nop

JS: Performance optimisation for matching framework libraries with their marker comments
The `matchMarkerComment` predicate performs badly on any codebase with a moderately large number of comments, because the current implementation has to first compute the Cartesian product between the set of comments and the set of framework library comment regexes. Instead, match first against a single regex: the union of all framework library comment regexes. This computes a more benign Cartesian product, the same size as the set of comments. See inline comments for more details.
2026-05-21 14:47:10 +02:00 · 2021-12-09 12:57:37 +00:00 · 2021-12-02 20:04:36 -08:00 · 2021-12-02 16:44:38 -08:00 · 2021-12-02 18:52:22 +01:00 · 2021-12-02 16:30:45 +00:00
618 changed files with 47268 additions and 23834 deletions
--- a/.codeqlmanifest.json
+++ b/.codeqlmanifest.json
@@ -1,11 +1,16 @@
-{ "provide": [ "ruby/.codeqlmanifest.json",
-                "*/ql/src/qlpack.yml",
-               "*/ql/lib/qlpack.yml",
-               "*/ql/test/qlpack.yml",
-               "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml",
-               "*/ql/examples/qlpack.yml",
-               "*/upgrades/qlpack.yml",
-               "javascript/ql/experimental/adaptivethreatmodeling/lib/qlpack.yml",
-               "javascript/ql/experimental/adaptivethreatmodeling/src/qlpack.yml",
-               "misc/legacy-support/*/qlpack.yml",
-               "misc/suite-helpers/qlpack.yml" ] }
+{
+    "provide": [
+        "*/ql/src/qlpack.yml",
+        "*/ql/lib/qlpack.yml",
+        "*/ql/test/qlpack.yml",
+        "*/ql/examples/qlpack.yml",
+        "*/upgrades/qlpack.yml",
+        "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml",
+        "javascript/ql/experimental/adaptivethreatmodeling/lib/qlpack.yml",
+        "javascript/ql/experimental/adaptivethreatmodeling/src/qlpack.yml",
+        "misc/legacy-support/*/qlpack.yml",
+        "misc/suite-helpers/qlpack.yml",
+        "ruby/ql/consistency-queries/qlpack.yml",
+        "ruby/extractor-pack/codeql-extractor.yml"
+   ]
+}
--- a/.github/workflows/ruby-dataset-measure.yml
+++ b/.github/workflows/ruby-dataset-measure.yml
@@ -24,7 +24,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        repo: [rails/rails, discourse/discourse, spree/spree]
+        repo: [rails/rails, discourse/discourse, spree/spree, ruby/ruby]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
@@ -41,7 +41,7 @@ jobs:
      - name: Create database
        run: |
          codeql database create \
-            --search-path "${{ github.workspace }}/ruby" \
+            --search-path "${{ github.workspace }}/ruby/extractor-pack" \
            --threads 4 \
            --language ruby --source-root "${{ github.workspace }}/repo" \
            "${{ runner.temp }}/database"
--- a/.github/workflows/ruby-qltest.yml
+++ b/.github/workflows/ruby-qltest.yml
@@ -32,14 +32,14 @@ jobs:
      - uses: ./ruby/actions/create-extractor-pack
      - name: Run QL tests
        run: |
-          codeql test run --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --search-path "${{ github.workspace }}/ruby" --additional-packs "${{ github.workspace }}"  --consistency-queries ql/consistency-queries ql/test
+          codeql test run --search-path "${{ github.workspace }}/ruby/extractor-pack" --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test
        env:
          GITHUB_TOKEN: ${{ github.token }}
      - name: Check QL formatting
        run: find ql "(" -name "*.ql" -or -name "*.qll" ")" -print0 | xargs -0 codeql query format --check-only
      - name: Check QL compilation
        run: |
-          codeql query compile --check-only --threads=4 --warnings=error --search-path "${{ github.workspace }}/ruby" --additional-packs "${{ github.workspace }}" "ql/src" "ql/examples"
+          codeql query compile --check-only --threads=4 --warnings=error "ql/src" "ql/examples"
        env:
          GITHUB_TOKEN: ${{ github.token }}
      - name: Check DB upgrade scripts
--- a/benjamin-button.md
+++ b/benjamin-button.md
@@ -1,51 +0,0 @@
-# benjamin-buttons.md
-
-This file describes the changes that have been applied to
-the library to make it behave as if it was younger.
-
-## TaintedPath.ql
-
-Sinks added between 2020-01-01 and 2020-10-06 have been removed. Found by looking at:
-
- the commit titles of https://github.com/github/codeql/commits/main/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+sink
-
-Sinks added between 2018-08-02 and 2020-01-01 have been removed. Found by looking at:
-
- the commit titles of https://github.com/github/codeql/commits/main/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+sink
- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+pathinjection
- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+tainted-path
-
-Sinks from the "graceful-fs" and "fs-extra" (added before the open-sourcing squash).
-
-## Xss.ql
-
-Sinks added between 2020-01-01 and 2020-10-06 have been removed. Found by looking at:
-
- the commit titles of https://github.com/github/codeql/commits/main/javascript/ql/test/query-tests/Security/CWE-079/Xss.expected
- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+sink
-
- recursive type tracking for `jQuery::dollar`, `DOM::domValueRef`.
-
-## SqlInjection.ql
-
-Sinks added between 2020-01-01 and 2020-10-06 have been removed. Found by looking at:
-
- the commit titles of https://github.com/github/codeql/commits/main/javascript/ql/test/query-tests/Security/CWE-089
- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+sink
-
-Sinks added between 2018-08-02 and 2020-01-01 have been removed. Found by looking at:
-
- the commit titles of https://github.com/github/codeql/commits/main/javascript/ql/test/query-tests/Security/CWE-089
- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+sink
- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+sql
-
-TypeTracking in SQL.qll (added before the open-sourcing squash)
-
-The model of `mssql` and `sequelize` (added before the open-sourcing squash)
-
-## PseudoProperties
-
-Pseudo-properties (`$name$`) used in type-tracking and global dataflow configurations have been disabled.
-Found by searching for `"\$.*\$"`.
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -460,9 +460,10 @@
    "javascript/ql/lib/semmle/javascript/security/internal/SensitiveDataHeuristics.qll",
    "python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qll"
  ],
-  "ReDoS Util Python/JS": [
+  "ReDoS Util Python/JS/Ruby": [
    "javascript/ql/lib/semmle/javascript/security/performance/ReDoSUtil.qll",
-    "python/ql/lib/semmle/python/security/performance/ReDoSUtil.qll"
+    "python/ql/lib/semmle/python/security/performance/ReDoSUtil.qll",
+    "ruby/ql/lib/codeql/ruby/security/performance/ReDoSUtil.qll"
  ],
  "ReDoS Exponential Python/JS": [
    "javascript/ql/lib/semmle/javascript/security/performance/ExponentialBackTracking.qll",
--- a/cpp/change-notes/2021-11-25-certificate-not-checked.md
+++ b/cpp/change-notes/2021-11-25-certificate-not-checked.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* A new query `cpp/certificate-not-checked` has been added for C/C++. The query flags unsafe use of OpenSSL and similar libraries.
--- a/cpp/change-notes/2021-11-25-certificate-result-conflation.md
+++ b/cpp/change-notes/2021-11-25-certificate-result-conflation.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* A new query `cpp/certificate-result-conflation` has been added for C/C++. The query flags unsafe use of OpenSSL and similar libraries.
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
@@ -289,6 +289,7 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

+pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
    config.isBarrier(n)
@@ -307,11 +308,23 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 }

 pragma[nomagic]
-private predicate sourceNode(NodeEx node, Configuration config) { config.isSource(node.asNode()) }
+private predicate sourceNode(NodeEx node, Configuration config) {
+  config.isSource(node.asNode()) and
+  not fullBarrier(node, config)
+}

 pragma[nomagic]
 private predicate sinkNode(NodeEx node, Configuration config) { config.isSink(node.asNode()) }

+/** Provides the relevant barriers for a step from `node1` to `node2`. */
+pragma[inline]
+private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
+  not fullBarrier(node1, config) and
+  not fullBarrier(node2, config)
+}
+
 /**
 * Holds if data can flow in one local step from `node1` to `node2`.
 */
@@ -320,16 +333,14 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    simpleLocalFlowStepExt(n1, n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    stepFilter(node1, node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.asNode() = n and
-    node2.isImplicitReadNode(n, false)
+    node2.isImplicitReadNode(n, false) and
+    not fullBarrier(node1, config)
  )
 }

@@ -342,16 +353,14 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    stepFilter(node1, node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.isImplicitReadNode(n, true) and
-    node2.asNode() = n
+    node2.asNode() = n and
+    not fullBarrier(node2, config)
  )
 }

@@ -363,10 +372,7 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    jumpStepCached(n1, n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config) and
+    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }
@@ -380,16 +386,14 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config) and
+    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }

 private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  read(node1.asNode(), c, node2.asNode())
+  read(node1.asNode(), c, node2.asNode()) and
+  stepFilter(node1, node2, config)
  or
  exists(Node n |
    node2.isImplicitReadNode(n, true) and
@@ -402,7 +406,8 @@ private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
  store(node1.asNode(), tc, node2.asNode(), contentType) and
-  read(_, tc.getContent(), _, config)
+  read(_, tc.getContent(), _, config) and
+  stepFilter(node1, node2, config)
 }

 pragma[nomagic]
@@ -451,63 +456,59 @@ private module Stage1 {
   * argument in a call.
   */
  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
-    not fullBarrier(node, config) and
-    (
-      sourceNode(node, config) and
-      if hasSourceCallCtx(config) then cc = true else cc = false
+    sourceNode(node, config) and
+    if hasSourceCallCtx(config) then cc = true else cc = false
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, cc, config) and
+      localFlowStep(mid, node, config)
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, cc, config) and
+      additionalLocalFlowStep(mid, node, config)
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, _, config) and
+      jumpStep(mid, node, config) and
+      cc = false
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, _, config) and
+      additionalJumpStep(mid, node, config) and
+      cc = false
+    )
+    or
+    // store
+    exists(NodeEx mid |
+      useFieldFlow(config) and
+      fwdFlow(mid, cc, config) and
+      store(mid, _, node, _, config)
+    )
+    or
+    // read
+    exists(Content c |
+      fwdFlowRead(c, node, cc, config) and
+      fwdFlowConsCand(c, config)
+    )
+    or
+    // flow into a callable
+    exists(NodeEx arg |
+      fwdFlow(arg, _, config) and
+      viableParamArgEx(_, node, arg) and
+      cc = true and
+      not fullBarrier(node, config)
+    )
+    or
+    // flow out of a callable
+    exists(DataFlowCall call |
+      fwdFlowOut(call, node, false, config) and
+      cc = false
      or
-      exists(NodeEx mid |
-        fwdFlow(mid, cc, config) and
-        localFlowStep(mid, node, config)
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, cc, config) and
-        additionalLocalFlowStep(mid, node, config)
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, _, config) and
-        jumpStep(mid, node, config) and
-        cc = false
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, _, config) and
-        additionalJumpStep(mid, node, config) and
-        cc = false
-      )
-      or
-      // store
-      exists(NodeEx mid |
-        useFieldFlow(config) and
-        fwdFlow(mid, cc, config) and
-        store(mid, _, node, _, config) and
-        not outBarrier(mid, config)
-      )
-      or
-      // read
-      exists(Content c |
-        fwdFlowRead(c, node, cc, config) and
-        fwdFlowConsCand(c, config) and
-        not inBarrier(node, config)
-      )
-      or
-      // flow into a callable
-      exists(NodeEx arg |
-        fwdFlow(arg, _, config) and
-        viableParamArgEx(_, node, arg) and
-        cc = true
-      )
-      or
-      // flow out of a callable
-      exists(DataFlowCall call |
-        fwdFlowOut(call, node, false, config) and
-        cc = false
-        or
-        fwdFlowOutFromArg(call, node, config) and
-        fwdFlowIsEntered(call, cc, config)
-      )
+      fwdFlowOutFromArg(call, node, config) and
+      fwdFlowIsEntered(call, cc, config)
    )
  }

@@ -547,7 +548,8 @@ private module Stage1 {
  private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
    exists(ReturnPosition pos |
      fwdFlowReturnPosition(pos, cc, config) and
-      viableReturnPosOutEx(call, pos, out)
+      viableReturnPosOutEx(call, pos, out) and
+      not fullBarrier(out, config)
    )
  }

@@ -773,6 +775,7 @@ private module Stage1 {
   * Holds if flow may enter through `p` and reach a return node making `p` a
   * candidate for the origin of a summary.
   */
+  pragma[nomagic]
  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
    exists(ReturnKindExt kind |
      throughFlowNodeCand(p, config) and
@@ -1009,6 +1012,9 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1017,14 +1023,23 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -1037,6 +1052,13 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1107,7 +1129,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1142,9 +1164,8 @@ private module Stage2 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1159,9 +1180,8 @@ private module Stage2 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1171,10 +1191,8 @@ private module Stage2 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1188,7 +1206,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
    )
  }

@@ -1230,6 +1248,11 @@ private module Stage2 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -1306,7 +1329,7 @@ private module Stage2 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -1341,9 +1364,8 @@ private module Stage2 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1353,9 +1375,8 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1365,9 +1386,8 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1707,12 +1727,14 @@ private module Stage3 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -1837,9 +1859,8 @@ private module Stage3 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1854,9 +1875,8 @@ private module Stage3 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1866,10 +1886,8 @@ private module Stage3 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1925,6 +1943,11 @@ private module Stage3 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2001,7 +2024,7 @@ private module Stage3 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2036,9 +2059,8 @@ private module Stage3 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2048,9 +2070,8 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2060,9 +2081,8 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2473,12 +2493,14 @@ private module Stage4 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -2603,9 +2625,8 @@ private module Stage4 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2620,9 +2641,8 @@ private module Stage4 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2632,10 +2652,8 @@ private module Stage4 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2691,6 +2709,11 @@ private module Stage4 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2767,7 +2790,7 @@ private module Stage4 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2802,9 +2825,8 @@ private module Stage4 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2814,9 +2836,8 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2826,9 +2847,8 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -289,6 +289,7 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

+pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
    config.isBarrier(n)
@@ -307,11 +308,23 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 }

 pragma[nomagic]
-private predicate sourceNode(NodeEx node, Configuration config) { config.isSource(node.asNode()) }
+private predicate sourceNode(NodeEx node, Configuration config) {
+  config.isSource(node.asNode()) and
+  not fullBarrier(node, config)
+}

 pragma[nomagic]
 private predicate sinkNode(NodeEx node, Configuration config) { config.isSink(node.asNode()) }

+/** Provides the relevant barriers for a step from `node1` to `node2`. */
+pragma[inline]
+private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
+  not fullBarrier(node1, config) and
+  not fullBarrier(node2, config)
+}
+
 /**
 * Holds if data can flow in one local step from `node1` to `node2`.
 */
@@ -320,16 +333,14 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    simpleLocalFlowStepExt(n1, n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    stepFilter(node1, node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.asNode() = n and
-    node2.isImplicitReadNode(n, false)
+    node2.isImplicitReadNode(n, false) and
+    not fullBarrier(node1, config)
  )
 }

@@ -342,16 +353,14 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    stepFilter(node1, node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.isImplicitReadNode(n, true) and
-    node2.asNode() = n
+    node2.asNode() = n and
+    not fullBarrier(node2, config)
  )
 }

@@ -363,10 +372,7 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    jumpStepCached(n1, n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config) and
+    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }
@@ -380,16 +386,14 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config) and
+    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }

 private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  read(node1.asNode(), c, node2.asNode())
+  read(node1.asNode(), c, node2.asNode()) and
+  stepFilter(node1, node2, config)
  or
  exists(Node n |
    node2.isImplicitReadNode(n, true) and
@@ -402,7 +406,8 @@ private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
  store(node1.asNode(), tc, node2.asNode(), contentType) and
-  read(_, tc.getContent(), _, config)
+  read(_, tc.getContent(), _, config) and
+  stepFilter(node1, node2, config)
 }

 pragma[nomagic]
@@ -451,63 +456,59 @@ private module Stage1 {
   * argument in a call.
   */
  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
-    not fullBarrier(node, config) and
-    (
-      sourceNode(node, config) and
-      if hasSourceCallCtx(config) then cc = true else cc = false
+    sourceNode(node, config) and
+    if hasSourceCallCtx(config) then cc = true else cc = false
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, cc, config) and
+      localFlowStep(mid, node, config)
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, cc, config) and
+      additionalLocalFlowStep(mid, node, config)
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, _, config) and
+      jumpStep(mid, node, config) and
+      cc = false
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, _, config) and
+      additionalJumpStep(mid, node, config) and
+      cc = false
+    )
+    or
+    // store
+    exists(NodeEx mid |
+      useFieldFlow(config) and
+      fwdFlow(mid, cc, config) and
+      store(mid, _, node, _, config)
+    )
+    or
+    // read
+    exists(Content c |
+      fwdFlowRead(c, node, cc, config) and
+      fwdFlowConsCand(c, config)
+    )
+    or
+    // flow into a callable
+    exists(NodeEx arg |
+      fwdFlow(arg, _, config) and
+      viableParamArgEx(_, node, arg) and
+      cc = true and
+      not fullBarrier(node, config)
+    )
+    or
+    // flow out of a callable
+    exists(DataFlowCall call |
+      fwdFlowOut(call, node, false, config) and
+      cc = false
      or
-      exists(NodeEx mid |
-        fwdFlow(mid, cc, config) and
-        localFlowStep(mid, node, config)
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, cc, config) and
-        additionalLocalFlowStep(mid, node, config)
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, _, config) and
-        jumpStep(mid, node, config) and
-        cc = false
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, _, config) and
-        additionalJumpStep(mid, node, config) and
-        cc = false
-      )
-      or
-      // store
-      exists(NodeEx mid |
-        useFieldFlow(config) and
-        fwdFlow(mid, cc, config) and
-        store(mid, _, node, _, config) and
-        not outBarrier(mid, config)
-      )
-      or
-      // read
-      exists(Content c |
-        fwdFlowRead(c, node, cc, config) and
-        fwdFlowConsCand(c, config) and
-        not inBarrier(node, config)
-      )
-      or
-      // flow into a callable
-      exists(NodeEx arg |
-        fwdFlow(arg, _, config) and
-        viableParamArgEx(_, node, arg) and
-        cc = true
-      )
-      or
-      // flow out of a callable
-      exists(DataFlowCall call |
-        fwdFlowOut(call, node, false, config) and
-        cc = false
-        or
-        fwdFlowOutFromArg(call, node, config) and
-        fwdFlowIsEntered(call, cc, config)
-      )
+      fwdFlowOutFromArg(call, node, config) and
+      fwdFlowIsEntered(call, cc, config)
    )
  }

@@ -547,7 +548,8 @@ private module Stage1 {
  private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
    exists(ReturnPosition pos |
      fwdFlowReturnPosition(pos, cc, config) and
-      viableReturnPosOutEx(call, pos, out)
+      viableReturnPosOutEx(call, pos, out) and
+      not fullBarrier(out, config)
    )
  }

@@ -773,6 +775,7 @@ private module Stage1 {
   * Holds if flow may enter through `p` and reach a return node making `p` a
   * candidate for the origin of a summary.
   */
+  pragma[nomagic]
  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
    exists(ReturnKindExt kind |
      throughFlowNodeCand(p, config) and
@@ -1009,6 +1012,9 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1017,14 +1023,23 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -1037,6 +1052,13 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1107,7 +1129,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1142,9 +1164,8 @@ private module Stage2 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1159,9 +1180,8 @@ private module Stage2 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1171,10 +1191,8 @@ private module Stage2 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1188,7 +1206,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
    )
  }

@@ -1230,6 +1248,11 @@ private module Stage2 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -1306,7 +1329,7 @@ private module Stage2 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -1341,9 +1364,8 @@ private module Stage2 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1353,9 +1375,8 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1365,9 +1386,8 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1707,12 +1727,14 @@ private module Stage3 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -1837,9 +1859,8 @@ private module Stage3 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1854,9 +1875,8 @@ private module Stage3 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1866,10 +1886,8 @@ private module Stage3 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1925,6 +1943,11 @@ private module Stage3 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2001,7 +2024,7 @@ private module Stage3 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2036,9 +2059,8 @@ private module Stage3 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2048,9 +2070,8 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2060,9 +2081,8 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2473,12 +2493,14 @@ private module Stage4 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -2603,9 +2625,8 @@ private module Stage4 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2620,9 +2641,8 @@ private module Stage4 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2632,10 +2652,8 @@ private module Stage4 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2691,6 +2709,11 @@ private module Stage4 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2767,7 +2790,7 @@ private module Stage4 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2802,9 +2825,8 @@ private module Stage4 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2814,9 +2836,8 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2826,9 +2847,8 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -289,6 +289,7 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

+pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
    config.isBarrier(n)
@@ -307,11 +308,23 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 }

 pragma[nomagic]
-private predicate sourceNode(NodeEx node, Configuration config) { config.isSource(node.asNode()) }
+private predicate sourceNode(NodeEx node, Configuration config) {
+  config.isSource(node.asNode()) and
+  not fullBarrier(node, config)
+}

 pragma[nomagic]
 private predicate sinkNode(NodeEx node, Configuration config) { config.isSink(node.asNode()) }

+/** Provides the relevant barriers for a step from `node1` to `node2`. */
+pragma[inline]
+private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
+  not fullBarrier(node1, config) and
+  not fullBarrier(node2, config)
+}
+
 /**
 * Holds if data can flow in one local step from `node1` to `node2`.
 */
@@ -320,16 +333,14 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    simpleLocalFlowStepExt(n1, n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    stepFilter(node1, node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.asNode() = n and
-    node2.isImplicitReadNode(n, false)
+    node2.isImplicitReadNode(n, false) and
+    not fullBarrier(node1, config)
  )
 }

@@ -342,16 +353,14 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    stepFilter(node1, node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.isImplicitReadNode(n, true) and
-    node2.asNode() = n
+    node2.asNode() = n and
+    not fullBarrier(node2, config)
  )
 }

@@ -363,10 +372,7 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    jumpStepCached(n1, n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config) and
+    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }
@@ -380,16 +386,14 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config) and
+    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }

 private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  read(node1.asNode(), c, node2.asNode())
+  read(node1.asNode(), c, node2.asNode()) and
+  stepFilter(node1, node2, config)
  or
  exists(Node n |
    node2.isImplicitReadNode(n, true) and
@@ -402,7 +406,8 @@ private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
  store(node1.asNode(), tc, node2.asNode(), contentType) and
-  read(_, tc.getContent(), _, config)
+  read(_, tc.getContent(), _, config) and
+  stepFilter(node1, node2, config)
 }

 pragma[nomagic]
@@ -451,63 +456,59 @@ private module Stage1 {
   * argument in a call.
   */
  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
-    not fullBarrier(node, config) and
-    (
-      sourceNode(node, config) and
-      if hasSourceCallCtx(config) then cc = true else cc = false
+    sourceNode(node, config) and
+    if hasSourceCallCtx(config) then cc = true else cc = false
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, cc, config) and
+      localFlowStep(mid, node, config)
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, cc, config) and
+      additionalLocalFlowStep(mid, node, config)
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, _, config) and
+      jumpStep(mid, node, config) and
+      cc = false
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, _, config) and
+      additionalJumpStep(mid, node, config) and
+      cc = false
+    )
+    or
+    // store
+    exists(NodeEx mid |
+      useFieldFlow(config) and
+      fwdFlow(mid, cc, config) and
+      store(mid, _, node, _, config)
+    )
+    or
+    // read
+    exists(Content c |
+      fwdFlowRead(c, node, cc, config) and
+      fwdFlowConsCand(c, config)
+    )
+    or
+    // flow into a callable
+    exists(NodeEx arg |
+      fwdFlow(arg, _, config) and
+      viableParamArgEx(_, node, arg) and
+      cc = true and
+      not fullBarrier(node, config)
+    )
+    or
+    // flow out of a callable
+    exists(DataFlowCall call |
+      fwdFlowOut(call, node, false, config) and
+      cc = false
      or
-      exists(NodeEx mid |
-        fwdFlow(mid, cc, config) and
-        localFlowStep(mid, node, config)
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, cc, config) and
-        additionalLocalFlowStep(mid, node, config)
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, _, config) and
-        jumpStep(mid, node, config) and
-        cc = false
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, _, config) and
-        additionalJumpStep(mid, node, config) and
-        cc = false
-      )
-      or
-      // store
-      exists(NodeEx mid |
-        useFieldFlow(config) and
-        fwdFlow(mid, cc, config) and
-        store(mid, _, node, _, config) and
-        not outBarrier(mid, config)
-      )
-      or
-      // read
-      exists(Content c |
-        fwdFlowRead(c, node, cc, config) and
-        fwdFlowConsCand(c, config) and
-        not inBarrier(node, config)
-      )
-      or
-      // flow into a callable
-      exists(NodeEx arg |
-        fwdFlow(arg, _, config) and
-        viableParamArgEx(_, node, arg) and
-        cc = true
-      )
-      or
-      // flow out of a callable
-      exists(DataFlowCall call |
-        fwdFlowOut(call, node, false, config) and
-        cc = false
-        or
-        fwdFlowOutFromArg(call, node, config) and
-        fwdFlowIsEntered(call, cc, config)
-      )
+      fwdFlowOutFromArg(call, node, config) and
+      fwdFlowIsEntered(call, cc, config)
    )
  }

@@ -547,7 +548,8 @@ private module Stage1 {
  private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
    exists(ReturnPosition pos |
      fwdFlowReturnPosition(pos, cc, config) and
-      viableReturnPosOutEx(call, pos, out)
+      viableReturnPosOutEx(call, pos, out) and
+      not fullBarrier(out, config)
    )
  }

@@ -773,6 +775,7 @@ private module Stage1 {
   * Holds if flow may enter through `p` and reach a return node making `p` a
   * candidate for the origin of a summary.
   */
+  pragma[nomagic]
  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
    exists(ReturnKindExt kind |
      throughFlowNodeCand(p, config) and
@@ -1009,6 +1012,9 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1017,14 +1023,23 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -1037,6 +1052,13 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1107,7 +1129,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1142,9 +1164,8 @@ private module Stage2 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1159,9 +1180,8 @@ private module Stage2 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1171,10 +1191,8 @@ private module Stage2 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1188,7 +1206,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
    )
  }

@@ -1230,6 +1248,11 @@ private module Stage2 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -1306,7 +1329,7 @@ private module Stage2 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -1341,9 +1364,8 @@ private module Stage2 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1353,9 +1375,8 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1365,9 +1386,8 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1707,12 +1727,14 @@ private module Stage3 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -1837,9 +1859,8 @@ private module Stage3 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1854,9 +1875,8 @@ private module Stage3 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1866,10 +1886,8 @@ private module Stage3 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1925,6 +1943,11 @@ private module Stage3 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2001,7 +2024,7 @@ private module Stage3 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2036,9 +2059,8 @@ private module Stage3 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2048,9 +2070,8 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2060,9 +2081,8 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2473,12 +2493,14 @@ private module Stage4 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -2603,9 +2625,8 @@ private module Stage4 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2620,9 +2641,8 @@ private module Stage4 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2632,10 +2652,8 @@ private module Stage4 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2691,6 +2709,11 @@ private module Stage4 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2767,7 +2790,7 @@ private module Stage4 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2802,9 +2825,8 @@ private module Stage4 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2814,9 +2836,8 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2826,9 +2847,8 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -289,6 +289,7 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

+pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
    config.isBarrier(n)
@@ -307,11 +308,23 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 }

 pragma[nomagic]
-private predicate sourceNode(NodeEx node, Configuration config) { config.isSource(node.asNode()) }
+private predicate sourceNode(NodeEx node, Configuration config) {
+  config.isSource(node.asNode()) and
+  not fullBarrier(node, config)
+}

 pragma[nomagic]
 private predicate sinkNode(NodeEx node, Configuration config) { config.isSink(node.asNode()) }

+/** Provides the relevant barriers for a step from `node1` to `node2`. */
+pragma[inline]
+private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
+  not fullBarrier(node1, config) and
+  not fullBarrier(node2, config)
+}
+
 /**
 * Holds if data can flow in one local step from `node1` to `node2`.
 */
@@ -320,16 +333,14 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    simpleLocalFlowStepExt(n1, n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    stepFilter(node1, node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.asNode() = n and
-    node2.isImplicitReadNode(n, false)
+    node2.isImplicitReadNode(n, false) and
+    not fullBarrier(node1, config)
  )
 }

@@ -342,16 +353,14 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    stepFilter(node1, node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.isImplicitReadNode(n, true) and
-    node2.asNode() = n
+    node2.asNode() = n and
+    not fullBarrier(node2, config)
  )
 }

@@ -363,10 +372,7 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    jumpStepCached(n1, n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config) and
+    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }
@@ -380,16 +386,14 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config) and
+    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }

 private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  read(node1.asNode(), c, node2.asNode())
+  read(node1.asNode(), c, node2.asNode()) and
+  stepFilter(node1, node2, config)
  or
  exists(Node n |
    node2.isImplicitReadNode(n, true) and
@@ -402,7 +406,8 @@ private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
  store(node1.asNode(), tc, node2.asNode(), contentType) and
-  read(_, tc.getContent(), _, config)
+  read(_, tc.getContent(), _, config) and
+  stepFilter(node1, node2, config)
 }

 pragma[nomagic]
@@ -451,63 +456,59 @@ private module Stage1 {
   * argument in a call.
   */
  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
-    not fullBarrier(node, config) and
-    (
-      sourceNode(node, config) and
-      if hasSourceCallCtx(config) then cc = true else cc = false
+    sourceNode(node, config) and
+    if hasSourceCallCtx(config) then cc = true else cc = false
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, cc, config) and
+      localFlowStep(mid, node, config)
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, cc, config) and
+      additionalLocalFlowStep(mid, node, config)
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, _, config) and
+      jumpStep(mid, node, config) and
+      cc = false
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, _, config) and
+      additionalJumpStep(mid, node, config) and
+      cc = false
+    )
+    or
+    // store
+    exists(NodeEx mid |
+      useFieldFlow(config) and
+      fwdFlow(mid, cc, config) and
+      store(mid, _, node, _, config)
+    )
+    or
+    // read
+    exists(Content c |
+      fwdFlowRead(c, node, cc, config) and
+      fwdFlowConsCand(c, config)
+    )
+    or
+    // flow into a callable
+    exists(NodeEx arg |
+      fwdFlow(arg, _, config) and
+      viableParamArgEx(_, node, arg) and
+      cc = true and
+      not fullBarrier(node, config)
+    )
+    or
+    // flow out of a callable
+    exists(DataFlowCall call |
+      fwdFlowOut(call, node, false, config) and
+      cc = false
      or
-      exists(NodeEx mid |
-        fwdFlow(mid, cc, config) and
-        localFlowStep(mid, node, config)
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, cc, config) and
-        additionalLocalFlowStep(mid, node, config)
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, _, config) and
-        jumpStep(mid, node, config) and
-        cc = false
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, _, config) and
-        additionalJumpStep(mid, node, config) and
-        cc = false
-      )
-      or
-      // store
-      exists(NodeEx mid |
-        useFieldFlow(config) and
-        fwdFlow(mid, cc, config) and
-        store(mid, _, node, _, config) and
-        not outBarrier(mid, config)
-      )
-      or
-      // read
-      exists(Content c |
-        fwdFlowRead(c, node, cc, config) and
-        fwdFlowConsCand(c, config) and
-        not inBarrier(node, config)
-      )
-      or
-      // flow into a callable
-      exists(NodeEx arg |
-        fwdFlow(arg, _, config) and
-        viableParamArgEx(_, node, arg) and
-        cc = true
-      )
-      or
-      // flow out of a callable
-      exists(DataFlowCall call |
-        fwdFlowOut(call, node, false, config) and
-        cc = false
-        or
-        fwdFlowOutFromArg(call, node, config) and
-        fwdFlowIsEntered(call, cc, config)
-      )
+      fwdFlowOutFromArg(call, node, config) and
+      fwdFlowIsEntered(call, cc, config)
    )
  }

@@ -547,7 +548,8 @@ private module Stage1 {
  private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
    exists(ReturnPosition pos |
      fwdFlowReturnPosition(pos, cc, config) and
-      viableReturnPosOutEx(call, pos, out)
+      viableReturnPosOutEx(call, pos, out) and
+      not fullBarrier(out, config)
    )
  }

@@ -773,6 +775,7 @@ private module Stage1 {
   * Holds if flow may enter through `p` and reach a return node making `p` a
   * candidate for the origin of a summary.
   */
+  pragma[nomagic]
  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
    exists(ReturnKindExt kind |
      throughFlowNodeCand(p, config) and
@@ -1009,6 +1012,9 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1017,14 +1023,23 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -1037,6 +1052,13 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1107,7 +1129,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1142,9 +1164,8 @@ private module Stage2 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1159,9 +1180,8 @@ private module Stage2 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1171,10 +1191,8 @@ private module Stage2 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1188,7 +1206,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
    )
  }

@@ -1230,6 +1248,11 @@ private module Stage2 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -1306,7 +1329,7 @@ private module Stage2 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -1341,9 +1364,8 @@ private module Stage2 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1353,9 +1375,8 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1365,9 +1386,8 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1707,12 +1727,14 @@ private module Stage3 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -1837,9 +1859,8 @@ private module Stage3 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1854,9 +1875,8 @@ private module Stage3 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1866,10 +1886,8 @@ private module Stage3 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1925,6 +1943,11 @@ private module Stage3 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2001,7 +2024,7 @@ private module Stage3 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2036,9 +2059,8 @@ private module Stage3 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2048,9 +2070,8 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2060,9 +2081,8 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2473,12 +2493,14 @@ private module Stage4 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -2603,9 +2625,8 @@ private module Stage4 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2620,9 +2641,8 @@ private module Stage4 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2632,10 +2652,8 @@ private module Stage4 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2691,6 +2709,11 @@ private module Stage4 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2767,7 +2790,7 @@ private module Stage4 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2802,9 +2825,8 @@ private module Stage4 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2814,9 +2836,8 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2826,9 +2847,8 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll
@@ -9,6 +9,19 @@ private import tainttracking1.TaintTrackingParameter::Private
 private import tainttracking1.TaintTrackingParameter::Public

 module Consistency {
+  private newtype TConsistencyConfiguration = MkConsistencyConfiguration()
+
+  /** A class for configuring the consistency queries. */
+  class ConsistencyConfiguration extends TConsistencyConfiguration {
+    string toString() { none() }
+
+    /** Holds if `n` should be excluded from the consistency test `postWithInFlow`. */
+    predicate postWithInFlowExclude(Node n) { none() }
+
+    /** Holds if `n` should be excluded from the consistency test `argHasPostUpdate`. */
+    predicate argHasPostUpdateExclude(ArgumentNode n) { none() }
+  }
+
  private class RelevantNode extends Node {
    RelevantNode() {
      this instanceof ArgumentNode or
@@ -164,7 +177,7 @@ module Consistency {

  query predicate argHasPostUpdate(ArgumentNode n, string msg) {
    not hasPost(n) and
-    not isImmutableOrUnobservable(n) and
+    not any(ConsistencyConfiguration c).argHasPostUpdateExclude(n) and
    msg = "ArgumentNode is missing PostUpdateNode."
  }

@@ -177,6 +190,7 @@ module Consistency {
    isPostUpdateNode(n) and
    not clearsContent(n, _) and
    simpleLocalFlowStep(_, n) and
+    not any(ConsistencyConfiguration c).postWithInFlowExclude(n) and
    msg = "PostUpdateNode should not be the target of local flow."
  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -289,6 +289,7 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

+pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
    config.isBarrier(n)
@@ -307,11 +308,23 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 }

 pragma[nomagic]
-private predicate sourceNode(NodeEx node, Configuration config) { config.isSource(node.asNode()) }
+private predicate sourceNode(NodeEx node, Configuration config) {
+  config.isSource(node.asNode()) and
+  not fullBarrier(node, config)
+}

 pragma[nomagic]
 private predicate sinkNode(NodeEx node, Configuration config) { config.isSink(node.asNode()) }

+/** Provides the relevant barriers for a step from `node1` to `node2`. */
+pragma[inline]
+private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
+  not fullBarrier(node1, config) and
+  not fullBarrier(node2, config)
+}
+
 /**
 * Holds if data can flow in one local step from `node1` to `node2`.
 */
@@ -320,16 +333,14 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    simpleLocalFlowStepExt(n1, n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    stepFilter(node1, node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.asNode() = n and
-    node2.isImplicitReadNode(n, false)
+    node2.isImplicitReadNode(n, false) and
+    not fullBarrier(node1, config)
  )
 }

@@ -342,16 +353,14 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    stepFilter(node1, node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.isImplicitReadNode(n, true) and
-    node2.asNode() = n
+    node2.asNode() = n and
+    not fullBarrier(node2, config)
  )
 }

@@ -363,10 +372,7 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    jumpStepCached(n1, n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config) and
+    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }
@@ -380,16 +386,14 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config) and
+    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }

 private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  read(node1.asNode(), c, node2.asNode())
+  read(node1.asNode(), c, node2.asNode()) and
+  stepFilter(node1, node2, config)
  or
  exists(Node n |
    node2.isImplicitReadNode(n, true) and
@@ -402,7 +406,8 @@ private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
  store(node1.asNode(), tc, node2.asNode(), contentType) and
-  read(_, tc.getContent(), _, config)
+  read(_, tc.getContent(), _, config) and
+  stepFilter(node1, node2, config)
 }

 pragma[nomagic]
@@ -451,63 +456,59 @@ private module Stage1 {
   * argument in a call.
   */
  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
-    not fullBarrier(node, config) and
-    (
-      sourceNode(node, config) and
-      if hasSourceCallCtx(config) then cc = true else cc = false
+    sourceNode(node, config) and
+    if hasSourceCallCtx(config) then cc = true else cc = false
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, cc, config) and
+      localFlowStep(mid, node, config)
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, cc, config) and
+      additionalLocalFlowStep(mid, node, config)
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, _, config) and
+      jumpStep(mid, node, config) and
+      cc = false
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, _, config) and
+      additionalJumpStep(mid, node, config) and
+      cc = false
+    )
+    or
+    // store
+    exists(NodeEx mid |
+      useFieldFlow(config) and
+      fwdFlow(mid, cc, config) and
+      store(mid, _, node, _, config)
+    )
+    or
+    // read
+    exists(Content c |
+      fwdFlowRead(c, node, cc, config) and
+      fwdFlowConsCand(c, config)
+    )
+    or
+    // flow into a callable
+    exists(NodeEx arg |
+      fwdFlow(arg, _, config) and
+      viableParamArgEx(_, node, arg) and
+      cc = true and
+      not fullBarrier(node, config)
+    )
+    or
+    // flow out of a callable
+    exists(DataFlowCall call |
+      fwdFlowOut(call, node, false, config) and
+      cc = false
      or
-      exists(NodeEx mid |
-        fwdFlow(mid, cc, config) and
-        localFlowStep(mid, node, config)
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, cc, config) and
-        additionalLocalFlowStep(mid, node, config)
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, _, config) and
-        jumpStep(mid, node, config) and
-        cc = false
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, _, config) and
-        additionalJumpStep(mid, node, config) and
-        cc = false
-      )
-      or
-      // store
-      exists(NodeEx mid |
-        useFieldFlow(config) and
-        fwdFlow(mid, cc, config) and
-        store(mid, _, node, _, config) and
-        not outBarrier(mid, config)
-      )
-      or
-      // read
-      exists(Content c |
-        fwdFlowRead(c, node, cc, config) and
-        fwdFlowConsCand(c, config) and
-        not inBarrier(node, config)
-      )
-      or
-      // flow into a callable
-      exists(NodeEx arg |
-        fwdFlow(arg, _, config) and
-        viableParamArgEx(_, node, arg) and
-        cc = true
-      )
-      or
-      // flow out of a callable
-      exists(DataFlowCall call |
-        fwdFlowOut(call, node, false, config) and
-        cc = false
-        or
-        fwdFlowOutFromArg(call, node, config) and
-        fwdFlowIsEntered(call, cc, config)
-      )
+      fwdFlowOutFromArg(call, node, config) and
+      fwdFlowIsEntered(call, cc, config)
    )
  }

@@ -547,7 +548,8 @@ private module Stage1 {
  private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
    exists(ReturnPosition pos |
      fwdFlowReturnPosition(pos, cc, config) and
-      viableReturnPosOutEx(call, pos, out)
+      viableReturnPosOutEx(call, pos, out) and
+      not fullBarrier(out, config)
    )
  }

@@ -773,6 +775,7 @@ private module Stage1 {
   * Holds if flow may enter through `p` and reach a return node making `p` a
   * candidate for the origin of a summary.
   */
+  pragma[nomagic]
  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
    exists(ReturnKindExt kind |
      throughFlowNodeCand(p, config) and
@@ -1009,6 +1012,9 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1017,14 +1023,23 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -1037,6 +1052,13 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1107,7 +1129,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1142,9 +1164,8 @@ private module Stage2 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1159,9 +1180,8 @@ private module Stage2 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1171,10 +1191,8 @@ private module Stage2 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1188,7 +1206,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
    )
  }

@@ -1230,6 +1248,11 @@ private module Stage2 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -1306,7 +1329,7 @@ private module Stage2 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -1341,9 +1364,8 @@ private module Stage2 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1353,9 +1375,8 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1365,9 +1386,8 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1707,12 +1727,14 @@ private module Stage3 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -1837,9 +1859,8 @@ private module Stage3 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1854,9 +1875,8 @@ private module Stage3 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1866,10 +1886,8 @@ private module Stage3 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1925,6 +1943,11 @@ private module Stage3 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2001,7 +2024,7 @@ private module Stage3 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2036,9 +2059,8 @@ private module Stage3 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2048,9 +2070,8 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2060,9 +2081,8 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2473,12 +2493,14 @@ private module Stage4 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -2603,9 +2625,8 @@ private module Stage4 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2620,9 +2641,8 @@ private module Stage4 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2632,10 +2652,8 @@ private module Stage4 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2691,6 +2709,11 @@ private module Stage4 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2767,7 +2790,7 @@ private module Stage4 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2802,9 +2825,8 @@ private module Stage4 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2814,9 +2836,8 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2826,9 +2847,8 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll
@@ -2,6 +2,7 @@ private import cpp
 private import DataFlowUtil
 private import DataFlowDispatch
 private import FlowVar
+private import DataFlowImplConsistency

 /** Gets the callable in which this node occurs. */
 DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.getEnclosingCallable() }
@@ -259,27 +260,6 @@ class Unit extends TUnit {
  string toString() { result = "unit" }
 }

-/**
- * Holds if `n` does not require a `PostUpdateNode` as it either cannot be
- * modified or its modification cannot be observed, for example if it is a
- * freshly created object that is not saved in a variable.
- *
- * This predicate is only used for consistency checks.
- */
-predicate isImmutableOrUnobservable(Node n) {
-  // Is the null pointer (or something that's not really a pointer)
-  exists(n.asExpr().getValue())
-  or
-  // Isn't a pointer or is a pointer to const
-  forall(DerivedType dt | dt = n.asExpr().getActualType() |
-    dt.getBaseType().isConst()
-    or
-    dt.getBaseType() instanceof RoutineType
-  )
-  // The above list of cases isn't exhaustive, but it narrows down the
-  // consistency alerts enough that most of them are interesting.
-}
-
 /** Holds if `n` should be hidden from path explanations. */
 predicate nodeIsHidden(Node n) { none() }

@@ -302,3 +282,19 @@ predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preserves
 * by default as a heuristic.
 */
 predicate allowParameterReturnInSelf(ParameterNode p) { none() }
+
+private class MyConsistencyConfiguration extends Consistency::ConsistencyConfiguration {
+  override predicate argHasPostUpdateExclude(ArgumentNode n) {
+    // Is the null pointer (or something that's not really a pointer)
+    exists(n.asExpr().getValue())
+    or
+    // Isn't a pointer or is a pointer to const
+    forall(DerivedType dt | dt = n.asExpr().getActualType() |
+      dt.getBaseType().isConst()
+      or
+      dt.getBaseType() instanceof RoutineType
+    )
+    // The above list of cases isn't exhaustive, but it narrows down the
+    // consistency alerts enough that most of them are interesting.
+  }
+}
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
@@ -484,8 +484,9 @@ module TaintedWithPath {
    /** Gets the element that `pathNode` wraps, if any. */
    Element getElementFromPathNode(PathNode pathNode) {
      exists(DataFlow::Node node | node = pathNode.(WrapPathNode).inner().getNode() |
-        result = node.asExpr() or
-        result = node.asParameter()
+        result = node.asInstruction().getAST()
+        or
+        result = node.asOperand().getDef().getAST()
      )
      or
      result = pathNode.(EndpointPathNode).inner()
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -289,6 +289,7 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

+pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
    config.isBarrier(n)
@@ -307,11 +308,23 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 }

 pragma[nomagic]
-private predicate sourceNode(NodeEx node, Configuration config) { config.isSource(node.asNode()) }
+private predicate sourceNode(NodeEx node, Configuration config) {
+  config.isSource(node.asNode()) and
+  not fullBarrier(node, config)
+}

 pragma[nomagic]
 private predicate sinkNode(NodeEx node, Configuration config) { config.isSink(node.asNode()) }

+/** Provides the relevant barriers for a step from `node1` to `node2`. */
+pragma[inline]
+private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
+  not fullBarrier(node1, config) and
+  not fullBarrier(node2, config)
+}
+
 /**
 * Holds if data can flow in one local step from `node1` to `node2`.
 */
@@ -320,16 +333,14 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    simpleLocalFlowStepExt(n1, n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    stepFilter(node1, node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.asNode() = n and
-    node2.isImplicitReadNode(n, false)
+    node2.isImplicitReadNode(n, false) and
+    not fullBarrier(node1, config)
  )
 }

@@ -342,16 +353,14 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    stepFilter(node1, node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.isImplicitReadNode(n, true) and
-    node2.asNode() = n
+    node2.asNode() = n and
+    not fullBarrier(node2, config)
  )
 }

@@ -363,10 +372,7 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    jumpStepCached(n1, n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config) and
+    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }
@@ -380,16 +386,14 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config) and
+    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }

 private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  read(node1.asNode(), c, node2.asNode())
+  read(node1.asNode(), c, node2.asNode()) and
+  stepFilter(node1, node2, config)
  or
  exists(Node n |
    node2.isImplicitReadNode(n, true) and
@@ -402,7 +406,8 @@ private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
  store(node1.asNode(), tc, node2.asNode(), contentType) and
-  read(_, tc.getContent(), _, config)
+  read(_, tc.getContent(), _, config) and
+  stepFilter(node1, node2, config)
 }

 pragma[nomagic]
@@ -451,63 +456,59 @@ private module Stage1 {
   * argument in a call.
   */
  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
-    not fullBarrier(node, config) and
-    (
-      sourceNode(node, config) and
-      if hasSourceCallCtx(config) then cc = true else cc = false
+    sourceNode(node, config) and
+    if hasSourceCallCtx(config) then cc = true else cc = false
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, cc, config) and
+      localFlowStep(mid, node, config)
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, cc, config) and
+      additionalLocalFlowStep(mid, node, config)
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, _, config) and
+      jumpStep(mid, node, config) and
+      cc = false
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, _, config) and
+      additionalJumpStep(mid, node, config) and
+      cc = false
+    )
+    or
+    // store
+    exists(NodeEx mid |
+      useFieldFlow(config) and
+      fwdFlow(mid, cc, config) and
+      store(mid, _, node, _, config)
+    )
+    or
+    // read
+    exists(Content c |
+      fwdFlowRead(c, node, cc, config) and
+      fwdFlowConsCand(c, config)
+    )
+    or
+    // flow into a callable
+    exists(NodeEx arg |
+      fwdFlow(arg, _, config) and
+      viableParamArgEx(_, node, arg) and
+      cc = true and
+      not fullBarrier(node, config)
+    )
+    or
+    // flow out of a callable
+    exists(DataFlowCall call |
+      fwdFlowOut(call, node, false, config) and
+      cc = false
      or
-      exists(NodeEx mid |
-        fwdFlow(mid, cc, config) and
-        localFlowStep(mid, node, config)
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, cc, config) and
-        additionalLocalFlowStep(mid, node, config)
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, _, config) and
-        jumpStep(mid, node, config) and
-        cc = false
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, _, config) and
-        additionalJumpStep(mid, node, config) and
-        cc = false
-      )
-      or
-      // store
-      exists(NodeEx mid |
-        useFieldFlow(config) and
-        fwdFlow(mid, cc, config) and
-        store(mid, _, node, _, config) and
-        not outBarrier(mid, config)
-      )
-      or
-      // read
-      exists(Content c |
-        fwdFlowRead(c, node, cc, config) and
-        fwdFlowConsCand(c, config) and
-        not inBarrier(node, config)
-      )
-      or
-      // flow into a callable
-      exists(NodeEx arg |
-        fwdFlow(arg, _, config) and
-        viableParamArgEx(_, node, arg) and
-        cc = true
-      )
-      or
-      // flow out of a callable
-      exists(DataFlowCall call |
-        fwdFlowOut(call, node, false, config) and
-        cc = false
-        or
-        fwdFlowOutFromArg(call, node, config) and
-        fwdFlowIsEntered(call, cc, config)
-      )
+      fwdFlowOutFromArg(call, node, config) and
+      fwdFlowIsEntered(call, cc, config)
    )
  }

@@ -547,7 +548,8 @@ private module Stage1 {
  private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
    exists(ReturnPosition pos |
      fwdFlowReturnPosition(pos, cc, config) and
-      viableReturnPosOutEx(call, pos, out)
+      viableReturnPosOutEx(call, pos, out) and
+      not fullBarrier(out, config)
    )
  }

@@ -773,6 +775,7 @@ private module Stage1 {
   * Holds if flow may enter through `p` and reach a return node making `p` a
   * candidate for the origin of a summary.
   */
+  pragma[nomagic]
  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
    exists(ReturnKindExt kind |
      throughFlowNodeCand(p, config) and
@@ -1009,6 +1012,9 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1017,14 +1023,23 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -1037,6 +1052,13 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1107,7 +1129,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1142,9 +1164,8 @@ private module Stage2 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1159,9 +1180,8 @@ private module Stage2 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1171,10 +1191,8 @@ private module Stage2 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1188,7 +1206,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
    )
  }

@@ -1230,6 +1248,11 @@ private module Stage2 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -1306,7 +1329,7 @@ private module Stage2 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -1341,9 +1364,8 @@ private module Stage2 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1353,9 +1375,8 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1365,9 +1386,8 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1707,12 +1727,14 @@ private module Stage3 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -1837,9 +1859,8 @@ private module Stage3 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1854,9 +1875,8 @@ private module Stage3 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1866,10 +1886,8 @@ private module Stage3 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1925,6 +1943,11 @@ private module Stage3 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2001,7 +2024,7 @@ private module Stage3 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2036,9 +2059,8 @@ private module Stage3 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2048,9 +2070,8 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2060,9 +2081,8 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2473,12 +2493,14 @@ private module Stage4 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -2603,9 +2625,8 @@ private module Stage4 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2620,9 +2641,8 @@ private module Stage4 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2632,10 +2652,8 @@ private module Stage4 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2691,6 +2709,11 @@ private module Stage4 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2767,7 +2790,7 @@ private module Stage4 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2802,9 +2825,8 @@ private module Stage4 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2814,9 +2836,8 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2826,9 +2847,8 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -289,6 +289,7 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

+pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
    config.isBarrier(n)
@@ -307,11 +308,23 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 }

 pragma[nomagic]
-private predicate sourceNode(NodeEx node, Configuration config) { config.isSource(node.asNode()) }
+private predicate sourceNode(NodeEx node, Configuration config) {
+  config.isSource(node.asNode()) and
+  not fullBarrier(node, config)
+}

 pragma[nomagic]
 private predicate sinkNode(NodeEx node, Configuration config) { config.isSink(node.asNode()) }

+/** Provides the relevant barriers for a step from `node1` to `node2`. */
+pragma[inline]
+private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
+  not fullBarrier(node1, config) and
+  not fullBarrier(node2, config)
+}
+
 /**
 * Holds if data can flow in one local step from `node1` to `node2`.
 */
@@ -320,16 +333,14 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    simpleLocalFlowStepExt(n1, n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    stepFilter(node1, node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.asNode() = n and
-    node2.isImplicitReadNode(n, false)
+    node2.isImplicitReadNode(n, false) and
+    not fullBarrier(node1, config)
  )
 }

@@ -342,16 +353,14 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    stepFilter(node1, node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.isImplicitReadNode(n, true) and
-    node2.asNode() = n
+    node2.asNode() = n and
+    not fullBarrier(node2, config)
  )
 }

@@ -363,10 +372,7 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    jumpStepCached(n1, n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config) and
+    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }
@@ -380,16 +386,14 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config) and
+    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }

 private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  read(node1.asNode(), c, node2.asNode())
+  read(node1.asNode(), c, node2.asNode()) and
+  stepFilter(node1, node2, config)
  or
  exists(Node n |
    node2.isImplicitReadNode(n, true) and
@@ -402,7 +406,8 @@ private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
  store(node1.asNode(), tc, node2.asNode(), contentType) and
-  read(_, tc.getContent(), _, config)
+  read(_, tc.getContent(), _, config) and
+  stepFilter(node1, node2, config)
 }

 pragma[nomagic]
@@ -451,63 +456,59 @@ private module Stage1 {
   * argument in a call.
   */
  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
-    not fullBarrier(node, config) and
-    (
-      sourceNode(node, config) and
-      if hasSourceCallCtx(config) then cc = true else cc = false
+    sourceNode(node, config) and
+    if hasSourceCallCtx(config) then cc = true else cc = false
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, cc, config) and
+      localFlowStep(mid, node, config)
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, cc, config) and
+      additionalLocalFlowStep(mid, node, config)
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, _, config) and
+      jumpStep(mid, node, config) and
+      cc = false
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, _, config) and
+      additionalJumpStep(mid, node, config) and
+      cc = false
+    )
+    or
+    // store
+    exists(NodeEx mid |
+      useFieldFlow(config) and
+      fwdFlow(mid, cc, config) and
+      store(mid, _, node, _, config)
+    )
+    or
+    // read
+    exists(Content c |
+      fwdFlowRead(c, node, cc, config) and
+      fwdFlowConsCand(c, config)
+    )
+    or
+    // flow into a callable
+    exists(NodeEx arg |
+      fwdFlow(arg, _, config) and
+      viableParamArgEx(_, node, arg) and
+      cc = true and
+      not fullBarrier(node, config)
+    )
+    or
+    // flow out of a callable
+    exists(DataFlowCall call |
+      fwdFlowOut(call, node, false, config) and
+      cc = false
      or
-      exists(NodeEx mid |
-        fwdFlow(mid, cc, config) and
-        localFlowStep(mid, node, config)
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, cc, config) and
-        additionalLocalFlowStep(mid, node, config)
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, _, config) and
-        jumpStep(mid, node, config) and
-        cc = false
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, _, config) and
-        additionalJumpStep(mid, node, config) and
-        cc = false
-      )
-      or
-      // store
-      exists(NodeEx mid |
-        useFieldFlow(config) and
-        fwdFlow(mid, cc, config) and
-        store(mid, _, node, _, config) and
-        not outBarrier(mid, config)
-      )
-      or
-      // read
-      exists(Content c |
-        fwdFlowRead(c, node, cc, config) and
-        fwdFlowConsCand(c, config) and
-        not inBarrier(node, config)
-      )
-      or
-      // flow into a callable
-      exists(NodeEx arg |
-        fwdFlow(arg, _, config) and
-        viableParamArgEx(_, node, arg) and
-        cc = true
-      )
-      or
-      // flow out of a callable
-      exists(DataFlowCall call |
-        fwdFlowOut(call, node, false, config) and
-        cc = false
-        or
-        fwdFlowOutFromArg(call, node, config) and
-        fwdFlowIsEntered(call, cc, config)
-      )
+      fwdFlowOutFromArg(call, node, config) and
+      fwdFlowIsEntered(call, cc, config)
    )
  }

@@ -547,7 +548,8 @@ private module Stage1 {
  private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
    exists(ReturnPosition pos |
      fwdFlowReturnPosition(pos, cc, config) and
-      viableReturnPosOutEx(call, pos, out)
+      viableReturnPosOutEx(call, pos, out) and
+      not fullBarrier(out, config)
    )
  }

@@ -773,6 +775,7 @@ private module Stage1 {
   * Holds if flow may enter through `p` and reach a return node making `p` a
   * candidate for the origin of a summary.
   */
+  pragma[nomagic]
  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
    exists(ReturnKindExt kind |
      throughFlowNodeCand(p, config) and
@@ -1009,6 +1012,9 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1017,14 +1023,23 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -1037,6 +1052,13 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1107,7 +1129,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1142,9 +1164,8 @@ private module Stage2 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1159,9 +1180,8 @@ private module Stage2 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1171,10 +1191,8 @@ private module Stage2 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1188,7 +1206,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
    )
  }

@@ -1230,6 +1248,11 @@ private module Stage2 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -1306,7 +1329,7 @@ private module Stage2 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -1341,9 +1364,8 @@ private module Stage2 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1353,9 +1375,8 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1365,9 +1386,8 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1707,12 +1727,14 @@ private module Stage3 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -1837,9 +1859,8 @@ private module Stage3 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1854,9 +1875,8 @@ private module Stage3 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1866,10 +1886,8 @@ private module Stage3 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1925,6 +1943,11 @@ private module Stage3 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2001,7 +2024,7 @@ private module Stage3 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2036,9 +2059,8 @@ private module Stage3 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2048,9 +2070,8 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2060,9 +2081,8 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2473,12 +2493,14 @@ private module Stage4 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -2603,9 +2625,8 @@ private module Stage4 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2620,9 +2641,8 @@ private module Stage4 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2632,10 +2652,8 @@ private module Stage4 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2691,6 +2709,11 @@ private module Stage4 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2767,7 +2790,7 @@ private module Stage4 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2802,9 +2825,8 @@ private module Stage4 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2814,9 +2836,8 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2826,9 +2847,8 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -289,6 +289,7 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

+pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
    config.isBarrier(n)
@@ -307,11 +308,23 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 }

 pragma[nomagic]
-private predicate sourceNode(NodeEx node, Configuration config) { config.isSource(node.asNode()) }
+private predicate sourceNode(NodeEx node, Configuration config) {
+  config.isSource(node.asNode()) and
+  not fullBarrier(node, config)
+}

 pragma[nomagic]
 private predicate sinkNode(NodeEx node, Configuration config) { config.isSink(node.asNode()) }

+/** Provides the relevant barriers for a step from `node1` to `node2`. */
+pragma[inline]
+private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
+  not fullBarrier(node1, config) and
+  not fullBarrier(node2, config)
+}
+
 /**
 * Holds if data can flow in one local step from `node1` to `node2`.
 */
@@ -320,16 +333,14 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    simpleLocalFlowStepExt(n1, n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    stepFilter(node1, node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.asNode() = n and
-    node2.isImplicitReadNode(n, false)
+    node2.isImplicitReadNode(n, false) and
+    not fullBarrier(node1, config)
  )
 }

@@ -342,16 +353,14 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    stepFilter(node1, node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.isImplicitReadNode(n, true) and
-    node2.asNode() = n
+    node2.asNode() = n and
+    not fullBarrier(node2, config)
  )
 }

@@ -363,10 +372,7 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    jumpStepCached(n1, n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config) and
+    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }
@@ -380,16 +386,14 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config) and
+    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }

 private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  read(node1.asNode(), c, node2.asNode())
+  read(node1.asNode(), c, node2.asNode()) and
+  stepFilter(node1, node2, config)
  or
  exists(Node n |
    node2.isImplicitReadNode(n, true) and
@@ -402,7 +406,8 @@ private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
  store(node1.asNode(), tc, node2.asNode(), contentType) and
-  read(_, tc.getContent(), _, config)
+  read(_, tc.getContent(), _, config) and
+  stepFilter(node1, node2, config)
 }

 pragma[nomagic]
@@ -451,63 +456,59 @@ private module Stage1 {
   * argument in a call.
   */
  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
-    not fullBarrier(node, config) and
-    (
-      sourceNode(node, config) and
-      if hasSourceCallCtx(config) then cc = true else cc = false
+    sourceNode(node, config) and
+    if hasSourceCallCtx(config) then cc = true else cc = false
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, cc, config) and
+      localFlowStep(mid, node, config)
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, cc, config) and
+      additionalLocalFlowStep(mid, node, config)
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, _, config) and
+      jumpStep(mid, node, config) and
+      cc = false
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, _, config) and
+      additionalJumpStep(mid, node, config) and
+      cc = false
+    )
+    or
+    // store
+    exists(NodeEx mid |
+      useFieldFlow(config) and
+      fwdFlow(mid, cc, config) and
+      store(mid, _, node, _, config)
+    )
+    or
+    // read
+    exists(Content c |
+      fwdFlowRead(c, node, cc, config) and
+      fwdFlowConsCand(c, config)
+    )
+    or
+    // flow into a callable
+    exists(NodeEx arg |
+      fwdFlow(arg, _, config) and
+      viableParamArgEx(_, node, arg) and
+      cc = true and
+      not fullBarrier(node, config)
+    )
+    or
+    // flow out of a callable
+    exists(DataFlowCall call |
+      fwdFlowOut(call, node, false, config) and
+      cc = false
      or
-      exists(NodeEx mid |
-        fwdFlow(mid, cc, config) and
-        localFlowStep(mid, node, config)
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, cc, config) and
-        additionalLocalFlowStep(mid, node, config)
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, _, config) and
-        jumpStep(mid, node, config) and
-        cc = false
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, _, config) and
-        additionalJumpStep(mid, node, config) and
-        cc = false
-      )
-      or
-      // store
-      exists(NodeEx mid |
-        useFieldFlow(config) and
-        fwdFlow(mid, cc, config) and
-        store(mid, _, node, _, config) and
-        not outBarrier(mid, config)
-      )
-      or
-      // read
-      exists(Content c |
-        fwdFlowRead(c, node, cc, config) and
-        fwdFlowConsCand(c, config) and
-        not inBarrier(node, config)
-      )
-      or
-      // flow into a callable
-      exists(NodeEx arg |
-        fwdFlow(arg, _, config) and
-        viableParamArgEx(_, node, arg) and
-        cc = true
-      )
-      or
-      // flow out of a callable
-      exists(DataFlowCall call |
-        fwdFlowOut(call, node, false, config) and
-        cc = false
-        or
-        fwdFlowOutFromArg(call, node, config) and
-        fwdFlowIsEntered(call, cc, config)
-      )
+      fwdFlowOutFromArg(call, node, config) and
+      fwdFlowIsEntered(call, cc, config)
    )
  }

@@ -547,7 +548,8 @@ private module Stage1 {
  private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
    exists(ReturnPosition pos |
      fwdFlowReturnPosition(pos, cc, config) and
-      viableReturnPosOutEx(call, pos, out)
+      viableReturnPosOutEx(call, pos, out) and
+      not fullBarrier(out, config)
    )
  }

@@ -773,6 +775,7 @@ private module Stage1 {
   * Holds if flow may enter through `p` and reach a return node making `p` a
   * candidate for the origin of a summary.
   */
+  pragma[nomagic]
  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
    exists(ReturnKindExt kind |
      throughFlowNodeCand(p, config) and
@@ -1009,6 +1012,9 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1017,14 +1023,23 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -1037,6 +1052,13 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1107,7 +1129,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1142,9 +1164,8 @@ private module Stage2 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1159,9 +1180,8 @@ private module Stage2 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1171,10 +1191,8 @@ private module Stage2 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1188,7 +1206,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
    )
  }

@@ -1230,6 +1248,11 @@ private module Stage2 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -1306,7 +1329,7 @@ private module Stage2 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -1341,9 +1364,8 @@ private module Stage2 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1353,9 +1375,8 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1365,9 +1386,8 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1707,12 +1727,14 @@ private module Stage3 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -1837,9 +1859,8 @@ private module Stage3 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1854,9 +1875,8 @@ private module Stage3 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1866,10 +1886,8 @@ private module Stage3 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1925,6 +1943,11 @@ private module Stage3 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2001,7 +2024,7 @@ private module Stage3 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2036,9 +2059,8 @@ private module Stage3 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2048,9 +2070,8 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2060,9 +2081,8 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2473,12 +2493,14 @@ private module Stage4 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -2603,9 +2625,8 @@ private module Stage4 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2620,9 +2641,8 @@ private module Stage4 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2632,10 +2652,8 @@ private module Stage4 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2691,6 +2709,11 @@ private module Stage4 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2767,7 +2790,7 @@ private module Stage4 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2802,9 +2825,8 @@ private module Stage4 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2814,9 +2836,8 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2826,9 +2847,8 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -289,6 +289,7 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

+pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
    config.isBarrier(n)
@@ -307,11 +308,23 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 }

 pragma[nomagic]
-private predicate sourceNode(NodeEx node, Configuration config) { config.isSource(node.asNode()) }
+private predicate sourceNode(NodeEx node, Configuration config) {
+  config.isSource(node.asNode()) and
+  not fullBarrier(node, config)
+}

 pragma[nomagic]
 private predicate sinkNode(NodeEx node, Configuration config) { config.isSink(node.asNode()) }

+/** Provides the relevant barriers for a step from `node1` to `node2`. */
+pragma[inline]
+private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
+  not fullBarrier(node1, config) and
+  not fullBarrier(node2, config)
+}
+
 /**
 * Holds if data can flow in one local step from `node1` to `node2`.
 */
@@ -320,16 +333,14 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    simpleLocalFlowStepExt(n1, n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    stepFilter(node1, node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.asNode() = n and
-    node2.isImplicitReadNode(n, false)
+    node2.isImplicitReadNode(n, false) and
+    not fullBarrier(node1, config)
  )
 }

@@ -342,16 +353,14 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    stepFilter(node1, node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.isImplicitReadNode(n, true) and
-    node2.asNode() = n
+    node2.asNode() = n and
+    not fullBarrier(node2, config)
  )
 }

@@ -363,10 +372,7 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    jumpStepCached(n1, n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config) and
+    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }
@@ -380,16 +386,14 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config) and
+    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }

 private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  read(node1.asNode(), c, node2.asNode())
+  read(node1.asNode(), c, node2.asNode()) and
+  stepFilter(node1, node2, config)
  or
  exists(Node n |
    node2.isImplicitReadNode(n, true) and
@@ -402,7 +406,8 @@ private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
  store(node1.asNode(), tc, node2.asNode(), contentType) and
-  read(_, tc.getContent(), _, config)
+  read(_, tc.getContent(), _, config) and
+  stepFilter(node1, node2, config)
 }

 pragma[nomagic]
@@ -451,63 +456,59 @@ private module Stage1 {
   * argument in a call.
   */
  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
-    not fullBarrier(node, config) and
-    (
-      sourceNode(node, config) and
-      if hasSourceCallCtx(config) then cc = true else cc = false
+    sourceNode(node, config) and
+    if hasSourceCallCtx(config) then cc = true else cc = false
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, cc, config) and
+      localFlowStep(mid, node, config)
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, cc, config) and
+      additionalLocalFlowStep(mid, node, config)
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, _, config) and
+      jumpStep(mid, node, config) and
+      cc = false
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, _, config) and
+      additionalJumpStep(mid, node, config) and
+      cc = false
+    )
+    or
+    // store
+    exists(NodeEx mid |
+      useFieldFlow(config) and
+      fwdFlow(mid, cc, config) and
+      store(mid, _, node, _, config)
+    )
+    or
+    // read
+    exists(Content c |
+      fwdFlowRead(c, node, cc, config) and
+      fwdFlowConsCand(c, config)
+    )
+    or
+    // flow into a callable
+    exists(NodeEx arg |
+      fwdFlow(arg, _, config) and
+      viableParamArgEx(_, node, arg) and
+      cc = true and
+      not fullBarrier(node, config)
+    )
+    or
+    // flow out of a callable
+    exists(DataFlowCall call |
+      fwdFlowOut(call, node, false, config) and
+      cc = false
      or
-      exists(NodeEx mid |
-        fwdFlow(mid, cc, config) and
-        localFlowStep(mid, node, config)
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, cc, config) and
-        additionalLocalFlowStep(mid, node, config)
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, _, config) and
-        jumpStep(mid, node, config) and
-        cc = false
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, _, config) and
-        additionalJumpStep(mid, node, config) and
-        cc = false
-      )
-      or
-      // store
-      exists(NodeEx mid |
-        useFieldFlow(config) and
-        fwdFlow(mid, cc, config) and
-        store(mid, _, node, _, config) and
-        not outBarrier(mid, config)
-      )
-      or
-      // read
-      exists(Content c |
-        fwdFlowRead(c, node, cc, config) and
-        fwdFlowConsCand(c, config) and
-        not inBarrier(node, config)
-      )
-      or
-      // flow into a callable
-      exists(NodeEx arg |
-        fwdFlow(arg, _, config) and
-        viableParamArgEx(_, node, arg) and
-        cc = true
-      )
-      or
-      // flow out of a callable
-      exists(DataFlowCall call |
-        fwdFlowOut(call, node, false, config) and
-        cc = false
-        or
-        fwdFlowOutFromArg(call, node, config) and
-        fwdFlowIsEntered(call, cc, config)
-      )
+      fwdFlowOutFromArg(call, node, config) and
+      fwdFlowIsEntered(call, cc, config)
    )
  }

@@ -547,7 +548,8 @@ private module Stage1 {
  private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
    exists(ReturnPosition pos |
      fwdFlowReturnPosition(pos, cc, config) and
-      viableReturnPosOutEx(call, pos, out)
+      viableReturnPosOutEx(call, pos, out) and
+      not fullBarrier(out, config)
    )
  }

@@ -773,6 +775,7 @@ private module Stage1 {
   * Holds if flow may enter through `p` and reach a return node making `p` a
   * candidate for the origin of a summary.
   */
+  pragma[nomagic]
  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
    exists(ReturnKindExt kind |
      throughFlowNodeCand(p, config) and
@@ -1009,6 +1012,9 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1017,14 +1023,23 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -1037,6 +1052,13 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1107,7 +1129,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1142,9 +1164,8 @@ private module Stage2 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1159,9 +1180,8 @@ private module Stage2 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1171,10 +1191,8 @@ private module Stage2 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1188,7 +1206,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
    )
  }

@@ -1230,6 +1248,11 @@ private module Stage2 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -1306,7 +1329,7 @@ private module Stage2 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -1341,9 +1364,8 @@ private module Stage2 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1353,9 +1375,8 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1365,9 +1386,8 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1707,12 +1727,14 @@ private module Stage3 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -1837,9 +1859,8 @@ private module Stage3 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1854,9 +1875,8 @@ private module Stage3 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1866,10 +1886,8 @@ private module Stage3 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1925,6 +1943,11 @@ private module Stage3 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2001,7 +2024,7 @@ private module Stage3 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2036,9 +2059,8 @@ private module Stage3 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2048,9 +2070,8 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2060,9 +2081,8 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2473,12 +2493,14 @@ private module Stage4 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -2603,9 +2625,8 @@ private module Stage4 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2620,9 +2641,8 @@ private module Stage4 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2632,10 +2652,8 @@ private module Stage4 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2691,6 +2709,11 @@ private module Stage4 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2767,7 +2790,7 @@ private module Stage4 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2802,9 +2825,8 @@ private module Stage4 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2814,9 +2836,8 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2826,9 +2847,8 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll
@@ -9,6 +9,19 @@ private import tainttracking1.TaintTrackingParameter::Private
 private import tainttracking1.TaintTrackingParameter::Public

 module Consistency {
+  private newtype TConsistencyConfiguration = MkConsistencyConfiguration()
+
+  /** A class for configuring the consistency queries. */
+  class ConsistencyConfiguration extends TConsistencyConfiguration {
+    string toString() { none() }
+
+    /** Holds if `n` should be excluded from the consistency test `postWithInFlow`. */
+    predicate postWithInFlowExclude(Node n) { none() }
+
+    /** Holds if `n` should be excluded from the consistency test `argHasPostUpdate`. */
+    predicate argHasPostUpdateExclude(ArgumentNode n) { none() }
+  }
+
  private class RelevantNode extends Node {
    RelevantNode() {
      this instanceof ArgumentNode or
@@ -164,7 +177,7 @@ module Consistency {

  query predicate argHasPostUpdate(ArgumentNode n, string msg) {
    not hasPost(n) and
-    not isImmutableOrUnobservable(n) and
+    not any(ConsistencyConfiguration c).argHasPostUpdateExclude(n) and
    msg = "ArgumentNode is missing PostUpdateNode."
  }

@@ -177,6 +190,7 @@ module Consistency {
    isPostUpdateNode(n) and
    not clearsContent(n, _) and
    simpleLocalFlowStep(_, n) and
+    not any(ConsistencyConfiguration c).postWithInFlowExclude(n) and
    msg = "PostUpdateNode should not be the target of local flow."
  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -2,6 +2,7 @@ private import cpp
 private import DataFlowUtil
 private import semmle.code.cpp.ir.IR
 private import DataFlowDispatch
+private import DataFlowImplConsistency

 /** Gets the callable in which this node occurs. */
 DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.getEnclosingCallable() }
@@ -285,21 +286,18 @@ class Unit extends TUnit {
  string toString() { result = "unit" }
 }

-/**
- * Holds if `n` does not require a `PostUpdateNode` as it either cannot be
- * modified or its modification cannot be observed, for example if it is a
- * freshly created object that is not saved in a variable.
- *
- * This predicate is only used for consistency checks.
- */
-predicate isImmutableOrUnobservable(Node n) {
-  // The rules for whether an IR argument gets a post-update node are too
-  // complex to model here.
-  any()
-}
-
 /** Holds if `n` should be hidden from path explanations. */
-predicate nodeIsHidden(Node n) { n instanceof OperandNode and not n instanceof ArgumentNode }
+predicate nodeIsHidden(Node n) {
+  n instanceof OperandNode and not n instanceof ArgumentNode
+  or
+  StoreNodeFlow::flowThrough(n, _) and
+  not StoreNodeFlow::flowOutOf(n, _) and
+  not StoreNodeFlow::flowInto(_, n)
+  or
+  ReadNodeFlow::flowThrough(n, _) and
+  not ReadNodeFlow::flowOutOf(n, _) and
+  not ReadNodeFlow::flowInto(_, n)
+}

 class LambdaCallKind = Unit;

@@ -320,3 +318,11 @@ predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preserves
 * by default as a heuristic.
 */
 predicate allowParameterReturnInSelf(ParameterNode p) { none() }
+
+private class MyConsistencyConfiguration extends Consistency::ConsistencyConfiguration {
+  override predicate argHasPostUpdateExclude(ArgumentNode n) {
+    // The rules for whether an IR argument gets a post-update node are too
+    // complex to model here.
+    any()
+  }
+}
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -806,7 +806,7 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
  simpleOperandLocalFlowStep(nodeFrom.asInstruction(), nodeTo.asOperand())
  or
  // Flow into, through, and out of store nodes
-  StoreNodeFlow::flowInto(nodeFrom, nodeTo)
+  StoreNodeFlow::flowInto(nodeFrom.asInstruction(), nodeTo)
  or
  StoreNodeFlow::flowThrough(nodeFrom, nodeTo)
  or
@@ -831,23 +831,19 @@ private predicate adjacentDefUseFlow(Node nodeFrom, Node nodeTo) {
    //Def-use flow
    Ssa::ssaFlow(nodeFrom, nodeTo)
    or
-    exists(Instruction loadAddress | loadAddress = Ssa::getSourceAddressFromNode(nodeFrom) |
-      // Use-use flow through reads
-      exists(Node address |
-        Ssa::addressFlowTC(address.asInstruction(), loadAddress) and
-        Ssa::ssaFlow(address, nodeTo)
-      )
-      or
-      // Use-use flow through stores.
-      exists(Node store |
-        Ssa::explicitWrite(_, store.asInstruction(), loadAddress) and
-        Ssa::ssaFlow(store, nodeTo)
-      )
+    // Use-use flow through stores.
+    exists(Instruction loadAddress, Node store |
+      loadAddress = Ssa::getSourceAddressFromNode(nodeFrom) and
+      Ssa::explicitWrite(_, store.asInstruction(), loadAddress) and
+      Ssa::ssaFlow(store, nodeTo)
    )
  )
 }

-private module ReadNodeFlow {
+/**
+ * INTERNAL: Do not use.
+ */
+module ReadNodeFlow {
  /** Holds if the read node `nodeTo` should receive flow from `nodeFrom`. */
  predicate flowInto(Node nodeFrom, ReadNode nodeTo) {
    nodeTo.isInitial() and
@@ -867,7 +863,12 @@ private module ReadNodeFlow {
    )
  }

-  /** Holds if the read node `nodeTo` should receive flow from the read node `nodeFrom`. */
+  /**
+   * Holds if the read node `nodeTo` should receive flow from the read node `nodeFrom`.
+   *
+   * This happens when `readFrom` is _not_ the source of a `readStep`, and `nodeTo` is
+   * the `ReadNode` that represents an address that directly depends on `nodeFrom`.
+   */
  predicate flowThrough(ReadNode nodeFrom, ReadNode nodeTo) {
    not readStep(nodeFrom, _, _) and
    nodeFrom.getOuter() = nodeTo
@@ -906,17 +907,25 @@ private module ReadNodeFlow {
  }
 }

-private module StoreNodeFlow {
+/**
+ * INTERNAL: Do not use.
+ */
+module StoreNodeFlow {
  /** Holds if the store node `nodeTo` should receive flow from `nodeFrom`. */
-  predicate flowInto(Node nodeFrom, StoreNode nodeTo) {
-    nodeTo.flowInto(Ssa::getDestinationAddress(nodeFrom.asInstruction()))
+  predicate flowInto(Instruction instrFrom, StoreNode nodeTo) {
+    nodeTo.flowInto(Ssa::getDestinationAddress(instrFrom))
  }

-  /** Holds if the store node `nodeTo` should receive flow from `nodeFom`. */
-  predicate flowThrough(StoreNode nFrom, StoreNode nodeTo) {
+  /**
+   * Holds if the store node `nodeTo` should receive flow from `nodeFom`.
+   *
+   * This happens when `nodeFrom` is _not_ the source of a `storeStep`, and `nodeFrom` is
+   * the `Storenode` that represents an address that directly depends on `nodeTo`.
+   */
+  predicate flowThrough(StoreNode nodeFrom, StoreNode nodeTo) {
    // Flow through a post update node that doesn't need a store step.
-    not storeStep(nFrom, _, _) and
-    nodeTo.getOuter() = nFrom
+    not storeStep(nodeFrom, _, _) and
+    nodeTo.getOuter() = nodeFrom
  }

  /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll
@@ -634,3 +634,29 @@ class UncertainWriteDefinition extends WriteDefinition {
    )
  }
 }
+
+/** Provides a set of consistency queries. */
+module Consistency {
+  abstract class RelevantDefinition extends Definition {
+    abstract predicate hasLocationInfo(
+      string filepath, int startline, int startcolumn, int endline, int endcolumn
+    );
+  }
+
+  query predicate nonUniqueDef(RelevantDefinition def, SourceVariable v, BasicBlock bb, int i) {
+    ssaDefReachesRead(v, def, bb, i) and
+    not exists(unique(Definition def0 | ssaDefReachesRead(v, def0, bb, i)))
+  }
+
+  query predicate readWithoutDef(SourceVariable v, BasicBlock bb, int i) {
+    variableRead(bb, i, v, _) and
+    not ssaDefReachesRead(v, _, bb, i)
+  }
+
+  query predicate deadDef(RelevantDefinition def, SourceVariable v) {
+    v = def.getSourceVariable() and
+    not ssaDefReachesRead(_, def, _, _) and
+    not phiHasInputFromBlock(_, def, _) and
+    not uncertainWriteDefinitionInput(_, def)
+  }
+}
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
@@ -244,17 +244,6 @@ Instruction getDestinationAddress(Instruction instr) {
    ]
 }

-class ReferenceToInstruction extends CopyValueInstruction {
-  ReferenceToInstruction() {
-    this.getResultType() instanceof Cpp::ReferenceType and
-    not this.getUnary().getResultType() instanceof Cpp::ReferenceType
-  }
-
-  Instruction getSourceAddress() { result = getSourceAddressOperand().getDef() }
-
-  Operand getSourceAddressOperand() { result = this.getUnaryOperand() }
-}
-
 /** Gets the source address of `instr` if it is an instruction that behaves like a `LoadInstruction`. */
 Instruction getSourceAddress(Instruction instr) { result = getSourceAddressOperand(instr).getDef() }

@@ -266,11 +255,7 @@ Operand getSourceAddressOperand(Instruction instr) {
  result =
    [
      instr.(LoadInstruction).getSourceAddressOperand(),
-      instr.(ReadSideEffectInstruction).getArgumentOperand(),
-      // `ReferenceToInstruction` is really more of an address-of operation,
-      // but by including it in this list we break out of `flowOutOfAddressStep` at an
-      // instruction that, at the source level, looks like a use of a variable.
-      instr.(ReferenceToInstruction).getSourceAddressOperand()
+      instr.(ReadSideEffectInstruction).getArgumentOperand()
    ]
 }

@@ -295,10 +280,6 @@ Operand getSourceValueOperand(Instruction instr) {
  result = instr.(LoadInstruction).getSourceValueOperand()
  or
  result = instr.(ReadSideEffectInstruction).getSideEffectOperand()
-  or
-  // See the comment on the `ReferenceToInstruction` disjunct in `getSourceAddressOperand` for why
-  // this case is included.
-  result = instr.(ReferenceToInstruction).getSourceValueOperand()
 }

 /**
@@ -513,6 +494,64 @@ private module Cached {
      explicitWrite(false, storeNode.getStoreInstruction(), def)
    )
    or
+    // The destination of a store operation has undergone lvalue-to-rvalue conversion and is now a
+    // right-hand-side of a store operation.
+    // Find the next use of the variable in that store operation, and recursively find the load of that
+    // pointer. For example, consider this case:
+    //
+    // ```cpp
+    // int x = source();
+    // int* p = &x;
+    // sink(*p);
+    // ```
+    //
+    // if we want to find the load of the address of `x`, we see that the pointer is stored into `p`,
+    // and we then need to recursively look for the load of `p`.
+    exists(
+      Def def, StoreInstruction store, IRBlock block1, int rnk1, Use use, IRBlock block2, int rnk2
+    |
+      store = def.getInstruction() and
+      store.getSourceValueOperand() = operand and
+      def.hasRankInBlock(block1, rnk1) and
+      use.hasRankInBlock(block2, rnk2) and
+      adjacentDefRead(_, block1, rnk1, block2, rnk2)
+    |
+      // The shared SSA library has determined that `use` is the next use of the operand
+      // so we find the next load of that use (but only if there is no `PostUpdateNode`) we
+      // need to flow into first.
+      not StoreNodeFlow::flowInto(store, _) and
+      flowOutOfAddressStep(use.getOperand(), nodeTo)
+      or
+      // It may also be the case that `store` gives rise to another store step. So let's make sure that
+      // we also take those into account.
+      StoreNodeFlow::flowInto(store, nodeTo)
+    )
+    or
+    // As we find the next load of an address, we might come across another use of the same variable.
+    // In that case, we recursively find the next use of _that_ operand, and continue searching for
+    // the next load of that operand. For example, consider this case:
+    //
+    // ```cpp
+    // int x = source();
+    // use(&x);
+    // int* p = &x;
+    // sink(*p);
+    // ```
+    //
+    // The next use of `x` after its definition is `use(&x)`, but there is a later load of the address
+    // of `x` that we want to flow to. So we use the shared SSA library to find the next load.
+    not operand = getSourceAddressOperand(_) and
+    exists(Use use1, Use use2, IRBlock block1, int rnk1, IRBlock block2, int rnk2 |
+      use1.getOperand() = operand and
+      use1.hasRankInBlock(block1, rnk1) and
+      // Don't flow to the next use if this use is part of a store operation that totally
+      // overrides a variable.
+      not explicitWrite(true, _, use1.getOperand().getDef()) and
+      adjacentDefRead(_, block1, rnk1, block2, rnk2) and
+      use2.hasRankInBlock(block2, rnk2) and
+      flowOutOfAddressStep(use2.getOperand(), nodeTo)
+    )
+    or
    operand = getSourceAddressOperand(nodeTo.asInstruction())
    or
    exists(ReturnIndirectionInstruction ret |
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll
@@ -20,6 +20,14 @@ private import internal.OperandInternal
 private class TStageOperand =
  TRegisterOperand or TNonSSAMemoryOperand or TPhiOperand or TChiOperand;

+/**
+ * A known location. Testing `loc instanceof KnownLocation` will account for non existing locations, as
+ * opposed to testing `not loc isntanceof UnknownLocation`
+ */
+private class KnownLocation extends Language::Location {
+  KnownLocation() { not this instanceof Language::UnknownLocation }
+}
+
 /**
 * An operand of an `Instruction`. The operand represents a use of the result of one instruction
 * (the defining instruction) in another instruction (the use instruction)
@@ -45,8 +53,10 @@ class Operand extends TStageOperand {

  /**
   * Gets the location of the source code for this operand.
+   * By default this is where the operand is used, but some subclasses may override this
+   * using `getAnyDef()` if it makes more sense.
   */
-  final Language::Location getLocation() { result = this.getUse().getLocation() }
+  Language::Location getLocation() { result = this.getUse().getLocation() }

  /**
   * Gets the function that contains this operand.
@@ -269,6 +279,10 @@ class RegisterOperand extends NonPhiOperand, TRegisterOperand {

  final override string toString() { result = tag.toString() }

+  // most `RegisterOperands` have a more meaningful location at the definition
+  // the only exception are specific cases of `ThisArgumentOperand`
+  override Language::Location getLocation() { result = this.getAnyDef().getLocation() }
+
  final override Instruction getAnyDef() { result = defInstr }

  final override Overlap getDefinitionOverlap() {
@@ -401,11 +415,19 @@ class ArgumentOperand extends RegisterOperand {
 }

 /**
- * An operand representing the implicit 'this' argument to a member function
+ * An operand representing the implicit `this` argument to a member function
 * call.
 */
 class ThisArgumentOperand extends ArgumentOperand {
  override ThisArgumentOperandTag tag;
+
+  // in most cases the def location makes more sense, but in some corner cases it
+  // has an unknown location: in those cases we fall back to the use location
+  override Language::Location getLocation() {
+    if this.getAnyDef().getLocation() instanceof KnownLocation
+    then result = this.getAnyDef().getLocation()
+    else result = this.getUse().getLocation()
+  }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Operand.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Operand.qll
@@ -20,6 +20,14 @@ private import internal.OperandInternal
 private class TStageOperand =
  TRegisterOperand or TNonSSAMemoryOperand or TPhiOperand or TChiOperand;

+/**
+ * A known location. Testing `loc instanceof KnownLocation` will account for non existing locations, as
+ * opposed to testing `not loc isntanceof UnknownLocation`
+ */
+private class KnownLocation extends Language::Location {
+  KnownLocation() { not this instanceof Language::UnknownLocation }
+}
+
 /**
 * An operand of an `Instruction`. The operand represents a use of the result of one instruction
 * (the defining instruction) in another instruction (the use instruction)
@@ -45,8 +53,10 @@ class Operand extends TStageOperand {

  /**
   * Gets the location of the source code for this operand.
+   * By default this is where the operand is used, but some subclasses may override this
+   * using `getAnyDef()` if it makes more sense.
   */
-  final Language::Location getLocation() { result = this.getUse().getLocation() }
+  Language::Location getLocation() { result = this.getUse().getLocation() }

  /**
   * Gets the function that contains this operand.
@@ -269,6 +279,10 @@ class RegisterOperand extends NonPhiOperand, TRegisterOperand {

  final override string toString() { result = tag.toString() }

+  // most `RegisterOperands` have a more meaningful location at the definition
+  // the only exception are specific cases of `ThisArgumentOperand`
+  override Language::Location getLocation() { result = this.getAnyDef().getLocation() }
+
  final override Instruction getAnyDef() { result = defInstr }

  final override Overlap getDefinitionOverlap() {
@@ -401,11 +415,19 @@ class ArgumentOperand extends RegisterOperand {
 }

 /**
- * An operand representing the implicit 'this' argument to a member function
+ * An operand representing the implicit `this` argument to a member function
 * call.
 */
 class ThisArgumentOperand extends ArgumentOperand {
  override ThisArgumentOperandTag tag;
+
+  // in most cases the def location makes more sense, but in some corner cases it
+  // has an unknown location: in those cases we fall back to the use location
+  override Language::Location getLocation() {
+    if this.getAnyDef().getLocation() instanceof KnownLocation
+    then result = this.getAnyDef().getLocation()
+    else result = this.getUse().getLocation()
+  }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll
@@ -20,6 +20,14 @@ private import internal.OperandInternal
 private class TStageOperand =
  TRegisterOperand or TNonSSAMemoryOperand or TPhiOperand or TChiOperand;

+/**
+ * A known location. Testing `loc instanceof KnownLocation` will account for non existing locations, as
+ * opposed to testing `not loc isntanceof UnknownLocation`
+ */
+private class KnownLocation extends Language::Location {
+  KnownLocation() { not this instanceof Language::UnknownLocation }
+}
+
 /**
 * An operand of an `Instruction`. The operand represents a use of the result of one instruction
 * (the defining instruction) in another instruction (the use instruction)
@@ -45,8 +53,10 @@ class Operand extends TStageOperand {

  /**
   * Gets the location of the source code for this operand.
+   * By default this is where the operand is used, but some subclasses may override this
+   * using `getAnyDef()` if it makes more sense.
   */
-  final Language::Location getLocation() { result = this.getUse().getLocation() }
+  Language::Location getLocation() { result = this.getUse().getLocation() }

  /**
   * Gets the function that contains this operand.
@@ -269,6 +279,10 @@ class RegisterOperand extends NonPhiOperand, TRegisterOperand {

  final override string toString() { result = tag.toString() }

+  // most `RegisterOperands` have a more meaningful location at the definition
+  // the only exception are specific cases of `ThisArgumentOperand`
+  override Language::Location getLocation() { result = this.getAnyDef().getLocation() }
+
  final override Instruction getAnyDef() { result = defInstr }

  final override Overlap getDefinitionOverlap() {
@@ -401,11 +415,19 @@ class ArgumentOperand extends RegisterOperand {
 }

 /**
- * An operand representing the implicit 'this' argument to a member function
+ * An operand representing the implicit `this` argument to a member function
 * call.
 */
 class ThisArgumentOperand extends ArgumentOperand {
  override ThisArgumentOperandTag tag;
+
+  // in most cases the def location makes more sense, but in some corner cases it
+  // has an unknown location: in those cases we fall back to the use location
+  override Language::Location getLocation() {
+    if this.getAnyDef().getLocation() instanceof KnownLocation
+    then result = this.getAnyDef().getLocation()
+    else result = this.getUse().getLocation()
+  }
 }

 /**
--- a/Bugs/Protocols/TlsSettingsMisconfiguration.ql
+++ b/Bugs/Protocols/TlsSettingsMisconfiguration.ql
@@ -3,8 +3,10 @@
 * @description Using the TLS or SSLv23 protocol from the boost::asio library, but not disabling deprecated protocols, or disabling minimum-recommended protocols.
 * @kind problem
 * @problem.severity error
+ * @security-severity 7.5
 * @id cpp/boost/tls-settings-misconfiguration
 * @tags security
+ *       external/cwe/cwe-326
 */

 import cpp
--- a/Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql
+++ b/Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql
@@ -3,8 +3,10 @@
 * @description Using a deprecated hard-coded protocol using the boost::asio library.
 * @kind problem
 * @problem.severity error
+ * @security-severity 7.5
 * @id cpp/boost/use-of-deprecated-hardcoded-security-protocol
 * @tags security
+ *       external/cwe/cwe-327
 */

 import cpp
--- a/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.qhelp
+++ b/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.qhelp
@@ -0,0 +1,28 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>When checking the result of SSL certificate verification, accepting any error code may allow an attacker to impersonate someone who is trusted.</p>
+
+</overview>
+<recommendation>
+
+<p>When checking an SSL certificate with <code>SSL_get_verify_result</code>, only <code>X509_V_OK</code> is a success code. If there is any other result the certificate should not be accepted.</p>
+
+</recommendation>
+<example>
+
+<p>In this example the error code <code>X509_V_ERR_CERT_HAS_EXPIRED</code> is treated the same as an OK result. An expired certificate should not be accepted as it is more likely to be compromised than a valid certificate.</p>
+
+<sample src="SSLResultConflationBad.cpp" />
+
+<p>In the corrected example, only a result of <code>X509_V_OK</code> is accepted.</p>
+
+<sample src="SSLResultConflationGood.cpp" />
+
+</example>
+<references>
+
+</references>
+</qhelp>
--- a/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql
+++ b/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql
@@ -0,0 +1,50 @@
+/**
+ * @name Certificate result conflation
+ * @description Only accept SSL certificates that pass certificate verification.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision medium
+ * @id cpp/certificate-result-conflation
+ * @tags security
+ *       external/cwe/cwe-295
+ */
+
+import cpp
+import semmle.code.cpp.controlflow.Guards
+import semmle.code.cpp.dataflow.DataFlow
+
+/**
+ * A call to `SSL_get_verify_result`.
+ */
+class SSLGetVerifyResultCall extends FunctionCall {
+  SSLGetVerifyResultCall() { getTarget().getName() = "SSL_get_verify_result" }
+}
+
+/**
+ * Data flow from a call to `SSL_get_verify_result` to a guard condition
+ * that references the result.
+ */
+class VerifyResultConfig extends DataFlow::Configuration {
+  VerifyResultConfig() { this = "VerifyResultConfig" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source.asExpr() instanceof SSLGetVerifyResultCall
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(GuardCondition guard | guard.getAChild*() = sink.asExpr())
+  }
+}
+
+from
+  VerifyResultConfig config, DataFlow::Node source, DataFlow::Node sink1, DataFlow::Node sink2,
+  GuardCondition guard, Expr c1, Expr c2, boolean testIsTrue
+where
+  config.hasFlow(source, sink1) and
+  config.hasFlow(source, sink2) and
+  guard.comparesEq(sink1.asExpr(), c1, 0, false, testIsTrue) and // (value != c1) => testIsTrue
+  guard.comparesEq(sink2.asExpr(), c2, 0, false, testIsTrue) and // (value != c2) => testIsTrue
+  c1.getValue().toInt() = 0 and
+  c2.getValue().toInt() != 0
+select guard, "This expression conflates OK and non-OK results from $@.", source, source.toString()
--- a/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflationBad.cpp
+++ b/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflationBad.cpp
@@ -0,0 +1,13 @@
+// ...
+
+if (cert = SSL_get_peer_certificate(ssl))
+{
+	result = SSL_get_verify_result(ssl);
+
+	if ((result == X509_V_OK) || (result == X509_V_ERR_CERT_HAS_EXPIRED)) // BAD (conflates OK and a non-OK codes)
+	{
+		do_ok();
+	} else {
+		do_error();
+	}
+}
--- a/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflationGood.cpp
+++ b/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflationGood.cpp
@@ -0,0 +1,13 @@
+// ...
+
+if (cert = SSL_get_peer_certificate(ssl))
+{
+	result = SSL_get_verify_result(ssl);
+
+	if (result == X509_V_OK) // GOOD
+	{
+		do_ok();
+	} else {
+		do_error();
+	}
+}
--- a/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.qhelp
+++ b/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.qhelp
@@ -0,0 +1,28 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>After fetching an SSL certificate, always check the result of certificate verification.</p>
+
+</overview>
+<recommendation>
+
+<p>Always check the result of SSL certificate verification. A certificate that has been revoked may indicate that data is coming from an attacker, whereas a certificate that has expired or was self-signed may indicate an increased likelihood that the data is malicious.</p>
+
+</recommendation>
+<example>
+
+<p>In this example, the <code>SSL_get_peer_certificate</code> function is used to get the certificate of a peer. However it is unsafe to use that information without checking if the certificate is valid.</p>
+
+<sample src="SSLResultNotCheckedBad.cpp" />
+
+<p>In the corrected example, we use <code>SSL_get_verify_result</code> to check that certificate verification was successful.</p>
+
+<sample src="SSLResultNotCheckedGood.cpp" />
+
+</example>
+<references>
+
+</references>
+</qhelp>
--- a/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.ql
+++ b/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.ql
@@ -0,0 +1,120 @@
+/**
+ * @name Certificate not checked
+ * @description Always check the result of certificate verification after fetching an SSL certificate.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision medium
+ * @id cpp/certificate-not-checked
+ * @tags security
+ *       external/cwe/cwe-295
+ */
+
+import cpp
+import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+import semmle.code.cpp.controlflow.IRGuards
+
+/**
+ * A call to `SSL_get_peer_certificate`.
+ */
+class SSLGetPeerCertificateCall extends FunctionCall {
+  SSLGetPeerCertificateCall() {
+    getTarget().getName() = "SSL_get_peer_certificate" // SSL_get_peer_certificate(ssl)
+  }
+
+  Expr getSSLArgument() { result = getArgument(0) }
+}
+
+/**
+ * A call to `SSL_get_verify_result`.
+ */
+class SSLGetVerifyResultCall extends FunctionCall {
+  SSLGetVerifyResultCall() {
+    getTarget().getName() = "SSL_get_verify_result" // SSL_get_peer_certificate(ssl)
+  }
+
+  Expr getSSLArgument() { result = getArgument(0) }
+}
+
+/**
+ * Holds if the SSL object passed into `SSL_get_peer_certificate` is checked with
+ * `SSL_get_verify_result` entering `node`.
+ */
+predicate resultIsChecked(SSLGetPeerCertificateCall getCertCall, ControlFlowNode node) {
+  exists(Expr ssl, SSLGetVerifyResultCall check |
+    ssl = globalValueNumber(getCertCall.getSSLArgument()).getAnExpr() and
+    ssl = check.getSSLArgument() and
+    node = check
+  )
+}
+
+/**
+ * Holds if the certificate returned by `SSL_get_peer_certificate` is found to be
+ * `0` on the edge `node1` to `node2`.
+ */
+predicate certIsZero(
+  SSLGetPeerCertificateCall getCertCall, ControlFlowNode node1, ControlFlowNode node2
+) {
+  exists(Expr cert | cert = globalValueNumber(getCertCall).getAnExpr() |
+    exists(GuardCondition guard, Expr zero |
+      zero.getValue().toInt() = 0 and
+      node1 = guard and
+      (
+        // if (cert == zero) {
+        guard.comparesEq(cert, zero, 0, true, true) and
+        node2 = guard.getATrueSuccessor()
+        or
+        // if (cert != zero) { }
+        guard.comparesEq(cert, zero, 0, false, true) and
+        node2 = guard.getAFalseSuccessor()
+      )
+    )
+    or
+    (
+      // if (cert) { }
+      node1 = cert
+      or
+      // if (!cert) {
+      node1.(NotExpr).getAChild() = cert
+    ) and
+    node2 = node1.getASuccessor() and
+    not cert.(GuardCondition).controls(node2, true) // cert may be false
+  )
+}
+
+/**
+ * Holds if the SSL object passed into `SSL_get_peer_certificate` has not been checked with
+ * `SSL_get_verify_result` at `node`. Note that this is only computed at the call to
+ * `SSL_get_peer_certificate` and at the start and end of `BasicBlock`s.
+ */
+predicate certNotChecked(SSLGetPeerCertificateCall getCertCall, ControlFlowNode node) {
+  // cert is not checked at the call to `SSL_get_peer_certificate`
+  node = getCertCall
+  or
+  exists(BasicBlock bb, int pos |
+    // flow to end of a `BasicBlock`
+    certNotChecked(getCertCall, bb.getNode(pos)) and
+    node = bb.getEnd() and
+    // check for barrier node
+    not exists(int pos2 |
+      pos2 > pos and
+      resultIsChecked(getCertCall, bb.getNode(pos2))
+    )
+  )
+  or
+  exists(BasicBlock pred, BasicBlock bb |
+    // flow from the end of one `BasicBlock` to the beginning of a successor
+    certNotChecked(getCertCall, pred.getEnd()) and
+    bb = pred.getASuccessor() and
+    node = bb.getStart() and
+    // check for barrier bb
+    not certIsZero(getCertCall, pred.getEnd(), bb.getStart())
+  )
+}
+
+from SSLGetPeerCertificateCall getCertCall, ControlFlowNode node
+where
+  certNotChecked(getCertCall, node) and
+  node instanceof Function // (function exit)
+select getCertCall,
+  "This " + getCertCall.toString() + " is not followed by a call to SSL_get_verify_result."
--- a/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotCheckedBad.cpp
+++ b/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotCheckedBad.cpp
@@ -0,0 +1,5 @@
+// ...
+
+X509 *cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result is never called)
+
+// ...
--- a/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotCheckedGood.cpp
+++ b/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotCheckedGood.cpp
@@ -0,0 +1,9 @@
+// ...
+
+X509 *cert = SSL_get_peer_certificate(ssl); // GOOD
+if (cert)
+{
+	result = SSL_get_verify_result(ssl);
+	if (result == X509_V_OK)
+	{
+		// ...
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
@@ -8,6 +8,7 @@
 * @precision high
 * @id cpp/cleartext-storage-file
 * @tags security
+ *       external/cwe/cwe-260
 *       external/cwe/cwe-313
 */

--- a/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
+++ b/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
@@ -29,7 +29,7 @@ class SqliteFunctionCall extends FunctionCall {
 }

 predicate sqlite_encryption_used() {
-  any(StringLiteral l).getValue().toLowerCase().regexpMatch("pragma key.*") or
+  any(StringLiteral l).getValue().toLowerCase().matches("pragma key%") or
  any(StringLiteral l).getValue().toLowerCase().matches("%attach%database%key%") or
  any(FunctionCall fc).getTarget().getName().matches("sqlite%\\_key\\_%")
 }
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-675/semmle/tests/DoubleRelease.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-675/semmle/tests/DoubleRelease.expected
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-675/semmle/tests/DoubleRelease.qlref
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-675/semmle/tests/DoubleRelease.qlref
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-675/semmle/tests/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-675/semmle/tests/test.cpp
--- a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_path_to_sink/dispatch.cpp
+++ b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_path_to_sink/dispatch.cpp
@@ -4,8 +4,8 @@ using SinkFunction = void (*)(int);

 void notSink(int notSinkParam);

-void callsSink(int sinkParam) { // $ ir-path=31:28 ir-path=32:31 ir-path=34:22
-  sink(sinkParam); // $ ir-sink=31:28 ir-sink=32:31 ir-sink=34:22 ast=31:28 ast=32:31 ast=34:22 MISSING: ast,ir=28
+void callsSink(int sinkParam) { // $ ir-path=31:23 ir-path=32:26 ir-path=34:17
+  sink(sinkParam); // $ ast=31:28 ast=32:31 ast=34:22 ir-sink
 }

 struct {
@@ -25,7 +25,7 @@ void assignGlobals() {
 };

 void testStruct() {
-  globalStruct.sinkPtr(atoi(getenv("TAINTED"))); // $ ir MISSING: ast
+  globalStruct.sinkPtr(atoi(getenv("TAINTED"))); // $ MISSING: ir-path,ast
  globalStruct.notSinkPtr(atoi(getenv("TAINTED"))); // clean

  globalUnion.sinkPtr(atoi(getenv("TAINTED"))); // $ ast ir-path
@@ -48,8 +48,8 @@ class D2 : public D1 {

 class D3 : public D2 {
    public:
-    void f(const char* p) override { // $ ir-path=58:10 ir-path=60:17 ir-path=61:28 ir-path=62:29 ir-path=63:33 ir-path=73:30
-        sink(p); // $ ir-sink=58:10 ir-sink=60:17 ir-sink=61:28 ir-sink=62:29 ir-sink=63:33 ast=58:10 ast=60:17 ast=61:28 ast=62:29 ast=63:33 SPURIOUS: ast=73:30 ir-sink=73:30
+    void f(const char* p) override { // $ ir-path=58:10 ir-path=60:17 ir-path=61:28 ir-path=62:29 ir-path=63:33 SPURIOUS: ir-path=73:30
+        sink(p); // $ ast=58:10 ast=60:17 ast=61:28 ast=62:29 ast=63:33 ir-sink SPURIOUS: ast=73:30
    }
 };

--- a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_path_to_sink/tainted.ql
+++ b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_path_to_sink/tainted.ql
@@ -23,11 +23,10 @@ class SourceConfiguration extends TaintedWithPath::TaintTrackingConfiguration {
  override predicate isSink(Element e) { isSinkArgument(e) }
 }

-predicate irTaint(Element source, Element sink, string tag) {
-  exists(TaintedWithPath::PathNode sinkNode, TaintedWithPath::PathNode predNode |
+predicate irTaint(Element source, TaintedWithPath::PathNode predNode, string tag) {
+  exists(TaintedWithPath::PathNode sinkNode |
    TaintedWithPath::taintedWithPath(source, _, _, sinkNode) and
    predNode = getAPredecessor*(sinkNode) and
-    sink = getElementFromPathNode(predNode) and
    // Make sure the path is actually reachable from this predecessor.
    // Otherwise, we could pick `predNode` to be b when `source` is
    // `source1` in this dataflow graph:
@@ -35,7 +34,7 @@ predicate irTaint(Element source, Element sink, string tag) {
    //                   ^
    // source2 ---> b --/
    source = getElementFromPathNode(getAPredecessor*(predNode)) and
-    if sinkNode = predNode then tag = "ir-sink" else tag = "ir-path"
+    if predNode = sinkNode then tag = "ir-sink" else tag = "ir-path"
  )
 }

@@ -45,21 +44,25 @@ class IRDefaultTaintTrackingTest extends InlineExpectationsTest {
  override string getARelevantTag() { result = ["ir-path", "ir-sink"] }

  override predicate hasActualResult(Location location, string element, string tag, string value) {
-    exists(Element source, Element tainted, int n |
-      irTaint(source, tainted, tag) and
-      n = strictcount(Element otherSource | irTaint(otherSource, tainted, _)) and
-      (
-        n = 1 and value = ""
-        or
-        // If there is more than one source for this sink
-        // we specify the source location explicitly.
-        n > 1 and
+    exists(Element source, Element elem, TaintedWithPath::PathNode node, int n |
+      irTaint(source, node, tag) and
+      elem = getElementFromPathNode(node) and
+      n = count(int startline | getAPredecessor(node).hasLocationInfo(_, startline, _, _, _)) and
+      location = elem.getLocation() and
+      element = elem.toString()
+    |
+      // Zero predecessors means it's a source, and 1 predecessor means it has a unique predecessor.
+      // In either of these cases we leave out the location.
+      n = [0, 1] and value = ""
+      or
+      // If there is more than one predecessor for this node
+      // we specify the source location explicitly.
+      n > 1 and
+      exists(TaintedWithPath::PathNode pred | pred = getAPredecessor(node) |
        value =
-          source.getLocation().getStartLine().toString() + ":" +
-            source.getLocation().getStartColumn()
-      ) and
-      location = tainted.getLocation() and
-      element = tainted.toString()
+          getElementFromPathNode(pred).getLocation().getStartLine().toString() + ":" +
+            getElementFromPathNode(pred).getLocation().getStartColumn()
+      )
    )
  }
 }
--- a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_path_to_sink/test_diff.cpp
+++ b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_path_to_sink/test_diff.cpp
@@ -13,8 +13,8 @@ struct S {
    }
 };

-void calls_sink_with_argv(const char* a) { // $ ir-path=96:26 ir-path=98:18
-    sink(a); // $ ast=96:26 ast=98:18 ir-sink=96:26 ir-sink=98:18
+void calls_sink_with_argv(const char* a) { // $ ir-path=96:26 ir-path=102:26
+    sink(a); // $ ast=96:26 ast=98:18 ir-sink
 }

 extern int i;
@@ -27,7 +27,7 @@ public:
 class DerivedCallsSink : public BaseWithPureVirtual {
 public:
    void f(const char* p) override { // $ ir-path
-        sink(p); // $ ir-sink ast=108:10 SPURIOUS: ast=111:10
+        sink(p); // $ ast=108:10 ir-sink SPURIOUS: ast=111:10
    }
 };

@@ -49,8 +49,8 @@ public:
 };

 class DerivesMultiple : public DerivedCallsSinkDiamond1, public DerivedDoesNotCallSinkDiamond2 {
-    void f(const char* p) override { // $ ir-path
-        DerivedCallsSinkDiamond1::f(p);
+    void f(const char* p) override { // $ ir-path=53:37 ir-path=115:11
+        DerivedCallsSinkDiamond1::f(p); // $ ir-path
    }
 };

@@ -58,7 +58,7 @@ template<typename T>
 class CRTP {
 public:
    void f(const char* p) { // $ ir-path
-        static_cast<T*>(this)->g(p);
+        static_cast<T*>(this)->g(p); // $ ir-path
    }
 };

@@ -79,7 +79,7 @@ class Derived2 : public Derived1 {
 class Derived3 : public Derived2 {
    public:
    void f(const char* p) override { // $ ir-path=124:19 ir-path=126:43 ir-path=128:44
-        sink(p); // $ ast,ir-sink=124:19 ast,ir-sink=126:43 ast,ir-sink=128:44
+        sink(p); // $ ast=124:19 ast=126:43 ast=128:44 ir-sink
    }
 };

@@ -97,11 +97,11 @@ int main(int argc, char *argv[]) {

    char*** p = &argv; // $ ast,ir-path

-    sink(*p[0]); // $ ast,ir-sink
+    sink(*p[0]); // $ ast ir-sink=96:26 ir-sink=98:18

-    calls_sink_with_argv(*p[i]); // $ MISSING: ast,ir-path
+    calls_sink_with_argv(*p[i]); // $ ir-path=96:26 ir-path=98:18 MISSING:ast

-    sink(*(argv + 1)); // $ ast,ir-path ir-sink
+    sink(*(argv + 1)); // $ ast ir-path ir-sink

    BaseWithPureVirtual* b = new DerivedCallsSink;

--- a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/defaulttainttracking.cpp
+++ b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/defaulttainttracking.cpp
@@ -190,9 +190,9 @@ void test_pointers1()
 	sink(ptr1); // $ ast MISSING: ir
 	sink(ptr2); // $ SPURIOUS: ast
 	sink(*ptr2); // $ ast MISSING: ir
-	sink(ptr3); // $ ast MISSING: ir
-	sink(ptr4); // $ SPURIOUS: ast
-	sink(*ptr4); // $ ast MISSING: ir
+	sink(ptr3); // $ ast,ir
+	sink(ptr4); // $ SPURIOUS: ast,ir
+	sink(*ptr4); // $ ast,ir
 }

 void test_pointers2()
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected
@@ -35,17 +35,17 @@ postWithInFlow
 | BarrierGuard.cpp:60:3:60:4 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | BarrierGuard.cpp:60:7:60:7 | x [post update] | PostUpdateNode should not be the target of local flow. |
 | clang.cpp:8:20:8:29 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
-| clang.cpp:22:3:22:6 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
+| clang.cpp:22:8:22:20 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | clang.cpp:22:8:22:20 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | clang.cpp:22:9:22:20 | sourceArray1 [post update] | PostUpdateNode should not be the target of local flow. |
 | clang.cpp:26:8:26:24 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | clang.cpp:26:8:26:24 | sourceStruct1_ptr [post update] | PostUpdateNode should not be the target of local flow. |
-| clang.cpp:26:27:26:34 | sourceStruct1_ptr [post update] | PostUpdateNode should not be the target of local flow. |
+| clang.cpp:26:8:26:24 | sourceStruct1_ptr [post update] | PostUpdateNode should not be the target of local flow. |
 | clang.cpp:28:3:28:19 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | clang.cpp:28:22:28:23 | m1 [post update] | PostUpdateNode should not be the target of local flow. |
 | clang.cpp:30:8:30:24 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | clang.cpp:30:8:30:24 | sourceStruct1_ptr [post update] | PostUpdateNode should not be the target of local flow. |
-| clang.cpp:30:27:30:34 | sourceStruct1_ptr [post update] | PostUpdateNode should not be the target of local flow. |
+| clang.cpp:30:8:30:24 | sourceStruct1_ptr [post update] | PostUpdateNode should not be the target of local flow. |
 | clang.cpp:34:19:34:41 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | clang.cpp:34:19:34:41 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | clang.cpp:39:16:39:21 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
@@ -77,55 +77,55 @@ postWithInFlow
 | dispatch.cpp:29:29:29:34 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:31:8:31:13 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:31:8:31:13 | topPtr [post update] | PostUpdateNode should not be the target of local flow. |
-| dispatch.cpp:31:16:31:24 | topPtr [post update] | PostUpdateNode should not be the target of local flow. |
+| dispatch.cpp:31:8:31:13 | topPtr [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:32:8:32:13 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:32:8:32:13 | topPtr [post update] | PostUpdateNode should not be the target of local flow. |
-| dispatch.cpp:32:16:32:24 | topPtr [post update] | PostUpdateNode should not be the target of local flow. |
+| dispatch.cpp:32:8:32:13 | topPtr [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:33:3:33:8 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:33:3:33:8 | topPtr [post update] | PostUpdateNode should not be the target of local flow. |
-| dispatch.cpp:33:11:33:16 | topPtr [post update] | PostUpdateNode should not be the target of local flow. |
+| dispatch.cpp:33:3:33:8 | topPtr [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:35:8:35:13 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:35:8:35:13 | topPtr [post update] | PostUpdateNode should not be the target of local flow. |
-| dispatch.cpp:35:16:35:25 | topPtr [post update] | PostUpdateNode should not be the target of local flow. |
+| dispatch.cpp:35:8:35:13 | topPtr [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:36:8:36:13 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:36:8:36:13 | topPtr [post update] | PostUpdateNode should not be the target of local flow. |
-| dispatch.cpp:36:16:36:25 | topPtr [post update] | PostUpdateNode should not be the target of local flow. |
+| dispatch.cpp:36:8:36:13 | topPtr [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:37:3:37:8 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:37:3:37:8 | topPtr [post update] | PostUpdateNode should not be the target of local flow. |
-| dispatch.cpp:37:11:37:17 | topPtr [post update] | PostUpdateNode should not be the target of local flow. |
+| dispatch.cpp:37:3:37:8 | topPtr [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:39:8:39:13 | (reference dereference) [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:39:8:39:13 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:39:8:39:13 | topRef [post update] | PostUpdateNode should not be the target of local flow. |
-| dispatch.cpp:39:15:39:23 | topRef [post update] | PostUpdateNode should not be the target of local flow. |
+| dispatch.cpp:39:8:39:13 | topRef [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:40:8:40:13 | (reference dereference) [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:40:8:40:13 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:40:8:40:13 | topRef [post update] | PostUpdateNode should not be the target of local flow. |
-| dispatch.cpp:40:15:40:23 | topRef [post update] | PostUpdateNode should not be the target of local flow. |
+| dispatch.cpp:40:8:40:13 | topRef [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:41:3:41:8 | (reference dereference) [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:41:3:41:8 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:41:3:41:8 | topRef [post update] | PostUpdateNode should not be the target of local flow. |
-| dispatch.cpp:41:10:41:15 | topRef [post update] | PostUpdateNode should not be the target of local flow. |
+| dispatch.cpp:41:3:41:8 | topRef [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:43:8:43:13 | (reference dereference) [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:43:8:43:13 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:43:8:43:13 | topRef [post update] | PostUpdateNode should not be the target of local flow. |
-| dispatch.cpp:43:15:43:24 | topRef [post update] | PostUpdateNode should not be the target of local flow. |
+| dispatch.cpp:43:8:43:13 | topRef [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:44:8:44:13 | (reference dereference) [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:44:8:44:13 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:44:8:44:13 | topRef [post update] | PostUpdateNode should not be the target of local flow. |
-| dispatch.cpp:44:15:44:24 | topRef [post update] | PostUpdateNode should not be the target of local flow. |
+| dispatch.cpp:44:8:44:13 | topRef [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:45:3:45:8 | (reference dereference) [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:45:3:45:8 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:45:3:45:8 | topRef [post update] | PostUpdateNode should not be the target of local flow. |
-| dispatch.cpp:45:10:45:16 | topRef [post update] | PostUpdateNode should not be the target of local flow. |
+| dispatch.cpp:45:3:45:8 | topRef [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:51:3:51:22 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:55:8:55:19 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:55:8:55:19 | globalBottom [post update] | PostUpdateNode should not be the target of local flow. |
-| dispatch.cpp:55:22:55:30 | globalBottom [post update] | PostUpdateNode should not be the target of local flow. |
+| dispatch.cpp:55:8:55:19 | globalBottom [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:56:8:56:19 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:56:8:56:19 | globalMiddle [post update] | PostUpdateNode should not be the target of local flow. |
-| dispatch.cpp:56:22:56:30 | globalMiddle [post update] | PostUpdateNode should not be the target of local flow. |
+| dispatch.cpp:56:8:56:19 | globalMiddle [post update] | PostUpdateNode should not be the target of local flow. |
+| dispatch.cpp:58:8:58:23 | call to readGlobalBottom [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:58:8:58:23 | call to readGlobalBottom [post update] | PostUpdateNode should not be the target of local flow. |
-| dispatch.cpp:58:28:58:36 | call to readGlobalBottom [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:60:3:60:14 | globalBottom [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:60:18:60:29 | Call [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:60:18:60:29 | new [post update] | PostUpdateNode should not be the target of local flow. |
@@ -140,34 +140,34 @@ postWithInFlow
 | dispatch.cpp:65:10:65:21 | new [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:69:3:69:5 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:69:3:69:5 | top [post update] | PostUpdateNode should not be the target of local flow. |
-| dispatch.cpp:69:8:69:13 | top [post update] | PostUpdateNode should not be the target of local flow. |
+| dispatch.cpp:69:3:69:5 | top [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:73:3:73:5 | (reference dereference) [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:73:3:73:5 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:73:3:73:5 | top [post update] | PostUpdateNode should not be the target of local flow. |
-| dispatch.cpp:73:7:73:12 | top [post update] | PostUpdateNode should not be the target of local flow. |
-| dispatch.cpp:77:3:77:19 | call to allocateBottom [post update] | PostUpdateNode should not be the target of local flow. |
+| dispatch.cpp:73:3:73:5 | top [post update] | PostUpdateNode should not be the target of local flow. |
+| dispatch.cpp:77:21:77:34 | call to allocateBottom [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:77:21:77:34 | call to allocateBottom [post update] | PostUpdateNode should not be the target of local flow. |
-| dispatch.cpp:78:3:78:21 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:78:23:78:39 | (reference to) [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:78:23:78:39 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
+| dispatch.cpp:78:23:78:39 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:78:24:78:37 | call to allocateBottom [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:80:8:80:8 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:81:3:81:3 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:81:3:81:3 | x [post update] | PostUpdateNode should not be the target of local flow. |
-| dispatch.cpp:81:6:81:11 | x [post update] | PostUpdateNode should not be the target of local flow. |
+| dispatch.cpp:81:3:81:3 | x [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:85:3:85:13 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
-| dispatch.cpp:89:3:89:10 | bottom [post update] | PostUpdateNode should not be the target of local flow. |
+| dispatch.cpp:89:3:89:10 | call to identity [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:89:3:89:10 | call to identity [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:89:12:89:17 | (Middle *)... [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:89:12:89:17 | (Top *)... [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:89:12:89:17 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:89:12:89:17 | bottom [post update] | PostUpdateNode should not be the target of local flow. |
-| dispatch.cpp:89:21:89:26 | call to identity [post update] | PostUpdateNode should not be the target of local flow. |
+| dispatch.cpp:89:12:89:17 | bottom [post update] | PostUpdateNode should not be the target of local flow. |
+| dispatch.cpp:90:3:90:10 | call to identity [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:90:3:90:10 | call to identity [post update] | PostUpdateNode should not be the target of local flow. |
-| dispatch.cpp:90:3:90:10 | top [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:90:12:90:14 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:90:12:90:14 | top [post update] | PostUpdateNode should not be the target of local flow. |
-| dispatch.cpp:90:18:90:23 | call to identity [post update] | PostUpdateNode should not be the target of local flow. |
+| dispatch.cpp:90:12:90:14 | top [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:100:3:100:18 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:105:5:105:17 | maybeCallSink [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:113:30:113:38 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
@@ -176,11 +176,11 @@ postWithInFlow
 | dispatch.cpp:127:31:127:36 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:129:10:129:15 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:129:10:129:15 | topPtr [post update] | PostUpdateNode should not be the target of local flow. |
-| dispatch.cpp:129:18:129:25 | topPtr [post update] | PostUpdateNode should not be the target of local flow. |
+| dispatch.cpp:129:10:129:15 | topPtr [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:130:10:130:15 | (reference dereference) [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:130:10:130:15 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:130:10:130:15 | topRef [post update] | PostUpdateNode should not be the target of local flow. |
-| dispatch.cpp:130:17:130:24 | topRef [post update] | PostUpdateNode should not be the target of local flow. |
+| dispatch.cpp:130:10:130:15 | topRef [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:148:3:148:3 | u [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:148:5:148:5 | f [post update] | PostUpdateNode should not be the target of local flow. |
 | dispatch.cpp:168:3:168:4 | u2 [post update] | PostUpdateNode should not be the target of local flow. |
@@ -191,10 +191,10 @@ postWithInFlow
 | example.c:24:9:24:9 | x [post update] | PostUpdateNode should not be the target of local flow. |
 | example.c:24:20:24:20 | y [post update] | PostUpdateNode should not be the target of local flow. |
 | example.c:26:9:26:9 | x [post update] | PostUpdateNode should not be the target of local flow. |
-| example.c:26:13:26:16 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
+| example.c:26:18:26:24 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | example.c:26:18:26:24 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | example.c:26:19:26:24 | coords [post update] | PostUpdateNode should not be the target of local flow. |
-| example.c:28:2:28:12 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
+| example.c:28:14:28:25 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | example.c:28:14:28:25 | (void *)... [post update] | PostUpdateNode should not be the target of local flow. |
 | example.c:28:22:28:25 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | example.c:28:23:28:25 | pos [post update] | PostUpdateNode should not be the target of local flow. |
@@ -227,23 +227,23 @@ postWithInFlow
 | lambdas.cpp:43:3:43:3 | (reference dereference) [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:43:3:43:3 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:43:3:43:3 | c [post update] | PostUpdateNode should not be the target of local flow. |
-| lambdas.cpp:45:3:45:3 | t [post update] | PostUpdateNode should not be the target of local flow. |
-| lambdas.cpp:45:3:45:3 | u [post update] | PostUpdateNode should not be the target of local flow. |
-| lambdas.cpp:45:3:45:3 | w [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:45:4:45:4 | (reference to) [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:45:4:45:4 | t [post update] | PostUpdateNode should not be the target of local flow. |
+| lambdas.cpp:45:4:45:4 | t [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:45:7:45:7 | (reference to) [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:45:7:45:7 | u [post update] | PostUpdateNode should not be the target of local flow. |
+| lambdas.cpp:45:7:45:7 | u [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:45:10:45:10 | (reference to) [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:45:10:45:10 | w [post update] | PostUpdateNode should not be the target of local flow. |
+| lambdas.cpp:45:10:45:10 | w [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:11:5:11:7 | (reference dereference) [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:11:5:11:7 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:11:5:11:7 | lhs [post update] | PostUpdateNode should not be the target of local flow. |
-| ref.cpp:16:5:16:10 | lhs [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:16:12:16:14 | (reference dereference) [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:16:12:16:14 | (reference to) [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:16:12:16:14 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:16:12:16:14 | lhs [post update] | PostUpdateNode should not be the target of local flow. |
+| ref.cpp:16:12:16:14 | lhs [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:20:5:20:7 | (reference dereference) [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:20:5:20:7 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:20:5:20:7 | lhs [post update] | PostUpdateNode should not be the target of local flow. |
@@ -259,11 +259,11 @@ postWithInFlow
 | ref.cpp:31:7:31:9 | (reference dereference) [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:31:7:31:9 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:31:7:31:9 | out [post update] | PostUpdateNode should not be the target of local flow. |
-| ref.cpp:37:7:37:19 | out [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:37:21:37:23 | (reference dereference) [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:37:21:37:23 | (reference to) [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:37:21:37:23 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:37:21:37:23 | out [post update] | PostUpdateNode should not be the target of local flow. |
+| ref.cpp:37:21:37:23 | out [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:39:7:39:9 | (reference dereference) [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:39:7:39:9 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:39:7:39:9 | out [post update] | PostUpdateNode should not be the target of local flow. |
@@ -276,26 +276,26 @@ postWithInFlow
 | ref.cpp:48:7:48:9 | (reference dereference) [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:48:7:48:9 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:48:7:48:9 | out [post update] | PostUpdateNode should not be the target of local flow. |
-| ref.cpp:55:5:55:17 | x1 [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:55:19:55:20 | (reference to) [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:55:19:55:20 | x1 [post update] | PostUpdateNode should not be the target of local flow. |
-| ref.cpp:58:5:58:13 | x2 [post update] | PostUpdateNode should not be the target of local flow. |
+| ref.cpp:55:19:55:20 | x1 [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:58:15:58:16 | (reference to) [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:58:15:58:16 | x2 [post update] | PostUpdateNode should not be the target of local flow. |
-| ref.cpp:61:5:61:24 | x3 [post update] | PostUpdateNode should not be the target of local flow. |
+| ref.cpp:58:15:58:16 | x2 [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:61:26:61:27 | (reference to) [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:61:26:61:27 | x3 [post update] | PostUpdateNode should not be the target of local flow. |
-| ref.cpp:64:5:64:13 | x4 [post update] | PostUpdateNode should not be the target of local flow. |
+| ref.cpp:61:26:61:27 | x3 [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:64:15:64:16 | (reference to) [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:64:15:64:16 | x4 [post update] | PostUpdateNode should not be the target of local flow. |
+| ref.cpp:64:15:64:16 | x4 [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:75:5:75:7 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:75:5:75:7 | lhs [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:75:9:75:11 | val [post update] | PostUpdateNode should not be the target of local flow. |
-| ref.cpp:79:5:79:10 | lhs [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:79:12:79:14 | (reference dereference) [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:79:12:79:14 | (reference to) [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:79:12:79:14 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:79:12:79:14 | lhs [post update] | PostUpdateNode should not be the target of local flow. |
+| ref.cpp:79:12:79:14 | lhs [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:83:5:83:7 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:83:5:83:7 | lhs [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:83:9:83:11 | val [post update] | PostUpdateNode should not be the target of local flow. |
@@ -311,11 +311,11 @@ postWithInFlow
 | ref.cpp:96:7:96:9 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:96:7:96:9 | out [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:96:11:96:13 | val [post update] | PostUpdateNode should not be the target of local flow. |
-| ref.cpp:102:7:102:19 | out [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:102:21:102:23 | (reference dereference) [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:102:21:102:23 | (reference to) [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:102:21:102:23 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:102:21:102:23 | out [post update] | PostUpdateNode should not be the target of local flow. |
+| ref.cpp:102:21:102:23 | out [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:104:7:104:9 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:104:7:104:9 | out [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:104:11:104:13 | val [post update] | PostUpdateNode should not be the target of local flow. |
@@ -328,18 +328,18 @@ postWithInFlow
 | ref.cpp:115:7:115:9 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:115:7:115:9 | out [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:115:11:115:13 | val [post update] | PostUpdateNode should not be the target of local flow. |
-| ref.cpp:122:5:122:17 | x1 [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:122:19:122:20 | (reference to) [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:122:19:122:20 | x1 [post update] | PostUpdateNode should not be the target of local flow. |
-| ref.cpp:125:5:125:13 | x2 [post update] | PostUpdateNode should not be the target of local flow. |
+| ref.cpp:122:19:122:20 | x1 [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:125:15:125:16 | (reference to) [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:125:15:125:16 | x2 [post update] | PostUpdateNode should not be the target of local flow. |
-| ref.cpp:128:5:128:24 | x3 [post update] | PostUpdateNode should not be the target of local flow. |
+| ref.cpp:125:15:125:16 | x2 [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:128:26:128:27 | (reference to) [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:128:26:128:27 | x3 [post update] | PostUpdateNode should not be the target of local flow. |
-| ref.cpp:131:5:131:13 | x4 [post update] | PostUpdateNode should not be the target of local flow. |
+| ref.cpp:128:26:128:27 | x3 [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:131:15:131:16 | (reference to) [post update] | PostUpdateNode should not be the target of local flow. |
 | ref.cpp:131:15:131:16 | x4 [post update] | PostUpdateNode should not be the target of local flow. |
+| ref.cpp:131:15:131:16 | x4 [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:6:7:6:8 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:8:3:8:4 | t2 [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:12:5:12:6 | t2 [post update] | PostUpdateNode should not be the target of local flow. |
@@ -520,40 +520,40 @@ postWithInFlow
 | test.cpp:374:5:374:20 | this [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:374:5:374:20 | this [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:383:7:383:9 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:384:3:384:8 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:384:10:384:13 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:384:10:384:13 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:384:10:384:13 | (void *)... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:384:11:384:13 | tmp [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:389:7:389:9 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:390:8:390:14 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:391:3:391:8 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:391:10:391:13 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:391:10:391:13 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:391:10:391:13 | (void *)... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:391:11:391:13 | tmp [post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:400:3:400:8 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:400:10:400:13 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:400:10:400:13 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:400:10:400:13 | (void *)... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:400:11:400:13 | tmp [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:406:8:406:14 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:407:3:407:8 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:407:10:407:13 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:407:10:407:13 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:407:10:407:13 | (void *)... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:407:11:407:13 | tmp [post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:417:3:417:14 | local [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:417:16:417:20 | (reference to) [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:417:16:417:20 | local [post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:423:3:423:18 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:417:16:417:20 | local [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:423:20:423:25 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:423:20:423:25 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:423:21:423:25 | local [post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:429:3:429:18 | local [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:429:20:429:24 | array to pointer conversion [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:429:20:429:24 | local [post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:436:3:436:16 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:429:20:429:24 | local [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:436:18:436:23 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:436:18:436:23 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:436:19:436:23 | local [post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:442:3:442:16 | local [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:442:18:442:22 | array to pointer conversion [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:442:18:442:22 | local [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:442:18:442:22 | local [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:453:7:453:11 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:456:7:456:9 | tmp [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:458:7:458:9 | tmp [post update] | PostUpdateNode should not be the target of local flow. |
@@ -561,12 +561,12 @@ postWithInFlow
 | test.cpp:465:4:465:4 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:465:4:465:4 | p [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:469:7:469:7 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:470:3:470:19 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:470:21:470:22 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:470:21:470:22 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:470:22:470:22 | x [post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:481:3:481:19 | content [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:481:21:481:21 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:481:21:481:30 | (void *)... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:481:21:481:30 | content [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:481:24:481:30 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:481:24:481:30 | content [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:482:8:482:16 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
--- a/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected
--- a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
--- a/cpp/ql/test/library-tests/dataflow/fields/partial-definition-diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/partial-definition-diff.expected
@@ -1,28 +1,28 @@
 | A.cpp:25:13:25:13 | c | AST only |
 | A.cpp:27:28:27:28 | c | AST only |
 | A.cpp:31:14:31:21 | new | IR only |
-| A.cpp:40:8:40:13 | 0 | IR only |
-| A.cpp:41:8:41:13 | new | IR only |
+| A.cpp:40:15:40:21 | 0 | IR only |
+| A.cpp:41:15:41:21 | new | IR only |
 | A.cpp:41:15:41:21 | new | IR only |
 | A.cpp:47:12:47:18 | new | IR only |
 | A.cpp:54:12:54:18 | new | IR only |
-| A.cpp:55:8:55:10 | new | IR only |
+| A.cpp:55:12:55:19 | new | IR only |
 | A.cpp:55:12:55:19 | new | IR only |
 | A.cpp:57:11:57:24 | new | IR only |
 | A.cpp:57:11:57:24 | new | IR only |
 | A.cpp:57:17:57:23 | new | IR only |
-| A.cpp:57:28:57:30 | new | IR only |
+| A.cpp:57:17:57:23 | new | IR only |
 | A.cpp:62:13:62:19 | new | IR only |
-| A.cpp:64:10:64:15 | new | IR only |
+| A.cpp:64:21:64:28 | new | IR only |
 | A.cpp:64:21:64:28 | new | IR only |
 | A.cpp:71:13:71:19 | new | IR only |
-| A.cpp:73:10:73:19 | new | IR only |
+| A.cpp:73:25:73:32 | new | IR only |
 | A.cpp:73:25:73:32 | new | IR only |
 | A.cpp:89:15:89:21 | new | IR only |
 | A.cpp:99:14:99:21 | new | IR only |
 | A.cpp:100:9:100:9 | a | AST only |
 | A.cpp:116:12:116:19 | new | IR only |
-| A.cpp:126:8:126:10 | new | IR only |
+| A.cpp:126:12:126:18 | new | IR only |
 | A.cpp:126:12:126:18 | new | IR only |
 | A.cpp:130:12:130:18 | new | IR only |
 | A.cpp:142:10:142:10 | c | AST only |
@@ -33,57 +33,57 @@
 | A.cpp:151:12:151:24 | new | IR only |
 | A.cpp:159:12:159:18 | new | IR only |
 | A.cpp:160:18:160:60 | new | IR only |
-| A.cpp:160:18:160:60 | new | IR only |
-| A.cpp:160:32:160:59 | 0 | IR only |
-| A.cpp:160:32:160:59 | 0 | IR only |
 | A.cpp:160:32:160:59 | new | IR only |
-| A.cpp:161:18:161:40 | 0 | IR only |
+| A.cpp:160:32:160:59 | new | IR only |
+| A.cpp:160:43:160:49 | 0 | IR only |
+| A.cpp:160:52:160:58 | 0 | IR only |
 | A.cpp:161:18:161:40 | new | IR only |
-| A.cpp:162:18:162:40 | 0 | IR only |
+| A.cpp:161:29:161:35 | 0 | IR only |
 | A.cpp:162:18:162:40 | new | IR only |
+| A.cpp:162:29:162:35 | 0 | IR only |
 | A.cpp:183:7:183:10 | head | AST only |
 | A.cpp:184:13:184:16 | next | AST only |
-| B.cpp:7:16:7:35 | 0 | IR only |
 | B.cpp:7:16:7:35 | new | IR only |
+| B.cpp:7:28:7:34 | 0 | IR only |
 | B.cpp:8:16:8:27 | new | IR only |
-| B.cpp:16:16:16:38 | 0 | IR only |
 | B.cpp:16:16:16:38 | new | IR only |
+| B.cpp:16:28:16:34 | 0 | IR only |
 | B.cpp:17:16:17:27 | new | IR only |
 | B.cpp:35:13:35:17 | elem1 | AST only |
 | B.cpp:36:13:36:17 | elem2 | AST only |
 | B.cpp:46:13:46:16 | box1 | AST only |
 | C.cpp:18:12:18:18 | new | IR only |
 | C.cpp:24:11:24:12 | s3 | AST only |
-| C.cpp:30:5:30:8 | s2 | IR only |
+| C.cpp:30:10:30:11 | s2 | IR only |
 | C.cpp:30:10:30:11 | this | IR only |
-| C.cpp:32:5:32:8 | s4 | IR only |
+| C.cpp:32:10:32:11 | s4 | IR only |
 | D.cpp:9:21:9:24 | elem | AST only |
 | D.cpp:11:29:11:32 | elem | AST only |
 | D.cpp:16:21:16:23 | box | AST only |
 | D.cpp:18:29:18:31 | box | AST only |
 | D.cpp:29:15:29:41 | new | IR only |
-| D.cpp:29:15:29:41 | new | IR only |
-| D.cpp:29:24:29:40 | 0 | IR only |
 | D.cpp:29:24:29:40 | new | IR only |
+| D.cpp:29:24:29:40 | new | IR only |
+| D.cpp:29:33:29:39 | 0 | IR only |
 | D.cpp:30:13:30:16 | elem | AST only |
 | D.cpp:36:15:36:41 | new | IR only |
-| D.cpp:36:15:36:41 | new | IR only |
-| D.cpp:36:24:36:40 | 0 | IR only |
 | D.cpp:36:24:36:40 | new | IR only |
+| D.cpp:36:24:36:40 | new | IR only |
+| D.cpp:36:33:36:39 | 0 | IR only |
 | D.cpp:43:15:43:41 | new | IR only |
-| D.cpp:43:15:43:41 | new | IR only |
-| D.cpp:43:24:43:40 | 0 | IR only |
 | D.cpp:43:24:43:40 | new | IR only |
+| D.cpp:43:24:43:40 | new | IR only |
+| D.cpp:43:33:43:39 | 0 | IR only |
 | D.cpp:44:19:44:22 | elem | AST only |
 | D.cpp:50:15:50:41 | new | IR only |
-| D.cpp:50:15:50:41 | new | IR only |
-| D.cpp:50:24:50:40 | 0 | IR only |
 | D.cpp:50:24:50:40 | new | IR only |
+| D.cpp:50:24:50:40 | new | IR only |
+| D.cpp:50:33:50:39 | 0 | IR only |
 | D.cpp:57:5:57:12 | boxfield | AST only |
 | D.cpp:57:16:57:42 | new | IR only |
-| D.cpp:57:16:57:42 | new | IR only |
-| D.cpp:57:25:57:41 | 0 | IR only |
 | D.cpp:57:25:57:41 | new | IR only |
+| D.cpp:57:25:57:41 | new | IR only |
+| D.cpp:57:34:57:40 | 0 | IR only |
 | D.cpp:58:20:58:23 | elem | AST only |
 | aliasing.cpp:9:6:9:7 | m1 | AST only |
 | aliasing.cpp:13:5:13:6 | m1 | AST only |
@@ -100,13 +100,13 @@
 | aliasing.cpp:98:5:98:6 | m1 | AST only |
 | aliasing.cpp:106:3:106:5 | * ... | AST only |
 | arrays.cpp:6:3:6:8 | access to array | AST only |
-| arrays.cpp:7:3:7:6 | access to array | IR only |
-| arrays.cpp:8:3:8:6 | access to array | IR only |
-| arrays.cpp:9:3:9:6 | * ... | IR only |
-| arrays.cpp:10:3:10:6 | * ... | IR only |
+| arrays.cpp:7:8:7:13 | access to array | IR only |
+| arrays.cpp:8:8:8:13 | access to array | IR only |
+| arrays.cpp:9:8:9:11 | * ... | IR only |
+| arrays.cpp:10:8:10:15 | * ... | IR only |
 | arrays.cpp:15:3:15:10 | * ... | AST only |
-| arrays.cpp:16:3:16:6 | access to array | IR only |
-| arrays.cpp:17:3:17:6 | access to array | IR only |
+| arrays.cpp:16:8:16:13 | access to array | IR only |
+| arrays.cpp:17:8:17:13 | access to array | IR only |
 | arrays.cpp:36:19:36:22 | data | AST only |
 | arrays.cpp:42:22:42:25 | data | AST only |
 | arrays.cpp:48:22:48:25 | data | AST only |
--- a/cpp/ql/test/library-tests/dataflow/fields/struct_init.c
+++ b/cpp/ql/test/library-tests/dataflow/fields/struct_init.c
@@ -12,7 +12,7 @@ struct Outer {
 };

 void absink(struct AB *ab) {
-  sink(ab->a); //$ ast,ir=20:20 ast,ir=27:7 ast=40:20 MISSING: ir
+  sink(ab->a); //$ ast,ir=20:20 ast,ir=27:7 ast,ir=40:20
  sink(ab->b); // no flow
 }

@@ -30,7 +30,7 @@ int struct_init(void) {

  sink(outer.nestedAB.a); //$ ast,ir
  sink(outer.nestedAB.b); // no flow
-  sink(outer.pointerAB->a); //$ ast MISSING: ir
+  sink(outer.pointerAB->a); //$ ast,ir
  sink(outer.pointerAB->b); // no flow

  absink(&outer.nestedAB);
--- a/cpp/ql/test/library-tests/dataflow/smart-pointers-taint/test.cpp
+++ b/cpp/ql/test/library-tests/dataflow/smart-pointers-taint/test.cpp
@@ -21,9 +21,9 @@ void test_unique_ptr_struct() {
 	std::unique_ptr<A> p1(new A{source(), 0});
 	std::unique_ptr<A> p2 = std::make_unique<A>(source(), 0);
 	
-	sink(p1->x); // $ ir MISSING: ast
+	sink(p1->x); // $ MISSING: ast,ir
 	sink(p1->y);
-	sink(p2->x); // $ ir=22:46 MISSING: ast
+	sink(p2->x); // $ MISSING: ast,ir=22:46
 	sink(p2->y);
 }

--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
@@ -126,15 +126,15 @@ void pointer_test() {

 	*p2 = source();

-	sink(*p1); // $ ast MISSING: ir
+	sink(*p1); // $ ast,ir
 	sink(*p2); // $ ast,ir
 	sink(*p3);

 	p3 = &t1;
-	sink(*p3); // $ ast MISSING: ir
+	sink(*p3); // $ ast,ir

 	*p3 = 0;
-	sink(*p3); // $ SPURIOUS: ast
+	sink(*p3); // $ SPURIOUS: ast,ir
 }

 // --- return values ---
--- a/cpp/ql/test/library-tests/ir/ir/PrintConfig.qll
+++ b/cpp/ql/test/library-tests/ir/ir/PrintConfig.qll
@@ -1,10 +1,15 @@
 private import cpp

+/**
+ * Holds if the specified location is in standard headers.
+ */
+predicate locationIsInStandardHeaders(Location loc) {
+  loc.getFile().getAbsolutePath().regexpMatch(".*/include/[^/]+")
+}
+
 /**
 * Holds if the AST or IR for the specified function should be printed in the test output.
 *
 * This predicate excludes functions defined in standard headers.
 */
-predicate shouldDumpFunction(Function func) {
-  not func.getLocation().getFile().getAbsolutePath().regexpMatch(".*/include/[^/]+")
-}
+predicate shouldDumpFunction(Function func) { not locationIsInStandardHeaders(func.getLocation()) }
--- a/cpp/ql/test/library-tests/ir/ir/operand_locations.expected
+++ b/cpp/ql/test/library-tests/ir/ir/operand_locations.expected
--- a/cpp/ql/test/library-tests/ir/ir/operand_locations.ql
+++ b/cpp/ql/test/library-tests/ir/ir/operand_locations.ql
@@ -0,0 +1,7 @@
+private import cpp
+private import semmle.code.cpp.ir.IR
+private import PrintConfig
+
+from Operand a
+where not locationIsInStandardHeaders(a.getLocation())
+select a, a.getDumpString()
--- a/cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected
+++ b/cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected
@@ -1474,7 +1474,7 @@ reverseRead
 argHasPostUpdate
 postWithInFlow
 | FunctionTryStmt.cpp:2:3:2:11 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
-| VacuousDestructorCall.cpp:10:3:10:16 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
+| VacuousDestructorCall.cpp:10:21:10:22 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | VacuousDestructorCall.cpp:10:21:10:22 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | VacuousDestructorCall.cpp:10:22:10:22 | i [post update] | PostUpdateNode should not be the target of local flow. |
 | abortingfunctions.cpp:49:5:49:12 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
@@ -1497,7 +1497,7 @@ postWithInFlow
 | bad_asts.cpp:10:7:10:23 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | bad_asts.cpp:15:10:15:12 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | bad_asts.cpp:16:5:16:5 | s [post update] | PostUpdateNode should not be the target of local flow. |
-| bad_asts.cpp:16:7:16:23 | s [post update] | PostUpdateNode should not be the target of local flow. |
+| bad_asts.cpp:16:5:16:5 | s [post update] | PostUpdateNode should not be the target of local flow. |
 | bad_asts.cpp:27:11:27:11 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | break_labels.c:3:9:3:14 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | break_labels.c:5:9:5:14 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
@@ -1520,35 +1520,35 @@ postWithInFlow
 | builtin.c:22:3:22:5 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | builtin.c:29:5:29:15 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | builtin.c:34:3:34:5 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
-| builtin.c:34:10:34:20 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
+| builtin.c:34:22:34:31 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | builtin.c:34:22:34:31 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | builtin.c:34:22:34:31 | (volatile void *)... [post update] | PostUpdateNode should not be the target of local flow. |
 | builtin.c:34:23:34:31 | staticint [post update] | PostUpdateNode should not be the target of local flow. |
 | builtin.c:39:3:39:5 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
-| builtin.c:39:10:39:23 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
+| builtin.c:39:36:39:45 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | builtin.c:39:36:39:45 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | builtin.c:39:37:39:45 | carry_out [post update] | PostUpdateNode should not be the target of local flow. |
-| builtin.c:43:3:43:24 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
+| builtin.c:43:40:43:49 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | builtin.c:43:40:43:49 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | builtin.c:43:41:43:49 | staticint [post update] | PostUpdateNode should not be the target of local flow. |
 | builtin.c:45:3:45:5 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | builtin.c:48:2:48:4 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | builtin.c:51:3:51:5 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
-| builtin.c:51:10:51:27 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
+| builtin.c:51:29:51:38 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | builtin.c:51:29:51:38 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | builtin.c:51:30:51:38 | staticint [post update] | PostUpdateNode should not be the target of local flow. |
 | builtin.c:54:3:54:5 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
-| builtin.c:54:10:54:26 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
+| builtin.c:54:28:54:38 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | builtin.c:54:28:54:38 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | builtin.c:54:29:54:38 | atomic_int [post update] | PostUpdateNode should not be the target of local flow. |
 | builtin.c:56:3:56:13 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | builtin.cpp:5:5:5:34 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | builtin.cpp:10:10:10:10 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
-| builtin.cpp:10:14:10:22 | i [post update] | PostUpdateNode should not be the target of local flow. |
 | builtin.cpp:10:24:10:24 | (reference to) [post update] | PostUpdateNode should not be the target of local flow. |
 | builtin.cpp:10:24:10:24 | i [post update] | PostUpdateNode should not be the target of local flow. |
+| builtin.cpp:10:24:10:24 | i [post update] | PostUpdateNode should not be the target of local flow. |
 | builtin.cpp:14:11:14:13 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
-| builtin.cpp:15:5:15:29 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
+| builtin.cpp:15:31:15:35 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
 | builtin.cpp:15:31:15:35 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
 | builtin.cpp:15:32:15:35 | & ... [post update] | PostUpdateNode should not be the target of local flow. |
 | builtin.cpp:15:33:15:35 | ptr [post update] | PostUpdateNode should not be the target of local flow. |
@@ -1559,18 +1559,18 @@ postWithInFlow
 | condition_decls.cpp:3:13:3:22 | Call [post update] | PostUpdateNode should not be the target of local flow. |
 | condition_decls.cpp:3:13:3:22 | new [post update] | PostUpdateNode should not be the target of local flow. |
 | condition_decls.cpp:9:5:9:18 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
+| condition_decls.cpp:16:6:16:20 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
 | condition_decls.cpp:16:6:16:20 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
-| condition_decls.cpp:16:19:16:20 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
+| condition_decls.cpp:26:10:26:24 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
 | condition_decls.cpp:26:10:26:24 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
-| condition_decls.cpp:26:23:26:24 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
+| condition_decls.cpp:41:9:41:23 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
 | condition_decls.cpp:41:9:41:23 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
-| condition_decls.cpp:41:22:41:23 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
+| condition_decls.cpp:48:16:48:19 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
 | condition_decls.cpp:48:16:48:19 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
-| condition_decls.cpp:48:22:48:24 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
+| condition_decls.cpp:48:27:48:31 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
 | condition_decls.cpp:48:27:48:31 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
-| condition_decls.cpp:48:34:48:36 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
+| condition_decls.cpp:48:39:48:53 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
 | condition_decls.cpp:48:39:48:53 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
-| condition_decls.cpp:48:52:48:53 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
 | conditional_destructors.cpp:6:13:6:15 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | conditional_destructors.cpp:6:13:6:15 | val [post update] | PostUpdateNode should not be the target of local flow. |
 | conditional_destructors.cpp:10:9:10:32 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
@@ -1594,8 +1594,8 @@ postWithInFlow
 | conditional_destructors.cpp:42:18:42:22 | call to C2 [post update] | PostUpdateNode should not be the target of local flow. |
 | conditional_destructors.cpp:42:18:42:22 | temporary object [post update] | PostUpdateNode should not be the target of local flow. |
 | constmemberaccess.cpp:9:2:9:2 | i [post update] | PostUpdateNode should not be the target of local flow. |
+| constructorinitializer.cpp:8:4:8:4 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
 | constructorinitializer.cpp:8:4:8:4 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
-| constructorinitializer.cpp:8:6:8:18 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
 | cpp11.cpp:6:5:6:5 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | cpp11.cpp:6:5:6:5 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | cpp11.cpp:6:5:6:5 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
@@ -1650,13 +1650,13 @@ postWithInFlow
 | cpp17.cpp:15:5:15:45 | Call [post update] | PostUpdateNode should not be the target of local flow. |
 | cpp17.cpp:15:5:15:45 | new [post update] | PostUpdateNode should not be the target of local flow. |
 | cpp17.cpp:15:5:15:45 | new [post update] | PostUpdateNode should not be the target of local flow. |
-| cpp17.cpp:19:5:19:8 | 1 [post update] | PostUpdateNode should not be the target of local flow. |
-| cpp17.cpp:19:5:19:8 | 2 [post update] | PostUpdateNode should not be the target of local flow. |
-| cpp17.cpp:19:5:19:8 | p [post update] | PostUpdateNode should not be the target of local flow. |
 | cpp17.cpp:19:10:19:10 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | cpp17.cpp:19:10:19:10 | p [post update] | PostUpdateNode should not be the target of local flow. |
+| cpp17.cpp:19:10:19:10 | p [post update] | PostUpdateNode should not be the target of local flow. |
+| cpp17.cpp:19:13:19:13 | 1 [post update] | PostUpdateNode should not be the target of local flow. |
 | cpp17.cpp:19:13:19:13 | (reference to) [post update] | PostUpdateNode should not be the target of local flow. |
 | cpp17.cpp:19:13:19:13 | temporary object [post update] | PostUpdateNode should not be the target of local flow. |
+| cpp17.cpp:19:16:19:16 | 2 [post update] | PostUpdateNode should not be the target of local flow. |
 | cpp17.cpp:19:16:19:16 | (reference to) [post update] | PostUpdateNode should not be the target of local flow. |
 | cpp17.cpp:19:16:19:16 | temporary object [post update] | PostUpdateNode should not be the target of local flow. |
 | defdestructordeleteexpr.cpp:4:5:4:5 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
@@ -1982,20 +1982,20 @@ postWithInFlow
 | ir.cpp:579:10:579:10 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:579:16:579:21 | PointerAdd [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:579:16:579:21 | PointerAdd [post update] | PostUpdateNode should not be the target of local flow. |
-| ir.cpp:585:5:585:18 | string [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:585:32:585:39 | array to pointer conversion [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:585:32:585:39 | string [post update] | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:585:32:585:39 | string [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:591:11:591:13 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:592:5:592:7 | pfn [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:593:5:593:7 | pfn [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:594:5:594:7 | pfn [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:616:12:616:13 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:616:12:616:13 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:617:12:617:13 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:617:12:617:13 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
-| ir.cpp:617:15:617:22 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:618:12:618:13 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:619:12:619:13 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:619:12:619:13 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
-| ir.cpp:619:16:619:30 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:631:9:631:17 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:635:9:635:17 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:639:9:639:17 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
@@ -2011,11 +2011,11 @@ postWithInFlow
 | ir.cpp:649:9:649:9 | x [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:653:9:653:12 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:653:9:653:12 | this [post update] | PostUpdateNode should not be the target of local flow. |
-| ir.cpp:653:15:653:36 | this [post update] | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:653:9:653:12 | this [post update] | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:654:10:654:14 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:654:10:654:14 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:654:11:654:14 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:654:11:654:14 | this [post update] | PostUpdateNode should not be the target of local flow. |
-| ir.cpp:654:17:654:38 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:655:9:655:30 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:655:9:655:30 | this [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:655:9:655:30 | this [post update] | PostUpdateNode should not be the target of local flow. |
@@ -2042,7 +2042,7 @@ postWithInFlow
 | ir.cpp:716:5:716:15 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:716:12:716:14 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:721:3:721:54 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
-| ir.cpp:721:10:721:39 | 0 [post update] | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:721:41:721:47 | 0 [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:721:41:721:47 | (void *)... [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:726:9:726:9 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:728:7:728:28 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
@@ -2110,13 +2110,13 @@ postWithInFlow
 | ir.cpp:805:11:805:12 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:806:12:806:13 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:808:3:808:3 | b [post update] | PostUpdateNode should not be the target of local flow. |
-| ir.cpp:808:5:808:5 | b [post update] | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:808:3:808:3 | b [post update] | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:809:3:809:3 | b [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:809:3:809:3 | b [post update] | PostUpdateNode should not be the target of local flow. |
-| ir.cpp:809:5:809:5 | b [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:809:7:809:13 | call to Base [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:809:7:809:13 | temporary object [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:810:3:810:3 | b [post update] | PostUpdateNode should not be the target of local flow. |
-| ir.cpp:810:5:810:5 | b [post update] | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:810:3:810:3 | b [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:810:7:810:26 | call to Base [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:810:7:810:26 | temporary object [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:811:3:811:4 | pb [post update] | PostUpdateNode should not be the target of local flow. |
@@ -2124,20 +2124,20 @@ postWithInFlow
 | ir.cpp:813:3:813:4 | pb [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:814:3:814:4 | pb [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:816:3:816:3 | m [post update] | PostUpdateNode should not be the target of local flow. |
-| ir.cpp:816:5:816:5 | m [post update] | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:816:3:816:3 | m [post update] | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:817:3:817:3 | m [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:817:3:817:3 | m [post update] | PostUpdateNode should not be the target of local flow. |
-| ir.cpp:817:5:817:5 | m [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:818:3:818:4 | pm [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:819:3:819:4 | pm [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:820:3:820:4 | pm [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:822:3:822:3 | b [post update] | PostUpdateNode should not be the target of local flow. |
-| ir.cpp:822:5:822:5 | b [post update] | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:822:3:822:3 | b [post update] | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:823:3:823:3 | b [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:823:3:823:3 | b [post update] | PostUpdateNode should not be the target of local flow. |
-| ir.cpp:823:5:823:5 | b [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:823:7:823:13 | call to Base [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:823:7:823:13 | temporary object [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:824:3:824:3 | b [post update] | PostUpdateNode should not be the target of local flow. |
-| ir.cpp:824:5:824:5 | b [post update] | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:824:3:824:3 | b [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:824:7:824:26 | call to Base [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:824:7:824:26 | temporary object [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:825:3:825:4 | pb [post update] | PostUpdateNode should not be the target of local flow. |
@@ -2145,9 +2145,9 @@ postWithInFlow
 | ir.cpp:827:3:827:4 | pb [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:828:3:828:4 | pb [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:830:3:830:3 | d [post update] | PostUpdateNode should not be the target of local flow. |
-| ir.cpp:830:5:830:5 | d [post update] | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:830:3:830:3 | d [post update] | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:831:3:831:3 | d [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:831:3:831:3 | d [post update] | PostUpdateNode should not be the target of local flow. |
-| ir.cpp:831:5:831:5 | d [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:832:3:832:4 | pd [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:833:3:833:4 | pd [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:834:3:834:4 | pd [post update] | PostUpdateNode should not be the target of local flow. |
@@ -2170,8 +2170,8 @@ postWithInFlow
 | ir.cpp:861:23:861:24 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:863:9:863:10 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:864:15:864:17 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
+| ir.cpp:867:1:867:14 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:867:1:867:14 | this [post update] | PostUpdateNode should not be the target of local flow. |
-| ir.cpp:868:3:868:12 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:873:15:873:15 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:874:3:874:3 | p [post update] | PostUpdateNode should not be the target of local flow. |
 | ir.cpp:875:3:875:3 | p [post update] | PostUpdateNode should not be the target of local flow. |
@@ -2293,23 +2293,23 @@ postWithInFlow
 | misc.c:229:7:229:8 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | misc.c:230:2:230:3 | p1 [post update] | PostUpdateNode should not be the target of local flow. |
 | misc.c:231:2:231:40 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
-| modeled-functions.cpp:6:3:6:8 | 0 [post update] | PostUpdateNode should not be the target of local flow. |
-| modeled-functions.cpp:6:3:6:8 | 0 [post update] | PostUpdateNode should not be the target of local flow. |
+| modeled-functions.cpp:6:19:6:19 | 0 [post update] | PostUpdateNode should not be the target of local flow. |
 | modeled-functions.cpp:6:19:6:19 | (char *)... [post update] | PostUpdateNode should not be the target of local flow. |
+| modeled-functions.cpp:6:22:6:22 | 0 [post update] | PostUpdateNode should not be the target of local flow. |
 | modeled-functions.cpp:6:22:6:22 | (unsigned long *)... [post update] | PostUpdateNode should not be the target of local flow. |
 | ms_assume.cpp:13:8:13:9 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ms_assume.cpp:14:8:14:9 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | ms_assume.cpp:28:3:28:8 | result [post update] | PostUpdateNode should not be the target of local flow. |
-| ms_assume.cpp:28:12:28:16 | buffer [post update] | PostUpdateNode should not be the target of local flow. |
 | ms_assume.cpp:28:18:28:23 | array to pointer conversion [post update] | PostUpdateNode should not be the target of local flow. |
 | ms_assume.cpp:28:18:28:23 | buffer [post update] | PostUpdateNode should not be the target of local flow. |
+| ms_assume.cpp:28:18:28:23 | buffer [post update] | PostUpdateNode should not be the target of local flow. |
 | ms_assume.cpp:34:1:34:1 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
+| ms_try_mix.cpp:11:7:11:10 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
 | ms_try_mix.cpp:11:7:11:10 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
-| ms_try_mix.cpp:11:12:11:15 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
+| ms_try_mix.cpp:28:7:28:10 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
 | ms_try_mix.cpp:28:7:28:10 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
-| ms_try_mix.cpp:28:12:28:15 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
+| ms_try_mix.cpp:48:5:48:8 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
 | ms_try_mix.cpp:48:5:48:8 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
-| ms_try_mix.cpp:48:10:48:13 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
 | newexpr.cpp:8:2:8:20 | Call [post update] | PostUpdateNode should not be the target of local flow. |
 | newexpr.cpp:8:2:8:20 | new [post update] | PostUpdateNode should not be the target of local flow. |
 | newexpr.cpp:8:2:8:20 | new [post update] | PostUpdateNode should not be the target of local flow. |
@@ -2321,21 +2321,21 @@ postWithInFlow
 | ops.cpp:26:31:26:53 | Call [post update] | PostUpdateNode should not be the target of local flow. |
 | ops.cpp:26:31:26:53 | new [post update] | PostUpdateNode should not be the target of local flow. |
 | ops.cpp:26:31:26:53 | new [post update] | PostUpdateNode should not be the target of local flow. |
-| parameterinitializer.cpp:8:5:8:10 | Got %d\n [post update] | PostUpdateNode should not be the target of local flow. |
 | parameterinitializer.cpp:8:12:8:21 | (char *)... [post update] | PostUpdateNode should not be the target of local flow. |
 | parameterinitializer.cpp:8:12:8:21 | Got %d\n [post update] | PostUpdateNode should not be the target of local flow. |
+| parameterinitializer.cpp:8:12:8:21 | Got %d\n [post update] | PostUpdateNode should not be the target of local flow. |
 | parameterinitializer.cpp:8:12:8:21 | array to pointer conversion [post update] | PostUpdateNode should not be the target of local flow. |
 | parameterinitializer.cpp:25:5:25:8 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
 | parameterinitializer.cpp:25:5:25:8 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | parameterinitializer.cpp:27:3:27:6 | my_c [post update] | PostUpdateNode should not be the target of local flow. |
-| parameterinitializer.cpp:27:8:27:13 | my_c [post update] | PostUpdateNode should not be the target of local flow. |
+| parameterinitializer.cpp:27:3:27:6 | my_c [post update] | PostUpdateNode should not be the target of local flow. |
 | parameterinitializer.cpp:30:5:30:13 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | pointer_to_member.cpp:23:6:23:8 | obj [post update] | PostUpdateNode should not be the target of local flow. |
-| pointer_to_member.cpp:23:10:23:14 | obj [post update] | PostUpdateNode should not be the target of local flow. |
+| pointer_to_member.cpp:23:6:23:8 | obj [post update] | PostUpdateNode should not be the target of local flow. |
 | pointer_to_member.cpp:26:5:26:7 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | pointer_to_member.cpp:27:5:27:7 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | pointer_to_member.cpp:27:12:27:14 | obj [post update] | PostUpdateNode should not be the target of local flow. |
-| pointer_to_member.cpp:27:16:27:20 | obj [post update] | PostUpdateNode should not be the target of local flow. |
+| pointer_to_member.cpp:27:12:27:14 | obj [post update] | PostUpdateNode should not be the target of local flow. |
 | pointer_to_member.cpp:29:5:29:15 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | pruning.c:69:9:69:9 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | pruning.c:78:9:78:9 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
@@ -2585,9 +2585,9 @@ postWithInFlow
 | static_init_templates.cpp:3:2:3:4 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | static_init_templates.cpp:3:2:3:4 | ref [post update] | PostUpdateNode should not be the target of local flow. |
 | static_init_templates.cpp:18:7:18:7 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
-| static_init_templates.cpp:20:2:20:10 | a [post update] | PostUpdateNode should not be the target of local flow. |
 | static_init_templates.cpp:20:12:20:12 | (reference to) [post update] | PostUpdateNode should not be the target of local flow. |
 | static_init_templates.cpp:20:12:20:12 | a [post update] | PostUpdateNode should not be the target of local flow. |
+| static_init_templates.cpp:20:12:20:12 | a [post update] | PostUpdateNode should not be the target of local flow. |
 | static_init_templates.cpp:21:2:21:4 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | static_init_templates.cpp:21:2:21:4 | val [post update] | PostUpdateNode should not be the target of local flow. |
 | static_init_templates.cpp:22:2:22:8 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
@@ -2629,8 +2629,8 @@ postWithInFlow
 | staticlocals.cpp:26:19:26:21 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | staticlocals.cpp:29:14:29:14 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | staticlocals.cpp:29:14:29:14 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
+| stmt_expr.cpp:13:16:13:16 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
 | stmt_expr.cpp:13:16:13:16 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
-| stmt_expr.cpp:13:18:13:19 | Argument this [post update] | PostUpdateNode should not be the target of local flow. |
 | stmt_expr.cpp:27:5:27:7 | ptr [post update] | PostUpdateNode should not be the target of local flow. |
 | stream_it.cpp:4:16:4:30 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | stream_it.cpp:5:14:5:28 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
@@ -2644,9 +2644,9 @@ postWithInFlow
 | stream_it.cpp:11:16:11:16 | (__range) [post update] | PostUpdateNode should not be the target of local flow. |
 | stream_it.cpp:11:16:11:16 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | stream_it.cpp:11:16:11:16 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
-| stream_it.cpp:19:3:19:11 | xs [post update] | PostUpdateNode should not be the target of local flow. |
 | stream_it.cpp:19:13:19:14 | (reference to) [post update] | PostUpdateNode should not be the target of local flow. |
 | stream_it.cpp:19:13:19:14 | xs [post update] | PostUpdateNode should not be the target of local flow. |
+| stream_it.cpp:19:13:19:14 | xs [post update] | PostUpdateNode should not be the target of local flow. |
 | stream_it.cpp:20:3:20:11 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | subscriptexpr.c:4:2:4:2 | i [post update] | PostUpdateNode should not be the target of local flow. |
 | switchbody.c:5:11:5:24 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
--- a/cpp/ql/test/library-tests/syntax-zoo/raw_consistency.expected
+++ b/cpp/ql/test/library-tests/syntax-zoo/raw_consistency.expected
@@ -136,7 +136,7 @@ useNotDominatedByDefinition
 | VacuousDestructorCall.cpp:2:29:2:29 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | VacuousDestructorCall.cpp:2:6:2:6 | void CallDestructor<int>(int, int*) | void CallDestructor<int>(int, int*) |
 | misc.c:219:47:219:48 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | misc.c:219:5:219:26 | int assign_designated_init(someStruct*) | int assign_designated_init(someStruct*) |
 | static_init_templates.cpp:15:1:15:18 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | static_init_templates.cpp:15:1:15:18 | void MyClass::MyClass() | void MyClass::MyClass() |
-| try_catch.cpp:21:13:21:24 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | try_catch.cpp:19:6:19:23 | void throw_from_nonstmt(int) | void throw_from_nonstmt(int) |
+| try_catch.cpp:21:9:21:9 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | try_catch.cpp:19:6:19:23 | void throw_from_nonstmt(int) | void throw_from_nonstmt(int) |
 | vla.c:3:27:3:30 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | vla.c:3:5:3:8 | int main(int, char**) | int main(int, char**) |
 switchInstructionWithoutDefaultEdge
 notMarkedAsConflated
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected
@@ -12,17 +12,17 @@ edges
 | search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
 | search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
 | search.c:22:24:22:28 | query | search.c:23:39:23:43 | query indirection |
-| search.c:51:21:51:26 | call to getenv | search.c:55:5:55:15 | raw_query |
-| search.c:51:21:51:26 | call to getenv | search.c:55:5:55:15 | raw_query |
+| search.c:51:21:51:26 | call to getenv | search.c:55:17:55:25 | raw_query |
+| search.c:51:21:51:26 | call to getenv | search.c:55:17:55:25 | raw_query |
 | search.c:51:21:51:26 | call to getenv | search.c:55:17:55:25 | raw_query indirection |
 | search.c:51:21:51:26 | call to getenv | search.c:55:17:55:25 | raw_query indirection |
-| search.c:51:21:51:26 | call to getenv | search.c:57:5:57:15 | raw_query |
-| search.c:51:21:51:26 | call to getenv | search.c:57:5:57:15 | raw_query |
+| search.c:51:21:51:26 | call to getenv | search.c:57:17:57:25 | raw_query |
+| search.c:51:21:51:26 | call to getenv | search.c:57:17:57:25 | raw_query |
 | search.c:51:21:51:26 | call to getenv | search.c:57:17:57:25 | raw_query indirection |
 | search.c:51:21:51:26 | call to getenv | search.c:57:17:57:25 | raw_query indirection |
-| search.c:55:5:55:15 | raw_query | search.c:14:24:14:28 | query |
+| search.c:55:17:55:25 | raw_query | search.c:14:24:14:28 | query |
 | search.c:55:17:55:25 | raw_query indirection | search.c:14:24:14:28 | *query |
-| search.c:57:5:57:15 | raw_query | search.c:22:24:22:28 | query |
+| search.c:57:17:57:25 | raw_query | search.c:22:24:22:28 | query |
 | search.c:57:17:57:25 | raw_query indirection | search.c:22:24:22:28 | *query |
 subpaths
 nodes
@@ -44,9 +44,9 @@ nodes
 | search.c:23:39:23:43 | query indirection | semmle.label | query indirection |
 | search.c:51:21:51:26 | call to getenv | semmle.label | call to getenv |
 | search.c:51:21:51:26 | call to getenv | semmle.label | call to getenv |
-| search.c:55:5:55:15 | raw_query | semmle.label | raw_query |
+| search.c:55:17:55:25 | raw_query | semmle.label | raw_query |
 | search.c:55:17:55:25 | raw_query indirection | semmle.label | raw_query indirection |
-| search.c:57:5:57:15 | raw_query | semmle.label | raw_query |
+| search.c:57:17:57:25 | raw_query | semmle.label | raw_query |
 | search.c:57:17:57:25 | raw_query indirection | semmle.label | raw_query indirection |
 #select
 | search.c:17:8:17:12 | query | search.c:51:21:51:26 | call to getenv | search.c:17:8:17:12 | query | Cross-site scripting vulnerability due to $@. | search.c:51:21:51:26 | call to getenv | this query data |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.expected
@@ -6,11 +6,11 @@ edges
 | test.cpp:37:73:37:76 | data | test.cpp:43:32:43:35 | data |
 | test.cpp:37:73:37:76 | data | test.cpp:43:32:43:35 | data |
 | test.cpp:37:73:37:76 | data | test.cpp:43:32:43:35 | data indirection |
-| test.cpp:64:30:64:35 | call to getenv | test.cpp:73:17:73:22 | data |
-| test.cpp:64:30:64:35 | call to getenv | test.cpp:73:17:73:22 | data |
+| test.cpp:64:30:64:35 | call to getenv | test.cpp:73:24:73:27 | data |
+| test.cpp:64:30:64:35 | call to getenv | test.cpp:73:24:73:27 | data |
 | test.cpp:64:30:64:35 | call to getenv | test.cpp:73:24:73:27 | data indirection |
 | test.cpp:64:30:64:35 | call to getenv | test.cpp:73:24:73:27 | data indirection |
-| test.cpp:73:17:73:22 | data | test.cpp:37:73:37:76 | data |
+| test.cpp:73:24:73:27 | data | test.cpp:37:73:37:76 | data |
 | test.cpp:73:24:73:27 | data indirection | test.cpp:37:73:37:76 | *data |
 subpaths
 nodes
@@ -25,7 +25,7 @@ nodes
 | test.cpp:43:32:43:35 | data indirection | semmle.label | data indirection |
 | test.cpp:64:30:64:35 | call to getenv | semmle.label | call to getenv |
 | test.cpp:64:30:64:35 | call to getenv | semmle.label | call to getenv |
-| test.cpp:73:17:73:22 | data | semmle.label | data |
+| test.cpp:73:24:73:27 | data | semmle.label | data |
 | test.cpp:73:24:73:27 | data indirection | semmle.label | data indirection |
 #select
 | test.cpp:43:32:43:35 | data | test.cpp:64:30:64:35 | call to getenv | test.cpp:43:32:43:35 | data | The value of this argument may come from $@ and is being passed to LoadLibraryA | test.cpp:64:30:64:35 | call to getenv | call to getenv |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected
@@ -11,24 +11,50 @@ edges
 | test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command |
 | test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command |
 | test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command indirection |
-| test.cpp:42:7:42:16 | call to getenv | test.cpp:24:30:24:36 | command |
-| test.cpp:42:18:42:23 | call to getenv | test.cpp:42:7:42:16 | call to getenv |
+| test.cpp:42:18:42:23 | call to getenv | test.cpp:42:18:42:34 | call to getenv |
 | test.cpp:42:18:42:23 | call to getenv | test.cpp:42:18:42:34 | call to getenv indirection |
-| test.cpp:42:18:42:34 | (const char *)... | test.cpp:42:7:42:16 | call to getenv |
+| test.cpp:42:18:42:34 | (const char *)... | test.cpp:42:18:42:34 | call to getenv |
 | test.cpp:42:18:42:34 | (const char *)... | test.cpp:42:18:42:34 | call to getenv indirection |
+| test.cpp:42:18:42:34 | call to getenv | test.cpp:24:30:24:36 | command |
 | test.cpp:42:18:42:34 | call to getenv indirection | test.cpp:24:30:24:36 | *command |
-| test.cpp:43:7:43:16 | call to getenv | test.cpp:29:30:29:36 | command |
-| test.cpp:43:18:43:23 | call to getenv | test.cpp:43:7:43:16 | call to getenv |
+| test.cpp:43:18:43:23 | call to getenv | test.cpp:43:18:43:34 | call to getenv |
 | test.cpp:43:18:43:23 | call to getenv | test.cpp:43:18:43:34 | call to getenv indirection |
-| test.cpp:43:18:43:34 | (const char *)... | test.cpp:43:7:43:16 | call to getenv |
+| test.cpp:43:18:43:34 | (const char *)... | test.cpp:43:18:43:34 | call to getenv |
 | test.cpp:43:18:43:34 | (const char *)... | test.cpp:43:18:43:34 | call to getenv indirection |
+| test.cpp:43:18:43:34 | call to getenv | test.cpp:29:30:29:36 | command |
 | test.cpp:43:18:43:34 | call to getenv indirection | test.cpp:29:30:29:36 | *command |
 | test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | (const char *)... |
 | test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | buffer |
 | test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | buffer indirection |
+| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | (const char *)... |
+| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data |
+| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data |
+| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data indirection |
+| test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | (const char *)... |
+| test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | (reference dereference) |
+| test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref |
+| test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref |
+| test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref indirection |
+| test.cpp:56:12:56:17 | buffer | test.cpp:65:10:65:14 | (const char *)... |
+| test.cpp:56:12:56:17 | buffer | test.cpp:65:10:65:14 | data2 |
+| test.cpp:56:12:56:17 | buffer | test.cpp:65:10:65:14 | data2 |
+| test.cpp:56:12:56:17 | buffer | test.cpp:65:10:65:14 | data2 indirection |
 | test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | (const char *)... |
 | test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | buffer |
 | test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | buffer indirection |
+| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | (const char *)... |
+| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data |
+| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data |
+| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data indirection |
+| test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | (const char *)... |
+| test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | (reference dereference) |
+| test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | dataref |
+| test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | dataref |
+| test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | dataref indirection |
+| test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | (const char *)... |
+| test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | data2 |
+| test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | data2 |
+| test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | data2 indirection |
 | test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | (const char *)... |
 | test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer |
 | test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer indirection |
@@ -63,13 +89,13 @@ nodes
 | test.cpp:31:10:31:16 | command | semmle.label | command |
 | test.cpp:31:10:31:16 | command indirection | semmle.label | command indirection |
 | test.cpp:31:10:31:16 | command indirection | semmle.label | command indirection |
-| test.cpp:42:7:42:16 | call to getenv | semmle.label | call to getenv |
 | test.cpp:42:18:42:23 | call to getenv | semmle.label | call to getenv |
 | test.cpp:42:18:42:34 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:42:18:42:34 | call to getenv | semmle.label | call to getenv |
 | test.cpp:42:18:42:34 | call to getenv indirection | semmle.label | call to getenv indirection |
-| test.cpp:43:7:43:16 | call to getenv | semmle.label | call to getenv |
 | test.cpp:43:18:43:23 | call to getenv | semmle.label | call to getenv |
 | test.cpp:43:18:43:34 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:43:18:43:34 | call to getenv | semmle.label | call to getenv |
 | test.cpp:43:18:43:34 | call to getenv indirection | semmle.label | call to getenv indirection |
 | test.cpp:56:12:56:17 | buffer | semmle.label | buffer |
 | test.cpp:56:12:56:17 | fgets output argument | semmle.label | fgets output argument |
@@ -78,6 +104,29 @@ nodes
 | test.cpp:62:10:62:15 | buffer | semmle.label | buffer |
 | test.cpp:62:10:62:15 | buffer indirection | semmle.label | buffer indirection |
 | test.cpp:62:10:62:15 | buffer indirection | semmle.label | buffer indirection |
+| test.cpp:63:10:63:13 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:63:10:63:13 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:63:10:63:13 | data | semmle.label | data |
+| test.cpp:63:10:63:13 | data | semmle.label | data |
+| test.cpp:63:10:63:13 | data | semmle.label | data |
+| test.cpp:63:10:63:13 | data indirection | semmle.label | data indirection |
+| test.cpp:63:10:63:13 | data indirection | semmle.label | data indirection |
+| test.cpp:64:10:64:16 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:64:10:64:16 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:64:10:64:16 | (reference dereference) | semmle.label | (reference dereference) |
+| test.cpp:64:10:64:16 | (reference dereference) | semmle.label | (reference dereference) |
+| test.cpp:64:10:64:16 | dataref | semmle.label | dataref |
+| test.cpp:64:10:64:16 | dataref | semmle.label | dataref |
+| test.cpp:64:10:64:16 | dataref | semmle.label | dataref |
+| test.cpp:64:10:64:16 | dataref indirection | semmle.label | dataref indirection |
+| test.cpp:64:10:64:16 | dataref indirection | semmle.label | dataref indirection |
+| test.cpp:65:10:65:14 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:65:10:65:14 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:65:10:65:14 | data2 | semmle.label | data2 |
+| test.cpp:65:10:65:14 | data2 | semmle.label | data2 |
+| test.cpp:65:10:65:14 | data2 | semmle.label | data2 |
+| test.cpp:65:10:65:14 | data2 indirection | semmle.label | data2 indirection |
+| test.cpp:65:10:65:14 | data2 indirection | semmle.label | data2 indirection |
 | test.cpp:76:12:76:17 | buffer | semmle.label | buffer |
 | test.cpp:76:12:76:17 | fgets output argument | semmle.label | fgets output argument |
 | test.cpp:78:10:78:15 | (const char *)... | semmle.label | (const char *)... |
@@ -103,6 +152,9 @@ nodes
 | test.cpp:26:10:26:16 | command | test.cpp:42:18:42:23 | call to getenv | test.cpp:26:10:26:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:42:18:42:23 | call to getenv | call to getenv |
 | test.cpp:31:10:31:16 | command | test.cpp:43:18:43:23 | call to getenv | test.cpp:31:10:31:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:43:18:43:23 | call to getenv | call to getenv |
 | test.cpp:62:10:62:15 | buffer | test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | buffer | The value of this argument may come from $@ and is being passed to system | test.cpp:56:12:56:17 | buffer | buffer |
+| test.cpp:63:10:63:13 | data | test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data | The value of this argument may come from $@ and is being passed to system | test.cpp:56:12:56:17 | buffer | buffer |
+| test.cpp:64:10:64:16 | dataref | test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref | The value of this argument may come from $@ and is being passed to system | test.cpp:56:12:56:17 | buffer | buffer |
+| test.cpp:65:10:65:14 | data2 | test.cpp:56:12:56:17 | buffer | test.cpp:65:10:65:14 | data2 | The value of this argument may come from $@ and is being passed to system | test.cpp:56:12:56:17 | buffer | buffer |
 | test.cpp:78:10:78:15 | buffer | test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer | The value of this argument may come from $@ and is being passed to system | test.cpp:76:12:76:17 | buffer | buffer |
 | test.cpp:99:15:99:20 | buffer | test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer | The value of this argument may come from $@ and is being passed to LoadLibrary | test.cpp:98:17:98:22 | buffer | buffer |
 | test.cpp:107:15:107:20 | buffer | test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | buffer | The value of this argument may come from $@ and is being passed to LoadLibrary | test.cpp:106:17:106:22 | buffer | buffer |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/test.cpp
@@ -61,8 +61,8 @@ void testReferencePointer1()

 		system(buffer); // BAD
 		system(data); // BAD
-		system(dataref); // BAD [NOT DETECTED]
-		system(data2); // BAD [NOT DETECTED]
+		system(dataref); // BAD
+		system(data2); // BAD
 	}
 }

--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected
@@ -108,10 +108,45 @@ edges
 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 indirection |
 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 indirection |
 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 indirection |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | (const char *)... |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | (const char *)... |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 indirection |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 indirection |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 indirection |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 indirection |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 indirection |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 indirection |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:10 | i4 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:10 | i4 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | (const char *)... |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | (const char *)... |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ indirection |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ indirection |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... indirection |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... indirection |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:17:136:18 | i4 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:17:136:18 | i4 |
 | argvLocal.c:117:15:117:16 | i3 indirection | argvLocal.c:9:25:9:31 | *correct |
 | argvLocal.c:117:15:117:16 | i3 indirection | argvLocal.c:117:15:117:16 | printWrapper output argument |
 | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | (const char *)... |
 | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | i4 |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | i4 |
 | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | i4 indirection |
 | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 |
 | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 |
@@ -317,6 +352,8 @@ nodes
 | argvLocal.c:121:9:121:10 | (const char *)... | semmle.label | (const char *)... |
 | argvLocal.c:121:9:121:10 | (const char *)... | semmle.label | (const char *)... |
 | argvLocal.c:121:9:121:10 | i4 | semmle.label | i4 |
+| argvLocal.c:121:9:121:10 | i4 | semmle.label | i4 |
+| argvLocal.c:121:9:121:10 | i4 | semmle.label | i4 |
 | argvLocal.c:121:9:121:10 | i4 indirection | semmle.label | i4 indirection |
 | argvLocal.c:121:9:121:10 | i4 indirection | semmle.label | i4 indirection |
 | argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatStringThroughGlobalVar.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatStringThroughGlobalVar.expected
@@ -23,9 +23,9 @@ edges
 | globalVars.c:15:21:15:23 | val | globalVars.c:16:2:16:12 | Store |
 | globalVars.c:16:2:16:12 | Store | globalVars.c:9:7:9:11 | copy2 |
 | globalVars.c:19:25:19:27 | *str | globalVars.c:19:25:19:27 | ReturnIndirection |
-| globalVars.c:24:2:24:9 | argv | globalVars.c:11:22:11:25 | argv |
-| globalVars.c:24:11:24:14 | argv | globalVars.c:24:2:24:9 | argv |
-| globalVars.c:24:11:24:14 | argv | globalVars.c:24:2:24:9 | argv |
+| globalVars.c:24:11:24:14 | argv | globalVars.c:11:22:11:25 | argv |
+| globalVars.c:24:11:24:14 | argv | globalVars.c:24:11:24:14 | argv |
+| globalVars.c:24:11:24:14 | argv | globalVars.c:24:11:24:14 | argv |
 | globalVars.c:24:11:24:14 | argv | globalVars.c:24:11:24:14 | argv indirection |
 | globalVars.c:24:11:24:14 | argv | globalVars.c:24:11:24:14 | argv indirection |
 | globalVars.c:24:11:24:14 | argv indirection | globalVars.c:11:22:11:25 | *argv |
@@ -37,13 +37,13 @@ edges
 | globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy |
 | globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy indirection |
 | globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy indirection |
-| globalVars.c:30:15:30:18 | copy | globalVars.c:35:2:35:9 | copy |
+| globalVars.c:30:15:30:18 | copy | globalVars.c:35:11:35:14 | copy |
 | globalVars.c:30:15:30:18 | copy indirection | globalVars.c:19:25:19:27 | *str |
 | globalVars.c:30:15:30:18 | copy indirection | globalVars.c:30:15:30:18 | printWrapper output argument |
-| globalVars.c:30:15:30:18 | printWrapper output argument | globalVars.c:35:2:35:9 | copy |
-| globalVars.c:33:15:33:18 | copy | globalVars.c:35:2:35:9 | copy |
-| globalVars.c:35:2:35:9 | copy | globalVars.c:15:21:15:23 | val |
-| globalVars.c:35:11:35:14 | copy | globalVars.c:35:2:35:9 | copy |
+| globalVars.c:30:15:30:18 | printWrapper output argument | globalVars.c:35:11:35:14 | copy |
+| globalVars.c:33:15:33:18 | copy | globalVars.c:35:11:35:14 | copy |
+| globalVars.c:35:11:35:14 | copy | globalVars.c:15:21:15:23 | val |
+| globalVars.c:35:11:35:14 | copy | globalVars.c:35:11:35:14 | copy |
 | globalVars.c:38:9:38:13 | copy2 | globalVars.c:38:9:38:13 | (const char *)... |
 | globalVars.c:38:9:38:13 | copy2 | globalVars.c:38:9:38:13 | copy2 |
 | globalVars.c:38:9:38:13 | copy2 | globalVars.c:38:9:38:13 | copy2 indirection |
@@ -85,7 +85,7 @@ nodes
 | globalVars.c:16:2:16:12 | Store | semmle.label | Store |
 | globalVars.c:19:25:19:27 | *str | semmle.label | *str |
 | globalVars.c:19:25:19:27 | ReturnIndirection | semmle.label | ReturnIndirection |
-| globalVars.c:24:2:24:9 | argv | semmle.label | argv |
+| globalVars.c:24:11:24:14 | argv | semmle.label | argv |
 | globalVars.c:24:11:24:14 | argv | semmle.label | argv |
 | globalVars.c:24:11:24:14 | argv | semmle.label | argv |
 | globalVars.c:24:11:24:14 | argv indirection | semmle.label | argv indirection |
@@ -103,7 +103,7 @@ nodes
 | globalVars.c:30:15:30:18 | copy indirection | semmle.label | copy indirection |
 | globalVars.c:30:15:30:18 | printWrapper output argument | semmle.label | printWrapper output argument |
 | globalVars.c:33:15:33:18 | copy | semmle.label | copy |
-| globalVars.c:35:2:35:9 | copy | semmle.label | copy |
+| globalVars.c:35:11:35:14 | copy | semmle.label | copy |
 | globalVars.c:35:11:35:14 | copy | semmle.label | copy |
 | globalVars.c:38:9:38:13 | (const char *)... | semmle.label | (const char *)... |
 | globalVars.c:38:9:38:13 | (const char *)... | semmle.label | (const char *)... |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected
@@ -13,17 +13,15 @@ edges
 | test.c:155:22:155:27 | (unsigned int)... | test.c:157:9:157:9 | r |
 | test.cpp:6:5:6:12 | ReturnValue | test.cpp:24:11:24:18 | call to get_rand |
 | test.cpp:8:9:8:12 | call to rand | test.cpp:6:5:6:12 | ReturnValue |
-| test.cpp:13:2:13:6 | * ... [post update] | test.cpp:30:3:30:11 | & ... [post update] |
-| test.cpp:13:3:13:6 | dest [post update] | test.cpp:30:3:30:11 | & ... [post update] |
+| test.cpp:13:2:13:6 | * ... [post update] | test.cpp:30:13:30:14 | & ... [post update] |
 | test.cpp:13:10:13:13 | call to rand | test.cpp:13:2:13:6 | * ... [post update] |
-| test.cpp:13:10:13:13 | call to rand | test.cpp:13:3:13:6 | dest [post update] |
-| test.cpp:18:2:18:5 | (reference dereference) [post update] | test.cpp:36:3:36:11 | r [post update] |
-| test.cpp:18:2:18:5 | dest [post update] | test.cpp:36:3:36:11 | r [post update] |
+| test.cpp:13:10:13:13 | call to rand | test.cpp:30:13:30:14 | & ... [post update] |
+| test.cpp:18:2:18:5 | (reference dereference) [post update] | test.cpp:36:13:36:13 | r [post update] |
 | test.cpp:18:9:18:12 | call to rand | test.cpp:18:2:18:5 | (reference dereference) [post update] |
-| test.cpp:18:9:18:12 | call to rand | test.cpp:18:2:18:5 | dest [post update] |
+| test.cpp:18:9:18:12 | call to rand | test.cpp:36:13:36:13 | r [post update] |
 | test.cpp:24:11:24:18 | call to get_rand | test.cpp:25:7:25:7 | r |
-| test.cpp:30:3:30:11 | & ... [post update] | test.cpp:31:7:31:7 | r |
-| test.cpp:36:3:36:11 | r [post update] | test.cpp:37:7:37:7 | r |
+| test.cpp:30:13:30:14 | & ... [post update] | test.cpp:31:7:31:7 | r |
+| test.cpp:36:13:36:13 | r [post update] | test.cpp:37:7:37:7 | r |
 | test.cpp:86:10:86:13 | call to rand | test.cpp:90:10:90:10 | x |
 | test.cpp:98:10:98:13 | call to rand | test.cpp:102:10:102:10 | x |
 | test.cpp:137:10:137:13 | call to rand | test.cpp:146:9:146:9 | y |
@@ -64,16 +62,14 @@ nodes
 | test.cpp:6:5:6:12 | ReturnValue | semmle.label | ReturnValue |
 | test.cpp:8:9:8:12 | call to rand | semmle.label | call to rand |
 | test.cpp:13:2:13:6 | * ... [post update] | semmle.label | * ... [post update] |
-| test.cpp:13:3:13:6 | dest [post update] | semmle.label | dest [post update] |
 | test.cpp:13:10:13:13 | call to rand | semmle.label | call to rand |
 | test.cpp:18:2:18:5 | (reference dereference) [post update] | semmle.label | (reference dereference) [post update] |
-| test.cpp:18:2:18:5 | dest [post update] | semmle.label | dest [post update] |
 | test.cpp:18:9:18:12 | call to rand | semmle.label | call to rand |
 | test.cpp:24:11:24:18 | call to get_rand | semmle.label | call to get_rand |
 | test.cpp:25:7:25:7 | r | semmle.label | r |
-| test.cpp:30:3:30:11 | & ... [post update] | semmle.label | & ... [post update] |
+| test.cpp:30:13:30:14 | & ... [post update] | semmle.label | & ... [post update] |
 | test.cpp:31:7:31:7 | r | semmle.label | r |
-| test.cpp:36:3:36:11 | r [post update] | semmle.label | r [post update] |
+| test.cpp:36:13:36:13 | r [post update] | semmle.label | r [post update] |
 | test.cpp:37:7:37:7 | r | semmle.label | r |
 | test.cpp:86:10:86:13 | call to rand | semmle.label | call to rand |
 | test.cpp:90:10:90:10 | x | semmle.label | x |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
@@ -50,31 +50,31 @@ edges
 | test.cpp:237:24:237:29 | call to getenv | test.cpp:239:9:239:18 | (size_t)... |
 | test.cpp:237:24:237:29 | call to getenv | test.cpp:239:9:239:18 | local_size |
 | test.cpp:237:24:237:29 | call to getenv | test.cpp:239:9:239:18 | local_size |
-| test.cpp:237:24:237:29 | call to getenv | test.cpp:245:2:245:9 | local_size |
-| test.cpp:237:24:237:29 | call to getenv | test.cpp:247:2:247:8 | local_size |
+| test.cpp:237:24:237:29 | call to getenv | test.cpp:245:11:245:20 | local_size |
+| test.cpp:237:24:237:29 | call to getenv | test.cpp:247:10:247:19 | local_size |
 | test.cpp:237:24:237:37 | (const char *)... | test.cpp:239:9:239:18 | (size_t)... |
 | test.cpp:237:24:237:37 | (const char *)... | test.cpp:239:9:239:18 | local_size |
 | test.cpp:237:24:237:37 | (const char *)... | test.cpp:239:9:239:18 | local_size |
-| test.cpp:237:24:237:37 | (const char *)... | test.cpp:245:2:245:9 | local_size |
-| test.cpp:237:24:237:37 | (const char *)... | test.cpp:247:2:247:8 | local_size |
-| test.cpp:245:2:245:9 | local_size | test.cpp:224:23:224:23 | s |
-| test.cpp:247:2:247:8 | local_size | test.cpp:230:21:230:21 | s |
-| test.cpp:251:2:251:9 | (reference dereference) [post update] | test.cpp:289:8:289:15 | size [post update] |
-| test.cpp:251:2:251:9 | (reference dereference) [post update] | test.cpp:305:9:305:16 | size [post update] |
-| test.cpp:251:2:251:9 | out_size [post update] | test.cpp:289:8:289:15 | size [post update] |
-| test.cpp:251:2:251:9 | out_size [post update] | test.cpp:305:9:305:16 | size [post update] |
+| test.cpp:237:24:237:37 | (const char *)... | test.cpp:245:11:245:20 | local_size |
+| test.cpp:237:24:237:37 | (const char *)... | test.cpp:247:10:247:19 | local_size |
+| test.cpp:245:11:245:20 | local_size | test.cpp:224:23:224:23 | s |
+| test.cpp:247:10:247:19 | local_size | test.cpp:230:21:230:21 | s |
+| test.cpp:251:2:251:9 | (reference dereference) [post update] | test.cpp:289:17:289:20 | size [post update] |
+| test.cpp:251:2:251:9 | (reference dereference) [post update] | test.cpp:305:18:305:21 | size [post update] |
 | test.cpp:251:18:251:23 | call to getenv | test.cpp:251:2:251:9 | (reference dereference) [post update] |
-| test.cpp:251:18:251:23 | call to getenv | test.cpp:251:2:251:9 | out_size [post update] |
+| test.cpp:251:18:251:23 | call to getenv | test.cpp:289:17:289:20 | size [post update] |
+| test.cpp:251:18:251:23 | call to getenv | test.cpp:305:18:305:21 | size [post update] |
 | test.cpp:251:18:251:31 | (const char *)... | test.cpp:251:2:251:9 | (reference dereference) [post update] |
-| test.cpp:251:18:251:31 | (const char *)... | test.cpp:251:2:251:9 | out_size [post update] |
+| test.cpp:251:18:251:31 | (const char *)... | test.cpp:289:17:289:20 | size [post update] |
+| test.cpp:251:18:251:31 | (const char *)... | test.cpp:305:18:305:21 | size [post update] |
 | test.cpp:259:20:259:25 | call to getenv | test.cpp:263:11:263:29 | ... * ... |
 | test.cpp:259:20:259:25 | call to getenv | test.cpp:263:11:263:29 | ... * ... |
 | test.cpp:259:20:259:33 | (const char *)... | test.cpp:263:11:263:29 | ... * ... |
 | test.cpp:259:20:259:33 | (const char *)... | test.cpp:263:11:263:29 | ... * ... |
-| test.cpp:289:8:289:15 | size [post update] | test.cpp:291:11:291:28 | ... * ... |
-| test.cpp:289:8:289:15 | size [post update] | test.cpp:291:11:291:28 | ... * ... |
-| test.cpp:305:9:305:16 | size [post update] | test.cpp:308:10:308:27 | ... * ... |
-| test.cpp:305:9:305:16 | size [post update] | test.cpp:308:10:308:27 | ... * ... |
+| test.cpp:289:17:289:20 | size [post update] | test.cpp:291:11:291:28 | ... * ... |
+| test.cpp:289:17:289:20 | size [post update] | test.cpp:291:11:291:28 | ... * ... |
+| test.cpp:305:18:305:21 | size [post update] | test.cpp:308:10:308:27 | ... * ... |
+| test.cpp:305:18:305:21 | size [post update] | test.cpp:308:10:308:27 | ... * ... |
 subpaths
 nodes
 | test.cpp:40:21:40:24 | argv | semmle.label | argv |
@@ -137,8 +137,8 @@ nodes
 | test.cpp:241:9:241:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
 | test.cpp:241:9:241:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
 | test.cpp:241:9:241:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
-| test.cpp:245:2:245:9 | local_size | semmle.label | local_size |
-| test.cpp:247:2:247:8 | local_size | semmle.label | local_size |
+| test.cpp:245:11:245:20 | local_size | semmle.label | local_size |
+| test.cpp:247:10:247:19 | local_size | semmle.label | local_size |
 | test.cpp:251:2:251:9 | (reference dereference) [post update] | semmle.label | (reference dereference) [post update] |
 | test.cpp:251:2:251:9 | out_size [post update] | semmle.label | out_size [post update] |
 | test.cpp:251:18:251:23 | call to getenv | semmle.label | call to getenv |
@@ -148,11 +148,11 @@ nodes
 | test.cpp:263:11:263:29 | ... * ... | semmle.label | ... * ... |
 | test.cpp:263:11:263:29 | ... * ... | semmle.label | ... * ... |
 | test.cpp:263:11:263:29 | ... * ... | semmle.label | ... * ... |
-| test.cpp:289:8:289:15 | size [post update] | semmle.label | size [post update] |
+| test.cpp:289:17:289:20 | size [post update] | semmle.label | size [post update] |
 | test.cpp:291:11:291:28 | ... * ... | semmle.label | ... * ... |
 | test.cpp:291:11:291:28 | ... * ... | semmle.label | ... * ... |
 | test.cpp:291:11:291:28 | ... * ... | semmle.label | ... * ... |
-| test.cpp:305:9:305:16 | size [post update] | semmle.label | size [post update] |
+| test.cpp:305:18:305:21 | size [post update] | semmle.label | size [post update] |
 | test.cpp:308:10:308:27 | ... * ... | semmle.label | ... * ... |
 | test.cpp:308:10:308:27 | ... * ... | semmle.label | ... * ... |
 | test.cpp:308:10:308:27 | ... * ... | semmle.label | ... * ... |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected
@@ -1,9 +1,9 @@
 edges
 | test2.cpp:12:21:12:21 | v | test2.cpp:14:11:14:11 | v |
 | test2.cpp:12:21:12:21 | v | test2.cpp:14:11:14:11 | v |
-| test2.cpp:25:22:25:23 | & ... | test2.cpp:27:2:27:11 | v |
-| test2.cpp:25:22:25:23 | fscanf output argument | test2.cpp:27:2:27:11 | v |
-| test2.cpp:27:2:27:11 | v | test2.cpp:12:21:12:21 | v |
+| test2.cpp:25:22:25:23 | & ... | test2.cpp:27:13:27:13 | v |
+| test2.cpp:25:22:25:23 | fscanf output argument | test2.cpp:27:13:27:13 | v |
+| test2.cpp:27:13:27:13 | v | test2.cpp:12:21:12:21 | v |
 | test5.cpp:5:5:5:17 | ReturnValue | test5.cpp:17:6:17:18 | call to getTaintedInt |
 | test5.cpp:5:5:5:17 | ReturnValue | test5.cpp:17:6:17:18 | call to getTaintedInt |
 | test5.cpp:5:5:5:17 | ReturnValue | test5.cpp:18:6:18:18 | call to getTaintedInt |
@@ -31,7 +31,7 @@ nodes
 | test2.cpp:14:11:14:11 | v | semmle.label | v |
 | test2.cpp:25:22:25:23 | & ... | semmle.label | & ... |
 | test2.cpp:25:22:25:23 | fscanf output argument | semmle.label | fscanf output argument |
-| test2.cpp:27:2:27:11 | v | semmle.label | v |
+| test2.cpp:27:13:27:13 | v | semmle.label | v |
 | test5.cpp:5:5:5:17 | ReturnValue | semmle.label | ReturnValue |
 | test5.cpp:9:7:9:9 | buf | semmle.label | buf |
 | test5.cpp:9:7:9:9 | gets output argument | semmle.label | gets output argument |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWrite.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWrite.expected
@@ -3,13 +3,17 @@
 | tests.cpp:272:2:272:8 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 8 bytes. |
 | tests.cpp:273:2:273:8 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 8 bytes. |
 | tests.cpp:308:3:308:9 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 8 bytes. |
-| tests.cpp:315:2:315:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
-| tests.cpp:316:2:316:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
-| tests.cpp:321:2:321:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
-| tests.cpp:324:3:324:9 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
-| tests.cpp:327:2:327:8 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 2 bytes. |
-| tests.cpp:329:3:329:9 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 2 bytes. |
+| tests.cpp:315:2:315:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 4 bytes. |
+| tests.cpp:316:2:316:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 4 bytes. |
+| tests.cpp:321:2:321:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 4 bytes. |
+| tests.cpp:324:3:324:9 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 4 bytes. |
+| tests.cpp:327:2:327:8 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 4 bytes. |
+| tests.cpp:329:3:329:9 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 4 bytes. |
 | tests.cpp:341:2:341:8 | call to sprintf | This 'call to sprintf' operation requires 3 bytes but the destination is only 2 bytes. |
 | tests.cpp:343:2:343:8 | call to sprintf | This 'call to sprintf' operation requires 3 bytes but the destination is only 2 bytes. |
 | tests.cpp:345:2:345:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
 | tests.cpp:347:2:347:8 | call to sprintf | This 'call to sprintf' operation requires 3 bytes but the destination is only 2 bytes. |
+| tests.cpp:350:2:350:8 | call to sprintf | This 'call to sprintf' operation requires 4 bytes but the destination is only 3 bytes. |
+| tests.cpp:354:2:354:8 | call to sprintf | This 'call to sprintf' operation requires 4 bytes but the destination is only 3 bytes. |
+| tests.cpp:358:2:358:8 | call to sprintf | This 'call to sprintf' operation requires 4 bytes but the destination is only 3 bytes. |
+| tests.cpp:363:2:363:8 | call to sprintf | This 'call to sprintf' operation requires 5 bytes but the destination is only 4 bytes. |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/tests.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/tests.cpp
@@ -310,39 +310,56 @@ namespace custom_sprintf_impl {
 }

 void test6(unsigned unsigned_value, int value) {
-	char buffer[2];
+	char buffer2[2], buffer3[3], buffer4[4], buffer5[5];
 	
-	sprintf(buffer, "%u", unsigned_value); // BAD: buffer overflow
-	sprintf(buffer, "%d", unsigned_value); // BAD: buffer overflow
-	if (unsigned_value < 10) {
-		sprintf(buffer, "%u", unsigned_value); // GOOD
+	sprintf(buffer4, "%u", unsigned_value); // BAD: buffer overflow
+	sprintf(buffer4, "%d", unsigned_value); // BAD: buffer overflow
+	if (unsigned_value < 1000) {
+		sprintf(buffer4, "%u", unsigned_value); // GOOD
 	}

-	sprintf(buffer, "%u", -10); // BAD: buffer overflow
+	sprintf(buffer4, "%u", -100); // BAD: buffer overflow

-	if(unsigned_value == (unsigned)-10) {
-		sprintf(buffer, "%u", unsigned_value); // BAD: buffer overflow
+	if(unsigned_value == (unsigned)-100) {
+		sprintf(buffer4, "%u", unsigned_value); // BAD: buffer overflow
 	}

-	sprintf(buffer, "%d", value); // BAD: buffer overflow
-	if (value < 10) {
-		sprintf(buffer, "%d", value); // BAD: buffer overflow
+	sprintf(buffer4, "%d", value); // BAD: buffer overflow
+	if (value < 1000) {
+		sprintf(buffer4, "%d", value); // BAD: buffer overflow

-		if(value > 0) {
-			sprintf(buffer, "%d", value); // GOOD
+		if(value > -100) {
+			sprintf(buffer4, "%d", value); // GOOD
 		}
 	}

-	sprintf(buffer, "%u", 0); // GOOD
-	sprintf(buffer, "%d", 0); // GOOD
-	sprintf(buffer, "%u", 5); // GOOD
-	sprintf(buffer, "%d", 5); // GOOD
+	sprintf(buffer2, "%u", 0); // GOOD
+	sprintf(buffer2, "%d", 0); // GOOD
+	sprintf(buffer2, "%u", 5); // GOOD
+	sprintf(buffer2, "%d", 5); // GOOD

-	sprintf(buffer, "%d", -1); // BAD
-	sprintf(buffer, "%d", 9); // GOOD
-	sprintf(buffer, "%d", 10); // BAD
+	sprintf(buffer2, "%d", -1); // BAD
+	sprintf(buffer2, "%d", 9); // GOOD
+	sprintf(buffer2, "%d", 10); // BAD

-	sprintf(buffer, "%u", -1); // BAD
-	sprintf(buffer, "%u", 9); // GOOD
-	sprintf(buffer, "%u", 10); // BAD
+	sprintf(buffer2, "%u", -1); // BAD
+	sprintf(buffer2, "%u", 9); // GOOD
+	sprintf(buffer2, "%u", 10); // BAD
+
+	unsigned char unsigned_char = unsigned_value;
+	sprintf(buffer3, "%u", (unsigned)unsigned_char); // BAD
+	sprintf(buffer4, "%u", (unsigned)unsigned_char); // GOOD: 0..255 fits
+
+	unsigned small = unsigned_value >> (sizeof(unsigned_value) * 8 - 9);  // in range 0..511
+	sprintf(buffer3, "%u", small); // BAD
+	sprintf(buffer4, "%u", small); // GOOD
+
+	small = unsigned_value & ((1u << 9) - 1);  // in range 0..511
+	sprintf(buffer3, "%u", small); // BAD
+	sprintf(buffer4, "%u", small); // GOOD: 0..511 fits
+
+	char c = value;
+
+	sprintf(buffer4, "%d", (int)c); // BAD: e.g. -127 does not fit
+	sprintf(buffer5, "%d", (int)c); // GOOD: -127..128 fits
 }
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultConflation.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultConflation.expected
@@ -0,0 +1,8 @@
+| test.cpp:18:9:18:38 | ... \|\| ... | This expression conflates OK and non-OK results from $@. | test.cpp:100:18:100:38 | call to SSL_get_verify_result | call to SSL_get_verify_result |
+| test.cpp:38:7:38:36 | ... \|\| ... | This expression conflates OK and non-OK results from $@. | test.cpp:36:16:36:36 | call to SSL_get_verify_result | call to SSL_get_verify_result |
+| test.cpp:54:7:54:47 | ... \|\| ... | This expression conflates OK and non-OK results from $@. | test.cpp:52:16:52:36 | call to SSL_get_verify_result | call to SSL_get_verify_result |
+| test.cpp:62:7:62:36 | ... \|\| ... | This expression conflates OK and non-OK results from $@. | test.cpp:60:16:60:36 | call to SSL_get_verify_result | call to SSL_get_verify_result |
+| test.cpp:70:7:70:36 | ... && ... | This expression conflates OK and non-OK results from $@. | test.cpp:68:16:68:36 | call to SSL_get_verify_result | call to SSL_get_verify_result |
+| test.cpp:83:7:83:40 | ... \|\| ... | This expression conflates OK and non-OK results from $@. | test.cpp:78:16:78:36 | call to SSL_get_verify_result | call to SSL_get_verify_result |
+| test.cpp:87:7:87:38 | ... \|\| ... | This expression conflates OK and non-OK results from $@. | test.cpp:7:57:7:77 | call to SSL_get_verify_result | call to SSL_get_verify_result |
+| test.cpp:107:13:107:42 | ... \|\| ... | This expression conflates OK and non-OK results from $@. | test.cpp:105:16:105:36 | call to SSL_get_verify_result | call to SSL_get_verify_result |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultConflation.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultConflation.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-295/SSLResultConflation.ql
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultNotChecked.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultNotChecked.expected
@@ -0,0 +1,4 @@
+| test2.cpp:13:13:13:36 | call to SSL_get_peer_certificate | This call to SSL_get_peer_certificate is not followed by a call to SSL_get_verify_result. |
+| test2.cpp:28:13:28:36 | call to SSL_get_peer_certificate | This call to SSL_get_peer_certificate is not followed by a call to SSL_get_verify_result. |
+| test2.cpp:61:9:61:32 | call to SSL_get_peer_certificate | This call to SSL_get_peer_certificate is not followed by a call to SSL_get_verify_result. |
+| test2.cpp:89:9:89:32 | call to SSL_get_peer_certificate | This call to SSL_get_peer_certificate is not followed by a call to SSL_get_verify_result. |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultNotChecked.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultNotChecked.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-295/SSLResultNotChecked.ql
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-295/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-295/test.cpp
@@ -0,0 +1,149 @@
+
+struct SSL {
+	// ...
+};
+
+int SSL_get_verify_result(const SSL *ssl);
+int get_verify_result_indirect(const SSL *ssl) { return SSL_get_verify_result(ssl); }
+
+int something_else(const SSL *ssl);
+
+bool is_ok(int result)
+{
+	return (result == 0); // GOOD
+}
+
+bool is_maybe_ok(int result)
+{
+	return (result == 0) || (result == 1); // BAD (conflates OK and a non-OK codes)
+}
+
+void test1_1(SSL *ssl)
+{
+	{
+		int result = SSL_get_verify_result(ssl);
+
+		if (result == 0) // GOOD
+		{
+		}
+
+		if (result == 1) // GOOD
+		{
+		}
+	}
+
+	{
+		int result = SSL_get_verify_result(ssl);
+
+		if ((result == 0) || (result == 1)) // BAD (conflates OK and a non-OK codes)
+		{
+		}
+	}
+
+	{
+		int result = SSL_get_verify_result(ssl);
+
+		if ((result == 1) || (result == 2)) // GOOD (both results are non-OK)
+		{
+		}
+	}
+
+	{
+		int result = SSL_get_verify_result(ssl);
+
+		if ((result == 0) || (false) || (result == 2)) // BAD (conflates OK and a non-OK codes)
+		{
+		}
+	}
+
+	{
+		int result = SSL_get_verify_result(ssl);
+
+		if ((0 == result) || (1 == result)) // BAD (conflates OK and a non-OK codes)
+		{
+		}
+	}
+
+	{
+		int result = SSL_get_verify_result(ssl);
+
+		if ((result != 0) && (result != 1)) // BAD (conflates OK and a non-OK codes)
+		{
+		} else {
+			// conflation occurs here
+		}
+	}
+
+	{
+		int result = SSL_get_verify_result(ssl);
+		int result_cpy = result;
+		int result2 = get_verify_result_indirect(ssl);
+		int result3 = something_else(ssl);
+
+		if ((result == 0) || (result_cpy == 1)) // BAD (conflates OK and a non-OK codes)
+		{
+		}
+	
+		if ((result2 == 0) || (result2 == 1)) // BAD (conflates OK and a non-OK codes)
+		{
+		}
+	
+		if ((result3 == 0) || (result3 == 1)) // GOOD (not an SSL result)
+		{
+		}
+	}
+
+	if (is_ok(SSL_get_verify_result(ssl)))
+	{
+	}
+
+	if (is_maybe_ok(SSL_get_verify_result(ssl)))
+	{
+	}
+
+	{
+		int result = SSL_get_verify_result(ssl);
+
+		bool ok = (result == 0) || (result == 1); // BAD (conflates OK and a non-OK codes)
+	
+		if (ok) {
+		}
+	}
+
+	{
+		int result = SSL_get_verify_result(ssl);
+
+		if (result == 1) // BAD (conflates OK and a non-OK codes in `else`) [NOT DETECTED]
+		{
+		} else {
+		}
+	}
+}
+
+void do_good();
+
+void test1_2(SSL *ssl)
+{
+	int result = SSL_get_verify_result(ssl);
+
+	if (result == 0) { // GOOD
+		do_good();
+	} else if (result == 1) {
+		throw 1;
+	} else {
+		throw 1;
+	}
+}
+
+void test1_3(SSL *ssl)
+{
+	int result = SSL_get_verify_result(ssl);
+
+	if (result == 0) { // BAD (error code 1 is treated as OK, not as non-OK) [NOT DETECTED]
+		do_good();
+	} else if (result == 1) {
+		do_good();
+	} else {
+		throw 1;
+	}
+}
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-295/test2.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-295/test2.cpp
@@ -0,0 +1,147 @@
+
+struct SSL {
+	// ...
+};
+
+int SSL_get_peer_certificate(const SSL *ssl);
+int SSL_get_verify_result(const SSL *ssl);
+
+bool maybe();
+
+bool test2_1(SSL *ssl)
+{
+	int cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result is never called)
+
+	return true;
+}
+
+bool test2_2(SSL *ssl)
+{
+	int cert = SSL_get_peer_certificate(ssl); // GOOD (SSL_get_verify_result is always called)
+	int result = SSL_get_verify_result(ssl);
+
+	return (result == 0);
+}
+
+bool test2_3(SSL *ssl)
+{
+	int cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result may not be called)
+
+	if (maybe())
+	{
+		int result = SSL_get_verify_result(ssl);
+
+		return (result == 0);
+	}
+
+	return true;
+}
+
+bool test2_4(SSL *ssl)
+{
+	int cert, result;
+
+	cert = SSL_get_peer_certificate(ssl); // GOOD (SSL_get_verify_result is called when there is a cert)
+	if (cert != 0)
+	{
+		result = SSL_get_verify_result(ssl);
+		if (result == 0)
+		{
+			return true;
+		}
+	}
+
+	return false;
+}
+
+bool test2_5(SSL *ssl)
+{
+	int cert, result;
+
+	cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result is not used reliably)
+	if ((cert != 0) && (maybe()))
+	{
+		result = SSL_get_verify_result(ssl);
+		if (result == 0)
+		{
+			return true;
+		}
+	}
+
+	return false;
+}
+
+bool test2_6(SSL *ssl)
+{
+	int cert;
+
+	cert = SSL_get_peer_certificate(ssl); // GOOD (SSL_get_verify_result is called when there is a cert)
+	if (cert == 0) return false;
+	if (SSL_get_verify_result(ssl) != 0) return false;
+
+	return true;
+}
+
+bool test2_7(SSL *ssl)
+{
+	int cert;
+
+	cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result is only called when there is not a cert)
+	if (cert != 0) return false;
+	if (SSL_get_verify_result(ssl) != 0) return false;
+
+	return true;
+}
+
+bool test2_8(SSL *ssl)
+{
+	int cert;
+
+	cert = SSL_get_peer_certificate(ssl); // GOOD (SSL_get_verify_result is called when there is a cert)
+	if (!cert) return false;
+	if (!SSL_get_verify_result(ssl)) return false;
+
+	return true;
+}
+
+bool test2_9(SSL *ssl)
+{
+	int cert;
+
+	cert = SSL_get_peer_certificate(ssl); // GOOD (SSL_get_verify_result is called when there is a cert)
+	if ((!cert) || (SSL_get_verify_result(ssl) != 0)) {
+		return false;
+	}
+
+	return true;
+}
+
+bool test2_10(SSL *ssl)
+{
+	int cert = SSL_get_peer_certificate(ssl); // GOOD (SSL_get_verify_result is called when there is a cert)
+
+	if (cert)
+	{
+		int result = SSL_get_verify_result(ssl);
+
+		if (result == 0)
+		{
+			return true;
+		}
+	}
+
+	return true;
+}
+
+bool test2_11(SSL *ssl)
+{
+	int cert;
+
+	cert = SSL_get_peer_certificate(ssl); // GOOD (SSL_get_verify_result is called when there is a cert)
+
+	if ((cert) && (SSL_get_verify_result(ssl) == 0)) {
+		return true;
+	}
+
+	return false;
+}
--- a/csharp/ql/consistency-queries/SsaConsistency.ql
+++ b/csharp/ql/consistency-queries/SsaConsistency.ql
@@ -0,0 +1,10 @@
+import csharp
+import semmle.code.csharp.dataflow.internal.SsaImplCommon::Consistency
+
+class MyRelevantDefinition extends RelevantDefinition, Ssa::Definition {
+  override predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+}
--- a/csharp/ql/lib/Linq/Helpers.qll
+++ b/csharp/ql/lib/Linq/Helpers.qll
--- a/csharp/ql/lib/semmle/code/cil/internal/SsaImplCommon.qll
+++ b/csharp/ql/lib/semmle/code/cil/internal/SsaImplCommon.qll
@@ -634,3 +634,29 @@ class UncertainWriteDefinition extends WriteDefinition {
    )
  }
 }
+
+/** Provides a set of consistency queries. */
+module Consistency {
+  abstract class RelevantDefinition extends Definition {
+    abstract predicate hasLocationInfo(
+      string filepath, int startline, int startcolumn, int endline, int endcolumn
+    );
+  }
+
+  query predicate nonUniqueDef(RelevantDefinition def, SourceVariable v, BasicBlock bb, int i) {
+    ssaDefReachesRead(v, def, bb, i) and
+    not exists(unique(Definition def0 | ssaDefReachesRead(v, def0, bb, i)))
+  }
+
+  query predicate readWithoutDef(SourceVariable v, BasicBlock bb, int i) {
+    variableRead(bb, i, v, _) and
+    not ssaDefReachesRead(v, _, bb, i)
+  }
+
+  query predicate deadDef(RelevantDefinition def, SourceVariable v) {
+    v = def.getSourceVariable() and
+    not ssaDefReachesRead(_, def, _, _) and
+    not phiHasInputFromBlock(_, def, _) and
+    not uncertainWriteDefinitionInput(_, def)
+  }
+}
--- a/csharp/ql/lib/semmle/code/csharp/ExprOrStmtParent.qll
+++ b/csharp/ql/lib/semmle/code/csharp/ExprOrStmtParent.qll
@@ -140,7 +140,9 @@ private module Cached {
  }

  private Expr getAChildExpr(ExprOrStmtParent parent) {
-    result = parent.getAChildExpr() or
+    result = parent.getAChildExpr() and
+    not result = parent.(DeclarationWithGetSetAccessors).getExpressionBody()
+    or
    result = parent.(AssignOperation).getExpandedAssignment()
  }

@@ -159,7 +161,7 @@ private module Cached {

  private predicate parent(ControlFlowElement child, ExprOrStmtParent parent) {
    child = getAChild(parent) and
-    not child instanceof Callable
+    not child = any(Callable c).getBody()
  }

  /** Holds if the enclosing body of `cfe` is `body`. */
--- a/csharp/ql/lib/semmle/code/csharp/Member.qll
+++ b/csharp/ql/lib/semmle/code/csharp/Member.qll
@@ -383,7 +383,7 @@ class Parameterizable extends DotNet::Parameterizable, Declaration, @parameteriz
  override Parameter getParameter(int i) { params(result, _, _, i, _, this, _) }

  /**
-   * Gets the name of this parameter followed by its type, possibly prefixed
+   * Gets the type of the parameter, possibly prefixed
   * with `out`, `ref`, or `params`, where appropriate.
   */
  private string parameterTypeToString(int i) {
--- a/csharp/ql/lib/semmle/code/csharp/controlflow/ControlFlowGraph.qll
+++ b/csharp/ql/lib/semmle/code/csharp/controlflow/ControlFlowGraph.qll
@@ -25,7 +25,7 @@ module ControlFlow {
   * Only nodes that can be reached from the callable entry point are included in
   * the CFG.
   */
-  class Node extends TNode {
+  class Node extends TCfgNode {
    /** Gets a textual representation of this control flow node. */
    string toString() { none() }

@@ -268,13 +268,13 @@ module ControlFlow {

    /** A node for a callable exit point, annotated with the type of exit. */
    class AnnotatedExitNode extends Node, TAnnotatedExitNode {
-      private Callable c;
+      private CfgScope scope;
      private boolean normal;

-      AnnotatedExitNode() { this = TAnnotatedExitNode(c, normal) }
+      AnnotatedExitNode() { this = TAnnotatedExitNode(scope, normal) }

      /** Gets the callable that this exit applies to. */
-      Callable getCallable() { result = c }
+      CfgScope getCallable() { result = scope }

      /** Holds if this node represents a normal exit. */
      predicate isNormal() { normal = true }
@@ -285,7 +285,7 @@ module ControlFlow {

      override Callable getEnclosingCallable() { result = this.getCallable() }

-      override Location getLocation() { result = this.getCallable().getLocation() }
+      override Location getLocation() { result = scope.getLocation() }

      override string toString() {
        exists(string s |
@@ -293,23 +293,27 @@ module ControlFlow {
          or
          normal = false and s = "abnormal"
        |
-          result = "exit " + this.getCallable() + " (" + s + ")"
+          result = "exit " + scope + " (" + s + ")"
        )
      }
    }

    /** A node for a callable exit point. */
    class ExitNode extends Node, TExitNode {
+      private CfgScope scope;
+
+      ExitNode() { this = TExitNode(scope) }
+
      /** Gets the callable that this exit applies to. */
-      Callable getCallable() { this = TExitNode(result) }
+      Callable getCallable() { result = scope }

      override BasicBlocks::ExitBlock getBasicBlock() { result = Node.super.getBasicBlock() }

      override Callable getEnclosingCallable() { result = this.getCallable() }

-      override Location getLocation() { result = this.getCallable().getLocation() }
+      override Location getLocation() { result = scope.getLocation() }

-      override string toString() { result = "exit " + this.getCallable().toString() }
+      override string toString() { result = "exit " + scope }
    }

    /**
--- a/csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImpl.qll
+++ b/csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImpl.qll
@@ -97,6 +97,24 @@ module ControlFlowTree {
  predicate idOf(Range_ x, int y) = equivalenceRelation(id/2)(x, y)
 }

+/**
+ * The `expr_parent_top_level_adjusted()` relation restricted to exclude relations
+ * between properties and their getters' expression bodies in properties such as
+ * `int P => 0`.
+ *
+ * This is in order to only associate the expression body with one CFG scope, namely
+ * the getter (and not the declaration itself).
+ */
+private predicate expr_parent_top_level_adjusted2(
+  Expr child, int i, @top_level_exprorstmt_parent parent
+) {
+  expr_parent_top_level_adjusted(child, i, parent) and
+  not exists(Getter g |
+    g.getDeclaration() = parent and
+    i = 0
+  )
+}
+
 /** Holds if `first` is first executed when entering `scope`. */
 predicate scopeFirst(CfgScope scope, ControlFlowElement first) {
  scope =
@@ -109,17 +127,23 @@ predicate scopeFirst(CfgScope scope, ControlFlowElement first) {
        else first(c.getBody(), first)
    )
  or
-  expr_parent_top_level_adjusted(any(Expr e | first(e, first)), _, scope) and
+  expr_parent_top_level_adjusted2(any(Expr e | first(e, first)), _, scope) and
  not scope instanceof Callable
 }

 /** Holds if `scope` is exited when `last` finishes with completion `c`. */
-predicate scopeLast(Callable scope, ControlFlowElement last, Completion c) {
-  last(scope.getBody(), last, c) and
-  not c instanceof GotoCompletion
+predicate scopeLast(CfgScope scope, ControlFlowElement last, Completion c) {
+  scope =
+    any(Callable callable |
+      last(callable.getBody(), last, c) and
+      not c instanceof GotoCompletion
+      or
+      last(InitializerSplitting::lastConstructorInitializer(scope, _), last, c) and
+      not callable.hasBody()
+    )
  or
-  last(InitializerSplitting::lastConstructorInitializer(scope, _), last, c) and
-  not scope.hasBody()
+  expr_parent_top_level_adjusted2(any(Expr e | last(e, last, c)), _, scope) and
+  not scope instanceof Callable
 }

 private class ConstructorTree extends ControlFlowTree, Constructor {
--- a/csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImplShared.qll
+++ b/csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImplShared.qll
@@ -788,7 +788,7 @@ private module Cached {
   * The control flow graph is pruned for unreachable nodes.
   */
  cached
-  newtype TNode =
+  newtype TCfgNode =
    TEntryNode(CfgScope scope) { succEntrySplits(scope, _, _, _) } or
    TAnnotatedExitNode(CfgScope scope, boolean normal) {
      exists(Reachability::SameSplitsBlock b, SuccessorType t | b.isReachable(_) |
@@ -807,7 +807,7 @@ private module Cached {

  /** Gets a successor node of a given flow type, if any. */
  cached
-  TNode getASuccessor(TNode pred, SuccessorType t) {
+  TCfgNode getASuccessor(TCfgNode pred, SuccessorType t) {
    // Callable entry node -> callable body
    exists(ControlFlowElement succElement, Splits succSplits, CfgScope scope |
      result = TElementNode(succElement, succSplits) and
@@ -943,4 +943,9 @@ module Consistency {
    strictcount(getASuccessor(node, t)) > 1 and
    successor = getASuccessor(node, t)
  }
+
+  query predicate deadEnd(Node node) {
+    not node instanceof TExitNode and
+    not exists(getASuccessor(node, _))
+  }
 }
--- a/csharp/ql/lib/semmle/code/csharp/controlflow/internal/pressa/SsaImplCommon.qll
+++ b/csharp/ql/lib/semmle/code/csharp/controlflow/internal/pressa/SsaImplCommon.qll
@@ -634,3 +634,29 @@ class UncertainWriteDefinition extends WriteDefinition {
    )
  }
 }
+
+/** Provides a set of consistency queries. */
+module Consistency {
+  abstract class RelevantDefinition extends Definition {
+    abstract predicate hasLocationInfo(
+      string filepath, int startline, int startcolumn, int endline, int endcolumn
+    );
+  }
+
+  query predicate nonUniqueDef(RelevantDefinition def, SourceVariable v, BasicBlock bb, int i) {
+    ssaDefReachesRead(v, def, bb, i) and
+    not exists(unique(Definition def0 | ssaDefReachesRead(v, def0, bb, i)))
+  }
+
+  query predicate readWithoutDef(SourceVariable v, BasicBlock bb, int i) {
+    variableRead(bb, i, v, _) and
+    not ssaDefReachesRead(v, _, bb, i)
+  }
+
+  query predicate deadDef(RelevantDefinition def, SourceVariable v) {
+    v = def.getSourceVariable() and
+    not ssaDefReachesRead(_, def, _, _) and
+    not phiHasInputFromBlock(_, def, _) and
+    not uncertainWriteDefinitionInput(_, def)
+  }
+}
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll
@@ -78,6 +78,7 @@ private import internal.DataFlowPublic
 private import internal.FlowSummaryImpl::Public
 private import internal.FlowSummaryImpl::Private::External
 private import internal.FlowSummaryImplSpecific
+private import semmle.code.csharp.dispatch.OverridableCallable

 /**
 * A module importing the frameworks that provide external flow data,
@@ -347,12 +348,15 @@ private class UnboundValueOrRefType extends ValueOrRefType {
  }
 }

-private class UnboundCallable extends Callable, Virtualizable {
+private class UnboundCallable extends Callable {
  UnboundCallable() { this.isUnboundDeclaration() }

  predicate overridesOrImplementsUnbound(UnboundCallable that) {
    exists(Callable c |
-      this.overridesOrImplementsOrEquals(c) and
+      this.(Virtualizable).overridesOrImplementsOrEquals(c) or
+      this = c.(OverridableCallable).getAnUltimateImplementor() or
+      this = c.(OverridableCallable).getAnOverrider+()
+    |
      this != c and
      that = c.getUnboundDeclaration()
    )
@@ -409,7 +413,7 @@ private Element interpretElement0(
  string namespace, string type, boolean subtypes, string name, string signature
 ) {
  exists(UnboundValueOrRefType t | elementSpec(namespace, type, subtypes, name, signature, _, t) |
-    exists(Member m |
+    exists(Declaration m |
      (
        result = m
        or
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
@@ -289,6 +289,7 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

+pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
    config.isBarrier(n)
@@ -307,11 +308,23 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 }

 pragma[nomagic]
-private predicate sourceNode(NodeEx node, Configuration config) { config.isSource(node.asNode()) }
+private predicate sourceNode(NodeEx node, Configuration config) {
+  config.isSource(node.asNode()) and
+  not fullBarrier(node, config)
+}

 pragma[nomagic]
 private predicate sinkNode(NodeEx node, Configuration config) { config.isSink(node.asNode()) }

+/** Provides the relevant barriers for a step from `node1` to `node2`. */
+pragma[inline]
+private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
+  not fullBarrier(node1, config) and
+  not fullBarrier(node2, config)
+}
+
 /**
 * Holds if data can flow in one local step from `node1` to `node2`.
 */
@@ -320,16 +333,14 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    simpleLocalFlowStepExt(n1, n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    stepFilter(node1, node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.asNode() = n and
-    node2.isImplicitReadNode(n, false)
+    node2.isImplicitReadNode(n, false) and
+    not fullBarrier(node1, config)
  )
 }

@@ -342,16 +353,14 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    stepFilter(node1, node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.isImplicitReadNode(n, true) and
-    node2.asNode() = n
+    node2.asNode() = n and
+    not fullBarrier(node2, config)
  )
 }

@@ -363,10 +372,7 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    jumpStepCached(n1, n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config) and
+    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }
@@ -380,16 +386,14 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config) and
+    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }

 private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  read(node1.asNode(), c, node2.asNode())
+  read(node1.asNode(), c, node2.asNode()) and
+  stepFilter(node1, node2, config)
  or
  exists(Node n |
    node2.isImplicitReadNode(n, true) and
@@ -402,7 +406,8 @@ private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
  store(node1.asNode(), tc, node2.asNode(), contentType) and
-  read(_, tc.getContent(), _, config)
+  read(_, tc.getContent(), _, config) and
+  stepFilter(node1, node2, config)
 }

 pragma[nomagic]
@@ -451,63 +456,59 @@ private module Stage1 {
   * argument in a call.
   */
  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
-    not fullBarrier(node, config) and
-    (
-      sourceNode(node, config) and
-      if hasSourceCallCtx(config) then cc = true else cc = false
+    sourceNode(node, config) and
+    if hasSourceCallCtx(config) then cc = true else cc = false
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, cc, config) and
+      localFlowStep(mid, node, config)
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, cc, config) and
+      additionalLocalFlowStep(mid, node, config)
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, _, config) and
+      jumpStep(mid, node, config) and
+      cc = false
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, _, config) and
+      additionalJumpStep(mid, node, config) and
+      cc = false
+    )
+    or
+    // store
+    exists(NodeEx mid |
+      useFieldFlow(config) and
+      fwdFlow(mid, cc, config) and
+      store(mid, _, node, _, config)
+    )
+    or
+    // read
+    exists(Content c |
+      fwdFlowRead(c, node, cc, config) and
+      fwdFlowConsCand(c, config)
+    )
+    or
+    // flow into a callable
+    exists(NodeEx arg |
+      fwdFlow(arg, _, config) and
+      viableParamArgEx(_, node, arg) and
+      cc = true and
+      not fullBarrier(node, config)
+    )
+    or
+    // flow out of a callable
+    exists(DataFlowCall call |
+      fwdFlowOut(call, node, false, config) and
+      cc = false
      or
-      exists(NodeEx mid |
-        fwdFlow(mid, cc, config) and
-        localFlowStep(mid, node, config)
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, cc, config) and
-        additionalLocalFlowStep(mid, node, config)
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, _, config) and
-        jumpStep(mid, node, config) and
-        cc = false
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, _, config) and
-        additionalJumpStep(mid, node, config) and
-        cc = false
-      )
-      or
-      // store
-      exists(NodeEx mid |
-        useFieldFlow(config) and
-        fwdFlow(mid, cc, config) and
-        store(mid, _, node, _, config) and
-        not outBarrier(mid, config)
-      )
-      or
-      // read
-      exists(Content c |
-        fwdFlowRead(c, node, cc, config) and
-        fwdFlowConsCand(c, config) and
-        not inBarrier(node, config)
-      )
-      or
-      // flow into a callable
-      exists(NodeEx arg |
-        fwdFlow(arg, _, config) and
-        viableParamArgEx(_, node, arg) and
-        cc = true
-      )
-      or
-      // flow out of a callable
-      exists(DataFlowCall call |
-        fwdFlowOut(call, node, false, config) and
-        cc = false
-        or
-        fwdFlowOutFromArg(call, node, config) and
-        fwdFlowIsEntered(call, cc, config)
-      )
+      fwdFlowOutFromArg(call, node, config) and
+      fwdFlowIsEntered(call, cc, config)
    )
  }

@@ -547,7 +548,8 @@ private module Stage1 {
  private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
    exists(ReturnPosition pos |
      fwdFlowReturnPosition(pos, cc, config) and
-      viableReturnPosOutEx(call, pos, out)
+      viableReturnPosOutEx(call, pos, out) and
+      not fullBarrier(out, config)
    )
  }

@@ -773,6 +775,7 @@ private module Stage1 {
   * Holds if flow may enter through `p` and reach a return node making `p` a
   * candidate for the origin of a summary.
   */
+  pragma[nomagic]
  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
    exists(ReturnKindExt kind |
      throughFlowNodeCand(p, config) and
@@ -1009,6 +1012,9 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1017,14 +1023,23 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -1037,6 +1052,13 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1107,7 +1129,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1142,9 +1164,8 @@ private module Stage2 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1159,9 +1180,8 @@ private module Stage2 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1171,10 +1191,8 @@ private module Stage2 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1188,7 +1206,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
    )
  }

@@ -1230,6 +1248,11 @@ private module Stage2 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -1306,7 +1329,7 @@ private module Stage2 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -1341,9 +1364,8 @@ private module Stage2 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1353,9 +1375,8 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1365,9 +1386,8 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1707,12 +1727,14 @@ private module Stage3 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -1837,9 +1859,8 @@ private module Stage3 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1854,9 +1875,8 @@ private module Stage3 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1866,10 +1886,8 @@ private module Stage3 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1925,6 +1943,11 @@ private module Stage3 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2001,7 +2024,7 @@ private module Stage3 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2036,9 +2059,8 @@ private module Stage3 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2048,9 +2070,8 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2060,9 +2081,8 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2473,12 +2493,14 @@ private module Stage4 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -2603,9 +2625,8 @@ private module Stage4 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2620,9 +2641,8 @@ private module Stage4 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2632,10 +2652,8 @@ private module Stage4 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2691,6 +2709,11 @@ private module Stage4 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2767,7 +2790,7 @@ private module Stage4 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2802,9 +2825,8 @@ private module Stage4 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2814,9 +2836,8 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2826,9 +2847,8 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
@@ -289,6 +289,7 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

+pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
    config.isBarrier(n)
@@ -307,11 +308,23 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 }

 pragma[nomagic]
-private predicate sourceNode(NodeEx node, Configuration config) { config.isSource(node.asNode()) }
+private predicate sourceNode(NodeEx node, Configuration config) {
+  config.isSource(node.asNode()) and
+  not fullBarrier(node, config)
+}

 pragma[nomagic]
 private predicate sinkNode(NodeEx node, Configuration config) { config.isSink(node.asNode()) }

+/** Provides the relevant barriers for a step from `node1` to `node2`. */
+pragma[inline]
+private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
+  not fullBarrier(node1, config) and
+  not fullBarrier(node2, config)
+}
+
 /**
 * Holds if data can flow in one local step from `node1` to `node2`.
 */
@@ -320,16 +333,14 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    simpleLocalFlowStepExt(n1, n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    stepFilter(node1, node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.asNode() = n and
-    node2.isImplicitReadNode(n, false)
+    node2.isImplicitReadNode(n, false) and
+    not fullBarrier(node1, config)
  )
 }

@@ -342,16 +353,14 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    stepFilter(node1, node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.isImplicitReadNode(n, true) and
-    node2.asNode() = n
+    node2.asNode() = n and
+    not fullBarrier(node2, config)
  )
 }

@@ -363,10 +372,7 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    jumpStepCached(n1, n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config) and
+    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }
@@ -380,16 +386,14 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config) and
+    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }

 private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  read(node1.asNode(), c, node2.asNode())
+  read(node1.asNode(), c, node2.asNode()) and
+  stepFilter(node1, node2, config)
  or
  exists(Node n |
    node2.isImplicitReadNode(n, true) and
@@ -402,7 +406,8 @@ private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
  store(node1.asNode(), tc, node2.asNode(), contentType) and
-  read(_, tc.getContent(), _, config)
+  read(_, tc.getContent(), _, config) and
+  stepFilter(node1, node2, config)
 }

 pragma[nomagic]
@@ -451,63 +456,59 @@ private module Stage1 {
   * argument in a call.
   */
  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
-    not fullBarrier(node, config) and
-    (
-      sourceNode(node, config) and
-      if hasSourceCallCtx(config) then cc = true else cc = false
+    sourceNode(node, config) and
+    if hasSourceCallCtx(config) then cc = true else cc = false
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, cc, config) and
+      localFlowStep(mid, node, config)
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, cc, config) and
+      additionalLocalFlowStep(mid, node, config)
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, _, config) and
+      jumpStep(mid, node, config) and
+      cc = false
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, _, config) and
+      additionalJumpStep(mid, node, config) and
+      cc = false
+    )
+    or
+    // store
+    exists(NodeEx mid |
+      useFieldFlow(config) and
+      fwdFlow(mid, cc, config) and
+      store(mid, _, node, _, config)
+    )
+    or
+    // read
+    exists(Content c |
+      fwdFlowRead(c, node, cc, config) and
+      fwdFlowConsCand(c, config)
+    )
+    or
+    // flow into a callable
+    exists(NodeEx arg |
+      fwdFlow(arg, _, config) and
+      viableParamArgEx(_, node, arg) and
+      cc = true and
+      not fullBarrier(node, config)
+    )
+    or
+    // flow out of a callable
+    exists(DataFlowCall call |
+      fwdFlowOut(call, node, false, config) and
+      cc = false
      or
-      exists(NodeEx mid |
-        fwdFlow(mid, cc, config) and
-        localFlowStep(mid, node, config)
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, cc, config) and
-        additionalLocalFlowStep(mid, node, config)
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, _, config) and
-        jumpStep(mid, node, config) and
-        cc = false
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, _, config) and
-        additionalJumpStep(mid, node, config) and
-        cc = false
-      )
-      or
-      // store
-      exists(NodeEx mid |
-        useFieldFlow(config) and
-        fwdFlow(mid, cc, config) and
-        store(mid, _, node, _, config) and
-        not outBarrier(mid, config)
-      )
-      or
-      // read
-      exists(Content c |
-        fwdFlowRead(c, node, cc, config) and
-        fwdFlowConsCand(c, config) and
-        not inBarrier(node, config)
-      )
-      or
-      // flow into a callable
-      exists(NodeEx arg |
-        fwdFlow(arg, _, config) and
-        viableParamArgEx(_, node, arg) and
-        cc = true
-      )
-      or
-      // flow out of a callable
-      exists(DataFlowCall call |
-        fwdFlowOut(call, node, false, config) and
-        cc = false
-        or
-        fwdFlowOutFromArg(call, node, config) and
-        fwdFlowIsEntered(call, cc, config)
-      )
+      fwdFlowOutFromArg(call, node, config) and
+      fwdFlowIsEntered(call, cc, config)
    )
  }

@@ -547,7 +548,8 @@ private module Stage1 {
  private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
    exists(ReturnPosition pos |
      fwdFlowReturnPosition(pos, cc, config) and
-      viableReturnPosOutEx(call, pos, out)
+      viableReturnPosOutEx(call, pos, out) and
+      not fullBarrier(out, config)
    )
  }

@@ -773,6 +775,7 @@ private module Stage1 {
   * Holds if flow may enter through `p` and reach a return node making `p` a
   * candidate for the origin of a summary.
   */
+  pragma[nomagic]
  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
    exists(ReturnKindExt kind |
      throughFlowNodeCand(p, config) and
@@ -1009,6 +1012,9 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1017,14 +1023,23 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -1037,6 +1052,13 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1107,7 +1129,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1142,9 +1164,8 @@ private module Stage2 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1159,9 +1180,8 @@ private module Stage2 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1171,10 +1191,8 @@ private module Stage2 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1188,7 +1206,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
    )
  }

@@ -1230,6 +1248,11 @@ private module Stage2 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -1306,7 +1329,7 @@ private module Stage2 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -1341,9 +1364,8 @@ private module Stage2 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1353,9 +1375,8 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1365,9 +1386,8 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1707,12 +1727,14 @@ private module Stage3 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -1837,9 +1859,8 @@ private module Stage3 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1854,9 +1875,8 @@ private module Stage3 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1866,10 +1886,8 @@ private module Stage3 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1925,6 +1943,11 @@ private module Stage3 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2001,7 +2024,7 @@ private module Stage3 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2036,9 +2059,8 @@ private module Stage3 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2048,9 +2070,8 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2060,9 +2081,8 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2473,12 +2493,14 @@ private module Stage4 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -2603,9 +2625,8 @@ private module Stage4 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2620,9 +2641,8 @@ private module Stage4 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2632,10 +2652,8 @@ private module Stage4 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2691,6 +2709,11 @@ private module Stage4 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2767,7 +2790,7 @@ private module Stage4 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2802,9 +2825,8 @@ private module Stage4 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2814,9 +2836,8 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2826,9 +2847,8 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
@@ -289,6 +289,7 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

+pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
    config.isBarrier(n)
@@ -307,11 +308,23 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 }

 pragma[nomagic]
-private predicate sourceNode(NodeEx node, Configuration config) { config.isSource(node.asNode()) }
+private predicate sourceNode(NodeEx node, Configuration config) {
+  config.isSource(node.asNode()) and
+  not fullBarrier(node, config)
+}

 pragma[nomagic]
 private predicate sinkNode(NodeEx node, Configuration config) { config.isSink(node.asNode()) }

+/** Provides the relevant barriers for a step from `node1` to `node2`. */
+pragma[inline]
+private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
+  not fullBarrier(node1, config) and
+  not fullBarrier(node2, config)
+}
+
 /**
 * Holds if data can flow in one local step from `node1` to `node2`.
 */
@@ -320,16 +333,14 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    simpleLocalFlowStepExt(n1, n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    stepFilter(node1, node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.asNode() = n and
-    node2.isImplicitReadNode(n, false)
+    node2.isImplicitReadNode(n, false) and
+    not fullBarrier(node1, config)
  )
 }

@@ -342,16 +353,14 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    stepFilter(node1, node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.isImplicitReadNode(n, true) and
-    node2.asNode() = n
+    node2.asNode() = n and
+    not fullBarrier(node2, config)
  )
 }

@@ -363,10 +372,7 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    jumpStepCached(n1, n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config) and
+    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }
@@ -380,16 +386,14 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config) and
+    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }

 private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  read(node1.asNode(), c, node2.asNode())
+  read(node1.asNode(), c, node2.asNode()) and
+  stepFilter(node1, node2, config)
  or
  exists(Node n |
    node2.isImplicitReadNode(n, true) and
@@ -402,7 +406,8 @@ private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
  store(node1.asNode(), tc, node2.asNode(), contentType) and
-  read(_, tc.getContent(), _, config)
+  read(_, tc.getContent(), _, config) and
+  stepFilter(node1, node2, config)
 }

 pragma[nomagic]
@@ -451,63 +456,59 @@ private module Stage1 {
   * argument in a call.
   */
  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
-    not fullBarrier(node, config) and
-    (
-      sourceNode(node, config) and
-      if hasSourceCallCtx(config) then cc = true else cc = false
+    sourceNode(node, config) and
+    if hasSourceCallCtx(config) then cc = true else cc = false
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, cc, config) and
+      localFlowStep(mid, node, config)
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, cc, config) and
+      additionalLocalFlowStep(mid, node, config)
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, _, config) and
+      jumpStep(mid, node, config) and
+      cc = false
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, _, config) and
+      additionalJumpStep(mid, node, config) and
+      cc = false
+    )
+    or
+    // store
+    exists(NodeEx mid |
+      useFieldFlow(config) and
+      fwdFlow(mid, cc, config) and
+      store(mid, _, node, _, config)
+    )
+    or
+    // read
+    exists(Content c |
+      fwdFlowRead(c, node, cc, config) and
+      fwdFlowConsCand(c, config)
+    )
+    or
+    // flow into a callable
+    exists(NodeEx arg |
+      fwdFlow(arg, _, config) and
+      viableParamArgEx(_, node, arg) and
+      cc = true and
+      not fullBarrier(node, config)
+    )
+    or
+    // flow out of a callable
+    exists(DataFlowCall call |
+      fwdFlowOut(call, node, false, config) and
+      cc = false
      or
-      exists(NodeEx mid |
-        fwdFlow(mid, cc, config) and
-        localFlowStep(mid, node, config)
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, cc, config) and
-        additionalLocalFlowStep(mid, node, config)
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, _, config) and
-        jumpStep(mid, node, config) and
-        cc = false
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, _, config) and
-        additionalJumpStep(mid, node, config) and
-        cc = false
-      )
-      or
-      // store
-      exists(NodeEx mid |
-        useFieldFlow(config) and
-        fwdFlow(mid, cc, config) and
-        store(mid, _, node, _, config) and
-        not outBarrier(mid, config)
-      )
-      or
-      // read
-      exists(Content c |
-        fwdFlowRead(c, node, cc, config) and
-        fwdFlowConsCand(c, config) and
-        not inBarrier(node, config)
-      )
-      or
-      // flow into a callable
-      exists(NodeEx arg |
-        fwdFlow(arg, _, config) and
-        viableParamArgEx(_, node, arg) and
-        cc = true
-      )
-      or
-      // flow out of a callable
-      exists(DataFlowCall call |
-        fwdFlowOut(call, node, false, config) and
-        cc = false
-        or
-        fwdFlowOutFromArg(call, node, config) and
-        fwdFlowIsEntered(call, cc, config)
-      )
+      fwdFlowOutFromArg(call, node, config) and
+      fwdFlowIsEntered(call, cc, config)
    )
  }

@@ -547,7 +548,8 @@ private module Stage1 {
  private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
    exists(ReturnPosition pos |
      fwdFlowReturnPosition(pos, cc, config) and
-      viableReturnPosOutEx(call, pos, out)
+      viableReturnPosOutEx(call, pos, out) and
+      not fullBarrier(out, config)
    )
  }

@@ -773,6 +775,7 @@ private module Stage1 {
   * Holds if flow may enter through `p` and reach a return node making `p` a
   * candidate for the origin of a summary.
   */
+  pragma[nomagic]
  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
    exists(ReturnKindExt kind |
      throughFlowNodeCand(p, config) and
@@ -1009,6 +1012,9 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1017,14 +1023,23 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -1037,6 +1052,13 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1107,7 +1129,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1142,9 +1164,8 @@ private module Stage2 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1159,9 +1180,8 @@ private module Stage2 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1171,10 +1191,8 @@ private module Stage2 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1188,7 +1206,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
    )
  }

@@ -1230,6 +1248,11 @@ private module Stage2 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -1306,7 +1329,7 @@ private module Stage2 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -1341,9 +1364,8 @@ private module Stage2 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1353,9 +1375,8 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1365,9 +1386,8 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1707,12 +1727,14 @@ private module Stage3 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -1837,9 +1859,8 @@ private module Stage3 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1854,9 +1875,8 @@ private module Stage3 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1866,10 +1886,8 @@ private module Stage3 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1925,6 +1943,11 @@ private module Stage3 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2001,7 +2024,7 @@ private module Stage3 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2036,9 +2059,8 @@ private module Stage3 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2048,9 +2070,8 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2060,9 +2081,8 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2473,12 +2493,14 @@ private module Stage4 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -2603,9 +2625,8 @@ private module Stage4 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2620,9 +2641,8 @@ private module Stage4 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2632,10 +2652,8 @@ private module Stage4 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2691,6 +2709,11 @@ private module Stage4 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2767,7 +2790,7 @@ private module Stage4 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2802,9 +2825,8 @@ private module Stage4 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2814,9 +2836,8 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2826,9 +2847,8 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
@@ -289,6 +289,7 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

+pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
    config.isBarrier(n)
@@ -307,11 +308,23 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 }

 pragma[nomagic]
-private predicate sourceNode(NodeEx node, Configuration config) { config.isSource(node.asNode()) }
+private predicate sourceNode(NodeEx node, Configuration config) {
+  config.isSource(node.asNode()) and
+  not fullBarrier(node, config)
+}

 pragma[nomagic]
 private predicate sinkNode(NodeEx node, Configuration config) { config.isSink(node.asNode()) }

+/** Provides the relevant barriers for a step from `node1` to `node2`. */
+pragma[inline]
+private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
+  not fullBarrier(node1, config) and
+  not fullBarrier(node2, config)
+}
+
 /**
 * Holds if data can flow in one local step from `node1` to `node2`.
 */
@@ -320,16 +333,14 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    simpleLocalFlowStepExt(n1, n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    stepFilter(node1, node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.asNode() = n and
-    node2.isImplicitReadNode(n, false)
+    node2.isImplicitReadNode(n, false) and
+    not fullBarrier(node1, config)
  )
 }

@@ -342,16 +353,14 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    stepFilter(node1, node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.isImplicitReadNode(n, true) and
-    node2.asNode() = n
+    node2.asNode() = n and
+    not fullBarrier(node2, config)
  )
 }

@@ -363,10 +372,7 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    jumpStepCached(n1, n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config) and
+    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }
@@ -380,16 +386,14 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config) and
+    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }

 private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  read(node1.asNode(), c, node2.asNode())
+  read(node1.asNode(), c, node2.asNode()) and
+  stepFilter(node1, node2, config)
  or
  exists(Node n |
    node2.isImplicitReadNode(n, true) and
@@ -402,7 +406,8 @@ private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
  store(node1.asNode(), tc, node2.asNode(), contentType) and
-  read(_, tc.getContent(), _, config)
+  read(_, tc.getContent(), _, config) and
+  stepFilter(node1, node2, config)
 }

 pragma[nomagic]
@@ -451,63 +456,59 @@ private module Stage1 {
   * argument in a call.
   */
  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
-    not fullBarrier(node, config) and
-    (
-      sourceNode(node, config) and
-      if hasSourceCallCtx(config) then cc = true else cc = false
+    sourceNode(node, config) and
+    if hasSourceCallCtx(config) then cc = true else cc = false
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, cc, config) and
+      localFlowStep(mid, node, config)
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, cc, config) and
+      additionalLocalFlowStep(mid, node, config)
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, _, config) and
+      jumpStep(mid, node, config) and
+      cc = false
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, _, config) and
+      additionalJumpStep(mid, node, config) and
+      cc = false
+    )
+    or
+    // store
+    exists(NodeEx mid |
+      useFieldFlow(config) and
+      fwdFlow(mid, cc, config) and
+      store(mid, _, node, _, config)
+    )
+    or
+    // read
+    exists(Content c |
+      fwdFlowRead(c, node, cc, config) and
+      fwdFlowConsCand(c, config)
+    )
+    or
+    // flow into a callable
+    exists(NodeEx arg |
+      fwdFlow(arg, _, config) and
+      viableParamArgEx(_, node, arg) and
+      cc = true and
+      not fullBarrier(node, config)
+    )
+    or
+    // flow out of a callable
+    exists(DataFlowCall call |
+      fwdFlowOut(call, node, false, config) and
+      cc = false
      or
-      exists(NodeEx mid |
-        fwdFlow(mid, cc, config) and
-        localFlowStep(mid, node, config)
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, cc, config) and
-        additionalLocalFlowStep(mid, node, config)
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, _, config) and
-        jumpStep(mid, node, config) and
-        cc = false
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, _, config) and
-        additionalJumpStep(mid, node, config) and
-        cc = false
-      )
-      or
-      // store
-      exists(NodeEx mid |
-        useFieldFlow(config) and
-        fwdFlow(mid, cc, config) and
-        store(mid, _, node, _, config) and
-        not outBarrier(mid, config)
-      )
-      or
-      // read
-      exists(Content c |
-        fwdFlowRead(c, node, cc, config) and
-        fwdFlowConsCand(c, config) and
-        not inBarrier(node, config)
-      )
-      or
-      // flow into a callable
-      exists(NodeEx arg |
-        fwdFlow(arg, _, config) and
-        viableParamArgEx(_, node, arg) and
-        cc = true
-      )
-      or
-      // flow out of a callable
-      exists(DataFlowCall call |
-        fwdFlowOut(call, node, false, config) and
-        cc = false
-        or
-        fwdFlowOutFromArg(call, node, config) and
-        fwdFlowIsEntered(call, cc, config)
-      )
+      fwdFlowOutFromArg(call, node, config) and
+      fwdFlowIsEntered(call, cc, config)
    )
  }

@@ -547,7 +548,8 @@ private module Stage1 {
  private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
    exists(ReturnPosition pos |
      fwdFlowReturnPosition(pos, cc, config) and
-      viableReturnPosOutEx(call, pos, out)
+      viableReturnPosOutEx(call, pos, out) and
+      not fullBarrier(out, config)
    )
  }

@@ -773,6 +775,7 @@ private module Stage1 {
   * Holds if flow may enter through `p` and reach a return node making `p` a
   * candidate for the origin of a summary.
   */
+  pragma[nomagic]
  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
    exists(ReturnKindExt kind |
      throughFlowNodeCand(p, config) and
@@ -1009,6 +1012,9 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1017,14 +1023,23 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -1037,6 +1052,13 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1107,7 +1129,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1142,9 +1164,8 @@ private module Stage2 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1159,9 +1180,8 @@ private module Stage2 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1171,10 +1191,8 @@ private module Stage2 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1188,7 +1206,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
    )
  }

@@ -1230,6 +1248,11 @@ private module Stage2 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -1306,7 +1329,7 @@ private module Stage2 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -1341,9 +1364,8 @@ private module Stage2 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1353,9 +1375,8 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1365,9 +1386,8 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1707,12 +1727,14 @@ private module Stage3 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -1837,9 +1859,8 @@ private module Stage3 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1854,9 +1875,8 @@ private module Stage3 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1866,10 +1886,8 @@ private module Stage3 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1925,6 +1943,11 @@ private module Stage3 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2001,7 +2024,7 @@ private module Stage3 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2036,9 +2059,8 @@ private module Stage3 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2048,9 +2070,8 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2060,9 +2081,8 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2473,12 +2493,14 @@ private module Stage4 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -2603,9 +2625,8 @@ private module Stage4 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2620,9 +2641,8 @@ private module Stage4 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2632,10 +2652,8 @@ private module Stage4 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2691,6 +2709,11 @@ private module Stage4 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2767,7 +2790,7 @@ private module Stage4 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2802,9 +2825,8 @@ private module Stage4 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2814,9 +2836,8 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2826,9 +2847,8 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
@@ -289,6 +289,7 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

+pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
    config.isBarrier(n)
@@ -307,11 +308,23 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 }

 pragma[nomagic]
-private predicate sourceNode(NodeEx node, Configuration config) { config.isSource(node.asNode()) }
+private predicate sourceNode(NodeEx node, Configuration config) {
+  config.isSource(node.asNode()) and
+  not fullBarrier(node, config)
+}

 pragma[nomagic]
 private predicate sinkNode(NodeEx node, Configuration config) { config.isSink(node.asNode()) }

+/** Provides the relevant barriers for a step from `node1` to `node2`. */
+pragma[inline]
+private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
+  not fullBarrier(node1, config) and
+  not fullBarrier(node2, config)
+}
+
 /**
 * Holds if data can flow in one local step from `node1` to `node2`.
 */
@@ -320,16 +333,14 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    simpleLocalFlowStepExt(n1, n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    stepFilter(node1, node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.asNode() = n and
-    node2.isImplicitReadNode(n, false)
+    node2.isImplicitReadNode(n, false) and
+    not fullBarrier(node1, config)
  )
 }

@@ -342,16 +353,14 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    stepFilter(node1, node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.isImplicitReadNode(n, true) and
-    node2.asNode() = n
+    node2.asNode() = n and
+    not fullBarrier(node2, config)
  )
 }

@@ -363,10 +372,7 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    jumpStepCached(n1, n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config) and
+    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }
@@ -380,16 +386,14 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
-    not outBarrier(node1, config) and
-    not inBarrier(node2, config) and
-    not fullBarrier(node1, config) and
-    not fullBarrier(node2, config) and
+    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }

 private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  read(node1.asNode(), c, node2.asNode())
+  read(node1.asNode(), c, node2.asNode()) and
+  stepFilter(node1, node2, config)
  or
  exists(Node n |
    node2.isImplicitReadNode(n, true) and
@@ -402,7 +406,8 @@ private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
  store(node1.asNode(), tc, node2.asNode(), contentType) and
-  read(_, tc.getContent(), _, config)
+  read(_, tc.getContent(), _, config) and
+  stepFilter(node1, node2, config)
 }

 pragma[nomagic]
@@ -451,63 +456,59 @@ private module Stage1 {
   * argument in a call.
   */
  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
-    not fullBarrier(node, config) and
-    (
-      sourceNode(node, config) and
-      if hasSourceCallCtx(config) then cc = true else cc = false
+    sourceNode(node, config) and
+    if hasSourceCallCtx(config) then cc = true else cc = false
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, cc, config) and
+      localFlowStep(mid, node, config)
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, cc, config) and
+      additionalLocalFlowStep(mid, node, config)
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, _, config) and
+      jumpStep(mid, node, config) and
+      cc = false
+    )
+    or
+    exists(NodeEx mid |
+      fwdFlow(mid, _, config) and
+      additionalJumpStep(mid, node, config) and
+      cc = false
+    )
+    or
+    // store
+    exists(NodeEx mid |
+      useFieldFlow(config) and
+      fwdFlow(mid, cc, config) and
+      store(mid, _, node, _, config)
+    )
+    or
+    // read
+    exists(Content c |
+      fwdFlowRead(c, node, cc, config) and
+      fwdFlowConsCand(c, config)
+    )
+    or
+    // flow into a callable
+    exists(NodeEx arg |
+      fwdFlow(arg, _, config) and
+      viableParamArgEx(_, node, arg) and
+      cc = true and
+      not fullBarrier(node, config)
+    )
+    or
+    // flow out of a callable
+    exists(DataFlowCall call |
+      fwdFlowOut(call, node, false, config) and
+      cc = false
      or
-      exists(NodeEx mid |
-        fwdFlow(mid, cc, config) and
-        localFlowStep(mid, node, config)
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, cc, config) and
-        additionalLocalFlowStep(mid, node, config)
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, _, config) and
-        jumpStep(mid, node, config) and
-        cc = false
-      )
-      or
-      exists(NodeEx mid |
-        fwdFlow(mid, _, config) and
-        additionalJumpStep(mid, node, config) and
-        cc = false
-      )
-      or
-      // store
-      exists(NodeEx mid |
-        useFieldFlow(config) and
-        fwdFlow(mid, cc, config) and
-        store(mid, _, node, _, config) and
-        not outBarrier(mid, config)
-      )
-      or
-      // read
-      exists(Content c |
-        fwdFlowRead(c, node, cc, config) and
-        fwdFlowConsCand(c, config) and
-        not inBarrier(node, config)
-      )
-      or
-      // flow into a callable
-      exists(NodeEx arg |
-        fwdFlow(arg, _, config) and
-        viableParamArgEx(_, node, arg) and
-        cc = true
-      )
-      or
-      // flow out of a callable
-      exists(DataFlowCall call |
-        fwdFlowOut(call, node, false, config) and
-        cc = false
-        or
-        fwdFlowOutFromArg(call, node, config) and
-        fwdFlowIsEntered(call, cc, config)
-      )
+      fwdFlowOutFromArg(call, node, config) and
+      fwdFlowIsEntered(call, cc, config)
    )
  }

@@ -547,7 +548,8 @@ private module Stage1 {
  private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
    exists(ReturnPosition pos |
      fwdFlowReturnPosition(pos, cc, config) and
-      viableReturnPosOutEx(call, pos, out)
+      viableReturnPosOutEx(call, pos, out) and
+      not fullBarrier(out, config)
    )
  }

@@ -773,6 +775,7 @@ private module Stage1 {
   * Holds if flow may enter through `p` and reach a return node making `p` a
   * candidate for the origin of a summary.
   */
+  pragma[nomagic]
  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
    exists(ReturnKindExt kind |
      throughFlowNodeCand(p, config) and
@@ -1009,6 +1012,9 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1017,14 +1023,23 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -1037,6 +1052,13 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1107,7 +1129,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1142,9 +1164,8 @@ private module Stage2 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1159,9 +1180,8 @@ private module Stage2 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1171,10 +1191,8 @@ private module Stage2 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1188,7 +1206,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
    )
  }

@@ -1230,6 +1248,11 @@ private module Stage2 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -1306,7 +1329,7 @@ private module Stage2 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -1341,9 +1364,8 @@ private module Stage2 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1353,9 +1375,8 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1365,9 +1386,8 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1707,12 +1727,14 @@ private module Stage3 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -1837,9 +1859,8 @@ private module Stage3 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1854,9 +1875,8 @@ private module Stage3 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1866,10 +1886,8 @@ private module Stage3 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -1925,6 +1943,11 @@ private module Stage3 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2001,7 +2024,7 @@ private module Stage3 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2036,9 +2059,8 @@ private module Stage3 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2048,9 +2070,8 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2060,9 +2081,8 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2473,12 +2493,14 @@ private module Stage4 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+    Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config))
+      pragma[only_bind_into](config)) and
+    ccc.matchesCall(call)
  }

  /**
@@ -2603,9 +2625,8 @@ private module Stage4 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2620,9 +2641,8 @@ private module Stage4 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      ccOut = getCallContextReturn(inner, call, innercc) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2632,10 +2652,8 @@ private module Stage4 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      ccc.matchesCall(call)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2691,6 +2709,11 @@ private module Stage4 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

+  pragma[nomagic]
+  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
+    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
+  }
+
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2767,7 +2790,7 @@ private module Stage4 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    if returnNodeMayFlowThrough(node, ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2802,9 +2825,8 @@ private module Stage4 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2814,9 +2836,8 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

@@ -2826,9 +2847,8 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
-    |
-      ap instanceof ApNil or allowsFieldFlow = true
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
+      if allowsFieldFlow = false then ap instanceof ApNil else any()
    )
  }

--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll
@@ -9,6 +9,19 @@ private import tainttracking1.TaintTrackingParameter::Private
 private import tainttracking1.TaintTrackingParameter::Public

 module Consistency {
+  private newtype TConsistencyConfiguration = MkConsistencyConfiguration()
+
+  /** A class for configuring the consistency queries. */
+  class ConsistencyConfiguration extends TConsistencyConfiguration {
+    string toString() { none() }
+
+    /** Holds if `n` should be excluded from the consistency test `postWithInFlow`. */
+    predicate postWithInFlowExclude(Node n) { none() }
+
+    /** Holds if `n` should be excluded from the consistency test `argHasPostUpdate`. */
+    predicate argHasPostUpdateExclude(ArgumentNode n) { none() }
+  }
+
  private class RelevantNode extends Node {
    RelevantNode() {
      this instanceof ArgumentNode or
@@ -164,7 +177,7 @@ module Consistency {

  query predicate argHasPostUpdate(ArgumentNode n, string msg) {
    not hasPost(n) and
-    not isImmutableOrUnobservable(n) and
+    not any(ConsistencyConfiguration c).argHasPostUpdateExclude(n) and
    msg = "ArgumentNode is missing PostUpdateNode."
  }

@@ -177,6 +190,7 @@ module Consistency {
    isPostUpdateNode(n) and
    not clearsContent(n, _) and
    simpleLocalFlowStep(_, n) and
+    not any(ConsistencyConfiguration c).postWithInFlowExclude(n) and
    msg = "PostUpdateNode should not be the target of local flow."
  }
 }
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
@@ -1947,15 +1947,6 @@ class Unit extends TUnit {
  string toString() { result = "unit" }
 }

-/**
- * Holds if `n` does not require a `PostUpdateNode` as it either cannot be
- * modified or its modification cannot be observed, for example if it is a
- * freshly created object that is not saved in a variable.
- *
- * This predicate is only used for consistency checks.
- */
-predicate isImmutableOrUnobservable(Node n) { none() }
-
 class LambdaCallKind = Unit;

 /** Holds if `creation` is an expression that creates a delegate for `c`. */
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll
@@ -127,6 +127,38 @@ module Public {
    SummaryComponentStack return(ReturnKind rk) { result = singleton(SummaryComponent::return(rk)) }
  }

+  private predicate noComponentSpecificCsv(SummaryComponent sc) {
+    not exists(getComponentSpecificCsv(sc))
+  }
+
+  /** Gets a textual representation of this component used for flow summaries. */
+  private string getComponentCsv(SummaryComponent sc) {
+    result = getComponentSpecificCsv(sc)
+    or
+    noComponentSpecificCsv(sc) and
+    (
+      exists(int i | sc = TParameterSummaryComponent(i) and result = "Parameter[" + i + "]")
+      or
+      exists(int i | sc = TArgumentSummaryComponent(i) and result = "Argument[" + i + "]")
+      or
+      sc = TReturnSummaryComponent(getReturnValueKind()) and result = "ReturnValue"
+    )
+  }
+
+  /** Gets a textual representation of this stack used for flow summaries. */
+  string getComponentStackCsv(SummaryComponentStack stack) {
+    exists(SummaryComponent head, SummaryComponentStack tail |
+      head = stack.head() and
+      tail = stack.tail() and
+      result = getComponentCsv(head) + " of " + getComponentStackCsv(tail)
+    )
+    or
+    exists(SummaryComponent c |
+      stack = TSingletonSummaryComponentStack(c) and
+      result = getComponentCsv(c)
+    )
+  }
+
  /**
   * A class that exists for QL technical reasons only (the IPA type used
   * to represent component stacks needs to be bounded).
@@ -970,18 +1002,38 @@ module Private {
  module TestOutput {
    /** A flow summary to include in the `summary/3` query predicate. */
    abstract class RelevantSummarizedCallable extends SummarizedCallable {
-      /** Gets the string representation of this callable used by `summary/3`. */
-      string getFullString() { result = this.toString() }
+      /** Gets the string representation of this callable used by `summary/1`. */
+      abstract string getCallableCsv();
+
+      /** Holds if flow is progated between `input` and `output` */
+      predicate relevantSummary(
+        SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue
+      ) {
+        this.propagatesFlow(input, output, preservesValue)
+      }
    }

-    /** A query predicate for outputting flow summaries in QL tests. */
-    query predicate summary(string callable, string flow, boolean preservesValue) {
+    /** Render the kind in the format used in flow summaries. */
+    private string renderKind(boolean preservesValue) {
+      preservesValue = true and result = "value"
+      or
+      preservesValue = false and result = "taint"
+    }
+
+    /**
+     * A query predicate for outputting flow summaries in semi-colon separated format in QL tests.
+     * The syntax is: "namespace;type;overrides;name;signature;ext;inputspec;outputspec;kind",
+     * ext is hardcoded to empty.
+     */
+    query predicate summary(string csv) {
      exists(
-        RelevantSummarizedCallable c, SummaryComponentStack input, SummaryComponentStack output
+        RelevantSummarizedCallable c, SummaryComponentStack input, SummaryComponentStack output,
+        boolean preservesValue
      |
-        callable = c.getFullString() and
-        c.propagatesFlow(input, output, preservesValue) and
-        flow = input + " -> " + output
+        c.relevantSummary(input, output, preservesValue) and
+        csv =
+          c.getCallableCsv() + ";;" + getComponentStackCsv(input) + ";" +
+            getComponentStackCsv(output) + ";" + renderKind(preservesValue)
      )
    }
  }
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImplSpecific.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImplSpecific.qll
@@ -138,6 +138,26 @@ SummaryComponent interpretComponentSpecific(string c) {
  )
 }

+/** Gets the textual representation of the content in the format used for flow summaries. */
+private string getContentSpecificCsv(Content c) {
+  c = TElementContent() and result = "Element"
+  or
+  exists(Field f | c = TFieldContent(f) and result = "Field[" + f.getQualifiedName() + "]")
+  or
+  exists(Property p | c = TPropertyContent(p) and result = "Property[" + p.getQualifiedName() + "]")
+}
+
+/** Gets the textual representation of a summary component in the format used for flow summaries. */
+string getComponentSpecificCsv(SummaryComponent sc) {
+  exists(Content c | sc = TContentSummaryComponent(c) and result = getContentSpecificCsv(c))
+  or
+  exists(ReturnKind rk |
+    sc = TReturnSummaryComponent(rk) and
+    result = "ReturnValue[" + rk + "]" and
+    not rk instanceof NormalReturnKind
+  )
+}
+
 class SourceOrSinkElement = Element;

 /** Gets the return kind corresponding to specification `"ReturnValue"`. */
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll
@@ -171,7 +171,8 @@ private module SourceVariableImpl {
      def.getTarget() = lv and
      lv.isRef() and
      lv = v.getAssignable() and
-      bb.getNode(i) = def.getAControlFlowNode()
+      bb.getNode(i) = def.getAControlFlowNode() and
+      not def.getAssignment() instanceof LocalVariableDeclAndInitExpr
    )
  }

--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll
@@ -634,3 +634,29 @@ class UncertainWriteDefinition extends WriteDefinition {
    )
  }
 }
+
+/** Provides a set of consistency queries. */
+module Consistency {
+  abstract class RelevantDefinition extends Definition {
+    abstract predicate hasLocationInfo(
+      string filepath, int startline, int startcolumn, int endline, int endcolumn
+    );
+  }
+
+  query predicate nonUniqueDef(RelevantDefinition def, SourceVariable v, BasicBlock bb, int i) {
+    ssaDefReachesRead(v, def, bb, i) and
+    not exists(unique(Definition def0 | ssaDefReachesRead(v, def0, bb, i)))
+  }
+
+  query predicate readWithoutDef(SourceVariable v, BasicBlock bb, int i) {
+    variableRead(bb, i, v, _) and
+    not ssaDefReachesRead(v, _, bb, i)
+  }
+
+  query predicate deadDef(RelevantDefinition def, SourceVariable v) {
+    v = def.getSourceVariable() and
+    not ssaDefReachesRead(_, def, _, _) and
+    not phiHasInputFromBlock(_, def, _) and
+    not uncertainWriteDefinitionInput(_, def)
+  }
+}
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImplSpecific.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImplSpecific.qll
@@ -3,6 +3,7 @@
 private import csharp
 private import AssignableDefinitions
 private import SsaImpl as SsaImpl
+private import semmle.code.csharp.dataflow.SSA

 class BasicBlock = ControlFlow::BasicBlock;

@@ -12,7 +13,7 @@ BasicBlock getABasicBlockSuccessor(BasicBlock bb) { result = bb.getASuccessor()

 class ExitBasicBlock = ControlFlow::BasicBlocks::ExitBlock;

-class SourceVariable = SsaImpl::TSourceVariable;
+class SourceVariable = Ssa::SourceVariable;

 predicate variableWrite = SsaImpl::variableWrite/4;

--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/basessa/SsaImplCommon.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/basessa/SsaImplCommon.qll
@@ -634,3 +634,29 @@ class UncertainWriteDefinition extends WriteDefinition {
    )
  }
 }
+
+/** Provides a set of consistency queries. */
+module Consistency {
+  abstract class RelevantDefinition extends Definition {
+    abstract predicate hasLocationInfo(
+      string filepath, int startline, int startcolumn, int endline, int endcolumn
+    );
+  }
+
+  query predicate nonUniqueDef(RelevantDefinition def, SourceVariable v, BasicBlock bb, int i) {
+    ssaDefReachesRead(v, def, bb, i) and
+    not exists(unique(Definition def0 | ssaDefReachesRead(v, def0, bb, i)))
+  }
+
+  query predicate readWithoutDef(SourceVariable v, BasicBlock bb, int i) {
+    variableRead(bb, i, v, _) and
+    not ssaDefReachesRead(v, _, bb, i)
+  }
+
+  query predicate deadDef(RelevantDefinition def, SourceVariable v) {
+    v = def.getSourceVariable() and
+    not ssaDefReachesRead(_, def, _, _) and
+    not phiHasInputFromBlock(_, def, _) and
+    not uncertainWriteDefinitionInput(_, def)
+  }
+}
--- a/csharp/ql/lib/semmle/code/csharp/frameworks/JsonNET.qll
+++ b/csharp/ql/lib/semmle/code/csharp/frameworks/JsonNET.qll
@@ -153,14 +153,14 @@ module JsonNET {
      // Serialize
      c = this.getSerializeMethod() and
      preservesValue = false and
-      source = any(CallableFlowSourceArg arg | arg.getArgumentIndex() = 0) and
-      sink = any(CallableFlowSinkArg arg | arg.getArgumentIndex() = 1)
+      source = any(CallableFlowSourceArg arg | arg.getArgumentIndex() = 1) and
+      sink = any(CallableFlowSinkArg arg | arg.getArgumentIndex() = 0)
      or
      // Deserialize
      c = this.getDeserializeMethod() and
      preservesValue = false and
      source = any(CallableFlowSourceArg arg | arg.getArgumentIndex() = 0) and
-      sink = any(CallableFlowSinkArg arg | arg.getArgumentIndex() = 1)
+      sink instanceof CallableFlowSinkReturn
    }
  }

--- a/csharp/ql/lib/semmle/code/dotnet/Element.qll
+++ b/csharp/ql/lib/semmle/code/dotnet/Element.qll
@@ -14,6 +14,7 @@ class Element extends @dotnet_element {
  string toString() { none() }

  /** Gets the location of this element. */
+  pragma[nomagic]
  Location getLocation() { none() }

  /**
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`Security/CWE/CWE-295/SSLResultConflation.ql`
				`@@ -0,0 +1 @@`
				`Security/CWE/CWE-295/SSLResultNotChecked.ql`