Post-release preparation for 2.7.4

2026-05-26 09:01:22 +02:00 · 2021-12-15 07:45:49 +00:00
2162 changed files with 81797 additions and 205233 deletions
--- a/.codeqlmanifest.json
+++ b/.codeqlmanifest.json
@@ -4,18 +4,14 @@
        "*/ql/lib/qlpack.yml",
        "*/ql/test/qlpack.yml",
        "*/ql/examples/qlpack.yml",
+        "*/upgrades/qlpack.yml",
        "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml",
        "javascript/ql/experimental/adaptivethreatmodeling/lib/qlpack.yml",
        "javascript/ql/experimental/adaptivethreatmodeling/src/qlpack.yml",
-        "csharp/ql/campaigns/Solorigate/lib/qlpack.yml",
-        "csharp/ql/campaigns/Solorigate/src/qlpack.yml",
-        "csharp/ql/campaigns/Solorigate/test/qlpack.yml",
        "misc/legacy-support/*/qlpack.yml",
        "misc/suite-helpers/qlpack.yml",
        "ruby/extractor-pack/codeql-extractor.yml",
-        "ruby/ql/consistency-queries/qlpack.yml",
-        "ql/ql/consistency-queries/qlpack.yml",
-        "ql/extractor-pack/codeql-extractor.yml"
+        "ruby/ql/consistency-queries/qlpack.yml"
    ],
    "versionPolicies": {
      "default": {
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -26,6 +26,3 @@ documentation:
  - "**/*.qhelp"
  - "**/*.md"
  - docs/**/*
-
-"QL-for-QL": 
-  - ql/**/*
--- a/.github/workflows/check-change-note.yml
+++ b/.github/workflows/check-change-note.yml
@@ -7,7 +7,6 @@ on:
      - "*/ql/src/**/*.ql"
      - "*/ql/src/**/*.qll"
      - "!**/experimental/**"
-      - "!ql/**"

 jobs:
  check-change-note:
--- a/.github/workflows/ql-for-ql-build.yml
+++ b/.github/workflows/ql-for-ql-build.yml
@@ -1,192 +0,0 @@
-name: Run QL for QL
-
-on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
-
-env:
-  CARGO_TERM_COLOR: always
-
-jobs:
-  queries:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - name: Find codeql
-        id: find-codeql
-        uses: github/codeql-action/init@erik-krogh/ql
-        with:
-          languages: javascript # does not matter
-      - name: Get CodeQL version
-        id: get-codeql-version
-        run: |
-          echo "::set-output name=version::$("${CODEQL}" --version | head -n 1 | rev | cut -d " " -f 1 | rev)"
-        shell: bash
-        env:
-          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
-      - name: Cache queries
-        id: cache-queries
-        uses: actions/cache@v2
-        with:
-          path: ${{ runner.temp }}/query-pack.zip
-          key: queries-${{ hashFiles('ql/**/*.ql*') }}-${{ hashFiles('ql/ql/src/ql.dbscheme*') }}-${{ steps.get-codeql-version.outputs.version }}
-      - name: Build query pack
-        if: steps.cache-queries.outputs.cache-hit != 'true'
-        run: |
-          cd ql/ql/src
-          "${CODEQL}" pack create
-          cd .codeql/pack/codeql/ql-all/0.0.0
-          zip "${PACKZIP}" -r .
-        env:
-          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
-          PACKZIP: ${{ runner.temp }}/query-pack.zip
-      - name: Upload query pack
-        uses: actions/upload-artifact@v2
-        with:
-          name: query-pack-zip
-          path: ${{ runner.temp }}/query-pack.zip
-
-  extractors:
-    strategy:
-      fail-fast: false
-
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v2
-      - name: Cache entire extractor
-        id: cache-extractor
-        uses: actions/cache@v2
-        with:
-          path: |
-            ql/target/release/ql-autobuilder
-            ql/target/release/ql-autobuilder.exe
-            ql/target/release/ql-extractor
-            ql/target/release/ql-extractor.exe
-          key: ${{ runner.os }}-extractor-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('ql/**/*.rs') }}
-      - name: Cache cargo
-        if: steps.cache-extractor.outputs.cache-hit != 'true'
-        uses: actions/cache@v2
-        with:
-          path: |
-            ~/.cargo/registry
-            ~/.cargo/git
-            ql/target
-          key: ${{ runner.os }}-rust-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
-      - name: Check formatting
-        if: steps.cache-extractor.outputs.cache-hit != 'true'
-        run: cd ql; cargo fmt --all -- --check
-      - name: Build
-        if: steps.cache-extractor.outputs.cache-hit != 'true'
-        run: cd ql; cargo build --verbose
-      - name: Run tests
-        if: steps.cache-extractor.outputs.cache-hit != 'true'
-        run: cd ql; cargo test --verbose
-      - name: Release build
-        if: steps.cache-extractor.outputs.cache-hit != 'true'
-        run: cd ql; cargo build --release
-      - name: Generate dbscheme
-        if: steps.cache-extractor.outputs.cache-hit != 'true'
-        run: ql/target/release/ql-generator --dbscheme ql/ql/src/ql.dbscheme --library ql/ql/src/codeql_ql/ast/internal/TreeSitter.qll
-      - uses: actions/upload-artifact@v2
-        with:
-          name: extractor-ubuntu-latest
-          path: |
-            ql/target/release/ql-autobuilder
-            ql/target/release/ql-autobuilder.exe
-            ql/target/release/ql-extractor
-            ql/target/release/ql-extractor.exe
-          retention-days: 1
-  package:
-    runs-on: ubuntu-latest
-
-    needs:
-      - extractors
-      - queries
-
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/download-artifact@v2
-        with:
-          name: query-pack-zip
-          path: query-pack-zip
-      - uses: actions/download-artifact@v2
-        with:
-          name: extractor-ubuntu-latest
-          path: linux64
-      - run: |
-          unzip query-pack-zip/*.zip -d pack
-          cp -r ql/codeql-extractor.yml ql/tools ql/ql/src/ql.dbscheme.stats pack/
-          mkdir -p pack/tools/linux64
-          if [[ -f linux64/ql-autobuilder ]]; then
-            cp linux64/ql-autobuilder pack/tools/linux64/autobuilder
-            chmod +x pack/tools/linux64/autobuilder
-          fi
-          if [[ -f linux64/ql-extractor ]]; then
-            cp linux64/ql-extractor pack/tools/linux64/extractor
-            chmod +x pack/tools/linux64/extractor
-          fi
-          cd pack
-          zip -rq ../codeql-ql.zip .
-      - uses: actions/upload-artifact@v2
-        with:
-          name: codeql-ql-pack
-          path: codeql-ql.zip
-          retention-days: 1
-  analyze:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        folder: [cpp, csharp, java, javascript, python, ql, ruby]
-
-    needs:
-      - package
-
-    steps:
-      - name: Download pack
-        uses: actions/download-artifact@v2
-        with:
-          name: codeql-ql-pack
-          path: ${{ runner.temp }}/codeql-ql-pack-artifact
-
-      - name: Prepare pack
-        run: |
-          unzip "${PACK_ARTIFACT}/*.zip" -d "${PACK}"
-        env:
-          PACK_ARTIFACT: ${{ runner.temp }}/codeql-ql-pack-artifact
-          PACK: ${{ runner.temp }}/pack
-      - name: Hack codeql-action options
-        run: |
-          JSON=$(jq -nc --arg pack "${PACK}" '.resolve.queries=["--search-path", $pack] | .resolve.extractor=["--search-path", $pack] | .database.init=["--search-path", $pack]')
-          echo "CODEQL_ACTION_EXTRA_OPTIONS=${JSON}" >> ${GITHUB_ENV}
-        env:
-          PACK: ${{ runner.temp }}/pack
-
-      - name: Checkout repository
-        uses: actions/checkout@v2
-      - name: Create CodeQL config file
-        run: |
-          echo "paths:" > ${CONF}
-          echo "  - ${FOLDER}" >> ${CONF}
-          echo "paths-ignore:" >> ${CONF}
-          echo "  - ql/ql/test" >> ${CONF}
-          echo "Config file: "
-          cat ${CONF}
-        env: 
-          CONF: ./ql-for-ql-config.yml
-          FOLDER: ${{ matrix.folder }}
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@erik-krogh/ql
-        with:
-          languages: ql
-          db-location: ${{ runner.temp }}/db
-          config-file: ./ql-for-ql-config.yml
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@erik-krogh/ql
-        with: 
-          category: "ql-for-ql-${{ matrix.folder }}"
-
--- a/.github/workflows/ql-for-ql-dataset_measure.yml
+++ b/.github/workflows/ql-for-ql-dataset_measure.yml
@@ -1,84 +0,0 @@
-name: Collect database stats for QL for QL
-
-on:
-  push:
-    branches: [main]
-    paths:
-      - ql/ql/src/ql.dbscheme
-  pull_request:
-    branches: [main]
-    paths:
-      - ql/ql/src/ql.dbscheme
-  workflow_dispatch:
-
-jobs:
-  measure:
-    env:
-      CODEQL_THREADS: 4 # TODO: remove this once it's set by the CLI
-    strategy:
-      matrix:
-        repo: 
-          - github/codeql
-          - github/codeql-go
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: Find codeql
-        id: find-codeql
-        uses: github/codeql-action/init@erik-krogh/ql
-        with:
-          languages: javascript # does not matter
-      - uses: actions/cache@v2
-        with:
-          path: |
-            ~/.cargo/registry
-            ~/.cargo/git
-            ql/target
-          key: ${{ runner.os }}-qltest-cargo-${{ hashFiles('**/Cargo.lock') }}
-      - name: Build Extractor
-        run: cd ql; env "PATH=$PATH:`dirname ${CODEQL}`" ./create-extractor-pack.sh
-        env:
-          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
-      - name: Checkout ${{ matrix.repo }}
-        uses: actions/checkout@v2
-        with:
-          repository: ${{ matrix.repo }}
-          path: ${{ github.workspace }}/repo
-      - name: Create database
-        run: |
-          "${CODEQL}" database create \
-            --search-path "ql/extractor-pack" \
-            --threads 4 \
-            --language ql --source-root "${{ github.workspace }}/repo" \
-            "${{ runner.temp }}/database"
-        env:
-          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
-      - name: Measure database
-        run: |
-          mkdir -p "stats/${{ matrix.repo }}"
-          "${CODEQL}" dataset measure --threads 4 --output "stats/${{ matrix.repo }}/stats.xml" "${{ runner.temp }}/database/db-ql"
-        env:
-          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
-      - uses: actions/upload-artifact@v2
-        with:
-          name: measurements
-          path: stats
-          retention-days: 1
-
-  merge:
-    runs-on: ubuntu-latest
-    needs: measure
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/download-artifact@v2
-        with:
-          name: measurements
-          path: stats
-      - run: |
-          python -m pip install --user lxml
-          find stats -name 'stats.xml' -print0 | sort -z | xargs -0 python ql/scripts/merge_stats.py --output ql/ql/src/ql.dbscheme.stats --normalise ql_tokeninfo
-      - uses: actions/upload-artifact@v2
-        with:
-          name: ql.dbscheme.stats
-          path: ql/ql/src/ql.dbscheme.stats
--- a/.github/workflows/ql-for-ql-tests.yml
+++ b/.github/workflows/ql-for-ql-tests.yml
@@ -1,52 +0,0 @@
-name: Run QL for QL Tests
-
-on:
-  push:
-    branches: [main]
-    paths:
-      - "ql/**"
-  pull_request:
-    branches: [main]
-    paths:
-      - "ql/**"
-
-env:
-  CARGO_TERM_COLOR: always
-
-jobs:
-  qltest:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - name: Find codeql
-        id: find-codeql
-        uses: github/codeql-action/init@erik-krogh/ql
-        with:
-          languages: javascript # does not matter
-      - uses: actions/cache@v2
-        with:
-          path: |
-            ~/.cargo/registry
-            ~/.cargo/git
-            ql/target
-          key: ${{ runner.os }}-qltest-cargo-${{ hashFiles('**/Cargo.lock') }}
-      - name: Build extractor
-        run: |
-          cd ql;
-          codeqlpath=$(dirname ${{ steps.find-codeql.outputs.codeql-path }});
-          env "PATH=$PATH:$codeqlpath" ./create-extractor-pack.sh
-      - name: Run QL tests
-        run: | 
-          "${CODEQL}" test run --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --search-path "${{ github.workspace }}/ql/extractor-pack" --consistency-queries ql/ql/consistency-queries ql/ql/test
-        env:
-          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
-      - name: Check QL formatting
-        run: | 
-          find ql/ql "(" -name "*.ql" -or -name "*.qll" ")" -print0 | xargs -0 "${CODEQL}" query format --check-only
-        env:
-          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
-      - name: Check QL compilation
-        run: | 
-          "${CODEQL}" query compile --check-only --threads=4 --warnings=error --search-path "${{ github.workspace }}/ql/extractor-pack" "ql/ql/src" "ql/ql/examples"
-        env:
-          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
--- a/3
+++ b/3
@@ -25,6 +25,3 @@
 /docs/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers
 /docs/ql-language-reference/ @github/codeql-frontend-reviewers
 /docs/query-*-style-guide.md @github/codeql-analysis-reviewers
-
-# QL for QL reviewers
-/ql/ @github/codeql-ql-for-ql-reviewers
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -4,9 +4,6 @@ We welcome contributions to our CodeQL libraries and queries. Got an idea for a

 There is lots of useful documentation to help you write queries, ranging from information about query file structure to tutorials for specific target languages. For more information on the documentation available, see [CodeQL queries](https://help.semmle.com/QL/learn-ql/writing-queries/writing-queries.html) on [help.semmle.com](https://help.semmle.com).

-## Change notes
-
-Any nontrivial user-visible change to a query pack or library pack should have a change note. For details on how to add a change note for your change, see [this guide](docs/change-notes.md).

 ## Submitting a new experimental query

--- a/README.md
+++ b/README.md
@@ -1,11 +1,11 @@
 # CodeQL

-This open source repository contains the standard CodeQL libraries and queries that power [GitHub Advanced Security](https://github.com/features/security/code) and the other application security products that [GitHub](https://github.com/features/security/) makes available to its customers worldwide. For the queries, libraries, and extractor that power Go analysis, visit the [CodeQL for Go repository](https://github.com/github/codeql-go).
+This open source repository contains the standard CodeQL libraries and queries that power [LGTM](https://lgtm.com) and the other CodeQL products that [GitHub](https://github.com) makes available to its customers worldwide. For the queries, libraries, and extractor that power Go analysis, visit the [CodeQL for Go repository](https://github.com/github/codeql-go).

 ## How do I learn CodeQL and run queries?

 There is [extensive documentation](https://codeql.github.com/docs/) on getting started with writing CodeQL.
-You can use the [CodeQL for Visual Studio Code](https://codeql.github.com/docs/codeql-for-visual-studio-code/) extension or the [interactive query console](https://lgtm.com/help/lgtm/using-query-console) on LGTM.com (Semmle Legacy product) to try out your queries on any open source project that's currently being analyzed.
+You can use the [interactive query console](https://lgtm.com/help/lgtm/using-query-console) on LGTM.com or the [CodeQL for Visual Studio Code](https://codeql.github.com/docs/codeql-for-visual-studio-code/) extension to try out your queries on any open source project that's currently being analyzed.

 ## Contributing

@@ -13,7 +13,7 @@ We welcome contributions to our standard library and standard checks. Do you hav

 ## License

-The code in this repository is licensed under the [MIT License](LICENSE) by [GitHub](https://github.com). The use of CodeQL on open source code is licensed under specific [Terms & Conditions](https://securitylab.github.com/tools/codeql/license/) UNLESS you have a commercial license in place. If you'd like to use CodeQL with a commercial codebase, please [contact us](https://github.com/enterprise/contact) for further help.
+The code in this repository is licensed under the [MIT License](LICENSE) by [GitHub](https://github.com).

 ## Visual Studio Code integration

--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -7,7 +7,6 @@
    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll",
    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll",
    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll",
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForOnActivityResult.qll",
    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll",
    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll",
    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll",
@@ -453,15 +452,9 @@
    "ruby/ql/lib/codeql/ruby/dataflow/internal/SsaImplCommon.qll",
    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll"
  ],
-  "CryptoAlgorithms Python/JS/Ruby": [
+  "CryptoAlgorithms Python/JS": [
    "javascript/ql/lib/semmle/javascript/security/CryptoAlgorithms.qll",
-    "python/ql/lib/semmle/python/concepts/CryptoAlgorithms.qll",
-    "ruby/ql/lib/codeql/ruby/security/CryptoAlgorithms.qll"
-  ],
-  "CryptoAlgorithmNames Python/JS/Ruby": [
-    "javascript/ql/lib/semmle/javascript/security/internal/CryptoAlgorithmNames.qll",
-    "python/ql/lib/semmle/python/concepts/internal/CryptoAlgorithmNames.qll",
-    "ruby/ql/lib/codeql/ruby/security/internal/CryptoAlgorithmNames.qll"
+    "python/ql/lib/semmle/python/concepts/CryptoAlgorithms.qll"
  ],
  "SensitiveDataHeuristics Python/JS": [
    "javascript/ql/lib/semmle/javascript/security/internal/SensitiveDataHeuristics.qll",
--- a/cpp/autobuilder/Semmle.Autobuild.Cpp/Semmle.Autobuild.Cpp.csproj
+++ b/cpp/autobuilder/Semmle.Autobuild.Cpp/Semmle.Autobuild.Cpp.csproj
@@ -17,7 +17,7 @@
  </ItemGroup>

  <ItemGroup>
-    <PackageReference Include="Microsoft.Build" Version="16.11.0" />
+    <PackageReference Include="Microsoft.Build" Version="16.9.0" />
  </ItemGroup>

  <ItemGroup>
--- a/cpp/config/suites/security/cwe-120
+++ b/cpp/config/suites/security/cwe-120
@@ -5,11 +5,9 @@
  @name Badly bounded write (CWE-120)
 + semmlecode-cpp-queries/Security/CWE/CWE-120/OverrunWrite.ql: /CWE/CWE-120
  @name Potentially overrunning write (CWE-120)
-+ semmlecode-cpp-queries/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql: /CWE/CWE-120
-  @name Likely overrunning write
 + semmlecode-cpp-queries/Security/CWE/CWE-120/OverrunWriteFloat.ql: /CWE/CWE-120
  @name Potentially overrunning write with float to string conversion (CWE-120)
 + semmlecode-cpp-queries/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql: /CWE/CWE-120
  @name Array offset used before range check (CWE-120)
 + semmlecode-cpp-queries/Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql: /CWE/CWE-120
-  @name Potentially unsafe use of strcat (CWE-120)
+    @name Potentially unsafe use of strcat (CWE-120)
--- a/cpp/old-change-notes/2021-10-07-cleartext-transmission.md
+++ b/cpp/old-change-notes/2021-10-07-cleartext-transmission.md
@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The "Cleartext transmission of sensitive information" (`cpp/cleartext-transmission`) query has been improved, reducing the number of false positive results when encryption is present.
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 0.0.7
-
-## 0.0.6
-
 ## 0.0.5

 ## 0.0.4
--- a/cpp/ql/lib/DefaultOptions.qll
+++ b/cpp/ql/lib/DefaultOptions.qll
@@ -73,7 +73,7 @@ class Options extends string {
   *   __assume(0);
   * ```
   * (note that in this case if the hint is wrong and the expression is reached at
-   * runtime, the program's behavior is undefined)
+   * runtime, the program's behaviour is undefined)
   */
  predicate exprExits(Expr e) {
    e.(AssumeExpr).getChild(0).(CompileTimeConstantInt).getIntValue() = 0 or
--- a/cpp/ql/lib/Options.qll
+++ b/cpp/ql/lib/Options.qll
@@ -50,7 +50,7 @@ class CustomOptions extends Options {
   *   __assume(0);
   * ```
   * (note that in this case if the hint is wrong and the expression is reached at
-   * runtime, the program's behavior is undefined)
+   * runtime, the program's behaviour is undefined)
   */
  override predicate exprExits(Expr e) { Options.super.exprExits(e) }

--- a/cpp/ql/lib/change-notes/2022-01-11-remove-upgrades-packs.md
+++ b/cpp/ql/lib/change-notes/2022-01-11-remove-upgrades-packs.md
@@ -1,4 +0,0 @@
---
-category: deprecated
---
-* The `codeql/cpp-upgrades` CodeQL pack has been removed. All upgrades scripts have been merged into the `codeql/cpp-all` CodeQL pack.
--- a/cpp/ql/lib/change-notes/2022-01-14-hex-format-range-analysis.md
+++ b/cpp/ql/lib/change-notes/2022-01-14-hex-format-range-analysis.md
@@ -1,5 +0,0 @@
---
-category: minorAnalysis
---
-* `FormatLiteral::getMaxConvertedLength` now uses range analysis to provide a
-  more accurate length for integers formatted with `%x`
--- a/cpp/ql/lib/change-notes/released/0.0.7.md
+++ b/cpp/ql/lib/change-notes/released/0.0.7.md
@@ -1 +0,0 @@
-## 0.0.7
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.7
+lastReleaseVersion: 0.0.5
--- a/cpp/ql/lib/experimental/semmle/code/cpp/models/interfaces/SimpleRangeAnalysisDefinition.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/models/interfaces/SimpleRangeAnalysisDefinition.qll
@@ -37,7 +37,7 @@ abstract class SimpleRangeAnalysisDefinition extends RangeSsaDefinition {
   * dependencies. Without this information, range analysis might work for
   * simple cases but will go into infinite loops on complex code.
   *
-   * For example, when modeling the definition by reference in a call to an
+   * For example, when modelling the definition by reference in a call to an
   * overloaded `operator=`, written as `v = e`, the definition of `(this, v)`
   * depends on `e`.
   */
--- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/InBoundsPointerDeref.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/InBoundsPointerDeref.qll
@@ -5,7 +5,7 @@
 * `Instruction` level), and then using the array length analysis and the range
 * analysis together to prove that some of these pointer dereferences are safe.
 *
- * The analysis is soundy, i.e. it is sound if no undefined behavior is present
+ * The analysis is soundy, i.e. it is sound if no undefined behaviour is present
 * in the program.
 * Furthermore, it crucially depends on the soundiness of the range analysis and
 * the array length analysis.
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,7 +1,8 @@
 name: codeql/cpp-all
-version: 0.0.8-dev
+version: 0.0.6-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
 library: true
-upgrades: upgrades
+dependencies:
+  codeql/cpp-upgrades: ^0.0.3
--- a/cpp/ql/lib/semmle/code/cpp/Class.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Class.qll
@@ -206,7 +206,9 @@ class Class extends UserType {
   * it is callable by a particular caller. For C++11, there's also a question
   * of whether to include members that are defaulted or deleted.
   */
-  deprecated predicate hasCopyConstructor() { this.getAMemberFunction() instanceof CopyConstructor }
+  deprecated predicate hasCopyConstructor() {
+    exists(CopyConstructor cc | cc = this.getAMemberFunction())
+  }

  /**
   * Holds if this class has a copy assignment operator that is either
@@ -222,7 +224,7 @@ class Class extends UserType {
   * or deleted.
   */
  deprecated predicate hasCopyAssignmentOperator() {
-    this.getAMemberFunction() instanceof CopyAssignmentOperator
+    exists(CopyAssignmentOperator coa | coa = this.getAMemberFunction())
  }

  /**
@@ -885,7 +887,7 @@ class NestedClass extends Class {
 * pure virtual function.
 */
 class AbstractClass extends Class {
-  AbstractClass() { this.getAMemberFunction() instanceof PureVirtualFunction }
+  AbstractClass() { exists(PureVirtualFunction f | this.getAMemberFunction() = f) }

  override string getAPrimaryQlClass() { result = "AbstractClass" }
 }
--- a/cpp/ql/lib/semmle/code/cpp/Specifier.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Specifier.qll
@@ -286,13 +286,13 @@ class AttributeArgument extends Element, @attribute_arg {
  override Location getLocation() { attribute_args(underlyingElement(this), _, _, _, result) }

  override string toString() {
-    if underlyingElement(this) instanceof @attribute_arg_empty
+    if exists(@attribute_arg_empty self | self = underlyingElement(this))
    then result = "empty argument"
    else
      exists(string prefix, string tail |
        (if exists(this.getName()) then prefix = this.getName() + "=" else prefix = "") and
        (
-          if underlyingElement(this) instanceof @attribute_arg_type
+          if exists(@attribute_arg_type self | self = underlyingElement(this))
          then tail = this.getValueType().getName()
          else tail = this.getValueText()
        ) and
--- a/cpp/ql/lib/semmle/code/cpp/XML.qll
+++ b/cpp/ql/lib/semmle/code/cpp/XML.qll
@@ -233,7 +233,7 @@ class XMLElement extends @xmlelement, XMLParent, XMLLocatable {
  XMLAttribute getAttribute(string name) { result.getElement() = this and result.getName() = name }

  /** Holds if this XML element has an attribute with the specified `name`. */
-  predicate hasAttribute(string name) { exists(this.getAttribute(name)) }
+  predicate hasAttribute(string name) { exists(XMLAttribute a | a = this.getAttribute(name)) }

  /** Gets the value of the attribute with the specified `name`, if any. */
  string getAttributeValue(string name) { result = this.getAttribute(name).getValue() }
--- a/cpp/ql/lib/semmle/code/cpp/commons/NullTermination.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/NullTermination.qll
@@ -101,21 +101,6 @@ predicate functionArgumentMustBeNullTerminated(Function f, int i) {
  f instanceof StrcatFunction and i = 0
 }

-/**
- * Holds if `arg` is a string format argument to a formatting function call
- * `ffc`.
- */
-predicate formatArgumentMustBeNullTerminated(FormattingFunctionCall ffc, Expr arg) {
-  // String argument to a formatting function (such as `printf`)
-  exists(int n, FormatLiteral fl |
-    ffc.getConversionArgument(n) = arg and
-    fl = ffc.getFormat() and
-    fl.getConversionType(n) instanceof PointerType and // `%s`, `%ws` etc
-    not fl.getConversionType(n) instanceof VoidPointerType and // exclude: `%p`
-    not fl.hasPrecision(n) // exclude: `%.*s`
-  )
-}
-
 /**
 * Holds if `va` is a variable access where the contents must be null terminated.
 */
@@ -128,7 +113,13 @@ predicate variableMustBeNullTerminated(VariableAccess va) {
    )
    or
    // String argument to a formatting function (such as `printf`)
-    formatArgumentMustBeNullTerminated(fc, va)
+    exists(int n, FormatLiteral fl |
+      fc.(FormattingFunctionCall).getConversionArgument(n) = va and
+      fl = fc.(FormattingFunctionCall).getFormat() and
+      fl.getConversionType(n) instanceof PointerType and // `%s`, `%ws` etc
+      not fl.getConversionType(n) instanceof VoidPointerType and // exclude: `%p`
+      not fl.hasPrecision(n) // exclude: `%.*s`
+    )
    or
    // Call to a wrapper function that requires null termination
    // (not itself adding a null terminator)
--- a/cpp/ql/lib/semmle/code/cpp/commons/Printf.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Printf.qll
@@ -9,106 +9,6 @@ import semmle.code.cpp.models.interfaces.FormattingFunction
 private import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 private import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils

-private newtype TBufferWriteEstimationReason =
-  TUnspecifiedEstimateReason() or
-  TTypeBoundsAnalysis() or
-  TWidenedValueFlowAnalysis() or
-  TValueFlowAnalysis()
-
-private predicate gradeToReason(int grade, TBufferWriteEstimationReason reason) {
-  // when combining reasons, lower grade takes precedence
-  grade = 0 and reason = TUnspecifiedEstimateReason()
-  or
-  grade = 1 and reason = TTypeBoundsAnalysis()
-  or
-  grade = 2 and reason = TWidenedValueFlowAnalysis()
-  or
-  grade = 3 and reason = TValueFlowAnalysis()
-}
-
-/**
- * A reason for a specific buffer write size estimate.
- */
-abstract class BufferWriteEstimationReason extends TBufferWriteEstimationReason {
-  /**
-   * Returns the name of the concrete class.
-   */
-  abstract string toString();
-
-  /**
-   * Returns a human readable representation of this reason.
-   */
-  abstract string getDescription();
-
-  /**
-   * Combine estimate reasons. Used to give a reason for the size of a format string
-   * conversion given reasons coming from its individual specifiers.
-   */
-  BufferWriteEstimationReason combineWith(BufferWriteEstimationReason other) {
-    exists(int grade, int otherGrade |
-      gradeToReason(grade, this) and gradeToReason(otherGrade, other)
-    |
-      if otherGrade < grade then result = other else result = this
-    )
-  }
-}
-
-/**
- * No particular reason given. This is currently used for backward compatibility so that
- * classes derived from BufferWrite and overriding `getMaxData/0` still work with the
- * queries as intended.
- */
-class UnspecifiedEstimateReason extends BufferWriteEstimationReason, TUnspecifiedEstimateReason {
-  override string toString() { result = "UnspecifiedEstimateReason" }
-
-  override string getDescription() { result = "no reason specified" }
-}
-
-/**
- * The estimation comes from rough bounds just based on the type (e.g.
- * `0 <= x < 2^32` for an unsigned 32 bit integer).
- */
-class TypeBoundsAnalysis extends BufferWriteEstimationReason, TTypeBoundsAnalysis {
-  override string toString() { result = "TypeBoundsAnalysis" }
-
-  override string getDescription() { result = "based on type bounds" }
-}
-
-/**
- * The estimation comes from non trivial bounds found via actual flow analysis,
- * but a widening aproximation might have been used for variables in loops.
- * For example
- * ```
- * for (int i = 0; i < 10; ++i) {
- *    int j = i + i;
- *    //...  <- estimation done here based on j
- * }
- * ```
- */
-class WidenedValueFlowAnalysis extends BufferWriteEstimationReason, TWidenedValueFlowAnalysis {
-  override string toString() { result = "WidenedValueFlowAnalysis" }
-
-  override string getDescription() {
-    result = "based on flow analysis of value bounds with a widening approximation"
-  }
-}
-
-/**
- * The estimation comes from non trivial bounds found via actual flow analysis.
- * For example
- * ```
- * unsigned u = x;
- * if (u < 1000) {
- *    //...  <- estimation done here based on u
- * }
- * ```
- */
-class ValueFlowAnalysis extends BufferWriteEstimationReason, TValueFlowAnalysis {
-  override string toString() { result = "ValueFlowAnalysis" }
-
-  override string getDescription() { result = "based on flow analysis of value bounds" }
-}
-
 class PrintfFormatAttribute extends FormatAttribute {
  PrintfFormatAttribute() { this.getArchetype() = ["printf", "__printf__"] }
 }
@@ -382,38 +282,6 @@ private int lengthInBase10(float f) {
  result = f.log10().floor() + 1
 }

-pragma[nomagic]
-private predicate isPointerTypeWithBase(Type base, PointerType pt) { base = pt.getBaseType() }
-
-bindingset[expr]
-private BufferWriteEstimationReason getEstimationReasonForIntegralExpression(Expr expr) {
-  // we consider the range analysis non trivial if it
-  // * constrained non-trivially both sides of a signed value, or
-  // * constrained non-trivially the positive side of an unsigned value
-  // expr should already be given as getFullyConverted
-  if
-    upperBound(expr) < exprMaxVal(expr) and
-    (exprMinVal(expr) >= 0 or lowerBound(expr) > exprMinVal(expr))
-  then
-    // next we check whether the estimate may have been widened
-    if upperBoundMayBeWidened(expr)
-    then result = TWidenedValueFlowAnalysis()
-    else result = TValueFlowAnalysis()
-  else result = TTypeBoundsAnalysis()
-}
-
-/**
- * Gets the number of hex digits required to represent the integer represented by `f`.
- *
- * `f` is assumed to be nonnegative.
- */
-bindingset[f]
-private int lengthInBase16(float f) {
-  f = 0 and result = 1
-  or
-  result = (f.log2() / 4.0).floor() + 1
-}
-
 /**
 * A class to represent format strings that occur as arguments to invocations of formatting functions.
 */
@@ -965,19 +833,19 @@ class FormatLiteral extends Literal {
      (
        conv = ["s", "S"] and
        len = "h" and
-        isPointerTypeWithBase(any(PlainCharType plainCharType), result)
+        result.(PointerType).getBaseType() instanceof PlainCharType
        or
        conv = ["s", "S"] and
        len = ["l", "w"] and
-        isPointerTypeWithBase(this.getWideCharType(), result)
+        result.(PointerType).getBaseType() = this.getWideCharType()
        or
        conv = "s" and
        (len != "l" and len != "w" and len != "h") and
-        isPointerTypeWithBase(this.getDefaultCharType(), result)
+        result.(PointerType).getBaseType() = this.getDefaultCharType()
        or
        conv = "S" and
        (len != "l" and len != "w" and len != "h") and
-        isPointerTypeWithBase(this.getNonDefaultCharType(), result)
+        result.(PointerType).getBaseType() = this.getNonDefaultCharType()
      )
    )
  }
@@ -1122,14 +990,7 @@ class FormatLiteral extends Literal {
   * conversion specifier of this format string; has no result if this cannot
   * be determined.
   */
-  int getMaxConvertedLength(int n) { result = max(this.getMaxConvertedLength(n, _)) }
-
-  /**
-   * Gets the maximum length of the string that can be produced by the nth
-   * conversion specifier of this format string, specifying the estimation reason;
-   * has no result if this cannot be determined.
-   */
-  int getMaxConvertedLength(int n, BufferWriteEstimationReason reason) {
+  int getMaxConvertedLength(int n) {
    exists(int len |
      (
        (
@@ -1141,12 +1002,10 @@ class FormatLiteral extends Literal {
      ) and
      (
        this.getConversionChar(n) = "%" and
-        len = 1 and
-        reason = TValueFlowAnalysis()
+        len = 1
        or
        this.getConversionChar(n).toLowerCase() = "c" and
-        len = 1 and
-        reason = TValueFlowAnalysis() // e.g. 'a'
+        len = 1 // e.g. 'a'
        or
        this.getConversionChar(n).toLowerCase() = "f" and
        exists(int dot, int afterdot |
@@ -1160,8 +1019,7 @@ class FormatLiteral extends Literal {
            afterdot = 6
          ) and
          len = 1 + 309 + dot + afterdot
-        ) and
-        reason = TTypeBoundsAnalysis() // e.g. -1e308="-100000"...
+        ) // e.g. -1e308="-100000"...
        or
        this.getConversionChar(n).toLowerCase() = "e" and
        exists(int dot, int afterdot |
@@ -1175,8 +1033,7 @@ class FormatLiteral extends Literal {
            afterdot = 6
          ) and
          len = 1 + 1 + dot + afterdot + 1 + 1 + 3
-        ) and
-        reason = TTypeBoundsAnalysis() // -1e308="-1.000000e+308"
+        ) // -1e308="-1.000000e+308"
        or
        this.getConversionChar(n).toLowerCase() = "g" and
        exists(int dot, int afterdot |
@@ -1199,110 +1056,85 @@ class FormatLiteral extends Literal {
          //       (e.g. 123456, 0.000123456 are just OK)
          //       so case %f can be at most P characters + 4 zeroes, sign, dot = P + 6
          len = (afterdot.maximum(1) + 6).maximum(1 + 1 + dot + afterdot + 1 + 1 + 3)
-        ) and
-        reason = TTypeBoundsAnalysis() // (e.g. "-1.59203e-319")
+        ) // (e.g. "-1.59203e-319")
        or
        this.getConversionChar(n).toLowerCase() = ["d", "i"] and
        // e.g. -2^31 = "-2147483648"
-        exists(float typeBasedBound, float valueBasedBound |
-          // The first case handles length sub-specifiers
-          // Subtract one in the exponent because one bit is for the sign.
-          // Add 1 to account for the possible sign in the output.
-          typeBasedBound =
-            1 + lengthInBase10(2.pow(this.getIntegralDisplayType(n).getSize() * 8 - 1)) and
-          // The second case uses range analysis to deduce a length that's shorter than the length
-          // of the number -2^31.
-          exists(Expr arg, float lower, float upper |
-            arg = this.getUse().getConversionArgument(n) and
-            lower = lowerBound(arg.getFullyConverted()) and
-            upper = upperBound(arg.getFullyConverted())
-          |
-            valueBasedBound =
-              max(int cand |
-                // Include the sign bit in the length if it can be negative
-                (
-                  if lower < 0
-                  then cand = 1 + lengthInBase10(lower.abs())
-                  else cand = lengthInBase10(lower)
+        len =
+          min(float cand |
+            // The first case handles length sub-specifiers
+            // Subtract one in the exponent because one bit is for the sign.
+            // Add 1 to account for the possible sign in the output.
+            cand = 1 + lengthInBase10(2.pow(this.getIntegralDisplayType(n).getSize() * 8 - 1))
+            or
+            // The second case uses range analysis to deduce a length that's shorter than the length
+            // of the number -2^31.
+            exists(Expr arg, float lower, float upper |
+              arg = this.getUse().getConversionArgument(n) and
+              lower = lowerBound(arg.getFullyConverted()) and
+              upper = upperBound(arg.getFullyConverted())
+            |
+              cand =
+                max(int cand0 |
+                  // Include the sign bit in the length if it can be negative
+                  (
+                    if lower < 0
+                    then cand0 = 1 + lengthInBase10(lower.abs())
+                    else cand0 = lengthInBase10(lower)
+                  )
+                  or
+                  (
+                    if upper < 0
+                    then cand0 = 1 + lengthInBase10(upper.abs())
+                    else cand0 = lengthInBase10(upper)
+                  )
                )
-                or
-                (
-                  if upper < 0
-                  then cand = 1 + lengthInBase10(upper.abs())
-                  else cand = lengthInBase10(upper)
-                )
-              ) and
-            // we don't want to call this on `arg.getFullyConverted()` as we want
-            // to detect non-trivial range analysis without taking into account up-casting
-            reason = getEstimationReasonForIntegralExpression(arg)
-          ) and
-          len = valueBasedBound.minimum(typeBasedBound)
-        )
+            )
+          )
        or
        this.getConversionChar(n).toLowerCase() = "u" and
        // e.g. 2^32 - 1 = "4294967295"
-        exists(float typeBasedBound, float valueBasedBound |
-          // The first case handles length sub-specifiers
-          typeBasedBound = lengthInBase10(2.pow(this.getIntegralDisplayType(n).getSize() * 8) - 1) and
-          // The second case uses range analysis to deduce a length that's shorter than
-          // the length of the number 2^31 - 1.
-          exists(Expr arg, float lower, float upper |
-            arg = this.getUse().getConversionArgument(n) and
-            lower = lowerBound(arg.getFullyConverted()) and
-            upper = upperBound(arg.getFullyConverted())
-          |
-            valueBasedBound =
-              lengthInBase10(max(float cand |
+        len =
+          min(float cand |
+            // The first case handles length sub-specifiers
+            cand = 2.pow(this.getIntegralDisplayType(n).getSize() * 8)
+            or
+            // The second case uses range analysis to deduce a length that's shorter than
+            // the length of the number 2^31 - 1.
+            exists(Expr arg, float lower |
+              arg = this.getUse().getConversionArgument(n) and
+              lower = lowerBound(arg.getFullyConverted())
+            |
+              cand =
+                max(float cand0 |
                  // If lower can be negative we use `(unsigned)-1` as the candidate value.
                  lower < 0 and
-                  cand = 2.pow(any(IntType t | t.isUnsigned()).getSize() * 8)
+                  cand0 = 2.pow(any(IntType t | t.isUnsigned()).getSize() * 8)
                  or
-                  cand = upper
-                )) and
-            // we don't want to call this on `arg.getFullyConverted()` as we want
-            // to detect non-trivial range analysis without taking into account up-casting
-            reason = getEstimationReasonForIntegralExpression(arg)
-          ) and
-          len = valueBasedBound.minimum(typeBasedBound)
-        )
+                  cand0 = upperBound(arg.getFullyConverted())
+                )
+            )
+          |
+            lengthInBase10(cand)
+          )
        or
        this.getConversionChar(n).toLowerCase() = "x" and
        // e.g. "12345678"
-        exists(int baseLen, int typeBasedBound, int valueBasedBound |
-          typeBasedBound =
-            min(int digits |
-              digits = 2 * this.getIntegralDisplayType(n).getSize()
+        exists(int sizeBytes, int baseLen |
+          sizeBytes =
+            min(int bytes |
+              bytes = this.getIntegralDisplayType(n).getSize()
              or
              exists(IntegralType t |
                t = this.getUse().getConversionArgument(n).getType().getUnderlyingType()
              |
-                t.isUnsigned() and
-                digits = 2 * t.getSize()
+                t.isUnsigned() and bytes = t.getSize()
              )
            ) and
-          exists(Expr arg, float lower, float upper, float typeLower, float typeUpper |
-            arg = this.getUse().getConversionArgument(n) and
-            lower = lowerBound(arg.getFullyConverted()) and
-            upper = upperBound(arg.getFullyConverted()) and
-            typeLower = exprMinVal(arg.getFullyConverted()) and
-            typeUpper = exprMaxVal(arg.getFullyConverted())
-          |
-            valueBasedBound =
-              lengthInBase16(max(float cand |
-                  // If lower can be negative we use `(unsigned)-1` as the candidate value.
-                  lower < 0 and
-                  cand = 2.pow(any(IntType t | t.isUnsigned()).getSize() * 8)
-                  or
-                  cand = upper
-                )) and
-            (
-              if lower > typeLower or upper < typeUpper
-              then reason = TValueFlowAnalysis()
-              else reason = TTypeBoundsAnalysis()
-            )
-          ) and
-          baseLen = valueBasedBound.minimum(typeBasedBound) and
-          if this.hasAlternateFlag(n) then len = 2 + baseLen else len = baseLen // "0x"
+          baseLen = sizeBytes * 2 and
+          (
+            if this.hasAlternateFlag(n) then len = 2 + baseLen else len = baseLen // "0x"
+          )
        )
        or
        this.getConversionChar(n).toLowerCase() = "p" and
@@ -1312,8 +1144,7 @@ class FormatLiteral extends Literal {
          (
            if this.hasAlternateFlag(n) then len = 2 + baseLen else len = baseLen // "0x"
          )
-        ) and
-        reason = TValueFlowAnalysis()
+        )
        or
        this.getConversionChar(n).toLowerCase() = "o" and
        // e.g. 2^32 - 1 = "37777777777"
@@ -1332,16 +1163,14 @@ class FormatLiteral extends Literal {
          (
            if this.hasAlternateFlag(n) then len = 1 + baseLen else len = baseLen // "0"
          )
-        ) and
-        reason = TTypeBoundsAnalysis()
+        )
        or
        this.getConversionChar(n).toLowerCase() = "s" and
        len =
          min(int v |
            v = this.getPrecision(n) or
            v = this.getUse().getFormatArgument(n).(AnalysedString).getMaxLength() - 1 // (don't count null terminator)
-          ) and
-        reason = TValueFlowAnalysis()
+          )
      )
    )
  }
@@ -1353,19 +1182,10 @@ class FormatLiteral extends Literal {
   * determining whether a buffer overflow is caused by long float to string
   * conversions.
   */
-  int getMaxConvertedLengthLimited(int n) { result = max(this.getMaxConvertedLengthLimited(n, _)) }
-
-  /**
-   * Gets the maximum length of the string that can be produced by the nth
-   * conversion specifier of this format string, specifying the reason for the
-   * estimation, except that float to string conversions are assumed to be 8
-   * characters.  This is helpful for determining whether a buffer overflow is
-   * caused by long float to string conversions.
-   */
-  int getMaxConvertedLengthLimited(int n, BufferWriteEstimationReason reason) {
+  int getMaxConvertedLengthLimited(int n) {
    if this.getConversionChar(n).toLowerCase() = "f"
-    then result = this.getMaxConvertedLength(n, reason).minimum(8)
-    else result = this.getMaxConvertedLength(n, reason)
+    then result = this.getMaxConvertedLength(n).minimum(8)
+    else result = this.getMaxConvertedLength(n)
  }

  /**
@@ -1405,35 +1225,29 @@ class FormatLiteral extends Literal {
    )
  }

-  private int getMaxConvertedLengthAfter(int n, BufferWriteEstimationReason reason) {
+  private int getMaxConvertedLengthAfter(int n) {
    if n = this.getNumConvSpec()
-    then result = this.getConstantSuffix().length() + 1 and reason = TValueFlowAnalysis()
+    then result = this.getConstantSuffix().length() + 1
    else
-      exists(BufferWriteEstimationReason headReason, BufferWriteEstimationReason tailReason |
-        result =
-          this.getConstantPart(n).length() + this.getMaxConvertedLength(n, headReason) +
-            this.getMaxConvertedLengthAfter(n + 1, tailReason) and
-        reason = headReason.combineWith(tailReason)
-      )
+      result =
+        this.getConstantPart(n).length() + this.getMaxConvertedLength(n) +
+          this.getMaxConvertedLengthAfter(n + 1)
  }

-  private int getMaxConvertedLengthAfterLimited(int n, BufferWriteEstimationReason reason) {
+  private int getMaxConvertedLengthAfterLimited(int n) {
    if n = this.getNumConvSpec()
-    then result = this.getConstantSuffix().length() + 1 and reason = TValueFlowAnalysis()
+    then result = this.getConstantSuffix().length() + 1
    else
-      exists(BufferWriteEstimationReason headReason, BufferWriteEstimationReason tailReason |
-        result =
-          this.getConstantPart(n).length() + this.getMaxConvertedLengthLimited(n, headReason) +
-            this.getMaxConvertedLengthAfterLimited(n + 1, tailReason) and
-        reason = headReason.combineWith(tailReason)
-      )
+      result =
+        this.getConstantPart(n).length() + this.getMaxConvertedLengthLimited(n) +
+          this.getMaxConvertedLengthAfterLimited(n + 1)
  }

  /**
   * Gets the maximum length of the string that can be produced by this format
   * string.  Has no result if this cannot be determined.
   */
-  int getMaxConvertedLength() { result = this.getMaxConvertedLengthAfter(0, _) }
+  int getMaxConvertedLength() { result = this.getMaxConvertedLengthAfter(0) }

  /**
   * Gets the maximum length of the string that can be produced by this format
@@ -1441,24 +1255,5 @@ class FormatLiteral extends Literal {
   * characters.  This is helpful for determining whether a buffer overflow
   * is caused by long float to string conversions.
   */
-  int getMaxConvertedLengthLimited() { result = this.getMaxConvertedLengthAfterLimited(0, _) }
-
-  /**
-   * Gets the maximum length of the string that can be produced by this format
-   * string, specifying the reason for the estimate. Has no result if no estimate
-   * can be found.
-   */
-  int getMaxConvertedLengthWithReason(BufferWriteEstimationReason reason) {
-    result = this.getMaxConvertedLengthAfter(0, reason)
-  }
-
-  /**
-   * Gets the maximum length of the string that can be produced by this format
-   * string, specifying the reason for the estimate, except that float to string
-   * conversions are assumed to be 8 characters.  This is helpful for determining
-   * whether a buffer overflow is caused by long float to string conversions.
-   */
-  int getMaxConvertedLengthLimitedWithReason(BufferWriteEstimationReason reason) {
-    result = this.getMaxConvertedLengthAfterLimited(0, reason)
-  }
+  int getMaxConvertedLengthLimited() { result = this.getMaxConvertedLengthAfterLimited(0) }
 }
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll
@@ -29,7 +29,7 @@ class GuardCondition extends Expr {
    exists(IRGuardCondition ir | this = ir.getUnconvertedResultExpression())
    or
    // no binary operators in the IR
-    this.(BinaryLogicalOperation).getAnOperand() instanceof GuardCondition
+    exists(GuardCondition gc | this.(BinaryLogicalOperation).getAnOperand() = gc)
    or
    // the IR short-circuits if(!x)
    // don't produce a guard condition for `y = !x` and other non-short-circuited cases
@@ -98,7 +98,7 @@ class GuardCondition extends Expr {
 */
 private class GuardConditionFromBinaryLogicalOperator extends GuardCondition {
  GuardConditionFromBinaryLogicalOperator() {
-    this.(BinaryLogicalOperation).getAnOperand() instanceof GuardCondition
+    exists(GuardCondition gc | this.(BinaryLogicalOperation).getAnOperand() = gc)
  }

  override predicate controls(BasicBlock controlled, boolean testIsTrue) {
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/SSAUtils.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/SSAUtils.qll
@@ -153,11 +153,9 @@ library class SSAHelper extends int {
   * Modern Compiler Implementation by Andrew Appel.
   */
  private predicate frontier_phi_node(StackVariable v, BasicBlock b) {
-    exists(BasicBlock x |
-      dominanceFrontier(x, b) and ssa_defn_rec(pragma[only_bind_into](v), pragma[only_bind_into](x))
-    ) and
+    exists(BasicBlock x | dominanceFrontier(x, b) and ssa_defn_rec(v, x)) and
    /* We can also eliminate those nodes where the variable is not live on any incoming edge */
-    live_at_start_of_bb(pragma[only_bind_into](v), b)
+    live_at_start_of_bb(v, b)
  }

  private predicate ssa_defn_rec(StackVariable v, BasicBlock b) {
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
@@ -3,17 +3,6 @@ private import DataFlowImplSpecific::Public
 import Cached

 module DataFlowImplCommonPublic {
-  /** A state value to track during data flow. */
-  class FlowState = string;
-
-  /**
-   * The default state, which is used when the state is unspecified for a source
-   * or a sink.
-   */
-  class FlowStateEmpty extends FlowState {
-    FlowStateEmpty() { this = "" }
-  }
-
  private newtype TFlowFeature =
    TFeatureHasSourceCallContext() or
    TFeatureHasSinkCallContext() or
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll
@@ -15,23 +15,11 @@ module Consistency {
  class ConsistencyConfiguration extends TConsistencyConfiguration {
    string toString() { none() }

-    /** Holds if `n` should be excluded from the consistency test `uniqueEnclosingCallable`. */
-    predicate uniqueEnclosingCallableExclude(Node n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `uniqueNodeLocation`. */
-    predicate uniqueNodeLocationExclude(Node n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `missingLocation`. */
-    predicate missingLocationExclude(Node n) { none() }
-
    /** Holds if `n` should be excluded from the consistency test `postWithInFlow`. */
    predicate postWithInFlowExclude(Node n) { none() }

    /** Holds if `n` should be excluded from the consistency test `argHasPostUpdate`. */
    predicate argHasPostUpdateExclude(ArgumentNode n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `reverseRead`. */
-    predicate reverseReadExclude(Node n) { none() }
  }

  private class RelevantNode extends Node {
@@ -58,7 +46,6 @@ module Consistency {
      n instanceof RelevantNode and
      c = count(nodeGetEnclosingCallable(n)) and
      c != 1 and
-      not any(ConsistencyConfiguration conf).uniqueEnclosingCallableExclude(n) and
      msg = "Node should have one enclosing callable but has " + c + "."
    )
  }
@@ -79,7 +66,6 @@ module Consistency {
          n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
        ) and
      c != 1 and
-      not any(ConsistencyConfiguration conf).uniqueNodeLocationExclude(n) and
      msg = "Node should have one location but has " + c + "."
    )
  }
@@ -90,8 +76,7 @@ module Consistency {
        strictcount(Node n |
          not exists(string filepath, int startline, int startcolumn, int endline, int endcolumn |
            n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-          ) and
-          not any(ConsistencyConfiguration conf).missingLocationExclude(n)
+          )
        ) and
      msg = "Nodes without location: " + c
    )
@@ -187,7 +172,6 @@ module Consistency {

  query predicate reverseRead(Node n, string msg) {
    exists(Node n2 | readStep(n, _, n2) and hasPost(n2) and not hasPost(n)) and
-    not any(ConsistencyConfiguration conf).reverseReadExclude(n) and
    msg = "Origin of readStep is missing a PostUpdateNode."
  }

--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll
@@ -48,7 +48,7 @@ private class Argument extends Expr {
 */
 class ArgumentNode extends Node {
  ArgumentNode() {
-    this.asExpr() instanceof Argument or
+    exists(Argument arg | this.asExpr() = arg) or
    this = getInstanceArgument(_)
  }

--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowVar.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowVar.qll
@@ -435,7 +435,7 @@ module FlowVar_internal {
      parameterIsNonConstReference(p) and
      p = v and
      // This definition reaches the exit node of the function CFG
-      getAReachedBlockVarSBB(this).getEnd() = p.getFunction()
+      getAReachedBlockVarSBB(this).getANode() = p.getFunction()
    }

    override predicate definedByInitialValue(StackVariable lsv) {
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
@@ -47,12 +47,6 @@ predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::Content c) { n
 */
 predicate defaultTaintSanitizer(DataFlow::Node node) { none() }

-/**
- * Holds if `guard` should be a sanitizer guard in all global taint flow configurations
- * but not in local taint.
- */
-predicate defaultTaintSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
-
 /**
 * Holds if taint can flow in one local step from `nodeFrom` to `nodeTo` excluding
 * local data flow steps. That is, `nodeFrom` and `nodeTo` are likely to represent
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
@@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration {
   * The smaller this predicate is, the faster `hasFlow()` will converge.
   */
  // overridden to provide taint-tracking specific qldoc
-  override predicate isSource(DataFlow::Node source) { none() }
+  abstract override predicate isSource(DataFlow::Node source);

  /**
   * Holds if `sink` is a relevant taint sink.
@@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration {
   * The smaller this predicate is, the faster `hasFlow()` will converge.
   */
  // overridden to provide taint-tracking specific qldoc
-  override predicate isSink(DataFlow::Node sink) { none() }
+  abstract override predicate isSink(DataFlow::Node sink);

  /** Holds if the node `node` is a taint sanitizer. */
  predicate isSanitizer(DataFlow::Node node) { none() }
@@ -93,7 +93,7 @@ abstract class Configuration extends DataFlow::Configuration {
  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }

  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
+    this.isSanitizerGuard(guard)
  }

  /**
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
@@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration {
   * The smaller this predicate is, the faster `hasFlow()` will converge.
   */
  // overridden to provide taint-tracking specific qldoc
-  override predicate isSource(DataFlow::Node source) { none() }
+  abstract override predicate isSource(DataFlow::Node source);

  /**
   * Holds if `sink` is a relevant taint sink.
@@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration {
   * The smaller this predicate is, the faster `hasFlow()` will converge.
   */
  // overridden to provide taint-tracking specific qldoc
-  override predicate isSink(DataFlow::Node sink) { none() }
+  abstract override predicate isSink(DataFlow::Node sink);

  /** Holds if the node `node` is a taint sanitizer. */
  predicate isSanitizer(DataFlow::Node node) { none() }
@@ -93,7 +93,7 @@ abstract class Configuration extends DataFlow::Configuration {
  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }

  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
+    this.isSanitizerGuard(guard)
  }

  /**
--- a/cpp/ql/lib/semmle/code/cpp/exprs/Access.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/Access.qll
@@ -84,8 +84,8 @@ class VariableAccess extends Access, @varaccess {
    exists(Assignment a | a.getLValue() = this) or
    exists(CrementOperation c | c.getOperand() = this) or
    exists(AddressOfExpr addof | addof.getOperand() = this) or
-    this.getConversion() instanceof ReferenceToExpr or
-    this.getConversion() instanceof ArrayToPointerConversion
+    exists(ReferenceToExpr rte | this.getConversion() = rte) or
+    exists(ArrayToPointerConversion atpc | this.getConversion() = atpc)
  }

  /**
@@ -104,8 +104,8 @@ class VariableAccess extends Access, @varaccess {
  predicate isRValue() {
    not exists(AssignExpr ae | ae.getLValue() = this) and
    not exists(AddressOfExpr addof | addof.getOperand() = this) and
-    not this.getConversion() instanceof ReferenceToExpr and
-    not this.getConversion() instanceof ArrayToPointerConversion
+    not exists(ReferenceToExpr rte | this.getConversion() = rte) and
+    not exists(ArrayToPointerConversion atpc | this.getConversion() = atpc)
  }

  /**
@@ -218,7 +218,9 @@ class PointerFieldAccess extends FieldAccess {
 class DotFieldAccess extends FieldAccess {
  override string getAPrimaryQlClass() { result = "DotFieldAccess" }

-  DotFieldAccess() { this.getQualifier().getFullyConverted().getUnspecifiedType() instanceof Class }
+  DotFieldAccess() {
+    exists(Class c | c = this.getQualifier().getFullyConverted().getUnspecifiedType())
+  }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/exprs/Call.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/Call.qll
@@ -35,7 +35,7 @@ class Call extends Expr, NameQualifiableElement, TCall {
   *
   * For example, `ptr->f()` has a qualifier, whereas plain `f()` does not.
   */
-  predicate hasQualifier() { exists(this.getChild(-1)) }
+  predicate hasQualifier() { exists(Expr e | this.getChild(-1) = e) }

  /**
   * Gets the expression to the left of the function name or function pointer variable name.
--- a/cpp/ql/lib/semmle/code/cpp/exprs/Cast.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/Cast.qll
@@ -724,7 +724,7 @@ class SizeofOperator extends Expr, @runtime_sizeof {
 * ```
 */
 class SizeofExprOperator extends SizeofOperator {
-  SizeofExprOperator() { exists(this.getChild(0)) }
+  SizeofExprOperator() { exists(Expr e | this.getChild(0) = e) }

  override string getAPrimaryQlClass() { result = "SizeofExprOperator" }

@@ -787,7 +787,7 @@ class AlignofOperator extends Expr, @runtime_alignof {
 * ```
 */
 class AlignofExprOperator extends AlignofOperator {
-  AlignofExprOperator() { exists(this.getChild(0)) }
+  AlignofExprOperator() { exists(Expr e | this.getChild(0) = e) }

  /**
   * Gets the contained expression.
--- a/cpp/ql/lib/semmle/code/cpp/exprs/Lambda.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/Lambda.qll
@@ -118,7 +118,7 @@ class LambdaCapture extends Locatable, @lambdacapture {
   * An identifier is captured by reference if:
   *   - It is explicitly captured by reference.
   *   - It is implicitly captured, and the lambda's default capture mode is by-reference.
-   *   - The identifier is "this". [Said behavior is dictated by the C++11 standard, but it
+   *   - The identifier is "this". [Said behaviour is dictated by the C++11 standard, but it
   *                                is actually "*this" being captured rather than "this".]
   */
  predicate isCapturedByReference() { lambda_capture(this, _, _, _, true, _, _) }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
@@ -63,7 +63,7 @@ private module VirtualDispatch {
        this.flowsFrom(other, allowOtherFromArg)
      |
        // Call argument
-        exists(DataFlowCall call, Position i |
+        exists(DataFlowCall call, int i |
          other
              .(DataFlow::ParameterNode)
              .isParameterOf(pragma[only_bind_into](call).getStaticCallTarget(), i) and
@@ -268,6 +268,16 @@ Function viableImplInCallContext(CallInstruction call, CallInstruction ctx) {
  )
 }

+/** A parameter position represented by an integer. */
+class ParameterPosition extends int {
+  ParameterPosition() { any(ParameterNode p).isParameterOf(_, this) }
+}
+
+/** An argument position represented by an integer. */
+class ArgumentPosition extends int {
+  ArgumentPosition() { any(ArgumentNode a).argumentOf(_, this) }
+}
+
 /** Holds if arguments at position `apos` match parameters at position `ppos`. */
 pragma[inline]
 predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
@@ -3,17 +3,6 @@ private import DataFlowImplSpecific::Public
 import Cached

 module DataFlowImplCommonPublic {
-  /** A state value to track during data flow. */
-  class FlowState = string;
-
-  /**
-   * The default state, which is used when the state is unspecified for a source
-   * or a sink.
-   */
-  class FlowStateEmpty extends FlowState {
-    FlowStateEmpty() { this = "" }
-  }
-
  private newtype TFlowFeature =
    TFeatureHasSourceCallContext() or
    TFeatureHasSinkCallContext() or
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll
@@ -15,23 +15,11 @@ module Consistency {
  class ConsistencyConfiguration extends TConsistencyConfiguration {
    string toString() { none() }

-    /** Holds if `n` should be excluded from the consistency test `uniqueEnclosingCallable`. */
-    predicate uniqueEnclosingCallableExclude(Node n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `uniqueNodeLocation`. */
-    predicate uniqueNodeLocationExclude(Node n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `missingLocation`. */
-    predicate missingLocationExclude(Node n) { none() }
-
    /** Holds if `n` should be excluded from the consistency test `postWithInFlow`. */
    predicate postWithInFlowExclude(Node n) { none() }

    /** Holds if `n` should be excluded from the consistency test `argHasPostUpdate`. */
    predicate argHasPostUpdateExclude(ArgumentNode n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `reverseRead`. */
-    predicate reverseReadExclude(Node n) { none() }
  }

  private class RelevantNode extends Node {
@@ -58,7 +46,6 @@ module Consistency {
      n instanceof RelevantNode and
      c = count(nodeGetEnclosingCallable(n)) and
      c != 1 and
-      not any(ConsistencyConfiguration conf).uniqueEnclosingCallableExclude(n) and
      msg = "Node should have one enclosing callable but has " + c + "."
    )
  }
@@ -79,7 +66,6 @@ module Consistency {
          n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
        ) and
      c != 1 and
-      not any(ConsistencyConfiguration conf).uniqueNodeLocationExclude(n) and
      msg = "Node should have one location but has " + c + "."
    )
  }
@@ -90,8 +76,7 @@ module Consistency {
        strictcount(Node n |
          not exists(string filepath, int startline, int startcolumn, int endline, int endcolumn |
            n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-          ) and
-          not any(ConsistencyConfiguration conf).missingLocationExclude(n)
+          )
        ) and
      msg = "Nodes without location: " + c
    )
@@ -187,7 +172,6 @@ module Consistency {

  query predicate reverseRead(Node n, string msg) {
    exists(Node n2 | readStep(n, _, n2) and hasPost(n2) and not hasPost(n)) and
-    not any(ConsistencyConfiguration conf).reverseReadExclude(n) and
    msg = "Origin of readStep is missing a PostUpdateNode."
  }

--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -27,7 +27,7 @@ abstract class ArgumentNode extends OperandNode {
   * Holds if this argument occurs at the given position in the given call.
   * The instance argument is considered to have index `-1`.
   */
-  abstract predicate argumentOf(DataFlowCall call, ArgumentPosition pos);
+  abstract predicate argumentOf(DataFlowCall call, int pos);

  /** Gets the call in which this node is an argument. */
  DataFlowCall getCall() { this.argumentOf(result, _) }
@@ -42,9 +42,7 @@ private class PrimaryArgumentNode extends ArgumentNode {

  PrimaryArgumentNode() { exists(CallInstruction call | op = call.getAnArgumentOperand()) }

-  override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
-    op = call.getArgumentOperand(pos.(DirectPosition).getIndex())
-  }
+  override predicate argumentOf(DataFlowCall call, int pos) { op = call.getArgumentOperand(pos) }

  override string toString() {
    exists(Expr unconverted |
@@ -73,9 +71,9 @@ private class SideEffectArgumentNode extends ArgumentNode {

  SideEffectArgumentNode() { op = read.getSideEffectOperand() }

-  override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
+  override predicate argumentOf(DataFlowCall call, int pos) {
    read.getPrimaryInstruction() = call and
-    pos.(IndirectionPosition).getIndex() = read.getIndex()
+    pos = getArgumentPosOfSideEffect(read.getIndex())
  }

  override string toString() {
@@ -92,54 +90,6 @@ private class SideEffectArgumentNode extends ArgumentNode {
  }
 }

-/** A parameter position represented by an integer. */
-class ParameterPosition = Position;
-
-/** An argument position represented by an integer. */
-class ArgumentPosition = Position;
-
-class Position extends TPosition {
-  abstract string toString();
-}
-
-class DirectPosition extends TDirectPosition {
-  int index;
-
-  DirectPosition() { this = TDirectPosition(index) }
-
-  string toString() {
-    index = -1 and
-    result = "this"
-    or
-    index != -1 and
-    result = index.toString()
-  }
-
-  int getIndex() { result = index }
-}
-
-class IndirectionPosition extends TIndirectionPosition {
-  int index;
-
-  IndirectionPosition() { this = TIndirectionPosition(index) }
-
-  string toString() {
-    index = -1 and
-    result = "this"
-    or
-    index != -1 and
-    result = index.toString()
-  }
-
-  int getIndex() { result = index }
-}
-
-newtype TPosition =
-  TDirectPosition(int index) { exists(any(CallInstruction c).getArgument(index)) } or
-  TIndirectionPosition(int index) {
-    exists(ReadSideEffectInstruction instr | instr.getIndex() = index)
-  }
-
 private newtype TReturnKind =
  TNormalReturnKind() or
  TIndirectReturnKind(ParameterIndex index)
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -490,6 +490,19 @@ class ExprNode extends InstructionNode {
  override string toString() { result = this.asConvertedExpr().toString() }
 }

+/**
+ * INTERNAL: do not use. Translates a parameter/argument index into a negative
+ * number that denotes the index of its side effect (pointer indirection).
+ */
+bindingset[index]
+int getArgumentPosOfSideEffect(int index) {
+  // -1 -> -2
+  //  0 -> -3
+  //  1 -> -4
+  // ...
+  result = -3 - index
+}
+
 /**
 * The value of a parameter at function entry, viewed as a node in a data
 * flow graph. This includes both explicit parameters such as `x` in `f(x)`
@@ -512,7 +525,7 @@ class ParameterNode extends InstructionNode {
   * implicit `this` parameter is considered to have position `-1`, and
   * pointer-indirection parameters are at further negative positions.
   */
-  predicate isParameterOf(Function f, ParameterPosition pos) { none() } // overridden by subclasses
+  predicate isParameterOf(Function f, int pos) { none() } // overridden by subclasses
 }

 /** An explicit positional parameter, not including `this` or `...`. */
@@ -521,8 +534,8 @@ private class ExplicitParameterNode extends ParameterNode {

  ExplicitParameterNode() { exists(instr.getParameter()) }

-  override predicate isParameterOf(Function f, ParameterPosition pos) {
-    f.getParameter(pos.(DirectPosition).getIndex()) = instr.getParameter()
+  override predicate isParameterOf(Function f, int pos) {
+    f.getParameter(pos) = instr.getParameter()
  }

  /** Gets the `Parameter` associated with this node. */
@@ -537,8 +550,8 @@ class ThisParameterNode extends ParameterNode {

  ThisParameterNode() { instr.getIRVariable() instanceof IRThisVariable }

-  override predicate isParameterOf(Function f, ParameterPosition pos) {
-    pos.(DirectPosition).getIndex() = -1 and instr.getEnclosingFunction() = f
+  override predicate isParameterOf(Function f, int pos) {
+    pos = -1 and instr.getEnclosingFunction() = f
  }

  override string toString() { result = "this" }
@@ -548,12 +561,12 @@ class ThisParameterNode extends ParameterNode {
 class ParameterIndirectionNode extends ParameterNode {
  override InitializeIndirectionInstruction instr;

-  override predicate isParameterOf(Function f, ParameterPosition pos) {
+  override predicate isParameterOf(Function f, int pos) {
    exists(int index |
      instr.getEnclosingFunction() = f and
      instr.hasIndex(index)
    |
-      pos.(IndirectionPosition).getIndex() = index
+      pos = getArgumentPosOfSideEffect(index)
    )
  }

--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll
@@ -659,15 +659,4 @@ module Consistency {
    not phiHasInputFromBlock(_, def, _) and
    not uncertainWriteDefinitionInput(_, def)
  }
-
-  query predicate notDominatedByDef(RelevantDefinition def, SourceVariable v, BasicBlock bb, int i) {
-    exists(BasicBlock bbDef, int iDef | def.definesAt(v, bbDef, iDef) |
-      ssaDefReachesReadWithinBlock(v, def, bb, i) and
-      (bb != bbDef or i < iDef)
-      or
-      ssaDefReachesRead(v, def, bb, i) and
-      not ssaDefReachesReadWithinBlock(v, def, bb, i) and
-      not def.definesAt(v, getImmediateBasicBlockDominator*(bb), _)
-    )
-  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
@@ -51,6 +51,16 @@ private newtype TDefOrUse =
  TExplicitUse(Operand op) { isExplicitUse(op) } or
  TReturnParamIndirection(Operand op) { returnParameterIndirection(op, _) }

+pragma[nomagic]
+private int getRank(DefOrUse defOrUse, IRBlock block) {
+  defOrUse =
+    rank[result](int i, DefOrUse cand |
+      block.getInstruction(i) = toInstruction(cand)
+    |
+      cand order by i
+    )
+}
+
 private class DefOrUse extends TDefOrUse {
  /** Gets the instruction associated with this definition, if any. */
  Instruction asDef() { none() }
@@ -64,10 +74,9 @@ private class DefOrUse extends TDefOrUse {
  /** Gets the block of this definition or use. */
  abstract IRBlock getBlock();

-  /** Holds if this definition or use has index `index` in block `block`. */
-  final predicate hasIndexInBlock(IRBlock block, int index) {
-    block.getInstruction(index) = toInstruction(this)
-  }
+  /** Holds if this definition or use has rank `rank` in block `block`. */
+  cached
+  final predicate hasRankInBlock(IRBlock block, int rnk) { rnk = getRank(this, block) }

  /** Gets the location of this element. */
  abstract Cpp::Location getLocation();
@@ -170,16 +179,10 @@ private class ReturnParameterIndirection extends Use, TReturnParamIndirection {
 }

 private predicate isExplicitUse(Operand op) {
-  exists(VariableAddressInstruction vai | vai = op.getDef() |
-    // Don't include this operand as a use if it only exists to initialize the
-    // indirection of a parameter.
-    not exists(LoadInstruction load |
-      load.getSourceAddressOperand() = op and
-      load.getAUse().getUse() instanceof InitializeIndirectionInstruction
-    ) and
-    // Don't include this operand as a use if the only use of the address is for a write
-    // that definitely overrides a variable.
-    not (explicitWrite(true, _, vai) and exists(unique( | | vai.getAUse())))
+  op.getDef() instanceof VariableAddressInstruction and
+  not exists(LoadInstruction load |
+    load.getSourceAddressOperand() = op and
+    load.getAUse().getUse() instanceof InitializeIndirectionInstruction
  )
 }

@@ -310,8 +313,8 @@ cached
 private module Cached {
  private predicate defUseFlow(Node nodeFrom, Node nodeTo) {
    exists(IRBlock bb1, int i1, IRBlock bb2, int i2, DefOrUse defOrUse, Use use |
-      defOrUse.hasIndexInBlock(bb1, i1) and
-      use.hasIndexInBlock(bb2, i2) and
+      defOrUse.hasRankInBlock(bb1, i1) and
+      use.hasRankInBlock(bb2, i2) and
      adjacentDefRead(_, bb1, i1, bb2, i2) and
      nodeFrom.asInstruction() = toInstruction(defOrUse) and
      flowOutOfAddressStep(use.getOperand(), nodeTo)
@@ -323,9 +326,9 @@ private module Cached {
    exists(IRBlock bb1, int i1, IRBlock bb2, int i2, Def def, Use use |
      nodeFrom.isTerminal() and
      def.getInstruction() = nodeFrom.getStoreInstruction() and
-      def.hasIndexInBlock(bb1, i1) and
+      def.hasRankInBlock(bb1, i1) and
      adjacentDefRead(_, bb1, i1, bb2, i2) and
-      use.hasIndexInBlock(bb2, i2) and
+      use.hasRankInBlock(bb2, i2) and
      flowOutOfAddressStep(use.getOperand(), nodeTo)
    )
    or
@@ -356,8 +359,8 @@ private module Cached {

  private predicate fromReadNode(ReadNode nodeFrom, Node nodeTo) {
    exists(IRBlock bb1, int i1, IRBlock bb2, int i2, Use use1, Use use2 |
-      use1.hasIndexInBlock(bb1, i1) and
-      use2.hasIndexInBlock(bb2, i2) and
+      use1.hasRankInBlock(bb1, i1) and
+      use2.hasRankInBlock(bb2, i2) and
      use1.getOperand().getDef() = nodeFrom.getInstruction() and
      adjacentDefRead(_, bb1, i1, bb2, i2) and
      flowOutOfAddressStep(use2.getOperand(), nodeTo)
@@ -368,7 +371,7 @@ private module Cached {
    exists(PhiNode phi, Use use, IRBlock block, int rnk |
      phi = nodeFrom.getPhiNode() and
      adjacentDefRead(phi, _, _, block, rnk) and
-      use.hasIndexInBlock(block, rnk) and
+      use.hasRankInBlock(block, rnk) and
      flowOutOfAddressStep(use.getOperand(), nodeTo)
    )
  }
@@ -376,7 +379,7 @@ private module Cached {
  private predicate toPhiNode(Node nodeFrom, SsaPhiNode nodeTo) {
    // Flow to phi nodes
    exists(Def def, IRBlock block, int rnk |
-      def.hasIndexInBlock(block, rnk) and
+      def.hasRankInBlock(block, rnk) and
      nodeTo.hasInputAtRankInBlock(block, rnk)
    |
      exists(StoreNodeInstr storeNode |
@@ -509,8 +512,8 @@ private module Cached {
    |
      store = def.getInstruction() and
      store.getSourceValueOperand() = operand and
-      def.hasIndexInBlock(block1, rnk1) and
-      use.hasIndexInBlock(block2, rnk2) and
+      def.hasRankInBlock(block1, rnk1) and
+      use.hasRankInBlock(block2, rnk2) and
      adjacentDefRead(_, block1, rnk1, block2, rnk2)
    |
      // The shared SSA library has determined that `use` is the next use of the operand
@@ -540,12 +543,12 @@ private module Cached {
    not operand = getSourceAddressOperand(_) and
    exists(Use use1, Use use2, IRBlock block1, int rnk1, IRBlock block2, int rnk2 |
      use1.getOperand() = operand and
-      use1.hasIndexInBlock(block1, rnk1) and
+      use1.hasRankInBlock(block1, rnk1) and
      // Don't flow to the next use if this use is part of a store operation that totally
      // overrides a variable.
      not explicitWrite(true, _, use1.getOperand().getDef()) and
      adjacentDefRead(_, block1, rnk1, block2, rnk2) and
-      use2.hasIndexInBlock(block2, rnk2) and
+      use2.hasRankInBlock(block2, rnk2) and
      flowOutOfAddressStep(use2.getOperand(), nodeTo)
    )
    or
@@ -617,7 +620,7 @@ import Cached
 predicate variableWrite(IRBlock bb, int i, SourceVariable v, boolean certain) {
  DataFlowImplCommon::forceCachingInSameStage() and
  exists(Def def |
-    def.hasIndexInBlock(bb, i) and
+    def.hasRankInBlock(bb, i) and
    v = def.getSourceVariable() and
    (if def.isCertain() then certain = true else certain = false)
  )
@@ -629,7 +632,7 @@ predicate variableWrite(IRBlock bb, int i, SourceVariable v, boolean certain) {
 */
 predicate variableRead(IRBlock bb, int i, SourceVariable v, boolean certain) {
  exists(Use use |
-    use.hasIndexInBlock(bb, i) and
+    use.hasRankInBlock(bb, i) and
    v = use.getSourceVariable() and
    certain = true
  )
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
@@ -160,12 +160,6 @@ predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::Content c) { n
 */
 predicate defaultTaintSanitizer(DataFlow::Node node) { none() }

-/**
- * Holds if `guard` should be a sanitizer guard in all global taint flow configurations
- * but not in local taint.
- */
-predicate defaultTaintSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
-
 /**
 * Holds if taint can flow from `instrIn` to `instrOut` through a call to a
 * modeled function.
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
@@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration {
   * The smaller this predicate is, the faster `hasFlow()` will converge.
   */
  // overridden to provide taint-tracking specific qldoc
-  override predicate isSource(DataFlow::Node source) { none() }
+  abstract override predicate isSource(DataFlow::Node source);

  /**
   * Holds if `sink` is a relevant taint sink.
@@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration {
   * The smaller this predicate is, the faster `hasFlow()` will converge.
   */
  // overridden to provide taint-tracking specific qldoc
-  override predicate isSink(DataFlow::Node sink) { none() }
+  abstract override predicate isSink(DataFlow::Node sink);

  /** Holds if the node `node` is a taint sanitizer. */
  predicate isSanitizer(DataFlow::Node node) { none() }
@@ -93,7 +93,7 @@ abstract class Configuration extends DataFlow::Configuration {
  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }

  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
+    this.isSanitizerGuard(guard)
  }

  /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
@@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration {
   * The smaller this predicate is, the faster `hasFlow()` will converge.
   */
  // overridden to provide taint-tracking specific qldoc
-  override predicate isSource(DataFlow::Node source) { none() }
+  abstract override predicate isSource(DataFlow::Node source);

  /**
   * Holds if `sink` is a relevant taint sink.
@@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration {
   * The smaller this predicate is, the faster `hasFlow()` will converge.
   */
  // overridden to provide taint-tracking specific qldoc
-  override predicate isSink(DataFlow::Node sink) { none() }
+  abstract override predicate isSink(DataFlow::Node sink);

  /** Holds if the node `node` is a taint sanitizer. */
  predicate isSanitizer(DataFlow::Node node) { none() }
@@ -93,7 +93,7 @@ abstract class Configuration extends DataFlow::Configuration {
  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }

  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
+    this.isSanitizerGuard(guard)
  }

  /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll
@@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration {
   * The smaller this predicate is, the faster `hasFlow()` will converge.
   */
  // overridden to provide taint-tracking specific qldoc
-  override predicate isSource(DataFlow::Node source) { none() }
+  abstract override predicate isSource(DataFlow::Node source);

  /**
   * Holds if `sink` is a relevant taint sink.
@@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration {
   * The smaller this predicate is, the faster `hasFlow()` will converge.
   */
  // overridden to provide taint-tracking specific qldoc
-  override predicate isSink(DataFlow::Node sink) { none() }
+  abstract override predicate isSink(DataFlow::Node sink);

  /** Holds if the node `node` is a taint sanitizer. */
  predicate isSanitizer(DataFlow::Node node) { none() }
@@ -93,7 +93,7 @@ abstract class Configuration extends DataFlow::Configuration {
  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }

  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
+    this.isSanitizerGuard(guard)
  }

  /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
@@ -266,20 +266,6 @@ private predicate operandReturned(Operand operand, IntValue bitOffset) {
  bitOffset = Ints::unknown()
 }

-pragma[nomagic]
-private predicate initializeParameterInstructionHasVariable(
-  IRVariable var, InitializeParameterInstruction init
-) {
-  init.getIRVariable() = var
-}
-
-private predicate instructionInitializesThisInFunction(
-  Language::Function f, InitializeParameterInstruction init
-) {
-  initializeParameterInstructionHasVariable(any(IRThisVariable var), pragma[only_bind_into](init)) and
-  init.getEnclosingFunction() = f
-}
-
 private predicate isArgumentForParameter(
  CallInstruction ci, Operand operand, InitializeParameterInstruction init
 ) {
@@ -289,7 +275,8 @@ private predicate isArgumentForParameter(
    (
      init.getParameter() = f.getParameter(operand.(PositionalArgumentOperand).getIndex())
      or
-      instructionInitializesThisInFunction(f, init) and
+      init.getIRVariable() instanceof IRThisVariable and
+      unique( | | init.getEnclosingFunction()) = f and
      operand instanceof ThisArgumentOperand
    ) and
    not Language::isFunctionVirtual(f) and
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
@@ -266,20 +266,6 @@ private predicate operandReturned(Operand operand, IntValue bitOffset) {
  bitOffset = Ints::unknown()
 }

-pragma[nomagic]
-private predicate initializeParameterInstructionHasVariable(
-  IRVariable var, InitializeParameterInstruction init
-) {
-  init.getIRVariable() = var
-}
-
-private predicate instructionInitializesThisInFunction(
-  Language::Function f, InitializeParameterInstruction init
-) {
-  initializeParameterInstructionHasVariable(any(IRThisVariable var), pragma[only_bind_into](init)) and
-  init.getEnclosingFunction() = f
-}
-
 private predicate isArgumentForParameter(
  CallInstruction ci, Operand operand, InitializeParameterInstruction init
 ) {
@@ -289,7 +275,8 @@ private predicate isArgumentForParameter(
    (
      init.getParameter() = f.getParameter(operand.(PositionalArgumentOperand).getIndex())
      or
-      instructionInitializesThisInFunction(f, init) and
+      init.getIRVariable() instanceof IRThisVariable and
+      unique( | | init.getEnclosingFunction()) = f and
      operand instanceof ThisArgumentOperand
    ) and
    not Language::isFunctionVirtual(f) and
--- a/cpp/ql/lib/semmle/code/cpp/metrics/MetricClass.qll
+++ b/cpp/ql/lib/semmle/code/cpp/metrics/MetricClass.qll
@@ -308,45 +308,45 @@ class MetricClass extends Class {
  }

  private string getAUsedHalsteadN1Operator() {
-    this.getAnEnclosedExpression() instanceof CommaExpr and result = "comma"
+    exists(CommaExpr e | e = this.getAnEnclosedExpression()) and result = "comma"
    or
-    this.getAnEnclosedExpression() instanceof ReferenceToExpr and result = "refTo"
+    exists(ReferenceToExpr e | e = this.getAnEnclosedExpression()) and result = "refTo"
    or
-    this.getAnEnclosedExpression() instanceof PointerDereferenceExpr and result = "dereference"
+    exists(PointerDereferenceExpr e | e = this.getAnEnclosedExpression()) and result = "dereference"
    or
-    this.getAnEnclosedExpression() instanceof CStyleCast and result = "cCast"
+    exists(CStyleCast e | e = this.getAnEnclosedExpression()) and result = "cCast"
    or
-    this.getAnEnclosedExpression() instanceof StaticCast and result = "staticCast"
+    exists(StaticCast e | e = this.getAnEnclosedExpression()) and result = "staticCast"
    or
-    this.getAnEnclosedExpression() instanceof ConstCast and result = "constCast"
+    exists(ConstCast e | e = this.getAnEnclosedExpression()) and result = "constCast"
    or
-    this.getAnEnclosedExpression() instanceof ReinterpretCast and result = "reinterpretCast"
+    exists(ReinterpretCast e | e = this.getAnEnclosedExpression()) and result = "reinterpretCast"
    or
-    this.getAnEnclosedExpression() instanceof DynamicCast and result = "dynamicCast"
+    exists(DynamicCast e | e = this.getAnEnclosedExpression()) and result = "dynamicCast"
    or
-    this.getAnEnclosedExpression() instanceof SizeofExprOperator and result = "sizeofExpr"
+    exists(SizeofExprOperator e | e = this.getAnEnclosedExpression()) and result = "sizeofExpr"
    or
-    this.getAnEnclosedExpression() instanceof SizeofTypeOperator and result = "sizeofType"
+    exists(SizeofTypeOperator e | e = this.getAnEnclosedExpression()) and result = "sizeofType"
    or
-    this.getAnEnclosedStmt() instanceof IfStmt and result = "ifVal"
+    exists(IfStmt e | e = this.getAnEnclosedStmt()) and result = "ifVal"
    or
-    this.getAnEnclosedStmt() instanceof SwitchStmt and result = "switchVal"
+    exists(SwitchStmt e | e = this.getAnEnclosedStmt()) and result = "switchVal"
    or
-    this.getAnEnclosedStmt() instanceof ForStmt and result = "forVal"
+    exists(ForStmt e | e = this.getAnEnclosedStmt()) and result = "forVal"
    or
-    this.getAnEnclosedStmt() instanceof DoStmt and result = "doVal"
+    exists(DoStmt e | e = this.getAnEnclosedStmt()) and result = "doVal"
    or
-    this.getAnEnclosedStmt() instanceof WhileStmt and result = "whileVal"
+    exists(WhileStmt e | e = this.getAnEnclosedStmt()) and result = "whileVal"
    or
-    this.getAnEnclosedStmt() instanceof GotoStmt and result = "gotoVal"
+    exists(GotoStmt e | e = this.getAnEnclosedStmt()) and result = "gotoVal"
    or
-    this.getAnEnclosedStmt() instanceof ContinueStmt and result = "continueVal"
+    exists(ContinueStmt e | e = this.getAnEnclosedStmt()) and result = "continueVal"
    or
-    this.getAnEnclosedStmt() instanceof BreakStmt and result = "breakVal"
+    exists(BreakStmt e | e = this.getAnEnclosedStmt()) and result = "breakVal"
    or
-    this.getAnEnclosedStmt() instanceof ReturnStmt and result = "returnVal"
+    exists(ReturnStmt e | e = this.getAnEnclosedStmt()) and result = "returnVal"
    or
-    this.getAnEnclosedStmt() instanceof SwitchCase and result = "caseVal"
+    exists(SwitchCase e | e = this.getAnEnclosedStmt()) and result = "caseVal"
    or
    exists(IfStmt s | s = this.getAnEnclosedStmt() and s.hasElse()) and
    result = "elseVal"
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Gets.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Gets.qll
@@ -65,6 +65,4 @@ private class GetsFunction extends DataFlowFunction, TaintFunction, ArrayFunctio
  }

  override predicate hasArrayOutput(int bufParam) { bufParam = 0 }
-
-  override predicate hasSocketInput(FunctionInput input) { input.isParameter(2) }
 }
--- a/cpp/ql/lib/semmle/code/cpp/models/interfaces/FlowSource.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/interfaces/FlowSource.qll
@@ -20,9 +20,8 @@ abstract class RemoteFlowSourceFunction extends Function {
  abstract predicate hasRemoteFlowSource(FunctionOutput output, string description);

  /**
-   * Holds if remote data from this source comes from a socket or stream
-   * described by `input`. There is no result if none is specified by a
-   * parameter.
+   * Holds if remote data from this source comes from a socket described by
+   * `input`. There is no result if a socket is not specified.
   */
  predicate hasSocketInput(FunctionInput input) { none() }
 }
@@ -60,9 +59,8 @@ abstract class RemoteFlowSinkFunction extends Function {
  abstract predicate hasRemoteFlowSink(FunctionInput input, string description);

  /**
-   * Holds if data put into this sink is transmitted through a socket or stream
-   * described by `input`. There is no result if none is specified by a
-   * parameter.
+   * Holds if data put into this sink is transmitted through a socket described
+   * by `input`. There is no result if a socket is not specified.
   */
  predicate hasSocketInput(FunctionInput input) { none() }
 }
--- a/cpp/ql/lib/semmle/code/cpp/padding/Padding.qll
+++ b/cpp/ql/lib/semmle/code/cpp/padding/Padding.qll
@@ -397,7 +397,7 @@ class PaddedType extends Class {
    // Support only single inheritance for now. If multiple inheritance is
    // supported, be sure to fix up the calls to getABaseClass*() to correctly
    // handle the presence of multiple base class subojects with the same type.
-    not exists(this.getDerivation(1))
+    not exists(ClassDerivation cd | cd = this.getDerivation(1))
  }

  /**
--- a/cpp/ql/lib/semmle/code/cpp/pointsto/PointsTo.qll
+++ b/cpp/ql/lib/semmle/code/cpp/pointsto/PointsTo.qll
@@ -72,7 +72,7 @@ predicate lvalue(Element e) {
  or
  exists(Cast c | lvalue(c) and e.(Expr).getConversion() = c)
  or
-  e.(Expr).getConversion() instanceof ReferenceToExpr
+  exists(ReferenceToExpr toref | e.(Expr).getConversion() = toref)
  or
  // If f is a function-pointer, then the following two
  // calls are equivalent:  f()  and  (*f)()
--- a/cpp/ql/lib/semmle/code/cpp/security/BufferWrite.qll
+++ b/cpp/ql/lib/semmle/code/cpp/security/BufferWrite.qll
@@ -71,14 +71,6 @@ abstract class BufferWrite extends Expr {
   */
  int getMaxData() { none() }

-  /**
-   * Gets an upper bound to the amount of data that's being written (if one
-   * can be found), specifying the reason for the estimation.
-   */
-  int getMaxData(BufferWriteEstimationReason reason) {
-    reason instanceof UnspecifiedEstimateReason and result = this.getMaxData()
-  }
-
  /**
   * Gets an upper bound to the amount of data that's being written (if one
   * can be found), except that float to string conversions are assumed to be
@@ -87,15 +79,6 @@ abstract class BufferWrite extends Expr {
   */
  int getMaxDataLimited() { result = this.getMaxData() }

-  /**
-   * Gets an upper bound to the amount of data that's being written (if one
-   * can be found), specifying the reason for the estimation, except that
-   * float to string conversions are assumed to be much smaller (8 bytes)
-   * than their true maximum length.  This can be helpful in determining the
-   * cause of a buffer overflow issue.
-   */
-  int getMaxDataLimited(BufferWriteEstimationReason reason) { result = this.getMaxData(reason) }
-
  /**
   * Gets the size of a single character of the type this
   * operation works with, in bytes.
@@ -152,18 +135,10 @@ class StrCopyBW extends BufferWriteCall {
    result = this.getArgument(this.getParamSize()).getValue().toInt() * this.getCharSize()
  }

-  private int getMaxDataImpl(BufferWriteEstimationReason reason) {
-    // when result exists, it is an exact flow analysis
-    reason instanceof ValueFlowAnalysis and
+  override int getMaxData() {
    result =
      this.getArgument(this.getParamSrc()).(AnalysedString).getMaxLength() * this.getCharSize()
  }
-
-  override int getMaxData(BufferWriteEstimationReason reason) {
-    result = this.getMaxDataImpl(reason)
-  }
-
-  override int getMaxData() { result = max(this.getMaxDataImpl(_)) }
 }

 /**
@@ -198,18 +173,10 @@ class StrCatBW extends BufferWriteCall {
    result = this.getArgument(this.getParamSize()).getValue().toInt() * this.getCharSize()
  }

-  private int getMaxDataImpl(BufferWriteEstimationReason reason) {
-    // when result exists, it is an exact flow analysis
-    reason instanceof ValueFlowAnalysis and
+  override int getMaxData() {
    result =
      this.getArgument(this.getParamSrc()).(AnalysedString).getMaxLength() * this.getCharSize()
  }
-
-  override int getMaxData(BufferWriteEstimationReason reason) {
-    result = this.getMaxDataImpl(reason)
-  }
-
-  override int getMaxData() { result = max(this.getMaxDataImpl(_)) }
 }

 /**
@@ -266,31 +233,19 @@ class SprintfBW extends BufferWriteCall {

  override Expr getDest() { result = this.getArgument(f.getOutputParameterIndex(false)) }

-  private int getMaxDataImpl(BufferWriteEstimationReason reason) {
+  override int getMaxData() {
    exists(FormatLiteral fl |
      fl = this.(FormattingFunctionCall).getFormat() and
-      result = fl.getMaxConvertedLengthWithReason(reason) * this.getCharSize()
+      result = fl.getMaxConvertedLength() * this.getCharSize()
    )
  }

-  override int getMaxData(BufferWriteEstimationReason reason) {
-    result = this.getMaxDataImpl(reason)
-  }
-
-  override int getMaxData() { result = max(this.getMaxDataImpl(_)) }
-
-  private int getMaxDataLimitedImpl(BufferWriteEstimationReason reason) {
+  override int getMaxDataLimited() {
    exists(FormatLiteral fl |
      fl = this.(FormattingFunctionCall).getFormat() and
-      result = fl.getMaxConvertedLengthLimitedWithReason(reason) * this.getCharSize()
+      result = fl.getMaxConvertedLengthLimited() * this.getCharSize()
    )
  }
-
-  override int getMaxDataLimited(BufferWriteEstimationReason reason) {
-    result = this.getMaxDataLimitedImpl(reason)
-  }
-
-  override int getMaxDataLimited() { result = max(this.getMaxDataLimitedImpl(_)) }
 }

 /**
@@ -381,31 +336,19 @@ class SnprintfBW extends BufferWriteCall {
    result = this.getArgument(this.getParamSize()).getValue().toInt() * this.getCharSize()
  }

-  private int getMaxDataImpl(BufferWriteEstimationReason reason) {
+  override int getMaxData() {
    exists(FormatLiteral fl |
      fl = this.(FormattingFunctionCall).getFormat() and
-      result = fl.getMaxConvertedLengthWithReason(reason) * this.getCharSize()
+      result = fl.getMaxConvertedLength() * this.getCharSize()
    )
  }

-  override int getMaxData(BufferWriteEstimationReason reason) {
-    result = this.getMaxDataImpl(reason)
-  }
-
-  override int getMaxData() { result = max(this.getMaxDataImpl(_)) }
-
-  private int getMaxDataLimitedImpl(BufferWriteEstimationReason reason) {
+  override int getMaxDataLimited() {
    exists(FormatLiteral fl |
      fl = this.(FormattingFunctionCall).getFormat() and
-      result = fl.getMaxConvertedLengthLimitedWithReason(reason) * this.getCharSize()
+      result = fl.getMaxConvertedLengthLimited() * this.getCharSize()
    )
  }
-
-  override int getMaxDataLimited(BufferWriteEstimationReason reason) {
-    result = this.getMaxDataLimitedImpl(reason)
-  }
-
-  override int getMaxDataLimited() { result = max(this.getMaxDataLimitedImpl(_)) }
 }

 /**
@@ -493,9 +436,7 @@ class ScanfBW extends BufferWrite {

  override Expr getDest() { result = this }

-  private int getMaxDataImpl(BufferWriteEstimationReason reason) {
-    // when this returns, it is based on exact flow analysis
-    reason instanceof ValueFlowAnalysis and
+  override int getMaxData() {
    exists(ScanfFunctionCall fc, ScanfFormatLiteral fl, int arg |
      this = fc.getArgument(arg) and
      fl = fc.getFormat() and
@@ -503,12 +444,6 @@ class ScanfBW extends BufferWrite {
    )
  }

-  override int getMaxData(BufferWriteEstimationReason reason) {
-    result = this.getMaxDataImpl(reason)
-  }
-
-  override int getMaxData() { result = max(this.getMaxDataImpl(_)) }
-
  override string getBWDesc() {
    exists(FunctionCall fc |
      this = fc.getArgument(_) and
@@ -539,16 +474,8 @@ class RealpathBW extends BufferWriteCall {

  override Expr getASource() { result = this.getArgument(0) }

-  private int getMaxDataImpl(BufferWriteEstimationReason reason) {
-    // although there may be some unknown invariants guaranteeing that a real path is shorter than PATH_MAX, we can consider providing less than PATH_MAX a problem with high precision
-    reason instanceof ValueFlowAnalysis and
+  override int getMaxData() {
    result = path_max() and
    this = this // Suppress a compiler warning
  }
-
-  override int getMaxData(BufferWriteEstimationReason reason) {
-    result = this.getMaxDataImpl(reason)
-  }
-
-  override int getMaxData() { result = max(this.getMaxDataImpl(_)) }
 }
--- a/cpp/ql/lib/semmle/code/cpp/security/Overflow.qll
+++ b/cpp/ql/lib/semmle/code/cpp/security/Overflow.qll
@@ -9,7 +9,6 @@ import semmle.code.cpp.controlflow.Dominance
 private import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
-import semmle.code.cpp.controlflow.Guards

 /**
 * Holds if the value of `use` is guarded using `abs`.
@@ -17,16 +16,53 @@ import semmle.code.cpp.controlflow.Guards
 predicate guardedAbs(Operation e, Expr use) {
  exists(FunctionCall fc | fc.getTarget().getName() = ["abs", "labs", "llabs", "imaxabs"] |
    fc.getArgument(0).getAChild*() = use and
-    exists(GuardCondition c | c.ensuresLt(fc, _, _, e.getBasicBlock(), true))
+    guardedLesser(e, fc)
  )
 }

+/**
+ * Gets the position of `stmt` in basic block `block` (this is a thin layer
+ * over `BasicBlock.getNode`, intended to improve performance).
+ */
+pragma[noinline]
+private int getStmtIndexInBlock(BasicBlock block, Stmt stmt) { block.getNode(result) = stmt }
+
+pragma[inline]
+private predicate stmtDominates(Stmt dominator, Stmt dominated) {
+  // In same block
+  exists(BasicBlock block, int dominatorIndex, int dominatedIndex |
+    dominatorIndex = getStmtIndexInBlock(block, dominator) and
+    dominatedIndex = getStmtIndexInBlock(block, dominated) and
+    dominatedIndex >= dominatorIndex
+  )
+  or
+  // In (possibly) different blocks
+  bbStrictlyDominates(dominator.getBasicBlock(), dominated.getBasicBlock())
+}
+
 /**
 * Holds if the value of `use` is guarded to be less than something, and `e`
 * is in code controlled by that guard (where the guard condition held).
 */
+pragma[nomagic]
 predicate guardedLesser(Operation e, Expr use) {
-  exists(GuardCondition c | c.ensuresLt(use, _, _, e.getBasicBlock(), true))
+  exists(IfStmt c, RelationalOperation guard |
+    use = guard.getLesserOperand().getAChild*() and
+    guard = c.getControllingExpr().getAChild*() and
+    stmtDominates(c.getThen(), e.getEnclosingStmt())
+  )
+  or
+  exists(Loop c, RelationalOperation guard |
+    use = guard.getLesserOperand().getAChild*() and
+    guard = c.getControllingExpr().getAChild*() and
+    stmtDominates(c.getStmt(), e.getEnclosingStmt())
+  )
+  or
+  exists(ConditionalExpr c, RelationalOperation guard |
+    use = guard.getLesserOperand().getAChild*() and
+    guard = c.getCondition().getAChild*() and
+    c.getThen().getAChild*() = e
+  )
  or
  guardedAbs(e, use)
 }
@@ -35,8 +71,25 @@ predicate guardedLesser(Operation e, Expr use) {
 * Holds if the value of `use` is guarded to be greater than something, and `e`
 * is in code controlled by that guard (where the guard condition held).
 */
+pragma[nomagic]
 predicate guardedGreater(Operation e, Expr use) {
-  exists(GuardCondition c | c.ensuresLt(use, _, _, e.getBasicBlock(), false))
+  exists(IfStmt c, RelationalOperation guard |
+    use = guard.getGreaterOperand().getAChild*() and
+    guard = c.getControllingExpr().getAChild*() and
+    stmtDominates(c.getThen(), e.getEnclosingStmt())
+  )
+  or
+  exists(Loop c, RelationalOperation guard |
+    use = guard.getGreaterOperand().getAChild*() and
+    guard = c.getControllingExpr().getAChild*() and
+    stmtDominates(c.getStmt(), e.getEnclosingStmt())
+  )
+  or
+  exists(ConditionalExpr c, RelationalOperation guard |
+    use = guard.getGreaterOperand().getAChild*() and
+    guard = c.getCondition().getAChild*() and
+    c.getThen().getAChild*() = e
+  )
  or
  guardedAbs(e, use)
 }
--- a/cpp/ql/lib/semmle/code/cpp/security/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/security/TaintTrackingImpl.qll
@@ -258,7 +258,7 @@ private predicate insideFunctionValueMoveTo(Element src, Element dest) {
          format.getConversionChar(sourceArg - ffc.getTarget().getNumberOfParameters()) = ["s", "S"]
        )
        or
-        not c.(FormattingFunctionCall).getFormat() instanceof FormatLiteral
+        not exists(FormatLiteral fl | fl = c.(FormattingFunctionCall).getFormat())
        or
        not c instanceof FormattingFunctionCall
      ) and
--- a/cpp/ql/lib/semmle/code/cpp/stmts/Stmt.qll
+++ b/cpp/ql/lib/semmle/code/cpp/stmts/Stmt.qll
@@ -271,7 +271,7 @@ class IfStmt extends ConditionalStmt, @stmt_if {
   * if (b) { x = 1; }
   * ```
   */
-  predicate hasElse() { exists(this.getElse()) }
+  predicate hasElse() { exists(Stmt s | this.getElse() = s) }

  override string toString() { result = "if (...) ... " }

@@ -357,7 +357,7 @@ class ConstexprIfStmt extends ConditionalStmt, @stmt_constexpr_if {
   * if constexpr (b) { x = 1; }
   * ```
   */
-  predicate hasElse() { exists(this.getElse()) }
+  predicate hasElse() { exists(Stmt s | this.getElse() = s) }

  override string toString() { result = "if constexpr (...) ... " }

--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 0.0.7
-
-## 0.0.6
-
 ## 0.0.5

 ### New Queries
--- a/cpp/ql/src/Critical/DeadCodeGoto.ql
+++ b/cpp/ql/src/Critical/DeadCodeGoto.ql
@@ -30,8 +30,8 @@ where
  // the next statement isn't breaking out of a switch
  not s.(BreakStmt).getBreakable() instanceof SwitchStmt and
  // the next statement isn't a loop that can be jumped into
-  not s.(Loop).getStmt().getAChild*() instanceof LabelStmt and
-  not s.(Loop).getStmt().getAChild*() instanceof SwitchCase and
+  not exists(LabelStmt ls | s.(Loop).getStmt().getAChild*() = ls) and
+  not exists(SwitchCase sc | s.(Loop).getStmt().getAChild*() = sc) and
  // no preprocessor logic applies
  not functionContainsPreprocCode(js.getEnclosingFunction())
 select js, "This statement makes $@ unreachable.", s, s.toString()
--- a/Bugs/AmbiguouslySignedBitField.ql
+++ b/Bugs/AmbiguouslySignedBitField.ql
@@ -26,8 +26,6 @@ where
  // At least for C programs on Windows, BOOL is a common typedef for a type
  // representing BoolType.
  not bf.getType().hasName("BOOL") and
-  // GLib's gboolean is a typedef for a type representing BoolType.
-  not bf.getType().hasName("gboolean") and
  // If this is true, then there cannot be unsigned sign extension or overflow.
  not bf.getDeclaredNumBits() = bf.getType().getSize() * 8 and
  not bf.isAnonymous() and
--- a/Bugs/Arithmetic/ComparisonWithCancelingSubExpr.ql
+++ b/Bugs/Arithmetic/ComparisonWithCancelingSubExpr.ql
@@ -85,8 +85,7 @@ private predicate cancelingSubExprs(ComparisonOperation cmp, VariableAccess a1,
  exists(Variable v |
    exists(float m | m < 0 and cmpLinearSubVariable(cmp, v, a1, m)) and
    exists(float m | m > 0 and cmpLinearSubVariable(cmp, v, a2, m))
-  ) and
-  not any(ClassTemplateInstantiation inst).getATemplateArgument() = cmp.getParent*()
+  )
 }

 from ComparisonOperation cmp, VariableAccess a1, VariableAccess a2
--- a/Bugs/Arithmetic/PointlessSelfComparison.qll
+++ b/Bugs/Arithmetic/PointlessSelfComparison.qll
@@ -29,9 +29,7 @@ predicate pointlessSelfComparison(ComparisonOperation cmp) {
    not exists(lhs.getQualifier()) and // Avoid structure fields
    not exists(rhs.getQualifier()) and // Avoid structure fields
    not convertedExprMightOverflow(lhs) and
-    not convertedExprMightOverflow(rhs) and
-    // Don't warn if the comparison is part of a template argument.
-    not any(ClassTemplateInstantiation inst).getATemplateArgument() = cmp.getParent*()
+    not convertedExprMightOverflow(rhs)
  )
 }

--- a/Bugs/Format/SnprintfOverflow.qhelp
+++ b/Bugs/Format/SnprintfOverflow.qhelp
@@ -3,7 +3,7 @@
  "qhelp.dtd">
 <qhelp>
 <overview>
-<p>The return value of a call to <code>snprintf</code> is the number of characters that <i>would have</i> been written to the buffer assuming there was sufficient space.  In the event that the operation reaches the end of the buffer and more than one character is discarded, the return value will be greater than the buffer size.  This can cause incorrect behavior, for example:
+<p>The return value of a call to <code>snprintf</code> is the number of characters that <i>would have</i> been written to the buffer assuming there was sufficient space.  In the event that the operation reaches the end of the buffer and more than one character is discarded, the return value will be greater than the buffer size.  This can cause incorrect behaviour, for example:
 </p>
 </overview>

--- a/Year/LeapYear.qll
+++ b/Year/LeapYear.qll
@@ -55,7 +55,7 @@ abstract class LeapYearFieldAccess extends YearFieldAccess {
      op.getAnOperand() = this and
      (
        op instanceof AssignArithmeticOperation or
-        op.getAnOperand() instanceof BinaryArithmeticOperation or
+        exists(BinaryArithmeticOperation bao | bao = op.getAnOperand()) or
        op instanceof CrementOperation
      )
    )
@@ -212,7 +212,9 @@ class ChecksForLeapYearFunctionCall extends FunctionCall {
 class LeapYearCheckConfiguration extends DataFlow::Configuration {
  LeapYearCheckConfiguration() { this = "LeapYearCheckConfiguration" }

-  override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof VariableAccess }
+  override predicate isSource(DataFlow::Node source) {
+    exists(VariableAccess va | va = source.asExpr())
+  }

  override predicate isSink(DataFlow::Node sink) {
    exists(ChecksForLeapYearFunctionCall fc | sink.asExpr() = fc.getAnArgument())
--- a/Management/ImproperNullTermination.ql
+++ b/Management/ImproperNullTermination.ql
@@ -23,10 +23,6 @@ DeclStmt declWithNoInit(LocalVariable v) {
  not exists(v.getInitializer())
 }

-/**
- * Control flow reachability from a buffer that is not not null terminated to a
- * sink that requires null termination.
- */
 class ImproperNullTerminationReachability extends StackVariableReachabilityWithReassignment {
  ImproperNullTerminationReachability() { this = "ImproperNullTerminationReachability" }

@@ -56,44 +52,12 @@ class ImproperNullTerminationReachability extends StackVariableReachabilityWithR

  override predicate isBarrier(ControlFlowNode node, StackVariable v) {
    exprDefinition(v, node, _) or
+    mayAddNullTerminator(node, v.getAnAccess()) or
+    node.(AddressOfExpr).getOperand() = v.getAnAccess() or // address taken
    isSinkActual(node, v) // only report first use
  }
 }

-/**
- * Flow from a place where null termination is added, to a sink of
- * `ImproperNullTerminationReachability`. This was previously implemented as a
- * simple barrier in `ImproperNullTerminationReachability`, but there were
- * false positive results involving multiple paths from source to sink.  We'd
- * prefer to report only the results we are sure of.
- */
-class NullTerminationReachability extends StackVariableReachabilityWithReassignment {
-  NullTerminationReachability() { this = "NullTerminationReachability" }
-
-  override predicate isSourceActual(ControlFlowNode node, StackVariable v) {
-    mayAddNullTerminator(node, v.getAnAccess()) or // null termination
-    node.(AddressOfExpr).getOperand() = v.getAnAccess() // address taken (possible null termination)
-  }
-
-  override predicate isSinkActual(ControlFlowNode node, StackVariable v) {
-    // have the same sinks as `ImproperNullTerminationReachability`.
-    exists(ImproperNullTerminationReachability r | r.isSinkActual(node, v))
-  }
-
-  override predicate isBarrier(ControlFlowNode node, StackVariable v) {
-    // don't look further back than the source, or further forward than the sink
-    exists(ImproperNullTerminationReachability r | r.isSourceActual(node, v)) or
-    exists(ImproperNullTerminationReachability r | r.isSinkActual(node, v))
-  }
-}
-
-from
-  ImproperNullTerminationReachability reaches, NullTerminationReachability nullTermReaches,
-  ControlFlowNode source, LocalVariable v, VariableAccess sink
-where
-  reaches.reaches(source, v, sink) and
-  not exists(ControlFlowNode termination |
-    nullTermReaches.reaches(termination, _, sink) and
-    termination != source
-  )
-select sink, "Variable $@ may not be null terminated.", v, v.getName()
+from ImproperNullTerminationReachability r, LocalVariable v, VariableAccess va
+where r.reaches(_, v, va)
+select va, "Variable $@ may not be null terminated.", v, v.getName()
--- a/Management/ReturnStackAllocatedMemory.cpp
+++ b/Management/ReturnStackAllocatedMemory.cpp
@@ -4,4 +4,4 @@ Record* fixRecord(Record* r) {

 	myRecord.fix();
 	return &myRecord; //returns reference to myRecord, which is a stack-allocated object
-}
+}
--- a/Management/ReturnStackAllocatedMemory.ql
+++ b/Management/ReturnStackAllocatedMemory.ql
@@ -3,169 +3,68 @@
 * @description A function returns a pointer to a stack-allocated region of
 *              memory. This memory is deallocated at the end of the function,
 *              which may lead the caller to dereference a dangling pointer.
- * @kind path-problem
+ * @kind problem
 * @id cpp/return-stack-allocated-memory
 * @problem.severity warning
- * @security-severity 9.3
 * @precision high
 * @tags reliability
- *       security
 *       external/cwe/cwe-825
 */

 import cpp
-import semmle.code.cpp.ir.IR
-import semmle.code.cpp.ir.dataflow.DataFlow::DataFlow
+import semmle.code.cpp.dataflow.EscapesTree
+import semmle.code.cpp.models.interfaces.PointerWrapper
+import semmle.code.cpp.dataflow.DataFlow

-/** Holds if `f` has a name that we intrepret as evidence of intentionally returning the value of the stack pointer. */
-predicate intentionallyReturnsStackPointer(Function f) {
-  f.getName().toLowerCase().matches(["%stack%", "%sp%"])
+/**
+ * Holds if `n1` may flow to `n2`, ignoring flow through fields because these
+ * are currently modeled as an overapproximation that assumes all objects may
+ * alias.
+ */
+predicate conservativeDataFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
+  DataFlow::localFlowStep(n1, n2) and
+  not n2.asExpr() instanceof FieldAccess and
+  not hasNontrivialConversion(n2.asExpr())
 }

 /**
- * Holds if `source` is a node that represents the use of a stack variable
+ * Holds if `e` has a conversion that changes it from lvalue to pointer or
+ * back. As the data-flow library does not support conversions, we cannot track
+ * data flow through such expressions.
 */
-predicate isSource(Node source) {
-  exists(VariableAddressInstruction var, Function func |
-    var = source.asInstruction() and
-    func = var.getEnclosingFunction() and
-    var.getASTVariable() instanceof StackVariable and
-    // Pointer-to-member types aren't properly handled in the dbscheme.
-    not var.getResultType() instanceof PointerToMemberType and
-    // Rule out FPs caused by extraction errors.
-    not any(ErrorExpr e).getEnclosingFunction() = func and
-    not intentionallyReturnsStackPointer(func)
-  )
-}
-
-/**
- * Holds if `sink` is a node that represents the `StoreInstruction` that is subsequently used in
- * a `ReturnValueInstruction`. We use the `StoreInstruction` instead of the instruction that defines the
- * `ReturnValueInstruction`'s source value oprand because the former has better location information.
- */
-predicate isSink(Node sink) {
-  exists(StoreInstruction store |
-    store.getDestinationAddress().(VariableAddressInstruction).getIRVariable() instanceof
-      IRReturnVariable and
-    sink.asOperand() = store.getSourceValueOperand()
-  )
-}
-
-/** Holds if `node1` _must_ flow to `node2`. */
-predicate step(Node node1, Node node2) {
-  instructionToOperandStep(node1.asInstruction(), node2.asOperand())
-  or
-  operandToInstructionStep(node1.asOperand(), node2.asInstruction())
-}
-
-predicate instructionToOperandStep(Instruction instr, Operand operand) { operand.getDef() = instr }
-
-/**
- * Holds if `operand` flows to the result of `instr`.
- *
- * This predicate ignores flow through `PhiInstruction`s to create a 'must flow' relation. It also
- * intentionally conflates addresses of fields and their object, and pointer offsets with their
- * base pointer as this allows us to detect cases where an object's address flows to a return statement
- * via a field. For example:
- *
- * ```cpp
- * struct S { int x, y };
- * int* test() {
- *   S s;
- *   return &s.x; // BAD: &s.x is an address of a variable on the stack.
- * }
- * ```
- */
-predicate operandToInstructionStep(Operand operand, Instruction instr) {
-  instr.(CopyInstruction).getSourceValueOperand() = operand
-  or
-  instr.(ConvertInstruction).getUnaryOperand() = operand
-  or
-  instr.(CheckedConvertOrNullInstruction).getUnaryOperand() = operand
-  or
-  instr.(InheritanceConversionInstruction).getUnaryOperand() = operand
-  or
-  instr.(FieldAddressInstruction).getObjectAddressOperand() = operand
-  or
-  instr.(PointerOffsetInstruction).getLeftOperand() = operand
-}
-
-/** Holds if a source node flows to `n`. */
-predicate branchlessLocalFlow0(Node n) {
-  isSource(n)
-  or
-  exists(Node mid |
-    branchlessLocalFlow0(mid) and
-    step(mid, n)
-  )
-}
-
-/** Holds if `n` is reachable through some source node, and `n` also eventually reaches a sink. */
-predicate branchlessLocalFlow1(Node n) {
-  branchlessLocalFlow0(n) and
-  (
-    isSink(n)
+predicate hasNontrivialConversion(Expr e) {
+  e instanceof Conversion and
+  not (
+    e instanceof Cast
    or
-    exists(Node mid |
-      branchlessLocalFlow1(mid) and
-      step(n, mid)
+    e instanceof ParenthesisExpr
+  )
+  or
+  // A smart pointer can be stack-allocated while the data it points to is heap-allocated.
+  // So we exclude such "conversions" from this predicate.
+  e = any(PointerWrapper wrapper).getAnUnwrapperFunction().getACallToThisFunction()
+  or
+  hasNontrivialConversion(e.getConversion())
+}
+
+from StackVariable var, VariableAccess va, ReturnStmt r
+where
+  not var.getUnspecifiedType() instanceof ReferenceType and
+  not r.isFromUninstantiatedTemplate(_) and
+  va = var.getAnAccess() and
+  (
+    // To check if the address escapes directly from `e` in `return e`, we need
+    // to check the fully-converted `e` in case there are implicit
+    // array-to-pointer conversions or reference conversions.
+    variableAddressEscapesTree(va, r.getExpr().getFullyConverted())
+    or
+    // The data flow library doesn't support conversions, so here we check that
+    // the address escapes into some expression `pointerToLocal`, which flows
+    // in one or more steps to a returned expression.
+    exists(Expr pointerToLocal |
+      variableAddressEscapesTree(va, pointerToLocal.getFullyConverted()) and
+      not hasNontrivialConversion(pointerToLocal) and
+      conservativeDataFlowStep+(DataFlow::exprNode(pointerToLocal), DataFlow::exprNode(r.getExpr()))
    )
  )
-}
-
-newtype TLocalPathNode =
-  TLocalPathNodeMid(Node n) {
-    branchlessLocalFlow1(n) and
-    (
-      isSource(n) or
-      exists(LocalPathNodeMid mid | step(mid.getNode(), n))
-    )
-  }
-
-abstract class LocalPathNode extends TLocalPathNode {
-  Node n;
-
-  /** Gets the underlying node. */
-  Node getNode() { result = n }
-
-  /** Gets a textual representation of this node. */
-  string toString() { result = n.toString() }
-
-  /** Gets the location of this element. */
-  Location getLocation() { result = n.getLocation() }
-
-  /** Gets a successor `LocalPathNode`, if any. */
-  LocalPathNode getASuccessor() { step(this.getNode(), result.getNode()) }
-}
-
-class LocalPathNodeMid extends LocalPathNode, TLocalPathNodeMid {
-  LocalPathNodeMid() { this = TLocalPathNodeMid(n) }
-}
-
-class LocalPathNodeSink extends LocalPathNodeMid {
-  LocalPathNodeSink() { isSink(this.getNode()) }
-}
-
-/**
- * Holds if `source` is a source node, `sink` is a sink node, and there's flow
- * from `source` to `sink` using `step` relation.
- */
-predicate hasFlow(LocalPathNode source, LocalPathNodeSink sink) {
-  isSource(source.getNode()) and
-  source.getASuccessor+() = sink
-}
-
-predicate reach(LocalPathNode n) { n instanceof LocalPathNodeSink or reach(n.getASuccessor()) }
-
-query predicate edges(LocalPathNode a, LocalPathNode b) { a.getASuccessor() = b and reach(b) }
-
-query predicate nodes(LocalPathNode n, string key, string val) {
-  reach(n) and key = "semmle.label" and val = n.toString()
-}
-
-from LocalPathNode source, LocalPathNodeSink sink, VariableAddressInstruction var
-where
-  hasFlow(source, sink) and
-  source.getNode().asInstruction() = var
-select sink.getNode(), source, sink, "May return stack-allocated memory from $@.", var.getAST(),
-  var.getAST().toString()
+select r, "May return stack-allocated memory from $@.", va, va.toString()
--- a/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.qhelp
+++ b/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.qhelp
@@ -18,5 +18,8 @@
 <p>To fix the problem, either the second argument to <code>snprintf</code> should be changed to 80, or the buffer extended to 256 characters.  A further improvement is to use a preprocessor define so that the size is only specified in one place, potentially preventing future recurrence of this issue.</p>

 </example>
-<include src="OverrunWriteReferences.inc.qhelp" />
+<references>
+
+
+</references>
 </qhelp>
--- a/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.c
+++ b/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.c
@@ -1,9 +1,9 @@
-void sayHello(uint32_t userId)
+void sayHello()
 {
-	char buffer[18];
+	char buffer[10];

-	// BAD: this message overflows the buffer if userId >= 10000
-	sprintf(buffer, "Hello, user %d!", userId);
+	// BAD: this message overflows the buffer
+	strcpy(buffer, "Hello, world!");

 	MessageBox(hWnd, buffer, "New Message", MB_OK);
 }
--- a/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.qhelp
+++ b/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.qhelp
@@ -6,20 +6,30 @@
 <p>The program performs a buffer copy or write operation with no upper limit on the size of the copy, and it appears that certain inputs will cause a buffer overflow to occur in this case.  In addition to causing program instability, techniques exist which may allow an attacker to use this vulnerability to execute arbitrary code.</p>

 </overview>
-<include src="OverrunWriteRecommendation.inc.qhelp" />
+<recommendation>
+<p>Always control the length of buffer copy and buffer write operations.  <code>strncpy</code> should be used over <code>strcpy</code>, <code>snprintf</code> over <code>sprintf</code>, and in other cases 'n-variant' functions should be preferred.</p>
+
+</recommendation>
 <example>
 <sample src="OverrunWrite.c" />

-<p>In this example, the call to <code>sprintf</code> writes a message of 14 characters (including the terminating null) plus the length of the string conversion of `userId` into a buffer with space for just 18 characters.  As such, if `userId` is greater or equal to `10000`, the last characters overflow the buffer resulting in undefined behavior.</p>
+<p>In this example, the call to <code>strcpy</code> copies a message of 14 characters (including the terminating null) into a buffer with space for just 10 characters.  As such, the last four characters overflow the buffer resulting in undefined behavior.</p>

-<p>To fix this issue these changes should be made:</p>
+<p>To fix this issue three changes should be made:</p>
 <ul>
-  <li>Control the size of the buffer by declaring it with a compile time constant.</li>
-  <li>Preferably, replace the call to <code>sprintf</code> with <code>snprintf</code>, using the defined constant size of the buffer or `sizeof(buffer)` as maximum length to write. This will prevent the buffer overflow.</li>
-  <li>Optionally, if `userId` is expected to be less than `10000`, then return or throw an error if `userId` is out of bounds.</li>
-  <li>Otherwise, consider increasing the buffer size to at least 25 characters, so that the message is displayed correctly regardless of the value of `userId`.</li>
+  <li>Control the size of the buffer using a preprocessor define.</li>
+  <li>Replace the call to <code>strcpy</code> with <code>strncpy</code>, specifying the define as the maximum length to copy.  This will prevent the buffer overflow.</li>
+  <li>Consider increasing the buffer size, say to 20 characters, so that the message is displayed correctly.</li>
 </ul>

 </example>
-<include src="OverrunWriteReferences.inc.qhelp" />
+<references>
+
+<li>CERT C Coding Standard: <a href="https://www.securecoding.cert.org/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator">STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator</a>.</li>
+
+
+<!--  LocalWords:  preprocessor CWE STR
+ -->
+
+</references>
 </qhelp>
--- a/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
@@ -21,17 +21,14 @@ import semmle.code.cpp.commons.Alloc
 * See CWE-120/UnboundedWrite.ql for a summary of CWE-120 alert cases.
 */

-from BufferWrite bw, Expr dest, int destSize, int estimated, BufferWriteEstimationReason reason
+from BufferWrite bw, Expr dest, int destSize
 where
  not bw.hasExplicitLimit() and // has no explicit size limit
  dest = bw.getDest() and
  destSize = getBufferSize(dest, _) and
-  estimated = bw.getMaxDataLimited(reason) and
-  // we exclude ValueFlowAnalysis as it is reported in cpp/very-likely-overruning-write
-  not reason instanceof ValueFlowAnalysis and
  // we can deduce that too much data may be copied (even without
  // long '%f' conversions)
-  estimated > destSize
+  bw.getMaxDataLimited() > destSize
 select bw,
-  "This '" + bw.getBWDesc() + "' operation requires " + estimated +
+  "This '" + bw.getBWDesc() + "' operation requires " + bw.getMaxData() +
    " bytes but the destination is only " + destSize + " bytes."
--- a/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.qhelp
+++ b/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.qhelp
@@ -6,19 +6,30 @@
 <p>The program performs a buffer copy or write operation that includes one or more float to string conversions (i.e. the %f format specifier), which may overflow the destination buffer if extreme inputs are given.  In addition to causing program instability, techniques exist which may allow an attacker to use this vulnerability to execute arbitrary code.</p>

 </overview>
-<include src="OverrunWriteRecommendation.inc.qhelp" />
+<recommendation>
+<p>Always control the length of buffer copy and buffer write operations.  <code>strncpy</code> should be used over <code>strcpy</code>, <code>snprintf</code> over <code>sprintf</code>, and in other cases 'n-variant' functions should be preferred.</p>
+
+</recommendation>
 <example>
 <sample src="OverrunWriteFloat.c" />

-<p>In this example, the call to <code>sprintf</code> contains a <code>%f</code> format specifier.  Though a 256 character buffer has been allowed, it is not sufficient for the most extreme floating point inputs.  For example the representation of double value 1e304 (that is 1 with 304 zeroes after it) will overflow a buffer of this length.</p>
+<p>In this example, the call to <code>sprintf</code> contains a %f format specifier.  Though a 256 character buffer has been allowed, it is not sufficient for the most extreme floating point inputs.  For example the representation of double value 1e304 (that is 1 with 304 zeroes after it) will overflow a buffer of this length.</p>

 <p>To fix this issue three changes should be made:</p>
 <ul>
  <li>Control the size of the buffer using a preprocessor define.</li>
  <li>Replace the call to <code>sprintf</code> with <code>snprintf</code>, specifying the define as the maximum length to copy.  This will prevent the buffer overflow.</li>
-  <li>Consider using the <code>%g</code> format specifier instead of <code>%f</code>.</li>
+  <li>Consider using the %g format specifier instead of %f.</li>
 </ul>

 </example>
-<include src="OverrunWriteReferences.inc.qhelp" />
+<references>
+
+<li>CERT C Coding
+Standard: <a href="https://www.securecoding.cert.org/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator">STR31-C. Guarantee
+that storage for strings has sufficient space for character data and
+the null terminator</a>.</li>
+
+
+</references>
 </qhelp>
--- a/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql
@@ -21,15 +21,14 @@ import semmle.code.cpp.security.BufferWrite
 * See CWE-120/UnboundedWrite.ql for a summary of CWE-120 alert cases.
 */

-from BufferWrite bw, int destSize, int estimated, BufferWriteEstimationReason reason
+from BufferWrite bw, int destSize
 where
  not bw.hasExplicitLimit() and
  // has no explicit size limit
  destSize = getBufferSize(bw.getDest(), _) and
-  estimated = bw.getMaxData(reason) and
-  estimated > destSize and
+  bw.getMaxData() > destSize and
  // and we can deduce that too much data may be copied
-  bw.getMaxDataLimited(reason) <= destSize // but it would fit without long '%f' conversions
+  bw.getMaxDataLimited() <= destSize // but it would fit without long '%f' conversions
 select bw,
-  "This '" + bw.getBWDesc() + "' operation may require " + estimated +
+  "This '" + bw.getBWDesc() + "' operation may require " + bw.getMaxData() +
    " bytes because of float conversions, but the target is only " + destSize + " bytes."
--- a/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteRecommendation.inc.qhelp
+++ b/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteRecommendation.inc.qhelp
@@ -1,8 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<recommendation>
-<p>Always control the length of buffer copy and buffer write operations. <code>strncpy</code> should be used over <code>strcpy</code>, <code>snprintf</code> over <code>sprintf</code>, and in other cases 'n-variant' functions should be preferred.</p>
-</recommendation>
-</qhelp>
--- a/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteReferences.inc.qhelp
+++ b/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteReferences.inc.qhelp
@@ -1,14 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<references>
-
-<li>CERT C Coding Standard: <a href="https://www.securecoding.cert.org/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator">STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator</a>.</li>
-<li>CERT C++ Coding Standard: <a href="https://www.securecoding.cert.org/confluence/display/cplusplus/STR50-CPP.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator">STR50-CPP. Guarantee that storage for strings has sufficient space for character data and the null terminator</a>.</li>
-
-<!--  LocalWords:  preprocessor CWE STR
- -->
-
-</references>
-</qhelp>
--- a/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.qhelp
+++ b/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.qhelp
@@ -6,7 +6,10 @@
 <p>The program performs a buffer copy or write operation with no upper limit on the size of the copy.  An unexpectedly long input that reaches this code will cause the buffer to overflow.  In addition to causing program instability, techniques exist which may allow an attacker to use this vulnerability to execute arbitrary code.</p>

 </overview>
-<include src="OverrunWriteRecommendation.inc.qhelp" />
+<recommendation>
+<p>Always control the length of buffer copy and buffer write operations.  <code>strncpy</code> should be used over <code>strcpy</code>, <code>snprintf</code> over <code>sprintf</code> etc.  In general 'n-variant' functions should be preferred.</p>
+
+</recommendation>
 <example>
 <sample src="UnboundedWrite.c" />

@@ -15,5 +18,13 @@
 <p>To fix the problem the call to <code>sprintf</code> should be replaced with <code>snprintf</code>, specifying a maximum length of 80 characters.</p>

 </example>
-<include src="OverrunWriteReferences.inc.qhelp" />
+<references>
+
+<li>CERT C++ Coding Standard: <a href="https://www.securecoding.cert.org/confluence/display/cplusplus/STR50-CPP.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator">STR50-CPP. Guarantee that storage for strings has sufficient space for character data and the null terminator</a>.</li>
+
+
+<!--  LocalWords:  CWE STR
+ -->
+
+</references>
 </qhelp>
--- a/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
@@ -33,7 +33,7 @@ import TaintedWithPath
 *    hasExplicitLimit()    exists(getMaxData())  exists(getBufferSize(bw.getDest(), _))) handled by
 *    NO                    NO                    either                                  UnboundedWrite.ql isUnboundedWrite()
 *    NO                    YES                   NO                                      UnboundedWrite.ql isMaybeUnboundedWrite()
- *    NO                    YES                   YES                                     VeryLikelyOverrunWrite.ql, OverrunWrite.ql, OverrunWriteFloat.ql
+ *    NO                    YES                   YES                                     OverrunWrite.ql, OverrunWriteFloat.ql
 *    YES                   either                YES                                     BadlyBoundedWrite.ql
 *    YES                   either                NO                                      (assumed OK)
 */
@@ -44,7 +44,7 @@ import TaintedWithPath

 predicate isUnboundedWrite(BufferWrite bw) {
  not bw.hasExplicitLimit() and // has no explicit size limit
-  not exists(bw.getMaxData(_)) // and we can't deduce an upper bound to the amount copied
+  not exists(bw.getMaxData()) // and we can't deduce an upper bound to the amount copied
 }

 /*
--- a/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.c
+++ b/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.c
@@ -1,14 +0,0 @@
-int sayHello(uint32_t userId)
-{
-	char buffer[17];
-
-	if (userId > 9999) return USER_ID_OUT_OF_BOUNDS;
-
-	// BAD: this message overflows the buffer if userId >= 1000,
-	// as no space for the null terminator was accounted for
-	sprintf(buffer, "Hello, user %d!", userId);
-
-	MessageBox(hWnd, buffer, "New Message", MB_OK);
-	
-	return SUCCESS;
-}
--- a/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.qhelp
+++ b/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.qhelp
@@ -1,24 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<overview>
-<p>The program performs a buffer copy or write operation with no upper limit on the size of the copy. By analyzing the bounds of the expressions involved, it appears that certain inputs will cause a buffer overflow to occur in this case.  In addition to causing program instability, techniques exist which may allow an attacker to use this vulnerability to execute arbitrary code.</p>
-
-</overview>
-<include src="OverrunWriteRecommendation.inc.qhelp" />
-<example>
-<sample src="VeryLikelyOverrunWrite.c" />
-
-<p>In this example, the call to <code>sprintf</code> writes a message of 14 characters (including the terminating null) plus the length of the string conversion of `userId` into a buffer with space for just 17 characters. While `userId` is checked to occupy no more than 4 characters when converted, there is no space in the buffer for the terminating null character if `userId >= 1000`. In this case, the null character overflows the buffer resulting in undefined behavior.</p>
-
-<p>To fix this issue these changes should be made:</p>
-<ul>
-  <li>Control the size of the buffer by declaring it with a compile time constant.</li>
-  <li>Preferably, replace the call to <code>sprintf</code> with <code>snprintf</code>, using the defined constant size of the buffer or `sizeof(buffer)` as maximum length to write. This will prevent the buffer overflow.</li>
-  <li>Increasing the buffer size to account for the full range of `userId` and the terminating null character.</li>
-</ul>
-
-</example>
-<include src="OverrunWriteReferences.inc.qhelp" />
-</qhelp>
--- a/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
@@ -1,34 +0,0 @@
-/**
- * @name Likely overrunning write
- * @description Buffer write operations that do not control the length
- *              of data written may overflow
- * @kind problem
- * @problem.severity error
- * @security-severity 9.3
- * @precision high
- * @id cpp/very-likely-overrunning-write
- * @tags reliability
- *       security
- *       external/cwe/cwe-120
- *       external/cwe/cwe-787
- *       external/cwe/cwe-805
- */
-
-import semmle.code.cpp.security.BufferWrite
-import semmle.code.cpp.commons.Alloc
-
-/*
- * See CWE-120/UnboundedWrite.ql for a summary of CWE-120 alert cases.
- */
-
-from BufferWrite bw, Expr dest, int destSize, int estimated, ValueFlowAnalysis reason
-where
-  not bw.hasExplicitLimit() and // has no explicit size limit
-  dest = bw.getDest() and
-  destSize = getBufferSize(dest, _) and
-  estimated = bw.getMaxDataLimited(reason) and
-  // we can deduce from non-trivial range analysis that too much data may be copied
-  estimated > destSize
-select bw,
-  "This '" + bw.getBWDesc() + "' operation requires " + estimated +
-    " bytes but the destination is only " + destSize + " bytes."
--- a/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
+++ b/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
@@ -19,7 +19,6 @@ import cpp
 import semmle.code.cpp.dataflow.DataFlow
 import semmle.code.cpp.models.interfaces.ArrayFunction
 import semmle.code.cpp.models.interfaces.Allocation
-import semmle.code.cpp.commons.NullTermination

 predicate terminationProblem(AllocationExpr malloc, string msg) {
  // malloc(strlen(...))
@@ -36,7 +35,13 @@ predicate terminationProblem(AllocationExpr malloc, string msg) {
      af.hasArrayWithUnknownSize(arg)
      or
      // flows into string argument to a formatting function (such as `printf`)
-      formatArgumentMustBeNullTerminated(fc, fc.getArgument(arg))
+      exists(int n, FormatLiteral fl |
+        fc.getArgument(arg) = fc.(FormattingFunctionCall).getConversionArgument(n) and
+        fl = fc.(FormattingFunctionCall).getFormat() and
+        fl.getConversionType(n) instanceof PointerType and // `%s`, `%ws` etc
+        not fl.getConversionType(n) instanceof VoidPointerType and // exclude: `%p`
+        not fl.hasPrecision(n) // exclude: `%.*s`
+      )
    )
  ) and
  msg = "This allocation does not include space to null-terminate the string."
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
@@ -5,7 +5,7 @@
 * @kind path-problem
 * @problem.severity warning
 * @security-severity 8.6
- * @precision high
+ * @precision medium
 * @id cpp/uncontrolled-arithmetic
 * @tags security
 *       external/cwe/cwe-190
@@ -82,11 +82,8 @@ predicate missingGuard(VariableAccess va, string effect) {
    op.getUnspecifiedType().(IntegralType).isUnsigned() and
    not op instanceof MulExpr
    or
-    // overflow - only report signed integer overflow since unsigned overflow
-    // is well-defined.
-    op.getUnspecifiedType().(IntegralType).isSigned() and
-    missingGuardAgainstOverflow(op, va) and
-    effect = "overflow"
+    // overflow
+    missingGuardAgainstOverflow(op, va) and effect = "overflow"
  )
 }

--- a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+++ b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
@@ -22,13 +22,11 @@ import semmle.code.cpp.dataflow.DataFlow
 *  Holds if `sub` is guarded by a condition which ensures that
 * `left >= right`.
 */
-pragma[nomagic]
+pragma[noinline]
 predicate isGuarded(SubExpr sub, Expr left, Expr right) {
-  exprIsSubLeftOrLess(pragma[only_bind_into](sub), _) and // Manual magic
-  exists(GuardCondition guard, int k, BasicBlock bb |
-    pragma[only_bind_into](bb) = sub.getBasicBlock() and
-    guard.controls(pragma[only_bind_into](bb), _) and
-    guard.ensuresLt(left, right, k, bb, false) and
+  exists(GuardCondition guard, int k |
+    guard.controls(sub.getBasicBlock(), _) and
+    guard.ensuresLt(left, right, k, sub.getBasicBlock(), false) and
    k >= 0
  )
 }
@@ -38,56 +36,47 @@ predicate isGuarded(SubExpr sub, Expr left, Expr right) {
 * `sub.getLeftOperand()`.
 */
 predicate exprIsSubLeftOrLess(SubExpr sub, DataFlow::Node n) {
-  interestingSubExpr(sub, _) and // Manual magic
-  (
-    n.asExpr() = sub.getLeftOperand()
-    or
-    exists(DataFlow::Node other |
-      // dataflow
-      exprIsSubLeftOrLess(sub, other) and
-      (
-        DataFlow::localFlowStep(n, other) or
-        DataFlow::localFlowStep(other, n)
-      )
-    )
-    or
-    exists(DataFlow::Node other |
-      // guard constraining `sub`
-      exprIsSubLeftOrLess(sub, other) and
-      isGuarded(sub, other.asExpr(), n.asExpr()) // other >= n
-    )
-    or
-    exists(DataFlow::Node other, float p, float q |
-      // linear access of `other`
-      exprIsSubLeftOrLess(sub, other) and
-      linearAccess(n.asExpr(), other.asExpr(), p, q) and // n = p * other + q
-      p <= 1 and
-      q <= 0
-    )
-    or
-    exists(DataFlow::Node other, float p, float q |
-      // linear access of `n`
-      exprIsSubLeftOrLess(sub, other) and
-      linearAccess(other.asExpr(), n.asExpr(), p, q) and // other = p * n + q
-      p >= 1 and
-      q >= 0
+  n.asExpr() = sub.getLeftOperand()
+  or
+  exists(DataFlow::Node other |
+    // dataflow
+    exprIsSubLeftOrLess(sub, other) and
+    (
+      DataFlow::localFlowStep(n, other) or
+      DataFlow::localFlowStep(other, n)
    )
  )
-}
-
-predicate interestingSubExpr(SubExpr sub, RelationalOperation ro) {
-  not isFromMacroDefinition(sub) and
-  ro.getLesserOperand().getValue().toInt() = 0 and
-  ro.getGreaterOperand() = sub and
-  sub.getFullyConverted().getUnspecifiedType().(IntegralType).isUnsigned() and
-  // generally catches false positives involving constants
-  exprMightOverflowNegatively(sub.getFullyConverted())
+  or
+  exists(DataFlow::Node other |
+    // guard constraining `sub`
+    exprIsSubLeftOrLess(sub, other) and
+    isGuarded(sub, other.asExpr(), n.asExpr()) // other >= n
+  )
+  or
+  exists(DataFlow::Node other, float p, float q |
+    // linear access of `other`
+    exprIsSubLeftOrLess(sub, other) and
+    linearAccess(n.asExpr(), other.asExpr(), p, q) and // n = p * other + q
+    p <= 1 and
+    q <= 0
+  )
+  or
+  exists(DataFlow::Node other, float p, float q |
+    // linear access of `n`
+    exprIsSubLeftOrLess(sub, other) and
+    linearAccess(other.asExpr(), n.asExpr(), p, q) and // other = p * n + q
+    p >= 1 and
+    q >= 0
+  )
 }

 from RelationalOperation ro, SubExpr sub
 where
-  interestingSubExpr(sub, ro) and
  not isFromMacroDefinition(ro) and
-  // generally catches false positives where there's a relation between the left and right operands
-  not exprIsSubLeftOrLess(sub, DataFlow::exprNode(sub.getRightOperand()))
+  not isFromMacroDefinition(sub) and
+  ro.getLesserOperand().getValue().toInt() = 0 and
+  ro.getGreaterOperand() = sub and
+  sub.getFullyConverted().getUnspecifiedType().(IntegralType).isUnsigned() and
+  exprMightOverflowNegatively(sub.getFullyConverted()) and // generally catches false positives involving constants
+  not exprIsSubLeftOrLess(sub, DataFlow::exprNode(sub.getRightOperand())) // generally catches false positives where there's a relation between the left and right operands
 select ro, "Unsigned subtraction can never be negative."
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
@@ -2,7 +2,7 @@
 * @name Cleartext storage of sensitive information in file
 * @description Storing sensitive information in cleartext can expose it
 *              to an attacker.
- * @kind path-problem
+ * @kind problem
 * @problem.severity warning
 * @security-severity 7.5
 * @precision high
@@ -17,19 +17,6 @@ import semmle.code.cpp.security.SensitiveExprs
 import semmle.code.cpp.security.FileWrite
 import semmle.code.cpp.dataflow.DataFlow
 import semmle.code.cpp.valuenumbering.GlobalValueNumbering
-import semmle.code.cpp.dataflow.TaintTracking
-import DataFlow::PathGraph
-
-/**
- * Taint flow from a sensitive expression to a `FileWrite` sink.
- */
-class FromSensitiveConfiguration extends TaintTracking::Configuration {
-  FromSensitiveConfiguration() { this = "FromSensitiveConfiguration" }
-
-  override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof SensitiveExpr }
-
-  override predicate isSink(DataFlow::Node sink) { any(FileWrite w).getASource() = sink.asExpr() }
-}

 /**
 * An operation on a filename.
@@ -56,17 +43,12 @@ predicate isFileName(GVN gvn) {
  )
 }

-from
-  FromSensitiveConfiguration config, SensitiveExpr source, DataFlow::PathNode sourceNode, Expr mid,
-  DataFlow::PathNode midNode, FileWrite w, Expr dest
+from FileWrite w, SensitiveExpr source, Expr mid, Expr dest
 where
-  config.hasFlowPath(sourceNode, midNode) and
-  sourceNode.getNode().asExpr() = source and
-  midNode.getNode().asExpr() = mid and
+  DataFlow::localFlow(DataFlow::exprNode(source), DataFlow::exprNode(mid)) and
  mid = w.getASource() and
  dest = w.getDest() and
  not isFileName(globalValueNumber(source)) and // file names are not passwords
  not exists(string convChar | convChar = w.getSourceConvChar(mid) | not convChar = ["s", "S"]) // ignore things written with other conversion characters
-select w, sourceNode, midNode,
-  "This write into file '" + dest.toString() + "' may contain unencrypted data from $@", source,
-  "this source."
+select w, "This write into file '" + dest.toString() + "' may contain unencrypted data from $@",
+  source, "this source."
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
@@ -14,205 +14,105 @@
 import cpp
 import semmle.code.cpp.security.SensitiveExprs
 import semmle.code.cpp.dataflow.TaintTracking
-import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 import semmle.code.cpp.models.interfaces.FlowSource
 import DataFlow::PathGraph

-/**
- * A DataFlow node corresponding to a variable or function call that
- * might contain or return a password or other sensitive information.
- */
-class SensitiveNode extends DataFlow::Node {
-  SensitiveNode() {
-    this.asExpr() = any(SensitiveVariable sv).getInitializer().getExpr() or
-    this.asExpr().(VariableAccess).getTarget() =
-      any(SensitiveVariable sv).(GlobalOrNamespaceVariable) or
-    this.asUninitialized() instanceof SensitiveVariable or
-    this.asParameter() instanceof SensitiveVariable or
-    this.asExpr().(FunctionCall).getTarget() instanceof SensitiveFunction
-  }
-}
-
-/**
- * A function that sends or receives data over a network.
- */
-abstract class SendRecv extends Function {
-  /**
-   * Gets the expression for the socket or similar object used for sending or
-   * receiving data through the function call `call` (if any).
-   */
-  abstract Expr getSocketExpr(Call call);
-
-  /**
-   * Gets the expression for the buffer to be sent from / received into through
-   * the function call `call`.
-   */
-  abstract Expr getDataExpr(Call call);
-}
-
-/**
- * A function that sends data over a network.
- */
-class Send extends SendRecv instanceof RemoteFlowSinkFunction {
-  override Expr getSocketExpr(Call call) {
-    call.getTarget() = this and
-    exists(FunctionInput input, int arg |
-      super.hasSocketInput(input) and
-      input.isParameter(arg) and
-      result = call.getArgument(arg)
-    )
-  }
-
-  override Expr getDataExpr(Call call) {
-    call.getTarget() = this and
-    exists(FunctionInput input, int arg |
-      super.hasRemoteFlowSink(input, _) and
-      input.isParameterDeref(arg) and
-      result = call.getArgument(arg)
-    )
-  }
-}
-
-/**
- * A function that receives data over a network.
- */
-class Recv extends SendRecv instanceof RemoteFlowSourceFunction {
-  override Expr getSocketExpr(Call call) {
-    call.getTarget() = this and
-    exists(FunctionInput input, int arg |
-      super.hasSocketInput(input) and
-      input.isParameter(arg) and
-      result = call.getArgument(arg)
-    )
-  }
-
-  override Expr getDataExpr(Call call) {
-    call.getTarget() = this and
-    exists(FunctionOutput output, int arg |
-      super.hasRemoteFlowSource(output, _) and
-      output.isParameterDeref(arg) and
-      result = call.getArgument(arg)
-    )
-  }
-}
-
 /**
 * A function call that sends or receives data over a network.
- *
- * note: function calls such as `write` may be writing to a network source
- * or a file. We could attempt to determine which, and sort results into
- * `cpp/cleartext-transmission` and perhaps `cpp/cleartext-storage-file`. In
- * practice it usually isn't very important which query reports a result as
- * long as its reported exactly once.
- *
- * We do exclude function calls that specify an apparently constant socket,
- * which is likely to mean standard input, standard output or a similar channel.
 */
 abstract class NetworkSendRecv extends FunctionCall {
-  SendRecv target;
+  /**
+   * Gets the expression for the socket or similar object used for sending or
+   * receiving data (if any).
+   */
+  abstract Expr getSocketExpr();

-  NetworkSendRecv() {
-    this.getTarget() = target and
-    // exclude calls based on the socket...
-    not exists(GVN g |
-      g = globalValueNumber(target.getSocketExpr(this)) and
-      (
-        // literal constant
-        globalValueNumber(any(Literal l)) = g
-        or
-        // variable (such as a global) initialized to a literal constant
-        exists(Variable v |
-          v.getInitializer().getExpr() instanceof Literal and
-          g = globalValueNumber(v.getAnAccess())
-        )
-        or
-        // result of a function call with literal inputs (likely constant)
-        exists(FunctionCall fc |
-          forex(Expr arg | arg = fc.getAnArgument() | arg instanceof Literal) and
-          g = globalValueNumber(fc)
-        )
-        // (this is far from exhaustive)
-      )
-    )
-  }
-
-  final Expr getDataExpr() { result = target.getDataExpr(this) }
+  /**
+   * Gets the expression for the buffer to be sent from / received into.
+   */
+  abstract Expr getDataExpr();
 }

 /**
 * A function call that sends data over a network.
+ *
+ * note: functions such as `write` may be writing to a network source or a file. We could attempt to determine which, and sort results into `cpp/cleartext-transmission` and perhaps `cpp/cleartext-storage-file`. In practice it usually isn't very important which query reports a result as long as its reported exactly once.
 */
 class NetworkSend extends NetworkSendRecv {
-  override Send target;
+  RemoteFlowSinkFunction target;
+
+  NetworkSend() { target = this.getTarget() }
+
+  override Expr getSocketExpr() {
+    exists(FunctionInput input, int arg |
+      target.hasSocketInput(input) and
+      input.isParameter(arg) and
+      result = this.getArgument(arg)
+    )
+  }
+
+  override Expr getDataExpr() {
+    exists(FunctionInput input, int arg |
+      target.hasRemoteFlowSink(input, _) and
+      input.isParameterDeref(arg) and
+      result = this.getArgument(arg)
+    )
+  }
 }

 /**
 * A function call that receives data over a network.
 */
 class NetworkRecv extends NetworkSendRecv {
-  override Recv target;
-}
+  RemoteFlowSourceFunction target;

-/**
- * An expression that is an argument or return value from an encryption /
- * decryption call. This is quite inclusive to minimize false positives, for
- * example `SecureZeroMemory` is not an encryption routine but a clue that
- * encryption may be present.
- */
-class Encrypted extends Expr {
-  Encrypted() {
-    exists(FunctionCall fc |
-      fc.getTarget()
-          .getName()
-          .toLowerCase()
-          .regexpMatch(".*(crypt|encode|decode|hash|securezero).*") and
-      (
-        this = fc or
-        this = fc.getAnArgument()
-      )
+  NetworkRecv() { target = this.getTarget() }
+
+  override Expr getSocketExpr() {
+    exists(FunctionInput input, int arg |
+      target.hasSocketInput(input) and
+      input.isParameter(arg) and
+      result = this.getArgument(arg)
    )
-    or
-    exists(Type t |
-      this.getType().refersTo(t) and
-      t.getName().toLowerCase().regexpMatch(".*(crypt|encode|decode|hash|securezero).*")
+  }
+
+  override Expr getDataExpr() {
+    exists(FunctionOutput output, int arg |
+      target.hasRemoteFlowSource(output, _) and
+      output.isParameterDeref(arg) and
+      result = this.getArgument(arg)
    )
  }
 }

 /**
- * Taint flow from a sensitive expression.
+ * Taint flow from a sensitive expression to a network operation with data
+ * tainted by that expression.
 */
-class FromSensitiveConfiguration extends TaintTracking::Configuration {
-  FromSensitiveConfiguration() { this = "FromSensitiveConfiguration" }
+class SensitiveSendRecvConfiguration extends TaintTracking::Configuration {
+  SensitiveSendRecvConfiguration() { this = "SensitiveSendRecvConfiguration" }

-  override predicate isSource(DataFlow::Node source) { source instanceof SensitiveNode }
+  override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof SensitiveExpr }

  override predicate isSink(DataFlow::Node sink) {
-    sink.asExpr() = any(NetworkSendRecv nsr).getDataExpr()
-    or
-    sink.asExpr() instanceof Encrypted
-  }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-    // flow through encryption functions to the return value (in case we can reach other sinks)
-    node2.asExpr().(Encrypted).(FunctionCall).getAnArgument() = node1.asExpr()
+    exists(NetworkSendRecv transmission |
+      sink.asExpr() = transmission.getDataExpr() and
+      // a zero socket descriptor is standard input, which is not interesting for this query.
+      not exists(Zero zero |
+        DataFlow::localFlow(DataFlow::exprNode(zero),
+          DataFlow::exprNode(transmission.getSocketExpr()))
+      )
+    )
  }
 }

 from
-  FromSensitiveConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink,
-  NetworkSendRecv networkSendRecv, string msg
+  SensitiveSendRecvConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink,
+  NetworkSendRecv transmission, string msg
 where
-  // flow from sensitive -> network data
  config.hasFlowPath(source, sink) and
-  sink.getNode().asExpr() = networkSendRecv.getDataExpr() and
-  // no flow from sensitive -> evidence of encryption
-  not exists(DataFlow::Node encrypted |
-    config.hasFlow(source.getNode(), encrypted) and
-    encrypted.asExpr() instanceof Encrypted
-  ) and
-  // construct result
-  if networkSendRecv instanceof NetworkSend
+  sink.getNode().asExpr() = transmission.getDataExpr() and
+  if transmission instanceof NetworkSend
  then
    msg =
      "This operation transmits '" + sink.toString() +
@@ -221,4 +121,4 @@ where
    msg =
      "This operation receives into '" + sink.toString() +
        "', which may put unencrypted sensitive data into $@"
-select networkSendRecv, source, sink, msg, source, source.getNode().toString()
+select transmission, source, sink, msg, source, source.getNode().asExpr().toString()
--- a/Show More
+++ b/Show More