Swift: update prebuilt package

No functional change: we just changed the prebuilding macOS runners.

.bazelrc

@@ -1,12 +1,4 @@
 common --enable_platform_specific_config
-common --enable_bzlmod
-# because we use --override_module with `%workspace%`, the lock file is not stable
-common --lockfile_mode=off
-
-# when building from this repository in isolation, the internal repository will not be found at ..
-# where `MODULE.bazel` looks for it. The following will get us past the module loading phase, so
-# that we can build things that do not rely on that
-common --override_module=semmle_code=%workspace%/misc/bazel/semmle_code_stub
 
 build --repo_env=CC=clang --repo_env=CXX=clang++
 
@@ -14,11 +6,4 @@ build:linux --cxxopt=-std=c++20
 build:macos --cxxopt=-std=c++20 --cpu=darwin_x86_64
 build:windows --cxxopt=/std:c++20 --cxxopt=/Zc:preprocessor
 
-# this requires developer mode, but is required to have pack installer functioning
-startup --windows_enable_symlinks
-common --enable_runfiles
-
-common --registry=file:///%workspace%/misc/bazel/registry
-common --registry=https://bcr.bazel.build
-
 try-import %workspace%/local.bazelrc

.bazelrc.internal

@@ -1,4 +0,0 @@
-# this file should contain bazel settings required to build things from `semmle-code`
-
-common --registry=file:///%workspace%/ql/misc/bazel/registry
-common --registry=https://bcr.bazel.build

.bazelversion

@@ -1 +1 @@
-7.1.2
+6.3.1

.gitattributes

@@ -67,14 +67,10 @@ go/extractor/opencsv/CSVReader.java -text
 # for those testing dbscheme files.
 */ql/lib/upgrades/initial/*.dbscheme -text
 
+# Generated test files - these are synced from the standard JavaScript libraries using
+# `javascript/ql/experimental/adaptivethreatmodeling/test/update_endpoint_test_files.py`.
+javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/autogenerated/**/*.js linguist-generated=true -merge
+javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/autogenerated/**/*.ts linguist-generated=true -merge
+
 # Auto-generated modeling for Python
 python/ql/lib/semmle/python/frameworks/data/internal/subclass-capture/*.yml linguist-generated=true
-
-# auto-generated bazel lock file
-ruby/extractor/cargo-bazel-lock.json linguist-generated=true
-ruby/extractor/cargo-bazel-lock.json -merge
-
-# auto-generated files for the C# build
-csharp/paket.lock linguist-generated=true
-# needs eol=crlf, as `paket` touches this file and saves it als crlf
-csharp/.paket/Paket.Restore.targets linguist-generated=true eol=crlf

.github/labeler.yml

@@ -15,12 +15,12 @@ Java:
   - change-notes/**/*java.*
 
 JS:
-  - any: [ 'javascript/**/*' ]
+  - any: [ 'javascript/**/*', '!javascript/ql/experimental/adaptivethreatmodeling/**/*' ]
   - change-notes/**/*javascript*
 
 Kotlin:
   - java/kotlin-extractor/**/*
-  - java/ql/test-kotlin*/**/*
+  - java/ql/test/kotlin/**/*
 
 Python:
   - python/**/*
@@ -46,3 +46,6 @@ documentation:
 # Since these are all shared files that need to be synced, just pick _one_ copy of each.
 "DataFlow Library":
   - "shared/dataflow/**/*"
+
+"ATM":
+  - javascript/ql/experimental/adaptivethreatmodeling/**/*

.github/workflows/buildifier.yml

@@ -1,28 +0,0 @@
-name: Check bazel formatting
-
-on:
-  pull_request:
-    paths:
-      - "**.bazel"
-      - "**.bzl"
-    branches:
-      - main
-      - "rc/*"
-
-permissions:
-  contents: read
-
-jobs:
-  check:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Check bazel formatting
-        uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
-        with:
-          extra_args: >
-            buildifier --all-files 2>&1 ||
-            (
-              echo -e "In order to format all bazel files, please run:\n  bazel run //misc/bazel:buildifier"; exit 1
-            )

.github/workflows/codeql-analysis.yml

@@ -56,9 +56,7 @@ jobs:
     #    uses a compiled language
 
     - run: |
-       cd csharp
-       dotnet tool restore
-       dotnet build .
+       dotnet build csharp
 
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@main

.github/workflows/compile-queries.yml

@@ -28,7 +28,7 @@ jobs:
         with: 
           key: all-queries
       - name: check formatting
-        run: find shared */ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
+        run: find */ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
       - name: compile queries - check-only
         # run with --check-only if running in a PR (github.sha != main)
         if : ${{ github.event_name == 'pull_request' }}

.github/workflows/cpp-swift-analysis.yml

@@ -1,55 +0,0 @@
-name: "Code scanning - C++"
-
-on:
-  push:
-    branches:
-      - main
-      - 'rc/*'
-  pull_request:
-    branches:
-      - main
-      - 'rc/*'
-    paths:
-      - 'swift/**'
-      - '.github/codeql/**'
-      - '.github/workflows/cpp-swift-analysis.yml'
-  schedule:
-    - cron: '0 9 * * 1'
-
-jobs:
-  CodeQL-Build:
-
-    runs-on: ubuntu-latest
-
-    permissions:
-      contents: read
-      security-events: write
-      pull-requests: read
-
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v4
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@main
-      # Override language selection by uncommenting this and choosing your languages
-      with:
-        languages: cpp
-        config-file: ./.github/codeql/codeql-config.yml
-  
-    - name: "[Ubuntu] Remove GCC 13 from runner image"
-      shell: bash
-      run: |
-        sudo rm -f /etc/apt/sources.list.d/ubuntu-toolchain-r-ubuntu-test-jammy.list
-        sudo apt-get update
-        sudo apt-get install -y --allow-downgrades libc6=2.35-* libc6-dev=2.35-* libstdc++6=12.3.0-* libgcc-s1=12.3.0-*
-
-    - name: "Build Swift extractor using Bazel"
-      run: |
-        bazel clean --expunge
-        bazel run //swift:create-extractor-pack --nouse_action_cache --noremote_accept_cached --noremote_upload_local_results --spawn_strategy=local --features=-layering_check
-        bazel shutdown
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@main

.github/workflows/csharp-qltest.yml

@@ -81,11 +81,10 @@ jobs:
           dotnet-version: 8.0.101
       - name: Extractor unit tests
         run: |
-          dotnet tool restore
           dotnet test -p:RuntimeFrameworkVersion=8.0.1 extractor/Semmle.Util.Tests
           dotnet test -p:RuntimeFrameworkVersion=8.0.1 extractor/Semmle.Extraction.Tests
           dotnet test -p:RuntimeFrameworkVersion=8.0.1 autobuilder/Semmle.Autobuild.CSharp.Tests
-          dotnet test -p:RuntimeFrameworkVersion=8.0.1 autobuilder/Semmle.Autobuild.Cpp.Tests
+          dotnet test -p:RuntimeFrameworkVersion=8.0.1 "${{ github.workspace }}/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests"
         shell: bash
   stubgentest:
     runs-on: ubuntu-latest

.github/workflows/go-tests-other-os.yml

@@ -7,6 +7,8 @@ on:
       - .github/workflows/go-tests-other-os.yml
       - .github/actions/**
       - codeql-workspace.yml
+env:
+  GO_VERSION: '~1.22.0'
 
 permissions:
   contents: read
@@ -16,17 +18,72 @@ jobs:
     name: Test MacOS
     runs-on: macos-latest
     steps:
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
+        id: go
+
       - name: Check out code
         uses: actions/checkout@v4
-      - name: Run tests
-        uses: ./go/actions/test
+
+      - name: Set up CodeQL CLI
+        uses: ./.github/actions/fetch-codeql
+
+      - name: Enable problem matchers in repository
+        shell: bash
+        run: 'find .github/problem-matchers -name \*.json -exec echo "::add-matcher::{}" \;'
+
+      - name: Build
+        run: |
+          cd go
+          make
+
+      - name: Cache compilation cache
+        id: query-cache
+        uses: ./.github/actions/cache-query-compilation
+        with:
+          key: go-qltest
+      - name: Test
+        run: |
+          cd go
+          make test cache="${{ steps.query-cache.outputs.cache-dir }}"
 
   test-win:
     if: github.repository_owner == 'github'
     name: Test Windows
     runs-on: windows-latest-xl
     steps:
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
+        id: go
+
       - name: Check out code
         uses: actions/checkout@v4
-      - name: Run tests
-        uses: ./go/actions/test
+
+      - name: Set up CodeQL CLI
+        uses: ./.github/actions/fetch-codeql
+
+      - name: Enable problem matchers in repository
+        shell: bash
+        run: 'find .github/problem-matchers -name \*.json -exec echo "::add-matcher::{}" \;'
+
+      - name: Build
+        run: |
+          cd go
+          make
+
+      - name: Cache compilation cache
+        id: query-cache
+        uses: ./.github/actions/cache-query-compilation
+        with:
+          key: go-qltest
+
+      - name: Test
+        run: |
+          cd go
+          make test cache="${{ steps.query-cache.outputs.cache-dir }}"

.github/workflows/go-tests.yml

@@ -16,6 +16,9 @@ on:
       - .github/actions/**
       - codeql-workspace.yml
 
+env:
+  GO_VERSION: '~1.22.0'
+
 permissions:
   contents: read
 
@@ -25,9 +28,51 @@ jobs:
     name: Test Linux (Ubuntu)
     runs-on: ubuntu-latest-xl
     steps:
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
+        id: go
+
       - name: Check out code
         uses: actions/checkout@v4
-      - name: Run tests
-        uses: ./go/actions/test
+
+      - name: Set up CodeQL CLI
+        uses: ./.github/actions/fetch-codeql
+
+      - name: Enable problem matchers in repository
+        shell: bash
+        run: 'find .github/problem-matchers -name \*.json -exec echo "::add-matcher::{}" \;'
+
+      - name: Build
+        run: |
+          cd go
+          make
+
+      - name: Check that all Go code is autoformatted
+        run: |
+          cd go
+          make check-formatting
+
+      - name: Compile qhelp files to markdown
+        run: |
+          cd go
+          env QHELP_OUT_DIR=qhelp-out make qhelp-to-markdown
+
+      - name: Upload qhelp markdown
+        uses: actions/upload-artifact@v3
         with:
-          run-code-checks: true
+          name: qhelp-markdown
+          path: go/qhelp-out/**/*.md
+
+      - name: Cache compilation cache
+        id: query-cache
+        uses: ./.github/actions/cache-query-compilation
+        with:
+          key: go-qltest
+
+      - name: Test
+        run: |
+          cd go
+          make test cache="${{ steps.query-cache.outputs.cache-dir }}"

.github/workflows/ruby-build.yml

@@ -51,11 +51,9 @@ jobs:
         run: |
           brew install gnu-tar
           echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
-      - name: Prepare Windows
-        if: runner.os == 'Windows'
-        shell: powershell
-        run: |
-          git config --global core.longpaths true
+      - name: Install cargo-cross
+        if: runner.os == 'Linux'
+        run: cargo install cross --version 0.2.5
       - uses: ./.github/actions/os-version
         id: os_version
       - name: Cache entire extractor
@@ -84,8 +82,16 @@ jobs:
       - name: Run tests
         if: steps.cache-extractor.outputs.cache-hit != 'true'
         run: cd extractor && cargo test --verbose
-      - name: Release build
-        if: steps.cache-extractor.outputs.cache-hit != 'true'
+      # On linux, build the extractor via cross in a centos7 container.
+      # This ensures we don't depend on glibc > 2.17.
+      - name: Release build (linux)
+        if: steps.cache-extractor.outputs.cache-hit != 'true' && runner.os == 'Linux'
+        run: |
+          cd extractor
+          cross build --release
+          mv target/x86_64-unknown-linux-gnu/release/codeql-extractor-ruby target/release/
+      - name: Release build (windows and macos)
+        if: steps.cache-extractor.outputs.cache-hit != 'true' && runner.os != 'Linux'
         run: cd extractor && cargo build --release
       - name: Generate dbscheme
         if: ${{ matrix.os == 'ubuntu-latest' && steps.cache-extractor.outputs.cache-hit != 'true'}}
@@ -117,7 +123,7 @@ jobs:
       - name: Cache compilation cache
         id: query-cache
         uses: ./.github/actions/cache-query-compilation
-        with:
+        with: 
           key: ruby-build
       - name: Build Query Pack
         run: |
@@ -229,3 +235,54 @@ jobs:
         shell: bash
         run: |
           codeql database analyze --search-path "${{ runner.temp }}/ruby-bundle" --format=sarifv2.1.0 --output=out.sarif ../database ruby-code-scanning.qls
+
+  # This is a copy of the 'test' job that runs in a centos7 container.
+  # This tests that the extractor works correctly on systems with an old glibc.
+  test-centos7:
+    defaults:
+      run:
+        working-directory: ${{ github.workspace }}
+    strategy:
+      fail-fast: false
+    runs-on: ubuntu-latest
+    container:
+      image: centos:centos7
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    needs: [package]
+    steps:
+      - name: Install gh cli
+        run: |
+          yum-config-manager --add-repo https://cli.github.com/packages/rpm/gh-cli.repo
+          # fetch-codeql requires unzip and jq
+          # jq is available in epel-release (https://docs.fedoraproject.org/en-US/epel/)
+          yum install -y gh unzip epel-release
+          yum install -y jq
+      - uses: actions/checkout@v3
+      - name: Fetch CodeQL
+        uses: ./.github/actions/fetch-codeql
+
+      # Due to a bug in Actions, we can't use runner.temp in the run blocks here.
+      # https://github.com/actions/runner/issues/2185
+
+      - name: Download Ruby bundle
+        uses: actions/download-artifact@v3
+        with:
+          name: codeql-ruby-bundle
+          path: ${{ runner.temp }}
+      - name: Unzip Ruby bundle
+        shell: bash
+        run: unzip -q -d "$RUNNER_TEMP"/ruby-bundle "$RUNNER_TEMP"/codeql-ruby-bundle.zip
+
+      - name: Run QL test
+        shell: bash
+        run: |
+          codeql test run --search-path "$RUNNER_TEMP"/ruby-bundle --additional-packs "$RUNNER_TEMP"/ruby-bundle ruby/ql/test/library-tests/ast/constants/
+      - name: Create database
+        shell: bash
+        run: |
+          codeql database create --search-path "$RUNNER_TEMP"/ruby-bundle --language ruby --source-root ruby/ql/test/library-tests/ast/constants/ ../database
+      - name: Analyze database
+        shell: bash
+        run: |
+          codeql database analyze --search-path "$RUNNER_TEMP"/ruby-bundle --format=sarifv2.1.0 --output=out.sarif ../database ruby-code-scanning.qls

.github/workflows/swift.yml

@@ -6,7 +6,6 @@ on:
       - "swift/**"
       - "misc/bazel/**"
       - "misc/codegen/**"
-      - "shared/**"
       - "*.bazel*"
       - .github/workflows/swift.yml
       - .github/actions/**
@@ -23,12 +22,10 @@ on:
       - "swift/**"
       - "misc/bazel/**"
       - "misc/codegen/**"
-      - "shared/**"
       - "*.bazel*"
       - .github/workflows/swift.yml
       - .github/actions/**
       - codeql-workspace.yml
-      - .pre-commit-config.yaml
       - "!**/*.md"
       - "!**/*.qhelp"
     branches:

.gitignore

@@ -39,9 +39,6 @@
 # local bazel options
 /local.bazelrc
 
-# generated cmake directory
-/.bazel-cmake
-
 # CLion project files
 /.clwb
 

.lfsconfig

@@ -1,5 +0,0 @@
-[lfs]
-# codeql is publicly forked by many users, and we don't want any LFS file polluting their working
-# copies. We therefore exclude everything by default.
-# For files required by bazel builds, use rules in `misc/bazel/lfs.bzl` to download them on demand.
-fetchinclude = /nothing

.pre-commit-config.yaml

@@ -20,23 +20,13 @@ repos:
       - id: autopep8
         files: ^misc/codegen/.*\.py
 
-  - repo: local
+  - repo: https://github.com/warchant/pre-commit-buildifier
+    rev: 0.0.2
     hooks:
       - id: buildifier
-        name: Format bazel files
-        files: \.(bazel|bzl)
-        language: system
-        entry: bazel run //misc/bazel:buildifier
-        pass_filenames: false
-
-#      DISABLED: can be enabled by copying this config and installing `pre-commit` with `--config` on the copy
-#      - id: go-gen
-#        name: Check checked in generated files in go
-#        files: ^go/.*
-#        language: system
-#        entry: bazel run //go:gen
-#        pass_filenames: false
 
+  - repo: local
+    hooks:
       - id: codeql-format
         name: Fix QL file formatting
         files: \.qll?$

CODEOWNERS

@@ -1,7 +1,5 @@
 /cpp/ @github/codeql-c-analysis
 /csharp/ @github/codeql-csharp
-/csharp/autobuilder/Semmle.Autobuild.Cpp @github/codeql-c-extractor
-/csharp/autobuilder/Semmle.Autobuild.Cpp.Tests @github/codeql-c-extractor
 /go/ @github/codeql-go
 /java/ @github/codeql-java
 /javascript/ @github/codeql-javascript
@@ -13,6 +11,9 @@
 /java/ql/test-kotlin1/ @github/codeql-kotlin
 /java/ql/test-kotlin2/ @github/codeql-kotlin
 
+# ML-powered queries
+/javascript/ql/experimental/adaptivethreatmodeling/ @github/codeql-ml-powered-queries-reviewers
+
 # CodeQL tools and associated docs
 /docs/codeql/codeql-cli/ @github/codeql-cli-reviewers
 /docs/codeql/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers
@@ -24,7 +25,6 @@
 
 # Bazel (excluding BUILD.bazel files)
 WORKSPACE.bazel @github/codeql-ci-reviewers
-MODULE.bazel @github/codeql-ci-reviewers
 .bazelversion @github/codeql-ci-reviewers
 .bazelrc @github/codeql-ci-reviewers
 **/*.bzl @github/codeql-ci-reviewers
@@ -35,7 +35,9 @@ MODULE.bazel @github/codeql-ci-reviewers
 
 # Workflows
 /.github/workflows/ @github/codeql-ci-reviewers
+/.github/workflows/atm-* @github/codeql-ml-powered-queries-reviewers
 /.github/workflows/go-* @github/codeql-go
+/.github/workflows/js-ml-tests.yml @github/codeql-ml-powered-queries-reviewers
 /.github/workflows/ql-for-ql-* @github/codeql-ql-for-ql-reviewers
 /.github/workflows/ruby-* @github/codeql-ruby
 /.github/workflows/swift.yml @github/codeql-swift

CONTRIBUTING.md

@@ -4,8 +4,6 @@ We welcome contributions to our CodeQL libraries and queries. Got an idea for a
 
 There is lots of useful documentation to help you write queries, ranging from information about query file structure to tutorials for specific target languages. For more information on the documentation available, see [CodeQL queries](https://codeql.github.com/docs/writing-codeql-queries/codeql-queries) on [codeql.github.com](https://codeql.github.com).
 
-Note that the CodeQL for Visual Studio Code documentation has been migrated to https://docs.github.com/en/code-security/codeql-for-vs-code/, but you can still contribute to it via a different repository. For more information, see [Contributing to GitHub Docs documentation](https://docs.github.com/en/contributing)."
-
 ## Change notes
 
 Any nontrivial user-visible change to a query pack or library pack should have a change note. For details on how to add a change note for your change, see [this guide](docs/change-notes.md).
@@ -45,7 +43,7 @@ If you have an idea for a query that you would like to share with other CodeQL u
 
 3. **Formatting**
 
-    - The queries and libraries must be autoformatted, for example using the "Format Document" command in [CodeQL for Visual Studio Code](https://docs.github.com/en/code-security/codeql-for-vs-code/).
+    - The queries and libraries must be autoformatted, for example using the "Format Document" command in [CodeQL for Visual Studio Code](https://codeql.github.com/docs/codeql-for-visual-studio-code/about-codeql-for-visual-studio-code).
 
     If you prefer, you can either:
     1. install the [pre-commit framework](https://pre-commit.com/) and install the configured hooks on this repo via `pre-commit install`, or

MODULE.bazel

@@ -1,62 +0,0 @@
-module(
-    name = "codeql",
-    version = "0.0",
-)
-
-# this points to our internal repository when `codeql` is checked out as a submodule thereof
-# when building things from `codeql` independently this is stubbed out in `.bazelrc`
-bazel_dep(name = "semmle_code", version = "0.0")
-local_path_override(
-    module_name = "semmle_code",
-    path = "..",
-)
-
-# see https://registry.bazel.build/ for a list of available packages
-
-bazel_dep(name = "platforms", version = "0.0.9")
-bazel_dep(name = "rules_go", version = "0.47.0")
-bazel_dep(name = "rules_pkg", version = "0.10.1")
-bazel_dep(name = "rules_nodejs", version = "6.0.3")
-bazel_dep(name = "rules_python", version = "0.31.0")
-bazel_dep(name = "bazel_skylib", version = "1.5.0")
-bazel_dep(name = "abseil-cpp", version = "20240116.0", repo_name = "absl")
-bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
-bazel_dep(name = "fmt", version = "10.0.0")
-bazel_dep(name = "gazelle", version = "0.36.0")
-
-bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
-
-pip = use_extension("@rules_python//python/extensions:pip.bzl", "pip")
-pip.parse(
-    hub_name = "codegen_deps",
-    python_version = "3.11",
-    requirements_lock = "//misc/codegen:requirements_lock.txt",
-)
-use_repo(pip, "codegen_deps")
-
-swift_deps = use_extension("//swift/third_party:load.bzl", "swift_deps")
-
-# following list can be kept in sync with `bazel mod tidy`
-use_repo(
-    swift_deps,
-    "binlog",
-    "picosha2",
-    "swift_prebuilt_darwin_x86_64",
-    "swift_prebuilt_linux",
-    "swift_toolchain_linux",
-    "swift_toolchain_macos",
-)
-
-node = use_extension("@rules_nodejs//nodejs:extensions.bzl", "node")
-node.toolchain(
-    name = "nodejs",
-    node_version = "18.15.0",
-)
-use_repo(node, "nodejs", "nodejs_toolchains")
-
-go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
-go_sdk.download(version = "1.22.2")
-
-register_toolchains(
-    "@nodejs_toolchains//:all",
-)

README.md

@@ -4,7 +4,7 @@ This open source repository contains the standard CodeQL libraries and queries t
 
 ## How do I learn CodeQL and run queries?
 
-There is extensive documentation about the [CodeQL language](https://codeql.github.com/docs/), writing CodeQL using the [CodeQL extension for Visual Studio Code](https://docs.github.com/en/code-security/codeql-for-vs-code/) and using the [CodeQL CLI](https://docs.github.com/en/code-security/codeql-cli).
+There is [extensive documentation](https://codeql.github.com/docs/) on getting started with writing CodeQL using the [CodeQL extension for Visual Studio Code](https://codeql.github.com/docs/codeql-for-visual-studio-code/) and the [CodeQL CLI](https://codeql.github.com/docs/codeql-cli/).
 
 ## Contributing
 

WORKSPACE.bazel

@@ -1,2 +1,12 @@
-# please use MODULE.bazel to add dependencies
-# this empty file is required by internal repositories, don't remove it
+# Please notice that any bazel targets and definitions in this repository are currently experimental
+# and for internal use only.
+
+workspace(name = "codeql")
+
+load("//misc/bazel:workspace.bzl", "codeql_workspace")
+
+codeql_workspace()
+
+load("//misc/bazel:workspace_deps.bzl", "codeql_workspace_deps")
+
+codeql_workspace_deps()

codeql-workspace.yml

@@ -6,11 +6,20 @@ provide:
   - "*/ql/consistency-queries/qlpack.yml"
   - "*/ql/automodel/src/qlpack.yml"
   - "*/ql/automodel/test/qlpack.yml"
-  - "python/extractor/qlpack.yml"
   - "shared/**/qlpack.yml"
   - "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml"
   - "go/ql/config/legacy-support/qlpack.yml"
   - "go/build/codeql-extractor-go/codeql-extractor.yml"
+  - "javascript/ql/experimental/adaptivethreatmodeling/lib/qlpack.yml"
+  # This pack is explicitly excluded from the workspace since most users
+  # will want to use a version of this pack from the package cache. Internal
+  # users can uncomment the following line and place a custom ML model
+  # in the corresponding pack to test a custom ML model within their local
+  # checkout.
+  # - "javascript/ql/experimental/adaptivethreatmodeling/model/qlpack.yml"
+  - "javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/qlpack.yml"
+  - "javascript/ql/experimental/adaptivethreatmodeling/src/qlpack.yml"
+  - "javascript/ql/experimental/adaptivethreatmodeling/test/qlpack.yml"
   - "csharp/ql/campaigns/Solorigate/lib/qlpack.yml"
   - "csharp/ql/campaigns/Solorigate/src/qlpack.yml"
   - "csharp/ql/campaigns/Solorigate/test/qlpack.yml"
@@ -18,6 +27,7 @@ provide:
   - "misc/suite-helpers/qlpack.yml"
   - "ruby/extractor-pack/codeql-extractor.yml"
   - "swift/extractor-pack/codeql-extractor.yml"
+  - "swift/integration-tests/qlpack.yml"
   - "ql/extractor-pack/codeql-extractor.yml"
   - ".github/codeql/extensions/**/codeql-pack.yml"
 

config/identical-files.json

@@ -88,46 +88,123 @@
   "IR Instruction": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll",
+    "csharp/ql/src/experimental/ir/implementation/raw/Instruction.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Instruction.qll"
   ],
   "IR IRBlock": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRBlock.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll",
+    "csharp/ql/src/experimental/ir/implementation/raw/IRBlock.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRBlock.qll"
   ],
   "IR IRVariable": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRVariable.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll",
+    "csharp/ql/src/experimental/ir/implementation/raw/IRVariable.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRVariable.qll"
   ],
   "IR IRFunction": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRFunction.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRFunction.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRFunction.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRFunction.qll",
+    "csharp/ql/src/experimental/ir/implementation/raw/IRFunction.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRFunction.qll"
   ],
   "IR Operand": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Operand.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll",
+    "csharp/ql/src/experimental/ir/implementation/raw/Operand.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Operand.qll"
+  ],
+  "IR IRType": [
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/IRType.qll",
+    "csharp/ql/src/experimental/ir/implementation/IRType.qll"
+  ],
+  "IR IRConfiguration": [
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/IRConfiguration.qll",
+    "csharp/ql/src/experimental/ir/implementation/IRConfiguration.qll"
+  ],
+  "IR UseSoundEscapeAnalysis": [
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/UseSoundEscapeAnalysis.qll",
+    "csharp/ql/src/experimental/ir/implementation/UseSoundEscapeAnalysis.qll"
+  ],
+  "IR IRFunctionBase": [
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/IRFunctionBase.qll",
+    "csharp/ql/src/experimental/ir/implementation/internal/IRFunctionBase.qll"
+  ],
+  "IR Operand Tag": [
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/OperandTag.qll",
+    "csharp/ql/src/experimental/ir/implementation/internal/OperandTag.qll"
+  ],
+  "IR TInstruction": [
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TInstruction.qll",
+    "csharp/ql/src/experimental/ir/implementation/internal/TInstruction.qll"
+  ],
+  "IR TIRVariable": [
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TIRVariable.qll",
+    "csharp/ql/src/experimental/ir/implementation/internal/TIRVariable.qll"
   ],
   "IR IR": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IR.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IR.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll",
+    "csharp/ql/src/experimental/ir/implementation/raw/IR.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IR.qll"
   ],
   "IR IRConsistency": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRConsistency.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRConsistency.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRConsistency.qll",
+    "csharp/ql/src/experimental/ir/implementation/raw/IRConsistency.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRConsistency.qll"
   ],
   "IR PrintIR": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/PrintIR.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll",
+    "csharp/ql/src/experimental/ir/implementation/raw/PrintIR.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/PrintIR.qll"
+  ],
+  "IR IntegerConstant": [
+    "cpp/ql/lib/semmle/code/cpp/ir/internal/IntegerConstant.qll",
+    "csharp/ql/src/experimental/ir/internal/IntegerConstant.qll"
+  ],
+  "IR IntegerInteval": [
+    "cpp/ql/lib/semmle/code/cpp/ir/internal/IntegerInterval.qll",
+    "csharp/ql/src/experimental/ir/internal/IntegerInterval.qll"
+  ],
+  "IR IntegerPartial": [
+    "cpp/ql/lib/semmle/code/cpp/ir/internal/IntegerPartial.qll",
+    "csharp/ql/src/experimental/ir/internal/IntegerPartial.qll"
+  ],
+  "IR Overlap": [
+    "cpp/ql/lib/semmle/code/cpp/ir/internal/Overlap.qll",
+    "csharp/ql/src/experimental/ir/internal/Overlap.qll"
+  ],
+  "IR EdgeKind": [
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll",
+    "csharp/ql/src/experimental/ir/implementation/EdgeKind.qll"
+  ],
+  "IR MemoryAccessKind": [
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll",
+    "csharp/ql/src/experimental/ir/implementation/MemoryAccessKind.qll"
+  ],
+  "IR TempVariableTag": [
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/TempVariableTag.qll",
+    "csharp/ql/src/experimental/ir/implementation/TempVariableTag.qll"
+  ],
+  "IR Opcode": [
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/Opcode.qll",
+    "csharp/ql/src/experimental/ir/implementation/Opcode.qll"
   ],
   "IR SSAConsistency": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConsistency.qll"
   ],
   "C++ IR InstructionImports": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/InstructionImports.qll",
@@ -175,7 +252,8 @@
   ],
   "SSA AliasAnalysis": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll"
   ],
   "SSA PrintAliasAnalysis": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintAliasAnalysis.qll",
@@ -190,28 +268,44 @@
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingImports.qll"
   ],
+  "IR SSA SimpleSSA": [
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll"
+  ],
+  "IR AliasConfiguration (unaliased_ssa)": [
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll"
+  ],
   "IR SSA SSAConstruction": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll"
   ],
   "IR SSA PrintSSA": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/PrintSSA.qll"
   ],
   "IR ValueNumberInternal": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingInternal.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingInternal.qll",
+    "csharp/ql/src/experimental/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll"
   ],
   "C++ IR ValueNumber": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll",
+    "csharp/ql/src/experimental/ir/implementation/raw/gvn/ValueNumbering.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll"
   ],
   "C++ IR PrintValueNumbering": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/PrintValueNumbering.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/PrintValueNumbering.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/PrintValueNumbering.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/PrintValueNumbering.qll",
+    "csharp/ql/src/experimental/ir/implementation/raw/gvn/PrintValueNumbering.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/PrintValueNumbering.qll"
   ],
   "C++ IR ConstantAnalysis": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/constant/ConstantAnalysis.qll",
@@ -239,6 +333,38 @@
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintDominance.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintDominance.qll"
   ],
+  "C# IR InstructionImports": [
+    "csharp/ql/src/experimental/ir/implementation/raw/internal/InstructionImports.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/InstructionImports.qll"
+  ],
+  "C# IR IRImports": [
+    "csharp/ql/src/experimental/ir/implementation/raw/internal/IRImports.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/IRImports.qll"
+  ],
+  "C# IR IRBlockImports": [
+    "csharp/ql/src/experimental/ir/implementation/raw/internal/IRBlockImports.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/IRBlockImports.qll"
+  ],
+  "C# IR IRFunctionImports": [
+    "csharp/ql/src/experimental/ir/implementation/raw/internal/IRFunctionImports.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/IRFunctionImports.qll"
+  ],
+  "C# IR IRVariableImports": [
+    "csharp/ql/src/experimental/ir/implementation/raw/internal/IRVariableImports.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/IRVariableImports.qll"
+  ],
+  "C# IR OperandImports": [
+    "csharp/ql/src/experimental/ir/implementation/raw/internal/OperandImports.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/OperandImports.qll"
+  ],
+  "C# IR PrintIRImports": [
+    "csharp/ql/src/experimental/ir/implementation/raw/internal/PrintIRImports.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/PrintIRImports.qll"
+  ],
+  "C# IR ValueNumberingImports": [
+    "csharp/ql/src/experimental/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll",
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll"
+  ],
   "C# ControlFlowReachability": [
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/ControlFlowReachability.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ControlFlowReachability.qll"
@@ -251,6 +377,13 @@
     "cpp/ql/src/Security/CWE/CWE-020/SafeExternalAPIFunction.qll",
     "cpp/ql/src/Security/CWE/CWE-020/ir/SafeExternalAPIFunction.qll"
   ],
+  "XML": [
+    "cpp/ql/lib/semmle/code/cpp/XML.qll",
+    "csharp/ql/lib/semmle/code/csharp/XML.qll",
+    "java/ql/lib/semmle/code/xml/XML.qll",
+    "javascript/ql/lib/semmle/javascript/XML.qll",
+    "python/ql/lib/semmle/python/xml/XML.qll"
+  ],
   "DuplicationProblems.inc.qhelp": [
     "cpp/ql/src/Metrics/Files/DuplicationProblems.inc.qhelp",
     "javascript/ql/src/Metrics/DuplicationProblems.inc.qhelp",
@@ -298,6 +431,13 @@
     "java/ql/src/experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.qhelp",
     "java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.qhelp"
   ],
+  "IDE Contextual Queries": [
+    "cpp/ql/lib/IDEContextual.qll",
+    "csharp/ql/lib/IDEContextual.qll",
+    "java/ql/lib/IDEContextual.qll",
+    "javascript/ql/lib/IDEContextual.qll",
+    "python/ql/lib/analysis/IDEContextual.qll"
+  ],
   "CryptoAlgorithms Python/JS/Ruby": [
     "javascript/ql/lib/semmle/javascript/security/CryptoAlgorithms.qll",
     "python/ql/lib/semmle/python/concepts/CryptoAlgorithms.qll",
@@ -362,7 +502,7 @@
     "java/ql/lib/semmle/code/java/security/internal/EncryptionKeySizes.qll"
   ],
   "Python model summaries test extension": [
-    "python/ql/test/library-tests/dataflow/model-summaries/InlineTaintTest.ext.yml",
-    "python/ql/test/library-tests/dataflow/model-summaries/NormalDataflowTest.ext.yml"
+    "python/ql/test/experimental/dataflow/model-summaries/InlineTaintTest.ext.yml",
+    "python/ql/test/experimental/dataflow/model-summaries/NormalDataflowTest.ext.yml"
   ]
-}
+}

cpp/BUILD.bazel

@@ -1,4 +1,4 @@
-load("@rules_pkg//pkg:mappings.bzl", "pkg_filegroup")
+load("@rules_pkg//:mappings.bzl", "pkg_filegroup")
 
 package(default_visibility = ["//visibility:public"])
 

cpp/autobuilder/.gitignore

@@ -0,0 +1,13 @@
+obj/
+TestResults/
+*.manifest
+*.pdb
+*.suo
+*.mdb
+*.vsmdi
+csharp.log
+**/bin/Debug
+**/bin/Release
+*.tlog
+.vs
+*.user

cpp/autobuilder/README.md

@@ -1 +0,0 @@
-The Windows autobuilder that used to live in this directory moved to `csharp/autobuilder/Semmle.Autobuild.Cpp`.

cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/BuildScripts.cs

@@ -203,8 +203,6 @@ namespace Semmle.Autobuild.Cpp.Tests
         public IList<DiagnosticMessage> Diagnostics { get; } = new List<DiagnosticMessage>();
 
         public void AddEntry(DiagnosticMessage message) => this.Diagnostics.Add(message);
-
-        public void Dispose() { }
     }
 
     /// <summary>
@@ -252,7 +250,12 @@ namespace Semmle.Autobuild.Cpp.Tests
             EndCallbackIn.Add(s);
         }
 
-        CppAutobuilder CreateAutoBuilder(bool isWindows, string? dotnetVersion = null, string cwd = @"C:\Project")
+        CppAutobuilder CreateAutoBuilder(bool isWindows,
+            string? buildless = null, string? solution = null, string? buildCommand = null, string? ignoreErrors = null,
+            string? msBuildArguments = null, string? msBuildPlatform = null, string? msBuildConfiguration = null, string? msBuildTarget = null,
+            string? dotnetArguments = null, string? dotnetVersion = null, string? vsToolsVersion = null,
+            string? nugetRestore = null, string? allSolutions = null,
+            string cwd = @"C:\Project")
         {
             string codeqlUpperLanguage = Language.Cpp.UpperCaseName;
             Actions.GetEnvironmentVariable[$"CODEQL_AUTOBUILDER_{codeqlUpperLanguage}_NO_INDEXING"] = "false";
@@ -262,7 +265,22 @@ namespace Semmle.Autobuild.Cpp.Tests
             Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_DIAGNOSTIC_DIR"] = "";
             Actions.GetEnvironmentVariable["CODEQL_JAVA_HOME"] = @"C:\codeql\tools\java";
             Actions.GetEnvironmentVariable["CODEQL_PLATFORM"] = "win64";
-            Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_OPTION_DOTNET_VERSION"] = dotnetVersion;
+            Actions.GetEnvironmentVariable["SEMMLE_DIST"] = @"C:\odasa";
+            Actions.GetEnvironmentVariable["SEMMLE_JAVA_HOME"] = @"C:\odasa\tools\java";
+            Actions.GetEnvironmentVariable["SEMMLE_PLATFORM_TOOLS"] = @"C:\odasa\tools";
+            Actions.GetEnvironmentVariable["LGTM_INDEX_VSTOOLS_VERSION"] = vsToolsVersion;
+            Actions.GetEnvironmentVariable["LGTM_INDEX_MSBUILD_ARGUMENTS"] = msBuildArguments;
+            Actions.GetEnvironmentVariable["LGTM_INDEX_MSBUILD_PLATFORM"] = msBuildPlatform;
+            Actions.GetEnvironmentVariable["LGTM_INDEX_MSBUILD_CONFIGURATION"] = msBuildConfiguration;
+            Actions.GetEnvironmentVariable["LGTM_INDEX_MSBUILD_TARGET"] = msBuildTarget;
+            Actions.GetEnvironmentVariable["LGTM_INDEX_DOTNET_ARGUMENTS"] = dotnetArguments;
+            Actions.GetEnvironmentVariable["LGTM_INDEX_DOTNET_VERSION"] = dotnetVersion;
+            Actions.GetEnvironmentVariable["LGTM_INDEX_BUILD_COMMAND"] = buildCommand;
+            Actions.GetEnvironmentVariable["LGTM_INDEX_SOLUTION"] = solution;
+            Actions.GetEnvironmentVariable["LGTM_INDEX_IGNORE_ERRORS"] = ignoreErrors;
+            Actions.GetEnvironmentVariable["LGTM_INDEX_BUILDLESS"] = buildless;
+            Actions.GetEnvironmentVariable["LGTM_INDEX_ALL_SOLUTIONS"] = allSolutions;
+            Actions.GetEnvironmentVariable["LGTM_INDEX_NUGET_RESTORE"] = nugetRestore;
             Actions.GetEnvironmentVariable["ProgramFiles(x86)"] = isWindows ? @"C:\Program Files (x86)" : null;
             Actions.GetCurrentDirectory = cwd;
             Actions.IsWindows = isWindows;

cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/Semmle.Autobuild.Cpp.Tests.csproj

@@ -0,0 +1,26 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <OutputType>Exe</OutputType>
+    <TargetFramework>net8.0</TargetFramework>
+    <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
+    <RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
+    <Nullable>enable</Nullable>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="System.IO.FileSystem" Version="4.3.0" />
+    <PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0" />
+    <PackageReference Include="xunit" Version="2.6.2" />
+    <PackageReference Include="xunit.runner.visualstudio" Version="2.5.4">
+      <PrivateAssets>all</PrivateAssets>
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
+    </PackageReference>
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.8.0" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\Semmle.Autobuild.Cpp\Semmle.Autobuild.Cpp.csproj" />
+    <ProjectReference Include="..\..\..\csharp\autobuilder\Semmle.Autobuild.Shared\Semmle.Autobuild.Shared.csproj" />
+  </ItemGroup>
+</Project>

cpp/autobuilder/Semmle.Autobuild.Cpp/CppAutobuilder.cs

@@ -26,6 +26,9 @@ namespace Semmle.Autobuild.Cpp
 
         public override BuildScript GetBuildScript()
         {
+            if (Options.BuildCommand != null)
+                return new BuildCommandRule((_, f) => f(null)).Analyse(this, false);
+
             return
                 // First try MSBuild
                 new MsBuildRule().Analyse(this, true) |

cpp/autobuilder/Semmle.Autobuild.Cpp/Program.cs

@@ -0,0 +1,33 @@
+using System;
+using Semmle.Autobuild.Shared;
+
+namespace Semmle.Autobuild.Cpp
+{
+    class Program
+    {
+        static int Main()
+        {
+
+            try
+            {
+                var actions = SystemBuildActions.Instance;
+                var options = new CppAutobuildOptions(actions);
+                try
+                {
+                    Console.WriteLine("CodeQL C++ autobuilder");
+                    var builder = new CppAutobuilder(actions, options);
+                    return builder.AttemptBuild();
+                }
+                catch (InvalidEnvironmentException ex)
+                {
+                    Console.WriteLine("The environment is invalid: {0}", ex.Message);
+                }
+            }
+            catch (ArgumentOutOfRangeException ex)
+            {
+                Console.WriteLine("The value \"{0}\" for parameter \"{1}\" is invalid", ex.ActualValue, ex.ParamName);
+            }
+            return 1;
+        }
+    }
+}

cpp/autobuilder/Semmle.Autobuild.Cpp/Properties/AssemblyInfo.cs

@@ -0,0 +1,32 @@
+using System.Reflection;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("Semmle.Autobuild.Cpp")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("GitHub")]
+[assembly: AssemblyProduct("CodeQL autobuilder for C++")]
+[assembly: AssemblyCopyright("Copyright © GitHub 2020")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible
+// to COM components.  If you need to access a type in this assembly from
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// Version information for an assembly consists of the following four values:
+//
+//      Major Version
+//      Minor Version
+//      Build Number
+//      Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.0.0.0")]
+[assembly: AssemblyFileVersion("1.0.0.0")]

cpp/autobuilder/Semmle.Autobuild.Cpp/Semmle.Autobuild.Cpp.csproj

@@ -0,0 +1,28 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>net8.0</TargetFramework>
+    <AssemblyName>Semmle.Autobuild.Cpp</AssemblyName>
+    <RootNamespace>Semmle.Autobuild.Cpp</RootNamespace>
+    <ApplicationIcon />
+    <OutputType>Exe</OutputType>
+    <StartupObject />
+    <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
+    <RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
+    <Nullable>enable</Nullable>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <Folder Include="Properties\" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.Build" Version="17.8.3" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\..\..\csharp\extractor\Semmle.Util\Semmle.Util.csproj" />
+    <ProjectReference Include="..\..\..\csharp\autobuilder\Semmle.Autobuild.Shared\Semmle.Autobuild.Shared.csproj" />
+  </ItemGroup>
+
+</Project>

cpp/downgrades/19887dbd33327fb07d54251786e0cb2578539775/upgrade.properties

@@ -1,4 +1,4 @@
 description: Revert support for repeated initializers, which are allowed in C with designated initializers.
 compatibility: full
-aggregate_field_init.rel: reorder aggregate_field_init.rel (@aggregateliteral aggregate, @expr initializer, @membervariable field, int position) aggregate initializer field
-aggregate_array_init.rel: reorder aggregate_array_init.rel (@aggregateliteral aggregate, @expr initializer, int element_index, int position) aggregate initializer element_index
+aggregate_field_init.rel: reorder aggregate_field_init.rel (int aggregate, int initializer, int field, int position) aggregate initializer field
+aggregate_array_init.rel: reorder aggregate_array_init.rel (int aggregate, int initializer, int element_index, int position) aggregate initializer element_index

cpp/downgrades/BUILD.bazel

@@ -1,4 +1,4 @@
-load("@rules_pkg//pkg:mappings.bzl", "pkg_files", "strip_prefix")
+load("@rules_pkg//:mappings.bzl", "pkg_files", "strip_prefix")
 
 pkg_files(
     name = "downgrades",

cpp/downgrades/aa7ff0ab32cd4674f6ab731d32fea64116997b05/exprs.ql

@@ -1,13 +0,0 @@
-class Expr extends @expr {
-  string toString() { none() }
-}
-
-class Location extends @location_expr {
-  string toString() { none() }
-}
-
-from Expr expr, int kind, int kind_new, Location loc
-where
-  exprs(expr, kind, loc) and
-  if kind = 363 then kind_new = 1 else kind_new = kind
-select expr, kind_new, loc

cpp/downgrades/aa7ff0ab32cd4674f6ab731d32fea64116997b05/upgrade.properties

@@ -1,4 +0,0 @@
-description: Introduce re-use expressions
-compatibility: partial
-expr_reuse.rel: delete
-exprs.rel: run exprs.qlo

cpp/downgrades/abfce5c170f93e281948f7689ece373464fdaf87/expr_reuse.ql

@@ -1,7 +0,0 @@
-class Expr extends @expr {
-  string toString() { none() }
-}
-
-from Expr reuse, Expr original
-where expr_reuse(reuse, original, _)
-select reuse, original

cpp/downgrades/abfce5c170f93e281948f7689ece373464fdaf87/expr_types.ql

@@ -1,22 +0,0 @@
-class Expr extends @expr {
-  string toString() { none() }
-}
-
-class Type extends @type {
-  string toString() { none() }
-}
-
-predicate existingType(Expr expr, Type type, int value_category) {
-  expr_types(expr, type, value_category)
-}
-
-predicate reuseType(Expr reuse, Type type, int value_category) {
-  exists(Expr original |
-    expr_reuse(reuse, original, value_category) and
-    expr_types(original, type, _)
-  )
-}
-
-from Expr expr, Type type, int value_category
-where existingType(expr, type, value_category) or reuseType(expr, type, value_category)
-select expr, type, value_category

cpp/downgrades/abfce5c170f93e281948f7689ece373464fdaf87/upgrade.properties

@@ -1,4 +0,0 @@
-description: Add value category to expr_reuse table
-compatibility: full
-expr_reuse.rel: run expr_reuse.qlo
-expr_types.rel: run expr_types.qlo

cpp/ql/lib/BUILD.bazel

@@ -1,4 +1,4 @@
-load("@rules_pkg//pkg:mappings.bzl", "pkg_files")
+load("@rules_pkg//:mappings.bzl", "pkg_files")
 
 package(default_visibility = ["//cpp:__pkg__"])
 

cpp/ql/lib/CHANGELOG.md

@@ -1,57 +1,3 @@
-## 0.13.1
-
-No user-facing changes.
-
-## 0.13.0
-
-### Breaking Changes
-
-* Deleted the deprecated `GlobalValueNumberingImpl.qll` implementation.
-
-### New Features
-
-* Models-as-Data support has been added for C/C++. This feature allows flow sources, sinks and summaries to be expressed in compact strings as an alternative to modelling each source / sink / summary with explicit QL. See `dataflow/ExternalFlow.qll` for documentation and specification of the model format, and `models/implementations/ZMQ.qll` for a simple example of models. Importing models from `.yml` is not yet supported.
-
-### Minor Analysis Improvements
-
-* Source models have been added for the standard library function `getc` (and variations).
-* Source, sink and flow models for the ZeroMQ (ZMQ) networking library have been added.
-* Parameters of functions without definitions now have `ParameterNode`s.
-* The alias analysis used internally by various libraries has been improved to answer alias questions more conservatively. As a result, some queries may report fewer false positives.
-
-## 0.12.11
-
-No user-facing changes.
-
-## 0.12.10
-
-### New Features
-
-* Added a `TaintInheritingContent` class that can be extended to model taint flowing from a qualifier to a field.
-* Added a predicate `GuardCondition.comparesEq/4` to query whether an expression is compared to a constant. 
-* Added a predicate `GuardCondition.ensuresEq/4` to query whether a basic block is guarded by an expression being equal to a constant.
-* Added a predicate `GuardCondition.comparesLt/4` to query whether an expression is compared to a constant. 
-* Added a predicate `GuardCondition.ensuresLt/4` to query whether a basic block is guarded by an expression being less than a constant.
-* Added a predicate `GuardCondition.valueControls` to query whether a basic block is guarded by a particular `case` of a `switch` statement.
-
-### Minor Analysis Improvements
-
-* Added destructors for temporary objects with extended lifetimes to the intermediate representation.
-
-## 0.12.9
-
-No user-facing changes.
-
-## 0.12.8
-
-No user-facing changes.
-
-## 0.12.7
-
-### Minor Analysis Improvements
-
-* Added destructors for named objects to the intermediate representation.
-
 ## 0.12.6
 
 ### New Features

cpp/ql/lib/IDEContextual.qll

@@ -3,7 +3,6 @@
  */
 
 import semmle.files.FileSystem
-private import codeql.util.FileSystem
 
 /**
  * Returns the `File` matching the given source file name as encoded by the VS
@@ -11,5 +10,13 @@ private import codeql.util.FileSystem
  */
 cached
 File getFileBySourceArchiveName(string name) {
-  result = IdeContextual<File>::getFileBySourceArchiveName(name)
+  // The name provided for a file in the source archive by the VS Code extension
+  // has some differences from the absolute path in the database:
+  // 1. colons are replaced by underscores
+  // 2. there's a leading slash, even for Windows paths: "C:/foo/bar" ->
+  //    "/C_/foo/bar"
+  // 3. double slashes in UNC prefixes are replaced with a single slash
+  // We can handle 2 and 3 together by unconditionally adding a leading slash
+  // before replacing double slashes.
+  name = ("/" + result.getAbsolutePath().replaceAll(":", "_")).replaceAll("//", "/")
 }

cpp/ql/lib/change-notes/2024-05-23-Version1.md

@@ -1,4 +0,0 @@
----
-category: breaking
----
-* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.

cpp/ql/lib/change-notes/released/0.12.10.md

@@ -1,14 +0,0 @@
-## 0.12.10
-
-### New Features
-
-* Added a `TaintInheritingContent` class that can be extended to model taint flowing from a qualifier to a field.
-* Added a predicate `GuardCondition.comparesEq/4` to query whether an expression is compared to a constant. 
-* Added a predicate `GuardCondition.ensuresEq/4` to query whether a basic block is guarded by an expression being equal to a constant.
-* Added a predicate `GuardCondition.comparesLt/4` to query whether an expression is compared to a constant. 
-* Added a predicate `GuardCondition.ensuresLt/4` to query whether a basic block is guarded by an expression being less than a constant.
-* Added a predicate `GuardCondition.valueControls` to query whether a basic block is guarded by a particular `case` of a `switch` statement.
-
-### Minor Analysis Improvements
-
-* Added destructors for temporary objects with extended lifetimes to the intermediate representation.

cpp/ql/lib/change-notes/released/0.12.11.md

@@ -1,3 +0,0 @@
-## 0.12.11
-
-No user-facing changes.

cpp/ql/lib/change-notes/released/0.12.7.md

@@ -1,5 +0,0 @@
-## 0.12.7
-
-### Minor Analysis Improvements
-
-* Added destructors for named objects to the intermediate representation.

cpp/ql/lib/change-notes/released/0.12.8.md

@@ -1,3 +0,0 @@
-## 0.12.8
-
-No user-facing changes.

cpp/ql/lib/change-notes/released/0.12.9.md

@@ -1,3 +0,0 @@
-## 0.12.9
-
-No user-facing changes.

cpp/ql/lib/change-notes/released/0.13.0.md

@@ -1,16 +0,0 @@
-## 0.13.0
-
-### Breaking Changes
-
-* Deleted the deprecated `GlobalValueNumberingImpl.qll` implementation.
-
-### New Features
-
-* Models-as-Data support has been added for C/C++. This feature allows flow sources, sinks and summaries to be expressed in compact strings as an alternative to modelling each source / sink / summary with explicit QL. See `dataflow/ExternalFlow.qll` for documentation and specification of the model format, and `models/implementations/ZMQ.qll` for a simple example of models. Importing models from `.yml` is not yet supported.
-
-### Minor Analysis Improvements
-
-* Source models have been added for the standard library function `getc` (and variations).
-* Source, sink and flow models for the ZeroMQ (ZMQ) networking library have been added.
-* Parameters of functions without definitions now have `ParameterNode`s.
-* The alias analysis used internally by various libraries has been improved to answer alias questions more conservatively. As a result, some queries may report fewer false positives.

cpp/ql/lib/change-notes/released/0.13.1.md

@@ -1,3 +0,0 @@
-## 0.13.1
-
-No user-facing changes.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.13.1
+lastReleaseVersion: 0.12.6

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 1.0.0-dev
+version: 0.12.7-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
@@ -7,11 +7,8 @@ library: true
 upgrades: upgrades
 dependencies:
   codeql/dataflow: ${workspace}
-  codeql/mad: ${workspace}
   codeql/rangeanalysis: ${workspace}
   codeql/ssa: ${workspace}
-  codeql/typeflow: ${workspace}
   codeql/tutorial: ${workspace}
   codeql/util: ${workspace}
-  codeql/xml: ${workspace}
 warnOnImplicitThis: true

cpp/ql/lib/semmle/code/cpp/Enclosing.qll

@@ -60,6 +60,4 @@ Element exprEnclosingElement(Expr e) {
       )
     else result = de.getDeclaration()
   )
-  or
-  result.(Stmt).getAnImplicitDestructorCall() = e
 }

cpp/ql/lib/semmle/code/cpp/PrintAST.qll

@@ -309,12 +309,9 @@ class ExprNode extends AstNode {
   override AstNode getChildInternal(int childIndex) {
     result.getAst() = expr.getChild(childIndex)
     or
-    childIndex = max(int index | exists(expr.getChild(index)) or index = 0) + 1 and
-    result.getAst() = expr.(ConditionDeclExpr).getInitializingExpr()
-    or
     exists(int destructorIndex |
       result.getAst() = expr.getImplicitDestructorCall(destructorIndex) and
-      childIndex = destructorIndex + max(int index | exists(expr.getChild(index)) or index = 0) + 2
+      childIndex = destructorIndex + max(int index | exists(expr.getChild(index)) or index = 0) + 1
     )
   }
 
@@ -364,8 +361,6 @@ class ConversionNode extends ExprNode {
     childIndex = 0 and
     result.getAst() = conv.getExpr() and
     conv.getExpr() instanceof Conversion
-    or
-    result.getAst() = expr.getImplicitDestructorCall(childIndex - 1)
   }
 }
 
@@ -463,25 +458,6 @@ class StmtNode extends AstNode {
   }
 }
 
-/**
- * A node representing a child of a `Stmt` that is itself a `Stmt`.
- */
-class ChildStmtNode extends StmtNode {
-  Stmt childStmt;
-
-  ChildStmtNode() { exists(Stmt parent | parent.getAChild() = childStmt and childStmt = ast) }
-
-  override BaseAstNode getChildInternal(int childIndex) {
-    result = super.getChildInternal(childIndex)
-    or
-    exists(int destructorIndex |
-      result.getAst() = childStmt.getImplicitDestructorCall(destructorIndex) and
-      childIndex =
-        destructorIndex + max(int index | exists(childStmt.getChild(index)) or index = 0) + 1
-    )
-  }
-}
-
 /**
  * A node representing a `DeclStmt`.
  */
@@ -693,13 +669,6 @@ class FunctionNode extends FunctionOrGlobalOrNamespaceVariableNode {
 private string getChildAccessorWithoutConversions(Locatable parent, Element child) {
   shouldPrintDeclaration(getAnEnclosingDeclaration(parent)) and
   (
-    exists(Stmt s, int i | s.getChild(i) = parent |
-      exists(int n |
-        s.getChild(i).(Stmt).getImplicitDestructorCall(n) = child and
-        result = "getImplicitDestructorCall(" + n + ")"
-      )
-    )
-    or
     exists(Stmt s | s = parent |
       namedStmtChildPredicates(s, child, result)
       or
@@ -717,8 +686,6 @@ private string getChildAccessorWithoutConversions(Locatable parent, Element chil
       not namedExprChildPredicates(expr, child, _) and
       exists(int n | expr.getChild(n) = child and result = "getChild(" + n + ")")
       or
-      expr.(ConditionDeclExpr).getInitializingExpr() = child and result = "getInitializingExpr()"
-      or
       exists(int n |
         expr.getImplicitDestructorCall(n) = child and
         result = "getImplicitDestructorCall(" + n + ")"
@@ -890,7 +857,7 @@ private predicate namedExprChildPredicates(Expr expr, Element ele, string pred)
     or
     expr.(DeleteOrDeleteArrayExpr).getDestructorCall() = ele and pred = "getDestructorCall()"
     or
-    expr.(DeleteOrDeleteArrayExpr).getExprWithReuse() = ele and pred = "getExprWithReuse()"
+    expr.(DeleteOrDeleteArrayExpr).getExpr() = ele and pred = "getExpr()"
     or
     expr.(DestructorFieldDestruction).getExpr() = ele and pred = "getExpr()"
     or

cpp/ql/lib/semmle/code/cpp/Variable.qll

@@ -590,33 +590,6 @@ class TemplateVariable extends Variable {
   Variable getAnInstantiation() { result.isConstructedFrom(this) }
 }
 
-/**
- * A variable that is an instantiation of a template. For example
- * the instantiation `myTemplateVariable<int>` in the following code:
- * ```
- * template<class T>
- * T myTemplateVariable;
- *
- * void caller(int i) {
- *   myTemplateVariable<int> = i;
- * }
- * ```
- */
-class VariableTemplateInstantiation extends Variable {
-  TemplateVariable tv;
-
-  VariableTemplateInstantiation() { tv.getAnInstantiation() = this }
-
-  override string getAPrimaryQlClass() { result = "VariableTemplateInstantiation" }
-
-  /**
-   * Gets the variable template from which this instantiation was instantiated.
-   *
-   * Example: For `int x<int>`, returns `T x`.
-   */
-  TemplateVariable getTemplate() { result = tv }
-}
-
 /**
  * A non-static local variable or parameter that is not part of an
  * uninstantiated template. Uninstantiated templates are purely syntax, and

cpp/ql/lib/semmle/code/cpp/XML.qll

@@ -3,67 +3,305 @@
  */
 
 import semmle.files.FileSystem
-private import codeql.xml.Xml
 
-private module Input implements InputSig<File, Location> {
-  class XmlLocatableBase = @xmllocatable or @xmlnamespaceable;
+private class TXmlLocatable =
+  @xmldtd or @xmlelement or @xmlattribute or @xmlnamespace or @xmlcomment or @xmlcharacters;
 
-  predicate xmllocations_(XmlLocatableBase e, Location loc) { xmllocations(e, loc) }
+/** An XML element that has a location. */
+class XmlLocatable extends @xmllocatable, TXmlLocatable {
+  /** Gets the source location for this element. */
+  Location getLocation() { xmllocations(this, result) }
 
-  class XmlParentBase = @xmlparent;
-
-  class XmlNamespaceableBase = @xmlnamespaceable;
-
-  class XmlElementBase = @xmlelement;
-
-  class XmlFileBase = File;
-
-  predicate xmlEncoding_(XmlFileBase f, string enc) { xmlEncoding(f, enc) }
-
-  class XmlDtdBase = @xmldtd;
-
-  predicate xmlDTDs_(XmlDtdBase e, string root, string publicId, string systemId, XmlFileBase file) {
-    xmlDTDs(e, root, publicId, systemId, file)
-  }
-
-  predicate xmlElements_(
-    XmlElementBase e, string name, XmlParentBase parent, int idx, XmlFileBase file
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
   ) {
-    xmlElements(e, name, parent, idx, file)
+    exists(File f, Location l | l = this.getLocation() |
+      locations_default(l, f, startline, startcolumn, endline, endcolumn) and
+      filepath = f.getAbsolutePath()
+    )
   }
 
-  class XmlAttributeBase = @xmlattribute;
+  /** Gets a textual representation of this element. */
+  string toString() { none() } // overridden in subclasses
+}
 
-  predicate xmlAttrs_(
-    XmlAttributeBase e, XmlElementBase elementid, string name, string value, int idx,
-    XmlFileBase file
-  ) {
-    xmlAttrs(e, elementid, name, value, idx, file)
+/**
+ * An `XmlParent` is either an `XmlElement` or an `XmlFile`,
+ * both of which can contain other elements.
+ */
+class XmlParent extends @xmlparent {
+  XmlParent() {
+    // explicitly restrict `this` to be either an `XmlElement` or an `XmlFile`;
+    // the type `@xmlparent` currently also includes non-XML files
+    this instanceof @xmlelement or xmlEncoding(this, _)
   }
 
-  class XmlNamespaceBase = @xmlnamespace;
+  /**
+   * Gets a printable representation of this XML parent.
+   * (Intended to be overridden in subclasses.)
+   */
+  string getName() { none() } // overridden in subclasses
 
-  predicate xmlNs_(XmlNamespaceBase e, string prefixName, string uri, XmlFileBase file) {
-    xmlNs(e, prefixName, uri, file)
+  /** Gets the file to which this XML parent belongs. */
+  XmlFile getFile() { result = this or xmlElements(this, _, _, _, result) }
+
+  /** Gets the child element at a specified index of this XML parent. */
+  XmlElement getChild(int index) { xmlElements(result, _, this, index, _) }
+
+  /** Gets a child element of this XML parent. */
+  XmlElement getAChild() { xmlElements(result, _, this, _, _) }
+
+  /** Gets a child element of this XML parent with the given `name`. */
+  XmlElement getAChild(string name) { xmlElements(result, _, this, _, _) and result.hasName(name) }
+
+  /** Gets a comment that is a child of this XML parent. */
+  XmlComment getAComment() { xmlComments(result, _, this, _) }
+
+  /** Gets a character sequence that is a child of this XML parent. */
+  XmlCharacters getACharactersSet() { xmlChars(result, _, this, _, _, _) }
+
+  /** Gets the depth in the tree. (Overridden in XmlElement.) */
+  int getDepth() { result = 0 }
+
+  /** Gets the number of child XML elements of this XML parent. */
+  int getNumberOfChildren() { result = count(XmlElement e | xmlElements(e, _, this, _, _)) }
+
+  /** Gets the number of places in the body of this XML parent where text occurs. */
+  int getNumberOfCharacterSets() { result = count(int pos | xmlChars(_, _, this, pos, _, _)) }
+
+  /**
+   * Gets the result of appending all the character sequences of this XML parent from
+   * left to right, separated by a space.
+   */
+  string allCharactersString() {
+    result =
+      concat(string chars, int pos | xmlChars(_, chars, this, pos, _, _) | chars, " " order by pos)
   }
 
-  predicate xmlHasNs_(XmlNamespaceableBase e, XmlNamespaceBase ns, XmlFileBase file) {
-    xmlHasNs(e, ns, file)
-  }
+  /** Gets the text value contained in this XML parent. */
+  string getTextValue() { result = this.allCharactersString() }
 
-  class XmlCommentBase = @xmlcomment;
+  /** Gets a printable representation of this XML parent. */
+  string toString() { result = this.getName() }
+}
 
-  predicate xmlComments_(XmlCommentBase e, string text, XmlParentBase parent, XmlFileBase file) {
-    xmlComments(e, text, parent, file)
-  }
+/** An XML file. */
+class XmlFile extends XmlParent, File {
+  XmlFile() { xmlEncoding(this, _) }
 
-  class XmlCharactersBase = @xmlcharacters;
+  /** Gets a printable representation of this XML file. */
+  override string toString() { result = this.getName() }
 
-  predicate xmlChars_(
-    XmlCharactersBase e, string text, XmlParentBase parent, int idx, int isCDATA, XmlFileBase file
-  ) {
-    xmlChars(e, text, parent, idx, isCDATA, file)
+  /** Gets the name of this XML file. */
+  override string getName() { result = File.super.getAbsolutePath() }
+
+  /** Gets the encoding of this XML file. */
+  string getEncoding() { xmlEncoding(this, result) }
+
+  /** Gets the XML file itself. */
+  override XmlFile getFile() { result = this }
+
+  /** Gets a top-most element in an XML file. */
+  XmlElement getARootElement() { result = this.getAChild() }
+
+  /** Gets a DTD associated with this XML file. */
+  XmlDtd getADtd() { xmlDTDs(result, _, _, _, this) }
+}
+
+/**
+ * An XML document type definition (DTD).
+ *
+ * Example:
+ *
+ * ```
+ * <!ELEMENT person (firstName, lastName?)>
+ * <!ELEMENT firstName (#PCDATA)>
+ * <!ELEMENT lastName (#PCDATA)>
+ * ```
+ */
+class XmlDtd extends XmlLocatable, @xmldtd {
+  /** Gets the name of the root element of this DTD. */
+  string getRoot() { xmlDTDs(this, result, _, _, _) }
+
+  /** Gets the public ID of this DTD. */
+  string getPublicId() { xmlDTDs(this, _, result, _, _) }
+
+  /** Gets the system ID of this DTD. */
+  string getSystemId() { xmlDTDs(this, _, _, result, _) }
+
+  /** Holds if this DTD is public. */
+  predicate isPublic() { not xmlDTDs(this, _, "", _, _) }
+
+  /** Gets the parent of this DTD. */
+  XmlParent getParent() { xmlDTDs(this, _, _, _, result) }
+
+  override string toString() {
+    this.isPublic() and
+    result = this.getRoot() + " PUBLIC '" + this.getPublicId() + "' '" + this.getSystemId() + "'"
+    or
+    not this.isPublic() and
+    result = this.getRoot() + " SYSTEM '" + this.getSystemId() + "'"
   }
 }
 
-import Make<File, Location, Input>
+/**
+ * An XML element in an XML file.
+ *
+ * Example:
+ *
+ * ```
+ * <manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ *           package="com.example.exampleapp" android:versionCode="1">
+ * </manifest>
+ * ```
+ */
+class XmlElement extends @xmlelement, XmlParent, XmlLocatable {
+  /** Holds if this XML element has the given `name`. */
+  predicate hasName(string name) { name = this.getName() }
+
+  /** Gets the name of this XML element. */
+  override string getName() { xmlElements(this, result, _, _, _) }
+
+  /** Gets the XML file in which this XML element occurs. */
+  override XmlFile getFile() { xmlElements(this, _, _, _, result) }
+
+  /** Gets the parent of this XML element. */
+  XmlParent getParent() { xmlElements(this, _, result, _, _) }
+
+  /** Gets the index of this XML element among its parent's children. */
+  int getIndex() { xmlElements(this, _, _, result, _) }
+
+  /** Holds if this XML element has a namespace. */
+  predicate hasNamespace() { xmlHasNs(this, _, _) }
+
+  /** Gets the namespace of this XML element, if any. */
+  XmlNamespace getNamespace() { xmlHasNs(this, result, _) }
+
+  /** Gets the index of this XML element among its parent's children. */
+  int getElementPositionIndex() { xmlElements(this, _, _, result, _) }
+
+  /** Gets the depth of this element within the XML file tree structure. */
+  override int getDepth() { result = this.getParent().getDepth() + 1 }
+
+  /** Gets an XML attribute of this XML element. */
+  XmlAttribute getAnAttribute() { result.getElement() = this }
+
+  /** Gets the attribute with the specified `name`, if any. */
+  XmlAttribute getAttribute(string name) { result.getElement() = this and result.getName() = name }
+
+  /** Holds if this XML element has an attribute with the specified `name`. */
+  predicate hasAttribute(string name) { exists(this.getAttribute(name)) }
+
+  /** Gets the value of the attribute with the specified `name`, if any. */
+  string getAttributeValue(string name) { result = this.getAttribute(name).getValue() }
+
+  /** Gets a printable representation of this XML element. */
+  override string toString() { result = this.getName() }
+}
+
+/**
+ * An attribute that occurs inside an XML element.
+ *
+ * Examples:
+ *
+ * ```
+ * package="com.example.exampleapp"
+ * android:versionCode="1"
+ * ```
+ */
+class XmlAttribute extends @xmlattribute, XmlLocatable {
+  /** Gets the name of this attribute. */
+  string getName() { xmlAttrs(this, _, result, _, _, _) }
+
+  /** Gets the XML element to which this attribute belongs. */
+  XmlElement getElement() { xmlAttrs(this, result, _, _, _, _) }
+
+  /** Holds if this attribute has a namespace. */
+  predicate hasNamespace() { xmlHasNs(this, _, _) }
+
+  /** Gets the namespace of this attribute, if any. */
+  XmlNamespace getNamespace() { xmlHasNs(this, result, _) }
+
+  /** Gets the value of this attribute. */
+  string getValue() { xmlAttrs(this, _, _, result, _, _) }
+
+  /** Gets a printable representation of this XML attribute. */
+  override string toString() { result = this.getName() + "=" + this.getValue() }
+}
+
+/**
+ * A namespace used in an XML file.
+ *
+ * Example:
+ *
+ * ```
+ * xmlns:android="http://schemas.android.com/apk/res/android"
+ * ```
+ */
+class XmlNamespace extends XmlLocatable, @xmlnamespace {
+  /** Gets the prefix of this namespace. */
+  string getPrefix() { xmlNs(this, result, _, _) }
+
+  /** Gets the URI of this namespace. */
+  string getUri() { xmlNs(this, _, result, _) }
+
+  /** Holds if this namespace has no prefix. */
+  predicate isDefault() { this.getPrefix() = "" }
+
+  override string toString() {
+    this.isDefault() and result = this.getUri()
+    or
+    not this.isDefault() and result = this.getPrefix() + ":" + this.getUri()
+  }
+}
+
+/**
+ * A comment in an XML file.
+ *
+ * Example:
+ *
+ * ```
+ * <!-- This is a comment. -->
+ * ```
+ */
+class XmlComment extends @xmlcomment, XmlLocatable {
+  /** Gets the text content of this XML comment. */
+  string getText() { xmlComments(this, result, _, _) }
+
+  /** Gets the parent of this XML comment. */
+  XmlParent getParent() { xmlComments(this, _, result, _) }
+
+  /** Gets a printable representation of this XML comment. */
+  override string toString() { result = this.getText() }
+}
+
+/**
+ * A sequence of characters that occurs between opening and
+ * closing tags of an XML element, excluding other elements.
+ *
+ * Example:
+ *
+ * ```
+ * <content>This is a sequence of characters.</content>
+ * ```
+ */
+class XmlCharacters extends @xmlcharacters, XmlLocatable {
+  /** Gets the content of this character sequence. */
+  string getCharacters() { xmlChars(this, result, _, _, _, _) }
+
+  /** Gets the parent of this character sequence. */
+  XmlParent getParent() { xmlChars(this, _, result, _, _, _) }
+
+  /** Holds if this character sequence is CDATA. */
+  predicate isCDATA() { xmlChars(this, _, _, _, 1, _) }
+
+  /** Gets a printable representation of this XML character sequence. */
+  override string toString() { result = this.getCharacters() }
+}

cpp/ql/lib/semmle/code/cpp/controlflow/SubBasicBlocks.qll

@@ -1,6 +1,6 @@
 // NOTE: There are two copies of this file, and they must be kept identical:
 // - semmle/code/cpp/controlflow/SubBasicBlocks.qll
-// - semmle/code/cpp/dataflow/internal/SubBasicBlocks.qll [now DEPRECATED]
+// - semmle/code/cpp/dataflow/internal/SubBasicBlocks.qll
 //
 // The second one is a private copy of the `SubBasicBlocks` library for
 // internal use by the data flow library. Having an extra copy prevents

cpp/ql/lib/semmle/code/cpp/dataflow/DataFlow.qll

@@ -28,6 +28,6 @@ import cpp
 deprecated module DataFlow {
   private import semmle.code.cpp.dataflow.internal.DataFlowImplSpecific
   private import codeql.dataflow.DataFlow
-  import DataFlowMake<Location, CppOldDataFlow>
+  import DataFlowMake<CppOldDataFlow>
   import semmle.code.cpp.dataflow.internal.DataFlowImpl1
 }

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -1,556 +0,0 @@
-/**
- * INTERNAL use only. This is an experimental API subject to change without notice.
- *
- * Provides classes and predicates for dealing with flow models specified in CSV format.
- *
- * The CSV specification has the following columns:
- * - Sources:
- *   `namespace; type; subtypes; name; signature; ext; output; kind`
- * - Sinks:
- *   `namespace; type; subtypes; name; signature; ext; input; kind`
- * - Summaries:
- *   `namespace; type; subtypes; name; signature; ext; input; output; kind`
- *
- * The interpretation of a row is similar to API-graphs with a left-to-right
- * reading.
- * 1. The `namespace` column selects a namespace.
- * 2. The `type` column selects a type within that namespace.
- * 3. The `subtypes` is a boolean that indicates whether to jump to an
- *    arbitrary subtype of that type. Set this to `false` if leaving the `type`
- *    blank (for example, a free function).
- * 4. The `name` column optionally selects a specific named member of the type.
- * 5. The `signature` column optionally restricts the named member. If
- *    `signature` is blank then no such filtering is done. The format of the
- *    signature is a comma-separated list of types enclosed in parentheses. The
- *    types can be short names or fully qualified names (mixing these two options
- *    is not allowed within a single signature).
- * 6. The `ext` column specifies additional API-graph-like edges. Currently
- *    there is only one valid value: "".
- * 7. The `input` column specifies how data enters the element selected by the
- *    first 6 columns, and the `output` column specifies how data leaves the
- *    element selected by the first 6 columns. An `input` can be either:
- *    - "": Selects a write to the selected element in case this is a field.
- *    - "Argument[n]": Selects an argument in a call to the selected element.
- *      The arguments are zero-indexed, and `-1` specifies the qualifier object,
- *      that is, `*this`.
- *      - one or more "*" can be added in front of the argument index to indicate
- *        indirection, for example, `Argument[*0]` indicates the first indirection
- *        of the 0th argument.
- *      - `n1..n2` syntax can be used to indicate a range of arguments, inclusive
- *        at both ends. One or more "*"s can be added in front of the whole range
- *        to indicate that every argument in the range is indirect, for example
- *        `*0..1` is the first indirection of both arguments 0 and 1.
- *    - "ReturnValue": Selects a value being returned by the selected element.
- *      One or more "*" can be added as an argument to indicate indirection, for
- *      example, "ReturnValue[*]" indicates the first indirection of the return
- *      value.
- *
- *    An `output` can be either:
- *    - "": Selects a read of a selected field.
- *    - "Argument[n]": Selects the post-update value of an argument in a call to
- *      the selected element. That is, the value of the argument after the call
- *      returns. The arguments are zero-indexed, and `-1` specifies the qualifier
- *      object, that is, `*this`.
- *      - one or more "*" can be added in front of the argument index to indicate
- *        indirection, for example, `Argument[*0]` indicates the first indirection
- *        of the 0th argument.
- *      - `n1..n2` syntax can be used to indicate a range of arguments, inclusive
- *        at both ends. One or more "*"s can be added in front of the whole range
- *        to indicate that every argument in the range is indirect, for example
- *        `*0..1` is the first indirection of both arguments 0 and 1.
- *    - "Parameter[n]": Selects the value of a parameter of the selected element.
- *      The syntax is the same as for "Argument", for example "Parameter[0]",
- *      "Parameter[*0]", "Parameter[0..2]" etc.
- *    - "ReturnValue": Selects a value being returned by the selected element.
- *      One or more "*" can be added as an argument to indicate indirection, for
- *      example, "ReturnValue[*]" indicates the first indirection of the return
- *      value.
- * 8. The `kind` column is a tag that can be referenced from QL to determine to
- *    which classes the interpreted elements should be added. For example, for
- *    sources "remote" indicates a default remote flow source, and for summaries
- *    "taint" indicates a default additional taint step and "value" indicates a
- *    globally applicable value-preserving step.
- */
-
-import cpp
-private import new.DataFlow
-private import internal.FlowSummaryImpl
-private import internal.FlowSummaryImpl::Public
-private import internal.FlowSummaryImpl::Private
-private import internal.FlowSummaryImpl::Private::External
-private import codeql.mad.ModelValidation as SharedModelVal
-private import codeql.util.Unit
-
-/**
- * A unit class for adding additional source model rows.
- *
- * Extend this class to add additional source definitions.
- */
-class SourceModelCsv extends Unit {
-  /** Holds if `row` specifies a source definition. */
-  abstract predicate row(string row);
-}
-
-/**
- * A unit class for adding additional sink model rows.
- *
- * Extend this class to add additional sink definitions.
- */
-class SinkModelCsv extends Unit {
-  /** Holds if `row` specifies a sink definition. */
-  abstract predicate row(string row);
-}
-
-/**
- * A unit class for adding additional summary model rows.
- *
- * Extend this class to add additional flow summary definitions.
- */
-class SummaryModelCsv extends Unit {
-  /** Holds if `row` specifies a summary definition. */
-  abstract predicate row(string row);
-}
-
-/** Holds if `row` is a source model. */
-predicate sourceModel(string row) { any(SourceModelCsv s).row(row) }
-
-/** Holds if `row` is a sink model. */
-predicate sinkModel(string row) { any(SinkModelCsv s).row(row) }
-
-/** Holds if `row` is a summary model. */
-predicate summaryModel(string row) { any(SummaryModelCsv s).row(row) }
-
-/** Holds if a source model exists for the given parameters. */
-predicate sourceModel(
-  string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string output, string kind, string provenance
-) {
-  exists(string row |
-    sourceModel(row) and
-    row.splitAt(";", 0) = namespace and
-    row.splitAt(";", 1) = type and
-    row.splitAt(";", 2) = subtypes.toString() and
-    subtypes = [true, false] and
-    row.splitAt(";", 3) = name and
-    row.splitAt(";", 4) = signature and
-    row.splitAt(";", 5) = ext and
-    row.splitAt(";", 6) = output and
-    row.splitAt(";", 7) = kind
-  ) and
-  provenance = "manual"
-}
-
-/** Holds if a sink model exists for the given parameters. */
-predicate sinkModel(
-  string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string input, string kind, string provenance
-) {
-  exists(string row |
-    sinkModel(row) and
-    row.splitAt(";", 0) = namespace and
-    row.splitAt(";", 1) = type and
-    row.splitAt(";", 2) = subtypes.toString() and
-    subtypes = [true, false] and
-    row.splitAt(";", 3) = name and
-    row.splitAt(";", 4) = signature and
-    row.splitAt(";", 5) = ext and
-    row.splitAt(";", 6) = input and
-    row.splitAt(";", 7) = kind
-  ) and
-  provenance = "manual"
-}
-
-/** Holds if a summary model exists for the given parameters. */
-predicate summaryModel(
-  string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string input, string output, string kind, string provenance
-) {
-  exists(string row |
-    summaryModel(row) and
-    row.splitAt(";", 0) = namespace and
-    row.splitAt(";", 1) = type and
-    row.splitAt(";", 2) = subtypes.toString() and
-    subtypes = [true, false] and
-    row.splitAt(";", 3) = name and
-    row.splitAt(";", 4) = signature and
-    row.splitAt(";", 5) = ext and
-    row.splitAt(";", 6) = input and
-    row.splitAt(";", 7) = output and
-    row.splitAt(";", 8) = kind
-  ) and
-  provenance = "manual"
-}
-
-private predicate relevantNamespace(string namespace) {
-  sourceModel(namespace, _, _, _, _, _, _, _, _) or
-  sinkModel(namespace, _, _, _, _, _, _, _, _) or
-  summaryModel(namespace, _, _, _, _, _, _, _, _, _)
-}
-
-private predicate namespaceLink(string shortns, string longns) {
-  relevantNamespace(shortns) and
-  relevantNamespace(longns) and
-  longns.prefix(longns.indexOf("::")) = shortns
-}
-
-private predicate canonicalNamespace(string namespace) {
-  relevantNamespace(namespace) and not namespaceLink(_, namespace)
-}
-
-private predicate canonicalNamespaceLink(string namespace, string subns) {
-  canonicalNamespace(namespace) and
-  (subns = namespace or namespaceLink(namespace, subns))
-}
-
-/**
- * Holds if CSV framework coverage of `namespace` is `n` api endpoints of the
- * kind `(kind, part)`.
- */
-predicate modelCoverage(string namespace, int namespaces, string kind, string part, int n) {
-  namespaces = strictcount(string subns | canonicalNamespaceLink(namespace, subns)) and
-  (
-    part = "source" and
-    n =
-      strictcount(string subns, string type, boolean subtypes, string name, string signature,
-        string ext, string output, string provenance |
-        canonicalNamespaceLink(namespace, subns) and
-        sourceModel(subns, type, subtypes, name, signature, ext, output, kind, provenance)
-      )
-    or
-    part = "sink" and
-    n =
-      strictcount(string subns, string type, boolean subtypes, string name, string signature,
-        string ext, string input, string provenance |
-        canonicalNamespaceLink(namespace, subns) and
-        sinkModel(subns, type, subtypes, name, signature, ext, input, kind, provenance)
-      )
-    or
-    part = "summary" and
-    n =
-      strictcount(string subns, string type, boolean subtypes, string name, string signature,
-        string ext, string input, string output, string provenance |
-        canonicalNamespaceLink(namespace, subns) and
-        summaryModel(subns, type, subtypes, name, signature, ext, input, output, kind, provenance)
-      )
-  )
-}
-
-/** Provides a query predicate to check the CSV data for validation errors. */
-module CsvValidation {
-  private string getInvalidModelInput() {
-    exists(string pred, AccessPath input, string part |
-      sinkModel(_, _, _, _, _, _, input, _, _) and pred = "sink"
-      or
-      summaryModel(_, _, _, _, _, _, input, _, _, _) and pred = "summary"
-    |
-      (
-        invalidSpecComponent(input, part) and
-        not part = "" and
-        not (part = "Argument" and pred = "sink") and
-        not parseArg(part, _)
-        or
-        part = input.getToken(_) and
-        parseParam(part, _)
-      ) and
-      result = "Unrecognized input specification \"" + part + "\" in " + pred + " model."
-    )
-  }
-
-  private string getInvalidModelOutput() {
-    exists(string pred, string output, string part |
-      sourceModel(_, _, _, _, _, _, output, _, _) and pred = "source"
-      or
-      summaryModel(_, _, _, _, _, _, _, output, _, _) and pred = "summary"
-    |
-      invalidSpecComponent(output, part) and
-      not part = "" and
-      not (part = ["Argument", "Parameter"] and pred = "source") and
-      result = "Unrecognized output specification \"" + part + "\" in " + pred + " model."
-    )
-  }
-
-  private module KindValConfig implements SharedModelVal::KindValidationConfigSig {
-    predicate summaryKind(string kind) { summaryModel(_, _, _, _, _, _, _, _, kind, _) }
-
-    predicate sinkKind(string kind) { sinkModel(_, _, _, _, _, _, _, kind, _) }
-
-    predicate sourceKind(string kind) { sourceModel(_, _, _, _, _, _, _, kind, _) }
-  }
-
-  private module KindVal = SharedModelVal::KindValidation<KindValConfig>;
-
-  private string getInvalidModelSubtype() {
-    exists(string pred, string row |
-      sourceModel(row) and pred = "source"
-      or
-      sinkModel(row) and pred = "sink"
-      or
-      summaryModel(row) and pred = "summary"
-    |
-      exists(string b |
-        b = row.splitAt(";", 2) and
-        not b = ["true", "false"] and
-        result = "Invalid boolean \"" + b + "\" in " + pred + " model."
-      )
-    )
-  }
-
-  private string getInvalidModelColumnCount() {
-    exists(string pred, string row, int expect |
-      sourceModel(row) and expect = 8 and pred = "source"
-      or
-      sinkModel(row) and expect = 8 and pred = "sink"
-      or
-      summaryModel(row) and expect = 9 and pred = "summary"
-    |
-      exists(int cols |
-        cols = 1 + max(int n | exists(row.splitAt(";", n))) and
-        cols != expect and
-        result =
-          "Wrong number of columns in " + pred + " model row, expected " + expect + ", got " + cols +
-            "."
-      )
-    )
-  }
-
-  private string getInvalidModelSignature() {
-    exists(string pred, string namespace, string type, string name, string signature, string ext |
-      sourceModel(namespace, type, _, name, signature, ext, _, _, _) and pred = "source"
-      or
-      sinkModel(namespace, type, _, name, signature, ext, _, _, _) and pred = "sink"
-      or
-      summaryModel(namespace, type, _, name, signature, ext, _, _, _, _) and pred = "summary"
-    |
-      not namespace.regexpMatch("[a-zA-Z0-9_\\.]+") and
-      result = "Dubious namespace \"" + namespace + "\" in " + pred + " model."
-      or
-      not type.regexpMatch("[a-zA-Z0-9_<>,\\+]+") and
-      result = "Dubious type \"" + type + "\" in " + pred + " model."
-      or
-      not name.regexpMatch("[a-zA-Z0-9_<>,]*") and
-      result = "Dubious member name \"" + name + "\" in " + pred + " model."
-      or
-      not signature.regexpMatch("|\\([a-zA-Z0-9_<>\\.\\+\\*,\\[\\]]*\\)") and
-      result = "Dubious signature \"" + signature + "\" in " + pred + " model."
-      or
-      not ext.regexpMatch("|Attribute") and
-      result = "Unrecognized extra API graph element \"" + ext + "\" in " + pred + " model."
-    )
-  }
-
-  /** Holds if some row in a CSV-based flow model appears to contain typos. */
-  query predicate invalidModelRow(string msg) {
-    msg =
-      [
-        getInvalidModelSignature(), getInvalidModelInput(), getInvalidModelOutput(),
-        getInvalidModelSubtype(), getInvalidModelColumnCount(), KindVal::getInvalidModelKind()
-      ]
-  }
-}
-
-private predicate elementSpec(
-  string namespace, string type, boolean subtypes, string name, string signature, string ext
-) {
-  sourceModel(namespace, type, subtypes, name, signature, ext, _, _, _) or
-  sinkModel(namespace, type, subtypes, name, signature, ext, _, _, _) or
-  summaryModel(namespace, type, subtypes, name, signature, ext, _, _, _, _)
-}
-
-private string paramsStringPart(Function c, int i) {
-  i = -1 and result = "(" and exists(c)
-  or
-  exists(int n, string p | c.getParameter(n).getType().toString() = p |
-    i = 2 * n and result = p
-    or
-    i = 2 * n - 1 and result = "," and n != 0
-  )
-  or
-  i = 2 * c.getNumberOfParameters() and result = ")"
-}
-
-/**
- * Gets a parenthesized string containing all parameter types of this callable, separated by a comma.
- *
- * Returns the empty string if the callable has no parameters.
- * Parameter types are represented by their type erasure.
- */
-cached
-private string paramsString(Function c) {
-  result = concat(int i | | paramsStringPart(c, i) order by i)
-}
-
-bindingset[func]
-private predicate matchesSignature(Function func, string signature) {
-  signature = "" or
-  paramsString(func) = signature
-}
-
-/**
- * Gets the element in module `namespace` that satisfies the following properties:
- * 1. If the element is a member of a class-like type, then the class-like type has name `type`
- * 2. If `subtypes = true` and the element is a member of a class-like type, then overrides of the element
- *    are also returned.
- * 3. The element has name `name`
- * 4. If `signature` is non-empty, then the element has a list of parameter types described by `signature`.
- *
- * NOTE: `namespace` is currently not used (since we don't properly extract modules yet).
- */
-pragma[nomagic]
-private Element interpretElement0(
-  string namespace, string type, boolean subtypes, string name, string signature
-) {
-  elementSpec(namespace, type, subtypes, name, signature, _) and
-  (
-    // Non-member functions
-    exists(Function func |
-      func.hasQualifiedName(namespace, name) and
-      type = "" and
-      matchesSignature(func, signature) and
-      subtypes = false and
-      not exists(func.getDeclaringType()) and
-      result = func
-    )
-    or
-    // Member functions
-    exists(Class namedClass, Class classWithMethod, Function method |
-      classWithMethod = method.getClassAndName(name) and
-      namedClass.hasQualifiedName(namespace, type) and
-      matchesSignature(method, signature) and
-      result = method
-    |
-      // member declared in the named type or a subtype of it
-      subtypes = true and
-      classWithMethod = namedClass.getADerivedClass*()
-      or
-      // member declared directly in the named type
-      subtypes = false and
-      classWithMethod = namedClass
-    )
-    or
-    // Member variables
-    signature = "" and
-    exists(Class namedClass, Class classWithMember, MemberVariable member |
-      member.getName() = name and
-      member = classWithMember.getAMember() and
-      namedClass.hasQualifiedName(namespace, type) and
-      result = member
-    |
-      // field declared in the named type or a subtype of it (or an extension of any)
-      subtypes = true and
-      classWithMember = namedClass.getADerivedClass*()
-      or
-      // field declared directly in the named type (or an extension of it)
-      subtypes = false and
-      classWithMember = namedClass
-    )
-    or
-    // Global or namespace variables
-    signature = "" and
-    type = "" and
-    subtypes = false and
-    result = any(GlobalOrNamespaceVariable v | v.hasQualifiedName(namespace, name))
-  )
-}
-
-/** Gets the source/sink/summary element corresponding to the supplied parameters. */
-Element interpretElement(
-  string namespace, string type, boolean subtypes, string name, string signature, string ext
-) {
-  elementSpec(namespace, type, subtypes, name, signature, ext) and
-  exists(Element e | e = interpretElement0(namespace, type, subtypes, name, signature) |
-    ext = "" and result = e
-  )
-}
-
-cached
-private module Cached {
-  /**
-   * Holds if `node` is specified as a source with the given kind in a CSV flow
-   * model.
-   */
-  cached
-  predicate sourceNode(DataFlow::Node node, string kind) {
-    exists(SourceSinkInterpretationInput::InterpretNode n |
-      isSourceNode(n, kind, _) and n.asNode() = node // TODO
-    )
-  }
-
-  /**
-   * Holds if `node` is specified as a sink with the given kind in a CSV flow
-   * model.
-   */
-  cached
-  predicate sinkNode(DataFlow::Node node, string kind) {
-    exists(SourceSinkInterpretationInput::InterpretNode n |
-      isSinkNode(n, kind, _) and n.asNode() = node // TODO
-    )
-  }
-}
-
-import Cached
-
-private predicate interpretSummary(
-  Function f, string input, string output, string kind, string provenance
-) {
-  exists(
-    string namespace, string type, boolean subtypes, string name, string signature, string ext
-  |
-    summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind, provenance) and
-    f = interpretElement(namespace, type, subtypes, name, signature, ext)
-  )
-}
-
-// adapter class for converting Mad summaries to `SummarizedCallable`s
-private class SummarizedCallableAdapter extends SummarizedCallable {
-  SummarizedCallableAdapter() { interpretSummary(this, _, _, _, _) }
-
-  private predicate relevantSummaryElementManual(string input, string output, string kind) {
-    exists(Provenance provenance |
-      interpretSummary(this, input, output, kind, provenance) and
-      provenance.isManual()
-    )
-  }
-
-  private predicate relevantSummaryElementGenerated(string input, string output, string kind) {
-    exists(Provenance provenance |
-      interpretSummary(this, input, output, kind, provenance) and
-      provenance.isGenerated()
-    )
-  }
-
-  override predicate propagatesFlow(
-    string input, string output, boolean preservesValue, string model
-  ) {
-    exists(string kind |
-      this.relevantSummaryElementManual(input, output, kind)
-      or
-      not this.relevantSummaryElementManual(_, _, _) and
-      this.relevantSummaryElementGenerated(input, output, kind)
-    |
-      if kind = "value" then preservesValue = true else preservesValue = false
-    ) and
-    model = "" // TODO
-  }
-
-  override predicate hasProvenance(Provenance provenance) {
-    interpretSummary(this, _, _, _, provenance)
-  }
-}
-
-// adapter class for converting Mad neutrals to `NeutralCallable`s
-private class NeutralCallableAdapter extends NeutralCallable {
-  string kind;
-  string provenance_;
-
-  NeutralCallableAdapter() {
-    // Neutral models have not been implemented for CPP.
-    none() and
-    exists(this) and
-    exists(kind) and
-    exists(provenance_)
-  }
-
-  override string getKind() { result = kind }
-
-  override predicate hasProvenance(Provenance provenance) { provenance = provenance_ }
-}

cpp/ql/lib/semmle/code/cpp/dataflow/TaintTracking.qll

@@ -29,6 +29,6 @@ deprecated module TaintTracking {
   private import semmle.code.cpp.dataflow.internal.DataFlowImplSpecific
   private import semmle.code.cpp.dataflow.internal.TaintTrackingImplSpecific
   private import codeql.dataflow.TaintTracking
-  import TaintFlowMake<Location, CppOldDataFlow, CppOldTaintTracking>
+  import TaintFlowMake<CppOldDataFlow, CppOldTaintTracking>
   import semmle.code.cpp.dataflow.internal.tainttracking1.TaintTrackingImpl
 }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/AddressFlow.qll

@@ -1,6 +1,4 @@
 /**
- * DEPRECATED: Use `semmle.code.cpp.dataflow.new.DataFlow` instead.
- *
  * Provides a local analysis for identifying where a variable address
  * is effectively taken. Array-like offsets are allowed to pass through but
  * not field-like offsets.

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowDispatch.qll

@@ -1,7 +1,3 @@
-/**
- * DEPRECATED: Use `semmle.code.cpp.dataflow.new.DataFlow` instead.
- */
-
 private import cpp
 private import DataFlowPrivate
 private import DataFlowUtil

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll

@@ -1,8 +1,3 @@
-/**
- * DEPRECATED: Use `semmle.code.cpp.dataflow.new.DataFlow` instead.
- */
-
-private import semmle.code.cpp.Location
 private import DataFlowImplSpecific
 private import codeql.dataflow.internal.DataFlowImpl
-import MakeImpl<Location, CppOldDataFlow>
+import MakeImpl<CppOldDataFlow>

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll

@@ -263,10 +263,9 @@ deprecated private module Config implements FullStateConfigSig {
 
   predicate isBarrierOut(Node node, FlowState state) { none() }
 
-  predicate isAdditionalFlowStep(Node node1, Node node2, string model) {
+  predicate isAdditionalFlowStep(Node node1, Node node2) {
     singleConfiguration() and
-    any(Configuration config).isAdditionalFlowStep(node1, node2) and
-    model = ""
+    any(Configuration config).isAdditionalFlowStep(node1, node2)
   }
 
   predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
@@ -286,8 +285,6 @@ deprecated private module Config implements FullStateConfigSig {
 
   int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
 
-  int accessPathLimit() { result = 5 }
-
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate sourceGrouping(Node source, string sourceGroup) {

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll

@@ -263,10 +263,9 @@ deprecated private module Config implements FullStateConfigSig {
 
   predicate isBarrierOut(Node node, FlowState state) { none() }
 
-  predicate isAdditionalFlowStep(Node node1, Node node2, string model) {
+  predicate isAdditionalFlowStep(Node node1, Node node2) {
     singleConfiguration() and
-    any(Configuration config).isAdditionalFlowStep(node1, node2) and
-    model = ""
+    any(Configuration config).isAdditionalFlowStep(node1, node2)
   }
 
   predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
@@ -286,8 +285,6 @@ deprecated private module Config implements FullStateConfigSig {
 
   int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
 
-  int accessPathLimit() { result = 5 }
-
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate sourceGrouping(Node source, string sourceGroup) {

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll

@@ -263,10 +263,9 @@ deprecated private module Config implements FullStateConfigSig {
 
   predicate isBarrierOut(Node node, FlowState state) { none() }
 
-  predicate isAdditionalFlowStep(Node node1, Node node2, string model) {
+  predicate isAdditionalFlowStep(Node node1, Node node2) {
     singleConfiguration() and
-    any(Configuration config).isAdditionalFlowStep(node1, node2) and
-    model = ""
+    any(Configuration config).isAdditionalFlowStep(node1, node2)
   }
 
   predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
@@ -286,8 +285,6 @@ deprecated private module Config implements FullStateConfigSig {
 
   int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
 
-  int accessPathLimit() { result = 5 }
-
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate sourceGrouping(Node source, string sourceGroup) {

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll

@@ -263,10 +263,9 @@ deprecated private module Config implements FullStateConfigSig {
 
   predicate isBarrierOut(Node node, FlowState state) { none() }
 
-  predicate isAdditionalFlowStep(Node node1, Node node2, string model) {
+  predicate isAdditionalFlowStep(Node node1, Node node2) {
     singleConfiguration() and
-    any(Configuration config).isAdditionalFlowStep(node1, node2) and
-    model = ""
+    any(Configuration config).isAdditionalFlowStep(node1, node2)
   }
 
   predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
@@ -286,8 +285,6 @@ deprecated private module Config implements FullStateConfigSig {
 
   int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
 
-  int accessPathLimit() { result = 5 }
-
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate sourceGrouping(Node source, string sourceGroup) {

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll

@@ -1,8 +1,3 @@
-/**
- * DEPRECATED: Use `semmle.code.cpp.dataflow.new.DataFlow` instead.
- */
-
-private import semmle.code.cpp.Location
 private import DataFlowImplSpecific
 private import codeql.dataflow.internal.DataFlowImplCommon
-import MakeImplCommon<Location, CppOldDataFlow>
+import MakeImplCommon<CppOldDataFlow>

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll

@@ -1,6 +1,4 @@
 /**
- * DEPRECATED: Use `semmle.code.cpp.dataflow.new.DataFlow` instead.
- *
  * Provides consistency queries for checking invariants in the language-specific
  * data-flow classes and predicates.
  */
@@ -10,7 +8,7 @@ private import DataFlowImplSpecific
 private import TaintTrackingImplSpecific
 private import codeql.dataflow.internal.DataFlowImplConsistency
 
-private module Input implements InputSig<Location, CppOldDataFlow> {
+private module Input implements InputSig<CppOldDataFlow> {
   predicate argHasPostUpdateExclude(Private::ArgumentNode n) {
     // Is the null pointer (or something that's not really a pointer)
     exists(n.asExpr().getValue())
@@ -26,4 +24,4 @@ private module Input implements InputSig<Location, CppOldDataFlow> {
   }
 }
 
-module Consistency = MakeConsistency<Location, CppOldDataFlow, CppOldTaintTracking, Input>;
+module Consistency = MakeConsistency<CppOldDataFlow, CppOldTaintTracking, Input>;

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll

@@ -263,10 +263,9 @@ deprecated private module Config implements FullStateConfigSig {
 
   predicate isBarrierOut(Node node, FlowState state) { none() }
 
-  predicate isAdditionalFlowStep(Node node1, Node node2, string model) {
+  predicate isAdditionalFlowStep(Node node1, Node node2) {
     singleConfiguration() and
-    any(Configuration config).isAdditionalFlowStep(node1, node2) and
-    model = ""
+    any(Configuration config).isAdditionalFlowStep(node1, node2)
   }
 
   predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
@@ -286,8 +285,6 @@ deprecated private module Config implements FullStateConfigSig {
 
   int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
 
-  int accessPathLimit() { result = 5 }
-
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate sourceGrouping(Node source, string sourceGroup) {

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplSpecific.qll

@@ -1,10 +1,7 @@
 /**
- * DEPRECATED: Use `semmle.code.cpp.dataflow.new.DataFlow` instead.
- *
  * Provides C++-specific definitions for use in the data flow library.
  */
 
-private import semmle.code.cpp.Location
 private import codeql.dataflow.DataFlow
 
 module Private {
@@ -16,7 +13,7 @@ module Public {
   import DataFlowUtil
 }
 
-module CppOldDataFlow implements InputSig<Location> {
+module CppOldDataFlow implements InputSig {
   import Private
   import Public
 

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll

@@ -1,7 +1,3 @@
-/**
- * DEPRECATED: Use `semmle.code.cpp.dataflow.new.DataFlow` instead.
- */
-
 private import cpp
 private import DataFlowUtil
 private import DataFlowDispatch
@@ -286,12 +282,6 @@ predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) { no
 /** Extra data-flow steps needed for lambda flow analysis. */
 predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) { none() }
 
-predicate knownSourceModel(Node source, string model) { none() }
-
-predicate knownSinkModel(Node sink, string model) { none() }
-
-class DataFlowSecondLevelScope = Unit;
-
 /**
  * Holds if flow is allowed to pass from parameter `p` and back to itself as a
  * side-effect, resulting in a summary from `p` to itself.

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll

@@ -1,6 +1,4 @@
 /**
- * DEPRECATED: Use `semmle.code.cpp.dataflow.new.DataFlow` instead.
- *
  * Provides C++-specific definitions for use in the data flow library.
  */
 
@@ -105,7 +103,7 @@ class Node extends TNode {
    * For more information, see
    * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
    */
-  deprecated predicate hasLocationInfo(
+  predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
   ) {
     this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
@@ -516,7 +514,7 @@ private module ThisFlow {
  */
 cached
 predicate localFlowStep(Node nodeFrom, Node nodeTo) {
-  simpleLocalFlowStep(nodeFrom, nodeTo, _)
+  simpleLocalFlowStep(nodeFrom, nodeTo)
   or
   // Field flow is not strictly a "step" but covers the whole function
   // transitively. There's no way to get a step-like relation out of the global
@@ -530,67 +528,64 @@ predicate localFlowStep(Node nodeFrom, Node nodeTo) {
  * This is the local flow predicate that's used as a building block in global
  * data flow. It may have less flow than the `localFlowStep` predicate.
  */
-predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo, string model) {
-  (
-    // Expr -> Expr
-    exprToExprStep_nocfg(nodeFrom.asExpr(), nodeTo.asExpr())
-    or
-    // Assignment -> LValue post-update node
-    //
-    // This is used for assignments whose left-hand side is not a variable
-    // assignment or a storeStep but is still modeled by other means. It could be
-    // a call to `operator*` or `operator[]` where taint should flow to the
-    // post-update node of the qualifier.
-    exists(AssignExpr assign |
-      nodeFrom.asExpr() = assign and
-      nodeTo.(PostUpdateNode).getPreUpdateNode().asExpr() = assign.getLValue()
-    )
-    or
-    // Node -> FlowVar -> VariableAccess
-    exists(FlowVar var |
-      (
-        exprToVarStep(nodeFrom.asExpr(), var)
-        or
-        varSourceBaseCase(var, nodeFrom.asParameter())
-        or
-        varSourceBaseCase(var, nodeFrom.asUninitialized())
-        or
-        var.definedPartiallyAt(nodeFrom.asPartialDefinition())
-      ) and
-      varToNodeStep(var, nodeTo)
-    )
-    or
-    // Expr -> DefinitionByReferenceNode
-    exprToDefinitionByReferenceStep(nodeFrom.asExpr(), nodeTo.asDefiningArgument())
-    or
-    // `this` -> adjacent-`this`
-    ThisFlow::adjacentThisRefs(nodeFrom, nodeTo)
-    or
-    // post-update-`this` -> following-`this`-ref
-    ThisFlow::adjacentThisRefs(nodeFrom.(PostUpdateNode).getPreUpdateNode(), nodeTo)
-    or
-    // In `f(&x->a)`, this step provides the flow from post-`&` to post-`x->a`,
-    // from which there is field flow to `x` via reverse read.
-    exists(PartialDefinition def, Expr inner, Expr outer |
-      def.definesExpressions(inner, outer) and
-      inner = nodeTo.(InnerPartialDefinitionNode).getPreUpdateNode().asExpr() and
-      outer = nodeFrom.(PartialDefinitionNode).getPreUpdateNode().asExpr()
-    )
-    or
-    // Reverse flow: data that flows from the post-update node of a reference
-    // returned by a function call, back into the qualifier of that function.
-    // This allows data to flow 'in' through references returned by a modeled
-    // function such as `operator[]`.
-    exists(DataFlowFunction f, Call call, FunctionInput inModel, FunctionOutput outModel |
-      call.getTarget() = f and
-      inModel.isReturnValueDeref() and
-      outModel.isQualifierObject() and
-      f.hasDataFlow(inModel, outModel) and
-      nodeFrom.(PostUpdateNode).getPreUpdateNode().asExpr() = call and
-      nodeTo.asDefiningArgument() = call.getQualifier()
-    )
-  ) and
-  model = ""
+predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
+  // Expr -> Expr
+  exprToExprStep_nocfg(nodeFrom.asExpr(), nodeTo.asExpr())
+  or
+  // Assignment -> LValue post-update node
+  //
+  // This is used for assignments whose left-hand side is not a variable
+  // assignment or a storeStep but is still modeled by other means. It could be
+  // a call to `operator*` or `operator[]` where taint should flow to the
+  // post-update node of the qualifier.
+  exists(AssignExpr assign |
+    nodeFrom.asExpr() = assign and
+    nodeTo.(PostUpdateNode).getPreUpdateNode().asExpr() = assign.getLValue()
+  )
+  or
+  // Node -> FlowVar -> VariableAccess
+  exists(FlowVar var |
+    (
+      exprToVarStep(nodeFrom.asExpr(), var)
+      or
+      varSourceBaseCase(var, nodeFrom.asParameter())
+      or
+      varSourceBaseCase(var, nodeFrom.asUninitialized())
+      or
+      var.definedPartiallyAt(nodeFrom.asPartialDefinition())
+    ) and
+    varToNodeStep(var, nodeTo)
+  )
+  or
+  // Expr -> DefinitionByReferenceNode
+  exprToDefinitionByReferenceStep(nodeFrom.asExpr(), nodeTo.asDefiningArgument())
+  or
+  // `this` -> adjacent-`this`
+  ThisFlow::adjacentThisRefs(nodeFrom, nodeTo)
+  or
+  // post-update-`this` -> following-`this`-ref
+  ThisFlow::adjacentThisRefs(nodeFrom.(PostUpdateNode).getPreUpdateNode(), nodeTo)
+  or
+  // In `f(&x->a)`, this step provides the flow from post-`&` to post-`x->a`,
+  // from which there is field flow to `x` via reverse read.
+  exists(PartialDefinition def, Expr inner, Expr outer |
+    def.definesExpressions(inner, outer) and
+    inner = nodeTo.(InnerPartialDefinitionNode).getPreUpdateNode().asExpr() and
+    outer = nodeFrom.(PartialDefinitionNode).getPreUpdateNode().asExpr()
+  )
+  or
+  // Reverse flow: data that flows from the post-update node of a reference
+  // returned by a function call, back into the qualifier of that function.
+  // This allows data to flow 'in' through references returned by a modeled
+  // function such as `operator[]`.
+  exists(DataFlowFunction f, Call call, FunctionInput inModel, FunctionOutput outModel |
+    call.getTarget() = f and
+    inModel.isReturnValueDeref() and
+    outModel.isQualifierObject() and
+    f.hasDataFlow(inModel, outModel) and
+    nodeFrom.(PostUpdateNode).getPreUpdateNode().asExpr() = call and
+    nodeTo.asDefiningArgument() = call.getQualifier()
+  )
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll

@@ -1,271 +0,0 @@
-/**
- * Provides classes and predicates for defining flow summaries.
- */
-
-private import cpp as Cpp
-private import codeql.dataflow.internal.FlowSummaryImpl
-private import codeql.dataflow.internal.AccessPathSyntax as AccessPath
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplSpecific as DataFlowImplSpecific
-private import semmle.code.cpp.dataflow.ExternalFlow
-private import semmle.code.cpp.ir.IR
-
-module Input implements InputSig<Location, DataFlowImplSpecific::CppDataFlow> {
-  class SummarizedCallableBase = Function;
-
-  ArgumentPosition callbackSelfParameterPosition() { result = TDirectPosition(-1) }
-
-  ReturnKind getStandardReturnValueKind() { result.(NormalReturnKind).getIndirectionIndex() = 0 }
-
-  string encodeParameterPosition(ParameterPosition pos) { result = pos.toString() }
-
-  string encodeArgumentPosition(ArgumentPosition pos) { result = pos.toString() }
-
-  string encodeReturn(ReturnKind rk, string arg) {
-    rk != getStandardReturnValueKind() and
-    result = "ReturnValue" and
-    arg = repeatStars(rk.(NormalReturnKind).getIndirectionIndex())
-  }
-
-  string encodeContent(ContentSet cs, string arg) {
-    exists(FieldContent c |
-      cs.isSingleton(c) and
-      // FieldContent indices have 0 for the address, 1 for content, so we need to subtract one.
-      result = "Field" and
-      arg = repeatStars(c.getIndirectionIndex() - 1) + c.getField().getName()
-    )
-  }
-
-  string encodeWithoutContent(ContentSet c, string arg) {
-    // used for type tracking, not currently used in C/C++.
-    result = "WithoutContent" + c and arg = ""
-  }
-
-  string encodeWithContent(ContentSet c, string arg) {
-    // used for type tracking, not currently used in C/C++.
-    result = "WithContent" + c and arg = ""
-  }
-
-  /**
-   * Decodes an argument / parameter position string, for example the `0` in `Argument[0]`.
-   * Supports ranges (`Argument[x..y]`), qualifiers (`Argument[-1]`), indirections
-   * (`Argument[*x]`) and combinations (such as `Argument[**0..1]`).
-   */
-  bindingset[argString]
-  private TPosition decodePosition(string argString) {
-    exists(int indirection, string posString, int pos |
-      argString = repeatStars(indirection) + posString and
-      pos = AccessPath::parseInt(posString) and
-      (
-        pos >= 0 and indirection = 0 and result = TDirectPosition(pos)
-        or
-        pos >= 0 and indirection > 0 and result = TIndirectionPosition(pos, indirection)
-        or
-        // `Argument[-1]` / `Parameter[-1]` is the qualifier object `*this`, not the `this` pointer itself.
-        pos = -1 and result = TIndirectionPosition(pos, indirection + 1)
-      )
-    )
-  }
-
-  bindingset[token]
-  ParameterPosition decodeUnknownParameterPosition(AccessPath::AccessPathTokenBase token) {
-    token.getName() = "Argument" and
-    result = decodePosition(token.getAnArgument())
-  }
-
-  bindingset[token]
-  ArgumentPosition decodeUnknownArgumentPosition(AccessPath::AccessPathTokenBase token) {
-    token.getName() = "Parameter" and
-    result = decodePosition(token.getAnArgument())
-  }
-
-  bindingset[token]
-  ContentSet decodeUnknownContent(AccessPath::AccessPathTokenBase token) {
-    // field content (no indirection support)
-    exists(FieldContent c |
-      result.isSingleton(c) and
-      token.getName() = c.getField().getName() and
-      not exists(token.getArgumentList()) and
-      c.getIndirectionIndex() = 1
-    )
-    or
-    // field content (with indirection support)
-    exists(FieldContent c |
-      result.isSingleton(c) and
-      token.getName() = c.getField().getName() and
-      // FieldContent indices have 0 for the address, 1 for content, so we need to subtract one.
-      token.getAnArgument() = repeatStars(c.getIndirectionIndex() - 1)
-    )
-  }
-}
-
-private import Make<Location, DataFlowImplSpecific::CppDataFlow, Input> as Impl
-
-private module StepsInput implements Impl::Private::StepsInputSig {
-  DataFlowCall getACall(Public::SummarizedCallable sc) {
-    result.getStaticCallTarget().getUnderlyingCallable() = sc
-  }
-}
-
-module SourceSinkInterpretationInput implements
-  Impl::Private::External::SourceSinkInterpretationInputSig
-{
-  class Element = Cpp::Element;
-
-  class SourceOrSinkElement = Element;
-
-  /**
-   * Holds if an external source specification exists for `e` with output specification
-   * `output`, kind `kind`, and provenance `provenance`.
-   */
-  predicate sourceElement(
-    SourceOrSinkElement e, string output, string kind, Public::Provenance provenance, string model
-  ) {
-    exists(
-      string namespace, string type, boolean subtypes, string name, string signature, string ext
-    |
-      sourceModel(namespace, type, subtypes, name, signature, ext, output, kind, provenance) and
-      e = interpretElement(namespace, type, subtypes, name, signature, ext) and
-      model = "" // TODO
-    )
-  }
-
-  /**
-   * Holds if an external sink specification exists for `e` with input specification
-   * `input`, kind `kind` and provenance `provenance`.
-   */
-  predicate sinkElement(
-    SourceOrSinkElement e, string input, string kind, Public::Provenance provenance, string model
-  ) {
-    exists(
-      string package, string type, boolean subtypes, string name, string signature, string ext
-    |
-      sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance) and
-      e = interpretElement(package, type, subtypes, name, signature, ext) and
-      model = "" // TODO
-    )
-  }
-
-  private newtype TInterpretNode =
-    TElement_(Element n) or
-    TNode_(Node n)
-
-  /** An entity used to interpret a source/sink specification. */
-  class InterpretNode extends TInterpretNode {
-    /** Gets the element that this node corresponds to, if any. */
-    SourceOrSinkElement asElement() { this = TElement_(result) }
-
-    /** Gets the data-flow node that this node corresponds to, if any. */
-    Node asNode() { this = TNode_(result) }
-
-    /** Gets the call that this node corresponds to, if any. */
-    DataFlowCall asCall() {
-      this.asElement() = result.asCallInstruction().getUnconvertedResultExpression()
-    }
-
-    /** Gets the callable that this node corresponds to, if any. */
-    DataFlowCallable asCallable() { result.getUnderlyingCallable() = this.asElement() }
-
-    /** Gets the target of this call, if any. */
-    Element getCallTarget() { result = this.asCall().getStaticCallTarget().getUnderlyingCallable() }
-
-    /** Gets a textual representation of this node. */
-    string toString() {
-      result = this.asElement().toString()
-      or
-      result = this.asNode().toString()
-      or
-      result = this.asCall().toString()
-    }
-
-    /** Gets the location of this node. */
-    Location getLocation() {
-      result = this.asElement().getLocation()
-      or
-      result = this.asNode().getLocation()
-      or
-      result = this.asCall().getLocation()
-    }
-  }
-
-  /** Provides additional sink specification logic. */
-  bindingset[c]
-  predicate interpretOutput(string c, InterpretNode mid, InterpretNode node) {
-    // Allow variables to be picked as output nodes.
-    exists(Node n, Element ast |
-      n = node.asNode() and
-      ast = mid.asElement()
-    |
-      c = "" and
-      n.asExpr().(VariableAccess).getTarget() = ast
-    )
-  }
-
-  /** Provides additional source specification logic. */
-  bindingset[c]
-  predicate interpretInput(string c, InterpretNode mid, InterpretNode node) {
-    exists(Node n, Element ast, VariableAccess e |
-      n = node.asNode() and
-      ast = mid.asElement() and
-      e.getTarget() = ast
-    |
-      // Allow variables to be picked as input nodes.
-      // We could simply do this as `e = n.asExpr()`, but that would not allow
-      // us to pick `x` as a sink in an example such as `x = source()` (but
-      // only subsequent uses of `x`) since the variable access on `x` doesn't
-      // actually load the value of `x`. So instead, we pick the instruction
-      // node corresponding to the generated `StoreInstruction` and use the
-      // expression associated with the destination instruction. This means
-      // that the `x` in `x = source()` can be marked as an input.
-      c = "" and
-      exists(StoreInstruction store |
-        store.getDestinationAddress().getUnconvertedResultExpression() = e and
-        n.asInstruction() = store
-      )
-    )
-  }
-}
-
-module Private {
-  import Impl::Private
-
-  module Steps = Impl::Private::Steps<StepsInput>;
-
-  module External {
-    import Impl::Private::External
-    import Impl::Private::External::SourceSinkInterpretation<SourceSinkInterpretationInput>
-  }
-
-  /**
-   * Provides predicates for constructing summary components.
-   */
-  module SummaryComponent {
-    private import Impl::Private::SummaryComponent as SC
-
-    predicate parameter = SC::parameter/1;
-
-    predicate argument = SC::argument/1;
-
-    predicate content = SC::content/1;
-
-    predicate withoutContent = SC::withoutContent/1;
-
-    predicate withContent = SC::withContent/1;
-  }
-
-  /**
-   * Provides predicates for constructing stacks of summary components.
-   */
-  module SummaryComponentStack {
-    private import Impl::Private::SummaryComponentStack as SCS
-
-    predicate singleton = SCS::singleton/1;
-
-    predicate push = SCS::push/2;
-
-    predicate argument = SCS::argument/1;
-  }
-}
-
-module Public = Impl::Public;

cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowVar.qll

@@ -1,6 +1,4 @@
 /**
- * DEPRECATED: Use `semmle.code.cpp.dataflow.new.DataFlow` instead.
- *
  * Provides a class for handling variables in the data flow analysis.
  */
 

cpp/ql/lib/semmle/code/cpp/dataflow/internal/SubBasicBlocks.qll

@@ -1,6 +1,6 @@
 // NOTE: There are two copies of this file, and they must be kept identical:
 // - semmle/code/cpp/controlflow/SubBasicBlocks.qll
-// - semmle/code/cpp/dataflow/internal/SubBasicBlocks.qll [now DEPRECATED]
+// - semmle/code/cpp/dataflow/internal/SubBasicBlocks.qll
 //
 // The second one is a private copy of the `SubBasicBlocks` library for
 // internal use by the data flow library. Having an extra copy prevents

cpp/ql/lib/semmle/code/cpp/dataflow/internal/TaintTrackingImplSpecific.qll

@@ -1,13 +1,10 @@
 /**
- * DEPRECATED: Use `semmle.code.cpp.dataflow.new.DataFlow` instead.
- *
  * Provides C++-specific definitions for use in the taint tracking library.
  */
 
-private import semmle.code.cpp.Location
 private import codeql.dataflow.TaintTracking
 private import DataFlowImplSpecific
 
-module CppOldTaintTracking implements InputSig<Location, CppOldDataFlow> {
+module CppOldTaintTracking implements InputSig<CppOldDataFlow> {
   import TaintTrackingUtil
 }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll

@@ -1,6 +1,4 @@
 /**
- * DEPRECATED: Use `semmle.code.cpp.dataflow.new.DataFlow` instead.
- *
  * Provides classes for performing local (intra-procedural) and
  * global (inter-procedural) taint-tracking analyses.
  *
@@ -32,8 +30,8 @@ predicate localTaintStep(DataFlow::Node src, DataFlow::Node sink) {
  * Holds if the additional step from `src` to `sink` should be included in all
  * global taint flow configurations.
  */
-predicate defaultAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink, string model) {
-  localAdditionalTaintStep(src, sink) and model = ""
+predicate defaultAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
+  localAdditionalTaintStep(src, sink)
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll

@@ -127,7 +127,7 @@ abstract deprecated class Configuration extends DataFlow::Configuration {
 
   final override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     this.isAdditionalTaintStep(node1, node2) or
-    defaultAdditionalTaintStep(node1, node2, _)
+    defaultAdditionalTaintStep(node1, node2)
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingParameter.qll

@@ -1,7 +1,3 @@
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- */
-
 import semmle.code.cpp.dataflow.internal.TaintTrackingUtil as Public
 
 module Private {

cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll

@@ -127,7 +127,7 @@ abstract deprecated class Configuration extends DataFlow::Configuration {
 
   final override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     this.isAdditionalTaintStep(node1, node2) or
-    defaultAdditionalTaintStep(node1, node2, _)
+    defaultAdditionalTaintStep(node1, node2)
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingParameter.qll

@@ -1,7 +1,3 @@
-/**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
- */
-
 import semmle.code.cpp.dataflow.internal.TaintTrackingUtil as Public
 
 module Private {

cpp/ql/lib/semmle/code/cpp/dataflow/new/DataFlow.qll

@@ -28,6 +28,6 @@ import cpp
 module DataFlow {
   private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplSpecific
   private import codeql.dataflow.DataFlow
-  import DataFlowMake<Location, CppDataFlow>
+  import DataFlowMake<CppDataFlow>
   import semmle.code.cpp.ir.dataflow.internal.DataFlowImpl1
 }

cpp/ql/lib/semmle/code/cpp/dataflow/new/TaintTracking.qll

@@ -27,7 +27,6 @@ module TaintTracking {
   private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplSpecific
   private import semmle.code.cpp.ir.dataflow.internal.TaintTrackingImplSpecific
   private import codeql.dataflow.TaintTracking
-  private import semmle.code.cpp.Location
-  import TaintFlowMake<Location, CppDataFlow, CppTaintTracking>
+  import TaintFlowMake<CppDataFlow, CppTaintTracking>
   import semmle.code.cpp.ir.dataflow.internal.tainttracking1.TaintTrackingImpl
 }

cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll

@@ -63,12 +63,6 @@ class Expr extends StmtParent, @expr {
    * order of destruction.
    */
   DestructorCall getImplicitDestructorCall(int n) {
-    exists(Expr e |
-      e = this.(TemporaryObjectExpr).getExpr() and
-      synthetic_destructor_call(e, max(int i | synthetic_destructor_call(e, i, _)) - n, result)
-    )
-    or
-    not this = any(TemporaryObjectExpr temp).getExpr() and
     synthetic_destructor_call(this, max(int i | synthetic_destructor_call(this, i, _)) - n, result)
   }
 
@@ -1021,33 +1015,8 @@ class DeleteOrDeleteArrayExpr extends Expr, TDeleteOrDeleteArrayExpr {
   Expr getExpr() {
     // If there is a destructor call, the object being deleted is the qualifier
     // otherwise it is the third child.
-    exists(Expr exprWithReuse | exprWithReuse = this.getExprWithReuse() |
-      if not exprWithReuse instanceof ReuseExpr
-      then result = exprWithReuse
-      else result = this.getDestructorCall().getQualifier()
-    )
+    result = this.getChild(3) or result = this.getDestructorCall().getQualifier()
   }
-
-  /**
-   * Gets the object or array being deleted, and gets a `ReuseExpr` when there
-   * is a destructor call and the object is also the qualifier of the call.
-   *
-   * For example, given:
-   * ```
-   * struct HasDestructor { ~HasDestructor(); };
-   * struct PlainOldData { int x, char y; };
-   *
-   * void f(HasDestructor* hasDestructor, PlainOldData* pod) {
-   *   delete hasDestructor;
-   *   delete pod;
-   * }
-   * ```
-   * This predicate yields a `ReuseExpr` for `delete hasDestructor`, as the
-   * the deleted expression has a destructor, and that expression is also
-   * the qualifier of the destructor call. In the case of `delete pod` the
-   * predicate does not yield a `ReuseExpr`, as there is no destructor call.
-   */
-  Expr getExprWithReuse() { result = this.getChild(3) }
 }
 
 /**
@@ -1338,24 +1307,6 @@ class CoAwaitExpr extends UnaryOperation, @co_await {
   override string getOperator() { result = "co_await" }
 
   override int getPrecedence() { result = 16 }
-
-  /**
-   * Gets the Boolean expression that is used to decide if the enclosing
-   * coroutine should be suspended.
-   */
-  Expr getAwaitReady() { result = this.getChild(1) }
-
-  /**
-   * Gets the expression that represents the resume point if the enclosing
-   * coroutine was suspended.
-   */
-  Expr getAwaitResume() { result = this.getChild(2) }
-
-  /**
-   * Gets the expression that is evaluated when the enclosing coroutine is
-   * suspended.
-   */
-  Expr getAwaitSuspend() { result = this.getChild(3) }
 }
 
 /**
@@ -1370,50 +1321,4 @@ class CoYieldExpr extends UnaryOperation, @co_yield {
   override string getOperator() { result = "co_yield" }
 
   override int getPrecedence() { result = 2 }
-
-  /**
-   * Gets the Boolean expression that is used to decide if the enclosing
-   * coroutine should be suspended.
-   */
-  Expr getAwaitReady() { result = this.getChild(1) }
-
-  /**
-   * Gets the expression that represents the resume point if the enclosing
-   * coroutine was suspended.
-   */
-  Expr getAwaitResume() { result = this.getChild(2) }
-
-  /**
-   * Gets the expression that is evaluated when the enclosing coroutine is
-   * suspended.
-   */
-  Expr getAwaitSuspend() { result = this.getChild(3) }
-}
-
-/**
- * An expression representing the re-use of another expression.
- *
- * In some specific cases an expression may be referred to outside its
- * original context. A re-use expression wraps any such reference. A
- * re-use expression can for example occur as the qualifier of an implicit
- * destructor called on a temporary object, where the original use of the
- * expression is in the definition of the temporary.
- */
-class ReuseExpr extends Expr, @reuseexpr {
-  override string getAPrimaryQlClass() { result = "ReuseExpr" }
-
-  override string toString() { result = "reuse of " + this.getReusedExpr().toString() }
-
-  /**
-   * Gets the expression that is being re-used.
-   */
-  Expr getReusedExpr() { expr_reuse(underlyingElement(this), unresolveElement(result), _) }
-
-  override Type getType() { result = this.getReusedExpr().getType() }
-
-  override predicate isLValueCategory() { expr_reuse(underlyingElement(this), _, 3) }
-
-  override predicate isXValueCategory() { expr_reuse(underlyingElement(this), _, 2) }
-
-  override predicate isPRValueCategory() { expr_reuse(underlyingElement(this), _, 1) }
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/DataFlow.qll

@@ -24,6 +24,6 @@ import cpp
 module DataFlow {
   private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplSpecific
   private import codeql.dataflow.DataFlow
-  import DataFlowMake<Location, CppDataFlow>
+  import DataFlowMake<CppDataFlow>
   import semmle.code.cpp.ir.dataflow.internal.DataFlowImpl1
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/FlowSteps.qll

@@ -1,20 +0,0 @@
-/**
- * This file provides an abstract class that can be used to model additional
- * object-to-field taint-flow.
- */
-
-private import codeql.util.Unit
-private import semmle.code.cpp.dataflow.new.DataFlow
-
-/**
- * A `Content` that should be implicitly regarded as tainted whenever an object with such `Content`
- * is itself tainted.
- *
- * For example, if we had a type `struct Container { int field; }`, then by default a tainted
- * `Container` and a `Container` with a tainted `int` stored in its `field` are distinct.
- *
- * If `any(DataFlow::FieldContent fc | fc.getField().hasQualifiedName("Container", "field"))` was
- * included in this type however, then a tainted `Container` would imply that its `field` is also
- * tainted (but not vice versa).
- */
-abstract class TaintInheritingContent extends DataFlow::Content { }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/ResolveCall.qll

@@ -7,7 +7,6 @@ import cpp
 private import semmle.code.cpp.ir.ValueNumbering
 private import internal.DataFlowDispatch
 private import semmle.code.cpp.ir.IR
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
 
 /**
  * Resolve potential target function(s) for `call`.
@@ -17,9 +16,8 @@ private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
  * to identify the possible target(s).
  */
 Function resolveCall(Call call) {
-  exists(DataFlowCall dataFlowCall, CallInstruction callInstruction |
+  exists(CallInstruction callInstruction |
     callInstruction.getAst() = call and
-    callInstruction = dataFlowCall.asCallInstruction() and
-    result = viableCallable(dataFlowCall).getUnderlyingCallable()
+    result = viableCallable(callInstruction)
   )
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/TaintTracking.qll

@@ -23,6 +23,6 @@ module TaintTracking {
   private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplSpecific
   private import semmle.code.cpp.ir.dataflow.internal.TaintTrackingImplSpecific
   private import codeql.dataflow.TaintTracking
-  import TaintFlowMake<Location, CppDataFlow, CppTaintTracking>
+  import TaintFlowMake<CppDataFlow, CppTaintTracking>
   import semmle.code.cpp.ir.dataflow.internal.tainttracking1.TaintTrackingImpl
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll

@@ -23,13 +23,13 @@ DataFlowCallable defaultViableCallable(DataFlowCall call) {
   // function with the right signature is present in the database, we return
   // that as a potential callee.
   exists(string qualifiedName, int nparams |
-    callSignatureWithoutBody(qualifiedName, nparams, call.asCallInstruction()) and
-    functionSignatureWithBody(qualifiedName, nparams, result.getUnderlyingCallable()) and
+    callSignatureWithoutBody(qualifiedName, nparams, call) and
+    functionSignatureWithBody(qualifiedName, nparams, result) and
     strictcount(Function other | functionSignatureWithBody(qualifiedName, nparams, other)) = 1
   )
   or
   // Virtual dispatch
-  result.asSourceCallable() = call.(VirtualDispatch::DataSensitiveCall).resolve()
+  result = call.(VirtualDispatch::DataSensitiveCall).resolve()
 }
 
 /**
@@ -40,9 +40,7 @@ DataFlowCallable viableCallable(DataFlowCall call) {
   result = defaultViableCallable(call)
   or
   // Additional call targets
-  result.getUnderlyingCallable() =
-    any(AdditionalCallTarget additional)
-        .viableTarget(call.asCallInstruction().getUnconvertedResultExpression())
+  result = any(AdditionalCallTarget additional).viableTarget(call.getUnconvertedResultExpression())
 }
 
 /**
@@ -152,7 +150,7 @@ private module VirtualDispatch {
     ReturnNode node, ReturnKind kind, DataFlowCallable callable
   ) {
     node.getKind() = kind and
-    node.getEnclosingCallable() = callable.getUnderlyingCallable()
+    node.getEnclosingCallable() = callable
   }
 
   /** Call through a function pointer. */
@@ -178,15 +176,10 @@ private module VirtualDispatch {
   /** Call to a virtual function. */
   private class DataSensitiveOverriddenFunctionCall extends DataSensitiveCall {
     DataSensitiveOverriddenFunctionCall() {
-      exists(
-        this.getStaticCallTarget()
-            .getUnderlyingCallable()
-            .(VirtualFunction)
-            .getAnOverridingFunction()
-      )
+      exists(this.getStaticCallTarget().(VirtualFunction).getAnOverridingFunction())
     }
 
-    override DataFlow::Node getDispatchValue() { result.asInstruction() = this.getArgument(-1) }
+    override DataFlow::Node getDispatchValue() { result.asInstruction() = this.getThisArgument() }
 
     override MemberFunction resolve() {
       exists(Class overridingClass |
@@ -201,8 +194,7 @@ private module VirtualDispatch {
      */
     pragma[noinline]
     private predicate overrideMayAffectCall(Class overridingClass, MemberFunction overridingFunction) {
-      overridingFunction.getAnOverriddenFunction+() =
-        this.getStaticCallTarget().getUnderlyingCallable().(VirtualFunction) and
+      overridingFunction.getAnOverriddenFunction+() = this.getStaticCallTarget().(VirtualFunction) and
       overridingFunction.getDeclaringType() = overridingClass
     }
 
@@ -264,12 +256,12 @@ predicate mayBenefitFromCallContext(DataFlowCall call) { mayBenefitFromCallConte
  * value is given as the `arg`'th argument to `f`.
  */
 private predicate mayBenefitFromCallContext(
-  VirtualDispatch::DataSensitiveCall call, DataFlowCallable f, int arg
+  VirtualDispatch::DataSensitiveCall call, Function f, int arg
 ) {
   f = pragma[only_bind_out](call).getEnclosingCallable() and
   exists(InitializeParameterInstruction init |
     not exists(call.getStaticCallTarget()) and
-    init.getEnclosingFunction() = f.getUnderlyingCallable() and
+    init.getEnclosingFunction() = f and
     call.flowsFrom(DataFlow::instructionNode(init), _) and
     init.getParameter().getIndex() = arg
   )
@@ -281,11 +273,10 @@ private predicate mayBenefitFromCallContext(
  */
 DataFlowCallable viableImplInCallContext(DataFlowCall call, DataFlowCall ctx) {
   result = viableCallable(call) and
-  exists(int i, DataFlowCallable f |
+  exists(int i, Function f |
     mayBenefitFromCallContext(pragma[only_bind_into](call), f, i) and
     f = ctx.getStaticCallTarget() and
-    result.asSourceCallable() =
-      ctx.getArgument(i).getUnconvertedResultExpression().(FunctionAccess).getTarget()
+    result = ctx.getArgument(i).getUnconvertedResultExpression().(FunctionAccess).getTarget()
   )
 }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll

@@ -1,4 +1,3 @@
-private import semmle.code.cpp.Location
 private import DataFlowImplSpecific
 private import codeql.dataflow.internal.DataFlowImpl
-import MakeImpl<Location, CppDataFlow>
+import MakeImpl<CppDataFlow>

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll

@@ -263,10 +263,9 @@ deprecated private module Config implements FullStateConfigSig {
 
   predicate isBarrierOut(Node node, FlowState state) { none() }
 
-  predicate isAdditionalFlowStep(Node node1, Node node2, string model) {
+  predicate isAdditionalFlowStep(Node node1, Node node2) {
     singleConfiguration() and
-    any(Configuration config).isAdditionalFlowStep(node1, node2) and
-    model = ""
+    any(Configuration config).isAdditionalFlowStep(node1, node2)
   }
 
   predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
@@ -286,8 +285,6 @@ deprecated private module Config implements FullStateConfigSig {
 
   int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
 
-  int accessPathLimit() { result = 5 }
-
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate sourceGrouping(Node source, string sourceGroup) {

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -263,10 +263,9 @@ deprecated private module Config implements FullStateConfigSig {
 
   predicate isBarrierOut(Node node, FlowState state) { none() }
 
-  predicate isAdditionalFlowStep(Node node1, Node node2, string model) {
+  predicate isAdditionalFlowStep(Node node1, Node node2) {
     singleConfiguration() and
-    any(Configuration config).isAdditionalFlowStep(node1, node2) and
-    model = ""
+    any(Configuration config).isAdditionalFlowStep(node1, node2)
   }
 
   predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
@@ -286,8 +285,6 @@ deprecated private module Config implements FullStateConfigSig {
 
   int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
 
-  int accessPathLimit() { result = 5 }
-
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate sourceGrouping(Node source, string sourceGroup) {

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -263,10 +263,9 @@ deprecated private module Config implements FullStateConfigSig {
 
   predicate isBarrierOut(Node node, FlowState state) { none() }
 
-  predicate isAdditionalFlowStep(Node node1, Node node2, string model) {
+  predicate isAdditionalFlowStep(Node node1, Node node2) {
     singleConfiguration() and
-    any(Configuration config).isAdditionalFlowStep(node1, node2) and
-    model = ""
+    any(Configuration config).isAdditionalFlowStep(node1, node2)
   }
 
   predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
@@ -286,8 +285,6 @@ deprecated private module Config implements FullStateConfigSig {
 
   int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
 
-  int accessPathLimit() { result = 5 }
-
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate sourceGrouping(Node source, string sourceGroup) {