-		int result = SSL_get_verify_result(ssl);
-
-		if ((result == 0) || (result == 1)) // BAD (conflates OK and a non-OK codes)
-		{
-		}
-	}
-
-	{
-		int result = SSL_get_verify_result(ssl);
-
-		if ((result == 1) || (result == 2)) // GOOD (both results are non-OK)
-		{
-		}
-	}
-
-	{
-		int result = SSL_get_verify_result(ssl);
-
-		if ((result == 0) || (false) || (result == 2)) // BAD (conflates OK and a non-OK codes)
-		{
-		}
-	}
-
-	{
-		int result = SSL_get_verify_result(ssl);
-
-		if ((0 == result) || (1 == result)) // BAD (conflates OK and a non-OK codes)
-		{
-		}
-	}
-
-	{
-		int result = SSL_get_verify_result(ssl);
-
-		if ((result != 0) && (result != 1)) // BAD (conflates OK and a non-OK codes)
-		{
-		} else {
-			// conflation occurs here
-		}
-	}
-
-	{
-		int result = SSL_get_verify_result(ssl);
-		int result_cpy = result;
-		int result2 = get_verify_result_indirect(ssl);
-		int result3 = something_else(ssl);
-
-		if ((result == 0) || (result_cpy == 1)) // BAD (conflates OK and a non-OK codes)
-		{
-		}
-	
-		if ((result2 == 0) || (result2 == 1)) // BAD (conflates OK and a non-OK codes)
-		{
-		}
-	
-		if ((result3 == 0) || (result3 == 1)) // GOOD (not an SSL result)
-		{
-		}
-	}
-
-	if (is_ok(SSL_get_verify_result(ssl)))
-	{
-	}
-
-	if (is_maybe_ok(SSL_get_verify_result(ssl)))
-	{
-	}
-
-	{
-		int result = SSL_get_verify_result(ssl);
-
-		bool ok = (result == 0) || (result == 1); // BAD (conflates OK and a non-OK codes)
-	
-		if (ok) {
-		}
-	}
-
-	{
-		int result = SSL_get_verify_result(ssl);
-
-		if (result == 1) // BAD (conflates OK and a non-OK codes in `else`) [NOT DETECTED]
-		{
-		} else {
-		}
-	}
-}
-
-void do_good();
-
-void test1_2(SSL *ssl)
-{
-	int result = SSL_get_verify_result(ssl);
-
-	if (result == 0) { // GOOD
-		do_good();
-	} else if (result == 1) {
-		throw 1;
-	} else {
-		throw 1;
-	}
-}
-
-void test1_3(SSL *ssl)
-{
-	int result = SSL_get_verify_result(ssl);
-
-	if (result == 0) { // BAD (error code 1 is treated as OK, not as non-OK) [NOT DETECTED]
-		do_good();
-	} else if (result == 1) {
-		do_good();
-	} else {
-		throw 1;
-	}
-}
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-295/test2.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-295/test2.cpp
@@ -1,147 +0,0 @@
-
-struct SSL {
-	// ...
-};
-
-int SSL_get_peer_certificate(const SSL *ssl);
-int SSL_get_verify_result(const SSL *ssl);
-
-bool maybe();
-
-bool test2_1(SSL *ssl)
-{
-	int cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result is never called)
-
-	return true;
-}
-
-bool test2_2(SSL *ssl)
-{
-	int cert = SSL_get_peer_certificate(ssl); // GOOD (SSL_get_verify_result is always called)
-	int result = SSL_get_verify_result(ssl);
-
-	return (result == 0);
-}
-
-bool test2_3(SSL *ssl)
-{
-	int cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result may not be called)
-
-	if (maybe())
-	{
-		int result = SSL_get_verify_result(ssl);
-
-		return (result == 0);
-	}
-
-	return true;
-}
-
-bool test2_4(SSL *ssl)
-{
-	int cert, result;
-
-	cert = SSL_get_peer_certificate(ssl); // GOOD (SSL_get_verify_result is called when there is a cert)
-	if (cert != 0)
-	{
-		result = SSL_get_verify_result(ssl);
-		if (result == 0)
-		{
-			return true;
-		}
-	}
-
-	return false;
-}
-
-bool test2_5(SSL *ssl)
-{
-	int cert, result;
-
-	cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result is not used reliably)
-	if ((cert != 0) && (maybe()))
-	{
-		result = SSL_get_verify_result(ssl);
-		if (result == 0)
-		{
-			return true;
-		}
-	}
-
-	return false;
-}
-
-bool test2_6(SSL *ssl)
-{
-	int cert;
-
-	cert = SSL_get_peer_certificate(ssl); // GOOD (SSL_get_verify_result is called when there is a cert)
-	if (cert == 0) return false;
-	if (SSL_get_verify_result(ssl) != 0) return false;
-
-	return true;
-}
-
-bool test2_7(SSL *ssl)
-{
-	int cert;
-
-	cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result is only called when there is not a cert)
-	if (cert != 0) return false;
-	if (SSL_get_verify_result(ssl) != 0) return false;
-
-	return true;
-}
-
-bool test2_8(SSL *ssl)
-{
-	int cert;
-
-	cert = SSL_get_peer_certificate(ssl); // GOOD (SSL_get_verify_result is called when there is a cert)
-	if (!cert) return false;
-	if (!SSL_get_verify_result(ssl)) return false;
-
-	return true;
-}
-
-bool test2_9(SSL *ssl)
-{
-	int cert;
-
-	cert = SSL_get_peer_certificate(ssl); // GOOD (SSL_get_verify_result is called when there is a cert)
-	if ((!cert) || (SSL_get_verify_result(ssl) != 0)) {
-		return false;
-	}
-
-	return true;
-}
-
-bool test2_10(SSL *ssl)
-{
-	int cert = SSL_get_peer_certificate(ssl); // GOOD (SSL_get_verify_result is called when there is a cert)
-
-	if (cert)
-	{
-		int result = SSL_get_verify_result(ssl);
-
-		if (result == 0)
-		{
-			return true;
-		}
-	}
-
-	return true;
-}
-
-bool test2_11(SSL *ssl)
-{
-	int cert;
-
-	cert = SSL_get_peer_certificate(ssl); // GOOD (SSL_get_verify_result is called when there is a cert)
-
-	if ((cert) && (SSL_get_verify_result(ssl) == 0)) {
-		return true;
-	}
-
-	return false;
-}
--- a/csharp/documentation/library-coverage/coverage.csv
+++ b/csharp/documentation/library-coverage/coverage.csv
@@ -3,4 +3,4 @@ Dapper,55,,,,,,55,,,
 Microsoft.ApplicationBlocks.Data,28,,,,,,28,,,
 MySql.Data.MySqlClient,48,,,,,,48,,,
 ServiceStack,194,,7,27,,75,92,,,7
-System,28,3,25,,4,,23,1,3,25
+System,28,3,13,,4,,23,1,3,13
--- a/csharp/documentation/library-coverage/coverage.rst
+++ b/csharp/documentation/library-coverage/coverage.rst
@@ -8,7 +8,7 @@ C# framework & library support

   Framework / library,Package,Flow sources,Taint & value steps,Sinks (total),`CWE-079` :sub:`Cross-site scripting`
   `ServiceStack <https://servicestack.net/>`_,"``ServiceStack.*``, ``ServiceStack``",,7,194,
-   System,"``System.*``, ``System``",3,25,28,5
+   System,"``System.*``, ``System``",3,13,28,5
   Others,"``Dapper``, ``Microsoft.ApplicationBlocks.Data``, ``MySql.Data.MySqlClient``",,,131,
-   Totals,,3,32,353,5
+   Totals,,3,20,353,5

--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/NamedType.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/NamedType.cs
@@ -1,6 +1,7 @@
 using Microsoft.CodeAnalysis;
 using Microsoft.CodeAnalysis.CSharp;
 using Semmle.Extraction.CSharp.Populators;
+using Semmle.Extraction.Entities;
 using System;
 using System.Collections.Generic;
 using System.IO;
@@ -35,7 +36,6 @@ namespace Semmle.Extraction.CSharp.Entities
        {
            if (Symbol.TypeKind == TypeKind.Error)
            {
-                UnknownType.Create(Context); // make sure this exists so we can use it in `TypeRef::getReferencedType`
                Context.Extractor.MissingType(Symbol.ToString()!, Context.FromSource);
                return;
            }
@@ -48,7 +48,7 @@ namespace Semmle.Extraction.CSharp.Entities
                if (Symbol.IsBoundNullable())
                {
                    // An instance of Nullable<T>
-                    trapFile.nullable_underlying_type(this, TypeArguments[0].TypeRef);
+                    trapFile.nullable_underlying_type(this, Create(Context, Symbol.TypeArguments[0]).TypeRef);
                }
                else if (Symbol.IsReallyUnbound())
                {
@@ -67,7 +67,7 @@ namespace Semmle.Extraction.CSharp.Entities
                        : Type.Create(Context, Symbol.ConstructedFrom);
                    trapFile.constructed_generic(this, unbound.TypeRef);

-                    for (var i = 0; i < TypeArguments.Length; ++i)
+                    for (var i = 0; i < Symbol.TypeArguments.Length; ++i)
                    {
                        trapFile.type_arguments(TypeArguments[i].TypeRef, i, this);
                    }
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/Type.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/Type.cs
@@ -1,5 +1,6 @@
 using Microsoft.CodeAnalysis;
 using Microsoft.CodeAnalysis.CSharp.Syntax;
+using Semmle.Util;
 using System;
 using System.Collections.Generic;
 using System.IO;
@@ -23,9 +24,9 @@ namespace Semmle.Extraction.CSharp.Entities
                symbol.ContainingType is not null && ConstructedOrParentIsConstructed(symbol.ContainingType);
        }

-        public Kinds.TypeKind GetTypeKind(Context cx, bool constructUnderlyingTupleType)
+        private static Kinds.TypeKind GetClassType(Context cx, ITypeSymbol t, bool constructUnderlyingTupleType)
        {
-            switch (Symbol.SpecialType)
+            switch (t.SpecialType)
            {
                case SpecialType.System_Int32: return Kinds.TypeKind.INT;
                case SpecialType.System_UInt32: return Kinds.TypeKind.UINT;
@@ -43,14 +44,14 @@ namespace Semmle.Extraction.CSharp.Entities
                case SpecialType.System_Single: return Kinds.TypeKind.FLOAT;
                case SpecialType.System_IntPtr: return Kinds.TypeKind.INT_PTR;
                default:
-                    if (Symbol.IsBoundNullable())
+                    if (t.IsBoundNullable())
                        return Kinds.TypeKind.NULLABLE;

-                    switch (Symbol.TypeKind)
+                    switch (t.TypeKind)
                    {
                        case TypeKind.Class: return Kinds.TypeKind.CLASS;
                        case TypeKind.Struct:
-                            return ((INamedTypeSymbol)Symbol).IsTupleType && !constructUnderlyingTupleType
+                            return ((INamedTypeSymbol)t).IsTupleType && !constructUnderlyingTupleType
                                ? Kinds.TypeKind.TUPLE
                                : Kinds.TypeKind.STRUCT;
                        case TypeKind.Interface: return Kinds.TypeKind.INTERFACE;
@@ -61,7 +62,7 @@ namespace Semmle.Extraction.CSharp.Entities
                        case TypeKind.FunctionPointer: return Kinds.TypeKind.FUNCTION_POINTER;
                        case TypeKind.Error: return Kinds.TypeKind.UNKNOWN;
                        default:
-                            cx.ModelError(Symbol, $"Unhandled type kind '{Symbol.TypeKind}'");
+                            cx.ModelError(t, $"Unhandled type kind '{t.TypeKind}'");
                            return Kinds.TypeKind.UNKNOWN;
                    }
            }
@@ -75,7 +76,7 @@ namespace Semmle.Extraction.CSharp.Entities
            trapFile.Write("types(");
            trapFile.WriteColumn(this);
            trapFile.Write(',');
-            trapFile.WriteColumn((int)GetTypeKind(Context, constructUnderlyingTupleType));
+            trapFile.WriteColumn((int)GetClassType(Context, Symbol, constructUnderlyingTupleType));
            trapFile.Write(",\"");
            Symbol.BuildDisplayName(Context, trapFile, constructUnderlyingTupleType);
            trapFile.WriteLine("\")");
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/UnknownType.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/UnknownType.cs
@@ -1,39 +0,0 @@
-using System.IO;
-using Microsoft.CodeAnalysis;
-
-namespace Semmle.Extraction.CSharp.Entities
-{
-    internal class UnknownType : Type
-    {
-        private UnknownType(Context cx)
-            : base(cx, null) { }
-
-        public override void Populate(TextWriter trapFile)
-        {
-            trapFile.types(this, Kinds.TypeKind.UNKNOWN, "<unknown type>");
-        }
-
-        public override void WriteId(EscapingTextWriter trapFile)
-        {
-            trapFile.Write("<unknown>;type");
-        }
-
-        public override bool NeedsPopulation => true;
-
-        public override int GetHashCode() => 98744554;
-
-        public override bool Equals(object? obj)
-        {
-            return obj is not null && obj.GetType() == typeof(UnknownType);
-        }
-
-        public static Type Create(Context cx) => UnknownTypeFactory.Instance.CreateEntity(cx, typeof(UnknownType), null);
-
-        private class UnknownTypeFactory : CachedEntityFactory<ITypeSymbol?, UnknownType>
-        {
-            public static UnknownTypeFactory Instance { get; } = new UnknownTypeFactory();
-
-            public override UnknownType Create(Context cx, ITypeSymbol? init) => new UnknownType(cx);
-        }
-    }
-}
--- a/csharp/ql/lib/csharp.qll
+++ b/csharp/ql/lib/csharp.qll
@@ -2,5 +2,40 @@
 * The default C# QL library.
 */

-// Do not add other imports here; add to `semmle.code.csharp.internal.csharp` instead
-import semmle.code.csharp.internal.csharp
+import Customizations
+import semmle.code.csharp.Attribute
+import semmle.code.csharp.Callable
+import semmle.code.csharp.Comments
+import semmle.code.csharp.Element
+import semmle.code.csharp.Event
+import semmle.code.csharp.File
+import semmle.code.csharp.Generics
+import semmle.code.csharp.Location
+import semmle.code.csharp.Member
+import semmle.code.csharp.Namespace
+import semmle.code.csharp.AnnotatedType
+import semmle.code.csharp.Property
+import semmle.code.csharp.Stmt
+import semmle.code.csharp.Type
+import semmle.code.csharp.Using
+import semmle.code.csharp.Variable
+import semmle.code.csharp.XML
+import semmle.code.csharp.Preprocessor
+import semmle.code.csharp.exprs.Access
+import semmle.code.csharp.exprs.ArithmeticOperation
+import semmle.code.csharp.exprs.Assignment
+import semmle.code.csharp.exprs.BitwiseOperation
+import semmle.code.csharp.exprs.Call
+import semmle.code.csharp.exprs.ComparisonOperation
+import semmle.code.csharp.exprs.Creation
+import semmle.code.csharp.exprs.Dynamic
+import semmle.code.csharp.exprs.Expr
+import semmle.code.csharp.exprs.Literal
+import semmle.code.csharp.exprs.LogicalOperation
+import semmle.code.csharp.controlflow.ControlFlowGraph
+import semmle.code.csharp.dataflow.DataFlow
+import semmle.code.csharp.dataflow.TaintTracking
+import semmle.code.csharp.dataflow.SSA
+
+/** Whether the source was extracted without a build command. */
+predicate extractionIsStandalone() { exists(SourceFile f | f.extractedStandalone()) }
--- a/csharp/ql/lib/semmle/code/cil/CallableReturns.qll
+++ b/csharp/ql/lib/semmle/code/cil/CallableReturns.qll
@@ -25,7 +25,7 @@ private module Cached {
  cached
  predicate alwaysThrowsException(Method m, Type t) {
    alwaysThrowsMethod(m) and
-    forex(Throw ex | ex = m.getImplementation().getAnInstruction() | t = ex.getExceptionType())
+    forex(Throw ex | ex = m.getImplementation().getAnInstruction() | t = ex.getExpr().getType())
  }
 }

--- a/csharp/ql/lib/semmle/code/cil/ConsistencyChecks.qll
+++ b/csharp/ql/lib/semmle/code/cil/ConsistencyChecks.qll
@@ -612,7 +612,7 @@ class ExprMissingType extends InstructionViolation {
    not instruction instanceof Opcodes::Ldvirtftn and
    not instruction instanceof Opcodes::Arglist and
    not instruction instanceof Opcodes::Refanytype and
-    instruction.getPushCount() >= 1 and
+    instruction.getPushCount() = 1 and
    count(instruction.getType()) != 1
  }

--- a/csharp/ql/lib/semmle/code/cil/ControlFlow.qll
+++ b/csharp/ql/lib/semmle/code/cil/ControlFlow.qll
@@ -56,32 +56,6 @@ class ControlFlowNode extends @cil_controlflow_node {
    )
  }

-  /**
-   * Gets the type of the `i`th operand. Unlike `getOperand(i).getType()`, this
-   * predicate takes into account when there are multiple possible operands with
-   * different types.
-   */
-  Type getOperandType(int i) {
-    strictcount(this.getOperand(i)) = 1 and
-    result = this.getOperand(i).getType()
-    or
-    strictcount(this.getOperand(i)) = 2 and
-    exists(ControlFlowNode op1, ControlFlowNode op2, Type t2 |
-      op1 = this.getOperand(i) and
-      op2 = this.getOperand(i) and
-      op1 != op2 and
-      result = op1.getType() and
-      t2 = op2.getType()
-    |
-      result = t2
-      or
-      result.(PrimitiveType).getUnderlyingType().getConversionIndex() >
-        t2.(PrimitiveType).getUnderlyingType().getConversionIndex()
-      or
-      op2 instanceof NullLiteral
-    )
-  }
-
  /** Gets an operand of this instruction, if any. */
  ControlFlowNode getAnOperand() { result = this.getOperand(_) }

@@ -128,12 +102,7 @@ class ControlFlowNode extends @cil_controlflow_node {
  /** Gets the method containing this control flow node. */
  MethodImplementation getImplementation() { none() }

-  /**
-   * Gets the type of the item pushed onto the stack, if any.
-   *
-   * If called via `ControlFlowNode::getOperand(i).getType()`, consider using
-   * `ControlFlowNode::getOperandType(i)` instead.
-   */
+  /** Gets the type of the item pushed onto the stack, if any. */
  cached
  Type getType() { none() }

--- a/csharp/ql/lib/semmle/code/cil/InstructionGroups.qll
+++ b/csharp/ql/lib/semmle/code/cil/InstructionGroups.qll
@@ -73,8 +73,8 @@ class ComparisonOperation extends BinaryExpr, @cil_comparison_operation {
 class BinaryArithmeticExpr extends BinaryExpr, @cil_binary_arithmetic_operation {
  override Type getType() {
    exists(Type t0, Type t1 |
-      t0 = this.getOperandType(0).getUnderlyingType() and
-      t1 = this.getOperandType(1).getUnderlyingType()
+      t0 = this.getOperand(0).getType().getUnderlyingType() and
+      t1 = this.getOperand(1).getType().getUnderlyingType()
    |
      t0 = t1 and result = t0
      or
@@ -242,9 +242,6 @@ class Return extends Instruction, @cil_ret {
 class Throw extends Instruction, DotNet::Throw, @cil_throw_any {
  override Expr getExpr() { result = this.getOperand(0) }

-  /** Gets the type of the exception being thrown. */
-  Type getExceptionType() { result = this.getOperandType(0) }
-
  override predicate canFlowNext() { none() }
 }

--- a/csharp/ql/lib/semmle/code/cil/Instructions.qll
+++ b/csharp/ql/lib/semmle/code/cil/Instructions.qll
@@ -199,9 +199,9 @@ module Opcodes {
    override string getOpcodeName() { result = "neg" }

    override NumericType getType() {
-      result = this.getOperandType(0)
+      result = this.getOperand().getType()
      or
-      this.getOperandType(0) instanceof Enum and result instanceof IntType
+      this.getOperand().getType() instanceof Enum and result instanceof IntType
    }
  }

@@ -260,7 +260,7 @@ module Opcodes {

    override int getPushCount() { result = 2 } // This is the only instruction that pushes 2 items

-    override Type getType() { result = this.getOperandType(0) }
+    override Type getType() { result = this.getOperand(0).getType() }
  }

  /** A `ret` instruction. */
@@ -887,7 +887,7 @@ module Opcodes {
  class Ldelem_ref extends ReadArrayElement, @cil_ldelem_ref {
    override string getOpcodeName() { result = "ldelem.ref" }

-    override Type getType() { result = this.getOperandType(1) }
+    override Type getType() { result = this.getArray().getType() }
  }

  /** An `ldelema` instruction. */
--- a/csharp/ql/lib/semmle/code/csharp/TypeRef.qll
+++ b/csharp/ql/lib/semmle/code/csharp/TypeRef.qll
@@ -12,12 +12,7 @@ private class TypeRef extends @typeref {

  string toString() { result = this.getName() }

-  Type getReferencedType() {
-    typeref_type(this, result)
-    or
-    not typeref_type(this, _) and
-    result instanceof UnknownType
-  }
+  Type getReferencedType() { typeref_type(this, result) }
 }

 /**
--- a/csharp/ql/lib/semmle/code/csharp/controlflow/ControlFlowGraph.qll
+++ b/csharp/ql/lib/semmle/code/csharp/controlflow/ControlFlowGraph.qll
@@ -241,7 +241,7 @@ module ControlFlow {
    predicate isBranch() { strictcount(this.getASuccessor()) > 1 }

    /** Gets the enclosing callable of this control flow node. */
-    final Callable getEnclosingCallable() { result = getNodeCfgScope(this) }
+    Callable getEnclosingCallable() { none() }
  }

  /** Provides different types of control flow nodes. */
@@ -253,6 +253,8 @@ module ControlFlow {

      override BasicBlocks::EntryBlock getBasicBlock() { result = Node.super.getBasicBlock() }

+      override Callable getEnclosingCallable() { result = this.getCallable() }
+
      private Assignable getAssignable() { this = TEntryNode(result) }

      override Location getLocation() {
@@ -281,6 +283,8 @@ module ControlFlow {
        result = Node.super.getBasicBlock()
      }

+      override Callable getEnclosingCallable() { result = this.getCallable() }
+
      override Location getLocation() { result = scope.getLocation() }

      override string toString() {
@@ -305,6 +309,8 @@ module ControlFlow {

      override BasicBlocks::ExitBlock getBasicBlock() { result = Node.super.getBasicBlock() }

+      override Callable getEnclosingCallable() { result = this.getCallable() }
+
      override Location getLocation() { result = scope.getLocation() }

      override string toString() { result = "exit " + scope }
@@ -321,7 +327,14 @@ module ControlFlow {
      private Splits splits;
      private ControlFlowElement cfe;

-      ElementNode() { this = TElementNode(_, cfe, splits) }
+      ElementNode() { this = TElementNode(cfe, splits) }
+
+      override Callable getEnclosingCallable() {
+        result = cfe.getEnclosingCallable()
+        or
+        result =
+          this.getASplit().(Splitting::InitializerSplitting::InitializerSplit).getConstructor()
+      }

      override ControlFlowElement getElement() { result = cfe }

--- a/csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImplShared.qll
+++ b/csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImplShared.qll
@@ -342,7 +342,7 @@ private predicate succExitSplits(
  ControlFlowElement pred, Splits predSplits, CfgScope succ, SuccessorType t
 ) {
  exists(Reachability::SameSplitsBlock b, Completion c | pred = b.getAnElement() |
-    b.isReachable(succ, predSplits) and
+    b.isReachable(predSplits) and
    t = getAMatchingSuccessorType(c) and
    scopeLast(succ, pred, c) and
    forall(SplitImpl predSplit | predSplit = predSplits.getASplit() |
@@ -399,7 +399,7 @@ private module SuccSplits {
    ControlFlowElement succ, Completion c
  ) {
    pred = b.getAnElement() and
-    b.isReachable(_, predSplits) and
+    b.isReachable(predSplits) and
    succ(pred, succ, c)
  }

@@ -728,12 +728,12 @@ private module Reachability {
     * Holds if the elements of this block are reachable from a callable entry
     *  point, with the splits `splits`.
     */
-    predicate isReachable(CfgScope scope, Splits splits) {
+    predicate isReachable(Splits splits) {
      // Base case
-      succEntrySplits(scope, this, splits, _)
+      succEntrySplits(_, this, splits, _)
      or
      // Recursive case
-      exists(SameSplitsBlock pred, Splits predSplits | pred.isReachable(scope, predSplits) |
+      exists(SameSplitsBlock pred, Splits predSplits | pred.isReachable(predSplits) |
        this = pred.getASuccessor(predSplits, splits)
      )
    }
@@ -791,20 +791,18 @@ private module Cached {
  newtype TCfgNode =
    TEntryNode(CfgScope scope) { succEntrySplits(scope, _, _, _) } or
    TAnnotatedExitNode(CfgScope scope, boolean normal) {
-      exists(Reachability::SameSplitsBlock b, SuccessorType t | b.isReachable(scope, _) |
+      exists(Reachability::SameSplitsBlock b, SuccessorType t | b.isReachable(_) |
        succExitSplits(b.getAnElement(), _, scope, t) and
        if isAbnormalExitType(t) then normal = false else normal = true
      )
    } or
    TExitNode(CfgScope scope) {
-      exists(Reachability::SameSplitsBlock b | b.isReachable(scope, _) |
+      exists(Reachability::SameSplitsBlock b | b.isReachable(_) |
        succExitSplits(b.getAnElement(), _, scope, _)
      )
    } or
-    TElementNode(CfgScope scope, ControlFlowElement cfe, Splits splits) {
-      exists(Reachability::SameSplitsBlock b | b.isReachable(scope, splits) |
-        cfe = b.getAnElement()
-      )
+    TElementNode(ControlFlowElement cfe, Splits splits) {
+      exists(Reachability::SameSplitsBlock b | b.isReachable(splits) | cfe = b.getAnElement())
    }

  /** Gets a successor node of a given flow type, if any. */
@@ -812,24 +810,24 @@ private module Cached {
  TCfgNode getASuccessor(TCfgNode pred, SuccessorType t) {
    // Callable entry node -> callable body
    exists(ControlFlowElement succElement, Splits succSplits, CfgScope scope |
-      result = TElementNode(scope, succElement, succSplits) and
+      result = TElementNode(succElement, succSplits) and
      pred = TEntryNode(scope) and
      succEntrySplits(scope, succElement, succSplits, t)
    )
    or
-    exists(CfgScope scope, ControlFlowElement predElement, Splits predSplits |
-      pred = TElementNode(pragma[only_bind_into](scope), predElement, predSplits)
+    exists(ControlFlowElement predElement, Splits predSplits |
+      pred = TElementNode(predElement, predSplits)
    |
      // Element node -> callable exit (annotated)
-      exists(boolean normal |
-        result = TAnnotatedExitNode(pragma[only_bind_into](scope), normal) and
+      exists(CfgScope scope, boolean normal |
+        result = TAnnotatedExitNode(scope, normal) and
        succExitSplits(predElement, predSplits, scope, t) and
        if isAbnormalExitType(t) then normal = false else normal = true
      )
      or
      // Element node -> element node
      exists(ControlFlowElement succElement, Splits succSplits, Completion c |
-        result = TElementNode(pragma[only_bind_into](scope), succElement, succSplits)
+        result = TElementNode(succElement, succSplits)
      |
        succSplits(predElement, predSplits, succElement, succSplits, c) and
        t = getAMatchingSuccessorType(c)
@@ -855,23 +853,6 @@ private module Cached {
   */
  cached
  ControlFlowElement getAControlFlowExitNode(ControlFlowElement cfe) { last(cfe, result, _) }
-
-  /**
-   * Gets the CFG scope of node `n`. Unlike `getCfgScope`, this predicate
-   * is calculated based on reachability from an entry node, and it may
-   * yield different results for AST elements that are split into multiple
-   * scopes.
-   */
-  cached
-  CfgScope getNodeCfgScope(TCfgNode n) {
-    n = TEntryNode(result)
-    or
-    n = TAnnotatedExitNode(result, _)
-    or
-    n = TExitNode(result)
-    or
-    n = TElementNode(result, _, _)
-  }
 }

 import Cached
@@ -957,45 +938,14 @@ module Consistency {
    not split.hasEntry(pred, succ, c)
  }

-  private class SimpleSuccessorType extends SuccessorType {
-    SimpleSuccessorType() {
-      this = getAMatchingSuccessorType(any(Completion c | completionIsSimple(c)))
-    }
-  }
-
-  private class NormalSuccessorType extends SuccessorType {
-    NormalSuccessorType() {
-      this = getAMatchingSuccessorType(any(Completion c | completionIsNormal(c)))
-    }
-  }
-
  query predicate multipleSuccessors(Node node, SuccessorType t, Node successor) {
+    not node instanceof TEntryNode and
    strictcount(getASuccessor(node, t)) > 1 and
-    successor = getASuccessor(node, t) and
-    // allow for functions with multiple bodies
-    not (t instanceof SimpleSuccessorType and node instanceof TEntryNode)
-  }
-
-  query predicate simpleAndNormalSuccessors(
-    Node node, NormalSuccessorType t1, SimpleSuccessorType t2, Node succ1, Node succ2
-  ) {
-    t1 != t2 and
-    succ1 = getASuccessor(node, t1) and
-    succ2 = getASuccessor(node, t2)
+    successor = getASuccessor(node, t)
  }

  query predicate deadEnd(Node node) {
    not node instanceof TExitNode and
    not exists(getASuccessor(node, _))
  }
-
-  query predicate nonUniqueSplitKind(SplitImpl split, SplitKind sk) {
-    sk = split.getKind() and
-    strictcount(split.getKind()) > 1
-  }
-
-  query predicate nonUniqueListOrder(SplitKind sk, int ord) {
-    ord = sk.getListOrder() and
-    strictcount(sk.getListOrder()) > 1
-  }
 }
--- a/csharp/ql/lib/semmle/code/csharp/controlflow/internal/Splitting.qll
+++ b/csharp/ql/lib/semmle/code/csharp/controlflow/internal/Splitting.qll
@@ -179,7 +179,7 @@ module InitializerSplitting {
   *
   * respectively.
   */
-  private class InitializerSplit extends Split, TInitializerSplit {
+  class InitializerSplit extends Split, TInitializerSplit {
    private Constructor c;

    InitializerSplit() { this = TInitializerSplit(c) }
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll
@@ -78,7 +78,6 @@ private import internal.DataFlowPublic
 private import internal.FlowSummaryImpl::Public
 private import internal.FlowSummaryImpl::Private::External
 private import internal.FlowSummaryImplSpecific
-private import semmle.code.csharp.dispatch.OverridableCallable

 /**
 * A module importing the frameworks that provide external flow data,
@@ -348,15 +347,12 @@ private class UnboundValueOrRefType extends ValueOrRefType {
  }
 }

-private class UnboundCallable extends Callable {
+private class UnboundCallable extends Callable, Virtualizable {
  UnboundCallable() { this.isUnboundDeclaration() }

  predicate overridesOrImplementsUnbound(UnboundCallable that) {
    exists(Callable c |
-      this.(Virtualizable).overridesOrImplementsOrEquals(c) or
-      this = c.(OverridableCallable).getAnUltimateImplementor() or
-      this = c.(OverridableCallable).getAnOverrider+()
-    |
+      this.overridesOrImplementsOrEquals(c) and
      this != c and
      that = c.getUnboundDeclaration()
    )
@@ -413,7 +409,7 @@ private Element interpretElement0(
  string namespace, string type, boolean subtypes, string name, string signature
 ) {
  exists(UnboundValueOrRefType t | elementSpec(namespace, type, subtypes, name, signature, _, t) |
-    exists(Declaration m |
+    exists(Member m |
      (
        result = m
        or
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/FlowSummary.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/FlowSummary.qll
@@ -2,11 +2,7 @@

 import csharp
 private import internal.FlowSummaryImpl as Impl
-private import internal.DataFlowDispatch as DataFlowDispatch
-
-class ParameterPosition = DataFlowDispatch::ParameterPosition;
-
-class ArgumentPosition = DataFlowDispatch::ArgumentPosition;
+private import internal.DataFlowDispatch

 // import all instances below
 private module Summaries {
@@ -18,27 +14,7 @@ class SummaryComponent = Impl::Public::SummaryComponent;

 /** Provides predicates for constructing summary components. */
 module SummaryComponent {
-  private import Impl::Public::SummaryComponent as SummaryComponentInternal
-
-  predicate content = SummaryComponentInternal::content/1;
-
-  /** Gets a summary component for parameter `i`. */
-  SummaryComponent parameter(int i) {
-    exists(ArgumentPosition pos |
-      result = SummaryComponentInternal::parameter(pos) and
-      i = pos.getPosition()
-    )
-  }
-
-  /** Gets a summary component for argument `i`. */
-  SummaryComponent argument(int i) {
-    exists(ParameterPosition pos |
-      result = SummaryComponentInternal::argument(pos) and
-      i = pos.getPosition()
-    )
-  }
-
-  predicate return = SummaryComponentInternal::return/1;
+  import Impl::Public::SummaryComponent

  /** Gets a summary component that represents a qualifier. */
  SummaryComponent qualifier() { result = argument(-1) }
@@ -57,14 +33,14 @@ module SummaryComponent {
  }

  /** Gets a summary component that represents the return value of a call. */
-  SummaryComponent return() { result = return(any(DataFlowDispatch::NormalReturnKind rk)) }
+  SummaryComponent return() { result = return(any(NormalReturnKind rk)) }

  /** Gets a summary component that represents a jump to `c`. */
  SummaryComponent jump(Callable c) {
    result =
-      return(any(DataFlowDispatch::JumpReturnKind jrk |
+      return(any(JumpReturnKind jrk |
          jrk.getTarget() = c.getUnboundDeclaration() and
-          jrk.getTargetReturnKind() instanceof DataFlowDispatch::NormalReturnKind
+          jrk.getTargetReturnKind() instanceof NormalReturnKind
        ))
  }
 }
@@ -73,16 +49,7 @@ class SummaryComponentStack = Impl::Public::SummaryComponentStack;

 /** Provides predicates for constructing stacks of summary components. */
 module SummaryComponentStack {
-  private import Impl::Public::SummaryComponentStack as SummaryComponentStackInternal
-
-  predicate singleton = SummaryComponentStackInternal::singleton/1;
-
-  predicate push = SummaryComponentStackInternal::push/2;
-
-  /** Gets a singleton stack for argument `i`. */
-  SummaryComponentStack argument(int i) { result = singleton(SummaryComponent::argument(i)) }
-
-  predicate return = SummaryComponentStackInternal::return/1;
+  import Impl::Public::SummaryComponentStack

  /** Gets a singleton stack representing a qualifier. */
  SummaryComponentStack qualifier() { result = singleton(SummaryComponent::qualifier()) }
@@ -117,12 +84,12 @@ private class SummarizedCallableDefaultClearsContent extends Impl::Public::Summa
  }

  // By default, we assume that all stores into arguments are definite
-  override predicate clearsContent(ParameterPosition pos, DataFlow::Content content) {
+  override predicate clearsContent(int i, DataFlow::Content content) {
    exists(SummaryComponentStack output |
      this.propagatesFlow(_, output, _) and
      output.drop(_) =
        SummaryComponentStack::push(SummaryComponent::content(content),
-          SummaryComponentStack::argument(pos.getPosition())) and
+          SummaryComponentStack::argument(i)) and
      not content instanceof DataFlow::ElementContent
    )
  }
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/LibraryTypeDataFlow.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/LibraryTypeDataFlow.qll
@@ -102,11 +102,6 @@ module AccessPath {
    result = singleton(any(FieldContent c | c.getField() = f.getUnboundDeclaration()))
  }

-  /** Gets a singleton synthetic field access path. */
-  AccessPath synthetic(SyntheticField f) {
-    result = singleton(any(SyntheticFieldContent c | c.getField() = f))
-  }
-
  /** Gets an access path representing a property inside a collection. */
  AccessPath properties(Property p) { result = TConsAccessPath(any(ElementContent c), property(p)) }
 }
@@ -470,10 +465,10 @@ private module FrameworkDataFlowAdaptor {
      )
    }

-    override predicate clearsContent(ParameterPosition pos, Content content) {
+    override predicate clearsContent(int i, Content content) {
      exists(SummaryComponentStack input |
        ltdf.clearsContent(toCallableFlowSource(input), content, this) and
-        input = SummaryComponentStack::argument(pos.getPosition())
+        input = SummaryComponentStack::singleton(SummaryComponent::argument(i))
      )
    }
  }
@@ -504,6 +499,82 @@ private module FrameworkDataFlowAdaptor {
  }
 }

+/** Data flow for `System.Boolean`. */
+class SystemBooleanFlow extends LibraryTypeDataFlow, SystemBooleanStruct {
+  override predicate callableFlow(
+    CallableFlowSource source, CallableFlowSink sink, SourceDeclarationCallable c,
+    boolean preservesValue
+  ) {
+    this.methodFlow(source, sink, c) and
+    preservesValue = false
+  }
+
+  private predicate methodFlow(
+    CallableFlowSource source, CallableFlowSink sink, SourceDeclarationMethod m
+  ) {
+    m = this.getParseMethod() and
+    (
+      source = TCallableFlowSourceArg(0) and
+      sink = TCallableFlowSinkReturn()
+    )
+    or
+    m = this.getTryParseMethod() and
+    (
+      source = TCallableFlowSourceArg(0) and
+      (
+        sink = TCallableFlowSinkReturn()
+        or
+        sink = TCallableFlowSinkArg(any(int i | m.getParameter(i).isOutOrRef()))
+      )
+    )
+  }
+}
+
+/** Data flow for `System.Uri`. */
+class SystemUriFlow extends LibraryTypeDataFlow, SystemUriClass {
+  override predicate callableFlow(
+    CallableFlowSource source, CallableFlowSink sink, SourceDeclarationCallable c,
+    boolean preservesValue
+  ) {
+    (
+      this.constructorFlow(source, sink, c)
+      or
+      this.methodFlow(source, sink, c)
+      or
+      exists(Property p |
+        this.propertyFlow(p) and
+        source = TCallableFlowSourceQualifier() and
+        sink = TCallableFlowSinkReturn() and
+        c = p.getGetter()
+      )
+    ) and
+    preservesValue = false
+  }
+
+  private predicate constructorFlow(CallableFlowSource source, CallableFlowSink sink, Constructor c) {
+    c = this.getAMember() and
+    c.getParameter(0).getType() instanceof StringType and
+    source = TCallableFlowSourceArg(0) and
+    sink = TCallableFlowSinkReturn()
+  }
+
+  private predicate methodFlow(
+    CallableFlowSource source, CallableFlowSink sink, SourceDeclarationMethod m
+  ) {
+    m = this.getAMethod("ToString") and
+    source = TCallableFlowSourceQualifier() and
+    sink = TCallableFlowSinkReturn()
+  }
+
+  private predicate propertyFlow(Property p) {
+    p = this.getPathAndQueryProperty()
+    or
+    p = this.getQueryProperty()
+    or
+    p = this.getOriginalStringProperty()
+  }
+}
+
 /** Data flow for `System.IO.StringReader`. */
 class SystemIOStringReaderFlow extends LibraryTypeDataFlow, SystemIOStringReaderClass {
  override predicate callableFlow(
@@ -1973,7 +2044,9 @@ class SystemThreadingTasksTaskTFlow extends LibraryTypeDataFlow, SystemThreading
    source = TCallableFlowSourceQualifier() and
    sourceAp = AccessPath::empty() and
    sink = TCallableFlowSinkReturn() and
-    sinkAp = AccessPath::synthetic(any(SyntheticTaskAwaiterUnderlyingTaskField s))
+    sinkAp =
+      AccessPath::field(any(SystemRuntimeCompilerServicesTaskAwaiterStruct s)
+            .getUnderlyingTaskField())
    or
    // var awaitable = task.ConfigureAwait(false);  // <-- new ConfiguredTaskAwaitable<>(task, false)
    //                                              //       m_configuredTaskAwaiter = new ConfiguredTaskAwaiter(task, false)
@@ -1985,40 +2058,21 @@ class SystemThreadingTasksTaskTFlow extends LibraryTypeDataFlow, SystemThreading
    sourceAp = AccessPath::empty() and
    sink = TCallableFlowSinkReturn() and
    sinkAp =
-      AccessPath::cons(any(SyntheticFieldContent sfc |
-          sfc.getField() instanceof SyntheticConfiguredTaskAwaiterField
-        ), AccessPath::synthetic(any(SyntheticConfiguredTaskAwaitableUnderlyingTaskField s)))
+      AccessPath::cons(any(FieldContent fc |
+          fc.getField() =
+            any(SystemRuntimeCompilerServicesConfiguredTaskAwaitableTStruct t)
+                .getUnderlyingAwaiterField()
+        ),
+        AccessPath::field(any(SystemRuntimeCompilerServicesConfiguredTaskAwaitableTConfiguredTaskAwaiterStruct s
+          ).getUnderlyingTaskField()))
  }

  override predicate requiresAccessPath(Content head, AccessPath tail) {
-    head.(SyntheticFieldContent).getField() instanceof SyntheticConfiguredTaskAwaiterField and
-    tail = AccessPath::synthetic(any(SyntheticConfiguredTaskAwaitableUnderlyingTaskField s))
-  }
-}
-
-abstract private class SyntheticTaskField extends SyntheticField {
-  bindingset[this]
-  SyntheticTaskField() { any() }
-
-  override Type getType() { result instanceof SystemThreadingTasksTaskTClass }
-}
-
-private class SyntheticTaskAwaiterUnderlyingTaskField extends SyntheticTaskField {
-  SyntheticTaskAwaiterUnderlyingTaskField() { this = "m_task_task_awaiter" }
-}
-
-private class SyntheticConfiguredTaskAwaitableUnderlyingTaskField extends SyntheticTaskField {
-  SyntheticConfiguredTaskAwaitableUnderlyingTaskField() {
-    this = "m_task_configured_task_awaitable"
-  }
-}
-
-private class SyntheticConfiguredTaskAwaiterField extends SyntheticField {
-  SyntheticConfiguredTaskAwaiterField() { this = "m_configuredTaskAwaiter" }
-
-  override Type getType() {
-    result instanceof
-      SystemRuntimeCompilerServicesConfiguredTaskAwaitableTConfiguredTaskAwaiterStruct
+    head.(FieldContent).getField() =
+      any(SystemRuntimeCompilerServicesConfiguredTaskAwaitableTStruct t).getUnderlyingAwaiterField() and
+    tail =
+      AccessPath::field(any(SystemRuntimeCompilerServicesConfiguredTaskAwaitableTConfiguredTaskAwaiterStruct s
+        ).getUnderlyingTaskField())
  }
 }

@@ -2034,7 +2088,9 @@ private class SystemRuntimeCompilerServicesConfiguredTaskAwaitableTFlow extends
    // var result = awaiter.GetResult();
    c = this.getGetAwaiterMethod() and
    source = TCallableFlowSourceQualifier() and
-    sourceAp = AccessPath::synthetic(any(SyntheticConfiguredTaskAwaiterField s)) and
+    sourceAp =
+      AccessPath::field(any(SystemRuntimeCompilerServicesConfiguredTaskAwaitableTStruct s)
+            .getUnderlyingAwaiterField()) and
    sink = TCallableFlowSinkReturn() and
    sinkAp = AccessPath::empty() and
    preservesValue = true
@@ -2133,15 +2189,14 @@ class SystemRuntimeCompilerServicesTaskAwaiterFlow extends LibraryTypeDataFlow,
    c = this.getGetResultMethod() and
    source = TCallableFlowSourceQualifier() and
    sourceAp =
-      AccessPath::cons(any(SyntheticFieldContent sfc |
-          sfc.getField() instanceof SyntheticTaskAwaiterUnderlyingTaskField
-        ), AccessPath::property(any(SystemThreadingTasksTaskTClass t).getResultProperty())) and
+      AccessPath::cons(any(FieldContent fc | fc.getField() = this.getUnderlyingTaskField()),
+        AccessPath::property(any(SystemThreadingTasksTaskTClass t).getResultProperty())) and
    sink = TCallableFlowSinkReturn() and
    sinkAp = AccessPath::empty()
  }

  override predicate requiresAccessPath(Content head, AccessPath tail) {
-    head.(SyntheticFieldContent).getField() instanceof SyntheticTaskAwaiterUnderlyingTaskField and
+    head.(FieldContent).getField() = this.getUnderlyingTaskField() and
    tail = AccessPath::property(any(SystemThreadingTasksTaskTClass t).getResultProperty())
  }
 }
@@ -2160,16 +2215,14 @@ class SystemRuntimeCompilerServicesConfiguredTaskAwaitableTConfiguredTaskAwaiter
    c = this.getGetResultMethod() and
    source = TCallableFlowSourceQualifier() and
    sourceAp =
-      AccessPath::cons(any(SyntheticFieldContent sfc |
-          sfc.getField() instanceof SyntheticConfiguredTaskAwaitableUnderlyingTaskField
-        ), AccessPath::property(any(SystemThreadingTasksTaskTClass t).getResultProperty())) and
+      AccessPath::cons(any(FieldContent fc | fc.getField() = this.getUnderlyingTaskField()),
+        AccessPath::property(any(SystemThreadingTasksTaskTClass t).getResultProperty())) and
    sink = TCallableFlowSinkReturn() and
    sinkAp = AccessPath::empty()
  }

  override predicate requiresAccessPath(Content head, AccessPath tail) {
-    head.(SyntheticFieldContent).getField() instanceof
-      SyntheticConfiguredTaskAwaitableUnderlyingTaskField and
+    head.(FieldContent).getField() = this.getUnderlyingTaskField() and
    tail = AccessPath::property(any(SystemThreadingTasksTaskTClass t).getResultProperty())
  }
 }
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll
@@ -5,7 +5,7 @@ private import DataFlowImplCommon as DataFlowImplCommon
 private import DataFlowPublic
 private import DataFlowPrivate
 private import FlowSummaryImpl as FlowSummaryImpl
-private import semmle.code.csharp.dataflow.FlowSummary as FlowSummary
+private import semmle.code.csharp.dataflow.FlowSummary
 private import semmle.code.csharp.dataflow.ExternalFlow
 private import semmle.code.csharp.dispatch.Dispatch
 private import semmle.code.csharp.dispatch.RuntimeCallable
@@ -13,7 +13,7 @@ private import semmle.code.csharp.frameworks.system.Collections
 private import semmle.code.csharp.frameworks.system.collections.Generic

 private predicate summarizedCallable(DataFlowCallable c) {
-  c instanceof FlowSummary::SummarizedCallable
+  c instanceof SummarizedCallable
  or
  FlowSummaryImpl::Private::summaryReturnNode(_, TJumpReturnKind(c, _))
  or
@@ -108,27 +108,13 @@ private module Cached {
      // No need to include calls that are compiled from source
      not call.getImplementation().getMethod().compiledFromSource()
    } or
-    TSummaryCall(FlowSummary::SummarizedCallable c, Node receiver) {
+    TSummaryCall(SummarizedCallable c, Node receiver) {
      FlowSummaryImpl::Private::summaryCallbackRange(c, receiver)
    }

  /** Gets a viable run-time target for the call `call`. */
  cached
  DataFlowCallable viableCallable(DataFlowCall call) { result = call.getARuntimeTarget() }
-
-  private int parameterPosition() {
-    result =
-      [
-        -1, any(Parameter p).getPosition(),
-        ImplicitCapturedParameterNodeImpl::getParameterPosition(_)
-      ]
-  }
-
-  cached
-  newtype TParameterPosition = MkParameterPosition(int i) { i = parameterPosition() }
-
-  cached
-  newtype TArgumentPosition = MkArgumentPosition(int i) { i = parameterPosition() }
 }

 import Cached
@@ -402,7 +388,7 @@ class CilDataFlowCall extends DataFlowCall, TCilCall {
 * the method `Select`.
 */
 class SummaryCall extends DelegateDataFlowCall, TSummaryCall {
-  private FlowSummary::SummarizedCallable c;
+  private SummarizedCallable c;
  private Node receiver;

  SummaryCall() { this = TSummaryCall(c, receiver) }
@@ -424,37 +410,3 @@ class SummaryCall extends DelegateDataFlowCall, TSummaryCall {

  override Location getLocation() { result = c.getLocation() }
 }
-
-/** A parameter position represented by an integer. */
-class ParameterPosition extends MkParameterPosition {
-  private int i;
-
-  ParameterPosition() { this = MkParameterPosition(i) }
-
-  /** Gets the underlying integer. */
-  int getPosition() { result = i }
-
-  /** Gets a textual representation of this position. */
-  string toString() { result = i.toString() }
-}
-
-/** An argument position represented by an integer. */
-class ArgumentPosition extends MkArgumentPosition {
-  private int i;
-
-  ArgumentPosition() { this = MkArgumentPosition(i) }
-
-  /** Gets the underlying integer. */
-  int getPosition() { result = i }
-
-  /** Gets a textual representation of this position. */
-  string toString() { result = i.toString() }
-}
-
-/** Holds if arguments at position `apos` match parameters at position `ppos`. */
-predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) {
-  exists(int i |
-    ppos = MkParameterPosition(i) and
-    apos = MkArgumentPosition(i)
-  )
-}
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
  ParamNodeEx() { this.asNode() instanceof ParamNode }

-  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
-    this.asNode().(ParamNode).isParameterOf(c, pos)
+  predicate isParameterOf(DataFlowCallable c, int i) {
+    this.asNode().(ParamNode).isParameterOf(c, i)
  }

-  ParameterPosition getPosition() { this.isParameterOf(_, result) }
+  int getPosition() { this.isParameterOf(_, result) }

  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -1012,9 +1012,6 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

-  bindingset[node, ap]
-  private predicate filter(NodeEx node, Ap ap) { any() }
-
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1023,13 +1020,6 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

-  bindingset[result, apa]
-  private ApApprox unbindApa(ApApprox apa) {
-    exists(ApApprox apa0 |
-      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
-    )
-  }
-
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1052,13 +1042,6 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
-    fwdFlow0(node, cc, argAp, ap, config) and
-    flowCand(node, unbindApa(getApprox(ap)), config) and
-    filter(node, ap)
-  }
-
-  pragma[nomagic]
-  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1129,7 +1112,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1206,7 +1189,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
+      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
    )
  }

@@ -1447,7 +1430,7 @@ private module Stage2 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2142,7 +2125,7 @@ private module Stage3 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2908,7 +2891,7 @@ private module Stage4 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2992,7 +2975,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

-  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }
+  int getParameterPos() { p.isParameterOf(_, result) }

  ParamNodeEx getParamNode() { result = p }

@@ -3639,40 +3622,39 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
 */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
-  AccessPathApprox apa, Configuration config
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
+  Configuration config
 ) {
-  exists(ArgNode arg, ArgumentPosition apos |
+  exists(ArgNode arg |
    arg = mid.getNodeEx().asNode() and
    cc = mid.getCallContext() and
-    arg.argumentOf(call, apos) and
+    arg.argumentOf(call, i) and
    ap = mid.getAp() and
    apa = ap.getApprox() and
-    config = mid.getConfiguration() and
-    parameterMatch(ppos, apos)
+    config = mid.getConfiguration()
  )
 }

 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
  exists(ParamNodeEx p |
    Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, pos)
+    p.isParameterOf(callable, i)
  )
 }

 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
-  DataFlowCall call, AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
+  AccessPath ap, Configuration config
 ) {
  exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
      pragma[only_bind_into](config)) and
    callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
      pragma[only_bind_into](config))
  )
 }
@@ -3687,9 +3669,9 @@ private predicate pathIntoCallable(
  PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
  DataFlowCall call, Configuration config
 ) {
-  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-    p.isParameterOf(callable, pos) and
+  exists(int i, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+    p.isParameterOf(callable, i) and
    (
      sc = TSummaryCtxSome(p, ap)
      or
@@ -3713,7 +3695,7 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
  Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
+  exists(PathNodeMid mid, RetNodeEx ret, int pos |
    mid.getNodeEx() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
@@ -4442,25 +4424,24 @@ private module FlowExploration {

  pragma[noinline]
  private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
-    PartialAccessPath ap, Configuration config
+    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
+    Configuration config
  ) {
-    exists(ArgNode arg, ArgumentPosition apos |
+    exists(ArgNode arg |
      arg = mid.getNodeEx().asNode() and
      cc = mid.getCallContext() and
-      arg.argumentOf(call, apos) and
+      arg.argumentOf(call, i) and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
    DataFlowCall call, PartialAccessPath ap, Configuration config
  ) {
-    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
+    partialPathIntoArg(mid, i, outercc, call, ap, config) and
    callable = resolveCall(call, outercc)
  }

@@ -4469,9 +4450,9 @@ private module FlowExploration {
    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
    Configuration config
  ) {
-    exists(ParameterPosition pos, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-      p.isParameterOf(callable, pos) and
+    exists(int i, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+      p.isParameterOf(callable, i) and
      sc1 = TSummaryCtx1Param(p) and
      sc2 = TSummaryCtx2Some(ap)
    |
@@ -4635,23 +4616,22 @@ private module FlowExploration {

  pragma[nomagic]
  private predicate revPartialPathFlowsThrough(
-    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
-    RevPartialAccessPath ap, Configuration config
+    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
+    Configuration config
  ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
+    exists(PartialPathNodeRev mid, ParamNodeEx p |
      mid.getNodeEx() = p and
-      p.getPosition() = ppos and
+      p.getPosition() = pos and
      sc1 = mid.getSummaryCtx1() and
      sc2 = mid.getSummaryCtx2() and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
    Configuration config
  ) {
    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4664,7 +4644,7 @@ private module FlowExploration {
  private predicate revPartialPathThroughCallable(
    PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
  ) {
-    exists(DataFlowCall call, ArgumentPosition pos |
+    exists(DataFlowCall call, int pos |
      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
      node.asNode().(ArgNode).argumentOf(call, pos)
    )
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
  ParamNodeEx() { this.asNode() instanceof ParamNode }

-  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
-    this.asNode().(ParamNode).isParameterOf(c, pos)
+  predicate isParameterOf(DataFlowCallable c, int i) {
+    this.asNode().(ParamNode).isParameterOf(c, i)
  }

-  ParameterPosition getPosition() { this.isParameterOf(_, result) }
+  int getPosition() { this.isParameterOf(_, result) }

  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -1012,9 +1012,6 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

-  bindingset[node, ap]
-  private predicate filter(NodeEx node, Ap ap) { any() }
-
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1023,13 +1020,6 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

-  bindingset[result, apa]
-  private ApApprox unbindApa(ApApprox apa) {
-    exists(ApApprox apa0 |
-      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
-    )
-  }
-
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1052,13 +1042,6 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
-    fwdFlow0(node, cc, argAp, ap, config) and
-    flowCand(node, unbindApa(getApprox(ap)), config) and
-    filter(node, ap)
-  }
-
-  pragma[nomagic]
-  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1129,7 +1112,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1206,7 +1189,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
+      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
    )
  }

@@ -1447,7 +1430,7 @@ private module Stage2 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2142,7 +2125,7 @@ private module Stage3 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2908,7 +2891,7 @@ private module Stage4 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2992,7 +2975,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

-  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }
+  int getParameterPos() { p.isParameterOf(_, result) }

  ParamNodeEx getParamNode() { result = p }

@@ -3639,40 +3622,39 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
 */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
-  AccessPathApprox apa, Configuration config
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
+  Configuration config
 ) {
-  exists(ArgNode arg, ArgumentPosition apos |
+  exists(ArgNode arg |
    arg = mid.getNodeEx().asNode() and
    cc = mid.getCallContext() and
-    arg.argumentOf(call, apos) and
+    arg.argumentOf(call, i) and
    ap = mid.getAp() and
    apa = ap.getApprox() and
-    config = mid.getConfiguration() and
-    parameterMatch(ppos, apos)
+    config = mid.getConfiguration()
  )
 }

 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
  exists(ParamNodeEx p |
    Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, pos)
+    p.isParameterOf(callable, i)
  )
 }

 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
-  DataFlowCall call, AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
+  AccessPath ap, Configuration config
 ) {
  exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
      pragma[only_bind_into](config)) and
    callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
      pragma[only_bind_into](config))
  )
 }
@@ -3687,9 +3669,9 @@ private predicate pathIntoCallable(
  PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
  DataFlowCall call, Configuration config
 ) {
-  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-    p.isParameterOf(callable, pos) and
+  exists(int i, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+    p.isParameterOf(callable, i) and
    (
      sc = TSummaryCtxSome(p, ap)
      or
@@ -3713,7 +3695,7 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
  Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
+  exists(PathNodeMid mid, RetNodeEx ret, int pos |
    mid.getNodeEx() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
@@ -4442,25 +4424,24 @@ private module FlowExploration {

  pragma[noinline]
  private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
-    PartialAccessPath ap, Configuration config
+    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
+    Configuration config
  ) {
-    exists(ArgNode arg, ArgumentPosition apos |
+    exists(ArgNode arg |
      arg = mid.getNodeEx().asNode() and
      cc = mid.getCallContext() and
-      arg.argumentOf(call, apos) and
+      arg.argumentOf(call, i) and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
    DataFlowCall call, PartialAccessPath ap, Configuration config
  ) {
-    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
+    partialPathIntoArg(mid, i, outercc, call, ap, config) and
    callable = resolveCall(call, outercc)
  }

@@ -4469,9 +4450,9 @@ private module FlowExploration {
    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
    Configuration config
  ) {
-    exists(ParameterPosition pos, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-      p.isParameterOf(callable, pos) and
+    exists(int i, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+      p.isParameterOf(callable, i) and
      sc1 = TSummaryCtx1Param(p) and
      sc2 = TSummaryCtx2Some(ap)
    |
@@ -4635,23 +4616,22 @@ private module FlowExploration {

  pragma[nomagic]
  private predicate revPartialPathFlowsThrough(
-    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
-    RevPartialAccessPath ap, Configuration config
+    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
+    Configuration config
  ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
+    exists(PartialPathNodeRev mid, ParamNodeEx p |
      mid.getNodeEx() = p and
-      p.getPosition() = ppos and
+      p.getPosition() = pos and
      sc1 = mid.getSummaryCtx1() and
      sc2 = mid.getSummaryCtx2() and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
    Configuration config
  ) {
    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4664,7 +4644,7 @@ private module FlowExploration {
  private predicate revPartialPathThroughCallable(
    PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
  ) {
-    exists(DataFlowCall call, ArgumentPosition pos |
+    exists(DataFlowCall call, int pos |
      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
      node.asNode().(ArgNode).argumentOf(call, pos)
    )
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
  ParamNodeEx() { this.asNode() instanceof ParamNode }

-  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
-    this.asNode().(ParamNode).isParameterOf(c, pos)
+  predicate isParameterOf(DataFlowCallable c, int i) {
+    this.asNode().(ParamNode).isParameterOf(c, i)
  }

-  ParameterPosition getPosition() { this.isParameterOf(_, result) }
+  int getPosition() { this.isParameterOf(_, result) }

  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -1012,9 +1012,6 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

-  bindingset[node, ap]
-  private predicate filter(NodeEx node, Ap ap) { any() }
-
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1023,13 +1020,6 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

-  bindingset[result, apa]
-  private ApApprox unbindApa(ApApprox apa) {
-    exists(ApApprox apa0 |
-      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
-    )
-  }
-
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1052,13 +1042,6 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
-    fwdFlow0(node, cc, argAp, ap, config) and
-    flowCand(node, unbindApa(getApprox(ap)), config) and
-    filter(node, ap)
-  }
-
-  pragma[nomagic]
-  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1129,7 +1112,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1206,7 +1189,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
+      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
    )
  }

@@ -1447,7 +1430,7 @@ private module Stage2 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2142,7 +2125,7 @@ private module Stage3 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2908,7 +2891,7 @@ private module Stage4 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2992,7 +2975,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

-  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }
+  int getParameterPos() { p.isParameterOf(_, result) }

  ParamNodeEx getParamNode() { result = p }

@@ -3639,40 +3622,39 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
 */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
-  AccessPathApprox apa, Configuration config
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
+  Configuration config
 ) {
-  exists(ArgNode arg, ArgumentPosition apos |
+  exists(ArgNode arg |
    arg = mid.getNodeEx().asNode() and
    cc = mid.getCallContext() and
-    arg.argumentOf(call, apos) and
+    arg.argumentOf(call, i) and
    ap = mid.getAp() and
    apa = ap.getApprox() and
-    config = mid.getConfiguration() and
-    parameterMatch(ppos, apos)
+    config = mid.getConfiguration()
  )
 }

 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
  exists(ParamNodeEx p |
    Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, pos)
+    p.isParameterOf(callable, i)
  )
 }

 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
-  DataFlowCall call, AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
+  AccessPath ap, Configuration config
 ) {
  exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
      pragma[only_bind_into](config)) and
    callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
      pragma[only_bind_into](config))
  )
 }
@@ -3687,9 +3669,9 @@ private predicate pathIntoCallable(
  PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
  DataFlowCall call, Configuration config
 ) {
-  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-    p.isParameterOf(callable, pos) and
+  exists(int i, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+    p.isParameterOf(callable, i) and
    (
      sc = TSummaryCtxSome(p, ap)
      or
@@ -3713,7 +3695,7 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
  Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
+  exists(PathNodeMid mid, RetNodeEx ret, int pos |
    mid.getNodeEx() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
@@ -4442,25 +4424,24 @@ private module FlowExploration {

  pragma[noinline]
  private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
-    PartialAccessPath ap, Configuration config
+    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
+    Configuration config
  ) {
-    exists(ArgNode arg, ArgumentPosition apos |
+    exists(ArgNode arg |
      arg = mid.getNodeEx().asNode() and
      cc = mid.getCallContext() and
-      arg.argumentOf(call, apos) and
+      arg.argumentOf(call, i) and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
    DataFlowCall call, PartialAccessPath ap, Configuration config
  ) {
-    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
+    partialPathIntoArg(mid, i, outercc, call, ap, config) and
    callable = resolveCall(call, outercc)
  }

@@ -4469,9 +4450,9 @@ private module FlowExploration {
    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
    Configuration config
  ) {
-    exists(ParameterPosition pos, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-      p.isParameterOf(callable, pos) and
+    exists(int i, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+      p.isParameterOf(callable, i) and
      sc1 = TSummaryCtx1Param(p) and
      sc2 = TSummaryCtx2Some(ap)
    |
@@ -4635,23 +4616,22 @@ private module FlowExploration {

  pragma[nomagic]
  private predicate revPartialPathFlowsThrough(
-    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
-    RevPartialAccessPath ap, Configuration config
+    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
+    Configuration config
  ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
+    exists(PartialPathNodeRev mid, ParamNodeEx p |
      mid.getNodeEx() = p and
-      p.getPosition() = ppos and
+      p.getPosition() = pos and
      sc1 = mid.getSummaryCtx1() and
      sc2 = mid.getSummaryCtx2() and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
    Configuration config
  ) {
    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4664,7 +4644,7 @@ private module FlowExploration {
  private predicate revPartialPathThroughCallable(
    PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
  ) {
-    exists(DataFlowCall call, ArgumentPosition pos |
+    exists(DataFlowCall call, int pos |
      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
      node.asNode().(ArgNode).argumentOf(call, pos)
    )
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
  ParamNodeEx() { this.asNode() instanceof ParamNode }

-  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
-    this.asNode().(ParamNode).isParameterOf(c, pos)
+  predicate isParameterOf(DataFlowCallable c, int i) {
+    this.asNode().(ParamNode).isParameterOf(c, i)
  }

-  ParameterPosition getPosition() { this.isParameterOf(_, result) }
+  int getPosition() { this.isParameterOf(_, result) }

  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -1012,9 +1012,6 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

-  bindingset[node, ap]
-  private predicate filter(NodeEx node, Ap ap) { any() }
-
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1023,13 +1020,6 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

-  bindingset[result, apa]
-  private ApApprox unbindApa(ApApprox apa) {
-    exists(ApApprox apa0 |
-      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
-    )
-  }
-
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1052,13 +1042,6 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
-    fwdFlow0(node, cc, argAp, ap, config) and
-    flowCand(node, unbindApa(getApprox(ap)), config) and
-    filter(node, ap)
-  }
-
-  pragma[nomagic]
-  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1129,7 +1112,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1206,7 +1189,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
+      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
    )
  }

@@ -1447,7 +1430,7 @@ private module Stage2 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2142,7 +2125,7 @@ private module Stage3 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2908,7 +2891,7 @@ private module Stage4 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2992,7 +2975,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

-  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }
+  int getParameterPos() { p.isParameterOf(_, result) }

  ParamNodeEx getParamNode() { result = p }

@@ -3639,40 +3622,39 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
 */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
-  AccessPathApprox apa, Configuration config
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
+  Configuration config
 ) {
-  exists(ArgNode arg, ArgumentPosition apos |
+  exists(ArgNode arg |
    arg = mid.getNodeEx().asNode() and
    cc = mid.getCallContext() and
-    arg.argumentOf(call, apos) and
+    arg.argumentOf(call, i) and
    ap = mid.getAp() and
    apa = ap.getApprox() and
-    config = mid.getConfiguration() and
-    parameterMatch(ppos, apos)
+    config = mid.getConfiguration()
  )
 }

 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
  exists(ParamNodeEx p |
    Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, pos)
+    p.isParameterOf(callable, i)
  )
 }

 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
-  DataFlowCall call, AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
+  AccessPath ap, Configuration config
 ) {
  exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
      pragma[only_bind_into](config)) and
    callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
      pragma[only_bind_into](config))
  )
 }
@@ -3687,9 +3669,9 @@ private predicate pathIntoCallable(
  PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
  DataFlowCall call, Configuration config
 ) {
-  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-    p.isParameterOf(callable, pos) and
+  exists(int i, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+    p.isParameterOf(callable, i) and
    (
      sc = TSummaryCtxSome(p, ap)
      or
@@ -3713,7 +3695,7 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
  Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
+  exists(PathNodeMid mid, RetNodeEx ret, int pos |
    mid.getNodeEx() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
@@ -4442,25 +4424,24 @@ private module FlowExploration {

  pragma[noinline]
  private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
-    PartialAccessPath ap, Configuration config
+    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
+    Configuration config
  ) {
-    exists(ArgNode arg, ArgumentPosition apos |
+    exists(ArgNode arg |
      arg = mid.getNodeEx().asNode() and
      cc = mid.getCallContext() and
-      arg.argumentOf(call, apos) and
+      arg.argumentOf(call, i) and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
    DataFlowCall call, PartialAccessPath ap, Configuration config
  ) {
-    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
+    partialPathIntoArg(mid, i, outercc, call, ap, config) and
    callable = resolveCall(call, outercc)
  }

@@ -4469,9 +4450,9 @@ private module FlowExploration {
    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
    Configuration config
  ) {
-    exists(ParameterPosition pos, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-      p.isParameterOf(callable, pos) and
+    exists(int i, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+      p.isParameterOf(callable, i) and
      sc1 = TSummaryCtx1Param(p) and
      sc2 = TSummaryCtx2Some(ap)
    |
@@ -4635,23 +4616,22 @@ private module FlowExploration {

  pragma[nomagic]
  private predicate revPartialPathFlowsThrough(
-    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
-    RevPartialAccessPath ap, Configuration config
+    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
+    Configuration config
  ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
+    exists(PartialPathNodeRev mid, ParamNodeEx p |
      mid.getNodeEx() = p and
-      p.getPosition() = ppos and
+      p.getPosition() = pos and
      sc1 = mid.getSummaryCtx1() and
      sc2 = mid.getSummaryCtx2() and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
    Configuration config
  ) {
    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4664,7 +4644,7 @@ private module FlowExploration {
  private predicate revPartialPathThroughCallable(
    PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
  ) {
-    exists(DataFlowCall call, ArgumentPosition pos |
+    exists(DataFlowCall call, int pos |
      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
      node.asNode().(ArgNode).argumentOf(call, pos)
    )
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
  ParamNodeEx() { this.asNode() instanceof ParamNode }

-  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
-    this.asNode().(ParamNode).isParameterOf(c, pos)
+  predicate isParameterOf(DataFlowCallable c, int i) {
+    this.asNode().(ParamNode).isParameterOf(c, i)
  }

-  ParameterPosition getPosition() { this.isParameterOf(_, result) }
+  int getPosition() { this.isParameterOf(_, result) }

  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -1012,9 +1012,6 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

-  bindingset[node, ap]
-  private predicate filter(NodeEx node, Ap ap) { any() }
-
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1023,13 +1020,6 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

-  bindingset[result, apa]
-  private ApApprox unbindApa(ApApprox apa) {
-    exists(ApApprox apa0 |
-      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
-    )
-  }
-
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1052,13 +1042,6 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
-    fwdFlow0(node, cc, argAp, ap, config) and
-    flowCand(node, unbindApa(getApprox(ap)), config) and
-    filter(node, ap)
-  }
-
-  pragma[nomagic]
-  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1129,7 +1112,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1206,7 +1189,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
+      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
    )
  }

@@ -1447,7 +1430,7 @@ private module Stage2 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2142,7 +2125,7 @@ private module Stage3 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2908,7 +2891,7 @@ private module Stage4 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2992,7 +2975,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

-  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }
+  int getParameterPos() { p.isParameterOf(_, result) }

  ParamNodeEx getParamNode() { result = p }

@@ -3639,40 +3622,39 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
 */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
-  AccessPathApprox apa, Configuration config
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
+  Configuration config
 ) {
-  exists(ArgNode arg, ArgumentPosition apos |
+  exists(ArgNode arg |
    arg = mid.getNodeEx().asNode() and
    cc = mid.getCallContext() and
-    arg.argumentOf(call, apos) and
+    arg.argumentOf(call, i) and
    ap = mid.getAp() and
    apa = ap.getApprox() and
-    config = mid.getConfiguration() and
-    parameterMatch(ppos, apos)
+    config = mid.getConfiguration()
  )
 }

 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
  exists(ParamNodeEx p |
    Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, pos)
+    p.isParameterOf(callable, i)
  )
 }

 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
-  DataFlowCall call, AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
+  AccessPath ap, Configuration config
 ) {
  exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
      pragma[only_bind_into](config)) and
    callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
      pragma[only_bind_into](config))
  )
 }
@@ -3687,9 +3669,9 @@ private predicate pathIntoCallable(
  PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
  DataFlowCall call, Configuration config
 ) {
-  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-    p.isParameterOf(callable, pos) and
+  exists(int i, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+    p.isParameterOf(callable, i) and
    (
      sc = TSummaryCtxSome(p, ap)
      or
@@ -3713,7 +3695,7 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
  Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
+  exists(PathNodeMid mid, RetNodeEx ret, int pos |
    mid.getNodeEx() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
@@ -4442,25 +4424,24 @@ private module FlowExploration {

  pragma[noinline]
  private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
-    PartialAccessPath ap, Configuration config
+    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
+    Configuration config
  ) {
-    exists(ArgNode arg, ArgumentPosition apos |
+    exists(ArgNode arg |
      arg = mid.getNodeEx().asNode() and
      cc = mid.getCallContext() and
-      arg.argumentOf(call, apos) and
+      arg.argumentOf(call, i) and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
    DataFlowCall call, PartialAccessPath ap, Configuration config
  ) {
-    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
+    partialPathIntoArg(mid, i, outercc, call, ap, config) and
    callable = resolveCall(call, outercc)
  }

@@ -4469,9 +4450,9 @@ private module FlowExploration {
    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
    Configuration config
  ) {
-    exists(ParameterPosition pos, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-      p.isParameterOf(callable, pos) and
+    exists(int i, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+      p.isParameterOf(callable, i) and
      sc1 = TSummaryCtx1Param(p) and
      sc2 = TSummaryCtx2Some(ap)
    |
@@ -4635,23 +4616,22 @@ private module FlowExploration {

  pragma[nomagic]
  private predicate revPartialPathFlowsThrough(
-    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
-    RevPartialAccessPath ap, Configuration config
+    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
+    Configuration config
  ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
+    exists(PartialPathNodeRev mid, ParamNodeEx p |
      mid.getNodeEx() = p and
-      p.getPosition() = ppos and
+      p.getPosition() = pos and
      sc1 = mid.getSummaryCtx1() and
      sc2 = mid.getSummaryCtx2() and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
    Configuration config
  ) {
    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4664,7 +4644,7 @@ private module FlowExploration {
  private predicate revPartialPathThroughCallable(
    PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
  ) {
-    exists(DataFlowCall call, ArgumentPosition pos |
+    exists(DataFlowCall call, int pos |
      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
      node.asNode().(ArgNode).argumentOf(call, pos)
    )
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
@@ -62,18 +62,6 @@ predicate accessPathCostLimits(int apLimit, int tupleLimit) {
  tupleLimit = 1000
 }

-/**
- * Holds if `arg` is an argument of `call` with an argument position that matches
- * parameter position `ppos`.
- */
-pragma[noinline]
-predicate argumentPositionMatch(DataFlowCall call, ArgNode arg, ParameterPosition ppos) {
-  exists(ArgumentPosition apos |
-    arg.argumentOf(call, apos) and
-    parameterMatch(ppos, apos)
-  )
-}
-
 /**
 * Provides a simple data-flow analysis for resolving lambda calls. The analysis
 * currently excludes read-steps, store-steps, and flow-through.
@@ -83,27 +71,25 @@ predicate argumentPositionMatch(DataFlowCall call, ArgNode arg, ParameterPositio
 * calls. For this reason, we cannot reuse the code from `DataFlowImpl.qll` directly.
 */
 private module LambdaFlow {
-  pragma[noinline]
-  private predicate viableParamNonLambda(DataFlowCall call, ParameterPosition ppos, ParamNode p) {
-    p.isParameterOf(viableCallable(call), ppos)
+  private predicate viableParamNonLambda(DataFlowCall call, int i, ParamNode p) {
+    p.isParameterOf(viableCallable(call), i)
  }

-  pragma[noinline]
-  private predicate viableParamLambda(DataFlowCall call, ParameterPosition ppos, ParamNode p) {
-    p.isParameterOf(viableCallableLambda(call, _), ppos)
+  private predicate viableParamLambda(DataFlowCall call, int i, ParamNode p) {
+    p.isParameterOf(viableCallableLambda(call, _), i)
  }

  private predicate viableParamArgNonLambda(DataFlowCall call, ParamNode p, ArgNode arg) {
-    exists(ParameterPosition ppos |
-      viableParamNonLambda(call, ppos, p) and
-      argumentPositionMatch(call, arg, ppos)
+    exists(int i |
+      viableParamNonLambda(call, i, p) and
+      arg.argumentOf(call, i)
    )
  }

  private predicate viableParamArgLambda(DataFlowCall call, ParamNode p, ArgNode arg) {
-    exists(ParameterPosition ppos |
-      viableParamLambda(call, ppos, p) and
-      argumentPositionMatch(call, arg, ppos)
+    exists(int i |
+      viableParamLambda(call, i, p) and
+      arg.argumentOf(call, i)
    )
  }

@@ -336,7 +322,7 @@ private module Cached {
    or
    exists(ArgNode arg |
      result.(PostUpdateNode).getPreUpdateNode() = arg and
-      arg.argumentOf(call, k.(ParamUpdateReturnKind).getAMatchingArgumentPosition())
+      arg.argumentOf(call, k.(ParamUpdateReturnKind).getPosition())
    )
  }

@@ -344,7 +330,7 @@ private module Cached {
  predicate returnNodeExt(Node n, ReturnKindExt k) {
    k = TValueReturn(n.(ReturnNode).getKind())
    or
-    exists(ParamNode p, ParameterPosition pos |
+    exists(ParamNode p, int pos |
      parameterValueFlowsToPreUpdate(p, n) and
      p.isParameterOf(_, pos) and
      k = TParamUpdate(pos)
@@ -366,13 +352,11 @@ private module Cached {
  }

  cached
-  predicate parameterNode(Node p, DataFlowCallable c, ParameterPosition pos) {
-    isParameterNode(p, c, pos)
-  }
+  predicate parameterNode(Node p, DataFlowCallable c, int pos) { isParameterNode(p, c, pos) }

  cached
-  predicate argumentNode(Node n, DataFlowCall call, ArgumentPosition pos) {
-    isArgumentNode(n, call, pos)
+  predicate argumentNode(Node n, DataFlowCall call, int pos) {
+    n.(ArgumentNode).argumentOf(call, pos)
  }

  /**
@@ -390,12 +374,12 @@ private module Cached {
  }

  /**
-   * Holds if `p` is the parameter of a viable dispatch target of `call`,
-   * and `p` has position `ppos`.
+   * Holds if `p` is the `i`th parameter of a viable dispatch target of `call`.
+   * The instance parameter is considered to have index `-1`.
   */
  pragma[nomagic]
-  private predicate viableParam(DataFlowCall call, ParameterPosition ppos, ParamNode p) {
-    p.isParameterOf(viableCallableExt(call), ppos)
+  private predicate viableParam(DataFlowCall call, int i, ParamNode p) {
+    p.isParameterOf(viableCallableExt(call), i)
  }

  /**
@@ -404,9 +388,9 @@ private module Cached {
   */
  cached
  predicate viableParamArg(DataFlowCall call, ParamNode p, ArgNode arg) {
-    exists(ParameterPosition ppos |
-      viableParam(call, ppos, p) and
-      argumentPositionMatch(call, arg, ppos) and
+    exists(int i |
+      viableParam(call, i, p) and
+      arg.argumentOf(call, i) and
      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p))
    )
  }
@@ -878,7 +862,7 @@ private module Cached {
  cached
  newtype TReturnKindExt =
    TValueReturn(ReturnKind kind) or
-    TParamUpdate(ParameterPosition pos) { exists(ParamNode p | p.isParameterOf(_, pos)) }
+    TParamUpdate(int pos) { exists(ParamNode p | p.isParameterOf(_, pos)) }

  cached
  newtype TBooleanOption =
@@ -1070,9 +1054,9 @@ class ParamNode extends Node {

  /**
   * Holds if this node is the parameter of callable `c` at the specified
-   * position.
+   * (zero-based) position.
   */
-  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { parameterNode(this, c, pos) }
+  predicate isParameterOf(DataFlowCallable c, int i) { parameterNode(this, c, i) }
 }

 /** A data-flow node that represents a call argument. */
@@ -1080,9 +1064,7 @@ class ArgNode extends Node {
  ArgNode() { argumentNode(this, _, _) }

  /** Holds if this argument occurs at the given position in the given call. */
-  final predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
-    argumentNode(this, call, pos)
-  }
+  final predicate argumentOf(DataFlowCall call, int pos) { argumentNode(this, call, pos) }
 }

 /**
@@ -1128,14 +1110,11 @@ class ValueReturnKind extends ReturnKindExt, TValueReturn {
 }

 class ParamUpdateReturnKind extends ReturnKindExt, TParamUpdate {
-  private ParameterPosition pos;
+  private int pos;

  ParamUpdateReturnKind() { this = TParamUpdate(pos) }

-  ParameterPosition getPosition() { result = pos }
-
-  pragma[nomagic]
-  ArgumentPosition getAMatchingArgumentPosition() { parameterMatch(pos, result) }
+  int getPosition() { result = pos }

  override string toString() { result = "param update " + pos }
 }
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
@@ -6,7 +6,7 @@ private import DataFlowDispatch
 private import DataFlowImplCommon
 private import ControlFlowReachability
 private import FlowSummaryImpl as FlowSummaryImpl
-private import semmle.code.csharp.dataflow.FlowSummary as FlowSummary
+private import semmle.code.csharp.dataflow.FlowSummary
 private import semmle.code.csharp.Conversion
 private import semmle.code.csharp.dataflow.internal.SsaImpl as SsaImpl
 private import semmle.code.csharp.ExprOrStmtParent
@@ -22,14 +22,7 @@ private import semmle.code.csharp.frameworks.system.threading.Tasks
 DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.getEnclosingCallable() }

 /** Holds if `p` is a `ParameterNode` of `c` with position `pos`. */
-predicate isParameterNode(ParameterNode p, DataFlowCallable c, ParameterPosition pos) {
-  exists(int i | pos = MkParameterPosition(i) and p.isParameterOf(c, i))
-}
-
-/** Holds if `arg` is an `ArgumentNode` of `c` with position `pos`. */
-predicate isArgumentNode(ArgumentNode arg, DataFlowCall c, ArgumentPosition pos) {
-  exists(int i | pos = MkArgumentPosition(i) and arg.argumentOf(c, i))
-}
+predicate isParameterNode(ParameterNode p, DataFlowCallable c, int pos) { p.isParameterOf(c, pos) }

 abstract class NodeImpl extends Node {
  /** Do not call: use `getEnclosingCallable()` instead. */
@@ -501,12 +494,9 @@ private predicate fieldOrPropertyStore(Expr e, Content c, Expr src, Expr q, bool
      f.isFieldLike() and
      f instanceof InstanceFieldOrProperty
      or
-      exists(
-        FlowSummary::SummarizedCallable callable,
-        FlowSummaryImpl::Public::SummaryComponentStack input
-      |
+      exists(SummarizedCallable callable, FlowSummaryImpl::Public::SummaryComponentStack input |
        callable.propagatesFlow(input, _, _) and
-        input.contains(FlowSummary::SummaryComponent::content(f.getContent()))
+        input.contains(SummaryComponent::content(f.getContent()))
      )
    )
  |
@@ -728,7 +718,7 @@ private module Cached {
        cfn.getElement() = fla.getQualifier()
      )
    } or
-    TSummaryNode(FlowSummary::SummarizedCallable c, FlowSummaryImpl::Private::SummaryNodeState state) {
+    TSummaryNode(SummarizedCallable c, FlowSummaryImpl::Private::SummaryNodeState state) {
      FlowSummaryImpl::Private::summaryNodeRange(c, state)
    } or
    TParamsArgumentNode(ControlFlow::Node callCfn) {
@@ -759,8 +749,7 @@ private module Cached {
  newtype TContent =
    TFieldContent(Field f) { f.isUnboundDeclaration() } or
    TPropertyContent(Property p) { p.isUnboundDeclaration() } or
-    TElementContent() or
-    TSyntheticFieldContent(SyntheticField f)
+    TElementContent()

  pragma[nomagic]
  private predicate commonSubTypeGeneral(DataFlowTypeOrUnifiable t1, RelevantDataFlowType t2) {
@@ -805,13 +794,11 @@ predicate nodeIsHidden(Node n) {
  exists(Parameter p | p = n.(ParameterNode).getParameter() |
    not p.fromSource()
    or
-    p.getCallable() instanceof FlowSummary::SummarizedCallable
+    p.getCallable() instanceof SummarizedCallable
  )
  or
  n =
-    TInstanceParameterNode(any(Callable c |
-        not c.fromSource() or c instanceof FlowSummary::SummarizedCallable
-      ))
+    TInstanceParameterNode(any(Callable c | not c.fromSource() or c instanceof SummarizedCallable))
  or
  n instanceof YieldReturnNode
  or
@@ -1144,10 +1131,7 @@ private module ArgumentNodes {
    SummaryArgumentNode() { FlowSummaryImpl::Private::summaryArgumentNode(_, this, _) }

    override predicate argumentOf(DataFlowCall call, int pos) {
-      exists(ArgumentPosition apos |
-        FlowSummaryImpl::Private::summaryArgumentNode(call, this, apos) and
-        apos.getPosition() = pos
-      )
+      FlowSummaryImpl::Private::summaryArgumentNode(call, this, pos)
    }
  }
 }
@@ -1437,7 +1421,7 @@ import OutNodes

 /** A data-flow node used to model flow summaries. */
 private class SummaryNode extends NodeImpl, TSummaryNode {
-  private FlowSummary::SummarizedCallable c;
+  private SummarizedCallable c;
  private FlowSummaryImpl::Private::SummaryNodeState state;

  SummaryNode() { this = TSummaryNode(c, state) }
@@ -1780,10 +1764,6 @@ private class DataFlowNullType extends DataFlowType {
  }
 }

-private class DataFlowUnknownType extends DataFlowType {
-  DataFlowUnknownType() { this = Gvn::getGlobalValueNumber(any(UnknownType ut)) }
-}
-
 /**
 * Holds if `t1` and `t2` are compatible, that is, whether data can flow from
 * a node of type `t1` to a node of type `t2`.
@@ -1803,10 +1783,6 @@ predicate compatibleTypes(DataFlowType t1, DataFlowType t2) {
  t1 instanceof Gvn::TypeParameterGvnType
  or
  t2 instanceof Gvn::TypeParameterGvnType
-  or
-  t1 instanceof DataFlowUnknownType
-  or
-  t2 instanceof DataFlowUnknownType
 }

 /**
@@ -2047,12 +2023,3 @@ predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preserves
 predicate allowParameterReturnInSelf(ParameterNode p) {
  FlowSummaryImpl::Private::summaryAllowParameterReturnInSelf(p)
 }
-
-/** A synthetic field. */
-abstract class SyntheticField extends string {
-  bindingset[this]
-  SyntheticField() { any() }
-
-  /** Gets the type of this synthetic field. */
-  Type getType() { result instanceof ObjectType }
-}
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPublic.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPublic.qll
@@ -224,18 +224,6 @@ class FieldContent extends Content, TFieldContent {
  deprecated override Gvn::GvnType getType() { result = Gvn::getGlobalValueNumber(f.getType()) }
 }

-/** A reference to a synthetic field. */
-class SyntheticFieldContent extends Content, TSyntheticFieldContent {
-  private SyntheticField f;
-
-  SyntheticFieldContent() { this = TSyntheticFieldContent(f) }
-
-  /** Gets the underlying synthetic field. */
-  SyntheticField getField() { result = f }
-
-  override string toString() { result = "synthetic " + f.toString() }
-}
-
 /** A reference to a property. */
 class PropertyContent extends Content, TPropertyContent {
  private Property p;
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DelegateDataFlow.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DelegateDataFlow.qll
@@ -12,6 +12,7 @@ private import semmle.code.csharp.dataflow.CallContext
 private import semmle.code.csharp.dataflow.internal.DataFlowDispatch
 private import semmle.code.csharp.dataflow.internal.DataFlowPrivate
 private import semmle.code.csharp.dataflow.internal.DataFlowPublic
+private import semmle.code.csharp.dataflow.FlowSummary
 private import semmle.code.csharp.dispatch.Dispatch
 private import semmle.code.csharp.frameworks.system.linq.Expressions

--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll
@@ -26,13 +26,9 @@ module Public {
    string toString() {
      exists(Content c | this = TContentSummaryComponent(c) and result = c.toString())
      or
-      exists(ArgumentPosition pos |
-        this = TParameterSummaryComponent(pos) and result = "parameter " + pos
-      )
+      exists(int i | this = TParameterSummaryComponent(i) and result = "parameter " + i)
      or
-      exists(ParameterPosition pos |
-        this = TArgumentSummaryComponent(pos) and result = "argument " + pos
-      )
+      exists(int i | this = TArgumentSummaryComponent(i) and result = "argument " + i)
      or
      exists(ReturnKind rk | this = TReturnSummaryComponent(rk) and result = "return (" + rk + ")")
    }
@@ -43,11 +39,11 @@ module Public {
    /** Gets a summary component for content `c`. */
    SummaryComponent content(Content c) { result = TContentSummaryComponent(c) }

-    /** Gets a summary component for a parameter at position `pos`. */
-    SummaryComponent parameter(ArgumentPosition pos) { result = TParameterSummaryComponent(pos) }
+    /** Gets a summary component for parameter `i`. */
+    SummaryComponent parameter(int i) { result = TParameterSummaryComponent(i) }

-    /** Gets a summary component for an argument at position `pos`. */
-    SummaryComponent argument(ParameterPosition pos) { result = TArgumentSummaryComponent(pos) }
+    /** Gets a summary component for argument `i`. */
+    SummaryComponent argument(int i) { result = TArgumentSummaryComponent(i) }

    /** Gets a summary component for a return of kind `rk`. */
    SummaryComponent return(ReturnKind rk) { result = TReturnSummaryComponent(rk) }
@@ -124,10 +120,8 @@ module Public {
      result = TConsSummaryComponentStack(head, tail)
    }

-    /** Gets a singleton stack for an argument at position `pos`. */
-    SummaryComponentStack argument(ParameterPosition pos) {
-      result = singleton(SummaryComponent::argument(pos))
-    }
+    /** Gets a singleton stack for argument `i`. */
+    SummaryComponentStack argument(int i) { result = singleton(SummaryComponent::argument(i)) }

    /** Gets a singleton stack representing a return of kind `rk`. */
    SummaryComponentStack return(ReturnKind rk) { result = singleton(SummaryComponent::return(rk)) }
@@ -143,15 +137,9 @@ module Public {
    or
    noComponentSpecificCsv(sc) and
    (
-      exists(ArgumentPosition pos |
-        sc = TParameterSummaryComponent(pos) and
-        result = "Parameter[" + getArgumentPositionCsv(pos) + "]"
-      )
+      exists(int i | sc = TParameterSummaryComponent(i) and result = "Parameter[" + i + "]")
      or
-      exists(ParameterPosition pos |
-        sc = TArgumentSummaryComponent(pos) and
-        result = "Argument[" + getParameterPositionCsv(pos) + "]"
-      )
+      exists(int i | sc = TArgumentSummaryComponent(i) and result = "Argument[" + i + "]")
      or
      sc = TReturnSummaryComponent(getReturnValueKind()) and result = "ReturnValue"
    )
@@ -213,10 +201,10 @@ module Public {

    /**
     * Holds if values stored inside `content` are cleared on objects passed as
-     * arguments at position `pos` to this callable.
+     * the `i`th argument to this callable.
     */
    pragma[nomagic]
-    predicate clearsContent(ParameterPosition pos, Content content) { none() }
+    predicate clearsContent(int i, Content content) { none() }
  }
 }

@@ -229,11 +217,11 @@ module Private {

  newtype TSummaryComponent =
    TContentSummaryComponent(Content c) or
-    TParameterSummaryComponent(ArgumentPosition pos) or
-    TArgumentSummaryComponent(ParameterPosition pos) or
+    TParameterSummaryComponent(int i) { parameterPosition(i) } or
+    TArgumentSummaryComponent(int i) { parameterPosition(i) } or
    TReturnSummaryComponent(ReturnKind rk)

-  private TParameterSummaryComponent thisParam() {
+  private TSummaryComponent thisParam() {
    result = TParameterSummaryComponent(instanceParameterPosition())
  }

@@ -297,9 +285,9 @@ module Private {

  /**
   * Holds if `c` has a flow summary from `input` to `arg`, where `arg`
-   * writes to (contents of) arguments at position `pos`, and `c` has a
-   * value-preserving flow summary from the arguments at position `pos`
-   * to a return value (`return`).
+   * writes to (contents of) the `i`th argument, and `c` has a
+   * value-preserving flow summary from the `i`th argument to a return value
+   * (`return`).
   *
   * In such a case, we derive flow from `input` to (contents of) the return
   * value.
@@ -314,10 +302,10 @@ module Private {
    SummarizedCallable c, SummaryComponentStack input, SummaryComponentStack arg,
    SummaryComponentStack return, boolean preservesValue
  ) {
-    exists(ParameterPosition pos |
+    exists(int i |
      summary(c, input, arg, preservesValue) and
-      isContentOfArgument(arg, pos) and
-      summary(c, SummaryComponentStack::argument(pos), return, true) and
+      isContentOfArgument(arg, i) and
+      summary(c, SummaryComponentStack::singleton(TArgumentSummaryComponent(i)), return, true) and
      return.bottom() = TReturnSummaryComponent(_)
    )
  }
@@ -342,10 +330,10 @@ module Private {
    s.head() = TParameterSummaryComponent(_) and exists(s.tail())
  }

-  private predicate isContentOfArgument(SummaryComponentStack s, ParameterPosition pos) {
-    s.head() = TContentSummaryComponent(_) and isContentOfArgument(s.tail(), pos)
+  private predicate isContentOfArgument(SummaryComponentStack s, int i) {
+    s.head() = TContentSummaryComponent(_) and isContentOfArgument(s.tail(), i)
    or
-    s = SummaryComponentStack::argument(pos)
+    s = TSingletonSummaryComponentStack(TArgumentSummaryComponent(i))
  }

  private predicate outputState(SummarizedCallable c, SummaryComponentStack s) {
@@ -376,8 +364,8 @@ module Private {
  private newtype TSummaryNodeState =
    TSummaryNodeInputState(SummaryComponentStack s) { inputState(_, s) } or
    TSummaryNodeOutputState(SummaryComponentStack s) { outputState(_, s) } or
-    TSummaryNodeClearsContentState(ParameterPosition pos, boolean post) {
-      any(SummarizedCallable sc).clearsContent(pos, _) and post in [false, true]
+    TSummaryNodeClearsContentState(int i, boolean post) {
+      any(SummarizedCallable sc).clearsContent(i, _) and post in [false, true]
    }

  /**
@@ -426,23 +414,21 @@ module Private {
        result = "to write: " + s
      )
      or
-      exists(ParameterPosition pos, boolean post, string postStr |
-        this = TSummaryNodeClearsContentState(pos, post) and
+      exists(int i, boolean post, string postStr |
+        this = TSummaryNodeClearsContentState(i, post) and
        (if post = true then postStr = " (post)" else postStr = "") and
-        result = "clear: " + pos + postStr
+        result = "clear: " + i + postStr
      )
    }
  }

  /**
-   * Holds if `state` represents having read from a parameter at position
-   * `pos` in `c`. In this case we are not synthesizing a data-flow node,
-   * but instead assume that a relevant parameter node already exists.
+   * Holds if `state` represents having read the `i`th argument for `c`. In this case
+   * we are not synthesizing a data-flow node, but instead assume that a relevant
+   * parameter node already exists.
   */
-  private predicate parameterReadState(
-    SummarizedCallable c, SummaryNodeState state, ParameterPosition pos
-  ) {
-    state.isInputState(c, SummaryComponentStack::argument(pos))
+  private predicate parameterReadState(SummarizedCallable c, SummaryNodeState state, int i) {
+    state.isInputState(c, SummaryComponentStack::argument(i))
  }

  /**
@@ -455,9 +441,9 @@ module Private {
    or
    state.isOutputState(c, _)
    or
-    exists(ParameterPosition pos |
-      c.clearsContent(pos, _) and
-      state = TSummaryNodeClearsContentState(pos, _)
+    exists(int i |
+      c.clearsContent(i, _) and
+      state = TSummaryNodeClearsContentState(i, _)
    )
  }

@@ -466,9 +452,9 @@ module Private {
    exists(SummaryNodeState state | state.isInputState(c, s) |
      result = summaryNode(c, state)
      or
-      exists(ParameterPosition pos |
-        parameterReadState(c, state, pos) and
-        result.(ParamNode).isParameterOf(c, pos)
+      exists(int i |
+        parameterReadState(c, state, i) and
+        result.(ParamNode).isParameterOf(c, i)
      )
    )
  }
@@ -482,20 +468,20 @@ module Private {
  }

  /**
-   * Holds if a write targets `post`, which is a post-update node for a
-   * parameter at position `pos` in `c`.
+   * Holds if a write targets `post`, which is a post-update node for the `i`th
+   * parameter of `c`.
   */
-  private predicate isParameterPostUpdate(Node post, SummarizedCallable c, ParameterPosition pos) {
-    post = summaryNodeOutputState(c, SummaryComponentStack::argument(pos))
+  private predicate isParameterPostUpdate(Node post, SummarizedCallable c, int i) {
+    post = summaryNodeOutputState(c, SummaryComponentStack::argument(i))
  }

-  /** Holds if a parameter node at position `pos` is required for `c`. */
-  predicate summaryParameterNodeRange(SummarizedCallable c, ParameterPosition pos) {
-    parameterReadState(c, _, pos)
+  /** Holds if a parameter node is required for the `i`th parameter of `c`. */
+  predicate summaryParameterNodeRange(SummarizedCallable c, int i) {
+    parameterReadState(c, _, i)
    or
-    isParameterPostUpdate(_, c, pos)
+    isParameterPostUpdate(_, c, i)
    or
-    c.clearsContent(pos, _)
+    c.clearsContent(i, _)
  }

  private predicate callbackOutput(
@@ -507,10 +493,10 @@ module Private {
  }

  private predicate callbackInput(
-    SummarizedCallable c, SummaryComponentStack s, Node receiver, ArgumentPosition pos
+    SummarizedCallable c, SummaryComponentStack s, Node receiver, int i
  ) {
    any(SummaryNodeState state).isOutputState(c, s) and
-    s.head() = TParameterSummaryComponent(pos) and
+    s.head() = TParameterSummaryComponent(i) and
    receiver = summaryNodeInputState(c, s.drop(1))
  }

@@ -561,17 +547,17 @@ module Private {
          result = getReturnType(c, rk)
        )
        or
-        exists(ArgumentPosition pos | head = TParameterSummaryComponent(pos) |
+        exists(int i | head = TParameterSummaryComponent(i) |
          result =
            getCallbackParameterType(getNodeType(summaryNodeInputState(pragma[only_bind_out](c),
-                  s.drop(1))), pos)
+                  s.drop(1))), i)
        )
      )
    )
    or
-    exists(SummarizedCallable c, ParameterPosition pos, ParamNode p |
-      n = summaryNode(c, TSummaryNodeClearsContentState(pos, false)) and
-      p.isParameterOf(c, pos) and
+    exists(SummarizedCallable c, int i, ParamNode p |
+      n = summaryNode(c, TSummaryNodeClearsContentState(i, false)) and
+      p.isParameterOf(c, i) and
      result = getNodeType(p)
    )
  }
@@ -585,10 +571,10 @@ module Private {
    )
  }

-  /** Holds if summary node `arg` is at position `pos` in the call `c`. */
-  predicate summaryArgumentNode(DataFlowCall c, Node arg, ArgumentPosition pos) {
+  /** Holds if summary node `arg` is the `i`th argument of call `c`. */
+  predicate summaryArgumentNode(DataFlowCall c, Node arg, int i) {
    exists(SummarizedCallable callable, SummaryComponentStack s, Node receiver |
-      callbackInput(callable, s, receiver, pos) and
+      callbackInput(callable, s, receiver, i) and
      arg = summaryNodeOutputState(callable, s) and
      c = summaryDataFlowCall(receiver)
    )
@@ -596,12 +582,12 @@ module Private {

  /** Holds if summary node `post` is a post-update node with pre-update node `pre`. */
  predicate summaryPostUpdateNode(Node post, Node pre) {
-    exists(SummarizedCallable c, ParameterPosition pos |
-      isParameterPostUpdate(post, c, pos) and
-      pre.(ParamNode).isParameterOf(c, pos)
+    exists(SummarizedCallable c, int i |
+      isParameterPostUpdate(post, c, i) and
+      pre.(ParamNode).isParameterOf(c, i)
      or
-      pre = summaryNode(c, TSummaryNodeClearsContentState(pos, false)) and
-      post = summaryNode(c, TSummaryNodeClearsContentState(pos, true))
+      pre = summaryNode(c, TSummaryNodeClearsContentState(i, false)) and
+      post = summaryNode(c, TSummaryNodeClearsContentState(i, true))
    )
    or
    exists(SummarizedCallable callable, SummaryComponentStack s |
@@ -624,13 +610,13 @@ module Private {
   * node, and back out to `p`.
   */
  predicate summaryAllowParameterReturnInSelf(ParamNode p) {
-    exists(SummarizedCallable c, ParameterPosition ppos | p.isParameterOf(c, ppos) |
-      c.clearsContent(ppos, _)
+    exists(SummarizedCallable c, int i | p.isParameterOf(c, i) |
+      c.clearsContent(i, _)
      or
      exists(SummaryComponentStack inputContents, SummaryComponentStack outputContents |
        summary(c, inputContents, outputContents, _) and
-        inputContents.bottom() = pragma[only_bind_into](TArgumentSummaryComponent(ppos)) and
-        outputContents.bottom() = pragma[only_bind_into](TArgumentSummaryComponent(ppos))
+        inputContents.bottom() = pragma[only_bind_into](TArgumentSummaryComponent(i)) and
+        outputContents.bottom() = pragma[only_bind_into](TArgumentSummaryComponent(i))
      )
    )
  }
@@ -655,9 +641,9 @@ module Private {
        preservesValue = false and not summary(c, inputContents, outputContents, true)
      )
      or
-      exists(SummarizedCallable c, ParameterPosition pos |
-        pred.(ParamNode).isParameterOf(c, pos) and
-        succ = summaryNode(c, TSummaryNodeClearsContentState(pos, _)) and
+      exists(SummarizedCallable c, int i |
+        pred.(ParamNode).isParameterOf(c, i) and
+        succ = summaryNode(c, TSummaryNodeClearsContentState(i, _)) and
        preservesValue = true
      )
    }
@@ -706,20 +692,12 @@ module Private {
     * node where field `b` is cleared).
     */
    predicate summaryClearsContent(Node n, Content c) {
-      exists(SummarizedCallable sc, ParameterPosition pos |
-        n = summaryNode(sc, TSummaryNodeClearsContentState(pos, true)) and
-        sc.clearsContent(pos, c)
+      exists(SummarizedCallable sc, int i |
+        n = summaryNode(sc, TSummaryNodeClearsContentState(i, true)) and
+        sc.clearsContent(i, c)
      )
    }

-    pragma[noinline]
-    private predicate viableParam(
-      DataFlowCall call, SummarizedCallable sc, ParameterPosition ppos, ParamNode p
-    ) {
-      p.isParameterOf(sc, ppos) and
-      sc = viableCallable(call)
-    }
-
    /**
     * Holds if values stored inside content `c` are cleared inside a
     * callable to which `arg` is an argument.
@@ -728,18 +706,18 @@ module Private {
     * `arg` (see comment for `summaryClearsContent`).
     */
    predicate summaryClearsContentArg(ArgNode arg, Content c) {
-      exists(DataFlowCall call, SummarizedCallable sc, ParameterPosition ppos |
-        argumentPositionMatch(call, arg, ppos) and
-        viableParam(call, sc, ppos, _) and
-        sc.clearsContent(ppos, c)
+      exists(DataFlowCall call, int i |
+        viableCallable(call).(SummarizedCallable).clearsContent(i, c) and
+        arg.argumentOf(call, i)
      )
    }

    pragma[nomagic]
    private ParamNode summaryArgParam(ArgNode arg, ReturnKindExt rk, OutNodeExt out) {
-      exists(DataFlowCall call, ParameterPosition ppos, SummarizedCallable sc |
-        argumentPositionMatch(call, arg, ppos) and
-        viableParam(call, sc, ppos, result) and
+      exists(DataFlowCall call, int pos, SummarizedCallable callable |
+        arg.argumentOf(call, pos) and
+        viableCallable(call) = callable and
+        result.isParameterOf(callable, pos) and
        out = rk.getAnOutNode(call)
      )
    }
@@ -817,33 +795,39 @@ module Private {
    }

    /** Holds if specification component `c` parses as parameter `n`. */
-    predicate parseParam(string c, ArgumentPosition pos) {
+    predicate parseParam(string c, int n) {
      specSplit(_, c, _) and
-      exists(string body |
-        body = c.regexpCapture("Parameter\\[([^\\]]*)\\]", 1) and
-        pos = parseParamBody(body)
+      (
+        c.regexpCapture("Parameter\\[([-0-9]+)\\]", 1).toInt() = n
+        or
+        exists(int n1, int n2 |
+          c.regexpCapture("Parameter\\[([-0-9]+)\\.\\.([0-9]+)\\]", 1).toInt() = n1 and
+          c.regexpCapture("Parameter\\[([-0-9]+)\\.\\.([0-9]+)\\]", 2).toInt() = n2 and
+          n = [n1 .. n2]
+        )
      )
    }

    /** Holds if specification component `c` parses as argument `n`. */
-    predicate parseArg(string c, ParameterPosition pos) {
+    predicate parseArg(string c, int n) {
      specSplit(_, c, _) and
-      exists(string body |
-        body = c.regexpCapture("Argument\\[([^\\]]*)\\]", 1) and
-        pos = parseArgBody(body)
+      (
+        c.regexpCapture("Argument\\[([-0-9]+)\\]", 1).toInt() = n
+        or
+        exists(int n1, int n2 |
+          c.regexpCapture("Argument\\[([-0-9]+)\\.\\.([0-9]+)\\]", 1).toInt() = n1 and
+          c.regexpCapture("Argument\\[([-0-9]+)\\.\\.([0-9]+)\\]", 2).toInt() = n2 and
+          n = [n1 .. n2]
+        )
      )
    }

    private SummaryComponent interpretComponent(string c) {
      specSplit(_, c, _) and
      (
-        exists(ParameterPosition pos |
-          parseArg(c, pos) and result = SummaryComponent::argument(pos)
-        )
+        exists(int pos | parseArg(c, pos) and result = SummaryComponent::argument(pos))
        or
-        exists(ArgumentPosition pos |
-          parseParam(c, pos) and result = SummaryComponent::parameter(pos)
-        )
+        exists(int pos | parseParam(c, pos) and result = SummaryComponent::parameter(pos))
        or
        c = "ReturnValue" and result = SummaryComponent::return(getReturnValueKind())
        or
@@ -950,18 +934,14 @@ module Private {
        interpretOutput(output, idx + 1, ref, mid) and
        specSplit(output, c, idx)
      |
-        exists(ArgumentPosition apos, ParameterPosition ppos |
-          node.asNode().(PostUpdateNode).getPreUpdateNode().(ArgNode).argumentOf(mid.asCall(), apos) and
-          parameterMatch(ppos, apos)
+        exists(int pos |
+          node.asNode().(PostUpdateNode).getPreUpdateNode().(ArgNode).argumentOf(mid.asCall(), pos)
        |
-          c = "Argument" or parseArg(c, ppos)
+          c = "Argument" or parseArg(c, pos)
        )
        or
-        exists(ArgumentPosition apos, ParameterPosition ppos |
-          node.asNode().(ParamNode).isParameterOf(mid.asCallable(), ppos) and
-          parameterMatch(ppos, apos)
-        |
-          c = "Parameter" or parseParam(c, apos)
+        exists(int pos | node.asNode().(ParamNode).isParameterOf(mid.asCallable(), pos) |
+          c = "Parameter" or parseParam(c, pos)
        )
        or
        c = "ReturnValue" and
@@ -980,11 +960,8 @@ module Private {
        interpretInput(input, idx + 1, ref, mid) and
        specSplit(input, c, idx)
      |
-        exists(ArgumentPosition apos, ParameterPosition ppos |
-          node.asNode().(ArgNode).argumentOf(mid.asCall(), apos) and
-          parameterMatch(ppos, apos)
-        |
-          c = "Argument" or parseArg(c, ppos)
+        exists(int pos | node.asNode().(ArgNode).argumentOf(mid.asCall(), pos) |
+          c = "Argument" or parseArg(c, pos)
        )
        or
        exists(ReturnNodeExt ret |
@@ -1027,13 +1004,6 @@ module Private {
    abstract class RelevantSummarizedCallable extends SummarizedCallable {
      /** Gets the string representation of this callable used by `summary/1`. */
      abstract string getCallableCsv();
-
-      /** Holds if flow is propagated between `input` and `output`. */
-      predicate relevantSummary(
-        SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue
-      ) {
-        this.propagatesFlow(input, output, preservesValue)
-      }
    }

    /** Render the kind in the format used in flow summaries. */
@@ -1053,7 +1023,7 @@ module Private {
        RelevantSummarizedCallable c, SummaryComponentStack input, SummaryComponentStack output,
        boolean preservesValue
      |
-        c.relevantSummary(input, output, preservesValue) and
+        c.propagatesFlow(input, output, preservesValue) and
        csv =
          c.getCallableCsv() + ";;" + getComponentStackCsv(input) + ";" +
            getComponentStackCsv(output) + ";" + renderKind(preservesValue)
@@ -1140,9 +1110,9 @@ module Private {
      b.asCall() = summaryDataFlowCall(a.asNode()) and
      value = "receiver"
      or
-      exists(ArgumentPosition pos |
-        summaryArgumentNode(b.asCall(), a.asNode(), pos) and
-        value = "argument (" + pos + ")"
+      exists(int i |
+        summaryArgumentNode(b.asCall(), a.asNode(), i) and
+        value = "argument (" + i + ")"
      )
    }

--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImplSpecific.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImplSpecific.qll
@@ -13,8 +13,11 @@ private import FlowSummaryImpl::Public
 private import semmle.code.csharp.Unification
 private import semmle.code.csharp.dataflow.ExternalFlow

+/** Holds is `i` is a valid parameter position. */
+predicate parameterPosition(int i) { i in [-1 .. any(Parameter p).getPosition()] }
+
 /** Gets the parameter position of the instance parameter. */
-ArgumentPosition instanceParameterPosition() { none() } // disables implicit summary flow to `this` for callbacks
+int instanceParameterPosition() { none() } // disables implicit summary flow to `this` for callbacks

 /** Gets the synthesized summary data-flow node for the given values. */
 Node summaryNode(SummarizedCallable c, SummaryNodeState state) { result = TSummaryNode(c, state) }
@@ -29,8 +32,6 @@ DataFlowType getContentType(Content c) {
    or
    t = c.(PropertyContent).getProperty().getType()
    or
-    t = c.(SyntheticFieldContent).getField().getType()
-    or
    c instanceof ElementContent and
    t instanceof ObjectType // we don't know what the actual element type is
  )
@@ -60,14 +61,13 @@ DataFlowType getReturnType(SummarizedCallable c, ReturnKind rk) {
 }

 /**
- * Gets the type of the parameter matching arguments at position `pos` in a
- * synthesized call that targets a callback of type `t`.
+ * Gets the type of the `i`th parameter in a synthesized call that targets a
+ * callback of type `t`.
 */
-DataFlowType getCallbackParameterType(DataFlowType t, ArgumentPosition pos) {
+DataFlowType getCallbackParameterType(DataFlowType t, int i) {
  exists(SystemLinqExpressions::DelegateExtType dt |
    t = Gvn::getGlobalValueNumber(dt) and
-    result =
-      Gvn::getGlobalValueNumber(dt.getDelegateType().getParameter(pos.getPosition()).getType())
+    result = Gvn::getGlobalValueNumber(dt.getDelegateType().getParameter(i).getType())
  )
 }

@@ -136,11 +136,6 @@ SummaryComponent interpretComponentSpecific(string c) {
    c.regexpCapture("Property\\[(.+)\\]", 1) = p.getQualifiedName() and
    result = SummaryComponent::content(any(PropertyContent pc | pc.getProperty() = p))
  )
-  or
-  exists(SyntheticField f |
-    c.regexpCapture("SyntheticField\\[(.+)\\]", 1) = f and
-    result = SummaryComponent::content(any(SyntheticFieldContent sfc | sfc.getField() = f))
-  )
 }

 /** Gets the textual representation of the content in the format used for flow summaries. */
@@ -150,8 +145,6 @@ private string getContentSpecificCsv(Content c) {
  exists(Field f | c = TFieldContent(f) and result = "Field[" + f.getQualifiedName() + "]")
  or
  exists(Property p | c = TPropertyContent(p) and result = "Property[" + p.getQualifiedName() + "]")
-  or
-  exists(SyntheticField f | c = TSyntheticFieldContent(f) and result = "SyntheticField[" + f + "]")
 }

 /** Gets the textual representation of a summary component in the format used for flow summaries. */
@@ -165,12 +158,6 @@ string getComponentSpecificCsv(SummaryComponent sc) {
  )
 }

-/** Gets the textual representation of a parameter position in the format used for flow summaries. */
-string getParameterPositionCsv(ParameterPosition pos) { result = pos.toString() }
-
-/** Gets the textual representation of an argument position in the format used for flow summaries. */
-string getArgumentPositionCsv(ArgumentPosition pos) { result = pos.toString() }
-
 class SourceOrSinkElement = Element;

 /** Gets the return kind corresponding to specification `"ReturnValue"`. */
@@ -236,22 +223,3 @@ predicate interpretInputSpecific(string c, InterpretNode mid, InterpretNode n) {
    a.getUnboundDeclaration() = mid.asElement()
  )
 }
-
-bindingset[s]
-private int parsePosition(string s) {
-  result = s.regexpCapture("([-0-9]+)", 1).toInt()
-  or
-  exists(int n1, int n2 |
-    s.regexpCapture("([-0-9]+)\\.\\.([0-9]+)", 1).toInt() = n1 and
-    s.regexpCapture("([-0-9]+)\\.\\.([0-9]+)", 2).toInt() = n2 and
-    result in [n1 .. n2]
-  )
-}
-
-/** Gets the argument position obtained by parsing `X` in `Parameter[X]`. */
-bindingset[s]
-ArgumentPosition parseParamBody(string s) { result.getPosition() = parsePosition(s) }
-
-/** Gets the parameter position obtained by parsing `X` in `Argument[X]`. */
-bindingset[s]
-ParameterPosition parseArgBody(string s) { result.getPosition() = parsePosition(s) }
--- a/csharp/ql/lib/semmle/code/csharp/frameworks/JsonNET.qll
+++ b/csharp/ql/lib/semmle/code/csharp/frameworks/JsonNET.qll
@@ -153,14 +153,14 @@ module JsonNET {
      // Serialize
      c = this.getSerializeMethod() and
      preservesValue = false and
-      source = any(CallableFlowSourceArg arg | arg.getArgumentIndex() = 1) and
-      sink = any(CallableFlowSinkArg arg | arg.getArgumentIndex() = 0)
+      source = any(CallableFlowSourceArg arg | arg.getArgumentIndex() = 0) and
+      sink = any(CallableFlowSinkArg arg | arg.getArgumentIndex() = 1)
      or
      // Deserialize
      c = this.getDeserializeMethod() and
      preservesValue = false and
      source = any(CallableFlowSourceArg arg | arg.getArgumentIndex() = 0) and
-      sink instanceof CallableFlowSinkReturn
+      sink = any(CallableFlowSinkArg arg | arg.getArgumentIndex() = 1)
    }
  }

--- a/csharp/ql/lib/semmle/code/csharp/frameworks/System.qll
+++ b/csharp/ql/lib/semmle/code/csharp/frameworks/System.qll
@@ -92,20 +92,6 @@ class SystemBooleanStruct extends BoolType {
  }
 }

-/** Data flow for `System.Boolean`. */
-private class SystemBooleanFlowModelCsv extends SummaryModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        "System;Boolean;false;Parse;(System.String);;Argument[0];ReturnValue;taint",
-        "System;Boolean;false;TryParse;(System.String,System.Boolean);;Argument[0];Argument[1];taint",
-        "System;Boolean;false;TryParse;(System.String,System.Boolean);;Argument[0];ReturnValue;taint",
-        "System;Boolean;false;TryParse;(System.ReadOnlySpan<System.Char>,System.Boolean);;Element of Argument[0];Argument[1];taint",
-        "System;Boolean;false;TryParse;(System.ReadOnlySpan<System.Char>,System.Boolean);;Element of Argument[0];ReturnValue;taint",
-      ]
-  }
-}
-
 /** The `System.Convert` class. */
 class SystemConvertClass extends SystemClass {
  SystemConvertClass() { this.hasName("Convert") }
@@ -553,22 +539,6 @@ class SystemUriClass extends SystemClass {
  }
 }

-/** Data flow for `System.Uri`. */
-private class SystemUriFlowModelCsv extends SummaryModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        "System;Uri;false;ToString;();;Argument[-1];ReturnValue;taint",
-        "System;Uri;false;Uri;(System.String);;Argument[0];ReturnValue;taint",
-        "System;Uri;false;Uri;(System.String,System.Boolean);;Argument[0];ReturnValue;taint",
-        "System;Uri;false;Uri;(System.String,System.UriKind);;Argument[0];ReturnValue;taint",
-        "System;Uri;false;get_OriginalString;();;Argument[-1];ReturnValue;taint",
-        "System;Uri;false;get_PathAndQuery;();;Argument[-1];ReturnValue;taint",
-        "System;Uri;false;get_Query;();;Argument[-1];ReturnValue;taint",
-      ]
-  }
-}
-
 /** The `System.ValueType` class. */
 class SystemValueTypeClass extends SystemClass {
  SystemValueTypeClass() { this.hasName("ValueType") }
--- a/csharp/ql/lib/semmle/code/csharp/internal/csharp.qll
+++ b/csharp/ql/lib/semmle/code/csharp/internal/csharp.qll
@@ -1,41 +0,0 @@
-/**
- * The default C# QL library.
- */
-
-import Customizations
-import semmle.code.csharp.Attribute
-import semmle.code.csharp.Callable
-import semmle.code.csharp.Comments
-import semmle.code.csharp.Element
-import semmle.code.csharp.Event
-import semmle.code.csharp.File
-import semmle.code.csharp.Generics
-import semmle.code.csharp.Location
-import semmle.code.csharp.Member
-import semmle.code.csharp.Namespace
-import semmle.code.csharp.AnnotatedType
-import semmle.code.csharp.Property
-import semmle.code.csharp.Stmt
-import semmle.code.csharp.Type
-import semmle.code.csharp.Using
-import semmle.code.csharp.Variable
-import semmle.code.csharp.XML
-import semmle.code.csharp.Preprocessor
-import semmle.code.csharp.exprs.Access
-import semmle.code.csharp.exprs.ArithmeticOperation
-import semmle.code.csharp.exprs.Assignment
-import semmle.code.csharp.exprs.BitwiseOperation
-import semmle.code.csharp.exprs.Call
-import semmle.code.csharp.exprs.ComparisonOperation
-import semmle.code.csharp.exprs.Creation
-import semmle.code.csharp.exprs.Dynamic
-import semmle.code.csharp.exprs.Expr
-import semmle.code.csharp.exprs.Literal
-import semmle.code.csharp.exprs.LogicalOperation
-import semmle.code.csharp.controlflow.ControlFlowGraph
-import semmle.code.csharp.dataflow.DataFlow
-import semmle.code.csharp.dataflow.TaintTracking
-import semmle.code.csharp.dataflow.SSA
-
-/** Whether the source was extracted without a build command. */
-predicate extractionIsStandalone() { exists(SourceFile f | f.extractedStandalone()) }
--- a/Abuse/UncheckedReturnValue.ql
+++ b/Abuse/UncheckedReturnValue.ql
@@ -103,11 +103,11 @@ class DiscardedMethodCall extends MethodCall {

  string query() {
    exists(Method m |
-      m = this.getTarget() and
+      m = getTarget() and
      not whitelist(m) and
      // Do not alert on "void wrapper methods", i.e., methods that are inserted
      // to deliberately ignore the returned value
-      not this.getEnclosingCallable().getStatementBody().getNumberOfStmts() = 1
+      not getEnclosingCallable().getStatementBody().getNumberOfStmts() = 1
    |
      important(m) and result = "should always be checked"
      or
--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				`Security/CWE/CWE-295/SSLResultConflation.ql`
				`@@ -1 +0,0 @@`
				`Security/CWE/CWE-295/SSLResultNotChecked.ql`