Update qhelp for py/path-injection.

.github/dependabot.yml

@@ -31,12 +31,3 @@ updates:
           - "golang.org/x/*"
     reviewers:
       - "github/codeql-go"
-
-  - package-ecosystem: "gomod"
-    directory: "go/ql/test"
-    schedule:
-      interval: "monthly"
-    ignore:
-      - dependency-name: "*"
-    reviewers:
-      - "github/codeql-go"

.github/workflows/check-change-note.yml

@@ -9,42 +9,26 @@ on:
       - "*/ql/lib/**/*.ql"
       - "*/ql/lib/**/*.qll"
       - "*/ql/lib/**/*.yml"
-      - "shared/**/*.ql"
-      - "shared/**/*.qll"
       - "!**/experimental/**"
       - "!ql/**"
       - ".github/workflows/check-change-note.yml"
 
 jobs:
   check-change-note:
-    env: 
-      REPO: ${{ github.repository }}
-      PULL_REQUEST_NUMBER: ${{ github.event.number }}
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     runs-on: ubuntu-latest
     steps:
-
       - name: Fail if no change note found. To fix, either add one, or add the `no-change-note-required` label.
         if: |
           github.event.pull_request.draft == false &&
           !contains(github.event.pull_request.labels.*.name, 'no-change-note-required')
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          change_note_files=$(gh api "repos/$REPO/pulls/$PULL_REQUEST_NUMBER/files" --paginate --jq '.[].filename | select(test("/change-notes/.*[.]md$"))')
-          
-          if [ -z "$change_note_files" ]; then
-            echo "No change note found. Either add one, or add the 'no-change-note-required' label."
-            exit 1
-          fi
-
-          echo "Change notes found:"
-          echo "$change_note_files"
-
+          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' |
+          grep true -c
       - name: Fail if the change note filename doesn't match the expected format. The file name must be of the form 'YYYY-MM-DD.md', 'YYYY-MM-DD-{title}.md', where '{title}' is arbitrary text, or released/x.y.z.md for released change-notes
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          bad_change_note_file_names=$(gh api "repos/$REPO/pulls/$PULL_REQUEST_NUMBER/files" --paginate --jq '[.[].filename | select(test("/change-notes/.*[.]md$"))][] | select((test("/change-notes/[0-9]{4}-[0-9]{2}-[0-9]{2}.*[.]md$") or test("/change-notes/released/[0-9]*[.][0-9]*[.][0-9]*[.]md$")) | not)')
-
-          if [ -n "$bad_change_note_file_names" ]; then
-            echo "The following change note file names are invalid:"
-            echo "$bad_change_note_file_names"
-            exit 1
-          fi
+          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq '[.[].filename | select(test("/change-notes/.*[.]md$"))] | all(test("/change-notes/[0-9]{4}-[0-9]{2}-[0-9]{2}.*[.]md$") or test("/change-notes/released/[0-9]*[.][0-9]*[.][0-9]*[.]md$"))' |
+          grep true -c

.github/workflows/codeql-analysis.yml

@@ -28,7 +28,7 @@ jobs:
 
     steps:
     - name: Setup dotnet
-      uses: actions/setup-dotnet@v4
+      uses: actions/setup-dotnet@v3
       with:
         dotnet-version: 7.0.102
 

.github/workflows/csharp-qltest.yml

@@ -72,7 +72,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Setup dotnet
-        uses: actions/setup-dotnet@v4
+        uses: actions/setup-dotnet@v3
         with:
           dotnet-version: 7.0.102
       - name: Extractor unit tests
@@ -91,7 +91,7 @@ jobs:
         run: |
           # Generate (Asp)NetCore stubs
           STUBS_PATH=stubs_output
-          python3 scripts/stubs/make_stubs_nuget.py webapp Swashbuckle.AspNetCore.Swagger 6.5.0 "$STUBS_PATH"
+          python3 ql/src/Stubs/make_stubs_nuget.py webapp Swashbuckle.AspNetCore.Swagger 6.5.0 "$STUBS_PATH"
           rm -rf ql/test/resources/stubs/_frameworks
           # Update existing stubs in the repo with the freshly generated ones
           mv "$STUBS_PATH/output/stubs/_frameworks" ql/test/resources/stubs/

.github/workflows/csv-coverage-pr-artifacts.yml

@@ -89,32 +89,9 @@ jobs:
       - name: Save PR number
         run: |
           mkdir -p pr
-          echo ${PR_NUMBER} > pr/NR
-        env:
-          PR_NUMBER: ${{ github.event.pull_request.number }}
+          echo ${{ github.event.pull_request.number }} > pr/NR
       - name: Upload PR number
         uses: actions/upload-artifact@v3
         with:
           name: pr
           path: pr/
-      - name: Save comment ID (if it exists)
-        run: |
-          # Find the latest comment starting with COMMENT_PREFIX
-          COMMENT_PREFIX=":warning: The head of this PR and the base branch were compared for differences in the framework coverage reports."
-          COMMENT_ID=$(gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" --paginate | jq --arg prefix "${COMMENT_PREFIX}" 'map(select(.body|startswith($prefix)) | .id) | max // empty')
-          if [[ -z ${COMMENT_ID} ]]
-          then
-            echo "Comment not found. Not uploading 'comment/ID' artifact."
-          else
-            mkdir -p comment
-            echo ${COMMENT_ID} > comment/ID
-          fi
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-      - name: Upload comment ID (if it exists)
-        uses: actions/upload-artifact@v3
-        with:
-          name: comment
-          path: comment/
-          if-no-files-found: ignore

.github/workflows/labeler.yml

@@ -9,6 +9,6 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/labeler@v5
+    - uses: actions/labeler@v4
       with:
         repo-token: "${{ secrets.GITHUB_TOKEN }}"

CODEOWNERS

@@ -8,8 +8,6 @@
 /swift/ @github/codeql-swift
 /misc/codegen/ @github/codeql-swift
 /java/kotlin-extractor/ @github/codeql-kotlin
-/java/ql/test-kotlin1/ @github/codeql-kotlin
-/java/ql/test-kotlin2/ @github/codeql-kotlin
 
 # ML-powered queries
 /javascript/ql/experimental/adaptivethreatmodeling/ @github/codeql-ml-powered-queries-reviewers

codeql-workspace.yml

@@ -1,12 +1,12 @@
 provide:
   - "*/ql/src/qlpack.yml"
   - "*/ql/lib/qlpack.yml"
-  - "*/ql/test*/qlpack.yml"
+  - "*/ql/test/qlpack.yml"
   - "*/ql/examples/qlpack.yml"
   - "*/ql/consistency-queries/qlpack.yml"
   - "*/ql/automodel/src/qlpack.yml"
   - "*/ql/automodel/test/qlpack.yml"
-  - "shared/**/qlpack.yml"
+  - "shared/*/qlpack.yml"
   - "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml"
   - "go/ql/config/legacy-support/qlpack.yml"
   - "go/build/codeql-extractor-go/codeql-extractor.yml"
@@ -29,7 +29,6 @@ provide:
   - "swift/extractor-pack/codeql-extractor.yml"
   - "swift/integration-tests/qlpack.yml"
   - "ql/extractor-pack/codeql-extractor.yml"
-  - ".github/codeql/extensions/**/codeql-pack.yml"
 
 versionPolicies:
   default:

config/identical-files.json

@@ -462,6 +462,10 @@
     "ruby/ql/lib/codeql/ruby/security/internal/SensitiveDataHeuristics.qll",
     "swift/ql/lib/codeql/swift/security/internal/SensitiveDataHeuristics.qll"
   ],
+  "TypeTracker": [
+    "python/ql/lib/semmle/python/dataflow/new/internal/TypeTracker.qll",
+    "ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll"
+  ],
   "SummaryTypeTracker": [
     "python/ql/lib/semmle/python/dataflow/new/internal/SummaryTypeTracker.qll",
     "ruby/ql/lib/codeql/ruby/typetracking/internal/SummaryTypeTracker.qll"
@@ -530,4 +534,4 @@
     "python/ql/test/experimental/dataflow/model-summaries/InlineTaintTest.ext.yml",
     "python/ql/test/experimental/dataflow/model-summaries/NormalDataflowTest.ext.yml"
   ]
-}
+}

cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/BuildScripts.cs

@@ -145,9 +145,9 @@ namespace Semmle.Autobuild.Cpp.Tests
 
         bool IBuildActions.IsMacOs() => IsMacOs;
 
-        public bool IsRunningOnAppleSilicon { get; set; }
+        public bool IsArm { get; set; }
 
-        bool IBuildActions.IsRunningOnAppleSilicon() => IsRunningOnAppleSilicon;
+        bool IBuildActions.IsArm() => IsArm;
 
         string IBuildActions.PathCombine(params string[] parts)
         {

cpp/downgrades/0a9eb01d3650642e013eb86be45d952289537f91/upgrade.properties

@@ -1,3 +0,0 @@
-description: Expose whether a function was prototyped or not
-compatibility: backwards
-function_prototyped.rel: delete

cpp/downgrades/5b388693c66db1e7dc2e76a90aa67a2b6eb74f0f/builtintypes.ql

@@ -1,19 +0,0 @@
-class BuiltinType extends @builtintype {
-  string toString() { none() }
-}
-
-from BuiltinType type, string name, int kind, int kind_new, int size, int sign, int alignment
-where
-  builtintypes(type, name, kind, size, sign, alignment) and
-  if
-    type instanceof @fp16 or
-    type instanceof @std_bfloat16 or
-    type instanceof @std_float16 or
-    type instanceof @complex_std_float32 or
-    type instanceof @complex_float32x or
-    type instanceof @complex_std_float64 or
-    type instanceof @complex_float64x or
-    type instanceof @complex_std_float128
-  then kind_new = 2
-  else kind_new = kind
-select type, name, kind_new, size, sign, alignment

cpp/downgrades/5b388693c66db1e7dc2e76a90aa67a2b6eb74f0f/upgrade.properties

@@ -1,3 +0,0 @@
-description: Introduce new floating-point types from C23 and C++23
-compatibility: backwards
-builtintypes.rel: run builtintypes.qlo

cpp/downgrades/8cba93a44180e0d50a80a660950800d822b981fc/upgrade.properties

@@ -1,2 +0,0 @@
-description: Removed @assignpaddexpr and @assignpsubexpr from @assign_bitwise_expr
-compatibility: full

cpp/downgrades/f79ce79e3b751aeeed59e594633ba5c07a27ef3e/upgrade.properties

@@ -1,3 +0,0 @@
-description: Introduce extractor version numbers
-compatibility: breaking
-extractor_version.rel: delete

cpp/downgrades/fc81eb5a3a7cdde8d9ad813da1e8f1e90dadbb91/upgrade.properties

@@ -1,2 +0,0 @@
-description: Revert removal of uniqueness constraint on link_targets/2
-compatibility: backwards

cpp/ql/lib/CHANGELOG.md

@@ -1,39 +1,3 @@
-## 0.12.0
-
-### Breaking Changes
-
-* The expressions `AssignPointerAddExpr` and `AssignPointerSubExpr` are no longer subtypes of `AssignBitwiseOperation`.
-
-### Minor Analysis Improvements
-
-* The "Returning stack-allocated memory" (`cpp/return-stack-allocated-memory`) query now also detects returning stack-allocated memory allocated by calls to `alloca`, `strdupa`, and `strndupa`.
-* Added models for `strlcpy` and `strlcat`.
-* Added models for the `sprintf` variants from the `StrSafe.h` header.
-* Added SQL API models for `ODBC`.
-* Added taint models for `realloc` and related functions.
-
-## 0.11.0
-
-### Breaking Changes
-
-* The `Container` and `Folder` classes now derive from `ElementBase` instead of `Locatable`, and no longer expose the `getLocation` predicate. Use `getURL` instead.
-
-### New Features
-
-* Added a new class `AdditionalCallTarget` for specifying additional call targets.
-
-### Minor Analysis Improvements
-
-* More field accesses are identified as `ImplicitThisFieldAccess`.
-* Added support for new floating-point types in C23 and C++23.
-
-## 0.10.1
-
-### Minor Analysis Improvements
-
-* Deleted the deprecated `AnalysedString` class, use the new name `AnalyzedString`.
-* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
-
 ## 0.10.0
 
 ### Minor Analysis Improvements

cpp/ql/lib/change-notes/2023-10-09-outdated-deprecations.md

@@ -1,6 +1,5 @@
-## 0.10.1
-
-### Minor Analysis Improvements
-
+---
+category: minorAnalysis
+---
 * Deleted the deprecated `AnalysedString` class, use the new name `AnalyzedString`.
 * Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.

cpp/ql/lib/change-notes/2023-11-28-prototyped.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* Added an `isPrototyped` predicate to `Function` that holds when the function has a prototype.

cpp/ql/lib/change-notes/2023-11-30-as-definition.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added a new predicate `Node.asDefinition` on `DataFlow::Node`s for selecting the dataflow node corresponding to a particular definition.

cpp/ql/lib/change-notes/released/0.11.0.md

@@ -1,14 +0,0 @@
-## 0.11.0
-
-### Breaking Changes
-
-* The `Container` and `Folder` classes now derive from `ElementBase` instead of `Locatable`, and no longer expose the `getLocation` predicate. Use `getURL` instead.
-
-### New Features
-
-* Added a new class `AdditionalCallTarget` for specifying additional call targets.
-
-### Minor Analysis Improvements
-
-* More field accesses are identified as `ImplicitThisFieldAccess`.
-* Added support for new floating-point types in C23 and C++23.

cpp/ql/lib/change-notes/released/0.12.0.md

@@ -1,13 +0,0 @@
-## 0.12.0
-
-### Breaking Changes
-
-* The expressions `AssignPointerAddExpr` and `AssignPointerSubExpr` are no longer subtypes of `AssignBitwiseOperation`.
-
-### Minor Analysis Improvements
-
-* The "Returning stack-allocated memory" (`cpp/return-stack-allocated-memory`) query now also detects returning stack-allocated memory allocated by calls to `alloca`, `strdupa`, and `strndupa`.
-* Added models for `strlcpy` and `strlcat`.
-* Added models for the `sprintf` variants from the `StrSafe.h` header.
-* Added SQL API models for `ODBC`.
-* Added taint models for `realloc` and related functions.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.12.0
+lastReleaseVersion: 0.10.0

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.12.1-dev
+version: 0.10.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
@@ -7,7 +7,6 @@ library: true
 upgrades: upgrades
 dependencies:
   codeql/dataflow: ${workspace}
-  codeql/rangeanalysis: ${workspace}
   codeql/ssa: ${workspace}
   codeql/tutorial: ${workspace}
   codeql/util: ${workspace}

cpp/ql/lib/semmle/code/cpp/File.qll

@@ -32,7 +32,7 @@ private module Input implements InputSig {
 private module Impl = Make<Input>;
 
 /** A file or folder. */
-class Container extends ElementBase, Impl::Container {
+class Container extends Locatable, Impl::Container {
   override string toString() { result = Impl::Container.super.toString() }
 }
 
@@ -47,6 +47,11 @@ class Container extends ElementBase, Impl::Container {
  * To get the full path, use `getAbsolutePath`.
  */
 class Folder extends Container, Impl::Folder {
+  override Location getLocation() {
+    result.getContainer() = this and
+    result.hasLocationInfo(_, 0, 0, 0, 0)
+  }
+
   override string getAPrimaryQlClass() { result = "Folder" }
 }
 
@@ -62,7 +67,7 @@ class Folder extends Container, Impl::Folder {
  * The base name further decomposes into the _stem_ and _extension_ -- see
  * `getStem` and `getExtension`. To get the full path, use `getAbsolutePath`.
  */
-class File extends Container, Locatable, Impl::File {
+class File extends Container, Impl::File {
   override string getAPrimaryQlClass() { result = "File" }
 
   override Location getLocation() {

cpp/ql/lib/semmle/code/cpp/Function.qll

@@ -112,16 +112,6 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
    */
   predicate isDeleted() { function_deleted(underlyingElement(this)) }
 
-  /**
-   * Holds if this function has a prototyped interface.
-   *
-   * Functions generally have a prototyped interface, unless they are
-   * K&R-style functions either without any forward function declaration,
-   * or with all the forward declarations omitting the parameters of the
-   * function.
-   */
-  predicate isPrototyped() { function_prototyped(underlyingElement(this)) }
-
   /**
    * Holds if this function is explicitly defaulted with the `= default`
    * specifier.

cpp/ql/lib/semmle/code/cpp/Type.qll

@@ -819,30 +819,6 @@ private predicate floatingPointTypeMapping(
   or
   // _Complex _Float16
   kind = 53 and base = 2 and domain = TComplexDomain() and realKind = 52 and extended = false
-  or
-  // __fp16
-  kind = 54 and base = 2 and domain = TRealDomain() and realKind = 54 and extended = false
-  or
-  // __bf16
-  kind = 55 and base = 2 and domain = TRealDomain() and realKind = 55 and extended = false
-  or
-  // std::float16_t
-  kind = 56 and base = 2 and domain = TRealDomain() and realKind = 56 and extended = false
-  or
-  // _Complex _Float32
-  kind = 57 and base = 2 and domain = TComplexDomain() and realKind = 45 and extended = false
-  or
-  // _Complex _Float32x
-  kind = 58 and base = 2 and domain = TComplexDomain() and realKind = 46 and extended = true
-  or
-  // _Complex _Float64
-  kind = 59 and base = 2 and domain = TComplexDomain() and realKind = 47 and extended = false
-  or
-  // _Complex _Float64x
-  kind = 60 and base = 2 and domain = TComplexDomain() and realKind = 48 and extended = true
-  or
-  // _Complex _Float128
-  kind = 61 and base = 2 and domain = TComplexDomain() and realKind = 49 and extended = false
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll

@@ -5,8 +5,6 @@
 
 import cpp
 import semmle.code.cpp.ir.IR
-private import semmle.code.cpp.ir.implementation.raw.internal.TranslatedExpr
-private import semmle.code.cpp.ir.implementation.raw.internal.InstructionTag
 
 /**
  * Holds if `block` consists of an `UnreachedInstruction`.
@@ -32,6 +30,11 @@ class GuardCondition extends Expr {
     or
     // no binary operators in the IR
     this.(BinaryLogicalOperation).getAnOperand() instanceof GuardCondition
+    or
+    // the IR short-circuits if(!x)
+    // don't produce a guard condition for `y = !x` and other non-short-circuited cases
+    not exists(Instruction inst | this.getFullyConverted() = inst.getAst()) and
+    exists(IRGuardCondition ir | this.(NotExpr).getOperand() = ir.getAst())
   }
 
   /**
@@ -137,6 +140,39 @@ private class GuardConditionFromBinaryLogicalOperator extends GuardCondition {
   }
 }
 
+/**
+ * A `!` operator in the AST that guards one or more basic blocks, and does not have a corresponding
+ * IR instruction.
+ */
+private class GuardConditionFromShortCircuitNot extends GuardCondition, NotExpr {
+  GuardConditionFromShortCircuitNot() {
+    not exists(Instruction inst | this.getFullyConverted() = inst.getAst()) and
+    exists(IRGuardCondition ir | this.getOperand() = ir.getAst())
+  }
+
+  override predicate controls(BasicBlock controlled, boolean testIsTrue) {
+    this.getOperand().(GuardCondition).controls(controlled, testIsTrue.booleanNot())
+  }
+
+  override predicate comparesLt(Expr left, Expr right, int k, boolean isLessThan, boolean testIsTrue) {
+    this.getOperand()
+        .(GuardCondition)
+        .comparesLt(left, right, k, isLessThan, testIsTrue.booleanNot())
+  }
+
+  override predicate ensuresLt(Expr left, Expr right, int k, BasicBlock block, boolean isLessThan) {
+    this.getOperand().(GuardCondition).ensuresLt(left, right, k, block, isLessThan.booleanNot())
+  }
+
+  override predicate comparesEq(Expr left, Expr right, int k, boolean areEqual, boolean testIsTrue) {
+    this.getOperand().(GuardCondition).comparesEq(left, right, k, areEqual, testIsTrue.booleanNot())
+  }
+
+  override predicate ensuresEq(Expr left, Expr right, int k, BasicBlock block, boolean areEqual) {
+    this.getOperand().(GuardCondition).ensuresEq(left, right, k, block, areEqual.booleanNot())
+  }
+}
+
 /**
  * A Boolean condition in the AST that guards one or more basic blocks and has a corresponding IR
  * instruction.
@@ -203,25 +239,10 @@ private class GuardConditionFromIR extends GuardCondition {
    * `&&` and `||`. See the detailed explanation on predicate `controls`.
    */
   private predicate controlsBlock(BasicBlock controlled, boolean testIsTrue) {
-    exists(IRBlock irb, Instruction instr |
+    exists(IRBlock irb |
       ir.controls(irb, testIsTrue) and
-      instr = irb.getAnInstruction() and
-      instr.getAst().(ControlFlowNode).getBasicBlock() = controlled and
-      not isUnreachedBlock(irb) and
-      not this.excludeAsControlledInstruction(instr)
-    )
-  }
-
-  private predicate excludeAsControlledInstruction(Instruction instr) {
-    // Exclude the temporaries generated by a ternary expression.
-    exists(TranslatedConditionalExpr tce |
-      instr = tce.getInstruction(ConditionValueFalseStoreTag())
-      or
-      instr = tce.getInstruction(ConditionValueTrueStoreTag())
-      or
-      instr = tce.getInstruction(ConditionValueTrueTempAddressTag())
-      or
-      instr = tce.getInstruction(ConditionValueFalseTempAddressTag())
+      irb.getAnInstruction().getAst().(ControlFlowNode).getBasicBlock() = controlled and
+      not isUnreachedBlock(irb)
     )
   }
 }

cpp/ql/lib/semmle/code/cpp/exprs/Access.qll

@@ -306,13 +306,15 @@ private predicate exprHasReferenceConversion(Expr e) { referenceConversion(e.get
  *   }
  * };
  * ```
+ * Note: the C++ front-end often automatically desugars `field` to
+ * `this->field`, so most accesses of `this->field` are instances
+ * of `PointerFieldAccess` (with `ThisExpr` as the qualifier), not
+ * `ImplicitThisFieldAccess`.
  */
 class ImplicitThisFieldAccess extends FieldAccess {
   override string getAPrimaryQlClass() { result = "ImplicitThisFieldAccess" }
 
-  ImplicitThisFieldAccess() {
-    this.getQualifier().(ThisExpr).isCompilerGenerated() or not exists(this.getQualifier())
-  }
+  ImplicitThisFieldAccess() { not exists(this.getQualifier()) }
 }
 
 /**
@@ -330,7 +332,7 @@ class PointerToFieldLiteral extends ImplicitThisFieldAccess {
     // access without a qualifier. The only other unqualified field accesses it
     // emits are for compiler-generated constructors and destructors. When we
     // filter those out, there are only pointer-to-field literals left.
-    not this.isCompilerGenerated() and not exists(this.getQualifier())
+    not this.isCompilerGenerated()
   }
 
   override predicate isConstant() { any() }

cpp/ql/lib/semmle/code/cpp/internal/ExtractorVersion.qll

@@ -1,15 +0,0 @@
-/**
- * INTERNAL: Do not use. Provides predicates for getting the CodeQL and frontend
- * version used during database extraction.
- */
-
-/** Get the extractor CodeQL version */
-string getExtractorCodeQLVersion() { extractor_version(result, _) }
-
-/** Get the extractor frontend version */
-string getExtractorFrontendVersion() { extractor_version(_, result) }
-
-predicate isExtractorFrontendVersion65OrHigher() {
-  // Version numbers we not included in the database before 6.5.
-  exists(getExtractorCodeQLVersion())
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/MustFlow.qll

@@ -31,11 +31,6 @@ abstract class MustFlowConfiguration extends string {
    */
   abstract predicate isSink(Operand sink);
 
-  /**
-   * Holds if data flow through `instr` is prohibited.
-   */
-  predicate isBarrier(Instruction instr) { none() }
-
   /**
    * Holds if the additional flow step from `node1` to `node2` must be taken
    * into account in the analysis.
@@ -53,21 +48,18 @@ abstract class MustFlowConfiguration extends string {
    */
   final predicate hasFlowPath(MustFlowPathNode source, MustFlowPathSink sink) {
     this.isSource(source.getInstruction()) and
-    source.getASuccessor*() = sink
+    source.getASuccessor+() = sink
   }
 }
 
 /** Holds if `node` flows from a source. */
 pragma[nomagic]
 private predicate flowsFromSource(Instruction node, MustFlowConfiguration config) {
-  not config.isBarrier(node) and
-  (
-    config.isSource(node)
-    or
-    exists(Instruction mid |
-      step(mid, node, config) and
-      flowsFromSource(mid, pragma[only_bind_into](config))
-    )
+  config.isSource(node)
+  or
+  exists(Instruction mid |
+    step(mid, node, config) and
+    flowsFromSource(mid, pragma[only_bind_into](config))
   )
 }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll

@@ -7,12 +7,9 @@ private import DataFlowImplCommon as DataFlowImplCommon
 
 /**
  * Gets a function that might be called by `call`.
- *
- * This predicate does not take additional call targets
- * from `AdditionalCallTarget` into account.
  */
 cached
-DataFlowCallable defaultViableCallable(DataFlowCall call) {
+DataFlowCallable viableCallable(DataFlowCall call) {
   DataFlowImplCommon::forceCachingInSameStage() and
   result = call.getStaticCallTarget()
   or
@@ -32,17 +29,6 @@ DataFlowCallable defaultViableCallable(DataFlowCall call) {
   result = call.(VirtualDispatch::DataSensitiveCall).resolve()
 }
 
-/**
- * Gets a function that might be called by `call`.
- */
-cached
-DataFlowCallable viableCallable(DataFlowCall call) {
-  result = defaultViableCallable(call)
-  or
-  // Additional call targets
-  result = any(AdditionalCallTarget additional).viableTarget(call.getUnconvertedResultExpression())
-}
-
 /**
  * Provides virtual dispatch support compatible with the original
  * implementation of `semmle.code.cpp.security.TaintTracking`.

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -81,14 +81,6 @@ class Node0Impl extends TIRDataFlowNode0 {
   /** Gets the operands corresponding to this node, if any. */
   Operand asOperand() { result = this.(OperandNode0).getOperand() }
 
-  /** Gets the location of this node. */
-  final Location getLocation() { result = this.getLocationImpl() }
-
-  /** INTERNAL: Do not use. */
-  Location getLocationImpl() {
-    none() // overridden by subclasses
-  }
-
   /** INTERNAL: Do not use. */
   string toStringImpl() {
     none() // overridden by subclasses
@@ -139,15 +131,9 @@ abstract class InstructionNode0 extends Node0Impl {
   override DataFlowType getType() { result = getInstructionType(instr, _) }
 
   override string toStringImpl() {
-    if instr.(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable
-    then result = "this"
-    else result = instr.getAst().toString()
-  }
-
-  override Location getLocationImpl() {
-    if exists(instr.getAst().getLocation())
-    then result = instr.getAst().getLocation()
-    else result instanceof UnknownDefaultLocation
+    // This predicate is overridden in subclasses. This default implementation
+    // does not use `Instruction.toString` because that's expensive to compute.
+    result = instr.getOpcode().toString()
   }
 
   final override predicate isGLValue() { exists(getInstructionType(instr, true)) }
@@ -187,17 +173,7 @@ abstract class OperandNode0 extends Node0Impl {
 
   override DataFlowType getType() { result = getOperandType(op, _) }
 
-  override string toStringImpl() {
-    if op.getDef().(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable
-    then result = "this"
-    else result = op.getDef().getAst().toString()
-  }
-
-  override Location getLocationImpl() {
-    if exists(op.getDef().getAst().getLocation())
-    then result = op.getDef().getAst().getLocation()
-    else result instanceof UnknownDefaultLocation
-  }
+  override string toStringImpl() { result = op.toString() }
 
   final override predicate isGLValue() { exists(getOperandType(op, true)) }
 }
@@ -645,24 +621,6 @@ class GlobalLikeVariable extends Variable {
   }
 }
 
-/**
- * Returns the smallest indirection for the type `t`.
- *
- * For most types this is `1`, but for `ArrayType`s (which are allocated on
- * the stack) this is `0`
- */
-int getMinIndirectionsForType(Type t) {
-  if t.getUnspecifiedType() instanceof Cpp::ArrayType then result = 0 else result = 1
-}
-
-private int getMinIndirectionForGlobalUse(Ssa::GlobalUse use) {
-  result = getMinIndirectionsForType(use.getUnspecifiedType())
-}
-
-private int getMinIndirectionForGlobalDef(Ssa::GlobalDef def) {
-  result = getMinIndirectionsForType(def.getUnspecifiedType())
-}
-
 /**
  * Holds if data can flow from `node1` to `node2` in a way that loses the
  * calling context. For example, this would happen with flow through a
@@ -674,20 +632,20 @@ predicate jumpStep(Node n1, Node n2) {
       v = globalUse.getVariable() and
       n1.(FinalGlobalValue).getGlobalUse() = globalUse
     |
-      globalUse.getIndirection() = getMinIndirectionForGlobalUse(globalUse) and
+      globalUse.getIndirectionIndex() = 1 and
       v = n2.asVariable()
       or
-      v = n2.asIndirectVariable(globalUse.getIndirection())
+      v = n2.asIndirectVariable(globalUse.getIndirectionIndex())
     )
     or
     exists(Ssa::GlobalDef globalDef |
       v = globalDef.getVariable() and
       n2.(InitialGlobalValue).getGlobalDef() = globalDef
     |
-      globalDef.getIndirection() = getMinIndirectionForGlobalDef(globalDef) and
+      globalDef.getIndirectionIndex() = 1 and
       v = n1.asVariable()
       or
-      v = n1.asIndirectVariable(globalDef.getIndirection())
+      v = n1.asIndirectVariable(globalDef.getIndirectionIndex())
     )
   )
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -14,7 +14,6 @@ private import DataFlowPrivate
 private import ModelUtil
 private import SsaInternals as Ssa
 private import DataFlowImplCommon as DataFlowImplCommon
-private import codeql.util.Unit
 
 /**
  * The IR dataflow graph consists of the following nodes:
@@ -34,8 +33,7 @@ cached
 private newtype TIRDataFlowNode =
   TNode0(Node0Impl node) { DataFlowImplCommon::forceCachingInSameStage() } or
   TVariableNode(Variable var, int indirectionIndex) {
-    indirectionIndex =
-      [getMinIndirectionsForType(var.getUnspecifiedType()) .. Ssa::getMaxIndirectionsForType(var.getUnspecifiedType())]
+    indirectionIndex = [1 .. Ssa::getMaxIndirectionsForType(var.getUnspecifiedType())]
   } or
   TPostFieldUpdateNode(FieldAddress operand, int indirectionIndex) {
     indirectionIndex =
@@ -45,12 +43,11 @@ private newtype TIRDataFlowNode =
   TIndirectArgumentOutNode(ArgumentOperand operand, int indirectionIndex) {
     Ssa::isModifiableByCall(operand, indirectionIndex)
   } or
-  TRawIndirectOperand0(Node0Impl node, int indirectionIndex) {
-    Ssa::hasRawIndirectOperand(node.asOperand(), indirectionIndex)
+  TRawIndirectOperand(Operand op, int indirectionIndex) {
+    Ssa::hasRawIndirectOperand(op, indirectionIndex)
   } or
-  TRawIndirectInstruction0(Node0Impl node, int indirectionIndex) {
-    not exists(node.asOperand()) and
-    Ssa::hasRawIndirectInstruction(node.asInstruction(), indirectionIndex)
+  TRawIndirectInstruction(Instruction instr, int indirectionIndex) {
+    Ssa::hasRawIndirectInstruction(instr, indirectionIndex)
   } or
   TFinalParameterNode(Parameter p, int indirectionIndex) {
     exists(Ssa::FinalParameterUse use |
@@ -260,71 +257,6 @@ class Node extends TIRDataFlowNode {
    */
   Expr asDefiningArgument() { result = this.asDefiningArgument(_) }
 
-  /**
-   * Gets the definition associated with this node, if any.
-   *
-   * For example, consider the following example
-   * ```cpp
-   * int x = 42;     // 1
-   * x = 34;         // 2
-   * ++x;            // 3
-   * x++;            // 4
-   * x += 1;         // 5
-   * int y = x += 2; // 6
-   * ```
-   * - For (1) the result is `42`.
-   * - For (2) the result is `x = 34`.
-   * - For (3) the result is `++x`.
-   * - For (4) the result is `x++`.
-   * - For (5) the result is `x += 1`.
-   * - For (6) there are two results:
-   *   - For the definition generated by `x += 2` the result is `x += 2`
-   *   - For the definition generated by `int y = ...` the result is
-   *     also `x += 2`.
-   *
-   * For assignments, `node.asDefinition()` and `node.asExpr()` will both exist
-   * for the same dataflow node. However, for expression such as `x++` that
-   * both write to `x` and read the current value of `x`, `node.asDefinition()`
-   * will give the node corresponding to the value after the increment, and
-   * `node.asExpr()` will give the node corresponding to the value before the
-   * increment. For an example of this, consider the following:
-   *
-   * ```cpp
-   * sink(x++);
-   * ```
-   * in the above program, there will not be flow from a node `n` such that
-   * `n.asDefinition() instanceof IncrementOperation` to the argument of `sink`
-   * since the value passed to `sink` is the value before to the increment.
-   * However, there will be dataflow from a node `n` such that
-   * `n.asExpr() instanceof IncrementOperation` since the result of evaluating
-   * the expression `x++` is passed to `sink`.
-   */
-  Expr asDefinition() {
-    exists(StoreInstruction store |
-      store = this.asInstruction() and
-      result = asDefinitionImpl(store)
-    )
-  }
-
-  /**
-   * Gets the indirect definition at a given indirection corresponding to this
-   * node, if any.
-   *
-   * See the comments on `Node.asDefinition` for examples.
-   */
-  Expr asIndirectDefinition(int indirectionIndex) {
-    exists(StoreInstruction store |
-      this.(IndirectInstruction).hasInstructionAndIndirectionIndex(store, indirectionIndex) and
-      result = asDefinitionImpl(store)
-    )
-  }
-
-  /**
-   * Gets the indirect definition at some indirection corresponding to this
-   * node, if any.
-   */
-  Expr asIndirectDefinition() { result = this.asIndirectDefinition(_) }
-
   /**
    * Gets the argument that defines this `DefinitionByReferenceNode`, if any.
    *
@@ -412,9 +344,7 @@ class Node extends TIRDataFlowNode {
    * Gets the variable corresponding to this node, if any. This can be used for
    * modeling flow in and out of global variables.
    */
-  Variable asVariable() {
-    this = TVariableNode(result, getMinIndirectionsForType(result.getUnspecifiedType()))
-  }
+  Variable asVariable() { this = TVariableNode(result, 1) }
 
   /**
    * Gets the `indirectionIndex`'th indirection of this node's underlying variable, if any.
@@ -422,7 +352,7 @@ class Node extends TIRDataFlowNode {
    * This can be used for modeling flow in and out of global variables.
    */
   Variable asIndirectVariable(int indirectionIndex) {
-    indirectionIndex > getMinIndirectionsForType(result.getUnspecifiedType()) and
+    indirectionIndex > 1 and
     this = TVariableNode(result, indirectionIndex)
   }
 
@@ -500,10 +430,6 @@ private class Node0 extends Node, TNode0 {
 
   override Declaration getFunction() { result = node.getFunction() }
 
-  override Location getLocationImpl() { result = node.getLocation() }
-
-  override string toStringImpl() { result = node.toString() }
-
   override DataFlowType getType() { result = node.getType() }
 
   override predicate isGLValue() { node.isGLValue() }
@@ -520,6 +446,18 @@ class InstructionNode extends Node0 {
 
   /** Gets the instruction corresponding to this node. */
   Instruction getInstruction() { result = instr }
+
+  override Location getLocationImpl() {
+    if exists(instr.getAst().getLocation())
+    then result = instr.getAst().getLocation()
+    else result instanceof UnknownDefaultLocation
+  }
+
+  override string toStringImpl() {
+    if instr.(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable
+    then result = "this"
+    else result = instr.getAst().toString()
+  }
 }
 
 /**
@@ -533,6 +471,18 @@ class OperandNode extends Node, Node0 {
 
   /** Gets the operand corresponding to this node. */
   Operand getOperand() { result = op }
+
+  override Location getLocationImpl() {
+    if exists(op.getDef().getAst().getLocation())
+    then result = op.getDef().getAst().getLocation()
+    else result instanceof UnknownDefaultLocation
+  }
+
+  override string toStringImpl() {
+    if op.getDef().(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable
+    then result = "this"
+    else result = op.getDef().getAst().toString()
+  }
 }
 
 /**
@@ -967,146 +917,48 @@ Type getTypeImpl(Type t, int indirectionIndex) {
   result instanceof UnknownType
 }
 
-private module RawIndirectNodes {
-  /**
-   * INTERNAL: Do not use.
-   *
-   * A node that represents the indirect value of an operand in the IR
-   * after `index` number of loads.
-   */
-  private class RawIndirectOperand0 extends Node, TRawIndirectOperand0 {
-    Node0Impl node;
-    int indirectionIndex;
+/**
+ * INTERNAL: Do not use.
+ *
+ * A node that represents the indirect value of an operand in the IR
+ * after `index` number of loads.
+ */
+class RawIndirectOperand extends Node, TRawIndirectOperand {
+  Operand operand;
+  int indirectionIndex;
 
-    RawIndirectOperand0() { this = TRawIndirectOperand0(node, indirectionIndex) }
+  RawIndirectOperand() { this = TRawIndirectOperand(operand, indirectionIndex) }
 
-    /** Gets the underlying instruction. */
-    Operand getOperand() { result = node.asOperand() }
+  /** Gets the underlying instruction. */
+  Operand getOperand() { result = operand }
 
-    /** Gets the underlying indirection index. */
-    int getIndirectionIndex() { result = indirectionIndex }
+  /** Gets the underlying indirection index. */
+  int getIndirectionIndex() { result = indirectionIndex }
 
-    override Declaration getFunction() {
-      result = this.getOperand().getDef().getEnclosingFunction()
-    }
+  override Declaration getFunction() { result = this.getOperand().getDef().getEnclosingFunction() }
 
-    override Declaration getEnclosingCallable() { result = this.getFunction() }
+  override Declaration getEnclosingCallable() { result = this.getFunction() }
 
-    override DataFlowType getType() {
-      exists(int sub, DataFlowType type, boolean isGLValue |
-        type = getOperandType(this.getOperand(), isGLValue) and
-        if isGLValue = true then sub = 1 else sub = 0
-      |
-        result = getTypeImpl(type.getUnspecifiedType(), indirectionIndex - sub)
-      )
-    }
-
-    final override Location getLocationImpl() {
-      if exists(this.getOperand().getLocation())
-      then result = this.getOperand().getLocation()
-      else result instanceof UnknownDefaultLocation
-    }
-
-    override string toStringImpl() {
-      result = operandNode(this.getOperand()).toStringImpl() + " indirection"
-    }
+  override DataFlowType getType() {
+    exists(int sub, DataFlowType type, boolean isGLValue |
+      type = getOperandType(operand, isGLValue) and
+      if isGLValue = true then sub = 1 else sub = 0
+    |
+      result = getTypeImpl(type.getUnspecifiedType(), indirectionIndex - sub)
+    )
   }
 
-  /**
-   * INTERNAL: Do not use.
-   *
-   * A node that represents the indirect value of an instruction in the IR
-   * after `index` number of loads.
-   */
-  private class RawIndirectInstruction0 extends Node, TRawIndirectInstruction0 {
-    Node0Impl node;
-    int indirectionIndex;
-
-    RawIndirectInstruction0() { this = TRawIndirectInstruction0(node, indirectionIndex) }
-
-    /** Gets the underlying instruction. */
-    Instruction getInstruction() { result = node.asInstruction() }
-
-    /** Gets the underlying indirection index. */
-    int getIndirectionIndex() { result = indirectionIndex }
-
-    override Declaration getFunction() { result = this.getInstruction().getEnclosingFunction() }
-
-    override Declaration getEnclosingCallable() { result = this.getFunction() }
-
-    override DataFlowType getType() {
-      exists(int sub, DataFlowType type, boolean isGLValue |
-        type = getInstructionType(this.getInstruction(), isGLValue) and
-        if isGLValue = true then sub = 1 else sub = 0
-      |
-        result = getTypeImpl(type.getUnspecifiedType(), indirectionIndex - sub)
-      )
-    }
-
-    final override Location getLocationImpl() {
-      if exists(this.getInstruction().getLocation())
-      then result = this.getInstruction().getLocation()
-      else result instanceof UnknownDefaultLocation
-    }
-
-    override string toStringImpl() {
-      result = instructionNode(this.getInstruction()).toStringImpl() + " indirection"
-    }
+  final override Location getLocationImpl() {
+    if exists(this.getOperand().getLocation())
+    then result = this.getOperand().getLocation()
+    else result instanceof UnknownDefaultLocation
   }
 
-  /**
-   * INTERNAL: Do not use.
-   *
-   * A node that represents the indirect value of an operand in the IR
-   * after a number of loads.
-   */
-  class RawIndirectOperand extends Node {
-    int indirectionIndex;
-    Operand operand;
-
-    RawIndirectOperand() {
-      exists(Node0Impl node | operand = node.asOperand() |
-        this = TRawIndirectOperand0(node, indirectionIndex)
-        or
-        this = TRawIndirectInstruction0(node, indirectionIndex)
-      )
-    }
-
-    /** Gets the operand associated with this node. */
-    Operand getOperand() { result = operand }
-
-    /** Gets the underlying indirection index. */
-    int getIndirectionIndex() { result = indirectionIndex }
-  }
-
-  /**
-   * INTERNAL: Do not use.
-   *
-   * A node that represents the indirect value of an instruction in the IR
-   * after a number of loads.
-   */
-  class RawIndirectInstruction extends Node {
-    int indirectionIndex;
-    Instruction instr;
-
-    RawIndirectInstruction() {
-      exists(Node0Impl node | instr = node.asInstruction() |
-        this = TRawIndirectOperand0(node, indirectionIndex)
-        or
-        this = TRawIndirectInstruction0(node, indirectionIndex)
-      )
-    }
-
-    /** Gets the instruction associated with this node. */
-    Instruction getInstruction() { result = instr }
-
-    /** Gets the underlying indirection index. */
-    int getIndirectionIndex() { result = indirectionIndex }
+  override string toStringImpl() {
+    result = operandNode(this.getOperand()).toStringImpl() + " indirection"
   }
 }
 
-import RawIndirectNodes
-
 /**
  * INTERNAL: do not use.
  *
@@ -1168,6 +1020,48 @@ class UninitializedNode extends Node {
   LocalVariable getLocalVariable() { result = v }
 }
 
+/**
+ * INTERNAL: Do not use.
+ *
+ * A node that represents the indirect value of an instruction in the IR
+ * after `index` number of loads.
+ */
+class RawIndirectInstruction extends Node, TRawIndirectInstruction {
+  Instruction instr;
+  int indirectionIndex;
+
+  RawIndirectInstruction() { this = TRawIndirectInstruction(instr, indirectionIndex) }
+
+  /** Gets the underlying instruction. */
+  Instruction getInstruction() { result = instr }
+
+  /** Gets the underlying indirection index. */
+  int getIndirectionIndex() { result = indirectionIndex }
+
+  override Declaration getFunction() { result = this.getInstruction().getEnclosingFunction() }
+
+  override Declaration getEnclosingCallable() { result = this.getFunction() }
+
+  override DataFlowType getType() {
+    exists(int sub, DataFlowType type, boolean isGLValue |
+      type = getInstructionType(instr, isGLValue) and
+      if isGLValue = true then sub = 1 else sub = 0
+    |
+      result = getTypeImpl(type.getUnspecifiedType(), indirectionIndex - sub)
+    )
+  }
+
+  final override Location getLocationImpl() {
+    if exists(this.getInstruction().getLocation())
+    then result = this.getInstruction().getLocation()
+    else result instanceof UnknownDefaultLocation
+  }
+
+  override string toStringImpl() {
+    result = instructionNode(this.getInstruction()).toStringImpl() + " indirection"
+  }
+}
+
 private module GetConvertedResultExpression {
   private import semmle.code.cpp.ir.implementation.raw.internal.TranslatedExpr
   private import semmle.code.cpp.ir.implementation.raw.internal.InstructionTag
@@ -1207,6 +1101,22 @@ private module GetConvertedResultExpression {
   }
 
   private Expr getConvertedResultExpressionImpl0(Instruction instr) {
+    // For an expression such as `i += 2` we pretend that the generated
+    // `StoreInstruction` contains the result of the expression even though
+    // this isn't totally aligned with the C/C++ standard.
+    exists(TranslatedAssignOperation tao |
+      result = tao.getExpr() and
+      instr = tao.getInstruction(any(AssignmentStoreTag tag))
+    )
+    or
+    // Similarly for `i++` and `++i` we pretend that the generated
+    // `StoreInstruction` is contains the result of the expression even though
+    // this isn't totally aligned with the C/C++ standard.
+    exists(TranslatedCrementOperation tco |
+      result = tco.getExpr() and
+      instr = tco.getInstruction(any(CrementStoreTag tag))
+    )
+    or
     // IR construction inserts an additional cast to a `size_t` on the extent
     // of a `new[]` expression. The resulting `ConvertInstruction` doesn't have
     // a result for `getConvertedResultExpression`. We remap this here so that
@@ -1214,7 +1124,7 @@ private module GetConvertedResultExpression {
     // represents the extent.
     exists(TranslatedNonConstantAllocationSize tas |
       result = tas.getExtent().getExpr() and
-      instr = tas.getInstruction(AllocationExtentConvertTag())
+      instr = tas.getInstruction(any(AllocationExtentConvertTag tag))
     )
     or
     // There's no instruction that returns `ParenthesisExpr`, but some queries
@@ -1223,39 +1133,6 @@ private module GetConvertedResultExpression {
       result = ttc.getExpr().(ParenthesisExpr) and
       instr = ttc.getResult()
     )
-    or
-    // Certain expressions generate `CopyValueInstruction`s only when they
-    // are needed. Examples of this include crement operations and compound
-    // assignment operations. For example:
-    // ```cpp
-    // int x = ...
-    // int y = x++;
-    // ```
-    // this generate IR like:
-    // ```
-    // r1(glval<int>) = VariableAddress[x] :
-    // r2(int)        = Constant[0]        :
-    // m3(int)        = Store[x]           : &:r1, r2
-    // r4(glval<int>) = VariableAddress[y] :
-    // r5(glval<int>) = VariableAddress[x] :
-    // r6(int)        = Load[x]            : &:r5, m3
-    // r7(int)        = Constant[1]        :
-    // r8(int)        = Add                : r6, r7
-    // m9(int)        = Store[x]           : &:r5, r8
-    // r11(int)       = CopyValue         : r6
-    // m12(int)       = Store[y]          : &:r4, r11
-    // ```
-    // When the `CopyValueInstruction` is not generated there is no instruction
-    // whose `getConvertedResultExpression` maps back to the expression. When
-    // such an instruction doesn't exist it means that the old value is not
-    // needed, and in that case the only value that will propagate forward in
-    // the program is the value that's been updated. So in those cases we just
-    // use the result of `node.asDefinition()` as the result of `node.asExpr()`.
-    exists(TranslatedCoreExpr tco |
-      tco.getInstruction(_) = instr and
-      tco.producesExprResult() and
-      result = asDefinitionImpl0(instr)
-    )
   }
 
   private Expr getConvertedResultExpressionImpl(Instruction instr) {
@@ -1264,75 +1141,6 @@ private module GetConvertedResultExpression {
     not exists(getConvertedResultExpressionImpl0(instr)) and
     result = instr.getConvertedResultExpression()
   }
-
-  /**
-   * Gets the result for `node.asDefinition()` (when `node` is the instruction
-   * node that wraps `store`) in the cases where `store.getAst()` should not be
-   * used to define the result of `node.asDefinition()`.
-   */
-  private Expr asDefinitionImpl0(StoreInstruction store) {
-    // For an expression such as `i += 2` we pretend that the generated
-    // `StoreInstruction` contains the result of the expression even though
-    // this isn't totally aligned with the C/C++ standard.
-    exists(TranslatedAssignOperation tao |
-      store = tao.getInstruction(AssignmentStoreTag()) and
-      result = tao.getExpr()
-    )
-    or
-    // Similarly for `i++` and `++i` we pretend that the generated
-    // `StoreInstruction` is contains the result of the expression even though
-    // this isn't totally aligned with the C/C++ standard.
-    exists(TranslatedCrementOperation tco |
-      store = tco.getInstruction(CrementStoreTag()) and
-      result = tco.getExpr()
-    )
-  }
-
-  /**
-   * Holds if the expression returned by `store.getAst()` should not be
-   * returned as the result of `node.asDefinition()` when `node` is the
-   * instruction node that wraps `store`.
-   */
-  private predicate excludeAsDefinitionResult(StoreInstruction store) {
-    // Exclude the store to the temporary generated by a ternary expression.
-    exists(TranslatedConditionalExpr tce |
-      store = tce.getInstruction(ConditionValueFalseStoreTag())
-      or
-      store = tce.getInstruction(ConditionValueTrueStoreTag())
-    )
-  }
-
-  /**
-   * Gets the expression that represents the result of `StoreInstruction` for
-   * dataflow purposes.
-   *
-   * For example, consider the following example
-   * ```cpp
-   * int x = 42;     // 1
-   * x = 34;         // 2
-   * ++x;            // 3
-   * x++;            // 4
-   * x += 1;         // 5
-   * int y = x += 2; // 6
-   * ```
-   * For (1) the result is `42`.
-   * For (2) the result is `x = 34`.
-   * For (3) the result is `++x`.
-   * For (4) the result is `x++`.
-   * For (5) the result is `x += 1`.
-   * For (6) there are two results:
-   *   - For the `StoreInstruction` generated by `x += 2` the result
-   *     is `x += 2`
-   *   - For the `StoreInstruction` generated by `int y = ...` the result
-   *     is also `x += 2`
-   */
-  Expr asDefinitionImpl(StoreInstruction store) {
-    not exists(asDefinitionImpl0(store)) and
-    not excludeAsDefinitionResult(store) and
-    result = store.getAst().(Expr).getUnconverted()
-    or
-    result = asDefinitionImpl0(store)
-  }
 }
 
 private import GetConvertedResultExpression
@@ -1427,90 +1235,31 @@ abstract private class IndirectExprNodeBase extends Node {
   }
 }
 
-/** A signature for converting an indirect node to an expression. */
-private signature module IndirectNodeToIndirectExprSig {
-  /** The indirect node class to be converted to an expression */
-  class IndirectNode;
-
-  /**
-   * Holds if the indirect expression at indirection index `indirectionIndex`
-   * of `node` is `e`. The integer `n` specifies how many conversions has been
-   * applied to `node`.
-   */
-  predicate indirectNodeHasIndirectExpr(IndirectNode node, Expr e, int n, int indirectionIndex);
-}
-
-/**
- * A module that implements the logic for deciding whether an indirect node
- * should be an `IndirectExprNode`.
- */
-private module IndirectNodeToIndirectExpr<IndirectNodeToIndirectExprSig Sig> {
-  import Sig
-
-  /**
-   * This predicate shifts the indirection index by one when `conv` is a
-   * `ReferenceDereferenceExpr`.
-   *
-   * This is necessary because `ReferenceDereferenceExpr` is a conversion
-   * in the AST, but appears as a `LoadInstruction` in the IR.
-   */
-  bindingset[e, indirectionIndex]
-  private predicate adjustForReference(
-    Expr e, int indirectionIndex, Expr conv, int adjustedIndirectionIndex
-  ) {
-    conv.(ReferenceDereferenceExpr).getExpr() = e and
-    adjustedIndirectionIndex = indirectionIndex - 1
-    or
-    not conv instanceof ReferenceDereferenceExpr and
-    conv = e and
-    adjustedIndirectionIndex = indirectionIndex
-  }
-
-  /** Holds if `node` should be an `IndirectExprNode`. */
-  predicate charpred(IndirectNode node) {
-    exists(Expr e, int n, int indirectionIndex |
-      indirectNodeHasIndirectExpr(node, e, n, indirectionIndex) and
-      not exists(Expr conv, int adjustedIndirectionIndex |
-        adjustForReference(e, indirectionIndex, conv, adjustedIndirectionIndex) and
-        indirectNodeHasIndirectExpr(_, conv, n + 1, adjustedIndirectionIndex)
-      )
-    )
-  }
-}
-
-private module IndirectOperandIndirectExprNodeImpl implements IndirectNodeToIndirectExprSig {
-  class IndirectNode = IndirectOperand;
-
-  predicate indirectNodeHasIndirectExpr = indirectExprNodeShouldBeIndirectOperand/4;
-}
-
-module IndirectOperandToIndirectExpr =
-  IndirectNodeToIndirectExpr<IndirectOperandIndirectExprNodeImpl>;
-
 private class IndirectOperandIndirectExprNode extends IndirectExprNodeBase instanceof IndirectOperand
 {
-  IndirectOperandIndirectExprNode() { IndirectOperandToIndirectExpr::charpred(this) }
+  IndirectOperandIndirectExprNode() {
+    exists(Expr e, int n, int indirectionIndex |
+      indirectExprNodeShouldBeIndirectOperand(this, e, n, indirectionIndex) and
+      not indirectExprNodeShouldBeIndirectOperand(_, e, n + 1, indirectionIndex)
+    )
+  }
 
   final override Expr getConvertedExpr(int n, int index) {
-    IndirectOperandToIndirectExpr::indirectNodeHasIndirectExpr(this, result, n, index)
+    indirectExprNodeShouldBeIndirectOperand(this, result, n, index)
   }
 }
 
-private module IndirectInstructionIndirectExprNodeImpl implements IndirectNodeToIndirectExprSig {
-  class IndirectNode = IndirectInstruction;
-
-  predicate indirectNodeHasIndirectExpr = indirectExprNodeShouldBeIndirectInstruction/4;
-}
-
-module IndirectInstructionToIndirectExpr =
-  IndirectNodeToIndirectExpr<IndirectInstructionIndirectExprNodeImpl>;
-
 private class IndirectInstructionIndirectExprNode extends IndirectExprNodeBase instanceof IndirectInstruction
 {
-  IndirectInstructionIndirectExprNode() { IndirectInstructionToIndirectExpr::charpred(this) }
+  IndirectInstructionIndirectExprNode() {
+    exists(Expr e, int n, int indirectionIndex |
+      indirectExprNodeShouldBeIndirectInstruction(this, e, n, indirectionIndex) and
+      not indirectExprNodeShouldBeIndirectInstruction(_, e, n + 1, indirectionIndex)
+    )
+  }
 
   final override Expr getConvertedExpr(int n, int index) {
-    IndirectInstructionToIndirectExpr::indirectNodeHasIndirectExpr(this, result, n, index)
+    indirectExprNodeShouldBeIndirectInstruction(this, result, n, index)
   }
 }
 
@@ -1850,29 +1599,26 @@ private module Cached {
   predicate localFlowStep(Node nodeFrom, Node nodeTo) { simpleLocalFlowStep(nodeFrom, nodeTo) }
 
   private predicate indirectionOperandFlow(RawIndirectOperand nodeFrom, Node nodeTo) {
-    nodeFrom != nodeTo and
-    (
-      // Reduce the indirection count by 1 if we're passing through a `LoadInstruction`.
-      exists(int ind, LoadInstruction load |
-        hasOperandAndIndex(nodeFrom, load.getSourceAddressOperand(), ind) and
-        nodeHasInstruction(nodeTo, load, ind - 1)
-      )
-      or
-      // If an operand flows to an instruction, then the indirection of
-      // the operand also flows to the indirection of the instruction.
-      exists(Operand operand, Instruction instr, int indirectionIndex |
-        simpleInstructionLocalFlowStep(operand, instr) and
-        hasOperandAndIndex(nodeFrom, operand, pragma[only_bind_into](indirectionIndex)) and
-        hasInstructionAndIndex(nodeTo, instr, pragma[only_bind_into](indirectionIndex))
-      )
-      or
-      // If there's indirect flow to an operand, then there's also indirect
-      // flow to the operand after applying some pointer arithmetic.
-      exists(PointerArithmeticInstruction pointerArith, int indirectionIndex |
-        hasOperandAndIndex(nodeFrom, pointerArith.getAnOperand(),
-          pragma[only_bind_into](indirectionIndex)) and
-        hasInstructionAndIndex(nodeTo, pointerArith, pragma[only_bind_into](indirectionIndex))
-      )
+    // Reduce the indirection count by 1 if we're passing through a `LoadInstruction`.
+    exists(int ind, LoadInstruction load |
+      hasOperandAndIndex(nodeFrom, load.getSourceAddressOperand(), ind) and
+      nodeHasInstruction(nodeTo, load, ind - 1)
+    )
+    or
+    // If an operand flows to an instruction, then the indirection of
+    // the operand also flows to the indirection of the instruction.
+    exists(Operand operand, Instruction instr, int indirectionIndex |
+      simpleInstructionLocalFlowStep(operand, instr) and
+      hasOperandAndIndex(nodeFrom, operand, pragma[only_bind_into](indirectionIndex)) and
+      hasInstructionAndIndex(nodeTo, instr, pragma[only_bind_into](indirectionIndex))
+    )
+    or
+    // If there's indirect flow to an operand, then there's also indirect
+    // flow to the operand after applying some pointer arithmetic.
+    exists(PointerArithmeticInstruction pointerArith, int indirectionIndex |
+      hasOperandAndIndex(nodeFrom, pointerArith.getAnOperand(),
+        pragma[only_bind_into](indirectionIndex)) and
+      hasInstructionAndIndex(nodeTo, pointerArith, pragma[only_bind_into](indirectionIndex))
     )
   }
 
@@ -1898,7 +1644,6 @@ private module Cached {
   private predicate indirectionInstructionFlow(
     RawIndirectInstruction nodeFrom, IndirectOperand nodeTo
   ) {
-    nodeFrom != nodeTo and
     // If there's flow from an instruction to an operand, then there's also flow from the
     // indirect instruction to the indirect operand.
     exists(Operand operand, Instruction instr, int indirectionIndex |
@@ -2492,43 +2237,3 @@ module InstructionBarrierGuard<instructionGuardChecksSig/3 instructionGuardCheck
     )
   }
 }
-
-/**
- * A unit class for adding additional call steps.
- *
- * Extend this class to add additional call steps to the data flow graph.
- *
- * For example, if the following subclass is added:
- * ```ql
- * class MyAdditionalCallTarget extends DataFlow::AdditionalCallTarget {
- *   override Function viableTarget(Call call) {
- *     call.getTarget().hasName("f") and
- *     result.hasName("g")
- *   }
- * }
- * ```
- * then flow from `source()` to `x` in `sink(x)` is reported in the following example:
- * ```cpp
- * void sink(int);
- * int source();
- * void f(int);
- *
- * void g(int x) {
- *   sink(x);
- * }
- *
- * void test() {
- *   int x = source();
- *   f(x);
- * }
- * ```
- *
- * Note: To prevent reevaluation of cached dataflow-related predicates any
- * subclass of `AdditionalCallTarget` must be imported in all dataflow queries.
- */
-class AdditionalCallTarget extends Unit {
-  /**
-   * Gets a viable target for `call`.
-   */
-  abstract DataFlowCallable viableTarget(Call call);
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ModelUtil.qll

@@ -31,35 +31,26 @@ DataFlow::Node callInput(CallInstruction call, FunctionInput input) {
   )
 }
 
-/**
- * Gets the node that represents the output of `call` with kind `output` at
- * indirection index `indirectionIndex`.
- */
-private Node callOutputWithIndirectionIndex(
-  CallInstruction call, FunctionOutput output, int indirectionIndex
-) {
-  // The return value
-  simpleOutNode(result, call) and
-  output.isReturnValue() and
-  indirectionIndex = 0
-  or
-  // The side effect of a call on the value pointed to by an argument or qualifier
-  exists(int index |
-    result.(IndirectArgumentOutNode).getArgumentIndex() = index and
-    result.(IndirectArgumentOutNode).getIndirectionIndex() = indirectionIndex - 1 and
-    result.(IndirectArgumentOutNode).getCallInstruction() = call and
-    output.isParameterDerefOrQualifierObject(index, indirectionIndex - 1)
-  )
-  or
-  result = getIndirectReturnOutNode(call, indirectionIndex) and
-  output.isReturnValueDeref(indirectionIndex)
-}
-
 /**
  * Gets the instruction that holds the `output` for `call`.
  */
 Node callOutput(CallInstruction call, FunctionOutput output) {
-  result = callOutputWithIndirectionIndex(call, output, _)
+  // The return value
+  simpleOutNode(result, call) and
+  output.isReturnValue()
+  or
+  // The side effect of a call on the value pointed to by an argument or qualifier
+  exists(int index, int indirectionIndex |
+    result.(IndirectArgumentOutNode).getArgumentIndex() = index and
+    result.(IndirectArgumentOutNode).getIndirectionIndex() = indirectionIndex and
+    result.(IndirectArgumentOutNode).getCallInstruction() = call and
+    output.isParameterDerefOrQualifierObject(index, indirectionIndex)
+  )
+  or
+  exists(int ind |
+    result = getIndirectReturnOutNode(call, ind) and
+    output.isReturnValueDeref(ind)
+  )
 }
 
 DataFlow::Node callInput(CallInstruction call, FunctionInput input, int d) {
@@ -85,15 +76,19 @@ private IndirectReturnOutNode getIndirectReturnOutNode(CallInstruction call, int
  */
 bindingset[d]
 Node callOutput(CallInstruction call, FunctionOutput output, int d) {
-  exists(DataFlow::Node n, int indirectionIndex |
-    n = callOutputWithIndirectionIndex(call, output, indirectionIndex) and d > 0
-  |
+  exists(DataFlow::Node n | n = callOutput(call, output) and d > 0 |
     // The return value
-    result = callOutputWithIndirectionIndex(call, output, indirectionIndex + d)
+    result = getIndirectReturnOutNode(n.asInstruction(), d)
     or
     // If there isn't an indirect out node for the call with indirection `d` then
     // we conflate this with the underlying `CallInstruction`.
-    not exists(getIndirectReturnOutNode(call, indirectionIndex + d)) and
+    not exists(getIndirectReturnOutNode(call, d)) and
     n = result
+    or
+    // The side effect of a call on the value pointed to by an argument or qualifier
+    exists(Operand operand, int indirectionIndex |
+      Ssa::outNodeHasAddressAndIndex(n, operand, indirectionIndex) and
+      Ssa::outNodeHasAddressAndIndex(result, operand, indirectionIndex + d)
+    )
   )
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -59,9 +59,6 @@ private module SourceVariables {
       then result = base.getType()
       else result = getTypeImpl(base.getType(), ind - 1)
     }
-
-    /** Gets the location of this variable. */
-    Location getLocation() { result = this.getBaseVariable().getLocation() }
   }
 }
 
@@ -116,12 +113,22 @@ private newtype TDefOrUseImpl =
   TGlobalUse(GlobalLikeVariable v, IRFunction f, int indirectionIndex) {
     // Represents a final "use" of a global variable to ensure that
     // the assignment to a global variable isn't ruled out as dead.
-    isGlobalUse(v, f, _, indirectionIndex)
+    exists(VariableAddressInstruction vai, int defIndex |
+      vai.getEnclosingIRFunction() = f and
+      vai.getAstVariable() = v and
+      isDef(_, _, _, vai, _, defIndex) and
+      indirectionIndex = [0 .. defIndex] + 1
+    )
   } or
   TGlobalDefImpl(GlobalLikeVariable v, IRFunction f, int indirectionIndex) {
     // Represents the initial "definition" of a global variable when entering
     // a function body.
-    isGlobalDefImpl(v, f, _, indirectionIndex)
+    exists(VariableAddressInstruction vai |
+      vai.getEnclosingIRFunction() = f and
+      vai.getAstVariable() = v and
+      isUse(_, _, vai, _, indirectionIndex) and
+      not isDef(_, _, vai.getAUse(), _, _, _)
+    )
   } or
   TIteratorDef(
     Operand iteratorDerefAddress, BaseSourceVariableInstruction container, int indirectionIndex
@@ -143,27 +150,6 @@ private newtype TDefOrUseImpl =
     )
   }
 
-private predicate isGlobalUse(
-  GlobalLikeVariable v, IRFunction f, int indirection, int indirectionIndex
-) {
-  exists(VariableAddressInstruction vai |
-    vai.getEnclosingIRFunction() = f and
-    vai.getAstVariable() = v and
-    isDef(_, _, _, vai, indirection, indirectionIndex)
-  )
-}
-
-private predicate isGlobalDefImpl(
-  GlobalLikeVariable v, IRFunction f, int indirection, int indirectionIndex
-) {
-  exists(VariableAddressInstruction vai |
-    vai.getEnclosingIRFunction() = f and
-    vai.getAstVariable() = v and
-    isUse(_, _, vai, indirection, indirectionIndex) and
-    not isDef(_, _, _, vai, _, indirectionIndex)
-  )
-}
-
 private predicate unspecifiedTypeIsModifiableAt(Type unspecified, int indirectionIndex) {
   indirectionIndex = [1 .. getIndirectionForUnspecifiedType(unspecified).getNumberOfIndirections()] and
   exists(CppType cppType |
@@ -452,7 +438,7 @@ class GlobalUse extends UseImpl, TGlobalUse {
 
   override FinalGlobalValue getNode() { result.getGlobalUse() = this }
 
-  override int getIndirection() { isGlobalUse(global, f, result, ind) }
+  override int getIndirection() { result = ind + 1 }
 
   /** Gets the global variable associated with this use. */
   GlobalLikeVariable getVariable() { result = global }
@@ -474,9 +460,7 @@ class GlobalUse extends UseImpl, TGlobalUse {
     )
   }
 
-  override SourceVariable getSourceVariable() {
-    sourceVariableIsGlobal(result, global, f, this.getIndirection())
-  }
+  override SourceVariable getSourceVariable() { sourceVariableIsGlobal(result, global, f, ind) }
 
   final override Cpp::Location getLocation() { result = f.getLocation() }
 
@@ -517,18 +501,16 @@ class GlobalDefImpl extends DefOrUseImpl, TGlobalDefImpl {
 
   /** Gets the global variable associated with this definition. */
   override SourceVariable getSourceVariable() {
-    sourceVariableIsGlobal(result, global, f, this.getIndirection())
+    sourceVariableIsGlobal(result, global, f, indirectionIndex)
   }
 
-  int getIndirection() { result = indirectionIndex }
-
   /**
    * Gets the type of this use after specifiers have been deeply stripped
    * and typedefs have been resolved.
    */
   Type getUnspecifiedType() { result = global.getUnspecifiedType() }
 
-  override string toString() { result = "Def of " + this.getSourceVariable() }
+  override string toString() { result = "GlobalDef" }
 
   override Location getLocation() { result = f.getLocation() }
 
@@ -872,7 +854,7 @@ private predicate sourceVariableIsGlobal(
   )
 }
 
-private module SsaInput implements SsaImplCommon::InputSig<Location> {
+private module SsaInput implements SsaImplCommon::InputSig {
   import InputSigCommon
   import SourceVariables
 
@@ -998,7 +980,7 @@ class GlobalDef extends TGlobalDef, SsaDefOrUse {
   final override Location getLocation() { result = global.getLocation() }
 
   /** Gets a textual representation of this definition. */
-  override string toString() { result = global.toString() }
+  override string toString() { result = "GlobalDef" }
 
   /**
    * Holds if this definition has index `index` in block `block`, and
@@ -1008,9 +990,6 @@ class GlobalDef extends TGlobalDef, SsaDefOrUse {
     global.hasIndexInBlock(block, index, sv)
   }
 
-  /** Gets the indirection index of this definition. */
-  int getIndirection() { result = global.getIndirection() }
-
   /** Gets the indirection index of this definition. */
   int getIndirectionIndex() { result = global.getIndirectionIndex() }
 
@@ -1095,7 +1074,7 @@ class Def extends DefOrUse {
   predicate isCertain() { defOrUse.isCertain() }
 }
 
-private module SsaImpl = SsaImplCommon::Make<Location, SsaInput>;
+private module SsaImpl = SsaImplCommon::Make<SsaInput>;
 
 class PhiNode extends SsaImpl::DefinitionExt {
   PhiNode() {

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll

@@ -228,7 +228,7 @@ private class PointerWrapperTypeIndirection extends Indirection instanceof Point
   override predicate isAdditionalDereference(Instruction deref, Operand address) {
     exists(CallInstruction call |
       operandForFullyConvertedCall(getAUse(deref), call) and
-      this = call.getStaticCallTarget().getClassAndName(["operator*", "operator->", "get"]) and
+      this = call.getStaticCallTarget().getClassAndName("operator*") and
       address = call.getThisArgumentOperand()
     )
   }
@@ -377,9 +377,6 @@ abstract private class AbstractBaseSourceVariable extends TBaseSourceVariable {
   /** Gets a textual representation of this element. */
   abstract string toString();
 
-  /** Gets the location of this variable. */
-  abstract Location getLocation();
-
   /** Gets the type of this base source variable. */
   final DataFlowType getType() { this.getLanguageType().hasUnspecifiedType(result, _) }
 
@@ -398,8 +395,6 @@ class BaseIRVariable extends AbstractBaseSourceVariable, TBaseIRVariable {
 
   override string toString() { result = var.toString() }
 
-  override Location getLocation() { result = var.getLocation() }
-
   override CppType getLanguageType() { result = var.getLanguageType() }
 }
 
@@ -412,8 +407,6 @@ class BaseCallVariable extends AbstractBaseSourceVariable, TBaseCallVariable {
 
   override string toString() { result = call.toString() }
 
-  override Location getLocation() { result = call.getLocation() }
-
   override CppType getLanguageType() { result = getResultLanguageType(call) }
 }
 
@@ -879,7 +872,7 @@ private module Cached {
       upper = countIndirectionsForCppType(type) and
       ind = ind0 + [lower .. upper] and
       indirectionIndex = ind - (ind0 + lower) and
-      lower = getMinIndirectionsForType(any(Type t | type.hasUnspecifiedType(t, _)))
+      (if type.hasType(any(Cpp::ArrayType arrayType), true) then lower = 0 else lower = 1)
     )
   }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll

@@ -72,16 +72,6 @@ private predicate operandToInstructionTaintStep(Operand opFrom, Instruction inst
     or
     instrTo.(FieldAddressInstruction).getField().getDeclaringType() instanceof Union
   )
-  or
-  // Taint from int to boolean casts. This ensures that we have flow to `!x` in:
-  // ```cpp
-  // x = integer_source();
-  // if(!x) { ... }
-  // ```
-  exists(Operand zero |
-    zero.getDef().(ConstantValueInstruction).getValue() = "0" and
-    instrTo.(CompareNEInstruction).hasOperands(opFrom, zero)
-  )
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ssa0/SsaInternals.qll

@@ -229,7 +229,7 @@ private class FinalParameterUse extends UseImpl, TFinalParameterUse {
   override predicate isCertain() { any() }
 }
 
-private module SsaInput implements SsaImplCommon::InputSig<Location> {
+private module SsaInput implements SsaImplCommon::InputSig {
   import InputSigCommon
   import SourceVariables
 
@@ -335,7 +335,7 @@ class Def extends DefOrUse {
   predicate isIteratorDef() { defOrUse instanceof IteratorDef }
 }
 
-private module SsaImpl = SsaImplCommon::Make<Location, SsaInput>;
+private module SsaImpl = SsaImplCommon::Make<SsaInput>;
 
 class PhiNode extends SsaImpl::DefinitionExt {
   PhiNode() {

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/constant/ConstantAnalysis.qll

@@ -12,9 +12,6 @@ int getConstantValue(Instruction instr) {
   or
   result = getConstantValue(instr.(CopyInstruction).getSourceValue())
   or
-  getConstantValue(instr.(LogicalNotInstruction).getUnary()) != 0 and
-  result = 0
-  or
   exists(PhiInstruction phi |
     phi = instr and
     result = unique(Operand op | op = phi.getAnInputOperand() | getConstantValue(op.getDef()))
@@ -29,25 +26,28 @@ private predicate binaryInstructionOperands(BinaryInstruction instr, int left, i
 
 pragma[noinline]
 private int getBinaryInstructionValue(BinaryInstruction instr) {
-  exists(int left, int right | binaryInstructionOperands(instr, left, right) |
-    instr instanceof AddInstruction and result = add(left, right)
-    or
-    instr instanceof SubInstruction and result = sub(left, right)
-    or
-    instr instanceof MulInstruction and result = mul(left, right)
-    or
-    instr instanceof DivInstruction and result = div(left, right)
-    or
-    instr instanceof CompareEQInstruction and result = compareEQ(left, right)
-    or
-    instr instanceof CompareNEInstruction and result = compareNE(left, right)
-    or
-    instr instanceof CompareLTInstruction and result = compareLT(left, right)
-    or
-    instr instanceof CompareGTInstruction and result = compareGT(left, right)
-    or
-    instr instanceof CompareLEInstruction and result = compareLE(left, right)
-    or
-    instr instanceof CompareGEInstruction and result = compareGE(left, right)
+  exists(int left, int right |
+    binaryInstructionOperands(instr, left, right) and
+    (
+      instr instanceof AddInstruction and result = add(left, right)
+      or
+      instr instanceof SubInstruction and result = sub(left, right)
+      or
+      instr instanceof MulInstruction and result = mul(left, right)
+      or
+      instr instanceof DivInstruction and result = div(left, right)
+      or
+      instr instanceof CompareEQInstruction and result = compareEQ(left, right)
+      or
+      instr instanceof CompareNEInstruction and result = compareNE(left, right)
+      or
+      instr instanceof CompareLTInstruction and result = compareLT(left, right)
+      or
+      instr instanceof CompareGTInstruction and result = compareGT(left, right)
+      or
+      instr instanceof CompareLEInstruction and result = compareLE(left, right)
+      or
+      instr instanceof CompareGEInstruction and result = compareGE(left, right)
+    )
   )
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TOperand.qll

@@ -23,8 +23,9 @@ private module Internal {
   newtype TOperand =
     // RAW
     TRegisterOperand(TRawInstruction useInstr, RegisterOperandTag tag, TRawInstruction defInstr) {
-      defInstr = unique( | | RawConstruction::getRegisterOperandDefinition(useInstr, tag)) and
-      not RawConstruction::isInCycle(useInstr)
+      defInstr = RawConstruction::getRegisterOperandDefinition(useInstr, tag) and
+      not RawConstruction::isInCycle(useInstr) and
+      strictcount(RawConstruction::getRegisterOperandDefinition(useInstr, tag)) = 1
     } or
     // Placeholder for Phi and Chi operands in stages that don't have the corresponding instructions
     TNoOperand() { none() } or

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/constant/ConstantAnalysis.qll

@@ -12,9 +12,6 @@ int getConstantValue(Instruction instr) {
   or
   result = getConstantValue(instr.(CopyInstruction).getSourceValue())
   or
-  getConstantValue(instr.(LogicalNotInstruction).getUnary()) != 0 and
-  result = 0
-  or
   exists(PhiInstruction phi |
     phi = instr and
     result = unique(Operand op | op = phi.getAnInputOperand() | getConstantValue(op.getDef()))
@@ -29,25 +26,28 @@ private predicate binaryInstructionOperands(BinaryInstruction instr, int left, i
 
 pragma[noinline]
 private int getBinaryInstructionValue(BinaryInstruction instr) {
-  exists(int left, int right | binaryInstructionOperands(instr, left, right) |
-    instr instanceof AddInstruction and result = add(left, right)
-    or
-    instr instanceof SubInstruction and result = sub(left, right)
-    or
-    instr instanceof MulInstruction and result = mul(left, right)
-    or
-    instr instanceof DivInstruction and result = div(left, right)
-    or
-    instr instanceof CompareEQInstruction and result = compareEQ(left, right)
-    or
-    instr instanceof CompareNEInstruction and result = compareNE(left, right)
-    or
-    instr instanceof CompareLTInstruction and result = compareLT(left, right)
-    or
-    instr instanceof CompareGTInstruction and result = compareGT(left, right)
-    or
-    instr instanceof CompareLEInstruction and result = compareLE(left, right)
-    or
-    instr instanceof CompareGEInstruction and result = compareGE(left, right)
+  exists(int left, int right |
+    binaryInstructionOperands(instr, left, right) and
+    (
+      instr instanceof AddInstruction and result = add(left, right)
+      or
+      instr instanceof SubInstruction and result = sub(left, right)
+      or
+      instr instanceof MulInstruction and result = mul(left, right)
+      or
+      instr instanceof DivInstruction and result = div(left, right)
+      or
+      instr instanceof CompareEQInstruction and result = compareEQ(left, right)
+      or
+      instr instanceof CompareNEInstruction and result = compareNE(left, right)
+      or
+      instr instanceof CompareLTInstruction and result = compareLT(left, right)
+      or
+      instr instanceof CompareGTInstruction and result = compareGT(left, right)
+      or
+      instr instanceof CompareLEInstruction and result = compareLE(left, right)
+      or
+      instr instanceof CompareGEInstruction and result = compareGE(left, right)
+    )
   )
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCondition.qll

@@ -77,6 +77,24 @@ class TranslatedParenthesisCondition extends TranslatedFlexibleCondition {
   }
 }
 
+class TranslatedNotCondition extends TranslatedFlexibleCondition {
+  override NotExpr expr;
+
+  override Instruction getChildTrueSuccessor(TranslatedCondition child) {
+    child = this.getOperand() and
+    result = this.getConditionContext().getChildFalseSuccessor(this)
+  }
+
+  override Instruction getChildFalseSuccessor(TranslatedCondition child) {
+    child = this.getOperand() and
+    result = this.getConditionContext().getChildTrueSuccessor(this)
+  }
+
+  override TranslatedCondition getOperand() {
+    result = getTranslatedCondition(expr.getOperand().getFullyConverted())
+  }
+}
+
 abstract class TranslatedNativeCondition extends TranslatedCondition, TTranslatedNativeCondition {
   TranslatedNativeCondition() { this = TTranslatedNativeCondition(expr) }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -1,6 +1,5 @@
 private import cpp
 import semmle.code.cpp.ir.implementation.raw.IR
-private import semmle.code.cpp.internal.ExtractorVersion
 private import semmle.code.cpp.ir.IRConfiguration
 private import semmle.code.cpp.ir.implementation.Opcode
 private import semmle.code.cpp.ir.implementation.internal.OperandTag
@@ -190,7 +189,10 @@ private predicate isNativeCondition(Expr expr) {
  * depending on context.
  */
 private predicate isFlexibleCondition(Expr expr) {
-  expr instanceof ParenthesisExpr and
+  (
+    expr instanceof ParenthesisExpr or
+    expr instanceof NotExpr
+  ) and
   usedAsCondition(expr) and
   not isIRConstant(expr)
 }
@@ -215,6 +217,11 @@ private predicate usedAsCondition(Expr expr) {
     condExpr.getCondition().getFullyConverted() = expr and not condExpr.isTwoOperand()
   )
   or
+  exists(NotExpr notExpr |
+    notExpr.getOperand().getFullyConverted() = expr and
+    usedAsCondition(notExpr)
+  )
+  or
   exists(ParenthesisExpr paren |
     paren.getExpr() = expr and
     usedAsCondition(paren)
@@ -354,12 +361,6 @@ predicate ignoreLoad(Expr expr) {
     or
     expr instanceof FunctionAccess
     or
-    // The load is duplicated from the operand.
-    isExtractorFrontendVersion65OrHigher() and expr instanceof ParenthesisExpr
-    or
-    // The load is duplicated from the right operand.
-    isExtractorFrontendVersion65OrHigher() and expr instanceof CommaExpr
-    or
     expr.(PointerDereferenceExpr).getOperand().getFullyConverted().getType().getUnspecifiedType()
       instanceof FunctionPointerType
     or

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -1,5 +1,4 @@
 private import cpp
-private import semmle.code.cpp.internal.ExtractorVersion
 private import semmle.code.cpp.ir.implementation.IRType
 private import semmle.code.cpp.ir.implementation.Opcode
 private import semmle.code.cpp.ir.implementation.internal.OperandTag
@@ -650,9 +649,7 @@ class TranslatedPrefixCrementOperation extends TranslatedCrementOperation {
   override PrefixCrementOperation expr;
 
   override Instruction getResult() {
-    // The following distinction is needed to work around extractor limitations
-    // in old versions of the extractor.
-    if expr.isPRValueCategory() and not isExtractorFrontendVersion65OrHigher()
+    if expr.isPRValueCategory()
     then
       // If this is C, then the result of a prefix crement is a prvalue for the
       // new value assigned to the operand. If this is C++, then the result is
@@ -1507,9 +1504,7 @@ class TranslatedAssignExpr extends TranslatedNonConstantExpr {
   }
 
   final override Instruction getResult() {
-    // The following distinction is needed to work around extractor limitations
-    // in old versions of the extractor.
-    if expr.isPRValueCategory() and not isExtractorFrontendVersion65OrHigher()
+    if expr.isPRValueCategory()
     then
       // If this is C, then the result of an assignment is a prvalue for the new
       // value assigned to the left operand. If this is C++, then the result is
@@ -1647,9 +1642,7 @@ class TranslatedAssignOperation extends TranslatedNonConstantExpr {
   }
 
   final override Instruction getResult() {
-    // The following distinction is needed to work around extractor limitations
-    // in old versions of the extractor.
-    if expr.isPRValueCategory() and not isExtractorFrontendVersion65OrHigher()
+    if expr.isPRValueCategory()
     then
       // If this is C, then the result of an assignment is a prvalue for the new
       // value assigned to the left operand. If this is C++, then the result is
@@ -2198,16 +2191,8 @@ abstract class TranslatedConditionalExpr extends TranslatedNonConstantExpr {
         not this.elseIsVoid() and tag = ConditionValueFalseStoreTag()
       ) and
       opcode instanceof Opcode::Store and
-      if isExtractorFrontendVersion65OrHigher()
-      then
-        not expr.hasLValueToRValueConversion() and
-        resultType = this.getResultType()
-        or
-        expr.hasLValueToRValueConversion() and
-        resultType = getTypeForPRValue(expr.getType())
-      else resultType = this.getResultType()
+      resultType = this.getResultType()
       or
-      (not expr.hasLValueToRValueConversion() or not isExtractorFrontendVersion65OrHigher()) and
       tag = ConditionValueResultLoadTag() and
       opcode instanceof Opcode::Load and
       resultType = this.getResultType()
@@ -2237,16 +2222,8 @@ abstract class TranslatedConditionalExpr extends TranslatedNonConstantExpr {
       )
       or
       tag = ConditionValueResultTempAddressTag() and
-      if isExtractorFrontendVersion65OrHigher()
-      then
-        not expr.hasLValueToRValueConversion() and
-        result = this.getInstruction(ConditionValueResultLoadTag())
-        or
-        expr.hasLValueToRValueConversion() and
-        result = this.getParent().getChildSuccessor(this)
-      else result = this.getInstruction(ConditionValueResultLoadTag())
+      result = this.getInstruction(ConditionValueResultLoadTag())
       or
-      (not expr.hasLValueToRValueConversion() or not isExtractorFrontendVersion65OrHigher()) and
       tag = ConditionValueResultLoadTag() and
       result = this.getParent().getChildSuccessor(this)
     )
@@ -2275,24 +2252,18 @@ abstract class TranslatedConditionalExpr extends TranslatedNonConstantExpr {
         result = this.getElse().getResult()
       )
       or
-      (not expr.hasLValueToRValueConversion() or not isExtractorFrontendVersion65OrHigher()) and
       tag = ConditionValueResultLoadTag() and
-      operandTag instanceof AddressOperandTag and
-      result = this.getInstruction(ConditionValueResultTempAddressTag())
+      (
+        operandTag instanceof AddressOperandTag and
+        result = this.getInstruction(ConditionValueResultTempAddressTag())
+      )
     )
   }
 
   final override predicate hasTempVariable(TempVariableTag tag, CppType type) {
     not this.resultIsVoid() and
     tag = ConditionValueTempVar() and
-    if isExtractorFrontendVersion65OrHigher()
-    then
-      not expr.hasLValueToRValueConversion() and
-      type = this.getResultType()
-      or
-      expr.hasLValueToRValueConversion() and
-      type = getTypeForPRValue(expr.getType())
-    else type = this.getResultType()
+    type = this.getResultType()
   }
 
   final override IRVariable getInstructionVariable(InstructionTag tag) {
@@ -2307,14 +2278,7 @@ abstract class TranslatedConditionalExpr extends TranslatedNonConstantExpr {
 
   final override Instruction getResult() {
     not this.resultIsVoid() and
-    if isExtractorFrontendVersion65OrHigher()
-    then
-      expr.hasLValueToRValueConversion() and
-      result = this.getInstruction(ConditionValueResultTempAddressTag())
-      or
-      not expr.hasLValueToRValueConversion() and
-      result = this.getInstruction(ConditionValueResultLoadTag())
-    else result = this.getInstruction(ConditionValueResultLoadTag())
+    result = this.getInstruction(ConditionValueResultLoadTag())
   }
 
   override Instruction getChildSuccessor(TranslatedElement child) {
@@ -3274,18 +3238,10 @@ predicate exprNeedsCopyIfNotLoaded(Expr expr) {
     expr instanceof AssignExpr
     or
     expr instanceof AssignOperation and
-    (
-      not expr.isPRValueCategory() // is C++
-      or
-      isExtractorFrontendVersion65OrHigher()
-    )
+    not expr.isPRValueCategory() // is C++
     or
     expr instanceof PrefixCrementOperation and
-    (
-      not expr.isPRValueCategory() // is C++
-      or
-      isExtractorFrontendVersion65OrHigher()
-    )
+    not expr.isPRValueCategory() // is C++
     or
     // Because the load is on the `e` in `e++`.
     expr instanceof PostfixCrementOperation

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/constant/ConstantAnalysis.qll

@@ -12,9 +12,6 @@ int getConstantValue(Instruction instr) {
   or
   result = getConstantValue(instr.(CopyInstruction).getSourceValue())
   or
-  getConstantValue(instr.(LogicalNotInstruction).getUnary()) != 0 and
-  result = 0
-  or
   exists(PhiInstruction phi |
     phi = instr and
     result = unique(Operand op | op = phi.getAnInputOperand() | getConstantValue(op.getDef()))
@@ -29,25 +26,28 @@ private predicate binaryInstructionOperands(BinaryInstruction instr, int left, i
 
 pragma[noinline]
 private int getBinaryInstructionValue(BinaryInstruction instr) {
-  exists(int left, int right | binaryInstructionOperands(instr, left, right) |
-    instr instanceof AddInstruction and result = add(left, right)
-    or
-    instr instanceof SubInstruction and result = sub(left, right)
-    or
-    instr instanceof MulInstruction and result = mul(left, right)
-    or
-    instr instanceof DivInstruction and result = div(left, right)
-    or
-    instr instanceof CompareEQInstruction and result = compareEQ(left, right)
-    or
-    instr instanceof CompareNEInstruction and result = compareNE(left, right)
-    or
-    instr instanceof CompareLTInstruction and result = compareLT(left, right)
-    or
-    instr instanceof CompareGTInstruction and result = compareGT(left, right)
-    or
-    instr instanceof CompareLEInstruction and result = compareLE(left, right)
-    or
-    instr instanceof CompareGEInstruction and result = compareGE(left, right)
+  exists(int left, int right |
+    binaryInstructionOperands(instr, left, right) and
+    (
+      instr instanceof AddInstruction and result = add(left, right)
+      or
+      instr instanceof SubInstruction and result = sub(left, right)
+      or
+      instr instanceof MulInstruction and result = mul(left, right)
+      or
+      instr instanceof DivInstruction and result = div(left, right)
+      or
+      instr instanceof CompareEQInstruction and result = compareEQ(left, right)
+      or
+      instr instanceof CompareNEInstruction and result = compareNE(left, right)
+      or
+      instr instanceof CompareLTInstruction and result = compareLT(left, right)
+      or
+      instr instanceof CompareGTInstruction and result = compareGT(left, right)
+      or
+      instr instanceof CompareLEInstruction and result = compareLE(left, right)
+      or
+      instr instanceof CompareGEInstruction and result = compareGE(left, right)
+    )
   )
 }

cpp/ql/lib/semmle/code/cpp/models/Models.qll

@@ -19,7 +19,6 @@ private import implementations.Strtok
 private import implementations.Strset
 private import implementations.Strcrement
 private import implementations.Strnextc
-private import implementations.Strtol
 private import implementations.StdContainer
 private import implementations.StdPair
 private import implementations.StdMap
@@ -35,7 +34,6 @@ private import implementations.Accept
 private import implementations.Poll
 private import implementations.Select
 private import implementations.MySql
-private import implementations.ODBC
 private import implementations.SqLite3
 private import implementations.PostgreSql
 private import implementations.System

cpp/ql/lib/semmle/code/cpp/models/implementations/Allocation.qll

@@ -5,7 +5,6 @@
  */
 
 import semmle.code.cpp.models.interfaces.Allocation
-import semmle.code.cpp.models.interfaces.Taint
 
 /**
  * An allocation function (such as `malloc`) that has an argument for the size
@@ -122,7 +121,7 @@ private class CallocAllocationFunction extends AllocationFunction {
  * An allocation function (such as `realloc`) that has an argument for the size
  * in bytes, and an argument for an existing pointer that is to be reallocated.
  */
-private class ReallocAllocationFunction extends AllocationFunction, TaintFunction {
+private class ReallocAllocationFunction extends AllocationFunction {
   int sizeArg;
   int reallocArg;
 
@@ -152,10 +151,6 @@ private class ReallocAllocationFunction extends AllocationFunction, TaintFunctio
   override int getSizeArg() { result = sizeArg }
 
   override int getReallocPtrArg() { result = reallocArg }
-
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isParameterDeref(this.getReallocPtrArg()) and output.isReturnValueDeref()
-  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/models/implementations/Getenv.qll

@@ -16,7 +16,10 @@ class Getenv extends LocalFlowSourceFunction {
   }
 
   override predicate hasLocalFlowSource(FunctionOutput output, string description) {
-    output.isReturnValueDeref() and
+    (
+      output.isReturnValueDeref() or
+      output.isReturnValue()
+    ) and
     description = "an environment variable"
   }
 }

cpp/ql/lib/semmle/code/cpp/models/implementations/Gets.qll

@@ -49,10 +49,10 @@ private class FgetsFunction extends DataFlowFunction, TaintFunction, ArrayFuncti
   }
 
   override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
-    (
-      output.isParameterDeref(0) or
-      output.isReturnValueDeref()
-    ) and
+    output.isParameterDeref(0) and
+    description = "string read by " + this.getName()
+    or
+    output.isReturnValue() and
     description = "string read by " + this.getName()
   }
 
@@ -101,6 +101,7 @@ private class GetsFunction extends DataFlowFunction, ArrayFunction, AliasFunctio
   override predicate hasLocalFlowSource(FunctionOutput output, string description) {
     (
       output.isParameterDeref(0) or
+      output.isReturnValue() or
       output.isReturnValueDeref()
     ) and
     description = "string read by " + this.getName()

cpp/ql/lib/semmle/code/cpp/models/implementations/Inet.qll

@@ -157,7 +157,7 @@ private class Getaddrinfo extends TaintFunction, ArrayFunction, RemoteFlowSource
   override predicate hasArrayWithNullTerminator(int bufParam) { bufParam in [0, 1] }
 
   override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
-    output.isParameterDeref(3, 2) and
+    output.isParameterDeref(3) and
     description = "address returned by " + this.getName()
   }
 }

cpp/ql/lib/semmle/code/cpp/models/implementations/Memset.qll

@@ -9,17 +9,18 @@ import semmle.code.cpp.models.interfaces.DataFlow
 import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.SideEffect
 
-private class MemsetFunctionModel extends ArrayFunction, DataFlowFunction, AliasFunction,
+/**
+ * The standard function `memset` and its assorted variants
+ */
+private class MemsetFunction extends ArrayFunction, DataFlowFunction, AliasFunction,
   SideEffectFunction
 {
-  MemsetFunctionModel() {
+  MemsetFunction() {
     this.hasGlobalOrStdOrBslName("memset")
     or
     this.hasGlobalOrStdName("wmemset")
     or
-    this.hasGlobalName([
-        bzero(), "__builtin_memset", "__builtin_memset_chk", "RtlZeroMemory", "RtlSecureZeroMemory"
-      ])
+    this.hasGlobalName([bzero(), "__builtin_memset", "__builtin_memset_chk"])
   }
 
   override predicate hasArrayOutput(int bufParam) { bufParam = 0 }
@@ -59,8 +60,3 @@ private class MemsetFunctionModel extends ArrayFunction, DataFlowFunction, Alias
 }
 
 private string bzero() { result = ["bzero", "explicit_bzero"] }
-
-/**
- * The standard function `memset` and its assorted variants
- */
-class MemsetFunction extends Function instanceof MemsetFunctionModel { }

cpp/ql/lib/semmle/code/cpp/models/implementations/ODBC.qll

@@ -1,28 +0,0 @@
-/**
- * Provides implementation classes modeling the ODBC C/C++ API.
- * See `semmle.code.cpp.models.Models` for usage information.
- */
-
-private import semmle.code.cpp.models.interfaces.Sql
-private import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs
-
-/**
- * The `SQLExecDirect`, and `SQLPrepare` from the ODBC C/C++ API:
- * https://learn.microsoft.com/en-us/sql/odbc/reference/syntax/sqlexecdirect-function?view=sql-server-ver16
- * https://learn.microsoft.com/en-us/sql/odbc/reference/syntax/sqlprepare-function?view=sql-server-ver16
- *
- * Note, `SQLExecute` is not included because it operates on a SQLHSTMT type, not a string.
- * The SQLHSTMT parameter for `SQLExecute` is set through a `SQLPrepare`, which is modeled.
- * The other source of input to a `SQLExecute` is via a `SQLBindParameter`, which sanitizes user input,
- * and would be considered a barrier to SQL injection.
- */
-private class ODBCExecutionFunction extends SqlExecutionFunction {
-  ODBCExecutionFunction() { this.hasGlobalName(["SQLExecDirect", "SQLPrepare"]) }
-
-  override predicate hasSqlArgument(FunctionInput input) { input.isParameterDeref(1) }
-}
-// NOTE: no need to define a barrier explicitly.
-// `SQLBindParameter` is the typical means for sanitizing user input.
-//       https://learn.microsoft.com/en-us/sql/odbc/reference/syntax/sqlbindparameter-function?view=sql-server-ver16
-// First a query is establisehed via `SQLPrepare`, then parameters are bound via `SQLBindParameter`, before
-// the query is executed via `SQLExecute`. We are not modeling SQLExecute, so we do not need to model SQLBindParameter.

cpp/ql/lib/semmle/code/cpp/models/implementations/Printf.qll

@@ -147,32 +147,19 @@ private class SnprintfImpl extends Snprintf {
 
 /**
  * The Microsoft `StringCchPrintf` function and variants.
- * See: https://learn.microsoft.com/en-us/windows/win32/api/strsafe/
- *      and
- *      https://learn.microsoft.com/en-us/previous-versions/windows/embedded/ms860435(v=msdn.10)
  */
 private class StringCchPrintf extends FormattingFunction {
   StringCchPrintf() {
     this instanceof TopLevelFunction and
-    exists(string baseName |
-      baseName in [
-          "StringCchPrintf", //StringCchPrintf(pszDest, cchDest, pszFormat, ...)
-          "StringCchPrintfEx", //StringCchPrintfEx(pszDest,cchDest, ppszDestEnd, pcchRemaining, dwFlags, pszFormat, ...)
-          "StringCchPrintf_l", //StringCchPrintf_l(pszDest, cbDest, pszFormat, locale, ...)
-          "StringCchPrintf_lEx", //StringCchPrintf_lEx(pszDest, cchDest, ppszDestEnd, pcchRemaining, dwFlags, pszFormat, locale, ...)
-          "StringCbPrintf", //StringCbPrintf(pszDest, cbDest, pszFormat, ...)
-          "StringCbPrintfEx", //StringCbPrintfEx(pszDest, cbDest, ppszDestEnd, pcbRemaining, dwFlags, pszFormat, ...)
-          "StringCbPrintf_l", //StringCbPrintf_l(pszDest, cbDest, pszFormat, locale, ...)
-          "StringCbPrintf_lEx" //StringCbPrintf_lEx(pszDest, cbDest, ppszDestEnd, pcbRemaining, dwFlags, pszFormat, locale, ...)
-        ]
-    |
-      this.hasGlobalName(baseName + ["", "A", "W"])
-    ) and
+    this.hasGlobalName([
+        "StringCchPrintf", "StringCchPrintfEx", "StringCchPrintf_l", "StringCchPrintf_lEx",
+        "StringCbPrintf", "StringCbPrintfEx", "StringCbPrintf_l", "StringCbPrintf_lEx"
+      ]) and
     not exists(this.getDefinition().getFile().getRelativePath())
   }
 
   override int getFormatParameterIndex() {
-    if this.getName().matches("%Ex" + ["", "A", "W"]) then result = 5 else result = 2
+    if this.getName().matches("%Ex") then result = 5 else result = 2
   }
 
   override int getOutputParameterIndex(boolean isStream) { result = 0 and isStream = false }

cpp/ql/lib/semmle/code/cpp/models/implementations/Pure.qll

@@ -13,7 +13,7 @@ private class PureStrFunction extends AliasFunction, ArrayFunction, TaintFunctio
   PureStrFunction() {
     this.hasGlobalOrStdOrBslName([
         atoi(), "strcasestr", "strchnul", "strchr", "strchrnul", "strstr", "strpbrk", "strrchr",
-        "strspn", strrev(), strcmp(), strlwr(), strupr()
+        "strspn", strtol(), strrev(), strcmp(), strlwr(), strupr()
       ])
   }
 
@@ -70,6 +70,8 @@ private class PureStrFunction extends AliasFunction, ArrayFunction, TaintFunctio
 
 private string atoi() { result = ["atof", "atoi", "atol", "atoll"] }
 
+private string strtol() { result = ["strtod", "strtof", "strtol", "strtoll", "strtoq", "strtoul"] }
+
 private string strlwr() {
   result = ["_strlwr", "_wcslwr", "_mbslwr", "_strlwr_l", "_wcslwr_l", "_mbslwr_l"]
 }

cpp/ql/lib/semmle/code/cpp/models/implementations/Send.qll

@@ -58,7 +58,7 @@ private class Send extends AliasFunction, ArrayFunction, SideEffectFunction, Rem
   override ParameterIndex getParameterSizeIndex(ParameterIndex i) { i = 1 and result = 2 }
 
   override predicate hasRemoteFlowSink(FunctionInput input, string description) {
-    input.isParameterDeref(1, 1) and description = "buffer sent by " + this.getName()
+    input.isParameterDeref(1) and description = "buffer sent by " + this.getName()
   }
 
   override predicate hasSocketInput(FunctionInput input) { input.isParameter(0) }

cpp/ql/lib/semmle/code/cpp/models/implementations/StdContainer.qll

@@ -123,7 +123,7 @@ private class StdSequenceContainerData extends TaintFunction {
 /**
  * The standard container functions `push_back` and `push_front`.
  */
-class StdSequenceContainerPush extends MemberFunction {
+private class StdSequenceContainerPush extends TaintFunction {
   StdSequenceContainerPush() {
     this.getClassAndName("push_back") instanceof Vector or
     this.getClassAndName(["push_back", "push_front"]) instanceof Deque or
@@ -131,17 +131,6 @@ class StdSequenceContainerPush extends MemberFunction {
     this.getClassAndName(["push_back", "push_front"]) instanceof List
   }
 
-  /**
-   * Gets the index of a parameter to this function that is a reference to the
-   * value type of the container.
-   */
-  int getAValueTypeParameterIndex() {
-    this.getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
-      this.getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector<T>`
-  }
-}
-
-private class StdSequenceContainerPushModel extends StdSequenceContainerPush, TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from parameter to qualifier
     input.isParameterDeref(0) and
@@ -171,7 +160,7 @@ private class StdSequenceContainerFrontBack extends TaintFunction {
 /**
  * The standard container functions `insert` and `insert_after`.
  */
-class StdSequenceContainerInsert extends MemberFunction {
+private class StdSequenceContainerInsert extends TaintFunction {
   StdSequenceContainerInsert() {
     this.getClassAndName("insert") instanceof Deque or
     this.getClassAndName("insert") instanceof List or
@@ -192,9 +181,7 @@ class StdSequenceContainerInsert extends MemberFunction {
    * Gets the index of a parameter to this function that is an iterator.
    */
   int getAnIteratorParameterIndex() { this.getParameter(result).getType() instanceof Iterator }
-}
 
-private class StdSequenceContainerInsertModel extends StdSequenceContainerInsert, TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from parameter to container itself (qualifier) and return value
     (
@@ -266,28 +253,11 @@ private class StdSequenceContainerAt extends TaintFunction {
 }
 
 /**
- * The standard `emplace` function.
+ * The standard vector `emplace` function.
  */
-class StdSequenceEmplace extends MemberFunction {
-  StdSequenceEmplace() {
-    this.getClassAndName("emplace") instanceof Vector
-    or
-    this.getClassAndName("emplace") instanceof List
-    or
-    this.getClassAndName("emplace") instanceof Deque
-  }
+class StdVectorEmplace extends TaintFunction {
+  StdVectorEmplace() { this.getClassAndName("emplace") instanceof Vector }
 
-  /**
-   * Gets the index of a parameter to this function that is a reference to the
-   * value type of the container.
-   */
-  int getAValueTypeParameterIndex() {
-    this.getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
-      this.getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector<T>`
-  }
-}
-
-private class StdSequenceEmplaceModel extends StdSequenceEmplace, TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from any parameter except the position iterator to qualifier and return value
     // (here we assume taint flow from any constructor parameter to the constructed object)
@@ -299,36 +269,12 @@ private class StdSequenceEmplaceModel extends StdSequenceEmplace, TaintFunction
   }
 }
 
-/**
- * The standard vector `emplace` function.
- */
-class StdVectorEmplace extends StdSequenceEmplace {
-  StdVectorEmplace() { this.getDeclaringType() instanceof Vector }
-}
-
 /**
  * The standard vector `emplace_back` function.
  */
-class StdSequenceEmplaceBack extends MemberFunction {
-  StdSequenceEmplaceBack() {
-    this.getClassAndName("emplace_back") instanceof Vector
-    or
-    this.getClassAndName("emplace_back") instanceof List
-    or
-    this.getClassAndName("emplace_back") instanceof Deque
-  }
+class StdVectorEmplaceBack extends TaintFunction {
+  StdVectorEmplaceBack() { this.getClassAndName("emplace_back") instanceof Vector }
 
-  /**
-   * Gets the index of a parameter to this function that is a reference to the
-   * value type of the container.
-   */
-  int getAValueTypeParameterIndex() {
-    this.getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
-      this.getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector<T>`
-  }
-}
-
-private class StdSequenceEmplaceBackModel extends StdSequenceEmplaceBack, TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from any parameter to qualifier
     // (here we assume taint flow from any constructor parameter to the constructed object)
@@ -336,10 +282,3 @@ private class StdSequenceEmplaceBackModel extends StdSequenceEmplaceBack, TaintF
     output.isQualifierObject()
   }
 }
-
-/**
- * The standard vector `emplace_back` function.
- */
-class StdVectorEmplaceBack extends StdSequenceEmplaceBack {
-  StdVectorEmplaceBack() { this.getDeclaringType() instanceof Vector }
-}

cpp/ql/lib/semmle/code/cpp/models/implementations/StdString.qll

@@ -99,11 +99,9 @@ private class StdStringConstructor extends Constructor, StdStringTaintFunction {
 /**
  * The `std::string` function `c_str`.
  */
-class StdStringCStr extends MemberFunction {
+private class StdStringCStr extends StdStringTaintFunction {
   StdStringCStr() { this.getClassAndName("c_str") instanceof StdBasicString }
-}
 
-private class StdStringCStrModel extends StdStringCStr, StdStringTaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from string itself (qualifier) to return value
     input.isQualifierObject() and
@@ -114,11 +112,9 @@ private class StdStringCStrModel extends StdStringCStr, StdStringTaintFunction {
 /**
  * The `std::string` function `data`.
  */
-class StdStringData extends MemberFunction {
+private class StdStringData extends StdStringTaintFunction {
   StdStringData() { this.getClassAndName("data") instanceof StdBasicString }
-}
 
-private class StdStringDataModel extends StdStringData, StdStringTaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from string itself (qualifier) to return value
     input.isQualifierObject() and

cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll

@@ -10,8 +10,6 @@ import semmle.code.cpp.models.interfaces.SideEffect
 
 /**
  * The standard function `strcat` and its wide, sized, and Microsoft variants.
- *
- * Does not include `strlcat`, which is covered by `StrlcatFunction`
  */
 class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, SideEffectFunction {
   StrcatFunction() {
@@ -92,64 +90,3 @@ class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, Sid
     buffer = true
   }
 }
-
-/**
- * The `strlcat` function.
- */
-class StrlcatFunction extends TaintFunction, ArrayFunction, SideEffectFunction {
-  StrlcatFunction() {
-    this.hasGlobalName("strlcat") // strlcat(dst, src, dst_size)
-  }
-
-  /**
-   * Gets the index of the parameter that is the size of the copy (in characters).
-   */
-  int getParamSize() { result = 2 }
-
-  /**
-   * Gets the index of the parameter that is the source of the copy.
-   */
-  int getParamSrc() { result = 1 }
-
-  /**
-   * Gets the index of the parameter that is the destination to be appended to.
-   */
-  int getParamDest() { result = 0 }
-
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    (
-      input.isParameter(2)
-      or
-      input.isParameterDeref(0)
-      or
-      input.isParameterDeref(1)
-    ) and
-    output.isParameterDeref(0)
-  }
-
-  override predicate hasArrayInput(int param) {
-    param = 0 or
-    param = 1
-  }
-
-  override predicate hasArrayOutput(int param) { param = 0 }
-
-  override predicate hasArrayWithNullTerminator(int param) { param = 1 }
-
-  override predicate hasArrayWithUnknownSize(int param) { param = 0 }
-
-  override predicate hasOnlySpecificReadSideEffects() { any() }
-
-  override predicate hasOnlySpecificWriteSideEffects() { any() }
-
-  override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
-    i = 0 and
-    buffer = true and
-    mustWrite = false
-  }
-
-  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
-    (i = 0 or i = 1) and
-    buffer = true
-  }
-}

cpp/ql/lib/semmle/code/cpp/models/implementations/Strcpy.qll

@@ -32,8 +32,7 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
         "wcsxfrm_l", // _strxfrm_l(dest, src, max_amount, locale)
         "_mbsnbcpy", // _mbsnbcpy(dest, src, max_amount)
         "stpcpy", // stpcpy(dest, src)
-        "stpncpy", // stpncpy(dest, src, max_amount)
-        "strlcpy" // strlcpy(dst, src, dst_size)
+        "stpncpy" // stpcpy(dest, src, max_amount)
       ])
     or
     (
@@ -54,11 +53,6 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
    */
   private predicate isSVariant() { this.getName().matches("%\\_s") }
 
-  /**
-   * Holds if the function returns the total length the string would have had if the size was unlimited.
-   */
-  private predicate returnsTotalLength() { this.getName() = "strlcpy" }
-
   /**
    * Gets the index of the parameter that is the maximum size of the copy (in characters).
    */
@@ -66,7 +60,7 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
     if this.isSVariant()
     then result = 1
     else (
-      this.getName().matches(["%ncpy%", "%nbcpy%", "%xfrm%", "strlcpy"]) and
+      this.getName().matches(["%ncpy%", "%nbcpy%", "%xfrm%"]) and
       result = 2
     )
   }
@@ -106,7 +100,6 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
     input.isParameterDeref(this.getParamSrc()) and
     output.isReturnValueDeref()
     or
-    not this.returnsTotalLength() and
     input.isParameter(this.getParamDest()) and
     output.isReturnValue()
   }
@@ -117,9 +110,8 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
     exists(this.getParamSize()) and
     input.isParameterDeref(this.getParamSrc()) and
     (
-      output.isParameterDeref(this.getParamDest())
-      or
-      not this.returnsTotalLength() and output.isReturnValueDeref()
+      output.isParameterDeref(this.getParamDest()) or
+      output.isReturnValueDeref()
     )
   }
 

cpp/ql/lib/semmle/code/cpp/models/implementations/Strtok.qll

@@ -32,8 +32,6 @@ private class Strtok extends ArrayFunction, AliasFunction, TaintFunction, SideEf
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isParameter(0) and output.isReturnValue()
-    or
-    input.isParameterDeref(0) and output.isReturnValueDeref()
   }
 
   override predicate hasOnlySpecificReadSideEffects() { none() }

cpp/ql/lib/semmle/code/cpp/models/implementations/Strtol.qll

@@ -1,54 +0,0 @@
-import semmle.code.cpp.models.interfaces.ArrayFunction
-import semmle.code.cpp.models.interfaces.Taint
-import semmle.code.cpp.models.interfaces.Alias
-import semmle.code.cpp.models.interfaces.SideEffect
-
-private string strtol() { result = ["strtod", "strtof", "strtol", "strtoll", "strtoq", "strtoul"] }
-
-/**
- * The standard function `strtol` and its assorted variants
- */
-private class Strtol extends AliasFunction, ArrayFunction, TaintFunction, SideEffectFunction {
-  Strtol() { this.hasGlobalOrStdOrBslName(strtol()) }
-
-  override predicate hasArrayInput(int bufParam) {
-    // All the functions given by `strtol()` takes a `const char*` input as the first parameter
-    bufParam = 0
-  }
-
-  override predicate hasArrayWithNullTerminator(int bufParam) { bufParam = 0 }
-
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    (
-      input.isParameter(0)
-      or
-      input.isParameterDeref(0)
-    ) and
-    output.isReturnValue()
-    or
-    input.isParameter(0) and
-    output.isParameterDeref(1)
-  }
-
-  override predicate parameterNeverEscapes(int i) {
-    // Parameter 0 does escape into parameter 1.
-    i = 1
-  }
-
-  override predicate parameterEscapesOnlyViaReturn(int i) { none() }
-
-  override predicate parameterIsAlwaysReturned(int i) { none() }
-
-  override predicate hasOnlySpecificReadSideEffects() { any() }
-
-  override predicate hasOnlySpecificWriteSideEffects() { any() }
-
-  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
-    i = 0 and
-    buffer = true
-  }
-
-  override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
-    i = 1 and buffer = false and mustWrite = false
-  }
-}

cpp/ql/lib/semmle/code/cpp/models/interfaces/FunctionInputsAndOutputs.qll

@@ -8,7 +8,7 @@ import semmle.code.cpp.Parameter
 
 private newtype TFunctionInput =
   TInParameter(ParameterIndex i) or
-  TInParameterDeref(ParameterIndex i, int indirectionIndex) { indirectionIndex = [1, 2] } or
+  TInParameterDeref(ParameterIndex i) or
   TInQualifierObject() or
   TInQualifierAddress() or
   TInReturnValueDeref()
@@ -245,18 +245,15 @@ class InParameter extends FunctionInput, TInParameter {
  */
 class InParameterDeref extends FunctionInput, TInParameterDeref {
   ParameterIndex index;
-  int indirectionIndex;
 
-  InParameterDeref() { this = TInParameterDeref(index, indirectionIndex) }
+  InParameterDeref() { this = TInParameterDeref(index) }
 
   override string toString() { result = "InParameterDeref " + index.toString() }
 
   /** Gets the zero-based index of the parameter. */
   ParameterIndex getIndex() { result = index }
 
-  override predicate isParameterDeref(ParameterIndex i, int indirection) {
-    i = index and indirectionIndex = indirection
-  }
+  override predicate isParameterDeref(ParameterIndex i) { i = index }
 }
 
 /**
@@ -324,10 +321,10 @@ class InReturnValueDeref extends FunctionInput, TInReturnValueDeref {
 }
 
 private newtype TFunctionOutput =
-  TOutParameterDeref(ParameterIndex i, int indirectionIndex) { indirectionIndex = [1, 2] } or
+  TOutParameterDeref(ParameterIndex i) or
   TOutQualifierObject() or
   TOutReturnValue() or
-  TOutReturnValueDeref(int indirections) { indirections = [1, 2] }
+  TOutReturnValueDeref()
 
 /**
  * An output from a function. This can be:
@@ -501,16 +498,17 @@ class FunctionOutput extends TFunctionOutput {
  */
 class OutParameterDeref extends FunctionOutput, TOutParameterDeref {
   ParameterIndex index;
-  int indirectionIndex;
 
-  OutParameterDeref() { this = TOutParameterDeref(index, indirectionIndex) }
+  OutParameterDeref() { this = TOutParameterDeref(index) }
 
   override string toString() { result = "OutParameterDeref " + index.toString() }
 
   ParameterIndex getIndex() { result = index }
 
+  override predicate isParameterDeref(ParameterIndex i) { i = index }
+
   override predicate isParameterDeref(ParameterIndex i, int ind) {
-    i = index and ind = indirectionIndex
+    this.isParameterDeref(i) and ind = 1
   }
 }
 
@@ -574,8 +572,4 @@ class OutReturnValueDeref extends FunctionOutput, TOutReturnValueDeref {
   override string toString() { result = "OutReturnValueDeref" }
 
   override predicate isReturnValueDeref() { any() }
-
-  override predicate isReturnValueDeref(int indirectionIndex) {
-    this = TOutReturnValueDeref(indirectionIndex)
-  }
 }

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/RangeAnalysis.qll

@@ -17,7 +17,9 @@ private import semmle.code.cpp.valuenumbering.GlobalValueNumbering
  * `upper` is true, and can be traced back to a guard represented by `reason`.
  */
 predicate bounded(Expr e, Bound b, float delta, boolean upper, Reason reason) {
-  exists(SemanticExprConfig::Expr semExpr | semExpr.getUnconvertedResultExpression() = e |
+  exists(SemanticExprConfig::Expr semExpr |
+    semExpr.getUnconverted().getUnconvertedResultExpression() = e
+  |
     semBounded(semExpr, b, delta, upper, reason)
   )
 }
@@ -28,7 +30,9 @@ predicate bounded(Expr e, Bound b, float delta, boolean upper, Reason reason) {
  * The `Expr` may be a conversion.
  */
 predicate convertedBounded(Expr e, Bound b, float delta, boolean upper, Reason reason) {
-  exists(SemanticExprConfig::Expr semExpr | semExpr.getConvertedResultExpression() = e |
+  exists(SemanticExprConfig::Expr semExpr |
+    semExpr.getConverted().getConvertedResultExpression() = e
+  |
     semBounded(semExpr, b, delta, upper, reason)
   )
 }

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/SimpleRangeAnalysis.qll

@@ -100,7 +100,7 @@ predicate exprMightOverflowNegatively(Expr expr) {
   lowerBound(expr) < exprMinVal(expr)
   or
   exists(SemanticExprConfig::Expr semExpr |
-    semExpr.getAst() = expr and
+    semExpr.getUnconverted().getAst() = expr and
     ConstantStage::potentiallyOverflowingExpr(false, semExpr) and
     not ConstantStage::initialBounded(semExpr, _, _, false, _, _, _)
   )
@@ -126,7 +126,7 @@ predicate exprMightOverflowPositively(Expr expr) {
   upperBound(expr) > exprMaxVal(expr)
   or
   exists(SemanticExprConfig::Expr semExpr |
-    semExpr.getAst() = expr and
+    semExpr.getUnconverted().getAst() = expr and
     ConstantStage::potentiallyOverflowingExpr(true, semExpr) and
     not ConstantStage::initialBounded(semExpr, _, _, true, _, _, _)
   )

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticCFG.qll

@@ -12,6 +12,9 @@ class SemBasicBlock extends Specific::BasicBlock {
   /** Holds if this block (transitively) dominates `otherblock`. */
   final predicate bbDominates(SemBasicBlock otherBlock) { Specific::bbDominates(this, otherBlock) }
 
+  /** Holds if this block has dominance information. */
+  final predicate hasDominanceInformation() { Specific::hasDominanceInformation(this) }
+
   /** Gets an expression that is evaluated in this basic block. */
   final SemExpr getAnExpr() { result.getBasicBlock() = this }
 

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExpr.qll

@@ -4,7 +4,6 @@
 
 private import Semantic
 private import SemanticExprSpecific::SemanticExprConfig as Specific
-private import SemanticType
 
 /**
  * An language-neutral expression.
@@ -242,21 +241,8 @@ class SemConvertExpr extends SemUnaryExpr {
   SemConvertExpr() { opcode instanceof Opcode::Convert }
 }
 
-private import semmle.code.cpp.ir.IR as IR
-
-/** A conversion instruction which is guaranteed to not overflow. */
-private class SafeConversion extends IR::ConvertInstruction {
-  SafeConversion() {
-    exists(SemType tFrom, SemType tTo |
-      tFrom = getSemanticType(super.getUnary().getResultIRType()) and
-      tTo = getSemanticType(super.getResultIRType()) and
-      conversionCannotOverflow(tFrom, tTo)
-    )
-  }
-}
-
 class SemCopyValueExpr extends SemUnaryExpr {
-  SemCopyValueExpr() { opcode instanceof Opcode::CopyValue or this instanceof SafeConversion }
+  SemCopyValueExpr() { opcode instanceof Opcode::CopyValue }
 }
 
 class SemNegateExpr extends SemUnaryExpr {

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExprSpecific.qll

@@ -12,10 +12,87 @@ private import semmle.code.cpp.ir.ValueNumbering
 module SemanticExprConfig {
   class Location = Cpp::Location;
 
+  /** A `ConvertInstruction` or a `CopyValueInstruction`. */
+  private class Conversion extends IR::UnaryInstruction {
+    Conversion() {
+      this instanceof IR::CopyValueInstruction
+      or
+      this instanceof IR::ConvertInstruction
+    }
+
+    /** Holds if this instruction converts a value of type `tFrom` to a value of type `tTo`. */
+    predicate converts(SemType tFrom, SemType tTo) {
+      tFrom = getSemanticType(this.getUnary().getResultIRType()) and
+      tTo = getSemanticType(this.getResultIRType())
+    }
+  }
+
+  /**
+   * Gets a conversion-like instruction that consumes `op`, and
+   * which is guaranteed to not overflow.
+   */
+  private IR::Instruction safeConversion(IR::Operand op) {
+    exists(Conversion conv, SemType tFrom, SemType tTo |
+      conv.converts(tFrom, tTo) and
+      conversionCannotOverflow(tFrom, tTo) and
+      conv.getUnaryOperand() = op and
+      result = conv
+    )
+  }
+
+  /** Holds if `i1 = i2` or if `i2` is a safe conversion that consumes `i1`. */
+  private predicate idOrSafeConversion(IR::Instruction i1, IR::Instruction i2) {
+    not i1.getResultIRType() instanceof IR::IRVoidType and
+    (
+      i1 = i2
+      or
+      i2 = safeConversion(i1.getAUse()) and
+      i1.getBlock() = i2.getBlock()
+    )
+  }
+
+  module Equiv = QlBuiltins::EquivalenceRelation<IR::Instruction, idOrSafeConversion/2>;
+
   /**
    * The expressions on which we perform range analysis.
    */
-  class Expr = IR::Instruction;
+  class Expr extends Equiv::EquivalenceClass {
+    /** Gets the n'th instruction in this equivalence class. */
+    private IR::Instruction getInstruction(int n) {
+      result =
+        rank[n + 1](IR::Instruction instr, int i, IR::IRBlock block |
+          this = Equiv::getEquivalenceClass(instr) and block.getInstruction(i) = instr
+        |
+          instr order by i
+        )
+    }
+
+    /** Gets a textual representation of this element. */
+    string toString() { result = this.getUnconverted().toString() }
+
+    /** Gets the basic block of this expression. */
+    IR::IRBlock getBlock() { result = this.getUnconverted().getBlock() }
+
+    /** Gets the unconverted instruction associated with this expression. */
+    IR::Instruction getUnconverted() { result = this.getInstruction(0) }
+
+    /**
+     * Gets the final instruction associated with this expression. This
+     * represents the result after applying all the safe conversions.
+     */
+    IR::Instruction getConverted() {
+      exists(int n |
+        result = this.getInstruction(n) and
+        not exists(this.getInstruction(n + 1))
+      )
+    }
+
+    /** Gets the type of the result produced by this instruction. */
+    IR::IRType getResultIRType() { result = this.getConverted().getResultIRType() }
+
+    /** Gets the location of the source code for this expression. */
+    Location getLocation() { result = this.getUnconverted().getLocation() }
+  }
 
   SemBasicBlock getExprBasicBlock(Expr e) { result = getSemanticBasicBlock(e.getBlock()) }
 
@@ -62,12 +139,12 @@ module SemanticExprConfig {
 
   predicate stringLiteral(Expr expr, SemType type, string value) {
     anyConstantExpr(expr, type, value) and
-    expr instanceof IR::StringConstantInstruction
+    expr.getUnconverted() instanceof IR::StringConstantInstruction
   }
 
   predicate binaryExpr(Expr expr, Opcode opcode, SemType type, Expr leftOperand, Expr rightOperand) {
     exists(IR::BinaryInstruction instr |
-      instr = expr and
+      instr = expr.getUnconverted() and
       type = getSemanticType(instr.getResultIRType()) and
       leftOperand = getSemanticExpr(instr.getLeft()) and
       rightOperand = getSemanticExpr(instr.getRight()) and
@@ -77,14 +154,14 @@ module SemanticExprConfig {
   }
 
   predicate unaryExpr(Expr expr, Opcode opcode, SemType type, Expr operand) {
-    exists(IR::UnaryInstruction instr | instr = expr |
+    exists(IR::UnaryInstruction instr | instr = expr.getUnconverted() |
       type = getSemanticType(instr.getResultIRType()) and
       operand = getSemanticExpr(instr.getUnary()) and
       // REVIEW: Merge the two operand types.
       opcode.toString() = instr.getOpcode().toString()
     )
     or
-    exists(IR::StoreInstruction instr | instr = expr |
+    exists(IR::StoreInstruction instr | instr = expr.getUnconverted() |
       type = getSemanticType(instr.getResultIRType()) and
       operand = getSemanticExpr(instr.getSourceValue()) and
       opcode instanceof Opcode::Store
@@ -93,13 +170,13 @@ module SemanticExprConfig {
 
   predicate nullaryExpr(Expr expr, Opcode opcode, SemType type) {
     exists(IR::LoadInstruction load |
-      load = expr and
+      load = expr.getUnconverted() and
       type = getSemanticType(load.getResultIRType()) and
       opcode instanceof Opcode::Load
     )
     or
     exists(IR::InitializeParameterInstruction init |
-      init = expr and
+      init = expr.getUnconverted() and
       type = getSemanticType(init.getResultIRType()) and
       opcode instanceof Opcode::InitializeParameter
     )
@@ -122,6 +199,8 @@ module SemanticExprConfig {
     dominator.dominates(dominated)
   }
 
+  predicate hasDominanceInformation(BasicBlock block) { any() }
+
   private predicate id(Cpp::Locatable x, Cpp::Locatable y) { x = y }
 
   private predicate idOf(Cpp::Locatable x, int y) = equivalenceRelation(id/2)(x, y)
@@ -130,7 +209,17 @@ module SemanticExprConfig {
 
   newtype TSsaVariable =
     TSsaInstruction(IR::Instruction instr) { instr.hasMemoryResult() } or
-    TSsaOperand(IR::PhiInputOperand op) { op.isDefinitionInexact() }
+    TSsaOperand(IR::Operand op) { op.isDefinitionInexact() } or
+    TSsaPointerArithmeticGuard(ValueNumber instr) {
+      exists(Guard g, IR::Operand use |
+        use = instr.getAUse() and use.getIRType() instanceof IR::IRAddressType
+      |
+        g.comparesLt(use, _, _, _, _) or
+        g.comparesLt(_, use, _, _, _) or
+        g.comparesEq(use, _, _, _, _) or
+        g.comparesEq(_, use, _, _, _)
+      )
+    }
 
   class SsaVariable extends TSsaVariable {
     string toString() { none() }
@@ -139,7 +228,9 @@ module SemanticExprConfig {
 
     IR::Instruction asInstruction() { none() }
 
-    IR::PhiInputOperand asOperand() { none() }
+    ValueNumber asPointerArithGuard() { none() }
+
+    IR::Operand asOperand() { none() }
   }
 
   class SsaInstructionVariable extends SsaVariable, TSsaInstruction {
@@ -154,8 +245,20 @@ module SemanticExprConfig {
     final override IR::Instruction asInstruction() { result = instr }
   }
 
+  class SsaPointerArithmeticGuard extends SsaVariable, TSsaPointerArithmeticGuard {
+    ValueNumber vn;
+
+    SsaPointerArithmeticGuard() { this = TSsaPointerArithmeticGuard(vn) }
+
+    final override string toString() { result = vn.toString() }
+
+    final override Location getLocation() { result = vn.getLocation() }
+
+    final override ValueNumber asPointerArithGuard() { result = vn }
+  }
+
   class SsaOperand extends SsaVariable, TSsaOperand {
-    IR::PhiInputOperand op;
+    IR::Operand op;
 
     SsaOperand() { this = TSsaOperand(op) }
 
@@ -163,7 +266,7 @@ module SemanticExprConfig {
 
     final override Location getLocation() { result = op.getLocation() }
 
-    final override IR::PhiInputOperand asOperand() { result = op }
+    final override IR::Operand asOperand() { result = op }
   }
 
   predicate explicitUpdate(SsaVariable v, Expr sourceExpr) {
@@ -186,29 +289,97 @@ module SemanticExprConfig {
     )
   }
 
-  Expr getAUse(SsaVariable v) { result.(IR::LoadInstruction).getSourceValue() = v.asInstruction() }
+  Expr getAUse(SsaVariable v) {
+    result.getUnconverted().(IR::LoadInstruction).getSourceValue() = v.asInstruction()
+    or
+    result.getUnconverted() = v.asPointerArithGuard().getAnInstruction()
+  }
 
   SemType getSsaVariableType(SsaVariable v) {
     result = getSemanticType(v.asInstruction().getResultIRType())
-    or
-    result = getSemanticType(v.asOperand().getUse().getResultIRType())
   }
 
   BasicBlock getSsaVariableBasicBlock(SsaVariable v) {
     result = v.asInstruction().getBlock()
     or
-    result = v.asOperand().getAnyDef().getBlock()
+    result = v.asOperand().getUse().getBlock()
   }
 
-  /** Holds if `inp` is an input to the phi node along the edge originating in `bb`. */
-  predicate phiInputFromBlock(SsaVariable phi, SsaVariable inp, BasicBlock bb) {
+  private newtype TReadPosition =
+    TReadPositionBlock(IR::IRBlock block) or
+    TReadPositionPhiInputEdge(IR::IRBlock pred, IR::IRBlock succ) {
+      exists(IR::PhiInputOperand input |
+        pred = input.getPredecessorBlock() and
+        succ = input.getUse().getBlock()
+      )
+    }
+
+  class SsaReadPosition extends TReadPosition {
+    string toString() { none() }
+
+    Location getLocation() { none() }
+
+    predicate hasRead(SsaVariable v) { none() }
+  }
+
+  private class SsaReadPositionBlock extends SsaReadPosition, TReadPositionBlock {
+    IR::IRBlock block;
+
+    SsaReadPositionBlock() { this = TReadPositionBlock(block) }
+
+    final override string toString() { result = block.toString() }
+
+    final override Location getLocation() { result = block.getLocation() }
+
+    final override predicate hasRead(SsaVariable v) {
+      exists(IR::Operand operand |
+        operand.getDef() = v.asInstruction() or
+        operand.getDef() = v.asPointerArithGuard().getAnInstruction()
+      |
+        not operand instanceof IR::PhiInputOperand and
+        operand.getUse().getBlock() = block
+      )
+    }
+  }
+
+  private class SsaReadPositionPhiInputEdge extends SsaReadPosition, TReadPositionPhiInputEdge {
+    IR::IRBlock pred;
+    IR::IRBlock succ;
+
+    SsaReadPositionPhiInputEdge() { this = TReadPositionPhiInputEdge(pred, succ) }
+
+    final override string toString() { result = pred.toString() + "->" + succ.toString() }
+
+    final override Location getLocation() { result = succ.getLocation() }
+
+    final override predicate hasRead(SsaVariable v) {
+      exists(IR::PhiInputOperand operand |
+        operand.getDef() = v.asInstruction() or
+        operand.getDef() = v.asPointerArithGuard().getAnInstruction()
+      |
+        operand.getPredecessorBlock() = pred and
+        operand.getUse().getBlock() = succ
+      )
+    }
+  }
+
+  predicate hasReadOfSsaVariable(SsaReadPosition pos, SsaVariable v) { pos.hasRead(v) }
+
+  predicate readBlock(SsaReadPosition pos, BasicBlock block) { pos = TReadPositionBlock(block) }
+
+  predicate phiInputEdge(SsaReadPosition pos, BasicBlock origBlock, BasicBlock phiBlock) {
+    pos = TReadPositionPhiInputEdge(origBlock, phiBlock)
+  }
+
+  predicate phiInput(SsaReadPosition pos, SsaVariable phi, SsaVariable input) {
     exists(IR::PhiInputOperand operand |
-      bb = operand.getPredecessorBlock() and
+      pos = TReadPositionPhiInputEdge(operand.getPredecessorBlock(), operand.getUse().getBlock())
+    |
       phi.asInstruction() = operand.getUse() and
       (
-        inp.asInstruction() = operand.getDef()
+        input.asInstruction() = operand.getDef()
         or
-        inp.asOperand() = operand
+        input.asOperand() = operand
       )
     )
   }
@@ -262,7 +433,7 @@ module SemanticExprConfig {
   }
 
   /** Gets the expression associated with `instr`. */
-  SemExpr getSemanticExpr(IR::Instruction instr) { result = instr }
+  SemExpr getSemanticExpr(IR::Instruction instr) { result = Equiv::getEquivalenceClass(instr) }
 }
 
 predicate getSemanticExpr = SemanticExprConfig::getSemanticExpr/1;

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticGuard.qll

@@ -35,4 +35,32 @@ predicate semImplies_v2(SemGuard g1, boolean b1, SemGuard g2, boolean b2) {
   Specific::implies_v2(g1, b1, g2, b2)
 }
 
+/**
+ * Holds if `guard` directly controls the position `controlled` with the
+ * value `testIsTrue`.
+ */
+pragma[nomagic]
+predicate semGuardDirectlyControlsSsaRead(
+  SemGuard guard, SemSsaReadPosition controlled, boolean testIsTrue
+) {
+  guard.directlyControls(controlled.(SemSsaReadPositionBlock).getBlock(), testIsTrue)
+  or
+  exists(SemSsaReadPositionPhiInputEdge controlledEdge | controlledEdge = controlled |
+    guard.directlyControls(controlledEdge.getOrigBlock(), testIsTrue) or
+    guard.hasBranchEdge(controlledEdge.getOrigBlock(), controlledEdge.getPhiBlock(), testIsTrue)
+  )
+}
+
+/**
+ * Holds if `guard` controls the position `controlled` with the value `testIsTrue`.
+ */
+predicate semGuardControlsSsaRead(SemGuard guard, SemSsaReadPosition controlled, boolean testIsTrue) {
+  semGuardDirectlyControlsSsaRead(guard, controlled, testIsTrue)
+  or
+  exists(SemGuard guard0, boolean testIsTrue0 |
+    semImplies_v2(guard0, testIsTrue0, guard, testIsTrue) and
+    semGuardControlsSsaRead(guard0, controlled, testIsTrue0)
+  )
+}
+
 SemGuard semGetComparisonGuard(SemRelationalExpr e) { result = Specific::comparisonGuard(e) }

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticLocation.qll

@@ -8,18 +8,6 @@ class SemLocation instanceof Location {
    */
   string toString() { result = super.toString() }
 
-  /** Gets the 1-based line number (inclusive) where this location starts. */
-  int getStartLine() { result = super.getStartLine() }
-
-  /** Gets the 1-based column number (inclusive) where this location starts. */
-  int getStartColumn() { result = super.getStartColumn() }
-
-  /** Gets the 1-based line number (inclusive) where this location ends. */
-  int getEndLine() { result = super.getEndLine() }
-
-  /** Gets the 1-based column number (inclusive) where this location ends. */
-  int getEndColumn() { result = super.getEndColumn() }
-
   /**
    * Holds if this element is at the specified location.
    * The location spans column `startcolumn` of line `startline` to

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticSSA.qll

@@ -22,15 +22,75 @@ class SemSsaExplicitUpdate extends SemSsaVariable {
 
   SemSsaExplicitUpdate() { Specific::explicitUpdate(this, sourceExpr) }
 
-  final SemExpr getDefiningExpr() { result = sourceExpr }
+  final SemExpr getSourceExpr() { result = sourceExpr }
 }
 
 class SemSsaPhiNode extends SemSsaVariable {
   SemSsaPhiNode() { Specific::phi(this) }
 
   final SemSsaVariable getAPhiInput() { result = Specific::getAPhiInput(this) }
-
-  final predicate hasInputFromBlock(SemSsaVariable inp, SemBasicBlock bb) {
-    Specific::phiInputFromBlock(this, inp, bb)
-  }
+}
+
+class SemSsaReadPosition instanceof Specific::SsaReadPosition {
+  final string toString() { result = super.toString() }
+
+  final Specific::Location getLocation() { result = super.getLocation() }
+
+  final predicate hasReadOfVar(SemSsaVariable var) { Specific::hasReadOfSsaVariable(this, var) }
+}
+
+class SemSsaReadPositionPhiInputEdge extends SemSsaReadPosition {
+  SemBasicBlock origBlock;
+  SemBasicBlock phiBlock;
+
+  SemSsaReadPositionPhiInputEdge() { Specific::phiInputEdge(this, origBlock, phiBlock) }
+
+  predicate phiInput(SemSsaPhiNode phi, SemSsaVariable inp) { Specific::phiInput(this, phi, inp) }
+
+  SemBasicBlock getOrigBlock() { result = origBlock }
+
+  SemBasicBlock getPhiBlock() { result = phiBlock }
+}
+
+class SemSsaReadPositionBlock extends SemSsaReadPosition {
+  SemBasicBlock block;
+
+  SemSsaReadPositionBlock() { Specific::readBlock(this, block) }
+
+  SemBasicBlock getBlock() { result = block }
+
+  SemExpr getAnExpr() { result = this.getBlock().getAnExpr() }
+}
+
+/**
+ * Holds if `inp` is an input to `phi` along a back edge.
+ */
+predicate semBackEdge(SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge) {
+  edge.phiInput(phi, inp) and
+  // Conservatively assume that every edge is a back edge if we don't have dominance information.
+  (
+    phi.getBasicBlock().bbDominates(edge.getOrigBlock()) or
+    irreducibleSccEdge(edge.getOrigBlock(), phi.getBasicBlock()) or
+    not edge.getOrigBlock().hasDominanceInformation()
+  )
+}
+
+/**
+ * Holds if the edge from b1 to b2 is part of a multiple-entry cycle in an irreducible control flow
+ * graph.
+ *
+ * An ireducible control flow graph is one where the usual dominance-based back edge detection does
+ * not work, because there is a cycle with multiple entry points, meaning there are
+ * mutually-reachable basic blocks where neither dominates the other. For such a graph, we first
+ * remove all detectable back-edges using the normal condition that the predecessor block is
+ * dominated by the successor block, then mark all edges in a cycle in the resulting graph as back
+ * edges.
+ */
+private predicate irreducibleSccEdge(SemBasicBlock b1, SemBasicBlock b2) {
+  trimmedEdge(b1, b2) and trimmedEdge+(b2, b1)
+}
+
+private predicate trimmedEdge(SemBasicBlock pred, SemBasicBlock succ) {
+  pred.getASuccessor() = succ and
+  not succ.bbDominates(pred)
 }

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/ConstantAnalysis.qll

@@ -14,7 +14,7 @@ private predicate constantIntegerExpr(SemExpr e, int val) {
   // Copy of another constant
   exists(SemSsaExplicitUpdate v, SemExpr src |
     e = v.getAUse() and
-    src = v.getDefiningExpr() and
+    src = v.getSourceExpr() and
     constantIntegerExpr(src, val)
   )
   or

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/FloatDelta.qll

@@ -1,7 +1,5 @@
+private import RangeAnalysisStage
 private import RangeAnalysisImpl
-private import codeql.rangeanalysis.RangeAnalysis
-private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticExpr
-private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticType
 
 module FloatDelta implements DeltaSig {
   class Delta = float;
@@ -22,7 +20,7 @@ module FloatDelta implements DeltaSig {
   Delta fromFloat(float f) { result = f }
 }
 
-module FloatOverflow implements OverflowSig<Sem, FloatDelta> {
+module FloatOverflow implements OverflowSig<FloatDelta> {
   predicate semExprDoesNotOverflow(boolean positively, SemExpr expr) {
     exists(float lb, float ub, float delta |
       typeBounds(expr.getSemType(), lb, ub) and

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/IntDelta.qll

@@ -0,0 +1,29 @@
+private import RangeAnalysisStage
+
+module IntDelta implements DeltaSig {
+  class Delta = int;
+
+  bindingset[d]
+  bindingset[result]
+  float toFloat(Delta d) { result = d }
+
+  bindingset[d]
+  bindingset[result]
+  int toInt(Delta d) { result = d }
+
+  bindingset[n]
+  bindingset[result]
+  Delta fromInt(int n) { result = n }
+
+  bindingset[f]
+  Delta fromFloat(float f) {
+    result =
+      min(float diff, float res |
+        diff = (res - f) and res = f.ceil()
+        or
+        diff = (f - res) and res = f.floor()
+      |
+        res order by diff
+      )
+  }
+}

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/ModulusAnalysis.qll

@@ -0,0 +1,326 @@
+/**
+ * Provides inferences of the form: `e` equals `b + v` modulo `m` where `e` is
+ * an expression, `b` is a `Bound` (typically zero or the value of an SSA
+ * variable), and `v` is an integer in the range `[0 .. m-1]`.
+ */
+
+/*
+ * The main recursion has base cases in both `ssaModulus` (for guarded reads) and `semExprModulus`
+ * (for constant values). The most interesting recursive case is `phiModulusRankStep`, which
+ * handles phi inputs.
+ */
+
+private import ModulusAnalysisSpecific::Private
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
+private import ConstantAnalysis
+private import RangeUtils
+private import RangeAnalysisStage
+
+module ModulusAnalysis<DeltaSig D, BoundSig<D> Bounds, UtilSig<D> U> {
+  pragma[nomagic]
+  private predicate valueFlowStepSsaEqFlowCond(
+    SemSsaReadPosition pos, SemSsaVariable v, SemExpr e, int delta
+  ) {
+    exists(SemGuard guard, boolean testIsTrue |
+      guard = U::semEqFlowCond(v, e, D::fromInt(delta), true, testIsTrue) and
+      semGuardDirectlyControlsSsaRead(guard, pos, testIsTrue)
+    )
+  }
+
+  /**
+   * Holds if `e + delta` equals `v` at `pos`.
+   */
+  pragma[nomagic]
+  private predicate valueFlowStepSsa(SemSsaVariable v, SemSsaReadPosition pos, SemExpr e, int delta) {
+    U::semSsaUpdateStep(v, e, D::fromInt(delta)) and pos.hasReadOfVar(v)
+    or
+    pos.hasReadOfVar(v) and
+    valueFlowStepSsaEqFlowCond(pos, v, e, delta)
+  }
+
+  /**
+   * Holds if `add` is the addition of `larg` and `rarg`, neither of which are
+   * `ConstantIntegerExpr`s.
+   */
+  private predicate nonConstAddition(SemExpr add, SemExpr larg, SemExpr rarg) {
+    exists(SemAddExpr a | a = add |
+      larg = a.getLeftOperand() and
+      rarg = a.getRightOperand()
+    ) and
+    not larg instanceof SemConstantIntegerExpr and
+    not rarg instanceof SemConstantIntegerExpr
+  }
+
+  /**
+   * Holds if `sub` is the subtraction of `larg` and `rarg`, where `rarg` is not
+   * a `ConstantIntegerExpr`.
+   */
+  private predicate nonConstSubtraction(SemExpr sub, SemExpr larg, SemExpr rarg) {
+    exists(SemSubExpr s | s = sub |
+      larg = s.getLeftOperand() and
+      rarg = s.getRightOperand()
+    ) and
+    not rarg instanceof SemConstantIntegerExpr
+  }
+
+  /** Gets an expression that is the remainder modulo `mod` of `arg`. */
+  private SemExpr modExpr(SemExpr arg, int mod) {
+    exists(SemRemExpr rem |
+      result = rem and
+      arg = rem.getLeftOperand() and
+      rem.getRightOperand().(SemConstantIntegerExpr).getIntValue() = mod and
+      mod >= 2
+    )
+    or
+    exists(SemConstantIntegerExpr c |
+      mod = 2.pow([1 .. 30]) and
+      c.getIntValue() = mod - 1 and
+      result.(SemBitAndExpr).hasOperands(arg, c)
+    )
+  }
+
+  /**
+   * Gets a guard that tests whether `v` is congruent with `val` modulo `mod` on
+   * its `testIsTrue` branch.
+   */
+  private SemGuard moduloCheck(SemSsaVariable v, int val, int mod, boolean testIsTrue) {
+    exists(SemExpr rem, SemConstantIntegerExpr c, int r, boolean polarity |
+      result.isEquality(rem, c, polarity) and
+      c.getIntValue() = r and
+      rem = modExpr(v.getAUse(), mod) and
+      (
+        testIsTrue = polarity and val = r
+        or
+        testIsTrue = polarity.booleanNot() and
+        mod = 2 and
+        val = 1 - r and
+        (r = 0 or r = 1)
+      )
+    )
+  }
+
+  /**
+   * Holds if a guard ensures that `v` at `pos` is congruent with `val` modulo `mod`.
+   */
+  private predicate moduloGuardedRead(SemSsaVariable v, SemSsaReadPosition pos, int val, int mod) {
+    exists(SemGuard guard, boolean testIsTrue |
+      pos.hasReadOfVar(v) and
+      guard = moduloCheck(v, val, mod, testIsTrue) and
+      semGuardControlsSsaRead(guard, pos, testIsTrue)
+    )
+  }
+
+  /** Holds if `factor` is a power of 2 that divides `mask`. */
+  bindingset[mask]
+  private predicate andmaskFactor(int mask, int factor) {
+    mask % factor = 0 and
+    factor = 2.pow([1 .. 30])
+  }
+
+  /** Holds if `e` is evenly divisible by `factor`. */
+  private predicate evenlyDivisibleExpr(SemExpr e, int factor) {
+    exists(SemConstantIntegerExpr c, int k | k = c.getIntValue() |
+      e.(SemMulExpr).getAnOperand() = c and factor = k.abs() and factor >= 2
+      or
+      e.(SemShiftLeftExpr).getRightOperand() = c and factor = 2.pow(k) and k > 0
+      or
+      e.(SemBitAndExpr).getAnOperand() = c and factor = max(int f | andmaskFactor(k, f))
+    )
+  }
+
+  /**
+   * Gets the remainder of `val` modulo `mod`.
+   *
+   * For `mod = 0` the result equals `val` and for `mod > 1` the result is within
+   * the range `[0 .. mod-1]`.
+   */
+  bindingset[val, mod]
+  private int remainder(int val, int mod) {
+    mod = 0 and result = val
+    or
+    mod > 1 and result = ((val % mod) + mod) % mod
+  }
+
+  /**
+   * Holds if `inp` is an input to `phi` and equals `phi` modulo `mod` along `edge`.
+   */
+  private predicate phiSelfModulus(
+    SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, int mod
+  ) {
+    exists(Bounds::SemSsaBound phibound, int v, int m |
+      edge.phiInput(phi, inp) and
+      phibound.getAVariable() = phi and
+      ssaModulus(inp, edge, phibound, v, m) and
+      mod = m.gcd(v) and
+      mod != 1
+    )
+  }
+
+  /**
+   * Holds if `b + val` modulo `mod` is a candidate congruence class for `phi`.
+   */
+  private predicate phiModulusInit(SemSsaPhiNode phi, Bounds::SemBound b, int val, int mod) {
+    exists(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge |
+      edge.phiInput(phi, inp) and
+      ssaModulus(inp, edge, b, val, mod)
+    )
+  }
+
+  /**
+   * Holds if all inputs to `phi` numbered `1` to `rix` are equal to `b + val` modulo `mod`.
+   */
+  pragma[nomagic]
+  private predicate phiModulusRankStep(
+    SemSsaPhiNode phi, Bounds::SemBound b, int val, int mod, int rix
+  ) {
+    /*
+     * base case. If any phi input is equal to `b + val` modulo `mod`, that's a potential congruence
+     * class for the phi node.
+     */
+
+    rix = 0 and
+    phiModulusInit(phi, b, val, mod)
+    or
+    exists(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, int v1, int m1 |
+      mod != 1 and
+      val = remainder(v1, mod)
+    |
+      /*
+       * Recursive case. If `inp` = `b + v2` mod `m2`, we combine that with the preceding potential
+       * congruence class `b + v1` mod `m1`. The result will be the congruence class of `v1` modulo
+       * the greatest common denominator of `m1`, `m2`, and `v1 - v2`.
+       */
+
+      exists(int v2, int m2 |
+        rankedPhiInput(pragma[only_bind_out](phi), inp, edge, rix) and
+        phiModulusRankStep(phi, b, v1, m1, rix - 1) and
+        ssaModulus(inp, edge, b, v2, m2) and
+        mod = m1.gcd(m2).gcd(v1 - v2)
+      )
+      or
+      /*
+       * Recursive case. If `inp` = `phi` mod `m2`, we combine that with the preceding potential
+       * congruence class `b + v1` mod `m1`. The result will be a congruence class modulo the greatest
+       * common denominator of `m1` and `m2`.
+       */
+
+      exists(int m2 |
+        rankedPhiInput(phi, inp, edge, rix) and
+        phiModulusRankStep(phi, b, v1, m1, rix - 1) and
+        phiSelfModulus(phi, inp, edge, m2) and
+        mod = m1.gcd(m2)
+      )
+    )
+  }
+
+  /**
+   * Holds if `phi` is equal to `b + val` modulo `mod`.
+   */
+  private predicate phiModulus(SemSsaPhiNode phi, Bounds::SemBound b, int val, int mod) {
+    exists(int r |
+      maxPhiInputRank(phi, r) and
+      phiModulusRankStep(phi, b, val, mod, r)
+    )
+  }
+
+  /**
+   * Holds if `v` at `pos` is equal to `b + val` modulo `mod`.
+   */
+  private predicate ssaModulus(
+    SemSsaVariable v, SemSsaReadPosition pos, Bounds::SemBound b, int val, int mod
+  ) {
+    phiModulus(v, b, val, mod) and pos.hasReadOfVar(v)
+    or
+    b.(Bounds::SemSsaBound).getAVariable() = v and pos.hasReadOfVar(v) and val = 0 and mod = 0
+    or
+    exists(SemExpr e, int val0, int delta |
+      semExprModulus(e, b, val0, mod) and
+      valueFlowStepSsa(v, pos, e, delta) and
+      val = remainder(val0 + delta, mod)
+    )
+    or
+    moduloGuardedRead(v, pos, val, mod) and b instanceof Bounds::SemZeroBound
+  }
+
+  /**
+   * Holds if `e` is equal to `b + val` modulo `mod`.
+   *
+   * There are two cases for the modulus:
+   * - `mod = 0`: The equality `e = b + val` is an ordinary equality.
+   * - `mod > 1`: `val` lies within the range `[0 .. mod-1]`.
+   */
+  cached
+  predicate semExprModulus(SemExpr e, Bounds::SemBound b, int val, int mod) {
+    not ignoreExprModulus(e) and
+    (
+      e = b.getExpr(D::fromInt(val)) and mod = 0
+      or
+      evenlyDivisibleExpr(e, mod) and
+      val = 0 and
+      b instanceof Bounds::SemZeroBound
+      or
+      exists(SemSsaVariable v, SemSsaReadPositionBlock bb |
+        ssaModulus(v, bb, b, val, mod) and
+        e = v.getAUse() and
+        bb.getAnExpr() = e
+      )
+      or
+      exists(SemExpr mid, int val0, int delta |
+        semExprModulus(mid, b, val0, mod) and
+        U::semValueFlowStep(e, mid, D::fromInt(delta)) and
+        val = remainder(val0 + delta, mod)
+      )
+      or
+      exists(SemConditionalExpr cond, int v1, int v2, int m1, int m2 |
+        cond = e and
+        condExprBranchModulus(cond, true, b, v1, m1) and
+        condExprBranchModulus(cond, false, b, v2, m2) and
+        mod = m1.gcd(m2).gcd(v1 - v2) and
+        mod != 1 and
+        val = remainder(v1, mod)
+      )
+      or
+      exists(Bounds::SemBound b1, Bounds::SemBound b2, int v1, int v2, int m1, int m2 |
+        addModulus(e, true, b1, v1, m1) and
+        addModulus(e, false, b2, v2, m2) and
+        mod = m1.gcd(m2) and
+        mod != 1 and
+        val = remainder(v1 + v2, mod)
+      |
+        b = b1 and b2 instanceof Bounds::SemZeroBound
+        or
+        b = b2 and b1 instanceof Bounds::SemZeroBound
+      )
+      or
+      exists(int v1, int v2, int m1, int m2 |
+        subModulus(e, true, b, v1, m1) and
+        subModulus(e, false, any(Bounds::SemZeroBound zb), v2, m2) and
+        mod = m1.gcd(m2) and
+        mod != 1 and
+        val = remainder(v1 - v2, mod)
+      )
+    )
+  }
+
+  private predicate condExprBranchModulus(
+    SemConditionalExpr cond, boolean branch, Bounds::SemBound b, int val, int mod
+  ) {
+    semExprModulus(cond.getBranchExpr(branch), b, val, mod)
+  }
+
+  private predicate addModulus(SemExpr add, boolean isLeft, Bounds::SemBound b, int val, int mod) {
+    exists(SemExpr larg, SemExpr rarg | nonConstAddition(add, larg, rarg) |
+      semExprModulus(larg, b, val, mod) and isLeft = true
+      or
+      semExprModulus(rarg, b, val, mod) and isLeft = false
+    )
+  }
+
+  private predicate subModulus(SemExpr sub, boolean isLeft, Bounds::SemBound b, int val, int mod) {
+    exists(SemExpr larg, SemExpr rarg | nonConstSubtraction(sub, larg, rarg) |
+      semExprModulus(larg, b, val, mod) and isLeft = true
+      or
+      semExprModulus(rarg, b, val, mod) and isLeft = false
+    )
+  }
+}

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/ModulusAnalysisSpecific.qll

@@ -0,0 +1,8 @@
+/**
+ * C++-specific implementation of modulus analysis.
+ */
+module Private {
+  private import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
+
+  predicate ignoreExprModulus(SemExpr e) { none() }
+}

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisConstantSpecific.qll

@@ -3,11 +3,18 @@
  */
 
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
+private import RangeAnalysisStage
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.FloatDelta
-private import RangeAnalysisImpl
-private import codeql.rangeanalysis.RangeAnalysis
 
-module CppLangImplConstant implements LangSig<Sem, FloatDelta> {
+module CppLangImplConstant implements LangSig<FloatDelta> {
+  /**
+   * Holds if the specified expression should be excluded from the result of `ssaRead()`.
+   *
+   * This predicate is to keep the results identical to the original Java implementation. It should be
+   * removed once we have the new implementation matching the old results exactly.
+   */
+  predicate ignoreSsaReadCopy(SemExpr e) { none() }
+
   /**
    * Ignore the bound on this expression.
    *
@@ -16,13 +23,70 @@ module CppLangImplConstant implements LangSig<Sem, FloatDelta> {
    */
   predicate ignoreExprBound(SemExpr e) { none() }
 
+  /**
+   * Ignore any inferred zero lower bound on this expression.
+   *
+   * This predicate is to keep the results identical to the original Java implementation. It should be
+   * removed once we have the new implementation matching the old results exactly.
+   */
+  predicate ignoreZeroLowerBound(SemExpr e) { none() }
+
+  /**
+   * Holds if the specified expression should be excluded from the result of `ssaRead()`.
+   *
+   * This predicate is to keep the results identical to the original Java implementation. It should be
+   * removed once we have the new implementation matching the old results exactly.
+   */
+  predicate ignoreSsaReadArithmeticExpr(SemExpr e) { none() }
+
+  /**
+   * Holds if the specified variable should be excluded from the result of `ssaRead()`.
+   *
+   * This predicate is to keep the results identical to the original Java implementation. It should be
+   * removed once we have the new implementation matching the old results exactly.
+   */
+  predicate ignoreSsaReadAssignment(SemSsaVariable v) { none() }
+
+  /**
+   * Adds additional results to `ssaRead()` that are specific to Java.
+   *
+   * This predicate handles propagation of offsets for post-increment and post-decrement expressions
+   * in exactly the same way as the old Java implementation. Once the new implementation matches the
+   * old one, we should remove this predicate and propagate deltas for all similar patterns, whether
+   * or not they come from a post-increment/decrement expression.
+   */
+  SemExpr specificSsaRead(SemSsaVariable v, float delta) { none() }
+
   /**
    * Holds if `e >= bound` (if `upper = false`) or `e <= bound` (if `upper = true`).
    */
   predicate hasConstantBound(SemExpr e, float bound, boolean upper) { none() }
 
   /**
-   * Holds if `e2 >= e1 + delta` (if `upper = false`) or `e2 <= e1 + delta` (if `upper = true`).
+   * Holds if `e >= bound + delta` (if `upper = false`) or `e <= bound + delta` (if `upper = true`).
    */
-  predicate additionalBoundFlowStep(SemExpr e2, SemExpr e1, float delta, boolean upper) { none() }
+  predicate hasBound(SemExpr e, SemExpr bound, float delta, boolean upper) { none() }
+
+  /**
+   * Holds if the value of `dest` is known to be `src + delta`.
+   */
+  predicate additionalValueFlowStep(SemExpr dest, SemExpr src, float delta) { none() }
+
+  /**
+   * Gets the type that range analysis should use to track the result of the specified expression,
+   * if a type other than the original type of the expression is to be used.
+   *
+   * This predicate is commonly used in languages that support immutable "boxed" types that are
+   * actually references but whose values can be tracked as the type contained in the box.
+   */
+  SemType getAlternateType(SemExpr e) { none() }
+
+  /**
+   * Gets the type that range analysis should use to track the result of the specified source
+   * variable, if a type other than the original type of the expression is to be used.
+   *
+   * This predicate is commonly used in languages that support immutable "boxed" types that are
+   * actually references but whose values can be tracked as the type contained in the box.
+   */
+  SemType getAlternateTypeForSsaVariable(SemSsaVariable var) { none() }
 }

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisImpl.qll

@@ -1,115 +1,13 @@
+private import RangeAnalysisStage
 private import RangeAnalysisConstantSpecific
 private import RangeAnalysisRelativeSpecific
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.FloatDelta
-private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticExpr
-private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticCFG
-private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticGuard
+private import RangeUtils
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticBound as SemanticBound
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticLocation
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticSSA
-private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticType as SemanticType
-private import SemanticType
-private import codeql.rangeanalysis.RangeAnalysis
-private import ConstantAnalysis as ConstantAnalysis
 
-module Sem implements Semantic {
-  class Expr = SemExpr;
-
-  class ConstantIntegerExpr = ConstantAnalysis::SemConstantIntegerExpr;
-
-  class BinaryExpr = SemBinaryExpr;
-
-  class AddExpr = SemAddExpr;
-
-  class SubExpr = SemSubExpr;
-
-  class MulExpr = SemMulExpr;
-
-  class DivExpr = SemDivExpr;
-
-  class RemExpr = SemRemExpr;
-
-  class BitAndExpr = SemBitAndExpr;
-
-  class BitOrExpr = SemBitOrExpr;
-
-  class ShiftLeftExpr = SemShiftLeftExpr;
-
-  class ShiftRightExpr = SemShiftRightExpr;
-
-  class ShiftRightUnsignedExpr = SemShiftRightUnsignedExpr;
-
-  class RelationalExpr = SemRelationalExpr;
-
-  class UnaryExpr = SemUnaryExpr;
-
-  class ConvertExpr = SemConvertExpr;
-
-  class BoxExpr = SemBoxExpr;
-
-  class UnboxExpr = SemUnboxExpr;
-
-  class NegateExpr = SemNegateExpr;
-
-  class PreIncExpr = SemAddOneExpr;
-
-  class PreDecExpr = SemSubOneExpr;
-
-  class PostIncExpr extends SemUnaryExpr {
-    PostIncExpr() { none() }
-  }
-
-  class PostDecExpr extends SemUnaryExpr {
-    PostDecExpr() { none() }
-  }
-
-  class CopyValueExpr extends SemUnaryExpr {
-    CopyValueExpr() { this instanceof SemCopyValueExpr or this instanceof SemStoreExpr }
-  }
-
-  class ConditionalExpr = SemConditionalExpr;
-
-  class BasicBlock = SemBasicBlock;
-
-  BasicBlock getABasicBlockSuccessor(BasicBlock bb) { result = bb.getASuccessor() }
-
-  int getBlockId1(BasicBlock bb) { result = bb.getUniqueId() }
-
-  class Guard = SemGuard;
-
-  predicate implies_v2 = semImplies_v2/4;
-
-  class Type = SemType;
-
-  class IntegerType = SemIntegerType;
-
-  class FloatingPointType = SemFloatingPointType;
-
-  class AddressType = SemAddressType;
-
-  SemType getExprType(SemExpr e) { result = e.getSemType() }
-
-  SemType getSsaType(SemSsaVariable var) { result = var.getType() }
-
-  class SsaVariable = SemSsaVariable;
-
-  class SsaPhiNode = SemSsaPhiNode;
-
-  class SsaExplicitUpdate = SemSsaExplicitUpdate;
-
-  predicate additionalValueFlowStep(SemExpr dest, SemExpr src, int delta) { none() }
-
-  predicate conversionCannotOverflow(Type fromType, Type toType) {
-    SemanticType::conversionCannotOverflow(fromType, toType)
-  }
-}
-
-module SignAnalysis implements SignAnalysisSig<Sem> {
-  private import SignAnalysisCommon as SA
-  import SA::SignAnalysis<FloatDelta>
-}
-
-module ConstantBounds implements BoundSig<SemLocation, Sem, FloatDelta> {
+module ConstantBounds implements BoundSig<FloatDelta> {
   class SemBound instanceof SemanticBound::SemBound {
     SemBound() {
       this instanceof SemanticBound::SemZeroBound
@@ -127,11 +25,11 @@ module ConstantBounds implements BoundSig<SemLocation, Sem, FloatDelta> {
   class SemZeroBound extends SemBound instanceof SemanticBound::SemZeroBound { }
 
   class SemSsaBound extends SemBound instanceof SemanticBound::SemSsaBound {
-    SemSsaVariable getVariable() { result = this.(SemanticBound::SemSsaBound).getAVariable() }
+    SemSsaVariable getAVariable() { result = this.(SemanticBound::SemSsaBound).getAVariable() }
   }
 }
 
-module RelativeBounds implements BoundSig<SemLocation, Sem, FloatDelta> {
+module RelativeBounds implements BoundSig<FloatDelta> {
   class SemBound instanceof SemanticBound::SemBound {
     SemBound() { not this instanceof SemanticBound::SemZeroBound }
 
@@ -145,40 +43,17 @@ module RelativeBounds implements BoundSig<SemLocation, Sem, FloatDelta> {
   class SemZeroBound extends SemBound instanceof SemanticBound::SemZeroBound { }
 
   class SemSsaBound extends SemBound instanceof SemanticBound::SemSsaBound {
-    SemSsaVariable getVariable() { result = this.(SemanticBound::SemSsaBound).getAVariable() }
+    SemSsaVariable getAVariable() { result = this.(SemanticBound::SemSsaBound).getAVariable() }
   }
 }
 
-module AllBounds implements BoundSig<SemLocation, Sem, FloatDelta> {
-  class SemBound instanceof SemanticBound::SemBound {
-    string toString() { result = super.toString() }
-
-    SemLocation getLocation() { result = super.getLocation() }
-
-    SemExpr getExpr(float delta) { result = super.getExpr(delta) }
-  }
-
-  class SemZeroBound extends SemBound instanceof SemanticBound::SemZeroBound { }
-
-  class SemSsaBound extends SemBound instanceof SemanticBound::SemSsaBound {
-    SemSsaVariable getVariable() { result = this.(SemanticBound::SemSsaBound).getAVariable() }
-  }
-}
-
-private module ModulusAnalysisInstantiated implements ModulusAnalysisSig<Sem> {
-  class ModBound = AllBounds::SemBound;
-
-  private import codeql.rangeanalysis.ModulusAnalysis as MA
-  import MA::ModulusAnalysis<SemLocation, Sem, FloatDelta, AllBounds>
-}
-
 module ConstantStage =
-  RangeStage<SemLocation, Sem, FloatDelta, ConstantBounds, FloatOverflow, CppLangImplConstant,
-    SignAnalysis, ModulusAnalysisInstantiated>;
+  RangeStage<FloatDelta, ConstantBounds, FloatOverflow, CppLangImplConstant,
+    RangeUtil<FloatDelta, CppLangImplConstant>>;
 
 module RelativeStage =
-  RangeStage<SemLocation, Sem, FloatDelta, RelativeBounds, FloatOverflow, CppLangImplRelative,
-    SignAnalysis, ModulusAnalysisInstantiated>;
+  RangeStage<FloatDelta, RelativeBounds, FloatOverflow, CppLangImplRelative,
+    RangeUtil<FloatDelta, CppLangImplRelative>>;
 
 private newtype TSemReason =
   TSemNoReason() or

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisRelativeSpecific.qll

@@ -3,12 +3,21 @@
  */
 
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
+private import RangeAnalysisStage
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.FloatDelta
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.IntDelta
 private import RangeAnalysisImpl
 private import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
-private import codeql.rangeanalysis.RangeAnalysis
 
-module CppLangImplRelative implements LangSig<Sem, FloatDelta> {
+module CppLangImplRelative implements LangSig<FloatDelta> {
+  /**
+   * Holds if the specified expression should be excluded from the result of `ssaRead()`.
+   *
+   * This predicate is to keep the results identical to the original Java implementation. It should be
+   * removed once we have the new implementation matching the old results exactly.
+   */
+  predicate ignoreSsaReadCopy(SemExpr e) { none() }
+
   /**
    * Ignore the bound on this expression.
    *
@@ -48,13 +57,70 @@ module CppLangImplRelative implements LangSig<Sem, FloatDelta> {
     t instanceof SemFloatingPointType and lb = -(1.0 / 0.0) and ub = 1.0 / 0.0
   }
 
+  /**
+   * Ignore any inferred zero lower bound on this expression.
+   *
+   * This predicate is to keep the results identical to the original Java implementation. It should be
+   * removed once we have the new implementation matching the old results exactly.
+   */
+  predicate ignoreZeroLowerBound(SemExpr e) { none() }
+
+  /**
+   * Holds if the specified expression should be excluded from the result of `ssaRead()`.
+   *
+   * This predicate is to keep the results identical to the original Java implementation. It should be
+   * removed once we have the new implementation matching the old results exactly.
+   */
+  predicate ignoreSsaReadArithmeticExpr(SemExpr e) { none() }
+
+  /**
+   * Holds if the specified variable should be excluded from the result of `ssaRead()`.
+   *
+   * This predicate is to keep the results identical to the original Java implementation. It should be
+   * removed once we have the new implementation matching the old results exactly.
+   */
+  predicate ignoreSsaReadAssignment(SemSsaVariable v) { none() }
+
+  /**
+   * Adds additional results to `ssaRead()` that are specific to Java.
+   *
+   * This predicate handles propagation of offsets for post-increment and post-decrement expressions
+   * in exactly the same way as the old Java implementation. Once the new implementation matches the
+   * old one, we should remove this predicate and propagate deltas for all similar patterns, whether
+   * or not they come from a post-increment/decrement expression.
+   */
+  SemExpr specificSsaRead(SemSsaVariable v, float delta) { none() }
+
   /**
    * Holds if `e >= bound` (if `upper = false`) or `e <= bound` (if `upper = true`).
    */
   predicate hasConstantBound(SemExpr e, float bound, boolean upper) { none() }
 
   /**
-   * Holds if `e2 >= e1 + delta` (if `upper = false`) or `e2 <= e1 + delta` (if `upper = true`).
+   * Holds if `e >= bound + delta` (if `upper = false`) or `e <= bound + delta` (if `upper = true`).
    */
-  predicate additionalBoundFlowStep(SemExpr e2, SemExpr e1, float delta, boolean upper) { none() }
+  predicate hasBound(SemExpr e, SemExpr bound, float delta, boolean upper) { none() }
+
+  /**
+   * Holds if the value of `dest` is known to be `src + delta`.
+   */
+  predicate additionalValueFlowStep(SemExpr dest, SemExpr src, float delta) { none() }
+
+  /**
+   * Gets the type that range analysis should use to track the result of the specified expression,
+   * if a type other than the original type of the expression is to be used.
+   *
+   * This predicate is commonly used in languages that support immutable "boxed" types that are
+   * actually references but whose values can be tracked as the type contained in the box.
+   */
+  SemType getAlternateType(SemExpr e) { none() }
+
+  /**
+   * Gets the type that range analysis should use to track the result of the specified source
+   * variable, if a type other than the original type of the expression is to be used.
+   *
+   * This predicate is commonly used in languages that support immutable "boxed" types that are
+   * actually references but whose values can be tracked as the type contained in the box.
+   */
+  SemType getAlternateTypeForSsaVariable(SemSsaVariable var) { none() }
 }

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeUtils.qll

@@ -0,0 +1,164 @@
+/**
+ * Provides utility predicates for range analysis.
+ */
+
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
+private import RangeAnalysisRelativeSpecific
+private import RangeAnalysisStage as Range
+private import ConstantAnalysis
+
+module RangeUtil<Range::DeltaSig D, Range::LangSig<D> Lang> implements Range::UtilSig<D> {
+  /**
+   * Gets an expression that equals `v - d`.
+   */
+  SemExpr semSsaRead(SemSsaVariable v, D::Delta delta) {
+    // There are various language-specific extension points that can be removed once we no longer
+    // expect to match the original Java implementation's results exactly.
+    result = v.getAUse() and delta = D::fromInt(0)
+    or
+    exists(D::Delta d1, SemConstantIntegerExpr c |
+      result.(SemAddExpr).hasOperands(semSsaRead(v, d1), c) and
+      delta = D::fromFloat(D::toFloat(d1) - c.getIntValue()) and
+      not Lang::ignoreSsaReadArithmeticExpr(result)
+    )
+    or
+    exists(SemSubExpr sub, D::Delta d1, SemConstantIntegerExpr c |
+      result = sub and
+      sub.getLeftOperand() = semSsaRead(v, d1) and
+      sub.getRightOperand() = c and
+      delta = D::fromFloat(D::toFloat(d1) + c.getIntValue()) and
+      not Lang::ignoreSsaReadArithmeticExpr(result)
+    )
+    or
+    result = v.(SemSsaExplicitUpdate).getSourceExpr() and
+    delta = D::fromFloat(0) and
+    not Lang::ignoreSsaReadAssignment(v)
+    or
+    result = Lang::specificSsaRead(v, delta)
+    or
+    result.(SemCopyValueExpr).getOperand() = semSsaRead(v, delta) and
+    not Lang::ignoreSsaReadCopy(result)
+    or
+    result.(SemStoreExpr).getOperand() = semSsaRead(v, delta)
+  }
+
+  /**
+   * Gets a condition that tests whether `v` equals `e + delta`.
+   *
+   * If the condition evaluates to `testIsTrue`:
+   * - `isEq = true`  : `v == e + delta`
+   * - `isEq = false` : `v != e + delta`
+   */
+  pragma[nomagic]
+  SemGuard semEqFlowCond(
+    SemSsaVariable v, SemExpr e, D::Delta delta, boolean isEq, boolean testIsTrue
+  ) {
+    exists(boolean eqpolarity |
+      result.isEquality(semSsaRead(v, delta), e, eqpolarity) and
+      (testIsTrue = true or testIsTrue = false) and
+      eqpolarity.booleanXor(testIsTrue).booleanNot() = isEq
+    )
+    or
+    exists(boolean testIsTrue0 |
+      semImplies_v2(result, testIsTrue, semEqFlowCond(v, e, delta, isEq, testIsTrue0), testIsTrue0)
+    )
+  }
+
+  /**
+   * Holds if `v` is an `SsaExplicitUpdate` that equals `e + delta`.
+   */
+  predicate semSsaUpdateStep(SemSsaExplicitUpdate v, SemExpr e, D::Delta delta) {
+    exists(SemExpr defExpr | defExpr = v.getSourceExpr() |
+      defExpr.(SemCopyValueExpr).getOperand() = e and delta = D::fromFloat(0)
+      or
+      defExpr.(SemStoreExpr).getOperand() = e and delta = D::fromFloat(0)
+      or
+      defExpr.(SemAddOneExpr).getOperand() = e and delta = D::fromFloat(1)
+      or
+      defExpr.(SemSubOneExpr).getOperand() = e and delta = D::fromFloat(-1)
+      or
+      e = defExpr and
+      not (
+        defExpr instanceof SemCopyValueExpr or
+        defExpr instanceof SemStoreExpr or
+        defExpr instanceof SemAddOneExpr or
+        defExpr instanceof SemSubOneExpr
+      ) and
+      delta = D::fromFloat(0)
+    )
+  }
+
+  /**
+   * Holds if `e1 + delta` equals `e2`.
+   */
+  predicate semValueFlowStep(SemExpr e2, SemExpr e1, D::Delta delta) {
+    e2.(SemCopyValueExpr).getOperand() = e1 and delta = D::fromFloat(0)
+    or
+    e2.(SemStoreExpr).getOperand() = e1 and delta = D::fromFloat(0)
+    or
+    e2.(SemAddOneExpr).getOperand() = e1 and delta = D::fromFloat(1)
+    or
+    e2.(SemSubOneExpr).getOperand() = e1 and delta = D::fromFloat(-1)
+    or
+    Lang::additionalValueFlowStep(e2, e1, delta)
+    or
+    exists(SemExpr x | e2.(SemAddExpr).hasOperands(e1, x) |
+      D::fromInt(x.(SemConstantIntegerExpr).getIntValue()) = delta
+    )
+    or
+    exists(SemExpr x, SemSubExpr sub |
+      e2 = sub and
+      sub.getLeftOperand() = e1 and
+      sub.getRightOperand() = x
+    |
+      D::fromInt(-x.(SemConstantIntegerExpr).getIntValue()) = delta
+    )
+  }
+
+  /**
+   * Gets the type used to track the specified expression's range information.
+   *
+   * Usually, this just `e.getSemType()`, but the language can override this to track immutable boxed
+   * primitive types as the underlying primitive type.
+   */
+  SemType getTrackedType(SemExpr e) {
+    result = Lang::getAlternateType(e)
+    or
+    not exists(Lang::getAlternateType(e)) and result = e.getSemType()
+  }
+
+  /**
+   * Gets the type used to track the specified source variable's range information.
+   *
+   * Usually, this just `e.getType()`, but the language can override this to track immutable boxed
+   * primitive types as the underlying primitive type.
+   */
+  SemType getTrackedTypeForSsaVariable(SemSsaVariable var) {
+    result = Lang::getAlternateTypeForSsaVariable(var)
+    or
+    not exists(Lang::getAlternateTypeForSsaVariable(var)) and result = var.getType()
+  }
+}
+
+/**
+ * Holds if `rix` is the number of input edges to `phi`.
+ */
+predicate maxPhiInputRank(SemSsaPhiNode phi, int rix) {
+  rix = max(int r | rankedPhiInput(phi, _, _, r))
+}
+
+/**
+ * Holds if `inp` is an input to `phi` along `edge` and this input has index `r`
+ * in an arbitrary 1-based numbering of the input edges to `phi`.
+ */
+predicate rankedPhiInput(
+  SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, int r
+) {
+  edge.phiInput(phi, inp) and
+  edge =
+    rank[r](SemSsaReadPositionPhiInputEdge e |
+      e.phiInput(phi, _)
+    |
+      e order by e.getOrigBlock().getUniqueId()
+    )
+}

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/SignAnalysisCommon.qll

@@ -6,16 +6,14 @@
  * three-valued domain `{negative, zero, positive}`.
  */
 
-private import codeql.rangeanalysis.RangeAnalysis
-private import RangeAnalysisImpl
+private import RangeAnalysisStage
 private import SignAnalysisSpecific as Specific
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
 private import ConstantAnalysis
+private import RangeUtils
 private import Sign
 
-module SignAnalysis<DeltaSig D> {
-  private import codeql.rangeanalysis.internal.RangeUtils::MakeUtils<Sem, D>
-
+module SignAnalysis<DeltaSig D, UtilSig<D> Utils> {
   /**
    * An SSA definition for which the analysis can compute the sign.
    *
@@ -38,13 +36,13 @@ module SignAnalysis<DeltaSig D> {
 
   /** An SSA definition whose sign is determined by the sign of that definitions source expression. */
   private class ExplicitSignDef extends FlowSignDef instanceof SemSsaExplicitUpdate {
-    final override Sign getSign() { result = semExprSign(super.getDefiningExpr()) }
+    final override Sign getSign() { result = semExprSign(super.getSourceExpr()) }
   }
 
   /** An SSA Phi definition, whose sign is the union of the signs of its inputs. */
   private class PhiSignDef extends FlowSignDef instanceof SemSsaPhiNode {
     final override Sign getSign() {
-      exists(SemSsaVariable inp, SsaReadPositionPhiInputEdge edge |
+      exists(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge |
         edge.phiInput(this, inp) and
         result = semSsaSign(inp, edge)
       )
@@ -147,7 +145,7 @@ module SignAnalysis<DeltaSig D> {
       not this instanceof ConstantSignExpr and
       (
         // Only track numeric types.
-        Sem::getExprType(this) instanceof SemNumericType
+        Utils::getTrackedType(this) instanceof SemNumericType
         or
         // Unless the language says to track this expression anyway.
         Specific::trackUnknownNonNumericExpr(this)
@@ -169,11 +167,11 @@ module SignAnalysis<DeltaSig D> {
     override Sign getSignRestriction() {
       // Propagate via SSA
       // Propagate the sign from the def of `v`, incorporating any inference from guards.
-      result = semSsaSign(v, any(SsaReadPositionBlock bb | bb.getBlock().getAnExpr() = this))
+      result = semSsaSign(v, any(SemSsaReadPositionBlock bb | bb.getAnExpr() = this))
       or
       // No block for this read. Just use the sign of the def.
       // REVIEW: How can this happen?
-      not exists(SsaReadPositionBlock bb | bb.getBlock().getAnExpr() = this) and
+      not exists(SemSsaReadPositionBlock bb | bb.getAnExpr() = this) and
       result = semSsaDefSign(v)
     }
   }
@@ -202,7 +200,7 @@ module SignAnalysis<DeltaSig D> {
 
   /** An expression of an unsigned type. */
   private class UnsignedExpr extends FlowSignExpr {
-    UnsignedExpr() { Sem::getExprType(this) instanceof SemUnsignedIntegerType }
+    UnsignedExpr() { Utils::getTrackedType(this) instanceof SemUnsignedIntegerType }
 
     override Sign getSignRestriction() {
       result = TPos() or
@@ -275,7 +273,7 @@ module SignAnalysis<DeltaSig D> {
     override SemUnboxExpr cast;
 
     UnboxSignExpr() {
-      exists(SemType fromType | fromType = Sem::getExprType(cast.getOperand()) |
+      exists(SemType fromType | fromType = Utils::getTrackedType(cast.getOperand()) |
         // Only numeric source types are handled here.
         fromType instanceof SemNumericType
       )
@@ -289,21 +287,21 @@ module SignAnalysis<DeltaSig D> {
    * to only include bounds for which we might determine a sign.
    */
   private predicate lowerBound(
-    SemExpr lowerbound, SemSsaVariable v, SsaReadPosition pos, boolean isStrict
+    SemExpr lowerbound, SemSsaVariable v, SemSsaReadPosition pos, boolean isStrict
   ) {
     exists(boolean testIsTrue, SemRelationalExpr comp |
       pos.hasReadOfVar(v) and
-      guardControlsSsaRead(semGetComparisonGuard(comp), pos, testIsTrue) and
+      semGuardControlsSsaRead(semGetComparisonGuard(comp), pos, testIsTrue) and
       not unknownSign(lowerbound)
     |
       testIsTrue = true and
       comp.getLesserOperand() = lowerbound and
-      comp.getGreaterOperand() = ssaRead(v, D::fromInt(0)) and
+      comp.getGreaterOperand() = Utils::semSsaRead(v, D::fromInt(0)) and
       (if comp.isStrict() then isStrict = true else isStrict = false)
       or
       testIsTrue = false and
       comp.getGreaterOperand() = lowerbound and
-      comp.getLesserOperand() = ssaRead(v, D::fromInt(0)) and
+      comp.getLesserOperand() = Utils::semSsaRead(v, D::fromInt(0)) and
       (if comp.isStrict() then isStrict = false else isStrict = true)
     )
   }
@@ -313,21 +311,21 @@ module SignAnalysis<DeltaSig D> {
    * to only include bounds for which we might determine a sign.
    */
   private predicate upperBound(
-    SemExpr upperbound, SemSsaVariable v, SsaReadPosition pos, boolean isStrict
+    SemExpr upperbound, SemSsaVariable v, SemSsaReadPosition pos, boolean isStrict
   ) {
     exists(boolean testIsTrue, SemRelationalExpr comp |
       pos.hasReadOfVar(v) and
-      guardControlsSsaRead(semGetComparisonGuard(comp), pos, testIsTrue) and
+      semGuardControlsSsaRead(semGetComparisonGuard(comp), pos, testIsTrue) and
       not unknownSign(upperbound)
     |
       testIsTrue = true and
       comp.getGreaterOperand() = upperbound and
-      comp.getLesserOperand() = ssaRead(v, D::fromInt(0)) and
+      comp.getLesserOperand() = Utils::semSsaRead(v, D::fromInt(0)) and
       (if comp.isStrict() then isStrict = true else isStrict = false)
       or
       testIsTrue = false and
       comp.getLesserOperand() = upperbound and
-      comp.getGreaterOperand() = ssaRead(v, D::fromInt(0)) and
+      comp.getGreaterOperand() = Utils::semSsaRead(v, D::fromInt(0)) and
       (if comp.isStrict() then isStrict = false else isStrict = true)
     )
   }
@@ -339,11 +337,11 @@ module SignAnalysis<DeltaSig D> {
    *  - `isEq = true` : `v = eqbound`
    *  - `isEq = false` : `v != eqbound`
    */
-  private predicate eqBound(SemExpr eqbound, SemSsaVariable v, SsaReadPosition pos, boolean isEq) {
+  private predicate eqBound(SemExpr eqbound, SemSsaVariable v, SemSsaReadPosition pos, boolean isEq) {
     exists(SemGuard guard, boolean testIsTrue, boolean polarity, SemExpr e |
       pos.hasReadOfVar(pragma[only_bind_into](v)) and
-      guardControlsSsaRead(guard, pragma[only_bind_into](pos), testIsTrue) and
-      e = ssaRead(pragma[only_bind_into](v), D::fromInt(0)) and
+      semGuardControlsSsaRead(guard, pragma[only_bind_into](pos), testIsTrue) and
+      e = Utils::semSsaRead(pragma[only_bind_into](v), D::fromInt(0)) and
       guard.isEquality(eqbound, e, polarity) and
       isEq = polarity.booleanXor(testIsTrue).booleanNot() and
       not unknownSign(eqbound)
@@ -354,7 +352,7 @@ module SignAnalysis<DeltaSig D> {
    * Holds if `bound` is a bound for `v` at `pos` that needs to be positive in
    * order for `v` to be positive.
    */
-  private predicate posBound(SemExpr bound, SemSsaVariable v, SsaReadPosition pos) {
+  private predicate posBound(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
     upperBound(bound, v, pos, _) or
     eqBound(bound, v, pos, true)
   }
@@ -363,7 +361,7 @@ module SignAnalysis<DeltaSig D> {
    * Holds if `bound` is a bound for `v` at `pos` that needs to be negative in
    * order for `v` to be negative.
    */
-  private predicate negBound(SemExpr bound, SemSsaVariable v, SsaReadPosition pos) {
+  private predicate negBound(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
     lowerBound(bound, v, pos, _) or
     eqBound(bound, v, pos, true)
   }
@@ -372,24 +370,24 @@ module SignAnalysis<DeltaSig D> {
    * Holds if `bound` is a bound for `v` at `pos` that can restrict whether `v`
    * can be zero.
    */
-  private predicate zeroBound(SemExpr bound, SemSsaVariable v, SsaReadPosition pos) {
+  private predicate zeroBound(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
     lowerBound(bound, v, pos, _) or
     upperBound(bound, v, pos, _) or
     eqBound(bound, v, pos, _)
   }
 
   /** Holds if `bound` allows `v` to be positive at `pos`. */
-  private predicate posBoundOk(SemExpr bound, SemSsaVariable v, SsaReadPosition pos) {
+  private predicate posBoundOk(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
     posBound(bound, v, pos) and TPos() = semExprSign(bound)
   }
 
   /** Holds if `bound` allows `v` to be negative at `pos`. */
-  private predicate negBoundOk(SemExpr bound, SemSsaVariable v, SsaReadPosition pos) {
+  private predicate negBoundOk(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
     negBound(bound, v, pos) and TNeg() = semExprSign(bound)
   }
 
   /** Holds if `bound` allows `v` to be zero at `pos`. */
-  private predicate zeroBoundOk(SemExpr bound, SemSsaVariable v, SsaReadPosition pos) {
+  private predicate zeroBoundOk(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
     lowerBound(bound, v, pos, _) and TNeg() = semExprSign(bound)
     or
     lowerBound(bound, v, pos, false) and TZero() = semExprSign(bound)
@@ -407,7 +405,7 @@ module SignAnalysis<DeltaSig D> {
    * Holds if there is a bound that might restrict whether `v` has the sign `s`
    * at `pos`.
    */
-  private predicate hasGuard(SemSsaVariable v, SsaReadPosition pos, Sign s) {
+  private predicate hasGuard(SemSsaVariable v, SemSsaReadPosition pos, Sign s) {
     s = TPos() and posBound(_, v, pos)
     or
     s = TNeg() and negBound(_, v, pos)
@@ -420,7 +418,7 @@ module SignAnalysis<DeltaSig D> {
    * might be ruled out by a guard.
    */
   pragma[noinline]
-  private Sign guardedSsaSign(SemSsaVariable v, SsaReadPosition pos) {
+  private Sign guardedSsaSign(SemSsaVariable v, SemSsaReadPosition pos) {
     result = semSsaDefSign(v) and
     pos.hasReadOfVar(v) and
     hasGuard(v, pos, result)
@@ -431,7 +429,7 @@ module SignAnalysis<DeltaSig D> {
    * can rule it out.
    */
   pragma[noinline]
-  private Sign unguardedSsaSign(SemSsaVariable v, SsaReadPosition pos) {
+  private Sign unguardedSsaSign(SemSsaVariable v, SemSsaReadPosition pos) {
     result = semSsaDefSign(v) and
     pos.hasReadOfVar(v) and
     not hasGuard(v, pos, result)
@@ -442,7 +440,7 @@ module SignAnalysis<DeltaSig D> {
    * ruled out the sign but does not.
    * This does not check that the definition of `v` also allows the sign.
    */
-  private Sign guardedSsaSignOk(SemSsaVariable v, SsaReadPosition pos) {
+  private Sign guardedSsaSignOk(SemSsaVariable v, SemSsaReadPosition pos) {
     result = TPos() and
     forex(SemExpr bound | posBound(bound, v, pos) | posBoundOk(bound, v, pos))
     or
@@ -454,7 +452,7 @@ module SignAnalysis<DeltaSig D> {
   }
 
   /** Gets a possible sign for `v` at `pos`. */
-  private Sign semSsaSign(SemSsaVariable v, SsaReadPosition pos) {
+  private Sign semSsaSign(SemSsaVariable v, SemSsaReadPosition pos) {
     result = unguardedSsaSign(v, pos)
     or
     result = guardedSsaSign(v, pos) and
@@ -470,7 +468,7 @@ module SignAnalysis<DeltaSig D> {
   Sign semExprSign(SemExpr e) {
     exists(Sign s | s = e.(SignExpr).getSign() |
       if
-        Sem::getExprType(e) instanceof SemUnsignedIntegerType and
+        Utils::getTrackedType(e) instanceof SemUnsignedIntegerType and
         s = TNeg() and
         not Specific::ignoreTypeRestrictions(e)
       then result = TPos()
@@ -509,16 +507,4 @@ module SignAnalysis<DeltaSig D> {
     not semExprSign(e) = TPos() and
     not semExprSign(e) = TZero()
   }
-
-  /**
-   * Holds if `e` may have positive values. This does not rule out the
-   * possibility for negative values.
-   */
-  predicate semMayBePositive(SemExpr e) { semExprSign(e) = TPos() }
-
-  /**
-   * Holds if `e` may have negative values. This does not rule out the
-   * possibility for positive values.
-   */
-  predicate semMayBeNegative(SemExpr e) { semExprSign(e) = TNeg() }
 }

cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/InvalidPointerToDereference.qll

@@ -23,7 +23,9 @@
  * configuration (see `InvalidPointerToDerefConfig`).
  *
  * The dataflow traversal defines the set of sources as any dataflow node `n` such that there exists a pointer-arithmetic
- * instruction `pai` found by `AllocationToInvalidPointer.qll` and a `n.asInstruction() = pai`.
+ * instruction `pai` found by `AllocationToInvalidPointer.qll` and a `n.asInstruction() >= pai + deltaDerefSourceAndPai`.
+ * Here, `deltaDerefSourceAndPai` is the constant difference between the source we track for finding a dereference and the
+ * pointer-arithmetic instruction.
  *
  * The set of sinks is defined as any dataflow node `n` such that `addr <= n.asInstruction() + deltaDerefSinkAndDerefAddress`
  * for some address operand `addr` and constant difference `deltaDerefSinkAndDerefAddress`. Since an address operand is
@@ -35,8 +37,9 @@
  * `deltaDerefSinkAndDerefAddress >= 0`. The load attached to `*p` is the "operation". To ensure that the path makes
  * intuitive sense, we only pick operations that are control-flow reachable from the dereference sink.
  *
- * We use the `deltaDerefSinkAndDerefAddress` to compute how many elements the dereference is beyond the end position of
- * the allocation. This is done in the `operationIsOffBy` predicate (which is the only predicate exposed by this file).
+ * To compute how many elements the dereference is beyond the end position of the allocation, we sum the two deltas
+ * `deltaDerefSourceAndPai` and `deltaDerefSinkAndDerefAddress`. This is done in the `operationIsOffBy` predicate
+ * (which is the only predicate exposed by this file).
  *
  * Handling false positives:
  *
@@ -93,7 +96,7 @@ int invalidPointerToDereferenceFieldFlowBranchLimit() { result = 0 }
 private module InvalidPointerToDerefBarrier {
   private module BarrierConfig implements DataFlow::ConfigSig {
     additional predicate isSource(DataFlow::Node source, PointerArithmeticInstruction pai) {
-      invalidPointerToDerefSource(_, pai, _) and
+      invalidPointerToDerefSource(_, pai, _, _) and
       // source <= pai
       bounded2(source.asInstruction(), pai, any(int d | d <= 0))
     }
@@ -166,11 +169,11 @@ private module InvalidPointerToDerefBarrier {
  */
 private module InvalidPointerToDerefConfig implements DataFlow::StateConfigSig {
   class FlowState extends PointerArithmeticInstruction {
-    FlowState() { invalidPointerToDerefSource(_, this, _) }
+    FlowState() { invalidPointerToDerefSource(_, this, _, _) }
   }
 
   predicate isSource(DataFlow::Node source, FlowState pai) {
-    invalidPointerToDerefSource(_, pai, source)
+    invalidPointerToDerefSource(_, pai, source, _)
   }
 
   pragma[inline]
@@ -195,17 +198,24 @@ private import DataFlow::GlobalWithState<InvalidPointerToDerefConfig>
 
 /**
  * Holds if `allocSource` is dataflow node that represents an allocation that flows to the
- * left-hand side of the pointer-arithmetic instruction represented by `derefSource`.
+ * left-hand side of the pointer-arithmetic `pai`, and `derefSource <= pai + derefSourcePaiDelta`.
+ *
+ * For example, if `pai` is a pointer-arithmetic operation `p + size` in an expression such
+ * as `(p + size) + 1` and `derefSource` is the node representing `(p + size) + 1`. In this
+ * case `derefSourcePaiDelta` is 1.
  */
 private predicate invalidPointerToDerefSource(
-  DataFlow::Node allocSource, PointerArithmeticInstruction pai, DataFlow::Node derefSource
+  DataFlow::Node allocSource, PointerArithmeticInstruction pai, DataFlow::Node derefSource,
+  int deltaDerefSourceAndPai
 ) {
   // Note that `deltaDerefSourceAndPai` is not necessarily equal to `rhsSizeDelta`:
   // `rhsSizeDelta` is the constant offset added to the size of the allocation, and
   // `deltaDerefSourceAndPai` is the constant difference between the pointer-arithmetic instruction
   // and the instruction computing the address for which we will search for a dereference.
   AllocToInvalidPointer::pointerAddInstructionHasBounds(allocSource, pai, _, _) and
-  derefSource.asInstruction() = pai
+  // derefSource <= pai + deltaDerefSourceAndPai
+  bounded2(derefSource.asInstruction(), pai, deltaDerefSourceAndPai) and
+  deltaDerefSourceAndPai >= 0
 }
 
 /**
@@ -248,9 +258,11 @@ private Instruction getASuccessor(Instruction instr) {
   instr.getBlock().getASuccessor+() = result.getBlock()
 }
 
-private predicate paiForDereferenceSink(PointerArithmeticInstruction pai, DataFlow::Node derefSink) {
+private predicate paiForDereferenceSink(
+  PointerArithmeticInstruction pai, DataFlow::Node derefSink, int deltaDerefSourceAndPai
+) {
   exists(DataFlow::Node derefSource |
-    invalidPointerToDerefSource(_, pai, derefSource) and
+    invalidPointerToDerefSource(_, pai, derefSource, deltaDerefSourceAndPai) and
     flow(derefSource, derefSink)
   )
 }
@@ -262,10 +274,10 @@ private predicate paiForDereferenceSink(PointerArithmeticInstruction pai, DataFl
  */
 private predicate derefSinkToOperation(
   DataFlow::Node derefSink, PointerArithmeticInstruction pai, DataFlow::Node operation,
-  string description, int deltaDerefSinkAndDerefAddress
+  string description, int deltaDerefSourceAndPai, int deltaDerefSinkAndDerefAddress
 ) {
   exists(Instruction operationInstr, AddressOperand addr |
-    paiForDereferenceSink(pai, pragma[only_bind_into](derefSink)) and
+    paiForDereferenceSink(pai, pragma[only_bind_into](derefSink), deltaDerefSourceAndPai) and
     isInvalidPointerDerefSink(derefSink, addr, operationInstr, description,
       deltaDerefSinkAndDerefAddress) and
     operationInstr = getASuccessor(derefSink.asInstruction()) and
@@ -286,7 +298,11 @@ predicate operationIsOffBy(
   DataFlow::Node allocation, PointerArithmeticInstruction pai, DataFlow::Node derefSource,
   DataFlow::Node derefSink, string description, DataFlow::Node operation, int delta
 ) {
-  invalidPointerToDerefSource(allocation, pai, derefSource) and
-  flow(derefSource, derefSink) and
-  derefSinkToOperation(derefSink, pai, operation, description, delta)
+  exists(int deltaDerefSourceAndPai, int deltaDerefSinkAndDerefAddress |
+    invalidPointerToDerefSource(allocation, pai, derefSource, deltaDerefSourceAndPai) and
+    flow(derefSource, derefSink) and
+    derefSinkToOperation(derefSink, pai, operation, description, deltaDerefSourceAndPai,
+      deltaDerefSinkAndDerefAddress) and
+    delta = deltaDerefSourceAndPai + deltaDerefSinkAndDerefAddress
+  )
 }

cpp/ql/lib/semmle/code/cpp/valuenumbering/HashCons.qll

@@ -372,8 +372,7 @@ private predicate analyzablePointerFieldAccess(PointerFieldAccess access) {
 private predicate mk_PointerFieldAccess(HashCons qualifier, Field target, PointerFieldAccess access) {
   analyzablePointerFieldAccess(access) and
   target = access.getTarget() and
-  qualifier = hashCons(access.getQualifier().getFullyConverted()) and
-  not access instanceof ImplicitThisFieldAccess
+  qualifier = hashCons(access.getQualifier().getFullyConverted())
 }
 
 private predicate analyzableImplicitThisFieldAccess(ImplicitThisFieldAccess access) {

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -197,11 +197,6 @@ svnchurn(
  * C++ dbscheme
  */
 
-extractor_version(
-    string codeql_version: string ref,
-    string frontend_version: string ref
-)
-
 @location = @location_stmt | @location_expr | @location_default ;
 
 /**
@@ -405,8 +400,6 @@ function_deleted(unique int id: @function ref);
 
 function_defaulted(unique int id: @function ref);
 
-function_prototyped(unique int id: @function ref)
-
 member_function_this_type(
     unique int id: @function ref,
     int this_type: @type ref
@@ -619,14 +612,6 @@ case @builtintype.kind of
 | 51 = @char8_t
 | 52 = @float16               // _Float16
 | 53 = @complex_float16       // _Complex _Float16
-| 54 = @fp16                  // __fp16
-| 55 = @std_bfloat16          // __bf16
-| 56 = @std_float16           // std::float16_t
-| 57 = @complex_std_float32   // _Complex _Float32
-| 58 = @complex_float32x      // _Complex _Float32x
-| 59 = @complex_std_float64   // _Complex _Float64
-| 60 = @complex_float64x      // _Complex _Float64x
-| 61 = @complex_std_float128  // _Complex _Float128
 ;
 
 builtintypes(
@@ -1336,16 +1321,11 @@ funbind(
                      | @assignxorexpr
                      | @assignlshiftexpr
                      | @assignrshiftexpr
-                     ;
-
-@assign_pointer_expr = @assignpaddexpr
+                     | @assignpaddexpr
                      | @assignpsubexpr
                      ;
 
-@assign_op_expr = @assign_arith_expr
-                | @assign_bitwise_expr
-                | @assign_pointer_expr
-                ;
+@assign_op_expr = @assign_arith_expr | @assign_bitwise_expr
 
 @assign_expr = @assignexpr | @assign_op_expr | @blockassignexpr
 
@@ -2149,7 +2129,7 @@ includes(
 );
 
 link_targets(
-    int id: @link_target,
+    unique int id: @link_target,
     int binary: @file ref
 );
 

cpp/ql/lib/upgrades/0a9eb01d3650642e013eb86be45d952289537f91/upgrade.properties

@@ -1,2 +0,0 @@
-description: Remove uniqueness constraint on link_targets/2
-compatibility: full