Swift: use git-lfs devcontainer feature

.bazelrc

@@ -24,6 +24,5 @@ common --registry=file:///%workspace%/misc/bazel/registry
 common --registry=https://bcr.bazel.build
 
 common --@rules_dotnet//dotnet/settings:strict_deps=false
-common --experimental_isolated_extension_usages
 
 try-import %workspace%/local.bazelrc

.bazelrc.internal

@@ -8,4 +8,3 @@ common --registry=https://bcr.bazel.build
 # its implementation packages without providing any code itself.
 # We either can depend on internal implementation details, or turn of strict deps.
 common --@rules_dotnet//dotnet/settings:strict_deps=false
-common --experimental_isolated_extension_usages

.bazelversion

@@ -1 +1 @@
-5f5d70b6c4d2fb1a889479569107f1692239e8a7
+7.2.1

.devcontainer/swift/devcontainer.json

@@ -1,25 +1,28 @@
 {
-	"extensions": [
-		"github.vscode-codeql",
-		"hbenl.vscode-test-explorer",
-		"ms-vscode.test-adapter-converter",
-		"slevesque.vscode-zipexplorer",
-		"ms-vscode.cpptools"
-	],
-	"settings": {
-		"files.watcherExclude": {
-			"**/target/**": true
-		},
-		"codeQL.runningQueries.memory": 2048
-	},
-	"build": {
-		"dockerfile": "Dockerfile",
-	},
-	"runArgs": [
-		"--cap-add=SYS_PTRACE",
-		"--security-opt",
-		"seccomp=unconfined"
-	],
-	"remoteUser": "vscode",
-	"onCreateCommand": ".devcontainer/swift/user.sh"
+  "extensions": [
+    "github.vscode-codeql",
+    "hbenl.vscode-test-explorer",
+    "ms-vscode.test-adapter-converter",
+    "slevesque.vscode-zipexplorer",
+    "ms-vscode.cpptools"
+  ],
+  "features": {
+    "git-lfs": "latest"
+  },
+  "settings": {
+    "files.watcherExclude": {
+      "**/target/**": true
+    },
+    "codeQL.runningQueries.memory": 2048
+  },
+  "build": {
+    "dockerfile": "Dockerfile",
+  },
+  "runArgs": [
+    "--cap-add=SYS_PTRACE",
+    "--security-opt",
+    "seccomp=unconfined"
+  ],
+  "remoteUser": "vscode",
+  "onCreateCommand": ".devcontainer/swift/user.sh"
 }

.devcontainer/swift/root.sh

@@ -3,9 +3,6 @@ set -xe
 BAZELISK_VERSION=v1.12.0
 BAZELISK_DOWNLOAD_SHA=6b0bcb2ea15bca16fffabe6fda75803440375354c085480fe361d2cbf32501db
 
-# install git lfs apt source
-curl -s https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh | bash
-
 # install gh apt source
 (type -p wget >/dev/null || (sudo apt update && sudo apt-get install wget -y)) \
 && sudo mkdir -p -m 755 /etc/apt/keyrings \
@@ -21,7 +18,6 @@ apt-get -y install --no-install-recommends \
     python3-distutils \
     python3-pip \
     bash-completion \
-    git-lfs \
     gh
 
 # Install Bazel

.devcontainer/swift/user.sh

@@ -1,7 +1,5 @@
 set -xe
 
-git lfs install
-
 # add the workspace to the codeql search path
 mkdir -p /home/vscode/.config/codeql
 echo "--search-path /workspaces/codeql" > /home/vscode/.config/codeql/config

.github/labeler.yml

@@ -30,10 +30,6 @@ Ruby:
   - ruby/**/*
   - change-notes/**/*ruby*
 
-Rust:
-  - rust/**/*
-  - change-notes/**/*rust*
-
 Swift:
   - swift/**/*
   - change-notes/**/*swift*

.github/pull_request_template.md

@@ -1,14 +0,0 @@
-### Pull Request checklist
-
-#### All query authors
-
-- [ ] A change note is added if necessary. See [the documentation](https://github.com/github/codeql/blob/main/docs/change-notes.md) in this repository.
-- [ ] All new queries have appropriate `.qhelp`. See [the documentation](https://github.com/github/codeql/blob/main/docs/query-help-style-guide.md) in this repository.
-- [ ] QL tests are added if necessary. See [Testing custom queries](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/testing-custom-queries) in the GitHub documentation.
-- [ ] New and changed queries have correct query metadata. See [the documentation](https://github.com/github/codeql/blob/main/docs/query-metadata-style-guide.md) in this repository.
-
-#### Internal query authors only
-
-- [ ] Autofixes generated based on these changes are valid, only needed if this PR makes significant changes to `.ql`, `.qll`, or `.qhelp` files. See [the documentation](https://github.com/github/codeql-team/blob/main/docs/best-practices/validating-autofix-for-query-changes.md) (internal access required).
-- [ ] Changes are validated [at scale](https://github.com/github/codeql-dca/) (internal access required).
-- [ ] Adding a new query? Consider also [adding the query to autofix](https://github.com/github/codeml-autofix/blob/main/docs/updating-query-support.md#adding-a-new-query-to-the-query-suite).

.github/workflows/buildifier.yml

@@ -24,5 +24,5 @@ jobs:
           extra_args: >
             buildifier --all-files 2>&1 ||
             (
-              echo -e "In order to format all bazel files, please run:\n  bazel run //misc/bazel/buildifier"; exit 1
+              echo -e "In order to format all bazel files, please run:\n  bazel run //misc/bazel:buildifier"; exit 1
             )

.github/workflows/check-change-note.yml

@@ -16,12 +16,11 @@ on:
       - "shared/**/*.qll"
       - "!**/experimental/**"
       - "!ql/**"
-      - "!rust/**"
       - ".github/workflows/check-change-note.yml"
 
 jobs:
   check-change-note:
-    env:
+    env: 
       REPO: ${{ github.repository }}
       PULL_REQUEST_NUMBER: ${{ github.event.number }}
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -34,7 +33,7 @@ jobs:
           !contains(github.event.pull_request.labels.*.name, 'no-change-note-required')
         run: |
           change_note_files=$(gh api "repos/$REPO/pulls/$PULL_REQUEST_NUMBER/files" --paginate --jq '.[].filename | select(test("/change-notes/.*[.]md$"))')
-
+          
           if [ -z "$change_note_files" ]; then
             echo "No change note found. Either add one, or add the 'no-change-note-required' label."
             exit 1

.github/workflows/compile-queries.yml

@@ -29,6 +29,8 @@ jobs:
           key: all-queries
       - name: check formatting
         run: find shared */ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
+      - name: Omit DatabaseQualityDiagnostics.ql from compile checking # Remove me once CodeQL 2.18.0 is released!
+        run: mv java/ql/src/Telemetry/DatabaseQualityDiagnostics.ql{,.hidden}
       - name: compile queries - check-only
         # run with --check-only if running in a PR (github.sha != main)
         if : ${{ github.event_name == 'pull_request' }}
@@ -39,3 +41,6 @@ jobs:
         if : ${{ github.event_name != 'pull_request' }}
         shell: bash
         run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500
+      - name: Restore DatabaseQualityDiagnostics.ql after compile checking # Remove me once CodeQL 2.18.0 is released
+        run: mv java/ql/src/Telemetry/DatabaseQualityDiagnostics.ql{.hidden,}
+

.github/workflows/cpp-swift-analysis.yml

@@ -37,7 +37,7 @@ jobs:
       with:
         languages: cpp
         config-file: ./.github/codeql/codeql-config.yml
-
+  
     - name: "[Ubuntu] Remove GCC 13 from runner image"
       shell: bash
       run: |
@@ -48,7 +48,7 @@ jobs:
     - name: "Build Swift extractor using Bazel"
       run: |
         bazel clean --expunge
-        bazel run //swift:create-extractor-pack --nouse_action_cache --noremote_accept_cached --noremote_upload_local_results --spawn_strategy=local
+        bazel run //swift:create-extractor-pack --nouse_action_cache --noremote_accept_cached --noremote_upload_local_results --spawn_strategy=local --features=-layering_check
         bazel shutdown
 
     - name: Perform CodeQL Analysis

.github/workflows/csharp-qltest.yml

@@ -29,6 +29,45 @@ permissions:
   contents: read
 
 jobs:
+  qlupgrade:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/fetch-codeql
+      - name: Check DB upgrade scripts
+        run: |
+          echo >empty.trap
+          codeql dataset import -S ql/lib/upgrades/initial/semmlecode.csharp.dbscheme testdb empty.trap
+          codeql dataset upgrade testdb --additional-packs ql/lib
+          diff -q testdb/semmlecode.csharp.dbscheme ql/lib/semmlecode.csharp.dbscheme
+      - name: Check DB downgrade scripts
+        run: |
+          echo >empty.trap
+          rm -rf testdb; codeql dataset import -S ql/lib/semmlecode.csharp.dbscheme testdb empty.trap
+          codeql resolve upgrades --format=lines --allow-downgrades --additional-packs downgrades \
+           --dbscheme=ql/lib/semmlecode.csharp.dbscheme --target-dbscheme=downgrades/initial/semmlecode.csharp.dbscheme |
+           xargs codeql execute upgrades testdb
+          diff -q testdb/semmlecode.csharp.dbscheme downgrades/initial/semmlecode.csharp.dbscheme
+  qltest:
+    if: github.repository_owner == 'github'
+    runs-on: ubuntu-latest-xl
+    strategy:
+      fail-fast: false
+      matrix:
+        slice: ["1/2", "2/2"]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./csharp/actions/create-extractor-pack
+      - name: Cache compilation cache
+        id: query-cache
+        uses: ./.github/actions/cache-query-compilation
+        with:
+          key: csharp-qltest-${{ matrix.slice }}
+      - name: Run QL tests
+        run: |
+          codeql test run --threads=0 --ram 50000 --slice ${{ matrix.slice }} --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
   unit-tests:
     strategy:
       matrix:

.github/workflows/go-tests.yml

@@ -3,7 +3,6 @@ on:
   push:
     paths:
       - "go/**"
-      - "shared/**"
       - .github/workflows/go-tests.yml
       - .github/actions/**
       - codeql-workspace.yml
@@ -13,7 +12,6 @@ on:
   pull_request:
     paths:
       - "go/**"
-      - "shared/**"
       - .github/workflows/go-tests.yml
       - .github/actions/**
       - codeql-workspace.yml

.github/workflows/ruby-build.yml

@@ -65,8 +65,8 @@ jobs:
         id: cache-extractor
         with:
           path: |
-            target/release/codeql-extractor-ruby
-            target/release/codeql-extractor-ruby.exe
+            ruby/extractor/target/release/codeql-extractor-ruby
+            ruby/extractor/target/release/codeql-extractor-ruby.exe
             ruby/extractor/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
           key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-extractor-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/Cargo.lock') }}-${{ hashFiles('shared/tree-sitter-extractor') }}-${{ hashFiles('ruby/extractor/**/*.rs') }}
       - uses: actions/cache@v3
@@ -75,7 +75,7 @@ jobs:
           path: |
             ~/.cargo/registry
             ~/.cargo/git
-            target
+            ruby/target
           key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-rust-cargo-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/**/Cargo.lock') }}
       - name: Check formatting
         if: steps.cache-extractor.outputs.cache-hit != 'true'
@@ -91,7 +91,7 @@ jobs:
         run: cd extractor && cargo build --release
       - name: Generate dbscheme
         if: ${{ matrix.os == 'ubuntu-latest' && steps.cache-extractor.outputs.cache-hit != 'true'}}
-        run: ../target/release/codeql-extractor-ruby generate --dbscheme ql/lib/ruby.dbscheme --library ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
+        run: extractor/target/release/codeql-extractor-ruby generate --dbscheme ql/lib/ruby.dbscheme --library ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
       - uses: actions/upload-artifact@v3
         if: ${{ matrix.os == 'ubuntu-latest' }}
         with:
@@ -106,8 +106,8 @@ jobs:
         with:
           name: extractor-${{ matrix.os }}
           path: |
-            target/release/codeql-extractor-ruby
-            target/release/codeql-extractor-ruby.exe
+            ruby/extractor/target/release/codeql-extractor-ruby
+            ruby/extractor/target/release/codeql-extractor-ruby.exe
           retention-days: 1
   compile-queries:
     if: github.repository_owner == 'github'
@@ -140,7 +140,6 @@ jobs:
           path: |
             ${{ runner.temp }}/query-packs/*
           retention-days: 1
-          include-hidden-files: true
 
   package:
     runs-on: ubuntu-latest
@@ -177,7 +176,6 @@ jobs:
           name: codeql-ruby-pack
           path: ruby/codeql-ruby.zip
           retention-days: 1
-          include-hidden-files: true
       - uses: actions/download-artifact@v3
         with:
           name: codeql-ruby-queries
@@ -195,7 +193,6 @@ jobs:
           name: codeql-ruby-bundle
           path: ruby/codeql-ruby-bundle.zip
           retention-days: 1
-          include-hidden-files: true
 
   test:
     defaults:

.github/workflows/rust.yml

@@ -1,58 +0,0 @@
-name: "Rust"
-
-on:
-  pull_request:
-    paths:
-      - "rust/**"
-      - "misc/bazel/**"
-      - "misc/codegen/**"
-      - "shared/**"
-      - "MODULE.bazel"
-      - .github/workflows/rust.yml
-      - .github/actions/**
-      - codeql-workspace.yml
-      - "!**/*.md"
-      - "!**/*.qhelp"
-    branches:
-      - rust-experiment
-      - main
-      - rc/*
-      - codeql-cli-*
-
-permissions:
-  contents: read
-
-jobs:
-  rust-code:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Format
-        working-directory: rust/extractor
-        shell: bash
-        run: |
-          cargo fmt --check
-      - name: Compilation
-        working-directory: rust/extractor
-        shell: bash
-        run: cargo check
-      - name: Clippy
-        working-directory: rust/extractor
-        shell: bash
-        run: |
-          cargo clippy --fix
-          git diff --exit-code
-  rust-codegen:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Install CodeQL
-        uses: ./.github/actions/fetch-codeql
-      - name: Code generation
-        shell: bash
-        run: |
-          bazel run //rust/codegen
-          git add .
-          git diff --exit-code HEAD

.gitignore

@@ -7,8 +7,8 @@
 .cache
 
 # qltest projects and artifacts
-*.actual
 */ql/test/**/*.testproj
+*/ql/test/**/*.actual
 */ql/test/**/go.sum
 
 # Visual studio temporaries, except a file used by QL4VS
@@ -65,9 +65,3 @@ node_modules/
 
 # bazel-built in-tree extractor packs
 /*/extractor-pack
-
-# Jetbrains IDE files
-.idea
-
-# cargo build directory
-/target

.pre-commit-config.yaml

@@ -5,9 +5,9 @@ repos:
     rev: v3.2.0
     hooks:
       - id: trailing-whitespace
-        exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
+        exclude: /test/.*$(?<!\.ql)(?<!\.qll)(?<!\.qlref)|.*\.patch
       - id: end-of-file-fixer
-        exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
+        exclude: /test/.*$(?<!\.ql)(?<!\.qll)(?<!\.qlref)|.*\.patch
 
   - repo: https://github.com/pre-commit/mirrors-clang-format
     rev: v17.0.6
@@ -15,7 +15,7 @@ repos:
       - id: clang-format
 
   - repo: https://github.com/pre-commit/mirrors-autopep8
-    rev: v2.0.4
+    rev: v1.6.0
     hooks:
       - id: autopep8
         files: ^misc/codegen/.*\.py
@@ -26,7 +26,7 @@ repos:
         name: Format bazel files
         files: \.(bazel|bzl)
         language: system
-        entry: bazel run //misc/bazel/buildifier
+        entry: bazel run //misc/bazel:buildifier
         pass_filenames: false
 
 #      DISABLED: can be enabled by copying this config and installing `pre-commit` with `--config` on the copy
@@ -45,7 +45,7 @@ repos:
 
       - id: sync-files
         name: Fix files required to be identical
-        files: \.(qll?|qhelp|swift|toml)$|^config/identical-files\.json$
+        files: \.(qll?|qhelp|swift)$|^config/identical-files\.json$
         language: system
         entry: python3 config/sync-files.py --latest
         pass_filenames: false
@@ -58,7 +58,7 @@ repos:
 
       - id: swift-codegen
         name: Run Swift checked in code generation
-        files: ^misc/codegen/|^swift/(schema.py$|codegen/|.*/generated/|ql/lib/(swift\.dbscheme$|codeql/swift/elements)|ql/\.generated.list)
+        files: ^swift/(schema.py$|codegen/|.*/generated/|ql/lib/(swift\.dbscheme$|codeql/swift/elements)|ql/\.generated.list)
         language: system
         entry: bazel run //swift/codegen -- --quiet
         pass_filenames: false
@@ -69,17 +69,3 @@ repos:
         language: system
         entry: bazel test //misc/codegen/test
         pass_filenames: false
-
-      - id: rust-codegen
-        name: Run Rust checked in code generation
-        files: ^misc/codegen/|^rust/(schema.py$|codegen/|.*/generated/|ql/lib/(rust\.dbscheme$|codeql/rust/elements)|\.generated.list)
-        language: system
-        entry: bazel run //rust/codegen -- --quiet
-        pass_filenames: false
-
-      - id: rust-lint
-        name: Run fmt and clippy on Rust code
-        files: ^rust/extractor/(.*rs|Cargo.toml)$
-        language: system
-        entry: python3 rust/lint.py
-        pass_filenames: false

Cargo.toml

@@ -1,16 +0,0 @@
-# This is the shared workspace file for extractor using shared/tree-sitter/extractor
-[workspace]
-
-resolver = "2"
-members = [
-    "shared/tree-sitter-extractor",
-    "ruby/extractor",
-    "rust/extractor",
-    "rust/extractor/macros",
-    "rust/generate-schema",
-]
-
-[patch.crates-io]
-# patch for build script bug preventing bazel build
-# see https://github.com/rust-lang/rustc_apfloat/pull/17
-rustc_apfloat = { git = "https://github.com/redsun82/rustc_apfloat.git", rev = "096d585100636bc2e9f09d7eefec38c5b334d47b" }

MODULE.bazel

@@ -1,7 +1,6 @@
 module(
-    name = "ql",
+    name = "codeql",
     version = "0.0",
-    repo_name = "codeql",
 )
 
 # this points to our internal repository when `codeql` is checked out as a submodule thereof
@@ -15,29 +14,27 @@ local_path_override(
 # see https://registry.bazel.build/ for a list of available packages
 
 bazel_dep(name = "platforms", version = "0.0.10")
-bazel_dep(name = "rules_go", version = "0.50.0")
-bazel_dep(name = "rules_pkg", version = "1.0.1")
+bazel_dep(name = "rules_go", version = "0.48.0")
+bazel_dep(name = "rules_pkg", version = "0.10.1")
 bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
-bazel_dep(name = "rules_python", version = "0.35.0")
+bazel_dep(name = "rules_python", version = "0.32.2")
 bazel_dep(name = "bazel_skylib", version = "1.6.1")
 bazel_dep(name = "abseil-cpp", version = "20240116.0", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "10.0.0")
 bazel_dep(name = "rules_kotlin", version = "1.9.4-codeql.1")
-bazel_dep(name = "gazelle", version = "0.38.0")
+bazel_dep(name = "gazelle", version = "0.37.0")
 bazel_dep(name = "rules_dotnet", version = "0.15.1")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
-bazel_dep(name = "rules_rust", version = "0.50.0")
+bazel_dep(name = "rules_rust", version = "0.46.0")
 
 bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
 
-# crate_py but shortened due to Windows file path considerations
-cp = use_extension(
+crate = use_extension(
     "@rules_rust//crate_universe:extension.bzl",
     "crate",
-    isolate = True,
 )
-cp.from_cargo(
+crate.from_cargo(
     name = "py_deps",
     cargo_lockfile = "//python/extractor/tsg-python:Cargo.lock",
     manifests = [
@@ -45,27 +42,15 @@ cp.from_cargo(
         "//python/extractor/tsg-python/tsp:Cargo.toml",
     ],
 )
-use_repo(cp, "py_deps")
-
-# deps for ruby+rust, but shortened due to windows file paths
-r = use_extension(
-    "@rules_rust//crate_universe:extension.bzl",
-    "crate",
-    isolate = True,
-)
-r.from_cargo(
-    name = "r",
-    cargo_lockfile = "//:Cargo.lock",
+crate.from_cargo(
+    name = "ruby_deps",
+    cargo_lockfile = "//ruby/extractor:Cargo.lock",
     manifests = [
-        "//:Cargo.toml",
         "//ruby/extractor:Cargo.toml",
-        "//rust/extractor:Cargo.toml",
-        "//rust/extractor/macros:Cargo.toml",
-        "//rust/generate-schema:Cargo.toml",
-        "//shared/tree-sitter-extractor:Cargo.toml",
+        "//ruby/extractor/codeql-extractor-fake-crate:Cargo.toml",
     ],
 )
-use_repo(r, tree_sitter_extractors_deps = "r")
+use_repo(crate, "py_deps", "ruby_deps")
 
 dotnet = use_extension("@rules_dotnet//dotnet:extensions.bzl", "dotnet")
 dotnet.toolchain(dotnet_version = "8.0.101")
@@ -127,7 +112,6 @@ use_repo(
     "kotlin-compiler-1.9.0-Beta",
     "kotlin-compiler-1.9.20-Beta",
     "kotlin-compiler-2.0.0-RC1",
-    "kotlin-compiler-2.0.20-Beta2",
     "kotlin-compiler-embeddable-1.5.0",
     "kotlin-compiler-embeddable-1.5.10",
     "kotlin-compiler-embeddable-1.5.20",
@@ -140,7 +124,6 @@ use_repo(
     "kotlin-compiler-embeddable-1.9.0-Beta",
     "kotlin-compiler-embeddable-1.9.20-Beta",
     "kotlin-compiler-embeddable-2.0.0-RC1",
-    "kotlin-compiler-embeddable-2.0.20-Beta2",
     "kotlin-stdlib-1.5.0",
     "kotlin-stdlib-1.5.10",
     "kotlin-stdlib-1.5.20",
@@ -153,15 +136,10 @@ use_repo(
     "kotlin-stdlib-1.9.0-Beta",
     "kotlin-stdlib-1.9.20-Beta",
     "kotlin-stdlib-2.0.0-RC1",
-    "kotlin-stdlib-2.0.20-Beta2",
 )
 
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
-go_sdk.download(version = "1.23.1")
-
-go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
-go_deps.from_file(go_mod = "//go/extractor:go.mod")
-use_repo(go_deps, "org_golang_x_mod", "org_golang_x_tools")
+go_sdk.download(version = "1.22.2")
 
 lfs_files = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_files")
 

config/identical-files.json

@@ -355,5 +355,9 @@
   "Python model summaries test extension": [
     "python/ql/test/library-tests/dataflow/model-summaries/InlineTaintTest.ext.yml",
     "python/ql/test/library-tests/dataflow/model-summaries/NormalDataflowTest.ext.yml"
+  ],
+  "shared tree-sitter extractor cargo.toml": [
+    "shared/tree-sitter-extractor/Cargo.toml",
+    "ruby/extractor/codeql-extractor-fake-crate/Cargo.toml"
   ]
 }

cpp/downgrades/02a123a1a681f98cf502f189a2a79b0dfb398e59/exprs.ql

@@ -1,17 +0,0 @@
-class Expr extends @expr {
-  string toString() { none() }
-}
-
-class Location extends @location_expr {
-  string toString() { none() }
-}
-
-predicate isExprWithNewBuiltin(Expr expr) {
-  exists(int kind | exprs(expr, kind, _) | 385 <= kind and kind <= 388)
-}
-
-from Expr expr, int kind, int kind_new, Location location
-where
-  exprs(expr, kind, location) and
-  if isExprWithNewBuiltin(expr) then kind_new = 1 else kind_new = kind
-select expr, kind_new, location

cpp/downgrades/02a123a1a681f98cf502f189a2a79b0dfb398e59/sizeof_bind.ql

@@ -1,14 +0,0 @@
-class Expr extends @expr {
-  string toString() { none() }
-}
-
-class Type extends @type {
-  string toString() { none() }
-}
-
-from Expr expr, Type type, int kind
-where
-  sizeof_bind(expr, type) and
-  exprs(expr, kind, _) and
-  (kind = 93 or kind = 94)
-select expr, type

cpp/downgrades/02a123a1a681f98cf502f189a2a79b0dfb398e59/upgrade.properties

@@ -1,4 +0,0 @@
-description: Add new builtin operations
-compatibility: partial
-exprs.rel: run exprs.qlo
-sizeof_bind.rel: run sizeof_bind.qlo

cpp/downgrades/0fea0ee7026c7c3f7d6faef4df4bf67847b67d71/downgrades.ql

@@ -1,32 +0,0 @@
-/*
- * Approach: replace conversion expressions of kind 389 (= @c11_generic) by
- * conversion expressions of kind 12 (= @parexpr), i.e., a `ParenthesisExpr`,
- * and drop the relation which its child expressions, which are just syntactic
- * sugar. Parenthesis expressions are equally benign as C11 _Generic expressions,
- * and behave similarly in the context of the IR.
- */
-
-class Expr extends @expr {
-  string toString() { none() }
-}
-
-class Location extends @location {
-  string toString() { none() }
-}
-
-class ExprParent extends @exprparent {
-  string toString() { none() }
-}
-
-query predicate new_exprs(Expr expr, int new_kind, Location loc) {
-  exists(int kind | exprs(expr, kind, loc) | if kind = 389 then new_kind = 12 else new_kind = kind)
-}
-
-query predicate new_exprparents(Expr expr, int index, ExprParent expr_parent) {
-  exprparents(expr, index, expr_parent) and
-  (
-    not expr_parent instanceof @expr
-    or
-    exists(int kind | exprs(expr_parent.(Expr), kind, _) | kind != 389)
-  )
-}

cpp/downgrades/0fea0ee7026c7c3f7d6faef4df4bf67847b67d71/upgrade.properties

@@ -1,4 +0,0 @@
-description: Expose C11 _Generics
-compatibility: partial
-exprs.rel: run downgrades.ql new_exprs
-exprparents.rel: run downgrades.ql new_exprparents

cpp/downgrades/25e365d1e8147df0f759b604f96eb4bffea48271/upgrade.properties

@@ -1,4 +0,0 @@
-description: Revert support for using-enum declarations.
-compatibility: partial
-usings.rel: run usings.qlo
-using_container.rel: run using_container.qlo

cpp/downgrades/25e365d1e8147df0f759b604f96eb4bffea48271/using_container.ql

@@ -1,14 +0,0 @@
-class UsingEntry extends @using {
-  string toString() { none() }
-}
-
-class Element extends @element {
-  string toString() { none() }
-}
-
-from UsingEntry u, Element parent, int kind
-where
-  usings(u, _, _, kind) and
-  using_container(parent, u) and
-  kind != 3
-select parent, u

cpp/downgrades/25e365d1e8147df0f759b604f96eb4bffea48271/usings.ql

@@ -1,17 +0,0 @@
-class UsingEntry extends @using {
-  string toString() { none() }
-}
-
-class Element extends @element {
-  string toString() { none() }
-}
-
-class Location extends @location_default {
-  string toString() { none() }
-}
-
-from UsingEntry u, Element target, Location loc, int kind
-where
-  usings(u, target, loc, kind) and
-  kind != 3
-select u, target, loc

cpp/downgrades/3d35dd6b50edfc540c14c6757e0c7b3c5b7b04dd/exprs.ql

@@ -1,17 +0,0 @@
-class Expr extends @expr {
-  string toString() { none() }
-}
-
-class Location extends @location_expr {
-  string toString() { none() }
-}
-
-predicate isExprWithNewBuiltin(Expr expr) {
-  exists(int kind | exprs(expr, kind, _) | 364 <= kind and kind <= 384)
-}
-
-from Expr expr, int kind, int kind_new, Location location
-where
-  exprs(expr, kind, location) and
-  if isExprWithNewBuiltin(expr) then kind_new = 1 else kind_new = kind
-select expr, kind_new, location

cpp/downgrades/3d35dd6b50edfc540c14c6757e0c7b3c5b7b04dd/upgrade.properties

@@ -1,3 +0,0 @@
-description: Add new builtin operations
-compatibility: partial
-exprs.rel: run exprs.qlo

cpp/downgrades/68930f3b81bbe3fdbb91c850deca1fec8072d62a/upgrade.properties

@@ -1,3 +0,0 @@
-description: description: Support explicit(bool) specifiers
-compatibility: full
-explicit_specifier_exprs.rel: delete

cpp/downgrades/7ff6a6e53dbcff09d1b9b758b594bc6d17366863/coroutine.ql

@@ -1,18 +0,0 @@
-class Function extends @function {
-  string toString() { none() }
-}
-
-class Type extends @type {
-  string toString() { none() }
-}
-
-class Variable extends @variable {
-  string toString() { none() }
-}
-
-from Function func, Type traits, Variable handle, Variable promise
-where
-  coroutine(func, traits) and
-  coroutine_placeholder_variable(handle, 1, func) and
-  coroutine_placeholder_variable(promise, 2, func)
-select func, traits, handle, promise

cpp/downgrades/7ff6a6e53dbcff09d1b9b758b594bc6d17366863/upgrade.properties

@@ -1,4 +0,0 @@
-description: Improve handling of coroutine placeholder variables
-compatibility: full
-coroutine.rel: run coroutine.qlo
-coroutine_placeholder_variable.rel: delete

cpp/downgrades/9629fc87dab7dbed0771bf5ce22bce4d7f943b52/upgrade.properties

@@ -1,2 +0,0 @@
-description: Support destroying deletes
-compatibility: full

cpp/downgrades/e197626a6ebccd052d5c891975fccf8aebcc9803/upgrade.properties

@@ -1,3 +0,0 @@
-description: Add relation between deduction guides and class templates
-compatibility: full
-deduction_guide_for_class.rel: delete

cpp/ql/lib/CHANGELOG.md

@@ -1,58 +1,3 @@
-## 2.0.0
-
-### Breaking Changes
-
-* Deleted many deprecated taint-tracking configurations based on `TaintTracking::Configuration`. 
-* Deleted many deprecated dataflow configurations based on `DataFlow::Configuration`. 
-* Deleted the deprecated `hasQualifiedName` and `isDefined` predicates from the `Declaration` class, use `hasGlobalName` and `hasDefinition` respectively instead.
-* Deleted the `getFullSignature` predicate from the `Function` class, use `getIdentityString(Declaration)` from `semmle.code.cpp.Print` instead.
-* Deleted the deprecated `freeCall` predicate from `Alloc.qll`. Use `DeallocationExpr` instead.
-* Deleted the deprecated `explorationLimit` predicate from `DataFlow::Configuration`, use `FlowExploration<explorationLimit>` instead.
-* Deleted the deprecated `getFieldExpr` predicate from `ClassAggregateLiteral`, use `getAFieldExpr` instead.
-* Deleted the deprecated `getElementExpr` predicate from `ArrayOrVectorAggregateLiteral`, use `getAnElementExpr` instead.
-
-### New Features
-
-* Added a class `C11GenericExpr` to represent C11 generic selection expressions. The generic selection is represented as a `Conversion` on the expression that will be selected.
-* Added subclasses of `BuiltInOperations` for the `__is_scoped_enum`, `__is_trivially_equality_comparable`, and `__is_trivially_relocatable` builtin operations.
-* Added a subclass of `Expr` for `__datasizeof` expressions.
-
-### Minor Analysis Improvements
-
-* Added a data flow model for `swap` member functions, which were previously modeled as taint tracking functions. This change improves the precision of queries where flow through `swap` member functions might affect the results.
-* Added a data flow model for `realloc`-like functions, which were previously modeled as a taint tracking functions. This change improves the precision of queries where flow through `realloc`-like functions might affect the results.
-
-## 1.4.2
-
-No user-facing changes.
-
-## 1.4.1
-
-No user-facing changes.
-
-## 1.4.0
-
-### New Features
-
-* A `getTemplateClass` predicate was added to the `DeductionGuide` class to get the class template for which the deduction guide is a guide.
-* An `isExplicit` predicate was added to the `Function` class that determines whether the function was declared as explicit.
-* A `getExplicitExpr` predicate was added to the `Function` class that yields the constant boolean expression (if any) that conditionally determines whether the function is explicit.
-* A `isDestroyingDeleteDeallocation` predicate was added to the `NewOrNewArrayExpr` and `DeleteOrDeleteArrayExpr` classes to indicate whether the deallocation function is a destroying delete. 
-
-### Minor Analysis Improvements
-
-* The controlling expression of a `constexpr if` is now always recognized as an unevaluated expression.
-* Improved performance of alias analysis of large function bodies. In rare cases, alerts that depend on alias analysis of large function bodies may be affected.
-* A `UsingEnumDeclarationEntry` class has been added for C++ `using enum` declarations. As part of this, synthesized `UsingDeclarationEntry`s are no longer emitted for individual enumerators of the referenced enumeration.
-
-## 1.3.0
-
-### New Features
-
-* Models-as-data alert provenance information has been extended to the C/C++ language. Any qltests that include the edges relation in their output (for example, `.qlref`s that reference path-problem queries) will need to be have their expected output updated accordingly.
-* Added subclasses of `BuiltInOperations` for `__builtin_has_attribute`, `__builtin_is_corresponding_member`, `__builtin_is_pointer_interconvertible_with_class`, `__is_assignable_no_precondition_check`, `__is_bounded_array`, `__is_convertible`, `__is_corresponding_member`, `__is_nothrow_convertible`, `__is_pointer_interconvertible_with_class`, `__is_referenceable`, `__is_same_as`, `__is_trivially_copy_assignable`, `__is_unbounded_array`, `__is_valid_winrt_type`, `_is_win_class`, `__is_win_interface`, `__reference_binds_to_temporary`, `__reference_constructs_from_temporary`, and `__reference_converts_from_temporary`.
-* The class `NewArrayExpr` adds a predicate `getArraySize()` to allow a more convenient way to access the static size of the array when the extent is missing.
-
 ## 1.2.0
 
 ### New Features

cpp/ql/lib/change-notes/released/1.3.0.md

@@ -1,7 +0,0 @@
-## 1.3.0
-
-### New Features
-
-* Models-as-data alert provenance information has been extended to the C/C++ language. Any qltests that include the edges relation in their output (for example, `.qlref`s that reference path-problem queries) will need to be have their expected output updated accordingly.
-* Added subclasses of `BuiltInOperations` for `__builtin_has_attribute`, `__builtin_is_corresponding_member`, `__builtin_is_pointer_interconvertible_with_class`, `__is_assignable_no_precondition_check`, `__is_bounded_array`, `__is_convertible`, `__is_corresponding_member`, `__is_nothrow_convertible`, `__is_pointer_interconvertible_with_class`, `__is_referenceable`, `__is_same_as`, `__is_trivially_copy_assignable`, `__is_unbounded_array`, `__is_valid_winrt_type`, `_is_win_class`, `__is_win_interface`, `__reference_binds_to_temporary`, `__reference_constructs_from_temporary`, and `__reference_converts_from_temporary`.
-* The class `NewArrayExpr` adds a predicate `getArraySize()` to allow a more convenient way to access the static size of the array when the extent is missing.

cpp/ql/lib/change-notes/released/1.4.0.md

@@ -1,14 +0,0 @@
-## 1.4.0
-
-### New Features
-
-* A `getTemplateClass` predicate was added to the `DeductionGuide` class to get the class template for which the deduction guide is a guide.
-* An `isExplicit` predicate was added to the `Function` class that determines whether the function was declared as explicit.
-* A `getExplicitExpr` predicate was added to the `Function` class that yields the constant boolean expression (if any) that conditionally determines whether the function is explicit.
-* A `isDestroyingDeleteDeallocation` predicate was added to the `NewOrNewArrayExpr` and `DeleteOrDeleteArrayExpr` classes to indicate whether the deallocation function is a destroying delete. 
-
-### Minor Analysis Improvements
-
-* The controlling expression of a `constexpr if` is now always recognized as an unevaluated expression.
-* Improved performance of alias analysis of large function bodies. In rare cases, alerts that depend on alias analysis of large function bodies may be affected.
-* A `UsingEnumDeclarationEntry` class has been added for C++ `using enum` declarations. As part of this, synthesized `UsingDeclarationEntry`s are no longer emitted for individual enumerators of the referenced enumeration.

cpp/ql/lib/change-notes/released/1.4.1.md

@@ -1,3 +0,0 @@
-## 1.4.1
-
-No user-facing changes.

cpp/ql/lib/change-notes/released/1.4.2.md

@@ -1,3 +0,0 @@
-## 1.4.2
-
-No user-facing changes.

cpp/ql/lib/change-notes/released/2.0.0.md

@@ -1,23 +0,0 @@
-## 2.0.0
-
-### Breaking Changes
-
-* Deleted many deprecated taint-tracking configurations based on `TaintTracking::Configuration`. 
-* Deleted many deprecated dataflow configurations based on `DataFlow::Configuration`. 
-* Deleted the deprecated `hasQualifiedName` and `isDefined` predicates from the `Declaration` class, use `hasGlobalName` and `hasDefinition` respectively instead.
-* Deleted the `getFullSignature` predicate from the `Function` class, use `getIdentityString(Declaration)` from `semmle.code.cpp.Print` instead.
-* Deleted the deprecated `freeCall` predicate from `Alloc.qll`. Use `DeallocationExpr` instead.
-* Deleted the deprecated `explorationLimit` predicate from `DataFlow::Configuration`, use `FlowExploration<explorationLimit>` instead.
-* Deleted the deprecated `getFieldExpr` predicate from `ClassAggregateLiteral`, use `getAFieldExpr` instead.
-* Deleted the deprecated `getElementExpr` predicate from `ArrayOrVectorAggregateLiteral`, use `getAnElementExpr` instead.
-
-### New Features
-
-* Added a class `C11GenericExpr` to represent C11 generic selection expressions. The generic selection is represented as a `Conversion` on the expression that will be selected.
-* Added subclasses of `BuiltInOperations` for the `__is_scoped_enum`, `__is_trivially_equality_comparable`, and `__is_trivially_relocatable` builtin operations.
-* Added a subclass of `Expr` for `__datasizeof` expressions.
-
-### Minor Analysis Improvements
-
-* Added a data flow model for `swap` member functions, which were previously modeled as taint tracking functions. This change improves the precision of queries where flow through `swap` member functions might affect the results.
-* Added a data flow model for `realloc`-like functions, which were previously modeled as a taint tracking functions. This change improves the precision of queries where flow through `realloc`-like functions might affect the results.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.0.0
+lastReleaseVersion: 1.2.0

cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll

@@ -36,6 +36,16 @@ module PrivateCleartextWrite {
     }
   }
 
+  deprecated class WriteConfig extends TaintTracking::Configuration {
+    WriteConfig() { this = "Write configuration" }
+
+    override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+  }
+
   private module WriteConfig implements DataFlow::ConfigSig {
     predicate isSource(DataFlow::Node source) { source instanceof Source }
 

cpp/ql/lib/ext/std.format.model.yml

@@ -1,14 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: summaryModel
-    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["std", "", False, "format<Args>", "(format_string,Args &&)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["std", "", False, "format<Args>", "(format_string,Args &&)", "", "Argument[*1]", "ReturnValue", "taint", "manual"]
-      - ["std", "", False, "format<Args>", "(format_string,Args &&)", "", "Argument[*2]", "ReturnValue", "taint", "manual"]
-      - ["std", "", False, "format<Args>", "(format_string,Args &&)", "", "Argument[*3]", "ReturnValue", "taint", "manual"]
-      - ["std", "", False, "format<Args>", "(format_string,Args &&)", "", "Argument[*4]", "ReturnValue", "taint", "manual"]
-      - ["std", "", False, "format<Args>", "(format_string,Args &&)", "", "Argument[*5]", "ReturnValue", "taint", "manual"]
-      - ["std", "", False, "format<Args>", "(format_string,Args &&)", "", "Argument[*6]", "ReturnValue", "taint", "manual"]
-      - ["std", "", False, "format<Args>", "(format_string,Args &&)", "", "Argument[*7]", "ReturnValue", "taint", "manual"]
-      - ["std", "", False, "format<Args>", "(format_string,Args &&)", "", "Argument[*8]", "ReturnValue", "taint", "manual"]

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 2.0.1-dev
+version: 1.2.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/Declaration.qll

@@ -60,6 +60,18 @@ class Declaration extends Locatable, @declaration {
    */
   string getQualifiedName() { result = underlyingElement(this).(Q::Declaration).getQualifiedName() }
 
+  /**
+   * DEPRECATED: Prefer `hasGlobalName` or the 2-argument or 3-argument
+   * `hasQualifiedName` predicates. To get the exact same results as this
+   * predicate in all edge cases, use `getQualifiedName()`.
+   *
+   * Holds if this declaration has the fully-qualified name `qualifiedName`.
+   * See `getQualifiedName`.
+   */
+  deprecated predicate hasQualifiedName(string qualifiedName) {
+    this.getQualifiedName() = qualifiedName
+  }
+
   /**
    * Holds if this declaration has a fully-qualified name with a name-space
    * component of `namespaceQualifier`, a declaring type of `typeQualifier`,
@@ -173,6 +185,9 @@ class Declaration extends Locatable, @declaration {
   /** Holds if the declaration has a definition. */
   predicate hasDefinition() { exists(this.getDefinition()) }
 
+  /** DEPRECATED: Use `hasDefinition` instead. */
+  deprecated predicate isDefined() { this.hasDefinition() }
+
   /** Gets the preferred location of this declaration, if any. */
   override Location getLocation() { none() }
 

cpp/ql/lib/semmle/code/cpp/Function.qll

@@ -30,6 +30,46 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
 
   override string getName() { functions(underlyingElement(this), result, _) }
 
+  /**
+   * DEPRECATED: Use `getIdentityString(Declaration)` from `semmle.code.cpp.Print` instead.
+   * Gets the full signature of this function, including return type, parameter
+   * types, and template arguments.
+   *
+   * For example, in the following code:
+   * ```
+   * template<typename T> T min(T x, T y);
+   * int z = min(5, 7);
+   * ```
+   * The full signature of the function called on the last line would be
+   * `min<int>(int, int) -> int`, and the full signature of the uninstantiated
+   * template on the first line would be `min<T>(T, T) -> T`.
+   */
+  deprecated string getFullSignature() {
+    exists(string name, string templateArgs, string args |
+      result = name + templateArgs + args + " -> " + this.getType().toString() and
+      name = this.getQualifiedName() and
+      (
+        if exists(this.getATemplateArgument())
+        then
+          templateArgs =
+            "<" +
+              concat(int i |
+                exists(this.getTemplateArgument(i))
+              |
+                this.getTemplateArgument(i).toString(), ", " order by i
+              ) + ">"
+        else templateArgs = ""
+      ) and
+      args =
+        "(" +
+          concat(int i |
+            exists(this.getParameter(i))
+          |
+            this.getParameter(i).getType().toString(), ", " order by i
+          ) + ")"
+    )
+  }
+
   /** Gets a specifier of this function. */
   override Specifier getASpecifier() {
     funspecifiers(underlyingElement(this), unresolveElement(result)) or
@@ -118,26 +158,6 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
    */
   predicate isConsteval() { this.hasSpecifier("is_consteval") }
 
-  /**
-   * Holds if this function is declared to be `explicit`.
-   */
-  predicate isExplicit() { this.hasSpecifier("explicit") }
-
-  /**
-   * Gets the constant expression that determines whether the function is explicit.
-   *
-   * For example, for the following code the result is the expression `sizeof(T) == 1`:
-   * ```
-   * template<typename T> struct C {
-   *   explicit(sizeof(T) == 1)
-   *   C(const T);
-   * };
-   * ```
-   */
-  Expr getExplicitExpr() {
-    explicit_specifier_exprs(underlyingElement(this), unresolveElement(result))
-  }
-
   /**
    * Holds if this function is declared with `__attribute__((naked))` or
    * `__declspec(naked)`.
@@ -878,11 +898,4 @@ class UserDefinedLiteral extends Function {
  */
 class DeductionGuide extends Function {
   DeductionGuide() { functions(underlyingElement(this), _, 8) }
-
-  /**
-   * Gets the class template for which this is a deduction guide.
-   */
-  TemplateClass getTemplateClass() {
-    deduction_guide_for_class(underlyingElement(this), unresolveElement(result))
-  }
 }

cpp/ql/lib/semmle/code/cpp/Namespace.qll

@@ -156,7 +156,7 @@ class NamespaceDeclarationEntry extends Locatable, @namespace_decl {
  * A C++ `using` directive or `using` declaration.
  */
 class UsingEntry extends Locatable, @using {
-  override Location getLocation() { usings(underlyingElement(this), _, result, _) }
+  override Location getLocation() { usings(underlyingElement(this), _, result) }
 }
 
 /**
@@ -166,13 +166,15 @@ class UsingEntry extends Locatable, @using {
  * ```
  */
 class UsingDeclarationEntry extends UsingEntry {
-  UsingDeclarationEntry() { usings(underlyingElement(this), _, _, 1) }
+  UsingDeclarationEntry() {
+    not exists(Namespace n | usings(underlyingElement(this), unresolveElement(n), _))
+  }
 
   /**
    * Gets the declaration that is referenced by this using declaration. For
    * example, `std::string` in `using std::string`.
    */
-  Declaration getDeclaration() { usings(underlyingElement(this), unresolveElement(result), _, _) }
+  Declaration getDeclaration() { usings(underlyingElement(this), unresolveElement(result), _) }
 
   override string toString() { result = "using " + this.getDeclaration().getDescription() }
 }
@@ -184,36 +186,19 @@ class UsingDeclarationEntry extends UsingEntry {
  * ```
  */
 class UsingDirectiveEntry extends UsingEntry {
-  UsingDirectiveEntry() { usings(underlyingElement(this), _, _, 2) }
+  UsingDirectiveEntry() {
+    exists(Namespace n | usings(underlyingElement(this), unresolveElement(n), _))
+  }
 
   /**
    * Gets the namespace that is referenced by this using directive. For
    * example, `std` in `using namespace std`.
    */
-  Namespace getNamespace() { usings(underlyingElement(this), unresolveElement(result), _, _) }
+  Namespace getNamespace() { usings(underlyingElement(this), unresolveElement(result), _) }
 
   override string toString() { result = "using namespace " + this.getNamespace().getFriendlyName() }
 }
 
-/**
- * A C++ `using enum` declaration. For example:
- * ```
- * enum class Foo { a, b };
- * using enum Foo;
- * ```
- */
-class UsingEnumDeclarationEntry extends UsingEntry {
-  UsingEnumDeclarationEntry() { usings(underlyingElement(this), _, _, 3) }
-
-  /**
-   * Gets the enumeration that is referenced by this using directive. For
-   * example, `Foo` in `using enum Foo`.
-   */
-  Enum getEnum() { usings(underlyingElement(this), unresolveElement(result), _, _) }
-
-  override string toString() { result = "using enum " + this.getEnum().getQualifiedName() }
-}
-
 /**
  * Holds if `g` is an instance of `GlobalNamespace`. This predicate
  * is used suppress a warning in `GlobalNamespace.getADeclaration()`

cpp/ql/lib/semmle/code/cpp/PrintAST.qll

@@ -286,6 +286,9 @@ abstract class BaseAstNode extends PrintAstNode {
    * Gets the AST represented by this node.
    */
   final Locatable getAst() { result = ast }
+
+  /** DEPRECATED: Alias for getAst */
+  deprecated Locatable getAST() { result = this.getAst() }
 }
 
 /**
@@ -382,21 +385,6 @@ class CastNode extends ConversionNode {
   }
 }
 
-/**
- * A node representing a `C11GenericExpr`.
- */
-class C11GenericNode extends ConversionNode {
-  C11GenericExpr generic;
-
-  C11GenericNode() { generic = conv }
-
-  override AstNode getChildInternal(int childIndex) {
-    result = super.getChildInternal(childIndex - count(generic.getAChild()))
-    or
-    result.getAst() = generic.getChild(childIndex)
-  }
-}
-
 /**
  * A node representing a `StmtExpr`.
  */
@@ -872,15 +860,6 @@ private predicate namedExprChildPredicates(Expr expr, Element ele, string pred)
     or
     expr.(BuiltInVarArgsStart).getLastNamedParameter() = ele and pred = "getLastNamedParameter()"
     or
-    expr.(C11GenericExpr).getControllingExpr() = ele and pred = "getControllingExpr()"
-    or
-    exists(int n |
-      expr.(C11GenericExpr).getAssociationType(n) = ele.(TypeName).getType() and
-      pred = "getAssociationType(" + n + ")"
-      or
-      expr.(C11GenericExpr).getAssociationExpr(n) = ele and pred = "getAssociationExpr(" + n + ")"
-    )
-    or
     expr.(Call).getQualifier() = ele and pred = "getQualifier()"
     or
     exists(int n | expr.(Call).getArgument(n) = ele and pred = "getArgument(" + n.toString() + ")")

cpp/ql/lib/semmle/code/cpp/Variable.qll

@@ -409,18 +409,11 @@ class LocalVariable extends LocalScopeVariable, @localvariable {
     exists(ConditionDeclExpr e | e.getVariable() = this and e.getEnclosingFunction() = result)
     or
     orphaned_variables(underlyingElement(this), unresolveElement(result))
-    or
-    coroutine_placeholder_variable(underlyingElement(this), _, unresolveElement(result))
   }
 
   override predicate isStatic() {
     super.isStatic() or orphaned_variables(underlyingElement(this), _)
   }
-
-  override predicate isCompilerGenerated() {
-    super.isCompilerGenerated() or
-    coroutine_placeholder_variable(underlyingElement(this), _, _)
-  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/commons/Alloc.qll

@@ -7,6 +7,15 @@ import semmle.code.cpp.models.interfaces.Deallocation
  */
 predicate freeFunction(Function f, int argNum) { argNum = f.(DeallocationFunction).getFreedArg() }
 
+/**
+ * A call to a library routine that frees memory.
+ *
+ * DEPRECATED: Use `DeallocationExpr` instead (this also includes `delete` expressions).
+ */
+deprecated predicate freeCall(FunctionCall fc, Expr arg) {
+  arg = fc.(DeallocationExpr).getFreedExpr()
+}
+
 /**
  * Is e some kind of allocation or deallocation (`new`, `alloc`, `realloc`, `delete`, `free` etc)?
  */

cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll

@@ -57,7 +57,7 @@ private int isSource(Expr bufferExpr, Element why) {
   exists(Type bufferType |
     // buffer is the address of a variable
     why = bufferExpr.(AddressOfExpr).getAddressable() and
-    bufferType = why.(Variable).getUnspecifiedType() and
+    bufferType = why.(Variable).getType() and
     result = bufferType.getSize() and
     not bufferType instanceof ReferenceType and
     not any(Union u).getAMemberVariable() = why

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -146,7 +146,7 @@ predicate summaryModel(string row) { any(SummaryModelCsv s).row(row) }
 /** Holds if a source model exists for the given parameters. */
 predicate sourceModel(
   string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string output, string kind, string provenance, string model
+  string output, string kind, string provenance
 ) {
   exists(string row |
     sourceModel(row) and
@@ -160,20 +160,16 @@ predicate sourceModel(
     row.splitAt(";", 6) = output and
     row.splitAt(";", 7) = kind
   ) and
-  provenance = "manual" and
-  model = ""
+  provenance = "manual"
   or
-  exists(QlBuiltins::ExtensionId madId |
-    Extensions::sourceModel(namespace, type, subtypes, name, signature, ext, output, kind,
-      provenance, madId) and
-    model = "MaD:" + madId.toString()
-  )
+  Extensions::sourceModel(namespace, type, subtypes, name, signature, ext, output, kind, provenance,
+    _)
 }
 
 /** Holds if a sink model exists for the given parameters. */
 predicate sinkModel(
   string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string input, string kind, string provenance, string model
+  string input, string kind, string provenance
 ) {
   exists(string row |
     sinkModel(row) and
@@ -187,14 +183,9 @@ predicate sinkModel(
     row.splitAt(";", 6) = input and
     row.splitAt(";", 7) = kind
   ) and
-  provenance = "manual" and
-  model = ""
+  provenance = "manual"
   or
-  exists(QlBuiltins::ExtensionId madId |
-    Extensions::sinkModel(namespace, type, subtypes, name, signature, ext, input, kind, provenance,
-      madId) and
-    model = "MaD:" + madId.toString()
-  )
+  Extensions::sinkModel(namespace, type, subtypes, name, signature, ext, input, kind, provenance, _)
 }
 
 /**
@@ -204,7 +195,7 @@ predicate sinkModel(
  */
 private predicate summaryModel0(
   string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string input, string output, string kind, string provenance, string model
+  string input, string output, string kind, string provenance
 ) {
   exists(string row |
     summaryModel(row) and
@@ -219,14 +210,10 @@ private predicate summaryModel0(
     row.splitAt(";", 7) = output and
     row.splitAt(";", 8) = kind
   ) and
-  provenance = "manual" and
-  model = ""
+  provenance = "manual"
   or
-  exists(QlBuiltins::ExtensionId madId |
-    Extensions::summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind,
-      provenance, madId) and
-    model = "MaD:" + madId.toString()
-  )
+  Extensions::summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind,
+    provenance, _)
 }
 
 /**
@@ -247,20 +234,19 @@ private predicate expandInputAndOutput(
  */
 predicate summaryModel(
   string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string input, string output, string kind, string provenance, string model
+  string input, string output, string kind, string provenance
 ) {
   exists(string input0, string output0 |
-    summaryModel0(namespace, type, subtypes, name, signature, ext, input0, output0, kind,
-      provenance, model) and
+    summaryModel0(namespace, type, subtypes, name, signature, ext, input0, output0, kind, provenance) and
     expandInputAndOutput(input0, input, output0, output,
       [0 .. Private::getMaxElementContentIndirectionIndex() - 1])
   )
 }
 
 private predicate relevantNamespace(string namespace) {
-  sourceModel(namespace, _, _, _, _, _, _, _, _, _) or
-  sinkModel(namespace, _, _, _, _, _, _, _, _, _) or
-  summaryModel(namespace, _, _, _, _, _, _, _, _, _, _)
+  sourceModel(namespace, _, _, _, _, _, _, _, _) or
+  sinkModel(namespace, _, _, _, _, _, _, _, _) or
+  summaryModel(namespace, _, _, _, _, _, _, _, _, _)
 }
 
 private predicate namespaceLink(string shortns, string longns) {
@@ -290,17 +276,17 @@ predicate modelCoverage(string namespace, int namespaces, string kind, string pa
     part = "source" and
     n =
       strictcount(string subns, string type, boolean subtypes, string name, string signature,
-        string ext, string output, string provenance, string model |
+        string ext, string output, string provenance |
         canonicalNamespaceLink(namespace, subns) and
-        sourceModel(subns, type, subtypes, name, signature, ext, output, kind, provenance, model)
+        sourceModel(subns, type, subtypes, name, signature, ext, output, kind, provenance)
       )
     or
     part = "sink" and
     n =
       strictcount(string subns, string type, boolean subtypes, string name, string signature,
-        string ext, string input, string provenance, string model |
+        string ext, string input, string provenance |
         canonicalNamespaceLink(namespace, subns) and
-        sinkModel(subns, type, subtypes, name, signature, ext, input, kind, provenance, model)
+        sinkModel(subns, type, subtypes, name, signature, ext, input, kind, provenance)
       )
     or
     part = "summary" and
@@ -308,7 +294,7 @@ predicate modelCoverage(string namespace, int namespaces, string kind, string pa
       strictcount(string subns, string type, boolean subtypes, string name, string signature,
         string ext, string input, string output, string provenance |
         canonicalNamespaceLink(namespace, subns) and
-        summaryModel(subns, type, subtypes, name, signature, ext, input, output, kind, provenance, _)
+        summaryModel(subns, type, subtypes, name, signature, ext, input, output, kind, provenance)
       )
   )
 }
@@ -317,9 +303,9 @@ predicate modelCoverage(string namespace, int namespaces, string kind, string pa
 module CsvValidation {
   private string getInvalidModelInput() {
     exists(string pred, AccessPath input, string part |
-      sinkModel(_, _, _, _, _, _, input, _, _, _) and pred = "sink"
+      sinkModel(_, _, _, _, _, _, input, _, _) and pred = "sink"
       or
-      summaryModel(_, _, _, _, _, _, input, _, _, _, _) and pred = "summary"
+      summaryModel(_, _, _, _, _, _, input, _, _, _) and pred = "summary"
     |
       (
         invalidSpecComponent(input, part) and
@@ -336,9 +322,9 @@ module CsvValidation {
 
   private string getInvalidModelOutput() {
     exists(string pred, string output, string part |
-      sourceModel(_, _, _, _, _, _, output, _, _, _) and pred = "source"
+      sourceModel(_, _, _, _, _, _, output, _, _) and pred = "source"
       or
-      summaryModel(_, _, _, _, _, _, _, output, _, _, _) and pred = "summary"
+      summaryModel(_, _, _, _, _, _, _, output, _, _) and pred = "summary"
     |
       invalidSpecComponent(output, part) and
       not part = "" and
@@ -348,11 +334,11 @@ module CsvValidation {
   }
 
   private module KindValConfig implements SharedModelVal::KindValidationConfigSig {
-    predicate summaryKind(string kind) { summaryModel(_, _, _, _, _, _, _, _, kind, _, _) }
+    predicate summaryKind(string kind) { summaryModel(_, _, _, _, _, _, _, _, kind, _) }
 
-    predicate sinkKind(string kind) { sinkModel(_, _, _, _, _, _, _, kind, _, _) }
+    predicate sinkKind(string kind) { sinkModel(_, _, _, _, _, _, _, kind, _) }
 
-    predicate sourceKind(string kind) { sourceModel(_, _, _, _, _, _, _, kind, _, _) }
+    predicate sourceKind(string kind) { sourceModel(_, _, _, _, _, _, _, kind, _) }
   }
 
   private module KindVal = SharedModelVal::KindValidation<KindValConfig>;
@@ -393,11 +379,11 @@ module CsvValidation {
 
   private string getInvalidModelSignature() {
     exists(string pred, string namespace, string type, string name, string signature, string ext |
-      sourceModel(namespace, type, _, name, signature, ext, _, _, _, _) and pred = "source"
+      sourceModel(namespace, type, _, name, signature, ext, _, _, _) and pred = "source"
       or
-      sinkModel(namespace, type, _, name, signature, ext, _, _, _, _) and pred = "sink"
+      sinkModel(namespace, type, _, name, signature, ext, _, _, _) and pred = "sink"
       or
-      summaryModel(namespace, type, _, name, signature, ext, _, _, _, _, _) and pred = "summary"
+      summaryModel(namespace, type, _, name, signature, ext, _, _, _, _) and pred = "summary"
     |
       not namespace.regexpMatch("[a-zA-Z0-9_\\.:]*") and
       result = "Dubious namespace \"" + namespace + "\" in " + pred + " model."
@@ -429,23 +415,18 @@ module CsvValidation {
 private predicate elementSpec(
   string namespace, string type, boolean subtypes, string name, string signature, string ext
 ) {
-  sourceModel(namespace, type, subtypes, name, signature, ext, _, _, _, _) or
-  sinkModel(namespace, type, subtypes, name, signature, ext, _, _, _, _) or
-  summaryModel(namespace, type, subtypes, name, signature, ext, _, _, _, _, _)
+  sourceModel(namespace, type, subtypes, name, signature, ext, _, _, _) or
+  sinkModel(namespace, type, subtypes, name, signature, ext, _, _, _) or
+  summaryModel(namespace, type, subtypes, name, signature, ext, _, _, _, _)
 }
 
 /** Gets the fully templated version of `f`. */
-private Function getFullyTemplatedFunction(Function f) {
+private Function getFullyTemplatedMemberFunction(Function f) {
   not f.isFromUninstantiatedTemplate(_) and
-  (
-    exists(Class c, Class templateClass, int i |
-      c.isConstructedFrom(templateClass) and
-      f = c.getAMember(i) and
-      result = templateClass.getCanonicalMember(i)
-    )
-    or
-    not exists(f.getDeclaringType()) and
-    f.isConstructedFrom(result)
+  exists(Class c, Class templateClass, int i |
+    c.isConstructedFrom(templateClass) and
+    f = c.getAMember(i) and
+    result = templateClass.getCanonicalMember(i)
   )
 }
 
@@ -469,14 +450,14 @@ string getParameterTypeWithoutTemplateArguments(Function f, int n) {
  */
 private string getTypeNameWithoutFunctionTemplates(Function f, int n, int remaining) {
   exists(Function templateFunction |
-    templateFunction = getFullyTemplatedFunction(f) and
+    templateFunction = getFullyTemplatedMemberFunction(f) and
     remaining = templateFunction.getNumberOfTemplateArguments() and
     result = getParameterTypeWithoutTemplateArguments(templateFunction, n)
   )
   or
   exists(string mid, TemplateParameter tp, Function templateFunction |
     mid = getTypeNameWithoutFunctionTemplates(f, n, remaining + 1) and
-    templateFunction = getFullyTemplatedFunction(f) and
+    templateFunction = getFullyTemplatedMemberFunction(f) and
     tp = templateFunction.getTemplateArgument(remaining) and
     result = mid.replaceAll(tp.getName(), "func:" + remaining.toString())
   )
@@ -487,18 +468,12 @@ private string getTypeNameWithoutFunctionTemplates(Function f, int n, int remain
  * with `class:N` (where `N` is the index of the template).
  */
 private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining) {
-  // If there is a declaring type then we start by expanding the function templates
   exists(Class template |
     f.getDeclaringType().isConstructedFrom(template) and
     remaining = template.getNumberOfTemplateArguments() and
     result = getTypeNameWithoutFunctionTemplates(f, n, 0)
   )
   or
-  // If there is no declaring type we're done after expanding the function templates
-  not exists(f.getDeclaringType()) and
-  remaining = 0 and
-  result = getTypeNameWithoutFunctionTemplates(f, n, 0)
-  or
   exists(string mid, TemplateParameter tp, Class template |
     mid = getTypeNameWithoutClassTemplates(f, n, remaining + 1) and
     f.getDeclaringType().isConstructedFrom(template) and
@@ -581,6 +556,38 @@ private string getSignatureWithoutFunctionTemplateNames(
   )
 }
 
+private string paramsStringPart(Function c, int i) {
+  not c.isFromUninstantiatedTemplate(_) and
+  (
+    i = -1 and result = "(" and exists(c)
+    or
+    exists(int n, string p | getParameterTypeName(c, n) = p |
+      i = 2 * n and result = p
+      or
+      i = 2 * n - 1 and result = "," and n != 0
+    )
+    or
+    i = 2 * c.getNumberOfParameters() and result = ")"
+  )
+}
+
+/**
+ * Gets a parenthesized string containing all parameter types of this callable, separated by a comma.
+ *
+ * Returns the empty string if the callable has no parameters.
+ * Parameter types are represented by their type erasure.
+ */
+cached
+private string paramsString(Function c) {
+  result = concat(int i | | paramsStringPart(c, i) order by i)
+}
+
+bindingset[func]
+private predicate matchesSignature(Function func, string signature) {
+  signature = "" or
+  paramsString(func) = signature
+}
+
 /**
  * Holds if `elementSpec(_, type, _, name, signature, _)` holds and
  * - `typeArgs` represents the named template parameters supplied to `type`, and
@@ -729,17 +736,17 @@ private predicate elementSpecWithArguments0(
 
 /**
  * Holds if `elementSpec(namespace, type, subtypes, name, signature, _)` and
- * `func`'s signature matches `signature`.
+ * `method`'s signature matches `signature`.
  *
  * `signature` may contain template parameter names that are bound by `type` and `name`.
  */
 pragma[nomagic]
 private predicate elementSpecMatchesSignature(
-  Function func, string namespace, string type, boolean subtypes, string name, string signature
+  Function method, string namespace, string type, boolean subtypes, string name, string signature
 ) {
   elementSpec(namespace, pragma[only_bind_into](type), subtypes, pragma[only_bind_into](name),
     pragma[only_bind_into](signature), _) and
-  signatureMatches(func, signature, type, name, 0)
+  signatureMatches(method, signature, type, name, 0)
 }
 
 /**
@@ -755,22 +762,13 @@ private predicate hasClassAndName(Class classWithMethod, Function method, string
   )
 }
 
-bindingset[name]
-pragma[inline_late]
-private predicate funcHasQualifiedName(Function func, string namespace, string name) {
-  exists(string nameWithoutArgs |
-    parseAngles(name, nameWithoutArgs, _, "") and
-    func.hasQualifiedName(namespace, nameWithoutArgs)
-  )
-}
-
 /**
  * Holds if `namedClass` is in namespace `namespace` and has
  * name `type` (excluding any template parameters).
  */
 bindingset[type, namespace]
 pragma[inline_late]
-private predicate classHasQualifiedName(Class namedClass, string namespace, string type) {
+private predicate hasQualifiedName(Class namedClass, string namespace, string type) {
   exists(string typeWithoutArgs |
     parseAngles(type, typeWithoutArgs, _, "") and
     namedClass.hasQualifiedName(namespace, typeWithoutArgs)
@@ -792,16 +790,15 @@ private Element interpretElement0(
   string namespace, string type, boolean subtypes, string name, string signature
 ) {
   (
-    // Non-member functions
     elementSpec(namespace, type, subtypes, name, signature, _) and
-    subtypes = false and
-    type = "" and
-    (
-      elementSpecMatchesSignature(result, namespace, type, subtypes, name, signature)
-      or
-      signature = "" and
-      elementSpec(namespace, type, subtypes, name, "", _) and
-      funcHasQualifiedName(result, namespace, name)
+    // Non-member functions
+    exists(Function func |
+      func.hasQualifiedName(namespace, name) and
+      type = "" and
+      matchesSignature(func, signature) and
+      subtypes = false and
+      not exists(func.getDeclaringType()) and
+      result = func
     )
     or
     // Member functions
@@ -814,7 +811,7 @@ private Element interpretElement0(
         elementSpec(namespace, type, subtypes, name, "", _) and
         hasClassAndName(classWithMethod, result, name)
       ) and
-      classHasQualifiedName(namedClass, namespace, type) and
+      hasQualifiedName(namedClass, namespace, type) and
       (
         // member declared in the named type or a subtype of it
         subtypes = true and
@@ -870,9 +867,9 @@ private module Cached {
    * model.
    */
   cached
-  predicate sourceNode(DataFlow::Node node, string kind, string model) {
+  predicate sourceNode(DataFlow::Node node, string kind) {
     exists(SourceSinkInterpretationInput::InterpretNode n |
-      isSourceNode(n, kind, model) and n.asNode() = node
+      isSourceNode(n, kind, _) and n.asNode() = node // TODO
     )
   }
 
@@ -881,57 +878,40 @@ private module Cached {
    * model.
    */
   cached
-  predicate sinkNode(DataFlow::Node node, string kind, string model) {
+  predicate sinkNode(DataFlow::Node node, string kind) {
     exists(SourceSinkInterpretationInput::InterpretNode n |
-      isSinkNode(n, kind, model) and n.asNode() = node
+      isSinkNode(n, kind, _) and n.asNode() = node // TODO
     )
   }
 }
 
 import Cached
 
-/**
- * Holds if `node` is specified as a source with the given kind in a MaD flow
- * model.
- */
-predicate sourceNode(DataFlow::Node node, string kind) { sourceNode(node, kind, _) }
-
-/**
- * Holds if `node` is specified as a sink with the given kind in a MaD flow
- * model.
- */
-predicate sinkNode(DataFlow::Node node, string kind) { sinkNode(node, kind, _) }
-
 private predicate interpretSummary(
-  Function f, string input, string output, string kind, string provenance, string model
+  Function f, string input, string output, string kind, string provenance
 ) {
   exists(
     string namespace, string type, boolean subtypes, string name, string signature, string ext
   |
-    summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind, provenance,
-      model) and
+    summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind, provenance) and
     f = interpretElement(namespace, type, subtypes, name, signature, ext)
   )
 }
 
 // adapter class for converting Mad summaries to `SummarizedCallable`s
 private class SummarizedCallableAdapter extends SummarizedCallable {
-  SummarizedCallableAdapter() { interpretSummary(this, _, _, _, _, _) }
+  SummarizedCallableAdapter() { interpretSummary(this, _, _, _, _) }
 
-  private predicate relevantSummaryElementManual(
-    string input, string output, string kind, string model
-  ) {
+  private predicate relevantSummaryElementManual(string input, string output, string kind) {
     exists(Provenance provenance |
-      interpretSummary(this, input, output, kind, provenance, model) and
+      interpretSummary(this, input, output, kind, provenance) and
       provenance.isManual()
     )
   }
 
-  private predicate relevantSummaryElementGenerated(
-    string input, string output, string kind, string model
-  ) {
+  private predicate relevantSummaryElementGenerated(string input, string output, string kind) {
     exists(Provenance provenance |
-      interpretSummary(this, input, output, kind, provenance, model) and
+      interpretSummary(this, input, output, kind, provenance) and
       provenance.isGenerated()
     )
   }
@@ -940,16 +920,35 @@ private class SummarizedCallableAdapter extends SummarizedCallable {
     string input, string output, boolean preservesValue, string model
   ) {
     exists(string kind |
-      this.relevantSummaryElementManual(input, output, kind, model)
+      this.relevantSummaryElementManual(input, output, kind)
       or
-      not this.relevantSummaryElementManual(_, _, _, _) and
-      this.relevantSummaryElementGenerated(input, output, kind, model)
+      not this.relevantSummaryElementManual(_, _, _) and
+      this.relevantSummaryElementGenerated(input, output, kind)
     |
       if kind = "value" then preservesValue = true else preservesValue = false
-    )
+    ) and
+    model = "" // TODO
   }
 
   override predicate hasProvenance(Provenance provenance) {
-    interpretSummary(this, _, _, _, provenance, _)
+    interpretSummary(this, _, _, _, provenance)
   }
 }
+
+// adapter class for converting Mad neutrals to `NeutralCallable`s
+private class NeutralCallableAdapter extends NeutralCallable {
+  string kind;
+  string provenance_;
+
+  NeutralCallableAdapter() {
+    // Neutral models have not been implemented for CPP.
+    none() and
+    exists(this) and
+    exists(kind) and
+    exists(provenance_)
+  }
+
+  override string getKind() { result = kind }
+
+  override predicate hasProvenance(Provenance provenance) { provenance = provenance_ }
+}

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *
@@ -282,9 +290,15 @@ deprecated private module Config implements FullStateConfigSig {
 
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+  predicate sourceGrouping(Node source, string sourceGroup) {
+    any(Configuration config).sourceGrouping(source, sourceGroup)
+  }
 
-  predicate observeDiffInformedIncrementalMode() { none() }
+  predicate sinkGrouping(Node sink, string sinkGroup) {
+    any(Configuration config).sinkGrouping(sink, sinkGroup)
+  }
+
+  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *
@@ -282,9 +290,15 @@ deprecated private module Config implements FullStateConfigSig {
 
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+  predicate sourceGrouping(Node source, string sourceGroup) {
+    any(Configuration config).sourceGrouping(source, sourceGroup)
+  }
 
-  predicate observeDiffInformedIncrementalMode() { none() }
+  predicate sinkGrouping(Node sink, string sinkGroup) {
+    any(Configuration config).sinkGrouping(sink, sinkGroup)
+  }
+
+  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *
@@ -282,9 +290,15 @@ deprecated private module Config implements FullStateConfigSig {
 
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+  predicate sourceGrouping(Node source, string sourceGroup) {
+    any(Configuration config).sourceGrouping(source, sourceGroup)
+  }
 
-  predicate observeDiffInformedIncrementalMode() { none() }
+  predicate sinkGrouping(Node sink, string sinkGroup) {
+    any(Configuration config).sinkGrouping(sink, sinkGroup)
+  }
+
+  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *
@@ -282,9 +290,15 @@ deprecated private module Config implements FullStateConfigSig {
 
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+  predicate sourceGrouping(Node source, string sourceGroup) {
+    any(Configuration config).sourceGrouping(source, sourceGroup)
+  }
 
-  predicate observeDiffInformedIncrementalMode() { none() }
+  predicate sinkGrouping(Node sink, string sinkGroup) {
+    any(Configuration config).sinkGrouping(sink, sinkGroup)
+  }
+
+  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *
@@ -282,9 +290,15 @@ deprecated private module Config implements FullStateConfigSig {
 
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+  predicate sourceGrouping(Node source, string sourceGroup) {
+    any(Configuration config).sourceGrouping(source, sourceGroup)
+  }
 
-  predicate observeDiffInformedIncrementalMode() { none() }
+  predicate sinkGrouping(Node sink, string sinkGroup) {
+    any(Configuration config).sinkGrouping(sink, sinkGroup)
+  }
+
+  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll

@@ -215,16 +215,19 @@ predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { none() }
 predicate localMustFlowStep(Node node1, Node node2) { none() }
 
 /** Gets the type of `n` used for type pruning. */
-DataFlowType getNodeType(Node n) {
+Type getNodeType(Node n) {
   exists(n) and
   result instanceof VoidType // stub implementation
 }
 
+/** Gets a string representation of a type returned by `getNodeType`. */
+string ppReprType(Type t) { none() } // stub implementation
+
 /**
  * Holds if `t1` and `t2` are compatible, that is, whether data can flow from
  * a node of type `t1` to a node of type `t2`.
  */
-predicate compatibleTypes(DataFlowType t1, DataFlowType t2) {
+predicate compatibleTypes(Type t1, Type t2) {
   t1 instanceof VoidType and t2 instanceof VoidType // stub implementation
 }
 
@@ -236,15 +239,21 @@ class CastNode extends Node {
   CastNode() { none() } // stub implementation
 }
 
-class DataFlowCallable extends Function { }
+class DataFlowCallable extends Function {
+  /** Gets a best-effort total ordering. */
+  int totalorder() {
+    this =
+      rank[result](DataFlowCallable c, string file, int startline, int startcolumn |
+        c.getLocation().hasLocationInfo(file, startline, startcolumn, _, _)
+      |
+        c order by file, startline, startcolumn
+      )
+  }
+}
 
 class DataFlowExpr = Expr;
 
-final private class TypeFinal = Type;
-
-class DataFlowType extends TypeFinal {
-  string toString() { result = "" }
-}
+class DataFlowType = Type;
 
 /** A function call relevant for data flow. */
 class DataFlowCall extends Expr instanceof Call {
@@ -260,12 +269,24 @@ class DataFlowCall extends Expr instanceof Call {
 
   /** Gets the enclosing callable of this call. */
   DataFlowCallable getEnclosingCallable() { result = this.getEnclosingFunction() }
+
+  /** Gets a best-effort total ordering. */
+  int totalorder() {
+    this =
+      rank[result](DataFlowCall c, int startline, int startcolumn |
+        c.getLocation().hasLocationInfo(_, startline, startcolumn, _, _)
+      |
+        c order by startline, startcolumn
+      )
+  }
 }
 
 class NodeRegion instanceof Unit {
   string toString() { result = "NodeRegion" }
 
   predicate contains(Node n) { none() }
+
+  int totalOrder() { result = 1 }
 }
 
 predicate isUnreachableInCall(NodeRegion nr, DataFlowCall call) { none() } // stub implementation

cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll

@@ -112,8 +112,9 @@ module SourceSinkInterpretationInput implements
     exists(
       string namespace, string type, boolean subtypes, string name, string signature, string ext
     |
-      sourceModel(namespace, type, subtypes, name, signature, ext, output, kind, provenance, model) and
-      e = interpretElement(namespace, type, subtypes, name, signature, ext)
+      sourceModel(namespace, type, subtypes, name, signature, ext, output, kind, provenance) and
+      e = interpretElement(namespace, type, subtypes, name, signature, ext) and
+      model = "" // TODO
     )
   }
 
@@ -127,8 +128,9 @@ module SourceSinkInterpretationInput implements
     exists(
       string package, string type, boolean subtypes, string name, string signature, string ext
     |
-      sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance, model) and
-      e = interpretElement(package, type, subtypes, name, signature, ext)
+      sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance) and
+      e = interpretElement(package, type, subtypes, name, signature, ext) and
+      model = "" // TODO
     )
   }
 

cpp/ql/lib/semmle/code/cpp/exprs/BuiltInOperations.qll

@@ -383,37 +383,6 @@ class BuiltInOperationIsConvertibleTo extends BuiltInOperation, @isconvtoexpr {
   override string getAPrimaryQlClass() { result = "BuiltInOperationIsConvertibleTo" }
 }
 
-/**
- * A C++ `__is_convertible` built-in operation (used by some implementations
- * of the `<type_traits>` header).
- *
- * Returns `true` if the first type can be converted to the second type.
- * ```
- * bool v = __is_convertible(MyType, OtherType);
- * ```
- */
-class BuiltInOperationIsConvertible extends BuiltInOperation, @isconvertible {
-  override string toString() { result = "__is_convertible" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsConvertible" }
-}
-
-/**
- * A C++ `__is_nothrow_convertible` built-in operation (used by some implementations
- * of the `<type_traits>` header).
- *
- * Returns `true` if the first type can be converted to the second type and the
- * conversion operator has an empty exception specification.
- * ```
- * bool v = __is_nothrow_convertible(MyType, OtherType);
- * ```
- */
-class BuiltInOperationIsNothrowConvertible extends BuiltInOperation, @isnothrowconvertible {
-  override string toString() { result = "__is_nothrow_convertible" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsNothrowConvertible" }
-}
-
 /**
  * A C++ `__is_empty` built-in operation (used by some implementations of the
  * `<type_traits>` header).
@@ -678,7 +647,8 @@ class BuiltInOperationIsTriviallyAssignable extends BuiltInOperation, @istrivial
  * The `__is_nothrow_assignable` built-in operation (used by some
  * implementations of the `<type_traits>` header).
  *
- * Returns true if there exists an assignment operator with an empty exception specification.
+ * Returns true if there exists a `C::operator =(const D& d) nothrow`
+ * assignment operator (i.e, with an empty exception specification).
  * ```
  * bool v = __is_nothrow_assignable(MyType1, MyType2);
  * ```
@@ -693,7 +663,8 @@ class BuiltInOperationIsNothrowAssignable extends BuiltInOperation, @isnothrowas
  * The `__is_assignable` built-in operation (used by some implementations
  * of the `<type_traits>` header).
  *
- * Returns true if there exists an assignment operator.
+ * Returns true if there exists a `C::operator =(const D& d)` assignment
+ * operator.
  * ```
  * bool v = __is_assignable(MyType1, MyType2);
  * ```
@@ -704,25 +675,6 @@ class BuiltInOperationIsAssignable extends BuiltInOperation, @isassignable {
   override string getAPrimaryQlClass() { result = "BuiltInOperationIsAssignable" }
 }
 
-/**
- * The `__is_assignable_no_precondition_check` built-in operation (used by some
- * implementations of the `<type_traits>` header).
- *
- * Returns true if there exists an assignment operator.
- * ```
- * bool v = __is_assignable_no_precondition_check(MyType1, MyType2);
- * ```
- */
-class BuiltInOperationIsAssignableNoPreconditionCheck extends BuiltInOperation,
-  @isassignablenopreconditioncheck
-{
-  override string toString() { result = "__is_assignable_no_precondition_check" }
-
-  override string getAPrimaryQlClass() {
-    result = "BuiltInOperationIsAssignableNoPreconditionCheck"
-  }
-}
-
 /**
  * The `__is_standard_layout` built-in operation (used by some implementations
  * of the `<type_traits>` header).
@@ -756,20 +708,6 @@ class BuiltInOperationIsTriviallyCopyable extends BuiltInOperation, @istrivially
   override string getAPrimaryQlClass() { result = "BuiltInOperationIsTriviallyCopyable" }
 }
 
-/**
- * The `__is_trivially_copy_assignable` built-in operation (used by some
- * implementations of the `<type_traits>` header).
- *
- * Returns `true` if instances of this type can be copied using a trivial
- * copy operator.
- */
-class BuiltInOperationIsTriviallyCopyAssignable extends BuiltInOperation, @istriviallycopyassignable
-{
-  override string toString() { result = "__is_trivially_copy_assignable" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsTriviallyCopyAssignable" }
-}
-
 /**
  * The `__is_literal_type` built-in operation (used by some implementations of
  * the `<type_traits>` header).
@@ -1124,24 +1062,6 @@ class BuiltInOperationIsSame extends BuiltInOperation, @issame {
   override string getAPrimaryQlClass() { result = "BuiltInOperationIsSame" }
 }
 
-/**
- * A C++ `__is_same_as` built-in operation (used by some implementations of the
- * `<type_traits>` header).
- *
- * Returns `true` if two types are the same.
- * ```
- * template<typename _Tp, typename _Up>
- *   struct is_same
- *   : public integral_constant<bool, __is_same_as(_Tp, _Up)>
- *   { };
- * ```
- */
-class BuiltInOperationIsSameAs extends BuiltInOperation, @issameas {
-  override string toString() { result = "__is_same_as" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsSameAs" }
-}
-
 /**
  * A C++ `__is_function` built-in operation (used by some implementations of the
  * `<type_traits>` header).
@@ -1200,87 +1120,6 @@ class BuiltInOperationIsPointerInterconvertibleBaseOf extends BuiltInOperation,
   }
 }
 
-/**
- * A C++ `__is_pointer_interconvertible_with_class` built-in operation (used
- * by some implementations of the `<type_traits>` header).
- *
- * Returns `true` if a member pointer is pointer-interconvertible with a
- * class type.
- * ```
- * template<typename _Tp, typename _Up>
- * constexpr bool is_pointer_interconvertible_with_class(_Up _Tp::*mp) noexcept
- *   = __is_pointer_interconvertible_with_class(_Tp, mp);
- * ```
- */
-class BuiltInOperationIsPointerInterconvertibleWithClass extends BuiltInOperation,
-  @ispointerinterconvertiblewithclass
-{
-  override string toString() { result = "__is_pointer_interconvertible_with_class" }
-
-  override string getAPrimaryQlClass() {
-    result = "BuiltInOperationIsPointerInterconvertibleWithClass"
-  }
-}
-
-/**
- * A C++ `__builtin_is_pointer_interconvertible_with_class` built-in operation (used
- * by some implementations of the `<type_traits>` header).
- *
- * Returns `true` if a member pointer is pointer-interconvertible with a class type.
- * ```
- * template<typename _Tp, typename _Up>
- * constexpr bool is_pointer_interconvertible_with_class(_Up _Tp::*mp) noexcept
- *   = __builtin_is_pointer_interconvertible_with_class(mp);
- * ```
- */
-class BuiltInOperationBuiltInIsPointerInterconvertible extends BuiltInOperation,
-  @builtinispointerinterconvertiblewithclass
-{
-  override string toString() { result = "__builtin_is_pointer_interconvertible_with_class" }
-
-  override string getAPrimaryQlClass() {
-    result = "BuiltInOperationBuiltInIsPointerInterconvertible"
-  }
-}
-
-/**
- * A C++ `__is_corresponding_member` built-in operation (used
- * by some implementations of the `<type_traits>` header).
- *
- * Returns `true` if two member pointers refer to corresponding
- * members in the initial sequences of two class types.
- * ```
- * template<typename _Tp1, typename _Tp2, typename _Up1, typename _Up2>
- * constexpr bool is_corresponding_member(_Up1 _Tp1::*mp1, _Up2 _Tp2::*mp2 ) noexcept
- *   = __is_corresponding_member(_Tp1, _Tp2, mp1, mp2);
- * ```
- */
-class BuiltInOperationIsCorrespondingMember extends BuiltInOperation, @iscorrespondingmember {
-  override string toString() { result = "__is_corresponding_member" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsCorrespondingMember" }
-}
-
-/**
- * A C++ `__builtin_is_corresponding_member` built-in operation (used
- * by some implementations of the `<type_traits>` header).
- *
- * Returns `true` if two member pointers refer to corresponding
- * members in the initial sequences of two class types.
- * ```
- * template<typename _Tp1, typename _Tp2, typename _Up1, typename _Up2>
- * constexpr bool is_corresponding_member(_Up1 _Tp1::*mp1, _Up2 _Tp2::*mp2 ) noexcept
- *   = __builtin_is_corresponding_member(mp1, mp2);
- * ```
- */
-class BuiltInOperationBuiltInIsCorrespondingMember extends BuiltInOperation,
-  @builtiniscorrespondingmember
-{
-  override string toString() { result = "__builtin_is_corresponding_member" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationBuiltInIsCorrespondingMember" }
-}
-
 /**
  * A C++ `__is_array` built-in operation (used by some implementations of the
  * `<type_traits>` header).
@@ -1299,42 +1138,6 @@ class BuiltInOperationIsArray extends BuiltInOperation, @isarray {
   override string getAPrimaryQlClass() { result = "BuiltInOperationIsArray" }
 }
 
-/**
- * A C++ `__is_bounded_array` built-in operation (used by some implementations
- * of the `<type_traits>` header).
- *
- * Returns `true` if a type is a bounded array type.
- * ```
- * template<typename _Tp>
- *   struct is_bounded_array
- *   : public integral_constant<bool, __is_bounded_array(_Tp)>
- *   { };
- * ```
- */
-class BuiltInOperationIsBoundedArray extends BuiltInOperation, @isboundedarray {
-  override string toString() { result = "__is_bounded_array" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsBoundedArray" }
-}
-
-/**
- * A C++ `__is_unbounded_array` built-in operation (used by some implementations
- * of the `<type_traits>` header).
- *
- * Returns `true` if a type is an unbounded array type.
- * ```
- * template<typename _Tp>
- *   struct is_bounded_array
- *   : public integral_constant<bool, __is_unbounded_array(_Tp)>
- *   { };
- * ```
- */
-class BuiltInOperationIsUnboundedArray extends BuiltInOperation, @isunboundedarray {
-  override string toString() { result = "__is_unbounded_array" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsUnboundedArray" }
-}
-
 /**
  * A C++ `__array_rank` built-in operation (used by some implementations of the
  * `<type_traits>` header).
@@ -1751,10 +1554,10 @@ class BuiltInBitCast extends BuiltInOperation, @builtinbitcast {
  *
  * Returns `true` if a type is a trivial type.
  * ```
- * template<typename _Tp>
- *   struct is_trivial
- *   : public integral_constant<bool, __is_trivial(_Tp)>
- *   {};
+ *  template<typename _Tp>
+ *    struct is_trivial
+ *    : public integral_constant<bool, __is_trivial(_Tp)>
+ *    {};
  * ```
  */
 class BuiltInIsTrivial extends BuiltInOperation, @istrivialexpr {
@@ -1762,182 +1565,3 @@ class BuiltInIsTrivial extends BuiltInOperation, @istrivialexpr {
 
   override string getAPrimaryQlClass() { result = "BuiltInIsTrivial" }
 }
-
-/**
- * A C++ `__reference_constructs_from_temporary` built-in operation
- * (used by some implementations of the `<type_traits>` header).
- *
- * Returns `true` if a reference type `_Tp` is bound to an expression of
- * type `_Up` in direct-initialization, and a temporary object is bound.
- * ```
- * template<typename _Tp, typename _Up>
- *   struct reference_constructs_from_temporary
- *   : public integral_constant<bool, __reference_constructs_from_temporary(_Tp, _Up)>
- *   {};
- * ```
- */
-class BuiltInOperationReferenceConstructsFromTemporary extends BuiltInOperation,
-  @referenceconstructsfromtemporary
-{
-  override string toString() { result = "__reference_constructs_from_temporary" }
-
-  override string getAPrimaryQlClass() {
-    result = "BuiltInOperationReferenceConstructsFromTemporary"
-  }
-}
-
-/**
- * A C++ `__reference_converts_from_temporary` built-in operation
- * (used by some implementations of the `<type_traits>` header).
- *
- * Returns `true` if a reference type `_Tp` is bound to an expression of
- * type `_Up` in copy-initialization, and a temporary object is bound.
- * ```
- * template<typename _Tp, typename _Up>
- *   struct reference_converts_from_temporary
- *   : public integral_constant<bool, __reference_converts_from_temporary(_Tp, _Up)>
- *   {};
- * ```
- */
-class BuiltInOperationReferenceCovertsFromTemporary extends BuiltInOperation,
-  @referenceconvertsfromtemporary
-{
-  override string toString() { result = "__reference_converts_from_temporary" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationReferenceCovertsFromTemporary" }
-}
-
-/**
- * A C++ `__reference_binds_to_temporary` built-in operation (used by some
- * implementations of the `<tuple>` header).
- *
- * Returns `true` if a reference of type `Type1` is bound to an expression of
- * type `Type1`, and a temporary object is bound.
- * ```
- * __reference_binds_to_temporary(Type1, Type2)
- */
-class BuiltInOperationReferenceBindsToTemporary extends BuiltInOperation, @referencebindstotemporary
-{
-  override string toString() { result = "__reference_binds_to_temporary" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationReferenceBindsToTemporary" }
-}
-
-/**
- * A C++ `__builtin_has_attribute` built-in operation.
- *
- * Returns `true` if a type or expression has been declared with the
- * specified attribute.
- * ```
- * __attribute__ ((aligned(8))) int v;
- * bool has_attribute = __builtin_has_attribute(v, aligned);
- * ```
- */
-class BuiltInOperationHasAttribute extends BuiltInOperation, @builtinhasattribute {
-  override string toString() { result = "__builtin_has_attribute" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationHasAttribute" }
-}
-
-/**
- * A C++ `__is_referenceable` built-in operation.
- *
- * Returns `true` if a type can be referenced.
- * ```
- * bool is_referenceable = __is_referenceable(int);
- * ```
- */
-class BuiltInOperationIsReferenceable extends BuiltInOperation, @isreferenceable {
-  override string toString() { result = "__is_referenceable" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsReferenceable" }
-}
-
-/**
- * The `__is_valid_winrt_type` built-in operation. This is a Microsoft extension.
- *
- * Returns `true` if the type is a valid WinRT type.
- */
-class BuiltInOperationIsValidWinRtType extends BuiltInOperation, @isvalidwinrttype {
-  override string toString() { result = "__is_valid_winrt_type" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsValidWinRtType" }
-}
-
-/**
- * The `__is_win_class` built-in operation. This is a Microsoft extension.
- *
- * Returns `true` if the class is a ref class.
- */
-class BuiltInOperationIsWinClass extends BuiltInOperation, @iswinclass {
-  override string toString() { result = "__is_win_class" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsWinClass" }
-}
-
-/**
- * The `__is_win_class` built-in operation. This is a Microsoft extension.
- *
- * Returns `true` if the class is an interface class.
- */
-class BuiltInOperationIsWinInterface extends BuiltInOperation, @iswininterface {
-  override string toString() { result = "__is_win_interface" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsWinInterface" }
-}
-
-/**
- * A C++ `__is_trivially_equality_comparable` built-in operation.
- *
- * Returns `true` if comparing two objects of type `_Tp` is equivalent to
- * comparing their object representations.
- *
- * ```
- * template<typename _Tp>
- *   struct is_trivially_equality_comparable
- *   : public integral_constant<bool, __is_trivially_equality_comparable(_Tp)>
- *   {};
- * ```
- */
-class BuiltInOperationIsTriviallyEqualityComparable extends BuiltInOperation,
-  @istriviallyequalitycomparable
-{
-  override string toString() { result = "__is_trivially_equality_comparable" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsTriviallyEqualityComparable" }
-}
-
-/**
- * A C++ `__is_scoped_enum` built-in operation (used by some implementations
- * of the `<type_traits>` header).
- *
- * Returns `true` if a type is a scoped enum.
- * ```
- * template<typename _Tp>
- * constexpr bool is_scoped_enum = __is_scoped_enum(_Tp);
- * ```
- */
-class BuiltInOperationIsScopedEnum extends BuiltInOperation, @isscopedenum {
-  override string toString() { result = "__is_scoped_enum" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsScopedEnum" }
-}
-
-/**
- * A C++ `__is_trivially_relocatable` built-in operation.
- *
- * Returns `true` if moving an object of type `_Tp` is equivalent to
- * copying the underlying bytes.
- *
- * ```
- * template<typename _Tp>
- *   struct is_trivially_relocatable
- *   : public integral_constant<bool, __is_trivially_relocatable(_Tp)>
- *   {};
- * ```
- */
-class BuiltInOperationIsTriviallyRelocatable extends BuiltInOperation, @istriviallyrelocatable {
-  override string toString() { result = "__is_trivially_relocatable" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsTriviallyRelocatable" }
-}

cpp/ql/lib/semmle/code/cpp/exprs/Cast.qll

@@ -791,53 +791,6 @@ class AlignofTypeOperator extends AlignofOperator {
   override string toString() { result = "alignof(" + this.getTypeOperand().getName() + ")" }
 }
 
-/**
- * A C++ `__datasizeof` expression (used by some implementations
- * of the `<type_traits>` header).
- *
- * The `__datasizeof` expression behaves identically to `sizeof` except
- * that the result ignores tail padding.
- */
-class DatasizeofOperator extends Expr, @datasizeof {
-  override int getPrecedence() { result = 16 }
-}
-
-/**
- * A C++ `__datasizeof` expression whose operand is an expression.
- */
-class DatasizeofExprOperator extends DatasizeofOperator {
-  DatasizeofExprOperator() { exists(this.getChild(0)) }
-
-  override string getAPrimaryQlClass() { result = "DatasizeofExprOperator" }
-
-  /** Gets the contained expression. */
-  Expr getExprOperand() { result = this.getChild(0) }
-
-  override string toString() { result = "__datasizeof(<expr>)" }
-
-  override predicate mayBeImpure() { this.getExprOperand().mayBeImpure() }
-
-  override predicate mayBeGloballyImpure() { this.getExprOperand().mayBeGloballyImpure() }
-}
-
-/**
- * A C++ `__datasizeof` expression whose operand is a type name.
- */
-class DatasizeofTypeOperator extends DatasizeofOperator {
-  DatasizeofTypeOperator() { sizeof_bind(underlyingElement(this), _) }
-
-  override string getAPrimaryQlClass() { result = "DatasizeofTypeOperator" }
-
-  /** Gets the contained type. */
-  Type getTypeOperand() { sizeof_bind(underlyingElement(this), unresolveElement(result)) }
-
-  override string toString() { result = "__datasizeof(" + this.getTypeOperand().getName() + ")" }
-
-  override predicate mayBeImpure() { none() }
-
-  override predicate mayBeGloballyImpure() { none() }
-}
-
 /**
  * A C/C++ array to pointer conversion.
  *

cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll

@@ -304,15 +304,9 @@ class Expr extends StmtParent, @expr {
       e instanceof NoExceptExpr
       or
       e instanceof AlignofOperator
-      or
-      e instanceof DatasizeofOperator
     )
     or
     exists(Decltype d | d.getExpr() = this.getParentWithConversions*())
-    or
-    exists(ConstexprIfStmt constIf |
-      constIf.getControllingExpr() = this.getParentWithConversions*()
-    )
   }
 
   /**
@@ -632,106 +626,6 @@ class ParenthesisExpr extends Conversion, @parexpr {
   override string getAPrimaryQlClass() { result = "ParenthesisExpr" }
 }
 
-/**
- * A node representing a C11 `_Generic` selection expression.
- *
- * For example:
- * ```
- * _Generic(e, int: "int", default: "unknown")
- * ```
- */
-class C11GenericExpr extends Conversion, @c11_generic {
-  int associationCount;
-
-  C11GenericExpr() { associationCount = (count(this.getAChild()) - 1) / 2 }
-
-  override string toString() { result = "_Generic" }
-
-  override string getAPrimaryQlClass() { result = "C11GenericExpr" }
-
-  /**
-   * Gets the controlling expression of the generic selection.
-   *
-   * For example, for
-   * ```
-   * _Generic(e, int: "a", default: "b")
-   * ```
-   * the result is `e`.
-   */
-  Expr getControllingExpr() { result = this.getChild(0) }
-
-  /**
-   * Gets the type of the `n`th element in the association list of the generic selection.
-   *
-   * For example, for
-   * ```
-   * _Generic(e, int: "a", default: "b")
-   * ```
-   * the type of the 0th element is `int`. In the case of the default element the
-   * type will an instance of `VoidType`.
-   */
-  Type getAssociationType(int n) {
-    n in [0 .. associationCount - 1] and
-    result = this.getChild(n * 2 + 1).(TypeName).getType()
-  }
-
-  /**
-   * Gets the type of an element in the association list of the generic selection.
-   */
-  Type getAnAssociationType() { result = this.getAssociationType(_) }
-
-  /**
-   * Gets the expression of the `n`th element in the association list of
-   * the generic selection.
-   *
-   * For example, for
-   * ```
-   * _Generic(e, int: "a", default: "b")
-   * ```
-   * the expression for 0th element is `"a"`, and the expression for the
-   * 1st element is `"b"`. For the selected expression, this predicate
-   * will yield a `ReuseExpr`, such that
-   * ```
-   * this.getAssociationExpr(n).(ReuseExpr).getReusedExpr() = this.getExpr()
-   * ```
-   */
-  Expr getAssociationExpr(int n) {
-    n in [0 .. associationCount - 1] and
-    result = this.getChild(n * 2 + 2)
-  }
-
-  /**
-   * Gets the expression of an element in the association list of the generic selection.
-   */
-  Expr getAnAssociationExpr() { result = this.getAssociationExpr(_) }
-
-  /**
-   * Holds if the `n`th element of the association list of the generic selection is the
-   * default element.
-   *
-   * For example, for
-   * ```
-   * _Generic(e, int: "a", default: "b")
-   * ```
-   * this holds for 1.
-   */
-  predicate isDefaultAssociation(int n) { this.getAssociationType(n) instanceof VoidType }
-
-  /**
-   * Holds if the `n`th element of the association list of the generic selection is the
-   * one whose expression was selected.
-   *
-   * For example, with `e` of type `int` and
-   * ```
-   * _Generic(e, int: "a", default: "b")
-   * ```
-   * this holds for 0.
-   */
-  predicate isSelectedAssociation(int n) {
-    this.getAssociationExpr(n).(ReuseExpr).getReusedExpr() = this.getExpr()
-  }
-}
-
 /**
  * A C/C++ expression that could not be resolved, or that can no longer be
  * represented due to a database upgrade or downgrade.
@@ -768,8 +662,6 @@ class AssumeExpr extends Expr, @assume {
 
 /**
  * A C/C++ comma expression.
- *
- * For example:
  * ```
  * int c = compute1(), compute2(), resulting_value;
  * ```
@@ -963,16 +855,6 @@ class NewOrNewArrayExpr extends Expr, @any_new_expr {
     )
   }
 
-  /**
-   * Holds if the deallocation function is a destroying delete.
-   */
-  predicate isDestroyingDeleteDeallocation() {
-    exists(int form |
-      expr_deallocator(underlyingElement(this), _, form) and
-      form.bitAnd(4) != 0 // Bit two is the "destroying delete" bit
-    )
-  }
-
   /**
    * Gets the type that is being allocated.
    *
@@ -1067,16 +949,6 @@ class NewArrayExpr extends NewOrNewArrayExpr, @new_array_expr {
    * gives nothing, as the 10 is considered part of the type.
    */
   Expr getExtent() { result = this.getChild(2) }
-
-  /**
-   * Gets the number of elements in the array, if available.
-   *
-   * For example, `new int[]{1,2,3}` has an array size of 3.
-   */
-  int getArraySize() {
-    result = this.getAllocatedType().(ArrayType).getArraySize() or
-    result = this.getInitializer().(ArrayAggregateLiteral).getArraySize()
-  }
 }
 
 private class TDeleteOrDeleteArrayExpr = @delete_expr or @delete_array_expr;
@@ -1143,16 +1015,6 @@ class DeleteOrDeleteArrayExpr extends Expr, TDeleteOrDeleteArrayExpr {
     )
   }
 
-  /**
-   * Holds if the deallocation function is a destroying delete.
-   */
-  predicate isDestroyingDeleteDeallocation() {
-    exists(int form |
-      expr_deallocator(underlyingElement(this), _, form) and
-      form.bitAnd(4) != 0 // Bit two is the "destroying delete" bit
-    )
-  }
-
   /**
    * Gets the object or array being deleted.
    */

cpp/ql/lib/semmle/code/cpp/exprs/Literal.qll

@@ -195,6 +195,17 @@ class ClassAggregateLiteral extends AggregateLiteral {
    */
   Expr getAFieldExpr(Field field) { result = this.getFieldExpr(field, _) }
 
+  /**
+   * DEPRECATED: Use `getAFieldExpr` instead.
+   *
+   * Gets the expression within the aggregate literal that is used to initialize
+   * field `field`, if present.
+   *
+   * This predicate may have multiple results since a field can be initialized
+   * multiple times in the same initializer.
+   */
+  deprecated Expr getFieldExpr(Field field) { result = this.getFieldExpr(field, _) }
+
   /**
    * Gets the expression within the aggregate literal that is used to initialize
    * field `field`, if present. The expression is the `position`'th entry in the
@@ -289,6 +300,17 @@ class ArrayOrVectorAggregateLiteral extends AggregateLiteral {
    */
   Expr getAnElementExpr(int elementIndex) { result = this.getElementExpr(elementIndex, _) }
 
+  /**
+   * DEPRECATED: Use `getAnElementExpr` instead.
+   *
+   * Gets the expression within the aggregate literal that is used to initialize
+   * element `elementIndex`, if present.
+   *
+   * This predicate may have multiple results since an element can be initialized
+   * multiple times in the same initializer.
+   */
+  deprecated Expr getElementExpr(int elementIndex) { result = this.getElementExpr(elementIndex, _) }
+
   /**
    * Gets the expression within the aggregate literal that is used to initialize
    * element `elementIndex`, if present. The expression is the `position`'th entry

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *
@@ -282,9 +290,15 @@ deprecated private module Config implements FullStateConfigSig {
 
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+  predicate sourceGrouping(Node source, string sourceGroup) {
+    any(Configuration config).sourceGrouping(source, sourceGroup)
+  }
 
-  predicate observeDiffInformedIncrementalMode() { none() }
+  predicate sinkGrouping(Node sink, string sinkGroup) {
+    any(Configuration config).sinkGrouping(sink, sinkGroup)
+  }
+
+  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *
@@ -282,9 +290,15 @@ deprecated private module Config implements FullStateConfigSig {
 
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+  predicate sourceGrouping(Node source, string sourceGroup) {
+    any(Configuration config).sourceGrouping(source, sourceGroup)
+  }
 
-  predicate observeDiffInformedIncrementalMode() { none() }
+  predicate sinkGrouping(Node sink, string sinkGroup) {
+    any(Configuration config).sinkGrouping(sink, sinkGroup)
+  }
+
+  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *
@@ -282,9 +290,15 @@ deprecated private module Config implements FullStateConfigSig {
 
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+  predicate sourceGrouping(Node source, string sourceGroup) {
+    any(Configuration config).sourceGrouping(source, sourceGroup)
+  }
 
-  predicate observeDiffInformedIncrementalMode() { none() }
+  predicate sinkGrouping(Node sink, string sinkGroup) {
+    any(Configuration config).sinkGrouping(sink, sinkGroup)
+  }
+
+  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *
@@ -282,9 +290,15 @@ deprecated private module Config implements FullStateConfigSig {
 
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+  predicate sourceGrouping(Node source, string sourceGroup) {
+    any(Configuration config).sourceGrouping(source, sourceGroup)
+  }
 
-  predicate observeDiffInformedIncrementalMode() { none() }
+  predicate sinkGrouping(Node sink, string sinkGroup) {
+    any(Configuration config).sinkGrouping(sink, sinkGroup)
+  }
+
+  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -11,7 +11,6 @@ private import Node0ToString
 private import ModelUtil
 private import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs as IO
 private import semmle.code.cpp.models.interfaces.DataFlow as DF
-private import semmle.code.cpp.dataflow.ExternalFlow as External
 
 cached
 private module Cached {
@@ -994,6 +993,9 @@ DataFlowType getNodeType(Node n) {
   result instanceof VoidType // stub implementation
 }
 
+/** Gets a string representation of a type returned by `getNodeType`. */
+string ppReprType(DataFlowType t) { none() } // stub implementation
+
 /**
  * Holds if `t1` and `t2` are compatible, that is, whether data can flow from
  * a node of type `t1` to a node of type `t2`.
@@ -1058,6 +1060,16 @@ class DataFlowCallable extends TDataFlowCallable {
     result = this.asSummarizedCallable() or // SummarizedCallable = Function (in CPP)
     result = this.asSourceCallable()
   }
+
+  /** Gets a best-effort total ordering. */
+  int totalorder() {
+    this =
+      rank[result](DataFlowCallable c, string file, int startline, int startcolumn |
+        c.getLocation().hasLocationInfo(file, startline, startcolumn, _, _)
+      |
+        c order by file, startline, startcolumn
+      )
+  }
 }
 
 /**
@@ -1094,11 +1106,7 @@ class SummarizedCallable extends DataFlowCallable, TSummarizedCallable {
 
 class DataFlowExpr = Expr;
 
-final private class TypeFinal = Type;
-
-class DataFlowType extends TypeFinal {
-  string toString() { result = "" }
-}
+class DataFlowType = Type;
 
 cached
 private newtype TDataFlowCall =
@@ -1159,6 +1167,16 @@ class DataFlowCall extends TDataFlowCall {
    * Gets the location of this call.
    */
   Location getLocation() { none() }
+
+  /** Gets a best-effort total ordering. */
+  int totalorder() {
+    this =
+      rank[result](DataFlowCall c, int startline, int startcolumn |
+        c.getLocation().hasLocationInfo(_, startline, startcolumn, _, _)
+      |
+        c order by startline, startcolumn
+      )
+  }
 }
 
 /**
@@ -1251,6 +1269,15 @@ module IsUnreachableInCall {
     string toString() { result = "NodeRegion" }
 
     predicate contains(Node n) { this = n.getBasicBlock() }
+
+    int totalOrder() {
+      this =
+        rank[result](IRBlock b, int startline, int startcolumn |
+          b.getLocation().hasLocationInfo(_, startline, startcolumn, _, _)
+        |
+          b order by startline, startcolumn
+        )
+    }
   }
 
   predicate isUnreachableInCall(NodeRegion block, DataFlowCall call) {
@@ -1335,9 +1362,9 @@ predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
 /** Extra data-flow steps needed for lambda flow analysis. */
 predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) { none() }
 
-predicate knownSourceModel(Node source, string model) { External::sourceNode(source, _, model) }
+predicate knownSourceModel(Node source, string model) { none() }
 
-predicate knownSinkModel(Node sink, string model) { External::sinkNode(sink, _, model) }
+predicate knownSinkModel(Node sink, string model) { none() }
 
 /**
  * Holds if flow is allowed to pass from parameter `p` and back to itself as a

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll

@@ -546,7 +546,7 @@ module ProductFlow {
       Flow1::PathGraph::edges(pred1, succ1, _, _) and
       exists(ReturnKindExt returnKind |
         succ1.getNode() = returnKind.getAnOutNode(call) and
-        returnKind = getParamReturnPosition(_, pred1.asParameterReturnNode()).getKind()
+        paramReturnNode(_, pred1.asParameterReturnNode(), _, returnKind)
       )
     }
 
@@ -574,7 +574,7 @@ module ProductFlow {
       Flow2::PathGraph::edges(pred2, succ2, _, _) and
       exists(ReturnKindExt returnKind |
         succ2.getNode() = returnKind.getAnOutNode(call) and
-        returnKind = getParamReturnPosition(_, pred2.asParameterReturnNode()).getKind()
+        paramReturnNode(_, pred2.asParameterReturnNode(), _, returnKind)
       )
     }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -104,7 +104,7 @@ predicate hasRawIndirectInstruction(Instruction instr, int indirectionIndex) {
 
 cached
 private newtype TDefImpl =
-  TDefAddressImpl(BaseSourceVariable v) or
+  TDefAddressImpl(BaseIRVariable v) or
   TDirectDefImpl(Operand address, int indirectionIndex) {
     isDef(_, _, address, _, _, indirectionIndex)
   } or
@@ -325,9 +325,9 @@ private Instruction getInitializationTargetAddress(IRVariable v) {
   )
 }
 
-/** An initial definition of an SSA variable address. */
-abstract private class DefAddressImpl extends DefImpl, TDefAddressImpl {
-  BaseSourceVariable v;
+/** An initial definition of an `IRVariable`'s address. */
+private class DefAddressImpl extends DefImpl, TDefAddressImpl {
+  BaseIRVariable v;
 
   DefAddressImpl() {
     this = TDefAddressImpl(v) and
@@ -342,19 +342,6 @@ abstract private class DefAddressImpl extends DefImpl, TDefAddressImpl {
 
   final override Node0Impl getValue() { none() }
 
-  override Cpp::Location getLocation() { result = v.getLocation() }
-
-  final override SourceVariable getSourceVariable() {
-    result.getBaseVariable() = v and
-    result.getIndirection() = 0
-  }
-
-  final override BaseSourceVariable getBaseSourceVariable() { result = v }
-}
-
-private class DefVariableAddressImpl extends DefAddressImpl {
-  override BaseIRVariable v;
-
   final override predicate hasIndexInBlock(IRBlock block, int index) {
     exists(IRVariable var | var = v.getIRVariable() |
       block.getInstruction(index) = getInitializationTargetAddress(var)
@@ -366,14 +353,15 @@ private class DefVariableAddressImpl extends DefAddressImpl {
       index = 0
     )
   }
-}
 
-private class DefCallAddressImpl extends DefAddressImpl {
-  override BaseCallVariable v;
+  override Cpp::Location getLocation() { result = v.getIRVariable().getLocation() }
 
-  final override predicate hasIndexInBlock(IRBlock block, int index) {
-    block.getInstruction(index) = v.getCallInstruction()
+  final override SourceVariable getSourceVariable() {
+    result.getBaseVariable() = v and
+    result.getIndirection() = 0
   }
+
+  final override BaseSourceVariable getBaseSourceVariable() { result = v }
 }
 
 private class DirectDef extends DefImpl, TDirectDefImpl {

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll

@@ -40,8 +40,7 @@ predicate ignoreInstruction(Instruction instr) {
     instr instanceof AliasedDefinitionInstruction or
     instr instanceof AliasedUseInstruction or
     instr instanceof InitializeNonLocalInstruction or
-    instr instanceof ReturnIndirectionInstruction or
-    instr instanceof UninitializedGroupInstruction
+    instr instanceof ReturnIndirectionInstruction
   )
 }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll

@@ -13,8 +13,7 @@ private newtype TMemoryAccessKind =
   TPhiMemoryAccess() or
   TUnmodeledMemoryAccess() or
   TChiTotalMemoryAccess() or
-  TChiPartialMemoryAccess() or
-  TGroupedMemoryAccess()
+  TChiPartialMemoryAccess()
 
 /**
  * Describes the set of memory locations memory accessed by a memory operand or
@@ -100,11 +99,3 @@ class ChiTotalMemoryAccess extends MemoryAccessKind, TChiTotalMemoryAccess {
 class ChiPartialMemoryAccess extends MemoryAccessKind, TChiPartialMemoryAccess {
   override string toString() { result = "chi(partial)" }
 }
-
-/**
- * The result of an `UninitializedGroup` instruction, which initializes a set of
- * allocations that are each assigned the same virtual variable.
- */
-class GroupedMemoryAccess extends MemoryAccessKind, TGroupedMemoryAccess {
-  override string toString() { result = "group" }
-}

cpp/ql/lib/semmle/code/cpp/ir/implementation/Opcode.qll

@@ -89,7 +89,6 @@ private newtype TOpcode =
   TSizedBufferMayWriteSideEffect() or
   TInitializeDynamicAllocation() or
   TChi() or
-  TUninitializedGroup() or
   TInlineAsm() or
   TUnreached() or
   TNewObj()
@@ -1238,17 +1237,6 @@ module Opcode {
     }
   }
 
-  /**
-   * The `Opcode` for a `UninitializedGroup`.
-   *
-   * See the `UninitializedGroupInstruction` documentation for more details.
-   */
-  class UninitializedGroup extends Opcode, TUninitializedGroup {
-    final override string toString() { result = "UninitializedGroup" }
-
-    override GroupedMemoryAccess getWriteMemoryAccess() { any() }
-  }
-
   /**
    * The `Opcode` for an `InlineAsmInstruction`.
    *

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll

@@ -50,6 +50,9 @@ abstract private class AbstractIRVariable extends TIRVariable {
    */
   abstract Language::AST getAst();
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated Language::AST getAST() { result = this.getAst() }
+
   /**
    * Gets an identifier string for the variable. This identifier is unique
    * within the function.
@@ -93,6 +96,9 @@ class IRUserVariable extends AbstractIRVariable, TIRUserVariable {
 
   final override Language::AST getAst() { result = var }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Language::AST getAST() { result = this.getAst() }
+
   final override string getUniqueId() {
     result = this.getVariable().toString() + " " + this.getVariable().getLocation().toString()
   }
@@ -157,6 +163,9 @@ abstract private class AbstractIRGeneratedVariable extends AbstractIRVariable {
 
   final override Language::AST getAst() { result = ast }
 
+  /** DEPRECATED: Alias for getAst */
+  deprecated override Language::AST getAST() { result = this.getAst() }
+
   override string toString() { result = this.getBaseString() + this.getLocationString() }
 
   override string getUniqueId() { none() }

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -2142,47 +2142,6 @@ class ChiInstruction extends Instruction {
   final predicate isPartialUpdate() { Construction::chiOnlyPartiallyUpdatesLocation(this) }
 }
 
-/**
- * An instruction that initializes a set of allocations that are each assigned
- * the same "virtual variable".
- *
- * As an example, consider the following snippet:
- * ```
- * int a;
- * int b;
- * int* p;
- * if(b) {
- *   p = &a;
- * } else {
- *   p = &b;
- * }
- * *p = 5;
- * int x = a;
- * ```
- *
- * Since both the address of `a` and `b` reach `p` at `*p = 5` the IR alias
- * analysis will create a region that contains both `a` and `b`. The region
- * containing both `a` and `b` are initialized by an `UninitializedGroup`
- * instruction in the entry block of the enclosing function.
- */
-class UninitializedGroupInstruction extends Instruction {
-  UninitializedGroupInstruction() { this.getOpcode() instanceof Opcode::UninitializedGroup }
-
-  /**
-   * Gets an `IRVariable` whose memory is initialized by this instruction, if any.
-   * Note: Allocations that are not represented as `IRVariable`s (such as
-   * dynamic allocations) are not returned by this predicate even if this
-   * instruction initializes such memory.
-   */
-  final IRVariable getAnIRVariable() {
-    result = Construction::getAnUninitializedGroupVariable(this)
-  }
-
-  final override string getImmediateString() {
-    result = strictconcat(this.getAnIRVariable().toString(), ",")
-  }
-}
-
 /**
  * An instruction representing unreachable code.
  *

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll

@@ -106,7 +106,8 @@ private predicate operandEscapesDomain(Operand operand) {
   not isArgumentForParameter(_, operand, _) and
   not isOnlyEscapesViaReturnArgument(operand) and
   not operand.getUse() instanceof ReturnValueInstruction and
-  not operand.getUse() instanceof ReturnIndirectionInstruction
+  not operand.getUse() instanceof ReturnIndirectionInstruction and
+  not operand instanceof PhiInputOperand
 }
 
 /**
@@ -190,11 +191,6 @@ private predicate operandIsPropagated(Operand operand, IntValue bitOffset, Instr
     // A copy propagates the source value.
     operand = instr.(CopyInstruction).getSourceValueOperand() and bitOffset = 0
   )
-  or
-  operand = instr.(PhiInstruction).getAnInputOperand() and
-  // Using `unknown` ensures termination since we cannot keep incrementing a bit offset
-  // through the back edge of a loop (or through recursion).
-  bitOffset = Ints::unknown()
 }
 
 private predicate operandEscapesNonReturn(Operand operand) {
@@ -216,6 +212,9 @@ private predicate operandEscapesNonReturn(Operand operand) {
   or
   isOnlyEscapesViaReturnArgument(operand) and resultEscapesNonReturn(operand.getUse())
   or
+  operand instanceof PhiInputOperand and
+  resultEscapesNonReturn(operand.getUse())
+  or
   operandEscapesDomain(operand)
 }
 
@@ -237,6 +236,9 @@ private predicate operandMayReachReturn(Operand operand) {
   operand.getUse() instanceof ReturnValueInstruction
   or
   isOnlyEscapesViaReturnArgument(operand) and resultMayReachReturn(operand.getUse())
+  or
+  operand instanceof PhiInputOperand and
+  resultMayReachReturn(operand.getUse())
 }
 
 private predicate operandReturned(Operand operand, IntValue bitOffset) {
@@ -338,56 +340,6 @@ private predicate resultEscapesNonReturn(Instruction instr) {
   not instr.isResultModeled()
 }
 
-/** Holds if `operand` may (transitively) flow to an `AddressOperand`. */
-private predicate consumedAsAddressOperand(Operand operand) {
-  operand instanceof AddressOperand
-  or
-  exists(Operand address |
-    consumedAsAddressOperand(address) and
-    operandIsPropagated(operand, _, address.getDef())
-  )
-}
-
-/**
- * Holds if `operand` may originate from a base instruction of an allocation,
- * and that operand may transitively flow to an `AddressOperand`.
- */
-private predicate propagatedFromAllocationBase(Operand operand, Configuration::Allocation allocation) {
-  consumedAsAddressOperand(operand) and
-  (
-    not exists(Configuration::getOldAllocation(allocation)) and
-    operand.getDef() = allocation.getABaseInstruction()
-    or
-    exists(Operand address |
-      operandIsPropagated(address, _, operand.getDef()) and
-      propagatedFromAllocationBase(address, allocation)
-    )
-  )
-}
-
-private predicate propagatedFromNonAllocationBase(Operand operand) {
-  exists(Instruction def |
-    def = operand.getDef() and
-    not operandIsPropagated(_, _, def) and
-    not def = any(Configuration::Allocation allocation).getABaseInstruction()
-  )
-  or
-  exists(Operand address |
-    operandIsPropagated(address, _, operand.getDef()) and
-    propagatedFromNonAllocationBase(address)
-  )
-}
-
-/**
- * Holds if we cannot see all producers of an operand for which allocation also flows into.
- */
-private predicate operandConsumesEscaped(Configuration::Allocation allocation) {
-  exists(AddressOperand address |
-    propagatedFromAllocationBase(address, allocation) and
-    propagatedFromNonAllocationBase(address)
-  )
-}
-
 /**
  * Holds if the address of `allocation` escapes outside the domain of the analysis. This can occur
  * either because the allocation's address is taken within the function and escapes, or because the
@@ -396,14 +348,12 @@ private predicate operandConsumesEscaped(Configuration::Allocation allocation) {
 predicate allocationEscapes(Configuration::Allocation allocation) {
   allocation.alwaysEscapes()
   or
-  exists(IREscapeAnalysisConfiguration config | config.useSoundEscapeAnalysis() |
-    resultEscapesNonReturn(allocation.getABaseInstruction())
-    or
-    operandConsumesEscaped(allocation)
+  exists(IREscapeAnalysisConfiguration config |
+    config.useSoundEscapeAnalysis() and resultEscapesNonReturn(allocation.getABaseInstruction())
   )
   or
   Configuration::phaseNeedsSoundEscapeAnalysis() and
-  (resultEscapesNonReturn(allocation.getABaseInstruction()) or operandConsumesEscaped(allocation))
+  resultEscapesNonReturn(allocation.getABaseInstruction())
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll

@@ -101,8 +101,6 @@ class IndirectParameterAllocation extends Allocation, TIndirectParameterAllocati
   final override predicate isAlwaysAllocatedOnStack() { none() }
 
   final override predicate alwaysEscapes() { none() }
-
-  final IRAutomaticVariable getIRVariable() { result = var }
 }
 
 class DynamicAllocation extends Allocation, TDynamicAllocation {
@@ -146,8 +144,3 @@ class DynamicAllocation extends Allocation, TDynamicAllocation {
 }
 
 predicate phaseNeedsSoundEscapeAnalysis() { none() }
-
-UnaliasedSsa::Allocation getOldAllocation(VariableAllocation allocation) {
-  UnaliasedSsa::canReuseSsaForVariable(allocation.getIRVariable()) and
-  result = allocation.getIRVariable()
-}

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll

@@ -7,8 +7,7 @@ private import semmle.code.cpp.ir.implementation.unaliased_ssa.internal.SSAConst
 private import semmle.code.cpp.ir.internal.IntegerConstant as Ints
 private import semmle.code.cpp.ir.internal.IntegerInterval as Interval
 private import semmle.code.cpp.ir.implementation.internal.OperandTag
-import AliasConfiguration
-private import codeql.util.Boolean
+private import AliasConfiguration
 
 private class IntValue = Ints::IntValue;
 
@@ -17,196 +16,49 @@ private predicate isIndirectOrBufferMemoryAccess(MemoryAccessKind kind) {
   kind instanceof BufferMemoryAccess
 }
 
-private predicate hasMemoryAccess(
-  AddressOperand addrOperand, Allocation var, IntValue startBitOffset, boolean grouped
-) {
-  addressOperandAllocationAndOffset(addrOperand, var, startBitOffset) and
-  if strictcount(Allocation alloc | addressOperandAllocationAndOffset(addrOperand, alloc, _)) > 1
-  then grouped = true
-  else grouped = false
-}
-
 private predicate hasResultMemoryAccess(
-  AddressOperand address, Instruction instr, Allocation var, IRType type,
-  Language::LanguageType languageType, IntValue startBitOffset, IntValue endBitOffset,
-  boolean isMayAccess, boolean grouped
+  Instruction instr, Allocation var, IRType type, Language::LanguageType languageType,
+  IntValue startBitOffset, IntValue endBitOffset, boolean isMayAccess
 ) {
-  address = instr.getResultAddressOperand() and
-  hasMemoryAccess(address, var, startBitOffset, grouped) and
-  languageType = instr.getResultLanguageType() and
-  type = languageType.getIRType() and
-  isIndirectOrBufferMemoryAccess(instr.getResultMemoryAccess()) and
-  (if instr.hasResultMayMemoryAccess() then isMayAccess = true else isMayAccess = false) and
-  if exists(type.getByteSize())
-  then endBitOffset = Ints::add(startBitOffset, Ints::mul(type.getByteSize(), 8))
-  else endBitOffset = Ints::unknown()
+  exists(AddressOperand addrOperand |
+    addrOperand = instr.getResultAddressOperand() and
+    addressOperandAllocationAndOffset(addrOperand, var, startBitOffset) and
+    languageType = instr.getResultLanguageType() and
+    type = languageType.getIRType() and
+    isIndirectOrBufferMemoryAccess(instr.getResultMemoryAccess()) and
+    (if instr.hasResultMayMemoryAccess() then isMayAccess = true else isMayAccess = false) and
+    if exists(type.getByteSize())
+    then endBitOffset = Ints::add(startBitOffset, Ints::mul(type.getByteSize(), 8))
+    else endBitOffset = Ints::unknown()
+  )
 }
 
 private predicate hasOperandMemoryAccess(
-  AddressOperand address, MemoryOperand operand, Allocation var, IRType type,
-  Language::LanguageType languageType, IntValue startBitOffset, IntValue endBitOffset,
-  boolean isMayAccess, boolean grouped
+  MemoryOperand operand, Allocation var, IRType type, Language::LanguageType languageType,
+  IntValue startBitOffset, IntValue endBitOffset, boolean isMayAccess
 ) {
-  address = operand.getAddressOperand() and
-  hasMemoryAccess(address, var, startBitOffset, grouped) and
-  languageType = operand.getLanguageType() and
-  type = languageType.getIRType() and
-  isIndirectOrBufferMemoryAccess(operand.getMemoryAccess()) and
-  (if operand.hasMayReadMemoryAccess() then isMayAccess = true else isMayAccess = false) and
-  if exists(type.getByteSize())
-  then endBitOffset = Ints::add(startBitOffset, Ints::mul(type.getByteSize(), 8))
-  else endBitOffset = Ints::unknown()
-}
-
-private Allocation getAnAllocation(AddressOperand address) {
-  hasResultMemoryAccess(address, _, result, _, _, _, _, _, true) or
-  hasOperandMemoryAccess(address, _, result, _, _, _, _, _, true)
-}
-
-private module AllocationSet0 =
-  QlBuiltins::InternSets<AddressOperand, Allocation, getAnAllocation/1>;
-
-/**
- * A set of allocations containing at least 2 elements.
- */
-private class NonSingletonSets extends AllocationSet0::Set {
-  NonSingletonSets() { strictcount(Allocation var | this.contains(var)) > 1 }
-
-  /** Gets an allocation from this set. */
-  Allocation getAnAllocation() { this.contains(result) }
-
-  /** Gets the string representation of this set. */
-  string toString() { result = "{" + strictconcat(this.getAnAllocation().toString(), ", ") + "}" }
-}
-
-/** Holds the instersection of `s1` and `s2` is non-empty. */
-private predicate hasOverlappingElement(NonSingletonSets s1, NonSingletonSets s2) {
-  exists(Allocation var |
-    s1.contains(var) and
-    s2.contains(var)
+  exists(AddressOperand addrOperand |
+    addrOperand = operand.getAddressOperand() and
+    addressOperandAllocationAndOffset(addrOperand, var, startBitOffset) and
+    languageType = operand.getLanguageType() and
+    type = languageType.getIRType() and
+    isIndirectOrBufferMemoryAccess(operand.getMemoryAccess()) and
+    (if operand.hasMayReadMemoryAccess() then isMayAccess = true else isMayAccess = false) and
+    if exists(type.getByteSize())
+    then endBitOffset = Ints::add(startBitOffset, Ints::mul(type.getByteSize(), 8))
+    else endBitOffset = Ints::unknown()
   )
 }
 
-private module AllocationSet =
-  QlBuiltins::EquivalenceRelation<NonSingletonSets, hasOverlappingElement/2>;
-
-/**
- * Holds if `var` is created by the AST element `e`. Furthermore, the value `d`
- * represents which branch of the `Allocation` type `var` is from.
- */
-private predicate allocationAst(Allocation var, @element e, int d) {
-  var.(VariableAllocation).getIRVariable().getAst() = e and d = 0
-  or
-  var.(IndirectParameterAllocation).getIRVariable().getAst() = e and d = 1
-  or
-  var.(DynamicAllocation).getABaseInstruction().getAst() = e and d = 2
-}
-
-/** Holds if `x = y` and `x` is an AST element that creates an `Allocation`. */
-private predicate id(@element x, @element y) {
-  allocationAst(_, x, _) and
-  x = y
-}
-
-private predicate idOf(@element x, int y) = equivalenceRelation(id/2)(x, y)
-
-/** Gets a unique integer representation of `var`. */
-private int getUniqueAllocationId(Allocation var) {
-  exists(int r, @element e, int d |
-    allocationAst(var, e, d) and
-    idOf(e, r) and
-    result = 3 * r + d
-  )
-}
-
-/**
- * An equivalence class of a set of allocations.
- *
- * Any `VariableGroup` will be completely disjunct from any other
- * `VariableGroup`.
- */
-class VariableGroup extends AllocationSet::EquivalenceClass {
-  /** Gets the location of this set. */
-  final Location getLocation() { result = this.getIRFunction().getLocation() }
-
-  /** Gets the enclosing `IRFunction` of this set. */
-  final IRFunction getIRFunction() {
-    result = unique( | | this.getAnAllocation().getEnclosingIRFunction())
-  }
-
-  /** Gets the type of elements contained in this set. */
-  final Language::LanguageType getType() {
-    strictcount(Language::LanguageType langType |
-      exists(Allocation var | var = this.getAnAllocation() |
-        hasResultMemoryAccess(_, _, var, _, langType, _, _, _, true) or
-        hasOperandMemoryAccess(_, _, var, _, langType, _, _, _, true)
-      )
-    ) = 1 and
-    exists(Allocation var | var = this.getAnAllocation() |
-      hasResultMemoryAccess(_, _, var, _, result, _, _, _, true) or
-      hasOperandMemoryAccess(_, _, var, _, result, _, _, _, true)
-    )
-    or
-    strictcount(Language::LanguageType langType |
-      exists(Allocation var | var = this.getAnAllocation() |
-        hasResultMemoryAccess(_, _, var, _, langType, _, _, _, true) or
-        hasOperandMemoryAccess(_, _, var, _, langType, _, _, _, true)
-      )
-    ) > 1 and
-    result = any(IRUnknownType type).getCanonicalLanguageType()
-  }
-
-  /** Gets an allocation of this set. */
-  final Allocation getAnAllocation() {
-    exists(AllocationSet0::Set set |
-      this = AllocationSet::getEquivalenceClass(set) and
-      set.contains(result)
-    )
-  }
-
-  /** Gets a unique string representing this set. */
-  final private string getUniqueId() {
-    result = strictconcat(getUniqueAllocationId(this.getAnAllocation()).toString(), ",")
-  }
-
-  /**
-   * Gets the order that this set should be initialized in.
-   *
-   * Note: This is _not_ the order in which the _members_ of the set should be
-   * initialized. Rather, it represents the order in which the set should be
-   * initialized in relation to other sets. That is, if
-   * ```
-   * getInitializationOrder() = 2
-   * ```
-   * then this set will be initialized as the second (third) set in the
-   * enclosing function. In order words, the third `UninitializedGroup`
-   * instruction in the entry block of the enclosing function will initialize
-   * this set of allocations.
-   */
-  final int getInitializationOrder() {
-    exists(IRFunction func |
-      func = this.getIRFunction() and
-      this =
-        rank[result + 1](VariableGroup vg, string uniq |
-          vg.getIRFunction() = func and uniq = vg.getUniqueId()
-        |
-          vg order by uniq
-        )
-    )
-  }
-
-  string toString() { result = "{" + strictconcat(this.getAnAllocation().toString(), ", ") + "}" }
-}
-
 private newtype TMemoryLocation =
   TVariableMemoryLocation(
     Allocation var, IRType type, Language::LanguageType languageType, IntValue startBitOffset,
     IntValue endBitOffset, boolean isMayAccess
   ) {
     (
-      hasResultMemoryAccess(_, _, var, type, _, startBitOffset, endBitOffset, isMayAccess, false)
+      hasResultMemoryAccess(_, var, type, _, startBitOffset, endBitOffset, isMayAccess)
       or
-      hasOperandMemoryAccess(_, _, var, type, _, startBitOffset, endBitOffset, isMayAccess, false)
+      hasOperandMemoryAccess(_, var, type, _, startBitOffset, endBitOffset, isMayAccess)
       or
       // For a stack variable, always create a memory location for the entire variable.
       var.isAlwaysAllocatedOnStack() and
@@ -217,25 +69,31 @@ private newtype TMemoryLocation =
     ) and
     languageType = type.getCanonicalLanguageType()
   } or
-  TEntireAllocationMemoryLocation(Allocation var, Boolean isMayAccess) {
-    var instanceof IndirectParameterAllocation or
-    var instanceof DynamicAllocation
+  TEntireAllocationMemoryLocation(Allocation var, boolean isMayAccess) {
+    (
+      var instanceof IndirectParameterAllocation or
+      var instanceof DynamicAllocation
+    ) and
+    (isMayAccess = false or isMayAccess = true)
   } or
-  TGroupedMemoryLocation(VariableGroup vg, Boolean isMayAccess, Boolean isAll) or
-  TUnknownMemoryLocation(IRFunction irFunc, Boolean isMayAccess) or
-  TAllNonLocalMemory(IRFunction irFunc, Boolean isMayAccess) or
-  TAllAliasedMemory(IRFunction irFunc, Boolean isMayAccess)
+  TUnknownMemoryLocation(IRFunction irFunc, boolean isMayAccess) {
+    isMayAccess = false or isMayAccess = true
+  } or
+  TAllNonLocalMemory(IRFunction irFunc, boolean isMayAccess) {
+    isMayAccess = false or isMayAccess = true
+  } or
+  TAllAliasedMemory(IRFunction irFunc, boolean isMayAccess) {
+    isMayAccess = false or isMayAccess = true
+  }
 
 /**
- * A memory location accessed by a memory operand or memory result. In this implementation, the location is
+ * Represents the memory location accessed by a memory operand or memory result. In this implementation, the location is
  * one of the following:
  * - `VariableMemoryLocation` - A location within a known `IRVariable`, at an offset that is either a constant or is
  * unknown.
  * - `UnknownMemoryLocation` - A location not known to be within a specific `IRVariable`.
- *
- * Some of these memory locations will be filtered out for performance reasons before being passed to SSA construction.
  */
-abstract private class MemoryLocation0 extends TMemoryLocation {
+abstract class MemoryLocation extends TMemoryLocation {
   final string toString() {
     if this.isMayAccess()
     then result = "?" + this.toStringInternal()
@@ -258,14 +116,7 @@ abstract private class MemoryLocation0 extends TMemoryLocation {
 
   abstract predicate isMayAccess();
 
-  /**
-   * Gets an allocation associated with this `MemoryLocation`.
-   *
-   * This returns zero or one results in all cases except when `this` is an
-   * instance of `GroupedMemoryLocation`. When `this` is an instance of
-   * `GroupedMemoryLocation` this predicate always returns two or more results.
-   */
-  Allocation getAnAllocation() { none() }
+  Allocation getAllocation() { none() }
 
   /**
    * Holds if the location cannot be overwritten except by definition of a `MemoryLocation` for
@@ -285,6 +136,9 @@ abstract private class MemoryLocation0 extends TMemoryLocation {
   predicate isAlwaysAllocatedOnStack() { none() }
 
   final predicate canReuseSsa() { none() }
+
+  /** DEPRECATED: Alias for canReuseSsa */
+  deprecated predicate canReuseSSA() { this.canReuseSsa() }
 }
 
 /**
@@ -293,35 +147,30 @@ abstract private class MemoryLocation0 extends TMemoryLocation {
  * represented by a `MemoryLocation` that totally overlaps all other
  * `MemoryLocations` in the set.
  */
-abstract class VirtualVariable extends MemoryLocation0 { }
+abstract class VirtualVariable extends MemoryLocation { }
 
-abstract class AllocationMemoryLocation extends MemoryLocation0 {
+abstract class AllocationMemoryLocation extends MemoryLocation {
   Allocation var;
   boolean isMayAccess;
 
-  bindingset[isMayAccess]
-  AllocationMemoryLocation() { any() }
+  AllocationMemoryLocation() {
+    this instanceof TMemoryLocation and
+    isMayAccess = false
+    or
+    isMayAccess = true // Just ensures that `isMayAccess` is bound.
+  }
 
   final override VirtualVariable getVirtualVariable() {
     if allocationEscapes(var)
     then result = TAllAliasedMemory(var.getEnclosingIRFunction(), false)
-    else (
-      // It may be that the grouped memory location contains an escaping
-      // allocation. In that case, the virtual variable is still the memory
-      // location that represents all aliased memory. Thus, we need to
-      // call `getVirtualVariable` on the grouped memory location.
-      result = getGroupedMemoryLocation(var, false, false).getVirtualVariable()
-      or
-      not exists(getGroupedMemoryLocation(var, false, false)) and
-      result.(AllocationMemoryLocation).getAnAllocation() = var
-    )
+    else result.(AllocationMemoryLocation).getAllocation() = var
   }
 
   final override IRFunction getIRFunction() { result = var.getEnclosingIRFunction() }
 
   final override Location getLocation() { result = var.getLocation() }
 
-  final override Allocation getAnAllocation() { result = var }
+  final override Allocation getAllocation() { result = var }
 
   final override predicate isMayAccess() { isMayAccess = true }
 
@@ -362,13 +211,13 @@ class VariableMemoryLocation extends TVariableMemoryLocation, AllocationMemoryLo
   final override Language::LanguageType getType() {
     if
       strictcount(Language::LanguageType accessType |
-        hasResultMemoryAccess(_, _, var, type, accessType, startBitOffset, endBitOffset, _, false) or
-        hasOperandMemoryAccess(_, _, var, type, accessType, startBitOffset, endBitOffset, _, false)
+        hasResultMemoryAccess(_, var, type, accessType, startBitOffset, endBitOffset, _) or
+        hasOperandMemoryAccess(_, var, type, accessType, startBitOffset, endBitOffset, _)
       ) = 1
     then
       // All of the accesses have the same `LanguageType`, so just use that.
-      hasResultMemoryAccess(_, _, var, type, result, startBitOffset, endBitOffset, _, false) or
-      hasOperandMemoryAccess(_, _, var, type, result, startBitOffset, endBitOffset, _, false)
+      hasResultMemoryAccess(_, var, type, result, startBitOffset, endBitOffset, _) or
+      hasOperandMemoryAccess(_, var, type, result, startBitOffset, endBitOffset, _)
     else
       // There is no single type for all accesses, so just use the canonical one for this `IRType`.
       result = type.getCanonicalLanguageType()
@@ -398,89 +247,6 @@ class VariableMemoryLocation extends TVariableMemoryLocation, AllocationMemoryLo
   }
 }
 
-/**
- * A group of allocations represented as a single memory location.
- *
- * If `isAll()` holds then this memory location represents all the enclosing
- * allocations, and if `isSome()` holds then this memory location represents
- * one or more of the enclosing allocations.
- *
- * For example, consider the following snippet:
- * ```
- * int* p;
- * int a, b;
- * if(b) {
- *   p = &a;
- * } else {
- *   p = &b;
- * }
- * *p = 42;
- * ```
- *
- * The write memory location associated with the write to `*p` writes to a
- * grouped memory location representing the _some_ allocation in the set
- * `{a, b}`, and the subsequent `Chi` instruction merges the new value of
- * `{a, b}` into a memory location that represents _all_ of the allocations
- * in the set.
- */
-class GroupedMemoryLocation extends TGroupedMemoryLocation, MemoryLocation0 {
-  VariableGroup vg;
-  boolean isMayAccess;
-  boolean isAll;
-
-  GroupedMemoryLocation() { this = TGroupedMemoryLocation(vg, isMayAccess, isAll) }
-
-  final override Location getLocation() { result = vg.getLocation() }
-
-  final override IRFunction getIRFunction() { result = vg.getIRFunction() }
-
-  final override predicate isMayAccess() { isMayAccess = true }
-
-  final override string getUniqueId() {
-    if this.isAll()
-    then result = "All{" + strictconcat(vg.getAnAllocation().getUniqueId(), ", ") + "}"
-    else result = "Some{" + strictconcat(vg.getAnAllocation().getUniqueId(), ", ") + "}"
-  }
-
-  final override string toStringInternal() { result = this.getUniqueId() }
-
-  final override Language::LanguageType getType() { result = vg.getType() }
-
-  final override VirtualVariable getVirtualVariable() {
-    if allocationEscapes(this.getAnAllocation())
-    then result = TAllAliasedMemory(vg.getIRFunction(), false)
-    else result = TGroupedMemoryLocation(vg, false, true)
-  }
-
-  /** Gets an allocation of this memory location. */
-  override Allocation getAnAllocation() { result = vg.getAnAllocation() }
-
-  /** Gets the set of allocations associated with this memory location. */
-  VariableGroup getGroup() { result = vg }
-
-  /** Holds if this memory location represents all the enclosing allocations. */
-  predicate isAll() { isAll = true }
-
-  /** Holds if this memory location represents one or more of the enclosing allocations. */
-  predicate isSome() { isAll = false }
-}
-
-private GroupedMemoryLocation getGroupedMemoryLocation(
-  Allocation alloc, boolean isMayAccess, boolean isAll
-) {
-  result.getAnAllocation() = alloc and
-  (
-    isMayAccess = true and result.isMayAccess()
-    or
-    isMayAccess = false and not result.isMayAccess()
-  ) and
-  (
-    isAll = true and result.isAll()
-    or
-    isAll = false and result.isSome()
-  )
-}
-
 class EntireAllocationMemoryLocation extends TEntireAllocationMemoryLocation,
   AllocationMemoryLocation
 {
@@ -516,18 +282,10 @@ class VariableVirtualVariable extends VariableMemoryLocation, VirtualVariable {
   }
 }
 
-class GroupedVirtualVariable extends GroupedMemoryLocation, VirtualVariable {
-  GroupedVirtualVariable() {
-    forex(Allocation var | var = this.getAnAllocation() | not allocationEscapes(var)) and
-    not this.isMayAccess() and
-    this.isAll()
-  }
-}
-
 /**
  * An access to memory that is not known to be confined to a specific `IRVariable`.
  */
-class UnknownMemoryLocation extends TUnknownMemoryLocation, MemoryLocation0 {
+class UnknownMemoryLocation extends TUnknownMemoryLocation, MemoryLocation {
   IRFunction irFunc;
   boolean isMayAccess;
 
@@ -554,7 +312,7 @@ class UnknownMemoryLocation extends TUnknownMemoryLocation, MemoryLocation0 {
  * An access to memory that is not known to be confined to a specific `IRVariable`, but is known to
  * not access memory on the current function's stack frame.
  */
-class AllNonLocalMemory extends TAllNonLocalMemory, MemoryLocation0 {
+class AllNonLocalMemory extends TAllNonLocalMemory, MemoryLocation {
   IRFunction irFunc;
   boolean isMayAccess;
 
@@ -588,7 +346,7 @@ class AllNonLocalMemory extends TAllNonLocalMemory, MemoryLocation0 {
 /**
  * An access to all aliased memory.
  */
-class AllAliasedMemory extends TAllAliasedMemory, MemoryLocation0 {
+class AllAliasedMemory extends TAllAliasedMemory, MemoryLocation {
   IRFunction irFunc;
   boolean isMayAccess;
 
@@ -619,7 +377,7 @@ class AliasedVirtualVariable extends AllAliasedMemory, VirtualVariable {
 /**
  * Gets the overlap relationship between the definition location `def` and the use location `use`.
  */
-Overlap getOverlap(MemoryLocation0 def, MemoryLocation0 use) {
+Overlap getOverlap(MemoryLocation def, MemoryLocation use) {
   exists(Overlap overlap |
     // Compute the overlap based only on the extent.
     overlap = getExtentOverlap(def, use) and
@@ -647,7 +405,7 @@ Overlap getOverlap(MemoryLocation0 def, MemoryLocation0 use) {
  * based only on the set of memory locations accessed. Handling of "may" accesses and read-only
  * locations occurs in `getOverlap()`.
  */
-private Overlap getExtentOverlap(MemoryLocation0 def, MemoryLocation0 use) {
+private Overlap getExtentOverlap(MemoryLocation def, MemoryLocation use) {
   // The def and the use must have the same virtual variable, or no overlap is possible.
   (
     // AllAliasedMemory must totally overlap any location within the same virtual variable.
@@ -688,7 +446,7 @@ private Overlap getExtentOverlap(MemoryLocation0 def, MemoryLocation0 use) {
       result instanceof MustExactlyOverlap
       or
       not use instanceof EntireAllocationMemoryLocation and
-      if def.getAnAllocation() = use.getAnAllocation()
+      if def.getAllocation() = use.getAllocation()
       then
         // EntireAllocationMemoryLocation totally overlaps any location within
         // the same allocation.
@@ -696,48 +454,11 @@ private Overlap getExtentOverlap(MemoryLocation0 def, MemoryLocation0 use) {
       else (
         // There is no overlap with a location that's known to belong to a
         // different allocation, but all other locations may partially overlap.
-        not exists(use.getAnAllocation()) and
+        not exists(use.getAllocation()) and
         result instanceof MayPartiallyOverlap
       )
     )
     or
-    exists(GroupedMemoryLocation group |
-      group = def and
-      def.getVirtualVariable() = use.getVirtualVariable()
-    |
-      (
-        use instanceof UnknownMemoryLocation or
-        use instanceof AllAliasedMemory
-      ) and
-      result instanceof MayPartiallyOverlap
-      or
-      group.isAll() and
-      (
-        group.getAnAllocation() =
-          [
-            use.(EntireAllocationMemoryLocation).getAnAllocation(),
-            use.(VariableMemoryLocation).getAnAllocation()
-          ]
-        or
-        use.(GroupedMemoryLocation).isSome()
-      ) and
-      result instanceof MustTotallyOverlap
-      or
-      group.isAll() and
-      use.(GroupedMemoryLocation).isAll() and
-      result instanceof MustExactlyOverlap
-      or
-      group.isSome() and
-      (
-        use instanceof EntireAllocationMemoryLocation
-        or
-        use instanceof VariableMemoryLocation
-        or
-        use instanceof GroupedMemoryLocation
-      ) and
-      result instanceof MayPartiallyOverlap
-    )
-    or
     exists(VariableMemoryLocation defVariableLocation |
       defVariableLocation = def and
       (
@@ -747,8 +468,7 @@ private Overlap getExtentOverlap(MemoryLocation0 def, MemoryLocation0 use) {
         (
           use instanceof UnknownMemoryLocation or
           use instanceof AllAliasedMemory or
-          use instanceof EntireAllocationMemoryLocation or
-          use instanceof GroupedMemoryLocation
+          use instanceof EntireAllocationMemoryLocation
         ) and
         result instanceof MayPartiallyOverlap
         or
@@ -814,7 +534,7 @@ private predicate isCoveredOffset(Allocation var, int offsetRank, VariableMemory
   exists(int startRank, int endRank, VirtualVariable vvar |
     vml.getStartBitOffset() = rank[startRank](IntValue offset_ | isRelevantOffset(vvar, offset_)) and
     vml.getEndBitOffset() = rank[endRank](IntValue offset_ | isRelevantOffset(vvar, offset_)) and
-    var = vml.getAnAllocation() and
+    var = vml.getAllocation() and
     vvar = vml.getVirtualVariable() and
     isRelatableMemoryLocation(vml) and
     offsetRank in [startRank .. endRank]
@@ -822,7 +542,7 @@ private predicate isCoveredOffset(Allocation var, int offsetRank, VariableMemory
 }
 
 private predicate hasUnknownOffset(Allocation var, VariableMemoryLocation vml) {
-  vml.getAnAllocation() = var and
+  vml.getAllocation() = var and
   (
     vml.getStartBitOffset() = Ints::unknown() or
     vml.getEndBitOffset() = Ints::unknown()
@@ -837,9 +557,9 @@ private predicate overlappingIRVariableMemoryLocations(
     isCoveredOffset(var, offsetRank, use)
   )
   or
-  hasUnknownOffset(use.getAnAllocation(), def)
+  hasUnknownOffset(use.getAllocation(), def)
   or
-  hasUnknownOffset(def.getAnAllocation(), use)
+  hasUnknownOffset(def.getAllocation(), use)
 }
 
 private Overlap getVariableMemoryLocationOverlap(
@@ -860,40 +580,6 @@ predicate canReuseSsaForOldResult(Instruction instr) { OldSsa::canReuseSsaForMem
 bindingset[result, b]
 private boolean unbindBool(boolean b) { result != b.booleanNot() }
 
-/** Gets the number of overlapping uses of `def`. */
-private int numberOfOverlappingUses(MemoryLocation0 def) {
-  result = strictcount(MemoryLocation0 use | exists(getOverlap(def, use)))
-}
-
-/**
- * Holds if `def` is a busy definition. That is, it has a large number of
- * overlapping uses.
- */
-private predicate isBusyDef(MemoryLocation0 def) { numberOfOverlappingUses(def) > 1024 }
-
-/** Holds if `use` is a use that overlaps with a busy definition. */
-private predicate useOverlapWithBusyDef(MemoryLocation0 use) {
-  exists(MemoryLocation0 def |
-    exists(getOverlap(def, use)) and
-    isBusyDef(def)
-  )
-}
-
-final private class FinalMemoryLocation = MemoryLocation0;
-
-/**
- * A memory location accessed by a memory operand or memory result. In this implementation, the location is
- * one of the following:
- * - `VariableMemoryLocation` - A location within a known `IRVariable`, at an offset that is either a constant or is
- * unknown.
- * - `UnknownMemoryLocation` - A location not known to be within a specific `IRVariable`.
- *
- * Compared to `MemoryLocation0`, this class does not contain memory locations that represent uses of busy definitions.
- */
-class MemoryLocation extends FinalMemoryLocation {
-  MemoryLocation() { not useOverlapWithBusyDef(this) }
-}
-
 MemoryLocation getResultMemoryLocation(Instruction instr) {
   not canReuseSsaForOldResult(instr) and
   exists(MemoryAccessKind kind, boolean isMayAccess |
@@ -902,24 +588,13 @@ MemoryLocation getResultMemoryLocation(Instruction instr) {
     (
       (
         isIndirectOrBufferMemoryAccess(kind) and
-        if hasResultMemoryAccess(_, instr, _, _, _, _, _, _, _)
+        if hasResultMemoryAccess(instr, _, _, _, _, _, _)
         then
-          exists(
-            Allocation var, IRType type, IntValue startBitOffset, IntValue endBitOffset,
-            boolean grouped
-          |
-            hasResultMemoryAccess(_, instr, var, type, _, startBitOffset, endBitOffset, isMayAccess,
-              grouped)
-          |
-            // If the instruction is only associated with one allocation we assign it a `VariableMemoryLocation`
-            if grouped = false
-            then
-              result =
-                TVariableMemoryLocation(var, type, _, startBitOffset, endBitOffset,
-                  unbindBool(isMayAccess))
-            else
-              // And otherwise we assign it a memory location that groups all the relevant memory locations into one.
-              result = getGroupedMemoryLocation(var, unbindBool(isMayAccess), false)
+          exists(Allocation var, IRType type, IntValue startBitOffset, IntValue endBitOffset |
+            hasResultMemoryAccess(instr, var, type, _, startBitOffset, endBitOffset, isMayAccess) and
+            result =
+              TVariableMemoryLocation(var, type, _, startBitOffset, endBitOffset,
+                unbindBool(isMayAccess))
           )
         else result = TUnknownMemoryLocation(instr.getEnclosingIRFunction(), isMayAccess)
       )
@@ -938,31 +613,20 @@ MemoryLocation getResultMemoryLocation(Instruction instr) {
   )
 }
 
-private MemoryLocation0 getOperandMemoryLocation0(MemoryOperand operand, boolean isMayAccess) {
+MemoryLocation getOperandMemoryLocation(MemoryOperand operand) {
   not canReuseSsaForOldResult(operand.getAnyDef()) and
-  exists(MemoryAccessKind kind |
+  exists(MemoryAccessKind kind, boolean isMayAccess |
     kind = operand.getMemoryAccess() and
     (if operand.hasMayReadMemoryAccess() then isMayAccess = true else isMayAccess = false) and
     (
       (
         isIndirectOrBufferMemoryAccess(kind) and
-        if hasOperandMemoryAccess(_, operand, _, _, _, _, _, _, _)
+        if hasOperandMemoryAccess(operand, _, _, _, _, _, _)
         then
-          exists(
-            Allocation var, IRType type, IntValue startBitOffset, IntValue endBitOffset,
-            boolean grouped
-          |
-            hasOperandMemoryAccess(_, operand, var, type, _, startBitOffset, endBitOffset,
-              isMayAccess, grouped)
-          |
-            // If the operand is only associated with one memory location we assign it a `VariableMemoryLocation`
-            if grouped = false
-            then
-              result =
-                TVariableMemoryLocation(var, type, _, startBitOffset, endBitOffset, isMayAccess)
-            else
-              // And otherwise we assign it a memory location that groups all relevant memory locations into one.
-              result = getGroupedMemoryLocation(var, isMayAccess, false)
+          exists(Allocation var, IRType type, IntValue startBitOffset, IntValue endBitOffset |
+            hasOperandMemoryAccess(operand, var, type, _, startBitOffset, endBitOffset, isMayAccess) and
+            result =
+              TVariableMemoryLocation(var, type, _, startBitOffset, endBitOffset, isMayAccess)
           )
         else result = TUnknownMemoryLocation(operand.getEnclosingIRFunction(), isMayAccess)
       )
@@ -981,19 +645,6 @@ private MemoryLocation0 getOperandMemoryLocation0(MemoryOperand operand, boolean
   )
 }
 
-MemoryLocation getOperandMemoryLocation(MemoryOperand operand) {
-  exists(MemoryLocation0 use0, boolean isMayAccess |
-    use0 = getOperandMemoryLocation0(operand, isMayAccess)
-  |
-    result = use0
-    or
-    // If `use0` overlaps with a busy definition we turn it into a use
-    // of `UnknownMemoryLocation`.
-    not use0 instanceof MemoryLocation and
-    result = TUnknownMemoryLocation(operand.getEnclosingIRFunction(), isMayAccess)
-  )
-}
-
 /** Gets the start bit offset of a `MemoryLocation`, if any. */
 int getStartBitOffset(VariableMemoryLocation location) {
   result = location.getStartBitOffset() and Ints::hasValue(result)

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll

@@ -15,51 +15,6 @@ private class OldInstruction = Reachability::ReachableInstruction;
 
 import Cached
 
-/**
- * Holds if `instruction` is the first instruction that may be followed by
- * an `UninitializedGroup` instruction, and the enclosing function of
- * `instruction` is `func`.
- */
-private predicate isFirstInstructionBeforeUninitializedGroup(
-  Instruction instruction, IRFunction func
-) {
-  instruction = getChi(any(OldIR::InitializeNonLocalInstruction init)) and
-  func = instruction.getEnclosingIRFunction()
-}
-
-/** Gets the `i`'th `UninitializedGroup` instruction in `func`. */
-private UninitializedGroupInstruction getInitGroupInstruction(int i, IRFunction func) {
-  exists(Alias::VariableGroup vg |
-    vg.getIRFunction() = func and
-    vg.getInitializationOrder() = i and
-    result = uninitializedGroup(vg)
-  )
-}
-
-/**
- * Holds if `instruction` is the last instruction in the chain of `UninitializedGroup`
- * instructions in `func`. The chain of instructions may be empty in which case
- * `instruction` satisfies
- * ```
- * isFirstInstructionBeforeUninitializedGroup(instruction, func)
- * ```
- */
-predicate isLastInstructionForUninitializedGroups(Instruction instruction, IRFunction func) {
-  exists(int i |
-    instruction = getInitGroupInstruction(i, func) and
-    not exists(getChi(instruction)) and
-    not exists(getInitGroupInstruction(i + 1, func))
-  )
-  or
-  exists(int i |
-    instruction = getChi(getInitGroupInstruction(i, func)) and
-    not exists(getInitGroupInstruction(i + 1, func))
-  )
-  or
-  isFirstInstructionBeforeUninitializedGroup(instruction, func) and
-  not exists(getInitGroupInstruction(0, func))
-}
-
 cached
 private module Cached {
   cached
@@ -77,11 +32,6 @@ private module Cached {
     hasChiNode(_, primaryInstruction)
   }
 
-  cached
-  predicate hasChiNodeAfterUninitializedGroup(UninitializedGroupInstruction initGroup) {
-    hasChiNodeAfterUninitializedGroup(_, initGroup)
-  }
-
   cached
   predicate hasUnreachedInstructionCached(IRFunction irFunc) {
     exists(OldIR::Instruction oldInstruction |
@@ -95,8 +45,7 @@ private module Cached {
   }
 
   class TStageInstruction =
-    TRawInstruction or TPhiInstruction or TChiInstruction or TUnreachedInstruction or
-        TUninitializedGroupInstruction;
+    TRawInstruction or TPhiInstruction or TChiInstruction or TUnreachedInstruction;
 
   /**
    * If `oldInstruction` is a `Phi` instruction that has exactly one reachable predecessor block,
@@ -129,8 +78,6 @@ private module Cached {
     or
     instr instanceof TChiInstruction
     or
-    instr instanceof TUninitializedGroupInstruction
-    or
     instr instanceof TUnreachedInstruction
   }
 
@@ -176,8 +123,7 @@ private module Cached {
   predicate hasModeledMemoryResult(Instruction instruction) {
     canModelResultForOldInstruction(getOldInstruction(instruction)) or
     instruction instanceof PhiInstruction or // Phis always have modeled results
-    instruction instanceof ChiInstruction or // Chis always have modeled results
-    instruction instanceof UninitializedGroupInstruction // Group initializers always have modeled results
+    instruction instanceof ChiInstruction // Chis always have modeled results
   }
 
   cached
@@ -188,23 +134,16 @@ private module Cached {
     or
     // Chi instructions track virtual variables, and therefore a chi instruction is
     // conflated if it's associated with the aliased virtual variable.
-    exists(Instruction input | instruction = getChi(input) |
-      Alias::getResultMemoryLocation(input).getVirtualVariable() instanceof
+    exists(OldInstruction oldInstruction | instruction = getChi(oldInstruction) |
+      Alias::getResultMemoryLocation(oldInstruction).getVirtualVariable() instanceof
         Alias::AliasedVirtualVariable
-      or
-      // A chi following an `UninitializedGroupInstruction` only happens when the virtual
-      // variable of the grouped memory location is `{AllAliasedMemory}`.
-      exists(Alias::GroupedMemoryLocation gml |
-        input = uninitializedGroup(gml.getGroup()) and
-        gml.getVirtualVariable() instanceof Alias::AliasedVirtualVariable
-      )
     )
     or
     // Phi instructions track locations, and therefore a phi instruction is
     // conflated if it's associated with a conflated location.
     exists(Alias::MemoryLocation location |
       instruction = getPhi(_, location) and
-      not exists(location.getAnAllocation())
+      not exists(location.getAllocation())
     )
   }
 
@@ -266,11 +205,7 @@ private module Cached {
       hasMemoryOperandDefinition(oldInstruction, oldOperand, overlap, result)
     )
     or
-    (
-      instruction = getChi(getOldInstruction(result))
-      or
-      instruction = getChi(result.(UninitializedGroupInstruction))
-    ) and
+    instruction = getChi(getOldInstruction(result)) and
     tag instanceof ChiPartialOperandTag and
     overlap instanceof MustExactlyOverlap
     or
@@ -328,14 +263,6 @@ private module Cached {
     )
   }
 
-  cached
-  IRVariable getAnUninitializedGroupVariable(UninitializedGroupInstruction init) {
-    exists(Alias::VariableGroup vg |
-      init = uninitializedGroup(vg) and
-      result = vg.getAnAllocation().getABaseInstruction().(VariableInstruction).getIRVariable()
-    )
-  }
-
   /**
    * Holds if `instr` is part of a cycle in the operand graph that doesn't go
    * through a phi instruction and therefore should be impossible.
@@ -389,19 +316,6 @@ private module Cached {
     result = getNewPhiOperandDefinitionFromOldSsa(instr, newPredecessorBlock, overlap)
   }
 
-  private ChiInstruction getChiAfterUninitializedGroup(int i, IRFunction func) {
-    result =
-      rank[i + 1](VariableGroup vg, UninitializedGroupInstruction initGroup, ChiInstruction chi,
-        int r |
-        initGroup.getEnclosingIRFunction() = func and
-        chi = getChi(initGroup) and
-        initGroup = uninitializedGroup(vg) and
-        r = vg.getInitializationOrder()
-      |
-        chi order by r
-      )
-  }
-
   cached
   Instruction getChiInstructionTotalOperand(ChiInstruction chiInstr) {
     exists(
@@ -415,19 +329,6 @@ private module Cached {
       definitionReachesUse(vvar, defBlock, defRank, useBlock, useRank) and
       result = getDefinitionOrChiInstruction(defBlock, defOffset, vvar, _)
     )
-    or
-    exists(UninitializedGroupInstruction initGroup, IRFunction func |
-      chiInstr = getChi(initGroup) and
-      func = initGroup.getEnclosingIRFunction()
-    |
-      chiInstr = getChiAfterUninitializedGroup(0, func) and
-      isFirstInstructionBeforeUninitializedGroup(result, func)
-      or
-      exists(int i |
-        chiInstr = getChiAfterUninitializedGroup(i + 1, func) and
-        result = getChiAfterUninitializedGroup(i, func)
-      )
-    )
   }
 
   cached
@@ -443,40 +344,14 @@ private module Cached {
     )
   }
 
-  private UninitializedGroupInstruction firstInstructionToUninitializedGroup(
-    Instruction instruction, EdgeKind kind
-  ) {
-    exists(IRFunction func |
-      isFirstInstructionBeforeUninitializedGroup(instruction, func) and
-      result = getInitGroupInstruction(0, func) and
-      kind instanceof GotoEdge
-    )
-  }
+  /*
+   * This adds Chi nodes to the instruction successor relation; if an instruction has a Chi node,
+   * that node is its successor in the new successor relation, and the Chi node's successors are
+   * the new instructions generated from the successors of the old instruction
+   */
 
-  private Instruction getNextUninitializedGroupInstruction(Instruction instruction, EdgeKind kind) {
-    exists(int i, IRFunction func |
-      func = instruction.getEnclosingIRFunction() and
-      instruction = getInitGroupInstruction(i, func) and
-      kind instanceof GotoEdge
-    |
-      if hasChiNodeAfterUninitializedGroup(_, instruction)
-      then result = getChi(instruction)
-      else result = getInitGroupInstruction(i + 1, func)
-    )
-    or
-    exists(int i, IRFunction func, UninitializedGroupInstruction initGroup |
-      func = instruction.getEnclosingIRFunction() and
-      instruction = getChi(initGroup) and
-      initGroup = getInitGroupInstruction(i, func) and
-      kind instanceof GotoEdge
-    |
-      result = getInitGroupInstruction(i + 1, func)
-    )
-  }
-
-  private Instruction getInstructionSuccessorAfterUninitializedGroup0(
-    Instruction instruction, EdgeKind kind
-  ) {
+  cached
+  Instruction getInstructionSuccessor(Instruction instruction, EdgeKind kind) {
     if hasChiNode(_, getOldInstruction(instruction))
     then
       result = getChi(getOldInstruction(instruction)) and
@@ -496,107 +371,6 @@ private module Cached {
       )
   }
 
-  private Instruction getInstructionSuccessorAfterUninitializedGroup(
-    Instruction instruction, EdgeKind kind
-  ) {
-    exists(IRFunction func, Instruction firstBeforeUninitializedGroup |
-      isLastInstructionForUninitializedGroups(instruction, func) and
-      isFirstInstructionBeforeUninitializedGroup(firstBeforeUninitializedGroup, func) and
-      result = getInstructionSuccessorAfterUninitializedGroup0(firstBeforeUninitializedGroup, kind)
-    )
-  }
-
-  /**
-   * This adds Chi nodes to the instruction successor relation; if an instruction has a Chi node,
-   * that node is its successor in the new successor relation, and the Chi node's successors are
-   * the new instructions generated from the successors of the old instruction.
-   *
-   * Furthermore, the entry block is augmented with `UninitializedGroup` instructions and `Chi`
-   * instructions. For example, consider this example:
-   * ```cpp
-   * int x, y;
-   * int* p;
-   * if(b) {
-   *   p = &x;
-   *   escape(&x);
-   * } else {
-   *   p = &y;
-   * }
-   * *p = 42;
-   *
-   * int z, w;
-   * int* q;
-   * if(b) {
-   *   q = &z;
-   * } else {
-   *   q = &w;
-   * }
-   * *q = 43;
-   * ```
-   *
-   * the unaliased IR for the entry block of this snippet is:
-   * ```
-   * v1(void)         = EnterFunction          :
-   * m1(unknown)      = AliasedDefinition      :
-   * m2(unknown)      = InitializeNonLocal     :
-   * r1(glval<bool>)  = VariableAddress[b]     :
-   * m3(bool)         = InitializeParameter[b] : &:r1
-   * r2(glval<int>)   = VariableAddress[x]     :
-   * m4(int)          = Uninitialized[x]       : &:r2
-   * r3(glval<int>)   = VariableAddress[y]     :
-   * m5(int)          = Uninitialized[y]       : &:r3
-   * r4(glval<int *>) = VariableAddress[p]     :
-   * m6(int *)        = Uninitialized[p]       : &:r4
-   * r5(glval<bool>)  = VariableAddress[b]     :
-   * r6(bool)         = Load[b]                : &:r5, m3
-   * v2(void)         = ConditionalBranch      : r6
-   * ```
-   * and we need to transform this to aliased IR by inserting an `UninitializedGroup`
-   * instruction for every `VariableGroup` memory location in the function. Furthermore,
-   * if the `VariableGroup` memory location contains an allocation that escapes we need
-   * to insert a `Chi` that writes the memory produced by `UninitializedGroup` into
-   * `{AllAliasedMemory}`. For the above snippet we then end up with:
-   * ```
-   * v1(void)         = EnterFunction           :
-   * m2(unknown)      = AliasedDefinition       :
-   * m3(unknown)      = InitializeNonLocal      :
-   * m4(unknown)      = Chi                     : total:m2, partial:m3
-   * m5(int)          = UninitializedGroup[x,y] :
-   * m6(unknown)      = Chi                     : total:m4, partial:m5
-   * m7(int)          = UninitializedGroup[w,z] :
-   * r1(glval<bool>)  = VariableAddress[b]      :
-   * m8(bool)         = InitializeParameter[b]  : &:r1
-   * r2(glval<int>)   = VariableAddress[x]      :
-   * m10(int)         = Uninitialized[x]       : &:r2
-   * m11(unknown)     = Chi                    : total:m6, partial:m10
-   * r3(glval<int>)   = VariableAddress[y]      :
-   * m12(int)         = Uninitialized[y]       : &:r3
-   * m13(unknown)     = Chi                    : total:m11, partial:m12
-   * r4(glval<int *>) = VariableAddress[p]      :
-   * m14(int *)       = Uninitialized[p]       : &:r4
-   * r5(glval<bool>)  = VariableAddress[b]      :
-   * r6(bool)         = Load[b]                 : &:r5, m8
-   * v2(void)         = ConditionalBranch       : r6
-   * ```
-   *
-   * Here, the group `{x, y}` contains an allocation that escapes (`x`), so there
-   * is a `Chi` after the `UninitializedGroup` that initializes the memory for the
-   * `VariableGroup` containing `x`. None of the allocations in `{w, z}` escape so
-   * there is no `Chi` following that the `UninitializedGroup` that initializes the
-   * memory of `{w, z}`.
-   */
-  cached
-  Instruction getInstructionSuccessor(Instruction instruction, EdgeKind kind) {
-    result = firstInstructionToUninitializedGroup(instruction, kind)
-    or
-    result = getNextUninitializedGroupInstruction(instruction, kind)
-    or
-    result = getInstructionSuccessorAfterUninitializedGroup(instruction, kind)
-    or
-    not isFirstInstructionBeforeUninitializedGroup(instruction, _) and
-    result = getInstructionSuccessorAfterUninitializedGroup0(instruction, kind)
-  }
-
   cached
   Instruction getInstructionBackEdgeSuccessor(Instruction instruction, EdgeKind kind) {
     exists(OldInstruction oldInstruction |
@@ -632,16 +406,6 @@ private module Cached {
     exists(IRFunctionBase irFunc |
       instr = unreachedInstruction(irFunc) and result = irFunc.getFunction()
     )
-    or
-    exists(Alias::VariableGroup vg |
-      instr = uninitializedGroup(vg) and
-      result = vg.getIRFunction().getFunction()
-    )
-    or
-    exists(UninitializedGroupInstruction initGroup |
-      instr = chiInstruction(initGroup) and
-      result = getInstructionAst(initGroup)
-    )
   }
 
   cached
@@ -654,16 +418,9 @@ private module Cached {
     )
     or
     exists(Instruction primaryInstr, Alias::VirtualVariable vvar |
-      instr = chiInstruction(primaryInstr) and result = vvar.getType()
-    |
-      hasChiNode(vvar, primaryInstr)
-      or
-      hasChiNodeAfterUninitializedGroup(vvar, primaryInstr)
-    )
-    or
-    exists(Alias::VariableGroup vg |
-      instr = uninitializedGroup(vg) and
-      result = vg.getType()
+      instr = chiInstruction(primaryInstr) and
+      hasChiNode(vvar, primaryInstr) and
+      result = vvar.getType()
     )
     or
     instr = reusedPhiInstruction(_) and
@@ -691,8 +448,6 @@ private module Cached {
     or
     instr = chiInstruction(_) and opcode instanceof Opcode::Chi
     or
-    instr = uninitializedGroup(_) and opcode instanceof Opcode::UninitializedGroup
-    or
     instr = unreachedInstruction(_) and opcode instanceof Opcode::Unreached
   }
 
@@ -705,15 +460,10 @@ private module Cached {
       result = blockStartInstr.getEnclosingIRFunction()
     )
     or
-    exists(Instruction primaryInstr |
+    exists(OldInstruction primaryInstr |
       instr = chiInstruction(primaryInstr) and result = primaryInstr.getEnclosingIRFunction()
     )
     or
-    exists(Alias::VariableGroup vg |
-      instr = uninitializedGroup(vg) and
-      result = vg.getIRFunction()
-    )
-    or
     instr = unreachedInstruction(result)
   }
 
@@ -728,8 +478,6 @@ private module Cached {
       instruction = getChi(oldInstruction) and
       result = getNewInstruction(oldInstruction)
     )
-    or
-    instruction = getChi(result.(UninitializedGroupInstruction))
   }
 }
 
@@ -737,7 +485,7 @@ private Instruction getNewInstruction(OldInstruction instr) { getOldInstruction(
 
 private OldInstruction getOldInstruction(Instruction instr) { instr = result }
 
-private ChiInstruction getChi(Instruction primaryInstr) { result = chiInstruction(primaryInstr) }
+private ChiInstruction getChi(OldInstruction primaryInstr) { result = chiInstruction(primaryInstr) }
 
 private PhiInstruction getPhi(OldBlock defBlock, Alias::MemoryLocation defLocation) {
   result = phiInstruction(defBlock.getFirstInstruction(), defLocation)
@@ -758,16 +506,6 @@ private predicate hasChiNode(Alias::VirtualVariable vvar, OldInstruction def) {
   )
 }
 
-private predicate hasChiNodeAfterUninitializedGroup(
-  Alias::AliasedVirtualVariable vvar, UninitializedGroupInstruction initGroup
-) {
-  exists(Alias::GroupedMemoryLocation defLocation |
-    initGroup = uninitializedGroup(defLocation.getGroup()) and
-    defLocation.getVirtualVariable() = vvar and
-    Alias::getOverlap(defLocation, vvar) instanceof MayPartiallyOverlap
-  )
-}
-
 private import PhiInsertion
 
 /**
@@ -930,37 +668,19 @@ private import DefUse
  * potentially very sparse.
  */
 module DefUse {
-  bindingset[index, block]
-  pragma[inline_late]
-  private int getNonChiOffset(int index, OldBlock block) {
-    exists(OldIR::IRFunction func, Instruction i, OldBlock entryBlock |
-      func = block.getEnclosingIRFunction() and
-      i = block.getInstruction(index) and
-      entryBlock = func.getEntryBlock()
-    |
-      if
-        block = entryBlock and
-        not i instanceof InitializeNonLocalInstruction and
-        not i instanceof AliasedDefinitionInstruction
-      then result = 2 * (index + count(VariableGroup vg | vg.getIRFunction() = func))
-      else result = 2 * index
-    )
-  }
-
-  bindingset[index, block]
-  pragma[inline_late]
-  private int getChiOffset(int index, OldBlock block) { result = getNonChiOffset(index, block) + 1 }
-
   /**
    * Gets the `Instruction` for the definition at offset `defOffset` in block `defBlock`.
    */
-  private Instruction getDefinitionOrChiInstruction0(
+  Instruction getDefinitionOrChiInstruction(
     OldBlock defBlock, int defOffset, Alias::MemoryLocation defLocation,
     Alias::MemoryLocation actualDefLocation
   ) {
-    exists(OldInstruction oldInstr, int oldOffset | oldInstr = defBlock.getInstruction(oldOffset) |
+    exists(OldInstruction oldInstr, int oldOffset |
+      oldInstr = defBlock.getInstruction(oldOffset) and
+      oldOffset >= 0
+    |
       // An odd offset corresponds to the `Chi` instruction.
-      defOffset = getChiOffset(oldOffset, defBlock) and
+      defOffset = oldOffset * 2 + 1 and
       result = getChi(oldInstr) and
       (
         defLocation = Alias::getResultMemoryLocation(oldInstr) or
@@ -969,7 +689,7 @@ module DefUse {
       actualDefLocation = defLocation.getVirtualVariable()
       or
       // An even offset corresponds to the original instruction.
-      defOffset = getNonChiOffset(oldOffset, defBlock) and
+      defOffset = oldOffset * 2 and
       result = getNewInstruction(oldInstr) and
       (
         defLocation = Alias::getResultMemoryLocation(oldInstr) or
@@ -982,54 +702,6 @@ module DefUse {
     hasDefinition(_, defLocation, defBlock, defOffset) and
     result = getPhi(defBlock, defLocation) and
     actualDefLocation = defLocation
-    or
-    exists(
-      Alias::VariableGroup vg, int index, UninitializedGroupInstruction initGroup,
-      Alias::GroupedMemoryLocation gml
-    |
-      // Add 3 to account for the function prologue:
-      // v1(void)    = EnterFunction
-      // m1(unknown) = AliasedDefinition
-      // m2(unknown) = InitializeNonLocal
-      index = 3 + vg.getInitializationOrder() and
-      not gml.isMayAccess() and
-      gml.isSome() and
-      gml.getGroup() = vg and
-      vg.getIRFunction().getEntryBlock() = defBlock and
-      initGroup = uninitializedGroup(vg) and
-      (defLocation = gml or defLocation = gml.getVirtualVariable())
-    |
-      result = initGroup and
-      defOffset = 2 * index and
-      actualDefLocation = defLocation
-      or
-      result = getChi(initGroup) and
-      defOffset = 2 * index + 1 and
-      actualDefLocation = defLocation.getVirtualVariable()
-    )
-  }
-
-  private ChiInstruction remapGetDefinitionOrChiInstruction(Instruction oldResult) {
-    exists(IRFunction func |
-      isFirstInstructionBeforeUninitializedGroup(oldResult, func) and
-      isLastInstructionForUninitializedGroups(result, func)
-    )
-  }
-
-  Instruction getDefinitionOrChiInstruction(
-    OldBlock defBlock, int defOffset, Alias::MemoryLocation defLocation,
-    Alias::MemoryLocation actualDefLocation
-  ) {
-    exists(Instruction oldResult |
-      oldResult =
-        getDefinitionOrChiInstruction0(defBlock, defOffset, defLocation, actualDefLocation) and
-      (
-        result = remapGetDefinitionOrChiInstruction(oldResult)
-        or
-        not exists(remapGetDefinitionOrChiInstruction(oldResult)) and
-        result = oldResult
-      )
-    )
   }
 
   /**
@@ -1170,20 +842,8 @@ module DefUse {
       block.getInstruction(index) = def and
       overlap = Alias::getOverlap(defLocation, useLocation) and
       if overlap instanceof MayPartiallyOverlap
-      then offset = getChiOffset(index, block) // The use will be connected to the definition on the `Chi` instruction.
-      else offset = getNonChiOffset(index, block) // The use will be connected to the definition on the original instruction.
-    )
-    or
-    exists(UninitializedGroupInstruction initGroup, int index, Overlap overlap, VariableGroup vg |
-      initGroup.getEnclosingIRFunction().getEntryBlock() = getNewBlock(block) and
-      vg = defLocation.(Alias::GroupedMemoryLocation).getGroup() and
-      // EnterFunction + AliasedDefinition + InitializeNonLocal + index
-      index = 3 + vg.getInitializationOrder() and
-      initGroup = uninitializedGroup(vg) and
-      overlap = Alias::getOverlap(defLocation, useLocation) and
-      if overlap instanceof MayPartiallyOverlap and hasChiNodeAfterUninitializedGroup(initGroup)
-      then offset = 2 * index + 1 // The use will be connected to the definition on the `Chi` instruction.
-      else offset = 2 * index // The use will be connected to the definition on the original instruction.
+      then offset = (index * 2) + 1 // The use will be connected to the definition on the `Chi` instruction.
+      else offset = index * 2 // The use will be connected to the definition on the original instruction.
     )
   }
 
@@ -1244,11 +904,10 @@ module DefUse {
       block.getInstruction(index) = use and
       (
         // A direct use of the location.
-        useLocation = Alias::getOperandMemoryLocation(use.getAnOperand()) and
-        offset = getNonChiOffset(index, block)
+        useLocation = Alias::getOperandMemoryLocation(use.getAnOperand()) and offset = index * 2
         or
         // A `Chi` instruction will include a use of the virtual variable.
-        hasChiNode(useLocation, use) and offset = getChiOffset(index, block)
+        hasChiNode(useLocation, use) and offset = (index * 2) + 1
       )
     )
   }
@@ -1398,9 +1057,5 @@ module Ssa {
 
   predicate hasChiInstruction = Cached::hasChiInstructionCached/1;
 
-  predicate hasChiNodeAfterUninitializedGroup = Cached::hasChiNodeAfterUninitializedGroup/1;
-
   predicate hasUnreachedInstruction = Cached::hasUnreachedInstructionCached/1;
-
-  class VariableGroup = Alias::VariableGroup;
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TInstruction.qll

@@ -31,7 +31,6 @@ newtype TInstruction =
   TUnaliasedSsaUnreachedInstruction(IRFunctionBase irFunc) {
     UnaliasedSsa::Ssa::hasUnreachedInstruction(irFunc)
   } or
-  TUnaliasedSsaUninitializedGroupInstruction(UnaliasedSsa::Ssa::VariableGroup vg) or
   TAliasedSsaPhiInstruction(
     TRawInstruction blockStartInstr, AliasedSsa::Ssa::MemoryLocation memoryLocation
   ) {
@@ -42,12 +41,6 @@ newtype TInstruction =
   } or
   TAliasedSsaUnreachedInstruction(IRFunctionBase irFunc) {
     AliasedSsa::Ssa::hasUnreachedInstruction(irFunc)
-  } or
-  TAliasedSsaUninitializedGroupInstruction(AliasedSsa::Ssa::VariableGroup vg) or
-  TAliasedSsaChiAfterUninitializedGroupInstruction(
-    TAliasedSsaUninitializedGroupInstruction initGroup
-  ) {
-    AliasedSsa::Ssa::hasChiNodeAfterUninitializedGroup(initGroup)
   }
 
 /**
@@ -69,11 +62,7 @@ module UnaliasedSsaInstructions {
 
   class TChiInstruction = TUnaliasedSsaChiInstruction;
 
-  class TUninitializedGroupInstruction = TUnaliasedSsaUninitializedGroupInstruction;
-
-  class TRawOrUninitializedGroupInstruction = TRawInstruction or TUninitializedGroupInstruction;
-
-  TChiInstruction chiInstruction(TRawOrUninitializedGroupInstruction primaryInstruction) {
+  TChiInstruction chiInstruction(TRawInstruction primaryInstruction) {
     result = TUnaliasedSsaChiInstruction(primaryInstruction)
   }
 
@@ -82,12 +71,6 @@ module UnaliasedSsaInstructions {
   TUnreachedInstruction unreachedInstruction(IRFunctionBase irFunc) {
     result = TUnaliasedSsaUnreachedInstruction(irFunc)
   }
-
-  class VariableGroup = UnaliasedSsa::Ssa::VariableGroup;
-
-  // This really should just be `TUnaliasedSsaUninitializedGroupInstruction`, but that makes the
-  // compiler realize that certain expressions in `SSAConstruction` are unsatisfiable.
-  TRawOrUninitializedGroupInstruction uninitializedGroup(VariableGroup vg) { none() }
 }
 
 /**
@@ -109,16 +92,10 @@ module AliasedSsaInstructions {
     result = TUnaliasedSsaPhiInstruction(blockStartInstr, _)
   }
 
-  class TChiInstruction =
-    TAliasedSsaChiInstruction or TAliasedSsaChiAfterUninitializedGroupInstruction;
+  class TChiInstruction = TAliasedSsaChiInstruction;
 
-  class TRawOrInitialzieGroupInstruction =
-    TRawInstruction or TAliasedSsaUninitializedGroupInstruction;
-
-  TChiInstruction chiInstruction(TRawOrInitialzieGroupInstruction primaryInstruction) {
+  TChiInstruction chiInstruction(TRawInstruction primaryInstruction) {
     result = TAliasedSsaChiInstruction(primaryInstruction)
-    or
-    result = TAliasedSsaChiAfterUninitializedGroupInstruction(primaryInstruction)
   }
 
   class TUnreachedInstruction = TAliasedSsaUnreachedInstruction;
@@ -126,12 +103,4 @@ module AliasedSsaInstructions {
   TUnreachedInstruction unreachedInstruction(IRFunctionBase irFunc) {
     result = TAliasedSsaUnreachedInstruction(irFunc)
   }
-
-  class VariableGroup = AliasedSsa::Ssa::VariableGroup;
-
-  class TUninitializedGroupInstruction = TAliasedSsaUninitializedGroupInstruction;
-
-  TUninitializedGroupInstruction uninitializedGroup(VariableGroup vg) {
-    result = TAliasedSsaUninitializedGroupInstruction(vg)
-  }
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TOperand.qll

@@ -12,9 +12,6 @@ private import semmle.code.cpp.ir.internal.Overlap
  * Provides the newtype used to represent operands across all phases of the IR.
  */
 private module Internal {
-  private class TAliasedChiInstruction =
-    TAliasedSsaChiInstruction or TAliasedSsaChiAfterUninitializedGroupInstruction;
-
   /**
    * An IR operand. `TOperand` is shared across all phases of the IR. There are branches of this
    * type for operands created directly from the AST (`TRegisterOperand` and `TNonSSAMemoryOperand`),
@@ -55,7 +52,7 @@ private module Internal {
     ) {
       exists(AliasedConstruction::getPhiOperandDefinition(useInstr, predecessorBlock, overlap))
     } or
-    TAliasedChiOperand(TAliasedChiInstruction useInstr, ChiOperandTag tag) { any() }
+    TAliasedChiOperand(TAliasedSsaChiInstruction useInstr, ChiOperandTag tag) { any() }
 }
 
 /**
@@ -201,13 +198,10 @@ module AliasedSsaOperands {
     )
   }
 
-  private class TChiInstruction =
-    TAliasedSsaChiInstruction or TAliasedSsaChiAfterUninitializedGroupInstruction;
-
   /**
    * Returns the Chi operand with the specified parameters.
    */
-  TChiOperand chiOperand(TChiInstruction useInstr, ChiOperandTag tag) {
+  TChiOperand chiOperand(TAliasedSsaChiInstruction useInstr, ChiOperandTag tag) {
     result = Internal::TAliasedChiOperand(useInstr, tag)
   }
 }