Python: Remove some FPs for ContainsNonContainer.ql

First fix handles the case where there's interference from a class-based
decorator on a function. In this case, _technically_ we have an instance
of the decorator class, but in practice this decorator will (hopefully)
forward all accesses to the thing it wraps.

The second fix has to do with methods that are added dynamically using
`setattr`. In this case, we cannot be sure that the relevant methods are
actually missing.

.github/dependabot.yml

@@ -45,5 +45,3 @@ updates:
     directory: "/"
     schedule:
       interval: weekly
-    exclude-paths:
-      - "misc/bazel/registry/**"

config/add-overlay-annotations.py

@@ -199,7 +199,6 @@ def annotate_as_appropriate(filename, lines):
     # as overlay[local?].  It is not clear that these heuristics are exactly what we want,
     # but they seem to work well enough for now (as determined by speed and accuracy numbers).
     if (filename.endswith("Test.qll") or
-        re.search(r"go/ql/lib/semmle/go/security/[^/]+[.]qll$", filename.replace(os.sep, "/")) or
         ((filename.endswith("Query.qll") or filename.endswith("Config.qll")) and
          any("implements DataFlow::ConfigSig" in line for line in lines))):
         return None

config/identical-files.json

@@ -172,6 +172,10 @@
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintDominance.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintDominance.qll"
   ],
+  "C# ControlFlowReachability": [
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/ControlFlowReachability.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ControlFlowReachability.qll"
+  ],
   "C++ ExternalAPIs": [
     "cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll",
     "cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll"

cpp/ql/lib/semmle/code/cpp/Function.qll

@@ -524,12 +524,6 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
       not exists(NewOrNewArrayExpr new | e = new.getAllocatorCall().getArgument(0))
     )
   }
-
-  /**
-   * Holds if this function has an ambiguous return type, meaning that zero or multiple return
-   * types for this function are present in the database (this can occur in `build-mode: none`).
-   */
-  predicate hasAmbiguousReturnType() { count(this.getType()) != 1 }
 }
 
 pragma[noinline]

cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql

@@ -218,9 +218,7 @@ where
   // only report if we cannot prove that the result of the
   // multiplication will be less (resp. greater) than the
   // maximum (resp. minimum) number we can compute.
-  overflows(me, t1) and
-  // exclude cases where the expression type may not have been extracted accurately
-  not me.getParent().(Call).getTarget().hasAmbiguousReturnType()
+  overflows(me, t1)
 select me,
   "Multiplication result may overflow '" + me.getType().toString() + "' before it is converted to '"
     + me.getFullyConverted().getType().toString() + "'."

cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql

@@ -4,7 +4,7 @@
  *              allows for a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 7.8
+ * @security-severity 6.1
  * @precision high
  * @id cpp/cgi-xss
  * @tags security

cpp/ql/src/change-notes/2026-03-11-integer-multiplication-cast-to-long.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in `build-mode: none` databases.

cpp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md

@@ -1,4 +0,0 @@
----
-category: queryMetadata
----
-* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).

cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/Buildless.c

@@ -1,28 +0,0 @@
-// semmle-extractor-options: --expect_errors
-
-void test_float_double1(float f, double d) {
-    float r1 = f * f; // GOOD
-    float r2 = f * d; // GOOD
-    double r3 = f * f; // BAD
-    double r4 = f * d; // GOOD
-
-    float f1 = fabsf(f * f); // GOOD
-    float f2 = fabsf(f * d); // GOOD
-    double f3 = fabs(f * f); // BAD [NOT DETECTED]
-    double f4 = fabs(f * d); // GOOD
-}
-
-double fabs(double f);
-float fabsf(float f);
-
-void test_float_double2(float f, double d) {
-    float r1 = f * f; // GOOD
-    float r2 = f * d; // GOOD
-    double r3 = f * f; // BAD
-    double r4 = f * d; // GOOD
-
-    float f1 = fabsf(f * f); // GOOD
-    float f2 = fabsf(f * d); // GOOD
-    double f3 = fabs(f * f); // BAD [NOT DETECTED]
-    double f4 = fabs(f * d); // GOOD
-}

cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.expected

@@ -1,5 +1,3 @@
-| Buildless.c:6:17:6:21 | ... * ... | Multiplication result may overflow 'float' before it is converted to 'double'. |
-| Buildless.c:21:17:21:21 | ... * ... | Multiplication result may overflow 'float' before it is converted to 'double'. |
 | IntMultToLong.c:4:10:4:14 | ... * ... | Multiplication result may overflow 'int' before it is converted to 'long long'. |
 | IntMultToLong.c:7:16:7:20 | ... * ... | Multiplication result may overflow 'int' before it is converted to 'long long'. |
 | IntMultToLong.c:18:19:18:23 | ... * ... | Multiplication result may overflow 'float' before it is converted to 'double'. |

csharp/ql/consistency-queries/CfgConsistency.ql

@@ -1,5 +1,63 @@
 import csharp
 import semmle.code.csharp.controlflow.internal.Completion
+import semmle.code.csharp.controlflow.internal.PreBasicBlocks
 import ControlFlow
 import semmle.code.csharp.controlflow.internal.ControlFlowGraphImpl::Consistency
 import semmle.code.csharp.controlflow.internal.Splitting
+
+private predicate splitBB(ControlFlow::BasicBlock bb) {
+  exists(ControlFlow::Node first |
+    first = bb.getFirstNode() and
+    first.isJoin() and
+    strictcount(first.getAPredecessor().getAstNode()) = 1
+  )
+}
+
+private class RelevantBasicBlock extends ControlFlow::BasicBlock {
+  RelevantBasicBlock() { not splitBB(this) }
+}
+
+predicate bbStartInconsistency(ControlFlowElement cfe) {
+  exists(RelevantBasicBlock bb | bb.getFirstNode() = cfe.getAControlFlowNode()) and
+  not cfe = any(PreBasicBlock bb).getFirstElement()
+}
+
+predicate bbSuccInconsistency(ControlFlowElement pred, ControlFlowElement succ) {
+  exists(RelevantBasicBlock predBB, RelevantBasicBlock succBB |
+    predBB.getLastNode() = pred.getAControlFlowNode() and
+    succBB = predBB.getASuccessor() and
+    succBB.getFirstNode() = succ.getAControlFlowNode()
+  ) and
+  not exists(PreBasicBlock predBB, PreBasicBlock succBB |
+    predBB.getLastNode() = pred and
+    succBB = predBB.getASuccessor() and
+    succBB.getFirstElement() = succ
+  )
+}
+
+predicate bbIntraSuccInconsistency(ControlFlowElement pred, ControlFlowElement succ) {
+  exists(ControlFlow::BasicBlock bb, int i |
+    pred.getAControlFlowNode() = bb.getNode(i) and
+    succ.getAControlFlowNode() = bb.getNode(i + 1)
+  ) and
+  not exists(PreBasicBlock bb |
+    bb.getLastNode() = pred and
+    bb.getASuccessor().getFirstElement() = succ
+  ) and
+  not exists(PreBasicBlock bb, int i |
+    bb.getNode(i) = pred and
+    bb.getNode(i + 1) = succ
+  )
+}
+
+query predicate preBasicBlockConsistency(ControlFlowElement cfe1, ControlFlowElement cfe2, string s) {
+  bbStartInconsistency(cfe1) and
+  cfe2 = cfe1 and
+  s = "start inconsistency"
+  or
+  bbSuccInconsistency(cfe1, cfe2) and
+  s = "succ inconsistency"
+  or
+  bbIntraSuccInconsistency(cfe1, cfe2) and
+  s = "intra succ inconsistency"
+}

csharp/ql/consistency-queries/DataFlowConsistency.ql

@@ -35,7 +35,9 @@ private module Input implements InputSig<Location, CsharpDataFlow> {
     or
     n.asExpr().(ObjectCreation).hasInitializer()
     or
-    n.(PostUpdateNode).getPreUpdateNode().asExpr() = LocalFlow::getPostUpdateReverseStep(_)
+    exists(
+      n.(PostUpdateNode).getPreUpdateNode().asExprAtNode(LocalFlow::getPostUpdateReverseStep(_))
+    )
   }
 
   predicate argHasPostUpdateExclude(ArgumentNode n) {

csharp/ql/lib/semmle/code/csharp/Callable.qll

@@ -336,22 +336,6 @@ class ExtensionTypeExtensionMethod extends ExtensionMethodImpl {
   ExtensionTypeExtensionMethod() { this.isInExtension() }
 }
 
-/**
- * A non-static member with an initializer, for example a field `int Field = 0`.
- */
-private class InitializedInstanceMember extends Member {
-  private AssignExpr ae;
-
-  InitializedInstanceMember() {
-    not this.isStatic() and
-    expr_parent_top_level(ae, _, this) and
-    not ae = getExpressionBody(_)
-  }
-
-  /** Gets the initializer expression. */
-  AssignExpr getInitializer() { result = ae }
-}
-
 /**
  * An object initializer method.
  *
@@ -363,17 +347,6 @@ private class InitializedInstanceMember extends Member {
  */
 class ObjectInitMethod extends Method {
   ObjectInitMethod() { this.getName() = "<object initializer>" }
-
-  /**
-   * Holds if this object initializer method performs the initialization
-   * of a member via assignment `init`.
-   */
-  predicate initializes(AssignExpr init) {
-    exists(InitializedInstanceMember m |
-      this.getDeclaringType().getAMember() = m and
-      init = m.getInitializer()
-    )
-  }
 }
 
 /**

csharp/ql/lib/semmle/code/csharp/ExprOrStmtParent.qll

@@ -214,8 +214,6 @@ private module Cached {
     parent*(enclosingStart(cfe), c.(Constructor).getInitializer())
     or
     parent*(cfe, c.(Constructor).getObjectInitializerCall())
-    or
-    parent*(cfe, any(AssignExpr init | c.(ObjectInitMethod).initializes(init)))
   }
 
   /** Holds if the enclosing statement of expression `e` is `s`. */

csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImpl.qll

@@ -10,15 +10,42 @@ private import semmle.code.csharp.ExprOrStmtParent
 private import semmle.code.csharp.commons.Compilation
 
 private module Initializers {
+  /**
+   * A non-static member with an initializer, for example a field `int Field = 0`.
+   */
+  class InitializedInstanceMember extends Member {
+    private AssignExpr ae;
+
+    InitializedInstanceMember() {
+      not this.isStatic() and
+      expr_parent_top_level(ae, _, this) and
+      not ae = any(Callable c).getExpressionBody()
+    }
+
+    /** Gets the initializer expression. */
+    AssignExpr getInitializer() { result = ae }
+  }
+
+  /**
+   * Holds if `obinit` is an object initializer method that performs the initialization
+   * of a member via assignment `init`.
+   */
+  predicate obinitInitializes(ObjectInitMethod obinit, AssignExpr init) {
+    exists(InitializedInstanceMember m |
+      obinit.getDeclaringType().getAMember() = m and
+      init = m.getInitializer()
+    )
+  }
+
   /**
    * Gets the `i`th member initializer expression for object initializer method `obinit`
    * in compilation `comp`.
    */
   AssignExpr initializedInstanceMemberOrder(ObjectInitMethod obinit, CompilationExt comp, int i) {
-    obinit.initializes(result) and
+    obinitInitializes(obinit, result) and
     result =
       rank[i + 1](AssignExpr ae0, Location l |
-        obinit.initializes(ae0) and
+        obinitInitializes(obinit, ae0) and
         l = ae0.getLocation() and
         getCompilation(l.getFile()) = comp
       |
@@ -47,7 +74,7 @@ class CfgScope extends Element, @top_level_exprorstmt_parent {
         any(Callable c |
           c.(Constructor).hasInitializer()
           or
-          c.(ObjectInitMethod).initializes(_)
+          Initializers::obinitInitializes(c, _)
           or
           c.hasBody()
         )

csharp/ql/lib/semmle/code/csharp/controlflow/internal/PreBasicBlocks.qll

@@ -0,0 +1,175 @@
+/**
+ * INTERNAL: Do not use.
+ *
+ * Provides a basic block implementation on control flow elements. That is,
+ * a "pre-CFG" where the nodes are (unsplit) control flow elements and the
+ * successor relation is `succ = succ(pred, _)`.
+ *
+ * The logic is duplicated from the implementation in `BasicBlocks.qll`, and
+ * being an internal class, all predicate documentation has been removed.
+ */
+
+import csharp
+private import Completion
+private import ControlFlowGraphImpl
+private import semmle.code.csharp.controlflow.ControlFlowGraph::ControlFlow as Cfg
+private import codeql.controlflow.BasicBlock as BB
+
+private predicate startsBB(ControlFlowElement cfe) {
+  not succ(_, cfe, _) and
+  (
+    succ(cfe, _, _)
+    or
+    scopeLast(_, cfe, _)
+  )
+  or
+  strictcount(ControlFlowElement pred, Completion c | succ(pred, cfe, c)) > 1
+  or
+  succ(_, cfe, any(ConditionalCompletion c))
+  or
+  exists(ControlFlowElement pred, int i |
+    succ(pred, cfe, _) and
+    i = count(ControlFlowElement succ, Completion c | succ(pred, succ, c))
+  |
+    i > 1
+    or
+    i = 1 and
+    scopeLast(_, pred, _)
+  )
+}
+
+private predicate intraBBSucc(ControlFlowElement pred, ControlFlowElement succ) {
+  succ(pred, succ, _) and
+  not startsBB(succ)
+}
+
+private predicate bbIndex(ControlFlowElement bbStart, ControlFlowElement cfe, int i) =
+  shortestDistances(startsBB/1, intraBBSucc/2)(bbStart, cfe, i)
+
+private predicate succBB(PreBasicBlock pred, PreBasicBlock succ) { succ = pred.getASuccessor() }
+
+private predicate entryBB(PreBasicBlock bb) { scopeFirst(_, bb) }
+
+private predicate bbIDominates(PreBasicBlock dom, PreBasicBlock bb) =
+  idominance(entryBB/1, succBB/2)(_, dom, bb)
+
+class PreBasicBlock extends ControlFlowElement {
+  PreBasicBlock() { startsBB(this) }
+
+  PreBasicBlock getASuccessor(Cfg::SuccessorType t) {
+    succ(this.getLastNode(), result, any(Completion c | t = c.getAMatchingSuccessorType()))
+  }
+
+  deprecated PreBasicBlock getASuccessorByType(Cfg::SuccessorType t) {
+    result = this.getASuccessor(t)
+  }
+
+  PreBasicBlock getASuccessor() { result = this.getASuccessor(_) }
+
+  PreBasicBlock getAPredecessor() { result.getASuccessor() = this }
+
+  ControlFlowElement getNode(int pos) { bbIndex(this, result, pos) }
+
+  deprecated ControlFlowElement getElement(int pos) { result = this.getNode(pos) }
+
+  ControlFlowElement getAnElement() { result = this.getNode(_) }
+
+  ControlFlowElement getFirstElement() { result = this }
+
+  ControlFlowElement getLastNode() { result = this.getNode(this.length() - 1) }
+
+  deprecated ControlFlowElement getLastElement() { result = this.getLastNode() }
+
+  int length() { result = strictcount(this.getAnElement()) }
+
+  PreBasicBlock getImmediateDominator() { bbIDominates(result, this) }
+
+  predicate immediatelyDominates(PreBasicBlock bb) { bbIDominates(this, bb) }
+
+  pragma[inline]
+  predicate strictlyDominates(PreBasicBlock bb) { this.immediatelyDominates+(bb) }
+
+  pragma[inline]
+  predicate dominates(PreBasicBlock bb) {
+    bb = this
+    or
+    this.strictlyDominates(bb)
+  }
+
+  predicate inDominanceFrontier(PreBasicBlock df) {
+    this = df.getAPredecessor() and not bbIDominates(this, df)
+    or
+    exists(PreBasicBlock prev | prev.inDominanceFrontier(df) |
+      bbIDominates(this, prev) and
+      not bbIDominates(this, df)
+    )
+  }
+
+  /** Unsupported. Do not use. */
+  predicate strictlyPostDominates(PreBasicBlock bb) { none() }
+
+  /** Unsupported. Do not use. */
+  predicate postDominates(PreBasicBlock bb) {
+    this.strictlyPostDominates(bb) or
+    this = bb
+  }
+}
+
+private Completion getConditionalCompletion(ConditionalCompletion cc) {
+  result.getInnerCompletion() = cc
+}
+
+pragma[nomagic]
+private predicate conditionBlockImmediatelyControls(
+  ConditionBlock cond, PreBasicBlock succ, ConditionalCompletion cc
+) {
+  exists(ControlFlowElement last, Completion c |
+    last = cond.getLastNode() and
+    c = getConditionalCompletion(cc) and
+    succ(last, succ, c) and
+    // In the pre-CFG, we need to account for case where one predecessor node has
+    // two edges to the same successor node. Assertion expressions are examples of
+    // such nodes.
+    not exists(Completion other |
+      succ(last, succ, other) and
+      other != c
+    ) and
+    forall(PreBasicBlock pred | pred = succ.getAPredecessor() and pred != cond |
+      succ.dominates(pred)
+    )
+  )
+}
+
+class ConditionBlock extends PreBasicBlock {
+  ConditionBlock() {
+    exists(Completion c | c = getConditionalCompletion(_) |
+      succ(this.getLastNode(), _, c)
+      or
+      scopeLast(_, this.getLastNode(), c)
+    )
+  }
+
+  pragma[nomagic]
+  predicate controls(PreBasicBlock controlled, Cfg::ConditionalSuccessor s) {
+    exists(PreBasicBlock succ, ConditionalCompletion c |
+      conditionBlockImmediatelyControls(this, succ, c)
+    |
+      succ.dominates(controlled) and
+      s = c.getAMatchingSuccessorType()
+    )
+  }
+}
+
+module PreCfg implements BB::CfgSig<Location> {
+  class ControlFlowNode = ControlFlowElement;
+
+  class BasicBlock = PreBasicBlock;
+
+  class EntryBasicBlock extends BasicBlock {
+    EntryBasicBlock() { entryBB(this) }
+  }
+
+  predicate dominatingEdge(BasicBlock bb1, BasicBlock bb2) {
+    conditionBlockImmediatelyControls(bb1, bb2, _)
+  }
+}

csharp/ql/lib/semmle/code/csharp/dataflow/internal/ControlFlowReachability.qll

@@ -0,0 +1,246 @@
+import csharp
+
+private class ControlFlowScope extends ControlFlowElement {
+  private boolean exactScope;
+
+  ControlFlowScope() {
+    exists(ControlFlowReachabilityConfiguration c |
+      c.candidate(_, _, this, exactScope, _) or
+      c.candidateDef(_, _, this, exactScope, _)
+    )
+  }
+
+  predicate isExact() { exactScope = true }
+
+  predicate isNonExact() { exactScope = false }
+}
+
+private newtype TControlFlowElementOrBasicBlock =
+  TControlFlowElement(ControlFlowElement cfe) or
+  TBasicBlock(ControlFlow::BasicBlock bb)
+
+class ControlFlowElementOrBasicBlock extends TControlFlowElementOrBasicBlock {
+  ControlFlowElement asControlFlowElement() { this = TControlFlowElement(result) }
+
+  ControlFlow::BasicBlock asBasicBlock() { this = TBasicBlock(result) }
+
+  string toString() {
+    result = this.asControlFlowElement().toString()
+    or
+    result = this.asBasicBlock().toString()
+  }
+
+  Location getLocation() {
+    result = this.asControlFlowElement().getLocation()
+    or
+    result = this.asBasicBlock().getLocation()
+  }
+}
+
+private predicate isBasicBlock(ControlFlowElementOrBasicBlock c) { c instanceof TBasicBlock }
+
+private predicate isNonExactScope(ControlFlowElementOrBasicBlock c) {
+  c.asControlFlowElement().(ControlFlowScope).isNonExact()
+}
+
+private predicate step(ControlFlowElementOrBasicBlock pred, ControlFlowElementOrBasicBlock succ) {
+  pred.asBasicBlock().getANode().getAstNode() = succ.asControlFlowElement()
+  or
+  pred.asControlFlowElement() = succ.asControlFlowElement().getAChild()
+}
+
+private predicate basicBlockInNonExactScope(
+  ControlFlowElementOrBasicBlock bb, ControlFlowElementOrBasicBlock scope
+) = doublyBoundedFastTC(step/2, isBasicBlock/1, isNonExactScope/1)(bb, scope)
+
+pragma[noinline]
+private ControlFlow::BasicBlock getABasicBlockInScope(ControlFlowScope scope, boolean exactScope) {
+  basicBlockInNonExactScope(TBasicBlock(result), TControlFlowElement(scope)) and
+  exactScope = false
+  or
+  scope.isExact() and
+  result.getANode().getAstNode() = scope and
+  exactScope = true
+}
+
+/**
+ * A helper class for determining control-flow reachability for pairs of
+ * elements.
+ *
+ * This is useful when defining for example expression-based data-flow steps in
+ * the presence of control-flow splitting, where a data-flow step should make
+ * sure to stay in the same split.
+ *
+ * For example, in
+ *
+ * ```csharp
+ * if (b)
+ *     ....
+ * var x = "foo";
+ * if (b)
+ *     ....
+ * ```
+ *
+ * there should only be steps from `[b = true] "foo"` to `[b = true] SSA def(x)`
+ * and `[b = false] "foo"` to `[b = false] SSA def(x)`, and for example not from
+ * `[b = true] "foo"` to `[b = false] SSA def(x)`
+ */
+abstract class ControlFlowReachabilityConfiguration extends string {
+  bindingset[this]
+  ControlFlowReachabilityConfiguration() { any() }
+
+  /**
+   * Holds if `e1` and `e2` are expressions for which we want to find a
+   * control-flow path that follows control flow successors (resp.
+   * predecessors, as specified by `isSuccessor`) inside the syntactic scope
+   * `scope`. The Boolean `exactScope` indicates whether a transitive child
+   * of `scope` is allowed (`exactScope = false`).
+   */
+  predicate candidate(
+    Expr e1, Expr e2, ControlFlowElement scope, boolean exactScope, boolean isSuccessor
+  ) {
+    none()
+  }
+
+  /**
+   * Holds if `e` and `def` are elements for which we want to find a
+   * control-flow path that follows control flow successors (resp.
+   * predecessors, as specified by `isSuccessor`) inside the syntactic scope
+   * `scope`. The Boolean `exactScope` indicates whether a transitive child
+   * of `scope` is allowed (`exactScope = false`).
+   */
+  predicate candidateDef(
+    Expr e, AssignableDefinition def, ControlFlowElement scope, boolean exactScope,
+    boolean isSuccessor
+  ) {
+    none()
+  }
+
+  pragma[nomagic]
+  private predicate reachesBasicBlockExprBase(
+    Expr e1, Expr e2, boolean isSuccessor, ControlFlow::Nodes::ElementNode cfn1, int i,
+    ControlFlow::BasicBlock bb
+  ) {
+    this.candidate(e1, e2, _, _, isSuccessor) and
+    cfn1 = e1.getAControlFlowNode() and
+    bb.getNode(i) = cfn1
+  }
+
+  pragma[nomagic]
+  private predicate reachesBasicBlockExprRec(
+    Expr e1, Expr e2, boolean isSuccessor, ControlFlow::Nodes::ElementNode cfn1,
+    ControlFlow::BasicBlock bb
+  ) {
+    exists(ControlFlow::BasicBlock mid |
+      this.reachesBasicBlockExpr(e1, e2, isSuccessor, cfn1, mid)
+    |
+      isSuccessor = true and
+      bb = mid.getASuccessor()
+      or
+      isSuccessor = false and
+      bb = mid.getAPredecessor()
+    )
+  }
+
+  pragma[nomagic]
+  private predicate reachesBasicBlockExpr(
+    Expr e1, Expr e2, boolean isSuccessor, ControlFlow::Nodes::ElementNode cfn1,
+    ControlFlow::BasicBlock bb
+  ) {
+    this.reachesBasicBlockExprBase(e1, e2, isSuccessor, cfn1, _, bb)
+    or
+    exists(ControlFlowElement scope, boolean exactScope |
+      this.candidate(e1, e2, scope, exactScope, isSuccessor) and
+      this.reachesBasicBlockExprRec(e1, e2, isSuccessor, cfn1, bb) and
+      bb = getABasicBlockInScope(scope, exactScope)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate reachesBasicBlockDefinitionBase(
+    Expr e, AssignableDefinition def, boolean isSuccessor, ControlFlow::Nodes::ElementNode cfn,
+    int i, ControlFlow::BasicBlock bb
+  ) {
+    this.candidateDef(e, def, _, _, isSuccessor) and
+    cfn = e.getAControlFlowNode() and
+    bb.getNode(i) = cfn
+  }
+
+  pragma[nomagic]
+  private predicate reachesBasicBlockDefinitionRec(
+    Expr e, AssignableDefinition def, boolean isSuccessor, ControlFlow::Nodes::ElementNode cfn,
+    ControlFlow::BasicBlock bb
+  ) {
+    exists(ControlFlow::BasicBlock mid |
+      this.reachesBasicBlockDefinition(e, def, isSuccessor, cfn, mid)
+    |
+      isSuccessor = true and
+      bb = mid.getASuccessor()
+      or
+      isSuccessor = false and
+      bb = mid.getAPredecessor()
+    )
+  }
+
+  pragma[nomagic]
+  private predicate reachesBasicBlockDefinition(
+    Expr e, AssignableDefinition def, boolean isSuccessor, ControlFlow::Nodes::ElementNode cfn,
+    ControlFlow::BasicBlock bb
+  ) {
+    this.reachesBasicBlockDefinitionBase(e, def, isSuccessor, cfn, _, bb)
+    or
+    exists(ControlFlowElement scope, boolean exactScope |
+      this.candidateDef(e, def, scope, exactScope, isSuccessor) and
+      this.reachesBasicBlockDefinitionRec(e, def, isSuccessor, cfn, bb) and
+      bb = getABasicBlockInScope(scope, exactScope)
+    )
+  }
+
+  /**
+   * Holds if there is a control-flow path from `cfn1` to `cfn2`, where `cfn1` is a
+   * control-flow node for `e1` and `cfn2` is a control-flow node for `e2`.
+   */
+  pragma[nomagic]
+  predicate hasExprPath(Expr e1, ControlFlow::Node cfn1, Expr e2, ControlFlow::Node cfn2) {
+    exists(ControlFlow::BasicBlock bb, boolean isSuccessor, int i, int j |
+      this.reachesBasicBlockExprBase(e1, e2, isSuccessor, cfn1, i, bb) and
+      cfn2 = bb.getNode(j) and
+      cfn2 = e2.getAControlFlowNode()
+    |
+      isSuccessor = true and j >= i
+      or
+      isSuccessor = false and i >= j
+    )
+    or
+    exists(ControlFlow::BasicBlock bb |
+      this.reachesBasicBlockExprRec(e1, e2, _, cfn1, bb) and
+      cfn2 = bb.getANode() and
+      cfn2 = e2.getAControlFlowNode()
+    )
+  }
+
+  /**
+   * Holds if there is a control-flow path from `cfn` to `cfnDef`, where `cfn` is a
+   * control-flow node for `e` and `cfnDef` is a control-flow node for `def`.
+   */
+  pragma[nomagic]
+  predicate hasDefPath(
+    Expr e, ControlFlow::Node cfn, AssignableDefinition def, ControlFlow::Node cfnDef
+  ) {
+    exists(ControlFlow::BasicBlock bb, boolean isSuccessor, int i, int j |
+      this.reachesBasicBlockDefinitionBase(e, def, isSuccessor, cfn, i, bb) and
+      cfnDef = bb.getNode(j) and
+      def.getExpr().getAControlFlowNode() = cfnDef
+    |
+      isSuccessor = true and j >= i
+      or
+      isSuccessor = false and i >= j
+    )
+    or
+    exists(ControlFlow::BasicBlock bb |
+      this.reachesBasicBlockDefinitionRec(e, def, _, cfn, bb) and
+      def.getExpr().getAControlFlowNode() = cfnDef and
+      cfnDef = bb.getANode()
+    )
+  }
+}

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll

@@ -2,6 +2,7 @@ private import csharp
 private import DataFlowPublic
 private import DataFlowDispatch
 private import DataFlowImplCommon
+private import ControlFlowReachability
 private import FlowSummaryImpl as FlowSummaryImpl
 private import semmle.code.csharp.dataflow.FlowSummary as FlowSummary
 private import semmle.code.csharp.dataflow.internal.ExternalFlow
@@ -258,16 +259,34 @@ private module ThisFlow {
   }
 }
 
+/**
+ * Holds if there is a control-flow path from `n1` to `n2`. `n2` is either an
+ * expression node or an SSA definition node.
+ */
+pragma[nomagic]
+predicate hasNodePath(ControlFlowReachabilityConfiguration conf, ExprNode n1, Node n2) {
+  exists(ControlFlow::Node cfn1, ControlFlow::Node cfn2 | conf.hasExprPath(_, cfn1, _, cfn2) |
+    cfn1 = n1.getControlFlowNode() and
+    cfn2 = n2.(ExprNode).getControlFlowNode()
+  )
+  or
+  exists(ControlFlow::Node cfn, AssignableDefinition def, ControlFlow::Node cfnDef |
+    conf.hasDefPath(_, cfn, def, cfnDef) and
+    cfn = n1.getControlFlowNode() and
+    n2 = TAssignableDefinitionNode(def, cfnDef)
+  )
+}
+
 /** Provides logic related to captured variables. */
 module VariableCapture {
   private import codeql.dataflow.VariableCapture as Shared
   private import semmle.code.csharp.controlflow.BasicBlocks as BasicBlocks
 
   private predicate closureFlowStep(ControlFlow::Nodes::ExprNode e1, ControlFlow::Nodes::ExprNode e2) {
-    e1.getExpr() = LocalFlow::getALastEvalNode(e2.getExpr())
+    e1 = LocalFlow::getALastEvalNode(e2)
     or
     exists(Ssa::Definition def, AssignableDefinition adef |
-      LocalFlow::defAssigns(adef, _, _, e1) and
+      LocalFlow::defAssigns(adef, _, e1) and
       def.getAnUltimateDefinition().(Ssa::ExplicitDefinition).getADefinition() = adef and
       exists(def.getAReadAtNode(e2))
     )
@@ -360,7 +379,7 @@ module VariableCapture {
         this = def.getExpr().getAControlFlowNode()
       }
 
-      ControlFlow::Node getRhs() { LocalFlow::defAssigns(def, this, _, result) }
+      ControlFlow::Node getRhs() { LocalFlow::defAssigns(def, this, result) }
 
       CapturedVariable getVariable() { result = v }
     }
@@ -509,74 +528,127 @@ module SsaFlow {
 
 /** Provides predicates related to local data flow. */
 module LocalFlow {
-  predicate localExprStep(Expr e1, Expr e2) {
-    e1 = e2.(ParenthesizedExpr).getExpr()
-    or
-    e1 = e2.(NullCoalescingExpr).getAnOperand()
-    or
-    e1 = e2.(SuppressNullableWarningExpr).getExpr()
-    or
-    e2 =
-      any(ConditionalExpr ce |
-        e1 = ce.getThen() or
-        e1 = ce.getElse()
+  class LocalExprStepConfiguration extends ControlFlowReachabilityConfiguration {
+    LocalExprStepConfiguration() { this = "LocalExprStepConfiguration" }
+
+    override predicate candidate(
+      Expr e1, Expr e2, ControlFlowElement scope, boolean exactScope, boolean isSuccessor
+    ) {
+      exactScope = false and
+      (
+        e1 = e2.(ParenthesizedExpr).getExpr() and
+        scope = e2 and
+        isSuccessor = true
+        or
+        e1 = e2.(NullCoalescingExpr).getAnOperand() and
+        scope = e2 and
+        isSuccessor = true
+        or
+        e1 = e2.(SuppressNullableWarningExpr).getExpr() and
+        scope = e2 and
+        isSuccessor = true
+        or
+        e2 =
+          any(ConditionalExpr ce |
+            e1 = ce.getThen() or
+            e1 = ce.getElse()
+          ) and
+        scope = e2 and
+        isSuccessor = true
+        or
+        e1 = e2.(Cast).getExpr() and
+        scope = e2 and
+        isSuccessor = true
+        or
+        // An `=` expression, where the result of the expression is used
+        e2 =
+          any(AssignExpr ae |
+            ae.getParent() = any(ControlFlowElement cfe | not cfe instanceof ExprStmt) and
+            e1 = ae.getRValue()
+          ) and
+        scope = e2 and
+        isSuccessor = true
+        or
+        e1 = e2.(ObjectCreation).getInitializer() and
+        scope = e2 and
+        isSuccessor = false
+        or
+        e1 = e2.(ArrayCreation).getInitializer() and
+        scope = e2 and
+        isSuccessor = false
+        or
+        e1 = e2.(SwitchExpr).getACase().getBody() and
+        scope = e2 and
+        isSuccessor = true
+        or
+        e1 = e2.(CheckedExpr).getExpr() and
+        scope = e2 and
+        isSuccessor = true
+        or
+        e1 = e2.(UncheckedExpr).getExpr() and
+        scope = e2 and
+        isSuccessor = true
+        or
+        e1 = e2.(CollectionExpression).getAnElement() and
+        e1 instanceof SpreadElementExpr and
+        scope = e2 and
+        isSuccessor = true
+        or
+        e1 = e2.(SpreadElementExpr).getExpr() and
+        scope = e2 and
+        isSuccessor = true
+        or
+        exists(WithExpr we |
+          scope = we and
+          isSuccessor = true
+        |
+          e1 = we.getExpr() and
+          e2 = we.getInitializer()
+          or
+          e1 = we.getInitializer() and
+          e2 = we
+        )
+        or
+        scope = any(AssignExpr ae | ae.getLValue().(TupleExpr) = e2 and ae.getRValue() = e1) and
+        isSuccessor = false
+        or
+        isSuccessor = true and
+        exists(ControlFlowElement cfe | cfe = e2.(TupleExpr).(PatternExpr).getPatternMatch() |
+          cfe.(IsExpr).getExpr() = e1 and scope = cfe
+          or
+          exists(Switch sw | sw.getACase() = cfe and sw.getExpr() = e1 and scope = sw)
+        )
       )
-    or
-    e1 = e2.(Cast).getExpr()
-    or
-    // An `=` expression, where the result of the expression is used
-    e2 =
-      any(AssignExpr ae |
-        ae.getParent() = any(ControlFlowElement cfe | not cfe instanceof ExprStmt) and
-        e1 = ae.getRValue()
+    }
+
+    override predicate candidateDef(
+      Expr e, AssignableDefinition def, ControlFlowElement scope, boolean exactScope,
+      boolean isSuccessor
+    ) {
+      // Flow from source to definition
+      exactScope = false and
+      def.getSource() = e and
+      (
+        scope = def.getExpr() and
+        isSuccessor = true
+        or
+        scope = def.(AssignableDefinitions::PatternDefinition).getMatch().(IsExpr) and
+        isSuccessor = false
+        or
+        exists(Switch s |
+          s.getACase() = def.(AssignableDefinitions::PatternDefinition).getMatch() and
+          isSuccessor = true
+        |
+          scope = s.getExpr()
+          or
+          scope = s.getACase()
+        )
       )
-    or
-    e1 = e2.(ObjectCreation).getInitializer()
-    or
-    e1 = e2.(ArrayCreation).getInitializer()
-    or
-    e1 = e2.(SwitchExpr).getACase().getBody()
-    or
-    e1 = e2.(CheckedExpr).getExpr()
-    or
-    e1 = e2.(UncheckedExpr).getExpr()
-    or
-    e1 = e2.(CollectionExpression).getAnElement() and
-    e1 instanceof SpreadElementExpr
-    or
-    e1 = e2.(SpreadElementExpr).getExpr()
-    or
-    exists(WithExpr we |
-      e1 = we.getExpr() and
-      e2 = we.getInitializer()
-      or
-      e1 = we.getInitializer() and
-      e2 = we
-    )
-    or
-    exists(AssignExpr ae | ae.getLValue().(TupleExpr) = e2 and ae.getRValue() = e1)
-    or
-    exists(ControlFlowElement cfe | cfe = e2.(TupleExpr).(PatternExpr).getPatternMatch() |
-      cfe.(IsExpr).getExpr() = e1
-      or
-      exists(Switch sw | sw.getACase() = cfe and sw.getExpr() = e1)
-    )
+    }
   }
 
-  predicate defAssigns(
-    AssignableDefinition def, ControlFlow::Node cfnDef, Expr value, ControlFlow::Node valueCfn
-  ) {
-    def.getSource() = value and
-    valueCfn = value.getControlFlowNode() and
-    cfnDef = def.getExpr().getAControlFlowNode()
-  }
-
-  private predicate defAssigns(ExprNode value, AssignableDefinitionNode defNode) {
-    exists(ControlFlow::Node cfn, AssignableDefinition def, ControlFlow::Node cfnDef |
-      defAssigns(def, cfnDef, value.getExpr(), _) and
-      cfn = value.getControlFlowNode() and
-      defNode = TAssignableDefinitionNode(def, cfnDef)
-    )
+  predicate defAssigns(AssignableDefinition def, ControlFlow::Node cfnDef, ControlFlow::Node value) {
+    any(LocalExprStepConfiguration x).hasDefPath(_, value, def, cfnDef)
   }
 
   /**
@@ -587,9 +659,7 @@ module LocalFlow {
   }
 
   predicate localFlowStepCommon(Node nodeFrom, Node nodeTo) {
-    localExprStep(nodeFrom.asExpr(), nodeTo.asExpr())
-    or
-    defAssigns(nodeFrom, nodeTo)
+    hasNodePath(any(LocalExprStepConfiguration x), nodeFrom, nodeTo)
     or
     ThisFlow::adjacentThisRefs(nodeFrom, nodeTo) and
     nodeFrom != nodeTo
@@ -615,12 +685,11 @@ module LocalFlow {
   }
 
   /**
-   * Gets a node that may execute last in `e`, and which, when it executes last,
-   * will be the value of `e`.
+   * Gets a node that may execute last in `n`, and which, when it executes last,
+   * will be the value of `n`.
    */
-  Expr getALastEvalNode(Expr e) {
-    localExprStep(result, e) and
-    (
+  ControlFlow::Nodes::ExprNode getALastEvalNode(ControlFlow::Nodes::ExprNode cfn) {
+    exists(Expr e | any(LocalExprStepConfiguration x).hasExprPath(_, result, e, cfn) |
       e instanceof ConditionalExpr or
       e instanceof Cast or
       e instanceof NullCoalescingExpr or
@@ -644,7 +713,9 @@ module LocalFlow {
    * we add a reverse flow step from `[post] b ? x : y` to `[post] x` and to
    * `[post] y`, in order for the side-effect of `m` to reach both `x` and `y`.
    */
-  Expr getPostUpdateReverseStep(Expr e) { result = getALastEvalNode(e) }
+  ControlFlow::Nodes::ExprNode getPostUpdateReverseStep(ControlFlow::Nodes::ExprNode e) {
+    result = getALastEvalNode(e)
+  }
 
   /**
    * Holds if the value of `node2` is given by `node1`.
@@ -658,10 +729,9 @@ module LocalFlow {
       e instanceof ThisAccess or e instanceof BaseAccess
     )
     or
-    defAssigns(node1, node2)
-    or
-    localExprStep(node1.asExpr(), node2.asExpr()) and
+    hasNodePath(any(LocalExprStepConfiguration x), node1, node2) and
     (
+      node2 instanceof AssignableDefinitionNode or
       node2.asExpr() instanceof Cast or
       node2.asExpr() instanceof AssignExpr
     )
@@ -705,8 +775,12 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo, string model) {
     or
     nodeTo = nodeFrom.(LocalFunctionCreationNode).getAnAccess(true)
     or
-    nodeTo.(PostUpdateNode).getPreUpdateNode().asExpr() =
-      LocalFlow::getPostUpdateReverseStep(nodeFrom.(PostUpdateNode).getPreUpdateNode().asExpr())
+    nodeTo.(PostUpdateNode).getPreUpdateNode().(ExprNode).getControlFlowNode() =
+      LocalFlow::getPostUpdateReverseStep(nodeFrom
+            .(PostUpdateNode)
+            .getPreUpdateNode()
+            .(ExprNode)
+            .getControlFlowNode())
   ) and
   model = ""
   or
@@ -760,11 +834,11 @@ private class Argument extends Expr {
 }
 
 /**
- * Holds if there is an assignment of `src` to field or property `c` of `q`.
+ * Holds if `e` is an assignment of `src` to field or property `c` of `q`.
  *
  * `postUpdate` indicates whether the store targets a post-update node.
  */
-private predicate fieldOrPropertyStore(ContentSet c, Expr src, Expr q, boolean postUpdate) {
+private predicate fieldOrPropertyStore(Expr e, ContentSet c, Expr src, Expr q, boolean postUpdate) {
   exists(FieldOrProperty f |
     c = f.getContentSet() and
     (
@@ -787,20 +861,25 @@ private predicate fieldOrPropertyStore(ContentSet c, Expr src, Expr q, boolean p
       f = fa.getTarget() and
       src = def.getSource() and
       q = fa.getQualifier() and
+      e = def.getExpr() and
       postUpdate = true
     )
     or
     // `with` expression initializer, `x with { f = src }`
-    exists(WithExpr we, MemberInitializer mi |
-      q = we and
-      mi = we.getInitializer().getAMemberInitializer() and
-      f = mi.getInitializedMember() and
-      src = mi.getRValue() and
-      postUpdate = false
-    )
+    e =
+      any(WithExpr we |
+        exists(MemberInitializer mi |
+          q = we and
+          mi = we.getInitializer().getAMemberInitializer() and
+          f = mi.getInitializedMember() and
+          src = mi.getRValue() and
+          postUpdate = false
+        )
+      )
     or
     // Object initializer, `new C() { f = src }`
     exists(MemberInitializer mi |
+      e = q and
       mi = q.(ObjectInitializer).getAMemberInitializer() and
       q.getParent() instanceof ObjectCreation and
       f = mi.getInitializedMember() and
@@ -809,13 +888,16 @@ private predicate fieldOrPropertyStore(ContentSet c, Expr src, Expr q, boolean p
     )
     or
     // Tuple element, `(..., src, ...)` `f` is `ItemX` of tuple `q`
-    exists(TupleExpr te, int i |
-      te = q and
-      src = te.getArgument(i) and
-      te.isConstruction() and
-      f = q.getType().(TupleType).getElement(i) and
-      postUpdate = false
-    )
+    e =
+      any(TupleExpr te |
+        exists(int i |
+          e = q and
+          src = te.getArgument(i) and
+          te.isConstruction() and
+          f = q.getType().(TupleType).getElement(i) and
+          postUpdate = false
+        )
+      )
   )
   or
   // A write to a dynamic property
@@ -825,6 +907,7 @@ private predicate fieldOrPropertyStore(ContentSet c, Expr src, Expr q, boolean p
     c.isDynamicProperty(dp) and
     src = def.getSource() and
     q = dma.getQualifier() and
+    e = def.getExpr() and
     postUpdate = true
   )
 }
@@ -860,20 +943,22 @@ private predicate collectionStore(Expr src, CollectionExpression ce) {
 }
 
 /**
- * Holds if there is an expression that adds `src` to array `a`.
+ * Holds if `e` is an expression that adds `src` to array `a`.
  *
  * `postUpdate` indicates whether the store targets a post-update node.
  */
-private predicate arrayStore(Expr src, Expr a, boolean postUpdate) {
+private predicate arrayStore(Expr e, Expr src, Expr a, boolean postUpdate) {
   // Direct assignment, `a[i] = src`
   exists(AssignableDefinition def |
     a = def.getTargetAccess().(ArrayWrite).getQualifier() and
     src = def.getSource() and
+    e = def.getExpr() and
     postUpdate = true
   )
   or
   // Array initializer, `new [] { src }`
   src = a.(ArrayInitializer).getAnElement() and
+  e = a and
   postUpdate = false
   or
   // Member initializer, `new C { Array = { [i] = src } }`
@@ -881,6 +966,7 @@ private predicate arrayStore(Expr src, Expr a, boolean postUpdate) {
     mi = a.(ObjectInitializer).getAMemberInitializer() and
     mi.getLValue() instanceof ArrayAccess and
     mi.getRValue() = src and
+    e = a and
     postUpdate = false
   )
 }
@@ -1055,17 +1141,17 @@ private module Cached {
       (
         cfn.getExpr() instanceof Argument
         or
-        cfn.getExpr() =
-          LocalFlow::getPostUpdateReverseStep(any(SourcePostUpdateNode p)
-                .getPreUpdateNode()
-                .asExpr())
+        cfn =
+          LocalFlow::getPostUpdateReverseStep(any(ControlFlow::Nodes::ExprNode e |
+              exists(any(SourcePostUpdateNode p).getPreUpdateNode().asExprAtNode(e))
+            ))
       ) and
       exprMayHavePostUpdateNode(cfn.getExpr())
       or
       exists(Expr e | e = cfn.getExpr() |
-        fieldOrPropertyStore(_, _, e, true)
+        fieldOrPropertyStore(_, _, _, e, true)
         or
-        arrayStore(_, e, true)
+        arrayStore(_, _, e, true)
         or
         // needed for reverse stores; e.g. `x.f1.f2 = y` induces
         // a store step of `f1` into `x`
@@ -1080,7 +1166,7 @@ private module Cached {
         )
       )
       or
-      lambdaCallExpr(_, _, cfn)
+      lambdaCallExpr(_, cfn)
     } or
     TFlowSummaryNode(FlowSummaryImpl::Private::SummaryNode sn) {
       sn.getSummarizedCallable() instanceof CallableUsedInSource
@@ -1477,15 +1563,35 @@ abstract private class ArgumentNodeImpl extends Node {
 }
 
 private module ArgumentNodes {
+  private class ArgumentConfiguration extends ControlFlowReachabilityConfiguration {
+    ArgumentConfiguration() { this = "ArgumentConfiguration" }
+
+    override predicate candidate(
+      Expr e1, Expr e2, ControlFlowElement scope, boolean exactScope, boolean isSuccessor
+    ) {
+      e1.(Argument).isArgumentOf(e2, _) and
+      exactScope = false and
+      isSuccessor = true and
+      if e2 instanceof PropertyWrite
+      then
+        exists(AssignableDefinition def |
+          def.getTargetAccess() = e2 and
+          scope = def.getExpr()
+        )
+      else scope = e2
+    }
+  }
+
   /** A data-flow node that represents an explicit call argument. */
   class ExplicitArgumentNode extends ArgumentNodeImpl {
     ExplicitArgumentNode() { this.asExpr() instanceof Argument }
 
     override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
-      exists(Expr c, Argument arg |
+      exists(ArgumentConfiguration x, Expr c, Argument arg |
         arg = this.asExpr() and
         c = call.getExpr() and
-        arg.isArgumentOf(c, pos)
+        arg.isArgumentOf(c, pos) and
+        x.hasExprPath(_, this.getControlFlowNode(), _, call.getControlFlowNode())
       )
     }
   }
@@ -1494,7 +1600,7 @@ private module ArgumentNodes {
   class DelegateSelfArgumentNode extends ArgumentNodeImpl, ExprNode {
     private DataFlowCall call_;
 
-    DelegateSelfArgumentNode() { lambdaCallExpr(call_, this.getExpr(), _) }
+    DelegateSelfArgumentNode() { lambdaCallExpr(call_, this.getControlFlowNode()) }
 
     override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
       call = call_ and
@@ -1751,6 +1857,27 @@ private module OutNodes {
     }
   }
 
+  class ObjectOrCollectionInitializerConfiguration extends ControlFlowReachabilityConfiguration {
+    ObjectOrCollectionInitializerConfiguration() {
+      this = "ObjectOrCollectionInitializerConfiguration"
+    }
+
+    override predicate candidate(
+      Expr e1, Expr e2, ControlFlowElement scope, boolean exactScope, boolean isSuccessor
+    ) {
+      exactScope = false and
+      scope = e1 and
+      isSuccessor = true and
+      exists(ObjectOrCollectionInitializer init | init = e1.(ObjectCreation).getInitializer() |
+        // E.g. `new Dictionary<int, string>{ {0, "a"}, {1, "b"} }`
+        e2 = init.(CollectionInitializer).getAnElementInitializer()
+        or
+        // E.g. `new Dictionary<int, string>() { [0] = "a", [1] = "b" }`
+        e2 = init.(ObjectInitializer).getAMemberInitializer().getLValue()
+      )
+    }
+  }
+
   /**
    * A data-flow node that reads a value returned by a callable using an
    * `out` or `ref` parameter.
@@ -2109,6 +2236,30 @@ predicate jumpStep(Node pred, Node succ) {
   succ = pred.(LocalFunctionCreationNode).getAnAccess(false)
 }
 
+private class StoreStepConfiguration extends ControlFlowReachabilityConfiguration {
+  StoreStepConfiguration() { this = "StoreStepConfiguration" }
+
+  override predicate candidate(
+    Expr e1, Expr e2, ControlFlowElement scope, boolean exactScope, boolean isSuccessor
+  ) {
+    exactScope = false and
+    fieldOrPropertyStore(scope, _, e1, e2, isSuccessor.booleanNot())
+    or
+    exactScope = false and
+    arrayStore(scope, e1, e2, isSuccessor.booleanNot())
+    or
+    exactScope = false and
+    isSuccessor = true and
+    collectionStore(e1, e2) and
+    scope = e2
+    or
+    exactScope = false and
+    isSuccessor = true and
+    isParamsArg(e2, e1, _) and
+    scope = e2
+  }
+}
+
 pragma[nomagic]
 private ContentSet getResultContent() {
   result.isProperty(any(SystemThreadingTasksTaskTClass c_).getResultProperty())
@@ -2131,17 +2282,21 @@ private predicate recordParameter(RecordType t, Parameter p, string name) {
 }
 
 private predicate storeContentStep(Node node1, Content c, Node node2) {
-  exists(ExprNode node, boolean postUpdate |
+  exists(StoreStepConfiguration x, ExprNode node, boolean postUpdate |
+    hasNodePath(x, node1, node) and
     if postUpdate = true then node = node2.(PostUpdateNode).getPreUpdateNode() else node = node2
   |
-    arrayStore(node1.asExpr(), node.getExpr(), postUpdate) and c instanceof ElementContent
+    arrayStore(_, node1.asExpr(), node.getExpr(), postUpdate) and c instanceof ElementContent
   )
   or
-  collectionStore(node1.asExpr(), node2.asExpr()) and c instanceof ElementContent
+  exists(StoreStepConfiguration x | hasNodePath(x, node1, node2) |
+    collectionStore(node1.asExpr(), node2.asExpr()) and c instanceof ElementContent
+  )
   or
-  exists(Call call |
-    node2 = TParamsArgumentNode(call.getControlFlowNode()) and
-    isParamsArg(call, node1.asExpr(), _) and
+  exists(StoreStepConfiguration x, Expr arg, ControlFlow::Node callCfn |
+    x.hasExprPath(arg, node1.(ExprNode).getControlFlowNode(), _, callCfn) and
+    node2 = TParamsArgumentNode(callCfn) and
+    isParamsArg(_, arg, _) and
     c instanceof ElementContent
   )
   or
@@ -2197,10 +2352,11 @@ predicate storeStep(Node node1, ContentSet c, Node node2) {
     c.isSingleton(cont)
   )
   or
-  exists(ExprNode node, boolean postUpdate |
+  exists(StoreStepConfiguration x, ExprNode node, boolean postUpdate |
+    hasNodePath(x, node1, node) and
     if postUpdate = true then node = node2.(PostUpdateNode).getPreUpdateNode() else node = node2
   |
-    fieldOrPropertyStore(c, node1.asExpr(), node.getExpr(), postUpdate)
+    fieldOrPropertyStore(_, c, node1.asExpr(), node.getExpr(), postUpdate)
   )
   or
   exists(Expr e |
@@ -2222,51 +2378,133 @@ predicate storeStep(Node node1, ContentSet c, Node node2) {
   storeStepDelegateCall(node1, c, node2)
 }
 
-private predicate readContentStep(Node node1, Content c, Node node2) {
-  arrayRead(node1.asExpr(), node2.asExpr()) and
-  c instanceof ElementContent
+pragma[nomagic]
+private predicate isAssignExprLValueDescendant(Expr e) {
+  e = any(AssignExpr ae).getLValue()
   or
-  exists(
-    ForeachStmt fs, Ssa::ExplicitDefinition def,
-    AssignableDefinitions::LocalVariableDefinition defTo
-  |
-    node1.asExpr() = fs.getIterableExpr() and
-    defTo.getDeclaration() = fs.getVariableDeclExpr() and
-    def.getADefinition() = defTo and
-    node2.(SsaDefinitionNode).getDefinition() = def and
-    c instanceof ElementContent
+  exists(Expr parent |
+    isAssignExprLValueDescendant(parent) and
+    e = parent.getAChildExpr()
   )
-  or
-  node1 =
-    any(InstanceParameterAccessPreNode n |
-      n.getUnderlyingControlFlowNode() = node2.(ExprNode).getControlFlowNode() and
-      n.getParameter() = c.(PrimaryConstructorParameterContent).getParameter()
-    ) and
-  node2.asExpr() instanceof ParameterRead
-  or
-  // node1 = (..., node2, ...)
-  // node1.ItemX flows to node2
-  exists(TupleExpr te, int i, Expr item |
-    te = node1.asExpr() and
-    not te.isConstruction() and
-    c.(FieldContent).getField() = te.getType().(TupleType).getElement(i).getUnboundDeclaration() and
-    // node1 = (..., item, ...)
-    te.getArgument(i) = item
-  |
-    // item = (..., ..., ...) in node1 = (..., (..., ..., ...), ...)
-    node2.asExpr().(TupleExpr) = item
+}
+
+private class ReadStepConfiguration extends ControlFlowReachabilityConfiguration {
+  ReadStepConfiguration() { this = "ReadStepConfiguration" }
+
+  override predicate candidate(
+    Expr e1, Expr e2, ControlFlowElement scope, boolean exactScope, boolean isSuccessor
+  ) {
+    exactScope = false and
+    isSuccessor = true and
+    fieldOrPropertyRead(e1, _, e2) and
+    scope = e2
     or
-    // item = variable in node1 = (..., variable, ...)
-    exists(AssignableDefinitions::TupleAssignmentDefinition tad |
-      node2.(AssignableDefinitionNode).getDefinition() = tad and
-      tad.getLeaf() = item
+    exactScope = false and
+    isSuccessor = true and
+    dynamicPropertyRead(e1, _, e2) and
+    scope = e2
+    or
+    exactScope = false and
+    isSuccessor = true and
+    arrayRead(e1, e2) and
+    scope = e2
+    or
+    exactScope = false and
+    e1 = e2.(AwaitExpr).getExpr() and
+    scope = e2 and
+    isSuccessor = true
+    or
+    exactScope = false and
+    e2 = e1.(TupleExpr).getAnArgument() and
+    scope = e1 and
+    isSuccessor = false
+  }
+
+  override predicate candidateDef(
+    Expr e, AssignableDefinition defTo, ControlFlowElement scope, boolean exactScope,
+    boolean isSuccessor
+  ) {
+    exists(ForeachStmt fs |
+      e = fs.getIterableExpr() and
+      defTo.(AssignableDefinitions::LocalVariableDefinition).getDeclaration() =
+        fs.getVariableDeclExpr() and
+      isSuccessor = true
+    |
+      scope = fs and
+      exactScope = true
+      or
+      scope = fs.getIterableExpr() and
+      exactScope = false
+      or
+      scope = fs.getVariableDeclExpr() and
+      exactScope = false
     )
     or
-    // item = variable in node1 = (..., variable, ...) in a case/is var (..., ...)
-    isPatternExprDescendant(te) and
-    exists(AssignableDefinitions::LocalVariableDefinition lvd |
-      node2.(AssignableDefinitionNode).getDefinition() = lvd and
-      lvd.getDeclaration() = item
+    scope =
+      any(AssignExpr ae |
+        ae = defTo.(AssignableDefinitions::TupleAssignmentDefinition).getAssignment() and
+        isAssignExprLValueDescendant(e.(TupleExpr)) and
+        exactScope = false and
+        isSuccessor = true
+      )
+    or
+    scope =
+      any(TupleExpr te |
+        te.getAnArgument() = defTo.(AssignableDefinitions::LocalVariableDefinition).getDeclaration() and
+        e = te and
+        exactScope = false and
+        isSuccessor = false
+      )
+  }
+}
+
+private predicate readContentStep(Node node1, Content c, Node node2) {
+  exists(ReadStepConfiguration x |
+    hasNodePath(x, node1, node2) and
+    arrayRead(node1.asExpr(), node2.asExpr()) and
+    c instanceof ElementContent
+    or
+    exists(ForeachStmt fs, Ssa::ExplicitDefinition def |
+      x.hasDefPath(fs.getIterableExpr(), node1.getControlFlowNode(), def.getADefinition(),
+        def.getControlFlowNode()) and
+      node2.(SsaDefinitionNode).getDefinition() = def and
+      c instanceof ElementContent
+    )
+    or
+    node1 =
+      any(InstanceParameterAccessPreNode n |
+        n.getUnderlyingControlFlowNode() = node2.(ExprNode).getControlFlowNode() and
+        n.getParameter() = c.(PrimaryConstructorParameterContent).getParameter()
+      ) and
+    node2.asExpr() instanceof ParameterRead
+    or
+    // node1 = (..., node2, ...)
+    // node1.ItemX flows to node2
+    exists(TupleExpr te, int i, Expr item |
+      te = node1.asExpr() and
+      not te.isConstruction() and
+      c.(FieldContent).getField() = te.getType().(TupleType).getElement(i).getUnboundDeclaration() and
+      // node1 = (..., item, ...)
+      te.getArgument(i) = item
+    |
+      // item = (..., ..., ...) in node1 = (..., (..., ..., ...), ...)
+      node2.asExpr().(TupleExpr) = item and
+      hasNodePath(x, node1, node2)
+      or
+      // item = variable in node1 = (..., variable, ...)
+      exists(AssignableDefinitions::TupleAssignmentDefinition tad |
+        node2.(AssignableDefinitionNode).getDefinition() = tad and
+        tad.getLeaf() = item and
+        hasNodePath(x, node1, node2)
+      )
+      or
+      // item = variable in node1 = (..., variable, ...) in a case/is var (..., ...)
+      isPatternExprDescendant(te) and
+      exists(AssignableDefinitions::LocalVariableDefinition lvd |
+        node2.(AssignableDefinitionNode).getDefinition() = lvd and
+        lvd.getDeclaration() = item and
+        hasNodePath(x, node1, node2)
+      )
     )
   )
   or
@@ -2297,12 +2535,14 @@ predicate readStep(Node node1, ContentSet c, Node node2) {
     c.isSingleton(cont)
   )
   or
-  fieldOrPropertyRead(node1.asExpr(), c, node2.asExpr())
-  or
-  dynamicPropertyRead(node1.asExpr(), c, node2.asExpr())
-  or
-  node2.asExpr().(AwaitExpr).getExpr() = node1.asExpr() and
-  c = getResultContent()
+  exists(ReadStepConfiguration x | hasNodePath(x, node1, node2) |
+    fieldOrPropertyRead(node1.asExpr(), c, node2.asExpr())
+    or
+    dynamicPropertyRead(node1.asExpr(), c, node2.asExpr())
+    or
+    node2.asExpr().(AwaitExpr).getExpr() = node1.asExpr() and
+    c = getResultContent()
+  )
   or
   FlowSummaryImpl::Private::Steps::summaryReadStep(node1.(FlowSummaryNode).getSummaryNode(), c,
     node2.(FlowSummaryNode).getSummaryNode())
@@ -2336,9 +2576,9 @@ predicate clearsContent(Node n, ContentSet c) {
     c.isSingleton(cont)
   )
   or
-  fieldOrPropertyStore(c, _, n.asExpr(), true)
+  fieldOrPropertyStore(_, c, _, n.asExpr(), true)
   or
-  fieldOrPropertyStore(c, _, n.(ObjectInitializerNode).getInitializer(), false)
+  fieldOrPropertyStore(_, c, _, n.(ObjectInitializerNode).getInitializer(), false)
   or
   FlowSummaryImpl::Private::Steps::summaryClearsContent(n.(FlowSummaryNode).getSummaryNode(), c)
   or
@@ -2577,13 +2817,8 @@ module PostUpdateNodes {
 
     override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
       pos.isQualifier() and
-      exists(ObjectOrCollectionInitializer init | init = oc.getInitializer() |
-        // E.g. `new Dictionary<int, string>{ {0, "a"}, {1, "b"} }`
-        call.getExpr() = init.(CollectionInitializer).getAnElementInitializer()
-        or
-        // E.g. `new Dictionary<int, string>() { [0] = "a", [1] = "b" }`
-        call.getExpr() = init.(ObjectInitializer).getAMemberInitializer().getLValue()
-      )
+      any(ObjectOrCollectionInitializerConfiguration x)
+          .hasExprPath(_, cfn, _, call.getControlFlowNode())
     }
 
     override DataFlowCallable getEnclosingCallableImpl() {
@@ -2745,26 +2980,45 @@ private predicate isLocalFunctionCallReceiver(
   f = receiver.getTarget().getUnboundDeclaration()
 }
 
-private predicate lambdaCallExpr(DataFlowCall call, Expr receiver, ControlFlow::Node receiverCfn) {
-  exists(DelegateLikeCall dc |
-    call.(ExplicitDelegateLikeDataFlowCall).getCall() = dc and
-    receiver = dc.getExpr() and
-    receiverCfn = receiver.getControlFlowNode()
+private class LambdaConfiguration extends ControlFlowReachabilityConfiguration {
+  LambdaConfiguration() { this = "LambdaConfiguration" }
+
+  override predicate candidate(
+    Expr e1, Expr e2, ControlFlowElement scope, boolean exactScope, boolean isSuccessor
+  ) {
+    e1 = e2.(DelegateLikeCall).getExpr() and
+    exactScope = false and
+    scope = e2 and
+    isSuccessor = true
+    or
+    e1 = e2.(DelegateCreation).getArgument() and
+    exactScope = false and
+    scope = e2 and
+    isSuccessor = true
+    or
+    isLocalFunctionCallReceiver(e2, e1, _) and
+    exactScope = false and
+    scope = e2 and
+    isSuccessor = true
+  }
+}
+
+private predicate lambdaCallExpr(DataFlowCall call, ControlFlow::Node receiver) {
+  exists(LambdaConfiguration x, DelegateLikeCall dc |
+    x.hasExprPath(dc.getExpr(), receiver, dc, call.getControlFlowNode())
   )
   or
   // In local function calls, `F()`, we use the local function access `F`
   // to represent the receiver. Only needed for flow through captured variables.
-  exists(LocalFunctionCall fc |
-    receiver = fc.getAChild() and
-    receiverCfn = receiver.getControlFlowNode() and
-    fc.getControlFlowNode() = call.getControlFlowNode()
+  exists(LambdaConfiguration x, LocalFunctionCall fc |
+    x.hasExprPath(fc.getAChild(), receiver, fc, call.getControlFlowNode())
   )
 }
 
 /** Holds if `call` is a lambda call where `receiver` is the lambda expression. */
 predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
   (
-    lambdaCallExpr(call, receiver.asExpr(), _) and
+    lambdaCallExpr(call, receiver.(ExprNode).getControlFlowNode()) and
     // local function calls can be resolved directly without a flow analysis
     not call.getControlFlowNode().getAstNode() instanceof LocalFunctionCall
     or
@@ -2774,9 +3028,9 @@ predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
 }
 
 private predicate delegateCreationStep(Node nodeFrom, Node nodeTo) {
-  exists(DelegateCreation dc |
-    dc.getArgument() = nodeFrom.asExpr() and
-    dc = nodeTo.asExpr()
+  exists(LambdaConfiguration x, DelegateCreation dc |
+    x.hasExprPath(dc.getArgument(), nodeFrom.(ExprNode).getControlFlowNode(), dc,
+      nodeTo.(ExprNode).getControlFlowNode())
   )
 }
 

csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll

@@ -4,6 +4,7 @@ private import FlowSummaryImpl as FlowSummaryImpl
 private import semmle.code.csharp.Caching
 private import semmle.code.csharp.dataflow.internal.DataFlowDispatch
 private import semmle.code.csharp.dataflow.internal.DataFlowPrivate
+private import semmle.code.csharp.dataflow.internal.ControlFlowReachability
 private import semmle.code.csharp.dispatch.Dispatch
 private import semmle.code.csharp.commons.ComparisonTest
 // import `TaintedMember` definitions from other files to avoid potential reevaluation
@@ -44,58 +45,82 @@ predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet c)
   )
 }
 
-private predicate localTaintExprStep(Expr e1, Expr e2) {
-  e1 = e2.(ElementAccess).getQualifier()
-  or
-  e1 = e2.(AddExpr).getAnOperand()
-  or
-  // A comparison expression where taint can flow from one of the
-  // operands if the other operand is a constant value.
-  exists(ComparisonTest ct, Expr other |
-    ct.getExpr() = e2 and
-    e1 = ct.getAnArgument() and
-    other = ct.getAnArgument() and
-    other.stripCasts().hasValue() and
-    e1 != other
+private class LocalTaintExprStepConfiguration extends ControlFlowReachabilityConfiguration {
+  LocalTaintExprStepConfiguration() { this = "LocalTaintExprStepConfiguration" }
+
+  override predicate candidate(
+    Expr e1, Expr e2, ControlFlowElement scope, boolean exactScope, boolean isSuccessor
+  ) {
+    exactScope = false and
+    isSuccessor = true and
+    (
+      e1 = e2.(ElementAccess).getQualifier() and
+      scope = e2
+      or
+      e1 = e2.(AddExpr).getAnOperand() and
+      scope = e2
+      or
+      // A comparison expression where taint can flow from one of the
+      // operands if the other operand is a constant value.
+      exists(ComparisonTest ct, Expr other |
+        ct.getExpr() = e2 and
+        e1 = ct.getAnArgument() and
+        other = ct.getAnArgument() and
+        other.stripCasts().hasValue() and
+        e1 != other and
+        scope = e2
+      )
+      or
+      e1 = e2.(UnaryLogicalOperation).getAnOperand() and
+      scope = e2
+      or
+      e1 = e2.(BinaryLogicalOperation).getAnOperand() and
+      scope = e2
+      or
+      e1 = e2.(InterpolatedStringExpr).getAChild() and
+      scope = e2
+      or
+      e1 = e2.(InterpolatedStringInsertExpr).getInsert() and
+      scope = e2
+      or
+      e2 =
+        any(OperatorCall oc |
+          oc.getTarget().(ConversionOperator).fromLibrary() and
+          e1 = oc.getAnArgument() and
+          scope = e2
+        )
+      or
+      e1 = e2.(AwaitExpr).getExpr() and
+      scope = e2
+      or
+      // Taint flows from the operand of a cast to the cast expression if the cast is to an interpolated string handler.
+      e2 =
+        any(CastExpr ce |
+          e1 = ce.getExpr() and
+          scope = ce and
+          ce.getTargetType()
+              .(Attributable)
+              .getAnAttribute()
+              .getType()
+              .hasFullyQualifiedName("System.Runtime.CompilerServices",
+                "InterpolatedStringHandlerAttribute")
+        )
+    )
+  }
+}
+
+private ControlFlow::Nodes::ExprNode getALastEvalNode(ControlFlow::Nodes::ExprNode cfn) {
+  exists(OperatorCall oc | any(LocalTaintExprStepConfiguration x).hasExprPath(_, result, oc, cfn) |
+    oc.getTarget() instanceof ImplicitConversionOperator
   )
-  or
-  e1 = e2.(UnaryLogicalOperation).getAnOperand()
-  or
-  e1 = e2.(BinaryLogicalOperation).getAnOperand()
-  or
-  e1 = e2.(InterpolatedStringExpr).getAChild()
-  or
-  e1 = e2.(InterpolatedStringInsertExpr).getInsert()
-  or
-  e2 =
-    any(OperatorCall oc |
-      oc.getTarget().(ConversionOperator).fromLibrary() and
-      e1 = oc.getAnArgument()
-    )
-  or
-  e1 = e2.(AwaitExpr).getExpr()
-  or
-  // Taint flows from the operand of a cast to the cast expression if the cast is to an interpolated string handler.
-  e2 =
-    any(CastExpr ce |
-      e1 = ce.getExpr() and
-      ce.getTargetType()
-          .(Attributable)
-          .getAnAttribute()
-          .getType()
-          .hasFullyQualifiedName("System.Runtime.CompilerServices",
-            "InterpolatedStringHandlerAttribute")
-    )
 }
 
-private Expr getALastEvalNode(OperatorCall oc) {
-  localTaintExprStep(result, oc) and oc.getTarget() instanceof ImplicitConversionOperator
+private ControlFlow::Nodes::ExprNode getPostUpdateReverseStep(ControlFlow::Nodes::ExprNode e) {
+  result = getALastEvalNode(e)
 }
 
-private Expr getPostUpdateReverseStep(Expr e) { result = getALastEvalNode(e) }
-
 private predicate localTaintStepCommon(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-  localTaintExprStep(nodeFrom.asExpr(), nodeTo.asExpr())
+  hasNodePath(any(LocalTaintExprStepConfiguration x), nodeFrom, nodeTo)
 }
 
 cached
@@ -166,8 +191,12 @@ private module Cached {
       // Allow reverse update flow for implicit conversion operator calls.
       // This is needed to support flow out of method call arguments, where an implicit conversion is applied
       // to a call argument.
-      nodeTo.(PostUpdateNode).getPreUpdateNode().asExpr() =
-        getPostUpdateReverseStep(nodeFrom.(PostUpdateNode).getPreUpdateNode().asExpr())
+      nodeTo.(PostUpdateNode).getPreUpdateNode().(DataFlow::ExprNode).getControlFlowNode() =
+        getPostUpdateReverseStep(nodeFrom
+              .(PostUpdateNode)
+              .getPreUpdateNode()
+              .(DataFlow::ExprNode)
+              .getControlFlowNode())
     ) and
     model = ""
     or

csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ControlFlowReachability.qll

@@ -0,0 +1,246 @@
+import csharp
+
+private class ControlFlowScope extends ControlFlowElement {
+  private boolean exactScope;
+
+  ControlFlowScope() {
+    exists(ControlFlowReachabilityConfiguration c |
+      c.candidate(_, _, this, exactScope, _) or
+      c.candidateDef(_, _, this, exactScope, _)
+    )
+  }
+
+  predicate isExact() { exactScope = true }
+
+  predicate isNonExact() { exactScope = false }
+}
+
+private newtype TControlFlowElementOrBasicBlock =
+  TControlFlowElement(ControlFlowElement cfe) or
+  TBasicBlock(ControlFlow::BasicBlock bb)
+
+class ControlFlowElementOrBasicBlock extends TControlFlowElementOrBasicBlock {
+  ControlFlowElement asControlFlowElement() { this = TControlFlowElement(result) }
+
+  ControlFlow::BasicBlock asBasicBlock() { this = TBasicBlock(result) }
+
+  string toString() {
+    result = this.asControlFlowElement().toString()
+    or
+    result = this.asBasicBlock().toString()
+  }
+
+  Location getLocation() {
+    result = this.asControlFlowElement().getLocation()
+    or
+    result = this.asBasicBlock().getLocation()
+  }
+}
+
+private predicate isBasicBlock(ControlFlowElementOrBasicBlock c) { c instanceof TBasicBlock }
+
+private predicate isNonExactScope(ControlFlowElementOrBasicBlock c) {
+  c.asControlFlowElement().(ControlFlowScope).isNonExact()
+}
+
+private predicate step(ControlFlowElementOrBasicBlock pred, ControlFlowElementOrBasicBlock succ) {
+  pred.asBasicBlock().getANode().getAstNode() = succ.asControlFlowElement()
+  or
+  pred.asControlFlowElement() = succ.asControlFlowElement().getAChild()
+}
+
+private predicate basicBlockInNonExactScope(
+  ControlFlowElementOrBasicBlock bb, ControlFlowElementOrBasicBlock scope
+) = doublyBoundedFastTC(step/2, isBasicBlock/1, isNonExactScope/1)(bb, scope)
+
+pragma[noinline]
+private ControlFlow::BasicBlock getABasicBlockInScope(ControlFlowScope scope, boolean exactScope) {
+  basicBlockInNonExactScope(TBasicBlock(result), TControlFlowElement(scope)) and
+  exactScope = false
+  or
+  scope.isExact() and
+  result.getANode().getAstNode() = scope and
+  exactScope = true
+}
+
+/**
+ * A helper class for determining control-flow reachability for pairs of
+ * elements.
+ *
+ * This is useful when defining for example expression-based data-flow steps in
+ * the presence of control-flow splitting, where a data-flow step should make
+ * sure to stay in the same split.
+ *
+ * For example, in
+ *
+ * ```csharp
+ * if (b)
+ *     ....
+ * var x = "foo";
+ * if (b)
+ *     ....
+ * ```
+ *
+ * there should only be steps from `[b = true] "foo"` to `[b = true] SSA def(x)`
+ * and `[b = false] "foo"` to `[b = false] SSA def(x)`, and for example not from
+ * `[b = true] "foo"` to `[b = false] SSA def(x)`
+ */
+abstract class ControlFlowReachabilityConfiguration extends string {
+  bindingset[this]
+  ControlFlowReachabilityConfiguration() { any() }
+
+  /**
+   * Holds if `e1` and `e2` are expressions for which we want to find a
+   * control-flow path that follows control flow successors (resp.
+   * predecessors, as specified by `isSuccessor`) inside the syntactic scope
+   * `scope`. The Boolean `exactScope` indicates whether a transitive child
+   * of `scope` is allowed (`exactScope = false`).
+   */
+  predicate candidate(
+    Expr e1, Expr e2, ControlFlowElement scope, boolean exactScope, boolean isSuccessor
+  ) {
+    none()
+  }
+
+  /**
+   * Holds if `e` and `def` are elements for which we want to find a
+   * control-flow path that follows control flow successors (resp.
+   * predecessors, as specified by `isSuccessor`) inside the syntactic scope
+   * `scope`. The Boolean `exactScope` indicates whether a transitive child
+   * of `scope` is allowed (`exactScope = false`).
+   */
+  predicate candidateDef(
+    Expr e, AssignableDefinition def, ControlFlowElement scope, boolean exactScope,
+    boolean isSuccessor
+  ) {
+    none()
+  }
+
+  pragma[nomagic]
+  private predicate reachesBasicBlockExprBase(
+    Expr e1, Expr e2, boolean isSuccessor, ControlFlow::Nodes::ElementNode cfn1, int i,
+    ControlFlow::BasicBlock bb
+  ) {
+    this.candidate(e1, e2, _, _, isSuccessor) and
+    cfn1 = e1.getAControlFlowNode() and
+    bb.getNode(i) = cfn1
+  }
+
+  pragma[nomagic]
+  private predicate reachesBasicBlockExprRec(
+    Expr e1, Expr e2, boolean isSuccessor, ControlFlow::Nodes::ElementNode cfn1,
+    ControlFlow::BasicBlock bb
+  ) {
+    exists(ControlFlow::BasicBlock mid |
+      this.reachesBasicBlockExpr(e1, e2, isSuccessor, cfn1, mid)
+    |
+      isSuccessor = true and
+      bb = mid.getASuccessor()
+      or
+      isSuccessor = false and
+      bb = mid.getAPredecessor()
+    )
+  }
+
+  pragma[nomagic]
+  private predicate reachesBasicBlockExpr(
+    Expr e1, Expr e2, boolean isSuccessor, ControlFlow::Nodes::ElementNode cfn1,
+    ControlFlow::BasicBlock bb
+  ) {
+    this.reachesBasicBlockExprBase(e1, e2, isSuccessor, cfn1, _, bb)
+    or
+    exists(ControlFlowElement scope, boolean exactScope |
+      this.candidate(e1, e2, scope, exactScope, isSuccessor) and
+      this.reachesBasicBlockExprRec(e1, e2, isSuccessor, cfn1, bb) and
+      bb = getABasicBlockInScope(scope, exactScope)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate reachesBasicBlockDefinitionBase(
+    Expr e, AssignableDefinition def, boolean isSuccessor, ControlFlow::Nodes::ElementNode cfn,
+    int i, ControlFlow::BasicBlock bb
+  ) {
+    this.candidateDef(e, def, _, _, isSuccessor) and
+    cfn = e.getAControlFlowNode() and
+    bb.getNode(i) = cfn
+  }
+
+  pragma[nomagic]
+  private predicate reachesBasicBlockDefinitionRec(
+    Expr e, AssignableDefinition def, boolean isSuccessor, ControlFlow::Nodes::ElementNode cfn,
+    ControlFlow::BasicBlock bb
+  ) {
+    exists(ControlFlow::BasicBlock mid |
+      this.reachesBasicBlockDefinition(e, def, isSuccessor, cfn, mid)
+    |
+      isSuccessor = true and
+      bb = mid.getASuccessor()
+      or
+      isSuccessor = false and
+      bb = mid.getAPredecessor()
+    )
+  }
+
+  pragma[nomagic]
+  private predicate reachesBasicBlockDefinition(
+    Expr e, AssignableDefinition def, boolean isSuccessor, ControlFlow::Nodes::ElementNode cfn,
+    ControlFlow::BasicBlock bb
+  ) {
+    this.reachesBasicBlockDefinitionBase(e, def, isSuccessor, cfn, _, bb)
+    or
+    exists(ControlFlowElement scope, boolean exactScope |
+      this.candidateDef(e, def, scope, exactScope, isSuccessor) and
+      this.reachesBasicBlockDefinitionRec(e, def, isSuccessor, cfn, bb) and
+      bb = getABasicBlockInScope(scope, exactScope)
+    )
+  }
+
+  /**
+   * Holds if there is a control-flow path from `cfn1` to `cfn2`, where `cfn1` is a
+   * control-flow node for `e1` and `cfn2` is a control-flow node for `e2`.
+   */
+  pragma[nomagic]
+  predicate hasExprPath(Expr e1, ControlFlow::Node cfn1, Expr e2, ControlFlow::Node cfn2) {
+    exists(ControlFlow::BasicBlock bb, boolean isSuccessor, int i, int j |
+      this.reachesBasicBlockExprBase(e1, e2, isSuccessor, cfn1, i, bb) and
+      cfn2 = bb.getNode(j) and
+      cfn2 = e2.getAControlFlowNode()
+    |
+      isSuccessor = true and j >= i
+      or
+      isSuccessor = false and i >= j
+    )
+    or
+    exists(ControlFlow::BasicBlock bb |
+      this.reachesBasicBlockExprRec(e1, e2, _, cfn1, bb) and
+      cfn2 = bb.getANode() and
+      cfn2 = e2.getAControlFlowNode()
+    )
+  }
+
+  /**
+   * Holds if there is a control-flow path from `cfn` to `cfnDef`, where `cfn` is a
+   * control-flow node for `e` and `cfnDef` is a control-flow node for `def`.
+   */
+  pragma[nomagic]
+  predicate hasDefPath(
+    Expr e, ControlFlow::Node cfn, AssignableDefinition def, ControlFlow::Node cfnDef
+  ) {
+    exists(ControlFlow::BasicBlock bb, boolean isSuccessor, int i, int j |
+      this.reachesBasicBlockDefinitionBase(e, def, isSuccessor, cfn, i, bb) and
+      cfnDef = bb.getNode(j) and
+      def.getExpr().getAControlFlowNode() = cfnDef
+    |
+      isSuccessor = true and j >= i
+      or
+      isSuccessor = false and i >= j
+    )
+    or
+    exists(ControlFlow::BasicBlock bb |
+      this.reachesBasicBlockDefinitionRec(e, def, _, cfn, bb) and
+      def.getExpr().getAControlFlowNode() = cfnDef and
+      cfnDef = bb.getANode()
+    )
+  }
+}

csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/RangeUtils.qll

@@ -8,14 +8,26 @@ private module Impl {
   private import ConstantUtils
   private import SsaReadPositionCommon
   private import semmle.code.csharp.controlflow.Guards as G
+  private import ControlFlowReachability
 
   private class ExprNode = ControlFlow::Nodes::ExprNode;
 
+  private class ExprChildReachability extends ControlFlowReachabilityConfiguration {
+    ExprChildReachability() { this = "ExprChildReachability" }
+
+    override predicate candidate(
+      Expr e1, Expr e2, ControlFlowElement scope, boolean exactScope, boolean isSuccessor
+    ) {
+      e2 = e1.getAChild() and
+      scope = e1 and
+      exactScope = false and
+      isSuccessor in [false, true]
+    }
+  }
+
   /** Holds if `parent` having child `child` implies `parentNode` having child `childNode`. */
   predicate hasChild(Expr parent, Expr child, ExprNode parentNode, ExprNode childNode) {
-    parent.getAChild() = child and
-    parentNode = parent.getControlFlowNode() and
-    childNode = child.getControlFlowNode()
+    any(ExprChildReachability x).hasExprPath(parent, parentNode, child, childNode)
   }
 
   /** Holds if SSA definition `def` equals `e + delta`. */

csharp/ql/src/Security Features/CWE-079/XSS.ql

@@ -4,7 +4,7 @@
  *              allows for a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 7.8
+ * @security-severity 6.1
  * @precision high
  * @id cs/web/xss
  * @tags security

csharp/ql/src/Security Features/CWE-117/LogForging.ql

@@ -4,7 +4,7 @@
  *              insertion of forged log entries by a malicious user.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision high
  * @id cs/log-forging
  * @tags security

csharp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md

@@ -1,5 +0,0 @@
----
-category: queryMetadata
----
-* The `@security-severity` metadata of `cs/log-forging` has been reduced from 7.8 (high) to 6.1 (medium).
-* The `@security-severity` metadata of `cs/web/xss` has been increased from 6.1 (medium) to 7.8 (high).

csharp/ql/test/library-tests/csharp7/LocalTaintFlow.expected

@@ -26,7 +26,6 @@
 | CSharp7.cs:31:16:31:16 | access to parameter i | CSharp7.cs:31:16:31:20 | ... > ... |
 | CSharp7.cs:31:16:31:16 | access to parameter i | CSharp7.cs:31:24:31:24 | access to parameter i |
 | CSharp7.cs:31:24:31:24 | access to parameter i | CSharp7.cs:31:16:31:59 | ... ? ... : ... |
-| CSharp7.cs:31:28:31:59 | throw ... | CSharp7.cs:31:16:31:59 | ... ? ... : ... |
 | CSharp7.cs:35:7:35:18 | this | CSharp7.cs:35:7:35:18 | this access |
 | CSharp7.cs:39:9:39:9 | access to parameter x | CSharp7.cs:39:9:39:21 | SSA def(x) |
 | CSharp7.cs:39:13:39:21 | "tainted" | CSharp7.cs:39:9:39:9 | access to parameter x |
@@ -254,7 +253,6 @@
 | CSharp7.cs:233:13:233:13 | access to local variable o | CSharp7.cs:235:13:235:42 | [input] SSA phi read(o) |
 | CSharp7.cs:233:13:233:13 | access to local variable o | CSharp7.cs:237:18:237:18 | access to local variable o |
 | CSharp7.cs:233:13:233:23 | [false] ... is ... | CSharp7.cs:233:13:233:33 | [false] ... && ... |
-| CSharp7.cs:233:13:233:23 | [false] ... is ... | CSharp7.cs:233:13:233:33 | [true] ... && ... |
 | CSharp7.cs:233:13:233:23 | [true] ... is ... | CSharp7.cs:233:13:233:33 | [false] ... && ... |
 | CSharp7.cs:233:13:233:23 | [true] ... is ... | CSharp7.cs:233:13:233:33 | [true] ... && ... |
 | CSharp7.cs:233:18:233:23 | Int32 i1 | CSharp7.cs:233:18:233:23 | SSA def(i1) |
@@ -340,8 +338,6 @@
 | CSharp7.cs:297:35:297:35 | access to local variable x | CSharp7.cs:297:40:297:44 | Int32 y |
 | CSharp7.cs:297:35:297:35 | access to local variable x | CSharp7.cs:297:49:297:49 | access to local variable x |
 | CSharp7.cs:297:35:297:44 | [false] ... is ... | CSharp7.cs:297:25:297:44 | [false] ... && ... |
-| CSharp7.cs:297:35:297:44 | [false] ... is ... | CSharp7.cs:297:25:297:44 | [true] ... && ... |
-| CSharp7.cs:297:35:297:44 | [true] ... is ... | CSharp7.cs:297:25:297:44 | [false] ... && ... |
 | CSharp7.cs:297:35:297:44 | [true] ... is ... | CSharp7.cs:297:25:297:44 | [true] ... && ... |
 | CSharp7.cs:297:40:297:44 | Int32 y | CSharp7.cs:297:40:297:44 | SSA def(y) |
 | CSharp7.cs:297:40:297:44 | SSA def(y) | CSharp7.cs:299:31:299:31 | access to local variable y |

csharp/ql/test/library-tests/dispatch/CallGraph.expected

@@ -24,7 +24,6 @@
 | ExactCallable.cs:15:25:15:35 | Run`2 | ExactCallable.cs:172:21:172:33 | MethodWithOut |
 | ExactCallable.cs:15:25:15:35 | Run`2 | ExactCallable.cs:177:21:177:34 | MethodWithOut2 |
 | ExactCallable.cs:182:21:182:22 | M1 | ExactCallable.cs:187:21:187:22 | M2 |
-| TypeFlow.cs:3:7:3:14 | <object initializer> | TypeFlow.cs:22:20:22:22 | set_Prop |
 | TypeFlow.cs:5:5:5:12 | TypeFlow | TypeFlow.cs:24:10:24:12 | Run |
 | TypeFlow.cs:24:10:24:12 | Run | TypeFlow.cs:12:29:12:34 | Method |
 | TypeFlow.cs:24:10:24:12 | Run | TypeFlow.cs:17:30:17:35 | Method |

csharp/ql/test/library-tests/structuralcomparison/structuralComparison.expected

@@ -56,11 +56,11 @@ gvn
 | StructuralComparison.cs:3:14:3:18 | this access | (kind:Expr(12),false,Class) |
 | StructuralComparison.cs:3:14:3:18 | {...} | (kind:Stmt(1)) |
 | StructuralComparison.cs:5:26:5:26 | access to field x | (kind:Expr(16),true,x) |
-| StructuralComparison.cs:5:26:5:26 | this access | (kind:Expr(12),false,Class) |
+| StructuralComparison.cs:5:26:5:26 | this access | (kind:Expr(12)) |
 | StructuralComparison.cs:5:26:5:30 | ... = ... | ((kind:Expr(16),true,x) :: (0 :: (kind:Expr(63)))) |
 | StructuralComparison.cs:5:30:5:30 | 0 | 0 |
 | StructuralComparison.cs:6:26:6:26 | access to field y | (kind:Expr(16),true,y) |
-| StructuralComparison.cs:6:26:6:26 | this access | (kind:Expr(12),false,Class) |
+| StructuralComparison.cs:6:26:6:26 | this access | (kind:Expr(12)) |
 | StructuralComparison.cs:6:26:6:30 | ... = ... | ((kind:Expr(16),true,y) :: (1 :: (kind:Expr(63)))) |
 | StructuralComparison.cs:6:30:6:30 | 1 | 1 |
 | StructuralComparison.cs:8:24:8:24 | 0 | 0 |

docs/codeql/codeql-language-guides/customizing-library-models-for-javascript.rst

@@ -406,7 +406,7 @@ Adds a new taint source. Most taint-tracking queries will use the new source.
 
 - **type**: Name of a type from which to evaluate **path**.
 - **path**: Access path leading to the source.
-- **kind**: Kind of source to add. See the section on source kinds for a list of supported kinds.
+- **kind**: Kind of source to add. Currently only **remote** is used.
 
 Example:
 
@@ -553,16 +553,7 @@ Kinds
 Source kinds
 ~~~~~~~~~~~~
 
-- **remote**: A general source of remote flow.
-- **browser**: A source in the browser environment that does not fit a more specific browser kind.
-- **browser-url-query**: A source derived from the query parameters of the browser URL, such as ``location.search``.
-- **browser-url-fragment**: A source derived from the fragment part of the browser URL, such as ``location.hash``.
-- **browser-url-path**: A source derived from the pathname of the browser URL, such as ``location.pathname``.
-- **browser-url**: A source derived from the browser URL, where the untrusted part is prefixed by trusted data such as the scheme and hostname.
-- **browser-window-name**: A source derived from the window name, such as ``window.name``.
-- **browser-message-event**: A source derived from cross-window message passing, such as ``event`` in ``window.onmessage = event => {...}``.
-
-See also :ref:`Threat models <threat-models-javascript>`.
+See documentation below for :ref:`Threat models <threat-models-javascript>`.
 
 Sink kinds
 ~~~~~~~~~~

go/extractor/go.mod

@@ -9,8 +9,8 @@ toolchain go1.26.0
 // when adding or removing dependencies, run
 //    bazel mod tidy
 require (
-	golang.org/x/mod v0.34.0
-	golang.org/x/tools v0.43.0
+	golang.org/x/mod v0.33.0
+	golang.org/x/tools v0.42.0
 )
 
 require github.com/stretchr/testify v1.11.1
@@ -18,6 +18,6 @@ require github.com/stretchr/testify v1.11.1
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	golang.org/x/sync v0.20.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go/extractor/go.sum

@@ -6,12 +6,12 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI=
-golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY=
-golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
-golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
-golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s=
-golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0=
+golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
+golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
+golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

go/ql/lib/Customizations.qll

@@ -8,7 +8,5 @@
  * `FileSystemAccess`, or the `Source` and `Sink` classes associated with the security queries
  * to model frameworks that are not covered by the standard library.
  */
-overlay[local?]
-module;
 
 import go

go/ql/lib/go.qll

@@ -1,8 +1,6 @@
 /**
  * Provides classes for working with Go programs.
  */
-overlay[local?]
-module;
 
 import Customizations
 import semmle.go.Architectures

go/ql/lib/ideContextual.qll

@@ -2,8 +2,6 @@
  * Provides classes and predicates related to contextual queries
  * in the code viewer.
  */
-overlay[local?]
-module;
 
 import go
 private import codeql.util.FileSystem

go/ql/lib/semmle/go/AST.qll

@@ -1,8 +1,6 @@
 /**
  * Provides classes for working with AST nodes.
  */
-overlay[local]
-module;
 
 import go
 

go/ql/lib/semmle/go/Architectures.qll

@@ -1,6 +1,4 @@
 /** Provides classes for working with architectures. */
-overlay[local]
-module;
 
 import go
 

go/ql/lib/semmle/go/Comments.qll

@@ -1,8 +1,6 @@
 /**
  * Provides classes for working with code comments.
  */
-overlay[local]
-module;
 
 import go
 

go/ql/lib/semmle/go/Concepts.qll

@@ -3,8 +3,6 @@
  * access or system command execution, for which individual framework libraries
  * provide concrete subclasses.
  */
-overlay[local?]
-module;
 
 import go
 import semmle.go.dataflow.FunctionInputsAndOutputs

go/ql/lib/semmle/go/Decls.qll

@@ -1,8 +1,6 @@
 /**
  * Provides classes for working with declarations.
  */
-overlay[local]
-module;
 
 import go
 

go/ql/lib/semmle/go/DiagnosticsReporting.qll

@@ -1,6 +1,4 @@
 /** Provides classes for working with errors and warnings recorded during extraction. */
-overlay[local]
-module;
 
 import go
 

go/ql/lib/semmle/go/Errors.qll

@@ -1,6 +1,4 @@
 /** Provides classes for working with Go frontend errors recorded during extraction. */
-overlay[local]
-module;
 
 import go
 

go/ql/lib/semmle/go/Expr.qll

@@ -1,8 +1,6 @@
 /**
  * Provides classes for working with expressions.
  */
-overlay[local]
-module;
 
 import go
 
@@ -831,7 +829,7 @@ class ConversionExpr extends CallOrConversionExpr {
 /**
  * A function call expression.
  *
- * On databases with incomplete type information, type conversions may be misclassified
+ * On snapshots with incomplete type information, type conversions may be misclassified
  * as function call expressions.
  *
  * Examples:
@@ -2037,9 +2035,6 @@ class ConstantName extends ValueName {
   override string getAPrimaryQlClass() { result = "ConstantName" }
 }
 
-/** Holds if `e` is an expression that refers to the `nil` constant. */
-predicate exprRefersToNil(Expr e) { e.(ConstantName).getTarget() = Builtin::nil() }
-
 /**
  * A name referring to a variable.
  *
@@ -2098,7 +2093,7 @@ class LabelName extends Name {
  * Holds if `e` is a type expression, as determined by a bottom-up syntactic
  * analysis starting with `TypeName`s.
  *
- * On a database with full type information, this predicate covers all type
+ * On a snapshot with full type information, this predicate covers all type
  * expressions. However, if type information is missing then not all type names
  * may be identified as such, so not all type expressions can be determined by
  * a bottom-up analysis. In such cases, `isTypeExprTopDown` below is useful.
@@ -2136,12 +2131,11 @@ private predicate isTypeExprBottomUp(Expr e) {
  * Holds if `e` must be a type expression because it either occurs in a syntactic
  * position where a type is expected, or it is part of a larger type expression.
  *
- * This predicate is only needed on databases for which type information is
- * incomplete - for example, when some dependencies could not be reached during
- * extraction. It is an underapproximation; in cases where it is syntactically
- * ambiguous whether an expression refers to a type or a value, we conservatively
- * assume that it may be the latter and so this predicate does not consider the
- * expression to be a type expression.
+ * This predicate is only needed on snapshots for which type information is
+ * incomplete. It is an underapproximation; in cases where it is syntactically ambiguous
+ * whether an expression refers to a type or a value, we conservatively assume that
+ * it may be the latter and so this predicate does not consider the expression to be
+ * a type expression.
  */
 pragma[nomagic]
 private predicate isTypeExprTopDown(Expr e) {
@@ -2151,12 +2145,20 @@ private predicate isTypeExprTopDown(Expr e) {
   or
   e = any(ArrayTypeExpr ae).getElement()
   or
-  e = any(FieldBase fb).getTypeExpr()
+  e = any(FieldDecl f).getTypeExpr()
+  or
+  e = any(ParameterDecl pd).getTypeExpr()
   or
   e = any(TypeParamDecl tpd).getTypeConstraintExpr()
   or
   e = any(TypeParamDecl tpd).getNameExpr(_)
   or
+  e = any(ReceiverDecl rd).getTypeExpr()
+  or
+  e = any(ResultVariableDecl rvd).getTypeExpr()
+  or
+  e = any(MethodSpec md).getTypeExpr()
+  or
   e = any(MapTypeExpr mt).getKeyTypeExpr()
   or
   e = any(MapTypeExpr mt).getValueTypeExpr()
@@ -2173,7 +2175,7 @@ private predicate isTypeExprTopDown(Expr e) {
   or
   e = any(TypeSwitchStmt s).getACase().getExpr(_) and
   // special case: `nil` is allowed in a type case but isn't a type
-  not exprRefersToNil(e)
+  not e = Builtin::nil().getAReference()
   or
   e = any(SelectorExpr sel | isTypeExprTopDown(sel)).getBase()
   or

go/ql/lib/semmle/go/Files.qll

@@ -1,6 +1,4 @@
 /** Provides classes for working with files and folders. */
-overlay[local]
-module;
 
 import go
 private import codeql.util.FileSystem

go/ql/lib/semmle/go/GoMod.qll

@@ -1,8 +1,6 @@
 /**
  * Provides classes for working with go.mod files.
  */
-overlay[local]
-module;
 
 import go
 

go/ql/lib/semmle/go/HTML.qll

@@ -1,6 +1,4 @@
 /** Provides classes for working with HTML documents. */
-overlay[local]
-module;
 
 import go
 

go/ql/lib/semmle/go/Locations.qll

@@ -1,6 +1,4 @@
 /** Provides classes for working with locations and program elements that have locations. */
-overlay[local]
-module;
 
 import go
 private import semmle.go.Overlay

go/ql/lib/semmle/go/Packages.qll

@@ -1,8 +1,6 @@
 /**
  * Provides classes for working with packages.
  */
-overlay[local]
-module;
 
 import go
 

go/ql/lib/semmle/go/PrintAst.qll

@@ -1,8 +1,6 @@
 /**
  * Provides queries to pretty-print a Go AST as a graph.
  */
-overlay[local]
-module;
 
 import go
 

go/ql/lib/semmle/go/Scopes.qll

@@ -1,8 +1,6 @@
 /**
  * Provides classes for working with scopes and declared objects.
  */
-overlay[local]
-module;
 
 import go
 

go/ql/lib/semmle/go/Stmt.qll

@@ -1,8 +1,6 @@
 /**
  * Provides classes for working with statements.
  */
-overlay[local]
-module;
 
 import go
 

go/ql/lib/semmle/go/StringOps.qll

@@ -1,8 +1,6 @@
 /**
  * Provides predicates and classes for working with string operations.
  */
-overlay[local?]
-module;
 
 import go
 

go/ql/lib/semmle/go/Types.qll

@@ -1,8 +1,6 @@
 /**
  * Provides classes for working with Go types.
  */
-overlay[local]
-module;
 
 import go
 

go/ql/lib/semmle/go/Util.qll

@@ -1,6 +1,4 @@
 /** This module provides general utility classes and predicates. */
-overlay[local]
-module;
 
 /**
  * A Boolean value.

go/ql/lib/semmle/go/VariableWithFields.qll

@@ -1,6 +1,4 @@
 /** Provides the `VariableWithFields` class, for working with variables with a chain of field or element accesses chained to it. */
-overlay[local]
-module;
 
 import go
 

go/ql/lib/semmle/go/concepts/GeneratedFile.qll

@@ -1,6 +1,4 @@
 /** Provides a class for generated files. */
-overlay[local]
-module;
 
 import go
 

go/ql/lib/semmle/go/concepts/HTTP.qll

@@ -1,8 +1,6 @@
 /**
  * Provides classes for working with HTTP-related concepts such as requests and responses.
  */
-overlay[local?]
-module;
 
 import go
 

go/ql/lib/semmle/go/controlflow/BasicBlocks.qll

@@ -1,8 +1,6 @@
 /**
  * Provides classes for working with basic blocks.
  */
-overlay[local]
-module;
 
 import go
 private import ControlFlowGraphImpl

go/ql/lib/semmle/go/controlflow/ControlFlowGraph.qll

@@ -1,8 +1,6 @@
 /**
  * Provides classes for working with a CFG-based program representation.
  */
-overlay[local]
-module;
 
 import go
 private import ControlFlowGraphImpl
@@ -64,7 +62,6 @@ module ControlFlow {
     BasicBlock getBasicBlock() { result.getANode() = this }
 
     /** Holds if this node dominates `dominee` in the control-flow graph. */
-    overlay[caller?]
     pragma[inline]
     predicate dominatesNode(ControlFlow::Node dominee) {
       exists(ReachableBasicBlock thisbb, ReachableBasicBlock dbb, int i, int j |

go/ql/lib/semmle/go/controlflow/ControlFlowGraphImpl.qll

@@ -3,8 +3,6 @@
  *
  * Provides predicates for building intra-procedural CFGs.
  */
-overlay[local]
-module;
 
 import go
 

go/ql/lib/semmle/go/controlflow/IR.qll

@@ -9,8 +9,6 @@
  * Each instruction is also a control-flow node, but there are control-flow nodes that are not
  * instructions (synthetic entry and exit nodes, as well as no-op skip nodes).
  */
-overlay[local]
-module;
 
 import go
 private import semmle.go.controlflow.ControlFlowGraphImpl
@@ -296,7 +294,7 @@ module IR {
   /**
    * An IR instruction that reads the value of a field.
    *
-   * On databases with incomplete type information, method expressions may sometimes be
+   * On snapshots with incomplete type information, method expressions may sometimes be
    * misclassified as field reads.
    */
   class FieldReadInstruction extends ComponentReadInstruction {

go/ql/lib/semmle/go/dataflow/DataFlow.qll

@@ -14,8 +14,6 @@
  * (intraprocedural) data flow, invoke `DataFlow::localFlow` or
  * `DataFlow::LocalFlowStep` with arguments of type `DataFlow::Node`.
  */
-overlay[local?]
-module;
 
 import go
 

go/ql/lib/semmle/go/dataflow/ExternalFlow.qll

@@ -84,8 +84,6 @@
  *    "taint" indicates a default additional taint step and "value" indicates a
  *    globally applicable value-preserving step.
  */
-overlay[local?]
-module;
 
 private import go
 private import internal.ExternalFlowExtensions::Extensions as Extensions

go/ql/lib/semmle/go/dataflow/FlowSummary.qll

@@ -1,8 +1,6 @@
 /**
  * Provides classes and predicates for defining flow summaries.
  */
-overlay[local?]
-module;
 
 import go
 private import internal.FlowSummaryImpl as Impl

go/ql/lib/semmle/go/dataflow/FunctionInputsAndOutputs.qll

@@ -2,8 +2,6 @@
  * Provides QL classes for indicating data flow through a function parameter, return value,
  * or receiver.
  */
-overlay[local]
-module;
 
 import go
 private import semmle.go.dataflow.internal.DataFlowPrivate

go/ql/lib/semmle/go/dataflow/GlobalValueNumbering.qll

@@ -29,8 +29,6 @@
  * common reason for this is that the analysis cannot prove that there
  * are no side-effects that might cause the computed value to change.
  */
-overlay[local]
-module;
 
 /*
  * Note to developers: the correctness of this module depends on the

go/ql/lib/semmle/go/dataflow/Properties.qll

@@ -1,8 +1,6 @@
 /**
  * Provides a class for representing and reasoning about properties of data-flow nodes.
  */
-overlay[local]
-module;
 
 import go
 
@@ -24,7 +22,7 @@ class Property extends TProperty {
       isTrue = eq.getPolarity().booleanXor(e.getBoolValue().booleanXor(outcome))
       or
       this = IsNil(isTrue) and
-      exprRefersToNil(e) and
+      e = Builtin::nil().getAReference() and
       isTrue = eq.getPolarity().booleanXor(outcome).booleanNot()
     )
     or

go/ql/lib/semmle/go/dataflow/SSA.qll

@@ -1,8 +1,6 @@
 /**
  * Provides classes for working with static single assignment form (SSA).
  */
-overlay[local]
-module;
 
 import go
 private import SsaImpl

go/ql/lib/semmle/go/dataflow/SsaImpl.qll

@@ -3,8 +3,6 @@
  *
  * Provides predicates for constructing an SSA representation for functions.
  */
-overlay[local]
-module;
 
 import go
 

go/ql/lib/semmle/go/dataflow/TaintTracking.qll

@@ -2,8 +2,6 @@
  * Provides classes for performing local (intra-procedural) and
  * global (inter-procedural) taint-tracking analyses.
  */
-overlay[local?]
-module;
 
 import semmle.go.dataflow.DataFlow
 

go/ql/lib/semmle/go/dataflow/barrierguardutil/RedirectCheckBarrierGuard.qll

@@ -1,8 +1,6 @@
 /**
  * Provides an implementation of a commonly used barrier guard for sanitizing untrusted URLs.
  */
-overlay[local?]
-module;
 
 import go
 

go/ql/lib/semmle/go/dataflow/barrierguardutil/RegexpCheck.qll

@@ -1,8 +1,6 @@
 /**
  * Provides an implementation of a commonly used barrier guard for sanitizing untrusted URLs.
  */
-overlay[local?]
-module;
 
 import go
 

go/ql/lib/semmle/go/dataflow/barrierguardutil/UrlCheck.qll

@@ -1,8 +1,6 @@
 /**
  * Provides an implementation of a commonly used barrier guard for sanitizing untrusted URLs.
  */
-overlay[local?]
-module;
 
 import go
 

go/ql/lib/semmle/go/dataflow/internal/ContainerFlow.qll

@@ -1,6 +1,4 @@
 /** Contains predicates for dealing with container flow. */
-overlay[local?]
-module;
 
 import go
 private import DataFlowNodes

go/ql/lib/semmle/go/dataflow/internal/DataFlowDispatch.qll

@@ -1,6 +1,3 @@
-overlay[local?]
-module;
-
 private import go
 private import DataFlowPrivate
 
@@ -122,7 +119,6 @@ class ArgumentPosition extends int {
 }
 
 /** Holds if arguments at position `apos` match parameters at position `ppos`. */
-overlay[caller?]
 pragma[inline]
 predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos }
 
@@ -134,7 +130,6 @@ private predicate isInterfaceMethod(Method c) {
  * Holds if `call` is passing `arg` to param `p` in any circumstance except passing
  * a receiver parameter to a concrete method.
  */
-overlay[caller?]
 pragma[inline]
 predicate golangSpecificParamArgFilter(
   DataFlowCall call, DataFlow::ParameterNode p, DataFlow::ArgumentNode arg

go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl.qll

@@ -1,6 +1,3 @@
-overlay[local?]
-module;
-
 private import DataFlowImplSpecific
 private import codeql.dataflow.internal.DataFlowImpl
 private import semmle.go.Locations

go/ql/lib/semmle/go/dataflow/internal/DataFlowImplCommon.qll

@@ -1,6 +1,3 @@
-overlay[local?]
-module;
-
 private import DataFlowImplSpecific
 private import codeql.dataflow.internal.DataFlowImplCommon
 private import semmle.go.Locations

go/ql/lib/semmle/go/dataflow/internal/DataFlowImplConsistency.qll

@@ -2,8 +2,6 @@
  * Provides consistency queries for checking invariants in the language-specific
  * data-flow classes and predicates.
  */
-overlay[local?]
-module;
 
 private import go
 private import DataFlowImplSpecific as Impl

go/ql/lib/semmle/go/dataflow/internal/DataFlowImplSpecific.qll

@@ -1,8 +1,6 @@
 /**
  * Provides Go-specific definitions for use in the data flow library.
  */
-overlay[local?]
-module;
 
 private import codeql.dataflow.DataFlow
 private import semmle.go.Locations

go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll

@@ -1,6 +1,3 @@
-overlay[local]
-module;
-
 private import go
 private import semmle.go.dataflow.FunctionInputsAndOutputs
 private import semmle.go.dataflow.FlowSummary

go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll

@@ -1,6 +1,3 @@
-overlay[local?]
-module;
-
 private import go
 private import DataFlowUtil
 private import DataFlowImplCommon
@@ -481,6 +478,5 @@ predicate allowParameterReturnInSelf(ParameterNode p) {
 class ContentApprox = Unit;
 
 /** Gets an approximated value for content `c`. */
-overlay[caller?]
 pragma[inline]
 ContentApprox getContentApprox(Content c) { any() }

go/ql/lib/semmle/go/dataflow/internal/DataFlowUtil.qll

@@ -1,8 +1,6 @@
 /**
  * Provides Go-specific definitions for use in the data flow library.
  */
-overlay[local?]
-module;
 
 private import go
 private import semmle.go.dataflow.FunctionInputsAndOutputs
@@ -149,7 +147,6 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo, string model) {
  * Holds if data flows from `source` to `sink` in zero or more local
  * (intra-procedural) steps.
  */
-overlay[caller?]
 pragma[inline]
 predicate localFlow(Node source, Node sink) { localFlowStep*(source, sink) }
 
@@ -563,7 +560,7 @@ private predicate onlyPossibleReturnOfBool(FuncDecl fd, FunctionOutput res, Node
  */
 predicate possiblyReturnsNonNil(FuncDecl fd, FunctionOutput res, Node ret) {
   ret = res.getEntryNode(fd) and
-  not exprRefersToNil(ret.asExpr())
+  not ret.asExpr() = Builtin::nil().getAReference()
 }
 
 /**
@@ -573,7 +570,7 @@ predicate possiblyReturnsNonNil(FuncDecl fd, FunctionOutput res, Node ret) {
 private predicate onlyPossibleReturnOfNonNil(FuncDecl fd, FunctionOutput res, Node ret) {
   possiblyReturnsNonNil(fd, res, ret) and
   forall(Node otherRet | otherRet = res.getEntryNode(fd) and otherRet != ret |
-    exprRefersToNil(otherRet.asExpr())
+    otherRet.asExpr() = Builtin::nil().getAReference()
   )
 }
 
@@ -612,7 +609,7 @@ private predicate isCertainlyNotNil(DataFlow::Node node) {
  */
 private predicate onlyPossibleReturnOfNil(FuncDecl fd, FunctionOutput res, DataFlow::Node ret) {
   ret = res.getEntryNode(fd) and
-  exprRefersToNil(ret.asExpr()) and
+  ret.asExpr() = Builtin::nil().getAReference() and
   forall(DataFlow::Node otherRet | otherRet = res.getEntryNode(fd) and otherRet != ret |
     isCertainlyNotNil(otherRet)
   )

go/ql/lib/semmle/go/dataflow/internal/ExternalFlowExtensions.qll

@@ -1,8 +1,6 @@
 /**
  * This module provides extensible predicates for defining MaD models.
  */
-overlay[local?]
-module;
 
 private import codeql.mad.static.ModelsAsData as SharedMaD
 

go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll

@@ -1,8 +1,6 @@
 /**
  * Provides classes and predicates for defining flow summaries.
  */
-overlay[local?]
-module;
 
 private import go
 private import codeql.dataflow.internal.FlowSummaryImpl

go/ql/lib/semmle/go/dataflow/internal/TaintTrackingImplSpecific.qll

@@ -1,8 +1,6 @@
 /**
  * Provides Go-specific definitions for use in the taint tracking library.
  */
-overlay[local?]
-module;
 
 private import codeql.dataflow.TaintTracking
 private import DataFlowImplSpecific

go/ql/lib/semmle/go/dataflow/internal/TaintTrackingUtil.qll

@@ -1,8 +1,6 @@
 /**
  * Provides Go-specific definitions for use in the taint-tracking library.
  */
-overlay[local?]
-module;
 
 private import go
 private import FlowSummaryImpl as FlowSummaryImpl
@@ -13,7 +11,6 @@ private import DataFlowPrivate as DataFlowPrivate
  * Holds if taint can flow from `src` to `sink` in zero or more
  * local (intra-procedural) steps.
  */
-overlay[caller?]
 pragma[inline]
 predicate localTaint(DataFlow::Node src, DataFlow::Node sink) { localTaintStep*(src, sink) }
 
@@ -21,7 +18,6 @@ predicate localTaint(DataFlow::Node src, DataFlow::Node sink) { localTaintStep*(
  * Holds if taint can flow from `src` to `sink` in zero or more
  * local (intra-procedural) steps.
  */
-overlay[caller?]
 pragma[inline]
 predicate localExprTaint(Expr src, Expr sink) {
   localTaint(DataFlow::exprNode(src), DataFlow::exprNode(sink))
@@ -422,7 +418,7 @@ predicate functionEnsuresInputIsConstant(
     forex(DataFlow::Node ret, IR::ReturnInstruction ri |
       ret = outp.getEntryNode(fd) and
       ri.getReturnStmt().getAnExpr() = ret.asExpr() and
-      exprRefersToNil(ret.asExpr())
+      ret.asExpr() = Builtin::nil().getAReference()
     |
       DataFlow::localFlow(inp.getExitNode(fd), _) and
       mustPassConstantCaseTestToReach(ri, inp.getExitNode(fd))

go/ql/lib/semmle/go/dependencies/Dependencies.qll

@@ -1,8 +1,6 @@
 /**
  * Provides classes for modeling go.mod dependencies.
  */
-overlay[local?]
-module;
 
 import go
 

go/ql/lib/semmle/go/dependencies/SemVer.qll

@@ -1,8 +1,6 @@
 /**
  * Provides classes for dealing with semantic versions, for dependency versions.
  */
-overlay[local?]
-module;
 
 import semmle.go.dependencies.Dependencies
 

go/ql/lib/semmle/go/frameworks/Afero.qll

@@ -2,8 +2,6 @@
  * Provides classes for working with sinks and taint propagators
  * from the `github.com/spf13/afero` package.
  */
-overlay[local?]
-module;
 
 import go
 

go/ql/lib/semmle/go/frameworks/AwsLambda.qll

@@ -2,8 +2,6 @@
  * Provides classes for working with remote flow sources, sinks and taint propagators
  * from the `github.com/aws/aws-lambda-go/lambda` package.
  */
-overlay[local?]
-module;
 
 import go
 

go/ql/lib/semmle/go/frameworks/Beego.qll

@@ -2,8 +2,6 @@
  * Provides classes for working with remote flow sources, sinks and taint propagators
  * from the `github.com/beego/beego` package.
  */
-overlay[local?]
-module;
 
 import go
 import semmle.go.security.Xss

go/ql/lib/semmle/go/frameworks/BeegoOrm.qll

@@ -2,8 +2,6 @@
  * Provides classes for working with remote flow sources, sinks and taint propagators
  * from the `github.com/astaxie/beego/orm` subpackage.
  */
-overlay[local?]
-module;
 
 import go
 private import semmle.go.security.StoredXssCustomizations

go/ql/lib/semmle/go/frameworks/Bun.qll

@@ -1,8 +1,6 @@
 /**
  * Provides classes modeling security-relevant aspects of the `Bun` package.
  */
-overlay[local?]
-module;
 
 import go
 

go/ql/lib/semmle/go/frameworks/Couchbase.qll

@@ -1,8 +1,6 @@
 /**
  * Provides models of commonly used functions in the official Couchbase Go SDK library.
  */
-overlay[local?]
-module;
 
 import go
 

go/ql/lib/semmle/go/frameworks/CryptoLibraries.qll

@@ -1,8 +1,6 @@
 /**
  * Provides classes for modeling cryptographic libraries.
  */
-overlay[local?]
-module;
 
 import go
 import semmle.go.Concepts::Cryptography

go/ql/lib/semmle/go/frameworks/Echo.qll

@@ -2,8 +2,6 @@
  * Provides classes for working with remote flow sources, taint propagators, and HTTP sinks
  * from the `github.com/labstack/echo` package.
  */
-overlay[local?]
-module;
 
 import go
 

go/ql/lib/semmle/go/frameworks/ElazarlGoproxy.qll

@@ -1,8 +1,6 @@
 /**
  * Provides classes for working with concepts relating to the [github.com/elazarl/goproxy](https://pkg.go.dev/github.com/elazarl/goproxy) package.
  */
-overlay[local?]
-module;
 
 import go
 

go/ql/lib/semmle/go/frameworks/Email.qll

@@ -1,6 +1,4 @@
 /** Provides classes for working with email-related APIs. */
-overlay[local?]
-module;
 
 import go
 

go/ql/lib/semmle/go/frameworks/Encoding.qll

@@ -1,8 +1,6 @@
 /**
  * Provides classes modeling taint propagation through marshalling and encoding functions.
  */
-overlay[local?]
-module;
 
 import go
 

go/ql/lib/semmle/go/frameworks/Fasthttp.qll

@@ -2,8 +2,6 @@
  * Provides classes for working with remote flow sources, sinks and taint propagators
  * from the `github.com/valyala/fasthttp` package.
  */
-overlay[local?]
-module;
 
 import go
 private import semmle.go.security.RequestForgeryCustomizations

go/ql/lib/semmle/go/frameworks/Gin.qll

@@ -1,8 +1,6 @@
 /**
  * Provides classes for modeling the `github.com/gin-gonic/gin` package.
  */
-overlay[local?]
-module;
 
 import go
 import semmle.go.concepts.HTTP

go/ql/lib/semmle/go/frameworks/GinCors.qll

@@ -1,8 +1,6 @@
 /**
  * Provides classes for modeling the `github.com/gin-contrib/cors` package.
  */
-overlay[local?]
-module;
 
 import go