C#: DO NOT MERGE YET! Disable the CLR tracer.

.codeqlmanifest.json

@@ -1,5 +1,4 @@
-{ "provide": [ "ruby/.codeqlmanifest.json",
-                "*/ql/src/qlpack.yml",
+{ "provide": [ "*/ql/src/qlpack.yml",
                "*/ql/lib/qlpack.yml",
                "*/ql/test/qlpack.yml",
                "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml",

.devcontainer/devcontainer.json

@@ -1,14 +1,9 @@
 {
   "extensions": [
-    "rust-lang.rust",
-    "bungcip.better-toml",
     "github.vscode-codeql",
     "slevesque.vscode-zipexplorer"
   ],
   "settings": {
-    "files.watcherExclude": {
-      "**/target/**": true
-    },
     "codeQL.runningQueries.memory": 2048
   }
 }

.github/actions/fetch-codeql/action.yml

@@ -1,14 +0,0 @@
-name: Fetch CodeQL
-description: Fetches the latest version of CodeQL
-runs:
-  using: composite
-  steps:
-    - name: Fetch CodeQL
-      shell: bash
-      run: |
-        LATEST=$(gh release list --repo https://github.com/github/codeql-cli-binaries | cut -f 1 | grep -v beta | sort --version-sort | tail -1)
-        gh release download --repo https://github.com/github/codeql-cli-binaries --pattern codeql-linux64.zip "$LATEST"
-        unzip -q codeql-linux64.zip
-        echo "${{ github.workspace }}/codeql" >> $GITHUB_PATH
-      env:
-        GITHUB_TOKEN: ${{ github.token }}

.github/dependabot.yml

@@ -1,18 +0,0 @@
-version: 2
-updates:
-  - package-ecosystem: "cargo"
-    directory: "ruby/node-types"
-    schedule:
-      interval: "daily"
-  - package-ecosystem: "cargo"
-    directory: "ruby/generator"
-    schedule:
-      interval: "daily"
-  - package-ecosystem: "cargo"
-    directory: "ruby/extractor"
-    schedule:
-      interval: "daily"
-  - package-ecosystem: "cargo"
-    directory: "ruby/autobuilder"
-    schedule:
-      interval: "daily"

.github/workflows/codeql-analysis.yml

@@ -11,8 +11,6 @@ on:
       - 'rc/*'
     paths:
       - 'csharp/**'
-      - '.github/codeql/**'
-      - '.github/workflows/codeql-analysis.yml'
   schedule:
     - cron: '0 9 * * 1'
 
@@ -40,8 +38,8 @@ jobs:
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
-    #- name: Autobuild
-    #  uses: github/codeql-action/autobuild@main
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@main
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -50,8 +48,9 @@ jobs:
     #    and modify them (or add more) to build your code if your project
     #    uses a compiled language
 
-    - run: |
-       dotnet build csharp
+    #- run: |
+    #   make bootstrap
+    #   make release
 
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@main

.github/workflows/csv-coverage-update.yml

@@ -8,7 +8,7 @@ on:
 jobs:
   update:
     name: Update framework coverage report
-    if: github.repository == 'github/codeql'
+    if: github.event.repository.fork == false
     runs-on: ubuntu-latest
 
     steps:

.github/workflows/qhelp-pr-preview.yml

@@ -1,39 +0,0 @@
-name: Query help preview
-
-on:
-  pull_request:
-    branches:
-      - main
-      - 'rc/*'
-    paths:
-      - "ruby/**/*.qhelp"
-
-jobs:
-  qhelp:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-        with:
-          fetch-depth: 2
-      - name: Determine changed files
-        id: changes
-        run: |
-          echo -n "::set-output name=qhelp_files::"
-          (git diff --name-only --diff-filter=ACMRT HEAD~1 HEAD | grep .qhelp$ | grep -v .inc.qhelp;
-           git diff --name-only --diff-filter=ACMRT HEAD~1 HEAD | grep .inc.qhelp$ | xargs -d '\n' -rn1 basename | xargs -d '\n' -rn1 git grep -l) |
-           sort -u | xargs -d '\n' -n1 printf "'%s' "
-
-      - uses: ./.github/actions/fetch-codeql
-
-      - name: QHelp preview
-        if: ${{ steps.changes.outputs.qhelp_files }}
-        run: |
-          ( echo "QHelp previews:";
-          for path in ${{ steps.changes.outputs.qhelp_files }} ; do
-            echo "<details> <summary>${path}</summary>"
-            echo
-            codeql generate query-help --format=markdown ${path}
-            echo "</details>"
-          done) | gh pr comment "${{ github.event.pull_request.number }}" -F -
-        env:
-          GITHUB_TOKEN: ${{ github.token }}

.github/workflows/ruby-build.yml

@@ -1,232 +0,0 @@
-name: "Ruby: Build"
-
-on:
-  push:
-    paths:
-      - 'ruby/**'
-    branches:
-      - main
-      - 'rc/*'
-  pull_request:
-    paths:
-      - 'ruby/**'
-    branches:
-      - main
-      - 'rc/*'
-  workflow_dispatch:
-    inputs:
-      tag:
-        description: "Version tag to create"
-        required: false
-
-env:
-  CARGO_TERM_COLOR: always
-
-defaults:
-  run:
-    working-directory: ruby
-
-jobs:
-  build:
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-
-    runs-on: ${{ matrix.os }}
-
-    steps:
-      - uses: actions/checkout@v2
-      - name: Install GNU tar
-        if: runner.os == 'macOS'
-        run: |
-          brew install gnu-tar
-          echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
-      - uses: actions/cache@v2
-        with:
-          path: |
-            ~/.cargo/registry
-            ~/.cargo/git
-            ruby/target
-          key: ${{ runner.os }}-rust-cargo-${{ hashFiles('**/Cargo.lock') }}
-      - name: Check formatting
-        run: cargo fmt --all -- --check
-      - name: Build
-        run: cargo build --verbose
-      - name: Run tests
-        run: cargo test --verbose
-      - name: Release build
-        run: cargo build --release
-      - name: Generate dbscheme
-        if: ${{ matrix.os == 'ubuntu-latest' }}
-        run: target/release/ruby-generator --dbscheme ql/lib/ruby.dbscheme --library ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
-      - uses: actions/upload-artifact@v2
-        if: ${{ matrix.os == 'ubuntu-latest' }}
-        with:
-          name: ruby.dbscheme
-          path: ruby/ql/lib/ruby.dbscheme
-      - uses: actions/upload-artifact@v2
-        if: ${{ matrix.os == 'ubuntu-latest' }}
-        with:
-          name: TreeSitter.qll
-          path: ruby/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
-      - uses: actions/upload-artifact@v2
-        with:
-          name: extractor-${{ matrix.os }}
-          path: |
-            ruby/target/release/ruby-autobuilder
-            ruby/target/release/ruby-autobuilder.exe
-            ruby/target/release/ruby-extractor
-            ruby/target/release/ruby-extractor.exe
-          retention-days: 1
-  compile-queries:
-    runs-on: ubuntu-latest
-    env:
-      CODEQL_THREADS: 4 # TODO: remove this once it's set by the CLI
-    steps:
-      - uses: actions/checkout@v2
-      - name: Fetch CodeQL
-        run: |
-          LATEST=$(gh release list --repo https://github.com/github/codeql-cli-binaries | cut -f 1 | grep -v beta | sort --version-sort | tail -1)
-          gh release download --repo https://github.com/github/codeql-cli-binaries --pattern codeql-linux64.zip "$LATEST"
-          unzip -q codeql-linux64.zip
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-      - name: Build Query Pack
-        run: |
-          codeql/codeql pack create ql/lib --output target/packs
-          codeql/codeql pack install ql/src
-          codeql/codeql pack create ql/src --output target/packs
-          PACK_FOLDER=$(readlink -f target/packs/codeql/ruby-queries/*)
-          codeql/codeql generate query-help --format=sarifv2.1.0 --output="${PACK_FOLDER}/rules.sarif" ql/src
-          (cd ql/src; find queries \( -name '*.qhelp' -o -name '*.rb' -o -name '*.erb' \) -exec bash -c 'mkdir -p "'"${PACK_FOLDER}"'/$(dirname "{}")"' \; -exec cp "{}" "${PACK_FOLDER}/{}" \;)
-      - name: Compile with previous CodeQL versions
-        run: |
-          for version in  $(gh release list --repo https://github.com/github/codeql-cli-binaries | cut -f 1 | sort --version-sort | tail -3 | head -2); do
-            rm -f codeql-linux64.zip
-            gh release download --repo https://github.com/github/codeql-cli-binaries --pattern codeql-linux64.zip "$version"
-            rm -rf codeql; unzip -q codeql-linux64.zip
-            codeql/codeql query compile target/packs/*
-          done
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-      - uses: actions/upload-artifact@v2
-        with:
-          name: codeql-ruby-queries
-          path: |
-            ruby/target/packs/*
-          retention-days: 1
-
-  package:
-    runs-on: ubuntu-latest
-    needs: [build, compile-queries]
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/download-artifact@v2
-        with:
-          name: ruby.dbscheme
-          path: ruby/ruby
-      - uses: actions/download-artifact@v2
-        with:
-          name: extractor-ubuntu-latest
-          path: ruby/linux64
-      - uses: actions/download-artifact@v2
-        with:
-          name: extractor-windows-latest
-          path: ruby/win64
-      - uses: actions/download-artifact@v2
-        with:
-          name: extractor-macos-latest
-          path: ruby/osx64
-      - run: |
-          mkdir -p ruby
-          cp -r codeql-extractor.yml tools ql/lib/ruby.dbscheme.stats ruby/
-          mkdir -p ruby/tools/{linux64,osx64,win64}
-          cp linux64/ruby-autobuilder ruby/tools/linux64/autobuilder
-          cp osx64/ruby-autobuilder ruby/tools/osx64/autobuilder
-          cp win64/ruby-autobuilder.exe ruby/tools/win64/autobuilder.exe
-          cp linux64/ruby-extractor ruby/tools/linux64/extractor
-          cp osx64/ruby-extractor ruby/tools/osx64/extractor
-          cp win64/ruby-extractor.exe ruby/tools/win64/extractor.exe
-          chmod +x ruby/tools/{linux64,osx64}/{autobuilder,extractor}
-          zip -rq codeql-ruby.zip ruby
-      - uses: actions/upload-artifact@v2
-        with:
-          name: codeql-ruby-pack
-          path: ruby/codeql-ruby.zip
-          retention-days: 1
-      - uses: actions/download-artifact@v2
-        with:
-          name: codeql-ruby-queries
-          path: ruby/qlpacks
-      - run: |
-          echo '{
-            "provide": [
-            "ruby/codeql-extractor.yml",
-            "qlpacks/*/*/*/qlpack.yml"
-            ]
-          }' > .codeqlmanifest.json
-          zip -rq codeql-ruby-bundle.zip .codeqlmanifest.json ruby qlpacks
-      - uses: actions/upload-artifact@v2
-        with:
-          name: codeql-ruby-bundle
-          path: ruby/codeql-ruby-bundle.zip
-          retention-days: 1
-
-  test:
-    defaults:
-      run:
-        working-directory: ${{ github.workspace }}
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-
-    runs-on: ${{ matrix.os }}
-    needs: [package]
-    steps:
-      - uses: actions/checkout@v2
-        with:
-          repository: Shopify/example-ruby-app
-          ref: 67a0decc5eb550f3a9228eda53925c3afd40dfe9
-      - name: Fetch CodeQL
-        shell: bash
-        run: |
-          LATEST=$(gh release list --repo https://github.com/github/codeql-cli-binaries | cut -f 1 | grep -v beta | sort --version-sort | tail -1)
-          gh release download --repo https://github.com/github/codeql-cli-binaries --pattern codeql.zip "$LATEST"
-          unzip -q codeql.zip
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-        working-directory: ${{ runner.temp }}
-      - name: Download Ruby bundle
-        uses: actions/download-artifact@v2
-        with:
-          name: codeql-ruby-bundle
-          path: ${{ runner.temp }}
-      - name: Unzip Ruby bundle
-        shell: bash
-        run: unzip -q -d "${{ runner.temp }}/ruby-bundle" "${{ runner.temp }}/codeql-ruby-bundle.zip"
-      - name: Prepare test files
-        shell: bash
-        run: |
-          echo "import ruby select count(File f)" > "test.ql"
-          echo "| 4 |" > "test.expected"
-          echo 'name: sample-tests
-          version: 0.0.0
-          dependencies:
-            codeql/ruby-all: 0.0.1
-          extractor: ruby
-          tests: .
-          ' > qlpack.yml
-      - name: Run QL test
-        shell: bash
-        run: |
-          "${{ runner.temp }}/codeql/codeql" test run --search-path "${{ runner.temp }}/ruby-bundle" --additional-packs "${{ runner.temp }}/ruby-bundle" .
-      - name: Create database
-        shell: bash
-        run: |
-          "${{ runner.temp }}/codeql/codeql" database create --search-path "${{ runner.temp }}/ruby-bundle" --language ruby --source-root . ../database
-      - name: Analyze database
-        shell: bash
-        run: |
-          "${{ runner.temp }}/codeql/codeql" database analyze --search-path "${{ runner.temp }}/ruby-bundle" --format=sarifv2.1.0 --output=out.sarif ../database ruby-code-scanning.qls

.github/workflows/ruby-dataset-measure.yml

@@ -1,71 +0,0 @@
-name: "Ruby: Collect database stats"
-
-on:
-  push:
-    branches:
-      - main
-      - 'rc/*'
-    paths:
-      - ruby/ql/lib/ruby.dbscheme
-  pull_request:
-    branches:
-      - main
-      - 'rc/*'
-    paths:
-      - ruby/ql/lib/ruby.dbscheme
-  workflow_dispatch:
-
-jobs:
-  measure:
-    env:
-      CODEQL_THREADS: 4 # TODO: remove this once it's set by the CLI
-    strategy:
-      fail-fast: false
-      matrix:
-        repo: [rails/rails, discourse/discourse, spree/spree]
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-
-      - uses: ./.github/actions/fetch-codeql
-
-      - uses: ./ruby/actions/create-extractor-pack
-
-      - name: Checkout ${{ matrix.repo }}
-        uses: actions/checkout@v2
-        with:
-          repository: ${{ matrix.repo }}
-          path: ${{ github.workspace }}/repo
-      - name: Create database
-        run: |
-          codeql database create \
-            --search-path "${{ github.workspace }}/ruby" \
-            --threads 4 \
-            --language ruby --source-root "${{ github.workspace }}/repo" \
-            "${{ runner.temp }}/database"
-      - name: Measure database
-        run: |
-          mkdir -p "stats/${{ matrix.repo }}"
-          codeql dataset measure --threads 4 --output "stats/${{ matrix.repo }}/stats.xml" "${{ runner.temp }}/database/db-ruby"
-      - uses: actions/upload-artifact@v2
-        with:
-          name: measurements
-          path: stats
-          retention-days: 1
-
-  merge:
-    runs-on: ubuntu-latest
-    needs: measure
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/download-artifact@v2
-        with:
-          name: measurements
-          path: stats
-      - run: |
-          python -m pip install --user lxml
-          find stats -name 'stats.xml' | sort | xargs python ruby/scripts/merge_stats.py --output ruby/ql/lib/ruby.dbscheme.stats --normalise ruby_tokeninfo
-      - uses: actions/upload-artifact@v2
-        with:
-          name: ruby.dbscheme.stats
-          path: ruby/ql/lib/ruby.dbscheme.stats

.github/workflows/ruby-qltest.yml

@@ -1,48 +0,0 @@
-name: "Ruby: Run QL Tests"
-
-on:
-  push:
-    paths:
-      - 'ruby/**'
-    branches:
-      - main
-      - 'rc/*'
-  pull_request:
-    paths:
-      - 'ruby/**'
-    branches:
-      - main
-      - 'rc/*'
-
-env:
-  CARGO_TERM_COLOR: always
-
-defaults:
-  run:
-    working-directory: ruby
-
-jobs:
-  qltest:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - uses: ./.github/actions/fetch-codeql
-      - uses: ./ruby/actions/create-extractor-pack
-      - name: Run QL tests
-        run: |
-          codeql test run --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --search-path "${{ github.workspace }}/ruby" --additional-packs "${{ github.workspace }}"  --consistency-queries ql/consistency-queries ql/test
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-      - name: Check QL formatting
-        run: find ql "(" -name "*.ql" -or -name "*.qll" ")" -print0 | xargs -0 codeql query format --check-only
-      - name: Check QL compilation
-        run: |
-          codeql query compile --check-only --threads=4 --warnings=error --search-path "${{ github.workspace }}/ruby" --additional-packs "${{ github.workspace }}" "ql/src" "ql/examples"
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-      - name: Check DB upgrade scripts
-        run: |
-          echo >empty.trap
-          codeql dataset import -S ql/lib/upgrades/initial/ruby.dbscheme testdb empty.trap
-          codeql dataset upgrade testdb --additional-packs ql/lib/upgrades
-          diff -q testdb/ruby.dbscheme ql/lib/ruby.dbscheme

.github/workflows/sync-files.yml

@@ -1,20 +0,0 @@
-name: Check synchronized files
-
-on:
-  push:
-    branches:
-      - main
-      - 'rc/*'
-  pull_request:
-    branches:
-      - main
-      - 'rc/*'
-
-jobs:
-  sync:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - name: Check synchronized files
-        run: python config/sync-files.py
-

CODEOWNERS

@@ -3,7 +3,6 @@
 /java/ @github/codeql-java
 /javascript/ @github/codeql-javascript
 /python/ @github/codeql-python
-/ruby/ @github/codeql-ruby
 
 # Make @xcorail (GitHub Security Lab) a code owner for experimental queries so he gets pinged when we promote a query out of experimental
 /cpp/**/experimental/**/* @github/codeql-c-analysis @xcorail
@@ -11,7 +10,6 @@
 /java/**/experimental/**/* @github/codeql-java @xcorail
 /javascript/**/experimental/**/* @github/codeql-javascript @xcorail
 /python/**/experimental/**/* @github/codeql-python @xcorail
-/ruby/**/experimental/**/* @github/codeql-ruby @xcorail
 
 # Notify members of codeql-go about PRs to the shared data-flow library files
 /java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll @github/codeql-java @github/codeql-go
@@ -24,4 +22,4 @@
 /docs/codeql-cli/ @github/codeql-cli-reviewers
 /docs/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers
 /docs/ql-language-reference/ @github/codeql-frontend-reviewers
-/docs/query-*-style-guide.md @github/codeql-analysis-reviewers
+/docs/query-*-style-guide.md @github/codeql-analysis-reviewers

config/identical-files.json

@@ -24,16 +24,14 @@
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl.qll"
+    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll"
   ],
   "DataFlow Java/C++/C#/Python Common": [
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll",
     "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplCommon.qll"
+    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll"
   ],
   "TaintTracking::Configuration Java/C++/C#/Python": [
     "cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
@@ -51,21 +49,18 @@
     "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking1/TaintTrackingImpl.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking2/TaintTrackingImpl.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
+    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll"
   ],
   "DataFlow Java/C++/C#/Python Consistency checks": [
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll",
     "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplConsistency.qll"
+    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll"
   ],
   "DataFlow Java/C# Flow Summaries": [
     "java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImpl.qll"
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll"
   ],
   "SsaReadPosition Java/C#": [
     "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
@@ -373,8 +368,7 @@
   "Inline Test Expectations": [
     "cpp/ql/test/TestUtilities/InlineExpectationsTest.qll",
     "java/ql/test/TestUtilities/InlineExpectationsTest.qll",
-    "python/ql/test/TestUtilities/InlineExpectationsTest.qll",
-    "ruby/ql/test/TestUtilities/InlineExpectationsTest.qll"
+    "python/ql/test/TestUtilities/InlineExpectationsTest.qll"
   ],
   "C++ ExternalAPIs": [
     "cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll",
@@ -446,8 +440,7 @@
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll",
     "csharp/ql/lib/semmle/code/csharp/controlflow/internal/pressa/SsaImplCommon.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/basessa/SsaImplCommon.qll",
-    "csharp/ql/lib/semmle/code/cil/internal/SsaImplCommon.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/SsaImplCommon.qll"
+    "csharp/ql/lib/semmle/code/cil/internal/SsaImplCommon.qll"
   ],
   "CryptoAlgorithms Python/JS": [
     "javascript/ql/lib/semmle/javascript/security/CryptoAlgorithms.qll",
@@ -467,15 +460,6 @@
   ],
   "ReDoS Polynomial Python/JS": [
     "javascript/ql/lib/semmle/javascript/security/performance/SuperlinearBackTracking.qll",
-    "python/ql/lib/semmle/python/security/performance/SuperlinearBackTracking.qll",
-    "ruby/ql/lib/codeql/ruby/regexp/SuperlinearBackTracking.qll"
-  ],
-  "CFG": [
-    "csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImplShared.qll",
-    "ruby/ql/lib/codeql/ruby/controlflow/internal/ControlFlowGraphImplShared.qll"
-  ],
-  "TypeTracker": [
-    "python/ql/lib/semmle/python/dataflow/new/internal/TypeTracker.qll",
-    "ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll"
+    "python/ql/lib/semmle/python/security/performance/SuperlinearBackTracking.qll"
   ]
-}
+}

cpp/change-notes/2021-06-22-sql-tainted.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The 'Uncontrolled data in SQL query' (cpp/sql-injection) query now supports the `libpqxx` library.

cpp/change-notes/2021-08-31-range-analysis-upper-bound.md

@@ -1,4 +0,0 @@
-lgtm,codescanning
-* The `SimpleRangeAnalysis` library includes information from the
-  immediate guard for determining the upper bound of a stack
-  variable for improved accuracy.

cpp/change-notes/2021-09-13-overflow-static.md

@@ -1,4 +0,0 @@
-lgtm,codescanning
-* The `memberMayBeVarSize` predicate considers more fields to be variable size.
-  As a result, the "Static buffer overflow" query (cpp/static-buffer-overflow)
-  produces fewer false positives.

cpp/ql/lib/semmle/code/cpp/File.qll

@@ -171,7 +171,7 @@ class Container extends Locatable, @container {
  * To get the full path, use `getAbsolutePath`.
  */
 class Folder extends Container, @folder {
-  override string getAbsolutePath() { folders(underlyingElement(this), result) }
+  override string getAbsolutePath() { folders(underlyingElement(this), result, _) }
 
   override Location getLocation() {
     result.getContainer() = this and
@@ -190,7 +190,7 @@ class Folder extends Container, @folder {
    * DEPRECATED: use `getAbsolutePath` instead.
    * Gets the name of this folder.
    */
-  deprecated string getName() { folders(underlyingElement(this), result) }
+  deprecated string getName() { folders(underlyingElement(this), result, _) }
 
   /**
    * DEPRECATED: use `getAbsolutePath` instead.
@@ -208,7 +208,17 @@ class Folder extends Container, @folder {
    * DEPRECATED: use `getBaseName` instead.
    * Gets the last part of the folder name.
    */
-  deprecated string getShortName() { result = this.getBaseName() }
+  deprecated string getShortName() {
+    exists(string longnameRaw, string longname |
+      folders(underlyingElement(this), _, longnameRaw) and
+      longname = longnameRaw.replaceAll("\\", "/")
+    |
+      exists(int index |
+        result = longname.splitAt("/", index) and
+        not exists(longname.splitAt("/", index + 1))
+      )
+    )
+  }
 
   /**
    * DEPRECATED: use `getParentContainer` instead.
@@ -232,7 +242,7 @@ class Folder extends Container, @folder {
  * `getStem` and `getExtension`. To get the full path, use `getAbsolutePath`.
  */
 class File extends Container, @file {
-  override string getAbsolutePath() { files(underlyingElement(this), result) }
+  override string getAbsolutePath() { files(underlyingElement(this), result, _, _, _) }
 
   override string toString() { result = Container.super.toString() }
 
@@ -326,13 +336,7 @@ class File extends Container, @file {
    * for example, for "file.tar.gz", this predicate will have the result
    * "tar.gz", while `getExtension` will have the result "gz".
    */
-  string getExtensions() {
-    exists(string name, int firstDotPos |
-      name = this.getBaseName() and
-      firstDotPos = min([name.indexOf("."), name.length() - 1]) and
-      result = name.suffix(firstDotPos + 1)
-    )
-  }
+  string getExtensions() { files(underlyingElement(this), _, _, result, _) }
 
   /**
    * Gets the short name of this file, that is, the prefix of its base name up
@@ -347,16 +351,7 @@ class File extends Container, @file {
    * for example, for "file.tar.gz", this predicate will have the result
    * "file", while `getStem` will have the result "file.tar".
    */
-  string getShortName() {
-    exists(string name, int firstDotPos |
-      name = this.getBaseName() and
-      firstDotPos = min([name.indexOf("."), name.length()]) and
-      result = name.prefix(firstDotPos)
-    )
-    or
-    this.getAbsolutePath() = "" and
-    result = ""
-  }
+  string getShortName() { files(underlyingElement(this), _, result, _, _) }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll

@@ -2,18 +2,17 @@ import cpp
 import semmle.code.cpp.dataflow.DataFlow
 
 /**
- * Holds if `v` is a member variable of `c` that looks like it might be variable sized
- * in practice. For example:
+ * Holds if `v` is a member variable of `c` that looks like it might be variable sized in practice.  For
+ * example:
  * ```
  * struct myStruct { // c
  *   int amount;
  *   char data[1]; // v
  * };
  * ```
- * This requires that `v` is an array of size 0 or 1, and `v` is the last member of `c`.
- * In addition, if the size of the structure is taken, there must be at least one instance
- * where a `c` pointer is allocated with additional space.
- * For example, holds for `c` if it occurs as
+ * This requires that `v` is an array of size 0 or 1, and `v` is the last member of `c`.  In addition,
+ * there must be at least one instance where a `c` pointer is allocated with additional space.  For
+ * example, holds for `c` if it occurs as
  * ```
  * malloc(sizeof(c) + 100 * sizeof(char))
  * ```
@@ -28,25 +27,27 @@ predicate memberMayBeVarSize(Class c, MemberVariable v) {
     i = max(int j | c.getCanonicalMember(j) instanceof Field | j) and
     v = c.getCanonicalMember(i) and
     // v is an array of size at most 1
-    v.getUnspecifiedType().(ArrayType).getArraySize() <= 1 and
-    not c instanceof Union
+    v.getUnspecifiedType().(ArrayType).getArraySize() <= 1
   ) and
-  // If the size is taken, then arithmetic is performed on the result at least once
   (
-    // `sizeof(c)` is not taken
-    not exists(SizeofOperator so |
-      so.(SizeofTypeOperator).getTypeOperand().getUnspecifiedType() = c or
-      so.(SizeofExprOperator).getExprOperand().getUnspecifiedType() = c
-    )
-    or
-    // or `sizeof(c)` is taken
     exists(SizeofOperator so |
+      // `sizeof(c)` is taken
       so.(SizeofTypeOperator).getTypeOperand().getUnspecifiedType() = c or
       so.(SizeofExprOperator).getExprOperand().getUnspecifiedType() = c
     |
-      // and arithmetic is performed on the result
+      // arithmetic is performed on the result
       so.getParent*() instanceof AddExpr
     )
+    or
+    exists(AddressOfExpr aoe |
+      // `&(c.v)` is taken
+      aoe.getAddressable() = v
+    )
+    or
+    exists(BuiltInOperationBuiltInOffsetOf oo |
+      // `offsetof(c, v)` using a builtin
+      oo.getAChild().(VariableAccess).getTarget() = v
+    )
   )
 }
 
@@ -60,10 +61,6 @@ int getBufferSize(Expr bufferExpr, Element why) {
     result = bufferVar.getUnspecifiedType().(ArrayType).getSize() and
     why = bufferVar and
     not memberMayBeVarSize(_, bufferVar) and
-    not exists(Union bufferType |
-      bufferType.getAMemberVariable() = why and
-      bufferVar.getUnspecifiedType().(ArrayType).getSize() <= 1
-    ) and
     not result = 0 // zero sized arrays are likely to have special usage, for example
     or
     // behaving a bit like a 'union' overlapping other fields.
@@ -85,13 +82,6 @@ int getBufferSize(Expr bufferExpr, Element why) {
       parentPtr.getTarget().getUnspecifiedType().(PointerType).getBaseType() = parentClass and
       result = getBufferSize(parentPtr, _) + bufferVar.getType().getSize() - parentClass.getSize()
     )
-    or
-    exists(Union bufferType |
-      bufferType.getAMemberVariable() = why and
-      why = bufferVar and
-      bufferVar.getUnspecifiedType().(ArrayType).getSize() <= 1 and
-      result = bufferType.getSize()
-    )
   )
   or
   // buffer is a fixed size dynamic allocation

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll

@@ -923,29 +923,28 @@ private module Stage2 {
 
   ApOption apSome(Ap ap) { result = TBooleanSome(ap) }
 
-  class Cc = CallContext;
+  class Cc = boolean;
 
-  class CcCall = CallContextCall;
+  class CcCall extends Cc {
+    CcCall() { this = true }
 
-  class CcNoCall = CallContextNoCall;
+    /** Holds if this call context may be `call`. */
+    predicate matchesCall(DataFlowCall call) { any() }
+  }
 
-  Cc ccNone() { result instanceof CallContextAny }
+  class CcNoCall extends Cc {
+    CcNoCall() { this = false }
+  }
+
+  Cc ccNone() { result = false }
 
   private class LocalCc = Unit;
 
   bindingset[call, c, outercc]
-  private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) {
-    checkCallContextCall(outercc, call, c) and
-    if recordDataFlowCallSiteDispatch(call, c)
-    then result = TSpecificCall(call)
-    else result = TSomeCall()
-  }
+  private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() }
 
   bindingset[call, c, innercc]
-  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) {
-    checkCallContextReturn(innercc, c, call) and
-    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
-  }
+  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
 
   bindingset[node, cc, config]
   private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
@@ -1173,8 +1172,7 @@ private module Stage2 {
       fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-      fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
-        pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
   }
@@ -1862,8 +1860,7 @@ private module Stage3 {
       fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-      fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
-        pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
   }
@@ -2120,7 +2117,7 @@ private module Stage3 {
 private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) {
   exists(AccessPathFront apf |
     Stage3::revFlow(node, true, _, apf, config) and
-    Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config)
+    Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config)
   )
 }
 
@@ -2621,8 +2618,7 @@ private module Stage4 {
       fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-      fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
-        pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
   }
@@ -3324,8 +3320,8 @@ private predicate directReach(PathNode n) {
 /** Holds if `n` can reach a sink or is used in a subpath. */
 private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
 
-/** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and directReach(n2) }
+/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink or is used in a subpath. */
+private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and reach(n2) }
 
 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
 
@@ -3334,7 +3330,7 @@ private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1
  */
 module PathGraph {
   /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b and reach(b) }
+  query predicate edges(PathNode a, PathNode b) { pathSucc(a, b) }
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(PathNode n, string key, string val) {
@@ -3643,10 +3639,9 @@ private module Subpaths {
     PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
-    pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
+    pathThroughCallable(arg, out, _, apout) and
     pathIntoCallable(arg, par, _, innercc, sc, _) and
-    paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _,
-      unbindConf(arg.getConfiguration()))
+    paramFlowsThrough(kind, innercc, sc, apout, _, unbindConf(arg.getConfiguration()))
   }
 
   /**
@@ -3691,8 +3686,8 @@ private module Subpaths {
    */
   predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
     exists(ParamNodeEx p, NodeEx o, AccessPath apout |
-      pragma[only_bind_into](arg).getASuccessor() = par and
-      pragma[only_bind_into](arg).getASuccessor() = out and
+      arg.getASuccessor() = par and
+      arg.getASuccessor() = out and
       subpaths03(arg, p, ret, o, apout) and
       par.getNodeEx() = p and
       out.getNodeEx() = o and

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll

@@ -923,29 +923,28 @@ private module Stage2 {
 
   ApOption apSome(Ap ap) { result = TBooleanSome(ap) }
 
-  class Cc = CallContext;
+  class Cc = boolean;
 
-  class CcCall = CallContextCall;
+  class CcCall extends Cc {
+    CcCall() { this = true }
 
-  class CcNoCall = CallContextNoCall;
+    /** Holds if this call context may be `call`. */
+    predicate matchesCall(DataFlowCall call) { any() }
+  }
 
-  Cc ccNone() { result instanceof CallContextAny }
+  class CcNoCall extends Cc {
+    CcNoCall() { this = false }
+  }
+
+  Cc ccNone() { result = false }
 
   private class LocalCc = Unit;
 
   bindingset[call, c, outercc]
-  private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) {
-    checkCallContextCall(outercc, call, c) and
-    if recordDataFlowCallSiteDispatch(call, c)
-    then result = TSpecificCall(call)
-    else result = TSomeCall()
-  }
+  private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() }
 
   bindingset[call, c, innercc]
-  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) {
-    checkCallContextReturn(innercc, c, call) and
-    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
-  }
+  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
 
   bindingset[node, cc, config]
   private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
@@ -1173,8 +1172,7 @@ private module Stage2 {
       fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-      fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
-        pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
   }
@@ -1862,8 +1860,7 @@ private module Stage3 {
       fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-      fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
-        pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
   }
@@ -2120,7 +2117,7 @@ private module Stage3 {
 private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) {
   exists(AccessPathFront apf |
     Stage3::revFlow(node, true, _, apf, config) and
-    Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config)
+    Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config)
   )
 }
 
@@ -2621,8 +2618,7 @@ private module Stage4 {
       fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-      fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
-        pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
   }
@@ -3324,8 +3320,8 @@ private predicate directReach(PathNode n) {
 /** Holds if `n` can reach a sink or is used in a subpath. */
 private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
 
-/** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and directReach(n2) }
+/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink or is used in a subpath. */
+private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and reach(n2) }
 
 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
 
@@ -3334,7 +3330,7 @@ private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1
  */
 module PathGraph {
   /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b and reach(b) }
+  query predicate edges(PathNode a, PathNode b) { pathSucc(a, b) }
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(PathNode n, string key, string val) {
@@ -3643,10 +3639,9 @@ private module Subpaths {
     PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
-    pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
+    pathThroughCallable(arg, out, _, apout) and
     pathIntoCallable(arg, par, _, innercc, sc, _) and
-    paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _,
-      unbindConf(arg.getConfiguration()))
+    paramFlowsThrough(kind, innercc, sc, apout, _, unbindConf(arg.getConfiguration()))
   }
 
   /**
@@ -3691,8 +3686,8 @@ private module Subpaths {
    */
   predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
     exists(ParamNodeEx p, NodeEx o, AccessPath apout |
-      pragma[only_bind_into](arg).getASuccessor() = par and
-      pragma[only_bind_into](arg).getASuccessor() = out and
+      arg.getASuccessor() = par and
+      arg.getASuccessor() = out and
       subpaths03(arg, p, ret, o, apout) and
       par.getNodeEx() = p and
       out.getNodeEx() = o and

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll

@@ -923,29 +923,28 @@ private module Stage2 {
 
   ApOption apSome(Ap ap) { result = TBooleanSome(ap) }
 
-  class Cc = CallContext;
+  class Cc = boolean;
 
-  class CcCall = CallContextCall;
+  class CcCall extends Cc {
+    CcCall() { this = true }
 
-  class CcNoCall = CallContextNoCall;
+    /** Holds if this call context may be `call`. */
+    predicate matchesCall(DataFlowCall call) { any() }
+  }
 
-  Cc ccNone() { result instanceof CallContextAny }
+  class CcNoCall extends Cc {
+    CcNoCall() { this = false }
+  }
+
+  Cc ccNone() { result = false }
 
   private class LocalCc = Unit;
 
   bindingset[call, c, outercc]
-  private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) {
-    checkCallContextCall(outercc, call, c) and
-    if recordDataFlowCallSiteDispatch(call, c)
-    then result = TSpecificCall(call)
-    else result = TSomeCall()
-  }
+  private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() }
 
   bindingset[call, c, innercc]
-  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) {
-    checkCallContextReturn(innercc, c, call) and
-    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
-  }
+  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
 
   bindingset[node, cc, config]
   private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
@@ -1173,8 +1172,7 @@ private module Stage2 {
       fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-      fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
-        pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
   }
@@ -1862,8 +1860,7 @@ private module Stage3 {
       fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-      fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
-        pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
   }
@@ -2120,7 +2117,7 @@ private module Stage3 {
 private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) {
   exists(AccessPathFront apf |
     Stage3::revFlow(node, true, _, apf, config) and
-    Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config)
+    Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config)
   )
 }
 
@@ -2621,8 +2618,7 @@ private module Stage4 {
       fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-      fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
-        pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
   }
@@ -3324,8 +3320,8 @@ private predicate directReach(PathNode n) {
 /** Holds if `n` can reach a sink or is used in a subpath. */
 private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
 
-/** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and directReach(n2) }
+/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink or is used in a subpath. */
+private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and reach(n2) }
 
 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
 
@@ -3334,7 +3330,7 @@ private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1
  */
 module PathGraph {
   /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b and reach(b) }
+  query predicate edges(PathNode a, PathNode b) { pathSucc(a, b) }
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(PathNode n, string key, string val) {
@@ -3643,10 +3639,9 @@ private module Subpaths {
     PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
-    pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
+    pathThroughCallable(arg, out, _, apout) and
     pathIntoCallable(arg, par, _, innercc, sc, _) and
-    paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _,
-      unbindConf(arg.getConfiguration()))
+    paramFlowsThrough(kind, innercc, sc, apout, _, unbindConf(arg.getConfiguration()))
   }
 
   /**
@@ -3691,8 +3686,8 @@ private module Subpaths {
    */
   predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
     exists(ParamNodeEx p, NodeEx o, AccessPath apout |
-      pragma[only_bind_into](arg).getASuccessor() = par and
-      pragma[only_bind_into](arg).getASuccessor() = out and
+      arg.getASuccessor() = par and
+      arg.getASuccessor() = out and
       subpaths03(arg, p, ret, o, apout) and
       par.getNodeEx() = p and
       out.getNodeEx() = o and

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll

@@ -923,29 +923,28 @@ private module Stage2 {
 
   ApOption apSome(Ap ap) { result = TBooleanSome(ap) }
 
-  class Cc = CallContext;
+  class Cc = boolean;
 
-  class CcCall = CallContextCall;
+  class CcCall extends Cc {
+    CcCall() { this = true }
 
-  class CcNoCall = CallContextNoCall;
+    /** Holds if this call context may be `call`. */
+    predicate matchesCall(DataFlowCall call) { any() }
+  }
 
-  Cc ccNone() { result instanceof CallContextAny }
+  class CcNoCall extends Cc {
+    CcNoCall() { this = false }
+  }
+
+  Cc ccNone() { result = false }
 
   private class LocalCc = Unit;
 
   bindingset[call, c, outercc]
-  private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) {
-    checkCallContextCall(outercc, call, c) and
-    if recordDataFlowCallSiteDispatch(call, c)
-    then result = TSpecificCall(call)
-    else result = TSomeCall()
-  }
+  private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() }
 
   bindingset[call, c, innercc]
-  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) {
-    checkCallContextReturn(innercc, c, call) and
-    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
-  }
+  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
 
   bindingset[node, cc, config]
   private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
@@ -1173,8 +1172,7 @@ private module Stage2 {
       fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-      fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
-        pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
   }
@@ -1862,8 +1860,7 @@ private module Stage3 {
       fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-      fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
-        pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
   }
@@ -2120,7 +2117,7 @@ private module Stage3 {
 private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) {
   exists(AccessPathFront apf |
     Stage3::revFlow(node, true, _, apf, config) and
-    Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config)
+    Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config)
   )
 }
 
@@ -2621,8 +2618,7 @@ private module Stage4 {
       fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-      fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
-        pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
   }
@@ -3324,8 +3320,8 @@ private predicate directReach(PathNode n) {
 /** Holds if `n` can reach a sink or is used in a subpath. */
 private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
 
-/** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and directReach(n2) }
+/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink or is used in a subpath. */
+private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and reach(n2) }
 
 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
 
@@ -3334,7 +3330,7 @@ private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1
  */
 module PathGraph {
   /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b and reach(b) }
+  query predicate edges(PathNode a, PathNode b) { pathSucc(a, b) }
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(PathNode n, string key, string val) {
@@ -3643,10 +3639,9 @@ private module Subpaths {
     PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
-    pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
+    pathThroughCallable(arg, out, _, apout) and
     pathIntoCallable(arg, par, _, innercc, sc, _) and
-    paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _,
-      unbindConf(arg.getConfiguration()))
+    paramFlowsThrough(kind, innercc, sc, apout, _, unbindConf(arg.getConfiguration()))
   }
 
   /**
@@ -3691,8 +3686,8 @@ private module Subpaths {
    */
   predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
     exists(ParamNodeEx p, NodeEx o, AccessPath apout |
-      pragma[only_bind_into](arg).getASuccessor() = par and
-      pragma[only_bind_into](arg).getASuccessor() = out and
+      arg.getASuccessor() = par and
+      arg.getASuccessor() = out and
       subpaths03(arg, p, ret, o, apout) and
       par.getNodeEx() = p and
       out.getNodeEx() = o and

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll

@@ -786,18 +786,13 @@ private module Cached {
   }
 
   /**
-   * Holds if the call context `call` improves virtual dispatch in `callable`.
+   * Holds if the call context `call` either improves virtual dispatch in
+   * `callable` or if it allows us to prune unreachable nodes in `callable`.
    */
   cached
-  predicate recordDataFlowCallSiteDispatch(DataFlowCall call, DataFlowCallable callable) {
+  predicate recordDataFlowCallSite(DataFlowCall call, DataFlowCallable callable) {
     reducedViableImplInCallContext(_, callable, call)
-  }
-
-  /**
-   * Holds if the call context `call` allows us to prune unreachable nodes in `callable`.
-   */
-  cached
-  predicate recordDataFlowCallSiteUnreachable(DataFlowCall call, DataFlowCallable callable) {
+    or
     exists(Node n | getNodeEnclosingCallable(n) = callable | isUnreachableInCallCached(n, call))
   }
 
@@ -851,15 +846,6 @@ private module Cached {
     TAccessPathFrontSome(AccessPathFront apf)
 }
 
-/**
- * Holds if the call context `call` either improves virtual dispatch in
- * `callable` or if it allows us to prune unreachable nodes in `callable`.
- */
-predicate recordDataFlowCallSite(DataFlowCall call, DataFlowCallable callable) {
-  recordDataFlowCallSiteDispatch(call, callable) or
-  recordDataFlowCallSiteUnreachable(call, callable)
-}
-
 /**
  * A `Node` at which a cast can occur such that the type should be checked.
  */

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll

@@ -923,29 +923,28 @@ private module Stage2 {
 
   ApOption apSome(Ap ap) { result = TBooleanSome(ap) }
 
-  class Cc = CallContext;
+  class Cc = boolean;
 
-  class CcCall = CallContextCall;
+  class CcCall extends Cc {
+    CcCall() { this = true }
 
-  class CcNoCall = CallContextNoCall;
+    /** Holds if this call context may be `call`. */
+    predicate matchesCall(DataFlowCall call) { any() }
+  }
 
-  Cc ccNone() { result instanceof CallContextAny }
+  class CcNoCall extends Cc {
+    CcNoCall() { this = false }
+  }
+
+  Cc ccNone() { result = false }
 
   private class LocalCc = Unit;
 
   bindingset[call, c, outercc]
-  private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) {
-    checkCallContextCall(outercc, call, c) and
-    if recordDataFlowCallSiteDispatch(call, c)
-    then result = TSpecificCall(call)
-    else result = TSomeCall()
-  }
+  private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() }
 
   bindingset[call, c, innercc]
-  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) {
-    checkCallContextReturn(innercc, c, call) and
-    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
-  }
+  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
 
   bindingset[node, cc, config]
   private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
@@ -1173,8 +1172,7 @@ private module Stage2 {
       fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-      fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
-        pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
   }
@@ -1862,8 +1860,7 @@ private module Stage3 {
       fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-      fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
-        pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
   }
@@ -2120,7 +2117,7 @@ private module Stage3 {
 private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) {
   exists(AccessPathFront apf |
     Stage3::revFlow(node, true, _, apf, config) and
-    Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config)
+    Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config)
   )
 }
 
@@ -2621,8 +2618,7 @@ private module Stage4 {
       fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-      fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
-        pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
   }
@@ -3324,8 +3320,8 @@ private predicate directReach(PathNode n) {
 /** Holds if `n` can reach a sink or is used in a subpath. */
 private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
 
-/** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and directReach(n2) }
+/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink or is used in a subpath. */
+private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and reach(n2) }
 
 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
 
@@ -3334,7 +3330,7 @@ private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1
  */
 module PathGraph {
   /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b and reach(b) }
+  query predicate edges(PathNode a, PathNode b) { pathSucc(a, b) }
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(PathNode n, string key, string val) {
@@ -3643,10 +3639,9 @@ private module Subpaths {
     PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
-    pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
+    pathThroughCallable(arg, out, _, apout) and
     pathIntoCallable(arg, par, _, innercc, sc, _) and
-    paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _,
-      unbindConf(arg.getConfiguration()))
+    paramFlowsThrough(kind, innercc, sc, apout, _, unbindConf(arg.getConfiguration()))
   }
 
   /**
@@ -3691,8 +3686,8 @@ private module Subpaths {
    */
   predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
     exists(ParamNodeEx p, NodeEx o, AccessPath apout |
-      pragma[only_bind_into](arg).getASuccessor() = par and
-      pragma[only_bind_into](arg).getASuccessor() = out and
+      arg.getASuccessor() = par and
+      arg.getASuccessor() = out and
       subpaths03(arg, p, ret, o, apout) and
       par.getNodeEx() = p and
       out.getNodeEx() = o and

cpp/ql/lib/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll

@@ -550,39 +550,6 @@ module TaintedWithPath {
     )
   }
 
-  /**
-   * Holds if there is flow from `arg` to `out` across a call that can by summarized by the flow
-   * from `par` to `ret` within it, in the graph of data flow path explanations.
-   */
-  query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
-    DataFlow3::PathGraph::subpaths(arg.(WrapPathNode).inner(), par.(WrapPathNode).inner(),
-      ret.(WrapPathNode).inner(), out.(WrapPathNode).inner())
-    or
-    // To avoid showing trivial-looking steps, we _replace_ the last node instead
-    // of adding an edge out of it.
-    exists(WrapPathNode sinkNode |
-      DataFlow3::PathGraph::subpaths(arg.(WrapPathNode).inner(), par.(WrapPathNode).inner(),
-        ret.(WrapPathNode).inner(), sinkNode.inner()) and
-      out.(FinalPathNode).inner() = adjustedSink(sinkNode.inner().getNode())
-    )
-    or
-    // Same for the first node
-    exists(WrapPathNode sourceNode |
-      DataFlow3::PathGraph::subpaths(sourceNode.inner(), par.(WrapPathNode).inner(),
-        ret.(WrapPathNode).inner(), out.(WrapPathNode).inner()) and
-      sourceNode.inner().getNode() = getNodeForExpr(arg.(InitialPathNode).inner())
-    )
-    or
-    // Finally, handle the case where the path goes directly from a source to a
-    // sink, meaning that they both need to be translated.
-    exists(WrapPathNode sinkNode, WrapPathNode sourceNode |
-      DataFlow3::PathGraph::subpaths(sourceNode.inner(), par.(WrapPathNode).inner(),
-        ret.(WrapPathNode).inner(), sinkNode.inner()) and
-      sourceNode.inner().getNode() = getNodeForExpr(arg.(InitialPathNode).inner()) and
-      out.(FinalPathNode).inner() = adjustedSink(sinkNode.inner().getNode())
-    )
-  }
-
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(PathNode n, string key, string val) {
     key = "semmle.label" and val = n.toString()

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll

@@ -923,29 +923,28 @@ private module Stage2 {
 
   ApOption apSome(Ap ap) { result = TBooleanSome(ap) }
 
-  class Cc = CallContext;
+  class Cc = boolean;
 
-  class CcCall = CallContextCall;
+  class CcCall extends Cc {
+    CcCall() { this = true }
 
-  class CcNoCall = CallContextNoCall;
+    /** Holds if this call context may be `call`. */
+    predicate matchesCall(DataFlowCall call) { any() }
+  }
 
-  Cc ccNone() { result instanceof CallContextAny }
+  class CcNoCall extends Cc {
+    CcNoCall() { this = false }
+  }
+
+  Cc ccNone() { result = false }
 
   private class LocalCc = Unit;
 
   bindingset[call, c, outercc]
-  private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) {
-    checkCallContextCall(outercc, call, c) and
-    if recordDataFlowCallSiteDispatch(call, c)
-    then result = TSpecificCall(call)
-    else result = TSomeCall()
-  }
+  private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() }
 
   bindingset[call, c, innercc]
-  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) {
-    checkCallContextReturn(innercc, c, call) and
-    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
-  }
+  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
 
   bindingset[node, cc, config]
   private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
@@ -1173,8 +1172,7 @@ private module Stage2 {
       fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-      fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
-        pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
   }
@@ -1862,8 +1860,7 @@ private module Stage3 {
       fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-      fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
-        pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
   }
@@ -2120,7 +2117,7 @@ private module Stage3 {
 private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) {
   exists(AccessPathFront apf |
     Stage3::revFlow(node, true, _, apf, config) and
-    Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config)
+    Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config)
   )
 }
 
@@ -2621,8 +2618,7 @@ private module Stage4 {
       fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-      fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
-        pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
   }
@@ -3324,8 +3320,8 @@ private predicate directReach(PathNode n) {
 /** Holds if `n` can reach a sink or is used in a subpath. */
 private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
 
-/** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and directReach(n2) }
+/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink or is used in a subpath. */
+private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and reach(n2) }
 
 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
 
@@ -3334,7 +3330,7 @@ private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1
  */
 module PathGraph {
   /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b and reach(b) }
+  query predicate edges(PathNode a, PathNode b) { pathSucc(a, b) }
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(PathNode n, string key, string val) {
@@ -3643,10 +3639,9 @@ private module Subpaths {
     PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
-    pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
+    pathThroughCallable(arg, out, _, apout) and
     pathIntoCallable(arg, par, _, innercc, sc, _) and
-    paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _,
-      unbindConf(arg.getConfiguration()))
+    paramFlowsThrough(kind, innercc, sc, apout, _, unbindConf(arg.getConfiguration()))
   }
 
   /**
@@ -3691,8 +3686,8 @@ private module Subpaths {
    */
   predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
     exists(ParamNodeEx p, NodeEx o, AccessPath apout |
-      pragma[only_bind_into](arg).getASuccessor() = par and
-      pragma[only_bind_into](arg).getASuccessor() = out and
+      arg.getASuccessor() = par and
+      arg.getASuccessor() = out and
       subpaths03(arg, p, ret, o, apout) and
       par.getNodeEx() = p and
       out.getNodeEx() = o and

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -923,29 +923,28 @@ private module Stage2 {
 
   ApOption apSome(Ap ap) { result = TBooleanSome(ap) }
 
-  class Cc = CallContext;
+  class Cc = boolean;
 
-  class CcCall = CallContextCall;
+  class CcCall extends Cc {
+    CcCall() { this = true }
 
-  class CcNoCall = CallContextNoCall;
+    /** Holds if this call context may be `call`. */
+    predicate matchesCall(DataFlowCall call) { any() }
+  }
 
-  Cc ccNone() { result instanceof CallContextAny }
+  class CcNoCall extends Cc {
+    CcNoCall() { this = false }
+  }
+
+  Cc ccNone() { result = false }
 
   private class LocalCc = Unit;
 
   bindingset[call, c, outercc]
-  private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) {
-    checkCallContextCall(outercc, call, c) and
-    if recordDataFlowCallSiteDispatch(call, c)
-    then result = TSpecificCall(call)
-    else result = TSomeCall()
-  }
+  private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() }
 
   bindingset[call, c, innercc]
-  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) {
-    checkCallContextReturn(innercc, c, call) and
-    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
-  }
+  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
 
   bindingset[node, cc, config]
   private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
@@ -1173,8 +1172,7 @@ private module Stage2 {
       fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-      fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
-        pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
   }
@@ -1862,8 +1860,7 @@ private module Stage3 {
       fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-      fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
-        pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
   }
@@ -2120,7 +2117,7 @@ private module Stage3 {
 private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) {
   exists(AccessPathFront apf |
     Stage3::revFlow(node, true, _, apf, config) and
-    Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config)
+    Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config)
   )
 }
 
@@ -2621,8 +2618,7 @@ private module Stage4 {
       fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-      fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
-        pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
   }
@@ -3324,8 +3320,8 @@ private predicate directReach(PathNode n) {
 /** Holds if `n` can reach a sink or is used in a subpath. */
 private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
 
-/** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and directReach(n2) }
+/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink or is used in a subpath. */
+private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and reach(n2) }
 
 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
 
@@ -3334,7 +3330,7 @@ private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1
  */
 module PathGraph {
   /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b and reach(b) }
+  query predicate edges(PathNode a, PathNode b) { pathSucc(a, b) }
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(PathNode n, string key, string val) {
@@ -3643,10 +3639,9 @@ private module Subpaths {
     PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
-    pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
+    pathThroughCallable(arg, out, _, apout) and
     pathIntoCallable(arg, par, _, innercc, sc, _) and
-    paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _,
-      unbindConf(arg.getConfiguration()))
+    paramFlowsThrough(kind, innercc, sc, apout, _, unbindConf(arg.getConfiguration()))
   }
 
   /**
@@ -3691,8 +3686,8 @@ private module Subpaths {
    */
   predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
     exists(ParamNodeEx p, NodeEx o, AccessPath apout |
-      pragma[only_bind_into](arg).getASuccessor() = par and
-      pragma[only_bind_into](arg).getASuccessor() = out and
+      arg.getASuccessor() = par and
+      arg.getASuccessor() = out and
       subpaths03(arg, p, ret, o, apout) and
       par.getNodeEx() = p and
       out.getNodeEx() = o and

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -923,29 +923,28 @@ private module Stage2 {
 
   ApOption apSome(Ap ap) { result = TBooleanSome(ap) }
 
-  class Cc = CallContext;
+  class Cc = boolean;
 
-  class CcCall = CallContextCall;
+  class CcCall extends Cc {
+    CcCall() { this = true }
 
-  class CcNoCall = CallContextNoCall;
+    /** Holds if this call context may be `call`. */
+    predicate matchesCall(DataFlowCall call) { any() }
+  }
 
-  Cc ccNone() { result instanceof CallContextAny }
+  class CcNoCall extends Cc {
+    CcNoCall() { this = false }
+  }
+
+  Cc ccNone() { result = false }
 
   private class LocalCc = Unit;
 
   bindingset[call, c, outercc]
-  private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) {
-    checkCallContextCall(outercc, call, c) and
-    if recordDataFlowCallSiteDispatch(call, c)
-    then result = TSpecificCall(call)
-    else result = TSomeCall()
-  }
+  private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() }
 
   bindingset[call, c, innercc]
-  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) {
-    checkCallContextReturn(innercc, c, call) and
-    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
-  }
+  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
 
   bindingset[node, cc, config]
   private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
@@ -1173,8 +1172,7 @@ private module Stage2 {
       fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-      fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
-        pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
   }
@@ -1862,8 +1860,7 @@ private module Stage3 {
       fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-      fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
-        pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
   }
@@ -2120,7 +2117,7 @@ private module Stage3 {
 private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) {
   exists(AccessPathFront apf |
     Stage3::revFlow(node, true, _, apf, config) and
-    Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config)
+    Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config)
   )
 }
 
@@ -2621,8 +2618,7 @@ private module Stage4 {
       fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-      fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
-        pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
   }
@@ -3324,8 +3320,8 @@ private predicate directReach(PathNode n) {
 /** Holds if `n` can reach a sink or is used in a subpath. */
 private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
 
-/** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and directReach(n2) }
+/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink or is used in a subpath. */
+private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and reach(n2) }
 
 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
 
@@ -3334,7 +3330,7 @@ private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1
  */
 module PathGraph {
   /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b and reach(b) }
+  query predicate edges(PathNode a, PathNode b) { pathSucc(a, b) }
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(PathNode n, string key, string val) {
@@ -3643,10 +3639,9 @@ private module Subpaths {
     PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
-    pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
+    pathThroughCallable(arg, out, _, apout) and
     pathIntoCallable(arg, par, _, innercc, sc, _) and
-    paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _,
-      unbindConf(arg.getConfiguration()))
+    paramFlowsThrough(kind, innercc, sc, apout, _, unbindConf(arg.getConfiguration()))
   }
 
   /**
@@ -3691,8 +3686,8 @@ private module Subpaths {
    */
   predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
     exists(ParamNodeEx p, NodeEx o, AccessPath apout |
-      pragma[only_bind_into](arg).getASuccessor() = par and
-      pragma[only_bind_into](arg).getASuccessor() = out and
+      arg.getASuccessor() = par and
+      arg.getASuccessor() = out and
       subpaths03(arg, p, ret, o, apout) and
       par.getNodeEx() = p and
       out.getNodeEx() = o and

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

@@ -923,29 +923,28 @@ private module Stage2 {
 
   ApOption apSome(Ap ap) { result = TBooleanSome(ap) }
 
-  class Cc = CallContext;
+  class Cc = boolean;
 
-  class CcCall = CallContextCall;
+  class CcCall extends Cc {
+    CcCall() { this = true }
 
-  class CcNoCall = CallContextNoCall;
+    /** Holds if this call context may be `call`. */
+    predicate matchesCall(DataFlowCall call) { any() }
+  }
 
-  Cc ccNone() { result instanceof CallContextAny }
+  class CcNoCall extends Cc {
+    CcNoCall() { this = false }
+  }
+
+  Cc ccNone() { result = false }
 
   private class LocalCc = Unit;
 
   bindingset[call, c, outercc]
-  private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) {
-    checkCallContextCall(outercc, call, c) and
-    if recordDataFlowCallSiteDispatch(call, c)
-    then result = TSpecificCall(call)
-    else result = TSomeCall()
-  }
+  private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() }
 
   bindingset[call, c, innercc]
-  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) {
-    checkCallContextReturn(innercc, c, call) and
-    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
-  }
+  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
 
   bindingset[node, cc, config]
   private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
@@ -1173,8 +1172,7 @@ private module Stage2 {
       fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-      fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
-        pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
   }
@@ -1862,8 +1860,7 @@ private module Stage3 {
       fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-      fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
-        pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
   }
@@ -2120,7 +2117,7 @@ private module Stage3 {
 private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) {
   exists(AccessPathFront apf |
     Stage3::revFlow(node, true, _, apf, config) and
-    Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config)
+    Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config)
   )
 }
 
@@ -2621,8 +2618,7 @@ private module Stage4 {
       fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, out, argAp0, ap, config) and
-      fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
-        pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
   }
@@ -3324,8 +3320,8 @@ private predicate directReach(PathNode n) {
 /** Holds if `n` can reach a sink or is used in a subpath. */
 private predicate reach(PathNode n) { directReach(n) or Subpaths::retReach(n) }
 
-/** Holds if `n1.getASuccessor() = n2` and `n2` can reach a sink. */
-private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and directReach(n2) }
+/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink or is used in a subpath. */
+private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and reach(n2) }
 
 private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
 
@@ -3334,7 +3330,7 @@ private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1
  */
 module PathGraph {
   /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b and reach(b) }
+  query predicate edges(PathNode a, PathNode b) { pathSucc(a, b) }
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(PathNode n, string key, string val) {
@@ -3643,10 +3639,9 @@ private module Subpaths {
     PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
-    pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
+    pathThroughCallable(arg, out, _, apout) and
     pathIntoCallable(arg, par, _, innercc, sc, _) and
-    paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _,
-      unbindConf(arg.getConfiguration()))
+    paramFlowsThrough(kind, innercc, sc, apout, _, unbindConf(arg.getConfiguration()))
   }
 
   /**
@@ -3691,8 +3686,8 @@ private module Subpaths {
    */
   predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
     exists(ParamNodeEx p, NodeEx o, AccessPath apout |
-      pragma[only_bind_into](arg).getASuccessor() = par and
-      pragma[only_bind_into](arg).getASuccessor() = out and
+      arg.getASuccessor() = par and
+      arg.getASuccessor() = out and
       subpaths03(arg, p, ret, o, apout) and
       par.getNodeEx() = p and
       out.getNodeEx() = o and

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll

@@ -786,18 +786,13 @@ private module Cached {
   }
 
   /**
-   * Holds if the call context `call` improves virtual dispatch in `callable`.
+   * Holds if the call context `call` either improves virtual dispatch in
+   * `callable` or if it allows us to prune unreachable nodes in `callable`.
    */
   cached
-  predicate recordDataFlowCallSiteDispatch(DataFlowCall call, DataFlowCallable callable) {
+  predicate recordDataFlowCallSite(DataFlowCall call, DataFlowCallable callable) {
     reducedViableImplInCallContext(_, callable, call)
-  }
-
-  /**
-   * Holds if the call context `call` allows us to prune unreachable nodes in `callable`.
-   */
-  cached
-  predicate recordDataFlowCallSiteUnreachable(DataFlowCall call, DataFlowCallable callable) {
+    or
     exists(Node n | getNodeEnclosingCallable(n) = callable | isUnreachableInCallCached(n, call))
   }
 
@@ -851,15 +846,6 @@ private module Cached {
     TAccessPathFrontSome(AccessPathFront apf)
 }
 
-/**
- * Holds if the call context `call` either improves virtual dispatch in
- * `callable` or if it allows us to prune unreachable nodes in `callable`.
- */
-predicate recordDataFlowCallSite(DataFlowCall call, DataFlowCallable callable) {
-  recordDataFlowCallSiteDispatch(call, callable) or
-  recordDataFlowCallSiteUnreachable(call, callable)
-}
-
 /**
  * A `Node` at which a cast can occur such that the type should be checked.
  */

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -1856,12 +1856,12 @@ class InitializeDynamicAllocationInstruction extends SideEffectInstruction {
   }
 
   /**
-   * Gets the operand that represents the address of the allocation this instruction is initializing.
+   * Gets the address of the allocation this instruction is initializing.
    */
   final AddressOperand getAllocationAddressOperand() { result = getAnOperand() }
 
   /**
-   * Gets the address for the allocation this instruction is initializing.
+   * Gets the operand for the allocation this instruction is initializing.
    */
   final Instruction getAllocationAddress() { result = getAllocationAddressOperand().getDef() }
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll

@@ -1856,12 +1856,12 @@ class InitializeDynamicAllocationInstruction extends SideEffectInstruction {
   }
 
   /**
-   * Gets the operand that represents the address of the allocation this instruction is initializing.
+   * Gets the address of the allocation this instruction is initializing.
    */
   final AddressOperand getAllocationAddressOperand() { result = getAnOperand() }
 
   /**
-   * Gets the address for the allocation this instruction is initializing.
+   * Gets the operand for the allocation this instruction is initializing.
    */
   final Instruction getAllocationAddress() { result = getAllocationAddressOperand().getDef() }
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll

@@ -1856,12 +1856,12 @@ class InitializeDynamicAllocationInstruction extends SideEffectInstruction {
   }
 
   /**
-   * Gets the operand that represents the address of the allocation this instruction is initializing.
+   * Gets the address of the allocation this instruction is initializing.
    */
   final AddressOperand getAllocationAddressOperand() { result = getAnOperand() }
 
   /**
-   * Gets the address for the allocation this instruction is initializing.
+   * Gets the operand for the allocation this instruction is initializing.
    */
   final Instruction getAllocationAddress() { result = getAllocationAddressOperand().getDef() }
 }

cpp/ql/lib/semmle/code/cpp/models/Models.qll

@@ -33,6 +33,3 @@ private import implementations.Recv
 private import implementations.Accept
 private import implementations.Poll
 private import implementations.Select
-private import implementations.MySql
-private import implementations.SqLite3
-private import implementations.PostgreSql

cpp/ql/lib/semmle/code/cpp/models/implementations/MySql.qll

@@ -1,32 +0,0 @@
-/**
- * Provides implementation classes modeling the MySql C API.
- * See `semmle.code.cpp.models.Models` for usage information.
- */
-
-private import semmle.code.cpp.models.interfaces.Sql
-private import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs
-
-/**
- * The `mysql_query` family of functions from the MySQL C API.
- */
-private class MySqlExecutionFunction extends SqlExecutionFunction {
-  MySqlExecutionFunction() {
-    this.hasName(["mysql_query", "mysql_real_query", "mysql_real_query_nonblocking"])
-  }
-
-  override predicate hasSqlArgument(FunctionInput input) { input.isParameterDeref(1) }
-}
-
-/**
- * The `mysql_real_escape_string` family of functions from the MySQL C API.
- */
-private class MySqlBarrierFunction extends SqlBarrierFunction {
-  MySqlBarrierFunction() {
-    this.hasName(["mysql_real_escape_string", "mysql_real_escape_string_quote"])
-  }
-
-  override predicate barrierSqlArgument(FunctionInput input, FunctionOutput output) {
-    input.isParameterDeref(2) and
-    output.isParameterDeref(1)
-  }
-}

cpp/ql/lib/semmle/code/cpp/models/implementations/PostgreSql.qll

@@ -1,94 +0,0 @@
-private import semmle.code.cpp.models.interfaces.Sql
-private import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs
-
-private predicate pqxxTransactionSqlArgument(string function, int arg) {
-  function = "exec" and arg = 0
-  or
-  function = "exec0" and arg = 0
-  or
-  function = "exec1" and arg = 0
-  or
-  function = "exec_n" and arg = 1
-  or
-  function = "exec_params" and arg = 0
-  or
-  function = "exec_params0" and arg = 0
-  or
-  function = "exec_params1" and arg = 0
-  or
-  function = "exec_params_n" and arg = 1
-  or
-  function = "query_value" and arg = 0
-  or
-  function = "stream" and arg = 0
-}
-
-private predicate pqxxConnectionSqlArgument(string function, int arg) {
-  function = "prepare" and arg = 1
-}
-
-private predicate pqxxTransationClassNames(string className, string namespace) {
-  namespace = "pqxx" and
-  className in [
-      "dbtransaction", "nontransaction", "basic_robusttransaction", "robusttransaction",
-      "subtransaction", "transaction", "basic_transaction", "transaction_base", "work"
-    ]
-}
-
-private predicate pqxxConnectionClassNames(string className, string namespace) {
-  namespace = "pqxx" and
-  className in ["connection_base", "basic_connection", "connection"]
-}
-
-private predicate pqxxEscapeArgument(string function, int arg) {
-  arg = 0 and
-  function in ["esc", "esc_raw", "quote", "quote_raw", "quote_name", "quote_table", "esc_like"]
-}
-
-private class PostgreSqlExecutionFunction extends SqlExecutionFunction {
-  PostgreSqlExecutionFunction() {
-    exists(Class c |
-      this.getDeclaringType() = c and
-      // transaction exec and connection prepare variations
-      (
-        pqxxTransationClassNames(c.getName(), c.getNamespace().getName()) and
-        pqxxTransactionSqlArgument(this.getName(), _)
-        or
-        pqxxConnectionSqlArgument(this.getName(), _) and
-        pqxxConnectionClassNames(c.getName(), c.getNamespace().getName())
-      )
-    )
-  }
-
-  override predicate hasSqlArgument(FunctionInput input) {
-    exists(int argIndex |
-      pqxxTransactionSqlArgument(this.getName(), argIndex)
-      or
-      pqxxConnectionSqlArgument(this.getName(), argIndex)
-    |
-      input.isParameterDeref(argIndex)
-    )
-  }
-}
-
-private class PostgreSqlBarrierFunction extends SqlBarrierFunction {
-  PostgreSqlBarrierFunction() {
-    exists(Class c |
-      this.getDeclaringType() = c and
-      // transaction and connection escape functions
-      (
-        pqxxTransationClassNames(c.getName(), c.getNamespace().getName()) or
-        pqxxConnectionClassNames(c.getName(), c.getNamespace().getName())
-      ) and
-      pqxxEscapeArgument(this.getName(), _)
-    )
-  }
-
-  override predicate barrierSqlArgument(FunctionInput input, FunctionOutput output) {
-    exists(int argIndex |
-      input.isParameterDeref(argIndex) and
-      output.isReturnValueDeref() and
-      pqxxEscapeArgument(this.getName(), argIndex)
-    )
-  }
-}

cpp/ql/lib/semmle/code/cpp/models/implementations/SqLite3.qll

@@ -1,21 +0,0 @@
-/**
- * Provides implementation classes modeling the SQLite C API.
- * See `semmle.code.cpp.models.Models` for usage information.
- */
-
-private import semmle.code.cpp.models.interfaces.Sql
-private import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs
-
-/**
- * The `sqlite3_exec` and `sqlite3_prepare` families of functions from the SQLite C API.
- */
-private class SqLite3ExecutionFunction extends SqlExecutionFunction {
-  SqLite3ExecutionFunction() {
-    this.hasName([
-        "sqlite3_exec", "sqlite3_prepare", "sqlite3_prepare_v2", "sqlite3_prepare_v3",
-        "sqlite3_prepare16", "sqlite3_prepare16_v2", "sqlite3_prepare16_v3"
-      ])
-  }
-
-  override predicate hasSqlArgument(FunctionInput input) { input.isParameterDeref(1) }
-}

cpp/ql/lib/semmle/code/cpp/models/interfaces/Sql.qll

@@ -1,30 +0,0 @@
-/**
- * Provides abstract classes for modeling functions that execute and escape SQL query strings.
- * To extend this QL library, create a QL class extending `SqlExecutionFunction` or `SqlEscapeFunction`
- * with a characteristic predicate that selects the function or set of functions you are modeling.
- * Within that class, override the predicates provided by the class to match the way a
- * parameter flows into the function and, in the case of `SqlEscapeFunction`, out of the function.
- */
-
-private import cpp
-
-/**
- * An abstract class that represents a function that executes an SQL query.
- */
-abstract class SqlExecutionFunction extends Function {
-  /**
-   * Holds if `input` to this function represents SQL code to be executed.
-   */
-  abstract predicate hasSqlArgument(FunctionInput input);
-}
-
-/**
- * An abstract class that represents a function that is a barrier to an SQL query string.
- */
-abstract class SqlBarrierFunction extends Function {
-  /**
-   * Holds if the `output` is a barrier to the SQL input `input` such that is it safe to pass to
-   * an `SqlExecutionFunction`.
-   */
-  abstract predicate barrierSqlArgument(FunctionInput input, FunctionOutput output);
-}

cpp/ql/lib/semmle/code/cpp/rangeanalysis/RangeSSA.qll

@@ -95,19 +95,10 @@ class RangeSsaDefinition extends ControlFlowNodeBase {
 
   /**
    * If this definition is a phi node corresponding to a guard,
-   * then return the variable access and the guard.
+   * then return the variable and the guard.
    */
-  predicate isGuardPhi(VariableAccess va, Expr guard, boolean branch) {
-    guard_defn(va, guard, this, branch)
-  }
-
-  /**
-   * If this definition is a phi node corresponding to a guard,
-   * then return the variable guarded, the variable access and the guard.
-   */
-  predicate isGuardPhi(StackVariable v, VariableAccess va, Expr guard, boolean branch) {
-    guard_defn(va, guard, this, branch) and
-    va.getTarget() = v
+  predicate isGuardPhi(VariableAccess v, Expr guard, boolean branch) {
+    guard_defn(v, guard, this, branch)
   }
 
   /** Gets the primary location of this definition. */

cpp/ql/lib/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll

@@ -1530,30 +1530,6 @@ private predicate isUnsupportedGuardPhi(Variable v, RangeSsaDefinition phi, Vari
   )
 }
 
-/**
- * Gets the upper bound of the expression, if the expression is guarded.
- * An upper bound can only be found, if a guard phi node can be found, and the
- * expression has only one immediate predecessor.
- */
-private float getGuardedUpperBound(VariableAccess guardedAccess) {
-  exists(
-    RangeSsaDefinition def, StackVariable v, VariableAccess guardVa, Expr guard, boolean branch
-  |
-    def.isGuardPhi(v, guardVa, guard, branch) and
-    // If the basic block for the variable access being examined has
-    // more than one predecessor, the guard phi node could originate
-    // from one of the predecessors. This is because the guard phi
-    // node is attached to the block at the end of the edge and not on
-    // the actual edge. It is therefore not possible to determine which
-    // edge the guard phi node belongs to. The predicate below ensures
-    // that there is one predecessor, albeit somewhat conservative.
-    exists(unique(BasicBlock b | b = def.(BasicBlock).getAPredecessor())) and
-    guardedAccess = def.getAUse(v) and
-    result = max(float ub | upperBoundFromGuard(guard, guardVa, ub, branch)) and
-    not convertedExprMightOverflow(guard.getAChild+())
-  )
-}
-
 cached
 private module SimpleRangeAnalysisCached {
   /**
@@ -1589,9 +1565,9 @@ private module SimpleRangeAnalysisCached {
    */
   cached
   float upperBound(Expr expr) {
-    // Combine the upper bounds returned by getTruncatedUpperBounds and
-    // getGuardedUpperBound into a single maximum value
-    result = min([max(getTruncatedUpperBounds(expr)), getGuardedUpperBound(expr)])
+    // Combine the upper bounds returned by getTruncatedUpperBounds into a
+    // single maximum value.
+    result = max(float ub | ub = getTruncatedUpperBounds(expr) | ub)
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/security/Security.qll

@@ -7,7 +7,6 @@ import semmle.code.cpp.exprs.Expr
 import semmle.code.cpp.commons.Environment
 import semmle.code.cpp.security.SecurityOptions
 import semmle.code.cpp.models.interfaces.FlowSource
-import semmle.code.cpp.models.interfaces.Sql
 
 /**
  * Extend this class to customize the security queries for
@@ -35,11 +34,13 @@ class SecurityOptions extends string {
    * An argument to a function that is passed to a SQL server.
    */
   predicate sqlArgument(string function, int arg) {
-    exists(FunctionInput input, SqlExecutionFunction sql |
-      sql.hasName(function) and
-      input.isParameterDeref(arg) and
-      sql.hasSqlArgument(input)
-    )
+    // MySQL C API
+    function = "mysql_query" and arg = 1
+    or
+    function = "mysql_real_query" and arg = 1
+    or
+    // SQLite3 C API
+    function = "sqlite3_exec" and arg = 1
   }
 
   /**

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -310,14 +310,23 @@ diagnostics(
     int location: @location_default ref
 );
 
+/*
+  fromSource(0) = unknown,
+  fromSource(1) = from source,
+  fromSource(2) = from library
+*/
 files(
     unique int id: @file,
-    string name: string ref
+    string name: string ref,
+    string simple: string ref,
+    string ext: string ref,
+    int fromSource: int ref
 );
 
 folders(
     unique int id: @folder,
-    string name: string ref
+    string name: string ref,
+    string simple: string ref
 );
 
 @container = @folder | @file

cpp/ql/lib/semmlecode.cpp.dbscheme.stats

@@ -12875,6 +12875,18 @@
 <k>name</k>
 <v>59320</v>
 </e>
+<e>
+<k>simple</k>
+<v>40580</v>
+</e>
+<e>
+<k>ext</k>
+<v>97</v>
+</e>
+<e>
+<k>fromSource</k>
+<v>10</v>
+</e>
 </columnsizes>
 <dependencies>
 <dep>
@@ -12894,6 +12906,54 @@
 </val>
 </dep>
 <dep>
+<src>id</src>
+<trg>simple</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>59320</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>id</src>
+<trg>ext</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>59320</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>id</src>
+<trg>fromSource</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>59320</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
 <src>name</src>
 <trg>id</trg>
 <val>
@@ -12909,6 +12969,406 @@
 </hist>
 </val>
 </dep>
+<dep>
+<src>name</src>
+<trg>simple</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>59320</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>name</src>
+<trg>ext</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>59320</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>name</src>
+<trg>fromSource</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>59320</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>simple</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>30814</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>6123</v>
+</b>
+<b>
+<a>3</a>
+<b>7</b>
+<v>3197</v>
+</b>
+<b>
+<a>7</a>
+<b>42</b>
+<v>444</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>simple</src>
+<trg>name</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>30814</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>6123</v>
+</b>
+<b>
+<a>3</a>
+<b>7</b>
+<v>3197</v>
+</b>
+<b>
+<a>7</a>
+<b>42</b>
+<v>444</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>simple</src>
+<trg>ext</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>36277</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>3739</v>
+</b>
+<b>
+<a>3</a>
+<b>6</b>
+<v>563</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>simple</src>
+<trg>fromSource</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>40580</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>ext</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>10</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>10</v>
+</b>
+<b>
+<a>15</a>
+<b>16</b>
+<v>10</v>
+</b>
+<b>
+<a>38</a>
+<b>39</b>
+<v>10</v>
+</b>
+<b>
+<a>80</a>
+<b>81</b>
+<v>10</v>
+</b>
+<b>
+<a>114</a>
+<b>115</b>
+<v>10</v>
+</b>
+<b>
+<a>441</a>
+<b>442</b>
+<v>10</v>
+</b>
+<b>
+<a>768</a>
+<b>769</b>
+<v>10</v>
+</b>
+<b>
+<a>4013</a>
+<b>4014</b>
+<v>10</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>ext</src>
+<trg>name</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>10</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>10</v>
+</b>
+<b>
+<a>15</a>
+<b>16</b>
+<v>10</v>
+</b>
+<b>
+<a>38</a>
+<b>39</b>
+<v>10</v>
+</b>
+<b>
+<a>80</a>
+<b>81</b>
+<v>10</v>
+</b>
+<b>
+<a>114</a>
+<b>115</b>
+<v>10</v>
+</b>
+<b>
+<a>441</a>
+<b>442</b>
+<v>10</v>
+</b>
+<b>
+<a>768</a>
+<b>769</b>
+<v>10</v>
+</b>
+<b>
+<a>4013</a>
+<b>4014</b>
+<v>10</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>ext</src>
+<trg>simple</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>10</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>10</v>
+</b>
+<b>
+<a>15</a>
+<b>16</b>
+<v>10</v>
+</b>
+<b>
+<a>38</a>
+<b>39</b>
+<v>10</v>
+</b>
+<b>
+<a>75</a>
+<b>76</b>
+<v>10</v>
+</b>
+<b>
+<a>112</a>
+<b>113</b>
+<v>10</v>
+</b>
+<b>
+<a>428</a>
+<b>429</b>
+<v>10</v>
+</b>
+<b>
+<a>688</a>
+<b>689</b>
+<v>10</v>
+</b>
+<b>
+<a>2838</a>
+<b>2839</b>
+<v>10</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>ext</src>
+<trg>fromSource</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>97</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>fromSource</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>5473</a>
+<b>5474</b>
+<v>10</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>fromSource</src>
+<trg>name</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>5473</a>
+<b>5474</b>
+<v>10</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>fromSource</src>
+<trg>simple</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>3744</a>
+<b>3745</b>
+<v>10</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>fromSource</src>
+<trg>ext</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>9</a>
+<b>10</b>
+<v>10</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
 </dependencies>
 </relation>
 <relation>
@@ -12923,6 +13383,10 @@
 <k>name</k>
 <v>10817</v>
 </e>
+<e>
+<k>simple</k>
+<v>3099</v>
+</e>
 </columnsizes>
 <dependencies>
 <dep>
@@ -12942,6 +13406,22 @@
 </val>
 </dep>
 <dep>
+<src>id</src>
+<trg>simple</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>10817</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
 <src>name</src>
 <trg>id</trg>
 <val>
@@ -12957,6 +13437,94 @@
 </hist>
 </val>
 </dep>
+<dep>
+<src>name</src>
+<trg>simple</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>10817</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>simple</src>
+<trg>id</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1669</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>661</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>433</v>
+</b>
+<b>
+<a>4</a>
+<b>17</b>
+<v>238</v>
+</b>
+<b>
+<a>27</a>
+<b>121</b>
+<v>97</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
+<dep>
+<src>simple</src>
+<trg>name</trg>
+<val>
+<hist>
+<budget>12</budget>
+<bs>
+<b>
+<a>1</a>
+<b>2</b>
+<v>1669</v>
+</b>
+<b>
+<a>2</a>
+<b>3</b>
+<v>661</v>
+</b>
+<b>
+<a>3</a>
+<b>4</b>
+<v>433</v>
+</b>
+<b>
+<a>4</a>
+<b>17</b>
+<v>238</v>
+</b>
+<b>
+<a>27</a>
+<b>121</b>
+<v>97</v>
+</b>
+</bs>
+</hist>
+</val>
+</dep>
 </dependencies>
 </relation>
 <relation>

cpp/ql/src/Metrics/Internal/DiagnosticsSumElapsedTimes.ql

@@ -1,12 +0,0 @@
-/**
- * @name Sum of frontend and extractor time
- * @description The sum of elapsed frontend time, and the sum of elapsed extractor time.
- *              This query is for internal use only and may change without notice.
- * @kind table
- * @id cpp/frontend-and-extractor-time
- */
-
-import cpp
-
-select sum(Compilation c, float seconds | compilation_time(c, _, 2, seconds) | seconds) as sum_frontend_elapsed_seconds,
-  sum(Compilation c, float seconds | compilation_time(c, _, 4, seconds) | seconds) as sum_extractor_elapsed_seconds

cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql

@@ -30,15 +30,7 @@ class Configuration extends TaintTrackingConfiguration {
   }
 
   override predicate isBarrier(Expr e) {
-    super.isBarrier(e)
-    or
-    e.getUnspecifiedType() instanceof IntegralType
-    or
-    exists(SqlBarrierFunction sql, int arg, FunctionInput input |
-      e = sql.getACallToThisFunction().getArgument(arg) and
-      input.isParameterDeref(arg) and
-      sql.barrierSqlArgument(input, _)
-    )
+    super.isBarrier(e) or e.getUnspecifiedType() instanceof IntegralType
   }
 }
 

cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.cpp

@@ -0,0 +1,28 @@
+#include <iostream>
+#include <stdexcept>
+#include <pqxx/pqxx>
+
+int main(int argc, char ** argv) {
+
+    if (argc != 2) { 
+        throw std::runtime_error("Give me a string!");
+    }
+    
+    pqxx::connection c;
+    pqxx::work w(c);
+
+    // BAD
+    char *userName = argv[1];
+    char query1[1000] = {0};
+    sprintf(query1, "SELECT UID FROM USERS where name = \"%s\"", userName);
+    pqxx::row r = w.exec1(query1);
+    w.commit();
+    std::cout << r[0].as<int>() << std::endl;
+
+    // GOOD
+    pqxx::result r2 = w.exec("SELECT " + w.quote(argv[1]));
+    w.commit();
+    std::cout << r2[0][0].c_str() << std::endl;
+
+    return 0;
+}

cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.qhelp

@@ -0,0 +1,31 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>The code passes user input as part of a SQL query without escaping special elements. 
+It generates a SQL query to Postgres using <code>sprintf</code>,
+with the user-supplied data directly passed as an argument
+to <code>sprintf</code>. This leaves the code vulnerable to attack by SQL Injection.</p>
+
+</overview>
+<recommendation>
+
+<p>Use a library routine to escape characters in the user-supplied
+string before converting it to SQL. Use <code>esc</code> and <code>quote</code> pqxx library functions.</p>
+
+</recommendation>
+<example>
+<sample src="SqlPqxxTainted.cpp" />
+
+</example>
+<references>
+
+<li>MSDN Library: <a href="https://docs.microsoft.com/en-us/sql/relational-databases/security/sql-injection">SQL Injection</a>.</li>
+
+
+<!--  LocalWords:  SQL CWE
+ -->
+
+</references>
+</qhelp>

cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.ql

@@ -0,0 +1,113 @@
+/**
+ * @name Uncontrolled data in SQL query to Postgres
+ * @description Including user-supplied data in a SQL query to Postgres
+ *              without neutralizing special elements can make code
+ *              vulnerable to SQL Injection.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id cpp/sql-injection-via-pqxx
+ * @tags security
+ *       external/cwe/cwe-089
+ */
+
+import cpp
+import semmle.code.cpp.security.Security
+import semmle.code.cpp.dataflow.TaintTracking
+import DataFlow::PathGraph
+
+predicate pqxxTransationClassNames(string className, string namespace) {
+  namespace = "pqxx" and
+  className in [
+      "dbtransaction", "nontransaction", "basic_robusttransaction", "robusttransaction",
+      "subtransaction", "transaction", "basic_transaction", "transaction_base", "work"
+    ]
+}
+
+predicate pqxxConnectionClassNames(string className, string namespace) {
+  namespace = "pqxx" and
+  className in ["connection_base", "basic_connection", "connection"]
+}
+
+predicate pqxxTransactionSqlArgument(string function, int arg) {
+  function = "exec" and arg = 0
+  or
+  function = "exec0" and arg = 0
+  or
+  function = "exec1" and arg = 0
+  or
+  function = "exec_n" and arg = 1
+  or
+  function = "exec_params" and arg = 0
+  or
+  function = "exec_params0" and arg = 0
+  or
+  function = "exec_params1" and arg = 0
+  or
+  function = "exec_params_n" and arg = 1
+  or
+  function = "query_value" and arg = 0
+  or
+  function = "stream" and arg = 0
+}
+
+predicate pqxxConnectionSqlArgument(string function, int arg) { function = "prepare" and arg = 1 }
+
+Expr getPqxxSqlArgument() {
+  exists(FunctionCall fc, Expr e, int argIndex, UserType t |
+    // examples: 'work' for 'work.exec(...)'; '->' for 'tx->exec()'.
+    e = fc.getQualifier() and
+    // to find ConnectionHandle/TransationHandle and similar classes which override '->' operator behavior
+    // and return pointer to a connection/transation object
+    e.getType().refersTo(t) and
+    // transaction exec and connection prepare variations
+    (
+      pqxxTransationClassNames(t.getName(), t.getNamespace().getName()) and
+      pqxxTransactionSqlArgument(fc.getTarget().getName(), argIndex)
+      or
+      pqxxConnectionClassNames(t.getName(), t.getNamespace().getName()) and
+      pqxxConnectionSqlArgument(fc.getTarget().getName(), argIndex)
+    ) and
+    result = fc.getArgument(argIndex)
+  )
+}
+
+predicate pqxxEscapeArgument(string function, int arg) {
+  arg = 0 and
+  function in ["esc", "esc_raw", "quote", "quote_raw", "quote_name", "quote_table", "esc_like"]
+}
+
+predicate isEscapedPqxxArgument(Expr argExpr) {
+  exists(FunctionCall fc, Expr e, int argIndex, UserType t |
+    // examples: 'work' for 'work.exec(...)'; '->' for 'tx->exec()'.
+    e = fc.getQualifier() and
+    // to find ConnectionHandle/TransationHandle and similar classes which override '->' operator behavior
+    // and return pointer to a connection/transation object
+    e.getType().refersTo(t) and
+    // transaction and connection escape functions
+    (
+      pqxxTransationClassNames(t.getName(), t.getNamespace().getName()) or
+      pqxxConnectionClassNames(t.getName(), t.getNamespace().getName())
+    ) and
+    pqxxEscapeArgument(fc.getTarget().getName(), argIndex) and
+    // is escaped arg == argExpr
+    argExpr = fc.getArgument(argIndex)
+  )
+}
+
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "SqlPqxxTainted" }
+
+  override predicate isSource(DataFlow::Node source) { isUserInput(source.asExpr(), _) }
+
+  override predicate isSink(DataFlow::Node sink) { sink.asExpr() = getPqxxSqlArgument() }
+
+  override predicate isSanitizer(DataFlow::Node node) { isEscapedPqxxArgument(node.asExpr()) }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, Configuration config, string taintCause
+where
+  config.hasFlowPath(source, sink) and
+  isUserInput(source.getNode().asExpr(), taintCause)
+select sink, source, sink, "This argument to a SQL query function is derived from $@", source,
+  "user input (" + taintCause + ")"

cpp/ql/src/experimental/Security/CWE/CWE-675/DoubleRelease.c

@@ -1,13 +0,0 @@
-...
-  fs = socket(AF_UNIX, SOCK_STREAM, 0)
-...
-  close(fs);
-  fs = -1; // GOOD
-...
-
-...
-  fs = socket(AF_UNIX, SOCK_STREAM, 0)
-...
-  close(fs);
-  if(fs) close(fs); // BAD
-...

cpp/ql/src/experimental/Security/CWE/CWE-675/DoubleRelease.qhelp

@@ -1,26 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<overview>
-<p>Double release of the descriptor can lead to a crash of the program. Requires the attention of developers.</p>
-
-</overview>
-<recommendation>
-<p>We recommend that you exclude situations of possible double release.</p>
-
-</recommendation>
-<example>
-<p>The following example demonstrates an erroneous and corrected use of descriptor deallocation.</p>
-<sample src="DoubleRelease.c" />
-
-</example>
-<references>
-
-<li>
-  CERT C Coding Standard:
-  <a href="https://wiki.sei.cmu.edu/confluence/display/c/FIO46-C.+Do+not+access+a+closed+file">FIO46-C. Do not access a closed file</a>.
-</li>
-
-</references>
-</qhelp>

cpp/ql/src/experimental/Security/CWE/CWE-675/DoubleRelease.ql

@@ -1,142 +0,0 @@
-/**
- * @name Errors When Double Release
- * @description Double release of the descriptor can lead to a crash of the program.
- * @kind problem
- * @id cpp/double-release
- * @problem.severity warning
- * @precision medium
- * @tags security
- *       external/cwe/cwe-675
- *       external/cwe/cwe-666
- */
-
-import cpp
-import semmle.code.cpp.commons.File
-import semmle.code.cpp.valuenumbering.GlobalValueNumbering
-import semmle.code.cpp.valuenumbering.HashCons
-
-/**
- * A function call that potentially does not return (such as `exit`).
- */
-class CallMayNotReturn extends FunctionCall {
-  CallMayNotReturn() {
-    // call that is known to not return
-    not exists(this.(ControlFlowNode).getASuccessor())
-    or
-    // call to another function that may not return
-    exists(CallMayNotReturn exit | getTarget() = exit.getEnclosingFunction())
-    or
-    exists(ThrowExpr tex | tex = this.(ControlFlowNode).getASuccessor())
-  }
-}
-
-/** Holds if there are no assignment expressions to the function argument. */
-pragma[inline]
-predicate checkChangeVariable(FunctionCall fc0, ControlFlowNode fc1, ControlFlowNode fc2) {
-  not exists(Expr exptmp |
-    (
-      exptmp = fc0.getArgument(0).(VariableAccess).getTarget().getAnAssignedValue() or
-      exptmp.(AddressOfExpr).getOperand() =
-        fc0.getArgument(0).(VariableAccess).getTarget().getAnAccess()
-    ) and
-    exptmp = fc1.getASuccessor*() and
-    exptmp = fc2.getAPredecessor*()
-  ) and
-  (
-    (
-      not fc0.getArgument(0) instanceof PointerFieldAccess and
-      not fc0.getArgument(0) instanceof ValueFieldAccess
-      or
-      fc0.getArgument(0).(VariableAccess).getQualifier() instanceof ThisExpr
-    )
-    or
-    not exists(Expr exptmp |
-      (
-        exptmp =
-          fc0.getArgument(0)
-              .(VariableAccess)
-              .getQualifier()
-              .(VariableAccess)
-              .getTarget()
-              .getAnAssignedValue() or
-        exptmp.(AddressOfExpr).getOperand() =
-          fc0.getArgument(0)
-              .(VariableAccess)
-              .getQualifier()
-              .(VariableAccess)
-              .getTarget()
-              .getAnAccess()
-      ) and
-      exptmp = fc1.getASuccessor*() and
-      exptmp = fc2.getAPredecessor*()
-    )
-  )
-}
-
-/** Holds if the underlying expression is a call to the close function. Provided that the function parameter does not change after the call. */
-predicate closeReturn(FunctionCall fc) {
-  fcloseCall(fc, _) and
-  checkChangeVariable(fc, fc, fc.getEnclosingFunction())
-}
-
-/** Holds if the underlying expression is a call to the close function. Provided that the function parameter does not change before the call. */
-predicate closeWithoutChangeBefore(FunctionCall fc) {
-  fcloseCall(fc, _) and
-  checkChangeVariable(fc, fc.getEnclosingFunction().getEntryPoint(), fc)
-}
-
-/** Holds, if a sequential call of the specified functions is possible, via a higher-level function call. */
-predicate callInOtherFunctions(FunctionCall fc, FunctionCall fc1) {
-  exists(FunctionCall fec1, FunctionCall fec2 |
-    fc.getEnclosingFunction() != fc1.getEnclosingFunction() and
-    fec1 = fc.getEnclosingFunction().getACallToThisFunction() and
-    fec2 = fc1.getEnclosingFunction().getACallToThisFunction() and
-    fec1.getASuccessor*() = fec2 and
-    checkChangeVariable(fc, fec1, fec2)
-  )
-}
-
-/** Holds if successive calls to close functions are possible. */
-predicate interDoubleCloseFunctions(FunctionCall fc, FunctionCall fc1) {
-  fcloseCall(fc, _) and
-  fcloseCall(fc1, _) and
-  fc != fc1 and
-  fc.getASuccessor*() = fc1 and
-  checkChangeVariable(fc, fc, fc1)
-}
-
-/** Holds if the first arguments of the two functions are similar. */
-predicate similarArguments(FunctionCall fc, FunctionCall fc1) {
-  globalValueNumber(fc.getArgument(0)) = globalValueNumber(fc1.getArgument(0))
-  or
-  fc.getArgument(0).(VariableAccess).getTarget() = fc1.getArgument(0).(VariableAccess).getTarget() and
-  (
-    not fc.getArgument(0) instanceof PointerFieldAccess and
-    not fc.getArgument(0) instanceof ValueFieldAccess
-    or
-    fc.getArgument(0).(VariableAccess).getQualifier() instanceof ThisExpr
-  )
-  or
-  fc.getArgument(0).(VariableAccess).getTarget() = fc1.getArgument(0).(VariableAccess).getTarget() and
-  (
-    fc.getArgument(0) instanceof PointerFieldAccess or
-    fc.getArgument(0) instanceof ValueFieldAccess
-  ) and
-  hashCons(fc.getArgument(0)) = hashCons(fc1.getArgument(0))
-}
-
-from FunctionCall fc, FunctionCall fc1
-where
-  not exists(CallMayNotReturn fctmp | fctmp = fc.getASuccessor*()) and
-  not exists(IfStmt ifs | ifs.getCondition().getAChild*() = fc) and
-  (
-    // detecting a repeated call situation within one function
-    closeReturn(fc) and
-    closeWithoutChangeBefore(fc1) and
-    callInOtherFunctions(fc, fc1)
-    or
-    // detection of repeated call in different functions
-    interDoubleCloseFunctions(fc, fc1)
-  ) and
-  similarArguments(fc, fc1)
-select fc, "Second call to the $@ function is possible.", fc1, fc1.getTarget().getName()

cpp/ql/src/experimental/Security/CWE/CWE-787/UnsignedToSignedPointerArith.ql

@@ -1,30 +0,0 @@
-/**
- * @name unsigned to signed used in pointer arithmetic
- * @description finds unsigned to signed conversions used in pointer arithmetic, potentially causing an out-of-bound access
- * @id cpp/sign-conversion-pointer-arithmetic
- * @kind problem
- * @problem.severity warning
- * @tags reliability
- *       security
- *       external/cwe/cwe-787
- */
-
-import cpp
-import semmle.code.cpp.dataflow.DataFlow
-import semmle.code.cpp.security.Overflow
-
-from FunctionCall call, Function f, Parameter p, DataFlow::Node sink, PointerArithmeticOperation pao
-where
-  f = call.getTarget() and
-  p = f.getAParameter() and
-  p.getUnspecifiedType().(IntegralType).isSigned() and
-  call.getArgument(p.getIndex()).getUnspecifiedType().(IntegralType).isUnsigned() and
-  pao.getAnOperand() = sink.asExpr() and
-  not exists(Operation a | guardedLesser(a, sink.asExpr())) and
-  not exists(Operation b | guardedGreater(b, call.getArgument(p.getIndex()))) and
-  not call.getArgument(p.getIndex()).isConstant() and
-  DataFlow::localFlow(DataFlow::parameterNode(p), sink) and
-  p.getUnspecifiedType().getSize() < 8
-select call,
-  "This call: $@  passes an unsigned int to a function that requires a signed int: $@. And then used in pointer arithmetic: $@",
-  call, call.toString(), f, f.toString(), sink, sink.toString()

cpp/ql/src/jsf/4.13 Functions/AV Rule 114.ql

@@ -63,7 +63,6 @@ where
   functionsMissingReturnStmt(f, blame) and
   reachable(blame) and
   not functionImperfectlyExtracted(f) and
-  not f.isFromUninstantiatedTemplate(_) and
   (blame = stmt or blame.(Expr).getEnclosingStmt() = stmt) and
   msg =
     "Function " + f.getName() + " should return a value of type " + f.getType().getName() +

cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/lowerBound.expected

@@ -594,15 +594,6 @@
 | test.c:659:9:659:9 | u | 0 |
 | test.c:664:12:664:12 | s | -2147483648 |
 | test.c:665:7:665:8 | s2 | -4 |
-| test.c:670:7:670:7 | x | -2147483648 |
-| test.c:671:9:671:9 | y | -2147483648 |
-| test.c:675:7:675:7 | y | -2147483648 |
-| test.c:684:7:684:7 | x | -2147483648 |
-| test.c:689:7:689:7 | x | -2147483648 |
-| test.c:696:8:696:8 | x | 2147483647 |
-| test.c:696:12:696:12 | y | 256 |
-| test.c:697:9:697:9 | x | 2147483647 |
-| test.c:698:9:698:9 | y | 256 |
 | test.cpp:10:7:10:7 | b | -2147483648 |
 | test.cpp:11:5:11:5 | x | -2147483648 |
 | test.cpp:13:10:13:10 | x | -2147483648 |
@@ -656,18 +647,16 @@
 | test.cpp:97:10:97:10 | i | -2147483648 |
 | test.cpp:97:22:97:22 | i | -2147483648 |
 | test.cpp:98:5:98:5 | i | -2147483648 |
-| test.cpp:98:9:98:9 | i | -2147483648 |
-| test.cpp:99:5:99:5 | i | -2147483648 |
-| test.cpp:106:7:106:7 | n | -32768 |
-| test.cpp:109:7:109:7 | n | 0 |
-| test.cpp:110:5:110:5 | n | 1 |
-| test.cpp:112:5:112:5 | n | 0 |
-| test.cpp:115:8:115:8 | n | 0 |
-| test.cpp:116:5:116:5 | n | 0 |
-| test.cpp:118:5:118:5 | n | 1 |
-| test.cpp:121:3:121:3 | n | 0 |
-| test.cpp:121:8:121:8 | n | 1 |
-| test.cpp:121:12:121:12 | n | 0 |
-| test.cpp:122:4:122:4 | n | 0 |
-| test.cpp:122:8:122:8 | n | 0 |
-| test.cpp:122:12:122:12 | n | 1 |
+| test.cpp:105:7:105:7 | n | -32768 |
+| test.cpp:108:7:108:7 | n | 0 |
+| test.cpp:109:5:109:5 | n | 1 |
+| test.cpp:111:5:111:5 | n | 0 |
+| test.cpp:114:8:114:8 | n | 0 |
+| test.cpp:115:5:115:5 | n | 0 |
+| test.cpp:117:5:117:5 | n | 1 |
+| test.cpp:120:3:120:3 | n | 0 |
+| test.cpp:120:8:120:8 | n | 1 |
+| test.cpp:120:12:120:12 | n | 0 |
+| test.cpp:121:4:121:4 | n | 0 |
+| test.cpp:121:8:121:8 | n | 0 |
+| test.cpp:121:12:121:12 | n | 1 |

cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/ternaryLower.expected

@@ -15,5 +15,5 @@
 | test.c:394:20:394:36 | ... ? ... : ... | 0.0 | 0.0 | 100.0 |
 | test.c:606:5:606:14 | ... ? ... : ... | 0.0 | 1.0 | 0.0 |
 | test.c:607:5:607:14 | ... ? ... : ... | 0.0 | 0.0 | 1.0 |
-| test.cpp:121:3:121:12 | ... ? ... : ... | 0.0 | 1.0 | 0.0 |
-| test.cpp:122:3:122:12 | ... ? ... : ... | 0.0 | 0.0 | 1.0 |
+| test.cpp:120:3:120:12 | ... ? ... : ... | 0.0 | 1.0 | 0.0 |
+| test.cpp:121:3:121:12 | ... ? ... : ... | 0.0 | 0.0 | 1.0 |

cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/ternaryUpper.expected

@@ -15,5 +15,5 @@
 | test.c:394:20:394:36 | ... ? ... : ... | 100.0 | 99.0 | 100.0 |
 | test.c:606:5:606:14 | ... ? ... : ... | 32767.0 | 32767.0 | 0.0 |
 | test.c:607:5:607:14 | ... ? ... : ... | 32767.0 | 0.0 | 32767.0 |
-| test.cpp:121:3:121:12 | ... ? ... : ... | 32767.0 | 32767.0 | 0.0 |
-| test.cpp:122:3:122:12 | ... ? ... : ... | 32767.0 | 0.0 | 32767.0 |
+| test.cpp:120:3:120:12 | ... ? ... : ... | 32767.0 | 32767.0 | 0.0 |
+| test.cpp:121:3:121:12 | ... ? ... : ... | 32767.0 | 0.0 | 32767.0 |

cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/test.c

@@ -664,37 +664,3 @@ void test_mod(int s) {
   int s2 = s % 5;
   out(s2); // -4 .. 4
 }
-
-void exit(int);
-void guard_with_exit(int x, int y) {
-  if (x) {
-    if (y != 0) {
-      exit(0);
-    }
-  }
-  out(y); // ..
-
-  // This test ensures that we correctly identify
-  // that the upper bound for y is max_int when calling `out(y)`.
-  // The RangeSsa will place guardPhy on `out(y)`, and consequently there is no
-  // frontier phi node at out(y).
-}
-
-void test(int x) {
-  if (x >= 10) {
-    return;
-  }
-  // The basic below has two predecessors.
-label:
-  out(x);
-  goto label;
-}
-
-void test_overflow() {
-  const int x = 2147483647; // 2^31-1
-  const int y = 256;
-  if ((x + y) <= 512) {
-    out(x);
-    out(y);
-  }
-}

cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/test.cpp

@@ -95,7 +95,6 @@ int ref_to_number(int &i, const int &ci, int &aliased) {
     return alias;
 
   for (; i <= 12345; i++) { // test that widening works for references
-    i = i;
     i;
   }
 

cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/upperBound.expected

@@ -584,9 +584,9 @@
 | test.c:639:9:639:10 | ss | 2 |
 | test.c:645:8:645:8 | s | 2147483647 |
 | test.c:645:15:645:15 | s | 127 |
-| test.c:645:23:645:23 | s | 9 |
-| test.c:646:18:646:18 | s | 9 |
-| test.c:646:22:646:22 | s | 9 |
+| test.c:645:23:645:23 | s | 15 |
+| test.c:646:18:646:18 | s | 15 |
+| test.c:646:22:646:22 | s | 15 |
 | test.c:647:9:647:14 | result | 127 |
 | test.c:653:7:653:7 | i | 0 |
 | test.c:654:9:654:9 | i | 2147483647 |
@@ -594,15 +594,6 @@
 | test.c:659:9:659:9 | u | 4294967295 |
 | test.c:664:12:664:12 | s | 2147483647 |
 | test.c:665:7:665:8 | s2 | 4 |
-| test.c:670:7:670:7 | x | 2147483647 |
-| test.c:671:9:671:9 | y | 2147483647 |
-| test.c:675:7:675:7 | y | 2147483647 |
-| test.c:684:7:684:7 | x | 2147483647 |
-| test.c:689:7:689:7 | x | 15 |
-| test.c:696:8:696:8 | x | 2147483647 |
-| test.c:696:12:696:12 | y | 256 |
-| test.c:697:9:697:9 | x | 2147483647 |
-| test.c:698:9:698:9 | y | 256 |
 | test.cpp:10:7:10:7 | b | 2147483647 |
 | test.cpp:11:5:11:5 | x | 2147483647 |
 | test.cpp:13:10:13:10 | x | 2147483647 |
@@ -655,19 +646,17 @@
 | test.cpp:95:12:95:16 | alias | 2147483647 |
 | test.cpp:97:10:97:10 | i | 65535 |
 | test.cpp:97:22:97:22 | i | 32767 |
-| test.cpp:98:5:98:5 | i | 2147483647 |
-| test.cpp:98:9:98:9 | i | 12345 |
-| test.cpp:99:5:99:5 | i | 32767 |
-| test.cpp:106:7:106:7 | n | 32767 |
-| test.cpp:109:7:109:7 | n | 32767 |
-| test.cpp:110:5:110:5 | n | 32767 |
-| test.cpp:112:5:112:5 | n | 0 |
-| test.cpp:115:8:115:8 | n | 32767 |
-| test.cpp:116:5:116:5 | n | 0 |
-| test.cpp:118:5:118:5 | n | 32767 |
-| test.cpp:121:3:121:3 | n | 32767 |
-| test.cpp:121:8:121:8 | n | 32767 |
-| test.cpp:121:12:121:12 | n | 0 |
-| test.cpp:122:4:122:4 | n | 32767 |
-| test.cpp:122:8:122:8 | n | 0 |
-| test.cpp:122:12:122:12 | n | 32767 |
+| test.cpp:98:5:98:5 | i | 32767 |
+| test.cpp:105:7:105:7 | n | 32767 |
+| test.cpp:108:7:108:7 | n | 32767 |
+| test.cpp:109:5:109:5 | n | 32767 |
+| test.cpp:111:5:111:5 | n | 0 |
+| test.cpp:114:8:114:8 | n | 32767 |
+| test.cpp:115:5:115:5 | n | 0 |
+| test.cpp:117:5:117:5 | n | 32767 |
+| test.cpp:120:3:120:3 | n | 32767 |
+| test.cpp:120:8:120:8 | n | 32767 |
+| test.cpp:120:12:120:12 | n | 0 |
+| test.cpp:121:4:121:4 | n | 32767 |
+| test.cpp:121:8:121:8 | n | 0 |
+| test.cpp:121:12:121:12 | n | 32767 |

cpp/ql/test/query-tests/Critical/OverflowStatic/OverflowStatic.expected

@@ -9,10 +9,6 @@
 | test.c:15:9:15:13 | access to array | Potential buffer-overflow: 'xs' has size 5 but 'xs[6]' is accessed here. |
 | test.c:20:9:20:18 | access to array | Potential buffer-overflow: 'ys' has size 5 but 'ys[5]' is accessed here. |
 | test.c:21:9:21:18 | access to array | Potential buffer-overflow: 'ys' has size 5 but 'ys[6]' is accessed here. |
-| test.c:47:3:47:18 | access to array | Potential buffer-overflow: 'ptr' has size 8 but 'ptr[8]' is accessed here. |
-| test.c:54:3:54:26 | access to array | Potential buffer-overflow: 'ptr' has size 8 but 'ptr[8]' is accessed here. |
-| test.c:61:3:61:18 | access to array | Potential buffer-overflow: 'ptr' has size 8 but 'ptr[8]' is accessed here. |
-| test.c:72:3:72:11 | access to array | Potential buffer-overflow: 'buf' has size 1 but 'buf[1]' is accessed here. |
 | test.cpp:19:3:19:12 | access to array | Potential buffer-overflow: counter 'i' <= 3 but 'buffer1' has 3 elements. |
 | test.cpp:20:3:20:12 | access to array | Potential buffer-overflow: counter 'i' <= 3 but 'buffer2' has 3 elements. |
 | test.cpp:24:27:24:27 | 4 | Potential buffer-overflow: 'buffer1' has size 3 not 4. |

cpp/ql/test/query-tests/Critical/OverflowStatic/test.c

@@ -27,47 +27,3 @@ void f(void) {
     c = stru.zs[6]; // GOOD (zs is variable size)
 }
 
-void* malloc(long unsigned int);
-void test_buffer_sentinal() {
-  struct { char len; char buf[1]; } *b = malloc(10); // len(buf.buffer) effectively 8
-  b->buf[0] = 0; // GOOD
-  b->buf[7] = 0; // GOOD
-  b->buf[8] = 0; // BAD [NOT DETECTED]
-}
-
-union u {
-  unsigned long value;
-  char ptr[1];
-};
-
-void union_test() {
-  union u u;
-  u.ptr[0] = 0; // GOOD
-  u.ptr[sizeof(u)-1] = 0; // GOOD
-  u.ptr[sizeof(u)] = 0; // BAD
-}
-
-void test_struct_union() {
-  struct { union u u; } v;
-  v.u.ptr[0] = 0; // GOOD
-  v.u.ptr[sizeof(union u)-1] = 0; // GOOD
-  v.u.ptr[sizeof(union u)] = 0; // BAD
-}
-
-void union_test2() {
-  union { char ptr[1]; unsigned long value; } u;
-  u.ptr[0] = 0; // GOOD
-  u.ptr[sizeof(u)-1] = 0; // GOOD
-  u.ptr[sizeof(u)] = 0; // BAD
-}
-
-typedef struct {
-    char len;
-    char buf[1];
-} var_buf;
-
-void test_alloc() {
-  // Special case of taking sizeof without any addition or multiplications
-  var_buf *b = malloc(sizeof(var_buf));
-  b->buf[1] = 0; // BAD
-}

cpp/ql/test/query-tests/Critical/OverflowStatic/test.cpp

@@ -46,13 +46,3 @@ void f2(char *src)
 	ptr = &(buffer[1]);
 	memcpy(ptr, src, 100); // BAD [NOT DETECTED]
 }
-
-void f3() {
-    int i;
-    char buffer[5];
-    for (i=0; i<10; i++) {
-        if (i < 5) {
-            buffer[i] = 0; // GOOD
-        }
-    }
-}

cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.c

@@ -115,7 +115,7 @@ int twoReasons(int a, int b) {
   if (a <= 0 && b > 5) {
     return a < b;
   }
-  if (a <= 100 && b > 105) { // BUG [Not detected - this clause is always false]
+  if (a <= 100 && b > 105) {
     return a > b;
   }
   return 0;

cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp

@@ -1,134 +0,0 @@
-/**
- * This test case is closely based on CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp
- * from the SAMATE Juliet test suite.
- */
-
-#define NULL (0)
-
-typedef unsigned long size_t;
-typedef size_t time_t;
-time_t time(time_t *timer);
-
-typedef struct {} FILE;
-extern FILE *stdin;
-FILE *fopen(const char *filename, const char *mode);
-int fclose(FILE *stream);
-#define FILENAME_MAX (4096)
-
-typedef unsigned long size_t;
-size_t strlen(const char *s);
-char *strcat(char *s1, const char *s2);
-char *fgets(char *s, int n, FILE *stream);
-
-int globalReturnsTrue() 
-{
-    return 1;
-}
-
-int globalReturnsFalse() 
-{
-    return 0;
-}
-
-void printLine(const char *str);
-
-#define BASEPATH "c:\\temp\\"
-#define FOPEN fopen
-
-namespace CWE23_Relative_Path_Traversal__char_console_fopen_11
-{
-
-void bad()
-{
-    char * data;
-    char dataBuffer[FILENAME_MAX] = BASEPATH;
-    data = dataBuffer;
-    if(globalReturnsTrue())
-    {
-        {
-            /* Read input from the console */
-            size_t dataLen = strlen(data);
-            /* if there is room in data, read into it from the console */
-            if (FILENAME_MAX-dataLen > 1)
-            {
-                /* POTENTIAL FLAW: Read data from the console */
-                if (fgets(data+dataLen, (int)(FILENAME_MAX-dataLen), stdin) != NULL)
-                {
-                    /* The next few lines remove the carriage return from the string that is
-                     * inserted by fgets() */
-                    dataLen = strlen(data);
-                    if (dataLen > 0 && data[dataLen-1] == '\n')
-                    {
-                        data[dataLen-1] = '\0';
-                    }
-                }
-                else
-                {
-                    printLine("fgets() failed");
-                    /* Restore NUL terminator if fgets fails */
-                    data[dataLen] = '\0';
-                }
-            }
-        }
-    }
-    {
-        FILE *pFile = NULL;
-        /* POTENTIAL FLAW: Possibly opening a file without validating the file name or path */
-        pFile = FOPEN(data, "wb+");
-        if (pFile != NULL)
-        {
-            fclose(pFile);
-        }
-    }
-}
-
-/* goodG2B1() - use goodsource and badsink by changing the globalReturnsTrue() to globalReturnsFalse() */
-static void goodG2B1()
-{
-    char * data;
-    char dataBuffer[FILENAME_MAX] = BASEPATH;
-    data = dataBuffer;
-    if(globalReturnsFalse())
-    {
-        /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
-        printLine("Benign, fixed string");
-    }
-    else
-    {
-        /* FIX: Use a fixed file name */
-        strcat(data, "file.txt");
-    }
-    {
-        FILE *pFile = NULL;
-        /* POTENTIAL FLAW: Possibly opening a file without validating the file name or path */
-        pFile = FOPEN(data, "wb+");
-        if (pFile != NULL)
-        {
-            fclose(pFile);
-        }
-    }
-}
-
-/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
-static void goodG2B2()
-{
-    char * data;
-    char dataBuffer[FILENAME_MAX] = BASEPATH;
-    data = dataBuffer;
-    if(globalReturnsTrue())
-    {
-        /* FIX: Use a fixed file name */
-        strcat(data, "file.txt");
-    }
-    {
-        FILE *pFile = NULL;
-        /* POTENTIAL FLAW: Possibly opening a file without validating the file name or path */
-        pFile = FOPEN(data, "wb+");
-        if (pFile != NULL)
-        {
-            fclose(pFile);
-        }
-    }
-}
-
-}

cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.expected

@@ -1,18 +0,0 @@
-edges
-| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | ... + ... | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | (const char *)... |
-| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | ... + ... | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data |
-| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | ... + ... | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data indirection |
-| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | (const char *)... |
-| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data |
-| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data indirection |
-subpaths
-nodes
-| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | ... + ... | semmle.label | ... + ... |
-| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | semmle.label | fgets output argument |
-| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | (const char *)... | semmle.label | (const char *)... |
-| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | (const char *)... | semmle.label | (const char *)... |
-| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | semmle.label | data |
-| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data indirection | semmle.label | data indirection |
-| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data indirection | semmle.label | data indirection |
-#select
-| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | ... + ... | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | This argument to a file access function is derived from $@ and then passed to fopen(filename) | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | ... + ... | user input (fgets) |

cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.qlref

@@ -1 +0,0 @@
-Security/CWE/CWE-022/TaintedPath.ql

cpp/ql/test/query-tests/Security/CWE/CWE-022/semmle/tests/TaintedPath.expected

@@ -5,7 +5,6 @@ edges
 | test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName |
 | test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName indirection |
 | test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName indirection |
-subpaths
 nodes
 | test.c:9:23:9:26 | argv | semmle.label | argv |
 | test.c:9:23:9:26 | argv | semmle.label | argv |

cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.expected

@@ -1 +0,0 @@
-| tests.cpp:53:16:53:19 | data | This argument to an OS command is derived from $@ and then passed to system(string) | tests.cpp:33:34:33:39 | call to getenv | user input (getenv) |

cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.qlref

@@ -1 +0,0 @@
-Security/CWE/CWE-078/ExecTainted.ql

cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/tests.cpp

@@ -1,58 +0,0 @@
-//semmle-extractor-options: --edg --target --edg win64
-
-// A selection of tests from the SAMATE Juliet framework for rule CWE-78.
-
-// library types, functions etc
-#define NULL (0)
-typedef unsigned long size_t;
-size_t strlen(const char *s);
-char *strncat(char *s1, const char *s2, size_t n);
-char *getenv(const char *name);
-int system(const char *string);
-void exit(int status);
-
-#define FULL_COMMAND "dir "
-#define ENV_VARIABLE "ADD"
-#define GETENV getenv
-#define SYSTEM system
-
-void printLine(const char *str);
-
-// ----------
-
-/* The static variable below is used to drive control flow in the source function */
-static int badStatic = 0;
-
-static char * badSource(char * data)
-{
-    if(badStatic)
-    {
-        {
-            /* Append input from an environment variable to data */
-            size_t dataLen = strlen(data);
-            char * environment = GETENV(ENV_VARIABLE);
-            /* If there is data in the environment variable */
-            if (environment != NULL)
-            {
-                /* POTENTIAL FLAW: Read data from an environment variable */
-                strncat(data+dataLen, environment, 100-dataLen-1);
-            }
-        }
-    }
-    return data;
-}
-
-void CWE78_OS_Command_Injection__char_environment_system_21_bad()
-{
-    char * data;
-    char data_buf[100] = FULL_COMMAND;
-    data = data_buf;
-    badStatic = 1; /* true */
-    data = badSource(data);
-    /* POTENTIAL FLAW: Execute command in data possibly leading to command injection [NOT DETECTED] */
-    if (SYSTEM(data) != 0)
-    {
-        printLine("command execution failed!");
-        exit(1);
-    }
-}

cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected

@@ -24,7 +24,6 @@ edges
 | search.c:55:17:55:25 | raw_query indirection | search.c:14:24:14:28 | *query |
 | search.c:57:5:57:15 | raw_query | search.c:22:24:22:28 | query |
 | search.c:57:17:57:25 | raw_query indirection | search.c:22:24:22:28 | *query |
-subpaths
 nodes
 | search.c:14:24:14:28 | *query | semmle.label | *query |
 | search.c:14:24:14:28 | query | semmle.label | query |

cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/SqlTainted.expected

@@ -5,15 +5,6 @@ edges
 | test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 |
 | test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 indirection |
 | test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 indirection |
-| test.cpp:43:27:43:30 | argv | test.cpp:43:27:43:33 | (const char *)... |
-| test.cpp:43:27:43:30 | argv | test.cpp:43:27:43:33 | (const char *)... |
-| test.cpp:43:27:43:30 | argv | test.cpp:43:27:43:33 | access to array |
-| test.cpp:43:27:43:30 | argv | test.cpp:43:27:43:33 | access to array |
-| test.cpp:43:27:43:30 | argv | test.cpp:43:27:43:33 | access to array |
-| test.cpp:43:27:43:30 | argv | test.cpp:43:27:43:33 | access to array |
-| test.cpp:43:27:43:30 | argv | test.cpp:43:27:43:33 | access to array indirection |
-| test.cpp:43:27:43:30 | argv | test.cpp:43:27:43:33 | access to array indirection |
-subpaths
 nodes
 | test.c:15:20:15:23 | argv | semmle.label | argv |
 | test.c:15:20:15:23 | argv | semmle.label | argv |
@@ -22,15 +13,5 @@ nodes
 | test.c:21:18:21:23 | query1 | semmle.label | query1 |
 | test.c:21:18:21:23 | query1 indirection | semmle.label | query1 indirection |
 | test.c:21:18:21:23 | query1 indirection | semmle.label | query1 indirection |
-| test.cpp:43:27:43:30 | argv | semmle.label | argv |
-| test.cpp:43:27:43:30 | argv | semmle.label | argv |
-| test.cpp:43:27:43:33 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:43:27:43:33 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:43:27:43:33 | access to array | semmle.label | access to array |
-| test.cpp:43:27:43:33 | access to array | semmle.label | access to array |
-| test.cpp:43:27:43:33 | access to array | semmle.label | access to array |
-| test.cpp:43:27:43:33 | access to array indirection | semmle.label | access to array indirection |
-| test.cpp:43:27:43:33 | access to array indirection | semmle.label | access to array indirection |
 #select
 | test.c:21:18:21:23 | query1 | test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg) | test.c:15:20:15:23 | argv | user input (argv) |
-| test.cpp:43:27:43:33 | access to array | test.cpp:43:27:43:30 | argv | test.cpp:43:27:43:33 | access to array | This argument to a SQL query function is derived from $@ and then passed to pqxx::work::exec1((unnamed parameter 0)) | test.cpp:43:27:43:30 | argv | user input (argv) |

cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/test.cpp

@@ -1,48 +0,0 @@
-int sprintf(char* str, const char* format, ...);
-
-namespace std
-{
-	template<class charT> struct char_traits;
-
-	template <class T> class allocator {
-	public:
-		allocator() throw();
-	};
-	
-	template<class charT, class traits = char_traits<charT>, class Allocator = allocator<charT> >
-	class basic_string {
-	public:
-		explicit basic_string(const Allocator& a = Allocator());
-		basic_string(const charT* s, const Allocator& a = Allocator());
-
-		const charT* c_str() const;
-	};
-
-	typedef basic_string<char> string;
-}
-
-namespace pqxx {
-    struct connection {};
-
-    struct row {};
-    struct result {};
-
-    struct work {
-      work(connection&);
-
-      row exec1(const char*);
-      result exec(const std::string&);
-      std::string quote(const char*);
-    };
-}
-
-int main(int argc, char** argv) {
-    pqxx::connection c;
-    pqxx::work w(c);
-    
-    pqxx::row r = w.exec1(argv[1]); // BAD
-    
-    pqxx::result r2 = w.exec(w.quote(argv[1])); // GOOD
-
-    return 0;
-}

cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.expected

@@ -1,31 +0,0 @@
-edges
-| test.cpp:37:73:37:76 | *data | test.cpp:43:32:43:35 | (LPCSTR)... |
-| test.cpp:37:73:37:76 | *data | test.cpp:43:32:43:35 | data |
-| test.cpp:37:73:37:76 | *data | test.cpp:43:32:43:35 | data indirection |
-| test.cpp:37:73:37:76 | data | test.cpp:43:32:43:35 | (LPCSTR)... |
-| test.cpp:37:73:37:76 | data | test.cpp:43:32:43:35 | data |
-| test.cpp:37:73:37:76 | data | test.cpp:43:32:43:35 | data |
-| test.cpp:37:73:37:76 | data | test.cpp:43:32:43:35 | data indirection |
-| test.cpp:64:30:64:35 | call to getenv | test.cpp:73:17:73:22 | data |
-| test.cpp:64:30:64:35 | call to getenv | test.cpp:73:17:73:22 | data |
-| test.cpp:64:30:64:35 | call to getenv | test.cpp:73:24:73:27 | data indirection |
-| test.cpp:64:30:64:35 | call to getenv | test.cpp:73:24:73:27 | data indirection |
-| test.cpp:73:17:73:22 | data | test.cpp:37:73:37:76 | data |
-| test.cpp:73:24:73:27 | data indirection | test.cpp:37:73:37:76 | *data |
-subpaths
-nodes
-| test.cpp:37:73:37:76 | *data | semmle.label | *data |
-| test.cpp:37:73:37:76 | data | semmle.label | data |
-| test.cpp:43:32:43:35 | (LPCSTR)... | semmle.label | (LPCSTR)... |
-| test.cpp:43:32:43:35 | (LPCSTR)... | semmle.label | (LPCSTR)... |
-| test.cpp:43:32:43:35 | data | semmle.label | data |
-| test.cpp:43:32:43:35 | data | semmle.label | data |
-| test.cpp:43:32:43:35 | data | semmle.label | data |
-| test.cpp:43:32:43:35 | data indirection | semmle.label | data indirection |
-| test.cpp:43:32:43:35 | data indirection | semmle.label | data indirection |
-| test.cpp:64:30:64:35 | call to getenv | semmle.label | call to getenv |
-| test.cpp:64:30:64:35 | call to getenv | semmle.label | call to getenv |
-| test.cpp:73:17:73:22 | data | semmle.label | data |
-| test.cpp:73:24:73:27 | data indirection | semmle.label | data indirection |
-#select
-| test.cpp:43:32:43:35 | data | test.cpp:64:30:64:35 | call to getenv | test.cpp:43:32:43:35 | data | The value of this argument may come from $@ and is being passed to LoadLibraryA | test.cpp:64:30:64:35 | call to getenv | call to getenv |

cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.qlref

@@ -1 +0,0 @@
-Security/CWE/CWE-114/UncontrolledProcessOperation.ql

cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/test.cpp

@@ -1,132 +0,0 @@
-// Some SAMATE Juliet test cases for CWE-114.
-
-typedef unsigned long size_t;
-typedef unsigned int BOOL;
-typedef const char *LPCSTR;
-typedef void *HMODULE;
-#define NULL (0)
-
-size_t strlen(const char *s);
-char *strncat(char *s1, const char *s2, size_t n);
-
-HMODULE LoadLibraryA(LPCSTR libname);
-BOOL FreeLibrary(HMODULE hModule);
-
-char *getenv(const char *name);
-
-#define GETENV getenv
-#define ENV_VARIABLE "ADD"
-
-void printLine(const char *msg);
-
-// --- CWE114_Process_Control__w32_char_environment_82 ---
-
-class CWE114_Process_Control__w32_char_environment_82_base
-{
-public:
-    /* pure virtual function */
-    virtual void action(char * data) = 0;
-};
-
-class CWE114_Process_Control__w32_char_environment_82_bad : public CWE114_Process_Control__w32_char_environment_82_base
-{
-public:
-    void action(char * data);
-};
-
-void CWE114_Process_Control__w32_char_environment_82_bad::action(char * data)
-{
-    {
-        HMODULE hModule;
-        /* POTENTIAL FLAW: If the path to the library is not specified, an attacker may be able to
-         * replace his own file with the intended library */
-        hModule = LoadLibraryA(data);
-        if (hModule != NULL)
-        {
-            FreeLibrary(hModule);
-            printLine("Library loaded and freed successfully");
-        }
-        else
-        {
-            printLine("Unable to load library");
-        }
-    }
-}
-
-void bad()
-{
-    char * data;
-    char dataBuffer[100] = "";
-    data = dataBuffer;
-    {
-        /* Append input from an environment variable to data */
-        size_t dataLen = strlen(data);
-        char * environment = GETENV(ENV_VARIABLE);
-        /* If there is data in the environment variable */
-        if (environment != NULL)
-        {
-            /* POTENTIAL FLAW: Read data from an environment variable */
-            strncat(data+dataLen, environment, 100-dataLen-1);
-        }
-    }
-    CWE114_Process_Control__w32_char_environment_82_base* baseObject = new CWE114_Process_Control__w32_char_environment_82_bad;
-    baseObject->action(data);
-    delete baseObject;
-}
-
-// --- CWE114_Process_Control__w32_char_console_33 ---
-
-typedef struct {} FILE;
-char *fgets(char *s, int n, FILE *stream);
-FILE *stdin;
-
-void CWE114_Process_Control__w32_char_console_33_bad()
-{
-    char * data;
-    char * &dataRef = data;
-    char dataBuffer[100] = "";
-    data = dataBuffer;
-    {
-        /* Read input from the console */
-        size_t dataLen = strlen(data);
-        /* if there is room in data, read into it from the console */
-        if (100-dataLen > 1)
-        {
-            /* POTENTIAL FLAW: Read data from the console [NOT DETECTED] */
-            if (fgets(data+dataLen, (int)(100-dataLen), stdin) != NULL)
-            {
-                /* The next few lines remove the carriage return from the string that is
-                 * inserted by fgets() */
-                dataLen = strlen(data);
-                if (dataLen > 0 && data[dataLen-1] == '\n')
-                {
-                    data[dataLen-1] = '\0';
-                }
-            }
-            else
-            {
-                printLine("fgets() failed");
-                /* Restore NUL terminator if fgets fails */
-                data[dataLen] = '\0';
-            }
-        }
-    }
-    {
-        char * data = dataRef;
-        {
-            HMODULE hModule;
-            /* POTENTIAL FLAW: If the path to the library is not specified, an attacker may be able to
-             * replace his own file with the intended library */
-            hModule = LoadLibraryA(data);
-            if (hModule != NULL)
-            {
-                FreeLibrary(hModule);
-                printLine("Library loaded and freed successfully");
-            }
-            else
-            {
-                printLine("Unable to load library");
-            }
-        }
-    }
-}

cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected

@@ -47,7 +47,6 @@ edges
 | test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | (const char *)... |
 | test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | buffer |
 | test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | buffer indirection |
-subpaths
 nodes
 | test.cpp:24:30:24:36 | *command | semmle.label | *command |
 | test.cpp:24:30:24:36 | command | semmle.label | command |

cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/BadlyBoundedWrite.expected

@@ -1,4 +0,0 @@
-| tests.cpp:350:13:350:19 | call to strncat | This 'call to strncat' operation is limited to 100 bytes but the destination is only 50 bytes. |
-| tests.cpp:452:9:452:15 | call to wcsncpy | This 'call to wcsncpy' operation is limited to 396 bytes but the destination is only 200 bytes. |
-| tests.cpp:481:9:481:16 | call to swprintf | This 'call to swprintf' operation is limited to 400 bytes but the destination is only 200 bytes. |
-| tests.cpp:630:13:630:20 | call to swprintf | This 'call to swprintf' operation is limited to 400 bytes but the destination is only 200 bytes. |

cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/BadlyBoundedWrite.qlref

@@ -1 +0,0 @@
-Security/CWE/CWE-120/BadlyBoundedWrite.ql

cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OffsetUseBeforeRangeCheck.qlref

@@ -1 +0,0 @@
-Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql

cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowBuffer.expected

@@ -1,19 +0,0 @@
-| tests.cpp:45:9:45:14 | call to memcpy | This 'memcpy' operation accesses 32 bytes but the $@ is only 16 bytes. | tests.cpp:32:10:32:18 | charFirst | destination buffer |
-| tests.cpp:60:9:60:14 | call to memcpy | This 'memcpy' operation accesses 32 bytes but the $@ is only 16 bytes. | tests.cpp:32:10:32:18 | charFirst | destination buffer |
-| tests.cpp:171:9:171:14 | call to memcpy | This 'memcpy' operation accesses 100 bytes but the $@ is only 50 bytes. | tests.cpp:164:20:164:25 | call to malloc | destination buffer |
-| tests.cpp:172:9:172:19 | access to array | This array indexing operation accesses byte offset 99 but the $@ is only 50 bytes. | tests.cpp:164:20:164:25 | call to malloc | array |
-| tests.cpp:192:9:192:14 | call to memcpy | This 'memcpy' operation accesses 100 bytes but the $@ is only 50 bytes. | tests.cpp:181:10:181:22 | dataBadBuffer | destination buffer |
-| tests.cpp:192:9:192:14 | call to memcpy | This 'memcpy' operation accesses 100 bytes but the $@ is only 50 bytes. | tests.cpp:185:12:185:24 | dataBadBuffer | destination buffer |
-| tests.cpp:193:9:193:19 | access to array | This array indexing operation accesses byte offset 99 but the $@ is only 50 bytes. | tests.cpp:181:10:181:22 | dataBadBuffer | array |
-| tests.cpp:193:9:193:19 | access to array | This array indexing operation accesses byte offset 99 but the $@ is only 50 bytes. | tests.cpp:185:12:185:24 | dataBadBuffer | array |
-| tests.cpp:212:9:212:14 | call to memcpy | This 'memcpy' operation accesses 100 bytes but the $@ is only 50 bytes. | tests.cpp:201:36:201:41 | call to alloca | destination buffer |
-| tests.cpp:212:9:212:14 | call to memcpy | This 'memcpy' operation accesses 100 bytes but the $@ is only 50 bytes. | tests.cpp:205:12:205:24 | dataBadBuffer | destination buffer |
-| tests.cpp:213:9:213:19 | access to array | This array indexing operation accesses byte offset 99 but the $@ is only 50 bytes. | tests.cpp:201:36:201:41 | call to alloca | array |
-| tests.cpp:213:9:213:19 | access to array | This array indexing operation accesses byte offset 99 but the $@ is only 50 bytes. | tests.cpp:205:12:205:24 | dataBadBuffer | array |
-| tests.cpp:237:9:237:19 | access to array | This array indexing operation accesses byte offset 99 but the $@ is only 50 bytes. | tests.cpp:221:36:221:41 | call to alloca | array |
-| tests.cpp:237:9:237:19 | access to array | This array indexing operation accesses byte offset 99 but the $@ is only 50 bytes. | tests.cpp:225:12:225:24 | dataBadBuffer | array |
-| tests.cpp:261:9:261:19 | access to array | This array indexing operation accesses byte offset 99 but the $@ is only 50 bytes. | tests.cpp:245:10:245:22 | dataBadBuffer | array |
-| tests.cpp:261:9:261:19 | access to array | This array indexing operation accesses byte offset 99 but the $@ is only 50 bytes. | tests.cpp:249:12:249:24 | dataBadBuffer | array |
-| tests.cpp:384:9:384:14 | call to memcpy | This 'memcpy' operation accesses 40 bytes but the $@ is only 10 bytes. | tests.cpp:380:19:380:24 | call to alloca | destination buffer |
-| tests.cpp:434:9:434:19 | access to array | This array indexing operation accesses byte offset 399 but the $@ is only 200 bytes. | tests.cpp:422:12:422:26 | new[] | array |
-| tests.cpp:453:9:453:19 | access to array | This array indexing operation accesses byte offset 399 but the $@ is only 200 bytes. | tests.cpp:445:12:445:26 | new[] | array |

cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowBuffer.qlref

@@ -1 +0,0 @@
-Security/CWE/CWE-119/OverflowBuffer.ql

cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowDestination.qlref

@@ -1 +0,0 @@
-Critical/OverflowDestination.ql

cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowStatic.expected

@@ -1,2 +0,0 @@
-| tests.cpp:45:51:45:72 | sizeof(<expr>) | Potential buffer-overflow: 'charFirst' has size 16 not 32. |
-| tests.cpp:60:52:60:74 | sizeof(<expr>) | Potential buffer-overflow: 'charFirst' has size 16 not 32. |

cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowStatic.qlref

@@ -1 +0,0 @@
-Critical/OverflowStatic.ql

cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWrite.qlref

@@ -1 +0,0 @@
-Security/CWE/CWE-120/OverrunWrite.ql

cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteFloat.qlref

@@ -1 +0,0 @@
-Security/CWE/CWE-120/OverrunWriteFloat.ql

cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/StrncpyFlippedArgs.expected

@@ -1,3 +0,0 @@
-| tests.cpp:290:13:290:19 | call to wcsncpy | Potentially unsafe call to wcsncpy; third argument should be size of destination. |
-| tests.cpp:306:4:306:10 | call to wcsncpy | Potentially unsafe call to wcsncpy; third argument should be size of destination. |
-| tests.cpp:452:9:452:15 | call to wcsncpy | Potentially unsafe call to wcsncpy; third argument should be size of destination. |

cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/StrncpyFlippedArgs.qlref

@@ -1 +0,0 @@
-Likely Bugs/Memory Management/StrncpyFlippedArgs.ql

cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/UnboundedWrite.expected

@@ -1,4 +0,0 @@
-edges
-subpaths
-nodes
-#select

cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/UnboundedWrite.qlref

@@ -1 +0,0 @@
-Security/CWE/CWE-120/UnboundedWrite.ql

cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/tests.cpp

@@ -1,671 +0,0 @@
-// A sample of tests from the SAMATE Juliet framework for rule CWE-119.
-
-// library types, functions etc
-typedef unsigned long size_t;
-void *malloc(size_t size);
-void *alloca(size_t size);
-void free(void *ptr);
-#define ALLOCA alloca
-
-void *memcpy(void *s1, const void *s2, size_t n);
-void *memset(void *s, int c, size_t n);
-char *strcpy(char *s1, const char *s2);
-size_t strlen(const char *s);
-
-void exit(int status);
-
-typedef unsigned int DWORD;
-DWORD GetCurrentDirectoryA(DWORD bufferLength, char *buffer);
-bool PathAppendA(char *path, const char *more);
-#define MAX_PATH 4096
-
-void printLine(const char *str);
-void printSizeTLine(size_t val);
-void printIntLine(int val);
-
-// ----------
-
-#define SRC_STR "0123456789abcde0123"
-
-typedef struct _charVoid
-{
-    char charFirst[16];
-    void * voidSecond;
-    void * voidThird;
-} charVoid;
-
-void CWE121_Stack_Based_Buffer_Overflow__char_type_overrun_memcpy_01_bad()
-{
-    {
-        charVoid structCharVoid;
-        structCharVoid.voidSecond = (void *)SRC_STR;
-        /* Print the initial block pointed to by structCharVoid.voidSecond */
-        printLine((char *)structCharVoid.voidSecond);
-        /* FLAW: Use the sizeof(structCharVoid) which will overwrite the pointer voidSecond */
-        memcpy(structCharVoid.charFirst, SRC_STR, sizeof(structCharVoid));
-        structCharVoid.charFirst[(sizeof(structCharVoid.charFirst)/sizeof(char))-1] = '\0'; /* null terminate the string */
-        printLine((char *)structCharVoid.charFirst);
-        printLine((char *)structCharVoid.voidSecond);
-    }
-}
-
-void CWE122_Heap_Based_Buffer_Overflow__char_type_overrun_memcpy_01_bad()
-{
-    {
-        charVoid * structCharVoid = (charVoid *)malloc(sizeof(charVoid));
-        structCharVoid->voidSecond = (void *)SRC_STR;
-        /* Print the initial block pointed to by structCharVoid->voidSecond */
-        printLine((char *)structCharVoid->voidSecond);
-        /* FLAW: Use the sizeof(*structCharVoid) which will overwrite the pointer y */
-        memcpy(structCharVoid->charFirst, SRC_STR, sizeof(*structCharVoid));
-        structCharVoid->charFirst[(sizeof(structCharVoid->charFirst)/sizeof(char))-1] = '\0'; /* null terminate the string */
-        printLine((char *)structCharVoid->charFirst);
-        printLine((char *)structCharVoid->voidSecond);
-        free(structCharVoid);
-    }
-}
-
-void CWE124_Buffer_Underwrite__char_alloca_cpy_01_bad()
-{
-    char * data;
-    char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
-    memset(dataBuffer, 'A', 100-1);
-    dataBuffer[100-1] = '\0';
-    /* FLAW: Set data pointer to before the allocated memory buffer */
-    data = dataBuffer - 8;
-    {
-        char source[100];
-        memset(source, 'C', 100-1); /* fill with 'C's */
-        source[100-1] = '\0'; /* null terminate */
-        /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
-        strcpy(data, source); // [NOT DETECTED]
-        printLine(data);
-    }
-}
-
-void CWE126_Buffer_Overread__char_alloca_loop_01_bad()
-{
-    char * data;
-    char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));
-    char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));
-    memset(dataBadBuffer, 'A', 50-1); /* fill with 'A's */
-    dataBadBuffer[50-1] = '\0'; /* null terminate */
-    memset(dataGoodBuffer, 'A', 100-1); /* fill with 'A's */
-    dataGoodBuffer[100-1] = '\0'; /* null terminate */
-    /* FLAW: Set data pointer to a small buffer */
-    data = dataBadBuffer;
-    {
-        size_t i, destLen;
-        char dest[100];
-        memset(dest, 'C', 100-1);
-        dest[100-1] = '\0'; /* null terminate */
-        destLen = strlen(dest);
-        /* POTENTIAL FLAW: using length of the dest where data
-         * could be smaller than dest causing buffer overread */
-        for (i = 0; i < destLen; i++)
-        {
-            dest[i] = data[i]; // [NOT DETECTED]
-        }
-        dest[100-1] = '\0';
-        printLine(dest);
-    }
-}
-
-void CWE127_Buffer_Underread__char_alloca_cpy_01_bad()
-{
-    char * data;
-    char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
-    memset(dataBuffer, 'A', 100-1);
-    dataBuffer[100-1] = '\0';
-    /* FLAW: Set data pointer to before the allocated memory buffer */
-    data = dataBuffer - 8;
-    {
-        char dest[100*2];
-        memset(dest, 'C', 100*2-1); /* fill with 'C's */
-        dest[100*2-1] = '\0'; /* null terminate */
-        /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
-        strcpy(dest, data); // [NOT DETECTED]
-        printLine(dest);
-    }
-}
-
-#define BAD_PATH_SIZE (MAX_PATH / 2) /* maintenance note: must be < MAX_PATH in order for 'bad' to be 'bad' */
-
-void CWE785_Path_Manipulation_Function_Without_Max_Sized_Buffer__w32_01_bad()
-{
-    {
-        char path[BAD_PATH_SIZE];
-        DWORD length;
-        length = GetCurrentDirectoryA(BAD_PATH_SIZE, path);
-        if (length == 0 || length >= BAD_PATH_SIZE) /* failure conditions for this API call */
-        {
-            exit(1);
-        }
-        /* FLAW: PathAppend assumes the 'path' parameter is MAX_PATH */
-        /* INCIDENTAL: CWE 121 stack based buffer overflow, which is intrinsic to
-         * this example identified on the CWE webpage */
-        if (!PathAppendA(path, "AAAAAAAAAAAA")) // [NOT DETECTED]
-        {
-            exit(1);
-        }
-        printSizeTLine(strlen(path));
-        printIntLine(BAD_PATH_SIZE);
-        printLine(path);
-    }
-}
-
-#define NULL (0)
-
-void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_01_bad()
-{
-    char * data;
-    data = NULL;
-    /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
-    data = (char *)malloc(50*sizeof(char));
-    data[0] = '\0'; /* null terminate */
-    {
-        char source[100];
-        memset(source, 'C', 100-1); /* fill with 'C's */
-        source[100-1] = '\0'; /* null terminate */
-        /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
-        memcpy(data, source, 100*sizeof(char));
-        data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
-        printLine(data);
-        free(data);
-    }
-}
-
-void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_01_bad()
-{
-    char * data;
-    char dataBadBuffer[50];
-    char dataGoodBuffer[100];
-    /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
-     * buffer in various memory copying functions using a "large" source buffer. */
-    data = dataBadBuffer;
-    data[0] = '\0'; /* null terminate */
-    {
-        char source[100];
-        memset(source, 'C', 100-1); /* fill with 'C's */
-        source[100-1] = '\0'; /* null terminate */
-        /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
-        memcpy(data, source, 100*sizeof(char));
-        data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
-        printLine(data);
-    }
-}
-
-void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_memcpy_01_bad()
-{
-    char * data;
-    char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));
-    char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));
-    /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
-     * buffer in various memory copying functions using a "large" source buffer. */
-    data = dataBadBuffer;
-    data[0] = '\0'; /* null terminate */
-    {
-        char source[100];
-        memset(source, 'C', 100-1); /* fill with 'C's */
-        source[100-1] = '\0'; /* null terminate */
-        /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
-        memcpy(data, source, 100*sizeof(char));
-        data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
-        printLine(data);
-    }
-}
-
-void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_loop_01_bad()
-{
-    char * data;
-    char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));
-    char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));
-    /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
-     * buffer in various memory copying functions using a "large" source buffer. */
-    data = dataBadBuffer;
-    data[0] = '\0'; /* null terminate */
-    {
-        size_t i;
-        char source[100];
-        memset(source, 'C', 100-1); /* fill with 'C's */
-        source[100-1] = '\0'; /* null terminate */
-        /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
-        for (i = 0; i < 100; i++)
-        {
-            data[i] = source[i];
-        }
-        data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
-        printLine(data);
-    }
-}
-
-void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_01_bad()
-{
-    char * data;
-    char dataBadBuffer[50];
-    char dataGoodBuffer[100];
-    /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
-     * buffer in various memory copying functions using a "large" source buffer. */
-    data = dataBadBuffer;
-    data[0] = '\0'; /* null terminate */
-    {
-        size_t i;
-        char source[100];
-        memset(source, 'C', 100-1); /* fill with 'C's */
-        source[100-1] = '\0'; /* null terminate */
-        /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
-        for (i = 0; i < 100; i++)
-        {
-            data[i] = source[i];
-        }
-        data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
-        printLine(data);
-    }
-}
-
-wchar_t *wcsncpy(wchar_t *destination, const wchar_t *source, size_t num);
-size_t wcslen(const wchar_t *str);
-char *strcat(char *destination, const char *source);
-char *strncat(char *destination, const char *source, size_t num);
-
-void *memmove(void *destination, const void *source, size_t num);
-
-void printWLine(const wchar_t *line);
-
-/* MAINTENANCE NOTE: The length of this string should equal the 10 */
-#define SRC_STRING L"AAAAAAAAAA"
-
-namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_wchar_t_ncpy_01
-{
-    void bad()
-    {
-        wchar_t * data;
-        data = NULL;
-        /* FLAW: Did not leave space for a null terminator */
-        data = new wchar_t[10];
-        {
-            wchar_t source[10+1] = SRC_STRING;
-            /* Copy length + 1 to include NUL terminator from source */
-            /* POTENTIAL FLAW: data may not have enough space to hold source */
-            wcsncpy(data, source, wcslen(source) + 1);
-            printWLine(data);
-            delete [] data;
-        }
-    }
-    
-    static void goodG2B()
-	{
-		wchar_t * data;
-		data = NULL;
-		/* FIX: Allocate space for a null terminator */
-		data = new wchar_t[10+1];
-		{
-			wchar_t source[10+1] = SRC_STRING;
-			/* Copy length + 1 to include NUL terminator from source */
-			/* POTENTIAL FLAW: data may not have enough space to hold source */
-			wcsncpy(data, source, wcslen(source) + 1); // [FALSE POSITIVE RESULT] (debatable)
-			printWLine(data);
-			delete [] data;
-		}
-	}
-} /* close namespace */
-
-namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_wchar_t_memmove_31
-{
-    void bad()
-    {
-        wchar_t * data;
-        data = NULL;
-        /* FLAW: Did not leave space for a null terminator */
-        data = new wchar_t[10];
-        {
-            wchar_t * dataCopy = data;
-            wchar_t * data = dataCopy;
-            {
-                wchar_t source[10+1] = SRC_STRING;
-                /* Copy length + 1 to include NUL terminator from source */
-                /* POTENTIAL FLAW: data may not have enough space to hold source */
-                memmove(data, source, (wcslen(source) + 1) * sizeof(wchar_t)); // [NOT DETECTED]
-                printWLine(data);
-                delete [] data;
-            }
-        }
-    }
-} /* close namespace */
-
-namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_ncat_01
-{
-    void bad()
-    {
-        char * data;
-        data = NULL;
-        /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
-        data = new char[50];
-        data[0] = '\0'; /* null terminate */
-        {
-            char source[100];
-            memset(source, 'C', 100-1); /* fill with 'C's */
-            source[100-1] = '\0'; /* null terminate */
-            /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
-            strncat(data, source, 100);
-            printLine(data);
-            delete [] data;
-        }
-    }
-} /* close namespace */
-
-void CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_01_bad()
-{
-    char * data;
-    data = NULL;
-    /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
-    data = (char *)malloc(50*sizeof(char));
-    data[0] = '\0'; /* null terminate */
-    {
-        char source[100];
-        memset(source, 'C', 100-1); /* fill with 'C's */
-        source[100-1] = '\0'; /* null terminate */
-        /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
-        strcat(data, source); // [NOT DETECTED]
-        printLine(data);
-        free(data);
-    }
-}
-
-void CWE121_Stack_Based_Buffer_Overflow__CWE131_memcpy_01_bad()
-{
-    int * data;
-    data = NULL;
-    /* FLAW: Allocate memory without using sizeof(int) */
-    data = (int *)ALLOCA(10);
-    {
-        int source[10] = {0};
-        /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */
-        memcpy(data, source, 10*sizeof(int));
-        printIntLine(data[0]);
-    }
-}
-
-typedef long long int64_t;
-wchar_t *wmemset(wchar_t *dest, wchar_t c, size_t count);
-void* calloc(size_t num, size_t size);
-
-void printLongLongLine(int64_t longLongIntNumber);
-void printDoubleLine(double doubleNumber);
-
-void CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_int64_t_loop_01_bad()
-{
-    int64_t * data;
-    data = NULL;
-    /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
-    data = new int64_t[50];
-    {
-        int64_t source[100] = {0}; /* fill with 0's */
-        {
-            size_t i;
-            /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
-            for (i = 0; i < 100; i++)
-            {
-                data[i] = source[i]; // [NOT DETECTED]
-            }
-            printLongLongLine(data[0]);
-            delete [] data;
-        }
-    }
-}
-
-void CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_loop_01_bad()
-{
-    wchar_t * data;
-    data = NULL;
-    /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
-    data = new wchar_t[50];
-    data[0] = L'\0'; /* null terminate */
-    {
-        size_t i;
-        wchar_t source[100];
-        wmemset(source, L'C', 100-1); /* fill with L'C's */
-        source[100-1] = L'\0'; /* null terminate */
-        /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
-        for (i = 0; i < 100; i++)
-        {
-            data[i] = source[i];
-        }
-        data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */
-        printWLine(data);
-        delete [] data;
-    }
-}
-
-void CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncpy_01_bad()
-{
-    wchar_t * data;
-    data = NULL;
-    /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
-    data = new wchar_t[50];
-    data[0] = L'\0'; /* null terminate */
-    {
-        wchar_t source[100];
-        wmemset(source, L'C', 100-1); /* fill with L'C's */
-        source[100-1] = L'\0'; /* null terminate */
-        /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
-        wcsncpy(data, source, 100-1);
-        data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */
-        printWLine(data);
-        delete [] data;
-    }
-}
-
-#ifdef _WIN32
-int _snwprintf(wchar_t *buffer, size_t count, const wchar_t *format, ...);
-#define SNPRINTF _snwprintf
-#else 
-int snprintf(char *s, size_t n, const char *format, ...);
-int swprintf(wchar_t *wcs, size_t maxlen, const wchar_t *format, ...);
-//#define SNPRINTF snprintf --- original code; using snprintf appears to be a mistake in samate?
-#define SNPRINTF swprintf
-#endif
-
-void CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_snprintf_01_bad()
-{
-    wchar_t * data;
-    data = NULL;
-    /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
-    data = new wchar_t[50];
-    data[0] = L'\0'; /* null terminate */
-    {
-        wchar_t source[100];
-        wmemset(source, L'C', 100-1); /* fill with L'C's */
-        source[100-1] = L'\0'; /* null terminate */
-        /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
-        SNPRINTF(data, 100, L"%s", source);
-        printWLine(data);
-        delete [] data;
-    }
-}
-
-/* classes used in some test cases as a custom type */
-class TwoIntsClass 
-{
-    public: // Needed to access variables from label files
-        int intOne;
-        int intTwo;
-};
-
-class OneIntClass 
-{
-    public: // Needed to access variables from label files
-        int intOne;
-};
-
-void *operator new(size_t size, void *ptr) throw(); // placement new (from #include <new>)
-
-void CWE122_Heap_Based_Buffer_Overflow__placement_new_01_bad()
-{
-    char * data;
-    char * dataBadBuffer = (char *)malloc(sizeof(OneIntClass));
-    char * dataGoodBuffer = (char *)malloc(sizeof(TwoIntsClass));
-    /* POTENTIAL FLAW: Initialize data to a buffer small than the sizeof(TwoIntsClass) */
-    data = dataBadBuffer;
-    {
-        /* The Visual C++ compiler generates a warning if you initialize the class with ().
-         * This will cause the compile to default-initialize the object.
-         * See http://msdn.microsoft.com/en-us/library/wewb47ee%28v=VS.100%29.aspx
-         */
-        /* POTENTIAL FLAW: data may not be large enough to hold a TwoIntsClass */
-        TwoIntsClass * classTwo = new(data) TwoIntsClass; // [NOT DETECTED]
-        /* Initialize and make use of the class */
-        classTwo->intOne = 5;
-        classTwo->intTwo = 10; /* POTENTIAL FLAW: If sizeof(data) < sizeof(TwoIntsClass) then this line will be a buffer overflow */
-        printIntLine(classTwo->intOne);
-        /* skip printing classTwo->intTwo since that could be a buffer overread */
-        free(data);
-    }
-}
-
-void CWE122_Heap_Based_Buffer_Overflow__sizeof_double_01_bad()
-{
-    double * data;
-    /* Initialize data */
-    data = NULL;
-    /* INCIDENTAL: CWE-467 (Use of sizeof() on a pointer type) */
-    /* FLAW: Using sizeof the pointer and not the data type in malloc() */
-    data = (double *)malloc(sizeof(data)); // [NOT DETECTED]
-    *data = 1.7E300;
-    /* POTENTIAL FLAW: Attempt to use data, which may not have enough memory allocated */
-    printDoubleLine(*data);
-    free(data);
-}
-
-int rand(void);
-#define RAND32() ((rand()<<30) ^ (rand()<<15) ^ rand())
-
-void CWE122_Heap_Based_Buffer_Overflow__c_CWE129_rand_01_bad()
-{
-    int data;
-    /* Initialize data */
-    data = -1;
-    /* POTENTIAL FLAW: Set data to a random value */
-    data = RAND32();
-    {
-        int i;
-        int * buffer = (int *)malloc(10 * sizeof(int));
-        /* initialize buffer */
-        for (i = 0; i < 10; i++)
-        {
-            buffer[i] = 0;
-        }
-        /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
-         * This code does check to see if the array index is negative */
-        if (data >= 0)
-        {
-            buffer[data] = 1; // [NOT DETECTED]
-            /* Print the array values */
-            for(i = 0; i < 10; i++)
-            {
-                printIntLine(buffer[i]);
-            }
-        }
-        else
-        {
-            printLine("ERROR: Array index is negative.");
-        }
-        free(buffer);
-    }
-}
-
-typedef struct FILE;
-int fscanf(FILE *stream, const char *format, ...);
-FILE *stdin;
-
-void CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fscanf_01_bad()
-{
-    int data;
-    /* Initialize data */
-    data = -1;
-    /* POTENTIAL FLAW: Read data from the console using fscanf() */
-    fscanf(stdin, "%d", &data);
-    {
-        int i;
-        int * buffer = (int *)malloc(10 * sizeof(int));
-        /* initialize buffer */
-        for (i = 0; i < 10; i++)
-        {
-            buffer[i] = 0;
-        }
-        /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
-         * This code does check to see if the array index is negative */
-        if (data >= 0)
-        {
-            buffer[data] = 1; // [NOT DETECTED]
-            /* Print the array values */
-            for(i = 0; i < 10; i++)
-            {
-                printIntLine(buffer[i]);
-            }
-        }
-        else
-        {
-            printLine("ERROR: Array index is negative.");
-        }
-        free(buffer);
-    }
-}
-
-void CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_snprintf_31_bad()
-{
-    wchar_t * data;
-    data = NULL;
-    /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
-    data = new wchar_t[50];
-    data[0] = L'\0'; /* null terminate */
-    {
-        wchar_t * dataCopy = data;
-        wchar_t * data = dataCopy;
-        {
-            wchar_t source[100];
-            wmemset(source, L'C', 100-1); /* fill with L'C's */
-            source[100-1] = L'\0'; /* null terminate */
-            /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
-            SNPRINTF(data, 100, L"%s", source);
-            printWLine(data);
-            delete [] data;
-        }
-    }
-}
-
-int rand(void);
-
-int globalReturnsTrueOrFalse() 
-{
-    return (rand() % 2);
-}
-
-#define SRC_STRING "AAAAAAAAAA"
-
-void CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_cpy_12_bad()
-{
-    char * data;
-    char dataBadBuffer[10];
-    char dataGoodBuffer[10+1];
-    if(globalReturnsTrueOrFalse())
-    {
-        /* FLAW: Set a pointer to a buffer that does not leave room for a NULL terminator when performing
-         * string copies in the sinks  */
-        data = dataBadBuffer;
-        data[0] = '\0'; /* null terminate */
-    }
-    else
-    {
-        /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing
-         * string copies in the sinks  */
-        data = dataGoodBuffer;
-        data[0] = '\0'; /* null terminate */
-    }
-    {
-        char source[10+1] = SRC_STRING;
-        /* POTENTIAL FLAW: data may not have enough space to hold source */ // [NOT DETECTED]
-        strcpy(data, source);
-        printLine(data);
-    }
-}

cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.expected

@@ -80,4 +80,4 @@
 | var_size_struct.cpp:99:3:99:8 | call to memset | This 'memset' operation accesses 129 bytes but the $@ is only 128 bytes. | var_size_struct.cpp:92:8:92:10 | str | destination buffer |
 | var_size_struct.cpp:101:3:101:8 | call to memset | This 'memset' operation accesses 129 bytes but the $@ is only 128 bytes. | var_size_struct.cpp:92:8:92:10 | str | destination buffer |
 | var_size_struct.cpp:103:3:103:9 | call to strncpy | This 'strncpy' operation may access 129 bytes but the $@ is only 128 bytes. | var_size_struct.cpp:92:8:92:10 | str | destination buffer |
-| var_size_struct.cpp:169:3:169:8 | call to memset | This 'memset' operation accesses 100 bytes but the $@ is only 1 byte. | var_size_struct.cpp:125:17:125:19 | arr | destination buffer |
+| var_size_struct.cpp:171:3:171:8 | call to memset | This 'memset' operation accesses 100 bytes but the $@ is only 1 byte. | var_size_struct.cpp:125:17:125:19 | arr | destination buffer |

cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected

@@ -1,4 +1,3 @@
 edges
-subpaths
 nodes
 #select

cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/var_size_struct.cpp

@@ -161,6 +161,8 @@ void useVarStruct34(varStruct5 *vs5) {
   varStruct5 *vs5b = (varStruct5 *)malloc(sizeof(*vs5));
   varStruct6 *vs6 = (varStruct6 *)malloc(offsetof(varStruct6, arr) + 9); // establish varStruct6 as variable size
   varStruct7 *vs7 = (varStruct7 *)malloc(sizeForVarStruct7(9)); // establish varStruct7 as variable size
+  varStruct8 *vs8a = (varStruct8 *)malloc(sizeof(varStruct8) + 9); // establish varStruct8 as variable size
+  varStruct8 *vs8b = (varStruct8 *)malloc(sizeof(varStruct8));
   varStruct9 *vs9 = (varStruct9 *)malloc(__builtin_offsetof(varStruct9, arr) + 9); // establish varStruct9 as variable size
 }
 

cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.expected

@@ -49,7 +49,6 @@ edges
 | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
 | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array indirection |
 | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array indirection |
-subpaths
 nodes
 | tests.c:28:22:28:25 | argv | semmle.label | argv |
 | tests.c:28:22:28:25 | argv | semmle.label | argv |