refactor2

[Feature branch] JS: Migrate to shared dataflow library

.bazelrc

@@ -24,6 +24,5 @@ common --registry=file:///%workspace%/misc/bazel/registry
 common --registry=https://bcr.bazel.build
 
 common --@rules_dotnet//dotnet/settings:strict_deps=false
-common --experimental_isolated_extension_usages
 
 try-import %workspace%/local.bazelrc

.bazelrc.internal

@@ -8,4 +8,3 @@ common --registry=https://bcr.bazel.build
 # its implementation packages without providing any code itself.
 # We either can depend on internal implementation details, or turn of strict deps.
 common --@rules_dotnet//dotnet/settings:strict_deps=false
-common --experimental_isolated_extension_usages

.bazelversion

@@ -1 +1 @@
-5f5d70b6c4d2fb1a889479569107f1692239e8a7
+7.2.1

.github/labeler.yml

@@ -30,10 +30,6 @@ Ruby:
   - ruby/**/*
   - change-notes/**/*ruby*
 
-Rust:
-  - rust/**/*
-  - change-notes/**/*rust*
-
 Swift:
   - swift/**/*
   - change-notes/**/*swift*

.github/pull_request_template.md

@@ -1,14 +0,0 @@
-### Pull Request checklist
-
-#### All query authors
-
-- [ ] A change note is added if necessary. See [the documentation](https://github.com/github/codeql/blob/main/docs/change-notes.md) in this repository.
-- [ ] All new queries have appropriate `.qhelp`. See [the documentation](https://github.com/github/codeql/blob/main/docs/query-help-style-guide.md) in this repository.
-- [ ] QL tests are added if necessary. See [Testing custom queries](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/testing-custom-queries) in the GitHub documentation.
-- [ ] New and changed queries have correct query metadata. See [the documentation](https://github.com/github/codeql/blob/main/docs/query-metadata-style-guide.md) in this repository.
-
-#### Internal query authors only
-
-- [ ] Autofixes generated based on these changes are valid, only needed if this PR makes significant changes to `.ql`, `.qll`, or `.qhelp` files. See [the documentation](https://github.com/github/codeql-team/blob/main/docs/best-practices/validating-autofix-for-query-changes.md) (internal access required).
-- [ ] Changes are validated [at scale](https://github.com/github/codeql-dca/) (internal access required).
-- [ ] Adding a new query? Consider also [adding the query to autofix](https://github.com/github/codeml-autofix/blob/main/docs/updating-query-support.md#adding-a-new-query-to-the-query-suite).

.github/workflows/buildifier.yml

@@ -24,5 +24,5 @@ jobs:
           extra_args: >
             buildifier --all-files 2>&1 ||
             (
-              echo -e "In order to format all bazel files, please run:\n  bazel run //misc/bazel/buildifier"; exit 1
+              echo -e "In order to format all bazel files, please run:\n  bazel run //misc/bazel:buildifier"; exit 1
             )

.github/workflows/check-change-note.yml

@@ -16,12 +16,11 @@ on:
       - "shared/**/*.qll"
       - "!**/experimental/**"
       - "!ql/**"
-      - "!rust/**"
       - ".github/workflows/check-change-note.yml"
 
 jobs:
   check-change-note:
-    env:
+    env: 
       REPO: ${{ github.repository }}
       PULL_REQUEST_NUMBER: ${{ github.event.number }}
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -34,7 +33,7 @@ jobs:
           !contains(github.event.pull_request.labels.*.name, 'no-change-note-required')
         run: |
           change_note_files=$(gh api "repos/$REPO/pulls/$PULL_REQUEST_NUMBER/files" --paginate --jq '.[].filename | select(test("/change-notes/.*[.]md$"))')
-
+          
           if [ -z "$change_note_files" ]; then
             echo "No change note found. Either add one, or add the 'no-change-note-required' label."
             exit 1

.github/workflows/cpp-swift-analysis.yml

@@ -37,7 +37,7 @@ jobs:
       with:
         languages: cpp
         config-file: ./.github/codeql/codeql-config.yml
-
+  
     - name: "[Ubuntu] Remove GCC 13 from runner image"
       shell: bash
       run: |
@@ -48,7 +48,7 @@ jobs:
     - name: "Build Swift extractor using Bazel"
       run: |
         bazel clean --expunge
-        bazel run //swift:create-extractor-pack --nouse_action_cache --noremote_accept_cached --noremote_upload_local_results --spawn_strategy=local
+        bazel run //swift:create-extractor-pack --nouse_action_cache --noremote_accept_cached --noremote_upload_local_results --spawn_strategy=local --features=-layering_check
         bazel shutdown
 
     - name: Perform CodeQL Analysis

.github/workflows/csharp-qltest.yml

@@ -29,6 +29,45 @@ permissions:
   contents: read
 
 jobs:
+  qlupgrade:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/fetch-codeql
+      - name: Check DB upgrade scripts
+        run: |
+          echo >empty.trap
+          codeql dataset import -S ql/lib/upgrades/initial/semmlecode.csharp.dbscheme testdb empty.trap
+          codeql dataset upgrade testdb --additional-packs ql/lib
+          diff -q testdb/semmlecode.csharp.dbscheme ql/lib/semmlecode.csharp.dbscheme
+      - name: Check DB downgrade scripts
+        run: |
+          echo >empty.trap
+          rm -rf testdb; codeql dataset import -S ql/lib/semmlecode.csharp.dbscheme testdb empty.trap
+          codeql resolve upgrades --format=lines --allow-downgrades --additional-packs downgrades \
+           --dbscheme=ql/lib/semmlecode.csharp.dbscheme --target-dbscheme=downgrades/initial/semmlecode.csharp.dbscheme |
+           xargs codeql execute upgrades testdb
+          diff -q testdb/semmlecode.csharp.dbscheme downgrades/initial/semmlecode.csharp.dbscheme
+  qltest:
+    if: github.repository_owner == 'github'
+    runs-on: ubuntu-latest-xl
+    strategy:
+      fail-fast: false
+      matrix:
+        slice: ["1/2", "2/2"]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./csharp/actions/create-extractor-pack
+      - name: Cache compilation cache
+        id: query-cache
+        uses: ./.github/actions/cache-query-compilation
+        with:
+          key: csharp-qltest-${{ matrix.slice }}
+      - name: Run QL tests
+        run: |
+          codeql test run --threads=0 --ram 50000 --slice ${{ matrix.slice }} --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
   unit-tests:
     strategy:
       matrix:

.github/workflows/go-tests.yml

@@ -3,7 +3,6 @@ on:
   push:
     paths:
       - "go/**"
-      - "shared/**"
       - .github/workflows/go-tests.yml
       - .github/actions/**
       - codeql-workspace.yml
@@ -13,7 +12,6 @@ on:
   pull_request:
     paths:
       - "go/**"
-      - "shared/**"
       - .github/workflows/go-tests.yml
       - .github/actions/**
       - codeql-workspace.yml

.github/workflows/ruby-build.yml

@@ -65,8 +65,8 @@ jobs:
         id: cache-extractor
         with:
           path: |
-            target/release/codeql-extractor-ruby
-            target/release/codeql-extractor-ruby.exe
+            ruby/extractor/target/release/codeql-extractor-ruby
+            ruby/extractor/target/release/codeql-extractor-ruby.exe
             ruby/extractor/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
           key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-extractor-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/Cargo.lock') }}-${{ hashFiles('shared/tree-sitter-extractor') }}-${{ hashFiles('ruby/extractor/**/*.rs') }}
       - uses: actions/cache@v3
@@ -75,7 +75,7 @@ jobs:
           path: |
             ~/.cargo/registry
             ~/.cargo/git
-            target
+            ruby/target
           key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-rust-cargo-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/**/Cargo.lock') }}
       - name: Check formatting
         if: steps.cache-extractor.outputs.cache-hit != 'true'
@@ -91,7 +91,7 @@ jobs:
         run: cd extractor && cargo build --release
       - name: Generate dbscheme
         if: ${{ matrix.os == 'ubuntu-latest' && steps.cache-extractor.outputs.cache-hit != 'true'}}
-        run: ../target/release/codeql-extractor-ruby generate --dbscheme ql/lib/ruby.dbscheme --library ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
+        run: extractor/target/release/codeql-extractor-ruby generate --dbscheme ql/lib/ruby.dbscheme --library ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
       - uses: actions/upload-artifact@v3
         if: ${{ matrix.os == 'ubuntu-latest' }}
         with:
@@ -106,8 +106,8 @@ jobs:
         with:
           name: extractor-${{ matrix.os }}
           path: |
-            target/release/codeql-extractor-ruby
-            target/release/codeql-extractor-ruby.exe
+            ruby/extractor/target/release/codeql-extractor-ruby
+            ruby/extractor/target/release/codeql-extractor-ruby.exe
           retention-days: 1
   compile-queries:
     if: github.repository_owner == 'github'
@@ -140,7 +140,6 @@ jobs:
           path: |
             ${{ runner.temp }}/query-packs/*
           retention-days: 1
-          include-hidden-files: true
 
   package:
     runs-on: ubuntu-latest
@@ -177,7 +176,6 @@ jobs:
           name: codeql-ruby-pack
           path: ruby/codeql-ruby.zip
           retention-days: 1
-          include-hidden-files: true
       - uses: actions/download-artifact@v3
         with:
           name: codeql-ruby-queries
@@ -195,7 +193,6 @@ jobs:
           name: codeql-ruby-bundle
           path: ruby/codeql-ruby-bundle.zip
           retention-days: 1
-          include-hidden-files: true
 
   test:
     defaults:

.github/workflows/rust.yml

@@ -1,58 +0,0 @@
-name: "Rust"
-
-on:
-  pull_request:
-    paths:
-      - "rust/**"
-      - "misc/bazel/**"
-      - "misc/codegen/**"
-      - "shared/**"
-      - "MODULE.bazel"
-      - .github/workflows/rust.yml
-      - .github/actions/**
-      - codeql-workspace.yml
-      - "!**/*.md"
-      - "!**/*.qhelp"
-    branches:
-      - rust-experiment
-      - main
-      - rc/*
-      - codeql-cli-*
-
-permissions:
-  contents: read
-
-jobs:
-  rust-code:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Format
-        working-directory: rust/extractor
-        shell: bash
-        run: |
-          cargo fmt --check
-      - name: Compilation
-        working-directory: rust/extractor
-        shell: bash
-        run: cargo check
-      - name: Clippy
-        working-directory: rust/extractor
-        shell: bash
-        run: |
-          cargo clippy --fix
-          git diff --exit-code
-  rust-codegen:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Install CodeQL
-        uses: ./.github/actions/fetch-codeql
-      - name: Code generation
-        shell: bash
-        run: |
-          bazel run //rust/codegen
-          git add .
-          git diff --exit-code HEAD

.gitignore

@@ -7,8 +7,8 @@
 .cache
 
 # qltest projects and artifacts
-*.actual
 */ql/test/**/*.testproj
+*/ql/test/**/*.actual
 */ql/test/**/go.sum
 
 # Visual studio temporaries, except a file used by QL4VS
@@ -65,9 +65,3 @@ node_modules/
 
 # bazel-built in-tree extractor packs
 /*/extractor-pack
-
-# Jetbrains IDE files
-.idea
-
-# cargo build directory
-/target

.pre-commit-config.yaml

@@ -5,9 +5,9 @@ repos:
     rev: v3.2.0
     hooks:
       - id: trailing-whitespace
-        exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
+        exclude: /test/.*$(?<!\.ql)(?<!\.qll)(?<!\.qlref)|.*\.patch
       - id: end-of-file-fixer
-        exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
+        exclude: /test/.*$(?<!\.ql)(?<!\.qll)(?<!\.qlref)|.*\.patch
 
   - repo: https://github.com/pre-commit/mirrors-clang-format
     rev: v17.0.6
@@ -15,7 +15,7 @@ repos:
       - id: clang-format
 
   - repo: https://github.com/pre-commit/mirrors-autopep8
-    rev: v2.0.4
+    rev: v1.6.0
     hooks:
       - id: autopep8
         files: ^misc/codegen/.*\.py
@@ -26,7 +26,7 @@ repos:
         name: Format bazel files
         files: \.(bazel|bzl)
         language: system
-        entry: bazel run //misc/bazel/buildifier
+        entry: bazel run //misc/bazel:buildifier
         pass_filenames: false
 
 #      DISABLED: can be enabled by copying this config and installing `pre-commit` with `--config` on the copy
@@ -45,7 +45,7 @@ repos:
 
       - id: sync-files
         name: Fix files required to be identical
-        files: \.(qll?|qhelp|swift|toml)$|^config/identical-files\.json$
+        files: \.(qll?|qhelp|swift)$|^config/identical-files\.json$
         language: system
         entry: python3 config/sync-files.py --latest
         pass_filenames: false
@@ -58,7 +58,7 @@ repos:
 
       - id: swift-codegen
         name: Run Swift checked in code generation
-        files: ^misc/codegen/|^swift/(schema.py$|codegen/|.*/generated/|ql/lib/(swift\.dbscheme$|codeql/swift/elements)|ql/\.generated.list)
+        files: ^swift/(schema.py$|codegen/|.*/generated/|ql/lib/(swift\.dbscheme$|codeql/swift/elements)|ql/\.generated.list)
         language: system
         entry: bazel run //swift/codegen -- --quiet
         pass_filenames: false
@@ -69,17 +69,3 @@ repos:
         language: system
         entry: bazel test //misc/codegen/test
         pass_filenames: false
-
-      - id: rust-codegen
-        name: Run Rust checked in code generation
-        files: ^misc/codegen/|^rust/(schema.py$|codegen/|.*/generated/|ql/lib/(rust\.dbscheme$|codeql/rust/elements)|\.generated.list)
-        language: system
-        entry: bazel run //rust/codegen -- --quiet
-        pass_filenames: false
-
-      - id: rust-lint
-        name: Run fmt and clippy on Rust code
-        files: ^rust/extractor/(.*rs|Cargo.toml)$
-        language: system
-        entry: python3 rust/lint.py
-        pass_filenames: false

Cargo.toml

@@ -1,16 +0,0 @@
-# This is the shared workspace file for extractor using shared/tree-sitter/extractor
-[workspace]
-
-resolver = "2"
-members = [
-    "shared/tree-sitter-extractor",
-    "ruby/extractor",
-    "rust/extractor",
-    "rust/extractor/macros",
-    "rust/generate-schema",
-]
-
-[patch.crates-io]
-# patch for build script bug preventing bazel build
-# see https://github.com/rust-lang/rustc_apfloat/pull/17
-rustc_apfloat = { git = "https://github.com/redsun82/rustc_apfloat.git", rev = "096d585100636bc2e9f09d7eefec38c5b334d47b" }

MODULE.bazel

@@ -1,7 +1,6 @@
 module(
-    name = "ql",
+    name = "codeql",
     version = "0.0",
-    repo_name = "codeql",
 )
 
 # this points to our internal repository when `codeql` is checked out as a submodule thereof
@@ -15,29 +14,27 @@ local_path_override(
 # see https://registry.bazel.build/ for a list of available packages
 
 bazel_dep(name = "platforms", version = "0.0.10")
-bazel_dep(name = "rules_go", version = "0.50.0")
-bazel_dep(name = "rules_pkg", version = "1.0.1")
+bazel_dep(name = "rules_go", version = "0.48.0")
+bazel_dep(name = "rules_pkg", version = "0.10.1")
 bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
-bazel_dep(name = "rules_python", version = "0.35.0")
+bazel_dep(name = "rules_python", version = "0.32.2")
 bazel_dep(name = "bazel_skylib", version = "1.6.1")
 bazel_dep(name = "abseil-cpp", version = "20240116.0", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "10.0.0")
 bazel_dep(name = "rules_kotlin", version = "1.9.4-codeql.1")
-bazel_dep(name = "gazelle", version = "0.38.0")
+bazel_dep(name = "gazelle", version = "0.37.0")
 bazel_dep(name = "rules_dotnet", version = "0.15.1")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
-bazel_dep(name = "rules_rust", version = "0.50.0")
+bazel_dep(name = "rules_rust", version = "0.46.0")
 
 bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
 
-# crate_py but shortened due to Windows file path considerations
-cp = use_extension(
+crate = use_extension(
     "@rules_rust//crate_universe:extension.bzl",
     "crate",
-    isolate = True,
 )
-cp.from_cargo(
+crate.from_cargo(
     name = "py_deps",
     cargo_lockfile = "//python/extractor/tsg-python:Cargo.lock",
     manifests = [
@@ -45,27 +42,15 @@ cp.from_cargo(
         "//python/extractor/tsg-python/tsp:Cargo.toml",
     ],
 )
-use_repo(cp, "py_deps")
-
-# deps for ruby+rust, but shortened due to windows file paths
-r = use_extension(
-    "@rules_rust//crate_universe:extension.bzl",
-    "crate",
-    isolate = True,
-)
-r.from_cargo(
-    name = "r",
-    cargo_lockfile = "//:Cargo.lock",
+crate.from_cargo(
+    name = "ruby_deps",
+    cargo_lockfile = "//ruby/extractor:Cargo.lock",
     manifests = [
-        "//:Cargo.toml",
         "//ruby/extractor:Cargo.toml",
-        "//rust/extractor:Cargo.toml",
-        "//rust/extractor/macros:Cargo.toml",
-        "//rust/generate-schema:Cargo.toml",
-        "//shared/tree-sitter-extractor:Cargo.toml",
+        "//ruby/extractor/codeql-extractor-fake-crate:Cargo.toml",
     ],
 )
-use_repo(r, tree_sitter_extractors_deps = "r")
+use_repo(crate, "py_deps", "ruby_deps")
 
 dotnet = use_extension("@rules_dotnet//dotnet:extensions.bzl", "dotnet")
 dotnet.toolchain(dotnet_version = "8.0.101")
@@ -128,7 +113,6 @@ use_repo(
     "kotlin-compiler-1.9.20-Beta",
     "kotlin-compiler-2.0.0-RC1",
     "kotlin-compiler-2.0.20-Beta2",
-    "kotlin-compiler-2.1.0-Beta1",
     "kotlin-compiler-embeddable-1.5.0",
     "kotlin-compiler-embeddable-1.5.10",
     "kotlin-compiler-embeddable-1.5.20",
@@ -142,7 +126,6 @@ use_repo(
     "kotlin-compiler-embeddable-1.9.20-Beta",
     "kotlin-compiler-embeddable-2.0.0-RC1",
     "kotlin-compiler-embeddable-2.0.20-Beta2",
-    "kotlin-compiler-embeddable-2.1.0-Beta1",
     "kotlin-stdlib-1.5.0",
     "kotlin-stdlib-1.5.10",
     "kotlin-stdlib-1.5.20",
@@ -156,11 +139,10 @@ use_repo(
     "kotlin-stdlib-1.9.20-Beta",
     "kotlin-stdlib-2.0.0-RC1",
     "kotlin-stdlib-2.0.20-Beta2",
-    "kotlin-stdlib-2.1.0-Beta1",
 )
 
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
-go_sdk.download(version = "1.23.1")
+go_sdk.download(version = "1.22.2")
 
 go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//go/extractor:go.mod")

codeql-workspace.yml

@@ -1,5 +1,4 @@
 provide:
-  - "*/ql/base/qlpack.yml"
   - "*/ql/src/qlpack.yml"
   - "*/ql/lib/qlpack.yml"
   - "*/ql/test*/qlpack.yml"

config/identical-files.json

@@ -57,6 +57,10 @@
     "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
   ],
+  "Model as Data Generation Java/C# - CaptureModels": [
+    "java/ql/src/utils/modelgenerator/internal/CaptureModels.qll",
+    "csharp/ql/src/utils/modelgenerator/internal/CaptureModels.qll"
+  ],
   "Sign Java/C#": [
     "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/Sign.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/Sign.qll"
@@ -352,8 +356,8 @@
     "python/ql/test/library-tests/dataflow/model-summaries/InlineTaintTest.ext.yml",
     "python/ql/test/library-tests/dataflow/model-summaries/NormalDataflowTest.ext.yml"
   ],
-  "Diagnostics.qll": [
-    "ruby/ql/lib/codeql/ruby/Diagnostics.qll",
-    "rust/ql/lib/codeql/rust/Diagnostics.qll"
+  "shared tree-sitter extractor cargo.toml": [
+    "shared/tree-sitter-extractor/Cargo.toml",
+    "ruby/extractor/codeql-extractor-fake-crate/Cargo.toml"
   ]
 }

cpp/downgrades/02a123a1a681f98cf502f189a2a79b0dfb398e59/exprs.ql

@@ -1,17 +0,0 @@
-class Expr extends @expr {
-  string toString() { none() }
-}
-
-class Location extends @location_expr {
-  string toString() { none() }
-}
-
-predicate isExprWithNewBuiltin(Expr expr) {
-  exists(int kind | exprs(expr, kind, _) | 385 <= kind and kind <= 388)
-}
-
-from Expr expr, int kind, int kind_new, Location location
-where
-  exprs(expr, kind, location) and
-  if isExprWithNewBuiltin(expr) then kind_new = 1 else kind_new = kind
-select expr, kind_new, location

cpp/downgrades/02a123a1a681f98cf502f189a2a79b0dfb398e59/sizeof_bind.ql

@@ -1,14 +0,0 @@
-class Expr extends @expr {
-  string toString() { none() }
-}
-
-class Type extends @type {
-  string toString() { none() }
-}
-
-from Expr expr, Type type, int kind
-where
-  sizeof_bind(expr, type) and
-  exprs(expr, kind, _) and
-  (kind = 93 or kind = 94)
-select expr, type

cpp/downgrades/02a123a1a681f98cf502f189a2a79b0dfb398e59/upgrade.properties

@@ -1,4 +0,0 @@
-description: Add new builtin operations
-compatibility: partial
-exprs.rel: run exprs.qlo
-sizeof_bind.rel: run sizeof_bind.qlo

cpp/downgrades/0fea0ee7026c7c3f7d6faef4df4bf67847b67d71/downgrades.ql

@@ -1,32 +0,0 @@
-/*
- * Approach: replace conversion expressions of kind 389 (= @c11_generic) by
- * conversion expressions of kind 12 (= @parexpr), i.e., a `ParenthesisExpr`,
- * and drop the relation which its child expressions, which are just syntactic
- * sugar. Parenthesis expressions are equally benign as C11 _Generic expressions,
- * and behave similarly in the context of the IR.
- */
-
-class Expr extends @expr {
-  string toString() { none() }
-}
-
-class Location extends @location {
-  string toString() { none() }
-}
-
-class ExprParent extends @exprparent {
-  string toString() { none() }
-}
-
-query predicate new_exprs(Expr expr, int new_kind, Location loc) {
-  exists(int kind | exprs(expr, kind, loc) | if kind = 389 then new_kind = 12 else new_kind = kind)
-}
-
-query predicate new_exprparents(Expr expr, int index, ExprParent expr_parent) {
-  exprparents(expr, index, expr_parent) and
-  (
-    not expr_parent instanceof @expr
-    or
-    exists(int kind | exprs(expr_parent.(Expr), kind, _) | kind != 389)
-  )
-}

cpp/downgrades/0fea0ee7026c7c3f7d6faef4df4bf67847b67d71/upgrade.properties

@@ -1,4 +0,0 @@
-description: Expose C11 _Generics
-compatibility: partial
-exprs.rel: run downgrades.ql new_exprs
-exprparents.rel: run downgrades.ql new_exprparents

cpp/downgrades/68930f3b81bbe3fdbb91c850deca1fec8072d62a/upgrade.properties

@@ -1,3 +0,0 @@
-description: description: Support explicit(bool) specifiers
-compatibility: full
-explicit_specifier_exprs.rel: delete

cpp/downgrades/7ff6a6e53dbcff09d1b9b758b594bc6d17366863/coroutine.ql

@@ -1,18 +0,0 @@
-class Function extends @function {
-  string toString() { none() }
-}
-
-class Type extends @type {
-  string toString() { none() }
-}
-
-class Variable extends @variable {
-  string toString() { none() }
-}
-
-from Function func, Type traits, Variable handle, Variable promise
-where
-  coroutine(func, traits) and
-  coroutine_placeholder_variable(handle, 1, func) and
-  coroutine_placeholder_variable(promise, 2, func)
-select func, traits, handle, promise

cpp/downgrades/7ff6a6e53dbcff09d1b9b758b594bc6d17366863/upgrade.properties

@@ -1,4 +0,0 @@
-description: Improve handling of coroutine placeholder variables
-compatibility: full
-coroutine.rel: run coroutine.qlo
-coroutine_placeholder_variable.rel: delete

cpp/downgrades/e197626a6ebccd052d5c891975fccf8aebcc9803/upgrade.properties

@@ -1,3 +0,0 @@
-description: Add relation between deduction guides and class templates
-compatibility: full
-deduction_guide_for_class.rel: delete

cpp/ql/lib/CHANGELOG.md

@@ -1,54 +1,3 @@
-## 2.0.1
-
-No user-facing changes.
-
-## 2.0.0
-
-### Breaking Changes
-
-* Deleted many deprecated taint-tracking configurations based on `TaintTracking::Configuration`. 
-* Deleted many deprecated dataflow configurations based on `DataFlow::Configuration`. 
-* Deleted the deprecated `hasQualifiedName` and `isDefined` predicates from the `Declaration` class, use `hasGlobalName` and `hasDefinition` respectively instead.
-* Deleted the `getFullSignature` predicate from the `Function` class, use `getIdentityString(Declaration)` from `semmle.code.cpp.Print` instead.
-* Deleted the deprecated `freeCall` predicate from `Alloc.qll`. Use `DeallocationExpr` instead.
-* Deleted the deprecated `explorationLimit` predicate from `DataFlow::Configuration`, use `FlowExploration<explorationLimit>` instead.
-* Deleted the deprecated `getFieldExpr` predicate from `ClassAggregateLiteral`, use `getAFieldExpr` instead.
-* Deleted the deprecated `getElementExpr` predicate from `ArrayOrVectorAggregateLiteral`, use `getAnElementExpr` instead.
-
-### New Features
-
-* Added a class `C11GenericExpr` to represent C11 generic selection expressions. The generic selection is represented as a `Conversion` on the expression that will be selected.
-* Added subclasses of `BuiltInOperations` for the `__is_scoped_enum`, `__is_trivially_equality_comparable`, and `__is_trivially_relocatable` builtin operations.
-* Added a subclass of `Expr` for `__datasizeof` expressions.
-
-### Minor Analysis Improvements
-
-* Added a data flow model for `swap` member functions, which were previously modeled as taint tracking functions. This change improves the precision of queries where flow through `swap` member functions might affect the results.
-* Added a data flow model for `realloc`-like functions, which were previously modeled as a taint tracking functions. This change improves the precision of queries where flow through `realloc`-like functions might affect the results.
-
-## 1.4.2
-
-No user-facing changes.
-
-## 1.4.1
-
-No user-facing changes.
-
-## 1.4.0
-
-### New Features
-
-* A `getTemplateClass` predicate was added to the `DeductionGuide` class to get the class template for which the deduction guide is a guide.
-* An `isExplicit` predicate was added to the `Function` class that determines whether the function was declared as explicit.
-* A `getExplicitExpr` predicate was added to the `Function` class that yields the constant boolean expression (if any) that conditionally determines whether the function is explicit.
-* A `isDestroyingDeleteDeallocation` predicate was added to the `NewOrNewArrayExpr` and `DeleteOrDeleteArrayExpr` classes to indicate whether the deallocation function is a destroying delete. 
-
-### Minor Analysis Improvements
-
-* The controlling expression of a `constexpr if` is now always recognized as an unevaluated expression.
-* Improved performance of alias analysis of large function bodies. In rare cases, alerts that depend on alias analysis of large function bodies may be affected.
-* A `UsingEnumDeclarationEntry` class has been added for C++ `using enum` declarations. As part of this, synthesized `UsingDeclarationEntry`s are no longer emitted for individual enumerators of the referenced enumeration.
-
 ## 1.3.0
 
 ### New Features

cpp/ql/lib/change-notes/2024-07-23-using-enum-declaration copy.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* A `isDestroyingDeleteDeallocation` predicate was added to the `NewOrNewArrayExpr` and `DeleteOrDeleteArrayExpr` classes to indicate whether the deallocation function is a destroying delete. 

cpp/ql/lib/change-notes/2024-07-23-using-enum-declaration.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* A `UsingEnumDeclarationEntry` class has been added for C++ `using enum` declarations. As part of this, synthesized `UsingDeclarationEntry`s are no longer emitted for individual enumerators of the referenced enumeration.

cpp/ql/lib/change-notes/2024-07-25-alias-analysis-perf.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Improved performance of alias analysis of large function bodies. In rare cases, alerts that depend on alias analysis of large function bodies may be affected.

cpp/ql/lib/change-notes/2024-07-31-constexpr-if.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The controlling expression of a `constexpr if` is now always recognized as an unevaluated expression.

cpp/ql/lib/change-notes/released/1.4.0.md

@@ -1,14 +0,0 @@
-## 1.4.0
-
-### New Features
-
-* A `getTemplateClass` predicate was added to the `DeductionGuide` class to get the class template for which the deduction guide is a guide.
-* An `isExplicit` predicate was added to the `Function` class that determines whether the function was declared as explicit.
-* A `getExplicitExpr` predicate was added to the `Function` class that yields the constant boolean expression (if any) that conditionally determines whether the function is explicit.
-* A `isDestroyingDeleteDeallocation` predicate was added to the `NewOrNewArrayExpr` and `DeleteOrDeleteArrayExpr` classes to indicate whether the deallocation function is a destroying delete. 
-
-### Minor Analysis Improvements
-
-* The controlling expression of a `constexpr if` is now always recognized as an unevaluated expression.
-* Improved performance of alias analysis of large function bodies. In rare cases, alerts that depend on alias analysis of large function bodies may be affected.
-* A `UsingEnumDeclarationEntry` class has been added for C++ `using enum` declarations. As part of this, synthesized `UsingDeclarationEntry`s are no longer emitted for individual enumerators of the referenced enumeration.

cpp/ql/lib/change-notes/released/1.4.1.md

@@ -1,3 +0,0 @@
-## 1.4.1
-
-No user-facing changes.

cpp/ql/lib/change-notes/released/1.4.2.md

@@ -1,3 +0,0 @@
-## 1.4.2
-
-No user-facing changes.

cpp/ql/lib/change-notes/released/2.0.0.md

@@ -1,23 +0,0 @@
-## 2.0.0
-
-### Breaking Changes
-
-* Deleted many deprecated taint-tracking configurations based on `TaintTracking::Configuration`. 
-* Deleted many deprecated dataflow configurations based on `DataFlow::Configuration`. 
-* Deleted the deprecated `hasQualifiedName` and `isDefined` predicates from the `Declaration` class, use `hasGlobalName` and `hasDefinition` respectively instead.
-* Deleted the `getFullSignature` predicate from the `Function` class, use `getIdentityString(Declaration)` from `semmle.code.cpp.Print` instead.
-* Deleted the deprecated `freeCall` predicate from `Alloc.qll`. Use `DeallocationExpr` instead.
-* Deleted the deprecated `explorationLimit` predicate from `DataFlow::Configuration`, use `FlowExploration<explorationLimit>` instead.
-* Deleted the deprecated `getFieldExpr` predicate from `ClassAggregateLiteral`, use `getAFieldExpr` instead.
-* Deleted the deprecated `getElementExpr` predicate from `ArrayOrVectorAggregateLiteral`, use `getAnElementExpr` instead.
-
-### New Features
-
-* Added a class `C11GenericExpr` to represent C11 generic selection expressions. The generic selection is represented as a `Conversion` on the expression that will be selected.
-* Added subclasses of `BuiltInOperations` for the `__is_scoped_enum`, `__is_trivially_equality_comparable`, and `__is_trivially_relocatable` builtin operations.
-* Added a subclass of `Expr` for `__datasizeof` expressions.
-
-### Minor Analysis Improvements
-
-* Added a data flow model for `swap` member functions, which were previously modeled as taint tracking functions. This change improves the precision of queries where flow through `swap` member functions might affect the results.
-* Added a data flow model for `realloc`-like functions, which were previously modeled as a taint tracking functions. This change improves the precision of queries where flow through `realloc`-like functions might affect the results.

cpp/ql/lib/change-notes/released/2.0.1.md

@@ -1,3 +0,0 @@
-## 2.0.1
-
-No user-facing changes.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.0.1
+lastReleaseVersion: 1.3.0

cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll

@@ -36,6 +36,16 @@ module PrivateCleartextWrite {
     }
   }
 
+  deprecated class WriteConfig extends TaintTracking::Configuration {
+    WriteConfig() { this = "Write configuration" }
+
+    override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+  }
+
   private module WriteConfig implements DataFlow::ConfigSig {
     predicate isSource(DataFlow::Node source) { source instanceof Source }
 

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 2.0.2-dev
+version: 1.3.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/Declaration.qll

@@ -60,6 +60,18 @@ class Declaration extends Locatable, @declaration {
    */
   string getQualifiedName() { result = underlyingElement(this).(Q::Declaration).getQualifiedName() }
 
+  /**
+   * DEPRECATED: Prefer `hasGlobalName` or the 2-argument or 3-argument
+   * `hasQualifiedName` predicates. To get the exact same results as this
+   * predicate in all edge cases, use `getQualifiedName()`.
+   *
+   * Holds if this declaration has the fully-qualified name `qualifiedName`.
+   * See `getQualifiedName`.
+   */
+  deprecated predicate hasQualifiedName(string qualifiedName) {
+    this.getQualifiedName() = qualifiedName
+  }
+
   /**
    * Holds if this declaration has a fully-qualified name with a name-space
    * component of `namespaceQualifier`, a declaring type of `typeQualifier`,
@@ -173,6 +185,9 @@ class Declaration extends Locatable, @declaration {
   /** Holds if the declaration has a definition. */
   predicate hasDefinition() { exists(this.getDefinition()) }
 
+  /** DEPRECATED: Use `hasDefinition` instead. */
+  deprecated predicate isDefined() { this.hasDefinition() }
+
   /** Gets the preferred location of this declaration, if any. */
   override Location getLocation() { none() }
 

cpp/ql/lib/semmle/code/cpp/Function.qll

@@ -30,6 +30,46 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
 
   override string getName() { functions(underlyingElement(this), result, _) }
 
+  /**
+   * DEPRECATED: Use `getIdentityString(Declaration)` from `semmle.code.cpp.Print` instead.
+   * Gets the full signature of this function, including return type, parameter
+   * types, and template arguments.
+   *
+   * For example, in the following code:
+   * ```
+   * template<typename T> T min(T x, T y);
+   * int z = min(5, 7);
+   * ```
+   * The full signature of the function called on the last line would be
+   * `min<int>(int, int) -> int`, and the full signature of the uninstantiated
+   * template on the first line would be `min<T>(T, T) -> T`.
+   */
+  deprecated string getFullSignature() {
+    exists(string name, string templateArgs, string args |
+      result = name + templateArgs + args + " -> " + this.getType().toString() and
+      name = this.getQualifiedName() and
+      (
+        if exists(this.getATemplateArgument())
+        then
+          templateArgs =
+            "<" +
+              concat(int i |
+                exists(this.getTemplateArgument(i))
+              |
+                this.getTemplateArgument(i).toString(), ", " order by i
+              ) + ">"
+        else templateArgs = ""
+      ) and
+      args =
+        "(" +
+          concat(int i |
+            exists(this.getParameter(i))
+          |
+            this.getParameter(i).getType().toString(), ", " order by i
+          ) + ")"
+    )
+  }
+
   /** Gets a specifier of this function. */
   override Specifier getASpecifier() {
     funspecifiers(underlyingElement(this), unresolveElement(result)) or
@@ -118,26 +158,6 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
    */
   predicate isConsteval() { this.hasSpecifier("is_consteval") }
 
-  /**
-   * Holds if this function is declared to be `explicit`.
-   */
-  predicate isExplicit() { this.hasSpecifier("explicit") }
-
-  /**
-   * Gets the constant expression that determines whether the function is explicit.
-   *
-   * For example, for the following code the result is the expression `sizeof(T) == 1`:
-   * ```
-   * template<typename T> struct C {
-   *   explicit(sizeof(T) == 1)
-   *   C(const T);
-   * };
-   * ```
-   */
-  Expr getExplicitExpr() {
-    explicit_specifier_exprs(underlyingElement(this), unresolveElement(result))
-  }
-
   /**
    * Holds if this function is declared with `__attribute__((naked))` or
    * `__declspec(naked)`.
@@ -500,17 +520,6 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
    * Gets the nearest enclosing AccessHolder.
    */
   override AccessHolder getEnclosingAccessHolder() { result = this.getDeclaringType() }
-
-  /**
-   * Holds if this function has extraction errors that create an `ErrorExpr`.
-   */
-  predicate hasErrors() {
-    exists(ErrorExpr e |
-      e.getEnclosingFunction() = this and
-      // Exclude the first allocator call argument because it is always extracted as `ErrorExpr`.
-      not exists(NewOrNewArrayExpr new | e = new.getAllocatorCall().getArgument(0))
-    )
-  }
 }
 
 pragma[noinline]
@@ -662,8 +671,7 @@ class FunctionDeclarationEntry extends DeclarationEntry, @fun_decl {
 
   /**
    * Holds if this declaration is an implicit function declaration, that is,
-   * where a function is used before it is declared (under older C standards,
-   * or when there were parse errors).
+   * where a function is used before it is declared (under older C standards).
    */
   predicate isImplicit() { fun_implicit(underlyingElement(this)) }
 
@@ -890,11 +898,4 @@ class UserDefinedLiteral extends Function {
  */
 class DeductionGuide extends Function {
   DeductionGuide() { functions(underlyingElement(this), _, 8) }
-
-  /**
-   * Gets the class template for which this is a deduction guide.
-   */
-  TemplateClass getTemplateClass() {
-    deduction_guide_for_class(underlyingElement(this), unresolveElement(result))
-  }
 }

cpp/ql/lib/semmle/code/cpp/PrintAST.qll

@@ -286,6 +286,9 @@ abstract class BaseAstNode extends PrintAstNode {
    * Gets the AST represented by this node.
    */
   final Locatable getAst() { result = ast }
+
+  /** DEPRECATED: Alias for getAst */
+  deprecated Locatable getAST() { result = this.getAst() }
 }
 
 /**
@@ -382,21 +385,6 @@ class CastNode extends ConversionNode {
   }
 }
 
-/**
- * A node representing a `C11GenericExpr`.
- */
-class C11GenericNode extends ConversionNode {
-  C11GenericExpr generic;
-
-  C11GenericNode() { generic = conv }
-
-  override AstNode getChildInternal(int childIndex) {
-    result = super.getChildInternal(childIndex - count(generic.getAChild()))
-    or
-    result.getAst() = generic.getChild(childIndex)
-  }
-}
-
 /**
  * A node representing a `StmtExpr`.
  */
@@ -872,15 +860,6 @@ private predicate namedExprChildPredicates(Expr expr, Element ele, string pred)
     or
     expr.(BuiltInVarArgsStart).getLastNamedParameter() = ele and pred = "getLastNamedParameter()"
     or
-    expr.(C11GenericExpr).getControllingExpr() = ele and pred = "getControllingExpr()"
-    or
-    exists(int n |
-      expr.(C11GenericExpr).getAssociationType(n) = ele.(TypeName).getType() and
-      pred = "getAssociationType(" + n + ")"
-      or
-      expr.(C11GenericExpr).getAssociationExpr(n) = ele and pred = "getAssociationExpr(" + n + ")"
-    )
-    or
     expr.(Call).getQualifier() = ele and pred = "getQualifier()"
     or
     exists(int n | expr.(Call).getArgument(n) = ele and pred = "getArgument(" + n.toString() + ")")

cpp/ql/lib/semmle/code/cpp/Type.qll

@@ -39,8 +39,8 @@ class Type extends Locatable, @type {
 
   /**
    * Gets a specifier of this type, recursively looking through `typedef` and
-   * `decltype`. For example, in the context of `typedef const int *restrict t`,
-   * the type `volatile t` has specifiers `volatile` and `restrict` but not
+   * `decltype`. For example, in the context of `typedef const int *restrict
+   * t`, the type `volatile t` has specifiers `volatile` and `restrict` but not
    * `const` since the `const` is attached to the type being pointed to rather
    * than the pointer itself.
    */

cpp/ql/lib/semmle/code/cpp/Variable.qll

@@ -409,18 +409,11 @@ class LocalVariable extends LocalScopeVariable, @localvariable {
     exists(ConditionDeclExpr e | e.getVariable() = this and e.getEnclosingFunction() = result)
     or
     orphaned_variables(underlyingElement(this), unresolveElement(result))
-    or
-    coroutine_placeholder_variable(underlyingElement(this), _, unresolveElement(result))
   }
 
   override predicate isStatic() {
     super.isStatic() or orphaned_variables(underlyingElement(this), _)
   }
-
-  override predicate isCompilerGenerated() {
-    super.isCompilerGenerated() or
-    coroutine_placeholder_variable(underlyingElement(this), _, _)
-  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/commons/Alloc.qll

@@ -7,6 +7,15 @@ import semmle.code.cpp.models.interfaces.Deallocation
  */
 predicate freeFunction(Function f, int argNum) { argNum = f.(DeallocationFunction).getFreedArg() }
 
+/**
+ * A call to a library routine that frees memory.
+ *
+ * DEPRECATED: Use `DeallocationExpr` instead (this also includes `delete` expressions).
+ */
+deprecated predicate freeCall(FunctionCall fc, Expr arg) {
+  arg = fc.(DeallocationExpr).getFreedExpr()
+}
+
 /**
  * Is e some kind of allocation or deallocation (`new`, `alloc`, `realloc`, `delete`, `free` etc)?
  */

cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll

@@ -57,7 +57,7 @@ private int isSource(Expr bufferExpr, Element why) {
   exists(Type bufferType |
     // buffer is the address of a variable
     why = bufferExpr.(AddressOfExpr).getAddressable() and
-    bufferType = why.(Variable).getUnspecifiedType() and
+    bufferType = why.(Variable).getType() and
     result = bufferType.getSize() and
     not bufferType instanceof ReferenceType and
     not any(Union u).getAMemberVariable() = why

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -953,3 +953,21 @@ private class SummarizedCallableAdapter extends SummarizedCallable {
     interpretSummary(this, _, _, _, provenance, _)
   }
 }
+
+// adapter class for converting Mad neutrals to `NeutralCallable`s
+private class NeutralCallableAdapter extends NeutralCallable {
+  string kind;
+  string provenance_;
+
+  NeutralCallableAdapter() {
+    // Neutral models have not been implemented for CPP.
+    none() and
+    exists(this) and
+    exists(kind) and
+    exists(provenance_)
+  }
+
+  override string getKind() { result = kind }
+
+  override predicate hasProvenance(Provenance provenance) { provenance = provenance_ }
+}

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *
@@ -282,9 +290,15 @@ deprecated private module Config implements FullStateConfigSig {
 
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+  predicate sourceGrouping(Node source, string sourceGroup) {
+    any(Configuration config).sourceGrouping(source, sourceGroup)
+  }
 
-  predicate observeDiffInformedIncrementalMode() { none() }
+  predicate sinkGrouping(Node sink, string sinkGroup) {
+    any(Configuration config).sinkGrouping(sink, sinkGroup)
+  }
+
+  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *
@@ -282,9 +290,15 @@ deprecated private module Config implements FullStateConfigSig {
 
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+  predicate sourceGrouping(Node source, string sourceGroup) {
+    any(Configuration config).sourceGrouping(source, sourceGroup)
+  }
 
-  predicate observeDiffInformedIncrementalMode() { none() }
+  predicate sinkGrouping(Node sink, string sinkGroup) {
+    any(Configuration config).sinkGrouping(sink, sinkGroup)
+  }
+
+  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *
@@ -282,9 +290,15 @@ deprecated private module Config implements FullStateConfigSig {
 
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+  predicate sourceGrouping(Node source, string sourceGroup) {
+    any(Configuration config).sourceGrouping(source, sourceGroup)
+  }
 
-  predicate observeDiffInformedIncrementalMode() { none() }
+  predicate sinkGrouping(Node sink, string sinkGroup) {
+    any(Configuration config).sinkGrouping(sink, sinkGroup)
+  }
+
+  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *
@@ -282,9 +290,15 @@ deprecated private module Config implements FullStateConfigSig {
 
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+  predicate sourceGrouping(Node source, string sourceGroup) {
+    any(Configuration config).sourceGrouping(source, sourceGroup)
+  }
 
-  predicate observeDiffInformedIncrementalMode() { none() }
+  predicate sinkGrouping(Node sink, string sinkGroup) {
+    any(Configuration config).sinkGrouping(sink, sinkGroup)
+  }
+
+  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *
@@ -282,9 +290,15 @@ deprecated private module Config implements FullStateConfigSig {
 
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+  predicate sourceGrouping(Node source, string sourceGroup) {
+    any(Configuration config).sourceGrouping(source, sourceGroup)
+  }
 
-  predicate observeDiffInformedIncrementalMode() { none() }
+  predicate sinkGrouping(Node sink, string sinkGroup) {
+    any(Configuration config).sinkGrouping(sink, sinkGroup)
+  }
+
+  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/exprs/BuiltInOperations.qll

@@ -1885,59 +1885,3 @@ class BuiltInOperationIsWinInterface extends BuiltInOperation, @iswininterface {
 
   override string getAPrimaryQlClass() { result = "BuiltInOperationIsWinInterface" }
 }
-
-/**
- * A C++ `__is_trivially_equality_comparable` built-in operation.
- *
- * Returns `true` if comparing two objects of type `_Tp` is equivalent to
- * comparing their object representations.
- *
- * ```
- * template<typename _Tp>
- *   struct is_trivially_equality_comparable
- *   : public integral_constant<bool, __is_trivially_equality_comparable(_Tp)>
- *   {};
- * ```
- */
-class BuiltInOperationIsTriviallyEqualityComparable extends BuiltInOperation,
-  @istriviallyequalitycomparable
-{
-  override string toString() { result = "__is_trivially_equality_comparable" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsTriviallyEqualityComparable" }
-}
-
-/**
- * A C++ `__is_scoped_enum` built-in operation (used by some implementations
- * of the `<type_traits>` header).
- *
- * Returns `true` if a type is a scoped enum.
- * ```
- * template<typename _Tp>
- * constexpr bool is_scoped_enum = __is_scoped_enum(_Tp);
- * ```
- */
-class BuiltInOperationIsScopedEnum extends BuiltInOperation, @isscopedenum {
-  override string toString() { result = "__is_scoped_enum" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsScopedEnum" }
-}
-
-/**
- * A C++ `__is_trivially_relocatable` built-in operation.
- *
- * Returns `true` if moving an object of type `_Tp` is equivalent to
- * copying the underlying bytes.
- *
- * ```
- * template<typename _Tp>
- *   struct is_trivially_relocatable
- *   : public integral_constant<bool, __is_trivially_relocatable(_Tp)>
- *   {};
- * ```
- */
-class BuiltInOperationIsTriviallyRelocatable extends BuiltInOperation, @istriviallyrelocatable {
-  override string toString() { result = "__is_trivially_relocatable" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsTriviallyRelocatable" }
-}

cpp/ql/lib/semmle/code/cpp/exprs/Cast.qll

@@ -791,53 +791,6 @@ class AlignofTypeOperator extends AlignofOperator {
   override string toString() { result = "alignof(" + this.getTypeOperand().getName() + ")" }
 }
 
-/**
- * A C++ `__datasizeof` expression (used by some implementations
- * of the `<type_traits>` header).
- *
- * The `__datasizeof` expression behaves identically to `sizeof` except
- * that the result ignores tail padding.
- */
-class DatasizeofOperator extends Expr, @datasizeof {
-  override int getPrecedence() { result = 16 }
-}
-
-/**
- * A C++ `__datasizeof` expression whose operand is an expression.
- */
-class DatasizeofExprOperator extends DatasizeofOperator {
-  DatasizeofExprOperator() { exists(this.getChild(0)) }
-
-  override string getAPrimaryQlClass() { result = "DatasizeofExprOperator" }
-
-  /** Gets the contained expression. */
-  Expr getExprOperand() { result = this.getChild(0) }
-
-  override string toString() { result = "__datasizeof(<expr>)" }
-
-  override predicate mayBeImpure() { this.getExprOperand().mayBeImpure() }
-
-  override predicate mayBeGloballyImpure() { this.getExprOperand().mayBeGloballyImpure() }
-}
-
-/**
- * A C++ `__datasizeof` expression whose operand is a type name.
- */
-class DatasizeofTypeOperator extends DatasizeofOperator {
-  DatasizeofTypeOperator() { sizeof_bind(underlyingElement(this), _) }
-
-  override string getAPrimaryQlClass() { result = "DatasizeofTypeOperator" }
-
-  /** Gets the contained type. */
-  Type getTypeOperand() { sizeof_bind(underlyingElement(this), unresolveElement(result)) }
-
-  override string toString() { result = "__datasizeof(" + this.getTypeOperand().getName() + ")" }
-
-  override predicate mayBeImpure() { none() }
-
-  override predicate mayBeGloballyImpure() { none() }
-}
-
 /**
  * A C/C++ array to pointer conversion.
  *

cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll

@@ -304,8 +304,6 @@ class Expr extends StmtParent, @expr {
       e instanceof NoExceptExpr
       or
       e instanceof AlignofOperator
-      or
-      e instanceof DatasizeofOperator
     )
     or
     exists(Decltype d | d.getExpr() = this.getParentWithConversions*())
@@ -632,106 +630,6 @@ class ParenthesisExpr extends Conversion, @parexpr {
   override string getAPrimaryQlClass() { result = "ParenthesisExpr" }
 }
 
-/**
- * A node representing a C11 `_Generic` selection expression.
- *
- * For example:
- * ```
- * _Generic(e, int: "int", default: "unknown")
- * ```
- */
-class C11GenericExpr extends Conversion, @c11_generic {
-  int associationCount;
-
-  C11GenericExpr() { associationCount = (count(this.getAChild()) - 1) / 2 }
-
-  override string toString() { result = "_Generic" }
-
-  override string getAPrimaryQlClass() { result = "C11GenericExpr" }
-
-  /**
-   * Gets the controlling expression of the generic selection.
-   *
-   * For example, for
-   * ```
-   * _Generic(e, int: "a", default: "b")
-   * ```
-   * the result is `e`.
-   */
-  Expr getControllingExpr() { result = this.getChild(0) }
-
-  /**
-   * Gets the type of the `n`th element in the association list of the generic selection.
-   *
-   * For example, for
-   * ```
-   * _Generic(e, int: "a", default: "b")
-   * ```
-   * the type of the 0th element is `int`. In the case of the default element the
-   * type will an instance of `VoidType`.
-   */
-  Type getAssociationType(int n) {
-    n in [0 .. associationCount - 1] and
-    result = this.getChild(n * 2 + 1).(TypeName).getType()
-  }
-
-  /**
-   * Gets the type of an element in the association list of the generic selection.
-   */
-  Type getAnAssociationType() { result = this.getAssociationType(_) }
-
-  /**
-   * Gets the expression of the `n`th element in the association list of
-   * the generic selection.
-   *
-   * For example, for
-   * ```
-   * _Generic(e, int: "a", default: "b")
-   * ```
-   * the expression for 0th element is `"a"`, and the expression for the
-   * 1st element is `"b"`. For the selected expression, this predicate
-   * will yield a `ReuseExpr`, such that
-   * ```
-   * this.getAssociationExpr(n).(ReuseExpr).getReusedExpr() = this.getExpr()
-   * ```
-   */
-  Expr getAssociationExpr(int n) {
-    n in [0 .. associationCount - 1] and
-    result = this.getChild(n * 2 + 2)
-  }
-
-  /**
-   * Gets the expression of an element in the association list of the generic selection.
-   */
-  Expr getAnAssociationExpr() { result = this.getAssociationExpr(_) }
-
-  /**
-   * Holds if the `n`th element of the association list of the generic selection is the
-   * default element.
-   *
-   * For example, for
-   * ```
-   * _Generic(e, int: "a", default: "b")
-   * ```
-   * this holds for 1.
-   */
-  predicate isDefaultAssociation(int n) { this.getAssociationType(n) instanceof VoidType }
-
-  /**
-   * Holds if the `n`th element of the association list of the generic selection is the
-   * one whose expression was selected.
-   *
-   * For example, with `e` of type `int` and
-   * ```
-   * _Generic(e, int: "a", default: "b")
-   * ```
-   * this holds for 0.
-   */
-  predicate isSelectedAssociation(int n) {
-    this.getAssociationExpr(n).(ReuseExpr).getReusedExpr() = this.getExpr()
-  }
-}
-
 /**
  * A C/C++ expression that could not be resolved, or that can no longer be
  * represented due to a database upgrade or downgrade.
@@ -768,8 +666,6 @@ class AssumeExpr extends Expr, @assume {
 
 /**
  * A C/C++ comma expression.
- *
- * For example:
  * ```
  * int c = compute1(), compute2(), resulting_value;
  * ```

cpp/ql/lib/semmle/code/cpp/exprs/Literal.qll

@@ -195,6 +195,17 @@ class ClassAggregateLiteral extends AggregateLiteral {
    */
   Expr getAFieldExpr(Field field) { result = this.getFieldExpr(field, _) }
 
+  /**
+   * DEPRECATED: Use `getAFieldExpr` instead.
+   *
+   * Gets the expression within the aggregate literal that is used to initialize
+   * field `field`, if present.
+   *
+   * This predicate may have multiple results since a field can be initialized
+   * multiple times in the same initializer.
+   */
+  deprecated Expr getFieldExpr(Field field) { result = this.getFieldExpr(field, _) }
+
   /**
    * Gets the expression within the aggregate literal that is used to initialize
    * field `field`, if present. The expression is the `position`'th entry in the
@@ -289,6 +300,17 @@ class ArrayOrVectorAggregateLiteral extends AggregateLiteral {
    */
   Expr getAnElementExpr(int elementIndex) { result = this.getElementExpr(elementIndex, _) }
 
+  /**
+   * DEPRECATED: Use `getAnElementExpr` instead.
+   *
+   * Gets the expression within the aggregate literal that is used to initialize
+   * element `elementIndex`, if present.
+   *
+   * This predicate may have multiple results since an element can be initialized
+   * multiple times in the same initializer.
+   */
+  deprecated Expr getElementExpr(int elementIndex) { result = this.getElementExpr(elementIndex, _) }
+
   /**
    * Gets the expression within the aggregate literal that is used to initialize
    * element `elementIndex`, if present. The expression is the `position`'th entry

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *
@@ -282,9 +290,15 @@ deprecated private module Config implements FullStateConfigSig {
 
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+  predicate sourceGrouping(Node source, string sourceGroup) {
+    any(Configuration config).sourceGrouping(source, sourceGroup)
+  }
 
-  predicate observeDiffInformedIncrementalMode() { none() }
+  predicate sinkGrouping(Node sink, string sinkGroup) {
+    any(Configuration config).sinkGrouping(sink, sinkGroup)
+  }
+
+  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *
@@ -282,9 +290,15 @@ deprecated private module Config implements FullStateConfigSig {
 
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+  predicate sourceGrouping(Node source, string sourceGroup) {
+    any(Configuration config).sourceGrouping(source, sourceGroup)
+  }
 
-  predicate observeDiffInformedIncrementalMode() { none() }
+  predicate sinkGrouping(Node sink, string sinkGroup) {
+    any(Configuration config).sinkGrouping(sink, sinkGroup)
+  }
+
+  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *
@@ -282,9 +290,15 @@ deprecated private module Config implements FullStateConfigSig {
 
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+  predicate sourceGrouping(Node source, string sourceGroup) {
+    any(Configuration config).sourceGrouping(source, sourceGroup)
+  }
 
-  predicate observeDiffInformedIncrementalMode() { none() }
+  predicate sinkGrouping(Node sink, string sinkGroup) {
+    any(Configuration config).sinkGrouping(sink, sinkGroup)
+  }
+
+  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *
@@ -282,9 +290,15 @@ deprecated private module Config implements FullStateConfigSig {
 
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+  predicate sourceGrouping(Node source, string sourceGroup) {
+    any(Configuration config).sourceGrouping(source, sourceGroup)
+  }
 
-  predicate observeDiffInformedIncrementalMode() { none() }
+  predicate sinkGrouping(Node sink, string sinkGroup) {
+    any(Configuration config).sinkGrouping(sink, sinkGroup)
+  }
+
+  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll

@@ -546,7 +546,7 @@ module ProductFlow {
       Flow1::PathGraph::edges(pred1, succ1, _, _) and
       exists(ReturnKindExt returnKind |
         succ1.getNode() = returnKind.getAnOutNode(call) and
-        returnKind = getParamReturnPosition(_, pred1.asParameterReturnNode()).getKind()
+        paramReturnNode(_, pred1.asParameterReturnNode(), _, returnKind)
       )
     }
 
@@ -574,7 +574,7 @@ module ProductFlow {
       Flow2::PathGraph::edges(pred2, succ2, _, _) and
       exists(ReturnKindExt returnKind |
         succ2.getNode() = returnKind.getAnOutNode(call) and
-        returnKind = getParamReturnPosition(_, pred2.asParameterReturnNode()).getKind()
+        paramReturnNode(_, pred2.asParameterReturnNode(), _, returnKind)
       )
     }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll

@@ -50,6 +50,9 @@ abstract private class AbstractIRVariable extends TIRVariable {
    */
   abstract Language::AST getAst();
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated Language::AST getAST() { result = this.getAst() }
+
   /**
    * Gets an identifier string for the variable. This identifier is unique
    * within the function.
@@ -93,6 +96,9 @@ class IRUserVariable extends AbstractIRVariable, TIRUserVariable {
 
   final override Language::AST getAst() { result = var }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Language::AST getAST() { result = this.getAst() }
+
   final override string getUniqueId() {
     result = this.getVariable().toString() + " " + this.getVariable().getLocation().toString()
   }
@@ -157,6 +163,9 @@ abstract private class AbstractIRGeneratedVariable extends AbstractIRVariable {
 
   final override Language::AST getAst() { result = ast }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Language::AST getAST() { result = this.getAst() }
+
   override string toString() { result = this.getBaseString() + this.getLocationString() }
 
   override string getUniqueId() { none() }

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll

@@ -285,6 +285,9 @@ abstract private class MemoryLocation0 extends TMemoryLocation {
   predicate isAlwaysAllocatedOnStack() { none() }
 
   final predicate canReuseSsa() { none() }
+
+  /** DEPRECATED: Alias for canReuseSsa */
+  deprecated predicate canReuseSSA() { this.canReuseSsa() }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRVariable.qll

@@ -50,6 +50,9 @@ abstract private class AbstractIRVariable extends TIRVariable {
    */
   abstract Language::AST getAst();
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated Language::AST getAST() { result = this.getAst() }
+
   /**
    * Gets an identifier string for the variable. This identifier is unique
    * within the function.
@@ -93,6 +96,9 @@ class IRUserVariable extends AbstractIRVariable, TIRUserVariable {
 
   final override Language::AST getAst() { result = var }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Language::AST getAST() { result = this.getAst() }
+
   final override string getUniqueId() {
     result = this.getVariable().toString() + " " + this.getVariable().getLocation().toString()
   }
@@ -157,6 +163,9 @@ abstract private class AbstractIRGeneratedVariable extends AbstractIRVariable {
 
   final override Language::AST getAst() { result = ast }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Language::AST getAST() { result = this.getAst() }
+
   override string toString() { result = this.getBaseString() + this.getLocationString() }
 
   override string getUniqueId() { none() }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll

@@ -216,6 +216,9 @@ abstract class TranslatedSideEffects extends TranslatedElement {
 
   final override Locatable getAst() { result = this.getExpr() }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   final override Declaration getFunction() { result = getEnclosingDeclaration(this.getExpr()) }
 
   final override TranslatedElement getChild(int i) {
@@ -613,6 +616,9 @@ class TranslatedArgumentExprSideEffect extends TranslatedArgumentSideEffect,
 
   final override Locatable getAst() { result = arg }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   final override Type getIndirectionType() {
     result = arg.getUnspecifiedType().(DerivedType).getBaseType()
     or
@@ -645,6 +651,9 @@ class TranslatedStructorQualifierSideEffect extends TranslatedArgumentSideEffect
 
   final override Locatable getAst() { result = call }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   final override Type getIndirectionType() { result = call.getTarget().getDeclaringType() }
 
   final override string getArgString() { result = "this" }
@@ -666,6 +675,9 @@ class TranslatedCallSideEffect extends TranslatedSideEffect, TTranslatedCallSide
 
   override Locatable getAst() { result = expr }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   override Expr getPrimaryExpr() { result = expr }
 
   override predicate sortOrder(int group, int indexInGroup) {
@@ -704,6 +716,9 @@ class TranslatedAllocationSideEffect extends TranslatedSideEffect, TTranslatedAl
 
   override Locatable getAst() { result = expr }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   override Expr getPrimaryExpr() { result = expr }
 
   override predicate sortOrder(int group, int indexInGroup) {

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCondition.qll

@@ -29,6 +29,9 @@ abstract class TranslatedCondition extends TranslatedElement {
 
   final override Locatable getAst() { result = expr }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   final ConditionContext getConditionContext() { result = this.getParent() }
 
   final Expr getExpr() { result = expr }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedDeclarationEntry.qll

@@ -45,6 +45,9 @@ abstract class TranslatedDeclarationEntry extends TranslatedElement, TTranslated
   final override string toString() { result = entry.toString() }
 
   final override Locatable getAst() { result = entry.getAst() }
+
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
 }
 
 /**
@@ -245,6 +248,9 @@ class TranslatedStaticLocalVariableInitialization extends TranslatedElement,
 
   final override Locatable getAst() { result = entry.getAst() }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   final override LocalVariable getVariable() { result = var }
 
   final override Declaration getFunction() { result = var.getFunction() }
@@ -271,6 +277,9 @@ class TranslatedConditionDecl extends TranslatedLocalVariableDeclaration, TTrans
 
   override Locatable getAst() { result = conditionDeclExpr }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   override Declaration getFunction() { result = getEnclosingFunction(conditionDeclExpr) }
 
   override LocalVariable getVariable() { result = conditionDeclExpr.getVariable() }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -128,9 +128,6 @@ private predicate ignoreExprAndDescendants(Expr expr) {
     vaStartExpr.getLastNamedParameter().getFullyConverted() = expr
   )
   or
-  // The children of C11 _Generic expressions are just surface syntax.
-  exists(C11GenericExpr generic | generic.getAChild() = expr)
-  or
   // Do not translate implicit destructor calls for unnamed temporary variables that are
   // conditionally constructed (until we have a mechanism for calling these only when the
   // temporary's constructor was run)
@@ -435,9 +432,6 @@ predicate ignoreLoad(Expr expr) {
     // The load is duplicated from the right operand.
     isExtractorFrontendVersion65OrHigher() and expr instanceof CommaExpr
     or
-    // The load is duplicated from the chosen expression.
-    expr instanceof C11GenericExpr
-    or
     expr.(PointerDereferenceExpr).getOperand().getFullyConverted().getType().getUnspecifiedType()
       instanceof FunctionPointerType
     or
@@ -767,10 +761,7 @@ newtype TTranslatedElement =
   } or
   // A statement
   TTranslatedStmt(Stmt stmt) { translateStmt(stmt) } or
-  // The `__except` block of a `__try __except` statement
   TTranslatedMicrosoftTryExceptHandler(MicrosoftTryExceptStmt stmt) or
-  // The `__finally` block of a `__try __finally` statement
-  TTranslatedMicrosoftTryFinallyHandler(MicrosoftTryFinallyStmt stmt) or
   // A function
   TTranslatedFunction(Function func) { translateFunction(func) } or
   // A constructor init list
@@ -929,6 +920,9 @@ abstract class TranslatedElement extends TTranslatedElement {
    */
   abstract Locatable getAst();
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated Locatable getAST() { result = this.getAst() }
+
   /** Gets the location of this element. */
   Location getLocation() { result = this.getAst().getLocation() }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -893,8 +893,7 @@ class TranslatedTransparentConversion extends TranslatedTransparentExpr {
     (
       expr instanceof ParenthesisExpr or
       expr instanceof ReferenceDereferenceExpr or
-      expr instanceof ReferenceToExpr or
-      expr instanceof C11GenericExpr
+      expr instanceof ReferenceToExpr
     )
   }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll

@@ -67,6 +67,9 @@ class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction {
 
   final override Locatable getAst() { result = func }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   /**
    * Gets the function being translated.
    */
@@ -209,13 +212,8 @@ class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction {
       (
         // Only generate the `Unwind` instruction if there is any exception
         // handling present in the function.
-        exists(TryOrMicrosoftTryStmt try | try.getEnclosingFunction() = func)
-        or
+        exists(TryStmt try | try.getEnclosingFunction() = func) or
         exists(ThrowExpr throw | throw.getEnclosingFunction() = func)
-        or
-        exists(FunctionCall call | call.getEnclosingFunction() = func |
-          getTranslatedExpr(call).(TranslatedCallExpr).mayThrowException()
-        )
       )
       or
       tag = AliasedUseTag() and
@@ -485,6 +483,9 @@ class TranslatedThisParameter extends TranslatedParameter, TTranslatedThisParame
 
   final override Locatable getAst() { result = func }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   final override Function getFunction() { result = func }
 
   final override predicate hasIndirection() { any() }
@@ -517,6 +518,9 @@ class TranslatedPositionalParameter extends TranslatedParameter, TTranslatedPara
 
   final override Locatable getAst() { result = param }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   final override Function getFunction() {
     result = param.getFunction() or
     result = param.getCatchBlock().getEnclosingFunction()
@@ -554,6 +558,9 @@ class TranslatedEllipsisParameter extends TranslatedParameter, TTranslatedEllips
 
   final override Locatable getAst() { result = func }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   final override Function getFunction() { result = func }
 
   final override predicate hasIndirection() { any() }
@@ -590,6 +597,9 @@ class TranslatedConstructorInitList extends TranslatedElement, InitializationCon
 
   override Locatable getAst() { result = func }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   override TranslatedElement getChild(int id) {
     exists(ConstructorFieldInit fieldInit |
       fieldInit = func.(Constructor).getInitializer(id) and
@@ -667,6 +677,9 @@ class TranslatedDestructorDestructionList extends TranslatedElement,
 
   override Locatable getAst() { result = func }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   override TranslatedElement getChild(int id) {
     exists(DestructorFieldDestruction fieldDestruction |
       fieldDestruction = func.(Destructor).getDestruction(id) and
@@ -720,6 +733,9 @@ class TranslatedReadEffects extends TranslatedElement, TTranslatedReadEffects {
 
   override Locatable getAst() { result = func }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   override Function getFunction() { result = func }
 
   override string toString() { result = "read effects: " + func.toString() }
@@ -823,6 +839,9 @@ class TranslatedThisReadEffect extends TranslatedReadEffect, TTranslatedThisRead
 
   override Locatable getAst() { result = func }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   override Function getFunction() { result = func }
 
   override string toString() { result = "read effect: this" }
@@ -846,6 +865,9 @@ class TranslatedParameterReadEffect extends TranslatedReadEffect, TTranslatedPar
 
   override Locatable getAst() { result = param }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   override string toString() { result = "read effect: " + param.toString() }
 
   override Function getFunction() { result = param.getFunction() }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedInitialization.qll

@@ -153,6 +153,9 @@ abstract class TranslatedInitialization extends TranslatedElement, TTranslatedIn
 
   final override Locatable getAst() { result = expr }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   /**
    * Gets the expression that is doing the initialization.
    */
@@ -525,6 +528,9 @@ abstract class TranslatedFieldInitialization extends TranslatedElement {
 
   final override Locatable getAst() { result = ast }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   final override Declaration getFunction() {
     result = getEnclosingFunction(ast) or
     result = getEnclosingVariable(ast).(GlobalOrNamespaceVariable) or
@@ -695,6 +701,9 @@ abstract class TranslatedElementInitialization extends TranslatedElement {
 
   final override Locatable getAst() { result = initList }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   final override Declaration getFunction() {
     result = getEnclosingFunction(initList)
     or
@@ -903,6 +912,9 @@ abstract class TranslatedStructorCallFromStructor extends TranslatedElement, Str
 
   final override Locatable getAst() { result = call }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   final override TranslatedElement getChild(int id) {
     id = 0 and
     result = this.getStructorCall()
@@ -1046,6 +1058,9 @@ class TranslatedConstructorBareInit extends TranslatedElement, TTranslatedConstr
 
   override Locatable getAst() { result = init }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   final override string toString() { result = "construct base (no constructor)" }
 
   override Instruction getFirstInstruction(EdgeKind kind) {

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll

@@ -79,6 +79,11 @@ class TranslatedMicrosoftTryExceptHandler extends TranslatedElement,
     tag = TryExceptCompareOneBranch() and
     opcode instanceof Opcode::ConditionalBranch and
     resultType = getVoidType()
+    or
+    // unwind stack
+    tag = UnwindTag() and
+    opcode instanceof Opcode::Unwind and
+    resultType = getVoidType()
   }
 
   final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
@@ -151,7 +156,7 @@ class TranslatedMicrosoftTryExceptHandler extends TranslatedElement,
       // TODO: This is not really correct. The semantics of `EXCEPTION_CONTINUE_EXECUTION` is that
       // we should continue execution at the point where the exception occurred. But we don't have
       // any instruction to model this behavior.
-      result = this.getExceptionSuccessorInstruction(any(GotoEdge edge))
+      result = this.getInstruction(UnwindTag())
       or
       kind instanceof FalseEdge and
       result = this.getInstruction(TryExceptGenerateZero())
@@ -171,7 +176,7 @@ class TranslatedMicrosoftTryExceptHandler extends TranslatedElement,
     tag = TryExceptCompareZeroBranch() and
     (
       kind instanceof TrueEdge and
-      result = this.getExceptionSuccessorInstruction(any(GotoEdge edge))
+      result = this.getInstruction(UnwindTag())
       or
       kind instanceof FalseEdge and
       result = this.getInstruction(TryExceptGenerateOne())
@@ -191,6 +196,10 @@ class TranslatedMicrosoftTryExceptHandler extends TranslatedElement,
     tag = TryExceptCompareOneBranch() and
     kind instanceof TrueEdge and
     result = this.getTranslatedHandler().getFirstInstruction(any(GotoEdge edge))
+    or
+    // Unwind -> Parent
+    tag = UnwindTag() and
+    result = this.getParent().getChildSuccessor(this, kind)
   }
 
   override Instruction getChildSuccessorInternal(TranslatedElement child, EdgeKind kind) {
@@ -206,6 +215,8 @@ class TranslatedMicrosoftTryExceptHandler extends TranslatedElement,
 
   override Instruction getALastInstructionInternal() {
     result = this.getTranslatedHandler().getALastInstruction()
+    or
+    result = this.getInstruction(UnwindTag())
   }
 
   private TranslatedExpr getTranslatedCondition() {
@@ -225,68 +236,6 @@ class TranslatedMicrosoftTryExceptHandler extends TranslatedElement,
   }
 
   final override Function getFunction() { result = tryExcept.getEnclosingFunction() }
-
-  override Instruction getExceptionSuccessorInstruction(EdgeKind kind) {
-    // A throw from within a `__except` block flows to the handler for the parent of
-    // the `__try`.
-    result = this.getParent().getParent().getExceptionSuccessorInstruction(kind)
-  }
-}
-
-TranslatedMicrosoftTryFinallyHandler getTranslatedMicrosoftTryFinallyHandler(
-  MicrosoftTryFinallyStmt tryFinally
-) {
-  result.getAst() = tryFinally.getFinally()
-}
-
-class TranslatedMicrosoftTryFinallyHandler extends TranslatedElement,
-  TTranslatedMicrosoftTryFinallyHandler
-{
-  MicrosoftTryFinallyStmt tryFinally;
-
-  TranslatedMicrosoftTryFinallyHandler() {
-    this = TTranslatedMicrosoftTryFinallyHandler(tryFinally)
-  }
-
-  final override string toString() { result = tryFinally.toString() }
-
-  final override Locatable getAst() { result = tryFinally.getFinally() }
-
-  override Instruction getFirstInstruction(EdgeKind kind) {
-    result = this.getTranslatedFinally().getFirstInstruction(kind)
-  }
-
-  override Instruction getALastInstructionInternal() {
-    result = this.getTranslatedFinally().getALastInstruction()
-  }
-
-  override Instruction getChildSuccessorInternal(TranslatedElement child, EdgeKind kind) {
-    child = this.getTranslatedFinally() and
-    result = this.getParent().getChildSuccessor(this, kind)
-  }
-
-  override Instruction getInstructionSuccessorInternal(InstructionTag tag, EdgeKind kind) { none() }
-
-  override TranslatedElement getChild(int id) {
-    id = 0 and
-    result = this.getTranslatedFinally()
-  }
-
-  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
-    none()
-  }
-
-  final override Function getFunction() { result = tryFinally.getEnclosingFunction() }
-
-  private TranslatedStmt getTranslatedFinally() {
-    result = getTranslatedStmt(tryFinally.getFinally())
-  }
-
-  override Instruction getExceptionSuccessorInstruction(EdgeKind kind) {
-    // A throw from within a `__finally` block flows to the handler for the parent of
-    // the `__try`.
-    result = this.getParent().getParent().getExceptionSuccessorInstruction(kind)
-  }
 }
 
 abstract class TranslatedStmt extends TranslatedElement, TTranslatedStmt {
@@ -319,6 +268,9 @@ abstract class TranslatedStmt extends TranslatedElement, TTranslatedStmt {
 
   final override Locatable getAst() { result = stmt }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Locatable getAST() { result = this.getAst() }
+
   final override Function getFunction() { result = stmt.getEnclosingFunction() }
 }
 
@@ -634,7 +586,7 @@ class TranslatedNoValueReturnStmt extends TranslatedReturnStmt, TranslatedVariab
 /**
  * A C/C++ `try` statement, or a `__try __except` or `__try __finally` statement.
  */
-class TryOrMicrosoftTryStmt extends Stmt {
+private class TryOrMicrosoftTryStmt extends Stmt {
   TryOrMicrosoftTryStmt() {
     this instanceof TryStmt or
     this instanceof MicrosoftTryStmt
@@ -667,9 +619,7 @@ class TryOrMicrosoftTryStmt extends Stmt {
   }
 
   /** Gets the `finally` statement (usually a BlockStmt), if any. */
-  TranslatedElement getTranslatedFinally() {
-    result = getTranslatedMicrosoftTryFinallyHandler(this)
-  }
+  Stmt getFinally() { result = this.(MicrosoftTryFinallyStmt).getFinally() }
 }
 
 /**
@@ -739,14 +689,11 @@ class TranslatedTryStmt extends TranslatedStmt {
 
   final override Instruction getExceptionSuccessorInstruction(EdgeKind kind) {
     result = this.getHandler(0).getFirstInstruction(kind)
-    or
-    not exists(this.getHandler(_)) and
-    result = this.getFinally().getFirstInstruction(kind)
   }
 
   private TranslatedElement getHandler(int index) { result = stmt.getTranslatedHandler(index) }
 
-  private TranslatedElement getFinally() { result = stmt.getTranslatedFinally() }
+  private TranslatedStmt getFinally() { result = getTranslatedStmt(stmt.getFinally()) }
 
   private TranslatedStmt getBody() { result = getTranslatedStmt(stmt.getStmt()) }
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll

@@ -50,6 +50,9 @@ abstract private class AbstractIRVariable extends TIRVariable {
    */
   abstract Language::AST getAst();
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated Language::AST getAST() { result = this.getAst() }
+
   /**
    * Gets an identifier string for the variable. This identifier is unique
    * within the function.
@@ -93,6 +96,9 @@ class IRUserVariable extends AbstractIRVariable, TIRUserVariable {
 
   final override Language::AST getAst() { result = var }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Language::AST getAST() { result = this.getAst() }
+
   final override string getUniqueId() {
     result = this.getVariable().toString() + " " + this.getVariable().getLocation().toString()
   }
@@ -157,6 +163,9 @@ abstract private class AbstractIRGeneratedVariable extends AbstractIRVariable {
 
   final override Language::AST getAst() { result = ast }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Language::AST getAST() { result = this.getAst() }
+
   override string toString() { result = this.getBaseString() + this.getLocationString() }
 
   override string getUniqueId() { none() }

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll

@@ -71,6 +71,9 @@ class MemoryLocation extends TMemoryLocation {
   final string getUniqueId() { result = var.getUniqueId() }
 
   final predicate canReuseSsa() { canReuseSsaForVariable(var) }
+
+  /** DEPRECATED: Alias for canReuseSsa */
+  deprecated predicate canReuseSSA() { this.canReuseSsa() }
 }
 
 predicate canReuseSsaForOldResult(Instruction instr) { none() }

cpp/ql/lib/semmle/code/cpp/models/Models.qll

@@ -42,7 +42,6 @@ private import implementations.Accept
 private import implementations.Poll
 private import implementations.Select
 private import implementations.MySql
-private import implementations.NoexceptFunction
 private import implementations.ODBC
 private import implementations.SqLite3
 private import implementations.PostgreSql

cpp/ql/lib/semmle/code/cpp/models/implementations/Allocation.qll

@@ -5,13 +5,13 @@
  */
 
 import semmle.code.cpp.models.interfaces.Allocation
-import semmle.code.cpp.models.interfaces.DataFlow
+import semmle.code.cpp.models.interfaces.Taint
 
 /**
  * An allocation function (such as `realloc`) that has an argument for the size
  * in bytes, and an argument for an existing pointer that is to be reallocated.
  */
-private class ReallocAllocationFunction extends AllocationFunction, DataFlowFunction {
+private class ReallocAllocationFunction extends AllocationFunction, TaintFunction {
   int sizeArg;
   int reallocArg;
 
@@ -44,7 +44,7 @@ private class ReallocAllocationFunction extends AllocationFunction, DataFlowFunc
 
   override int getReallocPtrArg() { result = reallocArg }
 
-  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isParameterDeref(this.getReallocPtrArg()) and output.isReturnValueDeref()
   }
 }

cpp/ql/lib/semmle/code/cpp/models/implementations/Memcpy.qll

@@ -9,14 +9,13 @@ import semmle.code.cpp.models.interfaces.DataFlow
 import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.SideEffect
 import semmle.code.cpp.models.interfaces.Taint
-import semmle.code.cpp.models.interfaces.NonThrowing
 
 /**
  * The standard functions `memcpy`, `memmove` and `bcopy`; and the gcc variant
  * `__builtin___memcpy_chk`.
  */
 private class MemcpyFunction extends ArrayFunction, DataFlowFunction, SideEffectFunction,
-  AliasFunction, NonThrowingFunction
+  AliasFunction
 {
   MemcpyFunction() {
     // memcpy(dest, src, num)

cpp/ql/lib/semmle/code/cpp/models/implementations/Memset.qll

@@ -8,10 +8,9 @@ import semmle.code.cpp.models.interfaces.ArrayFunction
 import semmle.code.cpp.models.interfaces.DataFlow
 import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.SideEffect
-import semmle.code.cpp.models.interfaces.NonThrowing
 
 private class MemsetFunctionModel extends ArrayFunction, DataFlowFunction, AliasFunction,
-  SideEffectFunction, NonThrowingFunction
+  SideEffectFunction
 {
   MemsetFunctionModel() {
     this.hasGlobalOrStdOrBslName("memset")

cpp/ql/lib/semmle/code/cpp/models/implementations/NoexceptFunction.qll

@@ -1,11 +0,0 @@
-import semmle.code.cpp.models.interfaces.NonThrowing
-
-/**
- * A function that is annotated with a `noexcept` specifier (or the equivalent
- * `throw()` specifier) guaranteeing that the function can not throw exceptions.
- *
- * Note: The `throw` specifier was deprecated in C++11 and removed in C++17.
- */
-class NoexceptFunction extends NonThrowingFunction {
-  NoexceptFunction() { this.isNoExcept() or this.isNoThrow() }
-}

cpp/ql/lib/semmle/code/cpp/models/implementations/Printf.qll

@@ -8,12 +8,11 @@
 import semmle.code.cpp.models.interfaces.FormattingFunction
 import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.SideEffect
-import semmle.code.cpp.models.interfaces.NonThrowing
 
 /**
  * The standard functions `printf`, `wprintf` and their glib variants.
  */
-private class Printf extends FormattingFunction, AliasFunction, NonThrowingFunction {
+private class Printf extends FormattingFunction, AliasFunction {
   Printf() {
     this instanceof TopLevelFunction and
     (
@@ -37,7 +36,7 @@ private class Printf extends FormattingFunction, AliasFunction, NonThrowingFunct
 /**
  * The standard functions `fprintf`, `fwprintf` and their glib variants.
  */
-private class Fprintf extends FormattingFunction, NonThrowingFunction {
+private class Fprintf extends FormattingFunction {
   Fprintf() {
     this instanceof TopLevelFunction and
     (
@@ -55,7 +54,7 @@ private class Fprintf extends FormattingFunction, NonThrowingFunction {
 /**
  * The standard function `sprintf` and its Microsoft and glib variants.
  */
-private class Sprintf extends FormattingFunction, NonThrowingFunction {
+private class Sprintf extends FormattingFunction {
   Sprintf() {
     this instanceof TopLevelFunction and
     (
@@ -98,7 +97,7 @@ private class Sprintf extends FormattingFunction, NonThrowingFunction {
 /**
  * Implements `Snprintf`.
  */
-private class SnprintfImpl extends Snprintf, AliasFunction, SideEffectFunction, NonThrowingFunction {
+private class SnprintfImpl extends Snprintf, AliasFunction, SideEffectFunction {
   SnprintfImpl() {
     this instanceof TopLevelFunction and
     (
@@ -205,7 +204,7 @@ private class StringCchPrintf extends FormattingFunction {
 /**
  * The standard function `syslog`.
  */
-private class Syslog extends FormattingFunction, NonThrowingFunction {
+private class Syslog extends FormattingFunction {
   Syslog() {
     this instanceof TopLevelFunction and
     this.hasGlobalName("syslog") and

cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll

@@ -7,16 +7,13 @@ import semmle.code.cpp.models.interfaces.ArrayFunction
 import semmle.code.cpp.models.interfaces.DataFlow
 import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.interfaces.SideEffect
-import semmle.code.cpp.models.interfaces.NonThrowing
 
 /**
  * The standard function `strcat` and its wide, sized, and Microsoft variants.
  *
  * Does not include `strlcat`, which is covered by `StrlcatFunction`
  */
-class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, SideEffectFunction,
-  NonThrowingFunction
-{
+class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, SideEffectFunction {
   StrcatFunction() {
     this.hasGlobalOrStdOrBslName([
         "strcat", // strcat(dst, src)

cpp/ql/lib/semmle/code/cpp/models/implementations/Strcpy.qll

@@ -7,14 +7,11 @@ import semmle.code.cpp.models.interfaces.ArrayFunction
 import semmle.code.cpp.models.interfaces.DataFlow
 import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.interfaces.SideEffect
-import semmle.code.cpp.models.interfaces.NonThrowing
 
 /**
  * The standard function `strcpy` and its wide, sized, and Microsoft variants.
  */
-class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, SideEffectFunction,
-  NonThrowingFunction
-{
+class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, SideEffectFunction {
   StrcpyFunction() {
     this.hasGlobalOrStdOrBslName([
         "strcpy", // strcpy(dst, src)

cpp/ql/lib/semmle/code/cpp/models/implementations/Swap.qll

@@ -26,7 +26,7 @@ private class Swap extends DataFlowFunction {
  * obj1.swap(obj2)
  * ```
  */
-private class MemberSwap extends DataFlowFunction, MemberFunction, AliasFunction {
+private class MemberSwap extends TaintFunction, MemberFunction, AliasFunction {
   MemberSwap() {
     this.hasName("swap") and
     this.getNumberOfParameters() = 1 and
@@ -34,7 +34,7 @@ private class MemberSwap extends DataFlowFunction, MemberFunction, AliasFunction
       this.getDeclaringType()
   }
 
-  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isQualifierObject() and
     output.isParameterDeref(0)
     or

cpp/ql/lib/semmle/code/cpp/models/interfaces/FormattingFunction.qll

@@ -118,34 +118,19 @@ abstract class FormattingFunction extends ArrayFunction, TaintFunction {
 
   /**
    * Gets the position of the first format argument, corresponding with
-   * the first format specifier in the format string. We ignore all
-   * implicit function definitions.
+   * the first format specifier in the format string.
    */
   int getFirstFormatArgumentIndex() {
-    // The formatting function either has a definition in the snapshot, or all
+    result = this.getNumberOfParameters() and
+    // the formatting function either has a definition in the snapshot, or all
     // `DeclarationEntry`s agree on the number of parameters (otherwise we don't
     // really know the correct number)
-    if this.hasDefinition()
-    then result = this.getDefinition().getNumberOfParameters()
-    else result = this.getNumberOfExplicitParameters()
-  }
-
-  /**
-   * Gets a non-implicit function declaration entry.
-   */
-  private FunctionDeclarationEntry getAnExplicitDeclarationEntry() {
-    result = this.getADeclarationEntry() and
-    not result.isImplicit()
-  }
-
-  /**
-   * Gets the number of parameters, excluding any parameters that have been defined
-   * from implicit function declarations. If there is some inconsistency in the number
-   * of parameters, then don't return anything.
-   */
-  private int getNumberOfExplicitParameters() {
-    forex(FunctionDeclarationEntry fde | fde = this.getAnExplicitDeclarationEntry() |
-      result = fde.getNumberOfParameters()
+    (
+      this.hasDefinition()
+      or
+      forall(FunctionDeclarationEntry fde | fde = this.getADeclarationEntry() |
+        result = fde.getNumberOfParameters()
+      )
     )
   }
 

cpp/ql/lib/semmle/code/cpp/models/interfaces/NonThrowing.qll

@@ -1,11 +0,0 @@
-/**
- * Provides an abstract class for modeling functions that never throw.
- */
-
-import semmle.code.cpp.Function
-import semmle.code.cpp.models.Models
-
-/**
- * A function that is guaranteed to never throw.
- */
-abstract class NonThrowingFunction extends Function { }

cpp/ql/lib/semmle/code/cpp/security/BufferAccess.qll

@@ -14,11 +14,7 @@ int getPointedSize(Type t) {
  * BufferWrite differ.
  */
 abstract class BufferAccess extends Expr {
-  BufferAccess() {
-    not this.isUnevaluated() and
-    //A buffer access must be reachable (not in dead code)
-    reachable(this)
-  }
+  BufferAccess() { not this.isUnevaluated() }
 
   abstract string getName();
 
@@ -30,8 +26,6 @@ abstract class BufferAccess extends Expr {
    * - 1 = buffer range [0, getSize) is accessed entirely.
    * - 2 = buffer range [0, getSize) may be accessed partially or entirely.
    * - 3 = buffer is accessed at offset getSize - 1.
-   * - 4 = buffer is accessed with null terminator read protections
-   *       (does not read past null terminator, regardless of access size)
    */
   abstract Expr getBuffer(string bufferDesc, int accessType);
 
@@ -134,7 +128,7 @@ class StrncpyBA extends BufferAccess {
     or
     result = this.(FunctionCall).getArgument(1) and
     bufferDesc = "source buffer" and
-    accessType = 4
+    accessType = 2
   }
 
   override Expr getSizeExpr() { result = this.(FunctionCall).getArgument(2) }

cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/InvalidPointerToDereference.qll

@@ -160,26 +160,6 @@ private module InvalidPointerToDerefBarrier {
   }
 }
 
-/**
- * BEWARE: This configuration uses an unrestricted sink, so accessing its full
- * flow computation or any stages beyond the first 2 will likely diverge.
- * Stage 1 will still be fast and we use it to restrict the subsequent sink
- * computation.
- */
-private module InvalidPointerReachesConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { invalidPointerToDerefSource(_, _, source) }
-
-  predicate isSink(DataFlow::Node sink) { any() }
-
-  predicate isBarrier(DataFlow::Node node) { InvalidPointerToDerefConfig::isBarrier(node) }
-
-  int fieldFlowBranchLimit() { result = invalidPointerToDereferenceFieldFlowBranchLimit() }
-}
-
-private module InvalidPointerReachesFlow = DataFlow::Global<InvalidPointerReachesConfig>;
-
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplCommon as DataFlowImplCommon
-
 /**
  * A configuration to track flow from a pointer-arithmetic operation found
  * by `AllocToInvalidPointerConfig` to a dereference of the pointer.
@@ -193,13 +173,8 @@ private module InvalidPointerToDerefConfig implements DataFlow::StateConfigSig {
     invalidPointerToDerefSource(_, pai, source)
   }
 
-  predicate isSink(DataFlow::Node sink) {
-    exists(DataFlowImplCommon::NodeEx n |
-      InvalidPointerReachesFlow::Stages::Stage1::sinkNode(n, _) and
-      n.asNode() = sink and
-      isInvalidPointerDerefSink(sink, _, _, _, _)
-    )
-  }
+  pragma[inline]
+  predicate isSink(DataFlow::Node sink) { isInvalidPointerDerefSink(sink, _, _, _, _) }
 
   predicate isSink(DataFlow::Node sink, FlowState pai) { none() }
 

cpp/ql/lib/semmle/code/cpp/security/boostorg/asio/protocols.qll

@@ -353,6 +353,22 @@ module BoostorgAsio {
   }
 
   //////////////////////// Dataflow /////////////////////
+  /**
+   * Abstract class for flows of protocol values to the first argument of a context
+   * constructor.
+   */
+  abstract deprecated class SslContextCallAbstractConfig extends DataFlow::Configuration {
+    bindingset[this]
+    SslContextCallAbstractConfig() { any() }
+
+    override predicate isSink(DataFlow::Node sink) {
+      exists(ConstructorCall cc, SslContextClass c, Expr e | e = sink.asExpr() |
+        c.getAContructorCall() = cc and
+        cc.getArgument(0) = e
+      )
+    }
+  }
+
   /**
    * Signature for flows of protocol values to the first argument of a context
    * constructor.
@@ -386,6 +402,20 @@ module BoostorgAsio {
     import DataFlow::Global<C>
   }
 
+  /**
+   * Any protocol value that flows to the first argument of a context constructor.
+   */
+  deprecated class SslContextCallConfig extends SslContextCallAbstractConfig {
+    SslContextCallConfig() { this = "SslContextCallConfig" }
+
+    override predicate isSource(DataFlow::Node source) {
+      exists(Expr e | e = source.asExpr() |
+        e.fromSource() and
+        not e.getLocation().getFile().toString().matches("%/boost/asio/%")
+      )
+    }
+  }
+
   /**
    * Any protocol value that flows to the first argument of a context constructor.
    */
@@ -400,6 +430,21 @@ module BoostorgAsio {
 
   module SslContextCallFlow = SslContextCallGlobal<SslContextCallConfig>;
 
+  /**
+   * A banned protocol value that flows to the first argument of a context constructor.
+   */
+  deprecated class SslContextCallBannedProtocolConfig extends SslContextCallAbstractConfig {
+    SslContextCallBannedProtocolConfig() { this = "SslContextCallBannedProtocolConfig" }
+
+    override predicate isSource(DataFlow::Node source) {
+      exists(Expr e | e = source.asExpr() |
+        e.fromSource() and
+        not e.getLocation().getFile().toString().matches("%/boost/asio/%") and
+        isExprBannedBoostProtocol(e)
+      )
+    }
+  }
+
   /**
    * A banned protocol value that flows to the first argument of a context constructor.
    */
@@ -416,6 +461,21 @@ module BoostorgAsio {
   module SslContextCallBannedProtocolFlow =
     SslContextCallGlobal<SslContextCallBannedProtocolConfig>;
 
+  /**
+   * A TLS 1.2 protocol value that flows to the first argument of a context constructor.
+   */
+  deprecated class SslContextCallTls12ProtocolConfig extends SslContextCallAbstractConfig {
+    SslContextCallTls12ProtocolConfig() { this = "SslContextCallTls12ProtocolConfig" }
+
+    override predicate isSource(DataFlow::Node source) {
+      exists(Expr e | e = source.asExpr() |
+        e.fromSource() and
+        not e.getLocation().getFile().toString().matches("%/boost/asio/%") and
+        isExprTls12BoostProtocol(e)
+      )
+    }
+  }
+
   /**
    * A TLS 1.2 protocol value that flows to the first argument of a context constructor.
    */
@@ -431,6 +491,21 @@ module BoostorgAsio {
 
   module SslContextCallTls12ProtocolFlow = SslContextCallGlobal<SslContextCallTls12ProtocolConfig>;
 
+  /**
+   * A TLS 1.3 protocol value that flows to the first argument of a context constructor.
+   */
+  deprecated class SslContextCallTls13ProtocolConfig extends SslContextCallAbstractConfig {
+    SslContextCallTls13ProtocolConfig() { this = "SslContextCallTls12ProtocolConfig" }
+
+    override predicate isSource(DataFlow::Node source) {
+      exists(Expr e | e = source.asExpr() |
+        e.fromSource() and
+        not e.getLocation().getFile().toString().matches("%/boost/asio/%") and
+        isExprTls13BoostProtocol(e)
+      )
+    }
+  }
+
   /**
    * A TLS 1.3 protocol value that flows to the first argument of a context constructor.
    */
@@ -446,6 +521,21 @@ module BoostorgAsio {
 
   module SslContextCallTls13ProtocolFlow = SslContextCallGlobal<SslContextCallTls13ProtocolConfig>;
 
+  /**
+   * A generic TLS protocol value that flows to the first argument of a context constructor.
+   */
+  deprecated class SslContextCallTlsProtocolConfig extends SslContextCallAbstractConfig {
+    SslContextCallTlsProtocolConfig() { this = "SslContextCallTlsProtocolConfig" }
+
+    override predicate isSource(DataFlow::Node source) {
+      exists(Expr e | e = source.asExpr() |
+        e.fromSource() and
+        not e.getLocation().getFile().toString().matches("%/boost/asio/%") and
+        isExprTlsBoostProtocol(e)
+      )
+    }
+  }
+
   /**
    * A generic TLS protocol value that flows to the first argument of a context constructor.
    */
@@ -461,6 +551,30 @@ module BoostorgAsio {
 
   module SslContextCallTlsProtocolFlow = SslContextCallGlobal<SslContextCallTlsProtocolConfig>;
 
+  /**
+   * A context constructor call that flows to a call to `SetOptions()`.
+   */
+  deprecated class SslContextFlowsToSetOptionConfig extends DataFlow::Configuration {
+    SslContextFlowsToSetOptionConfig() { this = "SslContextFlowsToSetOptionConfig" }
+
+    override predicate isSource(DataFlow::Node source) {
+      exists(SslContextClass c, ConstructorCall cc |
+        cc = source.asExpr() and
+        c.getAContructorCall() = cc
+      )
+    }
+
+    override predicate isSink(DataFlow::Node sink) {
+      exists(FunctionCall fc, SslSetOptionsFunction f, Variable v, VariableAccess va |
+        va = sink.asExpr()
+      |
+        f.getACallToThisFunction() = fc and
+        v.getAnAccess() = va and
+        va = fc.getQualifier()
+      )
+    }
+  }
+
   /**
    * A context constructor call that flows to a call to `SetOptions()`.
    */
@@ -485,6 +599,28 @@ module BoostorgAsio {
 
   module SslContextFlowsToSetOptionFlow = DataFlow::Global<SslContextFlowsToSetOptionConfig>;
 
+  /**
+   * An option value that flows to the first parameter of a call to `SetOptions()`.
+   */
+  deprecated class SslOptionConfig extends DataFlow::Configuration {
+    SslOptionConfig() { this = "SslOptionConfig" }
+
+    override predicate isSource(DataFlow::Node source) {
+      exists(Expr e | e = source.asExpr() |
+        e.fromSource() and
+        not e.getLocation().getFile().toString().matches("%/boost/asio/%")
+      )
+    }
+
+    override predicate isSink(DataFlow::Node sink) {
+      exists(SslSetOptionsFunction f, FunctionCall call |
+        sink.asExpr() = call.getArgument(0) and
+        f.getACallToThisFunction() = call and
+        not sink.getLocation().getFile().toString().matches("%/boost/asio/%")
+      )
+    }
+  }
+
   /**
    * An option value that flows to the first parameter of a call to `SetOptions()`.
    */