Java: update @id of experimental ExecTainted.ql query

This reverts commit 0b59e408ba.

.codeqlmanifest.json

@@ -1,6 +1,4 @@
-{ "provide": [ "ruby/.codeqlmanifest.json",
-                "*/ql/src/qlpack.yml",
-               "*/ql/lib/qlpack.yml",
+{ "provide": [ "*/ql/src/qlpack.yml",
                "*/ql/test/qlpack.yml",
                "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml",
                "*/ql/examples/qlpack.yml",

.devcontainer/devcontainer.json

@@ -1,14 +1,9 @@
 {
   "extensions": [
-    "rust-lang.rust",
-    "bungcip.better-toml",
     "github.vscode-codeql",
     "slevesque.vscode-zipexplorer"
   ],
   "settings": {
-    "files.watcherExclude": {
-      "**/target/**": true
-    },
     "codeQL.runningQueries.memory": 2048
   }
 }

.gitattributes

@@ -48,6 +48,3 @@
 *.gif -text
 *.dll -text
 *.pdb -text
-
-java/ql/test/stubs/**/*.java linguist-generated=true
-java/ql/test/experimental/stubs/**/*.java linguist-generated=true

.github/actions/fetch-codeql/action.yml

@@ -1,14 +0,0 @@
-name: Fetch CodeQL
-description: Fetches the latest version of CodeQL
-runs:
-  using: composite
-  steps:
-    - name: Fetch CodeQL
-      shell: bash
-      run: |
-        LATEST=$(gh release list --repo https://github.com/github/codeql-cli-binaries | cut -f 1 | grep -v beta | sort --version-sort | tail -1)
-        gh release download --repo https://github.com/github/codeql-cli-binaries --pattern codeql-linux64.zip "$LATEST"
-        unzip -q codeql-linux64.zip
-        echo "${{ github.workspace }}/codeql" >> $GITHUB_PATH
-      env:
-        GITHUB_TOKEN: ${{ github.token }}

.github/dependabot.yml

@@ -1,18 +0,0 @@
-version: 2
-updates:
-  - package-ecosystem: "cargo"
-    directory: "ruby/node-types"
-    schedule:
-      interval: "daily"
-  - package-ecosystem: "cargo"
-    directory: "ruby/generator"
-    schedule:
-      interval: "daily"
-  - package-ecosystem: "cargo"
-    directory: "ruby/extractor"
-    schedule:
-      interval: "daily"
-  - package-ecosystem: "cargo"
-    directory: "ruby/autobuilder"
-    schedule:
-      interval: "daily"

.github/workflows/codeql-analysis.yml

@@ -11,8 +11,6 @@ on:
       - 'rc/*'
     paths:
       - 'csharp/**'
-      - '.github/codeql/**'
-      - '.github/workflows/codeql-analysis.yml'
   schedule:
     - cron: '0 9 * * 1'
 
@@ -40,8 +38,8 @@ jobs:
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
-    #- name: Autobuild
-    #  uses: github/codeql-action/autobuild@main
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@main
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -50,8 +48,9 @@ jobs:
     #    and modify them (or add more) to build your code if your project
     #    uses a compiled language
 
-    - run: |
-       dotnet build csharp
+    #- run: |
+    #   make bootstrap
+    #   make release
 
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@main

.github/workflows/csv-coverage-pr-artifacts.yml

@@ -49,23 +49,19 @@ jobs:
          gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
     - name: Unzip CodeQL CLI
       run: unzip -d codeql-cli codeql-linux64.zip
-    - name: Generate CSV files on merge commit of the PR
+    - name: Generate CSV files on merge and base of the PR
       run: |
         echo "Running generator on merge"
         PATH="$PATH:codeql-cli/codeql" python merge/misc/scripts/library-coverage/generate-report.py ci merge merge
         mkdir out_merge
         cp framework-coverage-*.csv out_merge/
         cp framework-coverage-*.rst out_merge/
-    - name: Generate CSV files on base commit of the PR
-      run: |
+
         echo "Running generator on base"
         PATH="$PATH:codeql-cli/codeql" python base/misc/scripts/library-coverage/generate-report.py ci base base
         mkdir out_base
         cp framework-coverage-*.csv out_base/
         cp framework-coverage-*.rst out_base/
-    - name: Generate diff of coverage reports
-      run: |
-        python base/misc/scripts/library-coverage/compare-folders.py out_base out_merge comparison.md
     - name: Upload CSV package list
       uses: actions/upload-artifact@v2
       with:
@@ -80,12 +76,6 @@ jobs:
         path: |
           out_base/framework-coverage-*.csv
           out_base/framework-coverage-*.rst
-    - name: Upload comparison results
-      uses: actions/upload-artifact@v2
-      with:
-        name: comparison
-        path: |
-          comparison.md
     - name: Save PR number
       run: |
         mkdir -p pr

.github/workflows/csv-coverage-pr-comment.yml

@@ -26,9 +26,40 @@ jobs:
       with:
         python-version: 3.8
 
-    - name: Check coverage difference file and comment
+    # download artifacts from the PR job:
+
+    - name: Download artifact - MERGE
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         RUN_ID: ${{ github.event.workflow_run.id }}
       run: |
-        python misc/scripts/library-coverage/comment-pr.py "$GITHUB_REPOSITORY" "$RUN_ID"
+        gh run download --name "csv-framework-coverage-merge" --dir "out_merge" "$RUN_ID"
+
+    - name: Download artifact - BASE
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        RUN_ID: ${{ github.event.workflow_run.id }}
+      run: |
+        gh run download --name "csv-framework-coverage-base" --dir "out_base" "$RUN_ID"
+
+    - name: Download artifact - PR
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        RUN_ID: ${{ github.event.workflow_run.id }}
+      run: |
+        gh run download --name "pr" --dir "pr" "$RUN_ID"
+
+    - name: Check coverage files
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        RUN_ID: ${{ github.event.workflow_run.id }}
+      run: |
+        PR=$(cat "pr/NR")
+        python misc/scripts/library-coverage/compare-files-comment-pr.py \
+          out_base out_merge comparison.md "$GITHUB_REPOSITORY" "$PR" "$RUN_ID"
+    - name: Upload comparison results
+      uses: actions/upload-artifact@v2
+      with:
+        name: comparison
+        path: |
+          comparison.md

.github/workflows/csv-coverage-update.yml

@@ -1,44 +0,0 @@
-name: Update framework coverage reports
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: "0 0 * * *"
-
-jobs:
-  update:
-    name: Update framework coverage report
-    if: github.repository == 'github/codeql'
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Dump GitHub context
-      env:
-        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
-      run: echo "$GITHUB_CONTEXT"
-    - name: Clone self (github/codeql)
-      uses: actions/checkout@v2
-      with:
-        path: ql
-        fetch-depth: 0
-    - name: Set up Python 3.8
-      uses: actions/setup-python@v2
-      with:
-        python-version: 3.8
-    - name: Download CodeQL CLI
-      env:
-         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      run: |
-         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
-    - name: Unzip CodeQL CLI
-      run: unzip -d codeql-cli codeql-linux64.zip
-
-    - name: Generate coverage files
-      run: |
-        PATH="$PATH:codeql-cli/codeql" python ql/misc/scripts/library-coverage/generate-report.py ci ql ql
-
-    - name: Create pull request with changes
-      env:
-         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      run: |
-        python ql/misc/scripts/library-coverage/create-pr.py ql "$GITHUB_REPOSITORY"

.github/workflows/qhelp-pr-preview.yml

@@ -1,39 +0,0 @@
-name: Query help preview
-
-on:
-  pull_request:
-    branches:
-      - main
-      - 'rc/*'
-    paths:
-      - "ruby/**/*.qhelp"
-
-jobs:
-  qhelp:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-        with:
-          fetch-depth: 2
-      - name: Determine changed files
-        id: changes
-        run: |
-          echo -n "::set-output name=qhelp_files::"
-          (git diff --name-only --diff-filter=ACMRT HEAD~1 HEAD | grep .qhelp$ | grep -v .inc.qhelp;
-           git diff --name-only --diff-filter=ACMRT HEAD~1 HEAD | grep .inc.qhelp$ | xargs -d '\n' -rn1 basename | xargs -d '\n' -rn1 git grep -l) |
-           sort -u | xargs -d '\n' -n1 printf "'%s' "
-
-      - uses: ./.github/actions/fetch-codeql
-
-      - name: QHelp preview
-        if: ${{ steps.changes.outputs.qhelp_files }}
-        run: |
-          ( echo "QHelp previews:";
-          for path in ${{ steps.changes.outputs.qhelp_files }} ; do
-            echo "<details> <summary>${path}</summary>"
-            echo
-            codeql generate query-help --format=markdown ${path}
-            echo "</details>"
-          done) | gh pr comment "${{ github.event.pull_request.number }}" -F -
-        env:
-          GITHUB_TOKEN: ${{ github.token }}

.github/workflows/ruby-build.yml

@@ -1,232 +0,0 @@
-name: "Ruby: Build"
-
-on:
-  push:
-    paths:
-      - 'ruby/**'
-    branches:
-      - main
-      - 'rc/*'
-  pull_request:
-    paths:
-      - 'ruby/**'
-    branches:
-      - main
-      - 'rc/*'
-  workflow_dispatch:
-    inputs:
-      tag:
-        description: "Version tag to create"
-        required: false
-
-env:
-  CARGO_TERM_COLOR: always
-
-defaults:
-  run:
-    working-directory: ruby
-
-jobs:
-  build:
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-
-    runs-on: ${{ matrix.os }}
-
-    steps:
-      - uses: actions/checkout@v2
-      - name: Install GNU tar
-        if: runner.os == 'macOS'
-        run: |
-          brew install gnu-tar
-          echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
-      - uses: actions/cache@v2
-        with:
-          path: |
-            ~/.cargo/registry
-            ~/.cargo/git
-            ruby/target
-          key: ${{ runner.os }}-rust-cargo-${{ hashFiles('**/Cargo.lock') }}
-      - name: Check formatting
-        run: cargo fmt --all -- --check
-      - name: Build
-        run: cargo build --verbose
-      - name: Run tests
-        run: cargo test --verbose
-      - name: Release build
-        run: cargo build --release
-      - name: Generate dbscheme
-        if: ${{ matrix.os == 'ubuntu-latest' }}
-        run: target/release/ruby-generator --dbscheme ql/lib/ruby.dbscheme --library ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
-      - uses: actions/upload-artifact@v2
-        if: ${{ matrix.os == 'ubuntu-latest' }}
-        with:
-          name: ruby.dbscheme
-          path: ruby/ql/lib/ruby.dbscheme
-      - uses: actions/upload-artifact@v2
-        if: ${{ matrix.os == 'ubuntu-latest' }}
-        with:
-          name: TreeSitter.qll
-          path: ruby/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
-      - uses: actions/upload-artifact@v2
-        with:
-          name: extractor-${{ matrix.os }}
-          path: |
-            ruby/target/release/ruby-autobuilder
-            ruby/target/release/ruby-autobuilder.exe
-            ruby/target/release/ruby-extractor
-            ruby/target/release/ruby-extractor.exe
-          retention-days: 1
-  compile-queries:
-    runs-on: ubuntu-latest
-    env:
-      CODEQL_THREADS: 4 # TODO: remove this once it's set by the CLI
-    steps:
-      - uses: actions/checkout@v2
-      - name: Fetch CodeQL
-        run: |
-          LATEST=$(gh release list --repo https://github.com/github/codeql-cli-binaries | cut -f 1 | grep -v beta | sort --version-sort | tail -1)
-          gh release download --repo https://github.com/github/codeql-cli-binaries --pattern codeql-linux64.zip "$LATEST"
-          unzip -q codeql-linux64.zip
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-      - name: Build Query Pack
-        run: |
-          codeql/codeql pack create ql/lib --output target/packs
-          codeql/codeql pack install ql/src
-          codeql/codeql pack create ql/src --output target/packs
-          PACK_FOLDER=$(readlink -f target/packs/codeql/ruby-queries/*)
-          codeql/codeql generate query-help --format=sarifv2.1.0 --output="${PACK_FOLDER}/rules.sarif" ql/src
-          (cd ql/src; find queries \( -name '*.qhelp' -o -name '*.rb' -o -name '*.erb' \) -exec bash -c 'mkdir -p "'"${PACK_FOLDER}"'/$(dirname "{}")"' \; -exec cp "{}" "${PACK_FOLDER}/{}" \;)
-      - name: Compile with previous CodeQL versions
-        run: |
-          for version in  $(gh release list --repo https://github.com/github/codeql-cli-binaries | cut -f 1 | sort --version-sort | tail -3 | head -2); do
-            rm -f codeql-linux64.zip
-            gh release download --repo https://github.com/github/codeql-cli-binaries --pattern codeql-linux64.zip "$version"
-            rm -rf codeql; unzip -q codeql-linux64.zip
-            codeql/codeql query compile target/packs/*
-          done
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-      - uses: actions/upload-artifact@v2
-        with:
-          name: codeql-ruby-queries
-          path: |
-            ruby/target/packs/*
-          retention-days: 1
-
-  package:
-    runs-on: ubuntu-latest
-    needs: [build, compile-queries]
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/download-artifact@v2
-        with:
-          name: ruby.dbscheme
-          path: ruby/ruby
-      - uses: actions/download-artifact@v2
-        with:
-          name: extractor-ubuntu-latest
-          path: ruby/linux64
-      - uses: actions/download-artifact@v2
-        with:
-          name: extractor-windows-latest
-          path: ruby/win64
-      - uses: actions/download-artifact@v2
-        with:
-          name: extractor-macos-latest
-          path: ruby/osx64
-      - run: |
-          mkdir -p ruby
-          cp -r codeql-extractor.yml tools ql/lib/ruby.dbscheme.stats ruby/
-          mkdir -p ruby/tools/{linux64,osx64,win64}
-          cp linux64/ruby-autobuilder ruby/tools/linux64/autobuilder
-          cp osx64/ruby-autobuilder ruby/tools/osx64/autobuilder
-          cp win64/ruby-autobuilder.exe ruby/tools/win64/autobuilder.exe
-          cp linux64/ruby-extractor ruby/tools/linux64/extractor
-          cp osx64/ruby-extractor ruby/tools/osx64/extractor
-          cp win64/ruby-extractor.exe ruby/tools/win64/extractor.exe
-          chmod +x ruby/tools/{linux64,osx64}/{autobuilder,extractor}
-          zip -rq codeql-ruby.zip ruby
-      - uses: actions/upload-artifact@v2
-        with:
-          name: codeql-ruby-pack
-          path: ruby/codeql-ruby.zip
-          retention-days: 1
-      - uses: actions/download-artifact@v2
-        with:
-          name: codeql-ruby-queries
-          path: ruby/qlpacks
-      - run: |
-          echo '{
-            "provide": [
-            "ruby/codeql-extractor.yml",
-            "qlpacks/*/*/*/qlpack.yml"
-            ]
-          }' > .codeqlmanifest.json
-          zip -rq codeql-ruby-bundle.zip .codeqlmanifest.json ruby qlpacks
-      - uses: actions/upload-artifact@v2
-        with:
-          name: codeql-ruby-bundle
-          path: ruby/codeql-ruby-bundle.zip
-          retention-days: 1
-
-  test:
-    defaults:
-      run:
-        working-directory: ${{ github.workspace }}
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-
-    runs-on: ${{ matrix.os }}
-    needs: [package]
-    steps:
-      - uses: actions/checkout@v2
-        with:
-          repository: Shopify/example-ruby-app
-          ref: 67a0decc5eb550f3a9228eda53925c3afd40dfe9
-      - name: Fetch CodeQL
-        shell: bash
-        run: |
-          LATEST=$(gh release list --repo https://github.com/github/codeql-cli-binaries | cut -f 1 | grep -v beta | sort --version-sort | tail -1)
-          gh release download --repo https://github.com/github/codeql-cli-binaries --pattern codeql.zip "$LATEST"
-          unzip -q codeql.zip
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-        working-directory: ${{ runner.temp }}
-      - name: Download Ruby bundle
-        uses: actions/download-artifact@v2
-        with:
-          name: codeql-ruby-bundle
-          path: ${{ runner.temp }}
-      - name: Unzip Ruby bundle
-        shell: bash
-        run: unzip -q -d "${{ runner.temp }}/ruby-bundle" "${{ runner.temp }}/codeql-ruby-bundle.zip"
-      - name: Prepare test files
-        shell: bash
-        run: |
-          echo "import ruby select count(File f)" > "test.ql"
-          echo "| 4 |" > "test.expected"
-          echo 'name: sample-tests
-          version: 0.0.0
-          dependencies:
-            codeql/ruby-all: 0.0.1
-          extractor: ruby
-          tests: .
-          ' > qlpack.yml
-      - name: Run QL test
-        shell: bash
-        run: |
-          "${{ runner.temp }}/codeql/codeql" test run --search-path "${{ runner.temp }}/ruby-bundle" --additional-packs "${{ runner.temp }}/ruby-bundle" .
-      - name: Create database
-        shell: bash
-        run: |
-          "${{ runner.temp }}/codeql/codeql" database create --search-path "${{ runner.temp }}/ruby-bundle" --language ruby --source-root . ../database
-      - name: Analyze database
-        shell: bash
-        run: |
-          "${{ runner.temp }}/codeql/codeql" database analyze --search-path "${{ runner.temp }}/ruby-bundle" --format=sarifv2.1.0 --output=out.sarif ../database ruby-code-scanning.qls

.github/workflows/ruby-dataset-measure.yml

@@ -1,71 +0,0 @@
-name: "Ruby: Collect database stats"
-
-on:
-  push:
-    branches:
-      - main
-      - 'rc/*'
-    paths:
-      - ruby/ql/lib/ruby.dbscheme
-  pull_request:
-    branches:
-      - main
-      - 'rc/*'
-    paths:
-      - ruby/ql/lib/ruby.dbscheme
-  workflow_dispatch:
-
-jobs:
-  measure:
-    env:
-      CODEQL_THREADS: 4 # TODO: remove this once it's set by the CLI
-    strategy:
-      fail-fast: false
-      matrix:
-        repo: [rails/rails, discourse/discourse, spree/spree]
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-
-      - uses: ./.github/actions/fetch-codeql
-
-      - uses: ./ruby/actions/create-extractor-pack
-
-      - name: Checkout ${{ matrix.repo }}
-        uses: actions/checkout@v2
-        with:
-          repository: ${{ matrix.repo }}
-          path: ${{ github.workspace }}/repo
-      - name: Create database
-        run: |
-          codeql database create \
-            --search-path "${{ github.workspace }}/ruby" \
-            --threads 4 \
-            --language ruby --source-root "${{ github.workspace }}/repo" \
-            "${{ runner.temp }}/database"
-      - name: Measure database
-        run: |
-          mkdir -p "stats/${{ matrix.repo }}"
-          codeql dataset measure --threads 4 --output "stats/${{ matrix.repo }}/stats.xml" "${{ runner.temp }}/database/db-ruby"
-      - uses: actions/upload-artifact@v2
-        with:
-          name: measurements
-          path: stats
-          retention-days: 1
-
-  merge:
-    runs-on: ubuntu-latest
-    needs: measure
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/download-artifact@v2
-        with:
-          name: measurements
-          path: stats
-      - run: |
-          python -m pip install --user lxml
-          find stats -name 'stats.xml' | sort | xargs python ruby/scripts/merge_stats.py --output ruby/ql/lib/ruby.dbscheme.stats --normalise ruby_tokeninfo
-      - uses: actions/upload-artifact@v2
-        with:
-          name: ruby.dbscheme.stats
-          path: ruby/ql/lib/ruby.dbscheme.stats

.github/workflows/ruby-qltest.yml

@@ -1,48 +0,0 @@
-name: "Ruby: Run QL Tests"
-
-on:
-  push:
-    paths:
-      - 'ruby/**'
-    branches:
-      - main
-      - 'rc/*'
-  pull_request:
-    paths:
-      - 'ruby/**'
-    branches:
-      - main
-      - 'rc/*'
-
-env:
-  CARGO_TERM_COLOR: always
-
-defaults:
-  run:
-    working-directory: ruby
-
-jobs:
-  qltest:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - uses: ./.github/actions/fetch-codeql
-      - uses: ./ruby/actions/create-extractor-pack
-      - name: Run QL tests
-        run: |
-          codeql test run --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --search-path "${{ github.workspace }}/ruby" --additional-packs "${{ github.workspace }}"  --consistency-queries ql/consistency-queries ql/test
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-      - name: Check QL formatting
-        run: find ql "(" -name "*.ql" -or -name "*.qll" ")" -print0 | xargs -0 codeql query format --check-only
-      - name: Check QL compilation
-        run: |
-          codeql query compile --check-only --threads=4 --warnings=error --search-path "${{ github.workspace }}/ruby" --additional-packs "${{ github.workspace }}" "ql/src" "ql/examples"
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-      - name: Check DB upgrade scripts
-        run: |
-          echo >empty.trap
-          codeql dataset import -S ql/lib/upgrades/initial/ruby.dbscheme testdb empty.trap
-          codeql dataset upgrade testdb --additional-packs ql/lib/upgrades
-          diff -q testdb/ruby.dbscheme ql/lib/ruby.dbscheme

.github/workflows/sync-files.yml

@@ -1,20 +0,0 @@
-name: Check synchronized files
-
-on:
-  push:
-    branches:
-      - main
-      - 'rc/*'
-  pull_request:
-    branches:
-      - main
-      - 'rc/*'
-
-jobs:
-  sync:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - name: Check synchronized files
-        run: python config/sync-files.py
-

CODEOWNERS

@@ -3,7 +3,6 @@
 /java/ @github/codeql-java
 /javascript/ @github/codeql-javascript
 /python/ @github/codeql-python
-/ruby/ @github/codeql-ruby
 
 # Make @xcorail (GitHub Security Lab) a code owner for experimental queries so he gets pinged when we promote a query out of experimental
 /cpp/**/experimental/**/* @github/codeql-c-analysis @xcorail
@@ -11,7 +10,6 @@
 /java/**/experimental/**/* @github/codeql-java @xcorail
 /javascript/**/experimental/**/* @github/codeql-javascript @xcorail
 /python/**/experimental/**/* @github/codeql-python @xcorail
-/ruby/**/experimental/**/* @github/codeql-ruby @xcorail
 
 # Notify members of codeql-go about PRs to the shared data-flow library files
 /java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll @github/codeql-java @github/codeql-go
@@ -19,9 +17,3 @@
 /java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll @github/codeql-java @github/codeql-go
 /java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll @github/codeql-java @github/codeql-go
 /java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll @github/codeql-java @github/codeql-go
-
-# CodeQL tools and associated docs
-/docs/codeql-cli/ @github/codeql-cli-reviewers
-/docs/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers
-/docs/ql-language-reference/ @github/codeql-frontend-reviewers
-/docs/query-*-style-guide.md @github/codeql-analysis-reviewers

config/identical-files.json

@@ -1,338 +1,332 @@
 {
   "DataFlow Java/C++/C#/Python": [
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll",
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll",
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll",
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll",
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll",
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll",
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl.qll"
+    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll",
+    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll",
+    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll",
+    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll",
+    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll",
+    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll",
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll",
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll",
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll",
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll",
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll",
+    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll",
+    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll",
+    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll",
+    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll"
   ],
   "DataFlow Java/C++/C#/Python Common": [
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplCommon.qll"
+    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll",
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll",
+    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll"
   ],
   "TaintTracking::Configuration Java/C++/C#/Python": [
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingImpl.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll",
-    "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking1/TaintTrackingImpl.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking2/TaintTrackingImpl.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingImpl.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll",
+    "java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
+    "python/ql/src/semmle/python/dataflow/new/internal/tainttracking1/TaintTrackingImpl.qll",
+    "python/ql/src/semmle/python/dataflow/new/internal/tainttracking2/TaintTrackingImpl.qll",
+    "python/ql/src/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll",
+    "python/ql/src/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll"
   ],
   "DataFlow Java/C++/C#/Python Consistency checks": [
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplConsistency.qll"
+    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll",
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
+    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll"
   ],
   "DataFlow Java/C# Flow Summaries": [
-    "java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImpl.qll"
+    "java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll"
   ],
   "SsaReadPosition Java/C#": [
-    "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
+    "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
   ],
   "Sign Java/C#": [
-    "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/Sign.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/Sign.qll"
+    "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/Sign.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/Sign.qll"
   ],
   "SignAnalysis Java/C#": [
-    "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll"
+    "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll"
   ],
   "Bound Java/C#": [
-    "java/ql/lib/semmle/code/java/dataflow/Bound.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll"
+    "java/ql/src/semmle/code/java/dataflow/Bound.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/Bound.qll"
   ],
   "ModulusAnalysis Java/C#": [
-    "java/ql/lib/semmle/code/java/dataflow/ModulusAnalysis.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/ModulusAnalysis.qll"
+    "java/ql/src/semmle/code/java/dataflow/ModulusAnalysis.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/ModulusAnalysis.qll"
   ],
   "C++ SubBasicBlocks": [
-    "cpp/ql/lib/semmle/code/cpp/controlflow/SubBasicBlocks.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/SubBasicBlocks.qll"
+    "cpp/ql/src/semmle/code/cpp/controlflow/SubBasicBlocks.qll",
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/SubBasicBlocks.qll"
   ],
   "IR Instruction": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/Instruction.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Instruction.qll"
   ],
   "IR IRBlock": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRBlock.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRBlock.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/IRBlock.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRBlock.qll"
   ],
   "IR IRVariable": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRVariable.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRVariable.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/IRVariable.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRVariable.qll"
   ],
   "IR IRFunction": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRFunction.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRFunction.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRFunction.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRFunction.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRFunction.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRFunction.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/IRFunction.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRFunction.qll"
   ],
   "IR Operand": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Operand.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Operand.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/Operand.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Operand.qll"
   ],
   "IR IRType": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/IRType.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/IRType.qll",
     "csharp/ql/src/experimental/ir/implementation/IRType.qll"
   ],
   "IR IRConfiguration": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/IRConfiguration.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/IRConfiguration.qll",
     "csharp/ql/src/experimental/ir/implementation/IRConfiguration.qll"
   ],
   "IR UseSoundEscapeAnalysis": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/UseSoundEscapeAnalysis.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/UseSoundEscapeAnalysis.qll",
     "csharp/ql/src/experimental/ir/implementation/UseSoundEscapeAnalysis.qll"
   ],
   "IR IRFunctionBase": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/IRFunctionBase.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/IRFunctionBase.qll",
     "csharp/ql/src/experimental/ir/implementation/internal/IRFunctionBase.qll"
   ],
   "IR Operand Tag": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/OperandTag.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/OperandTag.qll",
     "csharp/ql/src/experimental/ir/implementation/internal/OperandTag.qll"
   ],
   "IR TInstruction": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TInstruction.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TInstruction.qll",
     "csharp/ql/src/experimental/ir/implementation/internal/TInstruction.qll"
   ],
   "IR TIRVariable": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TIRVariable.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TIRVariable.qll",
     "csharp/ql/src/experimental/ir/implementation/internal/TIRVariable.qll"
   ],
   "IR IR": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IR.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IR.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IR.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IR.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/IR.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IR.qll"
   ],
   "IR IRConsistency": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRConsistency.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRConsistency.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRConsistency.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRConsistency.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/IRConsistency.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRConsistency.qll"
   ],
   "IR PrintIR": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/PrintIR.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/PrintIR.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/PrintIR.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/PrintIR.qll"
   ],
   "IR IntegerConstant": [
-    "cpp/ql/lib/semmle/code/cpp/ir/internal/IntegerConstant.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/internal/IntegerConstant.qll",
     "csharp/ql/src/experimental/ir/internal/IntegerConstant.qll"
   ],
   "IR IntegerInteval": [
-    "cpp/ql/lib/semmle/code/cpp/ir/internal/IntegerInterval.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/internal/IntegerInterval.qll",
     "csharp/ql/src/experimental/ir/internal/IntegerInterval.qll"
   ],
   "IR IntegerPartial": [
-    "cpp/ql/lib/semmle/code/cpp/ir/internal/IntegerPartial.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/internal/IntegerPartial.qll",
     "csharp/ql/src/experimental/ir/internal/IntegerPartial.qll"
   ],
   "IR Overlap": [
-    "cpp/ql/lib/semmle/code/cpp/ir/internal/Overlap.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/internal/Overlap.qll",
     "csharp/ql/src/experimental/ir/internal/Overlap.qll"
   ],
   "IR EdgeKind": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/EdgeKind.qll",
     "csharp/ql/src/experimental/ir/implementation/EdgeKind.qll"
   ],
   "IR MemoryAccessKind": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll",
     "csharp/ql/src/experimental/ir/implementation/MemoryAccessKind.qll"
   ],
   "IR TempVariableTag": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/TempVariableTag.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/TempVariableTag.qll",
     "csharp/ql/src/experimental/ir/implementation/TempVariableTag.qll"
   ],
   "IR Opcode": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/Opcode.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll",
     "csharp/ql/src/experimental/ir/implementation/Opcode.qll"
   ],
   "IR SSAConsistency": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConsistency.qll"
   ],
   "C++ IR InstructionImports": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/InstructionImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/InstructionImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/InstructionImports.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/InstructionImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/InstructionImports.qll"
   ],
   "C++ IR IRImports": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRImports.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRImports.qll"
   ],
   "C++ IR IRBlockImports": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRBlockImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRBlockImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRBlockImports.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRBlockImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRBlockImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRBlockImports.qll"
   ],
   "C++ IR IRFunctionImports": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRFunctionImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRFunctionImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRFunctionImports.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRFunctionImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRFunctionImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRFunctionImports.qll"
   ],
   "C++ IR IRVariableImports": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRVariableImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRVariableImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRVariableImports.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRVariableImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRVariableImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRVariableImports.qll"
   ],
   "C++ IR OperandImports": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/OperandImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/OperandImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/OperandImports.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/OperandImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/OperandImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/OperandImports.qll"
   ],
   "C++ IR PrintIRImports": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/PrintIRImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintIRImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintIRImports.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/PrintIRImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintIRImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintIRImports.qll"
   ],
   "C++ SSA SSAConstructionImports": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstructionImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstructionImports.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstructionImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstructionImports.qll"
   ],
   "SSA AliasAnalysis": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll"
   ],
   "SSA PrintAliasAnalysis": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintAliasAnalysis.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintAliasAnalysis.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintAliasAnalysis.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintAliasAnalysis.qll"
   ],
   "C++ SSA AliasAnalysisImports": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysisImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysisImports.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysisImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysisImports.qll"
   ],
   "C++ IR ValueNumberingImports": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingImports.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingImports.qll"
   ],
   "IR SSA SimpleSSA": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll"
   ],
   "IR AliasConfiguration (unaliased_ssa)": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll"
   ],
   "IR SSA SSAConstruction": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll"
   ],
   "IR SSA PrintSSA": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/PrintSSA.qll"
   ],
   "IR ValueNumberInternal": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingInternal.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingInternal.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll"
   ],
   "C++ IR ValueNumber": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/gvn/ValueNumbering.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll"
   ],
   "C++ IR PrintValueNumbering": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/PrintValueNumbering.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/PrintValueNumbering.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/PrintValueNumbering.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/PrintValueNumbering.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/PrintValueNumbering.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/PrintValueNumbering.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/gvn/PrintValueNumbering.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/PrintValueNumbering.qll"
   ],
   "C++ IR ConstantAnalysis": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/constant/ConstantAnalysis.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/constant/ConstantAnalysis.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/constant/ConstantAnalysis.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/constant/ConstantAnalysis.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/constant/ConstantAnalysis.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/constant/ConstantAnalysis.qll"
   ],
   "C++ IR PrintConstantAnalysis": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/constant/PrintConstantAnalysis.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/constant/PrintConstantAnalysis.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/constant/PrintConstantAnalysis.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/constant/PrintConstantAnalysis.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/constant/PrintConstantAnalysis.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/constant/PrintConstantAnalysis.qll"
   ],
   "C++ IR ReachableBlock": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/reachability/ReachableBlock.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/ReachableBlock.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/ReachableBlock.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/ReachableBlock.qll"
   ],
   "C++ IR PrintReachableBlock": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintReachableBlock.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintReachableBlock.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintReachableBlock.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintReachableBlock.qll"
   ],
   "C++ IR Dominance": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/reachability/Dominance.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/Dominance.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/Dominance.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/Dominance.qll"
   ],
   "C++ IR PrintDominance": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintDominance.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintDominance.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintDominance.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintDominance.qll"
   ],
   "C# IR InstructionImports": [
     "csharp/ql/src/experimental/ir/implementation/raw/internal/InstructionImports.qll",
@@ -367,14 +361,13 @@
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll"
   ],
   "C# ControlFlowReachability": [
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/ControlFlowReachability.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ControlFlowReachability.qll"
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/ControlFlowReachability.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/ControlFlowReachability.qll"
   ],
   "Inline Test Expectations": [
     "cpp/ql/test/TestUtilities/InlineExpectationsTest.qll",
     "java/ql/test/TestUtilities/InlineExpectationsTest.qll",
-    "python/ql/test/TestUtilities/InlineExpectationsTest.qll",
-    "ruby/ql/test/TestUtilities/InlineExpectationsTest.qll"
+    "python/ql/test/TestUtilities/InlineExpectationsTest.qll"
   ],
   "C++ ExternalAPIs": [
     "cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll",
@@ -385,11 +378,11 @@
     "cpp/ql/src/Security/CWE/CWE-020/ir/SafeExternalAPIFunction.qll"
   ],
   "XML": [
-    "cpp/ql/lib/semmle/code/cpp/XML.qll",
-    "csharp/ql/lib/semmle/code/csharp/XML.qll",
-    "java/ql/lib/semmle/code/xml/XML.qll",
-    "javascript/ql/lib/semmle/javascript/XML.qll",
-    "python/ql/lib/semmle/python/xml/XML.qll"
+    "cpp/ql/src/semmle/code/cpp/XML.qll",
+    "csharp/ql/src/semmle/code/csharp/XML.qll",
+    "java/ql/src/semmle/code/xml/XML.qll",
+    "javascript/ql/src/semmle/javascript/XML.qll",
+    "python/ql/src/semmle/python/xml/XML.qll"
   ],
   "DuplicationProblems.inc.qhelp": [
     "cpp/ql/src/Metrics/Files/DuplicationProblems.inc.qhelp",
@@ -443,39 +436,17 @@
     "python/ql/src/analysis/IDEContextual.qll"
   ],
   "SSA C#": [
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll",
-    "csharp/ql/lib/semmle/code/csharp/controlflow/internal/pressa/SsaImplCommon.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/basessa/SsaImplCommon.qll",
-    "csharp/ql/lib/semmle/code/cil/internal/SsaImplCommon.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/SsaImplCommon.qll"
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll",
+    "csharp/ql/src/semmle/code/csharp/controlflow/internal/pressa/SsaImplCommon.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/basessa/SsaImplCommon.qll",
+    "csharp/ql/src/semmle/code/cil/internal/SsaImplCommon.qll"
   ],
   "CryptoAlgorithms Python/JS": [
-    "javascript/ql/lib/semmle/javascript/security/CryptoAlgorithms.qll",
-    "python/ql/lib/semmle/python/concepts/CryptoAlgorithms.qll"
+    "javascript/ql/src/semmle/javascript/security/CryptoAlgorithms.qll",
+    "python/ql/src/semmle/python/concepts/CryptoAlgorithms.qll"
   ],
   "SensitiveDataHeuristics Python/JS": [
-    "javascript/ql/lib/semmle/javascript/security/internal/SensitiveDataHeuristics.qll",
-    "python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qll"
-  ],
-  "ReDoS Util Python/JS": [
-    "javascript/ql/lib/semmle/javascript/security/performance/ReDoSUtil.qll",
-    "python/ql/lib/semmle/python/security/performance/ReDoSUtil.qll"
-  ],
-  "ReDoS Exponential Python/JS": [
-    "javascript/ql/lib/semmle/javascript/security/performance/ExponentialBackTracking.qll",
-    "python/ql/lib/semmle/python/security/performance/ExponentialBackTracking.qll"
-  ],
-  "ReDoS Polynomial Python/JS": [
-    "javascript/ql/lib/semmle/javascript/security/performance/SuperlinearBackTracking.qll",
-    "python/ql/lib/semmle/python/security/performance/SuperlinearBackTracking.qll",
-    "ruby/ql/lib/codeql/ruby/regexp/SuperlinearBackTracking.qll"
-  ],
-  "CFG": [
-    "csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImplShared.qll",
-    "ruby/ql/lib/codeql/ruby/controlflow/internal/ControlFlowGraphImplShared.qll"
-  ],
-  "TypeTracker": [
-    "python/ql/lib/semmle/python/dataflow/new/internal/TypeTracker.qll",
-    "ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll"
+    "javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll",
+    "python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll"
   ]
 }

cpp/change-notes/2021-06-22-sql-tainted.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The 'Uncontrolled data in SQL query' (cpp/sql-injection) query now supports the `libpqxx` library.

cpp/change-notes/2021-06-24-dataflow-implicit-reads.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The DataFlow libraries have been augmented with support for `Configuration`-specific in-place read steps at, for example, sinks and custom taint steps. This means that it is now possible to specify sinks that accept flow with non-empty access paths.

cpp/change-notes/2021-06-24-uncontrolled-arithmetic.md

@@ -1,2 +0,0 @@
-lgtm
-* The 'Uncontrolled data in arithmetic expression' (cpp/uncontrolled-arithmetic) query now recognizes more sources of randomness.

cpp/change-notes/2021-06-30-wrong-type-format-argument.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The 'Wrong type of arguments to formatting function' (cpp/wrong-type-format-argument) query is now more accepting of the string and character formatting differences between Microsoft and non-Microsoft platforms.  There are now fewer false positive results.

cpp/change-notes/2021-07-13-cleartext-storage-file.md

@@ -1,3 +0,0 @@
-lgtm,codescanning
-* The "Cleartext storage of sensitive information in file" (cpp/cleartext-storage-file) query now uses dataflow to produce additional results.
-* Heuristics in the SensitiveExprs.qll library have been improved, making the "Cleartext storage of sensitive information in file" (cpp/cleartext-storage-file), "Cleartext storage of sensitive information in buffer" (cpp/cleartext-storage-buffer) and "Cleartext storage of sensitive information in an SQLite" (cpp/cleartext-storage-database) queries more accurate.

cpp/change-notes/2021-07-20-toctou-race-condition.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* Improvements have been made to the `cpp/toctou-race-condition` query, both to find more correct results and fewer false positive results.

cpp/change-notes/2021-07-27-uncontrolled-arithmetic.md

@@ -1,2 +0,0 @@
-lgtm
-* Improvements made to the (`cpp/uncontrolled-arithmetic`) query, reducing the frequency of false positive results.

cpp/change-notes/2021-07-29-virtual-function-declaration-specifiers.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* Virtual function specifiers are now accessible via the new predicates on `Function` (`.isDeclaredVirtual`, `.isOverride`, and `.isFinal`).

cpp/change-notes/2021-08-10-has-trailing-return-type.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* Added `Function.hasTrailingReturnType` predicate to check whether a function was declared with a trailing return type.

cpp/change-notes/2021-08-17-has-c-linkage.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* Added `RoutineType.hasCLinkage` predicate to check whether a function type has "C" language linkage.

cpp/change-notes/2021-08-23-ctime-weaken-claims.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* Lowered the precision of `cpp/potentially-dangerous-function` so it is run but not displayed on LGTM by default and so it's only run and displayed on Code Scanning if a broader suite like `cpp-security-extended` is opted into.

cpp/change-notes/2021-08-23-getPrimaryQlClasses.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* Added `Element.getPrimaryQlClasses()` predicate, which gets a comma-separated list of the names of the primary CodeQL classes to which this element belongs.

cpp/change-notes/2021-08-24-implicit-downcast-from-bitfield.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The query `cpp/implicit-bitfield-downcast` now accounts for C++ reference types, which leads to more true positive results.

cpp/change-notes/2021-08-31-range-analysis-upper-bound.md

@@ -1,4 +0,0 @@
-lgtm,codescanning
-* The `SimpleRangeAnalysis` library includes information from the
-  immediate guard for determining the upper bound of a stack
-  variable for improved accuracy.

cpp/change-notes/2021-09-13-overflow-static.md

@@ -1,4 +0,0 @@
-lgtm,codescanning
-* The `memberMayBeVarSize` predicate considers more fields to be variable size.
-  As a result, the "Static buffer overflow" query (cpp/static-buffer-overflow)
-  produces fewer false positives.

cpp/ql/examples/qlpack.lock.yml

@@ -1,4 +0,0 @@
----
-dependencies: {}
-compiled: false
-lockVersion: 1.0.0

cpp/ql/examples/qlpack.yml

@@ -1,4 +1,3 @@
-name: codeql/cpp-examples
-version: 0.0.2
-dependencies:
-  codeql/cpp-all: "*"
+name: codeql-cpp-examples
+version: 0.0.0
+libraryPathDependencies: codeql-cpp

cpp/ql/lib/qlpack.lock.yml

@@ -1,4 +0,0 @@
----
-dependencies: {}
-compiled: false
-lockVersion: 1.0.0

cpp/ql/lib/qlpack.yml

@@ -1,7 +0,0 @@
-name: codeql/cpp-all
-version: 0.0.2
-dbscheme: semmlecode.cpp.dbscheme
-extractor: cpp
-library: true
-dependencies:
-  codeql/cpp-upgrades: 0.0.2

cpp/ql/lib/semmle/code/cpp/Element.qll

@@ -1,297 +0,0 @@
-/**
- * Provides the `Element` class, which is the base class for all classes representing C or C++
- * program elements.
- */
-
-import semmle.code.cpp.Location
-private import semmle.code.cpp.Enclosing
-private import semmle.code.cpp.internal.ResolveClass
-
-/**
- * Get the `Element` that represents this `@element`.
- * Normally this will simply be a cast of `e`, but sometimes it is not.
- * For example, for an incomplete struct `e` the result may be a
- * complete struct with the same name.
- */
-pragma[inline]
-Element mkElement(@element e) { unresolveElement(result) = e }
-
-/**
- * INTERNAL: Do not use.
- *
- * Gets an `@element` that resolves to the `Element`. This should
- * normally only be called from member predicates, where `e` is not
- * `this` and you need the result for an argument to a database
- * extensional.
- * See `underlyingElement` for when `e` is `this`.
- */
-pragma[inline]
-@element unresolveElement(Element e) {
-  not result instanceof @usertype and
-  result = e
-  or
-  e = resolveClass(result)
-}
-
-/**
- * INTERNAL: Do not use.
- *
- * Gets the `@element` that this `Element` extends. This should normally
- * only be called from member predicates, where `e` is `this` and you
- * need the result for an argument to a database extensional.
- * See `unresolveElement` for when `e` is not `this`.
- */
-@element underlyingElement(Element e) { result = e }
-
-/**
- * A C/C++ element with no member predicates other than `toString`. Not for
- * general use. This class does not define a location, so classes wanting to
- * change their location without affecting other classes can extend
- * `ElementBase` instead of `Element` to create a new rootdef for `getURL`,
- * `getLocation`, or `hasLocationInfo`.
- */
-class ElementBase extends @element {
-  /** Gets a textual representation of this element. */
-  cached
-  string toString() { none() }
-
-  /** DEPRECATED: use `getAPrimaryQlClass` instead. */
-  deprecated string getCanonicalQLClass() { result = this.getAPrimaryQlClass() }
-
-  /**
-   * Gets a comma-separated list of the names of the primary CodeQL classes to which this element belongs.
-   */
-  final string getPrimaryQlClasses() { result = concat(getAPrimaryQlClass(), ",") }
-
-  /**
-   * Gets the name of a primary CodeQL class to which this element belongs.
-   *
-   * For most elements, this is simply the most precise syntactic category to
-   * which they belong; for example, `AddExpr` is a primary class, but
-   * `BinaryOperation` is not.
-   *
-   * This predicate can have multiple results if multiple primary classes match.
-   * For some elements, this predicate may not have a result.
-   */
-  string getAPrimaryQlClass() { none() }
-}
-
-/**
- * A C/C++ element. This class is the base class for all C/C++
- * elements, such as functions, classes, expressions, and so on.
- */
-class Element extends ElementBase {
-  /** Gets the primary file where this element occurs. */
-  File getFile() { result = this.getLocation().getFile() }
-
-  /**
-   * Holds if this element may be from source. This predicate holds for all
-   * elements, except for those in the dummy file, whose name is the empty string.
-   * The dummy file contains declarations that are built directly into the compiler.
-   */
-  predicate fromSource() { this.getFile().fromSource() }
-
-  /**
-   * Holds if this element may be from a library.
-   *
-   * DEPRECATED: always true.
-   */
-  deprecated predicate fromLibrary() { this.getFile().fromLibrary() }
-
-  /** Gets the primary location of this element. */
-  Location getLocation() { none() }
-
-  /**
-   * Gets the source of this element: either itself or a macro that expanded
-   * to this element.
-   *
-   * If the element is not in a macro expansion, then the "root" is just
-   * the element itself. Otherwise, it is the definition of the innermost
-   * macro whose expansion the element is in.
-   *
-   * This method is useful for filtering macro results in checks: simply
-   * blame `e.findRootCause` rather than `e`. This will report only bugs
-   * that are not in macros, and in addition report macros that (somewhere)
-   * expand to a bug.
-   */
-  Element findRootCause() {
-    if exists(MacroInvocation mi | this = mi.getAGeneratedElement())
-    then
-      exists(MacroInvocation mi |
-        this = mi.getAGeneratedElement() and
-        not exists(MacroInvocation closer |
-          this = closer.getAGeneratedElement() and
-          mi = closer.getParentInvocation+()
-        ) and
-        result = mi.getMacro()
-      )
-    else result = this
-  }
-
-  /**
-   * Gets the parent scope of this `Element`, if any.
-   * A scope is a `Type` (`Class` / `Enum`), a `Namespace`, a `BlockStmt`, a `Function`,
-   * or certain kinds of `Statement`.
-   */
-  Element getParentScope() {
-    // result instanceof class
-    exists(Declaration m |
-      m = this and
-      result = m.getDeclaringType() and
-      not this instanceof EnumConstant
-    )
-    or
-    exists(TemplateClass tc | this = tc.getATemplateArgument() and result = tc)
-    or
-    // result instanceof namespace
-    exists(Namespace n | result = n and n.getADeclaration() = this)
-    or
-    exists(FriendDecl d, Namespace n | this = d and n.getADeclaration() = d and result = n)
-    or
-    exists(Namespace n | this = n and result = n.getParentNamespace())
-    or
-    // result instanceof stmt
-    exists(LocalVariable v |
-      this = v and
-      exists(DeclStmt ds | ds.getADeclaration() = v and result = ds.getParent())
-    )
-    or
-    exists(Parameter p | this = p and result = p.getFunction())
-    or
-    exists(GlobalVariable g, Namespace n | this = g and n.getADeclaration() = g and result = n)
-    or
-    exists(EnumConstant e | this = e and result = e.getDeclaringEnum())
-    or
-    // result instanceof block|function
-    exists(BlockStmt b | this = b and blockscope(unresolveElement(b), unresolveElement(result)))
-    or
-    exists(TemplateFunction tf | this = tf.getATemplateArgument() and result = tf)
-    or
-    // result instanceof stmt
-    exists(ControlStructure s | this = s and result = s.getParent())
-    or
-    using_container(unresolveElement(result), underlyingElement(this))
-  }
-
-  /**
-   * Holds if this element comes from a macro expansion. Only elements that
-   * are entirely generated by a macro are included - for elements that
-   * partially come from a macro, see `isAffectedByMacro`.
-   */
-  predicate isInMacroExpansion() { inMacroExpansion(this) }
-
-  /**
-   * Holds if this element is affected in any way by a macro. All elements
-   * that are totally or partially generated by a macro are included, so
-   * this is a super-set of `isInMacroExpansion`.
-   */
-  predicate isAffectedByMacro() { affectedByMacro(this) }
-
-  private Element getEnclosingElementPref() {
-    enclosingfunction(underlyingElement(this), unresolveElement(result)) or
-    result.(Function) = stmtEnclosingElement(this) or
-    this.(LocalScopeVariable).getFunction() = result or
-    enumconstants(underlyingElement(this), unresolveElement(result), _, _, _, _) or
-    derivations(underlyingElement(this), unresolveElement(result), _, _, _) or
-    stmtparents(underlyingElement(this), _, unresolveElement(result)) or
-    exprparents(underlyingElement(this), _, unresolveElement(result)) or
-    namequalifiers(underlyingElement(this), unresolveElement(result), _, _) or
-    initialisers(underlyingElement(this), unresolveElement(result), _, _) or
-    exprconv(unresolveElement(result), underlyingElement(this)) or
-    param_decl_bind(underlyingElement(this), _, unresolveElement(result)) or
-    using_container(unresolveElement(result), underlyingElement(this)) or
-    static_asserts(unresolveElement(this), _, _, _, underlyingElement(result))
-  }
-
-  /** Gets the closest `Element` enclosing this one. */
-  cached
-  Element getEnclosingElement() {
-    result = getEnclosingElementPref()
-    or
-    not exists(getEnclosingElementPref()) and
-    (
-      this = result.(Class).getAMember()
-      or
-      result = exprEnclosingElement(this)
-      or
-      var_decls(underlyingElement(this), unresolveElement(result), _, _, _)
-    )
-  }
-
-  /**
-   * Holds if this `Element` is a part of a template instantiation (but not
-   * the template itself).
-   */
-  predicate isFromTemplateInstantiation(Element instantiation) {
-    exists(Element e | isFromTemplateInstantiationRec(e, instantiation) |
-      this = e or
-      this.(DeclarationEntry).getDeclaration() = e
-    )
-  }
-
-  /**
-   * Holds if this `Element` is part of a template `template` (not if it is
-   * part of an instantiation of `template`). This means it is represented in
-   * the database purely as syntax and without guarantees on the presence or
-   * correctness of type-based operations such as implicit conversions.
-   *
-   * If an element is nested within several templates, this predicate holds with
-   * a value of `template` for each containing template.
-   */
-  predicate isFromUninstantiatedTemplate(Element template) {
-    exists(Element e | isFromUninstantiatedTemplateRec(e, template) |
-      this = e or
-      this.(DeclarationEntry).getDeclaration() = e
-    )
-  }
-}
-
-private predicate isFromTemplateInstantiationRec(Element e, Element instantiation) {
-  instantiation.(Function).isConstructedFrom(_) and
-  e = instantiation
-  or
-  instantiation.(Class).isConstructedFrom(_) and
-  e = instantiation
-  or
-  instantiation.(Variable).isConstructedFrom(_) and
-  e = instantiation
-  or
-  isFromTemplateInstantiationRec(e.getEnclosingElement(), instantiation)
-}
-
-private predicate isFromUninstantiatedTemplateRec(Element e, Element template) {
-  is_class_template(unresolveElement(template)) and
-  e = template
-  or
-  is_function_template(unresolveElement(template)) and
-  e = template
-  or
-  is_variable_template(unresolveElement(template)) and
-  e = template
-  or
-  isFromUninstantiatedTemplateRec(e.getEnclosingElement(), template)
-}
-
-/**
- * A C++11 `static_assert` or C11 `_Static_assert` construct. For example each
- * line in the following example contains a static assert:
- * ```
- * static_assert(sizeof(MyStruct) <= 4096);
- * static_assert(sizeof(MyStruct) <= 4096, "MyStruct is too big!");
- * ```
- */
-class StaticAssert extends Locatable, @static_assert {
-  override string toString() { result = "static_assert(..., \"" + getMessage() + "\")" }
-
-  /**
-   * Gets the expression which this static assertion ensures is true.
-   */
-  Expr getCondition() { static_asserts(underlyingElement(this), unresolveElement(result), _, _, _) }
-
-  /**
-   * Gets the message which will be reported by the compiler if this static assertion fails.
-   */
-  string getMessage() { static_asserts(underlyingElement(this), _, result, _, _) }
-
-  override Location getLocation() { static_asserts(underlyingElement(this), _, _, result, _) }
-}

cpp/ql/lib/semmle/code/cpp/File.qll

@@ -1,448 +0,0 @@
-/**
- * Provides classes representing files and folders.
- */
-
-import semmle.code.cpp.Element
-import semmle.code.cpp.Declaration
-import semmle.code.cpp.metrics.MetricFile
-
-/** A file or folder. */
-class Container extends Locatable, @container {
-  /**
-   * Gets the absolute, canonical path of this container, using forward slashes
-   * as path separator.
-   *
-   * The path starts with a _root prefix_ followed by zero or more _path
-   * segments_ separated by forward slashes.
-   *
-   * The root prefix is of one of the following forms:
-   *
-   *   1. A single forward slash `/` (Unix-style)
-   *   2. An upper-case drive letter followed by a colon and a forward slash,
-   *      such as `C:/` (Windows-style)
-   *   3. Two forward slashes, a computer name, and then another forward slash,
-   *      such as `//FileServer/` (UNC-style)
-   *
-   * Path segments are never empty (that is, absolute paths never contain two
-   * contiguous slashes, except as part of a UNC-style root prefix). Also, path
-   * segments never contain forward slashes, and no path segment is of the
-   * form `.` (one dot) or `..` (two dots).
-   *
-   * Note that an absolute path never ends with a forward slash, except if it is
-   * a bare root prefix, that is, the path has no path segments. A container
-   * whose absolute path has no segments is always a `Folder`, not a `File`.
-   */
-  string getAbsolutePath() { none() } // overridden by subclasses
-
-  /**
-   * DEPRECATED: Use `getLocation` instead.
-   * Gets a URL representing the location of this container.
-   *
-   * For more information see [Providing URLs](https://help.semmle.com/QL/learn-ql/ql/locations.html#providing-urls).
-   */
-  deprecated string getURL() { none() } // overridden by subclasses
-
-  /**
-   * Gets the relative path of this file or folder from the root folder of the
-   * analyzed source location. The relative path of the root folder itself is
-   * the empty string.
-   *
-   * This has no result if the container is outside the source root, that is,
-   * if the root folder is not a reflexive, transitive parent of this container.
-   */
-  string getRelativePath() {
-    exists(string absPath, string pref |
-      absPath = getAbsolutePath() and sourceLocationPrefix(pref)
-    |
-      absPath = pref and result = ""
-      or
-      absPath = pref.regexpReplaceAll("/$", "") + "/" + result and
-      not result.matches("/%")
-    )
-  }
-
-  /**
-   * Gets the base name of this container including extension, that is, the last
-   * segment of its absolute path, or the empty string if it has no segments.
-   *
-   * Here are some examples of absolute paths and the corresponding base names
-   * (surrounded with quotes to avoid ambiguity):
-   *
-   * <table border="1">
-   * <tr><th>Absolute path</th><th>Base name</th></tr>
-   * <tr><td>"/tmp/tst.js"</td><td>"tst.js"</td></tr>
-   * <tr><td>"C:/Program Files (x86)"</td><td>"Program Files (x86)"</td></tr>
-   * <tr><td>"/"</td><td>""</td></tr>
-   * <tr><td>"C:/"</td><td>""</td></tr>
-   * <tr><td>"D:/"</td><td>""</td></tr>
-   * <tr><td>"//FileServer/"</td><td>""</td></tr>
-   * </table>
-   */
-  string getBaseName() {
-    result = getAbsolutePath().regexpCapture(".*/(([^/]*?)(?:\\.([^.]*))?)", 1)
-  }
-
-  /**
-   * Gets the extension of this container, that is, the suffix of its base name
-   * after the last dot character, if any.
-   *
-   * In particular,
-   *
-   *  - if the name does not include a dot, there is no extension, so this
-   *    predicate has no result;
-   *  - if the name ends in a dot, the extension is the empty string;
-   *  - if the name contains multiple dots, the extension follows the last dot.
-   *
-   * Here are some examples of absolute paths and the corresponding extensions
-   * (surrounded with quotes to avoid ambiguity):
-   *
-   * <table border="1">
-   * <tr><th>Absolute path</th><th>Extension</th></tr>
-   * <tr><td>"/tmp/tst.js"</td><td>"js"</td></tr>
-   * <tr><td>"/tmp/.classpath"</td><td>"classpath"</td></tr>
-   * <tr><td>"/bin/bash"</td><td>not defined</td></tr>
-   * <tr><td>"/tmp/tst2."</td><td>""</td></tr>
-   * <tr><td>"/tmp/x.tar.gz"</td><td>"gz"</td></tr>
-   * </table>
-   */
-  string getExtension() { result = getAbsolutePath().regexpCapture(".*/([^/]*?)(\\.([^.]*))?", 3) }
-
-  /**
-   * Gets the stem of this container, that is, the prefix of its base name up to
-   * (but not including) the last dot character if there is one, or the entire
-   * base name if there is not.
-   *
-   * Here are some examples of absolute paths and the corresponding stems
-   * (surrounded with quotes to avoid ambiguity):
-   *
-   * <table border="1">
-   * <tr><th>Absolute path</th><th>Stem</th></tr>
-   * <tr><td>"/tmp/tst.js"</td><td>"tst"</td></tr>
-   * <tr><td>"/tmp/.classpath"</td><td>""</td></tr>
-   * <tr><td>"/bin/bash"</td><td>"bash"</td></tr>
-   * <tr><td>"/tmp/tst2."</td><td>"tst2"</td></tr>
-   * <tr><td>"/tmp/x.tar.gz"</td><td>"x.tar"</td></tr>
-   * </table>
-   */
-  string getStem() { result = getAbsolutePath().regexpCapture(".*/([^/]*?)(?:\\.([^.]*))?", 1) }
-
-  /** Gets the parent container of this file or folder, if any. */
-  Container getParentContainer() {
-    containerparent(unresolveElement(result), underlyingElement(this))
-  }
-
-  /** Gets a file or sub-folder in this container. */
-  Container getAChildContainer() { this = result.getParentContainer() }
-
-  /** Gets a file in this container. */
-  File getAFile() { result = getAChildContainer() }
-
-  /** Gets the file in this container that has the given `baseName`, if any. */
-  File getFile(string baseName) {
-    result = getAFile() and
-    result.getBaseName() = baseName
-  }
-
-  /** Gets a sub-folder in this container. */
-  Folder getAFolder() { result = getAChildContainer() }
-
-  /** Gets the sub-folder in this container that has the given `baseName`, if any. */
-  Folder getFolder(string baseName) {
-    result = getAFolder() and
-    result.getBaseName() = baseName
-  }
-
-  /**
-   * Gets a textual representation of the path of this container.
-   *
-   * This is the absolute path of the container.
-   */
-  override string toString() { result = getAbsolutePath() }
-}
-
-/**
- * A folder that was observed on disk during the build process.
- *
- * For the example folder name of "/usr/home/me", the path decomposes to:
- *
- *  1. "/usr/home" - see `getParentContainer`.
- *  2. "me" - see `getBaseName`.
- *
- * To get the full path, use `getAbsolutePath`.
- */
-class Folder extends Container, @folder {
-  override string getAbsolutePath() { folders(underlyingElement(this), result) }
-
-  override Location getLocation() {
-    result.getContainer() = this and
-    result.hasLocationInfo(_, 0, 0, 0, 0)
-  }
-
-  override string getAPrimaryQlClass() { result = "Folder" }
-
-  /**
-   * DEPRECATED: Use `getLocation` instead.
-   * Gets the URL of this folder.
-   */
-  deprecated override string getURL() { result = "file://" + this.getAbsolutePath() + ":0:0:0:0" }
-
-  /**
-   * DEPRECATED: use `getAbsolutePath` instead.
-   * Gets the name of this folder.
-   */
-  deprecated string getName() { folders(underlyingElement(this), result) }
-
-  /**
-   * DEPRECATED: use `getAbsolutePath` instead.
-   * Holds if this element is named `name`.
-   */
-  deprecated predicate hasName(string name) { name = this.getName() }
-
-  /**
-   * DEPRECATED: use `getAbsolutePath` instead.
-   * Gets the full name of this folder.
-   */
-  deprecated string getFullName() { result = this.getName() }
-
-  /**
-   * DEPRECATED: use `getBaseName` instead.
-   * Gets the last part of the folder name.
-   */
-  deprecated string getShortName() { result = this.getBaseName() }
-
-  /**
-   * DEPRECATED: use `getParentContainer` instead.
-   * Gets the parent folder.
-   */
-  deprecated Folder getParent() {
-    containerparent(unresolveElement(result), underlyingElement(this))
-  }
-}
-
-/**
- * A file that was observed on disk during the build process.
- *
- * For the example filename of "/usr/home/me/myprogram.c", the filename
- * decomposes to:
- *
- *  1. "/usr/home/me" - see `getParentContainer`.
- *  2. "myprogram.c" - see `getBaseName`.
- *
- * The base name further decomposes into the _stem_ and _extension_ -- see
- * `getStem` and `getExtension`. To get the full path, use `getAbsolutePath`.
- */
-class File extends Container, @file {
-  override string getAbsolutePath() { files(underlyingElement(this), result) }
-
-  override string toString() { result = Container.super.toString() }
-
-  override string getAPrimaryQlClass() { result = "File" }
-
-  override Location getLocation() {
-    result.getContainer() = this and
-    result.hasLocationInfo(_, 0, 0, 0, 0)
-  }
-
-  /**
-   * DEPRECATED: Use `getLocation` instead.
-   * Gets the URL of this file.
-   */
-  deprecated override string getURL() { result = "file://" + this.getAbsolutePath() + ":0:0:0:0" }
-
-  /** Holds if this file was compiled as C (at any point). */
-  predicate compiledAsC() { fileannotations(underlyingElement(this), 1, "compiled as c", "1") }
-
-  /** Holds if this file was compiled as C++ (at any point). */
-  predicate compiledAsCpp() { fileannotations(underlyingElement(this), 1, "compiled as c++", "1") }
-
-  /**
-   * Holds if this file was compiled by a Microsoft compiler (at any point).
-   *
-   * Note: currently unreliable - on some projects only some of the files that
-   * are compiled by a Microsoft compiler are detected by this predicate.
-   */
-  predicate compiledAsMicrosoft() {
-    exists(File f, Compilation c |
-      c.getAFileCompiled() = f and
-      (
-        c.getAnArgument() = "--microsoft" or
-        c.getAnArgument()
-            .toLowerCase()
-            .replaceAll("\\", "/")
-            .matches(["%/cl.exe", "%/clang-cl.exe"])
-      ) and
-      f.getAnIncludedFile*() = this
-    )
-  }
-
-  /** Gets a top-level element declared in this file. */
-  Declaration getATopLevelDeclaration() { result.getAFile() = this and result.isTopLevel() }
-
-  /** Gets a declaration in this file. */
-  Declaration getADeclaration() { result.getAFile() = this }
-
-  /** Holds if this file uses the given macro. */
-  predicate usesMacro(Macro m) {
-    exists(MacroInvocation mi |
-      mi.getFile() = this and
-      mi.getMacro() = m
-    )
-  }
-
-  /**
-   * Gets a file that is directly included from this file (using a
-   * pre-processor directive like `#include`).
-   */
-  File getAnIncludedFile() {
-    exists(Include i | i.getFile() = this and i.getIncludedFile() = result)
-  }
-
-  /**
-   * Holds if this file may be from source. This predicate holds for all files
-   * except the dummy file, whose name is the empty string, which contains
-   * declarations that are built into the compiler.
-   */
-  override predicate fromSource() { numlines(underlyingElement(this), _, _, _) }
-
-  /**
-   * Holds if this file may be from a library.
-   *
-   * DEPRECATED: For historical reasons this is true for any file.
-   */
-  deprecated override predicate fromLibrary() { any() }
-
-  /** Gets the metric file. */
-  MetricFile getMetrics() { result = this }
-
-  /**
-   * Gets the remainder of the base name after the first dot character. Note
-   * that the name of this predicate is in plural form, unlike `getExtension`,
-   * which gets the remainder of the base name after the _last_ dot character.
-   *
-   * Predicates `getStem` and `getExtension` should be preferred over
-   * `getShortName` and `getExtensions` since the former pair is compatible
-   * with the file libraries of other languages.
-   * Note the slight difference between this predicate and `getStem`:
-   * for example, for "file.tar.gz", this predicate will have the result
-   * "tar.gz", while `getExtension` will have the result "gz".
-   */
-  string getExtensions() {
-    exists(string name, int firstDotPos |
-      name = this.getBaseName() and
-      firstDotPos = min([name.indexOf("."), name.length() - 1]) and
-      result = name.suffix(firstDotPos + 1)
-    )
-  }
-
-  /**
-   * Gets the short name of this file, that is, the prefix of its base name up
-   * to (but not including) the first dot character if there is one, or the
-   * entire base name if there is not. For example, if the full name is
-   * "/path/to/filename.a.bcd" then the short name is "filename".
-   *
-   * Predicates `getStem` and `getExtension` should be preferred over
-   * `getShortName` and `getExtensions` since the former pair is compatible
-   * with the file libraries of other languages.
-   * Note the slight difference between this predicate and `getStem`:
-   * for example, for "file.tar.gz", this predicate will have the result
-   * "file", while `getStem` will have the result "file.tar".
-   */
-  string getShortName() {
-    exists(string name, int firstDotPos |
-      name = this.getBaseName() and
-      firstDotPos = min([name.indexOf("."), name.length()]) and
-      result = name.prefix(firstDotPos)
-    )
-    or
-    this.getAbsolutePath() = "" and
-    result = ""
-  }
-}
-
-/**
- * Holds if any file was compiled by a Microsoft compiler.
- */
-predicate anyFileCompiledAsMicrosoft() { any(File f).compiledAsMicrosoft() }
-
-/**
- * A C/C++ header file, as determined (mainly) by file extension.
- *
- * For the related notion of whether a file is included anywhere (using a
- * pre-processor directive like `#include`), use `Include.getIncludedFile`.
- */
-class HeaderFile extends File {
-  HeaderFile() {
-    this.getExtension().toLowerCase() =
-      ["h", "r", "hpp", "hxx", "h++", "hh", "hp", "tcc", "tpp", "txx", "t++"]
-    or
-    not exists(this.getExtension()) and
-    exists(Include i | i.getIncludedFile() = this)
-  }
-
-  override string getAPrimaryQlClass() { result = "HeaderFile" }
-
-  /**
-   * Holds if this header file does not contain any declaration entries or top level
-   * declarations.  For example it might be:
-   *  - a file containing only preprocessor directives and/or comments
-   *  - an empty file
-   *  - a file that contains non-top level code or data that's included in an
-   *    unusual way
-   */
-  predicate noTopLevelCode() {
-    not exists(DeclarationEntry de | de.getFile() = this) and
-    not exists(Declaration d | d.getFile() = this and d.isTopLevel()) and
-    not exists(UsingEntry ue | ue.getFile() = this)
-  }
-}
-
-/**
- * A C source file, as determined by file extension.
- *
- * For the related notion of whether a file is compiled as C code, use
- * `File.compiledAsC`.
- */
-class CFile extends File {
-  CFile() { this.getExtension().toLowerCase() = ["c", "i"] }
-
-  override string getAPrimaryQlClass() { result = "CFile" }
-}
-
-/**
- * A C++ source file, as determined by file extension.
- *
- * For the related notion of whether a file is compiled as C++ code, use
- * `File.compiledAsCpp`.
- */
-class CppFile extends File {
-  CppFile() {
-    this.getExtension().toLowerCase() =
-      ["cpp", "cxx", "c++", "cc", "cp", "icc", "ipp", "ixx", "i++", "ii"]
-    // Note: .C files are indistinguishable from .c files on some
-    // file systems, so we just treat them as CFile's.
-  }
-
-  override string getAPrimaryQlClass() { result = "CppFile" }
-}
-
-/**
- * DEPRECATED: Objective-C is no longer supported.
- * An Objective C source file, as determined by file extension.
- *
- * For the related notion of whether a file is compiled as Objective C
- * code, use `File.compiledAsObjC`.
- */
-deprecated class ObjCFile extends File {
-  ObjCFile() { none() }
-}
-
-/**
- * DEPRECATED: Objective-C is no longer supported.
- * An Objective C++ source file, as determined by file extension.
- *
- * For the related notion of whether a file is compiled as Objective C++
- * code, use `File.compiledAsObjCpp`.
- */
-deprecated class ObjCppFile extends File {
-  ObjCppFile() { none() }
-}

cpp/ql/lib/semmle/code/cpp/Variable.qll

@@ -1,608 +0,0 @@
-/**
- * Provides classes for modeling variables and their declarations.
- */
-
-import semmle.code.cpp.Element
-import semmle.code.cpp.exprs.Access
-import semmle.code.cpp.Initializer
-private import semmle.code.cpp.internal.ResolveClass
-
-/**
- * A C/C++ variable. For example, in the following code there are four
- * variables, `a`, `b`, `c` and `d`:
- * ```
- * extern int a;
- * int a;
- *
- * void myFunction(int b) {
- *   int c;
- * }
- *
- * namespace N {
- *   extern int d;
- *   int d = 1;
- * }
- * ```
- *
- * For local variables, there is a one-to-one correspondence between
- * `Variable` and `VariableDeclarationEntry`.
- *
- * For other types of variable, there is a one-to-many relationship between
- * `Variable` and `VariableDeclarationEntry`. For example, a `Parameter`
- * can have multiple declarations.
- */
-class Variable extends Declaration, @variable {
-  override string getAPrimaryQlClass() { result = "Variable" }
-
-  /** Gets the initializer of this variable, if any. */
-  Initializer getInitializer() { result.getDeclaration() = this }
-
-  /** Holds if this variable has an initializer. */
-  predicate hasInitializer() { exists(this.getInitializer()) }
-
-  /** Gets an access to this variable. */
-  VariableAccess getAnAccess() { result.getTarget() = this }
-
-  /**
-   * Gets a specifier of this variable. This includes `extern`, `static`,
-   * `auto`, `private`, `protected`, `public`. Specifiers of the *type* of
-   * this variable, such as `const` and `volatile`, are instead accessed
-   * through `this.getType().getASpecifier()`.
-   */
-  override Specifier getASpecifier() {
-    varspecifiers(underlyingElement(this), unresolveElement(result))
-  }
-
-  /** Gets an attribute of this variable. */
-  Attribute getAnAttribute() { varattributes(underlyingElement(this), unresolveElement(result)) }
-
-  /** Holds if this variable is `const`. */
-  predicate isConst() { this.getType().isConst() }
-
-  /** Holds if this variable is `volatile`. */
-  predicate isVolatile() { this.getType().isVolatile() }
-
-  /** Gets the name of this variable. */
-  override string getName() { none() }
-
-  /** Gets the type of this variable. */
-  Type getType() { none() }
-
-  /** Gets the type of this variable, after typedefs have been resolved. */
-  Type getUnderlyingType() { result = this.getType().getUnderlyingType() }
-
-  /**
-   * Gets the type of this variable, after specifiers have been deeply
-   * stripped and typedefs have been resolved.
-   */
-  Type getUnspecifiedType() { result = this.getType().getUnspecifiedType() }
-
-  /**
-   * Gets the type of this variable prior to deduction caused by the C++11
-   * `auto` keyword.
-   *
-   * If the type of this variable was not declared with the C++11 `auto`
-   * keyword, then this predicate does not hold.
-   *
-   * If the type of this variable is completely `auto`, then `result` is an
-   * instance of `AutoType`. For example:
-   *
-   *   `auto four = 4;`
-   *
-   * If the type of this variable is partially `auto`, then a descendant of
-   * `result` is an instance of `AutoType`. For example:
-   *
-   *   `const auto& c = container;`
-   */
-  Type getTypeWithAuto() { autoderivation(underlyingElement(this), unresolveElement(result)) }
-
-  /**
-   * Holds if the type of this variable is declared using the C++ `auto`
-   * keyword.
-   */
-  predicate declaredUsingAutoType() { autoderivation(underlyingElement(this), _) }
-
-  override VariableDeclarationEntry getADeclarationEntry() { result.getDeclaration() = this }
-
-  override Location getADeclarationLocation() { result = getADeclarationEntry().getLocation() }
-
-  override VariableDeclarationEntry getDefinition() {
-    result = getADeclarationEntry() and
-    result.isDefinition()
-  }
-
-  override Location getDefinitionLocation() { result = getDefinition().getLocation() }
-
-  override Location getLocation() {
-    if exists(getDefinition())
-    then result = this.getDefinitionLocation()
-    else result = this.getADeclarationLocation()
-  }
-
-  /**
-   * Gets an expression that is assigned to this variable somewhere in the
-   * program.
-   */
-  Expr getAnAssignedValue() {
-    result = this.getInitializer().getExpr()
-    or
-    exists(ConstructorFieldInit cfi | cfi.getTarget() = this and result = cfi.getExpr())
-    or
-    exists(AssignExpr ae | ae.getLValue().(Access).getTarget() = this and result = ae.getRValue())
-    or
-    exists(ClassAggregateLiteral l | result = l.getFieldExpr(this))
-  }
-
-  /**
-   * Gets an assignment expression that assigns to this variable.
-   * For example: `x=...` or `x+=...`.
-   *
-   * This does _not_ include the initialization of the variable. Use
-   * `Variable.getInitializer()` to get the variable's initializer,
-   * or use `Variable.getAnAssignedValue()` to get an expression that
-   * is the right-hand side of an assignment or an initialization of
-   * the varible.
-   */
-  Assignment getAnAssignment() { result.getLValue() = this.getAnAccess() }
-
-  /**
-   * Holds if this variable is `constexpr`.
-   */
-  predicate isConstexpr() { this.hasSpecifier("is_constexpr") }
-
-  /**
-   * Holds if this variable is declared `constinit`.
-   */
-  predicate isConstinit() { this.hasSpecifier("declared_constinit") }
-
-  /**
-   * Holds if this variable is `thread_local`.
-   */
-  predicate isThreadLocal() { this.hasSpecifier("is_thread_local") }
-
-  /**
-   * Holds if this variable is constructed from `v` as a result
-   * of template instantiation. If so, it originates either from a template
-   * variable or from a variable nested in a template class.
-   */
-  predicate isConstructedFrom(Variable v) {
-    variable_instantiation(underlyingElement(this), unresolveElement(v))
-  }
-
-  /**
-   * Holds if this is a compiler-generated variable. For example, a
-   * [range-based for loop](http://en.cppreference.com/w/cpp/language/range-for)
-   * typically has three compiler-generated variables, named `__range`,
-   * `__begin`, and `__end`:
-   *
-   *    `for (char c : str) { ... }`
-   */
-  predicate isCompilerGenerated() { compgenerated(underlyingElement(this)) }
-}
-
-/**
- * A particular declaration or definition of a C/C++ variable. For example, in
- * the following code there are six variable declaration entries - two each for
- * `a` and `d`, and one each for `b` and `c`:
- * ```
- * extern int a;
- * int a;
- *
- * void myFunction(int b) {
- *   int c;
- * }
- *
- * namespace N {
- *   extern int d;
- *   int d = 1;
- * }
- * ```
- */
-class VariableDeclarationEntry extends DeclarationEntry, @var_decl {
-  override Variable getDeclaration() { result = getVariable() }
-
-  override string getAPrimaryQlClass() { result = "VariableDeclarationEntry" }
-
-  /**
-   * Gets the variable which is being declared or defined.
-   */
-  Variable getVariable() { var_decls(underlyingElement(this), unresolveElement(result), _, _, _) }
-
-  /**
-   * Gets the name, if any, used for the variable at this declaration or
-   * definition.
-   *
-   * In most cases, this will be the name of the variable itself. The only
-   * case in which it can differ is in a parameter declaration entry,
-   * because the parameter may have a different name in the declaration
-   * than in the definition. For example:
-   *
-   * ```
-   * // Declaration. Parameter is named "x".
-   * int f(int x);
-   *
-   * // Definition. Parameter is named "y".
-   * int f(int y) { return y; }
-   * ```
-   */
-  override string getName() { var_decls(underlyingElement(this), _, _, result, _) and result != "" }
-
-  /**
-   * Gets the type of the variable which is being declared or defined.
-   */
-  override Type getType() { var_decls(underlyingElement(this), _, unresolveElement(result), _, _) }
-
-  override Location getLocation() { var_decls(underlyingElement(this), _, _, _, result) }
-
-  /**
-   * Holds if this is a definition of a variable.
-   *
-   * This always holds for local variables and member variables, but need
-   * not hold for global variables. In the case of function parameters,
-   * this holds precisely when the enclosing `FunctionDeclarationEntry` is
-   * a definition.
-   */
-  override predicate isDefinition() { var_def(underlyingElement(this)) }
-
-  override string getASpecifier() { var_decl_specifiers(underlyingElement(this), result) }
-}
-
-/**
- * A parameter as described within a particular declaration or definition
- * of a C/C++ function. For example the declaration of `a` in the following
- * code:
- * ```
- * void myFunction(int a) {
- *   int b;
- * }
- * ```
- */
-class ParameterDeclarationEntry extends VariableDeclarationEntry {
-  ParameterDeclarationEntry() { param_decl_bind(underlyingElement(this), _, _) }
-
-  override string getAPrimaryQlClass() { result = "ParameterDeclarationEntry" }
-
-  /**
-   * Gets the function declaration or definition which this parameter
-   * description is part of.
-   */
-  FunctionDeclarationEntry getFunctionDeclarationEntry() {
-    param_decl_bind(underlyingElement(this), _, unresolveElement(result))
-  }
-
-  /**
-   * Gets the zero-based index of this parameter.
-   */
-  int getIndex() { param_decl_bind(underlyingElement(this), result, _) }
-
-  private string getAnonymousParameterDescription() {
-    not exists(getName()) and
-    exists(string idx |
-      idx =
-        ((getIndex() + 1).toString() + "th")
-            .replaceAll("1th", "1st")
-            .replaceAll("2th", "2nd")
-            .replaceAll("3th", "3rd")
-            .replaceAll("11st", "11th")
-            .replaceAll("12nd", "12th")
-            .replaceAll("13rd", "13th") and
-      if exists(getCanonicalName())
-      then result = "declaration of " + getCanonicalName() + " as anonymous " + idx + " parameter"
-      else result = "declaration of " + idx + " parameter"
-    )
-  }
-
-  override string toString() {
-    isDefinition() and
-    result = "definition of " + getName()
-    or
-    not isDefinition() and
-    if getName() = getCanonicalName()
-    then result = "declaration of " + getName()
-    else result = "declaration of " + getCanonicalName() + " as " + getName()
-    or
-    result = getAnonymousParameterDescription()
-  }
-
-  /**
-   * Gets the name of this `ParameterDeclarationEntry` including it's type.
-   *
-   * For example: "int p".
-   */
-  string getTypedName() {
-    exists(string typeString, string nameString |
-      (if exists(getType().getName()) then typeString = getType().getName() else typeString = "") and
-      (if exists(getName()) then nameString = getName() else nameString = "") and
-      if typeString != "" and nameString != ""
-      then result = typeString + " " + nameString
-      else result = typeString + nameString
-    )
-  }
-}
-
-/**
- * A C/C++ variable with block scope [N4140 3.3.3]. In other words, a local
- * variable or a function parameter. For example, the variables `a`, `b` and
- * `c` in the following code:
- * ```
- * void myFunction(int a) {
- *   int b;
- *   static int c;
- * }
- * ```
- *
- * See also `StackVariable`, which is the class of local-scope variables
- * without statics and thread-locals.
- */
-class LocalScopeVariable extends Variable, @localscopevariable {
-  /** Gets the function to which this variable belongs. */
-  Function getFunction() { none() } // overridden in subclasses
-}
-
-/**
- * A C/C++ variable with _automatic storage duration_. In other words, a
- * function parameter or a local variable that is not static or thread-local.
- * For example, the variables `a` and `b` in the following code.
- * ```
- * void myFunction(int a) {
- *   int b;
- *   static int c;
- * }
- * ```
- */
-class StackVariable extends LocalScopeVariable {
-  StackVariable() {
-    not this.isStatic() and
-    not this.isThreadLocal()
-  }
-}
-
-/**
- * A C/C++ local variable. In other words, any variable that has block
- * scope [N4140 3.3.3], but is not a parameter of a `Function` or `CatchBlock`.
- * For example the variables `b` and `c` in the following code:
- * ```
- * void myFunction(int a) {
- *   int b;
- *   static int c;
- * }
- * ```
- *
- * Local variables can be static; use the `isStatic` member predicate to detect
- * those.
- *
- * A local variable can be declared by a `DeclStmt` or a `ConditionDeclExpr`.
- */
-class LocalVariable extends LocalScopeVariable, @localvariable {
-  override string getAPrimaryQlClass() { result = "LocalVariable" }
-
-  override string getName() { localvariables(underlyingElement(this), _, result) }
-
-  override Type getType() { localvariables(underlyingElement(this), unresolveElement(result), _) }
-
-  override Function getFunction() {
-    exists(DeclStmt s | s.getADeclaration() = this and s.getEnclosingFunction() = result)
-    or
-    exists(ConditionDeclExpr e | e.getVariable() = this and e.getEnclosingFunction() = result)
-  }
-}
-
-/**
- * A variable whose contents always have static storage duration. This can be a
- * global variable, a namespace variable, a static local variable, or a static
- * member variable.
- */
-class StaticStorageDurationVariable extends Variable {
-  StaticStorageDurationVariable() {
-    this instanceof GlobalOrNamespaceVariable
-    or
-    this.(LocalVariable).isStatic()
-    or
-    this.(MemberVariable).isStatic()
-  }
-
-  /**
-   * Holds if the initializer for this variable is evaluated at runtime.
-   */
-  predicate hasDynamicInitialization() {
-    runtimeExprInStaticInitializer(this.getInitializer().getExpr())
-  }
-}
-
-/**
- * Holds if `e` is an expression in a static initializer that must be evaluated
- * at run time. This predicate computes "is non-const" instead of "is const"
- * since computing "is const" for an aggregate literal with many children would
- * either involve recursion through `forall` on those children or an iteration
- * through the rank numbers of the children, both of which can be slow.
- */
-private predicate runtimeExprInStaticInitializer(Expr e) {
-  inStaticInitializer(e) and
-  if e instanceof AggregateLiteral // in sync with the cast in `inStaticInitializer`
-  then runtimeExprInStaticInitializer(e.getAChild())
-  else not e.getFullyConverted().isConstant()
-}
-
-/**
- * Holds if `e` is the initializer of a `StaticStorageDurationVariable`, either
- * directly or below some top-level `AggregateLiteral`s.
- */
-private predicate inStaticInitializer(Expr e) {
-  exists(StaticStorageDurationVariable var | e = var.getInitializer().getExpr())
-  or
-  // The cast to `AggregateLiteral` ensures we only compute what'll later be
-  // needed by `runtimeExprInStaticInitializer`.
-  inStaticInitializer(e.getParent().(AggregateLiteral))
-}
-
-/**
- * A C++ local variable declared as `static`.
- */
-class StaticLocalVariable extends LocalVariable, StaticStorageDurationVariable { }
-
-/**
- * A C/C++ variable which has global scope or namespace scope. For example the
- * variables `a` and `b` in the following code:
- * ```
- * int a;
- *
- * namespace N {
- *   int b;
- * }
- * ```
- */
-class GlobalOrNamespaceVariable extends Variable, @globalvariable {
-  override string getName() { globalvariables(underlyingElement(this), _, result) }
-
-  override Type getType() { globalvariables(underlyingElement(this), unresolveElement(result), _) }
-
-  override Element getEnclosingElement() { none() }
-}
-
-/**
- * A C/C++ variable which has namespace scope. For example the variable `b`
- * in the following code:
- * ```
- * int a;
- *
- * namespace N {
- *   int b;
- * }
- * ```
- */
-class NamespaceVariable extends GlobalOrNamespaceVariable {
-  NamespaceVariable() {
-    exists(Namespace n | namespacembrs(unresolveElement(n), underlyingElement(this)))
-  }
-
-  override string getAPrimaryQlClass() { result = "NamespaceVariable" }
-}
-
-/**
- * A C/C++ variable which has global scope. For example the variable `a`
- * in the following code:
- * ```
- * int a;
- *
- * namespace N {
- *   int b;
- * }
- * ```
- *
- * Note that variables declared in anonymous namespaces have namespace scope,
- * even though they are accessed in the same manner as variables declared in
- * the enclosing scope of said namespace (which may be the global scope).
- */
-class GlobalVariable extends GlobalOrNamespaceVariable {
-  GlobalVariable() { not this instanceof NamespaceVariable }
-
-  override string getAPrimaryQlClass() { result = "GlobalVariable" }
-}
-
-/**
- * A C structure member or C++ member variable. For example the member
- * variables `m` and `s` in the following code:
- * ```
- * class MyClass {
- * public:
- *   int m;
- *   static int s;
- * };
- * ```
- *
- * This includes static member variables in C++. To exclude static member
- * variables, use `Field` instead of `MemberVariable`.
- */
-class MemberVariable extends Variable, @membervariable {
-  MemberVariable() { this.isMember() }
-
-  override string getAPrimaryQlClass() { result = "MemberVariable" }
-
-  /** Holds if this member is private. */
-  predicate isPrivate() { this.hasSpecifier("private") }
-
-  /** Holds if this member is protected. */
-  predicate isProtected() { this.hasSpecifier("protected") }
-
-  /** Holds if this member is public. */
-  predicate isPublic() { this.hasSpecifier("public") }
-
-  override string getName() { membervariables(underlyingElement(this), _, result) }
-
-  override Type getType() {
-    if strictcount(this.getAType()) = 1
-    then result = this.getAType()
-    else
-      // In rare situations a member variable may have multiple types in
-      // different translation units. In that case, we return the unspecified
-      // type.
-      result = this.getAType().getUnspecifiedType()
-  }
-
-  /** Holds if this member is mutable. */
-  predicate isMutable() { getADeclarationEntry().hasSpecifier("mutable") }
-
-  private Type getAType() { membervariables(underlyingElement(this), unresolveElement(result), _) }
-}
-
-/**
- * A C/C++ function pointer variable.
- *
- * DEPRECATED: use `Variable.getType() instanceof FunctionPointerType` instead.
- */
-deprecated class FunctionPointerVariable extends Variable {
-  FunctionPointerVariable() { this.getType() instanceof FunctionPointerType }
-}
-
-/**
- * A C/C++ function pointer member variable.
- *
- * DEPRECATED: use `MemberVariable.getType() instanceof FunctionPointerType` instead.
- */
-deprecated class FunctionPointerMemberVariable extends MemberVariable {
-  FunctionPointerMemberVariable() { this instanceof FunctionPointerVariable }
-}
-
-/**
- * A C++14 variable template. For example, in the following code the variable
- * template `v` defines a family of variables:
- * ```
- * template<class T>
- * T v;
- * ```
- */
-class TemplateVariable extends Variable {
-  TemplateVariable() { is_variable_template(underlyingElement(this)) }
-
-  /**
-   * Gets an instantiation of this variable template.
-   */
-  Variable getAnInstantiation() { result.isConstructedFrom(this) }
-}
-
-/**
- * A non-static local variable or parameter that is not part of an
- * uninstantiated template. Uninstantiated templates are purely syntax, and
- * only on instantiation will they be complete with information about types,
- * conversions, call targets, etc. For example in the following code, the
- * variables `a` in `myFunction` and `b` in the instantiation
- * `myTemplateFunction<int>`, but not `b` in the template
- * `myTemplateFunction<T>`:
- * ```
- * void myFunction() {
- *   float a;
- * }
- *
- * template<typename T>
- * void myTemplateFunction() {
- *   T b;
- * }
- *
- * ...
- *
- * myTemplateFunction<int>();
- * ```
- */
-class SemanticStackVariable extends StackVariable {
-  SemanticStackVariable() { not this.isFromUninstantiatedTemplate(_) }
-}

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll

@@ -1,285 +0,0 @@
-private import cpp
-private import DataFlowUtil
-private import DataFlowDispatch
-private import FlowVar
-
-/** Gets the instance argument of a non-static call. */
-private Node getInstanceArgument(Call call) {
-  result.asExpr() = call.getQualifier()
-  or
-  result.(PreObjectInitializerNode).getExpr().(ConstructorCall) = call
-  // This does not include the implicit `this` argument on auto-generated
-  // base class destructor calls as those do not have an AST element.
-}
-
-/** An argument to a call. */
-private class Argument extends Expr {
-  Call call;
-  int pos;
-
-  Argument() { call.getArgument(pos) = this }
-
-  /** Gets the call that has this argument. */
-  Call getCall() { result = call }
-
-  /** Gets the position of this argument. */
-  int getPosition() { result = pos }
-}
-
-/**
- * A data flow node that occurs as the argument of a call and is passed as-is
- * to the callable. Arguments that are wrapped in an implicit varargs array
- * creation are not included, but the implicitly created array is.
- * Instance arguments are also included.
- */
-class ArgumentNode extends Node {
-  ArgumentNode() {
-    exists(Argument arg | this.asExpr() = arg) or
-    this = getInstanceArgument(_)
-  }
-
-  /**
-   * Holds if this argument occurs at the given position in the given call.
-   * The instance argument is considered to have index `-1`.
-   */
-  predicate argumentOf(DataFlowCall call, int pos) {
-    exists(Argument arg | this.asExpr() = arg | call = arg.getCall() and pos = arg.getPosition())
-    or
-    pos = -1 and this = getInstanceArgument(call)
-  }
-
-  /** Gets the call in which this node is an argument. */
-  DataFlowCall getCall() { this.argumentOf(result, _) }
-}
-
-private newtype TReturnKind =
-  TNormalReturnKind() or
-  TRefReturnKind(int i) { exists(Parameter parameter | i = parameter.getIndex()) }
-
-/**
- * A return kind. A return kind describes how a value can be returned
- * from a callable. For C++, this is simply a function return.
- */
-class ReturnKind extends TReturnKind {
-  /** Gets a textual representation of this return kind. */
-  string toString() {
-    this instanceof TNormalReturnKind and
-    result = "return"
-    or
-    this instanceof TRefReturnKind and
-    result = "ref"
-  }
-}
-
-/** A data flow node that represents a returned value in the called function. */
-abstract class ReturnNode extends Node {
-  /** Gets the kind of this returned value. */
-  abstract ReturnKind getKind();
-}
-
-/** A `ReturnNode` that occurs as the result of a `ReturnStmt`. */
-private class NormalReturnNode extends ReturnNode, ExprNode {
-  NormalReturnNode() { exists(ReturnStmt ret | this.getExpr() = ret.getExpr()) }
-
-  /** Gets the kind of this returned value. */
-  override ReturnKind getKind() { result = TNormalReturnKind() }
-}
-
-/**
- * A `ReturnNode` that occurs as a result of a definition of a reference
- * parameter reaching the end of a function body.
- */
-private class RefReturnNode extends ReturnNode, RefParameterFinalValueNode {
-  /** Gets the kind of this returned value. */
-  override ReturnKind getKind() { result = TRefReturnKind(this.getParameter().getIndex()) }
-}
-
-/** A data flow node that represents the output of a call at the call site. */
-abstract class OutNode extends Node {
-  /** Gets the underlying call. */
-  abstract DataFlowCall getCall();
-}
-
-private class ExprOutNode extends OutNode, ExprNode {
-  ExprOutNode() { this.getExpr() instanceof Call }
-
-  /** Gets the underlying call. */
-  override DataFlowCall getCall() { result = this.getExpr() }
-}
-
-private class RefOutNode extends OutNode, DefinitionByReferenceOrIteratorNode {
-  /** Gets the underlying call. */
-  override DataFlowCall getCall() { result = this.getArgument().getParent() }
-}
-
-/**
- * Gets a node that can read the value returned from `call` with return kind
- * `kind`.
- */
-OutNode getAnOutNode(DataFlowCall call, ReturnKind kind) {
-  result = call.getNode() and
-  kind = TNormalReturnKind()
-  or
-  exists(int i |
-    result.(DefinitionByReferenceOrIteratorNode).getArgument() = call.getArgument(i) and
-    kind = TRefReturnKind(i)
-  )
-}
-
-/**
- * Holds if data can flow from `node1` to `node2` in a way that loses the
- * calling context. For example, this would happen with flow through a
- * global or static variable.
- */
-predicate jumpStep(Node n1, Node n2) { none() }
-
-/**
- * Holds if data can flow from `node1` to `node2` via an assignment to `f`.
- * Thus, `node2` references an object with a field `f` that contains the
- * value of `node1`.
- */
-predicate storeStep(Node node1, Content f, PostUpdateNode node2) {
-  exists(ClassAggregateLiteral aggr, Field field |
-    // The following line requires `node2` to be both an `ExprNode` and a
-    // `PostUpdateNode`, which means it must be an `ObjectInitializerNode`.
-    node2.asExpr() = aggr and
-    f.(FieldContent).getField() = field and
-    aggr.getFieldExpr(field) = node1.asExpr()
-  )
-  or
-  exists(FieldAccess fa |
-    exists(Assignment a |
-      node1.asExpr() = a and
-      a.getLValue() = fa
-    ) and
-    node2.getPreUpdateNode().asExpr() = fa.getQualifier() and
-    f.(FieldContent).getField() = fa.getTarget()
-  )
-  or
-  exists(ConstructorFieldInit cfi |
-    node2.getPreUpdateNode().(PreConstructorInitThis).getConstructorFieldInit() = cfi and
-    f.(FieldContent).getField() = cfi.getTarget() and
-    node1.asExpr() = cfi.getExpr()
-  )
-}
-
-/**
- * Holds if data can flow from `node1` to `node2` via a read of `f`.
- * Thus, `node1` references an object with a field `f` whose value ends up in
- * `node2`.
- */
-predicate readStep(Node node1, Content f, Node node2) {
-  exists(FieldAccess fr |
-    node1.asExpr() = fr.getQualifier() and
-    fr.getTarget() = f.(FieldContent).getField() and
-    fr = node2.asExpr() and
-    not fr = any(AssignExpr a).getLValue()
-  )
-}
-
-/**
- * Holds if values stored inside content `c` are cleared at node `n`.
- */
-predicate clearsContent(Node n, Content c) {
-  none() // stub implementation
-}
-
-/** Gets the type of `n` used for type pruning. */
-Type getNodeType(Node n) {
-  suppressUnusedNode(n) and
-  result instanceof VoidType // stub implementation
-}
-
-/** Gets a string representation of a type returned by `getNodeType`. */
-string ppReprType(Type t) { none() } // stub implementation
-
-/**
- * Holds if `t1` and `t2` are compatible, that is, whether data can flow from
- * a node of type `t1` to a node of type `t2`.
- */
-pragma[inline]
-predicate compatibleTypes(Type t1, Type t2) {
-  any() // stub implementation
-}
-
-private predicate suppressUnusedNode(Node n) { any() }
-
-//////////////////////////////////////////////////////////////////////////////
-// Java QL library compatibility wrappers
-//////////////////////////////////////////////////////////////////////////////
-/** A node that performs a type cast. */
-class CastNode extends Node {
-  CastNode() { none() } // stub implementation
-}
-
-class DataFlowCallable = Function;
-
-class DataFlowExpr = Expr;
-
-class DataFlowType = Type;
-
-/** A function call relevant for data flow. */
-class DataFlowCall extends Expr {
-  DataFlowCall() { this instanceof Call }
-
-  /**
-   * Gets the nth argument for this call.
-   *
-   * The range of `n` is from `0` to `getNumberOfArguments() - 1`.
-   */
-  Expr getArgument(int n) { result = this.(Call).getArgument(n) }
-
-  /** Gets the data flow node corresponding to this call. */
-  ExprNode getNode() { result.getExpr() = this }
-
-  /** Gets the enclosing callable of this call. */
-  Function getEnclosingCallable() { result = this.getEnclosingFunction() }
-}
-
-predicate isUnreachableInCall(Node n, DataFlowCall call) { none() } // stub implementation
-
-int accessPathLimit() { result = 5 }
-
-/** The unit type. */
-private newtype TUnit = TMkUnit()
-
-/** The trivial type with a single element. */
-class Unit extends TUnit {
-  /** Gets a textual representation of this element. */
-  string toString() { result = "unit" }
-}
-
-/**
- * Holds if `n` does not require a `PostUpdateNode` as it either cannot be
- * modified or its modification cannot be observed, for example if it is a
- * freshly created object that is not saved in a variable.
- *
- * This predicate is only used for consistency checks.
- */
-predicate isImmutableOrUnobservable(Node n) {
-  // Is the null pointer (or something that's not really a pointer)
-  exists(n.asExpr().getValue())
-  or
-  // Isn't a pointer or is a pointer to const
-  forall(DerivedType dt | dt = n.asExpr().getActualType() |
-    dt.getBaseType().isConst()
-    or
-    dt.getBaseType() instanceof RoutineType
-  )
-  // The above list of cases isn't exhaustive, but it narrows down the
-  // consistency alerts enough that most of them are interesting.
-}
-
-/** Holds if `n` should be hidden from path explanations. */
-predicate nodeIsHidden(Node n) { none() }
-
-class LambdaCallKind = Unit;
-
-/** Holds if `creation` is an expression that creates a lambda of kind `kind` for `c`. */
-predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c) { none() }
-
-/** Holds if `call` is a lambda call of kind `kind` where `receiver` is the lambda expression. */
-predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) { none() }
-
-/** Extra data-flow steps needed for lambda flow analysis. */
-predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) { none() }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll

@@ -1,841 +0,0 @@
-/**
- * Provides C++-specific definitions for use in the data flow library.
- */
-
-private import cpp
-private import semmle.code.cpp.dataflow.internal.FlowVar
-private import semmle.code.cpp.models.interfaces.DataFlow
-private import semmle.code.cpp.controlflow.Guards
-private import semmle.code.cpp.dataflow.internal.AddressFlow
-
-cached
-private newtype TNode =
-  TExprNode(Expr e) or
-  TPartialDefinitionNode(PartialDefinition pd) or
-  TPreObjectInitializerNode(Expr e) {
-    e instanceof ConstructorCall
-    or
-    e instanceof ClassAggregateLiteral
-  } or
-  TExplicitParameterNode(Parameter p) { exists(p.getFunction().getBlock()) } or
-  TInstanceParameterNode(MemberFunction f) { exists(f.getBlock()) and not f.isStatic() } or
-  TPreConstructorInitThis(ConstructorFieldInit cfi) or
-  TPostConstructorInitThis(ConstructorFieldInit cfi) or
-  TInnerPartialDefinitionNode(Expr e) {
-    exists(PartialDefinition def, Expr outer |
-      def.definesExpressions(e, outer) and
-      // This condition ensures that we don't get two post-update nodes sharing
-      // the same pre-update node.
-      e != outer
-    )
-  } or
-  TUninitializedNode(LocalVariable v) { not v.hasInitializer() } or
-  TRefParameterFinalValueNode(Parameter p) { exists(FlowVar var | var.reachesRefParameter(p)) }
-
-/**
- * A node in a data flow graph.
- *
- * A node can be either an expression, a parameter, or an uninitialized local
- * variable. Such nodes are created with `DataFlow::exprNode`,
- * `DataFlow::parameterNode`, and `DataFlow::uninitializedNode` respectively.
- */
-class Node extends TNode {
-  /** Gets the function to which this node belongs. */
-  Function getFunction() { none() } // overridden in subclasses
-
-  /**
-   * INTERNAL: Do not use. Alternative name for `getFunction`.
-   */
-  final Function getEnclosingCallable() { result = this.getFunction() }
-
-  /** Gets the type of this node. */
-  Type getType() { none() } // overridden in subclasses
-
-  /**
-   * Gets the expression corresponding to this node, if any. This predicate
-   * only has a result on nodes that represent the value of evaluating the
-   * expression. For data flowing _out of_ an expression, like when an
-   * argument is passed by reference, use `asDefiningArgument` instead of
-   * `asExpr`.
-   */
-  Expr asExpr() { result = this.(ExprNode).getExpr() }
-
-  /** Gets the parameter corresponding to this node, if any. */
-  Parameter asParameter() { result = this.(ExplicitParameterNode).getParameter() }
-
-  /**
-   * Gets the argument that defines this `DefinitionByReferenceNode`, if any.
-   * This predicate should be used instead of `asExpr` when referring to the
-   * value of a reference argument _after_ the call has returned. For example,
-   * in `f(&x)`, this predicate will have `&x` as its result for the `Node`
-   * that represents the new value of `x`.
-   */
-  Expr asDefiningArgument() { result = this.(DefinitionByReferenceNode).getArgument() }
-
-  /**
-   * Gets the expression that is partially defined by this node, if any.
-   *
-   * Partial definitions are created for field stores (`x.y = taint();` is a partial
-   * definition of `x`), and for calls that may change the value of an object (so
-   * `x.set(taint())` is a partial definition of `x`, and `transfer(&x, taint())` is
-   * a partial definition of `&x`).
-   */
-  Expr asPartialDefinition() {
-    this.(PartialDefinitionNode).getPartialDefinition().definesExpressions(_, result)
-  }
-
-  /**
-   * Gets the uninitialized local variable corresponding to this node, if
-   * any.
-   */
-  LocalVariable asUninitialized() { result = this.(UninitializedNode).getLocalVariable() }
-
-  /** Gets a textual representation of this element. */
-  string toString() { none() } // overridden by subclasses
-
-  /** Gets the location of this element. */
-  Location getLocation() { none() } // overridden by subclasses
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
-   */
-  predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-  }
-
-  /**
-   * Gets an upper bound on the type of this node.
-   */
-  Type getTypeBound() { result = getType() }
-}
-
-/**
- * An expression, viewed as a node in a data flow graph.
- */
-class ExprNode extends Node, TExprNode {
-  Expr expr;
-
-  ExprNode() { this = TExprNode(expr) }
-
-  override Function getFunction() { result = expr.getEnclosingFunction() }
-
-  override Type getType() { result = expr.getType() }
-
-  override string toString() { result = expr.toString() }
-
-  override Location getLocation() { result = expr.getLocation() }
-
-  /** Gets the expression corresponding to this node. */
-  Expr getExpr() { result = expr }
-}
-
-abstract class ParameterNode extends Node, TNode {
-  /**
-   * Holds if this node is the parameter of `c` at the specified (zero-based)
-   * position. The implicit `this` parameter is considered to have index `-1`.
-   */
-  abstract predicate isParameterOf(Function f, int i);
-}
-
-/**
- * The value of a parameter at function entry, viewed as a node in a data
- * flow graph.
- */
-class ExplicitParameterNode extends ParameterNode, TExplicitParameterNode {
-  Parameter param;
-
-  ExplicitParameterNode() { this = TExplicitParameterNode(param) }
-
-  override Function getFunction() { result = param.getFunction() }
-
-  override Type getType() { result = param.getType() }
-
-  override string toString() { result = param.toString() }
-
-  override Location getLocation() { result = param.getLocation() }
-
-  /** Gets the parameter corresponding to this node. */
-  Parameter getParameter() { result = param }
-
-  override predicate isParameterOf(Function f, int i) { f.getParameter(i) = param }
-}
-
-class ImplicitParameterNode extends ParameterNode, TInstanceParameterNode {
-  MemberFunction f;
-
-  ImplicitParameterNode() { this = TInstanceParameterNode(f) }
-
-  override Function getFunction() { result = f }
-
-  override Type getType() { result = f.getDeclaringType() }
-
-  override string toString() { result = "this" }
-
-  override Location getLocation() { result = f.getLocation() }
-
-  override predicate isParameterOf(Function fun, int i) { f = fun and i = -1 }
-}
-
-/**
- * INTERNAL: do not use.
- *
- * A node that represents the value of a variable after a function call that
- * may have changed the variable because it's passed by reference or because an
- * iterator for it was passed by value or by reference.
- */
-class DefinitionByReferenceOrIteratorNode extends PartialDefinitionNode {
-  Expr inner;
-  Expr argument;
-
-  DefinitionByReferenceOrIteratorNode() {
-    this.getPartialDefinition().definesExpressions(inner, argument) and
-    (
-      this.getPartialDefinition() instanceof DefinitionByReference
-      or
-      this.getPartialDefinition() instanceof DefinitionByIterator
-    )
-  }
-
-  override Function getFunction() { result = inner.getEnclosingFunction() }
-
-  override Type getType() { result = inner.getType() }
-
-  override Location getLocation() { result = argument.getLocation() }
-
-  override ExprNode getPreUpdateNode() { result.getExpr() = argument }
-
-  /** Gets the argument corresponding to this node. */
-  Expr getArgument() { result = argument }
-
-  /** Gets the parameter through which this value is assigned. */
-  Parameter getParameter() {
-    exists(FunctionCall call, int i |
-      argument = call.getArgument(i) and
-      result = call.getTarget().getParameter(i)
-    )
-  }
-}
-
-/**
- * A node that represents the value of a variable after a function call that
- * may have changed the variable because it's passed by reference.
- *
- * A typical example would be a call `f(&x)`. Firstly, there will be flow into
- * `x` from previous definitions of `x`. Secondly, there will be a
- * `DefinitionByReferenceNode` to represent the value of `x` after the call has
- * returned. This node will have its `getArgument()` equal to `&x`.
- */
-class DefinitionByReferenceNode extends DefinitionByReferenceOrIteratorNode {
-  override VariablePartialDefinition pd;
-
-  override string toString() { result = "ref arg " + argument.toString() }
-}
-
-/**
- * The value of an uninitialized local variable, viewed as a node in a data
- * flow graph.
- */
-class UninitializedNode extends Node, TUninitializedNode {
-  LocalVariable v;
-
-  UninitializedNode() { this = TUninitializedNode(v) }
-
-  override Function getFunction() { result = v.getFunction() }
-
-  override Type getType() { result = v.getType() }
-
-  override string toString() { result = v.toString() }
-
-  override Location getLocation() { result = v.getLocation() }
-
-  /** Gets the uninitialized local variable corresponding to this node. */
-  LocalVariable getLocalVariable() { result = v }
-}
-
-/** INTERNAL: do not use. The final value of a non-const ref parameter. */
-class RefParameterFinalValueNode extends Node, TRefParameterFinalValueNode {
-  Parameter p;
-
-  RefParameterFinalValueNode() { this = TRefParameterFinalValueNode(p) }
-
-  override Function getFunction() { result = p.getFunction() }
-
-  override Type getType() { result = p.getType() }
-
-  override string toString() { result = p.toString() }
-
-  override Location getLocation() { result = p.getLocation() }
-
-  Parameter getParameter() { result = p }
-}
-
-/**
- * A node associated with an object after an operation that might have
- * changed its state.
- *
- * This can be either the argument to a callable after the callable returns
- * (which might have mutated the argument), or the qualifier of a field after
- * an update to the field.
- *
- * Nodes corresponding to AST elements, for example `ExprNode`, usually refer
- * to the value before the update with the exception of `ClassInstanceExpr`,
- * which represents the value after the constructor has run.
- */
-abstract class PostUpdateNode extends Node {
-  /**
-   * Gets the node before the state update.
-   */
-  abstract Node getPreUpdateNode();
-
-  override Function getFunction() { result = getPreUpdateNode().getFunction() }
-
-  override Type getType() { result = getPreUpdateNode().getType() }
-
-  override Location getLocation() { result = getPreUpdateNode().getLocation() }
-}
-
-abstract private class PartialDefinitionNode extends PostUpdateNode, TPartialDefinitionNode {
-  PartialDefinition pd;
-
-  PartialDefinitionNode() { this = TPartialDefinitionNode(pd) }
-
-  override Location getLocation() { result = pd.getActualLocation() }
-
-  PartialDefinition getPartialDefinition() { result = pd }
-
-  override string toString() { result = getPreUpdateNode().toString() + " [post update]" }
-}
-
-private class VariablePartialDefinitionNode extends PartialDefinitionNode {
-  override VariablePartialDefinition pd;
-
-  override Node getPreUpdateNode() { pd.definesExpressions(_, result.asExpr()) }
-}
-
-/**
- * INTERNAL: do not use.
- *
- * A synthetic data flow node used for flow into a collection when an iterator
- * write occurs in a callee.
- */
-private class IteratorPartialDefinitionNode extends PartialDefinitionNode {
-  override IteratorPartialDefinition pd;
-
-  override Node getPreUpdateNode() { pd.definesExpressions(_, result.asExpr()) }
-}
-
-/**
- * A post-update node on the `e->f` in `f(&e->f)` (and other forms).
- */
-private class InnerPartialDefinitionNode extends TInnerPartialDefinitionNode, PostUpdateNode {
-  Expr e;
-
-  InnerPartialDefinitionNode() { this = TInnerPartialDefinitionNode(e) }
-
-  override ExprNode getPreUpdateNode() { result.getExpr() = e }
-
-  override Function getFunction() { result = e.getEnclosingFunction() }
-
-  override Type getType() { result = e.getType() }
-
-  override string toString() { result = e.toString() + " [inner post update]" }
-
-  override Location getLocation() { result = e.getLocation() }
-}
-
-/**
- * A node representing the temporary value of an object that was just
- * constructed by a constructor call or an aggregate initializer. This is only
- * for objects, not for pointers to objects.
- *
- * These expressions are their own post-update nodes but instead have synthetic
- * pre-update nodes.
- */
-private class ObjectInitializerNode extends PostUpdateNode, TExprNode {
-  PreObjectInitializerNode pre;
-
-  ObjectInitializerNode() {
-    // If a `Node` is associated with a `PreObjectInitializerNode`, then it's
-    // an `ObjectInitializerNode`.
-    pre.getExpr() = this.asExpr()
-  }
-
-  override PreObjectInitializerNode getPreUpdateNode() { result = pre }
-  // No override of `toString` since these nodes already have a `toString` from
-  // their overlap with `ExprNode`.
-}
-
-/**
- * INTERNAL: do not use.
- *
- * A synthetic data-flow node that plays the role of a temporary object that
- * has not yet been initialized.
- */
-class PreObjectInitializerNode extends Node, TPreObjectInitializerNode {
-  Expr getExpr() { this = TPreObjectInitializerNode(result) }
-
-  override Function getFunction() { result = getExpr().getEnclosingFunction() }
-
-  override Type getType() { result = getExpr().getType() }
-
-  override Location getLocation() { result = getExpr().getLocation() }
-
-  override string toString() { result = getExpr().toString() + " [pre init]" }
-}
-
-/**
- * A synthetic data-flow node that plays the role of the post-update `this`
- * pointer in a `ConstructorFieldInit`. For example, the `x(1)` in
- * `C() : x(1) { }` is roughly equivalent to `this.x = 1`, and this node is
- * equivalent to the `this` _after_ the field has been assigned.
- */
-private class PostConstructorInitThis extends PostUpdateNode, TPostConstructorInitThis {
-  override PreConstructorInitThis getPreUpdateNode() {
-    this = TPostConstructorInitThis(result.getConstructorFieldInit())
-  }
-
-  override string toString() {
-    result = getPreUpdateNode().getConstructorFieldInit().toString() + " [post-this]"
-  }
-}
-
-/**
- * INTERNAL: do not use.
- *
- * A synthetic data-flow node that plays the role of the pre-update `this`
- * pointer in a `ConstructorFieldInit`. For example, the `x(1)` in
- * `C() : x(1) { }` is roughly equivalent to `this.x = 1`, and this node is
- * equivalent to the `this` _before_ the field has been assigned.
- */
-class PreConstructorInitThis extends Node, TPreConstructorInitThis {
-  ConstructorFieldInit getConstructorFieldInit() { this = TPreConstructorInitThis(result) }
-
-  override Constructor getFunction() { result = getConstructorFieldInit().getEnclosingFunction() }
-
-  override PointerType getType() {
-    result.getBaseType() = getConstructorFieldInit().getEnclosingFunction().getDeclaringType()
-  }
-
-  override Location getLocation() { result = getConstructorFieldInit().getLocation() }
-
-  override string toString() { result = getConstructorFieldInit().toString() + " [pre-this]" }
-}
-
-/**
- * Gets the `Node` corresponding to the value of evaluating `e`. For data
- * flowing _out of_ an expression, like when an argument is passed by
- * reference, use `definitionByReferenceNodeFromArgument` instead.
- */
-ExprNode exprNode(Expr e) { result.getExpr() = e }
-
-/**
- * Gets the `Node` corresponding to the value of `p` at function entry.
- */
-ParameterNode parameterNode(Parameter p) { result.(ExplicitParameterNode).getParameter() = p }
-
-/**
- * Gets the `Node` corresponding to a definition by reference of the variable
- * that is passed as `argument` of a call.
- */
-DefinitionByReferenceNode definitionByReferenceNodeFromArgument(Expr argument) {
-  result.getArgument() = argument
-}
-
-/**
- * Gets the `Node` corresponding to the value of an uninitialized local
- * variable `v`.
- */
-UninitializedNode uninitializedNode(LocalVariable v) { result.getLocalVariable() = v }
-
-private module ThisFlow {
-  /**
-   * Gets the 0-based index of `thisNode` in `b`, where `thisNode` is an access
-   * to `this` that may or may not have an associated `PostUpdateNode`. To make
-   * room for synthetic nodes that access `this`, the index may not correspond
-   * to an actual `ControlFlowNode`.
-   */
-  private int basicBlockThisIndex(BasicBlock b, Node thisNode) {
-    // The implicit `this` parameter node is given a very negative offset to
-    // make space for any `ConstructorFieldInit`s there may be between it and
-    // the block contents.
-    thisNode.(ImplicitParameterNode).getFunction().getBlock() = b and
-    result = -2147483648
-    or
-    // Place the synthetic `this` node for a `ConstructorFieldInit` at a
-    // negative offset in the first basic block, between the
-    // `ImplicitParameterNode` and the first statement.
-    exists(Constructor constructor, int i |
-      thisNode.(PreConstructorInitThis).getConstructorFieldInit() = constructor.getInitializer(i) and
-      result = -2147483648 + 1 + i and
-      b = thisNode.getFunction().getBlock()
-    )
-    or
-    b.getNode(result) = thisNode.asExpr().(ThisExpr)
-  }
-
-  private int thisRank(BasicBlock b, Node thisNode) {
-    thisNode = rank[result](Node n, int i | i = basicBlockThisIndex(b, n) | n order by i)
-  }
-
-  private int lastThisRank(BasicBlock b) { result = max(thisRank(b, _)) }
-
-  private predicate thisAccessBlockReaches(BasicBlock b1, BasicBlock b2) {
-    exists(basicBlockThisIndex(b1, _)) and b2 = b1.getASuccessor()
-    or
-    exists(BasicBlock mid |
-      thisAccessBlockReaches(b1, mid) and
-      b2 = mid.getASuccessor() and
-      not exists(basicBlockThisIndex(mid, _))
-    )
-  }
-
-  predicate adjacentThisRefs(Node n1, Node n2) {
-    exists(BasicBlock b | thisRank(b, n1) + 1 = thisRank(b, n2))
-    or
-    exists(BasicBlock b1, BasicBlock b2 |
-      lastThisRank(b1) = thisRank(b1, n1) and
-      thisAccessBlockReaches(b1, b2) and
-      thisRank(b2, n2) = 1
-    )
-  }
-}
-
-/**
- * Holds if data flows from `nodeFrom` to `nodeTo` in exactly one local
- * (intra-procedural) step.
- */
-cached
-predicate localFlowStep(Node nodeFrom, Node nodeTo) {
-  simpleLocalFlowStep(nodeFrom, nodeTo)
-  or
-  // Field flow is not strictly a "step" but covers the whole function
-  // transitively. There's no way to get a step-like relation out of the global
-  // data flow library, so we just have to accept some big steps here.
-  FieldFlow::fieldFlow(nodeFrom, nodeTo)
-}
-
-/**
- * INTERNAL: do not use.
- *
- * This is the local flow predicate that's used as a building block in global
- * data flow. It may have less flow than the `localFlowStep` predicate.
- */
-predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
-  // Expr -> Expr
-  exprToExprStep_nocfg(nodeFrom.asExpr(), nodeTo.asExpr())
-  or
-  // Assignment -> LValue post-update node
-  //
-  // This is used for assignments whose left-hand side is not a variable
-  // assignment or a storeStep but is still modeled by other means. It could be
-  // a call to `operator*` or `operator[]` where taint should flow to the
-  // post-update node of the qualifier.
-  exists(AssignExpr assign |
-    nodeFrom.asExpr() = assign and
-    nodeTo.(PostUpdateNode).getPreUpdateNode().asExpr() = assign.getLValue()
-  )
-  or
-  // Node -> FlowVar -> VariableAccess
-  exists(FlowVar var |
-    (
-      exprToVarStep(nodeFrom.asExpr(), var)
-      or
-      varSourceBaseCase(var, nodeFrom.asParameter())
-      or
-      varSourceBaseCase(var, nodeFrom.asUninitialized())
-      or
-      var.definedPartiallyAt(nodeFrom.asPartialDefinition())
-    ) and
-    varToNodeStep(var, nodeTo)
-  )
-  or
-  // Expr -> DefinitionByReferenceNode
-  exprToDefinitionByReferenceStep(nodeFrom.asExpr(), nodeTo.asDefiningArgument())
-  or
-  // `this` -> adjacent-`this`
-  ThisFlow::adjacentThisRefs(nodeFrom, nodeTo)
-  or
-  // post-update-`this` -> following-`this`-ref
-  ThisFlow::adjacentThisRefs(nodeFrom.(PostUpdateNode).getPreUpdateNode(), nodeTo)
-  or
-  // In `f(&x->a)`, this step provides the flow from post-`&` to post-`x->a`,
-  // from which there is field flow to `x` via reverse read.
-  exists(PartialDefinition def, Expr inner, Expr outer |
-    def.definesExpressions(inner, outer) and
-    inner = nodeTo.(InnerPartialDefinitionNode).getPreUpdateNode().asExpr() and
-    outer = nodeFrom.(PartialDefinitionNode).getPreUpdateNode().asExpr()
-  )
-  or
-  // Reverse flow: data that flows from the post-update node of a reference
-  // returned by a function call, back into the qualifier of that function.
-  // This allows data to flow 'in' through references returned by a modeled
-  // function such as `operator[]`.
-  exists(DataFlowFunction f, Call call, FunctionInput inModel, FunctionOutput outModel |
-    call.getTarget() = f and
-    inModel.isReturnValueDeref() and
-    outModel.isQualifierObject() and
-    f.hasDataFlow(inModel, outModel) and
-    nodeFrom.(PostUpdateNode).getPreUpdateNode().asExpr() = call and
-    nodeTo.asDefiningArgument() = call.getQualifier()
-  )
-}
-
-/**
- * Holds if data flows from `source` to `sink` in zero or more local
- * (intra-procedural) steps.
- */
-predicate localFlow(Node source, Node sink) { localFlowStep*(source, sink) }
-
-/**
- * Holds if data can flow from `e1` to `e2` in zero or more
- * local (intra-procedural) steps.
- */
-predicate localExprFlow(Expr e1, Expr e2) { localFlow(exprNode(e1), exprNode(e2)) }
-
-/**
- * Holds if the initial value of `v`, if it is a source, flows to `var`.
- */
-private predicate varSourceBaseCase(FlowVar var, Variable v) { var.definedByInitialValue(v) }
-
-/**
- * Holds if `var` is defined by an assignment-like operation that causes flow
- * directly from `assignedExpr` to `var`, _and_ `assignedExpr` evaluates to
- * the same value as what is assigned to `var`.
- */
-private predicate exprToVarStep(Expr assignedExpr, FlowVar var) {
-  exists(ControlFlowNode operation |
-    var.definedByExpr(assignedExpr, operation) and
-    not operation instanceof PostfixCrementOperation
-  )
-}
-
-/**
- * Holds if the node `n` is an access of the variable `var`.
- */
-private predicate varToNodeStep(FlowVar var, Node n) {
-  n.asExpr() = var.getAnAccess()
-  or
-  var.reachesRefParameter(n.(RefParameterFinalValueNode).getParameter())
-}
-
-/**
- * Holds if data flows from `fromExpr` to `toExpr` directly, in the case
- * where `toExpr` is the immediate AST parent of `fromExpr`. For example,
- * data flows from `x` and `y` to `b ? x : y`.
- */
-private predicate exprToExprStep_nocfg(Expr fromExpr, Expr toExpr) {
-  toExpr = any(ConditionalExpr cond | fromExpr = cond.getThen() or fromExpr = cond.getElse())
-  or
-  toExpr = any(AssignExpr assign | fromExpr = assign.getRValue())
-  or
-  toExpr = any(CommaExpr comma | fromExpr = comma.getRightOperand())
-  or
-  toExpr = any(PostfixCrementOperation op | fromExpr = op.getOperand())
-  or
-  toExpr = any(StmtExpr stmtExpr | fromExpr = stmtExpr.getResultExpr())
-  or
-  toExpr.(AddressOfExpr).getOperand() = fromExpr
-  or
-  // This rule enables flow from an array to its elements. Example: `a` to
-  // `a[i]` or `*a`, where `a` is an array type. It does not enable flow from a
-  // pointer to its indirection as in `p[i]` where `p` is a pointer type.
-  exists(Expr toConverted |
-    variablePartiallyAccessed(fromExpr, toConverted) and
-    toExpr = toConverted.getUnconverted() and
-    not toExpr = fromExpr
-  )
-  or
-  toExpr.(BuiltInOperationBuiltInAddressOf).getOperand() = fromExpr
-  or
-  // The following case is needed to track the qualifier object for flow
-  // through fields. It gives flow from `T(x)` to `new T(x)`. That's not
-  // strictly _data_ flow but _taint_ flow because the type of `fromExpr` is
-  // `T` while the type of `toExpr` is `T*`.
-  //
-  // This discrepancy is an artifact of how `new`-expressions are represented
-  // in the database in a way that slightly varies from what the standard
-  // specifies. In the C++ standard, there is no constructor call expression
-  // `T(x)` after `new`. Instead there is a type `T` and an optional
-  // initializer `(x)`.
-  toExpr.(NewExpr).getInitializer() = fromExpr
-  or
-  // A lambda expression (`[captures](params){body}`) is just a thin wrapper
-  // around the desugared closure creation in the form of a
-  // `ClassAggregateLiteral` (`{ capture1, ..., captureN }`).
-  toExpr.(LambdaExpression).getInitializer() = fromExpr
-  or
-  // Data flow through a function model.
-  toExpr =
-    any(Call call |
-      exists(DataFlowFunction f, FunctionInput inModel, FunctionOutput outModel |
-        f.hasDataFlow(inModel, outModel) and
-        (
-          exists(int iIn |
-            inModel.isParameterDeref(iIn) and
-            call.passesByReference(iIn, fromExpr)
-          )
-          or
-          exists(int iIn |
-            inModel.isParameter(iIn) and
-            fromExpr = call.getArgument(iIn)
-          )
-          or
-          inModel.isQualifierObject() and
-          fromExpr = call.getQualifier()
-          or
-          inModel.isQualifierAddress() and
-          fromExpr = call.getQualifier()
-        ) and
-        call.getTarget() = f and
-        // AST dataflow treats a reference as if it were the referred-to object, while the dataflow
-        // models treat references as pointers. If the return type of the call is a reference, then
-        // look for data flow the the referred-to object, rather than the reference itself.
-        if call.getType().getUnspecifiedType() instanceof ReferenceType
-        then outModel.isReturnValueDeref()
-        else outModel.isReturnValue()
-      )
-    )
-}
-
-private predicate exprToDefinitionByReferenceStep(Expr exprIn, Expr argOut) {
-  exists(DataFlowFunction f, Call call, FunctionOutput outModel, int argOutIndex |
-    call.getTarget() = f and
-    argOut = call.getArgument(argOutIndex) and
-    outModel.isParameterDeref(argOutIndex) and
-    exists(int argInIndex, FunctionInput inModel | f.hasDataFlow(inModel, outModel) |
-      inModel.isParameterDeref(argInIndex) and
-      call.passesByReference(argInIndex, exprIn)
-      or
-      inModel.isParameter(argInIndex) and
-      exprIn = call.getArgument(argInIndex)
-    )
-  )
-}
-
-private module FieldFlow {
-  private import DataFlowImplCommon
-  private import DataFlowImplLocal
-  private import DataFlowPrivate
-
-  /**
-   * A configuration for finding local-only flow through fields. This uses the
-   * `Configuration` class in the dedicated `DataFlowImplLocal` copy of the
-   * shared library that's not user-exposed directly.
-   *
-   * To keep the flow local to a single function, we put barriers on parameters
-   * and return statements. Sources and sinks are the values that go into and
-   * out of fields, respectively.
-   */
-  private class FieldConfiguration extends Configuration {
-    FieldConfiguration() { this = "FieldConfiguration" }
-
-    override predicate isSource(Node source) {
-      storeStep(source, _, _)
-      or
-      // Also mark `foo(a.b);` as a source when `a.b` may be overwritten by `foo`.
-      readStep(_, _, any(Node node | node.asExpr() = source.asDefiningArgument()))
-    }
-
-    override predicate isSink(Node sink) { readStep(_, _, sink) }
-
-    override predicate isBarrier(Node node) { node instanceof ParameterNode }
-
-    override predicate isBarrierOut(Node node) {
-      node.asExpr().getParent() instanceof ReturnStmt
-      or
-      node.asExpr().getParent() instanceof ThrowExpr
-    }
-  }
-
-  predicate fieldFlow(Node node1, Node node2) {
-    exists(FieldConfiguration cfg | cfg.hasFlow(node1, node2)) and
-    // This configuration should not be able to cross function boundaries, but
-    // we double-check here just to be sure.
-    getNodeEnclosingCallable(node1) = getNodeEnclosingCallable(node2)
-  }
-}
-
-VariableAccess getAnAccessToAssignedVariable(Expr assign) {
-  (
-    assign instanceof Assignment
-    or
-    assign instanceof CrementOperation
-  ) and
-  exists(FlowVar var |
-    var.definedByExpr(_, assign) and
-    result = var.getAnAccess()
-  )
-}
-
-private newtype TContent =
-  TFieldContent(Field f) or
-  TCollectionContent() or
-  TArrayContent()
-
-/**
- * A description of the way data may be stored inside an object. Examples
- * include instance fields, the contents of a collection object, or the contents
- * of an array.
- */
-class Content extends TContent {
-  /** Gets a textual representation of this element. */
-  abstract string toString();
-
-  predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
-    path = "" and sl = 0 and sc = 0 and el = 0 and ec = 0
-  }
-}
-
-/** A reference through an instance field. */
-class FieldContent extends Content, TFieldContent {
-  Field f;
-
-  FieldContent() { this = TFieldContent(f) }
-
-  Field getField() { result = f }
-
-  override string toString() { result = f.toString() }
-
-  override predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
-    f.getLocation().hasLocationInfo(path, sl, sc, el, ec)
-  }
-}
-
-/** A reference through an array. */
-private class ArrayContent extends Content, TArrayContent {
-  override string toString() { result = "[]" }
-}
-
-/** A reference through the contents of some collection-like container. */
-private class CollectionContent extends Content, TCollectionContent {
-  override string toString() { result = "<element>" }
-}
-
-/**
- * A guard that validates some expression.
- *
- * To use this in a configuration, extend the class and provide a
- * characteristic predicate precisely specifying the guard, and override
- * `checks` to specify what is being validated and in which branch.
- *
- * It is important that all extending classes in scope are disjoint.
- */
-class BarrierGuard extends GuardCondition {
-  /** Override this predicate to hold if this guard validates `e` upon evaluating to `b`. */
-  abstract predicate checks(Expr e, boolean b);
-
-  /** Gets a node guarded by this guard. */
-  final ExprNode getAGuardedNode() {
-    exists(SsaDefinition def, Variable v, boolean branch |
-      result.getExpr() = def.getAUse(v) and
-      this.checks(def.getAUse(v), branch) and
-      this.controls(result.getExpr().getBasicBlock(), branch)
-    )
-  }
-}

cpp/ql/lib/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll

@@ -1,279 +0,0 @@
-/**
- * Provides classes for performing local (intra-procedural) and
- * global (inter-procedural) taint-tracking analyses.
- *
- * We define _taint propagation_ informally to mean that a substantial part of
- * the information from the source is preserved at the sink. For example, taint
- * propagates from `x` to `x + 100`, but it does not propagate from `x` to `x >
- * 100` since we consider a single bit of information to be too little.
- */
-
-private import semmle.code.cpp.models.interfaces.DataFlow
-private import semmle.code.cpp.models.interfaces.Taint
-private import semmle.code.cpp.models.interfaces.Iterator
-private import semmle.code.cpp.models.interfaces.PointerWrapper
-
-private module DataFlow {
-  import semmle.code.cpp.dataflow.internal.DataFlowUtil
-}
-
-/**
- * Holds if taint propagates from `nodeFrom` to `nodeTo` in exactly one local
- * (intra-procedural) step.
- */
-predicate localTaintStep(DataFlow::Node src, DataFlow::Node sink) {
-  DataFlow::localFlowStep(src, sink) or
-  localAdditionalTaintStep(src, sink)
-}
-
-/**
- * Holds if the additional step from `src` to `sink` should be included in all
- * global taint flow configurations.
- */
-predicate defaultAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
-  localAdditionalTaintStep(src, sink)
-}
-
-/**
- * Holds if default `TaintTracking::Configuration`s should allow implicit reads
- * of `c` at sinks and inputs to additional taint steps.
- */
-bindingset[node]
-predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::Content c) { none() }
-
-/**
- * Holds if `node` should be a sanitizer in all global taint flow configurations
- * but not in local taint.
- */
-predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
-
-/**
- * Holds if taint can flow in one local step from `nodeFrom` to `nodeTo` excluding
- * local data flow steps. That is, `nodeFrom` and `nodeTo` are likely to represent
- * different objects.
- */
-cached
-predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-  // Taint can flow through expressions that alter the value but preserve
-  // more than one bit of it _or_ expressions that follow data through
-  // pointer indirections.
-  exists(Expr exprFrom, Expr exprTo |
-    exprFrom = nodeFrom.asExpr() and
-    exprTo = nodeTo.asExpr()
-  |
-    exprFrom = exprTo.getAChild() and
-    not noParentExprFlow(exprFrom, exprTo) and
-    not noFlowFromChildExpr(exprTo)
-    or
-    // Taint can flow from the `x` variable in `x++` to all subsequent
-    // accesses to the unmodified `x` variable.
-    //
-    // `DataFlow` without taint specifies flow from `++x` and `x += 1` into the
-    // variable `x` and thus into subsequent accesses because those expressions
-    // compute the same value as `x`. This is not the case for `x++`, which
-    // computes a different value, so we have to add that ourselves for taint
-    // tracking. The flow from expression `x` into `x++` etc. is handled in the
-    // case above.
-    exprTo = DataFlow::getAnAccessToAssignedVariable(exprFrom.(PostfixCrementOperation))
-    or
-    // In `for (char c : s) { ... c ... }`, this rule propagates taint from `s`
-    // to `c`.
-    exists(RangeBasedForStmt rbf |
-      exprFrom = rbf.getRange() and
-      // It's guaranteed up to at least C++20 that the range-based for loop
-      // desugars to a variable with an initializer.
-      exprTo = rbf.getVariable().getInitializer().getExpr()
-    )
-  )
-  or
-  // Taint can flow through modeled functions
-  exprToExprStep(nodeFrom.asExpr(), nodeTo.asExpr())
-  or
-  exprToDefinitionByReferenceStep(nodeFrom.asExpr(), nodeTo.asDefiningArgument())
-  or
-  exprToPartialDefinitionStep(nodeFrom.asExpr(), nodeTo.asPartialDefinition())
-  or
-  // Reverse taint: taint that flows from the post-update node of a reference
-  // returned by a function call, back into the qualifier of that function.
-  // This allows taint to flow 'in' through references returned by a modeled
-  // function such as `operator[]`.
-  exists(TaintFunction f, Call call, FunctionInput inModel, FunctionOutput outModel |
-    call.getTarget() = f and
-    inModel.isReturnValueDeref() and
-    nodeFrom.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() = call and
-    f.hasTaintFlow(inModel, outModel) and
-    (
-      outModel.isQualifierObject() and
-      nodeTo.asDefiningArgument() = call.getQualifier()
-      or
-      exists(int argOutIndex |
-        outModel.isParameterDeref(argOutIndex) and
-        nodeTo.asDefiningArgument() = call.getArgument(argOutIndex)
-      )
-    )
-  )
-}
-
-/**
- * Holds if taint may propagate from `source` to `sink` in zero or more local
- * (intra-procedural) steps.
- */
-predicate localTaint(DataFlow::Node source, DataFlow::Node sink) { localTaintStep*(source, sink) }
-
-/**
- * Holds if taint can flow from `e1` to `e2` in zero or more
- * local (intra-procedural) steps.
- */
-predicate localExprTaint(Expr e1, Expr e2) {
-  localTaint(DataFlow::exprNode(e1), DataFlow::exprNode(e2))
-}
-
-/**
- * Holds if we do not propagate taint from `fromExpr` to `toExpr`
- * even though `toExpr` is the AST parent of `fromExpr`.
- */
-private predicate noParentExprFlow(Expr fromExpr, Expr toExpr) {
-  fromExpr = toExpr.(ConditionalExpr).getCondition()
-  or
-  fromExpr = toExpr.(CommaExpr).getLeftOperand()
-  or
-  fromExpr = toExpr.(AssignExpr).getLValue() // LHS of `=`
-}
-
-/**
- * Holds if we do not propagate taint from a child of `e` to `e` itself.
- */
-private predicate noFlowFromChildExpr(Expr e) {
-  e instanceof ComparisonOperation
-  or
-  e instanceof LogicalAndExpr
-  or
-  e instanceof LogicalOrExpr
-  or
-  // Allow taint from `operator*` on smart pointers.
-  exists(Call call | e = call |
-    not call.getTarget() = any(PointerWrapper wrapper).getAnUnwrapperFunction()
-  )
-  or
-  e instanceof SizeofOperator
-  or
-  e instanceof AlignofOperator
-  or
-  e instanceof ClassAggregateLiteral
-  or
-  e instanceof FieldAccess
-}
-
-private predicate exprToExprStep(Expr exprIn, Expr exprOut) {
-  exists(DataFlowFunction f, Call call, FunctionOutput outModel |
-    call.getTarget() = f and
-    exprOut = call and
-    outModel.isReturnValueDeref() and
-    exists(int argInIndex, FunctionInput inModel | f.hasDataFlow(inModel, outModel) |
-      // Taint flows from a pointer to a dereference, which DataFlow does not handle
-      // dest_ptr = strdup(tainted_ptr)
-      inModel.isParameterDeref(argInIndex) and
-      exprIn = call.getArgument(argInIndex)
-      or
-      inModel.isParameter(argInIndex) and
-      exprIn = call.getArgument(argInIndex)
-    )
-  )
-  or
-  exists(TaintFunction f, Call call, FunctionInput inModel, FunctionOutput outModel |
-    call.getTarget() = f and
-    (
-      exprOut = call and
-      outModel.isReturnValueDeref()
-      or
-      exprOut = call and
-      outModel.isReturnValue()
-    ) and
-    f.hasTaintFlow(inModel, outModel) and
-    (
-      exists(int argInIndex |
-        inModel.isParameterDeref(argInIndex) and
-        exprIn = call.getArgument(argInIndex)
-        or
-        inModel.isParameterDeref(argInIndex) and
-        call.passesByReference(argInIndex, exprIn)
-        or
-        inModel.isParameter(argInIndex) and
-        exprIn = call.getArgument(argInIndex)
-      )
-      or
-      inModel.isQualifierObject() and
-      exprIn = call.getQualifier()
-    )
-  )
-}
-
-private predicate exprToDefinitionByReferenceStep(Expr exprIn, Expr argOut) {
-  exists(DataFlowFunction f, Call call, FunctionOutput outModel, int argOutIndex |
-    call.getTarget() = f and
-    argOut = call.getArgument(argOutIndex) and
-    outModel.isParameterDeref(argOutIndex) and
-    exists(int argInIndex, FunctionInput inModel | f.hasDataFlow(inModel, outModel) |
-      // Taint flows from a pointer to a dereference, which DataFlow does not handle
-      // memcpy(&dest_var, tainted_ptr, len)
-      inModel.isParameterDeref(argInIndex) and
-      exprIn = call.getArgument(argInIndex)
-      or
-      inModel.isParameter(argInIndex) and
-      exprIn = call.getArgument(argInIndex)
-    )
-  )
-  or
-  exists(
-    TaintFunction f, Call call, FunctionInput inModel, FunctionOutput outModel, int argOutIndex
-  |
-    call.getTarget() = f and
-    argOut = call.getArgument(argOutIndex) and
-    outModel.isParameterDeref(argOutIndex) and
-    f.hasTaintFlow(inModel, outModel) and
-    (
-      exists(int argInIndex |
-        inModel.isParameterDeref(argInIndex) and
-        exprIn = call.getArgument(argInIndex)
-        or
-        inModel.isParameterDeref(argInIndex) and
-        call.passesByReference(argInIndex, exprIn)
-        or
-        inModel.isParameter(argInIndex) and
-        exprIn = call.getArgument(argInIndex)
-      )
-      or
-      inModel.isQualifierObject() and
-      exprIn = call.getQualifier()
-    )
-  )
-}
-
-private predicate exprToPartialDefinitionStep(Expr exprIn, Expr exprOut) {
-  exists(TaintFunction f, Call call, FunctionInput inModel, FunctionOutput outModel |
-    call.getTarget() = f and
-    (
-      exprOut = call.getQualifier() and
-      outModel.isQualifierObject()
-    ) and
-    f.hasTaintFlow(inModel, outModel) and
-    exists(int argInIndex |
-      inModel.isParameterDeref(argInIndex) and
-      exprIn = call.getArgument(argInIndex)
-      or
-      inModel.isParameterDeref(argInIndex) and
-      call.passesByReference(argInIndex, exprIn)
-      or
-      inModel.isParameter(argInIndex) and
-      exprIn = call.getArgument(argInIndex)
-    )
-  )
-  or
-  exists(Assignment a |
-    iteratorDereference(exprOut) and
-    a.getLValue() = exprOut and
-    a.getRValue() = exprIn
-  )
-}
-
-private predicate iteratorDereference(Call c) { c.getTarget() instanceof IteratorReferenceFunction }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll

@@ -1,120 +0,0 @@
-/**
- * Provides an implementation of global (interprocedural) taint tracking.
- * This file re-exports the local (intraprocedural) taint-tracking analysis
- * from `TaintTrackingParameter::Public` and adds a global analysis, mainly
- * exposed through the `Configuration` class. For some languages, this file
- * exists in several identical copies, allowing queries to use multiple
- * `Configuration` classes that depend on each other without introducing
- * mutual recursion among those configurations.
- */
-
-import TaintTrackingParameter::Public
-private import TaintTrackingParameter::Private
-
-/**
- * A configuration of interprocedural taint tracking analysis. This defines
- * sources, sinks, and any other configurable aspect of the analysis. Each
- * use of the taint tracking library must define its own unique extension of
- * this abstract class.
- *
- * A taint-tracking configuration is a special data flow configuration
- * (`DataFlow::Configuration`) that allows for flow through nodes that do not
- * necessarily preserve values but are still relevant from a taint tracking
- * perspective. (For example, string concatenation, where one of the operands
- * is tainted.)
- *
- * To create a configuration, extend this class with a subclass whose
- * characteristic predicate is a unique singleton string. For example, write
- *
- * ```ql
- * class MyAnalysisConfiguration extends TaintTracking::Configuration {
- *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
- *   // Override `isSource` and `isSink`.
- *   // Optionally override `isSanitizer`.
- *   // Optionally override `isSanitizerIn`.
- *   // Optionally override `isSanitizerOut`.
- *   // Optionally override `isSanitizerGuard`.
- *   // Optionally override `isAdditionalTaintStep`.
- * }
- * ```
- *
- * Then, to query whether there is flow between some `source` and `sink`,
- * write
- *
- * ```ql
- * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
- * ```
- *
- * Multiple configurations can coexist, but it is unsupported to depend on
- * another `TaintTracking::Configuration` or a `DataFlow::Configuration` in the
- * overridden predicates that define sources, sinks, or additional steps.
- * Instead, the dependency should go to a `TaintTracking2::Configuration` or a
- * `DataFlow2::Configuration`, `DataFlow3::Configuration`, etc.
- */
-abstract class Configuration extends DataFlow::Configuration {
-  bindingset[this]
-  Configuration() { any() }
-
-  /**
-   * Holds if `source` is a relevant taint source.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSource(DataFlow::Node source);
-
-  /**
-   * Holds if `sink` is a relevant taint sink.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSink(DataFlow::Node sink);
-
-  /** Holds if the node `node` is a taint sanitizer. */
-  predicate isSanitizer(DataFlow::Node node) { none() }
-
-  final override predicate isBarrier(DataFlow::Node node) {
-    isSanitizer(node) or
-    defaultTaintSanitizer(node)
-  }
-
-  /** Holds if taint propagation into `node` is prohibited. */
-  predicate isSanitizerIn(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node) { isSanitizerIn(node) }
-
-  /** Holds if taint propagation out of `node` is prohibited. */
-  predicate isSanitizerOut(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node) { isSanitizerOut(node) }
-
-  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
-  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
-
-  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) { isSanitizerGuard(guard) }
-
-  /**
-   * Holds if the additional taint propagation step from `node1` to `node2`
-   * must be taken into account in the analysis.
-   */
-  predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
-
-  final override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    isAdditionalTaintStep(node1, node2) or
-    defaultAdditionalTaintStep(node1, node2)
-  }
-
-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
-    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
-    defaultImplicitTaintRead(node, c)
-  }
-
-  /**
-   * Holds if taint may flow from `source` to `sink` for this configuration.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
-    super.hasFlow(source, sink)
-  }
-}

cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll

@@ -1,120 +0,0 @@
-/**
- * Provides an implementation of global (interprocedural) taint tracking.
- * This file re-exports the local (intraprocedural) taint-tracking analysis
- * from `TaintTrackingParameter::Public` and adds a global analysis, mainly
- * exposed through the `Configuration` class. For some languages, this file
- * exists in several identical copies, allowing queries to use multiple
- * `Configuration` classes that depend on each other without introducing
- * mutual recursion among those configurations.
- */
-
-import TaintTrackingParameter::Public
-private import TaintTrackingParameter::Private
-
-/**
- * A configuration of interprocedural taint tracking analysis. This defines
- * sources, sinks, and any other configurable aspect of the analysis. Each
- * use of the taint tracking library must define its own unique extension of
- * this abstract class.
- *
- * A taint-tracking configuration is a special data flow configuration
- * (`DataFlow::Configuration`) that allows for flow through nodes that do not
- * necessarily preserve values but are still relevant from a taint tracking
- * perspective. (For example, string concatenation, where one of the operands
- * is tainted.)
- *
- * To create a configuration, extend this class with a subclass whose
- * characteristic predicate is a unique singleton string. For example, write
- *
- * ```ql
- * class MyAnalysisConfiguration extends TaintTracking::Configuration {
- *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
- *   // Override `isSource` and `isSink`.
- *   // Optionally override `isSanitizer`.
- *   // Optionally override `isSanitizerIn`.
- *   // Optionally override `isSanitizerOut`.
- *   // Optionally override `isSanitizerGuard`.
- *   // Optionally override `isAdditionalTaintStep`.
- * }
- * ```
- *
- * Then, to query whether there is flow between some `source` and `sink`,
- * write
- *
- * ```ql
- * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
- * ```
- *
- * Multiple configurations can coexist, but it is unsupported to depend on
- * another `TaintTracking::Configuration` or a `DataFlow::Configuration` in the
- * overridden predicates that define sources, sinks, or additional steps.
- * Instead, the dependency should go to a `TaintTracking2::Configuration` or a
- * `DataFlow2::Configuration`, `DataFlow3::Configuration`, etc.
- */
-abstract class Configuration extends DataFlow::Configuration {
-  bindingset[this]
-  Configuration() { any() }
-
-  /**
-   * Holds if `source` is a relevant taint source.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSource(DataFlow::Node source);
-
-  /**
-   * Holds if `sink` is a relevant taint sink.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSink(DataFlow::Node sink);
-
-  /** Holds if the node `node` is a taint sanitizer. */
-  predicate isSanitizer(DataFlow::Node node) { none() }
-
-  final override predicate isBarrier(DataFlow::Node node) {
-    isSanitizer(node) or
-    defaultTaintSanitizer(node)
-  }
-
-  /** Holds if taint propagation into `node` is prohibited. */
-  predicate isSanitizerIn(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node) { isSanitizerIn(node) }
-
-  /** Holds if taint propagation out of `node` is prohibited. */
-  predicate isSanitizerOut(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node) { isSanitizerOut(node) }
-
-  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
-  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
-
-  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) { isSanitizerGuard(guard) }
-
-  /**
-   * Holds if the additional taint propagation step from `node1` to `node2`
-   * must be taken into account in the analysis.
-   */
-  predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
-
-  final override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    isAdditionalTaintStep(node1, node2) or
-    defaultAdditionalTaintStep(node1, node2)
-  }
-
-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
-    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
-    defaultImplicitTaintRead(node, c)
-  }
-
-  /**
-   * Holds if taint may flow from `source` to `sink` for this configuration.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
-    super.hasFlow(source, sink)
-  }
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll

@@ -1,265 +0,0 @@
-private import cpp
-private import semmle.code.cpp.ir.IR
-private import semmle.code.cpp.ir.dataflow.DataFlow
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
-private import DataFlowImplCommon as DataFlowImplCommon
-
-/**
- * Gets a function that might be called by `call`.
- */
-cached
-Function viableCallable(CallInstruction call) {
-  DataFlowImplCommon::forceCachingInSameStage() and
-  result = call.getStaticCallTarget()
-  or
-  // If the target of the call does not have a body in the snapshot, it might
-  // be because the target is just a header declaration, and the real target
-  // will be determined at run time when the caller and callee are linked
-  // together by the operating system's dynamic linker. In case a _unique_
-  // function with the right signature is present in the database, we return
-  // that as a potential callee.
-  exists(string qualifiedName, int nparams |
-    callSignatureWithoutBody(qualifiedName, nparams, call) and
-    functionSignatureWithBody(qualifiedName, nparams, result) and
-    strictcount(Function other | functionSignatureWithBody(qualifiedName, nparams, other)) = 1
-  )
-  or
-  // Virtual dispatch
-  result = call.(VirtualDispatch::DataSensitiveCall).resolve()
-}
-
-/**
- * Provides virtual dispatch support compatible with the original
- * implementation of `semmle.code.cpp.security.TaintTracking`.
- */
-private module VirtualDispatch {
-  /** A call that may dispatch differently depending on the qualifier value. */
-  abstract class DataSensitiveCall extends DataFlowCall {
-    /**
-     * Gets the node whose value determines the target of this call. This node
-     * could be the qualifier of a virtual dispatch or the function-pointer
-     * expression in a call to a function pointer. What they have in common is
-     * that we need to find out which data flows there, and then it's up to the
-     * `resolve` predicate to stitch that information together and resolve the
-     * call.
-     */
-    abstract DataFlow::Node getDispatchValue();
-
-    /** Gets a candidate target for this call. */
-    abstract Function resolve();
-
-    /**
-     * Whether `src` can flow to this call.
-     *
-     * Searches backwards from `getDispatchValue()` to `src`. The `allowFromArg`
-     * parameter is true when the search is allowed to continue backwards into
-     * a parameter; non-recursive callers should pass `_` for `allowFromArg`.
-     */
-    predicate flowsFrom(DataFlow::Node src, boolean allowFromArg) {
-      src = this.getDispatchValue() and allowFromArg = true
-      or
-      exists(DataFlow::Node other, boolean allowOtherFromArg |
-        this.flowsFrom(other, allowOtherFromArg)
-      |
-        // Call argument
-        exists(DataFlowCall call, int i |
-          other.(DataFlow::ParameterNode).isParameterOf(call.getStaticCallTarget(), i) and
-          src.(ArgumentNode).argumentOf(call, i)
-        ) and
-        allowOtherFromArg = true and
-        allowFromArg = true
-        or
-        // Call return
-        exists(DataFlowCall call, ReturnKind returnKind |
-          other = getAnOutNode(call, returnKind) and
-          returnNodeWithKindAndEnclosingCallable(src, returnKind, call.getStaticCallTarget())
-        ) and
-        allowFromArg = false
-        or
-        // Local flow
-        DataFlow::localFlowStep(src, other) and
-        allowFromArg = allowOtherFromArg
-        or
-        // Flow from global variable to load.
-        exists(LoadInstruction load, GlobalOrNamespaceVariable var |
-          var = src.asVariable() and
-          other.asInstruction() = load and
-          addressOfGlobal(load.getSourceAddress(), var) and
-          // The `allowFromArg` concept doesn't play a role when `src` is a
-          // global variable, so we just set it to a single arbitrary value for
-          // performance.
-          allowFromArg = true
-        )
-        or
-        // Flow from store to global variable.
-        exists(StoreInstruction store, GlobalOrNamespaceVariable var |
-          var = other.asVariable() and
-          store = src.asInstruction() and
-          storeIntoGlobal(store, var) and
-          // Setting `allowFromArg` to `true` like in the base case means we
-          // treat a store to a global variable like the dispatch itself: flow
-          // may come from anywhere.
-          allowFromArg = true
-        )
-      )
-    }
-  }
-
-  pragma[noinline]
-  private predicate storeIntoGlobal(StoreInstruction store, GlobalOrNamespaceVariable var) {
-    addressOfGlobal(store.getDestinationAddress(), var)
-  }
-
-  /** Holds if `addressInstr` is an instruction that produces the address of `var`. */
-  private predicate addressOfGlobal(Instruction addressInstr, GlobalOrNamespaceVariable var) {
-    // Access directly to the global variable
-    addressInstr.(VariableAddressInstruction).getASTVariable() = var
-    or
-    // Access to a field on a global union
-    exists(FieldAddressInstruction fa |
-      fa = addressInstr and
-      fa.getObjectAddress().(VariableAddressInstruction).getASTVariable() = var and
-      fa.getField().getDeclaringType() instanceof Union
-    )
-  }
-
-  /**
-   * A ReturnNode with its ReturnKind and its enclosing callable.
-   *
-   * Used to fix a join ordering issue in flowsFrom.
-   */
-  private predicate returnNodeWithKindAndEnclosingCallable(
-    ReturnNode node, ReturnKind kind, DataFlowCallable callable
-  ) {
-    node.getKind() = kind and
-    node.getEnclosingCallable() = callable
-  }
-
-  /** Call through a function pointer. */
-  private class DataSensitiveExprCall extends DataSensitiveCall {
-    DataSensitiveExprCall() { not exists(this.getStaticCallTarget()) }
-
-    override DataFlow::Node getDispatchValue() { result.asInstruction() = this.getCallTarget() }
-
-    override Function resolve() {
-      exists(FunctionInstruction fi |
-        this.flowsFrom(DataFlow::instructionNode(fi), _) and
-        result = fi.getFunctionSymbol()
-      ) and
-      (
-        this.getNumberOfArguments() <= result.getEffectiveNumberOfParameters() and
-        this.getNumberOfArguments() >= result.getEffectiveNumberOfParameters()
-        or
-        result.isVarargs()
-      )
-    }
-  }
-
-  /** Call to a virtual function. */
-  private class DataSensitiveOverriddenFunctionCall extends DataSensitiveCall {
-    DataSensitiveOverriddenFunctionCall() {
-      exists(this.getStaticCallTarget().(VirtualFunction).getAnOverridingFunction())
-    }
-
-    override DataFlow::Node getDispatchValue() { result.asInstruction() = this.getThisArgument() }
-
-    override MemberFunction resolve() {
-      exists(Class overridingClass |
-        this.overrideMayAffectCall(overridingClass, result) and
-        this.hasFlowFromCastFrom(overridingClass)
-      )
-    }
-
-    /**
-     * Holds if `this` is a virtual function call whose static target is
-     * overridden by `overridingFunction` in `overridingClass`.
-     */
-    pragma[noinline]
-    private predicate overrideMayAffectCall(Class overridingClass, MemberFunction overridingFunction) {
-      overridingFunction.getAnOverriddenFunction+() = this.getStaticCallTarget().(VirtualFunction) and
-      overridingFunction.getDeclaringType() = overridingClass
-    }
-
-    /**
-     * Holds if the qualifier of `this` has flow from an upcast from
-     * `derivedClass`.
-     */
-    pragma[noinline]
-    private predicate hasFlowFromCastFrom(Class derivedClass) {
-      exists(ConvertToBaseInstruction toBase |
-        this.flowsFrom(DataFlow::instructionNode(toBase), _) and
-        derivedClass = toBase.getDerivedClass()
-      )
-    }
-  }
-}
-
-/**
- * Holds if `f` is a function with a body that has name `qualifiedName` and
- * `nparams` parameter count. See `functionSignature`.
- */
-private predicate functionSignatureWithBody(string qualifiedName, int nparams, Function f) {
-  functionSignature(f, qualifiedName, nparams) and
-  exists(f.getBlock())
-}
-
-/**
- * Holds if the target of `call` is a function _with no definition_ that has
- * name `qualifiedName` and `nparams` parameter count. See `functionSignature`.
- */
-pragma[noinline]
-private predicate callSignatureWithoutBody(string qualifiedName, int nparams, CallInstruction call) {
-  exists(Function target |
-    target = call.getStaticCallTarget() and
-    not exists(target.getBlock()) and
-    functionSignature(target, qualifiedName, nparams)
-  )
-}
-
-/**
- * Holds if `f` has name `qualifiedName` and `nparams` parameter count. This is
- * an approximation of its signature for the purpose of matching functions that
- * might be the same across link targets.
- */
-private predicate functionSignature(Function f, string qualifiedName, int nparams) {
-  qualifiedName = f.getQualifiedName() and
-  nparams = f.getNumberOfParameters() and
-  not f.isStatic()
-}
-
-/**
- * Holds if the set of viable implementations that can be called by `call`
- * might be improved by knowing the call context.
- */
-predicate mayBenefitFromCallContext(CallInstruction call, Function f) {
-  mayBenefitFromCallContext(call, f, _)
-}
-
-/**
- * Holds if `call` is a call through a function pointer, and the pointer
- * value is given as the `arg`'th argument to `f`.
- */
-private predicate mayBenefitFromCallContext(
-  VirtualDispatch::DataSensitiveCall call, Function f, int arg
-) {
-  f = pragma[only_bind_out](call).getEnclosingCallable() and
-  exists(InitializeParameterInstruction init |
-    not exists(call.getStaticCallTarget()) and
-    init.getEnclosingFunction() = f and
-    call.flowsFrom(DataFlow::instructionNode(init), _) and
-    init.getParameter().getIndex() = arg
-  )
-}
-
-/**
- * Gets a viable dispatch target of `call` in the context `ctx`. This is
- * restricted to those `call`s for which a context might make a difference.
- */
-Function viableImplInCallContext(CallInstruction call, CallInstruction ctx) {
-  result = viableCallable(call) and
-  exists(int i, Function f |
-    mayBenefitFromCallContext(pragma[only_bind_into](call), f, i) and
-    f = ctx.getStaticCallTarget() and
-    result = ctx.getArgument(i).getUnconvertedResultExpression().(FunctionAccess).getTarget()
-  )
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -1,503 +0,0 @@
-private import cpp
-private import DataFlowUtil
-private import semmle.code.cpp.ir.IR
-private import DataFlowDispatch
-
-/**
- * A data flow node that occurs as the argument of a call and is passed as-is
- * to the callable. Instance arguments (`this` pointer) and read side effects
- * on parameters are also included.
- */
-abstract class ArgumentNode extends OperandNode {
-  /**
-   * Holds if this argument occurs at the given position in the given call.
-   * The instance argument is considered to have index `-1`.
-   */
-  abstract predicate argumentOf(DataFlowCall call, int pos);
-
-  /** Gets the call in which this node is an argument. */
-  DataFlowCall getCall() { this.argumentOf(result, _) }
-}
-
-/**
- * A data flow node that occurs as the argument to a call, or an
- * implicit `this` pointer argument.
- */
-private class PrimaryArgumentNode extends ArgumentNode {
-  override ArgumentOperand op;
-
-  PrimaryArgumentNode() { exists(CallInstruction call | op = call.getAnArgumentOperand()) }
-
-  override predicate argumentOf(DataFlowCall call, int pos) { op = call.getArgumentOperand(pos) }
-
-  override string toString() {
-    exists(Expr unconverted |
-      unconverted = op.getDef().getUnconvertedResultExpression() and
-      result = unconverted.toString()
-    )
-    or
-    // Certain instructions don't map to an unconverted result expression. For these cases
-    // we fall back to a simpler naming scheme. This can happen in IR-generated constructors.
-    not exists(op.getDef().getUnconvertedResultExpression()) and
-    (
-      result = "Argument " + op.(PositionalArgumentOperand).getIndex()
-      or
-      op instanceof ThisArgumentOperand and result = "Argument this"
-    )
-  }
-}
-
-/**
- * A data flow node representing the read side effect of a call on a
- * specific parameter.
- */
-private class SideEffectArgumentNode extends ArgumentNode {
-  override SideEffectOperand op;
-  ReadSideEffectInstruction read;
-
-  SideEffectArgumentNode() { op = read.getSideEffectOperand() }
-
-  override predicate argumentOf(DataFlowCall call, int pos) {
-    read.getPrimaryInstruction() = call and
-    pos = getArgumentPosOfSideEffect(read.getIndex())
-  }
-
-  override string toString() {
-    result = read.getArgumentDef().getUnconvertedResultExpression().toString() + " indirection"
-    or
-    // Some instructions don't map to an unconverted result expression. For these cases
-    // we fall back to a simpler naming scheme. This can happen in IR-generated constructors.
-    not exists(read.getArgumentDef().getUnconvertedResultExpression()) and
-    (
-      if read.getIndex() = -1
-      then result = "Argument this indirection"
-      else result = "Argument " + read.getIndex() + " indirection"
-    )
-  }
-}
-
-private newtype TReturnKind =
-  TNormalReturnKind() or
-  TIndirectReturnKind(ParameterIndex index)
-
-/**
- * A return kind. A return kind describes how a value can be returned
- * from a callable. For C++, this is simply a function return.
- */
-class ReturnKind extends TReturnKind {
-  /** Gets a textual representation of this return kind. */
-  abstract string toString();
-}
-
-private class NormalReturnKind extends ReturnKind, TNormalReturnKind {
-  override string toString() { result = "return" }
-}
-
-private class IndirectReturnKind extends ReturnKind, TIndirectReturnKind {
-  ParameterIndex index;
-
-  IndirectReturnKind() { this = TIndirectReturnKind(index) }
-
-  override string toString() { result = "outparam[" + index.toString() + "]" }
-}
-
-/** A data flow node that occurs as the result of a `ReturnStmt`. */
-class ReturnNode extends InstructionNode {
-  Instruction primary;
-
-  ReturnNode() {
-    exists(ReturnValueInstruction ret | instr = ret.getReturnValue() and primary = ret)
-    or
-    exists(ReturnIndirectionInstruction rii |
-      instr = rii.getSideEffectOperand().getAnyDef() and primary = rii
-    )
-  }
-
-  /** Gets the kind of this returned value. */
-  abstract ReturnKind getKind();
-}
-
-class ReturnValueNode extends ReturnNode {
-  override ReturnValueInstruction primary;
-
-  override ReturnKind getKind() { result = TNormalReturnKind() }
-}
-
-class ReturnIndirectionNode extends ReturnNode {
-  override ReturnIndirectionInstruction primary;
-
-  override ReturnKind getKind() {
-    exists(int index |
-      primary.hasIndex(index) and
-      result = TIndirectReturnKind(index)
-    )
-  }
-}
-
-/** A data flow node that represents the output of a call. */
-class OutNode extends InstructionNode {
-  OutNode() {
-    instr instanceof CallInstruction or
-    instr instanceof WriteSideEffectInstruction
-  }
-
-  /** Gets the underlying call. */
-  abstract DataFlowCall getCall();
-
-  abstract ReturnKind getReturnKind();
-}
-
-private class CallOutNode extends OutNode {
-  override CallInstruction instr;
-
-  override DataFlowCall getCall() { result = instr }
-
-  override ReturnKind getReturnKind() { result instanceof NormalReturnKind }
-}
-
-private class SideEffectOutNode extends OutNode {
-  override WriteSideEffectInstruction instr;
-
-  override DataFlowCall getCall() { result = instr.getPrimaryInstruction() }
-
-  override ReturnKind getReturnKind() { result = TIndirectReturnKind(instr.getIndex()) }
-}
-
-/**
- * Gets a node that can read the value returned from `call` with return kind
- * `kind`.
- */
-OutNode getAnOutNode(DataFlowCall call, ReturnKind kind) {
-  // There should be only one `OutNode` for a given `(call, kind)` pair. Showing the optimizer that
-  // this is true helps it make better decisions downstream, especially in virtual dispatch.
-  result =
-    unique(OutNode outNode |
-      outNode.getCall() = call and
-      outNode.getReturnKind() = kind
-    )
-}
-
-/**
- * Holds if data can flow from `node1` to `node2` in a way that loses the
- * calling context. For example, this would happen with flow through a
- * global or static variable.
- */
-predicate jumpStep(Node n1, Node n2) { none() }
-
-private predicate fieldStoreStepNoChi(Node node1, FieldContent f, PostUpdateNode node2) {
-  exists(StoreInstruction store, Class c |
-    store = node2.asInstruction() and
-    store.getSourceValueOperand() = node1.asOperand() and
-    getWrittenField(store, f.(FieldContent).getAField(), c) and
-    f.hasOffset(c, _, _)
-  )
-}
-
-private FieldAddressInstruction getFieldInstruction(Instruction instr) {
-  result = instr or
-  result = instr.(CopyValueInstruction).getUnary()
-}
-
-pragma[noinline]
-private predicate getWrittenField(Instruction instr, Field f, Class c) {
-  exists(FieldAddressInstruction fa |
-    fa =
-      getFieldInstruction([
-          instr.(StoreInstruction).getDestinationAddress(),
-          instr.(WriteSideEffectInstruction).getDestinationAddress()
-        ]) and
-    f = fa.getField() and
-    c = f.getDeclaringType()
-  )
-}
-
-private predicate fieldStoreStepChi(Node node1, FieldContent f, PostUpdateNode node2) {
-  exists(ChiPartialOperand operand, ChiInstruction chi |
-    chi.getPartialOperand() = operand and
-    node1.asOperand() = operand and
-    node2.asInstruction() = chi and
-    exists(Class c |
-      c = chi.getResultType() and
-      exists(int startBit, int endBit |
-        chi.getUpdatedInterval(startBit, endBit) and
-        f.hasOffset(c, startBit, endBit)
-      )
-      or
-      getWrittenField(operand.getDef(), f.getAField(), c) and
-      f.hasOffset(c, _, _)
-    )
-  )
-}
-
-private predicate arrayStoreStepChi(Node node1, ArrayContent a, PostUpdateNode node2) {
-  exists(a) and
-  exists(ChiPartialOperand operand, ChiInstruction chi, StoreInstruction store |
-    chi.getPartialOperand() = operand and
-    store = operand.getDef() and
-    node1.asOperand() = operand and
-    // This `ChiInstruction` will always have a non-conflated result because both `ArrayStoreNode`
-    // and `PointerStoreNode` require it in their characteristic predicates.
-    node2.asInstruction() = chi and
-    (
-      // `x[i] = taint()`
-      // This matches the characteristic predicate in `ArrayStoreNode`.
-      store.getDestinationAddress() instanceof PointerAddInstruction
-      or
-      // `*p = taint()`
-      // This matches the characteristic predicate in `PointerStoreNode`.
-      store.getDestinationAddress().(CopyValueInstruction).getUnary() instanceof LoadInstruction
-    )
-  )
-}
-
-/**
- * Holds if data can flow from `node1` to `node2` via an assignment to `f`.
- * Thus, `node2` references an object with a field `f` that contains the
- * value of `node1`.
- */
-predicate storeStep(Node node1, Content f, PostUpdateNode node2) {
-  fieldStoreStepNoChi(node1, f, node2) or
-  fieldStoreStepChi(node1, f, node2) or
-  arrayStoreStepChi(node1, f, node2) or
-  fieldStoreStepAfterArraySuppression(node1, f, node2)
-}
-
-// This predicate pushes the correct `FieldContent` onto the access path when the
-// `suppressArrayRead` predicate has popped off an `ArrayContent`.
-private predicate fieldStoreStepAfterArraySuppression(
-  Node node1, FieldContent f, PostUpdateNode node2
-) {
-  exists(WriteSideEffectInstruction write, ChiInstruction chi, Class c |
-    not chi.isResultConflated() and
-    node1.asInstruction() = chi and
-    node2.asInstruction() = chi and
-    chi.getPartial() = write and
-    getWrittenField(write, f.getAField(), c) and
-    f.hasOffset(c, _, _)
-  )
-}
-
-bindingset[result, i]
-private int unbindInt(int i) { i <= result and i >= result }
-
-pragma[noinline]
-private predicate getLoadedField(LoadInstruction load, Field f, Class c) {
-  exists(FieldAddressInstruction fa |
-    fa = load.getSourceAddress() and
-    f = fa.getField() and
-    c = f.getDeclaringType()
-  )
-}
-
-/**
- * Holds if data can flow from `node1` to `node2` via a read of `f`.
- * Thus, `node1` references an object with a field `f` whose value ends up in
- * `node2`.
- */
-private predicate fieldReadStep(Node node1, FieldContent f, Node node2) {
-  exists(LoadOperand operand |
-    node2.asOperand() = operand and
-    node1.asInstruction() = operand.getAnyDef() and
-    exists(Class c |
-      c = operand.getAnyDef().getResultType() and
-      exists(int startBit, int endBit |
-        operand.getUsedInterval(unbindInt(startBit), unbindInt(endBit)) and
-        f.hasOffset(c, startBit, endBit)
-      )
-      or
-      getLoadedField(operand.getUse(), f.getAField(), c) and
-      f.hasOffset(c, _, _)
-    )
-  )
-}
-
-/**
- * When a store step happens in a function that looks like an array write such as:
- * ```cpp
- * void f(int* pa) {
- *   pa = source();
- * }
- * ```
- * it can be a write to an array, but it can also happen that `f` is called as `f(&a.x)`. If that is
- * the case, the `ArrayContent` that was written by the call to `f` should be popped off the access
- * path, and a `FieldContent` containing `x` should be pushed instead.
- * So this case pops `ArrayContent` off the access path, and the `fieldStoreStepAfterArraySuppression`
- * predicate in `storeStep` ensures that we push the right `FieldContent` onto the access path.
- */
-predicate suppressArrayRead(Node node1, ArrayContent a, Node node2) {
-  exists(a) and
-  exists(WriteSideEffectInstruction write, ChiInstruction chi |
-    node1.asInstruction() = write and
-    node2.asInstruction() = chi and
-    chi.getPartial() = write and
-    getWrittenField(write, _, _)
-  )
-}
-
-private class ArrayToPointerConvertInstruction extends ConvertInstruction {
-  ArrayToPointerConvertInstruction() {
-    this.getUnary().getResultType() instanceof ArrayType and
-    this.getResultType() instanceof PointerType
-  }
-}
-
-private Instruction skipOneCopyValueInstructionRec(CopyValueInstruction copy) {
-  copy.getUnary() = result and not result instanceof CopyValueInstruction
-  or
-  result = skipOneCopyValueInstructionRec(copy.getUnary())
-}
-
-private Instruction skipCopyValueInstructions(Operand op) {
-  not result instanceof CopyValueInstruction and result = op.getDef()
-  or
-  result = skipOneCopyValueInstructionRec(op.getDef())
-}
-
-private predicate arrayReadStep(Node node1, ArrayContent a, Node node2) {
-  exists(a) and
-  // Explicit dereferences such as `*p` or `p[i]` where `p` is a pointer or array.
-  exists(LoadOperand operand, Instruction address |
-    operand.isDefinitionInexact() and
-    node1.asInstruction() = operand.getAnyDef() and
-    operand = node2.asOperand() and
-    address = skipCopyValueInstructions(operand.getAddressOperand()) and
-    (
-      address instanceof LoadInstruction or
-      address instanceof ArrayToPointerConvertInstruction or
-      address instanceof PointerOffsetInstruction
-    )
-  )
-}
-
-/**
- * In cases such as:
- * ```cpp
- * void f(int* pa) {
- *   *pa = source();
- * }
- * ...
- * int x;
- * f(&x);
- * use(x);
- * ```
- * the load on `x` in `use(x)` will exactly overlap with its definition (in this case the definition
- * is a `WriteSideEffect`). This predicate pops the `ArrayContent` (pushed by the store in `f`)
- * from the access path.
- */
-private predicate exactReadStep(Node node1, ArrayContent a, Node node2) {
-  exists(a) and
-  exists(WriteSideEffectInstruction write, ChiInstruction chi |
-    not chi.isResultConflated() and
-    chi.getPartial() = write and
-    node1.asInstruction() = write and
-    node2.asInstruction() = chi and
-    // To distinquish this case from the `arrayReadStep` case we require that the entire variable was
-    // overwritten by the `WriteSideEffectInstruction` (i.e., there is a load that reads the
-    // entire variable).
-    exists(LoadInstruction load | load.getSourceValue() = chi)
-  )
-}
-
-/**
- * Holds if data can flow from `node1` to `node2` via a read of `f`.
- * Thus, `node1` references an object with a field `f` whose value ends up in
- * `node2`.
- */
-predicate readStep(Node node1, Content f, Node node2) {
-  fieldReadStep(node1, f, node2) or
-  arrayReadStep(node1, f, node2) or
-  exactReadStep(node1, f, node2) or
-  suppressArrayRead(node1, f, node2)
-}
-
-/**
- * Holds if values stored inside content `c` are cleared at node `n`.
- */
-predicate clearsContent(Node n, Content c) {
-  none() // stub implementation
-}
-
-/** Gets the type of `n` used for type pruning. */
-IRType getNodeType(Node n) {
-  suppressUnusedNode(n) and
-  result instanceof IRVoidType // stub implementation
-}
-
-/** Gets a string representation of a type returned by `getNodeType`. */
-string ppReprType(IRType t) { none() } // stub implementation
-
-/**
- * Holds if `t1` and `t2` are compatible, that is, whether data can flow from
- * a node of type `t1` to a node of type `t2`.
- */
-pragma[inline]
-predicate compatibleTypes(IRType t1, IRType t2) {
-  any() // stub implementation
-}
-
-private predicate suppressUnusedNode(Node n) { any() }
-
-//////////////////////////////////////////////////////////////////////////////
-// Java QL library compatibility wrappers
-//////////////////////////////////////////////////////////////////////////////
-/** A node that performs a type cast. */
-class CastNode extends InstructionNode {
-  CastNode() { none() } // stub implementation
-}
-
-/**
- * A function that may contain code or a variable that may contain itself. When
- * flow crosses from one _enclosing callable_ to another, the interprocedural
- * data-flow library discards call contexts and inserts a node in the big-step
- * relation used for human-readable path explanations.
- */
-class DataFlowCallable = Declaration;
-
-class DataFlowExpr = Expr;
-
-class DataFlowType = IRType;
-
-/** A function call relevant for data flow. */
-class DataFlowCall extends CallInstruction {
-  Function getEnclosingCallable() { result = this.getEnclosingFunction() }
-}
-
-predicate isUnreachableInCall(Node n, DataFlowCall call) { none() } // stub implementation
-
-int accessPathLimit() { result = 5 }
-
-/** The unit type. */
-private newtype TUnit = TMkUnit()
-
-/** The trivial type with a single element. */
-class Unit extends TUnit {
-  /** Gets a textual representation of this element. */
-  string toString() { result = "unit" }
-}
-
-/**
- * Holds if `n` does not require a `PostUpdateNode` as it either cannot be
- * modified or its modification cannot be observed, for example if it is a
- * freshly created object that is not saved in a variable.
- *
- * This predicate is only used for consistency checks.
- */
-predicate isImmutableOrUnobservable(Node n) {
-  // The rules for whether an IR argument gets a post-update node are too
-  // complex to model here.
-  any()
-}
-
-/** Holds if `n` should be hidden from path explanations. */
-predicate nodeIsHidden(Node n) { n instanceof OperandNode and not n instanceof ArgumentNode }
-
-class LambdaCallKind = Unit;
-
-/** Holds if `creation` is an expression that creates a lambda of kind `kind` for `c`. */
-predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c) { none() }
-
-/** Holds if `call` is a lambda call of kind `kind` where `receiver` is the lambda expression. */
-predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) { none() }
-
-/** Extra data-flow steps needed for lambda flow analysis. */
-predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) { none() }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -1,879 +0,0 @@
-/**
- * Provides C++-specific definitions for use in the data flow library.
- */
-
-private import cpp
-// The `ValueNumbering` library has to be imported right after `cpp` to ensure
-// that the cached IR gets the same checksum here as it does in queries that use
-// `ValueNumbering` without `DataFlow`.
-private import semmle.code.cpp.ir.ValueNumbering
-private import semmle.code.cpp.ir.IR
-private import semmle.code.cpp.controlflow.IRGuards
-private import semmle.code.cpp.models.interfaces.DataFlow
-
-cached
-private module Cached {
-  cached
-  newtype TIRDataFlowNode =
-    TInstructionNode(Instruction i) or
-    TOperandNode(Operand op) or
-    TVariableNode(Variable var)
-
-  cached
-  predicate localFlowStepCached(Node nodeFrom, Node nodeTo) {
-    simpleLocalFlowStep(nodeFrom, nodeTo)
-  }
-}
-
-private import Cached
-
-/**
- * A node in a data flow graph.
- *
- * A node can be either an expression, a parameter, or an uninitialized local
- * variable. Such nodes are created with `DataFlow::exprNode`,
- * `DataFlow::parameterNode`, and `DataFlow::uninitializedNode` respectively.
- */
-class Node extends TIRDataFlowNode {
-  /**
-   * INTERNAL: Do not use.
-   */
-  Declaration getEnclosingCallable() { none() } // overridden in subclasses
-
-  /** Gets the function to which this node belongs, if any. */
-  Function getFunction() { none() } // overridden in subclasses
-
-  /** Gets the type of this node. */
-  IRType getType() { none() } // overridden in subclasses
-
-  /** Gets the instruction corresponding to this node, if any. */
-  Instruction asInstruction() { result = this.(InstructionNode).getInstruction() }
-
-  /** Gets the operands corresponding to this node, if any. */
-  Operand asOperand() { result = this.(OperandNode).getOperand() }
-
-  /**
-   * Gets the non-conversion expression corresponding to this node, if any.
-   * This predicate only has a result on nodes that represent the value of
-   * evaluating the expression. For data flowing _out of_ an expression, like
-   * when an argument is passed by reference, use `asDefiningArgument` instead
-   * of `asExpr`.
-   *
-   * If this node strictly (in the sense of `asConvertedExpr`) corresponds to
-   * a `Conversion`, then the result is the underlying non-`Conversion` base
-   * expression.
-   */
-  Expr asExpr() { result = this.(ExprNode).getExpr() }
-
-  /**
-   * Gets the expression corresponding to this node, if any. The returned
-   * expression may be a `Conversion`.
-   */
-  Expr asConvertedExpr() { result = this.(ExprNode).getConvertedExpr() }
-
-  /**
-   * Gets the argument that defines this `DefinitionByReferenceNode`, if any.
-   * This predicate should be used instead of `asExpr` when referring to the
-   * value of a reference argument _after_ the call has returned. For example,
-   * in `f(&x)`, this predicate will have `&x` as its result for the `Node`
-   * that represents the new value of `x`.
-   */
-  Expr asDefiningArgument() { result = this.(DefinitionByReferenceNode).getArgument() }
-
-  /** Gets the positional parameter corresponding to this node, if any. */
-  Parameter asParameter() { result = this.(ExplicitParameterNode).getParameter() }
-
-  /**
-   * Gets the variable corresponding to this node, if any. This can be used for
-   * modeling flow in and out of global variables.
-   */
-  Variable asVariable() { result = this.(VariableNode).getVariable() }
-
-  /**
-   * Gets the expression that is partially defined by this node, if any.
-   *
-   * Partial definitions are created for field stores (`x.y = taint();` is a partial
-   * definition of `x`), and for calls that may change the value of an object (so
-   * `x.set(taint())` is a partial definition of `x`, and `transfer(&x, taint())` is
-   * a partial definition of `&x`).
-   */
-  Expr asPartialDefinition() { result = this.(PartialDefinitionNode).getDefinedExpr() }
-
-  /**
-   * DEPRECATED: See UninitializedNode.
-   *
-   * Gets the uninitialized local variable corresponding to this node, if
-   * any.
-   */
-  deprecated LocalVariable asUninitialized() { none() }
-
-  /**
-   * Gets an upper bound on the type of this node.
-   */
-  IRType getTypeBound() { result = getType() }
-
-  /** Gets the location of this element. */
-  Location getLocation() { none() } // overridden by subclasses
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
-   */
-  predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-  }
-
-  /** Gets a textual representation of this element. */
-  string toString() { none() } // overridden by subclasses
-}
-
-/**
- * An instruction, viewed as a node in a data flow graph.
- */
-class InstructionNode extends Node, TInstructionNode {
-  Instruction instr;
-
-  InstructionNode() { this = TInstructionNode(instr) }
-
-  /** Gets the instruction corresponding to this node. */
-  Instruction getInstruction() { result = instr }
-
-  override Declaration getEnclosingCallable() { result = this.getFunction() }
-
-  override Function getFunction() { result = instr.getEnclosingFunction() }
-
-  override IRType getType() { result = instr.getResultIRType() }
-
-  override Location getLocation() { result = instr.getLocation() }
-
-  override string toString() {
-    // This predicate is overridden in subclasses. This default implementation
-    // does not use `Instruction.toString` because that's expensive to compute.
-    result = this.getInstruction().getOpcode().toString()
-  }
-}
-
-/**
- * An operand, viewed as a node in a data flow graph.
- */
-class OperandNode extends Node, TOperandNode {
-  Operand op;
-
-  OperandNode() { this = TOperandNode(op) }
-
-  /** Gets the operand corresponding to this node. */
-  Operand getOperand() { result = op }
-
-  override Declaration getEnclosingCallable() { result = this.getFunction() }
-
-  override Function getFunction() { result = op.getUse().getEnclosingFunction() }
-
-  override IRType getType() { result = op.getIRType() }
-
-  override Location getLocation() { result = op.getLocation() }
-
-  override string toString() { result = this.getOperand().toString() }
-}
-
-/**
- * An expression, viewed as a node in a data flow graph.
- */
-class ExprNode extends InstructionNode {
-  ExprNode() { exists(instr.getConvertedResultExpression()) }
-
-  /**
-   * Gets the non-conversion expression corresponding to this node, if any. If
-   * this node strictly (in the sense of `getConvertedExpr`) corresponds to a
-   * `Conversion`, then the result is that `Conversion`'s non-`Conversion` base
-   * expression.
-   */
-  Expr getExpr() { result = instr.getUnconvertedResultExpression() }
-
-  /**
-   * Gets the expression corresponding to this node, if any. The returned
-   * expression may be a `Conversion`.
-   */
-  Expr getConvertedExpr() { result = instr.getConvertedResultExpression() }
-
-  override string toString() { result = this.asConvertedExpr().toString() }
-}
-
-/**
- * INTERNAL: do not use. Translates a parameter/argument index into a negative
- * number that denotes the index of its side effect (pointer indirection).
- */
-bindingset[index]
-int getArgumentPosOfSideEffect(int index) {
-  // -1 -> -2
-  //  0 -> -3
-  //  1 -> -4
-  // ...
-  result = -3 - index
-}
-
-/**
- * The value of a parameter at function entry, viewed as a node in a data
- * flow graph. This includes both explicit parameters such as `x` in `f(x)`
- * and implicit parameters such as `this` in `x.f()`.
- *
- * To match a specific kind of parameter, consider using one of the subclasses
- * `ExplicitParameterNode`, `ThisParameterNode`, or
- * `ParameterIndirectionNode`.
- */
-class ParameterNode extends InstructionNode {
-  ParameterNode() {
-    // To avoid making this class abstract, we enumerate its values here
-    instr instanceof InitializeParameterInstruction
-    or
-    instr instanceof InitializeIndirectionInstruction
-  }
-
-  /**
-   * Holds if this node is the parameter of `f` at the specified position. The
-   * implicit `this` parameter is considered to have position `-1`, and
-   * pointer-indirection parameters are at further negative positions.
-   */
-  predicate isParameterOf(Function f, int pos) { none() } // overridden by subclasses
-}
-
-/** An explicit positional parameter, not including `this` or `...`. */
-private class ExplicitParameterNode extends ParameterNode {
-  override InitializeParameterInstruction instr;
-
-  ExplicitParameterNode() { exists(instr.getParameter()) }
-
-  override predicate isParameterOf(Function f, int pos) {
-    f.getParameter(pos) = instr.getParameter()
-  }
-
-  /** Gets the `Parameter` associated with this node. */
-  Parameter getParameter() { result = instr.getParameter() }
-
-  override string toString() { result = instr.getParameter().toString() }
-}
-
-/** An implicit `this` parameter. */
-class ThisParameterNode extends ParameterNode {
-  override InitializeParameterInstruction instr;
-
-  ThisParameterNode() { instr.getIRVariable() instanceof IRThisVariable }
-
-  override predicate isParameterOf(Function f, int pos) {
-    pos = -1 and instr.getEnclosingFunction() = f
-  }
-
-  override string toString() { result = "this" }
-}
-
-/** A synthetic parameter to model the pointed-to object of a pointer parameter. */
-class ParameterIndirectionNode extends ParameterNode {
-  override InitializeIndirectionInstruction instr;
-
-  override predicate isParameterOf(Function f, int pos) {
-    exists(int index |
-      instr.getEnclosingFunction() = f and
-      instr.hasIndex(index)
-    |
-      pos = getArgumentPosOfSideEffect(index)
-    )
-  }
-
-  override string toString() { result = "*" + instr.getIRVariable().toString() }
-}
-
-/**
- * DEPRECATED: Data flow was never an accurate way to determine what
- * expressions might be uninitialized. It errs on the side of saying that
- * everything is uninitialized, and this is even worse in the IR because the IR
- * doesn't use syntactic hints to rule out variables that are definitely
- * initialized.
- *
- * The value of an uninitialized local variable, viewed as a node in a data
- * flow graph.
- */
-deprecated class UninitializedNode extends Node {
-  UninitializedNode() { none() }
-
-  LocalVariable getLocalVariable() { none() }
-}
-
-/**
- * A node associated with an object after an operation that might have
- * changed its state.
- *
- * This can be either the argument to a callable after the callable returns
- * (which might have mutated the argument), or the qualifier of a field after
- * an update to the field.
- *
- * Nodes corresponding to AST elements, for example `ExprNode`, usually refer
- * to the value before the update with the exception of `ClassInstanceExpr`,
- * which represents the value after the constructor has run.
- *
- * This class exists to match the interface used by Java. There are currently no non-abstract
- * classes that extend it. When we implement field flow, we can revisit this.
- */
-abstract class PostUpdateNode extends InstructionNode {
-  /**
-   * Gets the node before the state update.
-   */
-  abstract Node getPreUpdateNode();
-}
-
-/**
- * The base class for nodes that perform "partial definitions".
- *
- * In contrast to a normal "definition", which provides a new value for
- * something, a partial definition is an expression that may affect a
- * value, but does not necessarily replace it entirely. For example:
- * ```
- * x.y = 1; // a partial definition of the object `x`.
- * x.y.z = 1; // a partial definition of the object `x.y`.
- * x.setY(1); // a partial definition of the object `x`.
- * setY(&x); // a partial definition of the object `x`.
- * ```
- */
-abstract private class PartialDefinitionNode extends PostUpdateNode {
-  abstract Expr getDefinedExpr();
-}
-
-private class ExplicitFieldStoreQualifierNode extends PartialDefinitionNode {
-  override ChiInstruction instr;
-  StoreInstruction store;
-
-  ExplicitFieldStoreQualifierNode() {
-    not instr.isResultConflated() and
-    instr.getPartial() = store and
-    (
-      instr.getUpdatedInterval(_, _) or
-      store.getDestinationAddress() instanceof FieldAddressInstruction
-    )
-  }
-
-  // By using an operand as the result of this predicate we avoid the dataflow inconsistency errors
-  // caused by having multiple nodes sharing the same pre update node. This inconsistency error can cause
-  // a tuple explosion in the big step dataflow relation since it can make many nodes be the entry node
-  // into a big step.
-  override Node getPreUpdateNode() { result.asOperand() = instr.getTotalOperand() }
-
-  override Expr getDefinedExpr() {
-    result =
-      store
-          .getDestinationAddress()
-          .(FieldAddressInstruction)
-          .getObjectAddress()
-          .getUnconvertedResultExpression()
-  }
-}
-
-/**
- * Not every store instruction generates a chi instruction that we can attach a PostUpdateNode to.
- * For instance, an update to a field of a struct containing only one field. Even if the store does
- * have a chi instruction, a subsequent use of the result of the store may be linked directly to the
- * result of the store as an inexact definition if the store totally overlaps the use. For these
- * cases we attach the PostUpdateNode to the store instruction. There's no obvious pre update node
- * for this case (as the entire memory is updated), so `getPreUpdateNode` is implemented as
- * `none()`.
- */
-private class ExplicitSingleFieldStoreQualifierNode extends PartialDefinitionNode {
-  override StoreInstruction instr;
-
-  ExplicitSingleFieldStoreQualifierNode() {
-    (
-      instr.getAUse().isDefinitionInexact()
-      or
-      not exists(ChiInstruction chi | chi.getPartial() = instr)
-    ) and
-    // Without this condition any store would create a `PostUpdateNode`.
-    instr.getDestinationAddress() instanceof FieldAddressInstruction
-  }
-
-  override Node getPreUpdateNode() { none() }
-
-  override Expr getDefinedExpr() {
-    result =
-      instr
-          .getDestinationAddress()
-          .(FieldAddressInstruction)
-          .getObjectAddress()
-          .getUnconvertedResultExpression()
-  }
-}
-
-private FieldAddressInstruction getFieldInstruction(Instruction instr) {
-  result = instr or
-  result = instr.(CopyValueInstruction).getUnary()
-}
-
-/**
- * The target of a `fieldStoreStepAfterArraySuppression` store step, which is used to convert
- * an `ArrayContent` to a `FieldContent` when the `WriteSideEffect` instruction stores
- * into a field. See the QLDoc for `suppressArrayRead` for an example of where such a conversion
- * is inserted.
- */
-private class WriteSideEffectFieldStoreQualifierNode extends PartialDefinitionNode {
-  override ChiInstruction instr;
-  WriteSideEffectInstruction write;
-  FieldAddressInstruction field;
-
-  WriteSideEffectFieldStoreQualifierNode() {
-    not instr.isResultConflated() and
-    instr.getPartial() = write and
-    field = getFieldInstruction(write.getDestinationAddress())
-  }
-
-  override Node getPreUpdateNode() { result.asOperand() = instr.getTotalOperand() }
-
-  override Expr getDefinedExpr() {
-    result = field.getObjectAddress().getUnconvertedResultExpression()
-  }
-}
-
-/**
- * The `PostUpdateNode` that is the target of a `arrayStoreStepChi` store step. The overriden
- * `ChiInstruction` corresponds to the instruction represented by `node2` in `arrayStoreStepChi`.
- */
-private class ArrayStoreNode extends PartialDefinitionNode {
-  override ChiInstruction instr;
-  PointerAddInstruction add;
-
-  ArrayStoreNode() {
-    not instr.isResultConflated() and
-    exists(StoreInstruction store |
-      instr.getPartial() = store and
-      add = store.getDestinationAddress()
-    )
-  }
-
-  override Node getPreUpdateNode() { result.asOperand() = instr.getTotalOperand() }
-
-  override Expr getDefinedExpr() { result = add.getLeft().getUnconvertedResultExpression() }
-}
-
-/**
- * The `PostUpdateNode` that is the target of a `arrayStoreStepChi` store step. The overriden
- * `ChiInstruction` corresponds to the instruction represented by `node2` in `arrayStoreStepChi`.
- */
-private class PointerStoreNode extends PostUpdateNode {
-  override ChiInstruction instr;
-
-  PointerStoreNode() {
-    not instr.isResultConflated() and
-    exists(StoreInstruction store |
-      instr.getPartial() = store and
-      store.getDestinationAddress().(CopyValueInstruction).getUnary() instanceof LoadInstruction
-    )
-  }
-
-  override Node getPreUpdateNode() { result.asOperand() = instr.getTotalOperand() }
-}
-
-/**
- * A node that represents the value of a variable after a function call that
- * may have changed the variable because it's passed by reference.
- *
- * A typical example would be a call `f(&x)`. Firstly, there will be flow into
- * `x` from previous definitions of `x`. Secondly, there will be a
- * `DefinitionByReferenceNode` to represent the value of `x` after the call has
- * returned. This node will have its `getArgument()` equal to `&x` and its
- * `getVariableAccess()` equal to `x`.
- */
-class DefinitionByReferenceNode extends InstructionNode {
-  override WriteSideEffectInstruction instr;
-
-  /** Gets the unconverted argument corresponding to this node. */
-  Expr getArgument() {
-    result =
-      instr
-          .getPrimaryInstruction()
-          .(CallInstruction)
-          .getArgument(instr.getIndex())
-          .getUnconvertedResultExpression()
-  }
-
-  /** Gets the parameter through which this value is assigned. */
-  Parameter getParameter() {
-    exists(CallInstruction ci | result = ci.getStaticCallTarget().getParameter(instr.getIndex()))
-  }
-
-  override string toString() {
-    // This string should be unique enough to be helpful but common enough to
-    // avoid storing too many different strings.
-    result =
-      instr.getPrimaryInstruction().(CallInstruction).getStaticCallTarget().getName() +
-        " output argument"
-    or
-    not exists(instr.getPrimaryInstruction().(CallInstruction).getStaticCallTarget()) and
-    result = "output argument"
-  }
-}
-
-/**
- * A `Node` corresponding to a variable in the program, as opposed to the
- * value of that variable at some particular point. This can be used for
- * modeling flow in and out of global variables.
- */
-class VariableNode extends Node, TVariableNode {
-  Variable v;
-
-  VariableNode() { this = TVariableNode(v) }
-
-  /** Gets the variable corresponding to this node. */
-  Variable getVariable() { result = v }
-
-  override Function getFunction() { none() }
-
-  override Declaration getEnclosingCallable() {
-    // When flow crosses from one _enclosing callable_ to another, the
-    // interprocedural data-flow library discards call contexts and inserts a
-    // node in the big-step relation used for human-readable path explanations.
-    // Therefore we want a distinct enclosing callable for each `VariableNode`,
-    // and that can be the `Variable` itself.
-    result = v
-  }
-
-  override IRType getType() { result.getCanonicalLanguageType().hasUnspecifiedType(v.getType(), _) }
-
-  override Location getLocation() { result = v.getLocation() }
-
-  override string toString() { result = v.toString() }
-}
-
-/**
- * Gets the node corresponding to `instr`.
- */
-InstructionNode instructionNode(Instruction instr) { result.getInstruction() = instr }
-
-/**
- * DEPRECATED: use `definitionByReferenceNodeFromArgument` instead.
- *
- * Gets the `Node` corresponding to a definition by reference of the variable
- * that is passed as `argument` of a call.
- */
-deprecated DefinitionByReferenceNode definitionByReferenceNode(Expr e) { result.getArgument() = e }
-
-/**
- * Gets the `Node` corresponding to the value of evaluating `e` or any of its
- * conversions. There is no result if `e` is a `Conversion`. For data flowing
- * _out of_ an expression, like when an argument is passed by reference, use
- * `definitionByReferenceNodeFromArgument` instead.
- */
-ExprNode exprNode(Expr e) { result.getExpr() = e }
-
-/**
- * Gets the `Node` corresponding to the value of evaluating `e`. Here, `e` may
- * be a `Conversion`. For data flowing _out of_ an expression, like when an
- * argument is passed by reference, use
- * `definitionByReferenceNodeFromArgument` instead.
- */
-ExprNode convertedExprNode(Expr e) { result.getConvertedExpr() = e }
-
-/**
- * Gets the `Node` corresponding to the value of `p` at function entry.
- */
-ExplicitParameterNode parameterNode(Parameter p) { result.getParameter() = p }
-
-/**
- * Gets the `Node` corresponding to a definition by reference of the variable
- * that is passed as unconverted `argument` of a call.
- */
-DefinitionByReferenceNode definitionByReferenceNodeFromArgument(Expr argument) {
-  result.getArgument() = argument
-}
-
-/** Gets the `VariableNode` corresponding to the variable `v`. */
-VariableNode variableNode(Variable v) { result.getVariable() = v }
-
-/**
- * DEPRECATED: See UninitializedNode.
- *
- * Gets the `Node` corresponding to the value of an uninitialized local
- * variable `v`.
- */
-Node uninitializedNode(LocalVariable v) { none() }
-
-/**
- * Holds if data flows from `nodeFrom` to `nodeTo` in exactly one local
- * (intra-procedural) step.
- */
-predicate localFlowStep = localFlowStepCached/2;
-
-/**
- * INTERNAL: do not use.
- *
- * This is the local flow predicate that's used as a building block in global
- * data flow. It may have less flow than the `localFlowStep` predicate.
- */
-predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
-  // Operand -> Instruction flow
-  simpleInstructionLocalFlowStep(nodeFrom.asOperand(), nodeTo.asInstruction())
-  or
-  // Instruction -> Operand flow
-  simpleOperandLocalFlowStep(nodeFrom.asInstruction(), nodeTo.asOperand())
-}
-
-pragma[noinline]
-private predicate getFieldSizeOfClass(Class c, Type type, int size) {
-  exists(Field f |
-    f.getDeclaringType() = c and
-    f.getUnderlyingType() = type and
-    type.getSize() = size
-  )
-}
-
-private predicate isSingleFieldClass(Type type, Operand op) {
-  exists(int size, Class c |
-    c = op.getType().getUnderlyingType() and
-    c.getSize() = size and
-    getFieldSizeOfClass(c, type, size)
-  )
-}
-
-private predicate simpleOperandLocalFlowStep(Instruction iFrom, Operand opTo) {
-  // Propagate flow from an instruction to its exact uses.
-  opTo.getDef() = iFrom
-  or
-  opTo = any(ReadSideEffectInstruction read).getSideEffectOperand() and
-  not iFrom.isResultConflated() and
-  iFrom = opTo.getAnyDef()
-  or
-  // Loading a single `int` from an `int *` parameter is not an exact load since
-  // the parameter may point to an entire array rather than a single `int`. The
-  // following rule ensures that any flow going into the
-  // `InitializeIndirectionInstruction`, even if it's for a different array
-  // element, will propagate to a load of the first element.
-  //
-  // Since we're linking `InitializeIndirectionInstruction` and
-  // `LoadInstruction` together directly, this rule will break if there's any
-  // reassignment of the parameter indirection, including a conditional one that
-  // leads to a phi node.
-  exists(InitializeIndirectionInstruction init |
-    iFrom = init and
-    opTo.(LoadOperand).getAnyDef() = init and
-    // Check that the types match. Otherwise we can get flow from an object to
-    // its fields, which leads to field conflation when there's flow from other
-    // fields to the object elsewhere.
-    init.getParameter().getType().getUnspecifiedType().(DerivedType).getBaseType() =
-      opTo.getType().getUnspecifiedType()
-  )
-  or
-  // Flow from stores to structs with a single field to a load of that field.
-  exists(LoadInstruction load |
-    load.getSourceValueOperand() = opTo and
-    opTo.getAnyDef() = iFrom and
-    isSingleFieldClass(pragma[only_bind_out](pragma[only_bind_out](iFrom).getResultType()), opTo)
-  )
-}
-
-private predicate simpleInstructionLocalFlowStep(Operand opFrom, Instruction iTo) {
-  iTo.(CopyInstruction).getSourceValueOperand() = opFrom
-  or
-  iTo.(PhiInstruction).getAnInputOperand() = opFrom
-  or
-  // Treat all conversions as flow, even conversions between different numeric types.
-  iTo.(ConvertInstruction).getUnaryOperand() = opFrom
-  or
-  iTo.(CheckedConvertOrNullInstruction).getUnaryOperand() = opFrom
-  or
-  iTo.(InheritanceConversionInstruction).getUnaryOperand() = opFrom
-  or
-  // A chi instruction represents a point where a new value (the _partial_
-  // operand) may overwrite an old value (the _total_ operand), but the alias
-  // analysis couldn't determine that it surely will overwrite every bit of it or
-  // that it surely will overwrite no bit of it.
-  //
-  // By allowing flow through the total operand, we ensure that flow is not lost
-  // due to shortcomings of the alias analysis. We may get false flow in cases
-  // where the data is indeed overwritten.
-  //
-  // Flow through the partial operand belongs in the taint-tracking libraries
-  // for now.
-  iTo.getAnOperand().(ChiTotalOperand) = opFrom
-  or
-  // Add flow from write side-effects to non-conflated chi instructions through their
-  // partial operands. From there, a `readStep` will find subsequent reads of that field.
-  // Consider the following example:
-  // ```
-  // void setX(Point* p, int new_x) {
-  //   p->x = new_x;
-  // }
-  // ...
-  // setX(&p, taint());
-  // ```
-  // Here, a `WriteSideEffectInstruction` will provide a new definition for `p->x` after the call to
-  // `setX`, which will be melded into `p` through a chi instruction.
-  exists(ChiInstruction chi | chi = iTo |
-    opFrom.getAnyDef() instanceof WriteSideEffectInstruction and
-    chi.getPartialOperand() = opFrom and
-    not chi.isResultConflated() and
-    // In a call such as `set_value(&x->val);` we don't want the memory representing `x` to receive
-    // dataflow by a simple step. Instead, this is handled by field flow. If we add a simple step here
-    // we can get field-to-object flow.
-    not chi.isPartialUpdate()
-  )
-  or
-  // Flow through modeled functions
-  modelFlow(opFrom, iTo)
-}
-
-private predicate modelFlow(Operand opFrom, Instruction iTo) {
-  exists(
-    CallInstruction call, DataFlowFunction func, FunctionInput modelIn, FunctionOutput modelOut
-  |
-    call.getStaticCallTarget() = func and
-    func.hasDataFlow(modelIn, modelOut)
-  |
-    (
-      modelOut.isReturnValue() and
-      iTo = call
-      or
-      // TODO: Add write side effects for return values
-      modelOut.isReturnValueDeref() and
-      iTo = call
-      or
-      exists(int index, WriteSideEffectInstruction outNode |
-        modelOut.isParameterDerefOrQualifierObject(index) and
-        iTo = outNode and
-        outNode = getSideEffectFor(call, index)
-      )
-    ) and
-    (
-      exists(int index |
-        modelIn.isParameterOrQualifierAddress(index) and
-        opFrom = call.getArgumentOperand(index)
-      )
-      or
-      exists(int index, ReadSideEffectInstruction read |
-        modelIn.isParameterDerefOrQualifierObject(index) and
-        read = getSideEffectFor(call, index) and
-        opFrom = read.getSideEffectOperand()
-      )
-    )
-  )
-}
-
-/**
- * Holds if the result is a side effect for instruction `call` on argument
- * index `argument`. This helper predicate makes it easy to join on both of
- * these columns at once, avoiding pathological join orders in case the
- * argument index should get joined first.
- */
-pragma[noinline]
-SideEffectInstruction getSideEffectFor(CallInstruction call, int argument) {
-  call = result.getPrimaryInstruction() and
-  argument = result.(IndexedInstruction).getIndex()
-}
-
-/**
- * Holds if data flows from `source` to `sink` in zero or more local
- * (intra-procedural) steps.
- */
-predicate localFlow(Node source, Node sink) { localFlowStep*(source, sink) }
-
-/**
- * Holds if data can flow from `i1` to `i2` in zero or more
- * local (intra-procedural) steps.
- */
-predicate localInstructionFlow(Instruction e1, Instruction e2) {
-  localFlow(instructionNode(e1), instructionNode(e2))
-}
-
-/**
- * Holds if data can flow from `e1` to `e2` in zero or more
- * local (intra-procedural) steps.
- */
-predicate localExprFlow(Expr e1, Expr e2) { localFlow(exprNode(e1), exprNode(e2)) }
-
-/**
- * Gets a field corresponding to the bit range `[startBit..endBit)` of class `c`, if any.
- */
-private Field getAField(Class c, int startBit, int endBit) {
-  result.getDeclaringType() = c and
-  startBit = 8 * result.getByteOffset() and
-  endBit = 8 * result.getType().getSize() + startBit
-  or
-  exists(Field f, Class cInner |
-    f = c.getAField() and
-    cInner = f.getUnderlyingType() and
-    result = getAField(cInner, startBit - 8 * f.getByteOffset(), endBit - 8 * f.getByteOffset())
-  )
-}
-
-private newtype TContent =
-  TFieldContent(Class c, int startBit, int endBit) { exists(getAField(c, startBit, endBit)) } or
-  TCollectionContent() or
-  TArrayContent()
-
-/**
- * A description of the way data may be stored inside an object. Examples
- * include instance fields, the contents of a collection object, or the contents
- * of an array.
- */
-class Content extends TContent {
-  /** Gets a textual representation of this element. */
-  abstract string toString();
-
-  predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
-    path = "" and sl = 0 and sc = 0 and el = 0 and ec = 0
-  }
-}
-
-/** A reference through an instance field. */
-class FieldContent extends Content, TFieldContent {
-  Class c;
-  int startBit;
-  int endBit;
-
-  FieldContent() { this = TFieldContent(c, startBit, endBit) }
-
-  // Ensure that there's just 1 result for `toString`.
-  override string toString() { result = min(Field f | f = getAField() | f.toString()) }
-
-  predicate hasOffset(Class cl, int start, int end) { cl = c and start = startBit and end = endBit }
-
-  Field getAField() { result = getAField(c, startBit, endBit) }
-}
-
-/** A reference through an array. */
-class ArrayContent extends Content, TArrayContent {
-  override string toString() { result = "[]" }
-}
-
-/** A reference through the contents of some collection-like container. */
-private class CollectionContent extends Content, TCollectionContent {
-  override string toString() { result = "<element>" }
-}
-
-/**
- * A guard that validates some instruction.
- *
- * To use this in a configuration, extend the class and provide a
- * characteristic predicate precisely specifying the guard, and override
- * `checks` to specify what is being validated and in which branch.
- *
- * It is important that all extending classes in scope are disjoint.
- */
-class BarrierGuard extends IRGuardCondition {
-  /** Override this predicate to hold if this guard validates `instr` upon evaluating to `b`. */
-  predicate checksInstr(Instruction instr, boolean b) { none() }
-
-  /** Override this predicate to hold if this guard validates `expr` upon evaluating to `b`. */
-  predicate checks(Expr e, boolean b) { none() }
-
-  /** Gets a node guarded by this guard. */
-  final Node getAGuardedNode() {
-    exists(ValueNumber value, boolean edge |
-      (
-        this.checksInstr(value.getAnInstruction(), edge)
-        or
-        this.checks(value.getAnInstruction().getConvertedResultExpression(), edge)
-      ) and
-      result.asInstruction() = value.getAnInstruction() and
-      this.controls(result.asInstruction().getBlock(), edge)
-    )
-  }
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll

@@ -1,223 +0,0 @@
-private import semmle.code.cpp.ir.IR
-private import semmle.code.cpp.ir.dataflow.DataFlow
-private import ModelUtil
-private import semmle.code.cpp.models.interfaces.DataFlow
-private import semmle.code.cpp.models.interfaces.SideEffect
-
-/**
- * Holds if taint propagates from `nodeFrom` to `nodeTo` in exactly one local
- * (intra-procedural) step.
- */
-predicate localTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-  DataFlow::localFlowStep(nodeFrom, nodeTo)
-  or
-  localAdditionalTaintStep(nodeFrom, nodeTo)
-}
-
-/**
- * Holds if taint can flow in one local step from `nodeFrom` to `nodeTo` excluding
- * local data flow steps. That is, `nodeFrom` and `nodeTo` are likely to represent
- * different objects.
- */
-cached
-predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-  operandToInstructionTaintStep(nodeFrom.asOperand(), nodeTo.asInstruction())
-  or
-  instructionToOperandTaintStep(nodeFrom.asInstruction(), nodeTo.asOperand())
-}
-
-private predicate instructionToOperandTaintStep(Instruction fromInstr, Operand toOperand) {
-  // Propagate flow from the definition of an operand to the operand, even when the overlap is inexact.
-  // We only do this in certain cases:
-  // 1. The instruction's result must not be conflated, and
-  // 2. The instruction's result type is one the types where we expect element-to-object flow. Currently
-  // this is array types and union types. This matches the other two cases of element-to-object flow in
-  // `DefaultTaintTracking`.
-  toOperand.getAnyDef() = fromInstr and
-  not fromInstr.isResultConflated() and
-  (
-    fromInstr.getResultType() instanceof ArrayType or
-    fromInstr.getResultType() instanceof Union
-  )
-  or
-  exists(ReadSideEffectInstruction readInstr |
-    fromInstr = readInstr.getArgumentDef() and
-    toOperand = readInstr.getSideEffectOperand()
-  )
-  or
-  toOperand.(LoadOperand).getAnyDef() = fromInstr
-}
-
-/**
- * Holds if taint propagates from `nodeFrom` to `nodeTo` in exactly one local
- * (intra-procedural) step.
- */
-private predicate operandToInstructionTaintStep(Operand opFrom, Instruction instrTo) {
-  // Taint can flow through expressions that alter the value but preserve
-  // more than one bit of it _or_ expressions that follow data through
-  // pointer indirections.
-  instrTo.getAnOperand() = opFrom and
-  (
-    instrTo instanceof ArithmeticInstruction
-    or
-    instrTo instanceof BitwiseInstruction
-    or
-    instrTo instanceof PointerArithmeticInstruction
-    or
-    // The `CopyInstruction` case is also present in non-taint data flow, but
-    // that uses `getDef` rather than `getAnyDef`. For taint, we want flow
-    // from a definition of `myStruct` to a `myStruct.myField` expression.
-    instrTo instanceof CopyInstruction
-  )
-  or
-  // Unary instructions tend to preserve enough information in practice that we
-  // want taint to flow through.
-  // The exception is `FieldAddressInstruction`. Together with the rules below for
-  // `LoadInstruction`s and `ChiInstruction`s, flow through `FieldAddressInstruction`
-  // could cause flow into one field to come out an unrelated field.
-  // This would happen across function boundaries, where the IR would not be able to
-  // match loads to stores.
-  instrTo.(UnaryInstruction).getUnaryOperand() = opFrom and
-  (
-    not instrTo instanceof FieldAddressInstruction
-    or
-    instrTo.(FieldAddressInstruction).getField().getDeclaringType() instanceof Union
-  )
-  or
-  instrTo.(LoadInstruction).getSourceAddressOperand() = opFrom
-  or
-  // Flow from an element to an array or union that contains it.
-  instrTo.(ChiInstruction).getPartialOperand() = opFrom and
-  not instrTo.isResultConflated() and
-  exists(Type t | instrTo.getResultLanguageType().hasType(t, false) |
-    t instanceof Union
-    or
-    t instanceof ArrayType
-  )
-  or
-  // Until we have flow through indirections across calls, we'll take flow out
-  // of the indirection and into the argument.
-  // When we get proper flow through indirections across calls, this code can be
-  // moved to `adjusedSink` or possibly into the `DataFlow::ExprNode` class.
-  exists(ReadSideEffectInstruction read |
-    read.getSideEffectOperand() = opFrom and
-    read.getArgumentDef() = instrTo
-  )
-  or
-  // Until we have from through indirections across calls, we'll take flow out
-  // of the parameter and into its indirection.
-  // `InitializeIndirectionInstruction` only has a single operand: the address of the
-  // value whose indirection we are initializing. When initializing an indirection of a parameter `p`,
-  // the IR looks like this:
-  // ```
-  // m1 = InitializeParameter[p] : &r1
-  // r2 = Load[p] : r2, m1
-  // m3 = InitializeIndirection[p] : &r2
-  // ```
-  // So by having flow from `r2` to `m3` we're enabling flow from `m1` to `m3`. This relies on the
-  // `LoadOperand`'s overlap being exact.
-  instrTo.(InitializeIndirectionInstruction).getAnOperand() = opFrom
-  or
-  modeledTaintStep(opFrom, instrTo)
-}
-
-/**
- * Holds if taint may propagate from `source` to `sink` in zero or more local
- * (intra-procedural) steps.
- */
-predicate localTaint(DataFlow::Node source, DataFlow::Node sink) { localTaintStep*(source, sink) }
-
-/**
- * Holds if taint can flow from `i1` to `i2` in zero or more
- * local (intra-procedural) steps.
- */
-predicate localInstructionTaint(Instruction i1, Instruction i2) {
-  localTaint(DataFlow::instructionNode(i1), DataFlow::instructionNode(i2))
-}
-
-/**
- * Holds if taint can flow from `e1` to `e2` in zero or more
- * local (intra-procedural) steps.
- */
-predicate localExprTaint(Expr e1, Expr e2) {
-  localTaint(DataFlow::exprNode(e1), DataFlow::exprNode(e2))
-}
-
-/**
- * Holds if the additional step from `src` to `sink` should be included in all
- * global taint flow configurations.
- */
-predicate defaultAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
-  localAdditionalTaintStep(src, sink)
-}
-
-/**
- * Holds if default `TaintTracking::Configuration`s should allow implicit reads
- * of `c` at sinks and inputs to additional taint steps.
- */
-bindingset[node]
-predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::Content c) { none() }
-
-/**
- * Holds if `node` should be a sanitizer in all global taint flow configurations
- * but not in local taint.
- */
-predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
-
-/**
- * Holds if taint can flow from `instrIn` to `instrOut` through a call to a
- * modeled function.
- */
-predicate modeledTaintStep(Operand nodeIn, Instruction nodeOut) {
-  exists(CallInstruction call, TaintFunction func, FunctionInput modelIn, FunctionOutput modelOut |
-    (
-      nodeIn = callInput(call, modelIn)
-      or
-      exists(int n |
-        modelIn.isParameterDerefOrQualifierObject(n) and
-        if n = -1
-        then nodeIn = callInput(call, any(InQualifierObject inQualifier))
-        else nodeIn = callInput(call, any(InParameter inParam | inParam.getIndex() = n))
-      )
-    ) and
-    nodeOut = callOutput(call, modelOut) and
-    call.getStaticCallTarget() = func and
-    func.hasTaintFlow(modelIn, modelOut)
-  )
-  or
-  // Taint flow from one argument to another and data flow from an argument to a
-  // return value. This happens in functions like `strcat` and `memcpy`. We
-  // could model this flow in two separate steps, but that would add reverse
-  // flow from the write side-effect to the call instruction, which may not be
-  // desirable.
-  exists(
-    CallInstruction call, Function func, FunctionInput modelIn, OutParameterDeref modelMidOut,
-    int indexMid, InParameter modelMidIn, OutReturnValue modelOut
-  |
-    nodeIn = callInput(call, modelIn) and
-    nodeOut = callOutput(call, modelOut) and
-    call.getStaticCallTarget() = func and
-    func.(TaintFunction).hasTaintFlow(modelIn, modelMidOut) and
-    func.(DataFlowFunction).hasDataFlow(modelMidIn, modelOut) and
-    modelMidOut.isParameterDeref(indexMid) and
-    modelMidIn.isParameter(indexMid)
-  )
-  or
-  // Taint flow from a pointer argument to an output, when the model specifies flow from the deref
-  // to that output, but the deref is not modeled in the IR for the caller.
-  exists(
-    CallInstruction call, ReadSideEffectInstruction read, Function func, FunctionInput modelIn,
-    FunctionOutput modelOut
-  |
-    read.getSideEffectOperand() = callInput(call, modelIn) and
-    read.getArgumentDef() = nodeIn.getDef() and
-    not read.getSideEffect().isResultModeled() and
-    call.getStaticCallTarget() = func and
-    (
-      func.(DataFlowFunction).hasDataFlow(modelIn, modelOut)
-      or
-      func.(TaintFunction).hasTaintFlow(modelIn, modelOut)
-    ) and
-    nodeOut = callOutput(call, modelOut)
-  )
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll

@@ -1,120 +0,0 @@
-/**
- * Provides an implementation of global (interprocedural) taint tracking.
- * This file re-exports the local (intraprocedural) taint-tracking analysis
- * from `TaintTrackingParameter::Public` and adds a global analysis, mainly
- * exposed through the `Configuration` class. For some languages, this file
- * exists in several identical copies, allowing queries to use multiple
- * `Configuration` classes that depend on each other without introducing
- * mutual recursion among those configurations.
- */
-
-import TaintTrackingParameter::Public
-private import TaintTrackingParameter::Private
-
-/**
- * A configuration of interprocedural taint tracking analysis. This defines
- * sources, sinks, and any other configurable aspect of the analysis. Each
- * use of the taint tracking library must define its own unique extension of
- * this abstract class.
- *
- * A taint-tracking configuration is a special data flow configuration
- * (`DataFlow::Configuration`) that allows for flow through nodes that do not
- * necessarily preserve values but are still relevant from a taint tracking
- * perspective. (For example, string concatenation, where one of the operands
- * is tainted.)
- *
- * To create a configuration, extend this class with a subclass whose
- * characteristic predicate is a unique singleton string. For example, write
- *
- * ```ql
- * class MyAnalysisConfiguration extends TaintTracking::Configuration {
- *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
- *   // Override `isSource` and `isSink`.
- *   // Optionally override `isSanitizer`.
- *   // Optionally override `isSanitizerIn`.
- *   // Optionally override `isSanitizerOut`.
- *   // Optionally override `isSanitizerGuard`.
- *   // Optionally override `isAdditionalTaintStep`.
- * }
- * ```
- *
- * Then, to query whether there is flow between some `source` and `sink`,
- * write
- *
- * ```ql
- * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
- * ```
- *
- * Multiple configurations can coexist, but it is unsupported to depend on
- * another `TaintTracking::Configuration` or a `DataFlow::Configuration` in the
- * overridden predicates that define sources, sinks, or additional steps.
- * Instead, the dependency should go to a `TaintTracking2::Configuration` or a
- * `DataFlow2::Configuration`, `DataFlow3::Configuration`, etc.
- */
-abstract class Configuration extends DataFlow::Configuration {
-  bindingset[this]
-  Configuration() { any() }
-
-  /**
-   * Holds if `source` is a relevant taint source.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSource(DataFlow::Node source);
-
-  /**
-   * Holds if `sink` is a relevant taint sink.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSink(DataFlow::Node sink);
-
-  /** Holds if the node `node` is a taint sanitizer. */
-  predicate isSanitizer(DataFlow::Node node) { none() }
-
-  final override predicate isBarrier(DataFlow::Node node) {
-    isSanitizer(node) or
-    defaultTaintSanitizer(node)
-  }
-
-  /** Holds if taint propagation into `node` is prohibited. */
-  predicate isSanitizerIn(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node) { isSanitizerIn(node) }
-
-  /** Holds if taint propagation out of `node` is prohibited. */
-  predicate isSanitizerOut(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node) { isSanitizerOut(node) }
-
-  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
-  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
-
-  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) { isSanitizerGuard(guard) }
-
-  /**
-   * Holds if the additional taint propagation step from `node1` to `node2`
-   * must be taken into account in the analysis.
-   */
-  predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
-
-  final override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    isAdditionalTaintStep(node1, node2) or
-    defaultAdditionalTaintStep(node1, node2)
-  }
-
-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
-    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
-    defaultImplicitTaintRead(node, c)
-  }
-
-  /**
-   * Holds if taint may flow from `source` to `sink` for this configuration.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
-    super.hasFlow(source, sink)
-  }
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll

@@ -1,120 +0,0 @@
-/**
- * Provides an implementation of global (interprocedural) taint tracking.
- * This file re-exports the local (intraprocedural) taint-tracking analysis
- * from `TaintTrackingParameter::Public` and adds a global analysis, mainly
- * exposed through the `Configuration` class. For some languages, this file
- * exists in several identical copies, allowing queries to use multiple
- * `Configuration` classes that depend on each other without introducing
- * mutual recursion among those configurations.
- */
-
-import TaintTrackingParameter::Public
-private import TaintTrackingParameter::Private
-
-/**
- * A configuration of interprocedural taint tracking analysis. This defines
- * sources, sinks, and any other configurable aspect of the analysis. Each
- * use of the taint tracking library must define its own unique extension of
- * this abstract class.
- *
- * A taint-tracking configuration is a special data flow configuration
- * (`DataFlow::Configuration`) that allows for flow through nodes that do not
- * necessarily preserve values but are still relevant from a taint tracking
- * perspective. (For example, string concatenation, where one of the operands
- * is tainted.)
- *
- * To create a configuration, extend this class with a subclass whose
- * characteristic predicate is a unique singleton string. For example, write
- *
- * ```ql
- * class MyAnalysisConfiguration extends TaintTracking::Configuration {
- *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
- *   // Override `isSource` and `isSink`.
- *   // Optionally override `isSanitizer`.
- *   // Optionally override `isSanitizerIn`.
- *   // Optionally override `isSanitizerOut`.
- *   // Optionally override `isSanitizerGuard`.
- *   // Optionally override `isAdditionalTaintStep`.
- * }
- * ```
- *
- * Then, to query whether there is flow between some `source` and `sink`,
- * write
- *
- * ```ql
- * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
- * ```
- *
- * Multiple configurations can coexist, but it is unsupported to depend on
- * another `TaintTracking::Configuration` or a `DataFlow::Configuration` in the
- * overridden predicates that define sources, sinks, or additional steps.
- * Instead, the dependency should go to a `TaintTracking2::Configuration` or a
- * `DataFlow2::Configuration`, `DataFlow3::Configuration`, etc.
- */
-abstract class Configuration extends DataFlow::Configuration {
-  bindingset[this]
-  Configuration() { any() }
-
-  /**
-   * Holds if `source` is a relevant taint source.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSource(DataFlow::Node source);
-
-  /**
-   * Holds if `sink` is a relevant taint sink.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSink(DataFlow::Node sink);
-
-  /** Holds if the node `node` is a taint sanitizer. */
-  predicate isSanitizer(DataFlow::Node node) { none() }
-
-  final override predicate isBarrier(DataFlow::Node node) {
-    isSanitizer(node) or
-    defaultTaintSanitizer(node)
-  }
-
-  /** Holds if taint propagation into `node` is prohibited. */
-  predicate isSanitizerIn(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node) { isSanitizerIn(node) }
-
-  /** Holds if taint propagation out of `node` is prohibited. */
-  predicate isSanitizerOut(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node) { isSanitizerOut(node) }
-
-  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
-  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
-
-  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) { isSanitizerGuard(guard) }
-
-  /**
-   * Holds if the additional taint propagation step from `node1` to `node2`
-   * must be taken into account in the analysis.
-   */
-  predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
-
-  final override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    isAdditionalTaintStep(node1, node2) or
-    defaultAdditionalTaintStep(node1, node2)
-  }
-
-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
-    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
-    defaultImplicitTaintRead(node, c)
-  }
-
-  /**
-   * Holds if taint may flow from `source` to `sink` for this configuration.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
-    super.hasFlow(source, sink)
-  }
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll

@@ -1,120 +0,0 @@
-/**
- * Provides an implementation of global (interprocedural) taint tracking.
- * This file re-exports the local (intraprocedural) taint-tracking analysis
- * from `TaintTrackingParameter::Public` and adds a global analysis, mainly
- * exposed through the `Configuration` class. For some languages, this file
- * exists in several identical copies, allowing queries to use multiple
- * `Configuration` classes that depend on each other without introducing
- * mutual recursion among those configurations.
- */
-
-import TaintTrackingParameter::Public
-private import TaintTrackingParameter::Private
-
-/**
- * A configuration of interprocedural taint tracking analysis. This defines
- * sources, sinks, and any other configurable aspect of the analysis. Each
- * use of the taint tracking library must define its own unique extension of
- * this abstract class.
- *
- * A taint-tracking configuration is a special data flow configuration
- * (`DataFlow::Configuration`) that allows for flow through nodes that do not
- * necessarily preserve values but are still relevant from a taint tracking
- * perspective. (For example, string concatenation, where one of the operands
- * is tainted.)
- *
- * To create a configuration, extend this class with a subclass whose
- * characteristic predicate is a unique singleton string. For example, write
- *
- * ```ql
- * class MyAnalysisConfiguration extends TaintTracking::Configuration {
- *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
- *   // Override `isSource` and `isSink`.
- *   // Optionally override `isSanitizer`.
- *   // Optionally override `isSanitizerIn`.
- *   // Optionally override `isSanitizerOut`.
- *   // Optionally override `isSanitizerGuard`.
- *   // Optionally override `isAdditionalTaintStep`.
- * }
- * ```
- *
- * Then, to query whether there is flow between some `source` and `sink`,
- * write
- *
- * ```ql
- * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
- * ```
- *
- * Multiple configurations can coexist, but it is unsupported to depend on
- * another `TaintTracking::Configuration` or a `DataFlow::Configuration` in the
- * overridden predicates that define sources, sinks, or additional steps.
- * Instead, the dependency should go to a `TaintTracking2::Configuration` or a
- * `DataFlow2::Configuration`, `DataFlow3::Configuration`, etc.
- */
-abstract class Configuration extends DataFlow::Configuration {
-  bindingset[this]
-  Configuration() { any() }
-
-  /**
-   * Holds if `source` is a relevant taint source.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSource(DataFlow::Node source);
-
-  /**
-   * Holds if `sink` is a relevant taint sink.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSink(DataFlow::Node sink);
-
-  /** Holds if the node `node` is a taint sanitizer. */
-  predicate isSanitizer(DataFlow::Node node) { none() }
-
-  final override predicate isBarrier(DataFlow::Node node) {
-    isSanitizer(node) or
-    defaultTaintSanitizer(node)
-  }
-
-  /** Holds if taint propagation into `node` is prohibited. */
-  predicate isSanitizerIn(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node) { isSanitizerIn(node) }
-
-  /** Holds if taint propagation out of `node` is prohibited. */
-  predicate isSanitizerOut(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node) { isSanitizerOut(node) }
-
-  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
-  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
-
-  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) { isSanitizerGuard(guard) }
-
-  /**
-   * Holds if the additional taint propagation step from `node1` to `node2`
-   * must be taken into account in the analysis.
-   */
-  predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
-
-  final override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    isAdditionalTaintStep(node1, node2) or
-    defaultAdditionalTaintStep(node1, node2)
-  }
-
-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
-    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
-    defaultImplicitTaintRead(node, c)
-  }
-
-  /**
-   * Holds if taint may flow from `source` to `sink` for this configuration.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
-    super.hasFlow(source, sink)
-  }
-}

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRConsistency.qll

@@ -1,527 +0,0 @@
-private import IR
-import InstructionConsistency // module is below
-import IRTypeConsistency // module is in IRType.qll
-
-module InstructionConsistency {
-  private import internal.InstructionImports as Imports
-  private import Imports::OperandTag
-  private import Imports::Overlap
-  private import internal.IRInternal
-
-  private newtype TOptionalIRFunction =
-    TPresentIRFunction(IRFunction irFunc) or
-    TMissingIRFunction()
-
-  /**
-   * An `IRFunction` that might not exist. This is used so that we can produce consistency failures
-   * for IR that also incorrectly lacks a `getEnclosingIRFunction()`.
-   */
-  abstract private class OptionalIRFunction extends TOptionalIRFunction {
-    abstract string toString();
-
-    abstract Language::Location getLocation();
-  }
-
-  private class PresentIRFunction extends OptionalIRFunction, TPresentIRFunction {
-    private IRFunction irFunc;
-
-    PresentIRFunction() { this = TPresentIRFunction(irFunc) }
-
-    override string toString() {
-      result = concat(Language::getIdentityString(irFunc.getFunction()), "; ")
-    }
-
-    override Language::Location getLocation() {
-      // To avoid an overwhelming number of results when the extractor merges functions with the
-      // same name, just pick a single location.
-      result =
-        min(Language::Location loc | loc = irFunc.getLocation() | loc order by loc.toString())
-    }
-  }
-
-  private class MissingIRFunction extends OptionalIRFunction, TMissingIRFunction {
-    override string toString() { result = "<Missing IRFunction>" }
-
-    override Language::Location getLocation() { result instanceof Language::UnknownDefaultLocation }
-  }
-
-  private OptionalIRFunction getInstructionIRFunction(Instruction instr) {
-    result = TPresentIRFunction(instr.getEnclosingIRFunction())
-    or
-    not exists(instr.getEnclosingIRFunction()) and result = TMissingIRFunction()
-  }
-
-  pragma[inline]
-  private OptionalIRFunction getInstructionIRFunction(Instruction instr, string irFuncText) {
-    result = getInstructionIRFunction(instr) and
-    irFuncText = result.toString()
-  }
-
-  private OptionalIRFunction getOperandIRFunction(Operand operand) {
-    result = TPresentIRFunction(operand.getEnclosingIRFunction())
-    or
-    not exists(operand.getEnclosingIRFunction()) and result = TMissingIRFunction()
-  }
-
-  pragma[inline]
-  private OptionalIRFunction getOperandIRFunction(Operand operand, string irFuncText) {
-    result = getOperandIRFunction(operand) and
-    irFuncText = result.toString()
-  }
-
-  private OptionalIRFunction getBlockIRFunction(IRBlock block) {
-    result = TPresentIRFunction(block.getEnclosingIRFunction())
-    or
-    not exists(block.getEnclosingIRFunction()) and result = TMissingIRFunction()
-  }
-
-  /**
-   * Holds if instruction `instr` is missing an expected operand with tag `tag`.
-   */
-  query predicate missingOperand(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(OperandTag tag |
-      instr.getOpcode().hasOperand(tag) and
-      not exists(NonPhiOperand operand |
-        operand = instr.getAnOperand() and
-        operand.getOperandTag() = tag
-      ) and
-      message =
-        "Instruction '" + instr.getOpcode().toString() +
-          "' is missing an expected operand with tag '" + tag.toString() + "' in function '$@'." and
-      irFunc = getInstructionIRFunction(instr, irFuncText)
-    )
-  }
-
-  /**
-   * Holds if instruction `instr` has an unexpected operand with tag `tag`.
-   */
-  query predicate unexpectedOperand(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(OperandTag tag |
-      exists(NonPhiOperand operand |
-        operand = instr.getAnOperand() and
-        operand.getOperandTag() = tag
-      ) and
-      not instr.getOpcode().hasOperand(tag) and
-      not (instr instanceof CallInstruction and tag instanceof ArgumentOperandTag) and
-      not (
-        instr instanceof BuiltInOperationInstruction and tag instanceof PositionalArgumentOperandTag
-      ) and
-      not (instr instanceof InlineAsmInstruction and tag instanceof AsmOperandTag) and
-      message =
-        "Instruction '" + instr.toString() + "' has unexpected operand '" + tag.toString() +
-          "' in function '$@'." and
-      irFunc = getInstructionIRFunction(instr, irFuncText)
-    )
-  }
-
-  /**
-   * Holds if instruction `instr` has multiple operands with tag `tag`.
-   */
-  query predicate duplicateOperand(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(OperandTag tag, int operandCount |
-      operandCount =
-        strictcount(NonPhiOperand operand |
-          operand = instr.getAnOperand() and
-          operand.getOperandTag() = tag
-        ) and
-      operandCount > 1 and
-      message =
-        "Instruction has " + operandCount + " operands with tag '" + tag.toString() + "'" +
-          " in function '$@'." and
-      irFunc = getInstructionIRFunction(instr, irFuncText)
-    )
-  }
-
-  /**
-   * Holds if `Phi` instruction `instr` is missing an operand corresponding to
-   * the predecessor block `pred`.
-   */
-  query predicate missingPhiOperand(
-    PhiInstruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(IRBlock pred |
-      pred = instr.getBlock().getAPredecessor() and
-      not exists(PhiInputOperand operand |
-        operand = instr.getAnOperand() and
-        operand.getPredecessorBlock() = pred
-      ) and
-      message =
-        "Instruction '" + instr.toString() + "' is missing an operand for predecessor block '" +
-          pred.toString() + "' in function '$@'." and
-      irFunc = getInstructionIRFunction(instr, irFuncText)
-    )
-  }
-
-  query predicate missingOperandType(
-    Operand operand, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(Instruction use |
-      not exists(operand.getType()) and
-      use = operand.getUse() and
-      message =
-        "Operand '" + operand.toString() + "' of instruction '" + use.getOpcode().toString() +
-          "' is missing a type in function '$@'." and
-      irFunc = getOperandIRFunction(operand, irFuncText)
-    )
-  }
-
-  query predicate duplicateChiOperand(
-    ChiInstruction chi, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    chi.getTotal() = chi.getPartial() and
-    message =
-      "Chi instruction for " + chi.getPartial().toString() +
-        " has duplicate operands in function '$@'." and
-    irFunc = getInstructionIRFunction(chi, irFuncText)
-  }
-
-  query predicate sideEffectWithoutPrimary(
-    SideEffectInstruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    not exists(instr.getPrimaryInstruction()) and
-    message =
-      "Side effect instruction '" + instr + "' is missing a primary instruction in function '$@'." and
-    irFunc = getInstructionIRFunction(instr, irFuncText)
-  }
-
-  /**
-   * Holds if an instruction, other than `ExitFunction`, has no successors.
-   */
-  query predicate instructionWithoutSuccessor(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    not exists(instr.getASuccessor()) and
-    not instr instanceof ExitFunctionInstruction and
-    // Phi instructions aren't linked into the instruction-level flow graph.
-    not instr instanceof PhiInstruction and
-    not instr instanceof UnreachedInstruction and
-    message = "Instruction '" + instr.toString() + "' has no successors in function '$@'." and
-    irFunc = getInstructionIRFunction(instr, irFuncText)
-  }
-
-  /**
-   * Holds if there are multiple edges of the same kind from `source`.
-   */
-  query predicate ambiguousSuccessors(
-    Instruction source, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(EdgeKind kind, int n |
-      n = strictcount(Instruction t | source.getSuccessor(kind) = t) and
-      n > 1 and
-      message =
-        "Instruction '" + source.toString() + "' has " + n.toString() + " successors of kind '" +
-          kind.toString() + "' in function '$@'." and
-      irFunc = getInstructionIRFunction(source, irFuncText)
-    )
-  }
-
-  /**
-   * Holds if `instr` is part of a loop even though the AST of `instr`'s enclosing function
-   * contains no element that can cause loops.
-   */
-  query predicate unexplainedLoop(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(Language::Function f |
-      exists(IRBlock block |
-        instr.getBlock() = block and
-        block.getEnclosingFunction() = f and
-        block.getASuccessor+() = block
-      ) and
-      not Language::hasPotentialLoop(f) and
-      message =
-        "Instruction '" + instr.toString() + "' is part of an unexplained loop in function '$@'." and
-      irFunc = getInstructionIRFunction(instr, irFuncText)
-    )
-  }
-
-  /**
-   * Holds if a `Phi` instruction is present in a block with fewer than two
-   * predecessors.
-   */
-  query predicate unnecessaryPhiInstruction(
-    PhiInstruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(int n |
-      n = count(instr.getBlock().getAPredecessor()) and
-      n < 2 and
-      message =
-        "Instruction '" + instr.toString() + "' is in a block with only " + n.toString() +
-          " predecessors in function '$@'." and
-      irFunc = getInstructionIRFunction(instr, irFuncText)
-    )
-  }
-
-  /**
-   * Holds if a memory operand is connected to a definition with an unmodeled result.
-   */
-  query predicate memoryOperandDefinitionIsUnmodeled(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(MemoryOperand operand, Instruction def |
-      operand = instr.getAnOperand() and
-      def = operand.getAnyDef() and
-      not def.isResultModeled() and
-      message =
-        "Memory operand definition on instruction '" + instr.toString() +
-          "' has unmodeled result in function '$@'." and
-      irFunc = getInstructionIRFunction(instr, irFuncText)
-    )
-  }
-
-  /**
-   * Holds if operand `operand` consumes a value that was defined in
-   * a different function.
-   */
-  query predicate operandAcrossFunctions(
-    Operand operand, string message, OptionalIRFunction useIRFunc, string useIRFuncText,
-    OptionalIRFunction defIRFunc, string defIRFuncText
-  ) {
-    exists(Instruction useInstr, Instruction defInstr |
-      operand.getUse() = useInstr and
-      operand.getAnyDef() = defInstr and
-      useIRFunc = getInstructionIRFunction(useInstr, useIRFuncText) and
-      defIRFunc = getInstructionIRFunction(defInstr, defIRFuncText) and
-      useIRFunc != defIRFunc and
-      message =
-        "Operand '" + operand.toString() + "' is used on instruction '" + useInstr.toString() +
-          "' in function '$@', but is defined on instruction '" + defInstr.toString() +
-          "' in function '$@'."
-    )
-  }
-
-  /**
-   * Holds if instruction `instr` is not in exactly one block.
-   */
-  query predicate instructionWithoutUniqueBlock(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(int blockCount |
-      blockCount = count(instr.getBlock()) and
-      blockCount != 1 and
-      message =
-        "Instruction '" + instr.toString() + "' is a member of " + blockCount.toString() +
-          " blocks in function '$@'." and
-      irFunc = getInstructionIRFunction(instr, irFuncText)
-    )
-  }
-
-  private predicate forwardEdge(IRBlock b1, IRBlock b2) {
-    b1.getASuccessor() = b2 and
-    not b1.getBackEdgeSuccessor(_) = b2
-  }
-
-  /**
-   * Holds if `f` contains a loop in which no edge is a back edge.
-   *
-   * This check ensures we don't have too _few_ back edges.
-   */
-  query predicate containsLoopOfForwardEdges(IRFunction f, string message) {
-    exists(IRBlock block |
-      forwardEdge+(block, block) and
-      block.getEnclosingIRFunction() = f and
-      message = "Function contains a loop consisting of only forward edges."
-    )
-  }
-
-  /**
-   * Holds if `block` is reachable from its function entry point but would not
-   * be reachable by traversing only forward edges. This check is skipped for
-   * functions containing `goto` statements as the property does not generally
-   * hold there.
-   *
-   * This check ensures we don't have too _many_ back edges.
-   */
-  query predicate lostReachability(
-    IRBlock block, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(IRFunction f, IRBlock entry |
-      entry = f.getEntryBlock() and
-      entry.getASuccessor+() = block and
-      not forwardEdge+(entry, block) and
-      not Language::hasGoto(f.getFunction()) and
-      message =
-        "Block '" + block.toString() +
-          "' is not reachable by traversing only forward edges in function '$@'." and
-      irFunc = TPresentIRFunction(f) and
-      irFuncText = irFunc.toString()
-    )
-  }
-
-  /**
-   * Holds if the number of back edges differs between the `Instruction` graph
-   * and the `IRBlock` graph.
-   */
-  query predicate backEdgeCountMismatch(OptionalIRFunction irFunc, string message) {
-    exists(int fromInstr, int fromBlock |
-      fromInstr =
-        count(Instruction i1, Instruction i2 |
-          getInstructionIRFunction(i1) = irFunc and i1.getBackEdgeSuccessor(_) = i2
-        ) and
-      fromBlock =
-        count(IRBlock b1, IRBlock b2 |
-          getBlockIRFunction(b1) = irFunc and b1.getBackEdgeSuccessor(_) = b2
-        ) and
-      fromInstr != fromBlock and
-      message =
-        "The instruction graph for function '" + irFunc.toString() + "' contains " +
-          fromInstr.toString() + " back edges, but the block graph contains " + fromBlock.toString()
-          + " back edges."
-    )
-  }
-
-  /**
-   * Gets the point in the function at which the specified operand is evaluated. For most operands,
-   * this is at the instruction that consumes the use. For a `PhiInputOperand`, the effective point
-   * of evaluation is at the end of the corresponding predecessor block.
-   */
-  private predicate pointOfEvaluation(Operand operand, IRBlock block, int index) {
-    block = operand.(PhiInputOperand).getPredecessorBlock() and
-    index = block.getInstructionCount()
-    or
-    exists(Instruction use |
-      use = operand.(NonPhiOperand).getUse() and
-      block.getInstruction(index) = use
-    )
-  }
-
-  /**
-   * Holds if `useOperand` has a definition that does not dominate the use.
-   */
-  query predicate useNotDominatedByDefinition(
-    Operand useOperand, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(IRBlock useBlock, int useIndex, Instruction defInstr, IRBlock defBlock, int defIndex |
-      pointOfEvaluation(useOperand, useBlock, useIndex) and
-      defInstr = useOperand.getAnyDef() and
-      (
-        defInstr instanceof PhiInstruction and
-        defBlock = defInstr.getBlock() and
-        defIndex = -1
-        or
-        defBlock.getInstruction(defIndex) = defInstr
-      ) and
-      not (
-        defBlock.strictlyDominates(useBlock)
-        or
-        defBlock = useBlock and
-        defIndex < useIndex
-      ) and
-      message =
-        "Operand '" + useOperand.toString() +
-          "' is not dominated by its definition in function '$@'." and
-      irFunc = getOperandIRFunction(useOperand, irFuncText)
-    )
-  }
-
-  query predicate switchInstructionWithoutDefaultEdge(
-    SwitchInstruction switchInstr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    not exists(switchInstr.getDefaultSuccessor()) and
-    message =
-      "SwitchInstruction " + switchInstr.toString() + " without a DefaultEdge in function '$@'." and
-    irFunc = getInstructionIRFunction(switchInstr, irFuncText)
-  }
-
-  /**
-   * Holds if `instr` is on the chain of chi/phi instructions for all aliased
-   * memory.
-   */
-  private predicate isOnAliasedDefinitionChain(Instruction instr) {
-    instr instanceof AliasedDefinitionInstruction
-    or
-    isOnAliasedDefinitionChain(instr.(ChiInstruction).getTotal())
-    or
-    isOnAliasedDefinitionChain(instr.(PhiInstruction).getAnInputOperand().getAnyDef())
-  }
-
-  private predicate shouldBeConflated(Instruction instr) {
-    isOnAliasedDefinitionChain(instr)
-    or
-    instr.getOpcode() instanceof Opcode::InitializeNonLocal
-  }
-
-  query predicate notMarkedAsConflated(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    shouldBeConflated(instr) and
-    not instr.isResultConflated() and
-    message =
-      "Instruction '" + instr.toString() +
-        "' should be marked as having a conflated result in function '$@'." and
-    irFunc = getInstructionIRFunction(instr, irFuncText)
-  }
-
-  query predicate wronglyMarkedAsConflated(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    instr.isResultConflated() and
-    not shouldBeConflated(instr) and
-    message =
-      "Instruction '" + instr.toString() +
-        "' should not be marked as having a conflated result in function '$@'." and
-    irFunc = getInstructionIRFunction(instr, irFuncText)
-  }
-
-  query predicate invalidOverlap(
-    MemoryOperand useOperand, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(Overlap overlap |
-      overlap = useOperand.getDefinitionOverlap() and
-      overlap instanceof MayPartiallyOverlap and
-      message =
-        "MemoryOperand '" + useOperand.toString() + "' has a `getDefinitionOverlap()` of '" +
-          overlap.toString() + "'." and
-      irFunc = getOperandIRFunction(useOperand, irFuncText)
-    )
-  }
-
-  query predicate nonUniqueEnclosingIRFunction(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(int irFuncCount |
-      irFuncCount = count(instr.getEnclosingIRFunction()) and
-      irFuncCount != 1 and
-      message =
-        "Instruction '" + instr.toString() + "' has " + irFuncCount.toString() +
-          " results for `getEnclosingIRFunction()` in function '$@'." and
-      irFunc = getInstructionIRFunction(instr, irFuncText)
-    )
-  }
-
-  /**
-   * Holds if the object address operand for the given `FieldAddress` instruction does not have an
-   * address type.
-   */
-  query predicate fieldAddressOnNonPointer(
-    FieldAddressInstruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    not instr.getObjectAddressOperand().getIRType() instanceof IRAddressType and
-    message =
-      "FieldAddress instruction '" + instr.toString() +
-        "' has an object address operand that is not an address, in function '$@'." and
-    irFunc = getInstructionIRFunction(instr, irFuncText)
-  }
-
-  /**
-   * Holds if the `this` argument operand for the given `Call` instruction does not have an address
-   * type.
-   */
-  query predicate thisArgumentIsNonPointer(
-    CallInstruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(ThisArgumentOperand thisOperand | thisOperand = instr.getThisArgumentOperand() |
-      not thisOperand.getIRType() instanceof IRAddressType
-    ) and
-    message =
-      "Call instruction '" + instr.toString() +
-        "' has a `this` argument operand that is not an address, in function '$@'." and
-    irFunc = getInstructionIRFunction(instr, irFuncText)
-  }
-}

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRConsistency.qll

@@ -1,527 +0,0 @@
-private import IR
-import InstructionConsistency // module is below
-import IRTypeConsistency // module is in IRType.qll
-
-module InstructionConsistency {
-  private import internal.InstructionImports as Imports
-  private import Imports::OperandTag
-  private import Imports::Overlap
-  private import internal.IRInternal
-
-  private newtype TOptionalIRFunction =
-    TPresentIRFunction(IRFunction irFunc) or
-    TMissingIRFunction()
-
-  /**
-   * An `IRFunction` that might not exist. This is used so that we can produce consistency failures
-   * for IR that also incorrectly lacks a `getEnclosingIRFunction()`.
-   */
-  abstract private class OptionalIRFunction extends TOptionalIRFunction {
-    abstract string toString();
-
-    abstract Language::Location getLocation();
-  }
-
-  private class PresentIRFunction extends OptionalIRFunction, TPresentIRFunction {
-    private IRFunction irFunc;
-
-    PresentIRFunction() { this = TPresentIRFunction(irFunc) }
-
-    override string toString() {
-      result = concat(Language::getIdentityString(irFunc.getFunction()), "; ")
-    }
-
-    override Language::Location getLocation() {
-      // To avoid an overwhelming number of results when the extractor merges functions with the
-      // same name, just pick a single location.
-      result =
-        min(Language::Location loc | loc = irFunc.getLocation() | loc order by loc.toString())
-    }
-  }
-
-  private class MissingIRFunction extends OptionalIRFunction, TMissingIRFunction {
-    override string toString() { result = "<Missing IRFunction>" }
-
-    override Language::Location getLocation() { result instanceof Language::UnknownDefaultLocation }
-  }
-
-  private OptionalIRFunction getInstructionIRFunction(Instruction instr) {
-    result = TPresentIRFunction(instr.getEnclosingIRFunction())
-    or
-    not exists(instr.getEnclosingIRFunction()) and result = TMissingIRFunction()
-  }
-
-  pragma[inline]
-  private OptionalIRFunction getInstructionIRFunction(Instruction instr, string irFuncText) {
-    result = getInstructionIRFunction(instr) and
-    irFuncText = result.toString()
-  }
-
-  private OptionalIRFunction getOperandIRFunction(Operand operand) {
-    result = TPresentIRFunction(operand.getEnclosingIRFunction())
-    or
-    not exists(operand.getEnclosingIRFunction()) and result = TMissingIRFunction()
-  }
-
-  pragma[inline]
-  private OptionalIRFunction getOperandIRFunction(Operand operand, string irFuncText) {
-    result = getOperandIRFunction(operand) and
-    irFuncText = result.toString()
-  }
-
-  private OptionalIRFunction getBlockIRFunction(IRBlock block) {
-    result = TPresentIRFunction(block.getEnclosingIRFunction())
-    or
-    not exists(block.getEnclosingIRFunction()) and result = TMissingIRFunction()
-  }
-
-  /**
-   * Holds if instruction `instr` is missing an expected operand with tag `tag`.
-   */
-  query predicate missingOperand(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(OperandTag tag |
-      instr.getOpcode().hasOperand(tag) and
-      not exists(NonPhiOperand operand |
-        operand = instr.getAnOperand() and
-        operand.getOperandTag() = tag
-      ) and
-      message =
-        "Instruction '" + instr.getOpcode().toString() +
-          "' is missing an expected operand with tag '" + tag.toString() + "' in function '$@'." and
-      irFunc = getInstructionIRFunction(instr, irFuncText)
-    )
-  }
-
-  /**
-   * Holds if instruction `instr` has an unexpected operand with tag `tag`.
-   */
-  query predicate unexpectedOperand(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(OperandTag tag |
-      exists(NonPhiOperand operand |
-        operand = instr.getAnOperand() and
-        operand.getOperandTag() = tag
-      ) and
-      not instr.getOpcode().hasOperand(tag) and
-      not (instr instanceof CallInstruction and tag instanceof ArgumentOperandTag) and
-      not (
-        instr instanceof BuiltInOperationInstruction and tag instanceof PositionalArgumentOperandTag
-      ) and
-      not (instr instanceof InlineAsmInstruction and tag instanceof AsmOperandTag) and
-      message =
-        "Instruction '" + instr.toString() + "' has unexpected operand '" + tag.toString() +
-          "' in function '$@'." and
-      irFunc = getInstructionIRFunction(instr, irFuncText)
-    )
-  }
-
-  /**
-   * Holds if instruction `instr` has multiple operands with tag `tag`.
-   */
-  query predicate duplicateOperand(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(OperandTag tag, int operandCount |
-      operandCount =
-        strictcount(NonPhiOperand operand |
-          operand = instr.getAnOperand() and
-          operand.getOperandTag() = tag
-        ) and
-      operandCount > 1 and
-      message =
-        "Instruction has " + operandCount + " operands with tag '" + tag.toString() + "'" +
-          " in function '$@'." and
-      irFunc = getInstructionIRFunction(instr, irFuncText)
-    )
-  }
-
-  /**
-   * Holds if `Phi` instruction `instr` is missing an operand corresponding to
-   * the predecessor block `pred`.
-   */
-  query predicate missingPhiOperand(
-    PhiInstruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(IRBlock pred |
-      pred = instr.getBlock().getAPredecessor() and
-      not exists(PhiInputOperand operand |
-        operand = instr.getAnOperand() and
-        operand.getPredecessorBlock() = pred
-      ) and
-      message =
-        "Instruction '" + instr.toString() + "' is missing an operand for predecessor block '" +
-          pred.toString() + "' in function '$@'." and
-      irFunc = getInstructionIRFunction(instr, irFuncText)
-    )
-  }
-
-  query predicate missingOperandType(
-    Operand operand, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(Instruction use |
-      not exists(operand.getType()) and
-      use = operand.getUse() and
-      message =
-        "Operand '" + operand.toString() + "' of instruction '" + use.getOpcode().toString() +
-          "' is missing a type in function '$@'." and
-      irFunc = getOperandIRFunction(operand, irFuncText)
-    )
-  }
-
-  query predicate duplicateChiOperand(
-    ChiInstruction chi, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    chi.getTotal() = chi.getPartial() and
-    message =
-      "Chi instruction for " + chi.getPartial().toString() +
-        " has duplicate operands in function '$@'." and
-    irFunc = getInstructionIRFunction(chi, irFuncText)
-  }
-
-  query predicate sideEffectWithoutPrimary(
-    SideEffectInstruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    not exists(instr.getPrimaryInstruction()) and
-    message =
-      "Side effect instruction '" + instr + "' is missing a primary instruction in function '$@'." and
-    irFunc = getInstructionIRFunction(instr, irFuncText)
-  }
-
-  /**
-   * Holds if an instruction, other than `ExitFunction`, has no successors.
-   */
-  query predicate instructionWithoutSuccessor(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    not exists(instr.getASuccessor()) and
-    not instr instanceof ExitFunctionInstruction and
-    // Phi instructions aren't linked into the instruction-level flow graph.
-    not instr instanceof PhiInstruction and
-    not instr instanceof UnreachedInstruction and
-    message = "Instruction '" + instr.toString() + "' has no successors in function '$@'." and
-    irFunc = getInstructionIRFunction(instr, irFuncText)
-  }
-
-  /**
-   * Holds if there are multiple edges of the same kind from `source`.
-   */
-  query predicate ambiguousSuccessors(
-    Instruction source, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(EdgeKind kind, int n |
-      n = strictcount(Instruction t | source.getSuccessor(kind) = t) and
-      n > 1 and
-      message =
-        "Instruction '" + source.toString() + "' has " + n.toString() + " successors of kind '" +
-          kind.toString() + "' in function '$@'." and
-      irFunc = getInstructionIRFunction(source, irFuncText)
-    )
-  }
-
-  /**
-   * Holds if `instr` is part of a loop even though the AST of `instr`'s enclosing function
-   * contains no element that can cause loops.
-   */
-  query predicate unexplainedLoop(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(Language::Function f |
-      exists(IRBlock block |
-        instr.getBlock() = block and
-        block.getEnclosingFunction() = f and
-        block.getASuccessor+() = block
-      ) and
-      not Language::hasPotentialLoop(f) and
-      message =
-        "Instruction '" + instr.toString() + "' is part of an unexplained loop in function '$@'." and
-      irFunc = getInstructionIRFunction(instr, irFuncText)
-    )
-  }
-
-  /**
-   * Holds if a `Phi` instruction is present in a block with fewer than two
-   * predecessors.
-   */
-  query predicate unnecessaryPhiInstruction(
-    PhiInstruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(int n |
-      n = count(instr.getBlock().getAPredecessor()) and
-      n < 2 and
-      message =
-        "Instruction '" + instr.toString() + "' is in a block with only " + n.toString() +
-          " predecessors in function '$@'." and
-      irFunc = getInstructionIRFunction(instr, irFuncText)
-    )
-  }
-
-  /**
-   * Holds if a memory operand is connected to a definition with an unmodeled result.
-   */
-  query predicate memoryOperandDefinitionIsUnmodeled(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(MemoryOperand operand, Instruction def |
-      operand = instr.getAnOperand() and
-      def = operand.getAnyDef() and
-      not def.isResultModeled() and
-      message =
-        "Memory operand definition on instruction '" + instr.toString() +
-          "' has unmodeled result in function '$@'." and
-      irFunc = getInstructionIRFunction(instr, irFuncText)
-    )
-  }
-
-  /**
-   * Holds if operand `operand` consumes a value that was defined in
-   * a different function.
-   */
-  query predicate operandAcrossFunctions(
-    Operand operand, string message, OptionalIRFunction useIRFunc, string useIRFuncText,
-    OptionalIRFunction defIRFunc, string defIRFuncText
-  ) {
-    exists(Instruction useInstr, Instruction defInstr |
-      operand.getUse() = useInstr and
-      operand.getAnyDef() = defInstr and
-      useIRFunc = getInstructionIRFunction(useInstr, useIRFuncText) and
-      defIRFunc = getInstructionIRFunction(defInstr, defIRFuncText) and
-      useIRFunc != defIRFunc and
-      message =
-        "Operand '" + operand.toString() + "' is used on instruction '" + useInstr.toString() +
-          "' in function '$@', but is defined on instruction '" + defInstr.toString() +
-          "' in function '$@'."
-    )
-  }
-
-  /**
-   * Holds if instruction `instr` is not in exactly one block.
-   */
-  query predicate instructionWithoutUniqueBlock(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(int blockCount |
-      blockCount = count(instr.getBlock()) and
-      blockCount != 1 and
-      message =
-        "Instruction '" + instr.toString() + "' is a member of " + blockCount.toString() +
-          " blocks in function '$@'." and
-      irFunc = getInstructionIRFunction(instr, irFuncText)
-    )
-  }
-
-  private predicate forwardEdge(IRBlock b1, IRBlock b2) {
-    b1.getASuccessor() = b2 and
-    not b1.getBackEdgeSuccessor(_) = b2
-  }
-
-  /**
-   * Holds if `f` contains a loop in which no edge is a back edge.
-   *
-   * This check ensures we don't have too _few_ back edges.
-   */
-  query predicate containsLoopOfForwardEdges(IRFunction f, string message) {
-    exists(IRBlock block |
-      forwardEdge+(block, block) and
-      block.getEnclosingIRFunction() = f and
-      message = "Function contains a loop consisting of only forward edges."
-    )
-  }
-
-  /**
-   * Holds if `block` is reachable from its function entry point but would not
-   * be reachable by traversing only forward edges. This check is skipped for
-   * functions containing `goto` statements as the property does not generally
-   * hold there.
-   *
-   * This check ensures we don't have too _many_ back edges.
-   */
-  query predicate lostReachability(
-    IRBlock block, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(IRFunction f, IRBlock entry |
-      entry = f.getEntryBlock() and
-      entry.getASuccessor+() = block and
-      not forwardEdge+(entry, block) and
-      not Language::hasGoto(f.getFunction()) and
-      message =
-        "Block '" + block.toString() +
-          "' is not reachable by traversing only forward edges in function '$@'." and
-      irFunc = TPresentIRFunction(f) and
-      irFuncText = irFunc.toString()
-    )
-  }
-
-  /**
-   * Holds if the number of back edges differs between the `Instruction` graph
-   * and the `IRBlock` graph.
-   */
-  query predicate backEdgeCountMismatch(OptionalIRFunction irFunc, string message) {
-    exists(int fromInstr, int fromBlock |
-      fromInstr =
-        count(Instruction i1, Instruction i2 |
-          getInstructionIRFunction(i1) = irFunc and i1.getBackEdgeSuccessor(_) = i2
-        ) and
-      fromBlock =
-        count(IRBlock b1, IRBlock b2 |
-          getBlockIRFunction(b1) = irFunc and b1.getBackEdgeSuccessor(_) = b2
-        ) and
-      fromInstr != fromBlock and
-      message =
-        "The instruction graph for function '" + irFunc.toString() + "' contains " +
-          fromInstr.toString() + " back edges, but the block graph contains " + fromBlock.toString()
-          + " back edges."
-    )
-  }
-
-  /**
-   * Gets the point in the function at which the specified operand is evaluated. For most operands,
-   * this is at the instruction that consumes the use. For a `PhiInputOperand`, the effective point
-   * of evaluation is at the end of the corresponding predecessor block.
-   */
-  private predicate pointOfEvaluation(Operand operand, IRBlock block, int index) {
-    block = operand.(PhiInputOperand).getPredecessorBlock() and
-    index = block.getInstructionCount()
-    or
-    exists(Instruction use |
-      use = operand.(NonPhiOperand).getUse() and
-      block.getInstruction(index) = use
-    )
-  }
-
-  /**
-   * Holds if `useOperand` has a definition that does not dominate the use.
-   */
-  query predicate useNotDominatedByDefinition(
-    Operand useOperand, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(IRBlock useBlock, int useIndex, Instruction defInstr, IRBlock defBlock, int defIndex |
-      pointOfEvaluation(useOperand, useBlock, useIndex) and
-      defInstr = useOperand.getAnyDef() and
-      (
-        defInstr instanceof PhiInstruction and
-        defBlock = defInstr.getBlock() and
-        defIndex = -1
-        or
-        defBlock.getInstruction(defIndex) = defInstr
-      ) and
-      not (
-        defBlock.strictlyDominates(useBlock)
-        or
-        defBlock = useBlock and
-        defIndex < useIndex
-      ) and
-      message =
-        "Operand '" + useOperand.toString() +
-          "' is not dominated by its definition in function '$@'." and
-      irFunc = getOperandIRFunction(useOperand, irFuncText)
-    )
-  }
-
-  query predicate switchInstructionWithoutDefaultEdge(
-    SwitchInstruction switchInstr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    not exists(switchInstr.getDefaultSuccessor()) and
-    message =
-      "SwitchInstruction " + switchInstr.toString() + " without a DefaultEdge in function '$@'." and
-    irFunc = getInstructionIRFunction(switchInstr, irFuncText)
-  }
-
-  /**
-   * Holds if `instr` is on the chain of chi/phi instructions for all aliased
-   * memory.
-   */
-  private predicate isOnAliasedDefinitionChain(Instruction instr) {
-    instr instanceof AliasedDefinitionInstruction
-    or
-    isOnAliasedDefinitionChain(instr.(ChiInstruction).getTotal())
-    or
-    isOnAliasedDefinitionChain(instr.(PhiInstruction).getAnInputOperand().getAnyDef())
-  }
-
-  private predicate shouldBeConflated(Instruction instr) {
-    isOnAliasedDefinitionChain(instr)
-    or
-    instr.getOpcode() instanceof Opcode::InitializeNonLocal
-  }
-
-  query predicate notMarkedAsConflated(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    shouldBeConflated(instr) and
-    not instr.isResultConflated() and
-    message =
-      "Instruction '" + instr.toString() +
-        "' should be marked as having a conflated result in function '$@'." and
-    irFunc = getInstructionIRFunction(instr, irFuncText)
-  }
-
-  query predicate wronglyMarkedAsConflated(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    instr.isResultConflated() and
-    not shouldBeConflated(instr) and
-    message =
-      "Instruction '" + instr.toString() +
-        "' should not be marked as having a conflated result in function '$@'." and
-    irFunc = getInstructionIRFunction(instr, irFuncText)
-  }
-
-  query predicate invalidOverlap(
-    MemoryOperand useOperand, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(Overlap overlap |
-      overlap = useOperand.getDefinitionOverlap() and
-      overlap instanceof MayPartiallyOverlap and
-      message =
-        "MemoryOperand '" + useOperand.toString() + "' has a `getDefinitionOverlap()` of '" +
-          overlap.toString() + "'." and
-      irFunc = getOperandIRFunction(useOperand, irFuncText)
-    )
-  }
-
-  query predicate nonUniqueEnclosingIRFunction(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(int irFuncCount |
-      irFuncCount = count(instr.getEnclosingIRFunction()) and
-      irFuncCount != 1 and
-      message =
-        "Instruction '" + instr.toString() + "' has " + irFuncCount.toString() +
-          " results for `getEnclosingIRFunction()` in function '$@'." and
-      irFunc = getInstructionIRFunction(instr, irFuncText)
-    )
-  }
-
-  /**
-   * Holds if the object address operand for the given `FieldAddress` instruction does not have an
-   * address type.
-   */
-  query predicate fieldAddressOnNonPointer(
-    FieldAddressInstruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    not instr.getObjectAddressOperand().getIRType() instanceof IRAddressType and
-    message =
-      "FieldAddress instruction '" + instr.toString() +
-        "' has an object address operand that is not an address, in function '$@'." and
-    irFunc = getInstructionIRFunction(instr, irFuncText)
-  }
-
-  /**
-   * Holds if the `this` argument operand for the given `Call` instruction does not have an address
-   * type.
-   */
-  query predicate thisArgumentIsNonPointer(
-    CallInstruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(ThisArgumentOperand thisOperand | thisOperand = instr.getThisArgumentOperand() |
-      not thisOperand.getIRType() instanceof IRAddressType
-    ) and
-    message =
-      "Call instruction '" + instr.toString() +
-        "' has a `this` argument operand that is not an address, in function '$@'." and
-    irFunc = getInstructionIRFunction(instr, irFuncText)
-  }
-}

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.qll

@@ -1,527 +0,0 @@
-private import IR
-import InstructionConsistency // module is below
-import IRTypeConsistency // module is in IRType.qll
-
-module InstructionConsistency {
-  private import internal.InstructionImports as Imports
-  private import Imports::OperandTag
-  private import Imports::Overlap
-  private import internal.IRInternal
-
-  private newtype TOptionalIRFunction =
-    TPresentIRFunction(IRFunction irFunc) or
-    TMissingIRFunction()
-
-  /**
-   * An `IRFunction` that might not exist. This is used so that we can produce consistency failures
-   * for IR that also incorrectly lacks a `getEnclosingIRFunction()`.
-   */
-  abstract private class OptionalIRFunction extends TOptionalIRFunction {
-    abstract string toString();
-
-    abstract Language::Location getLocation();
-  }
-
-  private class PresentIRFunction extends OptionalIRFunction, TPresentIRFunction {
-    private IRFunction irFunc;
-
-    PresentIRFunction() { this = TPresentIRFunction(irFunc) }
-
-    override string toString() {
-      result = concat(Language::getIdentityString(irFunc.getFunction()), "; ")
-    }
-
-    override Language::Location getLocation() {
-      // To avoid an overwhelming number of results when the extractor merges functions with the
-      // same name, just pick a single location.
-      result =
-        min(Language::Location loc | loc = irFunc.getLocation() | loc order by loc.toString())
-    }
-  }
-
-  private class MissingIRFunction extends OptionalIRFunction, TMissingIRFunction {
-    override string toString() { result = "<Missing IRFunction>" }
-
-    override Language::Location getLocation() { result instanceof Language::UnknownDefaultLocation }
-  }
-
-  private OptionalIRFunction getInstructionIRFunction(Instruction instr) {
-    result = TPresentIRFunction(instr.getEnclosingIRFunction())
-    or
-    not exists(instr.getEnclosingIRFunction()) and result = TMissingIRFunction()
-  }
-
-  pragma[inline]
-  private OptionalIRFunction getInstructionIRFunction(Instruction instr, string irFuncText) {
-    result = getInstructionIRFunction(instr) and
-    irFuncText = result.toString()
-  }
-
-  private OptionalIRFunction getOperandIRFunction(Operand operand) {
-    result = TPresentIRFunction(operand.getEnclosingIRFunction())
-    or
-    not exists(operand.getEnclosingIRFunction()) and result = TMissingIRFunction()
-  }
-
-  pragma[inline]
-  private OptionalIRFunction getOperandIRFunction(Operand operand, string irFuncText) {
-    result = getOperandIRFunction(operand) and
-    irFuncText = result.toString()
-  }
-
-  private OptionalIRFunction getBlockIRFunction(IRBlock block) {
-    result = TPresentIRFunction(block.getEnclosingIRFunction())
-    or
-    not exists(block.getEnclosingIRFunction()) and result = TMissingIRFunction()
-  }
-
-  /**
-   * Holds if instruction `instr` is missing an expected operand with tag `tag`.
-   */
-  query predicate missingOperand(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(OperandTag tag |
-      instr.getOpcode().hasOperand(tag) and
-      not exists(NonPhiOperand operand |
-        operand = instr.getAnOperand() and
-        operand.getOperandTag() = tag
-      ) and
-      message =
-        "Instruction '" + instr.getOpcode().toString() +
-          "' is missing an expected operand with tag '" + tag.toString() + "' in function '$@'." and
-      irFunc = getInstructionIRFunction(instr, irFuncText)
-    )
-  }
-
-  /**
-   * Holds if instruction `instr` has an unexpected operand with tag `tag`.
-   */
-  query predicate unexpectedOperand(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(OperandTag tag |
-      exists(NonPhiOperand operand |
-        operand = instr.getAnOperand() and
-        operand.getOperandTag() = tag
-      ) and
-      not instr.getOpcode().hasOperand(tag) and
-      not (instr instanceof CallInstruction and tag instanceof ArgumentOperandTag) and
-      not (
-        instr instanceof BuiltInOperationInstruction and tag instanceof PositionalArgumentOperandTag
-      ) and
-      not (instr instanceof InlineAsmInstruction and tag instanceof AsmOperandTag) and
-      message =
-        "Instruction '" + instr.toString() + "' has unexpected operand '" + tag.toString() +
-          "' in function '$@'." and
-      irFunc = getInstructionIRFunction(instr, irFuncText)
-    )
-  }
-
-  /**
-   * Holds if instruction `instr` has multiple operands with tag `tag`.
-   */
-  query predicate duplicateOperand(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(OperandTag tag, int operandCount |
-      operandCount =
-        strictcount(NonPhiOperand operand |
-          operand = instr.getAnOperand() and
-          operand.getOperandTag() = tag
-        ) and
-      operandCount > 1 and
-      message =
-        "Instruction has " + operandCount + " operands with tag '" + tag.toString() + "'" +
-          " in function '$@'." and
-      irFunc = getInstructionIRFunction(instr, irFuncText)
-    )
-  }
-
-  /**
-   * Holds if `Phi` instruction `instr` is missing an operand corresponding to
-   * the predecessor block `pred`.
-   */
-  query predicate missingPhiOperand(
-    PhiInstruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(IRBlock pred |
-      pred = instr.getBlock().getAPredecessor() and
-      not exists(PhiInputOperand operand |
-        operand = instr.getAnOperand() and
-        operand.getPredecessorBlock() = pred
-      ) and
-      message =
-        "Instruction '" + instr.toString() + "' is missing an operand for predecessor block '" +
-          pred.toString() + "' in function '$@'." and
-      irFunc = getInstructionIRFunction(instr, irFuncText)
-    )
-  }
-
-  query predicate missingOperandType(
-    Operand operand, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(Instruction use |
-      not exists(operand.getType()) and
-      use = operand.getUse() and
-      message =
-        "Operand '" + operand.toString() + "' of instruction '" + use.getOpcode().toString() +
-          "' is missing a type in function '$@'." and
-      irFunc = getOperandIRFunction(operand, irFuncText)
-    )
-  }
-
-  query predicate duplicateChiOperand(
-    ChiInstruction chi, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    chi.getTotal() = chi.getPartial() and
-    message =
-      "Chi instruction for " + chi.getPartial().toString() +
-        " has duplicate operands in function '$@'." and
-    irFunc = getInstructionIRFunction(chi, irFuncText)
-  }
-
-  query predicate sideEffectWithoutPrimary(
-    SideEffectInstruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    not exists(instr.getPrimaryInstruction()) and
-    message =
-      "Side effect instruction '" + instr + "' is missing a primary instruction in function '$@'." and
-    irFunc = getInstructionIRFunction(instr, irFuncText)
-  }
-
-  /**
-   * Holds if an instruction, other than `ExitFunction`, has no successors.
-   */
-  query predicate instructionWithoutSuccessor(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    not exists(instr.getASuccessor()) and
-    not instr instanceof ExitFunctionInstruction and
-    // Phi instructions aren't linked into the instruction-level flow graph.
-    not instr instanceof PhiInstruction and
-    not instr instanceof UnreachedInstruction and
-    message = "Instruction '" + instr.toString() + "' has no successors in function '$@'." and
-    irFunc = getInstructionIRFunction(instr, irFuncText)
-  }
-
-  /**
-   * Holds if there are multiple edges of the same kind from `source`.
-   */
-  query predicate ambiguousSuccessors(
-    Instruction source, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(EdgeKind kind, int n |
-      n = strictcount(Instruction t | source.getSuccessor(kind) = t) and
-      n > 1 and
-      message =
-        "Instruction '" + source.toString() + "' has " + n.toString() + " successors of kind '" +
-          kind.toString() + "' in function '$@'." and
-      irFunc = getInstructionIRFunction(source, irFuncText)
-    )
-  }
-
-  /**
-   * Holds if `instr` is part of a loop even though the AST of `instr`'s enclosing function
-   * contains no element that can cause loops.
-   */
-  query predicate unexplainedLoop(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(Language::Function f |
-      exists(IRBlock block |
-        instr.getBlock() = block and
-        block.getEnclosingFunction() = f and
-        block.getASuccessor+() = block
-      ) and
-      not Language::hasPotentialLoop(f) and
-      message =
-        "Instruction '" + instr.toString() + "' is part of an unexplained loop in function '$@'." and
-      irFunc = getInstructionIRFunction(instr, irFuncText)
-    )
-  }
-
-  /**
-   * Holds if a `Phi` instruction is present in a block with fewer than two
-   * predecessors.
-   */
-  query predicate unnecessaryPhiInstruction(
-    PhiInstruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(int n |
-      n = count(instr.getBlock().getAPredecessor()) and
-      n < 2 and
-      message =
-        "Instruction '" + instr.toString() + "' is in a block with only " + n.toString() +
-          " predecessors in function '$@'." and
-      irFunc = getInstructionIRFunction(instr, irFuncText)
-    )
-  }
-
-  /**
-   * Holds if a memory operand is connected to a definition with an unmodeled result.
-   */
-  query predicate memoryOperandDefinitionIsUnmodeled(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(MemoryOperand operand, Instruction def |
-      operand = instr.getAnOperand() and
-      def = operand.getAnyDef() and
-      not def.isResultModeled() and
-      message =
-        "Memory operand definition on instruction '" + instr.toString() +
-          "' has unmodeled result in function '$@'." and
-      irFunc = getInstructionIRFunction(instr, irFuncText)
-    )
-  }
-
-  /**
-   * Holds if operand `operand` consumes a value that was defined in
-   * a different function.
-   */
-  query predicate operandAcrossFunctions(
-    Operand operand, string message, OptionalIRFunction useIRFunc, string useIRFuncText,
-    OptionalIRFunction defIRFunc, string defIRFuncText
-  ) {
-    exists(Instruction useInstr, Instruction defInstr |
-      operand.getUse() = useInstr and
-      operand.getAnyDef() = defInstr and
-      useIRFunc = getInstructionIRFunction(useInstr, useIRFuncText) and
-      defIRFunc = getInstructionIRFunction(defInstr, defIRFuncText) and
-      useIRFunc != defIRFunc and
-      message =
-        "Operand '" + operand.toString() + "' is used on instruction '" + useInstr.toString() +
-          "' in function '$@', but is defined on instruction '" + defInstr.toString() +
-          "' in function '$@'."
-    )
-  }
-
-  /**
-   * Holds if instruction `instr` is not in exactly one block.
-   */
-  query predicate instructionWithoutUniqueBlock(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(int blockCount |
-      blockCount = count(instr.getBlock()) and
-      blockCount != 1 and
-      message =
-        "Instruction '" + instr.toString() + "' is a member of " + blockCount.toString() +
-          " blocks in function '$@'." and
-      irFunc = getInstructionIRFunction(instr, irFuncText)
-    )
-  }
-
-  private predicate forwardEdge(IRBlock b1, IRBlock b2) {
-    b1.getASuccessor() = b2 and
-    not b1.getBackEdgeSuccessor(_) = b2
-  }
-
-  /**
-   * Holds if `f` contains a loop in which no edge is a back edge.
-   *
-   * This check ensures we don't have too _few_ back edges.
-   */
-  query predicate containsLoopOfForwardEdges(IRFunction f, string message) {
-    exists(IRBlock block |
-      forwardEdge+(block, block) and
-      block.getEnclosingIRFunction() = f and
-      message = "Function contains a loop consisting of only forward edges."
-    )
-  }
-
-  /**
-   * Holds if `block` is reachable from its function entry point but would not
-   * be reachable by traversing only forward edges. This check is skipped for
-   * functions containing `goto` statements as the property does not generally
-   * hold there.
-   *
-   * This check ensures we don't have too _many_ back edges.
-   */
-  query predicate lostReachability(
-    IRBlock block, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(IRFunction f, IRBlock entry |
-      entry = f.getEntryBlock() and
-      entry.getASuccessor+() = block and
-      not forwardEdge+(entry, block) and
-      not Language::hasGoto(f.getFunction()) and
-      message =
-        "Block '" + block.toString() +
-          "' is not reachable by traversing only forward edges in function '$@'." and
-      irFunc = TPresentIRFunction(f) and
-      irFuncText = irFunc.toString()
-    )
-  }
-
-  /**
-   * Holds if the number of back edges differs between the `Instruction` graph
-   * and the `IRBlock` graph.
-   */
-  query predicate backEdgeCountMismatch(OptionalIRFunction irFunc, string message) {
-    exists(int fromInstr, int fromBlock |
-      fromInstr =
-        count(Instruction i1, Instruction i2 |
-          getInstructionIRFunction(i1) = irFunc and i1.getBackEdgeSuccessor(_) = i2
-        ) and
-      fromBlock =
-        count(IRBlock b1, IRBlock b2 |
-          getBlockIRFunction(b1) = irFunc and b1.getBackEdgeSuccessor(_) = b2
-        ) and
-      fromInstr != fromBlock and
-      message =
-        "The instruction graph for function '" + irFunc.toString() + "' contains " +
-          fromInstr.toString() + " back edges, but the block graph contains " + fromBlock.toString()
-          + " back edges."
-    )
-  }
-
-  /**
-   * Gets the point in the function at which the specified operand is evaluated. For most operands,
-   * this is at the instruction that consumes the use. For a `PhiInputOperand`, the effective point
-   * of evaluation is at the end of the corresponding predecessor block.
-   */
-  private predicate pointOfEvaluation(Operand operand, IRBlock block, int index) {
-    block = operand.(PhiInputOperand).getPredecessorBlock() and
-    index = block.getInstructionCount()
-    or
-    exists(Instruction use |
-      use = operand.(NonPhiOperand).getUse() and
-      block.getInstruction(index) = use
-    )
-  }
-
-  /**
-   * Holds if `useOperand` has a definition that does not dominate the use.
-   */
-  query predicate useNotDominatedByDefinition(
-    Operand useOperand, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(IRBlock useBlock, int useIndex, Instruction defInstr, IRBlock defBlock, int defIndex |
-      pointOfEvaluation(useOperand, useBlock, useIndex) and
-      defInstr = useOperand.getAnyDef() and
-      (
-        defInstr instanceof PhiInstruction and
-        defBlock = defInstr.getBlock() and
-        defIndex = -1
-        or
-        defBlock.getInstruction(defIndex) = defInstr
-      ) and
-      not (
-        defBlock.strictlyDominates(useBlock)
-        or
-        defBlock = useBlock and
-        defIndex < useIndex
-      ) and
-      message =
-        "Operand '" + useOperand.toString() +
-          "' is not dominated by its definition in function '$@'." and
-      irFunc = getOperandIRFunction(useOperand, irFuncText)
-    )
-  }
-
-  query predicate switchInstructionWithoutDefaultEdge(
-    SwitchInstruction switchInstr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    not exists(switchInstr.getDefaultSuccessor()) and
-    message =
-      "SwitchInstruction " + switchInstr.toString() + " without a DefaultEdge in function '$@'." and
-    irFunc = getInstructionIRFunction(switchInstr, irFuncText)
-  }
-
-  /**
-   * Holds if `instr` is on the chain of chi/phi instructions for all aliased
-   * memory.
-   */
-  private predicate isOnAliasedDefinitionChain(Instruction instr) {
-    instr instanceof AliasedDefinitionInstruction
-    or
-    isOnAliasedDefinitionChain(instr.(ChiInstruction).getTotal())
-    or
-    isOnAliasedDefinitionChain(instr.(PhiInstruction).getAnInputOperand().getAnyDef())
-  }
-
-  private predicate shouldBeConflated(Instruction instr) {
-    isOnAliasedDefinitionChain(instr)
-    or
-    instr.getOpcode() instanceof Opcode::InitializeNonLocal
-  }
-
-  query predicate notMarkedAsConflated(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    shouldBeConflated(instr) and
-    not instr.isResultConflated() and
-    message =
-      "Instruction '" + instr.toString() +
-        "' should be marked as having a conflated result in function '$@'." and
-    irFunc = getInstructionIRFunction(instr, irFuncText)
-  }
-
-  query predicate wronglyMarkedAsConflated(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    instr.isResultConflated() and
-    not shouldBeConflated(instr) and
-    message =
-      "Instruction '" + instr.toString() +
-        "' should not be marked as having a conflated result in function '$@'." and
-    irFunc = getInstructionIRFunction(instr, irFuncText)
-  }
-
-  query predicate invalidOverlap(
-    MemoryOperand useOperand, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(Overlap overlap |
-      overlap = useOperand.getDefinitionOverlap() and
-      overlap instanceof MayPartiallyOverlap and
-      message =
-        "MemoryOperand '" + useOperand.toString() + "' has a `getDefinitionOverlap()` of '" +
-          overlap.toString() + "'." and
-      irFunc = getOperandIRFunction(useOperand, irFuncText)
-    )
-  }
-
-  query predicate nonUniqueEnclosingIRFunction(
-    Instruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(int irFuncCount |
-      irFuncCount = count(instr.getEnclosingIRFunction()) and
-      irFuncCount != 1 and
-      message =
-        "Instruction '" + instr.toString() + "' has " + irFuncCount.toString() +
-          " results for `getEnclosingIRFunction()` in function '$@'." and
-      irFunc = getInstructionIRFunction(instr, irFuncText)
-    )
-  }
-
-  /**
-   * Holds if the object address operand for the given `FieldAddress` instruction does not have an
-   * address type.
-   */
-  query predicate fieldAddressOnNonPointer(
-    FieldAddressInstruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    not instr.getObjectAddressOperand().getIRType() instanceof IRAddressType and
-    message =
-      "FieldAddress instruction '" + instr.toString() +
-        "' has an object address operand that is not an address, in function '$@'." and
-    irFunc = getInstructionIRFunction(instr, irFuncText)
-  }
-
-  /**
-   * Holds if the `this` argument operand for the given `Call` instruction does not have an address
-   * type.
-   */
-  query predicate thisArgumentIsNonPointer(
-    CallInstruction instr, string message, OptionalIRFunction irFunc, string irFuncText
-  ) {
-    exists(ThisArgumentOperand thisOperand | thisOperand = instr.getThisArgumentOperand() |
-      not thisOperand.getIRType() instanceof IRAddressType
-    ) and
-    message =
-      "Call instruction '" + instr.toString() +
-        "' has a `this` argument operand that is not an address, in function '$@'." and
-    irFunc = getInstructionIRFunction(instr, irFuncText)
-  }
-}

cpp/ql/lib/semmle/code/cpp/models/implementations/MySql.qll

@@ -1,32 +0,0 @@
-/**
- * Provides implementation classes modeling the MySql C API.
- * See `semmle.code.cpp.models.Models` for usage information.
- */
-
-private import semmle.code.cpp.models.interfaces.Sql
-private import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs
-
-/**
- * The `mysql_query` family of functions from the MySQL C API.
- */
-private class MySqlExecutionFunction extends SqlExecutionFunction {
-  MySqlExecutionFunction() {
-    this.hasName(["mysql_query", "mysql_real_query", "mysql_real_query_nonblocking"])
-  }
-
-  override predicate hasSqlArgument(FunctionInput input) { input.isParameterDeref(1) }
-}
-
-/**
- * The `mysql_real_escape_string` family of functions from the MySQL C API.
- */
-private class MySqlBarrierFunction extends SqlBarrierFunction {
-  MySqlBarrierFunction() {
-    this.hasName(["mysql_real_escape_string", "mysql_real_escape_string_quote"])
-  }
-
-  override predicate barrierSqlArgument(FunctionInput input, FunctionOutput output) {
-    input.isParameterDeref(2) and
-    output.isParameterDeref(1)
-  }
-}

cpp/ql/lib/semmle/code/cpp/models/implementations/PostgreSql.qll

@@ -1,94 +0,0 @@
-private import semmle.code.cpp.models.interfaces.Sql
-private import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs
-
-private predicate pqxxTransactionSqlArgument(string function, int arg) {
-  function = "exec" and arg = 0
-  or
-  function = "exec0" and arg = 0
-  or
-  function = "exec1" and arg = 0
-  or
-  function = "exec_n" and arg = 1
-  or
-  function = "exec_params" and arg = 0
-  or
-  function = "exec_params0" and arg = 0
-  or
-  function = "exec_params1" and arg = 0
-  or
-  function = "exec_params_n" and arg = 1
-  or
-  function = "query_value" and arg = 0
-  or
-  function = "stream" and arg = 0
-}
-
-private predicate pqxxConnectionSqlArgument(string function, int arg) {
-  function = "prepare" and arg = 1
-}
-
-private predicate pqxxTransationClassNames(string className, string namespace) {
-  namespace = "pqxx" and
-  className in [
-      "dbtransaction", "nontransaction", "basic_robusttransaction", "robusttransaction",
-      "subtransaction", "transaction", "basic_transaction", "transaction_base", "work"
-    ]
-}
-
-private predicate pqxxConnectionClassNames(string className, string namespace) {
-  namespace = "pqxx" and
-  className in ["connection_base", "basic_connection", "connection"]
-}
-
-private predicate pqxxEscapeArgument(string function, int arg) {
-  arg = 0 and
-  function in ["esc", "esc_raw", "quote", "quote_raw", "quote_name", "quote_table", "esc_like"]
-}
-
-private class PostgreSqlExecutionFunction extends SqlExecutionFunction {
-  PostgreSqlExecutionFunction() {
-    exists(Class c |
-      this.getDeclaringType() = c and
-      // transaction exec and connection prepare variations
-      (
-        pqxxTransationClassNames(c.getName(), c.getNamespace().getName()) and
-        pqxxTransactionSqlArgument(this.getName(), _)
-        or
-        pqxxConnectionSqlArgument(this.getName(), _) and
-        pqxxConnectionClassNames(c.getName(), c.getNamespace().getName())
-      )
-    )
-  }
-
-  override predicate hasSqlArgument(FunctionInput input) {
-    exists(int argIndex |
-      pqxxTransactionSqlArgument(this.getName(), argIndex)
-      or
-      pqxxConnectionSqlArgument(this.getName(), argIndex)
-    |
-      input.isParameterDeref(argIndex)
-    )
-  }
-}
-
-private class PostgreSqlBarrierFunction extends SqlBarrierFunction {
-  PostgreSqlBarrierFunction() {
-    exists(Class c |
-      this.getDeclaringType() = c and
-      // transaction and connection escape functions
-      (
-        pqxxTransationClassNames(c.getName(), c.getNamespace().getName()) or
-        pqxxConnectionClassNames(c.getName(), c.getNamespace().getName())
-      ) and
-      pqxxEscapeArgument(this.getName(), _)
-    )
-  }
-
-  override predicate barrierSqlArgument(FunctionInput input, FunctionOutput output) {
-    exists(int argIndex |
-      input.isParameterDeref(argIndex) and
-      output.isReturnValueDeref() and
-      pqxxEscapeArgument(this.getName(), argIndex)
-    )
-  }
-}

cpp/ql/lib/semmle/code/cpp/models/implementations/SqLite3.qll

@@ -1,21 +0,0 @@
-/**
- * Provides implementation classes modeling the SQLite C API.
- * See `semmle.code.cpp.models.Models` for usage information.
- */
-
-private import semmle.code.cpp.models.interfaces.Sql
-private import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs
-
-/**
- * The `sqlite3_exec` and `sqlite3_prepare` families of functions from the SQLite C API.
- */
-private class SqLite3ExecutionFunction extends SqlExecutionFunction {
-  SqLite3ExecutionFunction() {
-    this.hasName([
-        "sqlite3_exec", "sqlite3_prepare", "sqlite3_prepare_v2", "sqlite3_prepare_v3",
-        "sqlite3_prepare16", "sqlite3_prepare16_v2", "sqlite3_prepare16_v3"
-      ])
-  }
-
-  override predicate hasSqlArgument(FunctionInput input) { input.isParameterDeref(1) }
-}

cpp/ql/lib/semmle/code/cpp/models/interfaces/Sql.qll

@@ -1,30 +0,0 @@
-/**
- * Provides abstract classes for modeling functions that execute and escape SQL query strings.
- * To extend this QL library, create a QL class extending `SqlExecutionFunction` or `SqlEscapeFunction`
- * with a characteristic predicate that selects the function or set of functions you are modeling.
- * Within that class, override the predicates provided by the class to match the way a
- * parameter flows into the function and, in the case of `SqlEscapeFunction`, out of the function.
- */
-
-private import cpp
-
-/**
- * An abstract class that represents a function that executes an SQL query.
- */
-abstract class SqlExecutionFunction extends Function {
-  /**
-   * Holds if `input` to this function represents SQL code to be executed.
-   */
-  abstract predicate hasSqlArgument(FunctionInput input);
-}
-
-/**
- * An abstract class that represents a function that is a barrier to an SQL query string.
- */
-abstract class SqlBarrierFunction extends Function {
-  /**
-   * Holds if the `output` is a barrier to the SQL input `input` such that is it safe to pass to
-   * an `SqlExecutionFunction`.
-   */
-  abstract predicate barrierSqlArgument(FunctionInput input, FunctionOutput output);
-}

cpp/ql/lib/semmle/code/cpp/security/SensitiveExprs.qll

@@ -1,55 +0,0 @@
-/**
- * Provides classes for heuristically identifying variables and functions that
- * might contain or return a password or other sensitive information.
- */
-
-import cpp
-
-/**
- * Holds if the name `s` suggests something might contain or return a password
- * or other sensitive information.
- */
-bindingset[s]
-private predicate suspicious(string s) {
-  (
-    s.matches("%password%") or
-    s.matches("%passwd%") or
-    s.matches("%trusted%")
-  ) and
-  not (
-    s.matches("%hash%") or
-    s.matches("%crypt%") or
-    s.matches("%file%") or
-    s.matches("%path%")
-  )
-}
-
-/**
- * A variable that might contain a password or other sensitive information.
- */
-class SensitiveVariable extends Variable {
-  SensitiveVariable() {
-    suspicious(getName().toLowerCase()) and
-    not this.getUnspecifiedType() instanceof IntegralType
-  }
-}
-
-/**
- * A function that might return a password or other sensitive information.
- */
-class SensitiveFunction extends Function {
-  SensitiveFunction() {
-    suspicious(getName().toLowerCase()) and
-    not this.getUnspecifiedType() instanceof IntegralType
-  }
-}
-
-/**
- * An expression whose value might be a password or other sensitive information.
- */
-class SensitiveExpr extends Expr {
-  SensitiveExpr() {
-    this.(VariableAccess).getTarget() instanceof SensitiveVariable or
-    this.(FunctionCall).getTarget() instanceof SensitiveFunction
-  }
-}

cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql

@@ -7,6 +7,10 @@
 
 import cpp
 
+class AnonymousCompilation extends Compilation {
+  override string toString() { result = "<compilation>" }
+}
+
 string describe(Compilation c) {
   if c.getArgument(1) = "--mimic"
   then result = "compiler invocation " + concat(int i | i > 1 | c.getArgument(i), " " order by i)
@@ -15,4 +19,4 @@ string describe(Compilation c) {
 
 from Compilation c
 where not c.normalTermination()
-select "Extraction aborted for " + describe(c)
+select c, "Extraction aborted for " + describe(c), 2

cpp/ql/src/Likely Bugs/Conversion/ImplicitDowncastFromBitfield.ql

@@ -13,15 +13,10 @@
 
 import cpp
 
-from BitField fi, VariableAccess va, Type fct
+from BitField fi, VariableAccess va
 where
-  (
-    if va.getFullyConverted().getType() instanceof ReferenceType
-    then fct = va.getFullyConverted().getType().(ReferenceType).getBaseType()
-    else fct = va.getFullyConverted().getType()
-  ) and
-  fi.getNumBits() > fct.getSize() * 8 and
-  va.getExplicitlyConverted().getType().getSize() > fct.getSize() and
+  fi.getNumBits() > va.getFullyConverted().getType().getSize() * 8 and
+  va.getExplicitlyConverted().getType().getSize() > va.getFullyConverted().getType().getSize() and
   va.getTarget() = fi and
-  not fct.getUnspecifiedType() instanceof BoolType
+  not va.getActualType() instanceof BoolType
 select va, "Implicit downcast of bitfield $@", fi, fi.toString()

cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql

@@ -19,32 +19,28 @@ import cpp
  * Holds if the argument corresponding to the `pos` conversion specifier
  * of `ffc` is expected to have type `expected`.
  */
+pragma[noopt]
 private predicate formattingFunctionCallExpectedType(
   FormattingFunctionCall ffc, int pos, Type expected
 ) {
-  ffc.getFormat().(FormatLiteral).getConversionType(pos) = expected
+  exists(FormattingFunction f, int i, FormatLiteral fl |
+    ffc instanceof FormattingFunctionCall and
+    ffc.getTarget() = f and
+    f.getFormatParameterIndex() = i and
+    ffc.getArgument(i) = fl and
+    fl.getConversionType(pos) = expected
+  )
 }
 
 /**
  * Holds if the argument corresponding to the `pos` conversion specifier
- * of `ffc` could alternatively have type `expected`, for example on a different
- * platform.
- */
-private predicate formattingFunctionCallAlternateType(
-  FormattingFunctionCall ffc, int pos, Type expected
-) {
-  ffc.getFormat().(FormatLiteral).getConversionTypeAlternate(pos) = expected
-}
-
-/**
- * Holds if the argument corresponding to the `pos` conversion specifier
- * of `ffc` is `arg` and has type `actual`.
+ * of `ffc` is expected to have type `expected` and the corresponding
+ * argument `arg` has type `actual`.
  */
 pragma[noopt]
-predicate formattingFunctionCallActualType(
-  FormattingFunctionCall ffc, int pos, Expr arg, Type actual
-) {
+predicate formatArgType(FormattingFunctionCall ffc, int pos, Type expected, Expr arg, Type actual) {
   exists(Expr argConverted |
+    formattingFunctionCallExpectedType(ffc, pos, expected) and
     ffc.getConversionArgument(pos) = arg and
     argConverted = arg.getFullyConverted() and
     actual = argConverted.getType()
@@ -76,8 +72,7 @@ class ExpectedType extends Type {
   ExpectedType() {
     exists(Type t |
       (
-        formattingFunctionCallExpectedType(_, _, t) or
-        formattingFunctionCallAlternateType(_, _, t) or
+        formatArgType(_, _, t, _, _) or
         formatOtherArgType(_, _, t, _, _)
       ) and
       this = t.getUnspecifiedType()
@@ -96,11 +91,7 @@ class ExpectedType extends Type {
  */
 predicate trivialConversion(ExpectedType expected, Type actual) {
   exists(Type exp, Type act |
-    (
-      formattingFunctionCallExpectedType(_, _, exp) or
-      formattingFunctionCallAlternateType(_, _, exp)
-    ) and
-    formattingFunctionCallActualType(_, _, _, act) and
+    formatArgType(_, _, exp, _, act) and
     expected = exp.getUnspecifiedType() and
     actual = act.getUnspecifiedType()
   ) and
@@ -155,13 +146,9 @@ int sizeof_IntType() { exists(IntType it | result = it.getSize()) }
 from FormattingFunctionCall ffc, int n, Expr arg, Type expected, Type actual
 where
   (
-    formattingFunctionCallExpectedType(ffc, n, expected) and
-    formattingFunctionCallActualType(ffc, n, arg, actual) and
+    formatArgType(ffc, n, expected, arg, actual) and
     not exists(Type anyExpected |
-      (
-        formattingFunctionCallExpectedType(ffc, n, anyExpected) or
-        formattingFunctionCallAlternateType(ffc, n, anyExpected)
-      ) and
+      formatArgType(ffc, n, anyExpected, arg, actual) and
       trivialConversion(anyExpected.getUnspecifiedType(), actual.getUnspecifiedType())
     )
     or

cpp/ql/src/Likely Bugs/Memory Management/ImproperNullTermination.ql

@@ -29,19 +29,11 @@ class ImproperNullTerminationReachability extends StackVariableReachabilityWithR
   override predicate isSourceActual(ControlFlowNode node, StackVariable v) {
     node = declWithNoInit(v)
     or
-    exists(Call c, int bufferArg, int sizeArg |
+    exists(Call c, VariableAccess va |
       c = node and
-      (
-        c.getTarget().hasName("readlink") and bufferArg = 1 and sizeArg = 2
-        or
-        c.getTarget().hasName("readlinkat") and bufferArg = 2 and sizeArg = 3
-      ) and
-      c.getArgument(bufferArg).(VariableAccess).getTarget() = v and
-      (
-        // buffer size parameter likely matches the full buffer size
-        c.getArgument(sizeArg) instanceof SizeofOperator or
-        c.getArgument(sizeArg).getValue().toInt() = v.getType().getSize()
-      )
+      c.getTarget().hasName("readlink") and
+      c.getArgument(1) = va and
+      va.getTarget() = v
     )
   }
 

cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql

@@ -41,7 +41,7 @@ DeclStmt declWithNoInit(LocalVariable v) {
   result.getADeclaration() = v and
   not exists(v.getInitializer()) and
   /* The type of the variable is not stack-allocated. */
-  exists(Type t | t = v.getType() | not allocatedType(t))
+  not allocatedType(v.getType())
 }
 
 class UninitialisedLocalReachability extends StackVariableReachability {

cpp/ql/src/Metrics/Internal/DiagnosticsSumElapsedTimes.ql

@@ -1,12 +0,0 @@
-/**
- * @name Sum of frontend and extractor time
- * @description The sum of elapsed frontend time, and the sum of elapsed extractor time.
- *              This query is for internal use only and may change without notice.
- * @kind table
- * @id cpp/frontend-and-extractor-time
- */
-
-import cpp
-
-select sum(Compilation c, float seconds | compilation_time(c, _, 2, seconds) | seconds) as sum_frontend_elapsed_seconds,
-  sum(Compilation c, float seconds | compilation_time(c, _, 4, seconds) | seconds) as sum_extractor_elapsed_seconds

cpp/ql/src/Microsoft/IgnoreReturnValueSAL.ql

@@ -9,6 +9,7 @@
  * @tags reliability
  *       external/cwe/cwe-573
  *       external/cwe/cwe-252
+ * @opaque-id SM02344
  * @microsoft.severity Important
  */
 

cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql

@@ -30,15 +30,7 @@ class Configuration extends TaintTrackingConfiguration {
   }
 
   override predicate isBarrier(Expr e) {
-    super.isBarrier(e)
-    or
-    e.getUnspecifiedType() instanceof IntegralType
-    or
-    exists(SqlBarrierFunction sql, int arg, FunctionInput input |
-      e = sql.getACallToThisFunction().getArgument(arg) and
-      input.isParameterDeref(arg) and
-      sql.barrierSqlArgument(input, _)
-    )
+    super.isBarrier(e) or e.getUnspecifiedType() instanceof IntegralType
   }
 }
 

cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql

@@ -15,122 +15,58 @@
 import cpp
 import semmle.code.cpp.security.Overflow
 import semmle.code.cpp.security.Security
-import semmle.code.cpp.security.FlowSources
-import semmle.code.cpp.ir.dataflow.TaintTracking
-import DataFlow::PathGraph
+import semmle.code.cpp.security.TaintTracking
+import TaintedWithPath
 import Bounded
 
-/**
- * A function that outputs random data such as `std::rand`.
- */
-abstract class RandomFunction extends Function {
-  /**
-   * Gets the `FunctionOutput` that describes how this function returns the random data.
-   */
-  FunctionOutput getFunctionOutput() { result.isReturnValue() }
+predicate isUnboundedRandCall(FunctionCall fc) {
+  exists(Function func | func = fc.getTarget() |
+    func.hasGlobalOrStdOrBslName("rand") and
+    not bounded(fc) and
+    func.getNumberOfParameters() = 0
+  )
 }
 
-/**
- * The standard function `std::rand`.
- */
-private class StdRand extends RandomFunction {
-  StdRand() {
-    this.hasGlobalOrStdOrBslName("rand") and
-    this.getNumberOfParameters() = 0
-  }
+predicate isUnboundedRandCallOrParent(Expr e) {
+  isUnboundedRandCall(e)
+  or
+  isUnboundedRandCallOrParent(e.getAChild())
 }
 
-/**
- * The Unix function `rand_r`.
- */
-private class RandR extends RandomFunction {
-  RandR() {
-    this.hasGlobalName("rand_r") and
-    this.getNumberOfParameters() = 1
-  }
+predicate isUnboundedRandValue(Expr e) {
+  isUnboundedRandCall(e)
+  or
+  exists(MacroInvocation mi |
+    e = mi.getExpr() and
+    isUnboundedRandCallOrParent(e)
+  )
 }
 
-/**
- * The Unix function `random`.
- */
-private class Random extends RandomFunction {
-  Random() {
-    this.hasGlobalName("random") and
-    this.getNumberOfParameters() = 1
+class SecurityOptionsArith extends SecurityOptions {
+  override predicate isUserInput(Expr expr, string cause) {
+    isUnboundedRandValue(expr) and
+    cause = "rand"
   }
 }
 
-/**
- * The Windows `rand_s` function.
- */
-private class RandS extends RandomFunction {
-  RandS() {
-    this.hasGlobalName("rand_s") and
-    this.getNumberOfParameters() = 1
-  }
-
-  override FunctionOutput getFunctionOutput() { result.isParameterDeref(0) }
-}
-
 predicate missingGuard(VariableAccess va, string effect) {
   exists(Operation op | op.getAnOperand() = va |
-    // underflow - random numbers are usually non-negative, so underflow is
-    // only likely if the type is unsigned. Multiplication is also unlikely to
-    // cause underflow of a non-negative number.
-    missingGuardAgainstUnderflow(op, va) and
-    effect = "underflow" and
-    op.getUnspecifiedType().(IntegralType).isUnsigned() and
-    not op instanceof MulExpr
+    missingGuardAgainstUnderflow(op, va) and effect = "underflow"
     or
-    // overflow
     missingGuardAgainstOverflow(op, va) and effect = "overflow"
   )
 }
 
-class UncontrolledArithConfiguration extends TaintTracking::Configuration {
-  UncontrolledArithConfiguration() { this = "UncontrolledArithConfiguration" }
+class Configuration extends TaintTrackingConfiguration {
+  override predicate isSink(Element e) { missingGuard(e, _) }
 
-  override predicate isSource(DataFlow::Node source) {
-    exists(RandomFunction rand, Call call | call.getTarget() = rand |
-      rand.getFunctionOutput().isReturnValue() and
-      source.asExpr() = call
-      or
-      exists(int n |
-        source.asDefiningArgument() = call.getArgument(n) and
-        rand.getFunctionOutput().isParameterDeref(n)
-      )
-    )
-  }
-
-  override predicate isSink(DataFlow::Node sink) { missingGuard(sink.asExpr(), _) }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    bounded(node.asExpr())
-    or
-    // If this expression is part of bitwise 'and' or 'or' operation it's likely that the value is
-    // only used as a bit pattern.
-    node.asExpr() =
-      any(Operation op |
-        op instanceof BitwiseOrExpr or
-        op instanceof BitwiseAndExpr or
-        op instanceof ComplementExpr
-      ).getAnOperand*()
-    or
-    // block unintended flow to pointers
-    node.asExpr().getUnspecifiedType() instanceof PointerType
-  }
+  override predicate isBarrier(Expr e) { super.isBarrier(e) or bounded(e) }
 }
 
-/** Gets the expression that corresponds to `node`, if any. */
-Expr getExpr(DataFlow::Node node) { result = [node.asExpr(), node.asDefiningArgument()] }
-
-from
-  UncontrolledArithConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink,
-  VariableAccess va, string effect
+from Expr origin, VariableAccess va, string effect, PathNode sourceNode, PathNode sinkNode
 where
-  config.hasFlowPath(source, sink) and
-  sink.getNode().asExpr() = va and
+  taintedWithPath(origin, va, sourceNode, sinkNode) and
   missingGuard(va, effect)
-select sink.getNode(), source, sink,
-  "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".",
-  getExpr(source.getNode()), "Uncontrolled value"
+select va, sourceNode, sinkNode,
+  "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".", origin,
+  "Uncontrolled value"

cpp/ql/src/Security/CWE/CWE-190/Bounded.qll

@@ -7,6 +7,25 @@ private import cpp
 private import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 private import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
 
+/**
+ * An operand `e` of a division expression (i.e., `e` is an operand of either a `DivExpr` or
+ * a `AssignDivExpr`) is bounded when `e` is the left-hand side of the division.
+ */
+pragma[inline]
+private predicate boundedDiv(Expr e, Expr left) { e = left }
+
+/**
+ * An operand `e` of a remainder expression `rem` (i.e., `rem` is either a `RemExpr` or
+ * an `AssignRemExpr`) with left-hand side `left` and right-ahnd side `right` is bounded
+ * when `e` is `left` and `right` is upper bounded by some number that is less than the maximum integer
+ * allowed by the result type of `rem`.
+ */
+pragma[inline]
+private predicate boundedRem(Expr e, Expr rem, Expr left, Expr right) {
+  e = left and
+  upperBound(right.getFullyConverted()) < exprMaxVal(rem.getFullyConverted())
+}
+
 /**
  * An operand `e` of a bitwise and expression `andExpr` (i.e., `andExpr` is either an `BitwiseAndExpr`
  * or an `AssignAndExpr`) with operands `operand1` and `operand2` is the operand that is not `e` is upper
@@ -31,10 +50,19 @@ predicate bounded(Expr e) {
   ) and
   not convertedExprMightOverflow(e)
   or
-  // Optimitically assume that a remainder expression always yields a much smaller value.
-  e = any(RemExpr rem).getLeftOperand()
+  //  For `%` and `&` we require that `e` is bounded by a value that is strictly smaller than the
+  //  maximum possible value of the result type of the operation.
+  //  For example, the function call `rand()` is considered bounded in the following program:
+  //  ```
+  //  int i = rand() % (UINT8_MAX + 1);
+  //  ```
+  //  but not in:
+  //  ```
+  //  unsigned char uc = rand() % (UINT8_MAX + 1);
+  //  ```
+  exists(RemExpr rem | boundedRem(e, rem, rem.getLeftOperand(), rem.getRightOperand()))
   or
-  e = any(AssignRemExpr rem).getLValue()
+  exists(AssignRemExpr rem | boundedRem(e, rem, rem.getLValue(), rem.getRValue()))
   or
   exists(BitwiseAndExpr andExpr |
     boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
@@ -45,11 +73,11 @@ predicate bounded(Expr e) {
   )
   or
   // Optimitically assume that a division always yields a much smaller value.
-  e = any(DivExpr div).getLeftOperand()
+  boundedDiv(e, any(DivExpr div).getLeftOperand())
   or
-  e = any(AssignDivExpr div).getLValue()
+  boundedDiv(e, any(AssignDivExpr div).getLValue())
   or
-  e = any(RShiftExpr shift).getLeftOperand()
+  boundedDiv(e, any(RShiftExpr shift).getLeftOperand())
   or
-  e = any(AssignRShiftExpr div).getLValue()
+  boundedDiv(e, any(AssignRShiftExpr div).getLValue())
 }

cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql

@@ -5,7 +5,7 @@
  * @kind problem
  * @problem.severity warning
  * @security-severity 7.5
- * @precision high
+ * @precision medium
  * @id cpp/cleartext-storage-file
  * @tags security
  *       external/cwe/cwe-313
@@ -14,40 +14,10 @@
 import cpp
 import semmle.code.cpp.security.SensitiveExprs
 import semmle.code.cpp.security.FileWrite
-import semmle.code.cpp.dataflow.DataFlow
-import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 
-/**
- * An operation on a filename.
- */
-predicate filenameOperation(FunctionCall op, Expr path) {
-  exists(string name | name = op.getTarget().getName() |
-    name =
-      [
-        "remove", "unlink", "rmdir", "rename", "fopen", "open", "freopen", "_open", "_wopen",
-        "_wfopen", "_fsopen", "_wfsopen", "chmod", "chown", "stat", "lstat", "fstat", "access",
-        "_access", "_waccess", "_access_s", "_waccess_s"
-      ] and
-    path = op.getArgument(0)
-    or
-    name = ["fopen_s", "wfopen_s", "rename"] and
-    path = op.getArgument(1)
-  )
-}
-
-predicate isFileName(GVN gvn) {
-  exists(FunctionCall op, Expr path |
-    filenameOperation(op, path) and
-    gvn = globalValueNumber(path)
-  )
-}
-
-from FileWrite w, SensitiveExpr source, Expr mid, Expr dest
+from FileWrite w, SensitiveExpr source, Expr dest
 where
-  DataFlow::localFlow(DataFlow::exprNode(source), DataFlow::exprNode(mid)) and
-  mid = w.getASource() and
-  dest = w.getDest() and
-  not isFileName(globalValueNumber(source)) and // file names are not passwords
-  not exists(string convChar | convChar = w.getSourceConvChar(mid) | not convChar = ["s", "S"]) // ignore things written with other conversion characters
+  source = w.getASource() and
+  dest = w.getDest()
 select w, "This write into file '" + dest.toString() + "' may contain unencrypted data from $@",
   source, "this source."

cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql

@@ -6,7 +6,7 @@
  * @kind problem
  * @problem.severity warning
  * @security-severity 7.7
- * @precision high
+ * @precision medium
  * @id cpp/toctou-race-condition
  * @tags security
  *       external/cwe/cwe-367
@@ -16,60 +16,59 @@ import cpp
 import semmle.code.cpp.controlflow.Guards
 
 /**
- * An operation on a filename that is likely to modify the corresponding file
- * and may return an indication of success.
+ * An operation on a filename.
  *
- * Note: we're not interested in operations where the file is specified by a
- * descriptor, rather than a filename, as they are better behaved. We are
- * interested in functions that take a filename and return a file descriptor,
- * however.
+ * Note: we're not interested in operations on file descriptors, as they
+ * are better behaved.
  */
 FunctionCall filenameOperation(Expr path) {
   exists(string name | name = result.getTarget().getName() |
-    name =
-      [
-        "remove", "unlink", "rmdir", "rename", "fopen", "open", "freopen", "_open", "_wopen",
-        "_wfopen", "_fsopen", "_wfsopen"
-      ] and
+    (
+      name = "remove" or
+      name = "unlink" or
+      name = "rmdir" or
+      name = "rename" or
+      name = "chmod" or
+      name = "chown" or
+      name = "fopen" or
+      name = "open" or
+      name = "freopen" or
+      name = "_open" or
+      name = "_wopen" or
+      name = "_wfopen"
+    ) and
     result.getArgument(0) = path
     or
-    name = ["fopen_s", "wfopen_s", "rename"] and
+    (
+      name = "fopen_s" or
+      name = "wfopen_s"
+    ) and
     result.getArgument(1) = path
   )
-  or
-  result = sensitiveFilenameOperation(path)
 }
 
 /**
- * An operation on a filename that is likely to modify the security properties
- * of the corresponding file and may return an indication of success.
- */
-FunctionCall sensitiveFilenameOperation(Expr path) {
-  exists(string name | name = result.getTarget().getName() |
-    name = ["chmod", "chown"] and
-    result.getArgument(0) = path
-  )
-}
-
-/**
- * An operation on a filename that returns information in the return value but
- * does not modify the corresponding file.  For example, `access`.
+ * A use of `access` (or similar) on a filename.
  */
 FunctionCall accessCheck(Expr path) {
   exists(string name | name = result.getTarget().getName() |
-    name = ["access", "_access", "_waccess", "_access_s", "_waccess_s"]
+    name = "access" or
+    name = "_access" or
+    name = "_waccess" or
+    name = "_access_s" or
+    name = "_waccess_s"
   ) and
   path = result.getArgument(0)
 }
 
 /**
- * An operation on a filename that returns information via a pointer argument
- * and any return value, but does not modify the corresponding file.  For
- * example, `stat`.
+ * A use of `stat` (or similar) on a filename.
  */
 FunctionCall stat(Expr path, Expr buf) {
   exists(string name | name = result.getTarget().getName() |
-    name = ["stat", "lstat", "fstat"] or
+    name = "stat" or
+    name = "lstat" or
+    name = "fstat" or
     name.matches("\\_stat%") or
     name.matches("\\_wstat%")
   ) and
@@ -78,7 +77,7 @@ FunctionCall stat(Expr path, Expr buf) {
 }
 
 /**
- * Holds if `use` refers to `source`, either by being the same or by
+ * Holds if `use` points to `source`, either by being the same or by
  * one step of variable indirection.
  */
 predicate referenceTo(Expr source, Expr use) {
@@ -89,45 +88,36 @@ predicate referenceTo(Expr source, Expr use) {
   )
 }
 
-from Expr check, Expr checkPath, FunctionCall use, Expr usePath
+from FunctionCall fc, Expr check, Expr checkUse, Expr opUse
 where
-  // `check` looks like a check on a filename
+  // checkUse looks like a check on a filename
   (
-    (
-      // either:
-      // an access check
-      check = accessCheck(checkPath)
-      or
-      // a stat
-      check = stat(checkPath, _)
-      or
-      // access to a member variable on the stat buf
-      // (morally, this should be a use-use pair, but it seems unlikely
-      // that this variable will get reused in practice)
-      exists(Expr call, Expr e, Variable v |
-        call = stat(checkPath, e) and
-        e.getAChild*().(VariableAccess).getTarget() = v and
-        check.(VariableAccess).getTarget() = v and
-        not e.getAChild*() = check // the call that writes to the pointer is not where the pointer is checked.
-      )
-    ) and
-    // `op` looks like an operation on a filename
-    use = filenameOperation(usePath)
+    // either:
+    // an access check
+    check = accessCheck(checkUse)
+    or
+    // a stat
+    check = stat(checkUse, _)
     or
     // another filename operation (null pointers can indicate errors)
-    check = filenameOperation(checkPath) and
-    // `op` looks like a sensitive operation on a filename
-    use = sensitiveFilenameOperation(usePath)
+    check = filenameOperation(checkUse)
+    or
+    // access to a member variable on the stat buf
+    // (morally, this should be a use-use pair, but it seems unlikely
+    // that this variable will get reused in practice)
+    exists(Variable buf | exists(stat(checkUse, buf.getAnAccess())) |
+      check.(VariableAccess).getQualifier() = buf.getAnAccess()
+    )
   ) and
-  // `checkPath` and `usePath` refer to the same SSA variable
-  exists(SsaDefinition def, StackVariable v |
-    def.getAUse(v) = checkPath and def.getAUse(v) = usePath
-  ) and
-  // the return value of `check` is used (possibly with one step of
-  // variable indirection) in a guard which controls `use`
+  // checkUse and opUse refer to the same SSA variable
+  exists(SsaDefinition def, StackVariable v | def.getAUse(v) = checkUse and def.getAUse(v) = opUse) and
+  // opUse looks like an operation on a filename
+  fc = filenameOperation(opUse) and
+  // the return value of check is used (possibly with one step of
+  // variable indirection) in a guard which controls fc
   exists(GuardCondition guard | referenceTo(check, guard.getAChild*()) |
-    guard.controls(use.(ControlFlowNode).getBasicBlock(), _)
+    guard.controls(fc.(ControlFlowNode).getBasicBlock(), _)
   )
-select use,
+select fc,
   "The $@ being operated upon was previously $@, but the underlying file may have been changed since then.",
-  usePath, "filename", check, "checked"
+  opUse, "filename", check, "checked"

cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql

@@ -6,6 +6,7 @@
  * @kind problem
  * @problem.severity warning
  * @security-severity 7.8
+ * @opaque-id SM02313
  * @id cpp/conditionally-uninitialized-variable
  * @tags security
  *       external/cwe/cwe-457

cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql

@@ -182,7 +182,7 @@ class ThrowingAllocator extends Function {
       // 3. the allocator isn't marked with `throw()` or `noexcept`.
       not exists(this.getBlock()) and
       not exists(Parameter p | p = this.getAParameter() |
-        p.getUnspecifiedType().stripType() instanceof NoThrowType
+        p.getUnspecifiedType() instanceof NoThrowType
       ) and
       not this.isNoExcept() and
       not this.isNoThrow()

cpp/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.qhelp

@@ -26,7 +26,7 @@ can use their own storage.</p>
 <p>Similarly replace calls to <code>localtime</code> with
 <code>localtime_r</code>, calls to <code>ctime</code> with
 <code>ctime_r</code> and calls to <code>asctime</code> with
-<code>asctime_r</code> (if those functions exist on your platform).</p>
+<code>asctime_r</code>.</p>
 
 </recommendation>
 <example>

cpp/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql

@@ -4,7 +4,7 @@
  * @kind problem
  * @problem.severity warning
  * @security-severity 10.0
- * @precision medium
+ * @precision high
  * @id cpp/potentially-dangerous-function
  * @tags reliability
  *       security

cpp/ql/src/Summary/LinesOfCode.ql

@@ -4,6 +4,7 @@
  * @description The total number of lines of C/C++ code across all files, including system headers, libraries, and auto-generated files. This is a useful metric of the size of a database. For all files that were seen during the build, this query counts the lines of code, excluding whitespace or comments.
  * @kind metric
  * @tags summary
+ *       lines-of-code
  */
 
 import cpp

cpp/ql/src/codeql-suites/cpp-code-scanning.qls

@@ -1,6 +1,6 @@
 - description: Standard Code Scanning queries for C and C++
-- queries: .
+- qlpack: codeql-cpp
 - apply: code-scanning-selectors.yml
-  from: codeql/suite-helpers
+  from: codeql-suite-helpers
 - apply: codeql-suites/exclude-slow-queries.yml
-  from: codeql/cpp-queries
+  from: codeql-cpp

cpp/ql/src/codeql-suites/cpp-lgtm-full.qls

@@ -1,9 +1,9 @@
 - description: Standard LGTM queries for C/C++, including ones not displayed by default
-- queries: .
+- qlpack: codeql-cpp
 - apply: lgtm-selectors.yml
-  from: codeql/suite-helpers
+  from: codeql-suite-helpers
 - apply: codeql-suites/exclude-slow-queries.yml
-  from: codeql/cpp-queries
+  from: codeql-cpp 
 # These are only for IDE use.
 - exclude:
     tags contain:

cpp/ql/src/codeql-suites/cpp-lgtm.qls

@@ -1,4 +1,4 @@
 - description: Standard LGTM queries for C/C++
 - apply: codeql-suites/cpp-lgtm-full.qls
 - apply: lgtm-displayed-only.yml
-  from: codeql/suite-helpers
+  from: codeql-suite-helpers

cpp/ql/src/codeql-suites/cpp-security-and-quality.qls

@@ -1,6 +1,6 @@
 - description: Security-and-quality queries for C and C++
-- queries: .
+- qlpack: codeql-cpp
 - apply: security-and-quality-selectors.yml
-  from: codeql/suite-helpers
+  from: codeql-suite-helpers
 - apply: codeql-suites/exclude-slow-queries.yml
-  from: codeql/cpp-queries
+  from: codeql-cpp

cpp/ql/src/codeql-suites/cpp-security-extended.qls

@@ -1,6 +1,6 @@
 - description: Security-extended queries for C and C++
-- queries: .
+- qlpack: codeql-cpp
 - apply: security-extended-selectors.yml
-  from: codeql/suite-helpers
+  from: codeql-suite-helpers
 - apply: codeql-suites/exclude-slow-queries.yml
-  from: codeql/cpp-queries
+  from: codeql-cpp

cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.cpp

@@ -0,0 +1,28 @@
+#include <iostream>
+#include <stdexcept>
+#include <pqxx/pqxx>
+
+int main(int argc, char ** argv) {
+
+    if (argc != 2) { 
+        throw std::runtime_error("Give me a string!");
+    }
+    
+    pqxx::connection c;
+    pqxx::work w(c);
+
+    // BAD
+    char *userName = argv[1];
+    char query1[1000] = {0};
+    sprintf(query1, "SELECT UID FROM USERS where name = \"%s\"", userName);
+    pqxx::row r = w.exec1(query1);
+    w.commit();
+    std::cout << r[0].as<int>() << std::endl;
+
+    // GOOD
+    pqxx::result r2 = w.exec("SELECT " + w.quote(argv[1]));
+    w.commit();
+    std::cout << r2[0][0].c_str() << std::endl;
+
+    return 0;
+}

cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.qhelp

@@ -0,0 +1,31 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>The code passes user input as part of a SQL query without escaping special elements. 
+It generates a SQL query to Postgres using <code>sprintf</code>,
+with the user-supplied data directly passed as an argument
+to <code>sprintf</code>. This leaves the code vulnerable to attack by SQL Injection.</p>
+
+</overview>
+<recommendation>
+
+<p>Use a library routine to escape characters in the user-supplied
+string before converting it to SQL. Use <code>esc</code> and <code>quote</code> pqxx library functions.</p>
+
+</recommendation>
+<example>
+<sample src="SqlPqxxTainted.cpp" />
+
+</example>
+<references>
+
+<li>MSDN Library: <a href="https://docs.microsoft.com/en-us/sql/relational-databases/security/sql-injection">SQL Injection</a>.</li>
+
+
+<!--  LocalWords:  SQL CWE
+ -->
+
+</references>
+</qhelp>