Python: Remove some FPs for ContainsNonContainer.ql

First fix handles the case where there's interference from a class-based decorator on a function. In this case, _technically_ we have an instance of the decorator class, but in practice this decorator will (hopefully) forward all accesses to the thing it wraps. The second fix has to do with methods that are added dynamically using `setattr`. In this case, we cannot be sure that the relevant methods are actually missing.
Python: Exclude iterators guarded by isinstance checks
2026-05-27 09:31:30 +02:00 · 2026-03-16 14:36:29 +00:00 · 2026-03-16 14:33:59 +00:00 · 2026-03-13 16:36:36 +00:00 · 2026-03-11 16:59:22 +00:00 · 2026-03-11 16:59:21 +00:00
900 changed files with 4894 additions and 4778 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -45,5 +45,3 @@ updates:
    directory: "/"
    schedule:
      interval: weekly
-    exclude-paths:
-      - "misc/bazel/registry/**"
--- a/.github/workflows/compile-queries.yml
+++ b/.github/workflows/compile-queries.yml
@@ -0,0 +1,78 @@
+name: "Compile all queries using the latest stable CodeQL CLI"
+
+on:
+  push:
+    branches:  # makes sure the cache gets populated - running on the branches people tend to merge into.
+      - main
+      - "rc/*"
+      - "codeql-cli-*"
+  pull_request:
+    paths:
+      - '**.ql'
+      - '**.qll'
+      - '**/qlpack.yml'
+      - '**.dbscheme'
+
+permissions:
+  contents: read
+
+jobs:
+  detect-changes:
+    if: github.repository_owner == 'github'
+    runs-on: ubuntu-latest
+    outputs:
+      languages: ${{ steps.detect.outputs.languages }}
+    steps:
+      - uses: actions/checkout@v5
+      - name: Detect changed languages
+        id: detect
+        run: |
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            # For PRs, detect which languages have changes
+            changed_files=$(gh pr view ${{ github.event.pull_request.number }} --json files --jq '.files.[].path')
+            languages=()
+            for lang in actions cpp csharp go java javascript python ql ruby rust swift; do
+              if echo "$changed_files" | grep -qE "^($lang/|shared/)" ; then
+                languages+=("$lang")
+              fi
+            done
+            echo "languages=$(jq -c -n '$ARGS.positional' --args "${languages[@]}")" >> $GITHUB_OUTPUT
+          else
+            # For pushes to main/rc branches, run all languages
+            echo 'languages=["actions","cpp","csharp","go","java","javascript","python","ql","ruby","rust","swift"]' >> $GITHUB_OUTPUT
+          fi
+        env:
+          GH_TOKEN: ${{ github.token }}
+
+  compile-queries:
+    needs: detect-changes
+    if: github.repository_owner == 'github' && needs.detect-changes.outputs.languages != '[]'
+    runs-on: ubuntu-latest-xl
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ${{ fromJson(needs.detect-changes.outputs.languages) }}
+
+    steps:
+      - uses: actions/checkout@v5
+      - name: Setup CodeQL
+        uses: ./.github/actions/fetch-codeql
+        with:
+          channel: 'release'
+      - name: Cache compilation cache
+        id: query-cache
+        uses: ./.github/actions/cache-query-compilation
+        with: 
+          key: ${{ matrix.language }}-queries
+      - name: check formatting
+        run: find shared ${{ matrix.language }}/ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
+      - name: compile queries - check-only
+        # run with --check-only if running in a PR (github.sha != main)
+        if : ${{ github.event_name == 'pull_request' }}
+        shell: bash
+        run: codeql query compile -q -j0 ${{ matrix.language }}/ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
+      - name: compile queries - full
+        # do full compile if running on main - this populates the cache
+        if : ${{ github.event_name != 'pull_request' }}
+        shell: bash
+        run: codeql query compile -q -j0 ${{ matrix.language }}/ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
--- a/.github/workflows/ql-for-ql-dataset_measure.yml
+++ b/.github/workflows/ql-for-ql-dataset_measure.yml
@@ -76,7 +76,7 @@ jobs:
    needs: measure
    steps:
      - uses: actions/checkout@v5
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@v4
        with:
          name: measurements
          path: stats
--- a/.github/workflows/ruby-build.yml
+++ b/.github/workflows/ruby-build.yml
@@ -0,0 +1,236 @@
+name: "Ruby: Build"
+
+on:
+  push:
+    paths:
+      - "ruby/**"
+      - .github/workflows/ruby-build.yml
+      - .github/actions/fetch-codeql/action.yml
+      - codeql-workspace.yml
+      - "shared/tree-sitter-extractor/**"
+    branches:
+      - main
+      - "rc/*"
+  pull_request:
+    paths:
+      - "ruby/**"
+      - .github/workflows/ruby-build.yml
+      - .github/actions/fetch-codeql/action.yml
+      - codeql-workspace.yml
+      - "shared/tree-sitter-extractor/**"
+    branches:
+      - main
+      - "rc/*"
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Version tag to create"
+        required: false
+
+env:
+  CARGO_TERM_COLOR: always
+
+defaults:
+  run:
+    working-directory: ruby
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+
+    runs-on: ${{ matrix.os }}
+
+    steps:
+      - uses: actions/checkout@v5
+      - name: Install GNU tar
+        if: runner.os == 'macOS'
+        run: |
+          brew install gnu-tar
+          echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
+      - name: Prepare Windows
+        if: runner.os == 'Windows'
+        shell: powershell
+        run: |
+          git config --global core.longpaths true
+      - uses: ./.github/actions/os-version
+        id: os_version
+      - name: Cache entire extractor
+        uses: actions/cache@v3
+        id: cache-extractor
+        with:
+          path: |
+            target/release/codeql-extractor-ruby
+            target/release/codeql-extractor-ruby.exe
+            ruby/extractor/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
+          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-extractor-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/Cargo.lock') }}-${{ hashFiles('shared/tree-sitter-extractor') }}-${{ hashFiles('ruby/extractor/**/*.rs') }}
+      - uses: actions/cache@v3
+        if: steps.cache-extractor.outputs.cache-hit != 'true'
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            target
+          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-rust-cargo-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/**/Cargo.lock') }}
+      - name: Check formatting
+        if: steps.cache-extractor.outputs.cache-hit != 'true'
+        run: cd extractor && cargo fmt -- --check
+      - name: Build
+        if: steps.cache-extractor.outputs.cache-hit != 'true'
+        run: cd extractor && cargo build --verbose
+      - name: Run tests
+        if: steps.cache-extractor.outputs.cache-hit != 'true'
+        run: cd extractor && cargo test --verbose
+      - name: Release build
+        if: steps.cache-extractor.outputs.cache-hit != 'true'
+        run: cd extractor && cargo build --release
+      - name: Generate dbscheme
+        if: ${{ matrix.os == 'ubuntu-latest' && steps.cache-extractor.outputs.cache-hit != 'true'}}
+        run: ../target/release/codeql-extractor-ruby generate --dbscheme ql/lib/ruby.dbscheme --library ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
+      - uses: actions/upload-artifact@v4
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        with:
+          name: ruby.dbscheme
+          path: ruby/ql/lib/ruby.dbscheme
+      - uses: actions/upload-artifact@v4
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        with:
+          name: TreeSitter.qll
+          path: ruby/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
+      - uses: actions/upload-artifact@v4
+        with:
+          name: extractor-${{ matrix.os }}
+          path: |
+            target/release/codeql-extractor-ruby
+            target/release/codeql-extractor-ruby.exe
+          retention-days: 1
+  compile-queries:
+    if: github.repository_owner == 'github'
+    runs-on: ubuntu-latest-xl
+    steps:
+      - uses: actions/checkout@v5
+      - name: Fetch CodeQL
+        uses: ./.github/actions/fetch-codeql
+      - name: Cache compilation cache
+        id: query-cache
+        uses: ./.github/actions/cache-query-compilation
+        with:
+          key: ruby-build
+      - name: Build Query Pack
+        run: |
+          PACKS=${{ runner.temp }}/query-packs
+          rm -rf $PACKS
+          codeql pack create ../misc/suite-helpers --output "$PACKS"
+          codeql pack create ../shared/regex --output "$PACKS"
+          codeql pack create ../shared/ssa --output "$PACKS"
+          codeql pack create ../shared/tutorial --output "$PACKS"
+          codeql pack create ql/lib --output "$PACKS"
+          codeql pack create -j0 ql/src --output "$PACKS" --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+          PACK_FOLDER=$(readlink -f "$PACKS"/codeql/ruby-queries/*)
+          codeql generate query-help --format=sarifv2.1.0 --output="${PACK_FOLDER}/rules.sarif" ql/src
+          (cd ql/src; find queries \( -name '*.qhelp' -o -name '*.rb' -o -name '*.erb' \) -exec bash -c 'mkdir -p "'"${PACK_FOLDER}"'/$(dirname "{}")"' \; -exec cp "{}" "${PACK_FOLDER}/{}" \;)
+      - uses: actions/upload-artifact@v4
+        with:
+          name: codeql-ruby-queries
+          path: |
+            ${{ runner.temp }}/query-packs/*
+          retention-days: 1
+          include-hidden-files: true
+
+  package:
+    runs-on: ubuntu-latest
+    needs: [build, compile-queries]
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/download-artifact@v4
+        with:
+          name: ruby.dbscheme
+          path: ruby/ruby
+      - uses: actions/download-artifact@v4
+        with:
+          name: extractor-ubuntu-latest
+          path: ruby/linux64
+      - uses: actions/download-artifact@v4
+        with:
+          name: extractor-windows-latest
+          path: ruby/win64
+      - uses: actions/download-artifact@v4
+        with:
+          name: extractor-macos-latest
+          path: ruby/osx64
+      - run: |
+          mkdir -p ruby
+          cp -r codeql-extractor.yml tools ql/lib/ruby.dbscheme.stats ruby/
+          mkdir -p ruby/tools/{linux64,osx64,win64}
+          cp linux64/codeql-extractor-ruby ruby/tools/linux64/extractor
+          cp osx64/codeql-extractor-ruby ruby/tools/osx64/extractor
+          cp win64/codeql-extractor-ruby.exe ruby/tools/win64/extractor.exe
+          chmod +x ruby/tools/{linux64,osx64}/extractor
+          zip -rq codeql-ruby.zip ruby
+      - uses: actions/upload-artifact@v4
+        with:
+          name: codeql-ruby-pack
+          path: ruby/codeql-ruby.zip
+          retention-days: 1
+          include-hidden-files: true
+      - uses: actions/download-artifact@v4
+        with:
+          name: codeql-ruby-queries
+          path: ruby/qlpacks
+      - run: |
+          echo '{
+            "provide": [
+            "ruby/codeql-extractor.yml",
+            "qlpacks/*/*/*/qlpack.yml"
+            ]
+          }' > .codeqlmanifest.json
+          zip -rq codeql-ruby-bundle.zip .codeqlmanifest.json ruby qlpacks
+      - uses: actions/upload-artifact@v4
+        with:
+          name: codeql-ruby-bundle
+          path: ruby/codeql-ruby-bundle.zip
+          retention-days: 1
+          include-hidden-files: true
+
+  test:
+    defaults:
+      run:
+        working-directory: ${{ github.workspace }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+
+    runs-on: ${{ matrix.os }}
+    needs: [package]
+    steps:
+      - uses: actions/checkout@v5
+      - name: Fetch CodeQL
+        uses: ./.github/actions/fetch-codeql
+
+      - name: Download Ruby bundle
+        uses: actions/download-artifact@v4
+        with:
+          name: codeql-ruby-bundle
+          path: ${{ runner.temp }}
+      - name: Unzip Ruby bundle
+        shell: bash
+        run: unzip -q -d "${{ runner.temp }}/ruby-bundle" "${{ runner.temp }}/codeql-ruby-bundle.zip"
+
+      - name: Run QL test
+        shell: bash
+        run: |
+          codeql test run --search-path "${{ runner.temp }}/ruby-bundle" --additional-packs "${{ runner.temp }}/ruby-bundle" ruby/ql/test/library-tests/ast/constants/
+      - name: Create database
+        shell: bash
+        run: |
+          codeql database create --search-path "${{ runner.temp }}/ruby-bundle" --language ruby --source-root ruby/ql/test/library-tests/ast/constants/ ../database
+      - name: Analyze database
+        shell: bash
+        run: |
+          codeql database analyze --search-path "${{ runner.temp }}/ruby-bundle" --format=sarifv2.1.0 --output=out.sarif ../database ruby-code-scanning.qls
--- a/.github/workflows/ruby-dataset-measure.yml
+++ b/.github/workflows/ruby-dataset-measure.yml
@@ -0,0 +1,75 @@
+name: "Ruby: Collect database stats"
+
+on:
+  push:
+    branches:
+      - main
+      - "rc/*"
+    paths:
+      - ruby/ql/lib/ruby.dbscheme
+      - .github/workflows/ruby-dataset-measure.yml
+  pull_request:
+    branches:
+      - main
+      - "rc/*"
+    paths:
+      - ruby/ql/lib/ruby.dbscheme
+      - .github/workflows/ruby-dataset-measure.yml
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  measure:
+    env:
+      CODEQL_THREADS: 4 # TODO: remove this once it's set by the CLI
+    strategy:
+      fail-fast: false
+      matrix:
+        repo: [rails/rails, discourse/discourse, spree/spree, ruby/ruby]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+
+      - uses: ./.github/actions/fetch-codeql
+
+      - uses: ./ruby/actions/create-extractor-pack
+
+      - name: Checkout ${{ matrix.repo }}
+        uses: actions/checkout@v5
+        with:
+          repository: ${{ matrix.repo }}
+          path: ${{ github.workspace }}/repo
+      - name: Create database
+        run: |
+          codeql database create \
+            --search-path "${{ github.workspace }}" \
+            --threads 4 \
+            --language ruby --source-root "${{ github.workspace }}/repo" \
+            "${{ runner.temp }}/database"
+      - name: Measure database
+        run: |
+          mkdir -p "stats/${{ matrix.repo }}"
+          codeql dataset measure --threads 4 --output "stats/${{ matrix.repo }}/stats.xml" "${{ runner.temp }}/database/db-ruby"
+      - uses: actions/upload-artifact@v4
+        with:
+          name: measurements-${{ hashFiles('stats/**') }}
+          path: stats
+          retention-days: 1
+
+  merge:
+    runs-on: ubuntu-latest
+    needs: measure
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/download-artifact@v4
+        with:
+          path: stats
+      - run: |
+          python -m pip install --user lxml
+          find stats -name 'stats.xml' | sort | xargs python ruby/scripts/merge_stats.py --output ruby/ql/lib/ruby.dbscheme.stats --normalise ruby_tokeninfo
+      - uses: actions/upload-artifact@v4
+        with:
+          name: ruby.dbscheme.stats
+          path: ruby/ql/lib/ruby.dbscheme.stats
--- a/.github/workflows/ruby-qltest-rtjo.yml
+++ b/.github/workflows/ruby-qltest-rtjo.yml
@@ -0,0 +1,40 @@
+name: "Ruby: Run RTJO Language Tests"
+
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - labeled
+
+env:
+  CARGO_TERM_COLOR: always
+
+defaults:
+  run:
+    working-directory: ruby
+
+permissions:
+  contents: read
+
+jobs:
+  qltest-rtjo:
+    if: "github.repository_owner == 'github' && github.event.label.name == 'Run: RTJO Language Tests'"
+    runs-on: ubuntu-latest-xl
+    strategy:
+      fail-fast: false
+    steps:
+      - uses: actions/checkout@v5
+      - uses: ./.github/actions/fetch-codeql
+      - uses: ./ruby/actions/create-extractor-pack
+      - name: Cache compilation cache
+        id: query-cache
+        uses: ./.github/actions/cache-query-compilation
+        with:
+          key: ruby-qltest
+      - name: Run QL tests
+        run: |
+          codeql test run --dynamic-join-order-mode=all --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
--- a/.github/workflows/ruby-qltest.yml
+++ b/.github/workflows/ruby-qltest.yml
@@ -0,0 +1,73 @@
+name: "Ruby: Run QL Tests"
+
+on:
+  push:
+    paths:
+      - "ruby/**"
+      - "shared/**"
+      - .github/workflows/ruby-build.yml
+      - .github/actions/fetch-codeql/action.yml
+      - codeql-workspace.yml
+    branches:
+      - main
+      - "rc/*"
+  pull_request:
+    paths:
+      - "ruby/**"
+      - "shared/**"
+      - .github/workflows/ruby-qltest.yml
+      - .github/actions/fetch-codeql/action.yml
+      - codeql-workspace.yml
+    branches:
+      - main
+      - "rc/*"
+
+env:
+  CARGO_TERM_COLOR: always
+
+defaults:
+  run:
+    working-directory: ruby
+
+permissions:
+  contents: read
+
+jobs:
+  qlupgrade:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: ./.github/actions/fetch-codeql
+      - name: Check DB upgrade scripts
+        run: |
+          echo >empty.trap
+          codeql dataset import -S ql/lib/upgrades/initial/ruby.dbscheme testdb empty.trap
+          codeql dataset upgrade testdb --additional-packs ql/lib
+          diff -q testdb/ruby.dbscheme ql/lib/ruby.dbscheme
+      - name: Check DB downgrade scripts
+        run: |
+          echo >empty.trap
+          rm -rf testdb; codeql dataset import -S ql/lib/ruby.dbscheme testdb empty.trap
+          codeql resolve upgrades --format=lines --allow-downgrades --additional-packs downgrades \
+           --dbscheme=ql/lib/ruby.dbscheme --target-dbscheme=downgrades/initial/ruby.dbscheme |
+           xargs codeql execute upgrades testdb
+          diff -q testdb/ruby.dbscheme downgrades/initial/ruby.dbscheme
+  qltest:
+    if: github.repository_owner == 'github'
+    runs-on: ubuntu-latest-xl
+    strategy:
+      fail-fast: false
+    steps:
+      - uses: actions/checkout@v5
+      - uses: ./.github/actions/fetch-codeql
+      - uses: ./ruby/actions/create-extractor-pack
+      - name: Cache compilation cache
+        id: query-cache
+        uses: ./.github/actions/cache-query-compilation
+        with:
+          key: ruby-qltest
+      - name: Run QL tests
+        run: |
+          codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -15,14 +15,14 @@ local_path_override(
 # see https://registry.bazel.build/ for a list of available packages

 bazel_dep(name = "platforms", version = "1.0.0")
-bazel_dep(name = "rules_cc", version = "0.2.17")
-bazel_dep(name = "rules_go", version = "0.60.0")
-bazel_dep(name = "rules_java", version = "9.6.1")
-bazel_dep(name = "rules_pkg", version = "1.2.0")
+bazel_dep(name = "rules_cc", version = "0.2.16")
+bazel_dep(name = "rules_go", version = "0.59.0")
+bazel_dep(name = "rules_java", version = "9.0.3")
+bazel_dep(name = "rules_pkg", version = "1.0.1")
 bazel_dep(name = "rules_nodejs", version = "6.7.3")
 bazel_dep(name = "rules_python", version = "1.9.0")
 bazel_dep(name = "rules_shell", version = "0.6.1")
-bazel_dep(name = "bazel_skylib", version = "1.9.0")
+bazel_dep(name = "bazel_skylib", version = "1.8.1")
 bazel_dep(name = "abseil-cpp", version = "20260107.1", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "12.1.0-codeql.1")
@@ -30,7 +30,7 @@ bazel_dep(name = "rules_kotlin", version = "2.2.2-codeql.1")
 bazel_dep(name = "gazelle", version = "0.47.0")
 bazel_dep(name = "rules_dotnet", version = "0.21.5-codeql.1")
 bazel_dep(name = "googletest", version = "1.17.0.bcr.2")
-bazel_dep(name = "rules_rust", version = "0.69.0")
+bazel_dep(name = "rules_rust", version = "0.68.1.codeql.1")
 bazel_dep(name = "zstd", version = "1.5.7.bcr.1")

 bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
--- a/actions/ql/lib/CHANGELOG.md
+++ b/actions/ql/lib/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 0.4.30
-
-No user-facing changes.
-
 ## 0.4.29

 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.30.md
+++ b/actions/ql/lib/change-notes/released/0.4.30.md
@@ -1,3 +0,0 @@
-## 0.4.30
-
-No user-facing changes.
--- a/actions/ql/lib/codeql-pack.release.yml
+++ b/actions/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.30
+lastReleaseVersion: 0.4.29
--- a/actions/ql/lib/qlpack.yml
+++ b/actions/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.31-dev
+version: 0.4.30-dev
 library: true
 warnOnImplicitThis: true
 dependencies:
--- a/actions/ql/src/CHANGELOG.md
+++ b/actions/ql/src/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 0.6.22
-
-No user-facing changes.
-
 ## 0.6.21

 No user-facing changes.
--- a/actions/ql/src/change-notes/released/0.6.22.md
+++ b/actions/ql/src/change-notes/released/0.6.22.md
@@ -1,3 +0,0 @@
-## 0.6.22
-
-No user-facing changes.
--- a/actions/ql/src/codeql-pack.release.yml
+++ b/actions/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.22
+lastReleaseVersion: 0.6.21
--- a/actions/ql/src/qlpack.yml
+++ b/actions/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.23-dev
+version: 0.6.22-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]
--- a/config/add-overlay-annotations.py
+++ b/config/add-overlay-annotations.py
@@ -199,7 +199,6 @@ def annotate_as_appropriate(filename, lines):
    # as overlay[local?].  It is not clear that these heuristics are exactly what we want,
    # but they seem to work well enough for now (as determined by speed and accuracy numbers).
    if (filename.endswith("Test.qll") or
-        re.search(r"go/ql/lib/semmle/go/security/[^/]+[.]qll$", filename.replace(os.sep, "/")) or
        ((filename.endswith("Query.qll") or filename.endswith("Config.qll")) and
         any("implements DataFlow::ConfigSig" in line for line in lines))):
        return None
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -172,6 +172,10 @@
    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintDominance.qll",
    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintDominance.qll"
  ],
+  "C# ControlFlowReachability": [
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/ControlFlowReachability.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ControlFlowReachability.qll"
+  ],
  "C++ ExternalAPIs": [
    "cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll",
    "cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll"
--- a/cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected
+++ b/cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected
@@ -52,6 +52,5 @@ ql/cpp/ql/src/Summary/LinesOfUserCode.ql
 ql/cpp/ql/src/Telemetry/CompilerErrors.ql
 ql/cpp/ql/src/Telemetry/DatabaseQuality.ql
 ql/cpp/ql/src/Telemetry/ExtractionMetrics.ql
-ql/cpp/ql/src/Telemetry/ExtractorInformation.ql
 ql/cpp/ql/src/Telemetry/MissingIncludes.ql
 ql/cpp/ql/src/Telemetry/SucceededIncludes.ql
--- a/cpp/ql/integration-tests/query-suite/cpp-security-and-quality.qls.expected
+++ b/cpp/ql/integration-tests/query-suite/cpp-security-and-quality.qls.expected
@@ -160,7 +160,6 @@ ql/cpp/ql/src/Summary/LinesOfUserCode.ql
 ql/cpp/ql/src/Telemetry/CompilerErrors.ql
 ql/cpp/ql/src/Telemetry/DatabaseQuality.ql
 ql/cpp/ql/src/Telemetry/ExtractionMetrics.ql
-ql/cpp/ql/src/Telemetry/ExtractorInformation.ql
 ql/cpp/ql/src/Telemetry/MissingIncludes.ql
 ql/cpp/ql/src/Telemetry/SucceededIncludes.ql
 ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 32.ql
--- a/cpp/ql/integration-tests/query-suite/cpp-security-extended.qls.expected
+++ b/cpp/ql/integration-tests/query-suite/cpp-security-extended.qls.expected
@@ -93,6 +93,5 @@ ql/cpp/ql/src/Summary/LinesOfUserCode.ql
 ql/cpp/ql/src/Telemetry/CompilerErrors.ql
 ql/cpp/ql/src/Telemetry/DatabaseQuality.ql
 ql/cpp/ql/src/Telemetry/ExtractionMetrics.ql
-ql/cpp/ql/src/Telemetry/ExtractorInformation.ql
 ql/cpp/ql/src/Telemetry/MissingIncludes.ql
 ql/cpp/ql/src/Telemetry/SucceededIncludes.ql
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,9 +1,3 @@
-## 8.0.1
-
-### Minor Analysis Improvements
-
-* Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.
-
 ## 8.0.0

 ### Breaking Changes
--- a/cpp/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md
+++ b/cpp/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md
@@ -1,5 +1,4 @@
-## 7.0.2
-
-### Minor Analysis Improvements
-
+---
+category: minorAnalysis
+---
 * Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 8.0.1
+lastReleaseVersion: 8.0.0
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 8.0.2-dev
+version: 8.0.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/lib/semmle/code/cpp/Function.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Function.qll
@@ -524,12 +524,6 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
      not exists(NewOrNewArrayExpr new | e = new.getAllocatorCall().getArgument(0))
    )
  }
-
-  /**
-   * Holds if this function has an ambiguous return type, meaning that zero or multiple return
-   * types for this function are present in the database (this can occur in `build-mode: none`).
-   */
-  predicate hasAmbiguousReturnType() { count(this.getType()) != 1 }
 }

 pragma[noinline]
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 1.5.13
-
-No user-facing changes.
-
 ## 1.5.12

 No user-facing changes.
--- a/Bugs/Arithmetic/IntMultToLong.ql
+++ b/Bugs/Arithmetic/IntMultToLong.ql
@@ -218,9 +218,7 @@ where
  // only report if we cannot prove that the result of the
  // multiplication will be less (resp. greater) than the
  // maximum (resp. minimum) number we can compute.
-  overflows(me, t1) and
-  // exclude cases where the expression type may not have been extracted accurately
-  not me.getParent().(Call).getTarget().hasAmbiguousReturnType()
+  overflows(me, t1)
 select me,
  "Multiplication result may overflow '" + me.getType().toString() + "' before it is converted to '"
    + me.getFullyConverted().getType().toString() + "'."
--- a/Bugs/Format/WrongTypeFormatArguments.ql
+++ b/Bugs/Format/WrongTypeFormatArguments.ql
@@ -168,11 +168,9 @@ where
    formatOtherArgType(ffc, n, expected, arg, actual) and
    not actual.getUnspecifiedType().(IntegralType).getSize() = sizeof_IntType()
  ) and
-  // Exclude some cases where we're less confident the result is correct / clear / valuable
  not arg.isAffectedByMacro() and
  not arg.isFromUninstantiatedTemplate(_) and
  not actual.stripType() instanceof ErroneousType and
-  not arg.getType().stripType().(RoutineType).getReturnType() instanceof ErroneousType and
  not arg.(Call).mayBeFromImplicitlyDeclaredFunction() and
  // Make sure that the format function definition is consistent
  count(ffc.getTarget().getFormatParameterIndex()) = 1
--- a/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
+++ b/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
@@ -4,7 +4,7 @@
 *              allows for a cross-site scripting vulnerability.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 7.8
+ * @security-severity 6.1
 * @precision high
 * @id cpp/cgi-xss
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
+++ b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
@@ -23,31 +23,13 @@ import Flow::PathGraph

 predicate isSource(FlowSource source, string sourceType) { sourceType = source.getSourceType() }

-/**
- * Holds if `f` is a printf-like function or a (possibly nested) wrapper
- * that forwards a format-string parameter to one.
- *
- * Functions that *implement* printf-like behavior (e.g. a custom
- * `vsnprintf` variant) internally parse the caller-supplied format string
- * and build small, bounded, local format strings such as `"%d"` or `"%ld"`
- * for inner `sprintf` calls.  Taint that reaches those inner calls via the
- * parsed format specifier is not exploitable, so sinks inside such
- * functions should be excluded.
- */
-private predicate isPrintfImplementation(Function f) {
-  f instanceof PrintfLikeFunction
-  or
-  exists(PrintfLikeFunction printf | printf.wrapperFunction(f, _, _))
-}
-
 module Config implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node node) { isSource(node, _) }

  predicate isSink(DataFlow::Node node) {
    exists(PrintfLikeFunction printf |
      printf.outermostWrapperFunctionCall([node.asExpr(), node.asIndirectExpr()], _)
-    ) and
-    not isPrintfImplementation([node.asExpr(), node.asIndirectExpr()].getEnclosingFunction())
+    )
  }

  private predicate isArithmeticNonCharType(ArithmeticType type) {
--- a/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
@@ -18,8 +18,7 @@ import IncorrectPointerScalingCommon
 private predicate isCharSzPtrExpr(Expr e) {
  exists(PointerType pt | pt = e.getFullyConverted().getUnspecifiedType() |
    pt.getBaseType() instanceof CharType or
-    pt.getBaseType() instanceof VoidType or
-    pt.getBaseType() instanceof ErroneousType // this could be char / void type in a successful compilation
+    pt.getBaseType() instanceof VoidType
  )
 }

--- a/cpp/ql/src/Telemetry/DatabaseQuality.qll
+++ b/cpp/ql/src/Telemetry/DatabaseQuality.qll
@@ -1,25 +0,0 @@
-import cpp
-import codeql.util.ReportStats
-
-module CallTargetStats implements StatsSig {
-  private class RelevantCall extends Call {
-    RelevantCall() { this.getFile() = any(File f | f.fromSource() and exists(f.getRelativePath())) }
-  }
-
-  // We assume that calls with an implicit target are calls that could not be
-  // resolved. This is accurate in the vast majority of cases, but is inaccurate
-  // for calls that deliberately rely on implicitly declared functions.
-  private predicate hasImplicitTarget(RelevantCall call) {
-    call.getTarget().getADeclarationEntry().isImplicit()
-  }
-
-  int getNumberOfOk() { result = count(RelevantCall call | not hasImplicitTarget(call)) }
-
-  int getNumberOfNotOk() { result = count(RelevantCall call | hasImplicitTarget(call)) }
-
-  string getOkText() { result = "calls with call target" }
-
-  string getNotOkText() { result = "calls with missing call target" }
-}
-
-module CallTargetStatsReport = ReportStats<CallTargetStats>;
--- a/cpp/ql/src/Telemetry/ExtractorInformation.ql
+++ b/cpp/ql/src/Telemetry/ExtractorInformation.ql
@@ -1,25 +0,0 @@
-/**
- * @name C/C++ extraction information
- * @description Information about the extraction for a C/C++ database
- * @kind metric
- * @tags summary telemetry
- * @id cpp/telemetry/extraction-information
- */
-
-import cpp
-import DatabaseQuality
-
-from string key, float value
-where
-  (
-    CallTargetStatsReport::numberOfOk(key, value) or
-    CallTargetStatsReport::numberOfNotOk(key, value) or
-    CallTargetStatsReport::percentageOfOk(key, value)
-  ) and
-  /* Infinity */
-  value != 1.0 / 0.0 and
-  /* -Infinity */
-  value != -1.0 / 0.0 and
-  /* NaN */
-  value != 0.0 / 0.0
-select key, value
--- a/cpp/ql/src/change-notes/2026-03-11-integer-multiplication-cast-to-long.md
+++ b/cpp/ql/src/change-notes/2026-03-11-integer-multiplication-cast-to-long.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in `build-mode: none` databases.
--- a/cpp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
+++ b/cpp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
@@ -1,4 +0,0 @@
---
-category: queryMetadata
---
-* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).
--- a/cpp/ql/src/change-notes/2026-03-16-wrong-type-format-argument.md
+++ b/cpp/ql/src/change-notes/2026-03-16-wrong-type-format-argument.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Fixed an issue with the "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query causing false positive results in `build-mode: none` databases.
--- a/cpp/ql/src/change-notes/2026-03-19-suspicious-add-sizeof.md
+++ b/cpp/ql/src/change-notes/2026-03-19-suspicious-add-sizeof.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Fixed an issue with the "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query causing false positive results in `build-mode: none` databases.
--- a/cpp/ql/src/change-notes/2026-03-19-tainted-format-string.md
+++ b/cpp/ql/src/change-notes/2026-03-19-tainted-format-string.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Fixed an issue with the "Uncontrolled format string" (`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.
--- a/cpp/ql/src/change-notes/released/1.5.13.md
+++ b/cpp/ql/src/change-notes/released/1.5.13.md
@@ -1,3 +0,0 @@
-## 1.5.13
-
-No user-facing changes.
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.13
+lastReleaseVersion: 1.5.12
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.5.14-dev
+version: 1.5.13-dev
 groups:
  - cpp
  - queries
--- a/Bugs/Arithmetic/IntMultToLong/Buildless.c
+++ b/Bugs/Arithmetic/IntMultToLong/Buildless.c
@@ -1,28 +0,0 @@
-// semmle-extractor-options: --expect_errors
-
-void test_float_double1(float f, double d) {
-    float r1 = f * f; // GOOD
-    float r2 = f * d; // GOOD
-    double r3 = f * f; // BAD
-    double r4 = f * d; // GOOD
-
-    float f1 = fabsf(f * f); // GOOD
-    float f2 = fabsf(f * d); // GOOD
-    double f3 = fabs(f * f); // BAD [NOT DETECTED]
-    double f4 = fabs(f * d); // GOOD
-}
-
-double fabs(double f);
-float fabsf(float f);
-
-void test_float_double2(float f, double d) {
-    float r1 = f * f; // GOOD
-    float r2 = f * d; // GOOD
-    double r3 = f * f; // BAD
-    double r4 = f * d; // GOOD
-
-    float f1 = fabsf(f * f); // GOOD
-    float f2 = fabsf(f * d); // GOOD
-    double f3 = fabs(f * f); // BAD [NOT DETECTED]
-    double f4 = fabs(f * d); // GOOD
-}
--- a/Bugs/Arithmetic/IntMultToLong/IntMultToLong.expected
+++ b/Bugs/Arithmetic/IntMultToLong/IntMultToLong.expected
@@ -1,5 +1,3 @@
-| Buildless.c:6:17:6:21 | ... * ... | Multiplication result may overflow 'float' before it is converted to 'double'. |
-| Buildless.c:21:17:21:21 | ... * ... | Multiplication result may overflow 'float' before it is converted to 'double'. |
 | IntMultToLong.c:4:10:4:14 | ... * ... | Multiplication result may overflow 'int' before it is converted to 'long long'. |
 | IntMultToLong.c:7:16:7:20 | ... * ... | Multiplication result may overflow 'int' before it is converted to 'long long'. |
 | IntMultToLong.c:18:19:18:23 | ... * ... | Multiplication result may overflow 'float' before it is converted to 'double'. |
--- a/Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected
+++ b/Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected
@@ -1,3 +1 @@
-| second.cpp:26:18:26:39 | ... - ... | This format specifier for type 'int' does not match the argument type 'long'. |
-| second.cpp:29:18:29:39 | ... - ... | This format specifier for type 'unsigned int' does not match the argument type 'long'. |
 | tests.c:7:18:7:18 | 1 | This format specifier for type 'char *' does not match the argument type 'int'. |
--- a/Bugs/Format/WrongTypeFormatArguments/Buildless/first.cpp
+++ b/Bugs/Format/WrongTypeFormatArguments/Buildless/first.cpp
@@ -1,3 +0,0 @@
-
-// defines type size_t plausibly
-typedef unsigned long size_t;
--- a/Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp
+++ b/Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp
@@ -1,32 +0,0 @@
-// semmle-extractor-options: --expect_errors
-
-int printf(const char * format, ...);
-
-// defines type `myFunctionPointerType`, referencing `size_t`
-typedef size_t (*myFunctionPointerType) ();
-
-void test_size_t() {
-    size_t s = 0;
-
-    printf("%zd", s); // GOOD
-    printf("%zi", s); // GOOD
-    printf("%zu", s); // GOOD (we generally permit signedness changes)
-    printf("%zx", s); // GOOD (we generally permit signedness changes)
-    printf("%d", s); // BAD [NOT DETECTED]
-    printf("%ld", s); // DUBIOUS [NOT DETECTED]
-    printf("%lld", s); // DUBIOUS [NOT DETECTED]
-    printf("%u", s); // BAD [NOT DETECTED]
-
-    char buffer[1024];
-
-    printf("%zd", &buffer[1023] - buffer); // GOOD
-    printf("%zi", &buffer[1023] - buffer); // GOOD
-    printf("%zu", &buffer[1023] - buffer); // GOOD
-    printf("%zx", &buffer[1023] - buffer); // GOOD
-    printf("%d", &buffer[1023] - buffer); // BAD
-    printf("%ld", &buffer[1023] - buffer); // DUBIOUS [NOT DETECTED]
-    printf("%lld", &buffer[1023] - buffer); // DUBIOUS [NOT DETECTED]
-    printf("%u", &buffer[1023] - buffer); // BAD
-    // (for the `%ld` and `%lld` cases, the signedness and type sizes match, `%zd` would be most correct
-    //  and robust but the developer may know enough to make this safe)
-}
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/SuspiciousAddWithSizeof.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/SuspiciousAddWithSizeof.expected
@@ -1,5 +1,3 @@
-| buildless.cpp:5:15:5:25 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | const short * | const short * |
-| buildless.cpp:6:13:6:23 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | const int * | const int * |
 | test.cpp:6:30:6:40 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | int * | int * |
 | test.cpp:14:30:14:40 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | int * | int * |
 | test.cpp:22:25:22:35 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | int * | int * |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/buildless.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/buildless.cpp
@@ -1,10 +0,0 @@
-// semmle-extractor-options: --expect_errors
-
-void test_buildless(const char *p_c, const short *p_short, const int *p_int, const uint8_t *p_8, const uint16_t *p_16, const uint32_t *p_32) {
-  *(p_c + sizeof(int)); // GOOD (`sizeof(char)` is 1)
-  *(p_short + sizeof(int)); // BAD
-  *(p_int + sizeof(int)); // BAD
-  *(p_8 + sizeof(int)); // GOOD (`sizeof(uint8_t)` is 1, but there's an error in the type)
-  *(p_16 + sizeof(int)); // BAD [NOT DETECTED]
-  *(p_32 + sizeof(int)); // BAD [NOT DETECTED]
-}
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/test.cpp
@@ -93,9 +93,3 @@ private:
  myChar * const myCharsPointer;
  myInt * const myIntsPointer;
 };
-
-typedef unsigned char uint8_t;
-typedef unsigned short uint16_t;
-typedef unsigned int uint32_t;
-
-void test_buildless(const char *p_c, const short *p_short, const int *p_int, const uint8_t *p_8, const uint16_t *p_16, const uint32_t *p_32);
--- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 1.7.61
-
-No user-facing changes.
-
 ## 1.7.60

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.61.md
+++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.61.md
@@ -1,3 +0,0 @@
-## 1.7.61
-
-No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.61
+lastReleaseVersion: 1.7.60
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.62-dev
+version: 1.7.61-dev
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 1.7.61
-
-No user-facing changes.
-
 ## 1.7.60

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.61.md
+++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.61.md
@@ -1,3 +0,0 @@
-## 1.7.61
-
-No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.61
+lastReleaseVersion: 1.7.60
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.62-dev
+version: 1.7.61-dev
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/consistency-queries/CfgConsistency.ql
+++ b/csharp/ql/consistency-queries/CfgConsistency.ql
@@ -1,5 +1,63 @@
 import csharp
 import semmle.code.csharp.controlflow.internal.Completion
+import semmle.code.csharp.controlflow.internal.PreBasicBlocks
 import ControlFlow
 import semmle.code.csharp.controlflow.internal.ControlFlowGraphImpl::Consistency
 import semmle.code.csharp.controlflow.internal.Splitting
+
+private predicate splitBB(ControlFlow::BasicBlock bb) {
+  exists(ControlFlow::Node first |
+    first = bb.getFirstNode() and
+    first.isJoin() and
+    strictcount(first.getAPredecessor().getAstNode()) = 1
+  )
+}
+
+private class RelevantBasicBlock extends ControlFlow::BasicBlock {
+  RelevantBasicBlock() { not splitBB(this) }
+}
+
+predicate bbStartInconsistency(ControlFlowElement cfe) {
+  exists(RelevantBasicBlock bb | bb.getFirstNode() = cfe.getAControlFlowNode()) and
+  not cfe = any(PreBasicBlock bb).getFirstElement()
+}
+
+predicate bbSuccInconsistency(ControlFlowElement pred, ControlFlowElement succ) {
+  exists(RelevantBasicBlock predBB, RelevantBasicBlock succBB |
+    predBB.getLastNode() = pred.getAControlFlowNode() and
+    succBB = predBB.getASuccessor() and
+    succBB.getFirstNode() = succ.getAControlFlowNode()
+  ) and
+  not exists(PreBasicBlock predBB, PreBasicBlock succBB |
+    predBB.getLastNode() = pred and
+    succBB = predBB.getASuccessor() and
+    succBB.getFirstElement() = succ
+  )
+}
+
+predicate bbIntraSuccInconsistency(ControlFlowElement pred, ControlFlowElement succ) {
+  exists(ControlFlow::BasicBlock bb, int i |
+    pred.getAControlFlowNode() = bb.getNode(i) and
+    succ.getAControlFlowNode() = bb.getNode(i + 1)
+  ) and
+  not exists(PreBasicBlock bb |
+    bb.getLastNode() = pred and
+    bb.getASuccessor().getFirstElement() = succ
+  ) and
+  not exists(PreBasicBlock bb, int i |
+    bb.getNode(i) = pred and
+    bb.getNode(i + 1) = succ
+  )
+}
+
+query predicate preBasicBlockConsistency(ControlFlowElement cfe1, ControlFlowElement cfe2, string s) {
+  bbStartInconsistency(cfe1) and
+  cfe2 = cfe1 and
+  s = "start inconsistency"
+  or
+  bbSuccInconsistency(cfe1, cfe2) and
+  s = "succ inconsistency"
+  or
+  bbIntraSuccInconsistency(cfe1, cfe2) and
+  s = "intra succ inconsistency"
+}
--- a/csharp/ql/consistency-queries/DataFlowConsistency.ql
+++ b/csharp/ql/consistency-queries/DataFlowConsistency.ql
@@ -35,7 +35,9 @@ private module Input implements InputSig<Location, CsharpDataFlow> {
    or
    n.asExpr().(ObjectCreation).hasInitializer()
    or
-    n.(PostUpdateNode).getPreUpdateNode().asExpr() = LocalFlow::getPostUpdateReverseStep(_)
+    exists(
+      n.(PostUpdateNode).getPreUpdateNode().asExprAtNode(LocalFlow::getPostUpdateReverseStep(_))
+    )
  }

  predicate argHasPostUpdateExclude(ArgumentNode n) {
--- a/csharp/ql/lib/CHANGELOG.md
+++ b/csharp/ql/lib/CHANGELOG.md
@@ -1,13 +1,3 @@
-## 5.4.9
-
-### Minor Analysis Improvements
-
-* Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.
-* Added `System.Net.WebSockets::ReceiveAsync` as a remote flow source.
-* Added reverse taint flow from implicit conversion operator calls to their arguments.
-* Added post-update nodes for struct-type arguments, allowing data flow out of method calls via those arguments.
-* C# 14: Added support for partial constructors.
-
 ## 5.4.8

 ### Minor Analysis Improvements
--- a/csharp/ql/lib/change-notes/2026-02-24-partial-constructors.md
+++ b/csharp/ql/lib/change-notes/2026-02-24-partial-constructors.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* C# 14: Added support for partial constructors.
--- a/csharp/ql/lib/change-notes/2026-03-02-post-update-nodes.md
+++ b/csharp/ql/lib/change-notes/2026-03-02-post-update-nodes.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added post-update nodes for struct-type arguments, allowing data flow out of method calls via those arguments.
--- a/csharp/ql/lib/change-notes/2026-03-03-implicit-conversion-reverse-flow.md
+++ b/csharp/ql/lib/change-notes/2026-03-03-implicit-conversion-reverse-flow.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added reverse taint flow from implicit conversion operator calls to their arguments.
--- a/csharp/ql/lib/change-notes/2026-03-04-websocket-receiveasync.md
+++ b/csharp/ql/lib/change-notes/2026-03-04-websocket-receiveasync.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added `System.Net.WebSockets::ReceiveAsync` as a remote flow source.
--- a/csharp/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md
+++ b/csharp/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md
@@ -1,5 +1,4 @@
-## 8.0.1
-
-### Minor Analysis Improvements
-
+---
+category: minorAnalysis
+---
 * Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.
--- a/csharp/ql/lib/change-notes/released/5.4.9.md
+++ b/csharp/ql/lib/change-notes/released/5.4.9.md
@@ -1,9 +0,0 @@
-## 5.4.9
-
-### Minor Analysis Improvements
-
-* Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.
-* Added `System.Net.WebSockets::ReceiveAsync` as a remote flow source.
-* Added reverse taint flow from implicit conversion operator calls to their arguments.
-* Added post-update nodes for struct-type arguments, allowing data flow out of method calls via those arguments.
-* C# 14: Added support for partial constructors.
--- a/csharp/ql/lib/codeql-pack.release.yml
+++ b/csharp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.4.9
+lastReleaseVersion: 5.4.8
--- a/csharp/ql/lib/qlpack.yml
+++ b/csharp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 5.4.10-dev
+version: 5.4.9-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
--- a/csharp/ql/lib/semmle/code/csharp/Callable.qll
+++ b/csharp/ql/lib/semmle/code/csharp/Callable.qll
@@ -336,22 +336,6 @@ class ExtensionTypeExtensionMethod extends ExtensionMethodImpl {
  ExtensionTypeExtensionMethod() { this.isInExtension() }
 }

-/**
- * A non-static member with an initializer, for example a field `int Field = 0`.
- */
-private class InitializedInstanceMember extends Member {
-  private AssignExpr ae;
-
-  InitializedInstanceMember() {
-    not this.isStatic() and
-    expr_parent_top_level(ae, _, this) and
-    not ae = getExpressionBody(_)
-  }
-
-  /** Gets the initializer expression. */
-  AssignExpr getInitializer() { result = ae }
-}
-
 /**
 * An object initializer method.
 *
@@ -363,17 +347,6 @@ private class InitializedInstanceMember extends Member {
 */
 class ObjectInitMethod extends Method {
  ObjectInitMethod() { this.getName() = "<object initializer>" }
-
-  /**
-   * Holds if this object initializer method performs the initialization
-   * of a member via assignment `init`.
-   */
-  predicate initializes(AssignExpr init) {
-    exists(InitializedInstanceMember m |
-      this.getDeclaringType().getAMember() = m and
-      init = m.getInitializer()
-    )
-  }
 }

 /**
--- a/csharp/ql/lib/semmle/code/csharp/ExprOrStmtParent.qll
+++ b/csharp/ql/lib/semmle/code/csharp/ExprOrStmtParent.qll
@@ -214,8 +214,6 @@ private module Cached {
    parent*(enclosingStart(cfe), c.(Constructor).getInitializer())
    or
    parent*(cfe, c.(Constructor).getObjectInitializerCall())
-    or
-    parent*(cfe, any(AssignExpr init | c.(ObjectInitMethod).initializes(init)))
  }

  /** Holds if the enclosing statement of expression `e` is `s`. */
--- a/csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImpl.qll
+++ b/csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImpl.qll
@@ -10,15 +10,42 @@ private import semmle.code.csharp.ExprOrStmtParent
 private import semmle.code.csharp.commons.Compilation

 private module Initializers {
+  /**
+   * A non-static member with an initializer, for example a field `int Field = 0`.
+   */
+  class InitializedInstanceMember extends Member {
+    private AssignExpr ae;
+
+    InitializedInstanceMember() {
+      not this.isStatic() and
+      expr_parent_top_level(ae, _, this) and
+      not ae = any(Callable c).getExpressionBody()
+    }
+
+    /** Gets the initializer expression. */
+    AssignExpr getInitializer() { result = ae }
+  }
+
+  /**
+   * Holds if `obinit` is an object initializer method that performs the initialization
+   * of a member via assignment `init`.
+   */
+  predicate obinitInitializes(ObjectInitMethod obinit, AssignExpr init) {
+    exists(InitializedInstanceMember m |
+      obinit.getDeclaringType().getAMember() = m and
+      init = m.getInitializer()
+    )
+  }
+
  /**
   * Gets the `i`th member initializer expression for object initializer method `obinit`
   * in compilation `comp`.
   */
  AssignExpr initializedInstanceMemberOrder(ObjectInitMethod obinit, CompilationExt comp, int i) {
-    obinit.initializes(result) and
+    obinitInitializes(obinit, result) and
    result =
      rank[i + 1](AssignExpr ae0, Location l |
-        obinit.initializes(ae0) and
+        obinitInitializes(obinit, ae0) and
        l = ae0.getLocation() and
        getCompilation(l.getFile()) = comp
      |
@@ -47,7 +74,7 @@ class CfgScope extends Element, @top_level_exprorstmt_parent {
        any(Callable c |
          c.(Constructor).hasInitializer()
          or
-          c.(ObjectInitMethod).initializes(_)
+          Initializers::obinitInitializes(c, _)
          or
          c.hasBody()
        )
--- a/csharp/ql/lib/semmle/code/csharp/controlflow/internal/PreBasicBlocks.qll
+++ b/csharp/ql/lib/semmle/code/csharp/controlflow/internal/PreBasicBlocks.qll
@@ -0,0 +1,175 @@
+/**
+ * INTERNAL: Do not use.
+ *
+ * Provides a basic block implementation on control flow elements. That is,
+ * a "pre-CFG" where the nodes are (unsplit) control flow elements and the
+ * successor relation is `succ = succ(pred, _)`.
+ *
+ * The logic is duplicated from the implementation in `BasicBlocks.qll`, and
+ * being an internal class, all predicate documentation has been removed.
+ */
+
+import csharp
+private import Completion
+private import ControlFlowGraphImpl
+private import semmle.code.csharp.controlflow.ControlFlowGraph::ControlFlow as Cfg
+private import codeql.controlflow.BasicBlock as BB
+
+private predicate startsBB(ControlFlowElement cfe) {
+  not succ(_, cfe, _) and
+  (
+    succ(cfe, _, _)
+    or
+    scopeLast(_, cfe, _)
+  )
+  or
+  strictcount(ControlFlowElement pred, Completion c | succ(pred, cfe, c)) > 1
+  or
+  succ(_, cfe, any(ConditionalCompletion c))
+  or
+  exists(ControlFlowElement pred, int i |
+    succ(pred, cfe, _) and
+    i = count(ControlFlowElement succ, Completion c | succ(pred, succ, c))
+  |
+    i > 1
+    or
+    i = 1 and
+    scopeLast(_, pred, _)
+  )
+}
+
+private predicate intraBBSucc(ControlFlowElement pred, ControlFlowElement succ) {
+  succ(pred, succ, _) and
+  not startsBB(succ)
+}
+
+private predicate bbIndex(ControlFlowElement bbStart, ControlFlowElement cfe, int i) =
+  shortestDistances(startsBB/1, intraBBSucc/2)(bbStart, cfe, i)
+
+private predicate succBB(PreBasicBlock pred, PreBasicBlock succ) { succ = pred.getASuccessor() }
+
+private predicate entryBB(PreBasicBlock bb) { scopeFirst(_, bb) }
+
+private predicate bbIDominates(PreBasicBlock dom, PreBasicBlock bb) =
+  idominance(entryBB/1, succBB/2)(_, dom, bb)
+
+class PreBasicBlock extends ControlFlowElement {
+  PreBasicBlock() { startsBB(this) }
+
+  PreBasicBlock getASuccessor(Cfg::SuccessorType t) {
+    succ(this.getLastNode(), result, any(Completion c | t = c.getAMatchingSuccessorType()))
+  }
+
+  deprecated PreBasicBlock getASuccessorByType(Cfg::SuccessorType t) {
+    result = this.getASuccessor(t)
+  }
+
+  PreBasicBlock getASuccessor() { result = this.getASuccessor(_) }
+
+  PreBasicBlock getAPredecessor() { result.getASuccessor() = this }
+
+  ControlFlowElement getNode(int pos) { bbIndex(this, result, pos) }
+
+  deprecated ControlFlowElement getElement(int pos) { result = this.getNode(pos) }
+
+  ControlFlowElement getAnElement() { result = this.getNode(_) }
+
+  ControlFlowElement getFirstElement() { result = this }
+
+  ControlFlowElement getLastNode() { result = this.getNode(this.length() - 1) }
+
+  deprecated ControlFlowElement getLastElement() { result = this.getLastNode() }
+
+  int length() { result = strictcount(this.getAnElement()) }
+
+  PreBasicBlock getImmediateDominator() { bbIDominates(result, this) }
+
+  predicate immediatelyDominates(PreBasicBlock bb) { bbIDominates(this, bb) }
+
+  pragma[inline]
+  predicate strictlyDominates(PreBasicBlock bb) { this.immediatelyDominates+(bb) }
+
+  pragma[inline]
+  predicate dominates(PreBasicBlock bb) {
+    bb = this
+    or
+    this.strictlyDominates(bb)
+  }
+
+  predicate inDominanceFrontier(PreBasicBlock df) {
+    this = df.getAPredecessor() and not bbIDominates(this, df)
+    or
+    exists(PreBasicBlock prev | prev.inDominanceFrontier(df) |
+      bbIDominates(this, prev) and
+      not bbIDominates(this, df)
+    )
+  }
+
+  /** Unsupported. Do not use. */
+  predicate strictlyPostDominates(PreBasicBlock bb) { none() }
+
+  /** Unsupported. Do not use. */
+  predicate postDominates(PreBasicBlock bb) {
+    this.strictlyPostDominates(bb) or
+    this = bb
+  }
+}
+
+private Completion getConditionalCompletion(ConditionalCompletion cc) {
+  result.getInnerCompletion() = cc
+}
+
+pragma[nomagic]
+private predicate conditionBlockImmediatelyControls(
+  ConditionBlock cond, PreBasicBlock succ, ConditionalCompletion cc
+) {
+  exists(ControlFlowElement last, Completion c |
+    last = cond.getLastNode() and
+    c = getConditionalCompletion(cc) and
+    succ(last, succ, c) and
+    // In the pre-CFG, we need to account for case where one predecessor node has
+    // two edges to the same successor node. Assertion expressions are examples of
+    // such nodes.
+    not exists(Completion other |
+      succ(last, succ, other) and
+      other != c
+    ) and
+    forall(PreBasicBlock pred | pred = succ.getAPredecessor() and pred != cond |
+      succ.dominates(pred)
+    )
+  )
+}
+
+class ConditionBlock extends PreBasicBlock {
+  ConditionBlock() {
+    exists(Completion c | c = getConditionalCompletion(_) |
+      succ(this.getLastNode(), _, c)
+      or
+      scopeLast(_, this.getLastNode(), c)
+    )
+  }
+
+  pragma[nomagic]
+  predicate controls(PreBasicBlock controlled, Cfg::ConditionalSuccessor s) {
+    exists(PreBasicBlock succ, ConditionalCompletion c |
+      conditionBlockImmediatelyControls(this, succ, c)
+    |
+      succ.dominates(controlled) and
+      s = c.getAMatchingSuccessorType()
+    )
+  }
+}
+
+module PreCfg implements BB::CfgSig<Location> {
+  class ControlFlowNode = ControlFlowElement;
+
+  class BasicBlock = PreBasicBlock;
+
+  class EntryBasicBlock extends BasicBlock {
+    EntryBasicBlock() { entryBB(this) }
+  }
+
+  predicate dominatingEdge(BasicBlock bb1, BasicBlock bb2) {
+    conditionBlockImmediatelyControls(bb1, bb2, _)
+  }
+}
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ControlFlowReachability.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ControlFlowReachability.qll
@@ -0,0 +1,246 @@
+import csharp
+
+private class ControlFlowScope extends ControlFlowElement {
+  private boolean exactScope;
+
+  ControlFlowScope() {
+    exists(ControlFlowReachabilityConfiguration c |
+      c.candidate(_, _, this, exactScope, _) or
+      c.candidateDef(_, _, this, exactScope, _)
+    )
+  }
+
+  predicate isExact() { exactScope = true }
+
+  predicate isNonExact() { exactScope = false }
+}
+
+private newtype TControlFlowElementOrBasicBlock =
+  TControlFlowElement(ControlFlowElement cfe) or
+  TBasicBlock(ControlFlow::BasicBlock bb)
+
+class ControlFlowElementOrBasicBlock extends TControlFlowElementOrBasicBlock {
+  ControlFlowElement asControlFlowElement() { this = TControlFlowElement(result) }
+
+  ControlFlow::BasicBlock asBasicBlock() { this = TBasicBlock(result) }
+
+  string toString() {
+    result = this.asControlFlowElement().toString()
+    or
+    result = this.asBasicBlock().toString()
+  }
+
+  Location getLocation() {
+    result = this.asControlFlowElement().getLocation()
+    or
+    result = this.asBasicBlock().getLocation()
+  }
+}
+
+private predicate isBasicBlock(ControlFlowElementOrBasicBlock c) { c instanceof TBasicBlock }
+
+private predicate isNonExactScope(ControlFlowElementOrBasicBlock c) {
+  c.asControlFlowElement().(ControlFlowScope).isNonExact()
+}
+
+private predicate step(ControlFlowElementOrBasicBlock pred, ControlFlowElementOrBasicBlock succ) {
+  pred.asBasicBlock().getANode().getAstNode() = succ.asControlFlowElement()
+  or
+  pred.asControlFlowElement() = succ.asControlFlowElement().getAChild()
+}
+
+private predicate basicBlockInNonExactScope(
+  ControlFlowElementOrBasicBlock bb, ControlFlowElementOrBasicBlock scope
+) = doublyBoundedFastTC(step/2, isBasicBlock/1, isNonExactScope/1)(bb, scope)
+
+pragma[noinline]
+private ControlFlow::BasicBlock getABasicBlockInScope(ControlFlowScope scope, boolean exactScope) {
+  basicBlockInNonExactScope(TBasicBlock(result), TControlFlowElement(scope)) and
+  exactScope = false
+  or
+  scope.isExact() and
+  result.getANode().getAstNode() = scope and
+  exactScope = true
+}
+
+/**
+ * A helper class for determining control-flow reachability for pairs of
+ * elements.
+ *
+ * This is useful when defining for example expression-based data-flow steps in
+ * the presence of control-flow splitting, where a data-flow step should make
+ * sure to stay in the same split.
+ *
+ * For example, in
+ *
+ * ```csharp
+ * if (b)
+ *     ....
+ * var x = "foo";
+ * if (b)
+ *     ....
+ * ```
+ *
+ * there should only be steps from `[b = true] "foo"` to `[b = true] SSA def(x)`
+ * and `[b = false] "foo"` to `[b = false] SSA def(x)`, and for example not from
+ * `[b = true] "foo"` to `[b = false] SSA def(x)`
+ */
+abstract class ControlFlowReachabilityConfiguration extends string {
+  bindingset[this]
+  ControlFlowReachabilityConfiguration() { any() }
+
+  /**
+   * Holds if `e1` and `e2` are expressions for which we want to find a
+   * control-flow path that follows control flow successors (resp.
+   * predecessors, as specified by `isSuccessor`) inside the syntactic scope
+   * `scope`. The Boolean `exactScope` indicates whether a transitive child
+   * of `scope` is allowed (`exactScope = false`).
+   */
+  predicate candidate(
+    Expr e1, Expr e2, ControlFlowElement scope, boolean exactScope, boolean isSuccessor
+  ) {
+    none()
+  }
+
+  /**
+   * Holds if `e` and `def` are elements for which we want to find a
+   * control-flow path that follows control flow successors (resp.
+   * predecessors, as specified by `isSuccessor`) inside the syntactic scope
+   * `scope`. The Boolean `exactScope` indicates whether a transitive child
+   * of `scope` is allowed (`exactScope = false`).
+   */
+  predicate candidateDef(
+    Expr e, AssignableDefinition def, ControlFlowElement scope, boolean exactScope,
+    boolean isSuccessor
+  ) {
+    none()
+  }
+
+  pragma[nomagic]
+  private predicate reachesBasicBlockExprBase(
+    Expr e1, Expr e2, boolean isSuccessor, ControlFlow::Nodes::ElementNode cfn1, int i,
+    ControlFlow::BasicBlock bb
+  ) {
+    this.candidate(e1, e2, _, _, isSuccessor) and
+    cfn1 = e1.getAControlFlowNode() and
+    bb.getNode(i) = cfn1
+  }
+
+  pragma[nomagic]
+  private predicate reachesBasicBlockExprRec(
+    Expr e1, Expr e2, boolean isSuccessor, ControlFlow::Nodes::ElementNode cfn1,
+    ControlFlow::BasicBlock bb
+  ) {
+    exists(ControlFlow::BasicBlock mid |
+      this.reachesBasicBlockExpr(e1, e2, isSuccessor, cfn1, mid)
+    |
+      isSuccessor = true and
+      bb = mid.getASuccessor()
+      or
+      isSuccessor = false and
+      bb = mid.getAPredecessor()
+    )
+  }
+
+  pragma[nomagic]
+  private predicate reachesBasicBlockExpr(
+    Expr e1, Expr e2, boolean isSuccessor, ControlFlow::Nodes::ElementNode cfn1,
+    ControlFlow::BasicBlock bb
+  ) {
+    this.reachesBasicBlockExprBase(e1, e2, isSuccessor, cfn1, _, bb)
+    or
+    exists(ControlFlowElement scope, boolean exactScope |
+      this.candidate(e1, e2, scope, exactScope, isSuccessor) and
+      this.reachesBasicBlockExprRec(e1, e2, isSuccessor, cfn1, bb) and
+      bb = getABasicBlockInScope(scope, exactScope)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate reachesBasicBlockDefinitionBase(
+    Expr e, AssignableDefinition def, boolean isSuccessor, ControlFlow::Nodes::ElementNode cfn,
+    int i, ControlFlow::BasicBlock bb
+  ) {
+    this.candidateDef(e, def, _, _, isSuccessor) and
+    cfn = e.getAControlFlowNode() and
+    bb.getNode(i) = cfn
+  }
+
+  pragma[nomagic]
+  private predicate reachesBasicBlockDefinitionRec(
+    Expr e, AssignableDefinition def, boolean isSuccessor, ControlFlow::Nodes::ElementNode cfn,
+    ControlFlow::BasicBlock bb
+  ) {
+    exists(ControlFlow::BasicBlock mid |
+      this.reachesBasicBlockDefinition(e, def, isSuccessor, cfn, mid)
+    |
+      isSuccessor = true and
+      bb = mid.getASuccessor()
+      or
+      isSuccessor = false and
+      bb = mid.getAPredecessor()
+    )
+  }
+
+  pragma[nomagic]
+  private predicate reachesBasicBlockDefinition(
+    Expr e, AssignableDefinition def, boolean isSuccessor, ControlFlow::Nodes::ElementNode cfn,
+    ControlFlow::BasicBlock bb
+  ) {
+    this.reachesBasicBlockDefinitionBase(e, def, isSuccessor, cfn, _, bb)
+    or
+    exists(ControlFlowElement scope, boolean exactScope |
+      this.candidateDef(e, def, scope, exactScope, isSuccessor) and
+      this.reachesBasicBlockDefinitionRec(e, def, isSuccessor, cfn, bb) and
+      bb = getABasicBlockInScope(scope, exactScope)
+    )
+  }
+
+  /**
+   * Holds if there is a control-flow path from `cfn1` to `cfn2`, where `cfn1` is a
+   * control-flow node for `e1` and `cfn2` is a control-flow node for `e2`.
+   */
+  pragma[nomagic]
+  predicate hasExprPath(Expr e1, ControlFlow::Node cfn1, Expr e2, ControlFlow::Node cfn2) {
+    exists(ControlFlow::BasicBlock bb, boolean isSuccessor, int i, int j |
+      this.reachesBasicBlockExprBase(e1, e2, isSuccessor, cfn1, i, bb) and
+      cfn2 = bb.getNode(j) and
+      cfn2 = e2.getAControlFlowNode()
+    |
+      isSuccessor = true and j >= i
+      or
+      isSuccessor = false and i >= j
+    )
+    or
+    exists(ControlFlow::BasicBlock bb |
+      this.reachesBasicBlockExprRec(e1, e2, _, cfn1, bb) and
+      cfn2 = bb.getANode() and
+      cfn2 = e2.getAControlFlowNode()
+    )
+  }
+
+  /**
+   * Holds if there is a control-flow path from `cfn` to `cfnDef`, where `cfn` is a
+   * control-flow node for `e` and `cfnDef` is a control-flow node for `def`.
+   */
+  pragma[nomagic]
+  predicate hasDefPath(
+    Expr e, ControlFlow::Node cfn, AssignableDefinition def, ControlFlow::Node cfnDef
+  ) {
+    exists(ControlFlow::BasicBlock bb, boolean isSuccessor, int i, int j |
+      this.reachesBasicBlockDefinitionBase(e, def, isSuccessor, cfn, i, bb) and
+      cfnDef = bb.getNode(j) and
+      def.getExpr().getAControlFlowNode() = cfnDef
+    |
+      isSuccessor = true and j >= i
+      or
+      isSuccessor = false and i >= j
+    )
+    or
+    exists(ControlFlow::BasicBlock bb |
+      this.reachesBasicBlockDefinitionRec(e, def, _, cfn, bb) and
+      def.getExpr().getAControlFlowNode() = cfnDef and
+      cfnDef = bb.getANode()
+    )
+  }
+}
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
@@ -2,6 +2,7 @@ private import csharp
 private import DataFlowPublic
 private import DataFlowDispatch
 private import DataFlowImplCommon
+private import ControlFlowReachability
 private import FlowSummaryImpl as FlowSummaryImpl
 private import semmle.code.csharp.dataflow.FlowSummary as FlowSummary
 private import semmle.code.csharp.dataflow.internal.ExternalFlow
@@ -258,16 +259,34 @@ private module ThisFlow {
  }
 }

+/**
+ * Holds if there is a control-flow path from `n1` to `n2`. `n2` is either an
+ * expression node or an SSA definition node.
+ */
+pragma[nomagic]
+predicate hasNodePath(ControlFlowReachabilityConfiguration conf, ExprNode n1, Node n2) {
+  exists(ControlFlow::Node cfn1, ControlFlow::Node cfn2 | conf.hasExprPath(_, cfn1, _, cfn2) |
+    cfn1 = n1.getControlFlowNode() and
+    cfn2 = n2.(ExprNode).getControlFlowNode()
+  )
+  or
+  exists(ControlFlow::Node cfn, AssignableDefinition def, ControlFlow::Node cfnDef |
+    conf.hasDefPath(_, cfn, def, cfnDef) and
+    cfn = n1.getControlFlowNode() and
+    n2 = TAssignableDefinitionNode(def, cfnDef)
+  )
+}
+
 /** Provides logic related to captured variables. */
 module VariableCapture {
  private import codeql.dataflow.VariableCapture as Shared
  private import semmle.code.csharp.controlflow.BasicBlocks as BasicBlocks

  private predicate closureFlowStep(ControlFlow::Nodes::ExprNode e1, ControlFlow::Nodes::ExprNode e2) {
-    e1.getExpr() = LocalFlow::getALastEvalNode(e2.getExpr())
+    e1 = LocalFlow::getALastEvalNode(e2)
    or
    exists(Ssa::Definition def, AssignableDefinition adef |
-      LocalFlow::defAssigns(adef, _, _, e1) and
+      LocalFlow::defAssigns(adef, _, e1) and
      def.getAnUltimateDefinition().(Ssa::ExplicitDefinition).getADefinition() = adef and
      exists(def.getAReadAtNode(e2))
    )
@@ -360,7 +379,7 @@ module VariableCapture {
        this = def.getExpr().getAControlFlowNode()
      }

-      ControlFlow::Node getRhs() { LocalFlow::defAssigns(def, this, _, result) }
+      ControlFlow::Node getRhs() { LocalFlow::defAssigns(def, this, result) }

      CapturedVariable getVariable() { result = v }
    }
@@ -509,74 +528,127 @@ module SsaFlow {

 /** Provides predicates related to local data flow. */
 module LocalFlow {
-  predicate localExprStep(Expr e1, Expr e2) {
-    e1 = e2.(ParenthesizedExpr).getExpr()
-    or
-    e1 = e2.(NullCoalescingExpr).getAnOperand()
-    or
-    e1 = e2.(SuppressNullableWarningExpr).getExpr()
-    or
-    e2 =
-      any(ConditionalExpr ce |
-        e1 = ce.getThen() or
-        e1 = ce.getElse()
+  class LocalExprStepConfiguration extends ControlFlowReachabilityConfiguration {
+    LocalExprStepConfiguration() { this = "LocalExprStepConfiguration" }
+
+    override predicate candidate(
+      Expr e1, Expr e2, ControlFlowElement scope, boolean exactScope, boolean isSuccessor
+    ) {
+      exactScope = false and
+      (
+        e1 = e2.(ParenthesizedExpr).getExpr() and
+        scope = e2 and
+        isSuccessor = true
+        or
+        e1 = e2.(NullCoalescingExpr).getAnOperand() and
+        scope = e2 and
+        isSuccessor = true
+        or
+        e1 = e2.(SuppressNullableWarningExpr).getExpr() and
+        scope = e2 and
+        isSuccessor = true
+        or
+        e2 =
+          any(ConditionalExpr ce |
+            e1 = ce.getThen() or
+            e1 = ce.getElse()
+          ) and
+        scope = e2 and
+        isSuccessor = true
+        or
+        e1 = e2.(Cast).getExpr() and
+        scope = e2 and
+        isSuccessor = true
+        or
+        // An `=` expression, where the result of the expression is used
+        e2 =
+          any(AssignExpr ae |
+            ae.getParent() = any(ControlFlowElement cfe | not cfe instanceof ExprStmt) and
+            e1 = ae.getRValue()
+          ) and
+        scope = e2 and
+        isSuccessor = true
+        or
+        e1 = e2.(ObjectCreation).getInitializer() and
+        scope = e2 and
+        isSuccessor = false
+        or
+        e1 = e2.(ArrayCreation).getInitializer() and
+        scope = e2 and
+        isSuccessor = false
+        or
+        e1 = e2.(SwitchExpr).getACase().getBody() and
+        scope = e2 and
+        isSuccessor = true
+        or
+        e1 = e2.(CheckedExpr).getExpr() and
+        scope = e2 and
+        isSuccessor = true
+        or
+        e1 = e2.(UncheckedExpr).getExpr() and
+        scope = e2 and
+        isSuccessor = true
+        or
+        e1 = e2.(CollectionExpression).getAnElement() and
+        e1 instanceof SpreadElementExpr and
+        scope = e2 and
+        isSuccessor = true
+        or
+        e1 = e2.(SpreadElementExpr).getExpr() and
+        scope = e2 and
+        isSuccessor = true
+        or
+        exists(WithExpr we |
+          scope = we and
+          isSuccessor = true
+        |
+          e1 = we.getExpr() and
+          e2 = we.getInitializer()
+          or
+          e1 = we.getInitializer() and
+          e2 = we
+        )
+        or
+        scope = any(AssignExpr ae | ae.getLValue().(TupleExpr) = e2 and ae.getRValue() = e1) and
+        isSuccessor = false
+        or
+        isSuccessor = true and
+        exists(ControlFlowElement cfe | cfe = e2.(TupleExpr).(PatternExpr).getPatternMatch() |
+          cfe.(IsExpr).getExpr() = e1 and scope = cfe
+          or
+          exists(Switch sw | sw.getACase() = cfe and sw.getExpr() = e1 and scope = sw)
+        )
      )
-    or
-    e1 = e2.(Cast).getExpr()
-    or
-    // An `=` expression, where the result of the expression is used
-    e2 =
-      any(AssignExpr ae |
-        ae.getParent() = any(ControlFlowElement cfe | not cfe instanceof ExprStmt) and
-        e1 = ae.getRValue()
+    }
+
+    override predicate candidateDef(
+      Expr e, AssignableDefinition def, ControlFlowElement scope, boolean exactScope,
+      boolean isSuccessor
+    ) {
+      // Flow from source to definition
+      exactScope = false and
+      def.getSource() = e and
+      (
+        scope = def.getExpr() and
+        isSuccessor = true
+        or
+        scope = def.(AssignableDefinitions::PatternDefinition).getMatch().(IsExpr) and
+        isSuccessor = false
+        or
+        exists(Switch s |
+          s.getACase() = def.(AssignableDefinitions::PatternDefinition).getMatch() and
+          isSuccessor = true
+        |
+          scope = s.getExpr()
+          or
+          scope = s.getACase()
+        )
      )
-    or
-    e1 = e2.(ObjectCreation).getInitializer()
-    or
-    e1 = e2.(ArrayCreation).getInitializer()
-    or
-    e1 = e2.(SwitchExpr).getACase().getBody()
-    or
-    e1 = e2.(CheckedExpr).getExpr()
-    or
-    e1 = e2.(UncheckedExpr).getExpr()
-    or
-    e1 = e2.(CollectionExpression).getAnElement() and
-    e1 instanceof SpreadElementExpr
-    or
-    e1 = e2.(SpreadElementExpr).getExpr()
-    or
-    exists(WithExpr we |
-      e1 = we.getExpr() and
-      e2 = we.getInitializer()
-      or
-      e1 = we.getInitializer() and
-      e2 = we
-    )
-    or
-    exists(AssignExpr ae | ae.getLValue().(TupleExpr) = e2 and ae.getRValue() = e1)
-    or
-    exists(ControlFlowElement cfe | cfe = e2.(TupleExpr).(PatternExpr).getPatternMatch() |
-      cfe.(IsExpr).getExpr() = e1
-      or
-      exists(Switch sw | sw.getACase() = cfe and sw.getExpr() = e1)
-    )
+    }
  }

-  predicate defAssigns(
-    AssignableDefinition def, ControlFlow::Node cfnDef, Expr value, ControlFlow::Node valueCfn
-  ) {
-    def.getSource() = value and
-    valueCfn = value.getControlFlowNode() and
-    cfnDef = def.getExpr().getAControlFlowNode()
-  }
-
-  private predicate defAssigns(ExprNode value, AssignableDefinitionNode defNode) {
-    exists(ControlFlow::Node cfn, AssignableDefinition def, ControlFlow::Node cfnDef |
-      defAssigns(def, cfnDef, value.getExpr(), _) and
-      cfn = value.getControlFlowNode() and
-      defNode = TAssignableDefinitionNode(def, cfnDef)
-    )
+  predicate defAssigns(AssignableDefinition def, ControlFlow::Node cfnDef, ControlFlow::Node value) {
+    any(LocalExprStepConfiguration x).hasDefPath(_, value, def, cfnDef)
  }

  /**
@@ -587,9 +659,7 @@ module LocalFlow {
  }

  predicate localFlowStepCommon(Node nodeFrom, Node nodeTo) {
-    localExprStep(nodeFrom.asExpr(), nodeTo.asExpr())
-    or
-    defAssigns(nodeFrom, nodeTo)
+    hasNodePath(any(LocalExprStepConfiguration x), nodeFrom, nodeTo)
    or
    ThisFlow::adjacentThisRefs(nodeFrom, nodeTo) and
    nodeFrom != nodeTo
@@ -615,12 +685,11 @@ module LocalFlow {
  }

  /**
-   * Gets a node that may execute last in `e`, and which, when it executes last,
-   * will be the value of `e`.
+   * Gets a node that may execute last in `n`, and which, when it executes last,
+   * will be the value of `n`.
   */
-  Expr getALastEvalNode(Expr e) {
-    localExprStep(result, e) and
-    (
+  ControlFlow::Nodes::ExprNode getALastEvalNode(ControlFlow::Nodes::ExprNode cfn) {
+    exists(Expr e | any(LocalExprStepConfiguration x).hasExprPath(_, result, e, cfn) |
      e instanceof ConditionalExpr or
      e instanceof Cast or
      e instanceof NullCoalescingExpr or
@@ -644,7 +713,9 @@ module LocalFlow {
   * we add a reverse flow step from `[post] b ? x : y` to `[post] x` and to
   * `[post] y`, in order for the side-effect of `m` to reach both `x` and `y`.
   */
-  Expr getPostUpdateReverseStep(Expr e) { result = getALastEvalNode(e) }
+  ControlFlow::Nodes::ExprNode getPostUpdateReverseStep(ControlFlow::Nodes::ExprNode e) {
+    result = getALastEvalNode(e)
+  }

  /**
   * Holds if the value of `node2` is given by `node1`.
@@ -658,10 +729,9 @@ module LocalFlow {
      e instanceof ThisAccess or e instanceof BaseAccess
    )
    or
-    defAssigns(node1, node2)
-    or
-    localExprStep(node1.asExpr(), node2.asExpr()) and
+    hasNodePath(any(LocalExprStepConfiguration x), node1, node2) and
    (
+      node2 instanceof AssignableDefinitionNode or
      node2.asExpr() instanceof Cast or
      node2.asExpr() instanceof AssignExpr
    )
@@ -705,8 +775,12 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo, string model) {
    or
    nodeTo = nodeFrom.(LocalFunctionCreationNode).getAnAccess(true)
    or
-    nodeTo.(PostUpdateNode).getPreUpdateNode().asExpr() =
-      LocalFlow::getPostUpdateReverseStep(nodeFrom.(PostUpdateNode).getPreUpdateNode().asExpr())
+    nodeTo.(PostUpdateNode).getPreUpdateNode().(ExprNode).getControlFlowNode() =
+      LocalFlow::getPostUpdateReverseStep(nodeFrom
+            .(PostUpdateNode)
+            .getPreUpdateNode()
+            .(ExprNode)
+            .getControlFlowNode())
  ) and
  model = ""
  or
@@ -760,11 +834,11 @@ private class Argument extends Expr {
 }

 /**
- * Holds if there is an assignment of `src` to field or property `c` of `q`.
+ * Holds if `e` is an assignment of `src` to field or property `c` of `q`.
 *
 * `postUpdate` indicates whether the store targets a post-update node.
 */
-private predicate fieldOrPropertyStore(ContentSet c, Expr src, Expr q, boolean postUpdate) {
+private predicate fieldOrPropertyStore(Expr e, ContentSet c, Expr src, Expr q, boolean postUpdate) {
  exists(FieldOrProperty f |
    c = f.getContentSet() and
    (
@@ -787,20 +861,25 @@ private predicate fieldOrPropertyStore(ContentSet c, Expr src, Expr q, boolean p
      f = fa.getTarget() and
      src = def.getSource() and
      q = fa.getQualifier() and
+      e = def.getExpr() and
      postUpdate = true
    )
    or
    // `with` expression initializer, `x with { f = src }`
-    exists(WithExpr we, MemberInitializer mi |
-      q = we and
-      mi = we.getInitializer().getAMemberInitializer() and
-      f = mi.getInitializedMember() and
-      src = mi.getRValue() and
-      postUpdate = false
-    )
+    e =
+      any(WithExpr we |
+        exists(MemberInitializer mi |
+          q = we and
+          mi = we.getInitializer().getAMemberInitializer() and
+          f = mi.getInitializedMember() and
+          src = mi.getRValue() and
+          postUpdate = false
+        )
+      )
    or
    // Object initializer, `new C() { f = src }`
    exists(MemberInitializer mi |
+      e = q and
      mi = q.(ObjectInitializer).getAMemberInitializer() and
      q.getParent() instanceof ObjectCreation and
      f = mi.getInitializedMember() and
@@ -809,13 +888,16 @@ private predicate fieldOrPropertyStore(ContentSet c, Expr src, Expr q, boolean p
    )
    or
    // Tuple element, `(..., src, ...)` `f` is `ItemX` of tuple `q`
-    exists(TupleExpr te, int i |
-      te = q and
-      src = te.getArgument(i) and
-      te.isConstruction() and
-      f = q.getType().(TupleType).getElement(i) and
-      postUpdate = false
-    )
+    e =
+      any(TupleExpr te |
+        exists(int i |
+          e = q and
+          src = te.getArgument(i) and
+          te.isConstruction() and
+          f = q.getType().(TupleType).getElement(i) and
+          postUpdate = false
+        )
+      )
  )
  or
  // A write to a dynamic property
@@ -825,6 +907,7 @@ private predicate fieldOrPropertyStore(ContentSet c, Expr src, Expr q, boolean p
    c.isDynamicProperty(dp) and
    src = def.getSource() and
    q = dma.getQualifier() and
+    e = def.getExpr() and
    postUpdate = true
  )
 }
@@ -860,20 +943,22 @@ private predicate collectionStore(Expr src, CollectionExpression ce) {
 }

 /**
- * Holds if there is an expression that adds `src` to array `a`.
+ * Holds if `e` is an expression that adds `src` to array `a`.
 *
 * `postUpdate` indicates whether the store targets a post-update node.
 */
-private predicate arrayStore(Expr src, Expr a, boolean postUpdate) {
+private predicate arrayStore(Expr e, Expr src, Expr a, boolean postUpdate) {
  // Direct assignment, `a[i] = src`
  exists(AssignableDefinition def |
    a = def.getTargetAccess().(ArrayWrite).getQualifier() and
    src = def.getSource() and
+    e = def.getExpr() and
    postUpdate = true
  )
  or
  // Array initializer, `new [] { src }`
  src = a.(ArrayInitializer).getAnElement() and
+  e = a and
  postUpdate = false
  or
  // Member initializer, `new C { Array = { [i] = src } }`
@@ -881,6 +966,7 @@ private predicate arrayStore(Expr src, Expr a, boolean postUpdate) {
    mi = a.(ObjectInitializer).getAMemberInitializer() and
    mi.getLValue() instanceof ArrayAccess and
    mi.getRValue() = src and
+    e = a and
    postUpdate = false
  )
 }
@@ -1055,17 +1141,17 @@ private module Cached {
      (
        cfn.getExpr() instanceof Argument
        or
-        cfn.getExpr() =
-          LocalFlow::getPostUpdateReverseStep(any(SourcePostUpdateNode p)
-                .getPreUpdateNode()
-                .asExpr())
+        cfn =
+          LocalFlow::getPostUpdateReverseStep(any(ControlFlow::Nodes::ExprNode e |
+              exists(any(SourcePostUpdateNode p).getPreUpdateNode().asExprAtNode(e))
+            ))
      ) and
      exprMayHavePostUpdateNode(cfn.getExpr())
      or
      exists(Expr e | e = cfn.getExpr() |
-        fieldOrPropertyStore(_, _, e, true)
+        fieldOrPropertyStore(_, _, _, e, true)
        or
-        arrayStore(_, e, true)
+        arrayStore(_, _, e, true)
        or
        // needed for reverse stores; e.g. `x.f1.f2 = y` induces
        // a store step of `f1` into `x`
@@ -1080,7 +1166,7 @@ private module Cached {
        )
      )
      or
-      lambdaCallExpr(_, _, cfn)
+      lambdaCallExpr(_, cfn)
    } or
    TFlowSummaryNode(FlowSummaryImpl::Private::SummaryNode sn) {
      sn.getSummarizedCallable() instanceof CallableUsedInSource
@@ -1477,15 +1563,35 @@ abstract private class ArgumentNodeImpl extends Node {
 }

 private module ArgumentNodes {
+  private class ArgumentConfiguration extends ControlFlowReachabilityConfiguration {
+    ArgumentConfiguration() { this = "ArgumentConfiguration" }
+
+    override predicate candidate(
+      Expr e1, Expr e2, ControlFlowElement scope, boolean exactScope, boolean isSuccessor
+    ) {
+      e1.(Argument).isArgumentOf(e2, _) and
+      exactScope = false and
+      isSuccessor = true and
+      if e2 instanceof PropertyWrite
+      then
+        exists(AssignableDefinition def |
+          def.getTargetAccess() = e2 and
+          scope = def.getExpr()
+        )
+      else scope = e2
+    }
+  }
+
  /** A data-flow node that represents an explicit call argument. */
  class ExplicitArgumentNode extends ArgumentNodeImpl {
    ExplicitArgumentNode() { this.asExpr() instanceof Argument }

    override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
-      exists(Expr c, Argument arg |
+      exists(ArgumentConfiguration x, Expr c, Argument arg |
        arg = this.asExpr() and
        c = call.getExpr() and
-        arg.isArgumentOf(c, pos)
+        arg.isArgumentOf(c, pos) and
+        x.hasExprPath(_, this.getControlFlowNode(), _, call.getControlFlowNode())
      )
    }
  }
@@ -1494,7 +1600,7 @@ private module ArgumentNodes {
  class DelegateSelfArgumentNode extends ArgumentNodeImpl, ExprNode {
    private DataFlowCall call_;

-    DelegateSelfArgumentNode() { lambdaCallExpr(call_, this.getExpr(), _) }
+    DelegateSelfArgumentNode() { lambdaCallExpr(call_, this.getControlFlowNode()) }

    override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
      call = call_ and
@@ -1751,6 +1857,27 @@ private module OutNodes {
    }
  }

+  class ObjectOrCollectionInitializerConfiguration extends ControlFlowReachabilityConfiguration {
+    ObjectOrCollectionInitializerConfiguration() {
+      this = "ObjectOrCollectionInitializerConfiguration"
+    }
+
+    override predicate candidate(
+      Expr e1, Expr e2, ControlFlowElement scope, boolean exactScope, boolean isSuccessor
+    ) {
+      exactScope = false and
+      scope = e1 and
+      isSuccessor = true and
+      exists(ObjectOrCollectionInitializer init | init = e1.(ObjectCreation).getInitializer() |
+        // E.g. `new Dictionary<int, string>{ {0, "a"}, {1, "b"} }`
+        e2 = init.(CollectionInitializer).getAnElementInitializer()
+        or
+        // E.g. `new Dictionary<int, string>() { [0] = "a", [1] = "b" }`
+        e2 = init.(ObjectInitializer).getAMemberInitializer().getLValue()
+      )
+    }
+  }
+
  /**
   * A data-flow node that reads a value returned by a callable using an
   * `out` or `ref` parameter.
@@ -2109,6 +2236,30 @@ predicate jumpStep(Node pred, Node succ) {
  succ = pred.(LocalFunctionCreationNode).getAnAccess(false)
 }

+private class StoreStepConfiguration extends ControlFlowReachabilityConfiguration {
+  StoreStepConfiguration() { this = "StoreStepConfiguration" }
+
+  override predicate candidate(
+    Expr e1, Expr e2, ControlFlowElement scope, boolean exactScope, boolean isSuccessor
+  ) {
+    exactScope = false and
+    fieldOrPropertyStore(scope, _, e1, e2, isSuccessor.booleanNot())
+    or
+    exactScope = false and
+    arrayStore(scope, e1, e2, isSuccessor.booleanNot())
+    or
+    exactScope = false and
+    isSuccessor = true and
+    collectionStore(e1, e2) and
+    scope = e2
+    or
+    exactScope = false and
+    isSuccessor = true and
+    isParamsArg(e2, e1, _) and
+    scope = e2
+  }
+}
+
 pragma[nomagic]
 private ContentSet getResultContent() {
  result.isProperty(any(SystemThreadingTasksTaskTClass c_).getResultProperty())
@@ -2131,17 +2282,21 @@ private predicate recordParameter(RecordType t, Parameter p, string name) {
 }

 private predicate storeContentStep(Node node1, Content c, Node node2) {
-  exists(ExprNode node, boolean postUpdate |
+  exists(StoreStepConfiguration x, ExprNode node, boolean postUpdate |
+    hasNodePath(x, node1, node) and
    if postUpdate = true then node = node2.(PostUpdateNode).getPreUpdateNode() else node = node2
  |
-    arrayStore(node1.asExpr(), node.getExpr(), postUpdate) and c instanceof ElementContent
+    arrayStore(_, node1.asExpr(), node.getExpr(), postUpdate) and c instanceof ElementContent
  )
  or
-  collectionStore(node1.asExpr(), node2.asExpr()) and c instanceof ElementContent
+  exists(StoreStepConfiguration x | hasNodePath(x, node1, node2) |
+    collectionStore(node1.asExpr(), node2.asExpr()) and c instanceof ElementContent
+  )
  or
-  exists(Call call |
-    node2 = TParamsArgumentNode(call.getControlFlowNode()) and
-    isParamsArg(call, node1.asExpr(), _) and
+  exists(StoreStepConfiguration x, Expr arg, ControlFlow::Node callCfn |
+    x.hasExprPath(arg, node1.(ExprNode).getControlFlowNode(), _, callCfn) and
+    node2 = TParamsArgumentNode(callCfn) and
+    isParamsArg(_, arg, _) and
    c instanceof ElementContent
  )
  or
@@ -2197,10 +2352,11 @@ predicate storeStep(Node node1, ContentSet c, Node node2) {
    c.isSingleton(cont)
  )
  or
-  exists(ExprNode node, boolean postUpdate |
+  exists(StoreStepConfiguration x, ExprNode node, boolean postUpdate |
+    hasNodePath(x, node1, node) and
    if postUpdate = true then node = node2.(PostUpdateNode).getPreUpdateNode() else node = node2
  |
-    fieldOrPropertyStore(c, node1.asExpr(), node.getExpr(), postUpdate)
+    fieldOrPropertyStore(_, c, node1.asExpr(), node.getExpr(), postUpdate)
  )
  or
  exists(Expr e |
@@ -2222,51 +2378,133 @@ predicate storeStep(Node node1, ContentSet c, Node node2) {
  storeStepDelegateCall(node1, c, node2)
 }

-private predicate readContentStep(Node node1, Content c, Node node2) {
-  arrayRead(node1.asExpr(), node2.asExpr()) and
-  c instanceof ElementContent
+pragma[nomagic]
+private predicate isAssignExprLValueDescendant(Expr e) {
+  e = any(AssignExpr ae).getLValue()
  or
-  exists(
-    ForeachStmt fs, Ssa::ExplicitDefinition def,
-    AssignableDefinitions::LocalVariableDefinition defTo
-  |
-    node1.asExpr() = fs.getIterableExpr() and
-    defTo.getDeclaration() = fs.getVariableDeclExpr() and
-    def.getADefinition() = defTo and
-    node2.(SsaDefinitionNode).getDefinition() = def and
-    c instanceof ElementContent
+  exists(Expr parent |
+    isAssignExprLValueDescendant(parent) and
+    e = parent.getAChildExpr()
  )
-  or
-  node1 =
-    any(InstanceParameterAccessPreNode n |
-      n.getUnderlyingControlFlowNode() = node2.(ExprNode).getControlFlowNode() and
-      n.getParameter() = c.(PrimaryConstructorParameterContent).getParameter()
-    ) and
-  node2.asExpr() instanceof ParameterRead
-  or
-  // node1 = (..., node2, ...)
-  // node1.ItemX flows to node2
-  exists(TupleExpr te, int i, Expr item |
-    te = node1.asExpr() and
-    not te.isConstruction() and
-    c.(FieldContent).getField() = te.getType().(TupleType).getElement(i).getUnboundDeclaration() and
-    // node1 = (..., item, ...)
-    te.getArgument(i) = item
-  |
-    // item = (..., ..., ...) in node1 = (..., (..., ..., ...), ...)
-    node2.asExpr().(TupleExpr) = item
+}
+
+private class ReadStepConfiguration extends ControlFlowReachabilityConfiguration {
+  ReadStepConfiguration() { this = "ReadStepConfiguration" }
+
+  override predicate candidate(
+    Expr e1, Expr e2, ControlFlowElement scope, boolean exactScope, boolean isSuccessor
+  ) {
+    exactScope = false and
+    isSuccessor = true and
+    fieldOrPropertyRead(e1, _, e2) and
+    scope = e2
    or
-    // item = variable in node1 = (..., variable, ...)
-    exists(AssignableDefinitions::TupleAssignmentDefinition tad |
-      node2.(AssignableDefinitionNode).getDefinition() = tad and
-      tad.getLeaf() = item
+    exactScope = false and
+    isSuccessor = true and
+    dynamicPropertyRead(e1, _, e2) and
+    scope = e2
+    or
+    exactScope = false and
+    isSuccessor = true and
+    arrayRead(e1, e2) and
+    scope = e2
+    or
+    exactScope = false and
+    e1 = e2.(AwaitExpr).getExpr() and
+    scope = e2 and
+    isSuccessor = true
+    or
+    exactScope = false and
+    e2 = e1.(TupleExpr).getAnArgument() and
+    scope = e1 and
+    isSuccessor = false
+  }
+
+  override predicate candidateDef(
+    Expr e, AssignableDefinition defTo, ControlFlowElement scope, boolean exactScope,
+    boolean isSuccessor
+  ) {
+    exists(ForeachStmt fs |
+      e = fs.getIterableExpr() and
+      defTo.(AssignableDefinitions::LocalVariableDefinition).getDeclaration() =
+        fs.getVariableDeclExpr() and
+      isSuccessor = true
+    |
+      scope = fs and
+      exactScope = true
+      or
+      scope = fs.getIterableExpr() and
+      exactScope = false
+      or
+      scope = fs.getVariableDeclExpr() and
+      exactScope = false
    )
    or
-    // item = variable in node1 = (..., variable, ...) in a case/is var (..., ...)
-    isPatternExprDescendant(te) and
-    exists(AssignableDefinitions::LocalVariableDefinition lvd |
-      node2.(AssignableDefinitionNode).getDefinition() = lvd and
-      lvd.getDeclaration() = item
+    scope =
+      any(AssignExpr ae |
+        ae = defTo.(AssignableDefinitions::TupleAssignmentDefinition).getAssignment() and
+        isAssignExprLValueDescendant(e.(TupleExpr)) and
+        exactScope = false and
+        isSuccessor = true
+      )
+    or
+    scope =
+      any(TupleExpr te |
+        te.getAnArgument() = defTo.(AssignableDefinitions::LocalVariableDefinition).getDeclaration() and
+        e = te and
+        exactScope = false and
+        isSuccessor = false
+      )
+  }
+}
+
+private predicate readContentStep(Node node1, Content c, Node node2) {
+  exists(ReadStepConfiguration x |
+    hasNodePath(x, node1, node2) and
+    arrayRead(node1.asExpr(), node2.asExpr()) and
+    c instanceof ElementContent
+    or
+    exists(ForeachStmt fs, Ssa::ExplicitDefinition def |
+      x.hasDefPath(fs.getIterableExpr(), node1.getControlFlowNode(), def.getADefinition(),
+        def.getControlFlowNode()) and
+      node2.(SsaDefinitionNode).getDefinition() = def and
+      c instanceof ElementContent
+    )
+    or
+    node1 =
+      any(InstanceParameterAccessPreNode n |
+        n.getUnderlyingControlFlowNode() = node2.(ExprNode).getControlFlowNode() and
+        n.getParameter() = c.(PrimaryConstructorParameterContent).getParameter()
+      ) and
+    node2.asExpr() instanceof ParameterRead
+    or
+    // node1 = (..., node2, ...)
+    // node1.ItemX flows to node2
+    exists(TupleExpr te, int i, Expr item |
+      te = node1.asExpr() and
+      not te.isConstruction() and
+      c.(FieldContent).getField() = te.getType().(TupleType).getElement(i).getUnboundDeclaration() and
+      // node1 = (..., item, ...)
+      te.getArgument(i) = item
+    |
+      // item = (..., ..., ...) in node1 = (..., (..., ..., ...), ...)
+      node2.asExpr().(TupleExpr) = item and
+      hasNodePath(x, node1, node2)
+      or
+      // item = variable in node1 = (..., variable, ...)
+      exists(AssignableDefinitions::TupleAssignmentDefinition tad |
+        node2.(AssignableDefinitionNode).getDefinition() = tad and
+        tad.getLeaf() = item and
+        hasNodePath(x, node1, node2)
+      )
+      or
+      // item = variable in node1 = (..., variable, ...) in a case/is var (..., ...)
+      isPatternExprDescendant(te) and
+      exists(AssignableDefinitions::LocalVariableDefinition lvd |
+        node2.(AssignableDefinitionNode).getDefinition() = lvd and
+        lvd.getDeclaration() = item and
+        hasNodePath(x, node1, node2)
+      )
    )
  )
  or
@@ -2297,12 +2535,14 @@ predicate readStep(Node node1, ContentSet c, Node node2) {
    c.isSingleton(cont)
  )
  or
-  fieldOrPropertyRead(node1.asExpr(), c, node2.asExpr())
-  or
-  dynamicPropertyRead(node1.asExpr(), c, node2.asExpr())
-  or
-  node2.asExpr().(AwaitExpr).getExpr() = node1.asExpr() and
-  c = getResultContent()
+  exists(ReadStepConfiguration x | hasNodePath(x, node1, node2) |
+    fieldOrPropertyRead(node1.asExpr(), c, node2.asExpr())
+    or
+    dynamicPropertyRead(node1.asExpr(), c, node2.asExpr())
+    or
+    node2.asExpr().(AwaitExpr).getExpr() = node1.asExpr() and
+    c = getResultContent()
+  )
  or
  FlowSummaryImpl::Private::Steps::summaryReadStep(node1.(FlowSummaryNode).getSummaryNode(), c,
    node2.(FlowSummaryNode).getSummaryNode())
@@ -2336,9 +2576,9 @@ predicate clearsContent(Node n, ContentSet c) {
    c.isSingleton(cont)
  )
  or
-  fieldOrPropertyStore(c, _, n.asExpr(), true)
+  fieldOrPropertyStore(_, c, _, n.asExpr(), true)
  or
-  fieldOrPropertyStore(c, _, n.(ObjectInitializerNode).getInitializer(), false)
+  fieldOrPropertyStore(_, c, _, n.(ObjectInitializerNode).getInitializer(), false)
  or
  FlowSummaryImpl::Private::Steps::summaryClearsContent(n.(FlowSummaryNode).getSummaryNode(), c)
  or
@@ -2577,13 +2817,8 @@ module PostUpdateNodes {

    override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
      pos.isQualifier() and
-      exists(ObjectOrCollectionInitializer init | init = oc.getInitializer() |
-        // E.g. `new Dictionary<int, string>{ {0, "a"}, {1, "b"} }`
-        call.getExpr() = init.(CollectionInitializer).getAnElementInitializer()
-        or
-        // E.g. `new Dictionary<int, string>() { [0] = "a", [1] = "b" }`
-        call.getExpr() = init.(ObjectInitializer).getAMemberInitializer().getLValue()
-      )
+      any(ObjectOrCollectionInitializerConfiguration x)
+          .hasExprPath(_, cfn, _, call.getControlFlowNode())
    }

    override DataFlowCallable getEnclosingCallableImpl() {
@@ -2745,26 +2980,45 @@ private predicate isLocalFunctionCallReceiver(
  f = receiver.getTarget().getUnboundDeclaration()
 }

-private predicate lambdaCallExpr(DataFlowCall call, Expr receiver, ControlFlow::Node receiverCfn) {
-  exists(DelegateLikeCall dc |
-    call.(ExplicitDelegateLikeDataFlowCall).getCall() = dc and
-    receiver = dc.getExpr() and
-    receiverCfn = receiver.getControlFlowNode()
+private class LambdaConfiguration extends ControlFlowReachabilityConfiguration {
+  LambdaConfiguration() { this = "LambdaConfiguration" }
+
+  override predicate candidate(
+    Expr e1, Expr e2, ControlFlowElement scope, boolean exactScope, boolean isSuccessor
+  ) {
+    e1 = e2.(DelegateLikeCall).getExpr() and
+    exactScope = false and
+    scope = e2 and
+    isSuccessor = true
+    or
+    e1 = e2.(DelegateCreation).getArgument() and
+    exactScope = false and
+    scope = e2 and
+    isSuccessor = true
+    or
+    isLocalFunctionCallReceiver(e2, e1, _) and
+    exactScope = false and
+    scope = e2 and
+    isSuccessor = true
+  }
+}
+
+private predicate lambdaCallExpr(DataFlowCall call, ControlFlow::Node receiver) {
+  exists(LambdaConfiguration x, DelegateLikeCall dc |
+    x.hasExprPath(dc.getExpr(), receiver, dc, call.getControlFlowNode())
  )
  or
  // In local function calls, `F()`, we use the local function access `F`
  // to represent the receiver. Only needed for flow through captured variables.
-  exists(LocalFunctionCall fc |
-    receiver = fc.getAChild() and
-    receiverCfn = receiver.getControlFlowNode() and
-    fc.getControlFlowNode() = call.getControlFlowNode()
+  exists(LambdaConfiguration x, LocalFunctionCall fc |
+    x.hasExprPath(fc.getAChild(), receiver, fc, call.getControlFlowNode())
  )
 }

 /** Holds if `call` is a lambda call where `receiver` is the lambda expression. */
 predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
  (
-    lambdaCallExpr(call, receiver.asExpr(), _) and
+    lambdaCallExpr(call, receiver.(ExprNode).getControlFlowNode()) and
    // local function calls can be resolved directly without a flow analysis
    not call.getControlFlowNode().getAstNode() instanceof LocalFunctionCall
    or
@@ -2774,9 +3028,9 @@ predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
 }

 private predicate delegateCreationStep(Node nodeFrom, Node nodeTo) {
-  exists(DelegateCreation dc |
-    dc.getArgument() = nodeFrom.asExpr() and
-    dc = nodeTo.asExpr()
+  exists(LambdaConfiguration x, DelegateCreation dc |
+    x.hasExprPath(dc.getArgument(), nodeFrom.(ExprNode).getControlFlowNode(), dc,
+      nodeTo.(ExprNode).getControlFlowNode())
  )
 }

--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll
@@ -4,6 +4,7 @@ private import FlowSummaryImpl as FlowSummaryImpl
 private import semmle.code.csharp.Caching
 private import semmle.code.csharp.dataflow.internal.DataFlowDispatch
 private import semmle.code.csharp.dataflow.internal.DataFlowPrivate
+private import semmle.code.csharp.dataflow.internal.ControlFlowReachability
 private import semmle.code.csharp.dispatch.Dispatch
 private import semmle.code.csharp.commons.ComparisonTest
 // import `TaintedMember` definitions from other files to avoid potential reevaluation
@@ -44,58 +45,82 @@ predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet c)
  )
 }

-private predicate localTaintExprStep(Expr e1, Expr e2) {
-  e1 = e2.(ElementAccess).getQualifier()
-  or
-  e1 = e2.(AddExpr).getAnOperand()
-  or
-  // A comparison expression where taint can flow from one of the
-  // operands if the other operand is a constant value.
-  exists(ComparisonTest ct, Expr other |
-    ct.getExpr() = e2 and
-    e1 = ct.getAnArgument() and
-    other = ct.getAnArgument() and
-    other.stripCasts().hasValue() and
-    e1 != other
+private class LocalTaintExprStepConfiguration extends ControlFlowReachabilityConfiguration {
+  LocalTaintExprStepConfiguration() { this = "LocalTaintExprStepConfiguration" }
+
+  override predicate candidate(
+    Expr e1, Expr e2, ControlFlowElement scope, boolean exactScope, boolean isSuccessor
+  ) {
+    exactScope = false and
+    isSuccessor = true and
+    (
+      e1 = e2.(ElementAccess).getQualifier() and
+      scope = e2
+      or
+      e1 = e2.(AddExpr).getAnOperand() and
+      scope = e2
+      or
+      // A comparison expression where taint can flow from one of the
+      // operands if the other operand is a constant value.
+      exists(ComparisonTest ct, Expr other |
+        ct.getExpr() = e2 and
+        e1 = ct.getAnArgument() and
+        other = ct.getAnArgument() and
+        other.stripCasts().hasValue() and
+        e1 != other and
+        scope = e2
+      )
+      or
+      e1 = e2.(UnaryLogicalOperation).getAnOperand() and
+      scope = e2
+      or
+      e1 = e2.(BinaryLogicalOperation).getAnOperand() and
+      scope = e2
+      or
+      e1 = e2.(InterpolatedStringExpr).getAChild() and
+      scope = e2
+      or
+      e1 = e2.(InterpolatedStringInsertExpr).getInsert() and
+      scope = e2
+      or
+      e2 =
+        any(OperatorCall oc |
+          oc.getTarget().(ConversionOperator).fromLibrary() and
+          e1 = oc.getAnArgument() and
+          scope = e2
+        )
+      or
+      e1 = e2.(AwaitExpr).getExpr() and
+      scope = e2
+      or
+      // Taint flows from the operand of a cast to the cast expression if the cast is to an interpolated string handler.
+      e2 =
+        any(CastExpr ce |
+          e1 = ce.getExpr() and
+          scope = ce and
+          ce.getTargetType()
+              .(Attributable)
+              .getAnAttribute()
+              .getType()
+              .hasFullyQualifiedName("System.Runtime.CompilerServices",
+                "InterpolatedStringHandlerAttribute")
+        )
+    )
+  }
+}
+
+private ControlFlow::Nodes::ExprNode getALastEvalNode(ControlFlow::Nodes::ExprNode cfn) {
+  exists(OperatorCall oc | any(LocalTaintExprStepConfiguration x).hasExprPath(_, result, oc, cfn) |
+    oc.getTarget() instanceof ImplicitConversionOperator
  )
-  or
-  e1 = e2.(UnaryLogicalOperation).getAnOperand()
-  or
-  e1 = e2.(BinaryLogicalOperation).getAnOperand()
-  or
-  e1 = e2.(InterpolatedStringExpr).getAChild()
-  or
-  e1 = e2.(InterpolatedStringInsertExpr).getInsert()
-  or
-  e2 =
-    any(OperatorCall oc |
-      oc.getTarget().(ConversionOperator).fromLibrary() and
-      e1 = oc.getAnArgument()
-    )
-  or
-  e1 = e2.(AwaitExpr).getExpr()
-  or
-  // Taint flows from the operand of a cast to the cast expression if the cast is to an interpolated string handler.
-  e2 =
-    any(CastExpr ce |
-      e1 = ce.getExpr() and
-      ce.getTargetType()
-          .(Attributable)
-          .getAnAttribute()
-          .getType()
-          .hasFullyQualifiedName("System.Runtime.CompilerServices",
-            "InterpolatedStringHandlerAttribute")
-    )
 }

-private Expr getALastEvalNode(OperatorCall oc) {
-  localTaintExprStep(result, oc) and oc.getTarget() instanceof ImplicitConversionOperator
+private ControlFlow::Nodes::ExprNode getPostUpdateReverseStep(ControlFlow::Nodes::ExprNode e) {
+  result = getALastEvalNode(e)
 }

-private Expr getPostUpdateReverseStep(Expr e) { result = getALastEvalNode(e) }
-
 private predicate localTaintStepCommon(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-  localTaintExprStep(nodeFrom.asExpr(), nodeTo.asExpr())
+  hasNodePath(any(LocalTaintExprStepConfiguration x), nodeFrom, nodeTo)
 }

 cached
@@ -166,8 +191,12 @@ private module Cached {
      // Allow reverse update flow for implicit conversion operator calls.
      // This is needed to support flow out of method call arguments, where an implicit conversion is applied
      // to a call argument.
-      nodeTo.(PostUpdateNode).getPreUpdateNode().asExpr() =
-        getPostUpdateReverseStep(nodeFrom.(PostUpdateNode).getPreUpdateNode().asExpr())
+      nodeTo.(PostUpdateNode).getPreUpdateNode().(DataFlow::ExprNode).getControlFlowNode() =
+        getPostUpdateReverseStep(nodeFrom
+              .(PostUpdateNode)
+              .getPreUpdateNode()
+              .(DataFlow::ExprNode)
+              .getControlFlowNode())
    ) and
    model = ""
    or
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ControlFlowReachability.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ControlFlowReachability.qll
@@ -0,0 +1,246 @@
+import csharp
+
+private class ControlFlowScope extends ControlFlowElement {
+  private boolean exactScope;
+
+  ControlFlowScope() {
+    exists(ControlFlowReachabilityConfiguration c |
+      c.candidate(_, _, this, exactScope, _) or
+      c.candidateDef(_, _, this, exactScope, _)
+    )
+  }
+
+  predicate isExact() { exactScope = true }
+
+  predicate isNonExact() { exactScope = false }
+}
+
+private newtype TControlFlowElementOrBasicBlock =
+  TControlFlowElement(ControlFlowElement cfe) or
+  TBasicBlock(ControlFlow::BasicBlock bb)
+
+class ControlFlowElementOrBasicBlock extends TControlFlowElementOrBasicBlock {
+  ControlFlowElement asControlFlowElement() { this = TControlFlowElement(result) }
+
+  ControlFlow::BasicBlock asBasicBlock() { this = TBasicBlock(result) }
+
+  string toString() {
+    result = this.asControlFlowElement().toString()
+    or
+    result = this.asBasicBlock().toString()
+  }
+
+  Location getLocation() {
+    result = this.asControlFlowElement().getLocation()
+    or
+    result = this.asBasicBlock().getLocation()
+  }
+}
+
+private predicate isBasicBlock(ControlFlowElementOrBasicBlock c) { c instanceof TBasicBlock }
+
+private predicate isNonExactScope(ControlFlowElementOrBasicBlock c) {
+  c.asControlFlowElement().(ControlFlowScope).isNonExact()
+}
+
+private predicate step(ControlFlowElementOrBasicBlock pred, ControlFlowElementOrBasicBlock succ) {
+  pred.asBasicBlock().getANode().getAstNode() = succ.asControlFlowElement()
+  or
+  pred.asControlFlowElement() = succ.asControlFlowElement().getAChild()
+}
+
+private predicate basicBlockInNonExactScope(
+  ControlFlowElementOrBasicBlock bb, ControlFlowElementOrBasicBlock scope
+) = doublyBoundedFastTC(step/2, isBasicBlock/1, isNonExactScope/1)(bb, scope)
+
+pragma[noinline]
+private ControlFlow::BasicBlock getABasicBlockInScope(ControlFlowScope scope, boolean exactScope) {
+  basicBlockInNonExactScope(TBasicBlock(result), TControlFlowElement(scope)) and
+  exactScope = false
+  or
+  scope.isExact() and
+  result.getANode().getAstNode() = scope and
+  exactScope = true
+}
+
+/**
+ * A helper class for determining control-flow reachability for pairs of
+ * elements.
+ *
+ * This is useful when defining for example expression-based data-flow steps in
+ * the presence of control-flow splitting, where a data-flow step should make
+ * sure to stay in the same split.
+ *
+ * For example, in
+ *
+ * ```csharp
+ * if (b)
+ *     ....
+ * var x = "foo";
+ * if (b)
+ *     ....
+ * ```
+ *
+ * there should only be steps from `[b = true] "foo"` to `[b = true] SSA def(x)`
+ * and `[b = false] "foo"` to `[b = false] SSA def(x)`, and for example not from
+ * `[b = true] "foo"` to `[b = false] SSA def(x)`
+ */
+abstract class ControlFlowReachabilityConfiguration extends string {
+  bindingset[this]
+  ControlFlowReachabilityConfiguration() { any() }
+
+  /**
+   * Holds if `e1` and `e2` are expressions for which we want to find a
+   * control-flow path that follows control flow successors (resp.
+   * predecessors, as specified by `isSuccessor`) inside the syntactic scope
+   * `scope`. The Boolean `exactScope` indicates whether a transitive child
+   * of `scope` is allowed (`exactScope = false`).
+   */
+  predicate candidate(
+    Expr e1, Expr e2, ControlFlowElement scope, boolean exactScope, boolean isSuccessor
+  ) {
+    none()
+  }
+
+  /**
+   * Holds if `e` and `def` are elements for which we want to find a
+   * control-flow path that follows control flow successors (resp.
+   * predecessors, as specified by `isSuccessor`) inside the syntactic scope
+   * `scope`. The Boolean `exactScope` indicates whether a transitive child
+   * of `scope` is allowed (`exactScope = false`).
+   */
+  predicate candidateDef(
+    Expr e, AssignableDefinition def, ControlFlowElement scope, boolean exactScope,
+    boolean isSuccessor
+  ) {
+    none()
+  }
+
+  pragma[nomagic]
+  private predicate reachesBasicBlockExprBase(
+    Expr e1, Expr e2, boolean isSuccessor, ControlFlow::Nodes::ElementNode cfn1, int i,
+    ControlFlow::BasicBlock bb
+  ) {
+    this.candidate(e1, e2, _, _, isSuccessor) and
+    cfn1 = e1.getAControlFlowNode() and
+    bb.getNode(i) = cfn1
+  }
+
+  pragma[nomagic]
+  private predicate reachesBasicBlockExprRec(
+    Expr e1, Expr e2, boolean isSuccessor, ControlFlow::Nodes::ElementNode cfn1,
+    ControlFlow::BasicBlock bb
+  ) {
+    exists(ControlFlow::BasicBlock mid |
+      this.reachesBasicBlockExpr(e1, e2, isSuccessor, cfn1, mid)
+    |
+      isSuccessor = true and
+      bb = mid.getASuccessor()
+      or
+      isSuccessor = false and
+      bb = mid.getAPredecessor()
+    )
+  }
+
+  pragma[nomagic]
+  private predicate reachesBasicBlockExpr(
+    Expr e1, Expr e2, boolean isSuccessor, ControlFlow::Nodes::ElementNode cfn1,
+    ControlFlow::BasicBlock bb
+  ) {
+    this.reachesBasicBlockExprBase(e1, e2, isSuccessor, cfn1, _, bb)
+    or
+    exists(ControlFlowElement scope, boolean exactScope |
+      this.candidate(e1, e2, scope, exactScope, isSuccessor) and
+      this.reachesBasicBlockExprRec(e1, e2, isSuccessor, cfn1, bb) and
+      bb = getABasicBlockInScope(scope, exactScope)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate reachesBasicBlockDefinitionBase(
+    Expr e, AssignableDefinition def, boolean isSuccessor, ControlFlow::Nodes::ElementNode cfn,
+    int i, ControlFlow::BasicBlock bb
+  ) {
+    this.candidateDef(e, def, _, _, isSuccessor) and
+    cfn = e.getAControlFlowNode() and
+    bb.getNode(i) = cfn
+  }
+
+  pragma[nomagic]
+  private predicate reachesBasicBlockDefinitionRec(
+    Expr e, AssignableDefinition def, boolean isSuccessor, ControlFlow::Nodes::ElementNode cfn,
+    ControlFlow::BasicBlock bb
+  ) {
+    exists(ControlFlow::BasicBlock mid |
+      this.reachesBasicBlockDefinition(e, def, isSuccessor, cfn, mid)
+    |
+      isSuccessor = true and
+      bb = mid.getASuccessor()
+      or
+      isSuccessor = false and
+      bb = mid.getAPredecessor()
+    )
+  }
+
+  pragma[nomagic]
+  private predicate reachesBasicBlockDefinition(
+    Expr e, AssignableDefinition def, boolean isSuccessor, ControlFlow::Nodes::ElementNode cfn,
+    ControlFlow::BasicBlock bb
+  ) {
+    this.reachesBasicBlockDefinitionBase(e, def, isSuccessor, cfn, _, bb)
+    or
+    exists(ControlFlowElement scope, boolean exactScope |
+      this.candidateDef(e, def, scope, exactScope, isSuccessor) and
+      this.reachesBasicBlockDefinitionRec(e, def, isSuccessor, cfn, bb) and
+      bb = getABasicBlockInScope(scope, exactScope)
+    )
+  }
+
+  /**
+   * Holds if there is a control-flow path from `cfn1` to `cfn2`, where `cfn1` is a
+   * control-flow node for `e1` and `cfn2` is a control-flow node for `e2`.
+   */
+  pragma[nomagic]
+  predicate hasExprPath(Expr e1, ControlFlow::Node cfn1, Expr e2, ControlFlow::Node cfn2) {
+    exists(ControlFlow::BasicBlock bb, boolean isSuccessor, int i, int j |
+      this.reachesBasicBlockExprBase(e1, e2, isSuccessor, cfn1, i, bb) and
+      cfn2 = bb.getNode(j) and
+      cfn2 = e2.getAControlFlowNode()
+    |
+      isSuccessor = true and j >= i
+      or
+      isSuccessor = false and i >= j
+    )
+    or
+    exists(ControlFlow::BasicBlock bb |
+      this.reachesBasicBlockExprRec(e1, e2, _, cfn1, bb) and
+      cfn2 = bb.getANode() and
+      cfn2 = e2.getAControlFlowNode()
+    )
+  }
+
+  /**
+   * Holds if there is a control-flow path from `cfn` to `cfnDef`, where `cfn` is a
+   * control-flow node for `e` and `cfnDef` is a control-flow node for `def`.
+   */
+  pragma[nomagic]
+  predicate hasDefPath(
+    Expr e, ControlFlow::Node cfn, AssignableDefinition def, ControlFlow::Node cfnDef
+  ) {
+    exists(ControlFlow::BasicBlock bb, boolean isSuccessor, int i, int j |
+      this.reachesBasicBlockDefinitionBase(e, def, isSuccessor, cfn, i, bb) and
+      cfnDef = bb.getNode(j) and
+      def.getExpr().getAControlFlowNode() = cfnDef
+    |
+      isSuccessor = true and j >= i
+      or
+      isSuccessor = false and i >= j
+    )
+    or
+    exists(ControlFlow::BasicBlock bb |
+      this.reachesBasicBlockDefinitionRec(e, def, _, cfn, bb) and
+      def.getExpr().getAControlFlowNode() = cfnDef and
+      cfnDef = bb.getANode()
+    )
+  }
+}
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/RangeUtils.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/RangeUtils.qll
@@ -8,14 +8,26 @@ private module Impl {
  private import ConstantUtils
  private import SsaReadPositionCommon
  private import semmle.code.csharp.controlflow.Guards as G
+  private import ControlFlowReachability

  private class ExprNode = ControlFlow::Nodes::ExprNode;

+  private class ExprChildReachability extends ControlFlowReachabilityConfiguration {
+    ExprChildReachability() { this = "ExprChildReachability" }
+
+    override predicate candidate(
+      Expr e1, Expr e2, ControlFlowElement scope, boolean exactScope, boolean isSuccessor
+    ) {
+      e2 = e1.getAChild() and
+      scope = e1 and
+      exactScope = false and
+      isSuccessor in [false, true]
+    }
+  }
+
  /** Holds if `parent` having child `child` implies `parentNode` having child `childNode`. */
  predicate hasChild(Expr parent, Expr child, ExprNode parentNode, ExprNode childNode) {
-    parent.getAChild() = child and
-    parentNode = parent.getControlFlowNode() and
-    childNode = child.getControlFlowNode()
+    any(ExprChildReachability x).hasExprPath(parent, parentNode, child, childNode)
  }

  /** Holds if SSA definition `def` equals `e + delta`. */
--- a/csharp/ql/src/CHANGELOG.md
+++ b/csharp/ql/src/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 1.6.4
-
-No user-facing changes.
-
 ## 1.6.3

 No user-facing changes.
--- a/Features/CWE-079/XSS.ql
+++ b/Features/CWE-079/XSS.ql
@@ -4,7 +4,7 @@
 *              allows for a cross-site scripting vulnerability.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 7.8
+ * @security-severity 6.1
 * @precision high
 * @id cs/web/xss
 * @tags security
--- a/Features/CWE-117/LogForging.ql
+++ b/Features/CWE-117/LogForging.ql
@@ -4,7 +4,7 @@
 *              insertion of forged log entries by a malicious user.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
 * @precision high
 * @id cs/log-forging
 * @tags security
--- a/csharp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
+++ b/csharp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
@@ -1,5 +0,0 @@
---
-category: queryMetadata
---
-* The `@security-severity` metadata of `cs/log-forging` has been reduced from 7.8 (high) to 6.1 (medium).
-* The `@security-severity` metadata of `cs/web/xss` has been increased from 6.1 (medium) to 7.8 (high).
--- a/csharp/ql/src/change-notes/released/1.6.4.md
+++ b/csharp/ql/src/change-notes/released/1.6.4.md
@@ -1,3 +0,0 @@
-## 1.6.4
-
-No user-facing changes.
--- a/csharp/ql/src/codeql-pack.release.yml
+++ b/csharp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.4
+lastReleaseVersion: 1.6.3
--- a/csharp/ql/src/qlpack.yml
+++ b/csharp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.6.5-dev
+version: 1.6.4-dev
 groups:
  - csharp
  - queries
--- a/csharp/ql/test/library-tests/csharp7/LocalTaintFlow.expected
+++ b/csharp/ql/test/library-tests/csharp7/LocalTaintFlow.expected
@@ -26,7 +26,6 @@
 | CSharp7.cs:31:16:31:16 | access to parameter i | CSharp7.cs:31:16:31:20 | ... > ... |
 | CSharp7.cs:31:16:31:16 | access to parameter i | CSharp7.cs:31:24:31:24 | access to parameter i |
 | CSharp7.cs:31:24:31:24 | access to parameter i | CSharp7.cs:31:16:31:59 | ... ? ... : ... |
-| CSharp7.cs:31:28:31:59 | throw ... | CSharp7.cs:31:16:31:59 | ... ? ... : ... |
 | CSharp7.cs:35:7:35:18 | this | CSharp7.cs:35:7:35:18 | this access |
 | CSharp7.cs:39:9:39:9 | access to parameter x | CSharp7.cs:39:9:39:21 | SSA def(x) |
 | CSharp7.cs:39:13:39:21 | "tainted" | CSharp7.cs:39:9:39:9 | access to parameter x |
@@ -254,7 +253,6 @@
 | CSharp7.cs:233:13:233:13 | access to local variable o | CSharp7.cs:235:13:235:42 | [input] SSA phi read(o) |
 | CSharp7.cs:233:13:233:13 | access to local variable o | CSharp7.cs:237:18:237:18 | access to local variable o |
 | CSharp7.cs:233:13:233:23 | [false] ... is ... | CSharp7.cs:233:13:233:33 | [false] ... && ... |
-| CSharp7.cs:233:13:233:23 | [false] ... is ... | CSharp7.cs:233:13:233:33 | [true] ... && ... |
 | CSharp7.cs:233:13:233:23 | [true] ... is ... | CSharp7.cs:233:13:233:33 | [false] ... && ... |
 | CSharp7.cs:233:13:233:23 | [true] ... is ... | CSharp7.cs:233:13:233:33 | [true] ... && ... |
 | CSharp7.cs:233:18:233:23 | Int32 i1 | CSharp7.cs:233:18:233:23 | SSA def(i1) |
@@ -340,8 +338,6 @@
 | CSharp7.cs:297:35:297:35 | access to local variable x | CSharp7.cs:297:40:297:44 | Int32 y |
 | CSharp7.cs:297:35:297:35 | access to local variable x | CSharp7.cs:297:49:297:49 | access to local variable x |
 | CSharp7.cs:297:35:297:44 | [false] ... is ... | CSharp7.cs:297:25:297:44 | [false] ... && ... |
-| CSharp7.cs:297:35:297:44 | [false] ... is ... | CSharp7.cs:297:25:297:44 | [true] ... && ... |
-| CSharp7.cs:297:35:297:44 | [true] ... is ... | CSharp7.cs:297:25:297:44 | [false] ... && ... |
 | CSharp7.cs:297:35:297:44 | [true] ... is ... | CSharp7.cs:297:25:297:44 | [true] ... && ... |
 | CSharp7.cs:297:40:297:44 | Int32 y | CSharp7.cs:297:40:297:44 | SSA def(y) |
 | CSharp7.cs:297:40:297:44 | SSA def(y) | CSharp7.cs:299:31:299:31 | access to local variable y |
--- a/csharp/ql/test/library-tests/dispatch/CallGraph.expected
+++ b/csharp/ql/test/library-tests/dispatch/CallGraph.expected
@@ -24,7 +24,6 @@
 | ExactCallable.cs:15:25:15:35 | Run`2 | ExactCallable.cs:172:21:172:33 | MethodWithOut |
 | ExactCallable.cs:15:25:15:35 | Run`2 | ExactCallable.cs:177:21:177:34 | MethodWithOut2 |
 | ExactCallable.cs:182:21:182:22 | M1 | ExactCallable.cs:187:21:187:22 | M2 |
-| TypeFlow.cs:3:7:3:14 | <object initializer> | TypeFlow.cs:22:20:22:22 | set_Prop |
 | TypeFlow.cs:5:5:5:12 | TypeFlow | TypeFlow.cs:24:10:24:12 | Run |
 | TypeFlow.cs:24:10:24:12 | Run | TypeFlow.cs:12:29:12:34 | Method |
 | TypeFlow.cs:24:10:24:12 | Run | TypeFlow.cs:17:30:17:35 | Method |
--- a/csharp/ql/test/library-tests/structuralcomparison/structuralComparison.expected
+++ b/csharp/ql/test/library-tests/structuralcomparison/structuralComparison.expected
@@ -56,11 +56,11 @@ gvn
 | StructuralComparison.cs:3:14:3:18 | this access | (kind:Expr(12),false,Class) |
 | StructuralComparison.cs:3:14:3:18 | {...} | (kind:Stmt(1)) |
 | StructuralComparison.cs:5:26:5:26 | access to field x | (kind:Expr(16),true,x) |
-| StructuralComparison.cs:5:26:5:26 | this access | (kind:Expr(12),false,Class) |
+| StructuralComparison.cs:5:26:5:26 | this access | (kind:Expr(12)) |
 | StructuralComparison.cs:5:26:5:30 | ... = ... | ((kind:Expr(16),true,x) :: (0 :: (kind:Expr(63)))) |
 | StructuralComparison.cs:5:30:5:30 | 0 | 0 |
 | StructuralComparison.cs:6:26:6:26 | access to field y | (kind:Expr(16),true,y) |
-| StructuralComparison.cs:6:26:6:26 | this access | (kind:Expr(12),false,Class) |
+| StructuralComparison.cs:6:26:6:26 | this access | (kind:Expr(12)) |
 | StructuralComparison.cs:6:26:6:30 | ... = ... | ((kind:Expr(16),true,y) :: (1 :: (kind:Expr(63)))) |
 | StructuralComparison.cs:6:30:6:30 | 1 | 1 |
 | StructuralComparison.cs:8:24:8:24 | 0 | 0 |
--- a/docs/codeql/codeql-language-guides/customizing-library-models-for-javascript.rst
+++ b/docs/codeql/codeql-language-guides/customizing-library-models-for-javascript.rst
@@ -406,7 +406,7 @@ Adds a new taint source. Most taint-tracking queries will use the new source.

 - **type**: Name of a type from which to evaluate **path**.
 - **path**: Access path leading to the source.
- **kind**: Kind of source to add. See the section on source kinds for a list of supported kinds.
+- **kind**: Kind of source to add. Currently only **remote** is used.

 Example:

@@ -553,16 +553,7 @@ Kinds
 Source kinds
 ~~~~~~~~~~~~

- **remote**: A general source of remote flow.
- **browser**: A source in the browser environment that does not fit a more specific browser kind.
- **browser-url-query**: A source derived from the query parameters of the browser URL, such as ``location.search``.
- **browser-url-fragment**: A source derived from the fragment part of the browser URL, such as ``location.hash``.
- **browser-url-path**: A source derived from the pathname of the browser URL, such as ``location.pathname``.
- **browser-url**: A source derived from the browser URL, where the untrusted part is prefixed by trusted data such as the scheme and hostname.
- **browser-window-name**: A source derived from the window name, such as ``window.name``.
- **browser-message-event**: A source derived from cross-window message passing, such as ``event`` in ``window.onmessage = event => {...}``.
-
-See also :ref:`Threat models <threat-models-javascript>`.
+See documentation below for :ref:`Threat models <threat-models-javascript>`.

 Sink kinds
 ~~~~~~~~~~
--- a/go/extractor/go.mod
+++ b/go/extractor/go.mod
@@ -9,8 +9,8 @@ toolchain go1.26.0
 // when adding or removing dependencies, run
 //    bazel mod tidy
 require (
-	golang.org/x/mod v0.34.0
-	golang.org/x/tools v0.43.0
+	golang.org/x/mod v0.33.0
+	golang.org/x/tools v0.42.0
 )

 require github.com/stretchr/testify v1.11.1
@@ -18,6 +18,6 @@ require github.com/stretchr/testify v1.11.1
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	golang.org/x/sync v0.20.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/go/extractor/go.sum
+++ b/go/extractor/go.sum
@@ -6,12 +6,12 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI=
-golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY=
-golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
-golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
-golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s=
-golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0=
+golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
+golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
+golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
--- a/go/ql/consistency-queries/CHANGELOG.md
+++ b/go/ql/consistency-queries/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 1.0.44
-
-No user-facing changes.
-
 ## 1.0.43

 No user-facing changes.
--- a/go/ql/consistency-queries/change-notes/released/1.0.44.md
+++ b/go/ql/consistency-queries/change-notes/released/1.0.44.md
@@ -1,3 +0,0 @@
-## 1.0.44
-
-No user-facing changes.
--- a/go/ql/consistency-queries/codeql-pack.release.yml
+++ b/go/ql/consistency-queries/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.44
+lastReleaseVersion: 1.0.43
--- a/go/ql/consistency-queries/qlpack.yml
+++ b/go/ql/consistency-queries/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 1.0.45-dev
+version: 1.0.44-dev
 groups:
  - go
  - queries
--- a/go/ql/lib/CHANGELOG.md
+++ b/go/ql/lib/CHANGELOG.md
@@ -1,9 +1,3 @@
-## 7.0.2
-
-### Minor Analysis Improvements
-
-* Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.
-
 ## 7.0.1

 No user-facing changes.
--- a/go/ql/lib/Customizations.qll
+++ b/go/ql/lib/Customizations.qll
@@ -8,7 +8,5 @@
 * `FileSystemAccess`, or the `Source` and `Sink` classes associated with the security queries
 * to model frameworks that are not covered by the standard library.
 */
-overlay[local?]
-module;

 import go
--- a/go/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md
+++ b/go/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md
@@ -1,9 +1,4 @@
-## 6.3.0
-
-### Major Analysis Improvements
-
-* Upgraded to allow analysis of Swift 6.2.4.
-
-### Minor Analysis Improvements
-
+---
+category: minorAnalysis
+---
 * Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.
--- a/go/ql/lib/codeql-pack.release.yml
+++ b/go/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 7.0.2
+lastReleaseVersion: 7.0.1
--- a/go/ql/lib/go.qll
+++ b/go/ql/lib/go.qll
@@ -1,8 +1,6 @@
 /**
 * Provides classes for working with Go programs.
 */
-overlay[local?]
-module;

 import Customizations
 import semmle.go.Architectures
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Taus	3e6e7295c2	Python: Remove some FPs for ContainsNonContainer.ql First fix handles the case where there's interference from a class-based decorator on a function. In this case, _technically_ we have an instance of the decorator class, but in practice this decorator will (hopefully) forward all accesses to the thing it wraps. The second fix has to do with methods that are added dynamically using `setattr`. In this case, we cannot be sure that the relevant methods are actually missing.	2026-03-16 14:36:29 +00:00
Taus	c6a7aa2c06	Python: Exclude iterators guarded by `isinstance` checks A common pattern is to check `isinstance(it, (list, tuple)` before proceeding with the iteration.	2026-03-16 14:33:59 +00:00
Taus	db8b9905cd	Python: Add change note	2026-03-13 16:36:36 +00:00
Taus	1a1f083383	Python: Add `DuckTyping::hasUnreliableMro` The relative simplicity of the MRO computation in `DataFlowDispatch` was causing quite a lot of FPs to appear for the "wrong number/name of arguments in class instantiation" queries. The easiest fix was to just exclude cases where we know the MRO computation will be imprecise -- when there are superclasses with multiple inheritance or unknown bases.	2026-03-11 16:59:22 +00:00
Taus	b9ad2b6bd9	Python: Port DocStrings.ql	2026-03-11 16:59:21 +00:00
Taus	db2132a5b5	Python: Port DeprecatedSliceMethod.ql Only trivial test changes.	2026-03-11 16:59:21 +00:00
Taus	3f16ca7016	Python: Extend DuckTyping module Adds `overridesMethod` and `isPropertyAccessor`.	2026-03-11 16:59:21 +00:00
Taus	f1dca5d072	Python: Remove missing results These results are missing because we no longer (unlike the points-to analysis) track how many elements a given tuple has. This is something we might want to implement in the future (most likely through an `int`-indexed type tracker).	2026-03-11 16:59:21 +00:00
Taus	6cbb26e8cb	Python: Port WrongNumberArgumentsInClassInstantiation.ql Included test changes are trivial `toString` changes.	2026-03-11 16:59:21 +00:00
Taus	ccf02e8ead	Python: Port WrongNameForArgumentInClassInstantiation.ql	2026-03-11 16:59:21 +00:00
Taus	7ef9119042	Python: Port ShouldBeContextManager.ql Only trivial test changes.	2026-03-11 16:59:20 +00:00
Taus	ebeff95cdf	Python: Port UselessClass.ql No test changes.	2026-03-11 16:59:20 +00:00
Taus	f953cca6d8	Python: Port HashedButNoHash.ql This one is a bit more involved. Of note is the fact that it at present only uses local flow when determining the origin of some value (whereas the points-to version used global flow). It may be desirable to rewrite this query to use global data-flow, but this should be done with some care (as using "all unhashable objects" as the set of sources is somewhat iffy with respect to performance). For that reason, I'm sticking to mostly local flow (except for well behaved things like types and built-ins).	2026-03-11 16:59:20 +00:00
Taus	d06224b066	Python: Port InconsistentMRO.ql For this one we actually lose a test result. However, this is kind of to be expected since we no longer have the "precise" MRO that the points-to analysis computes. Honestly, I'm on the fence about even keeping this query at all. It seems like it might be superfluous in a world with good Python type checking.	2026-03-11 16:59:20 +00:00
Taus	2f6896395f	Python: Port PropertyInOldStyleClass.ql Only trivial test changes.	2026-03-11 16:59:19 +00:00
Taus	dfdfefd688	Python: Port SuperInOldStyleClass.ql	2026-03-11 16:59:19 +00:00
Taus	bae74a5245	Python: Port SlotsInOldStyleClass.ql Only trivial test changes.	2026-03-11 16:59:19 +00:00
Taus	0105ec4df5	Python: Add declares/getAttribute API These could arguably be moved to `Class` itself, but for now I'm choosing to limit the changes to the `DuckTyping` module (until we decide on a proper API).	2026-03-11 16:59:19 +00:00
Taus	9adaf671c9	Python: Add `DuckTyping::isNewStyle` Approximates the behaviour of `Types::isNewStyle` but without depending on points-to	2026-03-11 16:59:19 +00:00
Taus	79e4685a6d	Python: Port UnusedExceptionObject.ql Depending on whether other queries depend on this, we may end up moving the exception utility functions to a more central location.	2026-03-11 16:59:19 +00:00
Taus	53f5da825d	Python: Port ShouldUseWithStatement.ql Only trivial test changes.	2026-03-11 16:59:19 +00:00
Taus	117057c233	Python: Port NonIteratorInForLoop.ql Same comment as for the preceding commit. We lose one test result due to the fact that we don't know what to do about `for ... in 1` (because `1` is an instance of a built-in). I'm going to defer addressing this until we get some modelling of built-in types.	2026-03-11 16:59:19 +00:00
Taus	bfbfb1523f	Python: Port ContainsNonContainer.ql Uses the new `DuckTyping` module to handle recognising whether a class is a container or not. Only trivial test changes (one version uses "class", the other "Class"). Note that the ported query has no understanding of built-in classes. At some point we'll likely want to replace `hasUnresolvedBase` (which will hold for any class that extends a built-in) with something that's aware of the built-in classes.	2026-03-11 16:59:18 +00:00
Taus	4e86c1e03f	Python: Introduce `DuckTyping` module This module (which for convenience currently resides inside `DataFlowDispatch`, but this may change later) contains convenience predicates for bridging the gap between the data-flow layer and the old points-to analysis.	2026-03-11 16:59:18 +00:00
Taus	e36dbea7b4	Python: Port `py/print-during-import` Uses a (perhaps) slightly coarser approximation of what modules are imported, but it's probably fine.	2026-03-11 16:59:18 +00:00
Taus	33c2be2a2d	Python: Use API graphs instead of points-to for simple built-ins Removes the use of points-to for accessing various built-ins from three of the queries. In order for this to work I had to extend the lists of known built-ins slightly.	2026-03-11 16:59:18 +00:00