Revert "JS: Recognize DomSanitizer from @angular/core"

This reverts commit ff1d0cc4c7.
Remove NoSQL sinks since September 2018
2026-06-03 04:40:14 +02:00 · 2022-04-27 10:31:38 +00:00 · 2022-04-27 10:31:38 +00:00 · 2022-04-27 10:31:38 +00:00 · 2022-04-27 10:31:38 +00:00 · 2022-04-27 10:31:38 +00:00
1098 changed files with 20516 additions and 8526 deletions
--- a/.github/actions/fetch-codeql/action.yml
+++ b/.github/actions/fetch-codeql/action.yml
@@ -3,12 +3,22 @@ description: Fetches the latest version of CodeQL
 runs:
  using: composite
  steps:
+    - name: Select platform - Linux
+      if: runner.os == 'Linux'
+      shell: bash
+      run: echo "GA_CODEQL_CLI_PLATFORM=linux64" >> $GITHUB_ENV
+
+    - name: Select platform - MacOS
+      if: runner.os == 'MacOS'
+      shell: bash
+      run: echo "GA_CODEQL_CLI_PLATFORM=osx64" >> $GITHUB_ENV
+
    - name: Fetch CodeQL
      shell: bash
      run: |
        LATEST=$(gh release list --repo https://github.com/github/codeql-cli-binaries | cut -f 1 | grep -v beta | sort --version-sort | tail -1)
-        gh release download --repo https://github.com/github/codeql-cli-binaries --pattern codeql-linux64.zip "$LATEST"
-        unzip -q -d "${RUNNER_TEMP}" codeql-linux64.zip
+        gh release download --repo https://github.com/github/codeql-cli-binaries --pattern codeql-$GA_CODEQL_CLI_PLATFORM.zip "$LATEST"
+        unzip -q -d "${RUNNER_TEMP}" codeql-$GA_CODEQL_CLI_PLATFORM.zip
        echo "${RUNNER_TEMP}/codeql" >> "${GITHUB_PATH}"
      env:
        GITHUB_TOKEN: ${{ github.token }}
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -21,6 +21,10 @@ Python:
 Ruby:
  - ruby/**/*
  - change-notes/**/*ruby*
+  
+Swift:
+  - swift/**/*
+  - change-notes/**/*swift*

 documentation:
  - "**/*.qhelp"
@@ -28,4 +32,4 @@ documentation:
  - docs/**/*

 "QL-for-QL": 
-  - ql/**/*
+  - ql/**/*
--- a/.github/workflows/check-qldoc.yml
+++ b/.github/workflows/check-qldoc.yml
@@ -30,7 +30,8 @@ jobs:
        shell: bash
        run: |
          EXIT_CODE=0
-          changed_lib_packs="$(git diff --name-only --diff-filter=ACMRT HEAD^ HEAD | { grep -o '^[a-z]*/ql/lib' || true; } | sort -u)"
+          # TODO: remove the swift exception from the regex when we fix generated QLdoc
+          changed_lib_packs="$(git diff --name-only --diff-filter=ACMRT HEAD^ HEAD | { grep -Po '^(?!swift)[a-z]*/ql/lib' || true; } | sort -u)"
          for pack_dir in ${changed_lib_packs}; do
            lang="${pack_dir%/ql/lib}"
            gh codeql generate library-doc-coverage --output="${RUNNER_TEMP}/${lang}-current.txt" --dir="${pack_dir}"
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -49,7 +49,7 @@ jobs:
    #  uses: github/codeql-action/autobuild@main

    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
+    # 📚 https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun

    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
    #    and modify them (or add more) to build your code if your project
--- a/.github/workflows/post-pr-comment.yml
+++ b/.github/workflows/post-pr-comment.yml
@@ -1,12 +1,17 @@
-name: Post pull-request comment
+# This workflow is the second part of the process described in
+# .github/workflows/qhelp-pr-preview.yml
+# See that file for more info.
+
+name: Post PR comment
 on:
  workflow_run:
-    workflows: ["Query help preview"]
+    workflows: [Render QHelp changes]
    types:
      - completed

 permissions:
  pull-requests: write
+  actions: read

 jobs:
  post_comment:
@@ -17,15 +22,53 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ github.token }}
          WORKFLOW_RUN_ID: ${{ github.event.workflow_run.id }}
-      - run: |
-          PR="$(grep -o '^[0-9]\+$' pr.txt)"
+
+      - name: Check that PR SHA matches workflow SHA
+        run: |
+          PR="$(grep -o '^[0-9]\+$' pr_number.txt)"
          PR_HEAD_SHA="$(gh api "/repos/${GITHUB_REPOSITORY}/pulls/${PR}" --jq .head.sha)"
          # Check that the pull-request head SHA matches the head SHA of the workflow run
          if [ "${WORKFLOW_RUN_HEAD_SHA}" != "${PR_HEAD_SHA}" ]; then
            echo "PR head SHA ${PR_HEAD_SHA} does not match workflow_run event SHA ${WORKFLOW_RUN_HEAD_SHA}. Stopping." 1>&2
            exit 1
          fi
-          gh pr comment "${PR}" --repo "${GITHUB_REPOSITORY}" -F comment.txt
        env:
          GITHUB_TOKEN: ${{ github.token }}
          WORKFLOW_RUN_HEAD_SHA: ${{ github.event.workflow_run.head_commit.id }}
+
+      - name: Create or update comment
+        run: |
+          COMMENT_PREFIX="QHelp previews"
+          COMMENT_AUTHOR="github-actions[bot]"
+          PR_NUMBER="$(grep -o '^[0-9]\+$' pr_number.txt)"
+
+          # If there is no existing comment, comment_id.txt will contain just a
+          # newline (due to jq & gh behaviour). This will cause grep to fail, so
+          # we catch that.
+          RAW_COMMENT_ID=$(grep -o '^[0-9]\+$' comment_id.txt || true)
+
+          if [ $RAW_COMMENT_ID ]
+          then
+            # Fetch existing comment, and validate:
+            # - comment belongs to the PR with number $PR_NUMBER
+            # - comment starts with the expected prefix ("QHelp previews")
+            # - comment author is github-actions[bot]
+            FILTER='select(.issue_url | endswith($repo+"/issues/"+$pr))
+                  | select(.body | startswith($prefix))
+                  | select(.user.login == $author)
+                  | .id'
+            COMMENT_ID=$(gh api "repos/${GITHUB_REPOSITORY}/issues/comments/${RAW_COMMENT_ID}" | jq --arg repo "${GITHUB_REPOSITORY}" --arg pr "${PR_NUMBER}" --arg prefix "${COMMENT_PREFIX}" --arg author "${COMMENT_AUTHOR}" "${FILTER}")
+            if [ $COMMENT_ID ]
+            then
+              # Update existing comment
+              jq --rawfile body comment_body.txt '{"body":$body}' -n | gh api "repos/${GITHUB_REPOSITORY}/issues/comments/${COMMENT_ID}" -X PATCH --input -
+            else
+              echo "Comment ${RAW_COMMENT_ID} did not pass validations: not editing." >&2
+              exit 1
+            fi
+          else
+            # Create new comment
+            jq --rawfile body comment_body.txt '{"body":$body}' -n | gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" -X POST --input -
+          fi
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
--- a/.github/workflows/qhelp-pr-preview.yml
+++ b/.github/workflows/qhelp-pr-preview.yml
@@ -1,7 +1,25 @@
-name: Query help preview
+# This workflow checks for any changes in .qhelp files in pull requests.
+# For any changed files, it renders them to markdown in a file called `comment_body.txt`.
+# It then checks if there's an existing comment on the pull request generated by
+# this workflow, and writes the comment ID to `comment_id.txt`.
+# It also writes the PR number to `pr_number.txt`.
+# These three files are uploaded as an artifact.
+
+# When this workflow completes, the workflow "Post PR comment" runs.
+# It downloads the artifact and adds a comment to the PR with the rendered
+# QHelp.
+
+# The task is split like this because creating PR comments requires extra
+# permissions that we don't want to expose to PRs from external forks.
+
+# For more info see:
+# https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run
+# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
+name: Render QHelp changes

 permissions:
  contents: read
+  pull-requests: read

 on:
  pull_request:
@@ -15,12 +33,16 @@ jobs:
  qhelp:
    runs-on: ubuntu-latest
    steps:
-      - run: echo "${{  github.event.number }}" > pr.txt
+      - run: echo "${PR_NUMBER}" > pr_number.txt
+        env:
+          PR_NUMBER: ${{ github.event.number }}
      - uses: actions/upload-artifact@v2
        with:
          name: comment
-          path: pr.txt
+          path: pr_number.txt
+          if-no-files-found: error
          retention-days: 1
+
      - uses: actions/checkout@v2
        with:
          fetch-depth: 2
@@ -36,7 +58,7 @@ jobs:
      - name: QHelp preview
        run: |
          EXIT_CODE=0
-          echo "QHelp previews:" > comment.txt
+          echo "QHelp previews:" > comment_body.txt
          while read -r -d $'\0' path; do
            if [ ! -f "${path}" ]; then
               exit 1
@@ -52,12 +74,29 @@ jobs:
               echo '```'
            fi
            echo "</details>"
-          done < "${RUNNER_TEMP}/paths.txt" >> comment.txt
+          done < "${RUNNER_TEMP}/paths.txt" >> comment_body.txt
          exit "${EXIT_CODE}"

      - if: always()
        uses: actions/upload-artifact@v2
        with:
          name: comment
-          path: comment.txt
+          path: comment_body.txt
+          if-no-files-found: error
+          retention-days: 1
+
+      - name: Save ID of existing QHelp comment (if it exists)
+        run: |
+          # Find the latest comment starting with "QHelp previews"
+          COMMENT_PREFIX="QHelp previews"
+          gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" --paginate | jq --arg prefix "${COMMENT_PREFIX}" '[.[] | select(.body|startswith($prefix)) | .id] | max' > comment_id.txt
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          PR_NUMBER: ${{ github.event.number }}
+
+      - uses: actions/upload-artifact@v2
+        with:
+          name: comment
+          path: comment_id.txt
+          if-no-files-found: error
          retention-days: 1
--- a/.github/workflows/ql-for-ql-build.yml
+++ b/.github/workflows/ql-for-ql-build.yml
@@ -140,7 +140,7 @@ jobs:
    runs-on: ubuntu-latest
    strategy:
      matrix:
-        folder: [cpp, csharp, java, javascript, python, ql, ruby]
+        folder: [cpp, csharp, java, javascript, python, ql, ruby, swift]

    needs:
      - package
--- a/.github/workflows/swift-codegen.yml
+++ b/.github/workflows/swift-codegen.yml
@@ -0,0 +1,27 @@
+name: "Swift: Check code generation"
+
+on:
+  pull_request:
+    paths:
+      - "swift/**"
+      - .github/workflows/swift-codegen.yml
+    branches:
+      - main
+
+jobs:
+  codegen:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v3
+        with:
+          python-version: '~3.7'
+          cache: 'pip'
+      - uses: ./.github/actions/fetch-codeql
+      - uses: bazelbuild/setup-bazelisk@v2
+      - name: Check code generation
+        run: |
+          pip install -r swift/codegen/requirements.txt
+          bazel run //swift/codegen
+          git add swift
+          git diff --exit-code --stat HEAD
--- a/.github/workflows/swift-qltest.yml
+++ b/.github/workflows/swift-qltest.yml
@@ -0,0 +1,39 @@
+name: "Swift: Run QL Tests"
+
+on:
+  pull_request:
+    paths:
+      - "swift/**"
+      - .github/workflows/swift-qltest.yml
+    branches:
+      - main
+defaults:
+  run:
+    working-directory: swift
+
+jobs:
+  qlformat:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: ./.github/actions/fetch-codeql
+      - name: Check QL formatting
+        run: find ql "(" -name "*.ql" -or -name "*.qll" ")" -print0 | xargs -0 codeql query format --check-only
+  qltest:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os : [ubuntu-20.04, macos-latest]
+    steps:
+      - uses: actions/checkout@v2
+      - uses: ./.github/actions/fetch-codeql
+      - uses: bazelbuild/setup-bazelisk@v2
+      - name: Build Swift extractor
+        run: |
+          bazel run //swift:create-extractor-pack
+      - name: Run QL tests
+        run: |
+          codeql test run --threads=0 --ram 5000 --search-path "${{ github.workspace }}/swift/extractor-pack" --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition ql/test
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -2,28 +2,41 @@
 # See https://pre-commit.com/hooks.html for more hooks
 exclude: /test/.*$(?<!\.ql)(?<!\.qll)(?<!\.qlref)
 repos:
-   repo: https://github.com/pre-commit/pre-commit-hooks
+  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v3.2.0
    hooks:
-    -   id: trailing-whitespace
-    -   id: end-of-file-fixer
+      - id: trailing-whitespace
+      - id: end-of-file-fixer

-   repo: local
+  - repo: https://github.com/pre-commit/mirrors-clang-format
+    rev: v13.0.1
    hooks:
-    -   id: codeql-format
+      - id: clang-format
+        files: ^swift/.*\.(h|c|cpp)$
+
+  - repo: local
+    hooks:
+      - id: codeql-format
        name: Fix QL file formatting
        files: \.qll?$
        language: system
        entry: codeql query format --in-place

-    -   id: sync-files
+      - id: sync-files
        name: Fix files required to be identical
        language: system
        entry: python3 config/sync-files.py --latest
        pass_filenames: false

-    -   id: qhelp
+      - id: qhelp
        name: Check query help generation
        files: \.qhelp$
        language: system
        entry: python3 misc/scripts/check-qhelp.py
+
+      - id: swift-codegen
+        name: Run Swift checked in code generation
+        files: ^swift/(codegen/|.*/generated/|ql/lib/(swift\.dbscheme$|codeql/swift/elements))
+        language: system
+        entry: bazel run //swift/codegen
+        pass_filenames: false
--- a/4
+++ b/4
@@ -27,3 +27,7 @@
 # Bazel
 **/*.bazel @github/codeql-ci-reviewers
 **/*.bzl @github/codeql-ci-reviewers
+
+# Documentation etc
+/*.md @github/code-scanning-product
+/LICENSE @github/code-scanning-product
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -2,7 +2,7 @@

 We welcome contributions to our CodeQL libraries and queries. Got an idea for a new check, or how to improve an existing query? Then please go ahead and open a pull request! Contributions to this project are [released](https://help.github.com/articles/github-terms-of-service/#6-contributions-under-repository-license) to the public under the [project's open source license](LICENSE).

-There is lots of useful documentation to help you write queries, ranging from information about query file structure to tutorials for specific target languages. For more information on the documentation available, see [CodeQL queries](https://help.semmle.com/QL/learn-ql/writing-queries/writing-queries.html) on [help.semmle.com](https://help.semmle.com).
+There is lots of useful documentation to help you write queries, ranging from information about query file structure to tutorials for specific target languages. For more information on the documentation available, see [CodeQL queries](https://codeql.github.com/docs/writing-codeql-queries/codeql-queries) on [codeql.github.com](https://codeql.github.com).

 ## Change notes

@@ -40,7 +40,7 @@ If you have an idea for a query that you would like to share with other CodeQL u

 3. **Formatting**

-    - The queries and libraries must be autoformatted, for example using the "Format Document" command in [CodeQL for Visual Studio Code](https://help.semmle.com/codeql/codeql-for-vscode/procedures/about-codeql-for-vscode.html).
+    - The queries and libraries must be autoformatted, for example using the "Format Document" command in [CodeQL for Visual Studio Code](https://codeql.github.com/docs/codeql-for-visual-studio-code/about-codeql-for-visual-studio-code).

    If you prefer, you can either:
    1. install the [pre-commit framework](https://pre-commit.com/) and install the configured hooks on this repo via `pre-commit install`, or
--- a/README.md
+++ b/README.md
@@ -13,7 +13,9 @@ We welcome contributions to our standard library and standard checks. Do you hav

 ## License

-The code in this repository is licensed under the [MIT License](LICENSE) by [GitHub](https://github.com). The use of CodeQL on open source code is licensed under specific [Terms & Conditions](https://securitylab.github.com/tools/codeql/license/) UNLESS you have a commercial license in place. If you'd like to use CodeQL with a commercial codebase, please [contact us](https://github.com/enterprise/contact) for further help.
+The code in this repository is licensed under the [MIT License](LICENSE) by [GitHub](https://github.com).
+
+The CodeQL CLI (including the CodeQL engine) is hosted in a [different repository](https://github.com/github/codeql-cli-binaries) and is [licensed separately](https://github.com/github/codeql-cli-binaries/blob/main/LICENSE.md). If you'd like to use the CodeQL CLI to analyze closed-source code, you will need a separate commercial license; please [contact us](https://github.com/enterprise/contact) for further help.

 ## Visual Studio Code integration

--- a/WORKSPACE.bazel
+++ b/WORKSPACE.bazel
@@ -1,12 +1,12 @@
 # Please notice that any bazel targets and definitions in this repository are currently experimental
 # and for internal use only.

-workspace(name = "ql")
+workspace(name = "codeql")

-load("//misc/bazel:workspace.bzl", "ql_workspace")
+load("//misc/bazel:workspace.bzl", "codeql_workspace")

-ql_workspace()
+codeql_workspace()

-load("//misc/bazel:workspace_deps.bzl", "ql_workspace_deps")
+load("//misc/bazel:workspace_deps.bzl", "codeql_workspace_deps")

-ql_workspace_deps()
+codeql_workspace_deps()
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -51,6 +51,7 @@
    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll",
    "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
    "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
+    "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking1/TaintTrackingImpl.qll",
    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking2/TaintTrackingImpl.qll",
    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll",
@@ -383,7 +384,8 @@
    "csharp/ql/test/TestUtilities/InlineExpectationsTest.qll",
    "java/ql/test/TestUtilities/InlineExpectationsTest.qll",
    "python/ql/test/TestUtilities/InlineExpectationsTest.qll",
-    "ruby/ql/test/TestUtilities/InlineExpectationsTest.qll"
+    "ruby/ql/test/TestUtilities/InlineExpectationsTest.qll",
+    "ql/ql/test/TestUtilities/InlineExpectationsTest.qll"
  ],
  "C++ ExternalAPIs": [
    "cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll",
@@ -549,4 +551,4 @@
    "javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessCustomizations.qll",
    "ruby/ql/lib/codeql/ruby/security/HttpToFileAccessCustomizations.qll"
  ]
-}
+}
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,17 @@
+## 0.1.0
+
+### Breaking Changes
+
+* The recently added flow-state versions of `isBarrierIn`, `isBarrierOut`, `isSanitizerIn`, and `isSanitizerOut` in the data flow and taint tracking libraries have been removed.
+
+### New Features
+
+* A new library `semmle.code.cpp.security.PrivateData` has been added. The new library heuristically detects variables and functions dealing with sensitive private data, such as e-mail addresses and credit card numbers.
+
+### Minor Analysis Improvements
+
+* The `semmle.code.cpp.security.SensitiveExprs` library has been enhanced with some additional rules for detecting credentials.
+
 ## 0.0.13

 ## 0.0.12
--- a/cpp/ql/lib/change-notes/2022-03-28-private-data.md
+++ b/cpp/ql/lib/change-notes/2022-03-28-private-data.md
@@ -1,4 +0,0 @@
---
-category: feature
---
-* A new library `semmle.code.cpp.security.PrivateData` has been added. The new library heuristically detects variables and functions dealing with sensitive private data, such as e-mail addresses and credit card numbers.
--- a/cpp/ql/lib/change-notes/2022-03-31-sensitive-exprs.md
+++ b/cpp/ql/lib/change-notes/2022-03-31-sensitive-exprs.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The `semmle.code.cpp.security.SensitiveExprs` library has been enhanced with some additional rules for detecting credentials.
--- a/cpp/ql/lib/change-notes/2022-04-22-no-size-array.md
+++ b/cpp/ql/lib/change-notes/2022-04-22-no-size-array.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `semmle.code.cpp.commons.Buffer` library has been enhanced to handle array members of classes that do not specify a size.
--- a/cpp/ql/lib/change-notes/2022-04-25-allow-implicit-read-signature.md
+++ b/cpp/ql/lib/change-notes/2022-04-25-allow-implicit-read-signature.md
@@ -0,0 +1,4 @@
+---
+category: breaking
+---
+The signature of `allowImplicitRead` on `DataFlow::Configuration` and `TaintTracking::Configuration` has changed from `allowImplicitRead(DataFlow::Node node, DataFlow::Content c)` to `allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c)`.
--- a/cpp/ql/lib/change-notes/2022-04-25-windows-pool-allocation-functions.md
+++ b/cpp/ql/lib/change-notes/2022-04-25-windows-pool-allocation-functions.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* More Windows pool allocation functions are now detected as `AllocationFunction`s.
--- a/cpp/ql/lib/change-notes/released/0.1.0.md
+++ b/cpp/ql/lib/change-notes/released/0.1.0.md
@@ -0,0 +1,13 @@
+## 0.1.0
+
+### Breaking Changes
+
+* The recently added flow-state versions of `isBarrierIn`, `isBarrierOut`, `isSanitizerIn`, and `isSanitizerOut` in the data flow and taint tracking libraries have been removed.
+
+### New Features
+
+* A new library `semmle.code.cpp.security.PrivateData` has been added. The new library heuristically detects variables and functions dealing with sensitive private data, such as e-mail addresses and credit card numbers.
+
+### Minor Analysis Improvements
+
+* The `semmle.code.cpp.security.SensitiveExprs` library has been enhanced with some additional rules for detecting credentials.
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.13
+lastReleaseVersion: 0.1.0
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.1.0-dev
+version: 0.1.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/lib/semmle/code/cpp/AutogeneratedFile.qll
+++ b/cpp/ql/lib/semmle/code/cpp/AutogeneratedFile.qll
@@ -84,6 +84,7 @@ private int fileHeaderLimit(File f) {
    fc = fileFirstComment(f) and
    result =
      min(int line |
+        // code ending the initial comments
        exists(DeclarationEntry de, Location l |
          l = de.getLocation() and
          l.getFile() = f and
@@ -105,7 +106,13 @@ private int fileHeaderLimit(File f) {
          line > fc
        )
        or
+        // end of the file
        line = f.getMetrics().getNumberOfLines()
+        or
+        // rarely, we've seen extremely long sequences of initial comments
+        // (and/or limitations in the above constraints) cause an overflow of
+        // the maximum string length. So don't look past 1000 lines regardless.
+        line = 1000
      )
  )
 }
--- a/cpp/ql/lib/semmle/code/cpp/Element.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Element.qll
@@ -109,10 +109,7 @@ class Element extends ElementBase {
    then
      exists(MacroInvocation mi |
        this = mi.getAGeneratedElement() and
-        not exists(MacroInvocation closer |
-          this = closer.getAGeneratedElement() and
-          mi = closer.getParentInvocation+()
-        ) and
+        not hasCloserMacroInvocation(this, mi) and
        result = mi.getMacro()
      )
    else result = this
@@ -236,6 +233,14 @@ class Element extends ElementBase {
  }
 }

+pragma[noinline]
+private predicate hasCloserMacroInvocation(Element elem, MacroInvocation mi) {
+  exists(MacroInvocation closer |
+    elem = closer.getAGeneratedElement() and
+    mi = closer.getParentInvocation()
+  )
+}
+
 private predicate isFromTemplateInstantiationRec(Element e, Element instantiation) {
  instantiation.(Function).isConstructedFrom(_) and
  e = instantiation
--- a/cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll
@@ -10,11 +10,18 @@ import semmle.code.cpp.dataflow.DataFlow
 *   char data[1]; // v
 * };
 * ```
- * This requires that `v` is an array of size 0 or 1.
+ * or
+ * ```
+ * struct myStruct { // c
+ *   int amount;
+ *   char data[]; // v
+ * };
+ * ```
+ * This requires that `v` is an array of size 0 or 1, or that the array has no size.
 */
 predicate memberMayBeVarSize(Class c, MemberVariable v) {
  c = v.getDeclaringType() and
-  v.getUnspecifiedType().(ArrayType).getArraySize() <= 1
+  exists(ArrayType t | t = v.getUnspecifiedType() | not t.getArraySize() > 1)
 }

 /**
@@ -27,11 +34,11 @@ int getBufferSize(Expr bufferExpr, Element why) {
    result = bufferVar.getUnspecifiedType().(ArrayType).getSize() and
    why = bufferVar and
    not memberMayBeVarSize(_, bufferVar) and
-    not result = 0 // zero sized arrays are likely to have special usage, for example
-    or
+    // zero sized arrays are likely to have special usage, for example
    // behaving a bit like a 'union' overlapping other fields.
-    // buffer is an initialized array
-    //  e.g. int buffer[] = {1, 2, 3};
+    not result = 0
+    or
+    // buffer is an initialized array, e.g., int buffer[] = {1, 2, 3};
    why = bufferVar.getInitializer().getExpr() and
    (
      why instanceof AggregateLiteral or
@@ -40,13 +47,18 @@ int getBufferSize(Expr bufferExpr, Element why) {
    result = why.(Expr).getType().(ArrayType).getSize() and
    not exists(bufferVar.getUnspecifiedType().(ArrayType).getSize())
    or
-    exists(Class parentClass, VariableAccess parentPtr |
+    exists(Class parentClass, VariableAccess parentPtr, int bufferSize |
      // buffer is the parentPtr->bufferVar of a 'variable size struct'
      memberMayBeVarSize(parentClass, bufferVar) and
      why = bufferVar and
      parentPtr = bufferExpr.(VariableAccess).getQualifier() and
      parentPtr.getTarget().getUnspecifiedType().(PointerType).getBaseType() = parentClass and
-      result = getBufferSize(parentPtr, _) + bufferVar.getType().getSize() - parentClass.getSize()
+      (
+        if exists(bufferVar.getType().getSize())
+        then bufferSize = bufferVar.getType().getSize()
+        else bufferSize = 0
+      ) and
+      result = getBufferSize(parentPtr, _) + bufferSize - parentClass.getSize()
    )
  )
  or
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
@@ -87,21 +87,9 @@ abstract class Configuration extends string {
  /** Holds if data flow into `node` is prohibited. */
  predicate isBarrierIn(Node node) { none() }

-  /**
-   * Holds if data flow into `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * Holds if data flow out of `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
  predicate isBarrierGuard(BarrierGuard guard) { none() }

@@ -128,7 +116,7 @@ abstract class Configuration extends string {
   * Holds if an arbitrary number of implicit read steps of content `c` may be
   * taken at `node`.
   */
-  predicate allowImplicitRead(Node node, Content c) { none() }
+  predicate allowImplicitRead(Node node, ContentSet c) { none() }

  /**
   * Gets the virtual dispatch branching limit when calculating field flow.
@@ -321,7 +309,7 @@ private class RetNodeEx extends NodeEx {
  ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }

-private predicate fullInBarrier(NodeEx node, Configuration config) {
+private predicate inBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierIn(n)
@@ -330,16 +318,7 @@ private predicate fullInBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierIn(n, state)
-  |
-    config.isSource(n, state)
-  )
-}
-
-private predicate fullOutBarrier(NodeEx node, Configuration config) {
+private predicate outBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierOut(n)
@@ -348,15 +327,6 @@ private predicate fullOutBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierOut(n, state)
-  |
-    config.isSink(n, state)
-  )
-}
-
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -382,12 +352,6 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
    or
-    config.isBarrierIn(n, state) and
-    not config.isSource(n, state)
-    or
-    config.isBarrierOut(n, state) and
-    not config.isSink(n, state)
-    or
    exists(BarrierGuard g |
      config.isBarrierGuard(g, state) and
      n = g.getAGuardedNode()
@@ -420,8 +384,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not fullOutBarrier(node1, config) and
-  not fullInBarrier(node2, config) and
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
  not fullBarrier(node1, config) and
  not fullBarrier(node2, config)
 }
@@ -474,8 +438,6 @@ private predicate additionalLocalStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config)
  )
@@ -517,16 +479,15 @@ private predicate additionalJumpStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }

-private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  read(node1.asNode(), c, node2.asNode()) and
+pragma[nomagic]
+private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
+  readSet(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -536,6 +497,25 @@ private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration conf
  )
 }

+// inline to reduce fan-out via `getAReadContent`
+pragma[inline]
+private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
+  exists(ContentSet cs |
+    readSet(node1, cs, node2, config) and
+    c = cs.getAReadContent()
+  )
+}
+
+// inline to reduce fan-out via `getAReadContent`
+pragma[inline]
+private predicate clearsContentEx(NodeEx n, Content c) {
+  exists(ContentSet cs |
+    clearsContentCached(n.asNode(), cs) and
+    c = cs.getAReadContent()
+  )
+}
+
+pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
@@ -613,9 +593,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(Content c |
-      fwdFlowRead(c, node, cc, config) and
-      fwdFlowConsCand(c, config)
+    exists(ContentSet c |
+      fwdFlowReadSet(c, node, cc, config) and
+      fwdFlowConsCandSet(c, _, config)
    )
    or
    // flow into a callable
@@ -639,10 +619,10 @@ private module Stage1 {
  private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }

  pragma[nomagic]
-  private predicate fwdFlowRead(Content c, NodeEx node, Cc cc, Configuration config) {
+  private predicate fwdFlowReadSet(ContentSet c, NodeEx node, Cc cc, Configuration config) {
    exists(NodeEx mid |
      fwdFlow(mid, cc, config) and
-      read(mid, c, node, config)
+      readSet(mid, c, node, config)
    )
  }

@@ -660,6 +640,16 @@ private module Stage1 {
    )
  }

+  /**
+   * Holds if `cs` may be interpreted in a read as the target of some store
+   * into `c`, in the flow covered by `fwdFlow`.
+   */
+  pragma[nomagic]
+  private predicate fwdFlowConsCandSet(ContentSet cs, Content c, Configuration config) {
+    fwdFlowConsCand(c, config) and
+    c = cs.getAReadContent()
+  }
+
  pragma[nomagic]
  private predicate fwdFlowReturnPosition(ReturnPosition pos, Cc cc, Configuration config) {
    exists(RetNodeEx ret |
@@ -752,9 +742,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(NodeEx mid, Content c |
-      read(node, c, mid, config) and
-      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
+    exists(NodeEx mid, ContentSet c |
+      readSet(node, c, mid, config) and
+      fwdFlowConsCandSet(c, _, pragma[only_bind_into](config)) and
      revFlow(mid, toReturn, pragma[only_bind_into](config))
    )
    or
@@ -780,10 +770,10 @@ private module Stage1 {
   */
  pragma[nomagic]
  private predicate revFlowConsCand(Content c, Configuration config) {
-    exists(NodeEx mid, NodeEx node |
+    exists(NodeEx mid, NodeEx node, ContentSet cs |
      fwdFlow(node, pragma[only_bind_into](config)) and
-      read(node, c, mid, config) and
-      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
+      readSet(node, cs, mid, config) and
+      fwdFlowConsCandSet(cs, c, pragma[only_bind_into](config)) and
      revFlow(pragma[only_bind_into](mid), _, pragma[only_bind_into](config))
    )
  }
@@ -802,6 +792,7 @@ private module Stage1 {
   * Holds if `c` is the target of both a read and a store in the flow covered
   * by `revFlow`.
   */
+  pragma[nomagic]
  private predicate revFlowIsReadAndStored(Content c, Configuration conf) {
    revFlowConsCand(c, conf) and
    revFlowStore(c, _, _, conf)
@@ -900,9 +891,9 @@ private module Stage1 {

  pragma[nomagic]
  predicate readStepCand(NodeEx n1, Content c, NodeEx n2, Configuration config) {
-    revFlowIsReadAndStored(c, pragma[only_bind_into](config)) and
-    revFlow(n2, pragma[only_bind_into](config)) and
-    read(n1, c, n2, pragma[only_bind_into](config))
+    revFlowIsReadAndStored(pragma[only_bind_into](c), pragma[only_bind_into](config)) and
+    read(n1, c, n2, pragma[only_bind_into](config)) and
+    revFlow(n2, pragma[only_bind_into](config))
  }

  pragma[nomagic]
@@ -912,14 +903,17 @@ private module Stage1 {
  predicate revFlow(
    NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
  ) {
-    revFlow(node, toReturn, config) and exists(state) and exists(returnAp) and exists(ap)
+    revFlow(node, toReturn, pragma[only_bind_into](config)) and
+    exists(state) and
+    exists(returnAp) and
+    exists(ap)
  }

  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
    revFlow(node, true, config) and
    fwdFlow(node, true, config) and
-    not fullInBarrier(node, config) and
-    not fullOutBarrier(node, config)
+    not inBarrier(node, config) and
+    not outBarrier(node, config)
  }

  /** Holds if flow may return from `callable`. */
@@ -1014,8 +1008,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
  viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
  Stage1::revFlow(ret, config) and
-  not fullOutBarrier(ret, config) and
-  not fullInBarrier(out, config)
+  not outBarrier(ret, config) and
+  not inBarrier(out, config)
 }

 pragma[nomagic]
@@ -1036,8 +1030,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
  viableParamArgNodeCand1(call, p, arg, config) and
  Stage1::revFlow(p, config) and
-  not fullOutBarrier(arg, config) and
-  not fullInBarrier(p, config)
+  not outBarrier(arg, config) and
+  not inBarrier(p, config)
 }

 /**
@@ -1189,7 +1183,7 @@ private module Stage2 {

  bindingset[node, state, ap, config]
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
-    PrevStage::revFlowState(state, config) and
+    PrevStage::revFlowState(state, pragma[only_bind_into](config)) and
    exists(ap) and
    not stateBarrier(node, state, config)
  }
@@ -1614,7 +1608,7 @@ private module Stage2 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      store(node1, tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -1769,9 +1763,9 @@ private module LocalFlowBigStep {
      or
      node.asNode() instanceof OutNodeExt
      or
-      store(_, _, node, _, config)
+      Stage2::storeStepCand(_, _, _, node, _, config)
      or
-      read(_, _, node, config)
+      Stage2::readStepCand(_, _, node, config)
      or
      node instanceof FlowCheckNode
      or
@@ -1792,8 +1786,8 @@ private module LocalFlowBigStep {
      additionalJumpStep(node, next, config) or
      flowIntoCallNodeCand1(_, node, next, config) or
      flowOutOfCallNodeCand1(_, node, next, config) or
-      store(node, _, next, _, config) or
-      read(node, _, next, config)
+      Stage2::storeStepCand(node, _, _, next, _, config) or
+      Stage2::readStepCand(node, _, next, config)
    )
    or
    exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
@@ -1966,7 +1960,24 @@ private module Stage3 {
  private predicate flowIntoCall = flowIntoCallNodeCand2/5;

  pragma[nomagic]
-  private predicate clear(NodeEx node, Ap ap) { ap.isClearedAt(node.asNode()) }
+  private predicate clearSet(NodeEx node, ContentSet c, Configuration config) {
+    PrevStage::revFlow(node, config) and
+    clearsContentCached(node.asNode(), c)
+  }
+
+  pragma[nomagic]
+  private predicate clearContent(NodeEx node, Content c, Configuration config) {
+    exists(ContentSet cs |
+      PrevStage::readStepCand(_, pragma[only_bind_into](c), _, pragma[only_bind_into](config)) and
+      c = cs.getAReadContent() and
+      clearSet(node, cs, pragma[only_bind_into](config))
+    )
+  }
+
+  pragma[nomagic]
+  private predicate clear(NodeEx node, Ap ap, Configuration config) {
+    clearContent(node, ap.getHead().getContent(), config)
+  }

  pragma[nomagic]
  private predicate castingNodeEx(NodeEx node) { node.asNode() instanceof CastingNode }
@@ -1975,7 +1986,7 @@ private module Stage3 {
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
    exists(state) and
    exists(config) and
-    not clear(node, ap) and
+    not clear(node, ap, config) and
    if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), ap.getType()) else any()
  }

@@ -2403,7 +2414,7 @@ private module Stage3 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      store(node1, tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -3230,7 +3241,7 @@ private module Stage4 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      store(node1, tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -4242,7 +4253,7 @@ private module Subpaths {
    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
      localFlowBigStep(n1, _, n2, _, _, _, _, _) or
      store(n1, _, n2, _, _) or
-      read(n1, _, n2, _)
+      readSet(n1, _, n2, _)
    )
  }

@@ -4597,7 +4608,7 @@ private module FlowExploration {
      or
      exists(PartialPathNodeRev mid |
        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentCached(node.asNode(), ap.getHead()) and
+        not clearsContentEx(node, ap.getHead()) and
        not fullBarrier(node, config) and
        not stateBarrier(node, state, config) and
        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
@@ -4613,7 +4624,7 @@ private module FlowExploration {
      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
      not fullBarrier(node, config) and
      not stateBarrier(node, state, config) and
-      not clearsContentCached(node.asNode(), ap.getHead().getContent()) and
+      not clearsContentEx(node, ap.getHead().getContent()) and
      if node.asNode() instanceof CastingNode
      then compatibleTypes(node.getDataFlowType(), ap.getType())
      else any()
@@ -5047,6 +5058,7 @@ private module FlowExploration {
    )
  }

+  pragma[nomagic]
  private predicate revPartialPathStep(
    PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
    TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -87,21 +87,9 @@ abstract class Configuration extends string {
  /** Holds if data flow into `node` is prohibited. */
  predicate isBarrierIn(Node node) { none() }

-  /**
-   * Holds if data flow into `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * Holds if data flow out of `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
  predicate isBarrierGuard(BarrierGuard guard) { none() }

@@ -128,7 +116,7 @@ abstract class Configuration extends string {
   * Holds if an arbitrary number of implicit read steps of content `c` may be
   * taken at `node`.
   */
-  predicate allowImplicitRead(Node node, Content c) { none() }
+  predicate allowImplicitRead(Node node, ContentSet c) { none() }

  /**
   * Gets the virtual dispatch branching limit when calculating field flow.
@@ -321,7 +309,7 @@ private class RetNodeEx extends NodeEx {
  ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }

-private predicate fullInBarrier(NodeEx node, Configuration config) {
+private predicate inBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierIn(n)
@@ -330,16 +318,7 @@ private predicate fullInBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierIn(n, state)
-  |
-    config.isSource(n, state)
-  )
-}
-
-private predicate fullOutBarrier(NodeEx node, Configuration config) {
+private predicate outBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierOut(n)
@@ -348,15 +327,6 @@ private predicate fullOutBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierOut(n, state)
-  |
-    config.isSink(n, state)
-  )
-}
-
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -382,12 +352,6 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
    or
-    config.isBarrierIn(n, state) and
-    not config.isSource(n, state)
-    or
-    config.isBarrierOut(n, state) and
-    not config.isSink(n, state)
-    or
    exists(BarrierGuard g |
      config.isBarrierGuard(g, state) and
      n = g.getAGuardedNode()
@@ -420,8 +384,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not fullOutBarrier(node1, config) and
-  not fullInBarrier(node2, config) and
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
  not fullBarrier(node1, config) and
  not fullBarrier(node2, config)
 }
@@ -474,8 +438,6 @@ private predicate additionalLocalStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config)
  )
@@ -517,16 +479,15 @@ private predicate additionalJumpStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }

-private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  read(node1.asNode(), c, node2.asNode()) and
+pragma[nomagic]
+private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
+  readSet(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -536,6 +497,25 @@ private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration conf
  )
 }

+// inline to reduce fan-out via `getAReadContent`
+pragma[inline]
+private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
+  exists(ContentSet cs |
+    readSet(node1, cs, node2, config) and
+    c = cs.getAReadContent()
+  )
+}
+
+// inline to reduce fan-out via `getAReadContent`
+pragma[inline]
+private predicate clearsContentEx(NodeEx n, Content c) {
+  exists(ContentSet cs |
+    clearsContentCached(n.asNode(), cs) and
+    c = cs.getAReadContent()
+  )
+}
+
+pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
@@ -613,9 +593,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(Content c |
-      fwdFlowRead(c, node, cc, config) and
-      fwdFlowConsCand(c, config)
+    exists(ContentSet c |
+      fwdFlowReadSet(c, node, cc, config) and
+      fwdFlowConsCandSet(c, _, config)
    )
    or
    // flow into a callable
@@ -639,10 +619,10 @@ private module Stage1 {
  private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }

  pragma[nomagic]
-  private predicate fwdFlowRead(Content c, NodeEx node, Cc cc, Configuration config) {
+  private predicate fwdFlowReadSet(ContentSet c, NodeEx node, Cc cc, Configuration config) {
    exists(NodeEx mid |
      fwdFlow(mid, cc, config) and
-      read(mid, c, node, config)
+      readSet(mid, c, node, config)
    )
  }

@@ -660,6 +640,16 @@ private module Stage1 {
    )
  }

+  /**
+   * Holds if `cs` may be interpreted in a read as the target of some store
+   * into `c`, in the flow covered by `fwdFlow`.
+   */
+  pragma[nomagic]
+  private predicate fwdFlowConsCandSet(ContentSet cs, Content c, Configuration config) {
+    fwdFlowConsCand(c, config) and
+    c = cs.getAReadContent()
+  }
+
  pragma[nomagic]
  private predicate fwdFlowReturnPosition(ReturnPosition pos, Cc cc, Configuration config) {
    exists(RetNodeEx ret |
@@ -752,9 +742,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(NodeEx mid, Content c |
-      read(node, c, mid, config) and
-      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
+    exists(NodeEx mid, ContentSet c |
+      readSet(node, c, mid, config) and
+      fwdFlowConsCandSet(c, _, pragma[only_bind_into](config)) and
      revFlow(mid, toReturn, pragma[only_bind_into](config))
    )
    or
@@ -780,10 +770,10 @@ private module Stage1 {
   */
  pragma[nomagic]
  private predicate revFlowConsCand(Content c, Configuration config) {
-    exists(NodeEx mid, NodeEx node |
+    exists(NodeEx mid, NodeEx node, ContentSet cs |
      fwdFlow(node, pragma[only_bind_into](config)) and
-      read(node, c, mid, config) and
-      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
+      readSet(node, cs, mid, config) and
+      fwdFlowConsCandSet(cs, c, pragma[only_bind_into](config)) and
      revFlow(pragma[only_bind_into](mid), _, pragma[only_bind_into](config))
    )
  }
@@ -802,6 +792,7 @@ private module Stage1 {
   * Holds if `c` is the target of both a read and a store in the flow covered
   * by `revFlow`.
   */
+  pragma[nomagic]
  private predicate revFlowIsReadAndStored(Content c, Configuration conf) {
    revFlowConsCand(c, conf) and
    revFlowStore(c, _, _, conf)
@@ -900,9 +891,9 @@ private module Stage1 {

  pragma[nomagic]
  predicate readStepCand(NodeEx n1, Content c, NodeEx n2, Configuration config) {
-    revFlowIsReadAndStored(c, pragma[only_bind_into](config)) and
-    revFlow(n2, pragma[only_bind_into](config)) and
-    read(n1, c, n2, pragma[only_bind_into](config))
+    revFlowIsReadAndStored(pragma[only_bind_into](c), pragma[only_bind_into](config)) and
+    read(n1, c, n2, pragma[only_bind_into](config)) and
+    revFlow(n2, pragma[only_bind_into](config))
  }

  pragma[nomagic]
@@ -912,14 +903,17 @@ private module Stage1 {
  predicate revFlow(
    NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
  ) {
-    revFlow(node, toReturn, config) and exists(state) and exists(returnAp) and exists(ap)
+    revFlow(node, toReturn, pragma[only_bind_into](config)) and
+    exists(state) and
+    exists(returnAp) and
+    exists(ap)
  }

  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
    revFlow(node, true, config) and
    fwdFlow(node, true, config) and
-    not fullInBarrier(node, config) and
-    not fullOutBarrier(node, config)
+    not inBarrier(node, config) and
+    not outBarrier(node, config)
  }

  /** Holds if flow may return from `callable`. */
@@ -1014,8 +1008,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
  viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
  Stage1::revFlow(ret, config) and
-  not fullOutBarrier(ret, config) and
-  not fullInBarrier(out, config)
+  not outBarrier(ret, config) and
+  not inBarrier(out, config)
 }

 pragma[nomagic]
@@ -1036,8 +1030,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
  viableParamArgNodeCand1(call, p, arg, config) and
  Stage1::revFlow(p, config) and
-  not fullOutBarrier(arg, config) and
-  not fullInBarrier(p, config)
+  not outBarrier(arg, config) and
+  not inBarrier(p, config)
 }

 /**
@@ -1189,7 +1183,7 @@ private module Stage2 {

  bindingset[node, state, ap, config]
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
-    PrevStage::revFlowState(state, config) and
+    PrevStage::revFlowState(state, pragma[only_bind_into](config)) and
    exists(ap) and
    not stateBarrier(node, state, config)
  }
@@ -1614,7 +1608,7 @@ private module Stage2 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      store(node1, tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -1769,9 +1763,9 @@ private module LocalFlowBigStep {
      or
      node.asNode() instanceof OutNodeExt
      or
-      store(_, _, node, _, config)
+      Stage2::storeStepCand(_, _, _, node, _, config)
      or
-      read(_, _, node, config)
+      Stage2::readStepCand(_, _, node, config)
      or
      node instanceof FlowCheckNode
      or
@@ -1792,8 +1786,8 @@ private module LocalFlowBigStep {
      additionalJumpStep(node, next, config) or
      flowIntoCallNodeCand1(_, node, next, config) or
      flowOutOfCallNodeCand1(_, node, next, config) or
-      store(node, _, next, _, config) or
-      read(node, _, next, config)
+      Stage2::storeStepCand(node, _, _, next, _, config) or
+      Stage2::readStepCand(node, _, next, config)
    )
    or
    exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
@@ -1966,7 +1960,24 @@ private module Stage3 {
  private predicate flowIntoCall = flowIntoCallNodeCand2/5;

  pragma[nomagic]
-  private predicate clear(NodeEx node, Ap ap) { ap.isClearedAt(node.asNode()) }
+  private predicate clearSet(NodeEx node, ContentSet c, Configuration config) {
+    PrevStage::revFlow(node, config) and
+    clearsContentCached(node.asNode(), c)
+  }
+
+  pragma[nomagic]
+  private predicate clearContent(NodeEx node, Content c, Configuration config) {
+    exists(ContentSet cs |
+      PrevStage::readStepCand(_, pragma[only_bind_into](c), _, pragma[only_bind_into](config)) and
+      c = cs.getAReadContent() and
+      clearSet(node, cs, pragma[only_bind_into](config))
+    )
+  }
+
+  pragma[nomagic]
+  private predicate clear(NodeEx node, Ap ap, Configuration config) {
+    clearContent(node, ap.getHead().getContent(), config)
+  }

  pragma[nomagic]
  private predicate castingNodeEx(NodeEx node) { node.asNode() instanceof CastingNode }
@@ -1975,7 +1986,7 @@ private module Stage3 {
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
    exists(state) and
    exists(config) and
-    not clear(node, ap) and
+    not clear(node, ap, config) and
    if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), ap.getType()) else any()
  }

@@ -2403,7 +2414,7 @@ private module Stage3 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      store(node1, tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -3230,7 +3241,7 @@ private module Stage4 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      store(node1, tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -4242,7 +4253,7 @@ private module Subpaths {
    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
      localFlowBigStep(n1, _, n2, _, _, _, _, _) or
      store(n1, _, n2, _, _) or
-      read(n1, _, n2, _)
+      readSet(n1, _, n2, _)
    )
  }

@@ -4597,7 +4608,7 @@ private module FlowExploration {
      or
      exists(PartialPathNodeRev mid |
        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentCached(node.asNode(), ap.getHead()) and
+        not clearsContentEx(node, ap.getHead()) and
        not fullBarrier(node, config) and
        not stateBarrier(node, state, config) and
        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
@@ -4613,7 +4624,7 @@ private module FlowExploration {
      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
      not fullBarrier(node, config) and
      not stateBarrier(node, state, config) and
-      not clearsContentCached(node.asNode(), ap.getHead().getContent()) and
+      not clearsContentEx(node, ap.getHead().getContent()) and
      if node.asNode() instanceof CastingNode
      then compatibleTypes(node.getDataFlowType(), ap.getType())
      else any()
@@ -5047,6 +5058,7 @@ private module FlowExploration {
    )
  }

+  pragma[nomagic]
  private predicate revPartialPathStep(
    PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
    TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -87,21 +87,9 @@ abstract class Configuration extends string {
  /** Holds if data flow into `node` is prohibited. */
  predicate isBarrierIn(Node node) { none() }

-  /**
-   * Holds if data flow into `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * Holds if data flow out of `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
  predicate isBarrierGuard(BarrierGuard guard) { none() }

@@ -128,7 +116,7 @@ abstract class Configuration extends string {
   * Holds if an arbitrary number of implicit read steps of content `c` may be
   * taken at `node`.
   */
-  predicate allowImplicitRead(Node node, Content c) { none() }
+  predicate allowImplicitRead(Node node, ContentSet c) { none() }

  /**
   * Gets the virtual dispatch branching limit when calculating field flow.
@@ -321,7 +309,7 @@ private class RetNodeEx extends NodeEx {
  ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }

-private predicate fullInBarrier(NodeEx node, Configuration config) {
+private predicate inBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierIn(n)
@@ -330,16 +318,7 @@ private predicate fullInBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierIn(n, state)
-  |
-    config.isSource(n, state)
-  )
-}
-
-private predicate fullOutBarrier(NodeEx node, Configuration config) {
+private predicate outBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierOut(n)
@@ -348,15 +327,6 @@ private predicate fullOutBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierOut(n, state)
-  |
-    config.isSink(n, state)
-  )
-}
-
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -382,12 +352,6 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
    or
-    config.isBarrierIn(n, state) and
-    not config.isSource(n, state)
-    or
-    config.isBarrierOut(n, state) and
-    not config.isSink(n, state)
-    or
    exists(BarrierGuard g |
      config.isBarrierGuard(g, state) and
      n = g.getAGuardedNode()
@@ -420,8 +384,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not fullOutBarrier(node1, config) and
-  not fullInBarrier(node2, config) and
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
  not fullBarrier(node1, config) and
  not fullBarrier(node2, config)
 }
@@ -474,8 +438,6 @@ private predicate additionalLocalStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config)
  )
@@ -517,16 +479,15 @@ private predicate additionalJumpStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }

-private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  read(node1.asNode(), c, node2.asNode()) and
+pragma[nomagic]
+private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
+  readSet(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -536,6 +497,25 @@ private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration conf
  )
 }

+// inline to reduce fan-out via `getAReadContent`
+pragma[inline]
+private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
+  exists(ContentSet cs |
+    readSet(node1, cs, node2, config) and
+    c = cs.getAReadContent()
+  )
+}
+
+// inline to reduce fan-out via `getAReadContent`
+pragma[inline]
+private predicate clearsContentEx(NodeEx n, Content c) {
+  exists(ContentSet cs |
+    clearsContentCached(n.asNode(), cs) and
+    c = cs.getAReadContent()
+  )
+}
+
+pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
@@ -613,9 +593,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(Content c |
-      fwdFlowRead(c, node, cc, config) and
-      fwdFlowConsCand(c, config)
+    exists(ContentSet c |
+      fwdFlowReadSet(c, node, cc, config) and
+      fwdFlowConsCandSet(c, _, config)
    )
    or
    // flow into a callable
@@ -639,10 +619,10 @@ private module Stage1 {
  private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }

  pragma[nomagic]
-  private predicate fwdFlowRead(Content c, NodeEx node, Cc cc, Configuration config) {
+  private predicate fwdFlowReadSet(ContentSet c, NodeEx node, Cc cc, Configuration config) {
    exists(NodeEx mid |
      fwdFlow(mid, cc, config) and
-      read(mid, c, node, config)
+      readSet(mid, c, node, config)
    )
  }

@@ -660,6 +640,16 @@ private module Stage1 {
    )
  }

+  /**
+   * Holds if `cs` may be interpreted in a read as the target of some store
+   * into `c`, in the flow covered by `fwdFlow`.
+   */
+  pragma[nomagic]
+  private predicate fwdFlowConsCandSet(ContentSet cs, Content c, Configuration config) {
+    fwdFlowConsCand(c, config) and
+    c = cs.getAReadContent()
+  }
+
  pragma[nomagic]
  private predicate fwdFlowReturnPosition(ReturnPosition pos, Cc cc, Configuration config) {
    exists(RetNodeEx ret |
@@ -752,9 +742,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(NodeEx mid, Content c |
-      read(node, c, mid, config) and
-      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
+    exists(NodeEx mid, ContentSet c |
+      readSet(node, c, mid, config) and
+      fwdFlowConsCandSet(c, _, pragma[only_bind_into](config)) and
      revFlow(mid, toReturn, pragma[only_bind_into](config))
    )
    or
@@ -780,10 +770,10 @@ private module Stage1 {
   */
  pragma[nomagic]
  private predicate revFlowConsCand(Content c, Configuration config) {
-    exists(NodeEx mid, NodeEx node |
+    exists(NodeEx mid, NodeEx node, ContentSet cs |
      fwdFlow(node, pragma[only_bind_into](config)) and
-      read(node, c, mid, config) and
-      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
+      readSet(node, cs, mid, config) and
+      fwdFlowConsCandSet(cs, c, pragma[only_bind_into](config)) and
      revFlow(pragma[only_bind_into](mid), _, pragma[only_bind_into](config))
    )
  }
@@ -802,6 +792,7 @@ private module Stage1 {
   * Holds if `c` is the target of both a read and a store in the flow covered
   * by `revFlow`.
   */
+  pragma[nomagic]
  private predicate revFlowIsReadAndStored(Content c, Configuration conf) {
    revFlowConsCand(c, conf) and
    revFlowStore(c, _, _, conf)
@@ -900,9 +891,9 @@ private module Stage1 {

  pragma[nomagic]
  predicate readStepCand(NodeEx n1, Content c, NodeEx n2, Configuration config) {
-    revFlowIsReadAndStored(c, pragma[only_bind_into](config)) and
-    revFlow(n2, pragma[only_bind_into](config)) and
-    read(n1, c, n2, pragma[only_bind_into](config))
+    revFlowIsReadAndStored(pragma[only_bind_into](c), pragma[only_bind_into](config)) and
+    read(n1, c, n2, pragma[only_bind_into](config)) and
+    revFlow(n2, pragma[only_bind_into](config))
  }

  pragma[nomagic]
@@ -912,14 +903,17 @@ private module Stage1 {
  predicate revFlow(
    NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
  ) {
-    revFlow(node, toReturn, config) and exists(state) and exists(returnAp) and exists(ap)
+    revFlow(node, toReturn, pragma[only_bind_into](config)) and
+    exists(state) and
+    exists(returnAp) and
+    exists(ap)
  }

  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
    revFlow(node, true, config) and
    fwdFlow(node, true, config) and
-    not fullInBarrier(node, config) and
-    not fullOutBarrier(node, config)
+    not inBarrier(node, config) and
+    not outBarrier(node, config)
  }

  /** Holds if flow may return from `callable`. */
@@ -1014,8 +1008,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
  viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
  Stage1::revFlow(ret, config) and
-  not fullOutBarrier(ret, config) and
-  not fullInBarrier(out, config)
+  not outBarrier(ret, config) and
+  not inBarrier(out, config)
 }

 pragma[nomagic]
@@ -1036,8 +1030,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
  viableParamArgNodeCand1(call, p, arg, config) and
  Stage1::revFlow(p, config) and
-  not fullOutBarrier(arg, config) and
-  not fullInBarrier(p, config)
+  not outBarrier(arg, config) and
+  not inBarrier(p, config)
 }

 /**
@@ -1189,7 +1183,7 @@ private module Stage2 {

  bindingset[node, state, ap, config]
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
-    PrevStage::revFlowState(state, config) and
+    PrevStage::revFlowState(state, pragma[only_bind_into](config)) and
    exists(ap) and
    not stateBarrier(node, state, config)
  }
@@ -1614,7 +1608,7 @@ private module Stage2 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      store(node1, tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -1769,9 +1763,9 @@ private module LocalFlowBigStep {
      or
      node.asNode() instanceof OutNodeExt
      or
-      store(_, _, node, _, config)
+      Stage2::storeStepCand(_, _, _, node, _, config)
      or
-      read(_, _, node, config)
+      Stage2::readStepCand(_, _, node, config)
      or
      node instanceof FlowCheckNode
      or
@@ -1792,8 +1786,8 @@ private module LocalFlowBigStep {
      additionalJumpStep(node, next, config) or
      flowIntoCallNodeCand1(_, node, next, config) or
      flowOutOfCallNodeCand1(_, node, next, config) or
-      store(node, _, next, _, config) or
-      read(node, _, next, config)
+      Stage2::storeStepCand(node, _, _, next, _, config) or
+      Stage2::readStepCand(node, _, next, config)
    )
    or
    exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
@@ -1966,7 +1960,24 @@ private module Stage3 {
  private predicate flowIntoCall = flowIntoCallNodeCand2/5;

  pragma[nomagic]
-  private predicate clear(NodeEx node, Ap ap) { ap.isClearedAt(node.asNode()) }
+  private predicate clearSet(NodeEx node, ContentSet c, Configuration config) {
+    PrevStage::revFlow(node, config) and
+    clearsContentCached(node.asNode(), c)
+  }
+
+  pragma[nomagic]
+  private predicate clearContent(NodeEx node, Content c, Configuration config) {
+    exists(ContentSet cs |
+      PrevStage::readStepCand(_, pragma[only_bind_into](c), _, pragma[only_bind_into](config)) and
+      c = cs.getAReadContent() and
+      clearSet(node, cs, pragma[only_bind_into](config))
+    )
+  }
+
+  pragma[nomagic]
+  private predicate clear(NodeEx node, Ap ap, Configuration config) {
+    clearContent(node, ap.getHead().getContent(), config)
+  }

  pragma[nomagic]
  private predicate castingNodeEx(NodeEx node) { node.asNode() instanceof CastingNode }
@@ -1975,7 +1986,7 @@ private module Stage3 {
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
    exists(state) and
    exists(config) and
-    not clear(node, ap) and
+    not clear(node, ap, config) and
    if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), ap.getType()) else any()
  }

@@ -2403,7 +2414,7 @@ private module Stage3 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      store(node1, tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -3230,7 +3241,7 @@ private module Stage4 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      store(node1, tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -4242,7 +4253,7 @@ private module Subpaths {
    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
      localFlowBigStep(n1, _, n2, _, _, _, _, _) or
      store(n1, _, n2, _, _) or
-      read(n1, _, n2, _)
+      readSet(n1, _, n2, _)
    )
  }

@@ -4597,7 +4608,7 @@ private module FlowExploration {
      or
      exists(PartialPathNodeRev mid |
        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentCached(node.asNode(), ap.getHead()) and
+        not clearsContentEx(node, ap.getHead()) and
        not fullBarrier(node, config) and
        not stateBarrier(node, state, config) and
        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
@@ -4613,7 +4624,7 @@ private module FlowExploration {
      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
      not fullBarrier(node, config) and
      not stateBarrier(node, state, config) and
-      not clearsContentCached(node.asNode(), ap.getHead().getContent()) and
+      not clearsContentEx(node, ap.getHead().getContent()) and
      if node.asNode() instanceof CastingNode
      then compatibleTypes(node.getDataFlowType(), ap.getType())
      else any()
@@ -5047,6 +5058,7 @@ private module FlowExploration {
    )
  }

+  pragma[nomagic]
  private predicate revPartialPathStep(
    PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
    TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -87,21 +87,9 @@ abstract class Configuration extends string {
  /** Holds if data flow into `node` is prohibited. */
  predicate isBarrierIn(Node node) { none() }

-  /**
-   * Holds if data flow into `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * Holds if data flow out of `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
  predicate isBarrierGuard(BarrierGuard guard) { none() }

@@ -128,7 +116,7 @@ abstract class Configuration extends string {
   * Holds if an arbitrary number of implicit read steps of content `c` may be
   * taken at `node`.
   */
-  predicate allowImplicitRead(Node node, Content c) { none() }
+  predicate allowImplicitRead(Node node, ContentSet c) { none() }

  /**
   * Gets the virtual dispatch branching limit when calculating field flow.
@@ -321,7 +309,7 @@ private class RetNodeEx extends NodeEx {
  ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }

-private predicate fullInBarrier(NodeEx node, Configuration config) {
+private predicate inBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierIn(n)
@@ -330,16 +318,7 @@ private predicate fullInBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierIn(n, state)
-  |
-    config.isSource(n, state)
-  )
-}
-
-private predicate fullOutBarrier(NodeEx node, Configuration config) {
+private predicate outBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierOut(n)
@@ -348,15 +327,6 @@ private predicate fullOutBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierOut(n, state)
-  |
-    config.isSink(n, state)
-  )
-}
-
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -382,12 +352,6 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
    or
-    config.isBarrierIn(n, state) and
-    not config.isSource(n, state)
-    or
-    config.isBarrierOut(n, state) and
-    not config.isSink(n, state)
-    or
    exists(BarrierGuard g |
      config.isBarrierGuard(g, state) and
      n = g.getAGuardedNode()
@@ -420,8 +384,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not fullOutBarrier(node1, config) and
-  not fullInBarrier(node2, config) and
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
  not fullBarrier(node1, config) and
  not fullBarrier(node2, config)
 }
@@ -474,8 +438,6 @@ private predicate additionalLocalStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config)
  )
@@ -517,16 +479,15 @@ private predicate additionalJumpStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }

-private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  read(node1.asNode(), c, node2.asNode()) and
+pragma[nomagic]
+private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
+  readSet(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -536,6 +497,25 @@ private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration conf
  )
 }

+// inline to reduce fan-out via `getAReadContent`
+pragma[inline]
+private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
+  exists(ContentSet cs |
+    readSet(node1, cs, node2, config) and
+    c = cs.getAReadContent()
+  )
+}
+
+// inline to reduce fan-out via `getAReadContent`
+pragma[inline]
+private predicate clearsContentEx(NodeEx n, Content c) {
+  exists(ContentSet cs |
+    clearsContentCached(n.asNode(), cs) and
+    c = cs.getAReadContent()
+  )
+}
+
+pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
@@ -613,9 +593,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(Content c |
-      fwdFlowRead(c, node, cc, config) and
-      fwdFlowConsCand(c, config)
+    exists(ContentSet c |
+      fwdFlowReadSet(c, node, cc, config) and
+      fwdFlowConsCandSet(c, _, config)
    )
    or
    // flow into a callable
@@ -639,10 +619,10 @@ private module Stage1 {
  private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }

  pragma[nomagic]
-  private predicate fwdFlowRead(Content c, NodeEx node, Cc cc, Configuration config) {
+  private predicate fwdFlowReadSet(ContentSet c, NodeEx node, Cc cc, Configuration config) {
    exists(NodeEx mid |
      fwdFlow(mid, cc, config) and
-      read(mid, c, node, config)
+      readSet(mid, c, node, config)
    )
  }

@@ -660,6 +640,16 @@ private module Stage1 {
    )
  }

+  /**
+   * Holds if `cs` may be interpreted in a read as the target of some store
+   * into `c`, in the flow covered by `fwdFlow`.
+   */
+  pragma[nomagic]
+  private predicate fwdFlowConsCandSet(ContentSet cs, Content c, Configuration config) {
+    fwdFlowConsCand(c, config) and
+    c = cs.getAReadContent()
+  }
+
  pragma[nomagic]
  private predicate fwdFlowReturnPosition(ReturnPosition pos, Cc cc, Configuration config) {
    exists(RetNodeEx ret |
@@ -752,9 +742,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(NodeEx mid, Content c |
-      read(node, c, mid, config) and
-      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
+    exists(NodeEx mid, ContentSet c |
+      readSet(node, c, mid, config) and
+      fwdFlowConsCandSet(c, _, pragma[only_bind_into](config)) and
      revFlow(mid, toReturn, pragma[only_bind_into](config))
    )
    or
@@ -780,10 +770,10 @@ private module Stage1 {
   */
  pragma[nomagic]
  private predicate revFlowConsCand(Content c, Configuration config) {
-    exists(NodeEx mid, NodeEx node |
+    exists(NodeEx mid, NodeEx node, ContentSet cs |
      fwdFlow(node, pragma[only_bind_into](config)) and
-      read(node, c, mid, config) and
-      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
+      readSet(node, cs, mid, config) and
+      fwdFlowConsCandSet(cs, c, pragma[only_bind_into](config)) and
      revFlow(pragma[only_bind_into](mid), _, pragma[only_bind_into](config))
    )
  }
@@ -802,6 +792,7 @@ private module Stage1 {
   * Holds if `c` is the target of both a read and a store in the flow covered
   * by `revFlow`.
   */
+  pragma[nomagic]
  private predicate revFlowIsReadAndStored(Content c, Configuration conf) {
    revFlowConsCand(c, conf) and
    revFlowStore(c, _, _, conf)
@@ -900,9 +891,9 @@ private module Stage1 {

  pragma[nomagic]
  predicate readStepCand(NodeEx n1, Content c, NodeEx n2, Configuration config) {
-    revFlowIsReadAndStored(c, pragma[only_bind_into](config)) and
-    revFlow(n2, pragma[only_bind_into](config)) and
-    read(n1, c, n2, pragma[only_bind_into](config))
+    revFlowIsReadAndStored(pragma[only_bind_into](c), pragma[only_bind_into](config)) and
+    read(n1, c, n2, pragma[only_bind_into](config)) and
+    revFlow(n2, pragma[only_bind_into](config))
  }

  pragma[nomagic]
@@ -912,14 +903,17 @@ private module Stage1 {
  predicate revFlow(
    NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
  ) {
-    revFlow(node, toReturn, config) and exists(state) and exists(returnAp) and exists(ap)
+    revFlow(node, toReturn, pragma[only_bind_into](config)) and
+    exists(state) and
+    exists(returnAp) and
+    exists(ap)
  }

  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
    revFlow(node, true, config) and
    fwdFlow(node, true, config) and
-    not fullInBarrier(node, config) and
-    not fullOutBarrier(node, config)
+    not inBarrier(node, config) and
+    not outBarrier(node, config)
  }

  /** Holds if flow may return from `callable`. */
@@ -1014,8 +1008,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
  viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
  Stage1::revFlow(ret, config) and
-  not fullOutBarrier(ret, config) and
-  not fullInBarrier(out, config)
+  not outBarrier(ret, config) and
+  not inBarrier(out, config)
 }

 pragma[nomagic]
@@ -1036,8 +1030,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
  viableParamArgNodeCand1(call, p, arg, config) and
  Stage1::revFlow(p, config) and
-  not fullOutBarrier(arg, config) and
-  not fullInBarrier(p, config)
+  not outBarrier(arg, config) and
+  not inBarrier(p, config)
 }

 /**
@@ -1189,7 +1183,7 @@ private module Stage2 {

  bindingset[node, state, ap, config]
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
-    PrevStage::revFlowState(state, config) and
+    PrevStage::revFlowState(state, pragma[only_bind_into](config)) and
    exists(ap) and
    not stateBarrier(node, state, config)
  }
@@ -1614,7 +1608,7 @@ private module Stage2 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      store(node1, tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -1769,9 +1763,9 @@ private module LocalFlowBigStep {
      or
      node.asNode() instanceof OutNodeExt
      or
-      store(_, _, node, _, config)
+      Stage2::storeStepCand(_, _, _, node, _, config)
      or
-      read(_, _, node, config)
+      Stage2::readStepCand(_, _, node, config)
      or
      node instanceof FlowCheckNode
      or
@@ -1792,8 +1786,8 @@ private module LocalFlowBigStep {
      additionalJumpStep(node, next, config) or
      flowIntoCallNodeCand1(_, node, next, config) or
      flowOutOfCallNodeCand1(_, node, next, config) or
-      store(node, _, next, _, config) or
-      read(node, _, next, config)
+      Stage2::storeStepCand(node, _, _, next, _, config) or
+      Stage2::readStepCand(node, _, next, config)
    )
    or
    exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
@@ -1966,7 +1960,24 @@ private module Stage3 {
  private predicate flowIntoCall = flowIntoCallNodeCand2/5;

  pragma[nomagic]
-  private predicate clear(NodeEx node, Ap ap) { ap.isClearedAt(node.asNode()) }
+  private predicate clearSet(NodeEx node, ContentSet c, Configuration config) {
+    PrevStage::revFlow(node, config) and
+    clearsContentCached(node.asNode(), c)
+  }
+
+  pragma[nomagic]
+  private predicate clearContent(NodeEx node, Content c, Configuration config) {
+    exists(ContentSet cs |
+      PrevStage::readStepCand(_, pragma[only_bind_into](c), _, pragma[only_bind_into](config)) and
+      c = cs.getAReadContent() and
+      clearSet(node, cs, pragma[only_bind_into](config))
+    )
+  }
+
+  pragma[nomagic]
+  private predicate clear(NodeEx node, Ap ap, Configuration config) {
+    clearContent(node, ap.getHead().getContent(), config)
+  }

  pragma[nomagic]
  private predicate castingNodeEx(NodeEx node) { node.asNode() instanceof CastingNode }
@@ -1975,7 +1986,7 @@ private module Stage3 {
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
    exists(state) and
    exists(config) and
-    not clear(node, ap) and
+    not clear(node, ap, config) and
    if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), ap.getType()) else any()
  }

@@ -2403,7 +2414,7 @@ private module Stage3 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      store(node1, tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -3230,7 +3241,7 @@ private module Stage4 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      store(node1, tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -4242,7 +4253,7 @@ private module Subpaths {
    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
      localFlowBigStep(n1, _, n2, _, _, _, _, _) or
      store(n1, _, n2, _, _) or
-      read(n1, _, n2, _)
+      readSet(n1, _, n2, _)
    )
  }

@@ -4597,7 +4608,7 @@ private module FlowExploration {
      or
      exists(PartialPathNodeRev mid |
        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentCached(node.asNode(), ap.getHead()) and
+        not clearsContentEx(node, ap.getHead()) and
        not fullBarrier(node, config) and
        not stateBarrier(node, state, config) and
        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
@@ -4613,7 +4624,7 @@ private module FlowExploration {
      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
      not fullBarrier(node, config) and
      not stateBarrier(node, state, config) and
-      not clearsContentCached(node.asNode(), ap.getHead().getContent()) and
+      not clearsContentEx(node, ap.getHead().getContent()) and
      if node.asNode() instanceof CastingNode
      then compatibleTypes(node.getDataFlowType(), ap.getType())
      else any()
@@ -5047,6 +5058,7 @@ private module FlowExploration {
    )
  }

+  pragma[nomagic]
  private predicate revPartialPathStep(
    PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
    TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
@@ -326,7 +326,7 @@ private module Cached {
  predicate jumpStepCached(Node node1, Node node2) { jumpStep(node1, node2) }

  cached
-  predicate clearsContentCached(Node n, Content c) { clearsContent(n, c) }
+  predicate clearsContentCached(Node n, ContentSet c) { clearsContent(n, c) }

  cached
  predicate isUnreachableInCallCached(Node n, DataFlowCall call) { isUnreachableInCall(n, call) }
@@ -373,7 +373,7 @@ private module Cached {
    // For reads, `x.f`, we want to check that the tracked type after the read (which
    // is obtained by popping the head of the access path stack) is compatible with
    // the type of `x.f`.
-    read(_, _, n)
+    readSet(_, _, n)
  }

  cached
@@ -469,7 +469,7 @@ private module Cached {
        // read
        exists(Node mid |
          parameterValueFlowCand(p, mid, false) and
-          read(mid, _, node) and
+          readSet(mid, _, node) and
          read = true
        )
        or
@@ -657,8 +657,10 @@ private module Cached {
       * Holds if `arg` flows to `out` through a call using only
       * value-preserving steps and a single read step, not taking call
       * contexts into account, thus representing a getter-step.
+       *
+       * This predicate is exposed for testing only.
       */
-      predicate getterStep(ArgNode arg, Content c, Node out) {
+      predicate getterStep(ArgNode arg, ContentSet c, Node out) {
        argumentValueFlowsThrough(arg, TReadStepTypesSome(_, c, _), out)
      }

@@ -781,28 +783,30 @@ private module Cached {
    parameterValueFlow(p, n.getPreUpdateNode(), TReadStepTypesNone())
  }

+  cached
+  predicate readSet(Node node1, ContentSet c, Node node2) { readStep(node1, c, node2) }
+
  private predicate store(
    Node node1, Content c, Node node2, DataFlowType contentType, DataFlowType containerType
  ) {
-    storeStep(node1, c, node2) and
-    contentType = getNodeDataFlowType(node1) and
-    containerType = getNodeDataFlowType(node2)
-    or
-    exists(Node n1, Node n2 |
-      n1 = node1.(PostUpdateNode).getPreUpdateNode() and
-      n2 = node2.(PostUpdateNode).getPreUpdateNode()
-    |
-      argumentValueFlowsThrough(n2, TReadStepTypesSome(containerType, c, contentType), n1)
+    exists(ContentSet cs | c = cs.getAStoreContent() |
+      storeStep(node1, cs, node2) and
+      contentType = getNodeDataFlowType(node1) and
+      containerType = getNodeDataFlowType(node2)
      or
-      read(n2, c, n1) and
-      contentType = getNodeDataFlowType(n1) and
-      containerType = getNodeDataFlowType(n2)
+      exists(Node n1, Node n2 |
+        n1 = node1.(PostUpdateNode).getPreUpdateNode() and
+        n2 = node2.(PostUpdateNode).getPreUpdateNode()
+      |
+        argumentValueFlowsThrough(n2, TReadStepTypesSome(containerType, cs, contentType), n1)
+        or
+        readSet(n2, cs, n1) and
+        contentType = getNodeDataFlowType(n1) and
+        containerType = getNodeDataFlowType(n2)
+      )
    )
  }

-  cached
-  predicate read(Node node1, Content c, Node node2) { readStep(node1, c, node2) }
-
  /**
   * Holds if data can flow from `node1` to `node2` via a direct assignment to
   * `f`.
@@ -932,16 +936,16 @@ class CastingNode extends Node {
 }

 private predicate readStepWithTypes(
-  Node n1, DataFlowType container, Content c, Node n2, DataFlowType content
+  Node n1, DataFlowType container, ContentSet c, Node n2, DataFlowType content
 ) {
-  read(n1, c, n2) and
+  readSet(n1, c, n2) and
  container = getNodeDataFlowType(n1) and
  content = getNodeDataFlowType(n2)
 }

 private newtype TReadStepTypesOption =
  TReadStepTypesNone() or
-  TReadStepTypesSome(DataFlowType container, Content c, DataFlowType content) {
+  TReadStepTypesSome(DataFlowType container, ContentSet c, DataFlowType content) {
    readStepWithTypes(_, container, c, _, content)
  }

@@ -950,7 +954,7 @@ private class ReadStepTypesOption extends TReadStepTypesOption {

  DataFlowType getContainerType() { this = TReadStepTypesSome(result, _, _) }

-  Content getContent() { this = TReadStepTypesSome(_, result, _) }
+  ContentSet getContent() { this = TReadStepTypesSome(_, result, _) }

  DataFlowType getContentType() { this = TReadStepTypesSome(_, _, result) }

@@ -1325,8 +1329,6 @@ abstract class AccessPathFront extends TAccessPathFront {
  abstract boolean toBoolNonEmpty();

  TypedContent getHead() { this = TFrontHead(result) }
-
-  predicate isClearedAt(Node n) { clearsContentCached(n, this.getHead().getContent()) }
 }

 class AccessPathFrontNil extends AccessPathFront, TFrontNil {
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -87,21 +87,9 @@ abstract class Configuration extends string {
  /** Holds if data flow into `node` is prohibited. */
  predicate isBarrierIn(Node node) { none() }

-  /**
-   * Holds if data flow into `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * Holds if data flow out of `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
  predicate isBarrierGuard(BarrierGuard guard) { none() }

@@ -128,7 +116,7 @@ abstract class Configuration extends string {
   * Holds if an arbitrary number of implicit read steps of content `c` may be
   * taken at `node`.
   */
-  predicate allowImplicitRead(Node node, Content c) { none() }
+  predicate allowImplicitRead(Node node, ContentSet c) { none() }

  /**
   * Gets the virtual dispatch branching limit when calculating field flow.
@@ -321,7 +309,7 @@ private class RetNodeEx extends NodeEx {
  ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }

-private predicate fullInBarrier(NodeEx node, Configuration config) {
+private predicate inBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierIn(n)
@@ -330,16 +318,7 @@ private predicate fullInBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierIn(n, state)
-  |
-    config.isSource(n, state)
-  )
-}
-
-private predicate fullOutBarrier(NodeEx node, Configuration config) {
+private predicate outBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierOut(n)
@@ -348,15 +327,6 @@ private predicate fullOutBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierOut(n, state)
-  |
-    config.isSink(n, state)
-  )
-}
-
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -382,12 +352,6 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
    or
-    config.isBarrierIn(n, state) and
-    not config.isSource(n, state)
-    or
-    config.isBarrierOut(n, state) and
-    not config.isSink(n, state)
-    or
    exists(BarrierGuard g |
      config.isBarrierGuard(g, state) and
      n = g.getAGuardedNode()
@@ -420,8 +384,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not fullOutBarrier(node1, config) and
-  not fullInBarrier(node2, config) and
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
  not fullBarrier(node1, config) and
  not fullBarrier(node2, config)
 }
@@ -474,8 +438,6 @@ private predicate additionalLocalStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config)
  )
@@ -517,16 +479,15 @@ private predicate additionalJumpStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }

-private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  read(node1.asNode(), c, node2.asNode()) and
+pragma[nomagic]
+private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
+  readSet(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -536,6 +497,25 @@ private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration conf
  )
 }

+// inline to reduce fan-out via `getAReadContent`
+pragma[inline]
+private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
+  exists(ContentSet cs |
+    readSet(node1, cs, node2, config) and
+    c = cs.getAReadContent()
+  )
+}
+
+// inline to reduce fan-out via `getAReadContent`
+pragma[inline]
+private predicate clearsContentEx(NodeEx n, Content c) {
+  exists(ContentSet cs |
+    clearsContentCached(n.asNode(), cs) and
+    c = cs.getAReadContent()
+  )
+}
+
+pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
@@ -613,9 +593,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(Content c |
-      fwdFlowRead(c, node, cc, config) and
-      fwdFlowConsCand(c, config)
+    exists(ContentSet c |
+      fwdFlowReadSet(c, node, cc, config) and
+      fwdFlowConsCandSet(c, _, config)
    )
    or
    // flow into a callable
@@ -639,10 +619,10 @@ private module Stage1 {
  private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }

  pragma[nomagic]
-  private predicate fwdFlowRead(Content c, NodeEx node, Cc cc, Configuration config) {
+  private predicate fwdFlowReadSet(ContentSet c, NodeEx node, Cc cc, Configuration config) {
    exists(NodeEx mid |
      fwdFlow(mid, cc, config) and
-      read(mid, c, node, config)
+      readSet(mid, c, node, config)
    )
  }

@@ -660,6 +640,16 @@ private module Stage1 {
    )
  }

+  /**
+   * Holds if `cs` may be interpreted in a read as the target of some store
+   * into `c`, in the flow covered by `fwdFlow`.
+   */
+  pragma[nomagic]
+  private predicate fwdFlowConsCandSet(ContentSet cs, Content c, Configuration config) {
+    fwdFlowConsCand(c, config) and
+    c = cs.getAReadContent()
+  }
+
  pragma[nomagic]
  private predicate fwdFlowReturnPosition(ReturnPosition pos, Cc cc, Configuration config) {
    exists(RetNodeEx ret |
@@ -752,9 +742,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(NodeEx mid, Content c |
-      read(node, c, mid, config) and
-      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
+    exists(NodeEx mid, ContentSet c |
+      readSet(node, c, mid, config) and
+      fwdFlowConsCandSet(c, _, pragma[only_bind_into](config)) and
      revFlow(mid, toReturn, pragma[only_bind_into](config))
    )
    or
@@ -780,10 +770,10 @@ private module Stage1 {
   */
  pragma[nomagic]
  private predicate revFlowConsCand(Content c, Configuration config) {
-    exists(NodeEx mid, NodeEx node |
+    exists(NodeEx mid, NodeEx node, ContentSet cs |
      fwdFlow(node, pragma[only_bind_into](config)) and
-      read(node, c, mid, config) and
-      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
+      readSet(node, cs, mid, config) and
+      fwdFlowConsCandSet(cs, c, pragma[only_bind_into](config)) and
      revFlow(pragma[only_bind_into](mid), _, pragma[only_bind_into](config))
    )
  }
@@ -802,6 +792,7 @@ private module Stage1 {
   * Holds if `c` is the target of both a read and a store in the flow covered
   * by `revFlow`.
   */
+  pragma[nomagic]
  private predicate revFlowIsReadAndStored(Content c, Configuration conf) {
    revFlowConsCand(c, conf) and
    revFlowStore(c, _, _, conf)
@@ -900,9 +891,9 @@ private module Stage1 {

  pragma[nomagic]
  predicate readStepCand(NodeEx n1, Content c, NodeEx n2, Configuration config) {
-    revFlowIsReadAndStored(c, pragma[only_bind_into](config)) and
-    revFlow(n2, pragma[only_bind_into](config)) and
-    read(n1, c, n2, pragma[only_bind_into](config))
+    revFlowIsReadAndStored(pragma[only_bind_into](c), pragma[only_bind_into](config)) and
+    read(n1, c, n2, pragma[only_bind_into](config)) and
+    revFlow(n2, pragma[only_bind_into](config))
  }

  pragma[nomagic]
@@ -912,14 +903,17 @@ private module Stage1 {
  predicate revFlow(
    NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
  ) {
-    revFlow(node, toReturn, config) and exists(state) and exists(returnAp) and exists(ap)
+    revFlow(node, toReturn, pragma[only_bind_into](config)) and
+    exists(state) and
+    exists(returnAp) and
+    exists(ap)
  }

  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
    revFlow(node, true, config) and
    fwdFlow(node, true, config) and
-    not fullInBarrier(node, config) and
-    not fullOutBarrier(node, config)
+    not inBarrier(node, config) and
+    not outBarrier(node, config)
  }

  /** Holds if flow may return from `callable`. */
@@ -1014,8 +1008,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
  viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
  Stage1::revFlow(ret, config) and
-  not fullOutBarrier(ret, config) and
-  not fullInBarrier(out, config)
+  not outBarrier(ret, config) and
+  not inBarrier(out, config)
 }

 pragma[nomagic]
@@ -1036,8 +1030,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
  viableParamArgNodeCand1(call, p, arg, config) and
  Stage1::revFlow(p, config) and
-  not fullOutBarrier(arg, config) and
-  not fullInBarrier(p, config)
+  not outBarrier(arg, config) and
+  not inBarrier(p, config)
 }

 /**
@@ -1189,7 +1183,7 @@ private module Stage2 {

  bindingset[node, state, ap, config]
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
-    PrevStage::revFlowState(state, config) and
+    PrevStage::revFlowState(state, pragma[only_bind_into](config)) and
    exists(ap) and
    not stateBarrier(node, state, config)
  }
@@ -1614,7 +1608,7 @@ private module Stage2 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      store(node1, tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -1769,9 +1763,9 @@ private module LocalFlowBigStep {
      or
      node.asNode() instanceof OutNodeExt
      or
-      store(_, _, node, _, config)
+      Stage2::storeStepCand(_, _, _, node, _, config)
      or
-      read(_, _, node, config)
+      Stage2::readStepCand(_, _, node, config)
      or
      node instanceof FlowCheckNode
      or
@@ -1792,8 +1786,8 @@ private module LocalFlowBigStep {
      additionalJumpStep(node, next, config) or
      flowIntoCallNodeCand1(_, node, next, config) or
      flowOutOfCallNodeCand1(_, node, next, config) or
-      store(node, _, next, _, config) or
-      read(node, _, next, config)
+      Stage2::storeStepCand(node, _, _, next, _, config) or
+      Stage2::readStepCand(node, _, next, config)
    )
    or
    exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
@@ -1966,7 +1960,24 @@ private module Stage3 {
  private predicate flowIntoCall = flowIntoCallNodeCand2/5;

  pragma[nomagic]
-  private predicate clear(NodeEx node, Ap ap) { ap.isClearedAt(node.asNode()) }
+  private predicate clearSet(NodeEx node, ContentSet c, Configuration config) {
+    PrevStage::revFlow(node, config) and
+    clearsContentCached(node.asNode(), c)
+  }
+
+  pragma[nomagic]
+  private predicate clearContent(NodeEx node, Content c, Configuration config) {
+    exists(ContentSet cs |
+      PrevStage::readStepCand(_, pragma[only_bind_into](c), _, pragma[only_bind_into](config)) and
+      c = cs.getAReadContent() and
+      clearSet(node, cs, pragma[only_bind_into](config))
+    )
+  }
+
+  pragma[nomagic]
+  private predicate clear(NodeEx node, Ap ap, Configuration config) {
+    clearContent(node, ap.getHead().getContent(), config)
+  }

  pragma[nomagic]
  private predicate castingNodeEx(NodeEx node) { node.asNode() instanceof CastingNode }
@@ -1975,7 +1986,7 @@ private module Stage3 {
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
    exists(state) and
    exists(config) and
-    not clear(node, ap) and
+    not clear(node, ap, config) and
    if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), ap.getType()) else any()
  }

@@ -2403,7 +2414,7 @@ private module Stage3 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      store(node1, tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -3230,7 +3241,7 @@ private module Stage4 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      store(node1, tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -4242,7 +4253,7 @@ private module Subpaths {
    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
      localFlowBigStep(n1, _, n2, _, _, _, _, _) or
      store(n1, _, n2, _, _) or
-      read(n1, _, n2, _)
+      readSet(n1, _, n2, _)
    )
  }

@@ -4597,7 +4608,7 @@ private module FlowExploration {
      or
      exists(PartialPathNodeRev mid |
        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentCached(node.asNode(), ap.getHead()) and
+        not clearsContentEx(node, ap.getHead()) and
        not fullBarrier(node, config) and
        not stateBarrier(node, state, config) and
        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
@@ -4613,7 +4624,7 @@ private module FlowExploration {
      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
      not fullBarrier(node, config) and
      not stateBarrier(node, state, config) and
-      not clearsContentCached(node.asNode(), ap.getHead().getContent()) and
+      not clearsContentEx(node, ap.getHead().getContent()) and
      if node.asNode() instanceof CastingNode
      then compatibleTypes(node.getDataFlowType(), ap.getType())
      else any()
@@ -5047,6 +5058,7 @@ private module FlowExploration {
    )
  }

+  pragma[nomagic]
  private predicate revPartialPathStep(
    PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
    TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
@@ -821,6 +821,34 @@ private class CollectionContent extends Content, TCollectionContent {
  override string toString() { result = "<element>" }
 }

+/**
+ * An entity that represents a set of `Content`s.
+ *
+ * The set may be interpreted differently depending on whether it is
+ * stored into (`getAStoreContent`) or read from (`getAReadContent`).
+ */
+class ContentSet instanceof Content {
+  /** Gets a content that may be stored into when storing into this set. */
+  Content getAStoreContent() { result = this }
+
+  /** Gets a content that may be read from when reading from this set. */
+  Content getAReadContent() { result = this }
+
+  /** Gets a textual representation of this content set. */
+  string toString() { result = super.toString() }
+
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
+    super.hasLocationInfo(path, sl, sc, el, ec)
+  }
+}
+
 /**
 * A guard that validates some expression.
 *
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
@@ -109,16 +109,6 @@ abstract class Configuration extends DataFlow::Configuration {
  /** Holds if taint propagation into `node` is prohibited. */
  predicate isSanitizerIn(DataFlow::Node node) { none() }

-  /**
-   * Holds if taint propagation into `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizerIn(node, state)
-  }
-
  final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }

  /** Holds if taint propagation out of `node` is prohibited. */
@@ -126,16 +116,6 @@ abstract class Configuration extends DataFlow::Configuration {

  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }

-  /**
-   * Holds if taint propagation out of `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizerOut(node, state)
-  }
-
  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }

@@ -181,7 +161,7 @@ abstract class Configuration extends DataFlow::Configuration {
    this.isAdditionalTaintStep(node1, state1, node2, state2)
  }

-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
    defaultImplicitTaintRead(node, c)
  }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
@@ -109,16 +109,6 @@ abstract class Configuration extends DataFlow::Configuration {
  /** Holds if taint propagation into `node` is prohibited. */
  predicate isSanitizerIn(DataFlow::Node node) { none() }

-  /**
-   * Holds if taint propagation into `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizerIn(node, state)
-  }
-
  final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }

  /** Holds if taint propagation out of `node` is prohibited. */
@@ -126,16 +116,6 @@ abstract class Configuration extends DataFlow::Configuration {

  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }

-  /**
-   * Holds if taint propagation out of `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizerOut(node, state)
-  }
-
  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }

@@ -181,7 +161,7 @@ abstract class Configuration extends DataFlow::Configuration {
    this.isAdditionalTaintStep(node1, state1, node2, state2)
  }

-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
    defaultImplicitTaintRead(node, c)
  }
--- a/cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll
@@ -49,6 +49,9 @@ class Expr extends StmtParent, @expr {
  /** Gets the enclosing variable of this expression, if any. */
  Variable getEnclosingVariable() { result = exprEnclosingElement(this) }

+  /** Gets the enclosing variable or function of this expression. */
+  Declaration getEnclosingDeclaration() { result = exprEnclosingElement(this) }
+
  /** Gets a child of this expression. */
  Expr getAChild() { exists(int n | result = this.getChild(n)) }

--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -87,21 +87,9 @@ abstract class Configuration extends string {
  /** Holds if data flow into `node` is prohibited. */
  predicate isBarrierIn(Node node) { none() }

-  /**
-   * Holds if data flow into `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * Holds if data flow out of `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
  predicate isBarrierGuard(BarrierGuard guard) { none() }

@@ -128,7 +116,7 @@ abstract class Configuration extends string {
   * Holds if an arbitrary number of implicit read steps of content `c` may be
   * taken at `node`.
   */
-  predicate allowImplicitRead(Node node, Content c) { none() }
+  predicate allowImplicitRead(Node node, ContentSet c) { none() }

  /**
   * Gets the virtual dispatch branching limit when calculating field flow.
@@ -321,7 +309,7 @@ private class RetNodeEx extends NodeEx {
  ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }

-private predicate fullInBarrier(NodeEx node, Configuration config) {
+private predicate inBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierIn(n)
@@ -330,16 +318,7 @@ private predicate fullInBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierIn(n, state)
-  |
-    config.isSource(n, state)
-  )
-}
-
-private predicate fullOutBarrier(NodeEx node, Configuration config) {
+private predicate outBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierOut(n)
@@ -348,15 +327,6 @@ private predicate fullOutBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierOut(n, state)
-  |
-    config.isSink(n, state)
-  )
-}
-
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -382,12 +352,6 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
    or
-    config.isBarrierIn(n, state) and
-    not config.isSource(n, state)
-    or
-    config.isBarrierOut(n, state) and
-    not config.isSink(n, state)
-    or
    exists(BarrierGuard g |
      config.isBarrierGuard(g, state) and
      n = g.getAGuardedNode()
@@ -420,8 +384,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not fullOutBarrier(node1, config) and
-  not fullInBarrier(node2, config) and
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
  not fullBarrier(node1, config) and
  not fullBarrier(node2, config)
 }
@@ -474,8 +438,6 @@ private predicate additionalLocalStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config)
  )
@@ -517,16 +479,15 @@ private predicate additionalJumpStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }

-private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  read(node1.asNode(), c, node2.asNode()) and
+pragma[nomagic]
+private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
+  readSet(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -536,6 +497,25 @@ private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration conf
  )
 }

+// inline to reduce fan-out via `getAReadContent`
+pragma[inline]
+private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
+  exists(ContentSet cs |
+    readSet(node1, cs, node2, config) and
+    c = cs.getAReadContent()
+  )
+}
+
+// inline to reduce fan-out via `getAReadContent`
+pragma[inline]
+private predicate clearsContentEx(NodeEx n, Content c) {
+  exists(ContentSet cs |
+    clearsContentCached(n.asNode(), cs) and
+    c = cs.getAReadContent()
+  )
+}
+
+pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
@@ -613,9 +593,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(Content c |
-      fwdFlowRead(c, node, cc, config) and
-      fwdFlowConsCand(c, config)
+    exists(ContentSet c |
+      fwdFlowReadSet(c, node, cc, config) and
+      fwdFlowConsCandSet(c, _, config)
    )
    or
    // flow into a callable
@@ -639,10 +619,10 @@ private module Stage1 {
  private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }

  pragma[nomagic]
-  private predicate fwdFlowRead(Content c, NodeEx node, Cc cc, Configuration config) {
+  private predicate fwdFlowReadSet(ContentSet c, NodeEx node, Cc cc, Configuration config) {
    exists(NodeEx mid |
      fwdFlow(mid, cc, config) and
-      read(mid, c, node, config)
+      readSet(mid, c, node, config)
    )
  }

@@ -660,6 +640,16 @@ private module Stage1 {
    )
  }

+  /**
+   * Holds if `cs` may be interpreted in a read as the target of some store
+   * into `c`, in the flow covered by `fwdFlow`.
+   */
+  pragma[nomagic]
+  private predicate fwdFlowConsCandSet(ContentSet cs, Content c, Configuration config) {
+    fwdFlowConsCand(c, config) and
+    c = cs.getAReadContent()
+  }
+
  pragma[nomagic]
  private predicate fwdFlowReturnPosition(ReturnPosition pos, Cc cc, Configuration config) {
    exists(RetNodeEx ret |
@@ -752,9 +742,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(NodeEx mid, Content c |
-      read(node, c, mid, config) and
-      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
+    exists(NodeEx mid, ContentSet c |
+      readSet(node, c, mid, config) and
+      fwdFlowConsCandSet(c, _, pragma[only_bind_into](config)) and
      revFlow(mid, toReturn, pragma[only_bind_into](config))
    )
    or
@@ -780,10 +770,10 @@ private module Stage1 {
   */
  pragma[nomagic]
  private predicate revFlowConsCand(Content c, Configuration config) {
-    exists(NodeEx mid, NodeEx node |
+    exists(NodeEx mid, NodeEx node, ContentSet cs |
      fwdFlow(node, pragma[only_bind_into](config)) and
-      read(node, c, mid, config) and
-      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
+      readSet(node, cs, mid, config) and
+      fwdFlowConsCandSet(cs, c, pragma[only_bind_into](config)) and
      revFlow(pragma[only_bind_into](mid), _, pragma[only_bind_into](config))
    )
  }
@@ -802,6 +792,7 @@ private module Stage1 {
   * Holds if `c` is the target of both a read and a store in the flow covered
   * by `revFlow`.
   */
+  pragma[nomagic]
  private predicate revFlowIsReadAndStored(Content c, Configuration conf) {
    revFlowConsCand(c, conf) and
    revFlowStore(c, _, _, conf)
@@ -900,9 +891,9 @@ private module Stage1 {

  pragma[nomagic]
  predicate readStepCand(NodeEx n1, Content c, NodeEx n2, Configuration config) {
-    revFlowIsReadAndStored(c, pragma[only_bind_into](config)) and
-    revFlow(n2, pragma[only_bind_into](config)) and
-    read(n1, c, n2, pragma[only_bind_into](config))
+    revFlowIsReadAndStored(pragma[only_bind_into](c), pragma[only_bind_into](config)) and
+    read(n1, c, n2, pragma[only_bind_into](config)) and
+    revFlow(n2, pragma[only_bind_into](config))
  }

  pragma[nomagic]
@@ -912,14 +903,17 @@ private module Stage1 {
  predicate revFlow(
    NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
  ) {
-    revFlow(node, toReturn, config) and exists(state) and exists(returnAp) and exists(ap)
+    revFlow(node, toReturn, pragma[only_bind_into](config)) and
+    exists(state) and
+    exists(returnAp) and
+    exists(ap)
  }

  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
    revFlow(node, true, config) and
    fwdFlow(node, true, config) and
-    not fullInBarrier(node, config) and
-    not fullOutBarrier(node, config)
+    not inBarrier(node, config) and
+    not outBarrier(node, config)
  }

  /** Holds if flow may return from `callable`. */
@@ -1014,8 +1008,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
  viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
  Stage1::revFlow(ret, config) and
-  not fullOutBarrier(ret, config) and
-  not fullInBarrier(out, config)
+  not outBarrier(ret, config) and
+  not inBarrier(out, config)
 }

 pragma[nomagic]
@@ -1036,8 +1030,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
  viableParamArgNodeCand1(call, p, arg, config) and
  Stage1::revFlow(p, config) and
-  not fullOutBarrier(arg, config) and
-  not fullInBarrier(p, config)
+  not outBarrier(arg, config) and
+  not inBarrier(p, config)
 }

 /**
@@ -1189,7 +1183,7 @@ private module Stage2 {

  bindingset[node, state, ap, config]
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
-    PrevStage::revFlowState(state, config) and
+    PrevStage::revFlowState(state, pragma[only_bind_into](config)) and
    exists(ap) and
    not stateBarrier(node, state, config)
  }
@@ -1614,7 +1608,7 @@ private module Stage2 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      store(node1, tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -1769,9 +1763,9 @@ private module LocalFlowBigStep {
      or
      node.asNode() instanceof OutNodeExt
      or
-      store(_, _, node, _, config)
+      Stage2::storeStepCand(_, _, _, node, _, config)
      or
-      read(_, _, node, config)
+      Stage2::readStepCand(_, _, node, config)
      or
      node instanceof FlowCheckNode
      or
@@ -1792,8 +1786,8 @@ private module LocalFlowBigStep {
      additionalJumpStep(node, next, config) or
      flowIntoCallNodeCand1(_, node, next, config) or
      flowOutOfCallNodeCand1(_, node, next, config) or
-      store(node, _, next, _, config) or
-      read(node, _, next, config)
+      Stage2::storeStepCand(node, _, _, next, _, config) or
+      Stage2::readStepCand(node, _, next, config)
    )
    or
    exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
@@ -1966,7 +1960,24 @@ private module Stage3 {
  private predicate flowIntoCall = flowIntoCallNodeCand2/5;

  pragma[nomagic]
-  private predicate clear(NodeEx node, Ap ap) { ap.isClearedAt(node.asNode()) }
+  private predicate clearSet(NodeEx node, ContentSet c, Configuration config) {
+    PrevStage::revFlow(node, config) and
+    clearsContentCached(node.asNode(), c)
+  }
+
+  pragma[nomagic]
+  private predicate clearContent(NodeEx node, Content c, Configuration config) {
+    exists(ContentSet cs |
+      PrevStage::readStepCand(_, pragma[only_bind_into](c), _, pragma[only_bind_into](config)) and
+      c = cs.getAReadContent() and
+      clearSet(node, cs, pragma[only_bind_into](config))
+    )
+  }
+
+  pragma[nomagic]
+  private predicate clear(NodeEx node, Ap ap, Configuration config) {
+    clearContent(node, ap.getHead().getContent(), config)
+  }

  pragma[nomagic]
  private predicate castingNodeEx(NodeEx node) { node.asNode() instanceof CastingNode }
@@ -1975,7 +1986,7 @@ private module Stage3 {
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
    exists(state) and
    exists(config) and
-    not clear(node, ap) and
+    not clear(node, ap, config) and
    if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), ap.getType()) else any()
  }

@@ -2403,7 +2414,7 @@ private module Stage3 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      store(node1, tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -3230,7 +3241,7 @@ private module Stage4 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      store(node1, tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -4242,7 +4253,7 @@ private module Subpaths {
    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
      localFlowBigStep(n1, _, n2, _, _, _, _, _) or
      store(n1, _, n2, _, _) or
-      read(n1, _, n2, _)
+      readSet(n1, _, n2, _)
    )
  }

@@ -4597,7 +4608,7 @@ private module FlowExploration {
      or
      exists(PartialPathNodeRev mid |
        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentCached(node.asNode(), ap.getHead()) and
+        not clearsContentEx(node, ap.getHead()) and
        not fullBarrier(node, config) and
        not stateBarrier(node, state, config) and
        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
@@ -4613,7 +4624,7 @@ private module FlowExploration {
      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
      not fullBarrier(node, config) and
      not stateBarrier(node, state, config) and
-      not clearsContentCached(node.asNode(), ap.getHead().getContent()) and
+      not clearsContentEx(node, ap.getHead().getContent()) and
      if node.asNode() instanceof CastingNode
      then compatibleTypes(node.getDataFlowType(), ap.getType())
      else any()
@@ -5047,6 +5058,7 @@ private module FlowExploration {
    )
  }

+  pragma[nomagic]
  private predicate revPartialPathStep(
    PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
    TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -87,21 +87,9 @@ abstract class Configuration extends string {
  /** Holds if data flow into `node` is prohibited. */
  predicate isBarrierIn(Node node) { none() }

-  /**
-   * Holds if data flow into `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * Holds if data flow out of `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
  predicate isBarrierGuard(BarrierGuard guard) { none() }

@@ -128,7 +116,7 @@ abstract class Configuration extends string {
   * Holds if an arbitrary number of implicit read steps of content `c` may be
   * taken at `node`.
   */
-  predicate allowImplicitRead(Node node, Content c) { none() }
+  predicate allowImplicitRead(Node node, ContentSet c) { none() }

  /**
   * Gets the virtual dispatch branching limit when calculating field flow.
@@ -321,7 +309,7 @@ private class RetNodeEx extends NodeEx {
  ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }

-private predicate fullInBarrier(NodeEx node, Configuration config) {
+private predicate inBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierIn(n)
@@ -330,16 +318,7 @@ private predicate fullInBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierIn(n, state)
-  |
-    config.isSource(n, state)
-  )
-}
-
-private predicate fullOutBarrier(NodeEx node, Configuration config) {
+private predicate outBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierOut(n)
@@ -348,15 +327,6 @@ private predicate fullOutBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierOut(n, state)
-  |
-    config.isSink(n, state)
-  )
-}
-
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -382,12 +352,6 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
    or
-    config.isBarrierIn(n, state) and
-    not config.isSource(n, state)
-    or
-    config.isBarrierOut(n, state) and
-    not config.isSink(n, state)
-    or
    exists(BarrierGuard g |
      config.isBarrierGuard(g, state) and
      n = g.getAGuardedNode()
@@ -420,8 +384,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not fullOutBarrier(node1, config) and
-  not fullInBarrier(node2, config) and
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
  not fullBarrier(node1, config) and
  not fullBarrier(node2, config)
 }
@@ -474,8 +438,6 @@ private predicate additionalLocalStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config)
  )
@@ -517,16 +479,15 @@ private predicate additionalJumpStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }

-private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  read(node1.asNode(), c, node2.asNode()) and
+pragma[nomagic]
+private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
+  readSet(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -536,6 +497,25 @@ private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration conf
  )
 }

+// inline to reduce fan-out via `getAReadContent`
+pragma[inline]
+private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
+  exists(ContentSet cs |
+    readSet(node1, cs, node2, config) and
+    c = cs.getAReadContent()
+  )
+}
+
+// inline to reduce fan-out via `getAReadContent`
+pragma[inline]
+private predicate clearsContentEx(NodeEx n, Content c) {
+  exists(ContentSet cs |
+    clearsContentCached(n.asNode(), cs) and
+    c = cs.getAReadContent()
+  )
+}
+
+pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
@@ -613,9 +593,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(Content c |
-      fwdFlowRead(c, node, cc, config) and
-      fwdFlowConsCand(c, config)
+    exists(ContentSet c |
+      fwdFlowReadSet(c, node, cc, config) and
+      fwdFlowConsCandSet(c, _, config)
    )
    or
    // flow into a callable
@@ -639,10 +619,10 @@ private module Stage1 {
  private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }

  pragma[nomagic]
-  private predicate fwdFlowRead(Content c, NodeEx node, Cc cc, Configuration config) {
+  private predicate fwdFlowReadSet(ContentSet c, NodeEx node, Cc cc, Configuration config) {
    exists(NodeEx mid |
      fwdFlow(mid, cc, config) and
-      read(mid, c, node, config)
+      readSet(mid, c, node, config)
    )
  }

@@ -660,6 +640,16 @@ private module Stage1 {
    )
  }

+  /**
+   * Holds if `cs` may be interpreted in a read as the target of some store
+   * into `c`, in the flow covered by `fwdFlow`.
+   */
+  pragma[nomagic]
+  private predicate fwdFlowConsCandSet(ContentSet cs, Content c, Configuration config) {
+    fwdFlowConsCand(c, config) and
+    c = cs.getAReadContent()
+  }
+
  pragma[nomagic]
  private predicate fwdFlowReturnPosition(ReturnPosition pos, Cc cc, Configuration config) {
    exists(RetNodeEx ret |
@@ -752,9 +742,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(NodeEx mid, Content c |
-      read(node, c, mid, config) and
-      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
+    exists(NodeEx mid, ContentSet c |
+      readSet(node, c, mid, config) and
+      fwdFlowConsCandSet(c, _, pragma[only_bind_into](config)) and
      revFlow(mid, toReturn, pragma[only_bind_into](config))
    )
    or
@@ -780,10 +770,10 @@ private module Stage1 {
   */
  pragma[nomagic]
  private predicate revFlowConsCand(Content c, Configuration config) {
-    exists(NodeEx mid, NodeEx node |
+    exists(NodeEx mid, NodeEx node, ContentSet cs |
      fwdFlow(node, pragma[only_bind_into](config)) and
-      read(node, c, mid, config) and
-      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
+      readSet(node, cs, mid, config) and
+      fwdFlowConsCandSet(cs, c, pragma[only_bind_into](config)) and
      revFlow(pragma[only_bind_into](mid), _, pragma[only_bind_into](config))
    )
  }
@@ -802,6 +792,7 @@ private module Stage1 {
   * Holds if `c` is the target of both a read and a store in the flow covered
   * by `revFlow`.
   */
+  pragma[nomagic]
  private predicate revFlowIsReadAndStored(Content c, Configuration conf) {
    revFlowConsCand(c, conf) and
    revFlowStore(c, _, _, conf)
@@ -900,9 +891,9 @@ private module Stage1 {

  pragma[nomagic]
  predicate readStepCand(NodeEx n1, Content c, NodeEx n2, Configuration config) {
-    revFlowIsReadAndStored(c, pragma[only_bind_into](config)) and
-    revFlow(n2, pragma[only_bind_into](config)) and
-    read(n1, c, n2, pragma[only_bind_into](config))
+    revFlowIsReadAndStored(pragma[only_bind_into](c), pragma[only_bind_into](config)) and
+    read(n1, c, n2, pragma[only_bind_into](config)) and
+    revFlow(n2, pragma[only_bind_into](config))
  }

  pragma[nomagic]
@@ -912,14 +903,17 @@ private module Stage1 {
  predicate revFlow(
    NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
  ) {
-    revFlow(node, toReturn, config) and exists(state) and exists(returnAp) and exists(ap)
+    revFlow(node, toReturn, pragma[only_bind_into](config)) and
+    exists(state) and
+    exists(returnAp) and
+    exists(ap)
  }

  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
    revFlow(node, true, config) and
    fwdFlow(node, true, config) and
-    not fullInBarrier(node, config) and
-    not fullOutBarrier(node, config)
+    not inBarrier(node, config) and
+    not outBarrier(node, config)
  }

  /** Holds if flow may return from `callable`. */
@@ -1014,8 +1008,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
  viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
  Stage1::revFlow(ret, config) and
-  not fullOutBarrier(ret, config) and
-  not fullInBarrier(out, config)
+  not outBarrier(ret, config) and
+  not inBarrier(out, config)
 }

 pragma[nomagic]
@@ -1036,8 +1030,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
  viableParamArgNodeCand1(call, p, arg, config) and
  Stage1::revFlow(p, config) and
-  not fullOutBarrier(arg, config) and
-  not fullInBarrier(p, config)
+  not outBarrier(arg, config) and
+  not inBarrier(p, config)
 }

 /**
@@ -1189,7 +1183,7 @@ private module Stage2 {

  bindingset[node, state, ap, config]
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
-    PrevStage::revFlowState(state, config) and
+    PrevStage::revFlowState(state, pragma[only_bind_into](config)) and
    exists(ap) and
    not stateBarrier(node, state, config)
  }
@@ -1614,7 +1608,7 @@ private module Stage2 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      store(node1, tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -1769,9 +1763,9 @@ private module LocalFlowBigStep {
      or
      node.asNode() instanceof OutNodeExt
      or
-      store(_, _, node, _, config)
+      Stage2::storeStepCand(_, _, _, node, _, config)
      or
-      read(_, _, node, config)
+      Stage2::readStepCand(_, _, node, config)
      or
      node instanceof FlowCheckNode
      or
@@ -1792,8 +1786,8 @@ private module LocalFlowBigStep {
      additionalJumpStep(node, next, config) or
      flowIntoCallNodeCand1(_, node, next, config) or
      flowOutOfCallNodeCand1(_, node, next, config) or
-      store(node, _, next, _, config) or
-      read(node, _, next, config)
+      Stage2::storeStepCand(node, _, _, next, _, config) or
+      Stage2::readStepCand(node, _, next, config)
    )
    or
    exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
@@ -1966,7 +1960,24 @@ private module Stage3 {
  private predicate flowIntoCall = flowIntoCallNodeCand2/5;

  pragma[nomagic]
-  private predicate clear(NodeEx node, Ap ap) { ap.isClearedAt(node.asNode()) }
+  private predicate clearSet(NodeEx node, ContentSet c, Configuration config) {
+    PrevStage::revFlow(node, config) and
+    clearsContentCached(node.asNode(), c)
+  }
+
+  pragma[nomagic]
+  private predicate clearContent(NodeEx node, Content c, Configuration config) {
+    exists(ContentSet cs |
+      PrevStage::readStepCand(_, pragma[only_bind_into](c), _, pragma[only_bind_into](config)) and
+      c = cs.getAReadContent() and
+      clearSet(node, cs, pragma[only_bind_into](config))
+    )
+  }
+
+  pragma[nomagic]
+  private predicate clear(NodeEx node, Ap ap, Configuration config) {
+    clearContent(node, ap.getHead().getContent(), config)
+  }

  pragma[nomagic]
  private predicate castingNodeEx(NodeEx node) { node.asNode() instanceof CastingNode }
@@ -1975,7 +1986,7 @@ private module Stage3 {
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
    exists(state) and
    exists(config) and
-    not clear(node, ap) and
+    not clear(node, ap, config) and
    if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), ap.getType()) else any()
  }

@@ -2403,7 +2414,7 @@ private module Stage3 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      store(node1, tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -3230,7 +3241,7 @@ private module Stage4 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      store(node1, tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -4242,7 +4253,7 @@ private module Subpaths {
    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
      localFlowBigStep(n1, _, n2, _, _, _, _, _) or
      store(n1, _, n2, _, _) or
-      read(n1, _, n2, _)
+      readSet(n1, _, n2, _)
    )
  }

@@ -4597,7 +4608,7 @@ private module FlowExploration {
      or
      exists(PartialPathNodeRev mid |
        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentCached(node.asNode(), ap.getHead()) and
+        not clearsContentEx(node, ap.getHead()) and
        not fullBarrier(node, config) and
        not stateBarrier(node, state, config) and
        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
@@ -4613,7 +4624,7 @@ private module FlowExploration {
      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
      not fullBarrier(node, config) and
      not stateBarrier(node, state, config) and
-      not clearsContentCached(node.asNode(), ap.getHead().getContent()) and
+      not clearsContentEx(node, ap.getHead().getContent()) and
      if node.asNode() instanceof CastingNode
      then compatibleTypes(node.getDataFlowType(), ap.getType())
      else any()
@@ -5047,6 +5058,7 @@ private module FlowExploration {
    )
  }

+  pragma[nomagic]
  private predicate revPartialPathStep(
    PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
    TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -87,21 +87,9 @@ abstract class Configuration extends string {
  /** Holds if data flow into `node` is prohibited. */
  predicate isBarrierIn(Node node) { none() }

-  /**
-   * Holds if data flow into `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * Holds if data flow out of `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
  predicate isBarrierGuard(BarrierGuard guard) { none() }

@@ -128,7 +116,7 @@ abstract class Configuration extends string {
   * Holds if an arbitrary number of implicit read steps of content `c` may be
   * taken at `node`.
   */
-  predicate allowImplicitRead(Node node, Content c) { none() }
+  predicate allowImplicitRead(Node node, ContentSet c) { none() }

  /**
   * Gets the virtual dispatch branching limit when calculating field flow.
@@ -321,7 +309,7 @@ private class RetNodeEx extends NodeEx {
  ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }

-private predicate fullInBarrier(NodeEx node, Configuration config) {
+private predicate inBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierIn(n)
@@ -330,16 +318,7 @@ private predicate fullInBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierIn(n, state)
-  |
-    config.isSource(n, state)
-  )
-}
-
-private predicate fullOutBarrier(NodeEx node, Configuration config) {
+private predicate outBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierOut(n)
@@ -348,15 +327,6 @@ private predicate fullOutBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierOut(n, state)
-  |
-    config.isSink(n, state)
-  )
-}
-
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -382,12 +352,6 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
    or
-    config.isBarrierIn(n, state) and
-    not config.isSource(n, state)
-    or
-    config.isBarrierOut(n, state) and
-    not config.isSink(n, state)
-    or
    exists(BarrierGuard g |
      config.isBarrierGuard(g, state) and
      n = g.getAGuardedNode()
@@ -420,8 +384,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not fullOutBarrier(node1, config) and
-  not fullInBarrier(node2, config) and
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
  not fullBarrier(node1, config) and
  not fullBarrier(node2, config)
 }
@@ -474,8 +438,6 @@ private predicate additionalLocalStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config)
  )
@@ -517,16 +479,15 @@ private predicate additionalJumpStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }

-private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  read(node1.asNode(), c, node2.asNode()) and
+pragma[nomagic]
+private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
+  readSet(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -536,6 +497,25 @@ private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration conf
  )
 }

+// inline to reduce fan-out via `getAReadContent`
+pragma[inline]
+private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
+  exists(ContentSet cs |
+    readSet(node1, cs, node2, config) and
+    c = cs.getAReadContent()
+  )
+}
+
+// inline to reduce fan-out via `getAReadContent`
+pragma[inline]
+private predicate clearsContentEx(NodeEx n, Content c) {
+  exists(ContentSet cs |
+    clearsContentCached(n.asNode(), cs) and
+    c = cs.getAReadContent()
+  )
+}
+
+pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
@@ -613,9 +593,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(Content c |
-      fwdFlowRead(c, node, cc, config) and
-      fwdFlowConsCand(c, config)
+    exists(ContentSet c |
+      fwdFlowReadSet(c, node, cc, config) and
+      fwdFlowConsCandSet(c, _, config)
    )
    or
    // flow into a callable
@@ -639,10 +619,10 @@ private module Stage1 {
  private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }

  pragma[nomagic]
-  private predicate fwdFlowRead(Content c, NodeEx node, Cc cc, Configuration config) {
+  private predicate fwdFlowReadSet(ContentSet c, NodeEx node, Cc cc, Configuration config) {
    exists(NodeEx mid |
      fwdFlow(mid, cc, config) and
-      read(mid, c, node, config)
+      readSet(mid, c, node, config)
    )
  }

@@ -660,6 +640,16 @@ private module Stage1 {
    )
  }

+  /**
+   * Holds if `cs` may be interpreted in a read as the target of some store
+   * into `c`, in the flow covered by `fwdFlow`.
+   */
+  pragma[nomagic]
+  private predicate fwdFlowConsCandSet(ContentSet cs, Content c, Configuration config) {
+    fwdFlowConsCand(c, config) and
+    c = cs.getAReadContent()
+  }
+
  pragma[nomagic]
  private predicate fwdFlowReturnPosition(ReturnPosition pos, Cc cc, Configuration config) {
    exists(RetNodeEx ret |
@@ -752,9 +742,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(NodeEx mid, Content c |
-      read(node, c, mid, config) and
-      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
+    exists(NodeEx mid, ContentSet c |
+      readSet(node, c, mid, config) and
+      fwdFlowConsCandSet(c, _, pragma[only_bind_into](config)) and
      revFlow(mid, toReturn, pragma[only_bind_into](config))
    )
    or
@@ -780,10 +770,10 @@ private module Stage1 {
   */
  pragma[nomagic]
  private predicate revFlowConsCand(Content c, Configuration config) {
-    exists(NodeEx mid, NodeEx node |
+    exists(NodeEx mid, NodeEx node, ContentSet cs |
      fwdFlow(node, pragma[only_bind_into](config)) and
-      read(node, c, mid, config) and
-      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
+      readSet(node, cs, mid, config) and
+      fwdFlowConsCandSet(cs, c, pragma[only_bind_into](config)) and
      revFlow(pragma[only_bind_into](mid), _, pragma[only_bind_into](config))
    )
  }
@@ -802,6 +792,7 @@ private module Stage1 {
   * Holds if `c` is the target of both a read and a store in the flow covered
   * by `revFlow`.
   */
+  pragma[nomagic]
  private predicate revFlowIsReadAndStored(Content c, Configuration conf) {
    revFlowConsCand(c, conf) and
    revFlowStore(c, _, _, conf)
@@ -900,9 +891,9 @@ private module Stage1 {

  pragma[nomagic]
  predicate readStepCand(NodeEx n1, Content c, NodeEx n2, Configuration config) {
-    revFlowIsReadAndStored(c, pragma[only_bind_into](config)) and
-    revFlow(n2, pragma[only_bind_into](config)) and
-    read(n1, c, n2, pragma[only_bind_into](config))
+    revFlowIsReadAndStored(pragma[only_bind_into](c), pragma[only_bind_into](config)) and
+    read(n1, c, n2, pragma[only_bind_into](config)) and
+    revFlow(n2, pragma[only_bind_into](config))
  }

  pragma[nomagic]
@@ -912,14 +903,17 @@ private module Stage1 {
  predicate revFlow(
    NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
  ) {
-    revFlow(node, toReturn, config) and exists(state) and exists(returnAp) and exists(ap)
+    revFlow(node, toReturn, pragma[only_bind_into](config)) and
+    exists(state) and
+    exists(returnAp) and
+    exists(ap)
  }

  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
    revFlow(node, true, config) and
    fwdFlow(node, true, config) and
-    not fullInBarrier(node, config) and
-    not fullOutBarrier(node, config)
+    not inBarrier(node, config) and
+    not outBarrier(node, config)
  }

  /** Holds if flow may return from `callable`. */
@@ -1014,8 +1008,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
  viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
  Stage1::revFlow(ret, config) and
-  not fullOutBarrier(ret, config) and
-  not fullInBarrier(out, config)
+  not outBarrier(ret, config) and
+  not inBarrier(out, config)
 }

 pragma[nomagic]
@@ -1036,8 +1030,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
  viableParamArgNodeCand1(call, p, arg, config) and
  Stage1::revFlow(p, config) and
-  not fullOutBarrier(arg, config) and
-  not fullInBarrier(p, config)
+  not outBarrier(arg, config) and
+  not inBarrier(p, config)
 }

 /**
@@ -1189,7 +1183,7 @@ private module Stage2 {

  bindingset[node, state, ap, config]
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
-    PrevStage::revFlowState(state, config) and
+    PrevStage::revFlowState(state, pragma[only_bind_into](config)) and
    exists(ap) and
    not stateBarrier(node, state, config)
  }
@@ -1614,7 +1608,7 @@ private module Stage2 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      store(node1, tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -1769,9 +1763,9 @@ private module LocalFlowBigStep {
      or
      node.asNode() instanceof OutNodeExt
      or
-      store(_, _, node, _, config)
+      Stage2::storeStepCand(_, _, _, node, _, config)
      or
-      read(_, _, node, config)
+      Stage2::readStepCand(_, _, node, config)
      or
      node instanceof FlowCheckNode
      or
@@ -1792,8 +1786,8 @@ private module LocalFlowBigStep {
      additionalJumpStep(node, next, config) or
      flowIntoCallNodeCand1(_, node, next, config) or
      flowOutOfCallNodeCand1(_, node, next, config) or
-      store(node, _, next, _, config) or
-      read(node, _, next, config)
+      Stage2::storeStepCand(node, _, _, next, _, config) or
+      Stage2::readStepCand(node, _, next, config)
    )
    or
    exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
@@ -1966,7 +1960,24 @@ private module Stage3 {
  private predicate flowIntoCall = flowIntoCallNodeCand2/5;

  pragma[nomagic]
-  private predicate clear(NodeEx node, Ap ap) { ap.isClearedAt(node.asNode()) }
+  private predicate clearSet(NodeEx node, ContentSet c, Configuration config) {
+    PrevStage::revFlow(node, config) and
+    clearsContentCached(node.asNode(), c)
+  }
+
+  pragma[nomagic]
+  private predicate clearContent(NodeEx node, Content c, Configuration config) {
+    exists(ContentSet cs |
+      PrevStage::readStepCand(_, pragma[only_bind_into](c), _, pragma[only_bind_into](config)) and
+      c = cs.getAReadContent() and
+      clearSet(node, cs, pragma[only_bind_into](config))
+    )
+  }
+
+  pragma[nomagic]
+  private predicate clear(NodeEx node, Ap ap, Configuration config) {
+    clearContent(node, ap.getHead().getContent(), config)
+  }

  pragma[nomagic]
  private predicate castingNodeEx(NodeEx node) { node.asNode() instanceof CastingNode }
@@ -1975,7 +1986,7 @@ private module Stage3 {
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
    exists(state) and
    exists(config) and
-    not clear(node, ap) and
+    not clear(node, ap, config) and
    if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), ap.getType()) else any()
  }

@@ -2403,7 +2414,7 @@ private module Stage3 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      store(node1, tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -3230,7 +3241,7 @@ private module Stage4 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      store(node1, tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -4242,7 +4253,7 @@ private module Subpaths {
    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
      localFlowBigStep(n1, _, n2, _, _, _, _, _) or
      store(n1, _, n2, _, _) or
-      read(n1, _, n2, _)
+      readSet(n1, _, n2, _)
    )
  }

@@ -4597,7 +4608,7 @@ private module FlowExploration {
      or
      exists(PartialPathNodeRev mid |
        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentCached(node.asNode(), ap.getHead()) and
+        not clearsContentEx(node, ap.getHead()) and
        not fullBarrier(node, config) and
        not stateBarrier(node, state, config) and
        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
@@ -4613,7 +4624,7 @@ private module FlowExploration {
      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
      not fullBarrier(node, config) and
      not stateBarrier(node, state, config) and
-      not clearsContentCached(node.asNode(), ap.getHead().getContent()) and
+      not clearsContentEx(node, ap.getHead().getContent()) and
      if node.asNode() instanceof CastingNode
      then compatibleTypes(node.getDataFlowType(), ap.getType())
      else any()
@@ -5047,6 +5058,7 @@ private module FlowExploration {
    )
  }

+  pragma[nomagic]
  private predicate revPartialPathStep(
    PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
    TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -87,21 +87,9 @@ abstract class Configuration extends string {
  /** Holds if data flow into `node` is prohibited. */
  predicate isBarrierIn(Node node) { none() }

-  /**
-   * Holds if data flow into `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierIn(Node node, FlowState state) { none() }
-
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

-  /**
-   * Holds if data flow out of `node` is prohibited when the flow state is
-   * `state`
-   */
-  predicate isBarrierOut(Node node, FlowState state) { none() }
-
  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
  predicate isBarrierGuard(BarrierGuard guard) { none() }

@@ -128,7 +116,7 @@ abstract class Configuration extends string {
   * Holds if an arbitrary number of implicit read steps of content `c` may be
   * taken at `node`.
   */
-  predicate allowImplicitRead(Node node, Content c) { none() }
+  predicate allowImplicitRead(Node node, ContentSet c) { none() }

  /**
   * Gets the virtual dispatch branching limit when calculating field flow.
@@ -321,7 +309,7 @@ private class RetNodeEx extends NodeEx {
  ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
 }

-private predicate fullInBarrier(NodeEx node, Configuration config) {
+private predicate inBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierIn(n)
@@ -330,16 +318,7 @@ private predicate fullInBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateInBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierIn(n, state)
-  |
-    config.isSource(n, state)
-  )
-}
-
-private predicate fullOutBarrier(NodeEx node, Configuration config) {
+private predicate outBarrier(NodeEx node, Configuration config) {
  exists(Node n |
    node.asNode() = n and
    config.isBarrierOut(n)
@@ -348,15 +327,6 @@ private predicate fullOutBarrier(NodeEx node, Configuration config) {
  )
 }

-private predicate stateOutBarrier(NodeEx node, FlowState state, Configuration config) {
-  exists(Node n |
-    node.asNode() = n and
-    config.isBarrierOut(n, state)
-  |
-    config.isSink(n, state)
-  )
-}
-
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
@@ -382,12 +352,6 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
  exists(Node n | node.asNode() = n |
    config.isBarrier(n, state)
    or
-    config.isBarrierIn(n, state) and
-    not config.isSource(n, state)
-    or
-    config.isBarrierOut(n, state) and
-    not config.isSink(n, state)
-    or
    exists(BarrierGuard g |
      config.isBarrierGuard(g, state) and
      n = g.getAGuardedNode()
@@ -420,8 +384,8 @@ private predicate sinkNode(NodeEx node, FlowState state, Configuration config) {
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 pragma[inline]
 private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not fullOutBarrier(node1, config) and
-  not fullInBarrier(node2, config) and
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
  not fullBarrier(node1, config) and
  not fullBarrier(node2, config)
 }
@@ -474,8 +438,6 @@ private predicate additionalLocalStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config)
  )
@@ -517,16 +479,15 @@ private predicate additionalJumpStateStep(
    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
-    not stateOutBarrier(node1, s1, config) and
-    not stateInBarrier(node2, s2, config) and
    not stateBarrier(node1, s1, config) and
    not stateBarrier(node2, s2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }

-private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  read(node1.asNode(), c, node2.asNode()) and
+pragma[nomagic]
+private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
+  readSet(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -536,6 +497,25 @@ private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration conf
  )
 }

+// inline to reduce fan-out via `getAReadContent`
+pragma[inline]
+private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
+  exists(ContentSet cs |
+    readSet(node1, cs, node2, config) and
+    c = cs.getAReadContent()
+  )
+}
+
+// inline to reduce fan-out via `getAReadContent`
+pragma[inline]
+private predicate clearsContentEx(NodeEx n, Content c) {
+  exists(ContentSet cs |
+    clearsContentCached(n.asNode(), cs) and
+    c = cs.getAReadContent()
+  )
+}
+
+pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
@@ -613,9 +593,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(Content c |
-      fwdFlowRead(c, node, cc, config) and
-      fwdFlowConsCand(c, config)
+    exists(ContentSet c |
+      fwdFlowReadSet(c, node, cc, config) and
+      fwdFlowConsCandSet(c, _, config)
    )
    or
    // flow into a callable
@@ -639,10 +619,10 @@ private module Stage1 {
  private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }

  pragma[nomagic]
-  private predicate fwdFlowRead(Content c, NodeEx node, Cc cc, Configuration config) {
+  private predicate fwdFlowReadSet(ContentSet c, NodeEx node, Cc cc, Configuration config) {
    exists(NodeEx mid |
      fwdFlow(mid, cc, config) and
-      read(mid, c, node, config)
+      readSet(mid, c, node, config)
    )
  }

@@ -660,6 +640,16 @@ private module Stage1 {
    )
  }

+  /**
+   * Holds if `cs` may be interpreted in a read as the target of some store
+   * into `c`, in the flow covered by `fwdFlow`.
+   */
+  pragma[nomagic]
+  private predicate fwdFlowConsCandSet(ContentSet cs, Content c, Configuration config) {
+    fwdFlowConsCand(c, config) and
+    c = cs.getAReadContent()
+  }
+
  pragma[nomagic]
  private predicate fwdFlowReturnPosition(ReturnPosition pos, Cc cc, Configuration config) {
    exists(RetNodeEx ret |
@@ -752,9 +742,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(NodeEx mid, Content c |
-      read(node, c, mid, config) and
-      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
+    exists(NodeEx mid, ContentSet c |
+      readSet(node, c, mid, config) and
+      fwdFlowConsCandSet(c, _, pragma[only_bind_into](config)) and
      revFlow(mid, toReturn, pragma[only_bind_into](config))
    )
    or
@@ -780,10 +770,10 @@ private module Stage1 {
   */
  pragma[nomagic]
  private predicate revFlowConsCand(Content c, Configuration config) {
-    exists(NodeEx mid, NodeEx node |
+    exists(NodeEx mid, NodeEx node, ContentSet cs |
      fwdFlow(node, pragma[only_bind_into](config)) and
-      read(node, c, mid, config) and
-      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
+      readSet(node, cs, mid, config) and
+      fwdFlowConsCandSet(cs, c, pragma[only_bind_into](config)) and
      revFlow(pragma[only_bind_into](mid), _, pragma[only_bind_into](config))
    )
  }
@@ -802,6 +792,7 @@ private module Stage1 {
   * Holds if `c` is the target of both a read and a store in the flow covered
   * by `revFlow`.
   */
+  pragma[nomagic]
  private predicate revFlowIsReadAndStored(Content c, Configuration conf) {
    revFlowConsCand(c, conf) and
    revFlowStore(c, _, _, conf)
@@ -900,9 +891,9 @@ private module Stage1 {

  pragma[nomagic]
  predicate readStepCand(NodeEx n1, Content c, NodeEx n2, Configuration config) {
-    revFlowIsReadAndStored(c, pragma[only_bind_into](config)) and
-    revFlow(n2, pragma[only_bind_into](config)) and
-    read(n1, c, n2, pragma[only_bind_into](config))
+    revFlowIsReadAndStored(pragma[only_bind_into](c), pragma[only_bind_into](config)) and
+    read(n1, c, n2, pragma[only_bind_into](config)) and
+    revFlow(n2, pragma[only_bind_into](config))
  }

  pragma[nomagic]
@@ -912,14 +903,17 @@ private module Stage1 {
  predicate revFlow(
    NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
  ) {
-    revFlow(node, toReturn, config) and exists(state) and exists(returnAp) and exists(ap)
+    revFlow(node, toReturn, pragma[only_bind_into](config)) and
+    exists(state) and
+    exists(returnAp) and
+    exists(ap)
  }

  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
    revFlow(node, true, config) and
    fwdFlow(node, true, config) and
-    not fullInBarrier(node, config) and
-    not fullOutBarrier(node, config)
+    not inBarrier(node, config) and
+    not outBarrier(node, config)
  }

  /** Holds if flow may return from `callable`. */
@@ -1014,8 +1008,8 @@ private predicate flowOutOfCallNodeCand1(
 ) {
  viableReturnPosOutNodeCand1(call, ret.getReturnPosition(), out, config) and
  Stage1::revFlow(ret, config) and
-  not fullOutBarrier(ret, config) and
-  not fullInBarrier(out, config)
+  not outBarrier(ret, config) and
+  not inBarrier(out, config)
 }

 pragma[nomagic]
@@ -1036,8 +1030,8 @@ private predicate flowIntoCallNodeCand1(
 ) {
  viableParamArgNodeCand1(call, p, arg, config) and
  Stage1::revFlow(p, config) and
-  not fullOutBarrier(arg, config) and
-  not fullInBarrier(p, config)
+  not outBarrier(arg, config) and
+  not inBarrier(p, config)
 }

 /**
@@ -1189,7 +1183,7 @@ private module Stage2 {

  bindingset[node, state, ap, config]
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
-    PrevStage::revFlowState(state, config) and
+    PrevStage::revFlowState(state, pragma[only_bind_into](config)) and
    exists(ap) and
    not stateBarrier(node, state, config)
  }
@@ -1614,7 +1608,7 @@ private module Stage2 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      store(node1, tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -1769,9 +1763,9 @@ private module LocalFlowBigStep {
      or
      node.asNode() instanceof OutNodeExt
      or
-      store(_, _, node, _, config)
+      Stage2::storeStepCand(_, _, _, node, _, config)
      or
-      read(_, _, node, config)
+      Stage2::readStepCand(_, _, node, config)
      or
      node instanceof FlowCheckNode
      or
@@ -1792,8 +1786,8 @@ private module LocalFlowBigStep {
      additionalJumpStep(node, next, config) or
      flowIntoCallNodeCand1(_, node, next, config) or
      flowOutOfCallNodeCand1(_, node, next, config) or
-      store(node, _, next, _, config) or
-      read(node, _, next, config)
+      Stage2::storeStepCand(node, _, _, next, _, config) or
+      Stage2::readStepCand(node, _, next, config)
    )
    or
    exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
@@ -1966,7 +1960,24 @@ private module Stage3 {
  private predicate flowIntoCall = flowIntoCallNodeCand2/5;

  pragma[nomagic]
-  private predicate clear(NodeEx node, Ap ap) { ap.isClearedAt(node.asNode()) }
+  private predicate clearSet(NodeEx node, ContentSet c, Configuration config) {
+    PrevStage::revFlow(node, config) and
+    clearsContentCached(node.asNode(), c)
+  }
+
+  pragma[nomagic]
+  private predicate clearContent(NodeEx node, Content c, Configuration config) {
+    exists(ContentSet cs |
+      PrevStage::readStepCand(_, pragma[only_bind_into](c), _, pragma[only_bind_into](config)) and
+      c = cs.getAReadContent() and
+      clearSet(node, cs, pragma[only_bind_into](config))
+    )
+  }
+
+  pragma[nomagic]
+  private predicate clear(NodeEx node, Ap ap, Configuration config) {
+    clearContent(node, ap.getHead().getContent(), config)
+  }

  pragma[nomagic]
  private predicate castingNodeEx(NodeEx node) { node.asNode() instanceof CastingNode }
@@ -1975,7 +1986,7 @@ private module Stage3 {
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
    exists(state) and
    exists(config) and
-    not clear(node, ap) and
+    not clear(node, ap, config) and
    if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), ap.getType()) else any()
  }

@@ -2403,7 +2414,7 @@ private module Stage3 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      store(node1, tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -3230,7 +3241,7 @@ private module Stage4 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      store(node1, tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -4242,7 +4253,7 @@ private module Subpaths {
    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
      localFlowBigStep(n1, _, n2, _, _, _, _, _) or
      store(n1, _, n2, _, _) or
-      read(n1, _, n2, _)
+      readSet(n1, _, n2, _)
    )
  }

@@ -4597,7 +4608,7 @@ private module FlowExploration {
      or
      exists(PartialPathNodeRev mid |
        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentCached(node.asNode(), ap.getHead()) and
+        not clearsContentEx(node, ap.getHead()) and
        not fullBarrier(node, config) and
        not stateBarrier(node, state, config) and
        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
@@ -4613,7 +4624,7 @@ private module FlowExploration {
      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
      not fullBarrier(node, config) and
      not stateBarrier(node, state, config) and
-      not clearsContentCached(node.asNode(), ap.getHead().getContent()) and
+      not clearsContentEx(node, ap.getHead().getContent()) and
      if node.asNode() instanceof CastingNode
      then compatibleTypes(node.getDataFlowType(), ap.getType())
      else any()
@@ -5047,6 +5058,7 @@ private module FlowExploration {
    )
  }

+  pragma[nomagic]
  private predicate revPartialPathStep(
    PartialPathNodeRev mid, NodeEx node, FlowState state, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
    TRevSummaryCtx3 sc3, RevPartialAccessPath ap, Configuration config
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
@@ -326,7 +326,7 @@ private module Cached {
  predicate jumpStepCached(Node node1, Node node2) { jumpStep(node1, node2) }

  cached
-  predicate clearsContentCached(Node n, Content c) { clearsContent(n, c) }
+  predicate clearsContentCached(Node n, ContentSet c) { clearsContent(n, c) }

  cached
  predicate isUnreachableInCallCached(Node n, DataFlowCall call) { isUnreachableInCall(n, call) }
@@ -373,7 +373,7 @@ private module Cached {
    // For reads, `x.f`, we want to check that the tracked type after the read (which
    // is obtained by popping the head of the access path stack) is compatible with
    // the type of `x.f`.
-    read(_, _, n)
+    readSet(_, _, n)
  }

  cached
@@ -469,7 +469,7 @@ private module Cached {
        // read
        exists(Node mid |
          parameterValueFlowCand(p, mid, false) and
-          read(mid, _, node) and
+          readSet(mid, _, node) and
          read = true
        )
        or
@@ -657,8 +657,10 @@ private module Cached {
       * Holds if `arg` flows to `out` through a call using only
       * value-preserving steps and a single read step, not taking call
       * contexts into account, thus representing a getter-step.
+       *
+       * This predicate is exposed for testing only.
       */
-      predicate getterStep(ArgNode arg, Content c, Node out) {
+      predicate getterStep(ArgNode arg, ContentSet c, Node out) {
        argumentValueFlowsThrough(arg, TReadStepTypesSome(_, c, _), out)
      }

@@ -781,28 +783,30 @@ private module Cached {
    parameterValueFlow(p, n.getPreUpdateNode(), TReadStepTypesNone())
  }

+  cached
+  predicate readSet(Node node1, ContentSet c, Node node2) { readStep(node1, c, node2) }
+
  private predicate store(
    Node node1, Content c, Node node2, DataFlowType contentType, DataFlowType containerType
  ) {
-    storeStep(node1, c, node2) and
-    contentType = getNodeDataFlowType(node1) and
-    containerType = getNodeDataFlowType(node2)
-    or
-    exists(Node n1, Node n2 |
-      n1 = node1.(PostUpdateNode).getPreUpdateNode() and
-      n2 = node2.(PostUpdateNode).getPreUpdateNode()
-    |
-      argumentValueFlowsThrough(n2, TReadStepTypesSome(containerType, c, contentType), n1)
+    exists(ContentSet cs | c = cs.getAStoreContent() |
+      storeStep(node1, cs, node2) and
+      contentType = getNodeDataFlowType(node1) and
+      containerType = getNodeDataFlowType(node2)
      or
-      read(n2, c, n1) and
-      contentType = getNodeDataFlowType(n1) and
-      containerType = getNodeDataFlowType(n2)
+      exists(Node n1, Node n2 |
+        n1 = node1.(PostUpdateNode).getPreUpdateNode() and
+        n2 = node2.(PostUpdateNode).getPreUpdateNode()
+      |
+        argumentValueFlowsThrough(n2, TReadStepTypesSome(containerType, cs, contentType), n1)
+        or
+        readSet(n2, cs, n1) and
+        contentType = getNodeDataFlowType(n1) and
+        containerType = getNodeDataFlowType(n2)
+      )
    )
  }

-  cached
-  predicate read(Node node1, Content c, Node node2) { readStep(node1, c, node2) }
-
  /**
   * Holds if data can flow from `node1` to `node2` via a direct assignment to
   * `f`.
@@ -932,16 +936,16 @@ class CastingNode extends Node {
 }

 private predicate readStepWithTypes(
-  Node n1, DataFlowType container, Content c, Node n2, DataFlowType content
+  Node n1, DataFlowType container, ContentSet c, Node n2, DataFlowType content
 ) {
-  read(n1, c, n2) and
+  readSet(n1, c, n2) and
  container = getNodeDataFlowType(n1) and
  content = getNodeDataFlowType(n2)
 }

 private newtype TReadStepTypesOption =
  TReadStepTypesNone() or
-  TReadStepTypesSome(DataFlowType container, Content c, DataFlowType content) {
+  TReadStepTypesSome(DataFlowType container, ContentSet c, DataFlowType content) {
    readStepWithTypes(_, container, c, _, content)
  }

@@ -950,7 +954,7 @@ private class ReadStepTypesOption extends TReadStepTypesOption {

  DataFlowType getContainerType() { this = TReadStepTypesSome(result, _, _) }

-  Content getContent() { this = TReadStepTypesSome(_, result, _) }
+  ContentSet getContent() { this = TReadStepTypesSome(_, result, _) }

  DataFlowType getContentType() { this = TReadStepTypesSome(_, _, result) }

@@ -1325,8 +1329,6 @@ abstract class AccessPathFront extends TAccessPathFront {
  abstract boolean toBoolNonEmpty();

  TypedContent getHead() { this = TFrontHead(result) }
-
-  predicate isClearedAt(Node n) { clearsContentCached(n, this.getHead().getContent()) }
 }

 class AccessPathFrontNil extends AccessPathFront, TFrontNil {
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -1063,6 +1063,34 @@ private class CollectionContent extends Content, TCollectionContent {
  override string toString() { result = "<element>" }
 }

+/**
+ * An entity that represents a set of `Content`s.
+ *
+ * The set may be interpreted differently depending on whether it is
+ * stored into (`getAStoreContent`) or read from (`getAReadContent`).
+ */
+class ContentSet instanceof Content {
+  /** Gets a content that may be stored into when storing into this set. */
+  Content getAStoreContent() { result = this }
+
+  /** Gets a content that may be read from when reading from this set. */
+  Content getAReadContent() { result = this }
+
+  /** Gets a textual representation of this content set. */
+  string toString() { result = super.toString() }
+
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
+    super.hasLocationInfo(path, sl, sc, el, ec)
+  }
+}
+
 /**
 * A guard that validates some instruction.
 *
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
@@ -109,16 +109,6 @@ abstract class Configuration extends DataFlow::Configuration {
  /** Holds if taint propagation into `node` is prohibited. */
  predicate isSanitizerIn(DataFlow::Node node) { none() }

-  /**
-   * Holds if taint propagation into `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizerIn(node, state)
-  }
-
  final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }

  /** Holds if taint propagation out of `node` is prohibited. */
@@ -126,16 +116,6 @@ abstract class Configuration extends DataFlow::Configuration {

  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }

-  /**
-   * Holds if taint propagation out of `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizerOut(node, state)
-  }
-
  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }

@@ -181,7 +161,7 @@ abstract class Configuration extends DataFlow::Configuration {
    this.isAdditionalTaintStep(node1, state1, node2, state2)
  }

-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
    defaultImplicitTaintRead(node, c)
  }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
@@ -109,16 +109,6 @@ abstract class Configuration extends DataFlow::Configuration {
  /** Holds if taint propagation into `node` is prohibited. */
  predicate isSanitizerIn(DataFlow::Node node) { none() }

-  /**
-   * Holds if taint propagation into `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizerIn(node, state)
-  }
-
  final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }

  /** Holds if taint propagation out of `node` is prohibited. */
@@ -126,16 +116,6 @@ abstract class Configuration extends DataFlow::Configuration {

  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }

-  /**
-   * Holds if taint propagation out of `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizerOut(node, state)
-  }
-
  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }

@@ -181,7 +161,7 @@ abstract class Configuration extends DataFlow::Configuration {
    this.isAdditionalTaintStep(node1, state1, node2, state2)
  }

-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
    defaultImplicitTaintRead(node, c)
  }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll
@@ -109,16 +109,6 @@ abstract class Configuration extends DataFlow::Configuration {
  /** Holds if taint propagation into `node` is prohibited. */
  predicate isSanitizerIn(DataFlow::Node node) { none() }

-  /**
-   * Holds if taint propagation into `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isSanitizerIn(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizerIn(node, state)
-  }
-
  final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }

  /** Holds if taint propagation out of `node` is prohibited. */
@@ -126,16 +116,6 @@ abstract class Configuration extends DataFlow::Configuration {

  final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }

-  /**
-   * Holds if taint propagation out of `node` is prohibited when the flow state is
-   * `state`.
-   */
-  predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowState state) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowState state) {
-    this.isSanitizerOut(node, state)
-  }
-
  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }

@@ -181,7 +161,7 @@ abstract class Configuration extends DataFlow::Configuration {
    this.isAdditionalTaintStep(node1, state1, node2, state2)
  }

-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
    defaultImplicitTaintRead(node, c)
  }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/IRConfiguration.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/IRConfiguration.qll
@@ -16,7 +16,7 @@ class IRConfiguration extends TIRConfiguration {
  /**
   * Holds if IR should be created for function `func`. By default, holds for all functions.
   */
-  predicate shouldCreateIRForFunction(Language::Function func) { any() }
+  predicate shouldCreateIRForFunction(Language::Declaration func) { any() }

  /**
   * Holds if the strings used as part of an IR dump should be generated for function `func`.
@@ -25,7 +25,7 @@ class IRConfiguration extends TIRConfiguration {
   * of debug strings for IR that will not be dumped. We still generate the actual IR for these
   * functions, however, to preserve the results of any interprocedural analysis.
   */
-  predicate shouldEvaluateDebugStringsForFunction(Language::Function func) { any() }
+  predicate shouldEvaluateDebugStringsForFunction(Language::Declaration func) { any() }
 }

 private newtype TIREscapeAnalysisConfiguration = MkIREscapeAnalysisConfiguration()
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll
@@ -97,7 +97,7 @@ class IRBlockBase extends TIRBlock {
  /**
   * Gets the `Function` that contains this block.
   */
-  final Language::Function getEnclosingFunction() {
+  final Language::Declaration getEnclosingFunction() {
    result = getFirstInstruction(this).getEnclosingFunction()
  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
@@ -194,7 +194,7 @@ class Instruction extends Construction::TStageInstruction {
  /**
   * Gets the function that contains this instruction.
   */
-  final Language::Function getEnclosingFunction() {
+  final Language::Declaration getEnclosingFunction() {
    result = this.getEnclosingIRFunction().getFunction()
  }

--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll
@@ -26,20 +26,20 @@ class PrintIRConfiguration extends TPrintIRConfiguration {
   * Holds if the IR for `func` should be printed. By default, holds for all
   * functions.
   */
-  predicate shouldPrintFunction(Language::Function func) { any() }
+  predicate shouldPrintFunction(Language::Declaration decl) { any() }
 }

 /**
 * Override of `IRConfiguration` to only evaluate debug strings for the functions that are to be dumped.
 */
 private class FilteredIRConfiguration extends IRConfiguration {
-  override predicate shouldEvaluateDebugStringsForFunction(Language::Function func) {
+  override predicate shouldEvaluateDebugStringsForFunction(Language::Declaration func) {
    shouldPrintFunction(func)
  }
 }

-private predicate shouldPrintFunction(Language::Function func) {
-  exists(PrintIRConfiguration config | config.shouldPrintFunction(func))
+private predicate shouldPrintFunction(Language::Declaration decl) {
+  exists(PrintIRConfiguration config | config.shouldPrintFunction(decl))
 }

 private string getAdditionalInstructionProperty(Instruction instr, string key) {
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/IRFunctionBase.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/IRFunctionBase.qll
@@ -5,23 +5,28 @@
 private import IRFunctionBaseInternal

 private newtype TIRFunction =
-  MkIRFunction(Language::Function func) { IRConstruction::Raw::functionHasIR(func) }
+  TFunctionIRFunction(Language::Function func) { IRConstruction::Raw::functionHasIR(func) } or
+  TVarInitIRFunction(Language::GlobalVariable var) { IRConstruction::Raw::varHasIRFunc(var) }

 /**
 * The IR for a function. This base class contains only the predicates that are the same between all
 * phases of the IR. Each instantiation of `IRFunction` extends this class.
 */
 class IRFunctionBase extends TIRFunction {
-  Language::Function func;
+  Language::Declaration decl;

-  IRFunctionBase() { this = MkIRFunction(func) }
+  IRFunctionBase() {
+    this = TFunctionIRFunction(decl)
+    or
+    this = TVarInitIRFunction(decl)
+  }

  /** Gets a textual representation of this element. */
-  final string toString() { result = "IR: " + func.toString() }
+  final string toString() { result = "IR: " + decl.toString() }

  /** Gets the function whose IR is represented. */
-  final Language::Function getFunction() { result = func }
+  final Language::Declaration getFunction() { result = decl }

  /** Gets the location of the function. */
-  final Language::Location getLocation() { result = func.getLocation() }
+  final Language::Location getLocation() { result = decl.getLocation() }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRBlock.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRBlock.qll
@@ -97,7 +97,7 @@ class IRBlockBase extends TIRBlock {
  /**
   * Gets the `Function` that contains this block.
   */
-  final Language::Function getEnclosingFunction() {
+  final Language::Declaration getEnclosingFunction() {
    result = getFirstInstruction(this).getEnclosingFunction()
  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll
@@ -194,7 +194,7 @@ class Instruction extends Construction::TStageInstruction {
  /**
   * Gets the function that contains this instruction.
   */
-  final Language::Function getEnclosingFunction() {
+  final Language::Declaration getEnclosingFunction() {
    result = this.getEnclosingIRFunction().getFunction()
  }

--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/PrintIR.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/PrintIR.qll
@@ -26,20 +26,20 @@ class PrintIRConfiguration extends TPrintIRConfiguration {
   * Holds if the IR for `func` should be printed. By default, holds for all
   * functions.
   */
-  predicate shouldPrintFunction(Language::Function func) { any() }
+  predicate shouldPrintFunction(Language::Declaration decl) { any() }
 }

 /**
 * Override of `IRConfiguration` to only evaluate debug strings for the functions that are to be dumped.
 */
 private class FilteredIRConfiguration extends IRConfiguration {
-  override predicate shouldEvaluateDebugStringsForFunction(Language::Function func) {
+  override predicate shouldEvaluateDebugStringsForFunction(Language::Declaration func) {
    shouldPrintFunction(func)
  }
 }

-private predicate shouldPrintFunction(Language::Function func) {
-  exists(PrintIRConfiguration config | config.shouldPrintFunction(func))
+private predicate shouldPrintFunction(Language::Declaration decl) {
+  exists(PrintIRConfiguration config | config.shouldPrintFunction(decl))
 }

 private string getAdditionalInstructionProperty(Instruction instr, string key) {
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll
@@ -35,6 +35,9 @@ module Raw {
  cached
  predicate functionHasIR(Function func) { exists(getTranslatedFunction(func)) }

+  cached
+  predicate varHasIRFunc(GlobalOrNamespaceVariable var) { any() } // TODO: restrict?
+
  cached
  predicate hasInstruction(TranslatedElement element, InstructionTag tag) {
    element.hasInstruction(_, tag, _)
@@ -46,18 +49,18 @@ module Raw {
  }

  cached
-  predicate hasTempVariable(Function func, Locatable ast, TempVariableTag tag, CppType type) {
+  predicate hasTempVariable(Declaration decl, Locatable ast, TempVariableTag tag, CppType type) {
    exists(TranslatedElement element |
      element.getAst() = ast and
-      func = element.getFunction() and
+      decl = element.getFunction() and
      element.hasTempVariable(tag, type)
    )
  }

  cached
-  predicate hasStringLiteral(Function func, Locatable ast, CppType type, StringLiteral literal) {
+  predicate hasStringLiteral(Declaration decl, Locatable ast, CppType type, StringLiteral literal) {
    literal = ast and
-    literal.getEnclosingFunction() = func and
+    literal.getEnclosingDeclaration() = decl and
    getTypeForPRValue(literal.getType()) = type
  }

--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll
@@ -180,7 +180,7 @@ abstract class TranslatedSideEffects extends TranslatedElement {
  /** DEPRECATED: Alias for getAst */
  deprecated override Locatable getAST() { result = getAst() }

-  final override Function getFunction() { result = getExpr().getEnclosingFunction() }
+  final override Declaration getFunction() { result = getExpr().getEnclosingDeclaration() }

  final override TranslatedElement getChild(int i) {
    result =
@@ -375,7 +375,7 @@ abstract class TranslatedSideEffect extends TranslatedElement {
    kind instanceof GotoEdge
  }

-  final override Function getFunction() { result = getParent().getFunction() }
+  final override Declaration getFunction() { result = getParent().getFunction() }

  final override Instruction getPrimaryInstructionForSideEffect(InstructionTag tag) {
    tag = OnlyInstructionTag() and
@@ -436,13 +436,6 @@ abstract class TranslatedArgumentSideEffect extends TranslatedSideEffect {
    result = index
  }

-  /**
-   * Gets the `TranslatedFunction` containing this expression.
-   */
-  final TranslatedFunction getEnclosingFunction() {
-    result = getTranslatedFunction(call.getEnclosingFunction())
-  }
-
  final override predicate sideEffectInstruction(Opcode opcode, CppType type) {
    opcode = sideEffectOpcode and
    (
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
@@ -67,7 +67,8 @@ private predicate ignoreExprAndDescendants(Expr expr) {
  exists(Initializer init, StaticStorageDurationVariable var |
    init = var.getInitializer() and
    not var.hasDynamicInitialization() and
-    expr = init.getExpr().getFullyConverted()
+    expr = init.getExpr().getFullyConverted() and
+    not var instanceof GlobalOrNamespaceVariable
  )
  or
  // Ignore descendants of `__assume` expressions, since we translated these to `NoOp`.
@@ -117,7 +118,8 @@ private predicate ignoreExprOnly(Expr expr) {
  // should not be translated.
  exists(NewOrNewArrayExpr new | expr = new.getAllocatorCall().getArgument(0))
  or
-  not translateFunction(expr.getEnclosingFunction())
+  not translateFunction(expr.getEnclosingFunction()) and
+  not expr.getEnclosingVariable() instanceof GlobalOrNamespaceVariable
  or
  // We do not yet translate destructors properly, so for now we ignore the
  // destructor call. We do, however, translate the expression being
@@ -662,7 +664,8 @@ newtype TTranslatedElement =
    opcode = getASideEffectOpcode(call, -1)
  } or
  // The side effect that initializes newly-allocated memory.
-  TTranslatedAllocationSideEffect(AllocationExpr expr) { not ignoreSideEffects(expr) }
+  TTranslatedAllocationSideEffect(AllocationExpr expr) { not ignoreSideEffects(expr) } or
+  TTranslatedGlobalOrNamespaceVarInit(GlobalOrNamespaceVariable var) { var.hasInitializer() }

 /**
 * Gets the index of the first explicitly initialized element in `initList`
@@ -792,7 +795,7 @@ abstract class TranslatedElement extends TTranslatedElement {
  /**
   * Gets the `Function` that contains this element.
   */
-  abstract Function getFunction();
+  abstract Declaration getFunction();

  /**
   * Gets the successor instruction of the instruction that was generated by
@@ -942,3 +945,14 @@ abstract class TranslatedElement extends TTranslatedElement {
   */
  final TranslatedElement getParent() { result.getAChild() = this }
 }
+
+/**
+ * Represents the IR translation of a root element, either a function or a global variable.
+ */
+abstract class TranslatedRootElement extends TranslatedElement {
+  TranslatedRootElement() {
+    this instanceof TTranslatedFunction
+    or
+    this instanceof TTranslatedGlobalOrNamespaceVarInit
+  }
+}
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll
@@ -13,6 +13,7 @@ private import TranslatedFunction
 private import TranslatedInitialization
 private import TranslatedFunction
 private import TranslatedStmt
+private import TranslatedGlobalVar
 import TranslatedCall

 /**
@@ -79,7 +80,7 @@ abstract class TranslatedExpr extends TranslatedElement {
  /** DEPRECATED: Alias for getAst */
  deprecated override Locatable getAST() { result = this.getAst() }

-  final override Function getFunction() { result = expr.getEnclosingFunction() }
+  final override Declaration getFunction() { result = expr.getEnclosingDeclaration() }

  /**
   * Gets the expression from which this `TranslatedExpr` is generated.
@@ -89,8 +90,10 @@ abstract class TranslatedExpr extends TranslatedElement {
  /**
   * Gets the `TranslatedFunction` containing this expression.
   */
-  final TranslatedFunction getEnclosingFunction() {
+  final TranslatedRootElement getEnclosingFunction() {
    result = getTranslatedFunction(expr.getEnclosingFunction())
+    or
+    result = getTranslatedVarInit(expr.getEnclosingVariable())
  }
 }

@@ -788,7 +791,7 @@ class TranslatedThisExpr extends TranslatedNonConstantExpr {

  override IRVariable getInstructionVariable(InstructionTag tag) {
    tag = ThisAddressTag() and
-    result = this.getEnclosingFunction().getThisVariable()
+    result = this.getEnclosingFunction().(TranslatedFunction).getThisVariable()
  }
 }

@@ -2523,7 +2526,7 @@ class TranslatedVarArgsStart extends TranslatedNonConstantExpr {

  final override IRVariable getInstructionVariable(InstructionTag tag) {
    tag = VarArgsStartEllipsisAddressTag() and
-    result = this.getEnclosingFunction().getEllipsisVariable()
+    result = this.getEnclosingFunction().(TranslatedFunction).getEllipsisVariable()
  }

  final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll
@@ -58,7 +58,7 @@ predicate hasReturnValue(Function func) { not func.getUnspecifiedType() instance
 * Represents the IR translation of a function. This is the root elements for
 * all other elements associated with this function.
 */
-class TranslatedFunction extends TranslatedElement, TTranslatedFunction {
+class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction {
  Function func;

  TranslatedFunction() { this = TTranslatedFunction(func) }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedGlobalVar.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedGlobalVar.qll
@@ -0,0 +1,104 @@
+import semmle.code.cpp.ir.implementation.raw.internal.TranslatedElement
+private import cpp
+private import semmle.code.cpp.ir.implementation.IRType
+private import semmle.code.cpp.ir.implementation.Opcode
+private import semmle.code.cpp.ir.implementation.internal.OperandTag
+private import semmle.code.cpp.ir.internal.CppType
+private import TranslatedInitialization
+private import InstructionTag
+
+class TranslatedGlobalOrNamespaceVarInit extends TranslatedRootElement,
+  TTranslatedGlobalOrNamespaceVarInit, InitializationContext {
+  GlobalOrNamespaceVariable var;
+
+  TranslatedGlobalOrNamespaceVarInit() { this = TTranslatedGlobalOrNamespaceVarInit(var) }
+
+  override string toString() { result = var.toString() }
+
+  final override GlobalOrNamespaceVariable getAst() { result = var }
+
+  final override Declaration getFunction() { result = var }
+
+  final Location getLocation() { result = var.getLocation() }
+
+  override Instruction getFirstInstruction() { result = this.getInstruction(EnterFunctionTag()) }
+
+  override TranslatedElement getChild(int n) {
+    n = 1 and
+    result = getTranslatedInitialization(var.getInitializer().getExpr().getFullyConverted())
+  }
+
+  override predicate hasInstruction(Opcode op, InstructionTag tag, CppType type) {
+    op instanceof Opcode::EnterFunction and
+    tag = EnterFunctionTag() and
+    type = getVoidType()
+    or
+    op instanceof Opcode::AliasedDefinition and
+    tag = AliasedDefinitionTag() and
+    type = getUnknownType()
+    or
+    op instanceof Opcode::VariableAddress and
+    tag = InitializerVariableAddressTag() and
+    type = getTypeForGLValue(var.getType())
+    or
+    op instanceof Opcode::ReturnVoid and
+    tag = ReturnTag() and
+    type = getVoidType()
+    or
+    op instanceof Opcode::AliasedUse and
+    tag = AliasedUseTag() and
+    type = getVoidType()
+    or
+    op instanceof Opcode::ExitFunction and
+    tag = ExitFunctionTag() and
+    type = getVoidType()
+  }
+
+  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
+    kind instanceof GotoEdge and
+    (
+      tag = EnterFunctionTag() and
+      result = getInstruction(AliasedDefinitionTag())
+      or
+      tag = AliasedDefinitionTag() and
+      result = getInstruction(InitializerVariableAddressTag())
+      or
+      tag = InitializerVariableAddressTag() and
+      result = getChild(1).getFirstInstruction()
+      or
+      tag = ReturnTag() and
+      result = getInstruction(AliasedUseTag())
+      or
+      tag = AliasedUseTag() and
+      result = getInstruction(ExitFunctionTag())
+    )
+  }
+
+  override Instruction getChildSuccessor(TranslatedElement child) {
+    child = getChild(1) and
+    result = getInstruction(ReturnTag())
+  }
+
+  final override CppType getInstructionMemoryOperandType(
+    InstructionTag tag, TypedOperandTag operandTag
+  ) {
+    tag = AliasedUseTag() and
+    operandTag instanceof SideEffectOperandTag and
+    result = getUnknownType()
+  }
+
+  override IRUserVariable getInstructionVariable(InstructionTag tag) {
+    tag = InitializerVariableAddressTag() and
+    result.getVariable() = var
+  }
+
+  override Instruction getTargetAddress() {
+    result = getInstruction(InitializerVariableAddressTag())
+  }
+
+  override Type getTargetType() { result = var.getUnspecifiedType() }
+}
+
+TranslatedGlobalOrNamespaceVarInit getTranslatedVarInit(GlobalOrNamespaceVariable var) {
+  result.getAst() = var
+}
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedInitialization.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedInitialization.qll
@@ -137,7 +137,10 @@ abstract class TranslatedInitialization extends TranslatedElement, TTranslatedIn

  final override string toString() { result = "init: " + expr.toString() }

-  final override Function getFunction() { result = expr.getEnclosingFunction() }
+  final override Declaration getFunction() {
+    result = expr.getEnclosingFunction() or
+    result = expr.getEnclosingVariable().(GlobalOrNamespaceVariable)
+  }

  final override Locatable getAst() { result = expr }

@@ -486,7 +489,10 @@ abstract class TranslatedFieldInitialization extends TranslatedElement {
  /** DEPRECATED: Alias for getAst */
  deprecated override Locatable getAST() { result = getAst() }

-  final override Function getFunction() { result = ast.getEnclosingFunction() }
+  final override Declaration getFunction() {
+    result = ast.getEnclosingFunction() or
+    result = ast.getEnclosingVariable().(GlobalOrNamespaceVariable)
+  }

  final override Instruction getFirstInstruction() { result = getInstruction(getFieldAddressTag()) }

@@ -633,7 +639,11 @@ abstract class TranslatedElementInitialization extends TranslatedElement {
  /** DEPRECATED: Alias for getAst */
  deprecated override Locatable getAST() { result = getAst() }

-  final override Function getFunction() { result = initList.getEnclosingFunction() }
+  final override Declaration getFunction() {
+    result = initList.getEnclosingFunction()
+    or
+    result = initList.getEnclosingVariable().(GlobalOrNamespaceVariable)
+  }

  final override Instruction getFirstInstruction() { result = getInstruction(getElementIndexTag()) }

--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll
@@ -97,7 +97,7 @@ class IRBlockBase extends TIRBlock {
  /**
   * Gets the `Function` that contains this block.
   */
-  final Language::Function getEnclosingFunction() {
+  final Language::Declaration getEnclosingFunction() {
    result = getFirstInstruction(this).getEnclosingFunction()
  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll
@@ -194,7 +194,7 @@ class Instruction extends Construction::TStageInstruction {
  /**
   * Gets the function that contains this instruction.
   */
-  final Language::Function getEnclosingFunction() {
+  final Language::Declaration getEnclosingFunction() {
    result = this.getEnclosingIRFunction().getFunction()
  }

--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.qll
@@ -26,20 +26,20 @@ class PrintIRConfiguration extends TPrintIRConfiguration {
   * Holds if the IR for `func` should be printed. By default, holds for all
   * functions.
   */
-  predicate shouldPrintFunction(Language::Function func) { any() }
+  predicate shouldPrintFunction(Language::Declaration decl) { any() }
 }

 /**
 * Override of `IRConfiguration` to only evaluate debug strings for the functions that are to be dumped.
 */
 private class FilteredIRConfiguration extends IRConfiguration {
-  override predicate shouldEvaluateDebugStringsForFunction(Language::Function func) {
+  override predicate shouldEvaluateDebugStringsForFunction(Language::Declaration func) {
    shouldPrintFunction(func)
  }
 }

-private predicate shouldPrintFunction(Language::Function func) {
-  exists(PrintIRConfiguration config | config.shouldPrintFunction(func))
+private predicate shouldPrintFunction(Language::Declaration decl) {
+  exists(PrintIRConfiguration config | config.shouldPrintFunction(decl))
 }

 private string getAdditionalInstructionProperty(Instruction instr, string key) {
--- a/cpp/ql/lib/semmle/code/cpp/ir/internal/CppType.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/internal/CppType.qll
@@ -141,7 +141,7 @@ private predicate isOpaqueType(Type type) {
 * Holds if an `IROpaqueType` with the specified `tag` and `byteSize` should exist.
 */
 predicate hasOpaqueType(Type tag, int byteSize) {
-  isOpaqueType(tag) and byteSize = getTypeSize(tag)
+  isOpaqueType(tag) and byteSize = getTypeSize(tag.getUnspecifiedType())
  or
  tag instanceof UnknownType and Raw::needsUnknownOpaqueType(byteSize)
 }
@@ -153,17 +153,18 @@ private IRType getIRTypeForPRValue(Type type) {
  exists(Type unspecifiedType | unspecifiedType = type.getUnspecifiedType() |
    isOpaqueType(unspecifiedType) and
    exists(IROpaqueType opaqueType | opaqueType = result |
-      opaqueType.getByteSize() = getTypeSize(type) and
+      opaqueType.getByteSize() = getTypeSize(unspecifiedType) and
      opaqueType.getTag() = unspecifiedType
    )
    or
-    unspecifiedType instanceof BoolType and result.(IRBooleanType).getByteSize() = type.getSize()
+    unspecifiedType instanceof BoolType and
+    result.(IRBooleanType).getByteSize() = unspecifiedType.getSize()
    or
    isSignedIntegerType(unspecifiedType) and
-    result.(IRSignedIntegerType).getByteSize() = type.getSize()
+    result.(IRSignedIntegerType).getByteSize() = unspecifiedType.getSize()
    or
    isUnsignedIntegerType(unspecifiedType) and
-    result.(IRUnsignedIntegerType).getByteSize() = type.getSize()
+    result.(IRUnsignedIntegerType).getByteSize() = unspecifiedType.getSize()
    or
    exists(FloatingPointType floatType, IRFloatingPointType irFloatType |
      floatType = unspecifiedType and
@@ -173,7 +174,8 @@ private IRType getIRTypeForPRValue(Type type) {
      irFloatType.getDomain() = floatType.getDomain()
    )
    or
-    isPointerIshType(unspecifiedType) and result.(IRAddressType).getByteSize() = getTypeSize(type)
+    isPointerIshType(unspecifiedType) and
+    result.(IRAddressType).getByteSize() = getTypeSize(unspecifiedType)
    or
    unspecifiedType instanceof FunctionPointerIshType and
    result.(IRFunctionAddressType).getByteSize() = getTypeSize(type)
--- a/cpp/ql/lib/semmle/code/cpp/ir/internal/IRCppLanguage.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/internal/IRCppLanguage.qll
@@ -50,12 +50,16 @@ class AutomaticVariable = Cpp::StackVariable;

 class StaticVariable = Cpp::Variable;

+class GlobalVariable = Cpp::GlobalOrNamespaceVariable;
+
 class Parameter = Cpp::Parameter;

 class Field = Cpp::Field;

 class BuiltInOperation = Cpp::BuiltInOperation;

+class Declaration = Cpp::Declaration;
+
 // TODO: Remove necessity for these.
 class Expr = Cpp::Expr;

--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Allocation.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Allocation.qll
@@ -42,10 +42,13 @@ private class MallocAllocationFunction extends AllocationFunction {
    this.hasGlobalName([
        // --- Windows Memory Management for Windows Drivers
        "ExAllocatePool", // ExAllocatePool(type, size)
+        "ExAllocatePool2", // ExAllocatePool2(flags, size, tag)
+        "ExAllocatePool3", // ExAllocatePool3(flags, size, tag, extparams, extparamscount)
        "ExAllocatePoolWithTag", // ExAllocatePool(type, size, tag)
        "ExAllocatePoolWithTagPriority", // ExAllocatePoolWithTagPriority(type, size, tag, priority)
        "ExAllocatePoolWithQuota", // ExAllocatePoolWithQuota(type, size)
        "ExAllocatePoolWithQuotaTag", // ExAllocatePoolWithQuotaTag(type, size, tag)
+        "ExAllocatePoolZero", // ExAllocatePoolZero(type, size, tag)
        "IoAllocateMdl", // IoAllocateMdl(address, size, flag, flag, irp)
        "IoAllocateErrorLogEntry", // IoAllocateErrorLogEntry(object, size)
        // --- Windows Global / Local legacy allocation
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,3 +1,12 @@
+## 0.1.0
+
+### Minor Analysis Improvements
+
+* The `cpp/cleartext-transmission` query now recognizes additional sources, for sensitive private data such as e-mail addresses and credit card numbers.
+* The `cpp/unused-local-variable` no longer ignores functions that include lambda expressions capturing trivially copyable objects.
+* The `cpp/command-line-injection` query now takes into account calling contexts across string concatenations. This removes false positives due to mismatched calling contexts before and after string concatenations.
+* A new query, "Potential exposure of sensitive system data to an unauthorized control sphere" (`cpp/potential-system-data-exposure`) has been added. This query is focused on exposure of information that is highly likely to be sensitive, whereas the similar query "Exposure of system data to an unauthorized control sphere" (`cpp/system-data-exposure`) is focused on exposure of information on a channel that is more likely to be intercepted by an attacker.
+
 ## 0.0.13

 ## 0.0.12
--- a/cpp/ql/src/Security/CWE/CWE-611/XXE.qhelp
+++ b/cpp/ql/src/Security/CWE/CWE-611/XXE.qhelp
@@ -0,0 +1,57 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Parsing untrusted XML files with a weakly configured XML parser may lead to an
+XML external entity (XXE) attack. This type of attack uses external entity references
+to access arbitrary files on a system, carry out denial-of-service (DoS) attacks, or server-side
+request forgery. Even when the result of parsing is not returned to the user, DoS attacks are still possible
+and out-of-band data retrieval techniques may allow attackers to steal sensitive data.
+</p>
+</overview>
+
+<recommendation>
+<p>
+The easiest way to prevent XXE attacks is to disable external entity handling when
+parsing untrusted data. How this is done depends on the library being used. Note that some
+libraries, such as recent versions of <code>libxml</code>, disable entity expansion by default,
+so unless you have explicitly enabled entity expansion, no further action needs to be taken.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example uses the <code>Xerces-C++</code> XML parser to parse a string <code>data</code>.
+If that string is from an untrusted source, this code may be vulnerable to an XXE attack, since
+the parser is constructed in its default state with <code>setDisableDefaultEntityResolution</code>
+set to <code>false</code>:
+</p>
+<sample src="XXEBad.cpp"/>
+
+<p>
+To guard against XXE attacks, the <code>setDisableDefaultEntityResolution</code> option should be
+set to <code>true</code>.
+</p>
+<sample src="XXEGood.cpp"/>
+</example>
+
+<references>
+<li>
+OWASP:
+<a href="https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing">XML External Entity (XXE) Processing</a>.
+</li>
+<li>
+OWASP:
+<a href="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html">XML External Entity Prevention Cheat Sheet</a>.
+</li>
+<li>
+Timothy Morgen:
+<a href="https://research.nccgroup.com/2014/05/19/xml-schema-dtd-and-entity-attacks-a-compendium-of-known-techniques/">XML Schema, DTD, and Entity Attacks</a>.
+</li>
+<li>
+Timur Yunusov, Alexey Osipov:
+<a href="https://www.slideshare.net/qqlan/bh-ready-v4">XML Out-Of-Band Data Retrieval</a>.
+</li>
+</references>
+</qhelp>
--- a/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
+++ b/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
@@ -0,0 +1,209 @@
+/**
+ * @name XML external entity expansion
+ * @description Parsing user-controlled XML documents and allowing expansion of
+ *              external entity references may lead to disclosure of
+ *              confidential data or denial of service.
+ * @kind path-problem
+ * @id cpp/external-entity-expansion
+ * @problem.severity warning
+ * @security-severity 9.1
+ * @precision medium
+ * @tags security
+ *       external/cwe/cwe-611
+ */
+
+import cpp
+import semmle.code.cpp.ir.dataflow.DataFlow
+import DataFlow::PathGraph
+import semmle.code.cpp.ir.IR
+
+/**
+ * A flow state representing a possible configuration of an XML object.
+ */
+abstract class XXEFlowState extends DataFlow::FlowState {
+  bindingset[this]
+  XXEFlowState() { any() } // required characteristic predicate
+}
+
+/**
+ * An `Expr` that changes the configuration of an XML object, transforming the
+ * `XXEFlowState` that flows through it.
+ */
+abstract class XXEFlowStateTranformer extends Expr {
+  /**
+   * Gets the flow state that `flowstate` is transformed into.
+   *
+   * Due to limitations of the implementation the transformation defined by this
+   * predicate must be idempotent, that is, for any input `x` it must be that:
+   * ```
+   * transform(tranform(x)) = tranform(x)
+   * ```
+   */
+  abstract XXEFlowState transform(XXEFlowState flowstate);
+}
+
+/**
+ * The `AbstractDOMParser` class.
+ */
+class AbstractDOMParserClass extends Class {
+  AbstractDOMParserClass() { this.hasName("AbstractDOMParser") }
+}
+
+/**
+ * The `XercesDOMParser` class.
+ */
+class XercesDOMParserClass extends Class {
+  XercesDOMParserClass() { this.hasName("XercesDOMParser") }
+}
+
+/**
+ * Gets a valid flow state for `XercesDOMParser` flow.
+ *
+ * These flow states take the form `XercesDOM-A-B`, where:
+ *  - A is 1 if `setDisableDefaultEntityResolution` is `true`, 0 otherwise.
+ *  - B is 1 if `setCreateEntityReferenceNodes` is `true`, 0 otherwise.
+ */
+predicate encodeXercesDOMFlowState(
+  string flowstate, int disabledDefaultEntityResolution, int createEntityReferenceNodes
+) {
+  flowstate = "XercesDOM-0-0" and
+  disabledDefaultEntityResolution = 0 and
+  createEntityReferenceNodes = 0
+  or
+  flowstate = "XercesDOM-0-1" and
+  disabledDefaultEntityResolution = 0 and
+  createEntityReferenceNodes = 1
+  or
+  flowstate = "XercesDOM-1-0" and
+  disabledDefaultEntityResolution = 1 and
+  createEntityReferenceNodes = 0
+  or
+  flowstate = "XercesDOM-1-1" and
+  disabledDefaultEntityResolution = 1 and
+  createEntityReferenceNodes = 1
+}
+
+/**
+ * A flow state representing the configuration of a `XercesDOMParser` object.
+ */
+class XercesDOMParserFlowState extends XXEFlowState {
+  XercesDOMParserFlowState() { encodeXercesDOMFlowState(this, _, _) }
+}
+
+/**
+ * Flow state transformer for a call to
+ * `AbstractDOMParser.setDisableDefaultEntityResolution`. Transforms the flow
+ * state through the qualifier according to the setting in the parameter.
+ */
+class DisableDefaultEntityResolutionTranformer extends XXEFlowStateTranformer {
+  Expr newValue;
+
+  DisableDefaultEntityResolutionTranformer() {
+    exists(Call call, Function f |
+      call.getTarget() = f and
+      f.getDeclaringType() instanceof AbstractDOMParserClass and
+      f.hasName("setDisableDefaultEntityResolution") and
+      this = call.getQualifier() and
+      newValue = call.getArgument(0)
+    )
+  }
+
+  final override XXEFlowState transform(XXEFlowState flowstate) {
+    exists(int createEntityReferenceNodes |
+      encodeXercesDOMFlowState(flowstate, _, createEntityReferenceNodes) and
+      (
+        newValue.getValue().toInt() = 1 and // true
+        encodeXercesDOMFlowState(result, 1, createEntityReferenceNodes)
+        or
+        not newValue.getValue().toInt() = 1 and // false or unknown
+        encodeXercesDOMFlowState(result, 0, createEntityReferenceNodes)
+      )
+    )
+  }
+}
+
+/**
+ * Flow state transformer for a call to
+ * `AbstractDOMParser.setCreateEntityReferenceNodes`. Transforms the flow
+ * state through the qualifier according to the setting in the parameter.
+ */
+class CreateEntityReferenceNodesTranformer extends XXEFlowStateTranformer {
+  Expr newValue;
+
+  CreateEntityReferenceNodesTranformer() {
+    exists(Call call, Function f |
+      call.getTarget() = f and
+      f.getDeclaringType() instanceof AbstractDOMParserClass and
+      f.hasName("setCreateEntityReferenceNodes") and
+      this = call.getQualifier() and
+      newValue = call.getArgument(0)
+    )
+  }
+
+  final override XXEFlowState transform(XXEFlowState flowstate) {
+    exists(int disabledDefaultEntityResolution |
+      encodeXercesDOMFlowState(flowstate, disabledDefaultEntityResolution, _) and
+      (
+        newValue.getValue().toInt() = 1 and // true
+        encodeXercesDOMFlowState(result, disabledDefaultEntityResolution, 1)
+        or
+        not newValue.getValue().toInt() = 1 and // false or unknown
+        encodeXercesDOMFlowState(result, disabledDefaultEntityResolution, 0)
+      )
+    )
+  }
+}
+
+/**
+ * The `AbstractDOMParser.parse` method.
+ */
+class ParseFunction extends Function {
+  ParseFunction() { this.getClassAndName("parse") instanceof AbstractDOMParserClass }
+}
+
+/**
+ * Configuration for tracking XML objects and their states.
+ */
+class XXEConfiguration extends DataFlow::Configuration {
+  XXEConfiguration() { this = "XXEConfiguration" }
+
+  override predicate isSource(DataFlow::Node node, string flowstate) {
+    // source is the write on `this` of a call to the `XercesDOMParser`
+    // constructor.
+    exists(CallInstruction call |
+      call.getStaticCallTarget() = any(XercesDOMParserClass c).getAConstructor() and
+      node.asInstruction().(WriteSideEffectInstruction).getDestinationAddress() =
+        call.getThisArgument() and
+      encodeXercesDOMFlowState(flowstate, 0, 1) // default configuration
+    )
+  }
+
+  override predicate isSink(DataFlow::Node node, string flowstate) {
+    // sink is the read of the qualifier of a call to `parse`.
+    exists(Call call |
+      call.getTarget() instanceof ParseFunction and
+      call.getQualifier() = node.asConvertedExpr()
+    ) and
+    flowstate instanceof XercesDOMParserFlowState and
+    not encodeXercesDOMFlowState(flowstate, 1, 1) // safe configuration
+  }
+
+  override predicate isAdditionalFlowStep(
+    DataFlow::Node node1, string state1, DataFlow::Node node2, string state2
+  ) {
+    // create additional flow steps for `XXEFlowStateTranformer`s
+    state2 = node2.asConvertedExpr().(XXEFlowStateTranformer).transform(state1) and
+    DataFlow::simpleLocalFlowStep(node1, node2)
+  }
+
+  override predicate isBarrier(DataFlow::Node node, string flowstate) {
+    // when the flowstate is transformed at a call node, block the original
+    // flowstate value.
+    node.asConvertedExpr().(XXEFlowStateTranformer).transform(flowstate) != flowstate
+  }
+}
+
+from XXEConfiguration conf, DataFlow::PathNode source, DataFlow::PathNode sink
+where conf.hasFlowPath(source, sink)
+select sink, source, sink,
+  "This $@ is not configured to prevent an XML external entity (XXE) attack.", source, "XML parser"
--- a/cpp/ql/src/Security/CWE/CWE-611/XXEBad.cpp
+++ b/cpp/ql/src/Security/CWE/CWE-611/XXEBad.cpp
@@ -0,0 +1,4 @@
+
+XercesDOMParser *parser = new XercesDOMParser();
+
+parser->parse(data); // BAD (parser is not correctly configured, may expand external entity references)
--- a/cpp/ql/src/Security/CWE/CWE-611/XXEGood.cpp
+++ b/cpp/ql/src/Security/CWE/CWE-611/XXEGood.cpp
@@ -0,0 +1,5 @@
+
+XercesDOMParser *parser = new XercesDOMParser();
+
+parser->setDisableDefaultEntityResolution(true);
+parser->parse(data);
--- a/cpp/ql/src/change-notes/2022-03-03-potential-system-data-exposure.md
+++ b/cpp/ql/src/change-notes/2022-03-03-potential-system-data-exposure.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* A new query, "Potential exposure of sensitive system data to an unauthorized control sphere" (`cpp/potential-system-data-exposure`) has been added. This query is focused on exposure of information that is highly likely to be sensitive, whereas the similar query "Exposure of system data to an unauthorized control sphere" (`cpp/system-data-exposure`) is focused on exposure of information on a channel that is more likely to be intercepted by an attacker.
--- a/cpp/ql/src/change-notes/2022-03-21-command-line-injection-with-flow-states.md
+++ b/cpp/ql/src/change-notes/2022-03-21-command-line-injection-with-flow-states.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The `cpp/command-line-injection` query now takes into account calling contexts across string concatenations. This removes false positives due to mismatched calling contexts before and after string concatenations.
--- a/cpp/ql/src/change-notes/2022-03-25-unused-lambda-capture.md
+++ b/cpp/ql/src/change-notes/2022-03-25-unused-lambda-capture.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The `cpp/unused-local-variable` no longer ignores functions that include lambda expressions capturing trivially copyable objects.
--- a/cpp/ql/src/change-notes/2022-03-28-cleartext-transmission.md
+++ b/cpp/ql/src/change-notes/2022-03-28-cleartext-transmission.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The `cpp/cleartext-transmission` query now recognizes additional sources, for sensitive private data such as e-mail addresses and credit card numbers.
--- a/cpp/ql/src/change-notes/2022-04-13-pexternal-entity-expansion.md
+++ b/cpp/ql/src/change-notes/2022-04-13-pexternal-entity-expansion.md
@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* An new query `cpp/external-entity-expansion` has been added. The query detects XML objects that are vulnerable to external entity expansion (XXE) attacks.
--- a/cpp/ql/src/change-notes/released/0.1.0.md
+++ b/cpp/ql/src/change-notes/released/0.1.0.md
@@ -0,0 +1,8 @@
+## 0.1.0
+
+### Minor Analysis Improvements
+
+* The `cpp/cleartext-transmission` query now recognizes additional sources, for sensitive private data such as e-mail addresses and credit card numbers.
+* The `cpp/unused-local-variable` no longer ignores functions that include lambda expressions capturing trivially copyable objects.
+* The `cpp/command-line-injection` query now takes into account calling contexts across string concatenations. This removes false positives due to mismatched calling contexts before and after string concatenations.
+* A new query, "Potential exposure of sensitive system data to an unauthorized control sphere" (`cpp/potential-system-data-exposure`) has been added. This query is focused on exposure of information that is highly likely to be sensitive, whereas the similar query "Exposure of system data to an unauthorized control sphere" (`cpp/system-data-exposure`) is focused on exposure of information on a channel that is more likely to be intercepted by an attacker.
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.13
+lastReleaseVersion: 0.1.0
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 0.1.0-dev
+version: 0.1.1-dev
 groups: 
  - cpp
  - queries
--- a/cpp/ql/test/library-tests/controlflow/dominance/bbIDominates.expected
+++ b/cpp/ql/test/library-tests/controlflow/dominance/bbIDominates.expected
@@ -31,4 +31,4 @@
 | test2 | 83 | if (...) ...  | 74 | test2 |
 | test2 | 83 | if (...) ...  | 84 | break; |
 | test2 | 83 | if (...) ...  | 85 | if (...) ...  |
-| test2 | 85 | if (...) ...  | 0 | { ... } |
+| test2 | 85 | if (...) ...  | 86 | { ... } |
--- a/cpp/ql/test/library-tests/controlflow/dominance/dominator.expected
+++ b/cpp/ql/test/library-tests/controlflow/dominance/dominator.expected
@@ -118,7 +118,7 @@
 | test | 44 | ... = ... | 42 | j |
 | test | 44 | ExprStmt | 44 | 10 |
 | test | 44 | w | 44 | ... = ... |
-| test | 47 | ... += ... | 50 | for(...;...;...) ... |
+| test | 47 | ... += ... | 50 | { ... } |
 | test | 47 | ExprStmt | 47 | z |
 | test | 47 | w | 47 | ... += ... |
 | test | 47 | z | 47 | w |
@@ -133,6 +133,7 @@
 | test | 50 | j | 50 | ... ++ |
 | test | 50 | j | 50 | ... = ... |
 | test | 50 | label ...: | 50 | j |
+| test | 50 | { ... } | 50 | for(...;...;...) ... |
 | test | 50 | { ... } | 51 | ExprStmt |
 | test | 51 | 30 | 51 | y |
 | test | 51 | ... = ... | 52 | if (...) ...  |
@@ -181,10 +182,10 @@
 | test | 70 | ExprStmt | 70 | 40 |
 | test | 70 | w | 70 | ... = ... |
 | test | 71 | return ... | 71 | w |
-| test2 | 0 | { ... } | 86 | ExprStmt |
 | test2 | 74 | { ... } | 76 | declaration |
-| test2 | 76 | declaration | 77 | for(...;...;...) ... |
+| test2 | 76 | declaration | 77 | { ... } |
 | test2 | 77 | for(...;...;...) ... | 77 | { ... } |
+| test2 | 77 | { ... } | 77 | for(...;...;...) ... |
 | test2 | 77 | { ... } | 78 | ExprStmt |
 | test2 | 78 | 10 | 78 | b |
 | test2 | 78 | ... = ... | 79 | if (...) ...  |
@@ -211,11 +212,12 @@
 | test2 | 83 | if (...) ...  | 83 | a |
 | test2 | 84 | break; | 87 | label ...: |
 | test2 | 85 | 20 | 85 | ... == ... |
-| test2 | 85 | ... == ... | 0 | { ... } |
+| test2 | 85 | ... == ... | 86 | { ... } |
 | test2 | 85 | a | 85 | 20 |
 | test2 | 85 | if (...) ...  | 85 | a |
 | test2 | 86 | ExprStmt | 86 | c |
 | test2 | 86 | c | 86 | return ... |
+| test2 | 86 | { ... } | 86 | ExprStmt |
 | test2 | 87 | label ...: | 88 | ExprStmt |
 | test2 | 88 | ExprStmt | 88 | b |
 | test2 | 88 | b | 88 | return ... |
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected
@@ -1,4 +1,18 @@
 uniqueEnclosingCallable
+| globals.cpp:9:5:9:19 | Address | Node should have one enclosing callable but has 0. |
+| globals.cpp:9:5:9:19 | VariableAddress | Node should have one enclosing callable but has 0. |
+| globals.cpp:9:5:9:19 | VariableAddress [post update] | Node should have one enclosing callable but has 0. |
+| globals.cpp:9:23:9:23 | 0 | Node should have one enclosing callable but has 0. |
+| globals.cpp:9:23:9:23 | ChiPartial | Node should have one enclosing callable but has 0. |
+| globals.cpp:9:23:9:23 | Store | Node should have one enclosing callable but has 0. |
+| globals.cpp:9:23:9:23 | StoreValue | Node should have one enclosing callable but has 0. |
+| globals.cpp:16:12:16:26 | Address | Node should have one enclosing callable but has 0. |
+| globals.cpp:16:12:16:26 | VariableAddress | Node should have one enclosing callable but has 0. |
+| globals.cpp:16:12:16:26 | VariableAddress [post update] | Node should have one enclosing callable but has 0. |
+| globals.cpp:16:30:16:30 | 0 | Node should have one enclosing callable but has 0. |
+| globals.cpp:16:30:16:30 | ChiPartial | Node should have one enclosing callable but has 0. |
+| globals.cpp:16:30:16:30 | Store | Node should have one enclosing callable but has 0. |
+| globals.cpp:16:30:16:30 | StoreValue | Node should have one enclosing callable but has 0. |
 uniqueType
 uniqueNodeLocation
 | BarrierGuard.cpp:2:11:2:13 | (unnamed parameter 0) | Node should have one location but has 6. |
@@ -199,7 +213,9 @@ postWithInFlow
 | example.c:28:22:28:25 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | example.c:28:23:28:25 | pos [post update] | PostUpdateNode should not be the target of local flow. |
 | globals.cpp:5:9:5:13 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
+| globals.cpp:9:5:9:19 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | globals.cpp:13:5:13:19 | flowTestGlobal1 [post update] | PostUpdateNode should not be the target of local flow. |
+| globals.cpp:16:12:16:26 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | globals.cpp:23:5:23:19 | flowTestGlobal2 [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:8:6:8:6 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:9:6:9:6 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
@@ -218,10 +234,10 @@ postWithInFlow
 | lambdas.cpp:20:11:20:11 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:20:11:20:11 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:20:11:20:11 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
-| lambdas.cpp:23:3:23:3 | (reference dereference) [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:23:3:23:14 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:23:3:23:14 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:23:3:23:14 | v [post update] | PostUpdateNode should not be the target of local flow. |
+| lambdas.cpp:23:15:23:15 | (reference dereference) [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:28:7:28:7 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:28:10:31:2 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:28:10:31:2 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
--- a/cpp/ql/test/library-tests/depends_initializers/InitializerAccesses.expected
+++ b/cpp/ql/test/library-tests/depends_initializers/InitializerAccesses.expected
@@ -1,7 +1,7 @@
 | initializers.cpp:18:8:18:15 | initializer for y | initializers.cpp:18:9:18:9 | x |
 | initializers.cpp:19:8:19:21 | initializer for z | initializers.cpp:19:9:19:9 | x |
 | initializers.cpp:23:8:23:9 | initializer for j | initializers.cpp:23:9:23:9 | i |
-| initializers.cpp:27:8:27:10 | initializer for aax | initializers.cpp:27:9:27:10 | ax |
+| initializers.cpp:27:9:27:10 | initializer for aax | initializers.cpp:27:9:27:10 | ax |
 | initializers.cpp:30:20:30:35 | initializer for myIntArray | initializers.cpp:30:22:30:22 | i |
 | template_static.cpp:9:24:9:24 | initializer for static_c | template_static.cpp:9:24:9:24 | c |
 | template_static.cpp:10:22:10:24 | initializer for static_v | template_static.cpp:10:24:10:24 | v |
--- a/cpp/ql/test/library-tests/depends_initializers/InitializerCFG.expected
+++ b/cpp/ql/test/library-tests/depends_initializers/InitializerCFG.expected
@@ -8,7 +8,7 @@
 | initializers.cpp:23:8:23:9 | initializer for j |  |
 | initializers.cpp:25:3:25:3 | initializer for a |  |
 | initializers.cpp:26:7:26:10 | initializer for ax |  |
-| initializers.cpp:27:8:27:10 | initializer for aax |  |
+| initializers.cpp:27:9:27:10 | initializer for aax |  |
 | initializers.cpp:30:20:30:35 | initializer for myIntArray |  |
 | initializers.cpp:31:3:31:15 | initializer for myObjectArray |  |
 | template_static.cpp:2:15:2:15 | initializer for c |  |
--- a/cpp/ql/test/library-tests/floats/float128/errors.expected
+++ b/cpp/ql/test/library-tests/floats/float128/errors.expected
@@ -1,3 +1,4 @@
 | file://:0:0:0:0 | There was an error during this compilation |
 | float128.cpp:1:39:1:39 | 128-bit floating-point types are not supported in this configuration |
-| float128.cpp:2:30:2:30 | 128-bit floating-point types are not supported in this configuration |
+| float128.cpp:2:30:2:30 | an attribute specifies a mode incompatible with '<error-type>' |
+| float128.cpp:2:41:2:41 | invalid combination of type specifiers |
--- a/cpp/ql/test/library-tests/floats/float128/usertypes.expected
+++ b/cpp/ql/test/library-tests/floats/float128/usertypes.expected
@@ -1,5 +1,4 @@
 | float128.cpp:1:50:1:60 | _Complex128 | file://:0:0:0:0 | <error-type> |
-| float128.cpp:2:41:2:49 | _Float128 | file://:0:0:0:0 | <error-type> |
 | float128.cpp:13:29:13:54 | __is_floating_point_helper<T> | float128.cpp:10:8:10:17 | false_type |
 | float128.cpp:14:19:14:51 | __is_floating_point_helper<float> | float128.cpp:11:8:11:16 | true_type |
 | float128.cpp:15:19:15:52 | __is_floating_point_helper<double> | float128.cpp:11:8:11:16 | true_type |
--- a/cpp/ql/test/library-tests/ir/ir/PrintConfig.qll
+++ b/cpp/ql/test/library-tests/ir/ir/PrintConfig.qll
@@ -12,4 +12,11 @@ predicate locationIsInStandardHeaders(Location loc) {
 *
 * This predicate excludes functions defined in standard headers.
 */
-predicate shouldDumpFunction(Function func) { not locationIsInStandardHeaders(func.getLocation()) }
+predicate shouldDumpFunction(Declaration decl) {
+  not locationIsInStandardHeaders(decl.getLocation()) and
+  (
+    not decl instanceof Variable
+    or
+    decl.(GlobalOrNamespaceVariable).hasInitializer()
+  )
+}
--- a/cpp/ql/test/library-tests/ir/ir/ir.cpp
+++ b/cpp/ql/test/library-tests/ir/ir/ir.cpp
@@ -1754,4 +1754,16 @@ int implicit_copy_constructor_test(
    CopyConstructorTestVirtualClass cy = y;
 }

+int global_1;
+
+int global_2 = 1;
+
+const int global_3 = 2;
+
+constructor_only global_4(1);
+
+constructor_only global_5 = constructor_only(2);
+
+char *global_string = "global string";
+
 // semmle-extractor-options: -std=c++17 --clang
--- a/cpp/ql/test/library-tests/ir/ir/operand_locations.expected
+++ b/cpp/ql/test/library-tests/ir/ir/operand_locations.expected
@@ -4743,6 +4743,16 @@
 | ir.cpp:1034:6:1034:20 | ChiTotal | total:m1034_2 |
 | ir.cpp:1034:6:1034:20 | SideEffect | m1034_3 |
 | ir.cpp:1035:15:1035:15 | Address | &:r1035_1 |
+| ir.cpp:1038:6:1038:8 | Address | &:r1038_3 |
+| ir.cpp:1038:6:1038:8 | SideEffect | ~m1038_9 |
+| ir.cpp:1038:12:1038:18 | Address | &:r1038_4 |
+| ir.cpp:1038:12:1038:18 | Address | &:r1038_4 |
+| ir.cpp:1038:12:1038:18 | ChiPartial | partial:m1038_5 |
+| ir.cpp:1038:12:1038:18 | ChiPartial | partial:m1038_8 |
+| ir.cpp:1038:12:1038:18 | ChiTotal | total:m1038_2 |
+| ir.cpp:1038:12:1038:18 | ChiTotal | total:m1038_6 |
+| ir.cpp:1038:12:1038:18 | Load | ~m1038_6 |
+| ir.cpp:1038:12:1038:18 | StoreValue | r1038_7 |
 | ir.cpp:1038:14:1038:14 | Address | &:r1038_5 |
 | ir.cpp:1038:14:1038:14 | Address | &:r1038_5 |
 | ir.cpp:1038:14:1038:14 | Address | &:r1038_5 |
@@ -4833,9 +4843,6 @@
 | ir.cpp:1043:24:1043:24 | SideEffect | ~m1043_20 |
 | ir.cpp:1043:31:1043:31 | Address | &:r1043_9 |
 | ir.cpp:1043:36:1043:55 | Address | &:r1043_11 |
-| ir.cpp:1043:43:1043:43 | Address | &:r1043_16 |
-| ir.cpp:1043:43:1043:43 | Arg(this) | this:r1043_16 |
-| ir.cpp:1043:43:1043:43 | SideEffect | ~m1043_20 |
 | ir.cpp:1043:43:1043:54 | Address | &:r1043_22 |
 | ir.cpp:1043:43:1043:54 | Address | &:r1043_24 |
 | ir.cpp:1043:43:1043:54 | Address | &:r1043_25 |
@@ -4856,8 +4863,11 @@
 | ir.cpp:1043:45:1043:49 | SideEffect | ~m1043_4 |
 | ir.cpp:1043:45:1043:49 | Unary | r1043_13 |
 | ir.cpp:1043:45:1043:49 | Unary | r1043_15 |
-| ir.cpp:1043:53:1043:53 | Load | ~m1043_20 |
-| ir.cpp:1043:53:1043:53 | Right | r1043_26 |
+| ir.cpp:1043:52:1043:52 | Address | &:r1043_16 |
+| ir.cpp:1043:52:1043:52 | Arg(this) | this:r1043_16 |
+| ir.cpp:1043:52:1043:52 | SideEffect | ~m1043_20 |
+| ir.cpp:1043:54:1043:54 | Load | ~m1043_20 |
+| ir.cpp:1043:54:1043:54 | Right | r1043_26 |
 | ir.cpp:1043:58:1043:58 | ChiPartial | partial:m1043_9 |
 | ir.cpp:1043:58:1043:58 | ChiTotal | total:m1043_3 |
 | ir.cpp:1043:58:1043:58 | StoreValue | r1043_8 |
@@ -4972,9 +4982,6 @@
 | ir.cpp:1047:34:1047:34 | SideEffect | ~m1047_20 |
 | ir.cpp:1047:41:1047:41 | Address | &:r1047_9 |
 | ir.cpp:1047:46:1047:65 | Address | &:r1047_11 |
-| ir.cpp:1047:53:1047:53 | Address | &:r1047_16 |
-| ir.cpp:1047:53:1047:53 | Arg(this) | this:r1047_16 |
-| ir.cpp:1047:53:1047:53 | SideEffect | ~m1047_20 |
 | ir.cpp:1047:53:1047:64 | Address | &:r1047_23 |
 | ir.cpp:1047:53:1047:64 | Load | ~m1047_20 |
 | ir.cpp:1047:53:1047:64 | StoreValue | r1047_24 |
@@ -4989,6 +4996,9 @@
 | ir.cpp:1047:55:1047:59 | SideEffect | ~m1047_4 |
 | ir.cpp:1047:55:1047:59 | Unary | r1047_13 |
 | ir.cpp:1047:55:1047:59 | Unary | r1047_15 |
+| ir.cpp:1047:62:1047:62 | Address | &:r1047_16 |
+| ir.cpp:1047:62:1047:62 | Arg(this) | this:r1047_16 |
+| ir.cpp:1047:62:1047:62 | SideEffect | ~m1047_20 |
 | ir.cpp:1047:63:1047:63 | Right | r1047_22 |
 | ir.cpp:1047:68:1047:68 | StoreValue | r1047_8 |
 | ir.cpp:1047:68:1047:68 | Unary | r1047_7 |
@@ -5097,9 +5107,6 @@
 | ir.cpp:1051:39:1051:39 | SideEffect | ~m1051_20 |
 | ir.cpp:1051:46:1051:46 | Address | &:r1051_9 |
 | ir.cpp:1051:51:1051:70 | Address | &:r1051_11 |
-| ir.cpp:1051:58:1051:58 | Address | &:r1051_16 |
-| ir.cpp:1051:58:1051:58 | Arg(this) | this:r1051_16 |
-| ir.cpp:1051:58:1051:58 | SideEffect | ~m1051_20 |
 | ir.cpp:1051:58:1051:69 | Address | &:r1051_22 |
 | ir.cpp:1051:58:1051:69 | Address | &:r1051_24 |
 | ir.cpp:1051:58:1051:69 | Address | &:r1051_26 |
@@ -5120,6 +5127,9 @@
 | ir.cpp:1051:60:1051:64 | SideEffect | ~m1051_4 |
 | ir.cpp:1051:60:1051:64 | Unary | r1051_13 |
 | ir.cpp:1051:60:1051:64 | Unary | r1051_15 |
+| ir.cpp:1051:67:1051:67 | Address | &:r1051_16 |
+| ir.cpp:1051:67:1051:67 | Arg(this) | this:r1051_16 |
+| ir.cpp:1051:67:1051:67 | SideEffect | ~m1051_20 |
 | ir.cpp:1051:73:1051:73 | ChiPartial | partial:m1051_9 |
 | ir.cpp:1051:73:1051:73 | ChiTotal | total:m1051_3 |
 | ir.cpp:1051:73:1051:73 | StoreValue | r1051_8 |
@@ -5184,9 +5194,6 @@
 | ir.cpp:1054:49:1054:49 | SideEffect | ~m1054_20 |
 | ir.cpp:1054:56:1054:56 | Address | &:r1054_9 |
 | ir.cpp:1054:61:1054:88 | Address | &:r1054_11 |
-| ir.cpp:1054:68:1054:68 | Address | &:r1054_16 |
-| ir.cpp:1054:68:1054:68 | Arg(this) | this:r1054_16 |
-| ir.cpp:1054:68:1054:68 | SideEffect | ~m1054_20 |
 | ir.cpp:1054:68:1054:87 | Address | &:r1054_37 |
 | ir.cpp:1054:68:1054:87 | Load | ~m1054_20 |
 | ir.cpp:1054:68:1054:87 | StoreValue | r1054_38 |
@@ -5201,6 +5208,9 @@
 | ir.cpp:1054:70:1054:74 | SideEffect | ~m1054_4 |
 | ir.cpp:1054:70:1054:74 | Unary | r1054_13 |
 | ir.cpp:1054:70:1054:74 | Unary | r1054_15 |
+| ir.cpp:1054:77:1054:77 | Address | &:r1054_16 |
+| ir.cpp:1054:77:1054:77 | Arg(this) | this:r1054_16 |
+| ir.cpp:1054:77:1054:77 | SideEffect | ~m1054_20 |
 | ir.cpp:1054:78:1054:82 | Address | &:r1054_22 |
 | ir.cpp:1054:78:1054:82 | Address | &:r1054_24 |
 | ir.cpp:1054:78:1054:82 | Left | r1054_25 |
@@ -8215,6 +8225,43 @@
 | ir.cpp:1754:42:1754:42 | SideEffect | ~m1752_4 |
 | ir.cpp:1754:42:1754:42 | Unary | r1754_5 |
 | ir.cpp:1754:42:1754:42 | Unary | r1754_6 |
+| ir.cpp:1759:5:1759:12 | Address | &:r1759_3 |
+| ir.cpp:1759:5:1759:12 | SideEffect | ~m1759_6 |
+| ir.cpp:1759:16:1759:16 | ChiPartial | partial:m1759_5 |
+| ir.cpp:1759:16:1759:16 | ChiTotal | total:m1759_2 |
+| ir.cpp:1759:16:1759:16 | StoreValue | r1759_4 |
+| ir.cpp:1761:11:1761:18 | Address | &:r1761_3 |
+| ir.cpp:1761:11:1761:18 | SideEffect | ~m1761_6 |
+| ir.cpp:1761:22:1761:22 | ChiPartial | partial:m1761_5 |
+| ir.cpp:1761:22:1761:22 | ChiTotal | total:m1761_2 |
+| ir.cpp:1761:22:1761:22 | StoreValue | r1761_4 |
+| ir.cpp:1763:18:1763:25 | Address | &:r1763_3 |
+| ir.cpp:1763:18:1763:25 | Arg(this) | this:r1763_3 |
+| ir.cpp:1763:18:1763:25 | SideEffect | ~m1763_10 |
+| ir.cpp:1763:27:1763:27 | Arg(0) | 0:r1763_5 |
+| ir.cpp:1763:27:1763:28 | CallTarget | func:r1763_4 |
+| ir.cpp:1763:27:1763:28 | ChiPartial | partial:m1763_7 |
+| ir.cpp:1763:27:1763:28 | ChiPartial | partial:m1763_9 |
+| ir.cpp:1763:27:1763:28 | ChiTotal | total:m1763_2 |
+| ir.cpp:1763:27:1763:28 | ChiTotal | total:m1763_8 |
+| ir.cpp:1763:27:1763:28 | SideEffect | ~m1763_2 |
+| ir.cpp:1765:18:1765:25 | Address | &:r1765_3 |
+| ir.cpp:1765:18:1765:25 | Arg(this) | this:r1765_3 |
+| ir.cpp:1765:18:1765:25 | SideEffect | ~m1765_10 |
+| ir.cpp:1765:28:1765:47 | CallTarget | func:r1765_4 |
+| ir.cpp:1765:28:1765:47 | ChiPartial | partial:m1765_7 |
+| ir.cpp:1765:28:1765:47 | ChiPartial | partial:m1765_9 |
+| ir.cpp:1765:28:1765:47 | ChiTotal | total:m1765_2 |
+| ir.cpp:1765:28:1765:47 | ChiTotal | total:m1765_8 |
+| ir.cpp:1765:28:1765:47 | SideEffect | ~m1765_2 |
+| ir.cpp:1765:46:1765:46 | Arg(0) | 0:r1765_5 |
+| ir.cpp:1767:7:1767:19 | Address | &:r1767_3 |
+| ir.cpp:1767:7:1767:19 | SideEffect | ~m1767_8 |
+| ir.cpp:1767:23:1767:37 | ChiPartial | partial:m1767_7 |
+| ir.cpp:1767:23:1767:37 | ChiTotal | total:m1767_2 |
+| ir.cpp:1767:23:1767:37 | StoreValue | r1767_6 |
+| ir.cpp:1767:23:1767:37 | Unary | r1767_4 |
+| ir.cpp:1767:23:1767:37 | Unary | r1767_5 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_5 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_5 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_7 |
@@ -8458,6 +8505,34 @@
 | smart_ptr.cpp:47:43:47:63 | SideEffect | ~m47_16 |
 | smart_ptr.cpp:47:43:47:63 | Unary | r47_5 |
 | smart_ptr.cpp:47:43:47:63 | Unary | r47_6 |
+| struct_init.cpp:9:13:9:25 | Left | r9_3 |
+| struct_init.cpp:9:13:9:25 | Left | r9_3 |
+| struct_init.cpp:9:13:9:25 | SideEffect | ~m11_10 |
+| struct_init.cpp:9:31:12:1 | Right | r9_4 |
+| struct_init.cpp:9:31:12:1 | Right | r9_6 |
+| struct_init.cpp:9:31:12:1 | Unary | r9_5 |
+| struct_init.cpp:9:31:12:1 | Unary | r9_5 |
+| struct_init.cpp:9:31:12:1 | Unary | r9_7 |
+| struct_init.cpp:9:31:12:1 | Unary | r9_7 |
+| struct_init.cpp:10:5:10:21 | Address | &:r10_1 |
+| struct_init.cpp:10:5:10:21 | Address | &:r10_6 |
+| struct_init.cpp:10:7:10:9 | ChiPartial | partial:m10_4 |
+| struct_init.cpp:10:7:10:9 | ChiTotal | total:m9_2 |
+| struct_init.cpp:10:7:10:9 | StoreValue | r10_3 |
+| struct_init.cpp:10:7:10:9 | Unary | r10_2 |
+| struct_init.cpp:10:12:10:19 | ChiPartial | partial:m10_8 |
+| struct_init.cpp:10:12:10:19 | ChiTotal | total:m10_5 |
+| struct_init.cpp:10:12:10:19 | StoreValue | r10_7 |
+| struct_init.cpp:11:5:11:22 | Address | &:r11_1 |
+| struct_init.cpp:11:5:11:22 | Address | &:r11_6 |
+| struct_init.cpp:11:7:11:9 | ChiPartial | partial:m11_4 |
+| struct_init.cpp:11:7:11:9 | ChiTotal | total:m10_9 |
+| struct_init.cpp:11:7:11:9 | StoreValue | r11_3 |
+| struct_init.cpp:11:7:11:9 | Unary | r11_2 |
+| struct_init.cpp:11:12:11:20 | ChiPartial | partial:m11_9 |
+| struct_init.cpp:11:12:11:20 | ChiTotal | total:m11_5 |
+| struct_init.cpp:11:12:11:20 | StoreValue | r11_8 |
+| struct_init.cpp:11:13:11:20 | Unary | r11_7 |
 | struct_init.cpp:16:6:16:20 | ChiPartial | partial:m16_3 |
 | struct_init.cpp:16:6:16:20 | ChiTotal | total:m16_2 |
 | struct_init.cpp:16:6:16:20 | SideEffect | ~m17_5 |
--- a/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
@@ -5650,6 +5650,19 @@ ir.cpp:
 # 1034|     v1034_5(void)               = AliasedUse         : ~m?
 # 1034|     v1034_6(void)               = ExitFunction       : 

+# 1038| (lambda [] type at line 1038, col. 12) lam
+# 1038|   Block 0
+# 1038|     v1038_1(void)                             = EnterFunction     : 
+# 1038|     mu1038_2(unknown)                         = AliasedDefinition : 
+# 1038|     r1038_3(glval<decltype([...](...){...})>) = VariableAddress   : 
+# 1038|     r1038_4(glval<decltype([...](...){...})>) = VariableAddress   : 
+# 1038|     mu1038_5(decltype([...](...){...}))       = Uninitialized     : &:r1038_4
+# 1038|     r1038_6(decltype([...](...){...}))        = Load[?]           : &:r1038_4, ~m?
+# 1038|     mu1038_7(decltype([...](...){...}))       = Store[?]          : &:r1038_3, r1038_6
+# 1038|     v1038_8(void)                             = ReturnVoid        : 
+# 1038|     v1038_9(void)                             = AliasedUse        : ~m?
+# 1038|     v1038_10(void)                            = ExitFunction      : 
+
 # 1038| void (lambda [] type at line 1038, col. 12)::operator()() const
 # 1038|   Block 0
 # 1038|     v1038_1(void)                              = EnterFunction                : 
@@ -9418,6 +9431,69 @@ ir.cpp:
 # 1750|     v1750_6(void)       = AliasedUse               : ~m?
 # 1750|     v1750_7(void)       = ExitFunction             : 

+# 1759| int global_2
+# 1759|   Block 0
+# 1759|     v1759_1(void)       = EnterFunction     : 
+# 1759|     mu1759_2(unknown)   = AliasedDefinition : 
+# 1759|     r1759_3(glval<int>) = VariableAddress   : 
+# 1759|     r1759_4(int)        = Constant[1]       : 
+# 1759|     mu1759_5(int)       = Store[?]          : &:r1759_3, r1759_4
+# 1759|     v1759_6(void)       = ReturnVoid        : 
+# 1759|     v1759_7(void)       = AliasedUse        : ~m?
+# 1759|     v1759_8(void)       = ExitFunction      : 
+
+# 1761| int const global_3
+# 1761|   Block 0
+# 1761|     v1761_1(void)       = EnterFunction     : 
+# 1761|     mu1761_2(unknown)   = AliasedDefinition : 
+# 1761|     r1761_3(glval<int>) = VariableAddress   : 
+# 1761|     r1761_4(int)        = Constant[2]       : 
+# 1761|     mu1761_5(int)       = Store[?]          : &:r1761_3, r1761_4
+# 1761|     v1761_6(void)       = ReturnVoid        : 
+# 1761|     v1761_7(void)       = AliasedUse        : ~m?
+# 1761|     v1761_8(void)       = ExitFunction      : 
+
+# 1763| constructor_only global_4
+# 1763|   Block 0
+# 1763|     v1763_1(void)                    = EnterFunction                     : 
+# 1763|     mu1763_2(unknown)                = AliasedDefinition                 : 
+# 1763|     r1763_3(glval<constructor_only>) = VariableAddress                   : 
+# 1763|     r1763_4(glval<unknown>)          = FunctionAddress[constructor_only] : 
+# 1763|     r1763_5(int)                     = Constant[1]                       : 
+# 1763|     v1763_6(void)                    = Call[constructor_only]            : func:r1763_4, this:r1763_3, 0:r1763_5
+# 1763|     mu1763_7(unknown)                = ^CallSideEffect                   : ~m?
+# 1763|     mu1763_8(constructor_only)       = ^IndirectMayWriteSideEffect[-1]   : &:r1763_3
+# 1763|     v1763_9(void)                    = ReturnVoid                        : 
+# 1763|     v1763_10(void)                   = AliasedUse                        : ~m?
+# 1763|     v1763_11(void)                   = ExitFunction                      : 
+
+# 1765| constructor_only global_5
+# 1765|   Block 0
+# 1765|     v1765_1(void)                    = EnterFunction                     : 
+# 1765|     mu1765_2(unknown)                = AliasedDefinition                 : 
+# 1765|     r1765_3(glval<constructor_only>) = VariableAddress                   : 
+# 1765|     r1765_4(glval<unknown>)          = FunctionAddress[constructor_only] : 
+# 1765|     r1765_5(int)                     = Constant[2]                       : 
+# 1765|     v1765_6(void)                    = Call[constructor_only]            : func:r1765_4, this:r1765_3, 0:r1765_5
+# 1765|     mu1765_7(unknown)                = ^CallSideEffect                   : ~m?
+# 1765|     mu1765_8(constructor_only)       = ^IndirectMayWriteSideEffect[-1]   : &:r1765_3
+# 1765|     v1765_9(void)                    = ReturnVoid                        : 
+# 1765|     v1765_10(void)                   = AliasedUse                        : ~m?
+# 1765|     v1765_11(void)                   = ExitFunction                      : 
+
+# 1767| char* global_string
+# 1767|   Block 0
+# 1767|     v1767_1(void)            = EnterFunction     : 
+# 1767|     mu1767_2(unknown)        = AliasedDefinition : 
+# 1767|     r1767_3(glval<char *>)   = VariableAddress   : 
+# 1767|     r1767_4(glval<char[14]>) = StringConstant    : 
+# 1767|     r1767_5(char *)          = Convert           : r1767_4
+# 1767|     r1767_6(char *)          = Convert           : r1767_5
+# 1767|     mu1767_7(char *)         = Store[?]          : &:r1767_3, r1767_6
+# 1767|     v1767_8(void)            = ReturnVoid        : 
+# 1767|     v1767_9(void)            = AliasedUse        : ~m?
+# 1767|     v1767_10(void)           = ExitFunction      : 
+
 perf-regression.cpp:
 #    6| void Big::Big()
 #    6|   Block 0
@@ -9639,6 +9715,34 @@ smart_ptr.cpp:
 #   28|     v28_6(void)                                           = ExitFunction                                           : 

 struct_init.cpp:
+#    9| Info infos_in_file[]
+#    9|   Block 0
+#    9|     v9_1(void)              = EnterFunction             : 
+#    9|     mu9_2(unknown)          = AliasedDefinition         : 
+#    9|     r9_3(glval<Info[]>)     = VariableAddress           : 
+#    9|     r9_4(int)               = Constant[0]               : 
+#    9|     r9_5(glval<Info>)       = PointerAdd[16]            : r9_3, r9_4
+#   10|     r10_1(glval<char *>)    = FieldAddress[name]        : r9_5
+#   10|     r10_2(glval<char[2]>)   = StringConstant            : 
+#   10|     r10_3(char *)           = Convert                   : r10_2
+#   10|     mu10_4(char *)          = Store[?]                  : &:r10_1, r10_3
+#   10|     r10_5(glval<..(*)(..)>) = FieldAddress[handler]     : r9_5
+#   10|     r10_6(..(*)(..))        = FunctionAddress[handler1] : 
+#   10|     mu10_7(..(*)(..))       = Store[?]                  : &:r10_5, r10_6
+#    9|     r9_6(int)               = Constant[1]               : 
+#    9|     r9_7(glval<Info>)       = PointerAdd[16]            : r9_3, r9_6
+#   11|     r11_1(glval<char *>)    = FieldAddress[name]        : r9_7
+#   11|     r11_2(glval<char[2]>)   = StringConstant            : 
+#   11|     r11_3(char *)           = Convert                   : r11_2
+#   11|     mu11_4(char *)          = Store[?]                  : &:r11_1, r11_3
+#   11|     r11_5(glval<..(*)(..)>) = FieldAddress[handler]     : r9_7
+#   11|     r11_6(glval<..()(..)>)  = FunctionAddress[handler2] : 
+#   11|     r11_7(..(*)(..))        = CopyValue                 : r11_6
+#   11|     mu11_8(..(*)(..))       = Store[?]                  : &:r11_5, r11_7
+#    9|     v9_8(void)              = ReturnVoid                : 
+#    9|     v9_9(void)              = AliasedUse                : ~m?
+#    9|     v9_10(void)             = ExitFunction              : 
+
 #   16| void let_info_escape(Info*)
 #   16|   Block 0
 #   16|     v16_1(void)          = EnterFunction                   : 
--- a/cpp/ql/test/library-tests/ir/ir/raw_ir.ql
+++ b/cpp/ql/test/library-tests/ir/ir/raw_ir.ql
@@ -7,5 +7,5 @@ private import semmle.code.cpp.ir.implementation.raw.PrintIR
 private import PrintConfig

 private class PrintConfig extends PrintIRConfiguration {
-  override predicate shouldPrintFunction(Function func) { shouldDumpFunction(func) }
+  override predicate shouldPrintFunction(Declaration decl) { shouldDumpFunction(decl) }
 }
--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
@@ -1234,6 +1234,8 @@ ssa.cpp:
 #  268|     v268_14(void)          = AliasedUse                         : ~m269_7
 #  268|     v268_15(void)          = ExitFunction                       : 

+#  274| Point* pp
+
 #  275| void EscapedButNotConflated(bool, Point, int)
 #  275|   Block 0
 #  275|     v275_1(void)           = EnterFunction           : 
--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected
@@ -1229,6 +1229,8 @@ ssa.cpp:
 #  268|     v268_14(void)          = AliasedUse                         : ~m269_7
 #  268|     v268_15(void)          = ExitFunction                       : 

+#  274| Point* pp
+
 #  275| void EscapedButNotConflated(bool, Point, int)
 #  275|   Block 0
 #  275|     v275_1(void)           = EnterFunction           : 
--- a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected
@@ -1140,6 +1140,8 @@ ssa.cpp:
 #  268|     v268_13(void)          = AliasedUse                         : ~m?
 #  268|     v268_14(void)          = ExitFunction                       : 

+#  274| Point* pp
+
 #  275| void EscapedButNotConflated(bool, Point, int)
 #  275|   Block 0
 #  275|     v275_1(void)           = EnterFunction           : 
--- a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.expected
@@ -1140,6 +1140,8 @@ ssa.cpp:
 #  268|     v268_13(void)          = AliasedUse                         : ~m?
 #  268|     v268_14(void)          = ExitFunction                       : 

+#  274| Point* pp
+
 #  275| void EscapedButNotConflated(bool, Point, int)
 #  275|   Block 0
 #  275|     v275_1(void)           = EnterFunction           : 
--- a/cpp/ql/test/library-tests/lambdas/captures/elements.expected
+++ b/cpp/ql/test/library-tests/lambdas/captures/elements.expected
@@ -156,10 +156,10 @@
 | captures.cpp:23:12:23:16 | x |
 | captures.cpp:23:12:23:16 | y |
 | captures.cpp:23:12:23:20 | ... + ... |
-| captures.cpp:23:16:23:16 | (reference dereference) |
 | captures.cpp:23:16:23:16 | definition of y |
 | captures.cpp:23:16:23:16 | y |
 | captures.cpp:23:16:23:16 | y |
+| captures.cpp:23:18:23:18 | (reference dereference) |
 | captures.cpp:23:20:23:20 | z |
 | captures.cpp:26:3:26:24 | return ... |
 | captures.cpp:26:10:26:17 | (const lambda [] type at line 22, col. 19)... |
--- a/cpp/ql/test/library-tests/sideEffects/stmts/stmts.expected
+++ b/cpp/ql/test/library-tests/sideEffects/stmts/stmts.expected
@@ -2,6 +2,7 @@
 | stmts.c:3:5:3:10 | declaration | true | true |
 | stmts.c:4:5:4:18 | declaration | true | true |
 | stmts.c:5:5:5:16 | declaration | false | true |
+| stmts.c:7:5:7:5 | { ... } | true | true |
 | stmts.c:7:5:14:5 | switch (...) ...  | true | true |
 | stmts.c:7:15:14:5 | { ... } | true | true |
 | stmts.c:8:9:8:15 | case ...: | true | true |
--- a/cpp/ql/test/library-tests/switch/blocks.expected
+++ b/cpp/ql/test/library-tests/switch/blocks.expected
@@ -1,12 +1,9 @@
-| switch.c:2:5:2:5 | f | switch.c:2:14:12:1 | { ... } | switch.c:3:5:10:5 | switch (...) ...  |
-| switch.c:2:5:2:5 | f | switch.c:2:14:12:1 | { ... } | switch.c:10:5:10:5 | label ...: |
+| switch.c:2:5:2:5 | f | switch.c:2:14:12:1 | { ... } | switch.c:3:5:3:5 | { ... } |
 | switch.c:2:5:2:5 | f | switch.c:2:14:12:1 | { ... } | switch.c:11:5:11:13 | return ... |
 | switch.c:14:6:14:6 | g | switch.c:14:15:52:1 | { ... } | switch.c:15:2:15:7 | declaration |
-| switch.c:14:6:14:6 | g | switch.c:14:15:52:1 | { ... } | switch.c:17:5:26:5 | switch (...) ...  |
-| switch.c:14:6:14:6 | g | switch.c:14:15:52:1 | { ... } | switch.c:26:5:26:5 | label ...: |
+| switch.c:14:6:14:6 | g | switch.c:14:15:52:1 | { ... } | switch.c:17:5:17:5 | { ... } |
 | switch.c:14:6:14:6 | g | switch.c:14:15:52:1 | { ... } | switch.c:28:5:29:5 | switch (...) ...  |
-| switch.c:14:6:14:6 | g | switch.c:14:15:52:1 | { ... } | switch.c:31:5:44:2 | switch (...) ...  |
-| switch.c:14:6:14:6 | g | switch.c:14:15:52:1 | { ... } | switch.c:44:2:44:2 | label ...: |
+| switch.c:14:6:14:6 | g | switch.c:14:15:52:1 | { ... } | switch.c:31:5:31:5 | { ... } |
 | switch.c:14:6:14:6 | g | switch.c:14:15:52:1 | { ... } | switch.c:46:2:51:2 | switch (...) ...  |
 | switch.c:14:6:14:6 | g | switch.c:14:15:52:1 | { ... } | switch.c:52:1:52:1 | return ... |
 | switch.cpp:4:5:4:5 | f | switch.cpp:4:14:9:1 | { ... } | switch.cpp:5:5:8:5 | switch (...) ...  |
--- a/cpp/ql/test/library-tests/switch_cfg/cfg.expected
+++ b/cpp/ql/test/library-tests/switch_cfg/cfg.expected
@@ -1,87 +1,89 @@
-| 10 | 1 | { ... } | 12 switch (...) ...  |
-| 10 | 43 | f | <no successors> |
-| 12 | 2 | switch (...) ...  | 12 cond |
-| 12 | 3 | cond | 12 { ... } |
-| 12 | 4 | { ... } | 13 case ...: |
-| 12 | 4 | { ... } | 16 case ...: |
-| 12 | 4 | { ... } | 18 case ...: |
-| 12 | 4 | { ... } | 21 case ...: |
-| 12 | 4 | { ... } | 22 case ...: |
-| 12 | 4 | { ... } | 24 case ...: |
-| 12 | 4 | { ... } | 25 default:  |
-| 12 | 4 | { ... } | 26 case ...: |
-| 12 | 4 | { ... } | 28 case ...: |
+| 10 | 1 | { ... } | 12 { ... } |
+| 10 | 44 | f | <no successors> |
+| 12 | 2 | { ... } | 12 switch (...) ...  |
+| 12 | 3 | switch (...) ...  | 12 cond |
+| 12 | 4 | cond | 12 { ... } |
+| 12 | 5 | { ... } | 13 case ...: |
+| 12 | 5 | { ... } | 16 case ...: |
+| 12 | 5 | { ... } | 18 case ...: |
+| 12 | 5 | { ... } | 21 case ...: |
+| 12 | 5 | { ... } | 22 case ...: |
+| 12 | 5 | { ... } | 24 case ...: |
+| 12 | 5 | { ... } | 25 default:  |
+| 12 | 5 | { ... } | 26 case ...: |
+| 12 | 5 | { ... } | 28 case ...: |
 | 13 | 1 | 1 | <no successors> |
-| 13 | 5 | case ...: | 14 ExprStmt |
-| 14 | 6 | ExprStmt | 14 111 |
-| 14 | 7 | 111 | 14 x |
-| 14 | 8 | x | 14 ... = ... |
-| 14 | 9 | ... = ... | 15 break; |
-| 15 | 10 | break; | 31 label ...: |
+| 13 | 6 | case ...: | 14 ExprStmt |
+| 14 | 7 | ExprStmt | 14 111 |
+| 14 | 8 | 111 | 14 x |
+| 14 | 9 | x | 14 ... = ... |
+| 14 | 10 | ... = ... | 15 break; |
+| 15 | 11 | break; | 31 label ...: |
 | 16 | 1 | 1 | <no successors> |
 | 16 | 1 | 2 | <no successors> |
 | 16 | 1 | ... + ... | <no successors> |
-| 16 | 5 | case ...: | 17 ExprStmt |
-| 17 | 6 | ExprStmt | 17 333 |
-| 17 | 7 | 333 | 17 x |
-| 17 | 8 | x | 17 ... = ... |
-| 17 | 9 | ... = ... | 18 case ...: |
+| 16 | 6 | case ...: | 17 ExprStmt |
+| 17 | 7 | ExprStmt | 17 333 |
+| 17 | 8 | 333 | 17 x |
+| 17 | 9 | x | 17 ... = ... |
+| 17 | 10 | ... = ... | 18 case ...: |
 | 18 | 1 | 4 | <no successors> |
-| 18 | 10 | case ...: | 19 ExprStmt |
-| 19 | 11 | ExprStmt | 19 444 |
-| 19 | 12 | 444 | 19 x |
-| 19 | 13 | x | 19 ... = ... |
-| 19 | 14 | ... = ... | 20 break; |
-| 20 | 15 | break; | 31 label ...: |
+| 18 | 11 | case ...: | 19 ExprStmt |
+| 19 | 12 | ExprStmt | 19 444 |
+| 19 | 13 | 444 | 19 x |
+| 19 | 14 | x | 19 ... = ... |
+| 19 | 15 | ... = ... | 20 break; |
+| 20 | 16 | break; | 31 label ...: |
 | 21 | 1 | 5 | <no successors> |
-| 21 | 5 | case ...: | 22 case ...: |
+| 21 | 6 | case ...: | 22 case ...: |
 | 22 | 1 | 6 | <no successors> |
-| 22 | 6 | case ...: | 23 ExprStmt |
-| 23 | 7 | ExprStmt | 23 777 |
-| 23 | 8 | 777 | 23 x |
-| 23 | 9 | x | 23 ... = ... |
-| 23 | 10 | ... = ... | 24 case ...: |
+| 22 | 7 | case ...: | 23 ExprStmt |
+| 23 | 8 | ExprStmt | 23 777 |
+| 23 | 9 | 777 | 23 x |
+| 23 | 10 | x | 23 ... = ... |
+| 23 | 11 | ... = ... | 24 case ...: |
 | 24 | 1 | 7 | <no successors> |
-| 24 | 11 | case ...: | 25 default:  |
-| 25 | 12 | default:  | 26 case ...: |
+| 24 | 12 | case ...: | 25 default:  |
+| 25 | 13 | default:  | 26 case ...: |
 | 26 | 1 | 8 | <no successors> |
-| 26 | 13 | case ...: | 27 ExprStmt |
-| 27 | 14 | ExprStmt | 27 888 |
-| 27 | 15 | 888 | 27 x |
-| 27 | 16 | x | 27 ... = ... |
-| 27 | 17 | ... = ... | 28 case ...: |
+| 26 | 14 | case ...: | 27 ExprStmt |
+| 27 | 15 | ExprStmt | 27 888 |
+| 27 | 16 | 888 | 27 x |
+| 27 | 17 | x | 27 ... = ... |
+| 27 | 18 | ... = ... | 28 case ...: |
 | 28 | 1 | 9 | <no successors> |
-| 28 | 18 | case ...: | 29 ExprStmt |
-| 29 | 19 | ExprStmt | 29 999 |
-| 29 | 20 | 999 | 29 x |
-| 29 | 21 | x | 29 ... = ... |
-| 29 | 22 | ... = ... | 30 break; |
-| 30 | 23 | break; | 31 label ...: |
-| 31 | 41 | label ...: | 33 return ... |
-| 33 | 42 | return ... | 10 f |
-| 36 | 1 | { ... } | 38 switch (...) ...  |
-| 36 | 22 | g | <no successors> |
-| 38 | 2 | switch (...) ...  | 38 cond |
-| 38 | 3 | cond | 38 { ... } |
-| 38 | 4 | { ... } | 39 case ...: |
-| 38 | 4 | { ... } | 42 case ...: |
-| 38 | 4 | { ... } | 45 label ...: |
+| 28 | 19 | case ...: | 29 ExprStmt |
+| 29 | 20 | ExprStmt | 29 999 |
+| 29 | 21 | 999 | 29 x |
+| 29 | 22 | x | 29 ... = ... |
+| 29 | 23 | ... = ... | 30 break; |
+| 30 | 24 | break; | 31 label ...: |
+| 31 | 42 | label ...: | 33 return ... |
+| 33 | 43 | return ... | 10 f |
+| 36 | 1 | { ... } | 38 { ... } |
+| 36 | 23 | g | <no successors> |
+| 38 | 2 | { ... } | 38 switch (...) ...  |
+| 38 | 3 | switch (...) ...  | 38 cond |
+| 38 | 4 | cond | 38 { ... } |
+| 38 | 5 | { ... } | 39 case ...: |
+| 38 | 5 | { ... } | 42 case ...: |
+| 38 | 5 | { ... } | 45 label ...: |
 | 39 | 1 | 1 | <no successors> |
-| 39 | 5 | case ...: | 40 ExprStmt |
-| 40 | 6 | ExprStmt | 40 111 |
-| 40 | 7 | 111 | 40 x |
-| 40 | 8 | x | 40 ... = ... |
-| 40 | 9 | ... = ... | 41 break; |
-| 41 | 10 | break; | 45 label ...: |
+| 39 | 6 | case ...: | 40 ExprStmt |
+| 40 | 7 | ExprStmt | 40 111 |
+| 40 | 8 | 111 | 40 x |
+| 40 | 9 | x | 40 ... = ... |
+| 40 | 10 | ... = ... | 41 break; |
+| 41 | 11 | break; | 45 label ...: |
 | 42 | 1 | 2 | <no successors> |
-| 42 | 5 | case ...: | 43 ExprStmt |
-| 43 | 6 | ExprStmt | 43 222 |
-| 43 | 7 | 222 | 43 x |
-| 43 | 8 | x | 43 ... = ... |
-| 43 | 9 | ... = ... | 45 label ...: |
-| 45 | 16 | label ...: | 46 ExprStmt |
-| 46 | 17 | ExprStmt | 46 999 |
-| 46 | 18 | 999 | 46 x |
-| 46 | 19 | x | 46 ... = ... |
-| 46 | 20 | ... = ... | 48 return ... |
-| 48 | 21 | return ... | 36 g |
+| 42 | 6 | case ...: | 43 ExprStmt |
+| 43 | 7 | ExprStmt | 43 222 |
+| 43 | 8 | 222 | 43 x |
+| 43 | 9 | x | 43 ... = ... |
+| 43 | 10 | ... = ... | 45 label ...: |
+| 45 | 17 | label ...: | 46 ExprStmt |
+| 46 | 18 | ExprStmt | 46 999 |
+| 46 | 19 | 999 | 46 x |
+| 46 | 20 | x | 46 ... = ... |
+| 46 | 21 | ... = ... | 48 return ... |
+| 48 | 22 | return ... | 36 g |
--- a/Show More
+++ b/Show More