Actions: Add workflow to publish packages

Ruby: Fix `basicStoreStep`

.codeqlmanifest.json

@@ -1,8 +1,11 @@
-{ "provide": [ "*/ql/src/qlpack.yml",
+{ "provide": [ "ruby/.codeqlmanifest.json",
+                "*/ql/src/qlpack.yml",
                "*/ql/lib/qlpack.yml",
                "*/ql/test/qlpack.yml",
                "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml",
                "*/ql/examples/qlpack.yml",
                "*/upgrades/qlpack.yml",
+               "javascript/ql/experimental/adaptivethreatmodeling/lib/qlpack.yml",
+               "javascript/ql/experimental/adaptivethreatmodeling/src/qlpack.yml",
                "misc/legacy-support/*/qlpack.yml",
                "misc/suite-helpers/qlpack.yml" ] }

.devcontainer/devcontainer.json

@@ -1,9 +1,14 @@
 {
   "extensions": [
+    "rust-lang.rust",
+    "bungcip.better-toml",
     "github.vscode-codeql",
     "slevesque.vscode-zipexplorer"
   ],
   "settings": {
+    "files.watcherExclude": {
+      "**/target/**": true
+    },
     "codeQL.runningQueries.memory": 2048
   }
 }

.github/actions/fetch-codeql/action.yml

@@ -0,0 +1,29 @@
+name: Fetch CodeQL
+description: Fetches the latest version of CodeQL
+inputs:
+  use-bundle:
+    description: Set to `true` to download the CodeQL CLI bundle that also includes compiled queries.
+    default: 'false'
+    required: false
+
+runs:
+  using: composite
+  steps:
+    - name: Fetch CodeQL
+      shell: bash
+      run: |
+        LATEST=$(gh release list --repo $REPO | cut -f 3 | grep -v beta | sort --version-sort | tail -1)
+        gh release download --repo $REPO --pattern "$PATTERN" "$LATEST"
+
+        if [ "$USE_BUNDLE" == 'true' ]; then
+          tar -xzf "$PATTERN" -C "${RUNNER_TEMP}"
+        else
+          unzip -q -d "${RUNNER_TEMP}" "$PATTERN"
+        fi
+        echo "${RUNNER_TEMP}/codeql" >> "${GITHUB_PATH}"
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+        USE_BUNDLE: '${{ inputs.use-bundle == ''true'' }}'
+        REPO: '${{ inputs.use-bundle == ''true'' && ''https://github.com/dsp-testing/codeql-cli-nightlies'' || ''https://github.com/github/codeql-cli-binaries''}}'
+        # REPO: '${{ inputs.use-bundle == ''true'' && ''https://github.com/github/codeql-action'' || ''https://github.com/github/codeql-cli-binaries''}}'
+        PATTERN: '${{ inputs.use-bundle == ''true'' && ''codeql-bundle-linux64.tar.gz'' || ''codeql-linux64.zip''}}'

.github/dependabot.yml

@@ -0,0 +1,18 @@
+version: 2
+updates:
+  - package-ecosystem: "cargo"
+    directory: "ruby/node-types"
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "cargo"
+    directory: "ruby/generator"
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "cargo"
+    directory: "ruby/extractor"
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "cargo"
+    directory: "ruby/autobuilder"
+    schedule:
+      interval: "daily"

.github/labeler.yml

@@ -18,6 +18,10 @@ Python:
   - python/**/*
   - change-notes/**/*python*
 
+Ruby:
+  - ruby/**/*
+  - change-notes/**/*ruby*
+
 documentation:
   - "**/*.qhelp"
   - "**/*.md"

.github/workflows/pack-publisher.yml

@@ -0,0 +1,88 @@
+# Publishes the core libraries to the CodeQL package registry.
+name: Publish CodeQL core libraries
+on:
+  pull_request:
+    paths:
+      - '.github/workflows/pack-publisher.yml' # for testing changes to this workflow
+
+  workflow_dispatch:
+    # the cli to use, or blank to build it again
+    # the pre-built packs, or blank to build again
+    inputs:
+      packages-build-number:
+        description: |
+          A CodeQL CLI workflow run number to download the packages artifacts from.
+          Leave blank to build packages from this repository.
+        default: ''
+        required: false
+
+permissions:
+  contents: write
+
+jobs:
+  codeql-package-publish:
+    name: CodeQL Package - Publish
+    runs-on: ubuntu-20.04
+    env:
+      GITHUB_TOKEN: ${{ github.token }}
+
+    steps:
+      - name: Dump environment
+        run: env
+      - name: Dump GitHub event context
+        env:
+          GITHUB_CONTEXT: '${{ toJson(github.event) }}'
+        run: echo "$GITHUB_CONTEXT"
+
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      # TODO add a way to specify different versions of the CLI
+      - name: Download CLI
+        uses: ./.github/actions/fetch-codeql
+        with:
+          use-bundle: 'true'
+
+      - name: Publish packs
+        run: |
+          # do not publish go or suite-helpers
+          # `ls` all directories in the bundle remove suite-helpers and go
+          PACK_FOLDERS_TO_PUBLISH="$(ls -d $RUNNER_TEMP/codeql/qlpacks/codeql/*/* | grep -v suite | grep -v "\-go")"
+          ARCHIVES="$RUNNER_TEMP/archives"
+
+          mkdir -p "$ARCHIVES"
+
+          echo "Running on: $PACK_FOLDERS_TO_PUBLISH"
+
+          # tgz each folder
+          # then run pack publish on it
+          for folder in $PACK_FOLDERS_TO_PUBLISH
+          do
+            echo "Archiving $folder for publishing"
+            tar cfz "$ARCHIVES/archive.tgz" -C "$folder" .
+            echo "Publishing $ARCHIVES/archive.tgz"
+            echo "Would have run: 'codeql pack publish --file "$ARCHIVES/archive.tgz"'"
+          done
+
+      - name: Bump versions
+        run: |
+          echo "Would have run 'codeql pack release'"
+
+      - name: Update git config
+        run: |
+          git config --global user.email "github-actions@github.com"
+          git config --global user.name "github-actions[bot]"
+
+      - name: Create PR
+        run: |
+          set -exu
+          git add .
+          git commit -m "Post-release preparation"
+          NEW_BRANCH="post-release-prep-$(git show -s --format=%h)"
+          git checkout -b $NEW_BRANCH
+          git push origin "$NEW_BRANCH"
+          gh pr create \
+            --head "$NEW_BRANCH" \
+            --base "$GITHUB_BASE_REF" \
+            --fill \
+            --draft

.github/workflows/post-pr-comment.yml

@@ -0,0 +1,31 @@
+name: Post pull-request comment
+on:
+  workflow_run:
+    workflows: ["Query help preview"]
+    types:
+      - completed
+
+permissions:
+  pull-requests: write
+
+jobs:
+  post_comment:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download artifact
+        run: gh run download "${WORKFLOW_RUN_ID}" --repo "${GITHUB_REPOSITORY}" --name "comment"
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          WORKFLOW_RUN_ID: ${{ github.event.workflow_run.id }}
+      - run: |
+          PR="$(grep -o '^[0-9]\+$' pr.txt)"
+          PR_HEAD_SHA="$(gh api "/repos/${GITHUB_REPOSITORY}/pulls/${PR}" --jq .head.sha)"
+          # Check that the pull-request head SHA matches the head SHA of the workflow run
+          if [ "${WORKFLOW_RUN_HEAD_SHA}" != "${PR_HEAD_SHA}" ]; then
+            echo "PR head SHA ${PR_HEAD_SHA} does not match workflow_run event SHA ${WORKFLOW_RUN_HEAD_SHA}. Stopping." 1>&2
+            exit 1
+          fi
+          gh pr comment "${PR}" --repo "${GITHUB_REPOSITORY}" -F comment.txt
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          WORKFLOW_RUN_HEAD_SHA: ${{ github.event.workflow_run.head_commit.id }}

.github/workflows/qhelp-pr-preview.yml

@@ -0,0 +1,63 @@
+name: Query help preview
+
+permissions:
+  contents: read
+
+on:
+  pull_request:
+    branches:
+      - main
+      - "rc/*"
+    paths:
+      - "ruby/**/*.qhelp"
+
+jobs:
+  qhelp:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "${{  github.event.number }}" > pr.txt
+      - uses: actions/upload-artifact@v2
+        with:
+          name: comment
+          path: pr.txt
+          retention-days: 1
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 2
+          persist-credentials: false
+      - uses: ./.github/actions/fetch-codeql
+      - name: Determine changed files
+        id: changes
+        run: |
+          (git diff -z --name-only --diff-filter=ACMRT HEAD~1 HEAD | grep -z '.qhelp$' | grep -z -v '.inc.qhelp';
+           git diff -z --name-only --diff-filter=ACMRT HEAD~1 HEAD | grep -z '.inc.qhelp$' | xargs --null -rn1 basename | xargs --null -rn1 git grep -z -l) |
+           grep -z '.qhelp$' | grep -z -v '^-' | sort -z -u > "${RUNNER_TEMP}/paths.txt"
+
+      - name: QHelp preview
+        run: |
+          EXIT_CODE=0
+          echo "QHelp previews:" > comment.txt
+          while read -r -d $'\0' path; do
+            if [ ! -f "${path}" ]; then
+               exit 1
+            fi
+            echo "<details> <summary>${path}</summary>"
+            echo
+            codeql generate query-help --format=markdown -- "./${path}" 2> errors.txt || EXIT_CODE="$?"
+            if [ -s errors.txt ]; then
+               echo "# errors/warnings:"
+               echo '```'
+               cat errors.txt
+               cat errors.txt 1>&2
+               echo '```'
+            fi
+            echo "</details>"
+          done < "${RUNNER_TEMP}/paths.txt" >> comment.txt
+          exit "${EXIT_CODE}"
+
+      - if: always()
+        uses: actions/upload-artifact@v2
+        with:
+          name: comment
+          path: comment.txt
+          retention-days: 1

.github/workflows/ruby-build.yml

@@ -0,0 +1,234 @@
+name: "Ruby: Build"
+
+on:
+  push:
+    paths:
+      - "ruby/**"
+      - .github/workflows/ruby-build.yml
+    branches:
+      - main
+      - "rc/*"
+  pull_request:
+    paths:
+      - "ruby/**"
+      - .github/workflows/ruby-build.yml
+    branches:
+      - main
+      - "rc/*"
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Version tag to create"
+        required: false
+
+env:
+  CARGO_TERM_COLOR: always
+
+defaults:
+  run:
+    working-directory: ruby
+
+jobs:
+  build:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+
+    runs-on: ${{ matrix.os }}
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: Install GNU tar
+        if: runner.os == 'macOS'
+        run: |
+          brew install gnu-tar
+          echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
+      - uses: actions/cache@v2
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            ruby/target
+          key: ${{ runner.os }}-rust-cargo-${{ hashFiles('**/Cargo.lock') }}
+      - name: Check formatting
+        run: cargo fmt --all -- --check
+      - name: Build
+        run: cargo build --verbose
+      - name: Run tests
+        run: cargo test --verbose
+      - name: Release build
+        run: cargo build --release
+      - name: Generate dbscheme
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        run: target/release/ruby-generator --dbscheme ql/lib/ruby.dbscheme --library ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
+      - uses: actions/upload-artifact@v2
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        with:
+          name: ruby.dbscheme
+          path: ruby/ql/lib/ruby.dbscheme
+      - uses: actions/upload-artifact@v2
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        with:
+          name: TreeSitter.qll
+          path: ruby/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
+      - uses: actions/upload-artifact@v2
+        with:
+          name: extractor-${{ matrix.os }}
+          path: |
+            ruby/target/release/ruby-autobuilder
+            ruby/target/release/ruby-autobuilder.exe
+            ruby/target/release/ruby-extractor
+            ruby/target/release/ruby-extractor.exe
+          retention-days: 1
+  compile-queries:
+    runs-on: ubuntu-latest
+    env:
+      CODEQL_THREADS: 4 # TODO: remove this once it's set by the CLI
+    steps:
+      - uses: actions/checkout@v2
+      - name: Fetch CodeQL
+        run: |
+          LATEST=$(gh release list --repo https://github.com/github/codeql-cli-binaries | cut -f 1 | grep -v beta | sort --version-sort | tail -1)
+          gh release download --repo https://github.com/github/codeql-cli-binaries --pattern codeql-linux64.zip "$LATEST"
+          unzip -q codeql-linux64.zip
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+      - name: Build Query Pack
+        run: |
+          codeql/codeql pack create ql/lib --output target/packs
+          codeql/codeql pack install ql/src
+          codeql/codeql pack create ql/src --output target/packs
+          PACK_FOLDER=$(readlink -f target/packs/codeql/ruby-queries/*)
+          codeql/codeql generate query-help --format=sarifv2.1.0 --output="${PACK_FOLDER}/rules.sarif" ql/src
+          (cd ql/src; find queries \( -name '*.qhelp' -o -name '*.rb' -o -name '*.erb' \) -exec bash -c 'mkdir -p "'"${PACK_FOLDER}"'/$(dirname "{}")"' \; -exec cp "{}" "${PACK_FOLDER}/{}" \;)
+      - name: Compile with previous CodeQL versions
+        run: |
+          for version in  $(gh release list --repo https://github.com/github/codeql-cli-binaries | cut -f 1 | sort --version-sort | tail -3 | head -2); do
+            rm -f codeql-linux64.zip
+            gh release download --repo https://github.com/github/codeql-cli-binaries --pattern codeql-linux64.zip "$version"
+            rm -rf codeql; unzip -q codeql-linux64.zip
+            codeql/codeql query compile target/packs/*
+          done
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+      - uses: actions/upload-artifact@v2
+        with:
+          name: codeql-ruby-queries
+          path: |
+            ruby/target/packs/*
+          retention-days: 1
+
+  package:
+    runs-on: ubuntu-latest
+    needs: [build, compile-queries]
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/download-artifact@v2
+        with:
+          name: ruby.dbscheme
+          path: ruby/ruby
+      - uses: actions/download-artifact@v2
+        with:
+          name: extractor-ubuntu-latest
+          path: ruby/linux64
+      - uses: actions/download-artifact@v2
+        with:
+          name: extractor-windows-latest
+          path: ruby/win64
+      - uses: actions/download-artifact@v2
+        with:
+          name: extractor-macos-latest
+          path: ruby/osx64
+      - run: |
+          mkdir -p ruby
+          cp -r codeql-extractor.yml tools ql/lib/ruby.dbscheme.stats ruby/
+          mkdir -p ruby/tools/{linux64,osx64,win64}
+          cp linux64/ruby-autobuilder ruby/tools/linux64/autobuilder
+          cp osx64/ruby-autobuilder ruby/tools/osx64/autobuilder
+          cp win64/ruby-autobuilder.exe ruby/tools/win64/autobuilder.exe
+          cp linux64/ruby-extractor ruby/tools/linux64/extractor
+          cp osx64/ruby-extractor ruby/tools/osx64/extractor
+          cp win64/ruby-extractor.exe ruby/tools/win64/extractor.exe
+          chmod +x ruby/tools/{linux64,osx64}/{autobuilder,extractor}
+          zip -rq codeql-ruby.zip ruby
+      - uses: actions/upload-artifact@v2
+        with:
+          name: codeql-ruby-pack
+          path: ruby/codeql-ruby.zip
+          retention-days: 1
+      - uses: actions/download-artifact@v2
+        with:
+          name: codeql-ruby-queries
+          path: ruby/qlpacks
+      - run: |
+          echo '{
+            "provide": [
+            "ruby/codeql-extractor.yml",
+            "qlpacks/*/*/*/qlpack.yml"
+            ]
+          }' > .codeqlmanifest.json
+          zip -rq codeql-ruby-bundle.zip .codeqlmanifest.json ruby qlpacks
+      - uses: actions/upload-artifact@v2
+        with:
+          name: codeql-ruby-bundle
+          path: ruby/codeql-ruby-bundle.zip
+          retention-days: 1
+
+  test:
+    defaults:
+      run:
+        working-directory: ${{ github.workspace }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+
+    runs-on: ${{ matrix.os }}
+    needs: [package]
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          repository: Shopify/example-ruby-app
+          ref: 67a0decc5eb550f3a9228eda53925c3afd40dfe9
+      - name: Fetch CodeQL
+        shell: bash
+        run: |
+          LATEST=$(gh release list --repo https://github.com/github/codeql-cli-binaries | cut -f 1 | grep -v beta | sort --version-sort | tail -1)
+          gh release download --repo https://github.com/github/codeql-cli-binaries --pattern codeql.zip "$LATEST"
+          unzip -q codeql.zip
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        working-directory: ${{ runner.temp }}
+      - name: Download Ruby bundle
+        uses: actions/download-artifact@v2
+        with:
+          name: codeql-ruby-bundle
+          path: ${{ runner.temp }}
+      - name: Unzip Ruby bundle
+        shell: bash
+        run: unzip -q -d "${{ runner.temp }}/ruby-bundle" "${{ runner.temp }}/codeql-ruby-bundle.zip"
+      - name: Prepare test files
+        shell: bash
+        run: |
+          echo "import ruby select count(File f)" > "test.ql"
+          echo "| 4 |" > "test.expected"
+          echo 'name: sample-tests
+          version: 0.0.0
+          dependencies:
+            codeql/ruby-all: 0.0.1
+          extractor: ruby
+          tests: .
+          ' > qlpack.yml
+      - name: Run QL test
+        shell: bash
+        run: |
+          "${{ runner.temp }}/codeql/codeql" test run --search-path "${{ runner.temp }}/ruby-bundle" --additional-packs "${{ runner.temp }}/ruby-bundle" .
+      - name: Create database
+        shell: bash
+        run: |
+          "${{ runner.temp }}/codeql/codeql" database create --search-path "${{ runner.temp }}/ruby-bundle" --language ruby --source-root . ../database
+      - name: Analyze database
+        shell: bash
+        run: |
+          "${{ runner.temp }}/codeql/codeql" database analyze --search-path "${{ runner.temp }}/ruby-bundle" --format=sarifv2.1.0 --output=out.sarif ../database ruby-code-scanning.qls

.github/workflows/ruby-dataset-measure.yml

@@ -0,0 +1,73 @@
+name: "Ruby: Collect database stats"
+
+on:
+  push:
+    branches:
+      - main
+      - "rc/*"
+    paths:
+      - ruby/ql/lib/ruby.dbscheme
+      - .github/workflows/ruby-dataset-measure.yml
+  pull_request:
+    branches:
+      - main
+      - "rc/*"
+    paths:
+      - ruby/ql/lib/ruby.dbscheme
+      - .github/workflows/ruby-dataset-measure.yml
+  workflow_dispatch:
+
+jobs:
+  measure:
+    env:
+      CODEQL_THREADS: 4 # TODO: remove this once it's set by the CLI
+    strategy:
+      fail-fast: false
+      matrix:
+        repo: [rails/rails, discourse/discourse, spree/spree]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - uses: ./.github/actions/fetch-codeql
+
+      - uses: ./ruby/actions/create-extractor-pack
+
+      - name: Checkout ${{ matrix.repo }}
+        uses: actions/checkout@v2
+        with:
+          repository: ${{ matrix.repo }}
+          path: ${{ github.workspace }}/repo
+      - name: Create database
+        run: |
+          codeql database create \
+            --search-path "${{ github.workspace }}/ruby" \
+            --threads 4 \
+            --language ruby --source-root "${{ github.workspace }}/repo" \
+            "${{ runner.temp }}/database"
+      - name: Measure database
+        run: |
+          mkdir -p "stats/${{ matrix.repo }}"
+          codeql dataset measure --threads 4 --output "stats/${{ matrix.repo }}/stats.xml" "${{ runner.temp }}/database/db-ruby"
+      - uses: actions/upload-artifact@v2
+        with:
+          name: measurements
+          path: stats
+          retention-days: 1
+
+  merge:
+    runs-on: ubuntu-latest
+    needs: measure
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/download-artifact@v2
+        with:
+          name: measurements
+          path: stats
+      - run: |
+          python -m pip install --user lxml
+          find stats -name 'stats.xml' | sort | xargs python ruby/scripts/merge_stats.py --output ruby/ql/lib/ruby.dbscheme.stats --normalise ruby_tokeninfo
+      - uses: actions/upload-artifact@v2
+        with:
+          name: ruby.dbscheme.stats
+          path: ruby/ql/lib/ruby.dbscheme.stats

.github/workflows/ruby-qltest.yml

@@ -0,0 +1,50 @@
+name: "Ruby: Run QL Tests"
+
+on:
+  push:
+    paths:
+      - "ruby/**"
+      - .github/workflows/ruby-qltest.yml
+    branches:
+      - main
+      - "rc/*"
+  pull_request:
+    paths:
+      - "ruby/**"
+      - .github/workflows/ruby-qltest.yml
+    branches:
+      - main
+      - "rc/*"
+
+env:
+  CARGO_TERM_COLOR: always
+
+defaults:
+  run:
+    working-directory: ruby
+
+jobs:
+  qltest:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: ./.github/actions/fetch-codeql
+      - uses: ./ruby/actions/create-extractor-pack
+      - name: Run QL tests
+        run: |
+          codeql test run --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --search-path "${{ github.workspace }}/ruby" --additional-packs "${{ github.workspace }}"  --consistency-queries ql/consistency-queries ql/test
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+      - name: Check QL formatting
+        run: find ql "(" -name "*.ql" -or -name "*.qll" ")" -print0 | xargs -0 codeql query format --check-only
+      - name: Check QL compilation
+        run: |
+          codeql query compile --check-only --threads=4 --warnings=error --search-path "${{ github.workspace }}/ruby" --additional-packs "${{ github.workspace }}" "ql/src" "ql/examples"
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+      - name: Check DB upgrade scripts
+        run: |
+          echo >empty.trap
+          codeql dataset import -S ql/lib/upgrades/initial/ruby.dbscheme testdb empty.trap
+          codeql dataset upgrade testdb --additional-packs ql/lib
+          diff -q testdb/ruby.dbscheme ql/lib/ruby.dbscheme

.github/workflows/sync-files.yml

@@ -0,0 +1,20 @@
+name: Check synchronized files
+
+on:
+  push:
+    branches:
+      - main
+      - 'rc/*'
+  pull_request:
+    branches:
+      - main
+      - 'rc/*'
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Check synchronized files
+        run: python config/sync-files.py
+

CODEOWNERS

@@ -3,6 +3,7 @@
 /java/ @github/codeql-java
 /javascript/ @github/codeql-javascript
 /python/ @github/codeql-python
+/ruby/ @github/codeql-ruby
 
 # Make @xcorail (GitHub Security Lab) a code owner for experimental queries so he gets pinged when we promote a query out of experimental
 /cpp/**/experimental/**/* @github/codeql-c-analysis @xcorail
@@ -10,6 +11,7 @@
 /java/**/experimental/**/* @github/codeql-java @xcorail
 /javascript/**/experimental/**/* @github/codeql-javascript @xcorail
 /python/**/experimental/**/* @github/codeql-python @xcorail
+/ruby/**/experimental/**/* @github/codeql-ruby @xcorail
 
 # Notify members of codeql-go about PRs to the shared data-flow library files
 /java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll @github/codeql-java @github/codeql-go
@@ -22,4 +24,4 @@
 /docs/codeql-cli/ @github/codeql-cli-reviewers
 /docs/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers
 /docs/ql-language-reference/ @github/codeql-frontend-reviewers
-/docs/query-*-style-guide.md @github/codeql-analysis-reviewers
+/docs/query-*-style-guide.md @github/codeql-analysis-reviewers

CONTRIBUTING.md

@@ -11,13 +11,14 @@ If you have an idea for a query that you would like to share with other CodeQL u
 
 1. **Directory structure**
 
-    There are five language-specific query directories in this repository:
+    There are six language-specific query directories in this repository:
 
       * C/C++: `cpp/ql/src`
       * C#: `csharp/ql/src`
       * Java: `java/ql/src`
       * JavaScript: `javascript/ql/src`
       * Python: `python/ql/src`
+      * Ruby: `ruby/ql/src`
 
     Each language-specific directory contains further subdirectories that group queries based on their `@tags` or purpose.
     - Experimental queries and libraries are stored in the `experimental` subdirectory within each language-specific directory in the [CodeQL repository](https://github.com/github/codeql). For example, experimental Java queries and libraries are stored in `java/ql/src/experimental` and any corresponding tests in `java/ql/test/experimental`.

config/identical-files.json

@@ -24,14 +24,17 @@
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll"
+    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll",
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl.qll",
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll"
   ],
   "DataFlow Java/C++/C#/Python Common": [
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll",
     "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll"
+    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll",
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplCommon.qll"
   ],
   "TaintTracking::Configuration Java/C++/C#/Python": [
     "cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
@@ -49,18 +52,21 @@
     "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking1/TaintTrackingImpl.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking2/TaintTrackingImpl.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll"
+    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll",
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
   ],
   "DataFlow Java/C++/C#/Python Consistency checks": [
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll",
     "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll"
+    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll",
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplConsistency.qll"
   ],
   "DataFlow Java/C# Flow Summaries": [
     "java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll"
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll",
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImpl.qll"
   ],
   "SsaReadPosition Java/C#": [
     "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
@@ -369,7 +375,8 @@
     "cpp/ql/test/TestUtilities/InlineExpectationsTest.qll",
     "csharp/ql/test/TestUtilities/InlineExpectationsTest.qll",
     "java/ql/test/TestUtilities/InlineExpectationsTest.qll",
-    "python/ql/test/TestUtilities/InlineExpectationsTest.qll"
+    "python/ql/test/TestUtilities/InlineExpectationsTest.qll",
+    "ruby/ql/test/TestUtilities/InlineExpectationsTest.qll"
   ],
   "C++ ExternalAPIs": [
     "cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll",
@@ -441,7 +448,9 @@
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll",
     "csharp/ql/lib/semmle/code/csharp/controlflow/internal/pressa/SsaImplCommon.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/basessa/SsaImplCommon.qll",
-    "csharp/ql/lib/semmle/code/cil/internal/SsaImplCommon.qll"
+    "csharp/ql/lib/semmle/code/cil/internal/SsaImplCommon.qll",
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/SsaImplCommon.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll"
   ],
   "CryptoAlgorithms Python/JS": [
     "javascript/ql/lib/semmle/javascript/security/CryptoAlgorithms.qll",
@@ -461,13 +470,23 @@
   ],
   "ReDoS Polynomial Python/JS": [
     "javascript/ql/lib/semmle/javascript/security/performance/SuperlinearBackTracking.qll",
-    "python/ql/lib/semmle/python/security/performance/SuperlinearBackTracking.qll"
+    "python/ql/lib/semmle/python/security/performance/SuperlinearBackTracking.qll",
+    "ruby/ql/lib/codeql/ruby/regexp/SuperlinearBackTracking.qll"
+  ],
+  "CFG": [
+    "csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImplShared.qll",
+    "ruby/ql/lib/codeql/ruby/controlflow/internal/ControlFlowGraphImplShared.qll"
+  ],
+  "TypeTracker": [
+    "python/ql/lib/semmle/python/dataflow/new/internal/TypeTracker.qll",
+    "ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll"
   ],
   "CodeQL Tutorial": [
     "cpp/ql/lib/tutorial.qll",
     "csharp/ql/lib/tutorial.qll",
     "java/ql/lib/tutorial.qll",
     "javascript/ql/lib/tutorial.qll",
-    "python/ql/lib/tutorial.qll"
+    "python/ql/lib/tutorial.qll",
+    "ruby/ql/lib/tutorial.qll"
   ]
-}
+}

cpp/change-notes/2021-11-01-isFromSystemMacroDefinition.md

@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The QL library `semmle.code.cpp.commons.Exclusions` now contains a predicate
+  `isFromSystemMacroDefinition` for identifying code that originates from a
+  macro outside the project being analyzed.

cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll

@@ -52,11 +52,8 @@ module PrivateCleartextWrite {
 
   class WriteSink extends Sink {
     WriteSink() {
-      exists(FileWrite f, BufferWrite b |
-        this.asExpr() = f.getASource()
-        or
-        this.asExpr() = b.getAChild()
-      )
+      this.asExpr() = any(FileWrite f).getASource() or
+      this.asExpr() = any(BufferWrite b).getAChild()
     }
   }
 }

cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateData.qll

@@ -13,26 +13,25 @@ import cpp
 
 /** A string for `match` that identifies strings that look like they represent private data. */
 private string privateNames() {
-  // Inspired by the list on https://cwe.mitre.org/data/definitions/359.html
-  // Government identifiers, such as Social Security Numbers
-  result = "%social%security%number%" or
-  // Contact information, such as home addresses and telephone numbers
-  result = "%postcode%" or
-  result = "%zipcode%" or
-  // result = "%telephone%" or
-  // Geographic location - where the user is (or was)
-  result = "%latitude%" or
-  result = "%longitude%" or
-  // Financial data - such as credit card numbers, salary, bank accounts, and debts
-  result = "%creditcard%" or
-  result = "%salary%" or
-  result = "%bankaccount%" or
-  // Communications - e-mail addresses, private e-mail messages, SMS text messages, chat logs, etc.
-  // result = "%email%" or
-  // result = "%mobile%" or
-  result = "%employer%" or
-  // Health - medical conditions, insurance status, prescription records
-  result = "%medical%"
+  result =
+    [
+      // Inspired by the list on https://cwe.mitre.org/data/definitions/359.html
+      // Government identifiers, such as Social Security Numbers
+      "%social%security%number%",
+      // Contact information, such as home addresses and telephone numbers
+      "%postcode%", "%zipcode%",
+      // result = "%telephone%" or
+      // Geographic location - where the user is (or was)
+      "%latitude%", "%longitude%",
+      // Financial data - such as credit card numbers, salary, bank accounts, and debts
+      "%creditcard%", "%salary%", "%bankaccount%",
+      // Communications - e-mail addresses, private e-mail messages, SMS text messages, chat logs, etc.
+      // result = "%email%" or
+      // result = "%mobile%" or
+      "%employer%",
+      // Health - medical conditions, insurance status, prescription records
+      "%medical%"
+    ]
 }
 
 /** An expression that might contain private data. */

cpp/ql/lib/external/ExternalArtifact.qll

@@ -15,7 +15,7 @@ class ExternalData extends @externalDataElement {
    * Gets the path of the file this data was loaded from, with its
    * extension replaced by `.ql`.
    */
-  string getQueryPath() { result = getDataPath().regexpReplaceAll("\\.[^.]*$", ".ql") }
+  string getQueryPath() { result = this.getDataPath().regexpReplaceAll("\\.[^.]*$", ".ql") }
 
   /** Gets the number of fields in this data item. */
   int getNumFields() { result = 1 + max(int i | externalData(this, _, i, _) | i) }
@@ -24,22 +24,22 @@ class ExternalData extends @externalDataElement {
   string getField(int i) { externalData(this, _, i, result) }
 
   /** Gets the integer value of the `i`th field of this data item. */
-  int getFieldAsInt(int i) { result = getField(i).toInt() }
+  int getFieldAsInt(int i) { result = this.getField(i).toInt() }
 
   /** Gets the floating-point value of the `i`th field of this data item. */
-  float getFieldAsFloat(int i) { result = getField(i).toFloat() }
+  float getFieldAsFloat(int i) { result = this.getField(i).toFloat() }
 
   /** Gets the value of the `i`th field of this data item, interpreted as a date. */
-  date getFieldAsDate(int i) { result = getField(i).toDate() }
+  date getFieldAsDate(int i) { result = this.getField(i).toDate() }
 
   /** Gets a textual representation of this data item. */
-  string toString() { result = getQueryPath() + ": " + buildTupleString(0) }
+  string toString() { result = this.getQueryPath() + ": " + this.buildTupleString(0) }
 
   /** Gets a textual representation of this data item, starting with the `n`th field. */
   private string buildTupleString(int n) {
-    n = getNumFields() - 1 and result = getField(n)
+    n = this.getNumFields() - 1 and result = this.getField(n)
     or
-    n < getNumFields() - 1 and result = getField(n) + "," + buildTupleString(n + 1)
+    n < this.getNumFields() - 1 and result = this.getField(n) + "," + this.buildTupleString(n + 1)
   }
 }
 
@@ -53,8 +53,8 @@ class DefectExternalData extends ExternalData {
   }
 
   /** Gets the URL associated with this data item. */
-  string getURL() { result = getField(0) }
+  string getURL() { result = this.getField(0) }
 
   /** Gets the message associated with this data item. */
-  string getMessage() { result = getField(1) }
+  string getMessage() { result = this.getField(1) }
 }

cpp/ql/lib/semmle/code/cpp/Class.qll

@@ -237,7 +237,7 @@ class Class extends UserType {
     exists(ClassDerivation cd | cd.getBaseClass() = base |
       result =
         this.accessOfBaseMemberMulti(cd.getDerivedClass(),
-          fieldInBase.accessInDirectDerived(cd.getASpecifier().(AccessSpecifier)))
+          fieldInBase.accessInDirectDerived(cd.getASpecifier()))
     )
   }
 
@@ -261,21 +261,20 @@ class Class extends UserType {
    * includes the case of `base` = `this`.
    */
   AccessSpecifier accessOfBaseMember(Declaration member) {
-    result =
-      this.accessOfBaseMember(member.getDeclaringType(), member.getASpecifier().(AccessSpecifier))
+    result = this.accessOfBaseMember(member.getDeclaringType(), member.getASpecifier())
   }
 
   /**
    * DEPRECATED: name changed to `hasImplicitCopyConstructor` to reflect that
    * `= default` members are no longer included.
    */
-  deprecated predicate hasGeneratedCopyConstructor() { hasImplicitCopyConstructor() }
+  deprecated predicate hasGeneratedCopyConstructor() { this.hasImplicitCopyConstructor() }
 
   /**
    * DEPRECATED: name changed to `hasImplicitCopyAssignmentOperator` to
    * reflect that `= default` members are no longer included.
    */
-  deprecated predicate hasGeneratedCopyAssignmentOperator() { hasImplicitCopyConstructor() }
+  deprecated predicate hasGeneratedCopyAssignmentOperator() { this.hasImplicitCopyConstructor() }
 
   /**
    * Holds if this class, struct or union has an implicitly-declared copy
@@ -319,7 +318,7 @@ class Class extends UserType {
     exists(Type t | t = this.getAFieldSubobjectType().getUnspecifiedType() |
       // Note: Overload resolution is not implemented -- all copy
       // constructors are considered equal.
-      this.cannotAccessCopyConstructorOnAny(t.(Class))
+      this.cannotAccessCopyConstructorOnAny(t)
     )
     or
     // - T has direct or virtual base class that cannot be copied (has deleted,
@@ -392,7 +391,7 @@ class Class extends UserType {
     exists(Type t | t = this.getAFieldSubobjectType().getUnspecifiedType() |
       // Note: Overload resolution is not implemented -- all copy assignment
       // operators are considered equal.
-      this.cannotAccessCopyAssignmentOperatorOnAny(t.(Class))
+      this.cannotAccessCopyAssignmentOperatorOnAny(t)
     )
     or
     exists(Class c | c = this.getADirectOrVirtualBase() |
@@ -487,7 +486,7 @@ class Class extends UserType {
     exists(ClassDerivation cd |
       // Add the offset of the direct base class and the offset of `baseClass`
       // within that direct base class.
-      cd = getADerivation() and
+      cd = this.getADerivation() and
       result = cd.getBaseClass().getANonVirtualBaseClassByteOffset(baseClass) + cd.getByteOffset()
     )
   }
@@ -502,12 +501,12 @@ class Class extends UserType {
    */
   int getABaseClassByteOffset(Class baseClass) {
     // Handle the non-virtual case.
-    result = getANonVirtualBaseClassByteOffset(baseClass)
+    result = this.getANonVirtualBaseClassByteOffset(baseClass)
     or
     exists(Class virtualBaseClass, int virtualBaseOffset, int offsetFromVirtualBase |
       // Look for the base class as a non-virtual base of a direct or indirect
       // virtual base, adding the two offsets.
-      getVirtualBaseClassByteOffset(virtualBaseClass) = virtualBaseOffset and
+      this.getVirtualBaseClassByteOffset(virtualBaseClass) = virtualBaseOffset and
       offsetFromVirtualBase = virtualBaseClass.getANonVirtualBaseClassByteOffset(baseClass) and
       result = virtualBaseOffset + offsetFromVirtualBase
     )
@@ -623,11 +622,11 @@ class Class extends UserType {
    * inherits one).
    */
   predicate isPolymorphic() {
-    exists(MemberFunction f | f.getDeclaringType() = getABaseClass*() and f.isVirtual())
+    exists(MemberFunction f | f.getDeclaringType() = this.getABaseClass*() and f.isVirtual())
   }
 
   override predicate involvesTemplateParameter() {
-    getATemplateArgument().(Type).involvesTemplateParameter()
+    this.getATemplateArgument().(Type).involvesTemplateParameter()
   }
 
   /** Holds if this class, struct or union was declared 'final'. */
@@ -765,7 +764,7 @@ class ClassDerivation extends Locatable, @derivation {
    * };
    * ```
    */
-  Class getBaseClass() { result = getBaseType().getUnderlyingType() }
+  Class getBaseClass() { result = this.getBaseType().getUnderlyingType() }
 
   override string getAPrimaryQlClass() { result = "ClassDerivation" }
 
@@ -818,7 +817,7 @@ class ClassDerivation extends Locatable, @derivation {
   predicate hasSpecifier(string s) { this.getASpecifier().hasName(s) }
 
   /** Holds if the derivation is for a virtual base class. */
-  predicate isVirtual() { hasSpecifier("virtual") }
+  predicate isVirtual() { this.hasSpecifier("virtual") }
 
   /** Gets the location of the derivation. */
   override Location getLocation() { derivations(underlyingElement(this), _, _, _, result) }
@@ -846,7 +845,7 @@ class ClassDerivation extends Locatable, @derivation {
  * ```
  */
 class LocalClass extends Class {
-  LocalClass() { isLocal() }
+  LocalClass() { this.isLocal() }
 
   override string getAPrimaryQlClass() { not this instanceof LocalStruct and result = "LocalClass" }
 
@@ -989,9 +988,9 @@ class ClassTemplateSpecialization extends Class {
   TemplateClass getPrimaryTemplate() {
     // Ignoring template arguments, the primary template has the same name
     // as each of its specializations.
-    result.getSimpleName() = getSimpleName() and
+    result.getSimpleName() = this.getSimpleName() and
     // It is in the same namespace as its specializations.
-    result.getNamespace() = getNamespace() and
+    result.getNamespace() = this.getNamespace() and
     // It is distinguished by the fact that each of its template arguments
     // is a distinct template parameter.
     count(TemplateParameter tp | tp = result.getATemplateArgument()) =
@@ -1108,7 +1107,7 @@ deprecated class Interface extends Class {
  * ```
  */
 class VirtualClassDerivation extends ClassDerivation {
-  VirtualClassDerivation() { hasSpecifier("virtual") }
+  VirtualClassDerivation() { this.hasSpecifier("virtual") }
 
   override string getAPrimaryQlClass() { result = "VirtualClassDerivation" }
 }
@@ -1136,7 +1135,7 @@ class VirtualBaseClass extends Class {
   VirtualClassDerivation getAVirtualDerivation() { result.getBaseClass() = this }
 
   /** A class/struct that is derived from this one using virtual inheritance. */
-  Class getAVirtuallyDerivedClass() { result = getAVirtualDerivation().getDerivedClass() }
+  Class getAVirtuallyDerivedClass() { result = this.getAVirtualDerivation().getDerivedClass() }
 }
 
 /**
@@ -1155,7 +1154,7 @@ class ProxyClass extends UserType {
   override string getAPrimaryQlClass() { result = "ProxyClass" }
 
   /** Gets the location of the proxy class. */
-  override Location getLocation() { result = getTemplateParameter().getDefinitionLocation() }
+  override Location getLocation() { result = this.getTemplateParameter().getDefinitionLocation() }
 
   /** Gets the template parameter for which this is the proxy class. */
   TemplateParameter getTemplateParameter() {

cpp/ql/lib/semmle/code/cpp/Declaration.qll

@@ -184,7 +184,7 @@ class Declaration extends Locatable, @declaration {
   predicate hasDefinition() { exists(this.getDefinition()) }
 
   /** DEPRECATED: Use `hasDefinition` instead. */
-  predicate isDefined() { hasDefinition() }
+  predicate isDefined() { this.hasDefinition() }
 
   /** Gets the preferred location of this declaration, if any. */
   override Location getLocation() { none() }
@@ -209,7 +209,7 @@ class Declaration extends Locatable, @declaration {
   predicate isStatic() { this.hasSpecifier("static") }
 
   /** Holds if this declaration is a member of a class/struct/union. */
-  predicate isMember() { hasDeclaringType() }
+  predicate isMember() { this.hasDeclaringType() }
 
   /** Holds if this declaration is a member of a class/struct/union. */
   predicate hasDeclaringType() { exists(this.getDeclaringType()) }
@@ -226,14 +226,14 @@ class Declaration extends Locatable, @declaration {
    * When called on a template, this will return a template parameter type for
    * both typed and non-typed parameters.
    */
-  final Locatable getATemplateArgument() { result = getTemplateArgument(_) }
+  final Locatable getATemplateArgument() { result = this.getTemplateArgument(_) }
 
   /**
    * Gets a template argument used to instantiate this declaration from a template.
    * When called on a template, this will return a non-typed template
    * parameter value.
    */
-  final Locatable getATemplateArgumentKind() { result = getTemplateArgumentKind(_) }
+  final Locatable getATemplateArgumentKind() { result = this.getTemplateArgumentKind(_) }
 
   /**
    * Gets the `i`th template argument used to instantiate this declaration from a
@@ -252,9 +252,9 @@ class Declaration extends Locatable, @declaration {
    * `getTemplateArgument(1)` return `1`.
    */
   final Locatable getTemplateArgument(int index) {
-    if exists(getTemplateArgumentValue(index))
-    then result = getTemplateArgumentValue(index)
-    else result = getTemplateArgumentType(index)
+    if exists(this.getTemplateArgumentValue(index))
+    then result = this.getTemplateArgumentValue(index)
+    else result = this.getTemplateArgumentType(index)
   }
 
   /**
@@ -275,13 +275,13 @@ class Declaration extends Locatable, @declaration {
    * `getTemplateArgumentKind(0)`.
    */
   final Locatable getTemplateArgumentKind(int index) {
-    exists(getTemplateArgumentValue(index)) and
-    result = getTemplateArgumentType(index)
+    exists(this.getTemplateArgumentValue(index)) and
+    result = this.getTemplateArgumentType(index)
   }
 
   /** Gets the number of template arguments for this declaration. */
   final int getNumberOfTemplateArguments() {
-    result = count(int i | exists(getTemplateArgument(i)))
+    result = count(int i | exists(this.getTemplateArgument(i)))
   }
 
   private Type getTemplateArgumentType(int index) {
@@ -327,9 +327,9 @@ class DeclarationEntry extends Locatable, TDeclarationEntry {
    * available), or the name declared by this entry otherwise.
    */
   string getCanonicalName() {
-    if getDeclaration().hasDefinition()
-    then result = getDeclaration().getDefinition().getName()
-    else result = getName()
+    if this.getDeclaration().hasDefinition()
+    then result = this.getDeclaration().getDefinition().getName()
+    else result = this.getName()
   }
 
   /**
@@ -370,18 +370,18 @@ class DeclarationEntry extends Locatable, TDeclarationEntry {
   /**
    * Holds if this declaration entry has a specifier with the given name.
    */
-  predicate hasSpecifier(string specifier) { getASpecifier() = specifier }
+  predicate hasSpecifier(string specifier) { this.getASpecifier() = specifier }
 
   /** Holds if this declaration entry is a definition. */
   predicate isDefinition() { none() } // overridden in subclasses
 
   override string toString() {
-    if isDefinition()
-    then result = "definition of " + getName()
+    if this.isDefinition()
+    then result = "definition of " + this.getName()
     else
-      if getName() = getCanonicalName()
-      then result = "declaration of " + getName()
-      else result = "declaration of " + getCanonicalName() + " as " + getName()
+      if this.getName() = this.getCanonicalName()
+      then result = "declaration of " + this.getName()
+      else result = "declaration of " + this.getCanonicalName() + " as " + this.getName()
   }
 }
 
@@ -490,8 +490,7 @@ class AccessHolder extends Declaration, TAccessHolder {
    */
   pragma[inline]
   predicate canAccessMember(Declaration member, Class derived) {
-    this.couldAccessMember(member.getDeclaringType(), member.getASpecifier().(AccessSpecifier),
-      derived)
+    this.couldAccessMember(member.getDeclaringType(), member.getASpecifier(), derived)
   }
 
   /**
@@ -580,7 +579,7 @@ private class DirectAccessHolder extends Element {
     // transitive closure with a restricted base case.
     this.thisCanAccessClassStep(base, derived)
     or
-    exists(Class between | thisCanAccessClassTrans(base, between) |
+    exists(Class between | this.thisCanAccessClassTrans(base, between) |
       isDirectPublicBaseOf(between, derived) or
       this.thisCanAccessClassStep(between, derived)
     )

cpp/ql/lib/semmle/code/cpp/Element.qll

@@ -61,7 +61,7 @@ class ElementBase extends @element {
   /**
    * Gets a comma-separated list of the names of the primary CodeQL classes to which this element belongs.
    */
-  final string getPrimaryQlClasses() { result = concat(getAPrimaryQlClass(), ",") }
+  final string getPrimaryQlClasses() { result = concat(this.getAPrimaryQlClass(), ",") }
 
   /**
    * Gets the name of a primary CodeQL class to which this element belongs.
@@ -206,9 +206,9 @@ class Element extends ElementBase {
   /** Gets the closest `Element` enclosing this one. */
   cached
   Element getEnclosingElement() {
-    result = getEnclosingElementPref()
+    result = this.getEnclosingElementPref()
     or
-    not exists(getEnclosingElementPref()) and
+    not exists(this.getEnclosingElementPref()) and
     (
       this = result.(Class).getAMember()
       or
@@ -281,7 +281,7 @@ private predicate isFromUninstantiatedTemplateRec(Element e, Element template) {
  * ```
  */
 class StaticAssert extends Locatable, @static_assert {
-  override string toString() { result = "static_assert(..., \"" + getMessage() + "\")" }
+  override string toString() { result = "static_assert(..., \"" + this.getMessage() + "\")" }
 
   /**
    * Gets the expression which this static assertion ensures is true.

cpp/ql/lib/semmle/code/cpp/Enum.qll

@@ -85,7 +85,7 @@ class Enum extends UserType, IntegralOrEnumType {
  * ```
  */
 class LocalEnum extends Enum {
-  LocalEnum() { isLocal() }
+  LocalEnum() { this.isLocal() }
 
   override string getAPrimaryQlClass() { result = "LocalEnum" }
 }

cpp/ql/lib/semmle/code/cpp/File.qll

@@ -52,7 +52,7 @@ class Container extends Locatable, @container {
    */
   string getRelativePath() {
     exists(string absPath, string pref |
-      absPath = getAbsolutePath() and sourceLocationPrefix(pref)
+      absPath = this.getAbsolutePath() and sourceLocationPrefix(pref)
     |
       absPath = pref and result = ""
       or
@@ -79,7 +79,7 @@ class Container extends Locatable, @container {
    * </table>
    */
   string getBaseName() {
-    result = getAbsolutePath().regexpCapture(".*/(([^/]*?)(?:\\.([^.]*))?)", 1)
+    result = this.getAbsolutePath().regexpCapture(".*/(([^/]*?)(?:\\.([^.]*))?)", 1)
   }
 
   /**
@@ -105,7 +105,9 @@ class Container extends Locatable, @container {
    * <tr><td>"/tmp/x.tar.gz"</td><td>"gz"</td></tr>
    * </table>
    */
-  string getExtension() { result = getAbsolutePath().regexpCapture(".*/([^/]*?)(\\.([^.]*))?", 3) }
+  string getExtension() {
+    result = this.getAbsolutePath().regexpCapture(".*/([^/]*?)(\\.([^.]*))?", 3)
+  }
 
   /**
    * Gets the stem of this container, that is, the prefix of its base name up to
@@ -124,7 +126,9 @@ class Container extends Locatable, @container {
    * <tr><td>"/tmp/x.tar.gz"</td><td>"x.tar"</td></tr>
    * </table>
    */
-  string getStem() { result = getAbsolutePath().regexpCapture(".*/([^/]*?)(?:\\.([^.]*))?", 1) }
+  string getStem() {
+    result = this.getAbsolutePath().regexpCapture(".*/([^/]*?)(?:\\.([^.]*))?", 1)
+  }
 
   /** Gets the parent container of this file or folder, if any. */
   Container getParentContainer() {
@@ -135,20 +139,20 @@ class Container extends Locatable, @container {
   Container getAChildContainer() { this = result.getParentContainer() }
 
   /** Gets a file in this container. */
-  File getAFile() { result = getAChildContainer() }
+  File getAFile() { result = this.getAChildContainer() }
 
   /** Gets the file in this container that has the given `baseName`, if any. */
   File getFile(string baseName) {
-    result = getAFile() and
+    result = this.getAFile() and
     result.getBaseName() = baseName
   }
 
   /** Gets a sub-folder in this container. */
-  Folder getAFolder() { result = getAChildContainer() }
+  Folder getAFolder() { result = this.getAChildContainer() }
 
   /** Gets the sub-folder in this container that has the given `baseName`, if any. */
   Folder getFolder(string baseName) {
-    result = getAFolder() and
+    result = this.getAFolder() and
     result.getBaseName() = baseName
   }
 
@@ -157,7 +161,7 @@ class Container extends Locatable, @container {
    *
    * This is the absolute path of the container.
    */
-  override string toString() { result = getAbsolutePath() }
+  override string toString() { result = this.getAbsolutePath() }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/Function.qll

@@ -43,26 +43,26 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
    */
   string getFullSignature() {
     exists(string name, string templateArgs, string args |
-      result = name + templateArgs + args + " -> " + getType().toString() and
-      name = getQualifiedName() and
+      result = name + templateArgs + args + " -> " + this.getType().toString() and
+      name = this.getQualifiedName() and
       (
-        if exists(getATemplateArgument())
+        if exists(this.getATemplateArgument())
         then
           templateArgs =
             "<" +
               concat(int i |
-                exists(getTemplateArgument(i))
+                exists(this.getTemplateArgument(i))
               |
-                getTemplateArgument(i).toString(), ", " order by i
+                this.getTemplateArgument(i).toString(), ", " order by i
               ) + ">"
         else templateArgs = ""
       ) and
       args =
         "(" +
           concat(int i |
-            exists(getParameter(i))
+            exists(this.getParameter(i))
           |
-            getParameter(i).getType().toString(), ", " order by i
+            this.getParameter(i).getType().toString(), ", " order by i
           ) + ")"
     )
   }
@@ -70,7 +70,7 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
   /** Gets a specifier of this function. */
   override Specifier getASpecifier() {
     funspecifiers(underlyingElement(this), unresolveElement(result)) or
-    result.hasName(getADeclarationEntry().getASpecifier())
+    result.hasName(this.getADeclarationEntry().getASpecifier())
   }
 
   /** Gets an attribute of this function. */
@@ -149,7 +149,7 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
    * Holds if this function is declared with `__attribute__((naked))` or
    * `__declspec(naked)`.
    */
-  predicate isNaked() { getAnAttribute().hasName("naked") }
+  predicate isNaked() { this.getAnAttribute().hasName("naked") }
 
   /**
    * Holds if this function has a trailing return type.
@@ -172,7 +172,7 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
    * Gets the return type of this function after specifiers have been deeply
    * stripped and typedefs have been resolved.
    */
-  Type getUnspecifiedType() { result = getType().getUnspecifiedType() }
+  Type getUnspecifiedType() { result = this.getType().getUnspecifiedType() }
 
   /**
    * Gets the nth parameter of this function. There is no result for the
@@ -206,7 +206,7 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
   int getEffectiveNumberOfParameters() {
     // This method is overridden in `MemberFunction`, where the result is
     // adjusted to account for the implicit `this` parameter.
-    result = getNumberOfParameters()
+    result = this.getNumberOfParameters()
   }
 
   /**
@@ -216,7 +216,7 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
    * return `int p1, int p2`.
    */
   string getParameterString() {
-    result = concat(int i | | min(getParameter(i).getTypedName()), ", " order by i)
+    result = concat(int i | | min(this.getParameter(i).getTypedName()), ", " order by i)
   }
 
   /** Gets a call to this function. */
@@ -229,7 +229,7 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
    */
   override FunctionDeclarationEntry getADeclarationEntry() {
     if fun_decls(_, underlyingElement(this), _, _, _)
-    then declEntry(result)
+    then this.declEntry(result)
     else
       exists(Function f |
         this.isConstructedFrom(f) and
@@ -250,7 +250,7 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
    * Gets the location of a `FunctionDeclarationEntry` corresponding to this
    * declaration.
    */
-  override Location getADeclarationLocation() { result = getADeclarationEntry().getLocation() }
+  override Location getADeclarationLocation() { result = this.getADeclarationEntry().getLocation() }
 
   /** Holds if this Function is a Template specialization. */
   predicate isSpecialization() {
@@ -265,14 +265,14 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
    * definition, if any.
    */
   override FunctionDeclarationEntry getDefinition() {
-    result = getADeclarationEntry() and
+    result = this.getADeclarationEntry() and
     result.isDefinition()
   }
 
   /** Gets the location of the definition, if any. */
   override Location getDefinitionLocation() {
-    if exists(getDefinition())
-    then result = getDefinition().getLocation()
+    if exists(this.getDefinition())
+    then result = this.getDefinition().getLocation()
     else exists(Function f | this.isConstructedFrom(f) and result = f.getDefinition().getLocation())
   }
 
@@ -281,7 +281,7 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
    * definition, if possible.)
    */
   override Location getLocation() {
-    if exists(getDefinition())
+    if exists(this.getDefinition())
     then result = this.getDefinitionLocation()
     else result = this.getADeclarationLocation()
   }
@@ -299,7 +299,7 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
   BlockStmt getBlock() { result.getParentScope() = this }
 
   /** Holds if this function has an entry point. */
-  predicate hasEntryPoint() { exists(getEntryPoint()) }
+  predicate hasEntryPoint() { exists(this.getEntryPoint()) }
 
   /**
    * Gets the first node in this function's control flow graph.
@@ -392,7 +392,7 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
    * Holds if this function has C linkage, as specified by one of its
    * declaration entries. For example: `extern "C" void foo();`.
    */
-  predicate hasCLinkage() { getADeclarationEntry().hasCLinkage() }
+  predicate hasCLinkage() { this.getADeclarationEntry().hasCLinkage() }
 
   /**
    * Holds if this function is constructed from `f` as a result
@@ -409,27 +409,27 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
    * several functions that are not linked together have been compiled. An
    * example would be a project with many 'main' functions.
    */
-  predicate isMultiplyDefined() { strictcount(getFile()) > 1 }
+  predicate isMultiplyDefined() { strictcount(this.getFile()) > 1 }
 
   /** Holds if this function is a varargs function. */
-  predicate isVarargs() { hasSpecifier("varargs") }
+  predicate isVarargs() { this.hasSpecifier("varargs") }
 
   /** Gets a type that is specified to be thrown by the function. */
-  Type getAThrownType() { result = getADeclarationEntry().getAThrownType() }
+  Type getAThrownType() { result = this.getADeclarationEntry().getAThrownType() }
 
   /**
    * Gets the `i`th type specified to be thrown by the function.
    */
-  Type getThrownType(int i) { result = getADeclarationEntry().getThrownType(i) }
+  Type getThrownType(int i) { result = this.getADeclarationEntry().getThrownType(i) }
 
   /** Holds if the function has an exception specification. */
-  predicate hasExceptionSpecification() { getADeclarationEntry().hasExceptionSpecification() }
+  predicate hasExceptionSpecification() { this.getADeclarationEntry().hasExceptionSpecification() }
 
   /** Holds if this function has a `throw()` exception specification. */
-  predicate isNoThrow() { getADeclarationEntry().isNoThrow() }
+  predicate isNoThrow() { this.getADeclarationEntry().isNoThrow() }
 
   /** Holds if this function has a `noexcept` exception specification. */
-  predicate isNoExcept() { getADeclarationEntry().isNoExcept() }
+  predicate isNoExcept() { this.getADeclarationEntry().isNoExcept() }
 
   /**
    * Gets a function that overloads this one.
@@ -539,7 +539,7 @@ private predicate candGetAnOverloadNonMember(string name, Namespace namespace, F
  */
 class FunctionDeclarationEntry extends DeclarationEntry, @fun_decl {
   /** Gets the function which is being declared or defined. */
-  override Function getDeclaration() { result = getFunction() }
+  override Function getDeclaration() { result = this.getFunction() }
 
   override string getAPrimaryQlClass() { result = "FunctionDeclarationEntry" }
 
@@ -586,7 +586,7 @@ class FunctionDeclarationEntry extends DeclarationEntry, @fun_decl {
    *   case, catch) plus the number of branching expressions (`?`, `&&`,
    *   `||`) plus one.
    */
-  int getCyclomaticComplexity() { result = 1 + cyclomaticComplexityBranches(getBlock()) }
+  int getCyclomaticComplexity() { result = 1 + cyclomaticComplexityBranches(this.getBlock()) }
 
   /**
    * If this is a function definition, get the block containing the
@@ -594,7 +594,7 @@ class FunctionDeclarationEntry extends DeclarationEntry, @fun_decl {
    */
   BlockStmt getBlock() {
     this.isDefinition() and
-    result = getFunction().getBlock() and
+    result = this.getFunction().getBlock() and
     result.getFile() = this.getFile()
   }
 
@@ -604,7 +604,7 @@ class FunctionDeclarationEntry extends DeclarationEntry, @fun_decl {
    */
   pragma[noopt]
   int getNumberOfLines() {
-    exists(BlockStmt b, Location l, int start, int end, int diff | b = getBlock() |
+    exists(BlockStmt b, Location l, int start, int end, int diff | b = this.getBlock() |
       l = b.getLocation() and
       start = l.getStartLine() and
       end = l.getEndLine() and
@@ -618,7 +618,7 @@ class FunctionDeclarationEntry extends DeclarationEntry, @fun_decl {
    * declaration.
    */
   ParameterDeclarationEntry getAParameterDeclarationEntry() {
-    result = getParameterDeclarationEntry(_)
+    result = this.getParameterDeclarationEntry(_)
   }
 
   /**
@@ -639,7 +639,8 @@ class FunctionDeclarationEntry extends DeclarationEntry, @fun_decl {
    * return 'int p1, int p2'.
    */
   string getParameterString() {
-    result = concat(int i | | min(getParameterDeclarationEntry(i).getTypedName()), ", " order by i)
+    result =
+      concat(int i | | min(this.getParameterDeclarationEntry(i).getTypedName()), ", " order by i)
   }
 
   /**
@@ -647,10 +648,10 @@ class FunctionDeclarationEntry extends DeclarationEntry, @fun_decl {
    *
    *    `extern "C" void foo();`
    */
-  predicate hasCLinkage() { getASpecifier() = "c_linkage" }
+  predicate hasCLinkage() { this.getASpecifier() = "c_linkage" }
 
   /** Holds if this declaration entry has a void parameter list. */
-  predicate hasVoidParamList() { getASpecifier() = "void_param_list" }
+  predicate hasVoidParamList() { this.getASpecifier() = "void_param_list" }
 
   /** Holds if this declaration is also a definition of its function. */
   override predicate isDefinition() { fun_def(underlyingElement(this)) }
@@ -665,7 +666,7 @@ class FunctionDeclarationEntry extends DeclarationEntry, @fun_decl {
   predicate isImplicit() { fun_implicit(underlyingElement(this)) }
 
   /** Gets a type that is specified to be thrown by the declared function. */
-  Type getAThrownType() { result = getThrownType(_) }
+  Type getAThrownType() { result = this.getThrownType(_) }
 
   /**
    * Gets the `i`th type specified to be thrown by the declared function
@@ -690,8 +691,8 @@ class FunctionDeclarationEntry extends DeclarationEntry, @fun_decl {
   predicate hasExceptionSpecification() {
     fun_decl_throws(underlyingElement(this), _, _) or
     fun_decl_noexcept(underlyingElement(this), _) or
-    isNoThrow() or
-    isNoExcept()
+    this.isNoThrow() or
+    this.isNoExcept()
   }
 
   /**
@@ -763,7 +764,7 @@ class Operator extends Function {
  */
 class TemplateFunction extends Function {
   TemplateFunction() {
-    is_function_template(underlyingElement(this)) and exists(getATemplateArgument())
+    is_function_template(underlyingElement(this)) and exists(this.getATemplateArgument())
   }
 
   override string getAPrimaryQlClass() { result = "TemplateFunction" }

cpp/ql/lib/semmle/code/cpp/Include.qll

@@ -23,7 +23,7 @@ class Include extends PreprocessorDirective, @ppd_include {
    * Gets the token which occurs after `#include`, for example `"filename"`
    * or `<filename>`.
    */
-  string getIncludeText() { result = getHead() }
+  string getIncludeText() { result = this.getHead() }
 
   /** Gets the file directly included by this `#include`. */
   File getIncludedFile() { includes(underlyingElement(this), unresolveElement(result)) }
@@ -53,7 +53,7 @@ class Include extends PreprocessorDirective, @ppd_include {
  * ```
  */
 class IncludeNext extends Include, @ppd_include_next {
-  override string toString() { result = "#include_next " + getIncludeText() }
+  override string toString() { result = "#include_next " + this.getIncludeText() }
 }
 
 /**
@@ -65,5 +65,5 @@ class IncludeNext extends Include, @ppd_include_next {
  * ```
  */
 class Import extends Include, @ppd_objc_import {
-  override string toString() { result = "#import " + getIncludeText() }
+  override string toString() { result = "#import " + this.getIncludeText() }
 }

cpp/ql/lib/semmle/code/cpp/Initializer.qll

@@ -34,8 +34,8 @@ class Initializer extends ControlFlowNode, @initialiser {
   override predicate fromSource() { not this.getLocation() instanceof UnknownLocation }
 
   override string toString() {
-    if exists(getDeclaration())
-    then result = "initializer for " + max(getDeclaration().getName())
+    if exists(this.getDeclaration())
+    then result = "initializer for " + max(this.getDeclaration().getName())
     else result = "initializer"
   }
 

cpp/ql/lib/semmle/code/cpp/Location.qll

@@ -79,8 +79,8 @@ class Location extends @location {
 
   /** Holds if location `l` is completely contained within this one. */
   predicate subsumes(Location l) {
-    exists(File f | f = getFile() |
-      exists(int thisStart, int thisEnd | charLoc(f, thisStart, thisEnd) |
+    exists(File f | f = this.getFile() |
+      exists(int thisStart, int thisEnd | this.charLoc(f, thisStart, thisEnd) |
         exists(int lStart, int lEnd | l.charLoc(f, lStart, lEnd) |
           thisStart <= lStart and lEnd <= thisEnd
         )
@@ -97,10 +97,10 @@ class Location extends @location {
    * see `subsumes`.
    */
   predicate charLoc(File f, int start, int end) {
-    f = getFile() and
+    f = this.getFile() and
     exists(int maxCols | maxCols = maxCols(f) |
-      start = getStartLine() * maxCols + getStartColumn() and
-      end = getEndLine() * maxCols + getEndColumn()
+      start = this.getStartLine() * maxCols + this.getStartColumn() and
+      end = this.getEndLine() * maxCols + this.getEndColumn()
     )
   }
 }
@@ -144,7 +144,7 @@ class Locatable extends Element { }
  * expressions, one for statements and one for other program elements.
  */
 class UnknownLocation extends Location {
-  UnknownLocation() { getFile().getAbsolutePath() = "" }
+  UnknownLocation() { this.getFile().getAbsolutePath() = "" }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/Macro.qll

@@ -44,10 +44,10 @@ class Macro extends PreprocessorDirective, @ppd_define {
    * Gets the name of the macro.  For example, `MAX` in
    * `#define MAX(x,y) (((x)>(y))?(x):(y))`.
    */
-  string getName() { result = getHead().splitAt("(", 0) }
+  string getName() { result = this.getHead().splitAt("(", 0) }
 
   /** Holds if the macro has name `name`. */
-  predicate hasName(string name) { getName() = name }
+  predicate hasName(string name) { this.getName() = name }
 }
 
 /**
@@ -130,7 +130,7 @@ class MacroAccess extends Locatable, @macroinvocation {
   override string toString() { result = this.getMacro().getHead() }
 
   /** Gets the name of the accessed macro. */
-  string getMacroName() { result = getMacro().getName() }
+  string getMacroName() { result = this.getMacro().getName() }
 }
 
 /**
@@ -197,8 +197,8 @@ class MacroInvocation extends MacroAccess {
    * expression. In other cases, it may have multiple results or no results.
    */
   Expr getExpr() {
-    result = getAnExpandedElement() and
-    not result.getParent() = getAnExpandedElement() and
+    result = this.getAnExpandedElement() and
+    not result.getParent() = this.getAnExpandedElement() and
     not result instanceof Conversion
   }
 
@@ -208,8 +208,8 @@ class MacroInvocation extends MacroAccess {
    * element is not a statement (for example if it is an expression).
    */
   Stmt getStmt() {
-    result = getAnExpandedElement() and
-    not result.getParent() = getAnExpandedElement()
+    result = this.getAnExpandedElement() and
+    not result.getParent() = this.getAnExpandedElement()
   }
 
   /**
@@ -278,7 +278,7 @@ deprecated class MacroInvocationExpr extends Expr {
   MacroInvocation getInvocation() { result.getExpr() = this }
 
   /** Gets the name of the invoked macro. */
-  string getMacroName() { result = getInvocation().getMacroName() }
+  string getMacroName() { result = this.getInvocation().getMacroName() }
 }
 
 /**
@@ -298,7 +298,7 @@ deprecated class MacroInvocationStmt extends Stmt {
   MacroInvocation getInvocation() { result.getStmt() = this }
 
   /** Gets the name of the invoked macro. */
-  string getMacroName() { result = getInvocation().getMacroName() }
+  string getMacroName() { result = this.getInvocation().getMacroName() }
 }
 
 /** Holds if `l` is the location of a macro. */

cpp/ql/lib/semmle/code/cpp/MemberFunction.qll

@@ -36,7 +36,9 @@ class MemberFunction extends Function {
    * `this` parameter.
    */
   override int getEffectiveNumberOfParameters() {
-    if isStatic() then result = getNumberOfParameters() else result = getNumberOfParameters() + 1
+    if this.isStatic()
+    then result = this.getNumberOfParameters()
+    else result = this.getNumberOfParameters() + 1
   }
 
   /** Holds if this member is private. */
@@ -49,13 +51,13 @@ class MemberFunction extends Function {
   predicate isPublic() { this.hasSpecifier("public") }
 
   /** Holds if this declaration has the lvalue ref-qualifier */
-  predicate isLValueRefQualified() { hasSpecifier("&") }
+  predicate isLValueRefQualified() { this.hasSpecifier("&") }
 
   /** Holds if this declaration has the rvalue ref-qualifier */
-  predicate isRValueRefQualified() { hasSpecifier("&&") }
+  predicate isRValueRefQualified() { this.hasSpecifier("&&") }
 
   /** Holds if this declaration has a ref-qualifier */
-  predicate isRefQualified() { isLValueRefQualified() or isRValueRefQualified() }
+  predicate isRefQualified() { this.isLValueRefQualified() or this.isRValueRefQualified() }
 
   /** Holds if this function overrides that function. */
   predicate overrides(MemberFunction that) {
@@ -73,10 +75,10 @@ class MemberFunction extends Function {
    * class body.
    */
   FunctionDeclarationEntry getClassBodyDeclarationEntry() {
-    if strictcount(getADeclarationEntry()) = 1
-    then result = getDefinition()
+    if strictcount(this.getADeclarationEntry()) = 1
+    then result = this.getDefinition()
     else (
-      result = getADeclarationEntry() and result != getDefinition()
+      result = this.getADeclarationEntry() and result != this.getDefinition()
     )
   }
 
@@ -198,7 +200,7 @@ class Constructor extends MemberFunction {
    * compiler-generated action which initializes a base class or member
    * variable.
    */
-  ConstructorInit getAnInitializer() { result = getInitializer(_) }
+  ConstructorInit getAnInitializer() { result = this.getInitializer(_) }
 
   /**
    * Gets an entry in the constructor's initializer list, or a
@@ -220,8 +222,8 @@ class ImplicitConversionFunction extends MemberFunction {
     functions(underlyingElement(this), _, 4)
     or
     // ConversionConstructor (deprecated)
-    strictcount(Parameter p | p = getAParameter() and not p.hasInitializer()) = 1 and
-    not hasSpecifier("explicit")
+    strictcount(Parameter p | p = this.getAParameter() and not p.hasInitializer()) = 1 and
+    not this.hasSpecifier("explicit")
   }
 
   /** Gets the type this `ImplicitConversionFunction` takes as input. */
@@ -248,8 +250,8 @@ class ImplicitConversionFunction extends MemberFunction {
  */
 deprecated class ConversionConstructor extends Constructor, ImplicitConversionFunction {
   ConversionConstructor() {
-    strictcount(Parameter p | p = getAParameter() and not p.hasInitializer()) = 1 and
-    not hasSpecifier("explicit")
+    strictcount(Parameter p | p = this.getAParameter() and not p.hasInitializer()) = 1 and
+    not this.hasSpecifier("explicit")
   }
 
   override string getAPrimaryQlClass() {
@@ -301,15 +303,15 @@ class CopyConstructor extends Constructor {
     hasCopySignature(this) and
     (
       // The rest of the parameters all have default values
-      forall(int i | i > 0 and exists(getParameter(i)) | getParameter(i).hasInitializer())
+      forall(int i | i > 0 and exists(this.getParameter(i)) | this.getParameter(i).hasInitializer())
       or
       // or this is a template class, in which case the default values have
       // not been extracted even if they exist. In that case, we assume that
       // there are default values present since that is the most common case
       // in real-world code.
-      getDeclaringType() instanceof TemplateClass
+      this.getDeclaringType() instanceof TemplateClass
     ) and
-    not exists(getATemplateArgument())
+    not exists(this.getATemplateArgument())
   }
 
   override string getAPrimaryQlClass() { result = "CopyConstructor" }
@@ -325,8 +327,8 @@ class CopyConstructor extends Constructor {
     // type-checked for each template instantiation; if an argument in an
     // instantiation fails to type-check then the corresponding parameter has
     // no default argument in the instantiation.
-    getDeclaringType() instanceof TemplateClass and
-    getNumberOfParameters() > 1
+    this.getDeclaringType() instanceof TemplateClass and
+    this.getNumberOfParameters() > 1
   }
 }
 
@@ -358,15 +360,15 @@ class MoveConstructor extends Constructor {
     hasMoveSignature(this) and
     (
       // The rest of the parameters all have default values
-      forall(int i | i > 0 and exists(getParameter(i)) | getParameter(i).hasInitializer())
+      forall(int i | i > 0 and exists(this.getParameter(i)) | this.getParameter(i).hasInitializer())
       or
       // or this is a template class, in which case the default values have
       // not been extracted even if they exist. In that case, we assume that
       // there are default values present since that is the most common case
       // in real-world code.
-      getDeclaringType() instanceof TemplateClass
+      this.getDeclaringType() instanceof TemplateClass
     ) and
-    not exists(getATemplateArgument())
+    not exists(this.getATemplateArgument())
   }
 
   override string getAPrimaryQlClass() { result = "MoveConstructor" }
@@ -382,8 +384,8 @@ class MoveConstructor extends Constructor {
     // type-checked for each template instantiation; if an argument in an
     // instantiation fails to type-check then the corresponding parameter has
     // no default argument in the instantiation.
-    getDeclaringType() instanceof TemplateClass and
-    getNumberOfParameters() > 1
+    this.getDeclaringType() instanceof TemplateClass and
+    this.getNumberOfParameters() > 1
   }
 }
 
@@ -426,7 +428,7 @@ class Destructor extends MemberFunction {
    * Gets a compiler-generated action which destructs a base class or member
    * variable.
    */
-  DestructorDestruction getADestruction() { result = getDestruction(_) }
+  DestructorDestruction getADestruction() { result = this.getDestruction(_) }
 
   /**
    * Gets a compiler-generated action which destructs a base class or member
@@ -475,16 +477,16 @@ class ConversionOperator extends MemberFunction, ImplicitConversionFunction {
  */
 class CopyAssignmentOperator extends Operator {
   CopyAssignmentOperator() {
-    hasName("operator=") and
+    this.hasName("operator=") and
     (
       hasCopySignature(this)
       or
       // Unlike CopyConstructor, this member allows a non-reference
       // parameter.
-      getParameter(0).getUnspecifiedType() = getDeclaringType()
+      this.getParameter(0).getUnspecifiedType() = this.getDeclaringType()
     ) and
     not exists(this.getParameter(1)) and
-    not exists(getATemplateArgument())
+    not exists(this.getATemplateArgument())
   }
 
   override string getAPrimaryQlClass() { result = "CopyAssignmentOperator" }
@@ -507,10 +509,10 @@ class CopyAssignmentOperator extends Operator {
  */
 class MoveAssignmentOperator extends Operator {
   MoveAssignmentOperator() {
-    hasName("operator=") and
+    this.hasName("operator=") and
     hasMoveSignature(this) and
     not exists(this.getParameter(1)) and
-    not exists(getATemplateArgument())
+    not exists(this.getATemplateArgument())
   }
 
   override string getAPrimaryQlClass() { result = "MoveAssignmentOperator" }

cpp/ql/lib/semmle/code/cpp/Namespace.qll

@@ -38,8 +38,8 @@ class Namespace extends NameQualifyingElement, @namespace {
    * unless the namespace has exactly one declaration entry.
    */
   override Location getLocation() {
-    if strictcount(getADeclarationEntry()) = 1
-    then result = getADeclarationEntry().getLocation()
+    if strictcount(this.getADeclarationEntry()) = 1
+    then result = this.getADeclarationEntry().getLocation()
     else result instanceof UnknownDefaultLocation
   }
 
@@ -50,7 +50,7 @@ class Namespace extends NameQualifyingElement, @namespace {
   predicate hasName(string name) { name = this.getName() }
 
   /** Holds if this namespace is anonymous. */
-  predicate isAnonymous() { hasName("(unnamed namespace)") }
+  predicate isAnonymous() { this.hasName("(unnamed namespace)") }
 
   /** Gets the name of the parent namespace, if it exists. */
   private string getParentName() {
@@ -60,9 +60,9 @@ class Namespace extends NameQualifyingElement, @namespace {
 
   /** Gets the qualified name of this namespace. For example: `a::b`. */
   string getQualifiedName() {
-    if exists(getParentName())
-    then result = getParentNamespace().getQualifiedName() + "::" + getName()
-    else result = getName()
+    if exists(this.getParentName())
+    then result = this.getParentNamespace().getQualifiedName() + "::" + this.getName()
+    else result = this.getName()
   }
 
   /** Gets the parent namespace, if any. */
@@ -99,7 +99,7 @@ class Namespace extends NameQualifyingElement, @namespace {
   /** Gets a version of the `QualifiedName` that is more suitable for display purposes. */
   string getFriendlyName() { result = this.getQualifiedName() }
 
-  final override string toString() { result = getFriendlyName() }
+  final override string toString() { result = this.getFriendlyName() }
 
   /** Gets a declaration of (part of) this namespace. */
   NamespaceDeclarationEntry getADeclarationEntry() { result.getNamespace() = this }

cpp/ql/lib/semmle/code/cpp/Parameter.qll

@@ -40,12 +40,12 @@ class Parameter extends LocalScopeVariable, @parameter {
    */
   override string getName() {
     exists(VariableDeclarationEntry vde |
-      vde = getANamedDeclarationEntry() and result = vde.getName()
+      vde = this.getANamedDeclarationEntry() and result = vde.getName()
     |
-      vde.isDefinition() or not getANamedDeclarationEntry().isDefinition()
+      vde.isDefinition() or not this.getANamedDeclarationEntry().isDefinition()
     )
     or
-    not exists(getANamedDeclarationEntry()) and
+    not exists(this.getANamedDeclarationEntry()) and
     result = "(unnamed parameter " + this.getIndex().toString() + ")"
   }
 
@@ -58,8 +58,12 @@ class Parameter extends LocalScopeVariable, @parameter {
    */
   string getTypedName() {
     exists(string typeString, string nameString |
-      (if exists(getType().getName()) then typeString = getType().getName() else typeString = "") and
-      (if exists(getName()) then nameString = getName() else nameString = "") and
+      (
+        if exists(this.getType().getName())
+        then typeString = this.getType().getName()
+        else typeString = ""
+      ) and
+      (if exists(this.getName()) then nameString = this.getName() else nameString = "") and
       (
         if typeString != "" and nameString != ""
         then result = typeString + " " + nameString
@@ -69,7 +73,7 @@ class Parameter extends LocalScopeVariable, @parameter {
   }
 
   private VariableDeclarationEntry getANamedDeclarationEntry() {
-    result = getAnEffectiveDeclarationEntry() and result.getName() != ""
+    result = this.getAnEffectiveDeclarationEntry() and result.getName() != ""
   }
 
   /**
@@ -82,13 +86,13 @@ class Parameter extends LocalScopeVariable, @parameter {
    * own).
    */
   private VariableDeclarationEntry getAnEffectiveDeclarationEntry() {
-    if getFunction().isConstructedFrom(_)
+    if this.getFunction().isConstructedFrom(_)
     then
       exists(Function prototypeInstantiation |
-        prototypeInstantiation.getParameter(getIndex()) = result.getVariable() and
-        getFunction().isConstructedFrom(prototypeInstantiation)
+        prototypeInstantiation.getParameter(this.getIndex()) = result.getVariable() and
+        this.getFunction().isConstructedFrom(prototypeInstantiation)
       )
-    else result = getADeclarationEntry()
+    else result = this.getADeclarationEntry()
   }
 
   /**
@@ -114,7 +118,7 @@ class Parameter extends LocalScopeVariable, @parameter {
    * `getName()` is not "(unnamed parameter i)" (where `i` is the index
    * of the parameter).
    */
-  predicate isNamed() { exists(getANamedDeclarationEntry()) }
+  predicate isNamed() { exists(this.getANamedDeclarationEntry()) }
 
   /**
    * Gets the function to which this parameter belongs, if it is a function
@@ -157,9 +161,9 @@ class Parameter extends LocalScopeVariable, @parameter {
    */
   override Location getLocation() {
     exists(VariableDeclarationEntry vde |
-      vde = getAnEffectiveDeclarationEntry() and result = vde.getLocation()
+      vde = this.getAnEffectiveDeclarationEntry() and result = vde.getLocation()
     |
-      vde.isDefinition() or not getAnEffectiveDeclarationEntry().isDefinition()
+      vde.isDefinition() or not this.getAnEffectiveDeclarationEntry().isDefinition()
     )
   }
 }

cpp/ql/lib/semmle/code/cpp/Preprocessor.qll

@@ -29,8 +29,8 @@ class PreprocessorDirective extends Locatable, @preprocdirect {
   PreprocessorBranch getAGuard() {
     exists(PreprocessorEndif e, int line |
       result.getEndIf() = e and
-      e.getFile() = getFile() and
-      result.getFile() = getFile() and
+      e.getFile() = this.getFile() and
+      result.getFile() = this.getFile() and
       line = this.getLocation().getStartLine() and
       result.getLocation().getStartLine() < line and
       line < e.getLocation().getEndLine()
@@ -69,7 +69,9 @@ class PreprocessorBranchDirective extends PreprocessorDirective, TPreprocessorBr
    * directives in different translation units, then there can be more than
    * one result.
    */
-  PreprocessorEndif getEndIf() { preprocpair(unresolveElement(getIf()), unresolveElement(result)) }
+  PreprocessorEndif getEndIf() {
+    preprocpair(unresolveElement(this.getIf()), unresolveElement(result))
+  }
 
   /**
    * Gets the next `#elif`, `#else` or `#endif` matching this branching
@@ -137,7 +139,7 @@ class PreprocessorBranch extends PreprocessorBranchDirective, @ppd_branch {
    * which evaluated it, or was not taken by any translation unit which
    * evaluated it.
    */
-  predicate wasPredictable() { not (wasTaken() and wasNotTaken()) }
+  predicate wasPredictable() { not (this.wasTaken() and this.wasNotTaken()) }
 }
 
 /**
@@ -268,7 +270,7 @@ class PreprocessorUndef extends PreprocessorDirective, @ppd_undef {
   /**
    * Gets the name of the macro that is undefined.
    */
-  string getName() { result = getHead() }
+  string getName() { result = this.getHead() }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/Print.qll

@@ -105,8 +105,8 @@ private class DumpType extends Type {
     // for a `SpecifiedType`, insert the qualifiers after
     // `getDeclaratorSuffixBeforeQualifiers()`.
     result =
-      getTypeSpecifier() + getDeclaratorPrefix() + getDeclaratorSuffixBeforeQualifiers() +
-        getDeclaratorSuffix()
+      this.getTypeSpecifier() + this.getDeclaratorPrefix() +
+        this.getDeclaratorSuffixBeforeQualifiers() + this.getDeclaratorSuffix()
   }
 
   /**
@@ -147,29 +147,35 @@ private class DumpType extends Type {
 }
 
 private class BuiltInDumpType extends DumpType, BuiltInType {
-  override string getTypeSpecifier() { result = toString() }
+  override string getTypeSpecifier() { result = this.toString() }
 }
 
 private class IntegralDumpType extends BuiltInDumpType, IntegralType {
-  override string getTypeSpecifier() { result = getCanonicalArithmeticType().toString() }
+  override string getTypeSpecifier() { result = this.getCanonicalArithmeticType().toString() }
 }
 
 private class DerivedDumpType extends DumpType, DerivedType {
-  override string getTypeSpecifier() { result = getBaseType().(DumpType).getTypeSpecifier() }
+  override string getTypeSpecifier() { result = this.getBaseType().(DumpType).getTypeSpecifier() }
 
   override string getDeclaratorSuffixBeforeQualifiers() {
-    result = getBaseType().(DumpType).getDeclaratorSuffixBeforeQualifiers()
+    result = this.getBaseType().(DumpType).getDeclaratorSuffixBeforeQualifiers()
   }
 
-  override string getDeclaratorSuffix() { result = getBaseType().(DumpType).getDeclaratorSuffix() }
+  override string getDeclaratorSuffix() {
+    result = this.getBaseType().(DumpType).getDeclaratorSuffix()
+  }
 }
 
 private class DecltypeDumpType extends DumpType, Decltype {
-  override string getTypeSpecifier() { result = getBaseType().(DumpType).getTypeSpecifier() }
+  override string getTypeSpecifier() { result = this.getBaseType().(DumpType).getTypeSpecifier() }
 
-  override string getDeclaratorPrefix() { result = getBaseType().(DumpType).getDeclaratorPrefix() }
+  override string getDeclaratorPrefix() {
+    result = this.getBaseType().(DumpType).getDeclaratorPrefix()
+  }
 
-  override string getDeclaratorSuffix() { result = getBaseType().(DumpType).getDeclaratorSuffix() }
+  override string getDeclaratorSuffix() {
+    result = this.getBaseType().(DumpType).getDeclaratorSuffix()
+  }
 }
 
 private class PointerIshDumpType extends DerivedDumpType {
@@ -180,10 +186,10 @@ private class PointerIshDumpType extends DerivedDumpType {
 
   override string getDeclaratorPrefix() {
     exists(string declarator |
-      result = getBaseType().(DumpType).getDeclaratorPrefix() + declarator and
-      if getBaseType().getUnspecifiedType() instanceof ArrayType
-      then declarator = "(" + getDeclaratorToken() + ")"
-      else declarator = getDeclaratorToken()
+      result = this.getBaseType().(DumpType).getDeclaratorPrefix() + declarator and
+      if this.getBaseType().getUnspecifiedType() instanceof ArrayType
+      then declarator = "(" + this.getDeclaratorToken() + ")"
+      else declarator = this.getDeclaratorToken()
     )
   }
 
@@ -206,13 +212,13 @@ private class RValueReferenceDumpType extends PointerIshDumpType, RValueReferenc
 }
 
 private class PointerToMemberDumpType extends DumpType, PointerToMemberType {
-  override string getTypeSpecifier() { result = getBaseType().(DumpType).getTypeSpecifier() }
+  override string getTypeSpecifier() { result = this.getBaseType().(DumpType).getTypeSpecifier() }
 
   override string getDeclaratorPrefix() {
     exists(string declarator, string parenDeclarator, Type baseType |
-      declarator = getClass().(DumpType).getTypeIdentityString() + "::*" and
-      result = getBaseType().(DumpType).getDeclaratorPrefix() + " " + parenDeclarator and
-      baseType = getBaseType().getUnspecifiedType() and
+      declarator = this.getClass().(DumpType).getTypeIdentityString() + "::*" and
+      result = this.getBaseType().(DumpType).getDeclaratorPrefix() + " " + parenDeclarator and
+      baseType = this.getBaseType().getUnspecifiedType() and
       if baseType instanceof ArrayType or baseType instanceof RoutineType
       then parenDeclarator = "(" + declarator
       else parenDeclarator = declarator
@@ -221,38 +227,44 @@ private class PointerToMemberDumpType extends DumpType, PointerToMemberType {
 
   override string getDeclaratorSuffixBeforeQualifiers() {
     exists(Type baseType |
-      baseType = getBaseType().getUnspecifiedType() and
+      baseType = this.getBaseType().getUnspecifiedType() and
       if baseType instanceof ArrayType or baseType instanceof RoutineType
-      then result = ")" + getBaseType().(DumpType).getDeclaratorSuffixBeforeQualifiers()
-      else result = getBaseType().(DumpType).getDeclaratorSuffixBeforeQualifiers()
+      then result = ")" + this.getBaseType().(DumpType).getDeclaratorSuffixBeforeQualifiers()
+      else result = this.getBaseType().(DumpType).getDeclaratorSuffixBeforeQualifiers()
     )
   }
 
-  override string getDeclaratorSuffix() { result = getBaseType().(DumpType).getDeclaratorSuffix() }
+  override string getDeclaratorSuffix() {
+    result = this.getBaseType().(DumpType).getDeclaratorSuffix()
+  }
 }
 
 private class ArrayDumpType extends DerivedDumpType, ArrayType {
-  override string getDeclaratorPrefix() { result = getBaseType().(DumpType).getDeclaratorPrefix() }
+  override string getDeclaratorPrefix() {
+    result = this.getBaseType().(DumpType).getDeclaratorPrefix()
+  }
 
   override string getDeclaratorSuffixBeforeQualifiers() {
-    if exists(getArraySize())
+    if exists(this.getArraySize())
     then
       result =
-        "[" + getArraySize().toString() + "]" +
-          getBaseType().(DumpType).getDeclaratorSuffixBeforeQualifiers()
-    else result = "[]" + getBaseType().(DumpType).getDeclaratorSuffixBeforeQualifiers()
+        "[" + this.getArraySize().toString() + "]" +
+          this.getBaseType().(DumpType).getDeclaratorSuffixBeforeQualifiers()
+    else result = "[]" + this.getBaseType().(DumpType).getDeclaratorSuffixBeforeQualifiers()
   }
 }
 
 private class FunctionPointerIshDumpType extends DerivedDumpType, FunctionPointerIshType {
   override string getDeclaratorSuffixBeforeQualifiers() {
-    result = ")" + getBaseType().(DumpType).getDeclaratorSuffixBeforeQualifiers()
+    result = ")" + this.getBaseType().(DumpType).getDeclaratorSuffixBeforeQualifiers()
   }
 
-  override string getDeclaratorSuffix() { result = getBaseType().(DumpType).getDeclaratorSuffix() }
+  override string getDeclaratorSuffix() {
+    result = this.getBaseType().(DumpType).getDeclaratorSuffix()
+  }
 
   override string getDeclaratorPrefix() {
-    result = getBaseType().(DumpType).getDeclaratorPrefix() + "(" + getDeclaratorToken()
+    result = this.getBaseType().(DumpType).getDeclaratorPrefix() + "(" + this.getDeclaratorToken()
   }
 
   /**
@@ -274,10 +286,10 @@ private class BlockDumpType extends FunctionPointerIshDumpType, BlockType {
 }
 
 private class RoutineDumpType extends DumpType, RoutineType {
-  override string getTypeSpecifier() { result = getReturnType().(DumpType).getTypeSpecifier() }
+  override string getTypeSpecifier() { result = this.getReturnType().(DumpType).getTypeSpecifier() }
 
   override string getDeclaratorPrefix() {
-    result = getReturnType().(DumpType).getDeclaratorPrefix()
+    result = this.getReturnType().(DumpType).getDeclaratorPrefix()
   }
 
   language[monotonicAggregates]
@@ -285,39 +297,41 @@ private class RoutineDumpType extends DumpType, RoutineType {
     result =
       "(" +
         concat(int i |
-          exists(getParameterType(i))
+          exists(this.getParameterType(i))
         |
-          getParameterTypeString(getParameterType(i)), ", " order by i
+          getParameterTypeString(this.getParameterType(i)), ", " order by i
         ) + ")"
   }
 
   override string getDeclaratorSuffix() {
     result =
-      getReturnType().(DumpType).getDeclaratorSuffixBeforeQualifiers() +
-        getReturnType().(DumpType).getDeclaratorSuffix()
+      this.getReturnType().(DumpType).getDeclaratorSuffixBeforeQualifiers() +
+        this.getReturnType().(DumpType).getDeclaratorSuffix()
   }
 }
 
 private class SpecifiedDumpType extends DerivedDumpType, SpecifiedType {
   override string getDeclaratorPrefix() {
     exists(string basePrefix |
-      basePrefix = getBaseType().(DumpType).getDeclaratorPrefix() and
-      if getBaseType().getUnspecifiedType() instanceof RoutineType
+      basePrefix = this.getBaseType().(DumpType).getDeclaratorPrefix() and
+      if this.getBaseType().getUnspecifiedType() instanceof RoutineType
       then result = basePrefix
-      else result = basePrefix + " " + getSpecifierString()
+      else result = basePrefix + " " + this.getSpecifierString()
     )
   }
 
   override string getDeclaratorSuffixBeforeQualifiers() {
     exists(string baseSuffix |
-      baseSuffix = getBaseType().(DumpType).getDeclaratorSuffixBeforeQualifiers() and
-      if getBaseType().getUnspecifiedType() instanceof RoutineType
-      then result = baseSuffix + " " + getSpecifierString()
+      baseSuffix = this.getBaseType().(DumpType).getDeclaratorSuffixBeforeQualifiers() and
+      if this.getBaseType().getUnspecifiedType() instanceof RoutineType
+      then result = baseSuffix + " " + this.getSpecifierString()
       else result = baseSuffix
     )
   }
 
-  override string getDeclaratorSuffix() { result = getBaseType().(DumpType).getDeclaratorSuffix() }
+  override string getDeclaratorSuffix() {
+    result = this.getBaseType().(DumpType).getDeclaratorSuffix()
+  }
 }
 
 private class UserDumpType extends DumpType, DumpDeclaration, UserType {
@@ -330,18 +344,18 @@ private class UserDumpType extends DumpType, DumpDeclaration, UserType {
           // "lambda [] type at line 12, col. 40"
           // Use `min(getSimpleName())` to work around an extractor bug where a lambda can have different names
           // from different compilation units.
-          simpleName = "(" + min(getSimpleName()) + ")"
-        else simpleName = getSimpleName()
+          simpleName = "(" + min(this.getSimpleName()) + ")"
+        else simpleName = this.getSimpleName()
       ) and
-      result = getScopePrefix(this) + simpleName + getTemplateArgumentsString()
+      result = getScopePrefix(this) + simpleName + this.getTemplateArgumentsString()
     )
   }
 
-  override string getTypeSpecifier() { result = getIdentityString() }
+  override string getTypeSpecifier() { result = this.getIdentityString() }
 }
 
 private class DumpProxyClass extends UserDumpType, ProxyClass {
-  override string getIdentityString() { result = getName() }
+  override string getIdentityString() { result = this.getName() }
 }
 
 private class DumpVariable extends DumpDeclaration, Variable {
@@ -360,9 +374,9 @@ private class DumpVariable extends DumpDeclaration, Variable {
 private class DumpFunction extends DumpDeclaration, Function {
   override string getIdentityString() {
     result =
-      getType().(DumpType).getTypeSpecifier() + getType().(DumpType).getDeclaratorPrefix() + " " +
-        getScopePrefix(this) + getName() + getTemplateArgumentsString() +
-        getDeclaratorSuffixBeforeQualifiers() + getDeclaratorSuffix()
+      this.getType().(DumpType).getTypeSpecifier() + this.getType().(DumpType).getDeclaratorPrefix()
+        + " " + getScopePrefix(this) + this.getName() + this.getTemplateArgumentsString() +
+        this.getDeclaratorSuffixBeforeQualifiers() + this.getDeclaratorSuffix()
   }
 
   language[monotonicAggregates]
@@ -370,28 +384,29 @@ private class DumpFunction extends DumpDeclaration, Function {
     result =
       "(" +
         concat(int i |
-          exists(getParameter(i).getType())
+          exists(this.getParameter(i).getType())
         |
-          getParameterTypeString(getParameter(i).getType()), ", " order by i
-        ) + ")" + getQualifierString()
+          getParameterTypeString(this.getParameter(i).getType()), ", " order by i
+        ) + ")" + this.getQualifierString()
   }
 
   private string getQualifierString() {
-    if exists(getACVQualifier())
+    if exists(this.getACVQualifier())
     then
-      result = " " + strictconcat(string qualifier | qualifier = getACVQualifier() | qualifier, " ")
+      result =
+        " " + strictconcat(string qualifier | qualifier = this.getACVQualifier() | qualifier, " ")
     else result = ""
   }
 
   private string getACVQualifier() {
-    result = getASpecifier().getName() and
+    result = this.getASpecifier().getName() and
     result = ["const", "volatile"]
   }
 
   private string getDeclaratorSuffix() {
     result =
-      getType().(DumpType).getDeclaratorSuffixBeforeQualifiers() +
-        getType().(DumpType).getDeclaratorSuffix()
+      this.getType().(DumpType).getDeclaratorSuffixBeforeQualifiers() +
+        this.getType().(DumpType).getDeclaratorSuffix()
   }
 }
 

cpp/ql/lib/semmle/code/cpp/Specifier.qll

@@ -31,11 +31,7 @@ class Specifier extends Element, @specifier {
  * A C/C++ function specifier: `inline`, `virtual`, or `explicit`.
  */
 class FunctionSpecifier extends Specifier {
-  FunctionSpecifier() {
-    this.hasName("inline") or
-    this.hasName("virtual") or
-    this.hasName("explicit")
-  }
+  FunctionSpecifier() { this.hasName(["inline", "virtual", "explicit"]) }
 
   override string getAPrimaryQlClass() { result = "FunctionSpecifier" }
 }
@@ -45,13 +41,7 @@ class FunctionSpecifier extends Specifier {
  * or `mutable".
  */
 class StorageClassSpecifier extends Specifier {
-  StorageClassSpecifier() {
-    this.hasName("auto") or
-    this.hasName("register") or
-    this.hasName("static") or
-    this.hasName("extern") or
-    this.hasName("mutable")
-  }
+  StorageClassSpecifier() { this.hasName(["auto", "register", "static", "extern", "mutable"]) }
 
   override string getAPrimaryQlClass() { result = "StorageClassSpecifier" }
 }
@@ -60,11 +50,7 @@ class StorageClassSpecifier extends Specifier {
  * A C++ access specifier: `public`, `protected`, or `private`.
  */
 class AccessSpecifier extends Specifier {
-  AccessSpecifier() {
-    this.hasName("public") or
-    this.hasName("protected") or
-    this.hasName("private")
-  }
+  AccessSpecifier() { this.hasName(["public", "protected", "private"]) }
 
   /**
    * Gets the visibility of a field with access specifier `this` if it is
@@ -140,7 +126,7 @@ class Attribute extends Element, @attribute {
   AttributeArgument getArgument(int i) { result.getAttribute() = this and result.getIndex() = i }
 
   /** Gets an argument of the attribute. */
-  AttributeArgument getAnArgument() { result = getArgument(_) }
+  AttributeArgument getAnArgument() { result = this.getArgument(_) }
 }
 
 /**
@@ -166,7 +152,7 @@ class StdAttribute extends Attribute, @stdattribute {
    * Holds if this attribute has the given namespace and name.
    */
   predicate hasQualifiedName(string namespace, string name) {
-    namespace = getNamespace() and hasName(name)
+    namespace = this.getNamespace() and this.hasName(name)
   }
 }
 
@@ -184,7 +170,7 @@ class Declspec extends Attribute, @declspec { }
  */
 class MicrosoftAttribute extends Attribute, @msattribute {
   AttributeArgument getNamedArgument(string name) {
-    result = getAnArgument() and result.getName() = name
+    result = this.getAnArgument() and result.getName() = name
   }
 }
 
@@ -212,13 +198,13 @@ class AlignAs extends Attribute, @alignas {
  * ```
  */
 class FormatAttribute extends GnuAttribute {
-  FormatAttribute() { getName() = "format" }
+  FormatAttribute() { this.getName() = "format" }
 
   /**
    * Gets the archetype of this format attribute, for example
    * `"printf"`.
    */
-  string getArchetype() { result = getArgument(0).getValueText() }
+  string getArchetype() { result = this.getArgument(0).getValueText() }
 
   /**
    * Gets the index in (1-based) format attribute notation associated
@@ -236,7 +222,7 @@ class FormatAttribute extends GnuAttribute {
    * Gets the (0-based) index of the format string,
    * according to this attribute.
    */
-  int getFormatIndex() { result = getArgument(1).getValueInt() - firstArgumentNumber() }
+  int getFormatIndex() { result = this.getArgument(1).getValueInt() - this.firstArgumentNumber() }
 
   /**
    * Gets the (0-based) index of the first format argument (if any),
@@ -244,8 +230,8 @@ class FormatAttribute extends GnuAttribute {
    */
   int getFirstFormatArgIndex() {
     exists(int val |
-      val = getArgument(2).getValueInt() and
-      result = val - firstArgumentNumber() and
+      val = this.getArgument(2).getValueInt() and
+      result = val - this.firstArgumentNumber() and
       not val = 0 // indicates a `vprintf` style format function with arguments not directly available.
     )
   }
@@ -277,7 +263,7 @@ class AttributeArgument extends Element, @attribute_arg {
   /**
    * Gets the value of this argument, if its value is integral.
    */
-  int getValueInt() { result = getValueText().toInt() }
+  int getValueInt() { result = this.getValueText().toInt() }
 
   /**
    * Gets the value of this argument, if its value is a type.
@@ -304,11 +290,11 @@ class AttributeArgument extends Element, @attribute_arg {
     then result = "empty argument"
     else
       exists(string prefix, string tail |
-        (if exists(getName()) then prefix = getName() + "=" else prefix = "") and
+        (if exists(this.getName()) then prefix = this.getName() + "=" else prefix = "") and
         (
           if exists(@attribute_arg_type self | self = underlyingElement(this))
-          then tail = getValueType().getName()
-          else tail = getValueText()
+          then tail = this.getValueType().getName()
+          else tail = this.getValueText()
         ) and
         result = prefix + tail
       )

cpp/ql/lib/semmle/code/cpp/Struct.qll

@@ -41,7 +41,7 @@ class Struct extends Class {
  * ```
  */
 class LocalStruct extends Struct {
-  LocalStruct() { isLocal() }
+  LocalStruct() { this.isLocal() }
 
   override string getAPrimaryQlClass() { not this instanceof LocalUnion and result = "LocalStruct" }
 }

cpp/ql/lib/semmle/code/cpp/TestFile.qll

@@ -10,8 +10,8 @@ import semmle.code.cpp.File
  */
 private class GoogleTestHeader extends File {
   GoogleTestHeader() {
-    getBaseName() = "gtest.h" and
-    getParentContainer().getBaseName() = "gtest"
+    this.getBaseName() = "gtest.h" and
+    this.getParentContainer().getBaseName() = "gtest"
   }
 }
 
@@ -30,8 +30,8 @@ private class GoogleTest extends MacroInvocation {
  */
 private class BoostTestFolder extends Folder {
   BoostTestFolder() {
-    getBaseName() = "test" and
-    getParentContainer().getBaseName() = "boost"
+    this.getBaseName() = "test" and
+    this.getParentContainer().getBaseName() = "boost"
   }
 }
 
@@ -49,7 +49,7 @@ private class BoostTest extends MacroInvocation {
  * The `cppunit` directory.
  */
 private class CppUnitFolder extends Folder {
-  CppUnitFolder() { getBaseName() = "cppunit" }
+  CppUnitFolder() { this.getBaseName() = "cppunit" }
 }
 
 /**
@@ -57,8 +57,8 @@ private class CppUnitFolder extends Folder {
  */
 private class CppUnitClass extends Class {
   CppUnitClass() {
-    getFile().getParentContainer+() instanceof CppUnitFolder and
-    getNamespace().getParentNamespace*().getName() = "CppUnit"
+    this.getFile().getParentContainer+() instanceof CppUnitFolder and
+    this.getNamespace().getParentNamespace*().getName() = "CppUnit"
   }
 }
 

cpp/ql/lib/semmle/code/cpp/Type.qll

@@ -81,7 +81,7 @@ class Type extends Locatable, @type {
    * Holds if this type refers to type `t` (by default,
    * a type always refers to itself).
    */
-  predicate refersTo(Type t) { refersToDirectly*(t) }
+  predicate refersTo(Type t) { this.refersToDirectly*(t) }
 
   /**
    * Holds if this type refers to type `t` directly.
@@ -1080,11 +1080,11 @@ class DerivedType extends Type, @derivedtype {
 
   override predicate refersToDirectly(Type t) { t = this.getBaseType() }
 
-  override predicate involvesReference() { getBaseType().involvesReference() }
+  override predicate involvesReference() { this.getBaseType().involvesReference() }
 
-  override predicate involvesTemplateParameter() { getBaseType().involvesTemplateParameter() }
+  override predicate involvesTemplateParameter() { this.getBaseType().involvesTemplateParameter() }
 
-  override Type stripType() { result = getBaseType().stripType() }
+  override Type stripType() { result = this.getBaseType().stripType() }
 
   /**
    * Holds if this type has the `__autoreleasing` specifier or if it points to
@@ -1165,33 +1165,35 @@ class Decltype extends Type, @decltype {
    */
   predicate parenthesesWouldChangeMeaning() { decltypes(underlyingElement(this), _, _, true) }
 
-  override Type getUnderlyingType() { result = getBaseType().getUnderlyingType() }
+  override Type getUnderlyingType() { result = this.getBaseType().getUnderlyingType() }
 
-  override Type stripTopLevelSpecifiers() { result = getBaseType().stripTopLevelSpecifiers() }
+  override Type stripTopLevelSpecifiers() { result = this.getBaseType().stripTopLevelSpecifiers() }
 
-  override Type stripType() { result = getBaseType().stripType() }
+  override Type stripType() { result = this.getBaseType().stripType() }
 
-  override Type resolveTypedefs() { result = getBaseType().resolveTypedefs() }
+  override Type resolveTypedefs() { result = this.getBaseType().resolveTypedefs() }
 
-  override Location getLocation() { result = getExpr().getLocation() }
+  override Location getLocation() { result = this.getExpr().getLocation() }
 
   override string toString() { result = "decltype(...)" }
 
   override string getName() { none() }
 
-  override int getSize() { result = getBaseType().getSize() }
+  override int getSize() { result = this.getBaseType().getSize() }
 
-  override int getAlignment() { result = getBaseType().getAlignment() }
+  override int getAlignment() { result = this.getBaseType().getAlignment() }
 
-  override int getPointerIndirectionLevel() { result = getBaseType().getPointerIndirectionLevel() }
+  override int getPointerIndirectionLevel() {
+    result = this.getBaseType().getPointerIndirectionLevel()
+  }
 
   override string explain() {
     result = "decltype resulting in {" + this.getBaseType().explain() + "}"
   }
 
-  override predicate involvesReference() { getBaseType().involvesReference() }
+  override predicate involvesReference() { this.getBaseType().involvesReference() }
 
-  override predicate involvesTemplateParameter() { getBaseType().involvesTemplateParameter() }
+  override predicate involvesTemplateParameter() { this.getBaseType().involvesTemplateParameter() }
 
   override predicate isDeeplyConst() { this.getBaseType().isDeeplyConst() }
 
@@ -1223,7 +1225,7 @@ class PointerType extends DerivedType {
   override predicate isDeeplyConstBelow() { this.getBaseType().isDeeplyConst() }
 
   override Type resolveTypedefs() {
-    result.(PointerType).getBaseType() = getBaseType().resolveTypedefs()
+    result.(PointerType).getBaseType() = this.getBaseType().resolveTypedefs()
   }
 }
 
@@ -1240,7 +1242,9 @@ class ReferenceType extends DerivedType {
 
   override string getAPrimaryQlClass() { result = "ReferenceType" }
 
-  override int getPointerIndirectionLevel() { result = getBaseType().getPointerIndirectionLevel() }
+  override int getPointerIndirectionLevel() {
+    result = this.getBaseType().getPointerIndirectionLevel()
+  }
 
   override string explain() { result = "reference to {" + this.getBaseType().explain() + "}" }
 
@@ -1251,7 +1255,7 @@ class ReferenceType extends DerivedType {
   override predicate involvesReference() { any() }
 
   override Type resolveTypedefs() {
-    result.(ReferenceType).getBaseType() = getBaseType().resolveTypedefs()
+    result.(ReferenceType).getBaseType() = this.getBaseType().resolveTypedefs()
   }
 }
 
@@ -1330,11 +1334,11 @@ class SpecifiedType extends DerivedType {
   }
 
   override Type resolveTypedefs() {
-    result.(SpecifiedType).getBaseType() = getBaseType().resolveTypedefs() and
-    result.getASpecifier() = getASpecifier()
+    result.(SpecifiedType).getBaseType() = this.getBaseType().resolveTypedefs() and
+    result.getASpecifier() = this.getASpecifier()
   }
 
-  override Type stripTopLevelSpecifiers() { result = getBaseType().stripTopLevelSpecifiers() }
+  override Type stripTopLevelSpecifiers() { result = this.getBaseType().stripTopLevelSpecifiers() }
 }
 
 /**
@@ -1433,7 +1437,8 @@ class GNUVectorType extends DerivedType {
   override int getAlignment() { arraysizes(underlyingElement(this), _, _, result) }
 
   override string explain() {
-    result = "GNU " + getNumElements() + " element vector of {" + this.getBaseType().explain() + "}"
+    result =
+      "GNU " + this.getNumElements() + " element vector of {" + this.getBaseType().explain() + "}"
   }
 
   override predicate isDeeplyConstBelow() { this.getBaseType().isDeeplyConst() }
@@ -1468,7 +1473,9 @@ class FunctionReferenceType extends FunctionPointerIshType {
 
   override string getAPrimaryQlClass() { result = "FunctionReferenceType" }
 
-  override int getPointerIndirectionLevel() { result = getBaseType().getPointerIndirectionLevel() }
+  override int getPointerIndirectionLevel() {
+    result = this.getBaseType().getPointerIndirectionLevel()
+  }
 
   override string explain() {
     result = "reference to {" + this.getBaseType().(RoutineType).explain() + "}"
@@ -1535,8 +1542,8 @@ class FunctionPointerIshType extends DerivedType {
   int getNumberOfParameters() { result = count(int i | exists(this.getParameterType(i))) }
 
   override predicate involvesTemplateParameter() {
-    getReturnType().involvesTemplateParameter() or
-    getAParameterType().involvesTemplateParameter()
+    this.getReturnType().involvesTemplateParameter() or
+    this.getAParameterType().involvesTemplateParameter()
   }
 
   override predicate isDeeplyConstBelow() { this.getBaseType().isDeeplyConst() }
@@ -1581,7 +1588,7 @@ class PointerToMemberType extends Type, @ptrtomember {
         this.getBaseType().explain() + "}"
   }
 
-  override predicate involvesTemplateParameter() { getBaseType().involvesTemplateParameter() }
+  override predicate involvesTemplateParameter() { this.getBaseType().involvesTemplateParameter() }
 
   override predicate isDeeplyConstBelow() { this.getBaseType().isDeeplyConst() }
 }
@@ -1670,8 +1677,8 @@ class RoutineType extends Type, @routinetype {
   override predicate isDeeplyConstBelow() { none() } // Current limitation: no such thing as a const routine type
 
   override predicate involvesTemplateParameter() {
-    getReturnType().involvesTemplateParameter() or
-    getAParameterType().involvesTemplateParameter()
+    this.getReturnType().involvesTemplateParameter() or
+    this.getAParameterType().involvesTemplateParameter()
   }
 }
 

cpp/ql/lib/semmle/code/cpp/TypedefType.qll

@@ -25,7 +25,7 @@ class TypedefType extends UserType {
 
   override Type getUnderlyingType() { result = this.getBaseType().getUnderlyingType() }
 
-  override Type stripTopLevelSpecifiers() { result = getBaseType().stripTopLevelSpecifiers() }
+  override Type stripTopLevelSpecifiers() { result = this.getBaseType().stripTopLevelSpecifiers() }
 
   override int getSize() { result = this.getBaseType().getSize() }
 
@@ -43,11 +43,11 @@ class TypedefType extends UserType {
     result = this.getBaseType().getASpecifier()
   }
 
-  override predicate involvesReference() { getBaseType().involvesReference() }
+  override predicate involvesReference() { this.getBaseType().involvesReference() }
 
-  override Type resolveTypedefs() { result = getBaseType().resolveTypedefs() }
+  override Type resolveTypedefs() { result = this.getBaseType().resolveTypedefs() }
 
-  override Type stripType() { result = getBaseType().stripType() }
+  override Type stripType() { result = this.getBaseType().stripType() }
 }
 
 /**
@@ -90,7 +90,7 @@ class UsingAliasTypedefType extends TypedefType {
  * ```
  */
 class LocalTypedefType extends TypedefType {
-  LocalTypedefType() { isLocal() }
+  LocalTypedefType() { this.isLocal() }
 
   override string getAPrimaryQlClass() { result = "LocalTypedefType" }
 }

cpp/ql/lib/semmle/code/cpp/Union.qll

@@ -37,7 +37,7 @@ class Union extends Struct {
  * ```
  */
 class LocalUnion extends Union {
-  LocalUnion() { isLocal() }
+  LocalUnion() { this.isLocal() }
 
   override string getAPrimaryQlClass() { result = "LocalUnion" }
 }

cpp/ql/lib/semmle/code/cpp/UserType.qll

@@ -30,19 +30,19 @@ class UserType extends Type, Declaration, NameQualifyingElement, AccessHolder, @
    * Gets the simple name of this type, without any template parameters.  For example
    * if the name of the type is `"myType<int>"`, the simple name is just `"myType"`.
    */
-  string getSimpleName() { result = getName().regexpReplaceAll("<.*", "") }
+  string getSimpleName() { result = this.getName().regexpReplaceAll("<.*", "") }
 
   override predicate hasName(string name) { usertypes(underlyingElement(this), name, _) }
 
   /** Holds if this type is anonymous. */
-  predicate isAnonymous() { getName().matches("(unnamed%") }
+  predicate isAnonymous() { this.getName().matches("(unnamed%") }
 
   override predicate hasSpecifier(string s) { Type.super.hasSpecifier(s) }
 
   override Specifier getASpecifier() { result = Type.super.getASpecifier() }
 
   override Location getLocation() {
-    if hasDefinition()
+    if this.hasDefinition()
     then result = this.getDefinitionLocation()
     else result = this.getADeclarationLocation()
   }
@@ -53,16 +53,16 @@ class UserType extends Type, Declaration, NameQualifyingElement, AccessHolder, @
     else exists(Class t | this.(Class).isConstructedFrom(t) and result = t.getADeclarationEntry())
   }
 
-  override Location getADeclarationLocation() { result = getADeclarationEntry().getLocation() }
+  override Location getADeclarationLocation() { result = this.getADeclarationEntry().getLocation() }
 
   override TypeDeclarationEntry getDefinition() {
-    result = getADeclarationEntry() and
+    result = this.getADeclarationEntry() and
     result.isDefinition()
   }
 
   override Location getDefinitionLocation() {
-    if exists(getDefinition())
-    then result = getDefinition().getLocation()
+    if exists(this.getDefinition())
+    then result = this.getDefinition().getLocation()
     else
       exists(Class t |
         this.(Class).isConstructedFrom(t) and result = t.getDefinition().getLocation()
@@ -80,7 +80,7 @@ class UserType extends Type, Declaration, NameQualifyingElement, AccessHolder, @
    * Holds if this is a local type (that is, a type that has a directly-enclosing
    * function).
    */
-  predicate isLocal() { exists(getEnclosingFunction()) }
+  predicate isLocal() { exists(this.getEnclosingFunction()) }
 
   /*
    * Dummy implementations of inherited methods. This class must not be
@@ -107,9 +107,9 @@ class UserType extends Type, Declaration, NameQualifyingElement, AccessHolder, @
  * ```
  */
 class TypeDeclarationEntry extends DeclarationEntry, @type_decl {
-  override UserType getDeclaration() { result = getType() }
+  override UserType getDeclaration() { result = this.getType() }
 
-  override string getName() { result = getType().getName() }
+  override string getName() { result = this.getType().getName() }
 
   override string getAPrimaryQlClass() { result = "TypeDeclarationEntry" }
 

cpp/ql/lib/semmle/code/cpp/Variable.qll

@@ -104,17 +104,17 @@ class Variable extends Declaration, @variable {
 
   override VariableDeclarationEntry getADeclarationEntry() { result.getDeclaration() = this }
 
-  override Location getADeclarationLocation() { result = getADeclarationEntry().getLocation() }
+  override Location getADeclarationLocation() { result = this.getADeclarationEntry().getLocation() }
 
   override VariableDeclarationEntry getDefinition() {
-    result = getADeclarationEntry() and
+    result = this.getADeclarationEntry() and
     result.isDefinition()
   }
 
-  override Location getDefinitionLocation() { result = getDefinition().getLocation() }
+  override Location getDefinitionLocation() { result = this.getDefinition().getLocation() }
 
   override Location getLocation() {
-    if exists(getDefinition())
+    if exists(this.getDefinition())
     then result = this.getDefinitionLocation()
     else result = this.getADeclarationLocation()
   }
@@ -199,7 +199,7 @@ class Variable extends Declaration, @variable {
  * ```
  */
 class VariableDeclarationEntry extends DeclarationEntry, @var_decl {
-  override Variable getDeclaration() { result = getVariable() }
+  override Variable getDeclaration() { result = this.getVariable() }
 
   override string getAPrimaryQlClass() { result = "VariableDeclarationEntry" }
 
@@ -276,32 +276,33 @@ class ParameterDeclarationEntry extends VariableDeclarationEntry {
   int getIndex() { param_decl_bind(underlyingElement(this), result, _) }
 
   private string getAnonymousParameterDescription() {
-    not exists(getName()) and
+    not exists(this.getName()) and
     exists(string idx |
       idx =
-        ((getIndex() + 1).toString() + "th")
+        ((this.getIndex() + 1).toString() + "th")
             .replaceAll("1th", "1st")
             .replaceAll("2th", "2nd")
             .replaceAll("3th", "3rd")
             .replaceAll("11st", "11th")
             .replaceAll("12nd", "12th")
             .replaceAll("13rd", "13th") and
-      if exists(getCanonicalName())
-      then result = "declaration of " + getCanonicalName() + " as anonymous " + idx + " parameter"
+      if exists(this.getCanonicalName())
+      then
+        result = "declaration of " + this.getCanonicalName() + " as anonymous " + idx + " parameter"
       else result = "declaration of " + idx + " parameter"
     )
   }
 
   override string toString() {
-    isDefinition() and
-    result = "definition of " + getName()
+    this.isDefinition() and
+    result = "definition of " + this.getName()
     or
-    not isDefinition() and
-    if getName() = getCanonicalName()
-    then result = "declaration of " + getName()
-    else result = "declaration of " + getCanonicalName() + " as " + getName()
+    not this.isDefinition() and
+    if this.getName() = this.getCanonicalName()
+    then result = "declaration of " + this.getName()
+    else result = "declaration of " + this.getCanonicalName() + " as " + this.getName()
     or
-    result = getAnonymousParameterDescription()
+    result = this.getAnonymousParameterDescription()
   }
 
   /**
@@ -311,8 +312,12 @@ class ParameterDeclarationEntry extends VariableDeclarationEntry {
    */
   string getTypedName() {
     exists(string typeString, string nameString |
-      (if exists(getType().getName()) then typeString = getType().getName() else typeString = "") and
-      (if exists(getName()) then nameString = getName() else nameString = "") and
+      (
+        if exists(this.getType().getName())
+        then typeString = this.getType().getName()
+        else typeString = ""
+      ) and
+      (if exists(this.getName()) then nameString = this.getName() else nameString = "") and
       if typeString != "" and nameString != ""
       then result = typeString + " " + nameString
       else result = typeString + nameString
@@ -540,7 +545,7 @@ class MemberVariable extends Variable, @membervariable {
   }
 
   /** Holds if this member is mutable. */
-  predicate isMutable() { getADeclarationEntry().hasSpecifier("mutable") }
+  predicate isMutable() { this.getADeclarationEntry().hasSpecifier("mutable") }
 
   private Type getAType() { membervariables(underlyingElement(this), unresolveElement(result), _) }
 }

cpp/ql/lib/semmle/code/cpp/commons/CommonType.qll

@@ -375,8 +375,8 @@ class Wchar_t extends Type {
 class MicrosoftInt8Type extends IntegralType {
   MicrosoftInt8Type() {
     this instanceof CharType and
-    not isExplicitlyUnsigned() and
-    not isExplicitlySigned()
+    not this.isExplicitlyUnsigned() and
+    not this.isExplicitlySigned()
   }
 }
 
@@ -391,8 +391,8 @@ class MicrosoftInt8Type extends IntegralType {
 class MicrosoftInt16Type extends IntegralType {
   MicrosoftInt16Type() {
     this instanceof ShortType and
-    not isExplicitlyUnsigned() and
-    not isExplicitlySigned()
+    not this.isExplicitlyUnsigned() and
+    not this.isExplicitlySigned()
   }
 }
 
@@ -407,8 +407,8 @@ class MicrosoftInt16Type extends IntegralType {
 class MicrosoftInt32Type extends IntegralType {
   MicrosoftInt32Type() {
     this instanceof IntType and
-    not isExplicitlyUnsigned() and
-    not isExplicitlySigned()
+    not this.isExplicitlyUnsigned() and
+    not this.isExplicitlySigned()
   }
 }
 
@@ -423,8 +423,8 @@ class MicrosoftInt32Type extends IntegralType {
 class MicrosoftInt64Type extends IntegralType {
   MicrosoftInt64Type() {
     this instanceof LongLongType and
-    not isExplicitlyUnsigned() and
-    not isExplicitlySigned()
+    not this.isExplicitlyUnsigned() and
+    not this.isExplicitlySigned()
   }
 }
 

cpp/ql/lib/semmle/code/cpp/commons/Dependency.qll

@@ -33,7 +33,7 @@ DependencyOptions getDependencyOptions() { any() }
 class DependsSource extends Element {
   DependsSource() {
     // not inside a template instantiation
-    not exists(Element other | isFromTemplateInstantiation(other)) or
+    not exists(Element other | this.isFromTemplateInstantiation(other)) or
     // allow DeclarationEntrys of template specializations
     this.(DeclarationEntry).getDeclaration().(Function).isConstructedFrom(_) or
     this.(DeclarationEntry).getDeclaration().(Class).isConstructedFrom(_)
@@ -275,7 +275,7 @@ private predicate dependsOnDeclarationEntry(Element src, DeclarationEntry dest)
     dependsOnTransitive(src, mid) and
     not mid instanceof Type and
     not mid instanceof EnumConstant and
-    getDeclarationEntries(mid, dest.(DeclarationEntry)) and
+    getDeclarationEntries(mid, dest) and
     not dest instanceof TypeDeclarationEntry
   )
   or
@@ -283,9 +283,9 @@ private predicate dependsOnDeclarationEntry(Element src, DeclarationEntry dest)
     // dependency from a Type / Variable / Function use -> any (visible) definition
     dependsOnTransitive(src, mid) and
     not mid instanceof EnumConstant and
-    getDeclarationEntries(mid, dest.(DeclarationEntry)) and
+    getDeclarationEntries(mid, dest) and
     // must be definition
-    dest.(DeclarationEntry).isDefinition()
+    dest.isDefinition()
   )
 }
 
@@ -307,7 +307,7 @@ private predicate dependsOnFull(DependsSource src, Symbol dest, int category) {
     // dependency from a Variable / Function use -> non-visible definition (link time)
     dependsOnTransitive(src, mid) and
     not mid instanceof EnumConstant and
-    getDeclarationEntries(mid, dest.(DeclarationEntry)) and
+    getDeclarationEntries(mid, dest) and
     not dest instanceof TypeDeclarationEntry and
     // must be definition
     dest.(DeclarationEntry).isDefinition() and

cpp/ql/lib/semmle/code/cpp/commons/Exclusions.qll

@@ -81,8 +81,8 @@ predicate functionContainsPreprocCode(Function f) {
 }
 
 /**
- * Holds if `e` is completely or partially from a macro definition, as opposed
- * to being passed in as an argument.
+ * Holds if `e` is completely or partially from a macro invocation `mi`, as
+ * opposed to being passed in as an argument.
  *
  * In the following example, the call to `f` is from a macro definition,
  * while `y`, `+`, `1`, and `;` are not. This assumes that no identifier apart
@@ -93,8 +93,8 @@ predicate functionContainsPreprocCode(Function f) {
  *   M(y + 1);
  * ```
  */
-predicate isFromMacroDefinition(Element e) {
-  exists(MacroInvocation mi, Location eLocation, Location miLocation |
+private predicate isFromMacroInvocation(Element e, MacroInvocation mi) {
+  exists(Location eLocation, Location miLocation |
     mi.getAnExpandedElement() = e and
     eLocation = e.getLocation() and
     miLocation = mi.getLocation() and
@@ -109,3 +109,36 @@ predicate isFromMacroDefinition(Element e) {
     eLocation.getEndColumn() >= miLocation.getEndColumn()
   )
 }
+
+/**
+ * Holds if `e` is completely or partially from a macro definition, as opposed
+ * to being passed in as an argument.
+ *
+ * In the following example, the call to `f` is from a macro definition,
+ * while `y`, `+`, `1`, and `;` are not. This assumes that no identifier apart
+ * from `M` refers to a macro.
+ * ```
+ * #define M(x) f(x)
+ * ...
+ *   M(y + 1);
+ * ```
+ */
+predicate isFromMacroDefinition(Element e) { isFromMacroInvocation(e, _) }
+
+/**
+ * Holds if `e` is completely or partially from a _system macro_ definition, as
+ * opposed to being passed in as an argument. A system macro is a macro whose
+ * definition is outside the source directory of the database.
+ *
+ * If the system macro is invoked through a non-system macro, then this
+ * predicate does not hold.
+ *
+ * See also `isFromMacroDefinition`.
+ */
+predicate isFromSystemMacroDefinition(Element e) {
+  exists(MacroInvocation mi |
+    isFromMacroInvocation(e, mi) and
+    // Has no relative path in the database, meaning it's a system file.
+    not exists(mi.getMacro().getFile().getRelativePath())
+  )
+}

cpp/ql/lib/semmle/code/cpp/commons/NullTermination.qll

@@ -3,17 +3,33 @@ private import semmle.code.cpp.models.interfaces.ArrayFunction
 private import semmle.code.cpp.models.implementations.Strcat
 import semmle.code.cpp.dataflow.DataFlow
 
-private predicate mayAddNullTerminatorHelper(Expr e, VariableAccess va, Expr e0) {
-  exists(StackVariable v0, Expr val |
-    exprDefinition(v0, e, val) and
-    val.getAChild*() = va and
-    mayAddNullTerminator(e0, v0.getAnAccess())
+/**
+ * Holds if the expression `e` assigns something including `va` to a
+ * stack variable `v0`.
+ */
+private predicate mayAddNullTerminatorHelper(Expr e, VariableAccess va, StackVariable v0) {
+  exists(Expr val |
+    exprDefinition(v0, e, val) and // `e` is `v0 := val`
+    val.getAChild*() = va
+  )
+}
+
+bindingset[n1, n2]
+private predicate controlFlowNodeSuccessorTransitive(ControlFlowNode n1, ControlFlowNode n2) {
+  exists(BasicBlock bb1, int pos1, BasicBlock bb2, int pos2 |
+    pragma[only_bind_into](bb1).getNode(pos1) = n1 and
+    pragma[only_bind_into](bb2).getNode(pos2) = n2 and
+    (
+      bb1 = bb2 and pos1 < pos2
+      or
+      bb1.getASuccessor+() = bb2
+    )
   )
 }
 
 /**
- * Holds if the expression `e` may add a null terminator to the string in
- * variable `v`.
+ * Holds if the expression `e` may add a null terminator to the string
+ * accessed by `va`.
  */
 predicate mayAddNullTerminator(Expr e, VariableAccess va) {
   // Assignment: dereferencing or array access
@@ -30,14 +46,10 @@ predicate mayAddNullTerminator(Expr e, VariableAccess va) {
   )
   or
   // Assignment to another stack variable
-  exists(Expr e0, BasicBlock bb, int pos, BasicBlock bb0, int pos0 |
-    mayAddNullTerminatorHelper(e, va, e0) and
-    bb.getNode(pos) = e and
-    bb0.getNode(pos0) = e0
-  |
-    bb = bb0 and pos < pos0
-    or
-    bb.getASuccessor+() = bb0
+  exists(StackVariable v0, Expr e0 |
+    mayAddNullTerminatorHelper(e, va, v0) and
+    mayAddNullTerminator(pragma[only_bind_into](e0), pragma[only_bind_into](v0.getAnAccess())) and
+    controlFlowNodeSuccessorTransitive(e, e0)
   )
   or
   // Assignment to non-stack variable
@@ -119,14 +131,9 @@ predicate variableMustBeNullTerminated(VariableAccess va) {
       variableMustBeNullTerminated(use) and
       // Simplified: check that `p` may not be null terminated on *any*
       // path to `use` (including the one found via `parameterUsePair`)
-      not exists(Expr e, BasicBlock bb1, int pos1, BasicBlock bb2, int pos2 |
-        mayAddNullTerminator(e, p.getAnAccess()) and
-        bb1.getNode(pos1) = e and
-        bb2.getNode(pos2) = use
-      |
-        bb1 = bb2 and pos1 < pos2
-        or
-        bb1.getASuccessor+() = bb2
+      not exists(Expr e |
+        mayAddNullTerminator(pragma[only_bind_into](e), p.getAnAccess()) and
+        controlFlowNodeSuccessorTransitive(e, use)
       )
     )
   )

cpp/ql/lib/semmle/code/cpp/commons/Printf.qll

@@ -8,7 +8,7 @@ import semmle.code.cpp.commons.StringAnalysis
 import semmle.code.cpp.models.interfaces.FormattingFunction
 
 class PrintfFormatAttribute extends FormatAttribute {
-  PrintfFormatAttribute() { getArchetype() = ["printf", "__printf__"] }
+  PrintfFormatAttribute() { this.getArchetype() = ["printf", "__printf__"] }
 }
 
 /**
@@ -20,13 +20,13 @@ class AttributeFormattingFunction extends FormattingFunction {
 
   AttributeFormattingFunction() {
     exists(PrintfFormatAttribute printf_attrib |
-      printf_attrib = getAnAttribute() and
+      printf_attrib = this.getAnAttribute() and
       exists(printf_attrib.getFirstFormatArgIndex()) // exclude `vprintf` style format functions
     )
   }
 
   override int getFormatParameterIndex() {
-    forex(PrintfFormatAttribute printf_attrib | printf_attrib = getAnAttribute() |
+    forex(PrintfFormatAttribute printf_attrib | printf_attrib = this.getAnAttribute() |
       result = printf_attrib.getFormatIndex()
     )
   }
@@ -132,7 +132,7 @@ deprecated predicate variadicFormatter(Function f, int formatParamIndex) {
 class UserDefinedFormattingFunction extends FormattingFunction {
   override string getAPrimaryQlClass() { result = "UserDefinedFormattingFunction" }
 
-  UserDefinedFormattingFunction() { isVarargs() and callsVariadicFormatter(this, _, _, _) }
+  UserDefinedFormattingFunction() { this.isVarargs() and callsVariadicFormatter(this, _, _, _) }
 
   override int getFormatParameterIndex() { callsVariadicFormatter(this, _, result, _) }
 
@@ -175,9 +175,7 @@ class FormattingFunctionCall extends Expr {
   /**
    * Gets the index at which the format string occurs in the argument list.
    */
-  int getFormatParameterIndex() {
-    result = this.getTarget().(FormattingFunction).getFormatParameterIndex()
-  }
+  int getFormatParameterIndex() { result = this.getTarget().getFormatParameterIndex() }
 
   /**
    * Gets the format expression used in this call.
@@ -191,7 +189,7 @@ class FormattingFunctionCall extends Expr {
     exists(int i |
       result = this.getArgument(i) and
       n >= 0 and
-      n = i - getTarget().(FormattingFunction).getFirstFormatArgumentIndex()
+      n = i - this.getTarget().getFirstFormatArgumentIndex()
     )
   }
 
@@ -251,7 +249,7 @@ class FormattingFunctionCall extends Expr {
   int getNumFormatArgument() {
     result = count(this.getFormatArgument(_)) and
     // format arguments must be known
-    exists(getTarget().(FormattingFunction).getFirstFormatArgumentIndex())
+    exists(this.getTarget().getFirstFormatArgumentIndex())
   }
 
   /**
@@ -289,33 +287,27 @@ class FormatLiteral extends Literal {
    * a `char *` (either way, `%S` will have the opposite meaning).
    * DEPRECATED: Use getDefaultCharType() instead.
    */
-  deprecated predicate isWideCharDefault() {
-    getUse().getTarget().(FormattingFunction).isWideCharDefault()
-  }
+  deprecated predicate isWideCharDefault() { this.getUse().getTarget().isWideCharDefault() }
 
   /**
    * Gets the default character type expected for `%s` by this format literal.  Typically
    * `char` or `wchar_t`.
    */
-  Type getDefaultCharType() {
-    result = getUse().getTarget().(FormattingFunction).getDefaultCharType()
-  }
+  Type getDefaultCharType() { result = this.getUse().getTarget().getDefaultCharType() }
 
   /**
    * Gets the non-default character type expected for `%S` by this format literal.  Typically
    * `wchar_t` or `char`.  On some snapshots there may be multiple results where we can't tell
    * which is correct for a particular function.
    */
-  Type getNonDefaultCharType() {
-    result = getUse().getTarget().(FormattingFunction).getNonDefaultCharType()
-  }
+  Type getNonDefaultCharType() { result = this.getUse().getTarget().getNonDefaultCharType() }
 
   /**
    * Gets the wide character type for this format literal.  This is usually `wchar_t`.  On some
    * snapshots there may be multiple results where we can't tell which is correct for a
    * particular function.
    */
-  Type getWideCharType() { result = getUse().getTarget().(FormattingFunction).getWideCharType() }
+  Type getWideCharType() { result = this.getUse().getTarget().getWideCharType() }
 
   /**
    * Holds if this `FormatLiteral` is in a context that supports
@@ -353,7 +345,7 @@ class FormatLiteral extends Literal {
   }
 
   private string getFlagRegexp() {
-    if isMicrosoft() then result = "[-+ #0']*" else result = "[-+ #0'I]*"
+    if this.isMicrosoft() then result = "[-+ #0']*" else result = "[-+ #0'I]*"
   }
 
   private string getFieldWidthRegexp() { result = "(?:[1-9][0-9]*|\\*|\\*[0-9]+\\$)?" }
@@ -361,13 +353,13 @@ class FormatLiteral extends Literal {
   private string getPrecRegexp() { result = "(?:\\.(?:[0-9]*|\\*|\\*[0-9]+\\$))?" }
 
   private string getLengthRegexp() {
-    if isMicrosoft()
+    if this.isMicrosoft()
     then result = "(?:hh?|ll?|L|q|j|z|t|w|I32|I64|I)?"
     else result = "(?:hh?|ll?|L|q|j|z|Z|t)?"
   }
 
   private string getConvCharRegexp() {
-    if isMicrosoft()
+    if this.isMicrosoft()
     then result = "[aAcCdeEfFgGimnopsSuxXZ@]"
     else result = "[aAcCdeEfFgGimnopsSuxX@]"
   }
@@ -747,16 +739,16 @@ class FormatLiteral extends Literal {
    * Gets the argument type required by the nth conversion specifier.
    */
   Type getConversionType(int n) {
-    result = getConversionType1(n) or
-    result = getConversionType1b(n) or
-    result = getConversionType2(n) or
-    result = getConversionType3(n) or
-    result = getConversionType4(n) or
-    result = getConversionType6(n) or
-    result = getConversionType7(n) or
-    result = getConversionType8(n) or
-    result = getConversionType9(n) or
-    result = getConversionType10(n)
+    result = this.getConversionType1(n) or
+    result = this.getConversionType1b(n) or
+    result = this.getConversionType2(n) or
+    result = this.getConversionType3(n) or
+    result = this.getConversionType4(n) or
+    result = this.getConversionType6(n) or
+    result = this.getConversionType7(n) or
+    result = this.getConversionType8(n) or
+    result = this.getConversionType9(n) or
+    result = this.getConversionType10(n)
   }
 
   private Type getConversionType1(int n) {
@@ -786,15 +778,15 @@ class FormatLiteral extends Literal {
         or
         conv = ["c", "C"] and
         len = ["l", "w"] and
-        result = getWideCharType()
+        result = this.getWideCharType()
         or
         conv = "c" and
         (len != "l" and len != "w" and len != "h") and
-        result = getDefaultCharType()
+        result = this.getDefaultCharType()
         or
         conv = "C" and
         (len != "l" and len != "w" and len != "h") and
-        result = getNonDefaultCharType()
+        result = this.getNonDefaultCharType()
       )
     )
   }
@@ -831,15 +823,15 @@ class FormatLiteral extends Literal {
         or
         conv = ["s", "S"] and
         len = ["l", "w"] and
-        result.(PointerType).getBaseType() = getWideCharType()
+        result.(PointerType).getBaseType() = this.getWideCharType()
         or
         conv = "s" and
         (len != "l" and len != "w" and len != "h") and
-        result.(PointerType).getBaseType() = getDefaultCharType()
+        result.(PointerType).getBaseType() = this.getDefaultCharType()
         or
         conv = "S" and
         (len != "l" and len != "w" and len != "h") and
-        result.(PointerType).getBaseType() = getNonDefaultCharType()
+        result.(PointerType).getBaseType() = this.getNonDefaultCharType()
       )
     )
   }
@@ -894,19 +886,19 @@ class FormatLiteral extends Literal {
     exists(string len, string conv |
       this.parseConvSpec(n, _, _, _, _, _, len, conv) and
       (len != "l" and len != "w" and len != "h") and
-      getUse().getTarget().(FormattingFunction).getFormatCharType().getSize() > 1 and // wide function
+      this.getUse().getTarget().getFormatCharType().getSize() > 1 and // wide function
       (
         conv = "c" and
-        result = getNonDefaultCharType()
+        result = this.getNonDefaultCharType()
         or
         conv = "C" and
-        result = getDefaultCharType()
+        result = this.getDefaultCharType()
         or
         conv = "s" and
-        result.(PointerType).getBaseType() = getNonDefaultCharType()
+        result.(PointerType).getBaseType() = this.getNonDefaultCharType()
         or
         conv = "S" and
-        result.(PointerType).getBaseType() = getDefaultCharType()
+        result.(PointerType).getBaseType() = this.getDefaultCharType()
       )
     )
   }
@@ -939,9 +931,13 @@ class FormatLiteral extends Literal {
    * not account for positional arguments (`$`).
    */
   int getFormatArgumentIndexFor(int n, int mode) {
-    hasFormatArgumentIndexFor(n, mode) and
+    this.hasFormatArgumentIndexFor(n, mode) and
     (3 * n) + mode =
-      rank[result + 1](int n2, int mode2 | hasFormatArgumentIndexFor(n2, mode2) | (3 * n2) + mode2)
+      rank[result + 1](int n2, int mode2 |
+        this.hasFormatArgumentIndexFor(n2, mode2)
+      |
+        (3 * n2) + mode2
+      )
   }
 
   /**
@@ -951,7 +947,7 @@ class FormatLiteral extends Literal {
   int getNumArgNeeded(int n) {
     exists(this.getConvSpecOffset(n)) and
     exists(this.getConversionChar(n)) and
-    result = count(int mode | hasFormatArgumentIndexFor(n, mode))
+    result = count(int mode | this.hasFormatArgumentIndexFor(n, mode))
   }
 
   /**
@@ -963,7 +959,7 @@ class FormatLiteral extends Literal {
       // At least one conversion specifier has a parameter field, in which case,
       // they all should have.
       result = max(string s | this.getParameterField(_) = s + "$" | s.toInt())
-    else result = count(int n, int mode | hasFormatArgumentIndexFor(n, mode))
+    else result = count(int n, int mode | this.hasFormatArgumentIndexFor(n, mode))
   }
 
   /**
@@ -1053,10 +1049,10 @@ class FormatLiteral extends Literal {
         exists(int sizeBits |
           sizeBits =
             min(int bits |
-              bits = getIntegralDisplayType(n).getSize() * 8
+              bits = this.getIntegralDisplayType(n).getSize() * 8
               or
               exists(IntegralType t |
-                t = getUse().getConversionArgument(n).getType().getUnderlyingType()
+                t = this.getUse().getConversionArgument(n).getType().getUnderlyingType()
               |
                 t.isSigned() and bits = t.getSize() * 8
               )
@@ -1071,10 +1067,10 @@ class FormatLiteral extends Literal {
         exists(int sizeBits |
           sizeBits =
             min(int bits |
-              bits = getIntegralDisplayType(n).getSize() * 8
+              bits = this.getIntegralDisplayType(n).getSize() * 8
               or
               exists(IntegralType t |
-                t = getUse().getConversionArgument(n).getType().getUnderlyingType()
+                t = this.getUse().getConversionArgument(n).getType().getUnderlyingType()
               |
                 t.isUnsigned() and bits = t.getSize() * 8
               )
@@ -1089,26 +1085,26 @@ class FormatLiteral extends Literal {
         exists(int sizeBytes, int baseLen |
           sizeBytes =
             min(int bytes |
-              bytes = getIntegralDisplayType(n).getSize()
+              bytes = this.getIntegralDisplayType(n).getSize()
               or
               exists(IntegralType t |
-                t = getUse().getConversionArgument(n).getType().getUnderlyingType()
+                t = this.getUse().getConversionArgument(n).getType().getUnderlyingType()
               |
                 t.isUnsigned() and bytes = t.getSize()
               )
             ) and
           baseLen = sizeBytes * 2 and
           (
-            if hasAlternateFlag(n) then len = 2 + baseLen else len = baseLen // "0x"
+            if this.hasAlternateFlag(n) then len = 2 + baseLen else len = baseLen // "0x"
           )
         )
         or
         this.getConversionChar(n).toLowerCase() = "p" and
         exists(PointerType ptrType, int baseLen |
-          ptrType = getFullyConverted().getType() and
+          ptrType = this.getFullyConverted().getType() and
           baseLen = max(ptrType.getSize() * 2) and // e.g. "0x1234567812345678"; exact format is platform dependent
           (
-            if hasAlternateFlag(n) then len = 2 + baseLen else len = baseLen // "0x"
+            if this.hasAlternateFlag(n) then len = 2 + baseLen else len = baseLen // "0x"
           )
         )
         or
@@ -1117,17 +1113,17 @@ class FormatLiteral extends Literal {
         exists(int sizeBits, int baseLen |
           sizeBits =
             min(int bits |
-              bits = getIntegralDisplayType(n).getSize() * 8
+              bits = this.getIntegralDisplayType(n).getSize() * 8
               or
               exists(IntegralType t |
-                t = getUse().getConversionArgument(n).getType().getUnderlyingType()
+                t = this.getUse().getConversionArgument(n).getType().getUnderlyingType()
               |
                 t.isUnsigned() and bits = t.getSize() * 8
               )
             ) and
           baseLen = (sizeBits / 3.0).ceil() and
           (
-            if hasAlternateFlag(n) then len = 1 + baseLen else len = baseLen // "0"
+            if this.hasAlternateFlag(n) then len = 1 + baseLen else len = baseLen // "0"
           )
         )
         or
@@ -1150,8 +1146,8 @@ class FormatLiteral extends Literal {
    */
   int getMaxConvertedLengthLimited(int n) {
     if this.getConversionChar(n).toLowerCase() = "f"
-    then result = getMaxConvertedLength(n).minimum(8)
-    else result = getMaxConvertedLength(n)
+    then result = this.getMaxConvertedLength(n).minimum(8)
+    else result = this.getMaxConvertedLength(n)
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/commons/Scanf.qll

@@ -24,7 +24,7 @@ abstract class ScanfFunction extends Function {
    * Holds if the default meaning of `%s` is a `wchar_t*` string
    * (rather than a `char*`).
    */
-  predicate isWideCharDefault() { exists(getName().indexOf("wscanf")) }
+  predicate isWideCharDefault() { exists(this.getName().indexOf("wscanf")) }
 }
 
 /**
@@ -34,10 +34,10 @@ class Scanf extends ScanfFunction {
   Scanf() {
     this instanceof TopLevelFunction and
     (
-      hasGlobalOrStdOrBslName("scanf") or // scanf(format, args...)
-      hasGlobalOrStdOrBslName("wscanf") or // wscanf(format, args...)
-      hasGlobalName("_scanf_l") or // _scanf_l(format, locale, args...)
-      hasGlobalName("_wscanf_l") // _wscanf_l(format, locale, args...)
+      this.hasGlobalOrStdOrBslName("scanf") or // scanf(format, args...)
+      this.hasGlobalOrStdOrBslName("wscanf") or // wscanf(format, args...)
+      this.hasGlobalName("_scanf_l") or // _scanf_l(format, locale, args...)
+      this.hasGlobalName("_wscanf_l") // _wscanf_l(format, locale, args...)
     )
   }
 
@@ -53,10 +53,10 @@ class Fscanf extends ScanfFunction {
   Fscanf() {
     this instanceof TopLevelFunction and
     (
-      hasGlobalOrStdOrBslName("fscanf") or // fscanf(src_stream, format, args...)
-      hasGlobalOrStdOrBslName("fwscanf") or // fwscanf(src_stream, format, args...)
-      hasGlobalName("_fscanf_l") or // _fscanf_l(src_stream, format, locale, args...)
-      hasGlobalName("_fwscanf_l") // _fwscanf_l(src_stream, format, locale, args...)
+      this.hasGlobalOrStdOrBslName("fscanf") or // fscanf(src_stream, format, args...)
+      this.hasGlobalOrStdOrBslName("fwscanf") or // fwscanf(src_stream, format, args...)
+      this.hasGlobalName("_fscanf_l") or // _fscanf_l(src_stream, format, locale, args...)
+      this.hasGlobalName("_fwscanf_l") // _fwscanf_l(src_stream, format, locale, args...)
     )
   }
 
@@ -72,10 +72,10 @@ class Sscanf extends ScanfFunction {
   Sscanf() {
     this instanceof TopLevelFunction and
     (
-      hasGlobalOrStdOrBslName("sscanf") or // sscanf(src_stream, format, args...)
-      hasGlobalOrStdOrBslName("swscanf") or // swscanf(src, format, args...)
-      hasGlobalName("_sscanf_l") or // _sscanf_l(src, format, locale, args...)
-      hasGlobalName("_swscanf_l") // _swscanf_l(src, format, locale, args...)
+      this.hasGlobalOrStdOrBslName("sscanf") or // sscanf(src_stream, format, args...)
+      this.hasGlobalOrStdOrBslName("swscanf") or // swscanf(src, format, args...)
+      this.hasGlobalName("_sscanf_l") or // _sscanf_l(src, format, locale, args...)
+      this.hasGlobalName("_swscanf_l") // _swscanf_l(src, format, locale, args...)
     )
   }
 
@@ -91,10 +91,10 @@ class Snscanf extends ScanfFunction {
   Snscanf() {
     this instanceof TopLevelFunction and
     (
-      hasGlobalName("_snscanf") or // _snscanf(src, max_amount, format, args...)
-      hasGlobalName("_snwscanf") or // _snwscanf(src, max_amount, format, args...)
-      hasGlobalName("_snscanf_l") or // _snscanf_l(src, max_amount, format, locale, args...)
-      hasGlobalName("_snwscanf_l") // _snwscanf_l(src, max_amount, format, locale, args...)
+      this.hasGlobalName("_snscanf") or // _snscanf(src, max_amount, format, args...)
+      this.hasGlobalName("_snwscanf") or // _snwscanf(src, max_amount, format, args...)
+      this.hasGlobalName("_snscanf_l") or // _snscanf_l(src, max_amount, format, locale, args...)
+      this.hasGlobalName("_snwscanf_l") // _snwscanf_l(src, max_amount, format, locale, args...)
       // note that the max_amount is not a limit on the output length, it's an input length
       // limit used with non null-terminated strings.
     )
@@ -120,18 +120,18 @@ class ScanfFunctionCall extends FunctionCall {
   /**
    * Gets the `scanf`-like function that is called.
    */
-  ScanfFunction getScanfFunction() { result = getTarget() }
+  ScanfFunction getScanfFunction() { result = this.getTarget() }
 
   /**
    * Gets the position at which the input string or stream parameter occurs,
    * if this function call does not read from standard input.
    */
-  int getInputParameterIndex() { result = getScanfFunction().getInputParameterIndex() }
+  int getInputParameterIndex() { result = this.getScanfFunction().getInputParameterIndex() }
 
   /**
    * Gets the position at which the format parameter occurs.
    */
-  int getFormatParameterIndex() { result = getScanfFunction().getFormatParameterIndex() }
+  int getFormatParameterIndex() { result = this.getScanfFunction().getFormatParameterIndex() }
 
   /**
    * Gets the format expression used in this call.
@@ -142,7 +142,7 @@ class ScanfFunctionCall extends FunctionCall {
    * Holds if the default meaning of `%s` is a `wchar_t*` string
    * (rather than a `char*`).
    */
-  predicate isWideCharDefault() { getScanfFunction().isWideCharDefault() }
+  predicate isWideCharDefault() { this.getScanfFunction().isWideCharDefault() }
 }
 
 /**
@@ -158,7 +158,7 @@ class ScanfFormatLiteral extends Expr {
   ScanfFunctionCall getUse() { result.getFormat() = this }
 
   /** Holds if the default meaning of `%s` is a `wchar_t*` (rather than a `char*`). */
-  predicate isWideCharDefault() { getUse().getTarget().(ScanfFunction).isWideCharDefault() }
+  predicate isWideCharDefault() { this.getUse().getTarget().(ScanfFunction).isWideCharDefault() }
 
   /**
    * Gets the format string itself, transformed as follows:

cpp/ql/lib/semmle/code/cpp/commons/Synchronization.qll

@@ -40,8 +40,8 @@ abstract class MutexType extends Type {
    * Gets a call that locks or tries to lock any mutex of this type.
    */
   FunctionCall getLockAccess() {
-    result = getMustlockAccess() or
-    result = getTrylockAccess()
+    result = this.getMustlockAccess() or
+    result = this.getTrylockAccess()
   }
 
   /**
@@ -63,22 +63,22 @@ abstract class MutexType extends Type {
   /**
    * DEPRECATED: use mustlockAccess(fc, arg) instead.
    */
-  deprecated Function getMustlockFunction() { result = getMustlockAccess().getTarget() }
+  deprecated Function getMustlockFunction() { result = this.getMustlockAccess().getTarget() }
 
   /**
    * DEPRECATED: use trylockAccess(fc, arg) instead.
    */
-  deprecated Function getTrylockFunction() { result = getTrylockAccess().getTarget() }
+  deprecated Function getTrylockFunction() { result = this.getTrylockAccess().getTarget() }
 
   /**
    * DEPRECATED: use lockAccess(fc, arg) instead.
    */
-  deprecated Function getLockFunction() { result = getLockAccess().getTarget() }
+  deprecated Function getLockFunction() { result = this.getLockAccess().getTarget() }
 
   /**
    * DEPRECATED: use unlockAccess(fc, arg) instead.
    */
-  deprecated Function getUnlockFunction() { result = getUnlockAccess().getTarget() }
+  deprecated Function getUnlockFunction() { result = this.getUnlockAccess().getTarget() }
 }
 
 /**
@@ -155,17 +155,17 @@ class DefaultMutexType extends MutexType {
 
   override predicate mustlockAccess(FunctionCall fc, Expr arg) {
     fc.getTarget() = mustlockCandidate() and
-    lockArgType(fc, arg)
+    this.lockArgType(fc, arg)
   }
 
   override predicate trylockAccess(FunctionCall fc, Expr arg) {
     fc.getTarget() = trylockCandidate() and
-    lockArgType(fc, arg)
+    this.lockArgType(fc, arg)
   }
 
   override predicate unlockAccess(FunctionCall fc, Expr arg) {
     fc.getTarget() = unlockCandidate() and
-    lockArgType(fc, arg)
+    this.lockArgType(fc, arg)
   }
 }
 

cpp/ql/lib/semmle/code/cpp/controlflow/BasicBlocks.qll

@@ -201,7 +201,7 @@ class BasicBlock extends ControlFlowNodeBase {
   predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
   ) {
-    hasLocationInfoInternal(filepath, startline, startcolumn, filepath, endline, endcolumn)
+    this.hasLocationInfoInternal(filepath, startline, startcolumn, filepath, endline, endcolumn)
   }
 
   pragma[noinline]
@@ -276,7 +276,7 @@ class EntryBasicBlock extends BasicBlock {
  */
 class ExitBasicBlock extends BasicBlock {
   ExitBasicBlock() {
-    getEnd() instanceof Function or
-    aborting(getEnd())
+    this.getEnd() instanceof Function or
+    aborting(this.getEnd())
   }
 }

cpp/ql/lib/semmle/code/cpp/controlflow/ControlFlowGraph.qll

@@ -66,7 +66,7 @@ class ControlFlowNode extends Locatable, ControlFlowNodeBase {
    */
   ControlFlowNode getATrueSuccessor() {
     qlCFGTrueSuccessor(this, result) and
-    result = getASuccessor()
+    result = this.getASuccessor()
   }
 
   /**
@@ -75,7 +75,7 @@ class ControlFlowNode extends Locatable, ControlFlowNodeBase {
    */
   ControlFlowNode getAFalseSuccessor() {
     qlCFGFalseSuccessor(this, result) and
-    result = getASuccessor()
+    result = this.getASuccessor()
   }
 
   /** Gets the `BasicBlock` containing this control-flow node. */

cpp/ql/lib/semmle/code/cpp/controlflow/DefinitionsAndUses.qll

@@ -25,7 +25,7 @@ predicate definitionUsePair(SemanticStackVariable var, Expr def, Expr use) {
  * Holds if the definition `def` of some stack variable can reach `node`, which
  * is a definition or use, without crossing definitions of the same variable.
  */
-predicate definitionReaches(Expr def, Expr node) { def.(Def).reaches(true, _, node.(DefOrUse)) }
+predicate definitionReaches(Expr def, Expr node) { def.(Def).reaches(true, _, node) }
 
 private predicate hasAddressOfAccess(SemanticStackVariable var) {
   var.getAnAccess().isAddressOfAccessNonConst()

cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll

@@ -121,7 +121,7 @@ private class GuardConditionFromBinaryLogicalOperator extends GuardCondition {
 
   override predicate ensuresLt(Expr left, Expr right, int k, BasicBlock block, boolean isLessThan) {
     exists(boolean testIsTrue |
-      comparesLt(left, right, k, isLessThan, testIsTrue) and this.controls(block, testIsTrue)
+      this.comparesLt(left, right, k, isLessThan, testIsTrue) and this.controls(block, testIsTrue)
     )
   }
 
@@ -135,7 +135,7 @@ private class GuardConditionFromBinaryLogicalOperator extends GuardCondition {
 
   override predicate ensuresEq(Expr left, Expr right, int k, BasicBlock block, boolean areEqual) {
     exists(boolean testIsTrue |
-      comparesEq(left, right, k, areEqual, testIsTrue) and this.controls(block, testIsTrue)
+      this.comparesEq(left, right, k, areEqual, testIsTrue) and this.controls(block, testIsTrue)
     )
   }
 }
@@ -147,27 +147,29 @@ private class GuardConditionFromBinaryLogicalOperator extends GuardCondition {
 private class GuardConditionFromShortCircuitNot extends GuardCondition, NotExpr {
   GuardConditionFromShortCircuitNot() {
     not exists(Instruction inst | this.getFullyConverted() = inst.getAST()) and
-    exists(IRGuardCondition ir | getOperand() = ir.getAST())
+    exists(IRGuardCondition ir | this.getOperand() = ir.getAST())
   }
 
   override predicate controls(BasicBlock controlled, boolean testIsTrue) {
-    getOperand().(GuardCondition).controls(controlled, testIsTrue.booleanNot())
+    this.getOperand().(GuardCondition).controls(controlled, testIsTrue.booleanNot())
   }
 
   override predicate comparesLt(Expr left, Expr right, int k, boolean isLessThan, boolean testIsTrue) {
-    getOperand().(GuardCondition).comparesLt(left, right, k, isLessThan, testIsTrue.booleanNot())
+    this.getOperand()
+        .(GuardCondition)
+        .comparesLt(left, right, k, isLessThan, testIsTrue.booleanNot())
   }
 
   override predicate ensuresLt(Expr left, Expr right, int k, BasicBlock block, boolean isLessThan) {
-    getOperand().(GuardCondition).ensuresLt(left, right, k, block, isLessThan.booleanNot())
+    this.getOperand().(GuardCondition).ensuresLt(left, right, k, block, isLessThan.booleanNot())
   }
 
   override predicate comparesEq(Expr left, Expr right, int k, boolean areEqual, boolean testIsTrue) {
-    getOperand().(GuardCondition).comparesEq(left, right, k, areEqual, testIsTrue.booleanNot())
+    this.getOperand().(GuardCondition).comparesEq(left, right, k, areEqual, testIsTrue.booleanNot())
   }
 
   override predicate ensuresEq(Expr left, Expr right, int k, BasicBlock block, boolean areEqual) {
-    getOperand().(GuardCondition).ensuresEq(left, right, k, block, areEqual.booleanNot())
+    this.getOperand().(GuardCondition).ensuresEq(left, right, k, block, areEqual.booleanNot())
   }
 }
 
@@ -303,9 +305,9 @@ class IRGuardCondition extends Instruction {
   cached
   predicate controlsEdge(IRBlock pred, IRBlock succ, boolean testIsTrue) {
     pred.getASuccessor() = succ and
-    controls(pred, testIsTrue)
+    this.controls(pred, testIsTrue)
     or
-    succ = getBranchSuccessor(testIsTrue) and
+    succ = this.getBranchSuccessor(testIsTrue) and
     branch.getCondition() = this and
     branch.getBlock() = pred
   }

cpp/ql/lib/semmle/code/cpp/controlflow/LocalScopeVariableReachability.qll

@@ -73,19 +73,19 @@ abstract deprecated class LocalScopeVariableReachability extends string {
      */
 
     exists(BasicBlock bb, int i |
-      isSource(source, v) and
+      this.isSource(source, v) and
       bb.getNode(i) = source and
       not bb.isUnreachable()
     |
       exists(int j |
         j > i and
         sink = bb.getNode(j) and
-        isSink(sink, v) and
-        not exists(int k | isBarrier(bb.getNode(k), v) | k in [i + 1 .. j - 1])
+        this.isSink(sink, v) and
+        not exists(int k | this.isBarrier(bb.getNode(k), v) | k in [i + 1 .. j - 1])
       )
       or
-      not exists(int k | isBarrier(bb.getNode(k), v) | k > i) and
-      bbSuccessorEntryReaches(bb, v, sink, _)
+      not exists(int k | this.isBarrier(bb.getNode(k), v) | k > i) and
+      this.bbSuccessorEntryReaches(bb, v, sink, _)
     )
   }
 
@@ -97,11 +97,11 @@ abstract deprecated class LocalScopeVariableReachability extends string {
       bbSuccessorEntryReachesLoopInvariant(bb, succ, skipsFirstLoopAlwaysTrueUponEntry,
         succSkipsFirstLoopAlwaysTrueUponEntry)
     |
-      bbEntryReachesLocally(succ, v, node) and
+      this.bbEntryReachesLocally(succ, v, node) and
       succSkipsFirstLoopAlwaysTrueUponEntry = false
       or
-      not isBarrier(succ.getNode(_), v) and
-      bbSuccessorEntryReaches(succ, v, node, succSkipsFirstLoopAlwaysTrueUponEntry)
+      not this.isBarrier(succ.getNode(_), v) and
+      this.bbSuccessorEntryReaches(succ, v, node, succSkipsFirstLoopAlwaysTrueUponEntry)
     )
   }
 
@@ -110,7 +110,7 @@ abstract deprecated class LocalScopeVariableReachability extends string {
   ) {
     exists(int n |
       node = bb.getNode(n) and
-      isSink(node, v)
+      this.isSink(node, v)
     |
       not exists(this.firstBarrierIndexIn(bb, v))
       or
@@ -119,7 +119,7 @@ abstract deprecated class LocalScopeVariableReachability extends string {
   }
 
   private int firstBarrierIndexIn(BasicBlock bb, SemanticStackVariable v) {
-    result = min(int m | isBarrier(bb.getNode(m), v))
+    result = min(int m | this.isBarrier(bb.getNode(m), v))
   }
 }
 
@@ -271,7 +271,7 @@ abstract deprecated class LocalScopeVariableReachabilityWithReassignment extends
    * accounts for loops where the condition is provably true upon entry.
    */
   override predicate reaches(ControlFlowNode source, SemanticStackVariable v, ControlFlowNode sink) {
-    reachesTo(source, v, sink, _)
+    this.reachesTo(source, v, sink, _)
   }
 
   /**
@@ -281,21 +281,21 @@ abstract deprecated class LocalScopeVariableReachabilityWithReassignment extends
     ControlFlowNode source, SemanticStackVariable v, ControlFlowNode sink, SemanticStackVariable v0
   ) {
     exists(ControlFlowNode def |
-      actualSourceReaches(source, v, def, v0) and
+      this.actualSourceReaches(source, v, def, v0) and
       LocalScopeVariableReachability.super.reaches(def, v0, sink) and
-      isSinkActual(sink, v0)
+      this.isSinkActual(sink, v0)
     )
   }
 
   private predicate actualSourceReaches(
     ControlFlowNode source, SemanticStackVariable v, ControlFlowNode def, SemanticStackVariable v0
   ) {
-    isSourceActual(source, v) and def = source and v0 = v
+    this.isSourceActual(source, v) and def = source and v0 = v
     or
     exists(ControlFlowNode source1, SemanticStackVariable v1 |
-      actualSourceReaches(source, v, source1, v1)
+      this.actualSourceReaches(source, v, source1, v1)
     |
-      reassignment(source1, v1, def, v0)
+      this.reassignment(source1, v1, def, v0)
     )
   }
 
@@ -307,14 +307,14 @@ abstract deprecated class LocalScopeVariableReachabilityWithReassignment extends
   }
 
   final override predicate isSource(ControlFlowNode node, LocalScopeVariable v) {
-    isSourceActual(node, v)
+    this.isSourceActual(node, v)
     or
     // Reassignment generates a new (non-actual) source
-    reassignment(_, _, node, v)
+    this.reassignment(_, _, node, v)
   }
 
   final override predicate isSink(ControlFlowNode node, LocalScopeVariable v) {
-    isSinkActual(node, v)
+    this.isSinkActual(node, v)
     or
     // Reassignment generates a new (non-actual) sink
     exprDefinition(_, node, v.getAnAccess())
@@ -347,21 +347,21 @@ abstract deprecated class LocalScopeVariableReachabilityExt extends string {
   /** See `LocalScopeVariableReachability.reaches`. */
   predicate reaches(ControlFlowNode source, SemanticStackVariable v, ControlFlowNode sink) {
     exists(BasicBlock bb, int i |
-      isSource(source, v) and
+      this.isSource(source, v) and
       bb.getNode(i) = source and
       not bb.isUnreachable()
     |
       exists(int j |
         j > i and
         sink = bb.getNode(j) and
-        isSink(sink, v) and
-        not exists(int k | isBarrier(source, bb.getNode(k), bb.getNode(k + 1), v) |
+        this.isSink(sink, v) and
+        not exists(int k | this.isBarrier(source, bb.getNode(k), bb.getNode(k + 1), v) |
           k in [i .. j - 1]
         )
       )
       or
-      not exists(int k | isBarrier(source, bb.getNode(k), bb.getNode(k + 1), v) | k >= i) and
-      bbSuccessorEntryReaches(source, bb, v, sink, _)
+      not exists(int k | this.isBarrier(source, bb.getNode(k), bb.getNode(k + 1), v) | k >= i) and
+      this.bbSuccessorEntryReaches(source, bb, v, sink, _)
     )
   }
 
@@ -372,22 +372,22 @@ abstract deprecated class LocalScopeVariableReachabilityExt extends string {
     exists(BasicBlock succ, boolean succSkipsFirstLoopAlwaysTrueUponEntry |
       bbSuccessorEntryReachesLoopInvariant(bb, succ, skipsFirstLoopAlwaysTrueUponEntry,
         succSkipsFirstLoopAlwaysTrueUponEntry) and
-      not isBarrier(source, bb.getEnd(), succ.getStart(), v)
+      not this.isBarrier(source, bb.getEnd(), succ.getStart(), v)
     |
-      bbEntryReachesLocally(source, succ, v, node) and
+      this.bbEntryReachesLocally(source, succ, v, node) and
       succSkipsFirstLoopAlwaysTrueUponEntry = false
       or
-      not exists(int k | isBarrier(source, succ.getNode(k), succ.getNode(k + 1), v)) and
-      bbSuccessorEntryReaches(source, succ, v, node, succSkipsFirstLoopAlwaysTrueUponEntry)
+      not exists(int k | this.isBarrier(source, succ.getNode(k), succ.getNode(k + 1), v)) and
+      this.bbSuccessorEntryReaches(source, succ, v, node, succSkipsFirstLoopAlwaysTrueUponEntry)
     )
   }
 
   private predicate bbEntryReachesLocally(
     ControlFlowNode source, BasicBlock bb, SemanticStackVariable v, ControlFlowNode node
   ) {
-    isSource(source, v) and
-    exists(int n | node = bb.getNode(n) and isSink(node, v) |
-      not exists(int m | m < n | isBarrier(source, bb.getNode(m), bb.getNode(m + 1), v))
+    this.isSource(source, v) and
+    exists(int n | node = bb.getNode(n) and this.isSink(node, v) |
+      not exists(int m | m < n | this.isBarrier(source, bb.getNode(m), bb.getNode(m + 1), v))
     )
   }
 }

cpp/ql/lib/semmle/code/cpp/controlflow/SSA.qll

@@ -59,10 +59,10 @@ class SsaDefinition extends ControlFlowNodeBase {
   ControlFlowNode getDefinition() { result = this }
 
   /** Gets the `BasicBlock` containing this definition. */
-  BasicBlock getBasicBlock() { result.contains(getDefinition()) }
+  BasicBlock getBasicBlock() { result.contains(this.getDefinition()) }
 
   /** Holds if this definition is a phi node for variable `v`. */
-  predicate isPhiNode(StackVariable v) { exists(StandardSSA x | x.phi_node(v, this.(BasicBlock))) }
+  predicate isPhiNode(StackVariable v) { exists(StandardSSA x | x.phi_node(v, this)) }
 
   /** Gets the location of this definition. */
   Location getLocation() { result = this.(ControlFlowNode).getLocation() }

cpp/ql/lib/semmle/code/cpp/controlflow/SSAUtils.qll

@@ -292,7 +292,7 @@ library class SSAHelper extends int {
    */
   cached
   string toString(ControlFlowNode node, StackVariable v) {
-    if phi_node(v, node.(BasicBlock))
+    if phi_node(v, node)
     then result = "SSA phi(" + v.getName() + ")"
     else (
       ssa_defn(v, node, _, _) and result = "SSA def(" + v.getName() + ")"

cpp/ql/lib/semmle/code/cpp/controlflow/StackVariableReachability.qll

@@ -72,19 +72,19 @@ abstract class StackVariableReachability extends string {
      */
 
     exists(BasicBlock bb, int i |
-      isSource(source, v) and
+      this.isSource(source, v) and
       bb.getNode(i) = source and
       not bb.isUnreachable()
     |
       exists(int j |
         j > i and
         sink = bb.getNode(j) and
-        isSink(sink, v) and
-        not exists(int k | isBarrier(bb.getNode(k), v) | k in [i + 1 .. j - 1])
+        this.isSink(sink, v) and
+        not exists(int k | this.isBarrier(bb.getNode(k), v) | k in [i + 1 .. j - 1])
       )
       or
-      not exists(int k | isBarrier(bb.getNode(k), v) | k > i) and
-      bbSuccessorEntryReaches(bb, v, sink, _)
+      not exists(int k | this.isBarrier(bb.getNode(k), v) | k > i) and
+      this.bbSuccessorEntryReaches(bb, v, sink, _)
     )
   }
 
@@ -96,11 +96,11 @@ abstract class StackVariableReachability extends string {
       bbSuccessorEntryReachesLoopInvariant(bb, succ, skipsFirstLoopAlwaysTrueUponEntry,
         succSkipsFirstLoopAlwaysTrueUponEntry)
     |
-      bbEntryReachesLocally(succ, v, node) and
+      this.bbEntryReachesLocally(succ, v, node) and
       succSkipsFirstLoopAlwaysTrueUponEntry = false
       or
-      not isBarrier(succ.getNode(_), v) and
-      bbSuccessorEntryReaches(succ, v, node, succSkipsFirstLoopAlwaysTrueUponEntry)
+      not this.isBarrier(succ.getNode(_), v) and
+      this.bbSuccessorEntryReaches(succ, v, node, succSkipsFirstLoopAlwaysTrueUponEntry)
     )
   }
 
@@ -109,7 +109,7 @@ abstract class StackVariableReachability extends string {
   ) {
     exists(int n |
       node = bb.getNode(n) and
-      isSink(node, v)
+      this.isSink(node, v)
     |
       not exists(this.firstBarrierIndexIn(bb, v))
       or
@@ -118,7 +118,7 @@ abstract class StackVariableReachability extends string {
   }
 
   private int firstBarrierIndexIn(BasicBlock bb, SemanticStackVariable v) {
-    result = min(int m | isBarrier(bb.getNode(m), v))
+    result = min(int m | this.isBarrier(bb.getNode(m), v))
   }
 }
 
@@ -268,7 +268,7 @@ abstract class StackVariableReachabilityWithReassignment extends StackVariableRe
    * accounts for loops where the condition is provably true upon entry.
    */
   override predicate reaches(ControlFlowNode source, SemanticStackVariable v, ControlFlowNode sink) {
-    reachesTo(source, v, sink, _)
+    this.reachesTo(source, v, sink, _)
   }
 
   /**
@@ -278,21 +278,21 @@ abstract class StackVariableReachabilityWithReassignment extends StackVariableRe
     ControlFlowNode source, SemanticStackVariable v, ControlFlowNode sink, SemanticStackVariable v0
   ) {
     exists(ControlFlowNode def |
-      actualSourceReaches(source, v, def, v0) and
+      this.actualSourceReaches(source, v, def, v0) and
       StackVariableReachability.super.reaches(def, v0, sink) and
-      isSinkActual(sink, v0)
+      this.isSinkActual(sink, v0)
     )
   }
 
   private predicate actualSourceReaches(
     ControlFlowNode source, SemanticStackVariable v, ControlFlowNode def, SemanticStackVariable v0
   ) {
-    isSourceActual(source, v) and def = source and v0 = v
+    this.isSourceActual(source, v) and def = source and v0 = v
     or
     exists(ControlFlowNode source1, SemanticStackVariable v1 |
-      actualSourceReaches(source, v, source1, v1)
+      this.actualSourceReaches(source, v, source1, v1)
     |
-      reassignment(source1, v1, def, v0)
+      this.reassignment(source1, v1, def, v0)
     )
   }
 
@@ -304,14 +304,14 @@ abstract class StackVariableReachabilityWithReassignment extends StackVariableRe
   }
 
   final override predicate isSource(ControlFlowNode node, StackVariable v) {
-    isSourceActual(node, v)
+    this.isSourceActual(node, v)
     or
     // Reassignment generates a new (non-actual) source
-    reassignment(_, _, node, v)
+    this.reassignment(_, _, node, v)
   }
 
   final override predicate isSink(ControlFlowNode node, StackVariable v) {
-    isSinkActual(node, v)
+    this.isSinkActual(node, v)
     or
     // Reassignment generates a new (non-actual) sink
     exprDefinition(_, node, v.getAnAccess())
@@ -342,21 +342,21 @@ abstract class StackVariableReachabilityExt extends string {
   /** See `StackVariableReachability.reaches`. */
   predicate reaches(ControlFlowNode source, SemanticStackVariable v, ControlFlowNode sink) {
     exists(BasicBlock bb, int i |
-      isSource(source, v) and
+      this.isSource(source, v) and
       bb.getNode(i) = source and
       not bb.isUnreachable()
     |
       exists(int j |
         j > i and
         sink = bb.getNode(j) and
-        isSink(sink, v) and
-        not exists(int k | isBarrier(source, bb.getNode(k), bb.getNode(k + 1), v) |
+        this.isSink(sink, v) and
+        not exists(int k | this.isBarrier(source, bb.getNode(k), bb.getNode(k + 1), v) |
           k in [i .. j - 1]
         )
       )
       or
-      not exists(int k | isBarrier(source, bb.getNode(k), bb.getNode(k + 1), v) | k >= i) and
-      bbSuccessorEntryReaches(source, bb, v, sink, _)
+      not exists(int k | this.isBarrier(source, bb.getNode(k), bb.getNode(k + 1), v) | k >= i) and
+      this.bbSuccessorEntryReaches(source, bb, v, sink, _)
     )
   }
 
@@ -367,22 +367,22 @@ abstract class StackVariableReachabilityExt extends string {
     exists(BasicBlock succ, boolean succSkipsFirstLoopAlwaysTrueUponEntry |
       bbSuccessorEntryReachesLoopInvariant(bb, succ, skipsFirstLoopAlwaysTrueUponEntry,
         succSkipsFirstLoopAlwaysTrueUponEntry) and
-      not isBarrier(source, bb.getEnd(), succ.getStart(), v)
+      not this.isBarrier(source, bb.getEnd(), succ.getStart(), v)
     |
-      bbEntryReachesLocally(source, succ, v, node) and
+      this.bbEntryReachesLocally(source, succ, v, node) and
       succSkipsFirstLoopAlwaysTrueUponEntry = false
       or
-      not exists(int k | isBarrier(source, succ.getNode(k), succ.getNode(k + 1), v)) and
-      bbSuccessorEntryReaches(source, succ, v, node, succSkipsFirstLoopAlwaysTrueUponEntry)
+      not exists(int k | this.isBarrier(source, succ.getNode(k), succ.getNode(k + 1), v)) and
+      this.bbSuccessorEntryReaches(source, succ, v, node, succSkipsFirstLoopAlwaysTrueUponEntry)
     )
   }
 
   private predicate bbEntryReachesLocally(
     ControlFlowNode source, BasicBlock bb, SemanticStackVariable v, ControlFlowNode node
   ) {
-    isSource(source, v) and
-    exists(int n | node = bb.getNode(n) and isSink(node, v) |
-      not exists(int m | m < n | isBarrier(source, bb.getNode(m), bb.getNode(m + 1), v))
+    this.isSource(source, v) and
+    exists(int n | node = bb.getNode(n) and this.isSink(node, v) |
+      not exists(int m | m < n | this.isBarrier(source, bb.getNode(m), bb.getNode(m + 1), v))
     )
   }
 }

cpp/ql/lib/semmle/code/cpp/controlflow/SubBasicBlocks.qll

@@ -80,7 +80,7 @@ class SubBasicBlock extends ControlFlowNodeBase {
    * returns a 0-based position, while `getRankInBasicBlock` returns a 1-based
    * position.
    */
-  deprecated int getPosInBasicBlock(BasicBlock bb) { result = getRankInBasicBlock(bb) - 1 }
+  deprecated int getPosInBasicBlock(BasicBlock bb) { result = this.getRankInBasicBlock(bb) - 1 }
 
   pragma[noinline]
   private int getIndexInBasicBlock(BasicBlock bb) { this = bb.getNode(result) }
@@ -102,7 +102,7 @@ class SubBasicBlock extends ControlFlowNodeBase {
     exists(BasicBlock bb |
       exists(int outerIndex |
         result = bb.getNode(outerIndex) and
-        index = outerToInnerIndex(bb, outerIndex)
+        index = this.outerToInnerIndex(bb, outerIndex)
       )
     )
   }

cpp/ql/lib/semmle/code/cpp/controlflow/internal/CFG.qll

@@ -231,7 +231,7 @@ private class PostOrderInitializer extends Initializer {
       or
       this.getDeclaration() = for.getRangeVariable()
       or
-      this.getDeclaration() = for.getBeginEndDeclaration().(DeclStmt).getADeclaration()
+      this.getDeclaration() = for.getBeginEndDeclaration().getADeclaration()
     )
   }
 }
@@ -1143,7 +1143,7 @@ private class ExceptionSource extends Node {
       this.reachesParent(mid) and
       not mid = any(TryStmt try).getStmt() and
       not mid = any(MicrosoftTryStmt try).getStmt() and
-      parent = mid.(Node).getParentNode()
+      parent = mid.getParentNode()
     )
   }
 

cpp/ql/lib/semmle/code/cpp/controlflow/internal/ConstantExprs.qll

@@ -385,7 +385,7 @@ library class ExprEvaluator extends int {
   abstract predicate interesting(Expr e);
 
   /** Gets the value of (interesting) expression `e`, if any. */
-  int getValue(Expr e) { result = getValueInternal(e, e) }
+  int getValue(Expr e) { result = this.getValueInternal(e, e) }
 
   /**
    * When evaluating a syntactic subexpression of `e`, we may
@@ -425,9 +425,9 @@ library class ExprEvaluator extends int {
    * calculates the values bottom-up.
    */
   predicate interestingInternal(Expr e, Expr req, boolean sub) {
-    interesting(e) and req = e and sub = true
+    this.interesting(e) and req = e and sub = true
     or
-    exists(Expr mid | interestingInternal(e, mid, sub) |
+    exists(Expr mid | this.interestingInternal(e, mid, sub) |
       req = mid.(NotExpr).getOperand() or
       req = mid.(BinaryLogicalOperation).getAnOperand() or
       req = mid.(RelationalOperation).getAnOperand() or
@@ -442,36 +442,36 @@ library class ExprEvaluator extends int {
     )
     or
     exists(VariableAccess va, Variable v, boolean sub1 |
-      interestingVariableAccess(e, va, v, sub1) and
+      this.interestingVariableAccess(e, va, v, sub1) and
       req = v.getAnAssignedValue() and
-      (sub1 = true implies not ignoreVariableAssignment(e, v, req)) and
+      (sub1 = true implies not this.ignoreVariableAssignment(e, v, req)) and
       sub = false
     )
     or
     exists(Function f |
-      interestingFunction(e, f) and
+      this.interestingFunction(e, f) and
       returnStmt(f, req) and
       sub = false
     )
   }
 
   private predicate interestingVariableAccess(Expr e, VariableAccess va, Variable v, boolean sub) {
-    interestingInternal(e, va, sub) and
+    this.interestingInternal(e, va, sub) and
     v = getVariableTarget(va) and
     (
       v.hasInitializer()
       or
-      sub = true and allowVariableWithoutInitializer(e, v)
+      sub = true and this.allowVariableWithoutInitializer(e, v)
     ) and
     tractableVariable(v) and
     forall(StmtParent def | nonAnalyzableVariableDefinition(v, def) |
       sub = true and
-      ignoreNonAnalyzableVariableDefinition(e, v, def)
+      this.ignoreNonAnalyzableVariableDefinition(e, v, def)
     )
   }
 
   private predicate interestingFunction(Expr e, Function f) {
-    exists(FunctionCall fc | interestingInternal(e, fc, _) |
+    exists(FunctionCall fc | this.interestingInternal(e, fc, _) |
       f = fc.getTarget() and
       not obviouslyNonConstant(f) and
       not f.getUnspecifiedType() instanceof VoidType
@@ -481,10 +481,10 @@ library class ExprEvaluator extends int {
   /** Gets the value of subexpressions `req` for expression `e`, if any. */
   private int getValueInternal(Expr e, Expr req) {
     (
-      interestingInternal(e, req, true) and
+      this.interestingInternal(e, req, true) and
       (
         result = req.(CompileTimeConstantInt).getIntValue() or
-        result = getCompoundValue(e, req.(CompileTimeVariableExpr))
+        result = this.getCompoundValue(e, req)
       ) and
       (
         req.getUnderlyingType().(IntegralType).isSigned() or
@@ -495,109 +495,126 @@ library class ExprEvaluator extends int {
 
   /** Gets the value of compound subexpressions `val` for expression `e`, if any. */
   private int getCompoundValue(Expr e, CompileTimeVariableExpr val) {
-    interestingInternal(e, val, true) and
+    this.interestingInternal(e, val, true) and
     (
       exists(NotExpr req | req = val |
-        result = 1 and getValueInternal(e, req.getOperand()) = 0
+        result = 1 and this.getValueInternal(e, req.getOperand()) = 0
         or
-        result = 0 and getValueInternal(e, req.getOperand()) != 0
+        result = 0 and this.getValueInternal(e, req.getOperand()) != 0
       )
       or
       exists(LogicalAndExpr req | req = val |
         result = 1 and
-        getValueInternal(e, req.getLeftOperand()) != 0 and
-        getValueInternal(e, req.getRightOperand()) != 0
+        this.getValueInternal(e, req.getLeftOperand()) != 0 and
+        this.getValueInternal(e, req.getRightOperand()) != 0
         or
-        result = 0 and getValueInternal(e, req.getAnOperand()) = 0
+        result = 0 and this.getValueInternal(e, req.getAnOperand()) = 0
       )
       or
       exists(LogicalOrExpr req | req = val |
-        result = 1 and getValueInternal(e, req.getAnOperand()) != 0
+        result = 1 and this.getValueInternal(e, req.getAnOperand()) != 0
         or
         result = 0 and
-        getValueInternal(e, req.getLeftOperand()) = 0 and
-        getValueInternal(e, req.getRightOperand()) = 0
+        this.getValueInternal(e, req.getLeftOperand()) = 0 and
+        this.getValueInternal(e, req.getRightOperand()) = 0
       )
       or
       exists(LTExpr req | req = val |
         result = 1 and
-        getValueInternal(e, req.getLeftOperand()) < getValueInternal(e, req.getRightOperand())
+        this.getValueInternal(e, req.getLeftOperand()) <
+          this.getValueInternal(e, req.getRightOperand())
         or
         result = 0 and
-        getValueInternal(e, req.getLeftOperand()) >= getValueInternal(e, req.getRightOperand())
+        this.getValueInternal(e, req.getLeftOperand()) >=
+          this.getValueInternal(e, req.getRightOperand())
       )
       or
       exists(GTExpr req | req = val |
         result = 1 and
-        getValueInternal(e, req.getLeftOperand()) > getValueInternal(e, req.getRightOperand())
+        this.getValueInternal(e, req.getLeftOperand()) >
+          this.getValueInternal(e, req.getRightOperand())
         or
         result = 0 and
-        getValueInternal(e, req.getLeftOperand()) <= getValueInternal(e, req.getRightOperand())
+        this.getValueInternal(e, req.getLeftOperand()) <=
+          this.getValueInternal(e, req.getRightOperand())
       )
       or
       exists(LEExpr req | req = val |
         result = 1 and
-        getValueInternal(e, req.getLeftOperand()) <= getValueInternal(e, req.getRightOperand())
+        this.getValueInternal(e, req.getLeftOperand()) <=
+          this.getValueInternal(e, req.getRightOperand())
         or
         result = 0 and
-        getValueInternal(e, req.getLeftOperand()) > getValueInternal(e, req.getRightOperand())
+        this.getValueInternal(e, req.getLeftOperand()) >
+          this.getValueInternal(e, req.getRightOperand())
       )
       or
       exists(GEExpr req | req = val |
         result = 1 and
-        getValueInternal(e, req.getLeftOperand()) >= getValueInternal(e, req.getRightOperand())
+        this.getValueInternal(e, req.getLeftOperand()) >=
+          this.getValueInternal(e, req.getRightOperand())
         or
         result = 0 and
-        getValueInternal(e, req.getLeftOperand()) < getValueInternal(e, req.getRightOperand())
+        this.getValueInternal(e, req.getLeftOperand()) <
+          this.getValueInternal(e, req.getRightOperand())
       )
       or
       exists(EQExpr req | req = val |
         result = 1 and
-        getValueInternal(e, req.getLeftOperand()) = getValueInternal(e, req.getRightOperand())
+        this.getValueInternal(e, req.getLeftOperand()) =
+          this.getValueInternal(e, req.getRightOperand())
         or
         result = 0 and
-        getValueInternal(e, req.getLeftOperand()) != getValueInternal(e, req.getRightOperand())
+        this.getValueInternal(e, req.getLeftOperand()) !=
+          this.getValueInternal(e, req.getRightOperand())
       )
       or
       exists(NEExpr req | req = val |
         result = 0 and
-        getValueInternal(e, req.getLeftOperand()) = getValueInternal(e, req.getRightOperand())
+        this.getValueInternal(e, req.getLeftOperand()) =
+          this.getValueInternal(e, req.getRightOperand())
         or
         result = 1 and
-        getValueInternal(e, req.getLeftOperand()) != getValueInternal(e, req.getRightOperand())
+        this.getValueInternal(e, req.getLeftOperand()) !=
+          this.getValueInternal(e, req.getRightOperand())
       )
       or
       exists(AddExpr req | req = val |
         result =
-          getValueInternal(e, req.getLeftOperand()) + getValueInternal(e, req.getRightOperand())
+          this.getValueInternal(e, req.getLeftOperand()) +
+            this.getValueInternal(e, req.getRightOperand())
       )
       or
       exists(SubExpr req | req = val |
         result =
-          getValueInternal(e, req.getLeftOperand()) - getValueInternal(e, req.getRightOperand())
+          this.getValueInternal(e, req.getLeftOperand()) -
+            this.getValueInternal(e, req.getRightOperand())
       )
       or
       exists(MulExpr req | req = val |
         result =
-          getValueInternal(e, req.getLeftOperand()) * getValueInternal(e, req.getRightOperand())
+          this.getValueInternal(e, req.getLeftOperand()) *
+            this.getValueInternal(e, req.getRightOperand())
       )
       or
       exists(RemExpr req | req = val |
         result =
-          getValueInternal(e, req.getLeftOperand()) % getValueInternal(e, req.getRightOperand())
+          this.getValueInternal(e, req.getLeftOperand()) %
+            this.getValueInternal(e, req.getRightOperand())
       )
       or
       exists(DivExpr req | req = val |
         result =
-          getValueInternal(e, req.getLeftOperand()) / getValueInternal(e, req.getRightOperand())
+          this.getValueInternal(e, req.getLeftOperand()) /
+            this.getValueInternal(e, req.getRightOperand())
       )
       or
-      exists(AssignExpr req | req = val | result = getValueInternal(e, req.getRValue()))
+      exists(AssignExpr req | req = val | result = this.getValueInternal(e, req.getRValue()))
       or
-      result = getVariableValue(e, val.(VariableAccess))
+      result = this.getVariableValue(e, val)
       or
       exists(FunctionCall call | call = val and not callWithMultipleTargets(call) |
-        result = getFunctionValue(call.getTarget())
+        result = this.getFunctionValue(call.getTarget())
       )
     )
   }
@@ -605,7 +622,7 @@ library class ExprEvaluator extends int {
   language[monotonicAggregates]
   private int getVariableValue(Expr e, VariableAccess va) {
     exists(Variable v |
-      interestingVariableAccess(e, va, v, true) and
+      this.interestingVariableAccess(e, va, v, true) and
       // All assignments must have the same int value
       result =
         unique(Expr value |
@@ -619,14 +636,16 @@ library class ExprEvaluator extends int {
   /** Holds if the function `f` is considered by the analysis and may return `ret`. */
   pragma[noinline]
   private predicate interestingReturnValue(Function f, Expr ret) {
-    interestingFunction(_, f) and
+    this.interestingFunction(_, f) and
     returnStmt(f, ret)
   }
 
   private int getFunctionValue(Function f) {
     // All returns must have the same int value
     // And it must have at least one return
-    forex(Expr ret | interestingReturnValue(f, ret) | result = getValueInternalNonSubExpr(ret))
+    forex(Expr ret | this.interestingReturnValue(f, ret) |
+      result = this.getValueInternalNonSubExpr(ret)
+    )
   }
 
   /**
@@ -641,10 +660,10 @@ library class ExprEvaluator extends int {
    * omitted).
    */
   private int getValueInternalNonSubExpr(Expr req) {
-    interestingInternal(_, req, false) and
+    this.interestingInternal(_, req, false) and
     (
       result = req.(CompileTimeConstantInt).getIntValue() or
-      result = getCompoundValueNonSubExpr(req.(CompileTimeVariableExpr))
+      result = this.getCompoundValueNonSubExpr(req)
     ) and
     (
       req.getUnderlyingType().(IntegralType).isSigned() or
@@ -655,131 +674,131 @@ library class ExprEvaluator extends int {
   private int getCompoundValueNonSubExpr(CompileTimeVariableExpr val) {
     (
       exists(NotExpr req | req = val |
-        result = 1 and getValueInternalNonSubExpr(req.getOperand()) = 0
+        result = 1 and this.getValueInternalNonSubExpr(req.getOperand()) = 0
         or
-        result = 0 and getValueInternalNonSubExpr(req.getOperand()) != 0
+        result = 0 and this.getValueInternalNonSubExpr(req.getOperand()) != 0
       )
       or
       exists(LogicalAndExpr req | req = val |
         result = 1 and
-        getValueInternalNonSubExpr(req.getLeftOperand()) != 0 and
-        getValueInternalNonSubExpr(req.getRightOperand()) != 0
+        this.getValueInternalNonSubExpr(req.getLeftOperand()) != 0 and
+        this.getValueInternalNonSubExpr(req.getRightOperand()) != 0
         or
-        result = 0 and getValueInternalNonSubExpr(req.getAnOperand()) = 0
+        result = 0 and this.getValueInternalNonSubExpr(req.getAnOperand()) = 0
       )
       or
       exists(LogicalOrExpr req | req = val |
-        result = 1 and getValueInternalNonSubExpr(req.getAnOperand()) != 0
+        result = 1 and this.getValueInternalNonSubExpr(req.getAnOperand()) != 0
         or
         result = 0 and
-        getValueInternalNonSubExpr(req.getLeftOperand()) = 0 and
-        getValueInternalNonSubExpr(req.getRightOperand()) = 0
+        this.getValueInternalNonSubExpr(req.getLeftOperand()) = 0 and
+        this.getValueInternalNonSubExpr(req.getRightOperand()) = 0
       )
       or
       exists(LTExpr req | req = val |
         result = 1 and
-        getValueInternalNonSubExpr(req.getLeftOperand()) <
-          getValueInternalNonSubExpr(req.getRightOperand())
+        this.getValueInternalNonSubExpr(req.getLeftOperand()) <
+          this.getValueInternalNonSubExpr(req.getRightOperand())
         or
         result = 0 and
-        getValueInternalNonSubExpr(req.getLeftOperand()) >=
-          getValueInternalNonSubExpr(req.getRightOperand())
+        this.getValueInternalNonSubExpr(req.getLeftOperand()) >=
+          this.getValueInternalNonSubExpr(req.getRightOperand())
       )
       or
       exists(GTExpr req | req = val |
         result = 1 and
-        getValueInternalNonSubExpr(req.getLeftOperand()) >
-          getValueInternalNonSubExpr(req.getRightOperand())
+        this.getValueInternalNonSubExpr(req.getLeftOperand()) >
+          this.getValueInternalNonSubExpr(req.getRightOperand())
         or
         result = 0 and
-        getValueInternalNonSubExpr(req.getLeftOperand()) <=
-          getValueInternalNonSubExpr(req.getRightOperand())
+        this.getValueInternalNonSubExpr(req.getLeftOperand()) <=
+          this.getValueInternalNonSubExpr(req.getRightOperand())
       )
       or
       exists(LEExpr req | req = val |
         result = 1 and
-        getValueInternalNonSubExpr(req.getLeftOperand()) <=
-          getValueInternalNonSubExpr(req.getRightOperand())
+        this.getValueInternalNonSubExpr(req.getLeftOperand()) <=
+          this.getValueInternalNonSubExpr(req.getRightOperand())
         or
         result = 0 and
-        getValueInternalNonSubExpr(req.getLeftOperand()) >
-          getValueInternalNonSubExpr(req.getRightOperand())
+        this.getValueInternalNonSubExpr(req.getLeftOperand()) >
+          this.getValueInternalNonSubExpr(req.getRightOperand())
       )
       or
       exists(GEExpr req | req = val |
         result = 1 and
-        getValueInternalNonSubExpr(req.getLeftOperand()) >=
-          getValueInternalNonSubExpr(req.getRightOperand())
+        this.getValueInternalNonSubExpr(req.getLeftOperand()) >=
+          this.getValueInternalNonSubExpr(req.getRightOperand())
         or
         result = 0 and
-        getValueInternalNonSubExpr(req.getLeftOperand()) <
-          getValueInternalNonSubExpr(req.getRightOperand())
+        this.getValueInternalNonSubExpr(req.getLeftOperand()) <
+          this.getValueInternalNonSubExpr(req.getRightOperand())
       )
       or
       exists(EQExpr req | req = val |
         result = 1 and
-        getValueInternalNonSubExpr(req.getLeftOperand()) =
-          getValueInternalNonSubExpr(req.getRightOperand())
+        this.getValueInternalNonSubExpr(req.getLeftOperand()) =
+          this.getValueInternalNonSubExpr(req.getRightOperand())
         or
         result = 0 and
-        getValueInternalNonSubExpr(req.getLeftOperand()) !=
-          getValueInternalNonSubExpr(req.getRightOperand())
+        this.getValueInternalNonSubExpr(req.getLeftOperand()) !=
+          this.getValueInternalNonSubExpr(req.getRightOperand())
       )
       or
       exists(NEExpr req | req = val |
         result = 0 and
-        getValueInternalNonSubExpr(req.getLeftOperand()) =
-          getValueInternalNonSubExpr(req.getRightOperand())
+        this.getValueInternalNonSubExpr(req.getLeftOperand()) =
+          this.getValueInternalNonSubExpr(req.getRightOperand())
         or
         result = 1 and
-        getValueInternalNonSubExpr(req.getLeftOperand()) !=
-          getValueInternalNonSubExpr(req.getRightOperand())
+        this.getValueInternalNonSubExpr(req.getLeftOperand()) !=
+          this.getValueInternalNonSubExpr(req.getRightOperand())
       )
       or
       exists(AddExpr req | req = val |
         result =
-          getValueInternalNonSubExpr(req.getLeftOperand()) +
-            getValueInternalNonSubExpr(req.getRightOperand())
+          this.getValueInternalNonSubExpr(req.getLeftOperand()) +
+            this.getValueInternalNonSubExpr(req.getRightOperand())
       )
       or
       exists(SubExpr req | req = val |
         result =
-          getValueInternalNonSubExpr(req.getLeftOperand()) -
-            getValueInternalNonSubExpr(req.getRightOperand())
+          this.getValueInternalNonSubExpr(req.getLeftOperand()) -
+            this.getValueInternalNonSubExpr(req.getRightOperand())
       )
       or
       exists(MulExpr req | req = val |
         result =
-          getValueInternalNonSubExpr(req.getLeftOperand()) *
-            getValueInternalNonSubExpr(req.getRightOperand())
+          this.getValueInternalNonSubExpr(req.getLeftOperand()) *
+            this.getValueInternalNonSubExpr(req.getRightOperand())
       )
       or
       exists(RemExpr req | req = val |
         result =
-          getValueInternalNonSubExpr(req.getLeftOperand()) %
-            getValueInternalNonSubExpr(req.getRightOperand())
+          this.getValueInternalNonSubExpr(req.getLeftOperand()) %
+            this.getValueInternalNonSubExpr(req.getRightOperand())
       )
       or
       exists(DivExpr req | req = val |
         result =
-          getValueInternalNonSubExpr(req.getLeftOperand()) /
-            getValueInternalNonSubExpr(req.getRightOperand())
+          this.getValueInternalNonSubExpr(req.getLeftOperand()) /
+            this.getValueInternalNonSubExpr(req.getRightOperand())
       )
       or
-      exists(AssignExpr req | req = val | result = getValueInternalNonSubExpr(req.getRValue()))
+      exists(AssignExpr req | req = val | result = this.getValueInternalNonSubExpr(req.getRValue()))
       or
-      result = getVariableValueNonSubExpr(val.(VariableAccess))
+      result = this.getVariableValueNonSubExpr(val)
       or
       exists(FunctionCall call | call = val and not callWithMultipleTargets(call) |
-        result = getFunctionValue(call.getTarget())
+        result = this.getFunctionValue(call.getTarget())
       )
     )
   }
 
   private int getVariableValueNonSubExpr(VariableAccess va) {
     // All assignments must have the same int value
-    result = getMinVariableValueNonSubExpr(va) and
-    result = getMaxVariableValueNonSubExpr(va)
+    result = this.getMinVariableValueNonSubExpr(va) and
+    result = this.getMaxVariableValueNonSubExpr(va)
   }
 
   /**
@@ -790,8 +809,9 @@ library class ExprEvaluator extends int {
   pragma[noopt]
   private int getMinVariableValueNonSubExpr(VariableAccess va) {
     exists(Variable v |
-      interestingVariableAccess(_, va, v, false) and
-      result = min(Expr value | value = v.getAnAssignedValue() | getValueInternalNonSubExpr(value))
+      this.interestingVariableAccess(_, va, v, false) and
+      result =
+        min(Expr value | value = v.getAnAssignedValue() | this.getValueInternalNonSubExpr(value))
     )
   }
 
@@ -803,8 +823,9 @@ library class ExprEvaluator extends int {
   pragma[noopt]
   private int getMaxVariableValueNonSubExpr(VariableAccess va) {
     exists(Variable v |
-      interestingVariableAccess(_, va, v, false) and
-      result = max(Expr value | value = v.getAnAssignedValue() | getValueInternalNonSubExpr(value))
+      this.interestingVariableAccess(_, va, v, false) and
+      result =
+        max(Expr value | value = v.getAnAssignedValue() | this.getValueInternalNonSubExpr(value))
     )
   }
 }
@@ -967,9 +988,9 @@ library class LoopEntryConditionEvaluator extends ExprEvaluator {
   abstract predicate isLoopBody(Expr e, StmtParent s);
 
   private predicate isLoopBodyDescendant(Expr e, StmtParent s) {
-    isLoopBody(e, s)
+    this.isLoopBody(e, s)
     or
-    exists(StmtParent mid | isLoopBodyDescendant(e, mid) |
+    exists(StmtParent mid | this.isLoopBodyDescendant(e, mid) |
       s = mid.(Stmt).getAChild() or
       s = mid.(Expr).getAChild()
     )
@@ -977,13 +998,13 @@ library class LoopEntryConditionEvaluator extends ExprEvaluator {
 
   // Same as `interestingInternal(e, sub, true)` but avoids negative recursion
   private predicate interestingSubExpr(Expr e, Expr sub) {
-    interesting(e) and e = sub
+    this.interesting(e) and e = sub
     or
-    exists(Expr mid | interestingSubExpr(e, mid) and sub = mid.getAChild())
+    exists(Expr mid | this.interestingSubExpr(e, mid) and sub = mid.getAChild())
   }
 
   private predicate maybeInterestingVariable(Expr e, Variable v) {
-    exists(VariableAccess va | interestingSubExpr(e, va) | va.getTarget() = v)
+    exists(VariableAccess va | this.interestingSubExpr(e, va) | va.getTarget() = v)
   }
 
   /**
@@ -995,9 +1016,9 @@ library class LoopEntryConditionEvaluator extends ExprEvaluator {
    * definition of `v`.
    */
   private predicate reachesLoopEntryFromLoopBody(Expr e, Variable v, StmtParent valueOrDef) {
-    maybeInterestingVariable(e, v) and
+    this.maybeInterestingVariable(e, v) and
     (valueOrDef = v.getAnAssignedValue() or nonAnalyzableVariableDefinition(v, valueOrDef)) and
-    isLoopBodyDescendant(e, valueOrDef) and
+    this.isLoopBodyDescendant(e, valueOrDef) and
     /*
      * Use primitive basic blocks in reachability analysis for better performance.
      * This is similar to the pattern used in e.g. `DefinitionsAndUses` and
@@ -1007,16 +1028,16 @@ library class LoopEntryConditionEvaluator extends ExprEvaluator {
     exists(PrimitiveBasicBlock bb1, int pos1 | bb1.getNode(pos1) = valueOrDef |
       // Reaches in same basic block
       exists(int pos2 |
-        loopEntryAt(bb1, pos2, e) and
+        this.loopEntryAt(bb1, pos2, e) and
         pos2 > pos1 and
-        not exists(int k | assignmentAt(bb1, k, v) | k in [pos1 + 1 .. pos2 - 1])
+        not exists(int k | this.assignmentAt(bb1, k, v) | k in [pos1 + 1 .. pos2 - 1])
       )
       or
       // Reaches in a successor block
       exists(PrimitiveBasicBlock bb2 |
         bb2 = bb1.getASuccessor() and
-        not exists(int pos3 | assignmentAt(bb1, pos3, v) and pos3 > pos1) and
-        bbReachesLoopEntry(bb2, e, v)
+        not exists(int pos3 | this.assignmentAt(bb1, pos3, v) and pos3 > pos1) and
+        this.bbReachesLoopEntry(bb2, e, v)
       )
     )
   }
@@ -1024,12 +1045,12 @@ library class LoopEntryConditionEvaluator extends ExprEvaluator {
   private predicate loopEntryAt(PrimitiveBasicBlock bb, int pos, Expr e) {
     exists(Node cfn |
       bb.getNode(pos) = cfn and
-      isLoopEntry(e, cfn)
+      this.isLoopEntry(e, cfn)
     )
   }
 
   private predicate assignmentAt(PrimitiveBasicBlock bb, int pos, Variable v) {
-    maybeInterestingVariable(_, v) and
+    this.maybeInterestingVariable(_, v) and
     bb.getNode(pos) = v.getAnAssignedValue()
   }
 
@@ -1038,19 +1059,19 @@ library class LoopEntryConditionEvaluator extends ExprEvaluator {
    * the loop belonging to `e` without crossing an assignment to `v`.
    */
   private predicate bbReachesLoopEntry(PrimitiveBasicBlock bb, Expr e, Variable v) {
-    bbReachesLoopEntryLocally(bb, e, v)
+    this.bbReachesLoopEntryLocally(bb, e, v)
     or
     exists(PrimitiveBasicBlock succ | succ = bb.getASuccessor() |
-      bbReachesLoopEntry(succ, e, v) and
-      not assignmentAt(bb, _, v)
+      this.bbReachesLoopEntry(succ, e, v) and
+      not this.assignmentAt(bb, _, v)
     )
   }
 
   private predicate bbReachesLoopEntryLocally(PrimitiveBasicBlock bb, Expr e, Variable v) {
     exists(int pos |
-      loopEntryAt(bb, pos, e) and
-      maybeInterestingVariable(e, v) and
-      not exists(int pos1 | assignmentAt(bb, pos1, v) | pos1 < pos)
+      this.loopEntryAt(bb, pos, e) and
+      this.maybeInterestingVariable(e, v) and
+      not exists(int pos1 | this.assignmentAt(bb, pos1, v) | pos1 < pos)
     )
   }
 
@@ -1084,10 +1105,10 @@ library class LoopEntryConditionEvaluator extends ExprEvaluator {
    * ```
    */
   override predicate ignoreNonAnalyzableVariableDefinition(Expr e, Variable v, StmtParent def) {
-    maybeInterestingVariable(e, v) and
+    this.maybeInterestingVariable(e, v) and
     nonAnalyzableVariableDefinition(v, def) and
-    isLoopBodyDescendant(e, def) and
-    not reachesLoopEntryFromLoopBody(e, v, def)
+    this.isLoopBodyDescendant(e, def) and
+    not this.reachesLoopEntryFromLoopBody(e, v, def)
   }
 
   /**
@@ -1120,10 +1141,10 @@ library class LoopEntryConditionEvaluator extends ExprEvaluator {
    * ```
    */
   override predicate ignoreVariableAssignment(Expr e, Variable v, Expr value) {
-    maybeInterestingVariable(e, v) and
+    this.maybeInterestingVariable(e, v) and
     value = v.getAnAssignedValue() and
-    isLoopBodyDescendant(e, value) and
-    not reachesLoopEntryFromLoopBody(e, v, value)
+    this.isLoopBodyDescendant(e, value) and
+    not this.reachesLoopEntryFromLoopBody(e, v, value)
   }
 }
 

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll

@@ -10,6 +10,7 @@
 private import DataFlowImplCommon
 private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
+import DataFlowImplCommonPublic
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -94,6 +95,22 @@ abstract class Configuration extends string {
    */
   int fieldFlowBranchLimit() { result = 2 }
 
+  /**
+   * Gets a data flow configuration feature to add restrictions to the set of
+   * valid flow paths.
+   *
+   * - `FeatureHasSourceCallContext`:
+   *    Assume that sources have some existing call context to disallow
+   *    conflicting return-flow directly following the source.
+   * - `FeatureHasSinkCallContext`:
+   *    Assume that sinks have some existing call context to disallow
+   *    conflicting argument-to-parameter flow directly preceding the sink.
+   * - `FeatureEqualSourceSinkCallContext`:
+   *    Implies both of the above and additionally ensures that the entire flow
+   *    path preserves the call context.
+   */
+  FlowFeature getAFeature() { none() }
+
   /**
    * Holds if data may flow from `source` to `sink` for this configuration.
    */
@@ -110,12 +127,12 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) { hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowToExpr(DataFlowExpr sink) { hasFlowTo(exprNode(sink)) }
+  predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
   /**
    * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
@@ -244,6 +261,8 @@ private class ParamNodeEx extends NodeEx {
   }
 
   int getPosition() { this.isParameterOf(_, result) }
+
+  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
 
 private class RetNodeEx extends NodeEx {
@@ -347,7 +366,8 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
     not outBarrier(node1, config) and
     not inBarrier(node2, config) and
     not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    not fullBarrier(node2, config) and
+    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
   )
 }
 
@@ -363,7 +383,8 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
     not outBarrier(node1, config) and
     not inBarrier(node2, config) and
     not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    not fullBarrier(node2, config) and
+    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
   )
 }
 
@@ -399,6 +420,20 @@ private predicate viableParamArgEx(DataFlowCall call, ParamNodeEx p, ArgNodeEx a
  */
 private predicate useFieldFlow(Configuration config) { config.fieldFlowBranchLimit() >= 1 }
 
+private predicate hasSourceCallCtx(Configuration config) {
+  exists(FlowFeature feature | feature = config.getAFeature() |
+    feature instanceof FeatureHasSourceCallContext or
+    feature instanceof FeatureEqualSourceSinkCallContext
+  )
+}
+
+private predicate hasSinkCallCtx(Configuration config) {
+  exists(FlowFeature feature | feature = config.getAFeature() |
+    feature instanceof FeatureHasSinkCallContext or
+    feature instanceof FeatureEqualSourceSinkCallContext
+  )
+}
+
 private module Stage1 {
   class ApApprox = Unit;
 
@@ -419,7 +454,7 @@ private module Stage1 {
     not fullBarrier(node, config) and
     (
       sourceNode(node, config) and
-      cc = false
+      if hasSourceCallCtx(config) then cc = true else cc = false
       or
       exists(NodeEx mid |
         fwdFlow(mid, cc, config) and
@@ -549,7 +584,7 @@ private module Stage1 {
   private predicate revFlow0(NodeEx node, boolean toReturn, Configuration config) {
     fwdFlow(node, config) and
     sinkNode(node, config) and
-    toReturn = false
+    if hasSinkCallCtx(config) then toReturn = true else toReturn = false
     or
     exists(NodeEx mid |
       localFlowStep(node, mid, config) and
@@ -744,8 +779,12 @@ private module Stage1 {
       returnFlowCallableNodeCand(c, kind, config) and
       p.getEnclosingCallable() = c and
       exists(ap) and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -931,6 +970,8 @@ private module Stage2 {
 
   Cc ccNone() { result instanceof CallContextAny }
 
+  CcCall ccSomeCall() { result instanceof CallContextSomeCall }
+
   private class LocalCc = Unit;
 
   bindingset[call, c, outercc]
@@ -998,7 +1039,7 @@ private module Stage2 {
   predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
-    cc = ccNone() and
+    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
     argAp = apNone() and
     ap = getApNil(node)
     or
@@ -1209,7 +1250,7 @@ private module Stage2 {
   ) {
     fwdFlow(node, _, _, ap, config) and
     sinkNode(node, config) and
-    toReturn = false and
+    (if hasSinkCallCtx(config) then toReturn = true else toReturn = false) and
     returnAp = apNone() and
     ap instanceof ApNil
     or
@@ -1394,8 +1435,12 @@ private module Stage2 {
       fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
       kind = ret.getKind() and
       p.getPosition() = pos and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = pos
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -1606,6 +1651,8 @@ private module Stage3 {
 
   Cc ccNone() { result = false }
 
+  CcCall ccSomeCall() { result = true }
+
   private class LocalCc = Unit;
 
   bindingset[call, c, outercc]
@@ -1687,7 +1734,7 @@ private module Stage3 {
   private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
-    cc = ccNone() and
+    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
     argAp = apNone() and
     ap = getApNil(node)
     or
@@ -1898,7 +1945,7 @@ private module Stage3 {
   ) {
     fwdFlow(node, _, _, ap, config) and
     sinkNode(node, config) and
-    toReturn = false and
+    (if hasSinkCallCtx(config) then toReturn = true else toReturn = false) and
     returnAp = apNone() and
     ap instanceof ApNil
     or
@@ -2083,8 +2130,12 @@ private module Stage3 {
       fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
       kind = ret.getKind() and
       p.getPosition() = pos and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = pos
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -2352,6 +2403,8 @@ private module Stage4 {
 
   Cc ccNone() { result instanceof CallContextAny }
 
+  CcCall ccSomeCall() { result instanceof CallContextSomeCall }
+
   private class LocalCc = LocalCallContext;
 
   bindingset[call, c, outercc]
@@ -2447,7 +2500,7 @@ private module Stage4 {
   private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
-    cc = ccNone() and
+    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
     argAp = apNone() and
     ap = getApNil(node)
     or
@@ -2658,7 +2711,7 @@ private module Stage4 {
   ) {
     fwdFlow(node, _, _, ap, config) and
     sinkNode(node, config) and
-    toReturn = false and
+    (if hasSinkCallCtx(config) then toReturn = true else toReturn = false) and
     returnAp = apNone() and
     ap instanceof ApNil
     or
@@ -2843,8 +2896,12 @@ private module Stage4 {
       fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
       kind = ret.getKind() and
       p.getPosition() = pos and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = pos
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -2917,6 +2974,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
 
   int getParameterPos() { p.isParameterOf(_, result) }
 
+  ParamNodeEx getParamNode() { result = p }
+
   override string toString() { result = p + ": " + ap }
 
   predicate hasLocationInfo(
@@ -3044,7 +3103,11 @@ private newtype TPathNode =
     // A PathNode is introduced by a source ...
     Stage4::revFlow(node, config) and
     sourceNode(node, config) and
-    cc instanceof CallContextAny and
+    (
+      if hasSourceCallCtx(config)
+      then cc instanceof CallContextSomeCall
+      else cc instanceof CallContextAny
+    ) and
     sc instanceof SummaryCtxNone and
     ap = TAccessPathNil(node.getDataFlowType())
     or
@@ -3056,17 +3119,10 @@ private newtype TPathNode =
     )
   } or
   TPathNodeSink(NodeEx node, Configuration config) {
-    sinkNode(node, pragma[only_bind_into](config)) and
-    Stage4::revFlow(node, pragma[only_bind_into](config)) and
-    (
-      // A sink that is also a source ...
-      sourceNode(node, config)
-      or
-      // ... or a sink that can be reached from a source
-      exists(PathNodeMid mid |
-        pathStep(mid, node, _, _, TAccessPathNil(_)) and
-        pragma[only_bind_into](config) = mid.getConfiguration()
-      )
+    exists(PathNodeMid sink |
+      sink.isAtSink() and
+      node = sink.getNodeEx() and
+      config = sink.getConfiguration()
     )
   }
 
@@ -3170,7 +3226,7 @@ private class AccessPathCons extends AccessPath, TAccessPathCons {
   }
 
   override string toString() {
-    result = "[" + this.toStringImpl(true) + length().toString() + ")]"
+    result = "[" + this.toStringImpl(true) + this.length().toString() + ")]"
     or
     result = "[" + this.toStringImpl(false)
   }
@@ -3309,9 +3365,11 @@ abstract private class PathNodeImpl extends PathNode {
     result = " <" + this.(PathNodeMid).getCallContext().toString() + ">"
   }
 
-  override string toString() { result = this.getNodeEx().toString() + ppAp() }
+  override string toString() { result = this.getNodeEx().toString() + this.ppAp() }
 
-  override string toStringWithContext() { result = this.getNodeEx().toString() + ppAp() + ppCtx() }
+  override string toStringWithContext() {
+    result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx()
+  }
 
   override predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
@@ -3379,24 +3437,48 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
 
   override PathNodeImpl getASuccessorImpl() {
     // an intermediate step to another intermediate node
-    result = getSuccMid()
+    result = this.getSuccMid()
     or
-    // a final step to a sink via zero steps means we merge the last two steps to prevent trivial-looking edges
-    exists(PathNodeMid mid, PathNodeSink sink |
-      mid = getSuccMid() and
-      mid.getNodeEx() = sink.getNodeEx() and
-      mid.getAp() instanceof AccessPathNil and
-      sink.getConfiguration() = unbindConf(mid.getConfiguration()) and
-      result = sink
-    )
+    // a final step to a sink
+    result = this.getSuccMid().projectToSink()
   }
 
   override predicate isSource() {
     sourceNode(node, config) and
-    cc instanceof CallContextAny and
+    (
+      if hasSourceCallCtx(config)
+      then cc instanceof CallContextSomeCall
+      else cc instanceof CallContextAny
+    ) and
     sc instanceof SummaryCtxNone and
     ap instanceof AccessPathNil
   }
+
+  predicate isAtSink() {
+    sinkNode(node, config) and
+    ap instanceof AccessPathNil and
+    if hasSinkCallCtx(config)
+    then
+      // For `FeatureHasSinkCallContext` the condition `cc instanceof CallContextNoCall`
+      // is exactly what we need to check. This also implies
+      // `sc instanceof SummaryCtxNone`.
+      // For `FeatureEqualSourceSinkCallContext` the initial call context was
+      // set to `CallContextSomeCall` and jumps are disallowed, so
+      // `cc instanceof CallContextNoCall` never holds. On the other hand,
+      // in this case there's never any need to enter a call except to identify
+      // a summary, so the condition in `pathIntoCallable` enforces this, which
+      // means that `sc instanceof SummaryCtxNone` holds if and only if we are
+      // in the call context of the source.
+      sc instanceof SummaryCtxNone or
+      cc instanceof CallContextNoCall
+    else any()
+  }
+
+  PathNodeSink projectToSink() {
+    this.isAtSink() and
+    result.getNodeEx() = node and
+    result.getConfiguration() = unbindConf(config)
+  }
 }
 
 /**
@@ -3460,7 +3542,7 @@ private predicate pathStep(
   exists(TypedContent tc | pathReadStep(mid, node, ap.push(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
   or
-  pathIntoCallable(mid, node, _, cc, sc, _) and ap = mid.getAp()
+  pathIntoCallable(mid, node, _, cc, sc, _, _) and ap = mid.getAp()
   or
   pathOutOfCallable(mid, node, cc) and ap = mid.getAp() and sc instanceof SummaryCtxNone
   or
@@ -3537,18 +3619,20 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
  */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
+  Configuration config
 ) {
   exists(ArgNode arg |
     arg = mid.getNodeEx().asNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
     ap = mid.getAp() and
-    apa = ap.getApprox()
+    apa = ap.getApprox() and
+    config = mid.getConfiguration()
   )
 }
 
-pragma[noinline]
+pragma[nomagic]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
@@ -3561,12 +3645,14 @@ private predicate parameterCand(
 pragma[nomagic]
 private predicate pathIntoCallable0(
   PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
-  AccessPath ap
+  AccessPath ap, Configuration config
 ) {
   exists(AccessPathApprox apa |
-    pathIntoArg(mid, i, outercc, call, ap, apa) and
+    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
+      pragma[only_bind_into](config)) and
     callable = resolveCall(call, outercc) and
-    parameterCand(callable, any(int j | j <= i and j >= i), apa, mid.getConfiguration())
+    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
+      pragma[only_bind_into](config))
   )
 }
 
@@ -3575,18 +3661,23 @@ private predicate pathIntoCallable0(
  * before and after entering the callable are `outercc` and `innercc`,
  * respectively.
  */
+pragma[nomagic]
 private predicate pathIntoCallable(
   PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
-  DataFlowCall call
+  DataFlowCall call, Configuration config
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, i, outercc, call, ap) and
+    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
     p.isParameterOf(callable, i) and
     (
       sc = TSummaryCtxSome(p, ap)
       or
       not exists(TSummaryCtxSome(p, ap)) and
-      sc = TSummaryCtxNone()
+      sc = TSummaryCtxNone() and
+      // When the call contexts of source and sink needs to match then there's
+      // never any reason to enter a callable except to find a summary. See also
+      // the comment in `PathNodeMid::isAtSink`.
+      not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
     )
   |
     if recordDataFlowCallSite(call, callable)
@@ -3610,18 +3701,23 @@ private predicate paramFlowsThrough(
     ap = mid.getAp() and
     apa = ap.getApprox() and
     pos = sc.getParameterPos() and
-    not kind.(ParamUpdateReturnKind).getPosition() = pos
+    // we don't expect a parameter to return stored in itself, unless explicitly allowed
+    (
+      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      or
+      sc.getParamNode().allowParameterReturnInSelf()
+    )
   )
 }
 
 pragma[nomagic]
 private predicate pathThroughCallable0(
   DataFlowCall call, PathNodeMid mid, ReturnKindExt kind, CallContext cc, AccessPath ap,
-  AccessPathApprox apa
+  AccessPathApprox apa, Configuration config
 ) {
   exists(CallContext innercc, SummaryCtx sc |
-    pathIntoCallable(mid, _, cc, innercc, sc, call) and
-    paramFlowsThrough(kind, innercc, sc, ap, apa, unbindConf(mid.getConfiguration()))
+    pathIntoCallable(mid, _, cc, innercc, sc, call, config) and
+    paramFlowsThrough(kind, innercc, sc, ap, apa, config)
   )
 }
 
@@ -3631,9 +3727,9 @@ private predicate pathThroughCallable0(
  */
 pragma[noinline]
 private predicate pathThroughCallable(PathNodeMid mid, NodeEx out, CallContext cc, AccessPath ap) {
-  exists(DataFlowCall call, ReturnKindExt kind, AccessPathApprox apa |
-    pathThroughCallable0(call, mid, kind, cc, ap, apa) and
-    out = getAnOutNodeFlow(kind, call, apa, unbindConf(mid.getConfiguration()))
+  exists(DataFlowCall call, ReturnKindExt kind, AccessPathApprox apa, Configuration config |
+    pathThroughCallable0(call, mid, kind, cc, ap, apa, config) and
+    out = getAnOutNodeFlow(kind, call, apa, config)
   )
 }
 
@@ -3647,10 +3743,11 @@ private module Subpaths {
     PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
-    pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
-    pathIntoCallable(arg, par, _, innercc, sc, _) and
-    paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _,
-      unbindConf(arg.getConfiguration()))
+    exists(Configuration config |
+      pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
+      pathIntoCallable(arg, par, _, innercc, sc, _, config) and
+      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config))
+    )
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll

@@ -10,6 +10,7 @@
 private import DataFlowImplCommon
 private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
+import DataFlowImplCommonPublic
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -94,6 +95,22 @@ abstract class Configuration extends string {
    */
   int fieldFlowBranchLimit() { result = 2 }
 
+  /**
+   * Gets a data flow configuration feature to add restrictions to the set of
+   * valid flow paths.
+   *
+   * - `FeatureHasSourceCallContext`:
+   *    Assume that sources have some existing call context to disallow
+   *    conflicting return-flow directly following the source.
+   * - `FeatureHasSinkCallContext`:
+   *    Assume that sinks have some existing call context to disallow
+   *    conflicting argument-to-parameter flow directly preceding the sink.
+   * - `FeatureEqualSourceSinkCallContext`:
+   *    Implies both of the above and additionally ensures that the entire flow
+   *    path preserves the call context.
+   */
+  FlowFeature getAFeature() { none() }
+
   /**
    * Holds if data may flow from `source` to `sink` for this configuration.
    */
@@ -110,12 +127,12 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) { hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowToExpr(DataFlowExpr sink) { hasFlowTo(exprNode(sink)) }
+  predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
   /**
    * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
@@ -244,6 +261,8 @@ private class ParamNodeEx extends NodeEx {
   }
 
   int getPosition() { this.isParameterOf(_, result) }
+
+  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
 
 private class RetNodeEx extends NodeEx {
@@ -347,7 +366,8 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
     not outBarrier(node1, config) and
     not inBarrier(node2, config) and
     not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    not fullBarrier(node2, config) and
+    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
   )
 }
 
@@ -363,7 +383,8 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
     not outBarrier(node1, config) and
     not inBarrier(node2, config) and
     not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    not fullBarrier(node2, config) and
+    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
   )
 }
 
@@ -399,6 +420,20 @@ private predicate viableParamArgEx(DataFlowCall call, ParamNodeEx p, ArgNodeEx a
  */
 private predicate useFieldFlow(Configuration config) { config.fieldFlowBranchLimit() >= 1 }
 
+private predicate hasSourceCallCtx(Configuration config) {
+  exists(FlowFeature feature | feature = config.getAFeature() |
+    feature instanceof FeatureHasSourceCallContext or
+    feature instanceof FeatureEqualSourceSinkCallContext
+  )
+}
+
+private predicate hasSinkCallCtx(Configuration config) {
+  exists(FlowFeature feature | feature = config.getAFeature() |
+    feature instanceof FeatureHasSinkCallContext or
+    feature instanceof FeatureEqualSourceSinkCallContext
+  )
+}
+
 private module Stage1 {
   class ApApprox = Unit;
 
@@ -419,7 +454,7 @@ private module Stage1 {
     not fullBarrier(node, config) and
     (
       sourceNode(node, config) and
-      cc = false
+      if hasSourceCallCtx(config) then cc = true else cc = false
       or
       exists(NodeEx mid |
         fwdFlow(mid, cc, config) and
@@ -549,7 +584,7 @@ private module Stage1 {
   private predicate revFlow0(NodeEx node, boolean toReturn, Configuration config) {
     fwdFlow(node, config) and
     sinkNode(node, config) and
-    toReturn = false
+    if hasSinkCallCtx(config) then toReturn = true else toReturn = false
     or
     exists(NodeEx mid |
       localFlowStep(node, mid, config) and
@@ -744,8 +779,12 @@ private module Stage1 {
       returnFlowCallableNodeCand(c, kind, config) and
       p.getEnclosingCallable() = c and
       exists(ap) and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -931,6 +970,8 @@ private module Stage2 {
 
   Cc ccNone() { result instanceof CallContextAny }
 
+  CcCall ccSomeCall() { result instanceof CallContextSomeCall }
+
   private class LocalCc = Unit;
 
   bindingset[call, c, outercc]
@@ -998,7 +1039,7 @@ private module Stage2 {
   predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
-    cc = ccNone() and
+    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
     argAp = apNone() and
     ap = getApNil(node)
     or
@@ -1209,7 +1250,7 @@ private module Stage2 {
   ) {
     fwdFlow(node, _, _, ap, config) and
     sinkNode(node, config) and
-    toReturn = false and
+    (if hasSinkCallCtx(config) then toReturn = true else toReturn = false) and
     returnAp = apNone() and
     ap instanceof ApNil
     or
@@ -1394,8 +1435,12 @@ private module Stage2 {
       fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
       kind = ret.getKind() and
       p.getPosition() = pos and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = pos
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -1606,6 +1651,8 @@ private module Stage3 {
 
   Cc ccNone() { result = false }
 
+  CcCall ccSomeCall() { result = true }
+
   private class LocalCc = Unit;
 
   bindingset[call, c, outercc]
@@ -1687,7 +1734,7 @@ private module Stage3 {
   private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
-    cc = ccNone() and
+    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
     argAp = apNone() and
     ap = getApNil(node)
     or
@@ -1898,7 +1945,7 @@ private module Stage3 {
   ) {
     fwdFlow(node, _, _, ap, config) and
     sinkNode(node, config) and
-    toReturn = false and
+    (if hasSinkCallCtx(config) then toReturn = true else toReturn = false) and
     returnAp = apNone() and
     ap instanceof ApNil
     or
@@ -2083,8 +2130,12 @@ private module Stage3 {
       fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
       kind = ret.getKind() and
       p.getPosition() = pos and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = pos
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -2352,6 +2403,8 @@ private module Stage4 {
 
   Cc ccNone() { result instanceof CallContextAny }
 
+  CcCall ccSomeCall() { result instanceof CallContextSomeCall }
+
   private class LocalCc = LocalCallContext;
 
   bindingset[call, c, outercc]
@@ -2447,7 +2500,7 @@ private module Stage4 {
   private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
-    cc = ccNone() and
+    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
     argAp = apNone() and
     ap = getApNil(node)
     or
@@ -2658,7 +2711,7 @@ private module Stage4 {
   ) {
     fwdFlow(node, _, _, ap, config) and
     sinkNode(node, config) and
-    toReturn = false and
+    (if hasSinkCallCtx(config) then toReturn = true else toReturn = false) and
     returnAp = apNone() and
     ap instanceof ApNil
     or
@@ -2843,8 +2896,12 @@ private module Stage4 {
       fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
       kind = ret.getKind() and
       p.getPosition() = pos and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = pos
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -2917,6 +2974,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
 
   int getParameterPos() { p.isParameterOf(_, result) }
 
+  ParamNodeEx getParamNode() { result = p }
+
   override string toString() { result = p + ": " + ap }
 
   predicate hasLocationInfo(
@@ -3044,7 +3103,11 @@ private newtype TPathNode =
     // A PathNode is introduced by a source ...
     Stage4::revFlow(node, config) and
     sourceNode(node, config) and
-    cc instanceof CallContextAny and
+    (
+      if hasSourceCallCtx(config)
+      then cc instanceof CallContextSomeCall
+      else cc instanceof CallContextAny
+    ) and
     sc instanceof SummaryCtxNone and
     ap = TAccessPathNil(node.getDataFlowType())
     or
@@ -3056,17 +3119,10 @@ private newtype TPathNode =
     )
   } or
   TPathNodeSink(NodeEx node, Configuration config) {
-    sinkNode(node, pragma[only_bind_into](config)) and
-    Stage4::revFlow(node, pragma[only_bind_into](config)) and
-    (
-      // A sink that is also a source ...
-      sourceNode(node, config)
-      or
-      // ... or a sink that can be reached from a source
-      exists(PathNodeMid mid |
-        pathStep(mid, node, _, _, TAccessPathNil(_)) and
-        pragma[only_bind_into](config) = mid.getConfiguration()
-      )
+    exists(PathNodeMid sink |
+      sink.isAtSink() and
+      node = sink.getNodeEx() and
+      config = sink.getConfiguration()
     )
   }
 
@@ -3170,7 +3226,7 @@ private class AccessPathCons extends AccessPath, TAccessPathCons {
   }
 
   override string toString() {
-    result = "[" + this.toStringImpl(true) + length().toString() + ")]"
+    result = "[" + this.toStringImpl(true) + this.length().toString() + ")]"
     or
     result = "[" + this.toStringImpl(false)
   }
@@ -3309,9 +3365,11 @@ abstract private class PathNodeImpl extends PathNode {
     result = " <" + this.(PathNodeMid).getCallContext().toString() + ">"
   }
 
-  override string toString() { result = this.getNodeEx().toString() + ppAp() }
+  override string toString() { result = this.getNodeEx().toString() + this.ppAp() }
 
-  override string toStringWithContext() { result = this.getNodeEx().toString() + ppAp() + ppCtx() }
+  override string toStringWithContext() {
+    result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx()
+  }
 
   override predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
@@ -3379,24 +3437,48 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
 
   override PathNodeImpl getASuccessorImpl() {
     // an intermediate step to another intermediate node
-    result = getSuccMid()
+    result = this.getSuccMid()
     or
-    // a final step to a sink via zero steps means we merge the last two steps to prevent trivial-looking edges
-    exists(PathNodeMid mid, PathNodeSink sink |
-      mid = getSuccMid() and
-      mid.getNodeEx() = sink.getNodeEx() and
-      mid.getAp() instanceof AccessPathNil and
-      sink.getConfiguration() = unbindConf(mid.getConfiguration()) and
-      result = sink
-    )
+    // a final step to a sink
+    result = this.getSuccMid().projectToSink()
   }
 
   override predicate isSource() {
     sourceNode(node, config) and
-    cc instanceof CallContextAny and
+    (
+      if hasSourceCallCtx(config)
+      then cc instanceof CallContextSomeCall
+      else cc instanceof CallContextAny
+    ) and
     sc instanceof SummaryCtxNone and
     ap instanceof AccessPathNil
   }
+
+  predicate isAtSink() {
+    sinkNode(node, config) and
+    ap instanceof AccessPathNil and
+    if hasSinkCallCtx(config)
+    then
+      // For `FeatureHasSinkCallContext` the condition `cc instanceof CallContextNoCall`
+      // is exactly what we need to check. This also implies
+      // `sc instanceof SummaryCtxNone`.
+      // For `FeatureEqualSourceSinkCallContext` the initial call context was
+      // set to `CallContextSomeCall` and jumps are disallowed, so
+      // `cc instanceof CallContextNoCall` never holds. On the other hand,
+      // in this case there's never any need to enter a call except to identify
+      // a summary, so the condition in `pathIntoCallable` enforces this, which
+      // means that `sc instanceof SummaryCtxNone` holds if and only if we are
+      // in the call context of the source.
+      sc instanceof SummaryCtxNone or
+      cc instanceof CallContextNoCall
+    else any()
+  }
+
+  PathNodeSink projectToSink() {
+    this.isAtSink() and
+    result.getNodeEx() = node and
+    result.getConfiguration() = unbindConf(config)
+  }
 }
 
 /**
@@ -3460,7 +3542,7 @@ private predicate pathStep(
   exists(TypedContent tc | pathReadStep(mid, node, ap.push(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
   or
-  pathIntoCallable(mid, node, _, cc, sc, _) and ap = mid.getAp()
+  pathIntoCallable(mid, node, _, cc, sc, _, _) and ap = mid.getAp()
   or
   pathOutOfCallable(mid, node, cc) and ap = mid.getAp() and sc instanceof SummaryCtxNone
   or
@@ -3537,18 +3619,20 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
  */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
+  Configuration config
 ) {
   exists(ArgNode arg |
     arg = mid.getNodeEx().asNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
     ap = mid.getAp() and
-    apa = ap.getApprox()
+    apa = ap.getApprox() and
+    config = mid.getConfiguration()
   )
 }
 
-pragma[noinline]
+pragma[nomagic]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
@@ -3561,12 +3645,14 @@ private predicate parameterCand(
 pragma[nomagic]
 private predicate pathIntoCallable0(
   PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
-  AccessPath ap
+  AccessPath ap, Configuration config
 ) {
   exists(AccessPathApprox apa |
-    pathIntoArg(mid, i, outercc, call, ap, apa) and
+    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
+      pragma[only_bind_into](config)) and
     callable = resolveCall(call, outercc) and
-    parameterCand(callable, any(int j | j <= i and j >= i), apa, mid.getConfiguration())
+    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
+      pragma[only_bind_into](config))
   )
 }
 
@@ -3575,18 +3661,23 @@ private predicate pathIntoCallable0(
  * before and after entering the callable are `outercc` and `innercc`,
  * respectively.
  */
+pragma[nomagic]
 private predicate pathIntoCallable(
   PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
-  DataFlowCall call
+  DataFlowCall call, Configuration config
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, i, outercc, call, ap) and
+    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
     p.isParameterOf(callable, i) and
     (
       sc = TSummaryCtxSome(p, ap)
       or
       not exists(TSummaryCtxSome(p, ap)) and
-      sc = TSummaryCtxNone()
+      sc = TSummaryCtxNone() and
+      // When the call contexts of source and sink needs to match then there's
+      // never any reason to enter a callable except to find a summary. See also
+      // the comment in `PathNodeMid::isAtSink`.
+      not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
     )
   |
     if recordDataFlowCallSite(call, callable)
@@ -3610,18 +3701,23 @@ private predicate paramFlowsThrough(
     ap = mid.getAp() and
     apa = ap.getApprox() and
     pos = sc.getParameterPos() and
-    not kind.(ParamUpdateReturnKind).getPosition() = pos
+    // we don't expect a parameter to return stored in itself, unless explicitly allowed
+    (
+      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      or
+      sc.getParamNode().allowParameterReturnInSelf()
+    )
   )
 }
 
 pragma[nomagic]
 private predicate pathThroughCallable0(
   DataFlowCall call, PathNodeMid mid, ReturnKindExt kind, CallContext cc, AccessPath ap,
-  AccessPathApprox apa
+  AccessPathApprox apa, Configuration config
 ) {
   exists(CallContext innercc, SummaryCtx sc |
-    pathIntoCallable(mid, _, cc, innercc, sc, call) and
-    paramFlowsThrough(kind, innercc, sc, ap, apa, unbindConf(mid.getConfiguration()))
+    pathIntoCallable(mid, _, cc, innercc, sc, call, config) and
+    paramFlowsThrough(kind, innercc, sc, ap, apa, config)
   )
 }
 
@@ -3631,9 +3727,9 @@ private predicate pathThroughCallable0(
  */
 pragma[noinline]
 private predicate pathThroughCallable(PathNodeMid mid, NodeEx out, CallContext cc, AccessPath ap) {
-  exists(DataFlowCall call, ReturnKindExt kind, AccessPathApprox apa |
-    pathThroughCallable0(call, mid, kind, cc, ap, apa) and
-    out = getAnOutNodeFlow(kind, call, apa, unbindConf(mid.getConfiguration()))
+  exists(DataFlowCall call, ReturnKindExt kind, AccessPathApprox apa, Configuration config |
+    pathThroughCallable0(call, mid, kind, cc, ap, apa, config) and
+    out = getAnOutNodeFlow(kind, call, apa, config)
   )
 }
 
@@ -3647,10 +3743,11 @@ private module Subpaths {
     PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
-    pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
-    pathIntoCallable(arg, par, _, innercc, sc, _) and
-    paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _,
-      unbindConf(arg.getConfiguration()))
+    exists(Configuration config |
+      pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
+      pathIntoCallable(arg, par, _, innercc, sc, _, config) and
+      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config))
+    )
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll

@@ -10,6 +10,7 @@
 private import DataFlowImplCommon
 private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
+import DataFlowImplCommonPublic
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -94,6 +95,22 @@ abstract class Configuration extends string {
    */
   int fieldFlowBranchLimit() { result = 2 }
 
+  /**
+   * Gets a data flow configuration feature to add restrictions to the set of
+   * valid flow paths.
+   *
+   * - `FeatureHasSourceCallContext`:
+   *    Assume that sources have some existing call context to disallow
+   *    conflicting return-flow directly following the source.
+   * - `FeatureHasSinkCallContext`:
+   *    Assume that sinks have some existing call context to disallow
+   *    conflicting argument-to-parameter flow directly preceding the sink.
+   * - `FeatureEqualSourceSinkCallContext`:
+   *    Implies both of the above and additionally ensures that the entire flow
+   *    path preserves the call context.
+   */
+  FlowFeature getAFeature() { none() }
+
   /**
    * Holds if data may flow from `source` to `sink` for this configuration.
    */
@@ -110,12 +127,12 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) { hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowToExpr(DataFlowExpr sink) { hasFlowTo(exprNode(sink)) }
+  predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
   /**
    * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
@@ -244,6 +261,8 @@ private class ParamNodeEx extends NodeEx {
   }
 
   int getPosition() { this.isParameterOf(_, result) }
+
+  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
 
 private class RetNodeEx extends NodeEx {
@@ -347,7 +366,8 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
     not outBarrier(node1, config) and
     not inBarrier(node2, config) and
     not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    not fullBarrier(node2, config) and
+    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
   )
 }
 
@@ -363,7 +383,8 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
     not outBarrier(node1, config) and
     not inBarrier(node2, config) and
     not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    not fullBarrier(node2, config) and
+    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
   )
 }
 
@@ -399,6 +420,20 @@ private predicate viableParamArgEx(DataFlowCall call, ParamNodeEx p, ArgNodeEx a
  */
 private predicate useFieldFlow(Configuration config) { config.fieldFlowBranchLimit() >= 1 }
 
+private predicate hasSourceCallCtx(Configuration config) {
+  exists(FlowFeature feature | feature = config.getAFeature() |
+    feature instanceof FeatureHasSourceCallContext or
+    feature instanceof FeatureEqualSourceSinkCallContext
+  )
+}
+
+private predicate hasSinkCallCtx(Configuration config) {
+  exists(FlowFeature feature | feature = config.getAFeature() |
+    feature instanceof FeatureHasSinkCallContext or
+    feature instanceof FeatureEqualSourceSinkCallContext
+  )
+}
+
 private module Stage1 {
   class ApApprox = Unit;
 
@@ -419,7 +454,7 @@ private module Stage1 {
     not fullBarrier(node, config) and
     (
       sourceNode(node, config) and
-      cc = false
+      if hasSourceCallCtx(config) then cc = true else cc = false
       or
       exists(NodeEx mid |
         fwdFlow(mid, cc, config) and
@@ -549,7 +584,7 @@ private module Stage1 {
   private predicate revFlow0(NodeEx node, boolean toReturn, Configuration config) {
     fwdFlow(node, config) and
     sinkNode(node, config) and
-    toReturn = false
+    if hasSinkCallCtx(config) then toReturn = true else toReturn = false
     or
     exists(NodeEx mid |
       localFlowStep(node, mid, config) and
@@ -744,8 +779,12 @@ private module Stage1 {
       returnFlowCallableNodeCand(c, kind, config) and
       p.getEnclosingCallable() = c and
       exists(ap) and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -931,6 +970,8 @@ private module Stage2 {
 
   Cc ccNone() { result instanceof CallContextAny }
 
+  CcCall ccSomeCall() { result instanceof CallContextSomeCall }
+
   private class LocalCc = Unit;
 
   bindingset[call, c, outercc]
@@ -998,7 +1039,7 @@ private module Stage2 {
   predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
-    cc = ccNone() and
+    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
     argAp = apNone() and
     ap = getApNil(node)
     or
@@ -1209,7 +1250,7 @@ private module Stage2 {
   ) {
     fwdFlow(node, _, _, ap, config) and
     sinkNode(node, config) and
-    toReturn = false and
+    (if hasSinkCallCtx(config) then toReturn = true else toReturn = false) and
     returnAp = apNone() and
     ap instanceof ApNil
     or
@@ -1394,8 +1435,12 @@ private module Stage2 {
       fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
       kind = ret.getKind() and
       p.getPosition() = pos and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = pos
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -1606,6 +1651,8 @@ private module Stage3 {
 
   Cc ccNone() { result = false }
 
+  CcCall ccSomeCall() { result = true }
+
   private class LocalCc = Unit;
 
   bindingset[call, c, outercc]
@@ -1687,7 +1734,7 @@ private module Stage3 {
   private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
-    cc = ccNone() and
+    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
     argAp = apNone() and
     ap = getApNil(node)
     or
@@ -1898,7 +1945,7 @@ private module Stage3 {
   ) {
     fwdFlow(node, _, _, ap, config) and
     sinkNode(node, config) and
-    toReturn = false and
+    (if hasSinkCallCtx(config) then toReturn = true else toReturn = false) and
     returnAp = apNone() and
     ap instanceof ApNil
     or
@@ -2083,8 +2130,12 @@ private module Stage3 {
       fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
       kind = ret.getKind() and
       p.getPosition() = pos and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = pos
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -2352,6 +2403,8 @@ private module Stage4 {
 
   Cc ccNone() { result instanceof CallContextAny }
 
+  CcCall ccSomeCall() { result instanceof CallContextSomeCall }
+
   private class LocalCc = LocalCallContext;
 
   bindingset[call, c, outercc]
@@ -2447,7 +2500,7 @@ private module Stage4 {
   private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
-    cc = ccNone() and
+    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
     argAp = apNone() and
     ap = getApNil(node)
     or
@@ -2658,7 +2711,7 @@ private module Stage4 {
   ) {
     fwdFlow(node, _, _, ap, config) and
     sinkNode(node, config) and
-    toReturn = false and
+    (if hasSinkCallCtx(config) then toReturn = true else toReturn = false) and
     returnAp = apNone() and
     ap instanceof ApNil
     or
@@ -2843,8 +2896,12 @@ private module Stage4 {
       fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
       kind = ret.getKind() and
       p.getPosition() = pos and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = pos
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -2917,6 +2974,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
 
   int getParameterPos() { p.isParameterOf(_, result) }
 
+  ParamNodeEx getParamNode() { result = p }
+
   override string toString() { result = p + ": " + ap }
 
   predicate hasLocationInfo(
@@ -3044,7 +3103,11 @@ private newtype TPathNode =
     // A PathNode is introduced by a source ...
     Stage4::revFlow(node, config) and
     sourceNode(node, config) and
-    cc instanceof CallContextAny and
+    (
+      if hasSourceCallCtx(config)
+      then cc instanceof CallContextSomeCall
+      else cc instanceof CallContextAny
+    ) and
     sc instanceof SummaryCtxNone and
     ap = TAccessPathNil(node.getDataFlowType())
     or
@@ -3056,17 +3119,10 @@ private newtype TPathNode =
     )
   } or
   TPathNodeSink(NodeEx node, Configuration config) {
-    sinkNode(node, pragma[only_bind_into](config)) and
-    Stage4::revFlow(node, pragma[only_bind_into](config)) and
-    (
-      // A sink that is also a source ...
-      sourceNode(node, config)
-      or
-      // ... or a sink that can be reached from a source
-      exists(PathNodeMid mid |
-        pathStep(mid, node, _, _, TAccessPathNil(_)) and
-        pragma[only_bind_into](config) = mid.getConfiguration()
-      )
+    exists(PathNodeMid sink |
+      sink.isAtSink() and
+      node = sink.getNodeEx() and
+      config = sink.getConfiguration()
     )
   }
 
@@ -3170,7 +3226,7 @@ private class AccessPathCons extends AccessPath, TAccessPathCons {
   }
 
   override string toString() {
-    result = "[" + this.toStringImpl(true) + length().toString() + ")]"
+    result = "[" + this.toStringImpl(true) + this.length().toString() + ")]"
     or
     result = "[" + this.toStringImpl(false)
   }
@@ -3309,9 +3365,11 @@ abstract private class PathNodeImpl extends PathNode {
     result = " <" + this.(PathNodeMid).getCallContext().toString() + ">"
   }
 
-  override string toString() { result = this.getNodeEx().toString() + ppAp() }
+  override string toString() { result = this.getNodeEx().toString() + this.ppAp() }
 
-  override string toStringWithContext() { result = this.getNodeEx().toString() + ppAp() + ppCtx() }
+  override string toStringWithContext() {
+    result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx()
+  }
 
   override predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
@@ -3379,24 +3437,48 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
 
   override PathNodeImpl getASuccessorImpl() {
     // an intermediate step to another intermediate node
-    result = getSuccMid()
+    result = this.getSuccMid()
     or
-    // a final step to a sink via zero steps means we merge the last two steps to prevent trivial-looking edges
-    exists(PathNodeMid mid, PathNodeSink sink |
-      mid = getSuccMid() and
-      mid.getNodeEx() = sink.getNodeEx() and
-      mid.getAp() instanceof AccessPathNil and
-      sink.getConfiguration() = unbindConf(mid.getConfiguration()) and
-      result = sink
-    )
+    // a final step to a sink
+    result = this.getSuccMid().projectToSink()
   }
 
   override predicate isSource() {
     sourceNode(node, config) and
-    cc instanceof CallContextAny and
+    (
+      if hasSourceCallCtx(config)
+      then cc instanceof CallContextSomeCall
+      else cc instanceof CallContextAny
+    ) and
     sc instanceof SummaryCtxNone and
     ap instanceof AccessPathNil
   }
+
+  predicate isAtSink() {
+    sinkNode(node, config) and
+    ap instanceof AccessPathNil and
+    if hasSinkCallCtx(config)
+    then
+      // For `FeatureHasSinkCallContext` the condition `cc instanceof CallContextNoCall`
+      // is exactly what we need to check. This also implies
+      // `sc instanceof SummaryCtxNone`.
+      // For `FeatureEqualSourceSinkCallContext` the initial call context was
+      // set to `CallContextSomeCall` and jumps are disallowed, so
+      // `cc instanceof CallContextNoCall` never holds. On the other hand,
+      // in this case there's never any need to enter a call except to identify
+      // a summary, so the condition in `pathIntoCallable` enforces this, which
+      // means that `sc instanceof SummaryCtxNone` holds if and only if we are
+      // in the call context of the source.
+      sc instanceof SummaryCtxNone or
+      cc instanceof CallContextNoCall
+    else any()
+  }
+
+  PathNodeSink projectToSink() {
+    this.isAtSink() and
+    result.getNodeEx() = node and
+    result.getConfiguration() = unbindConf(config)
+  }
 }
 
 /**
@@ -3460,7 +3542,7 @@ private predicate pathStep(
   exists(TypedContent tc | pathReadStep(mid, node, ap.push(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
   or
-  pathIntoCallable(mid, node, _, cc, sc, _) and ap = mid.getAp()
+  pathIntoCallable(mid, node, _, cc, sc, _, _) and ap = mid.getAp()
   or
   pathOutOfCallable(mid, node, cc) and ap = mid.getAp() and sc instanceof SummaryCtxNone
   or
@@ -3537,18 +3619,20 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
  */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
+  Configuration config
 ) {
   exists(ArgNode arg |
     arg = mid.getNodeEx().asNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
     ap = mid.getAp() and
-    apa = ap.getApprox()
+    apa = ap.getApprox() and
+    config = mid.getConfiguration()
   )
 }
 
-pragma[noinline]
+pragma[nomagic]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
@@ -3561,12 +3645,14 @@ private predicate parameterCand(
 pragma[nomagic]
 private predicate pathIntoCallable0(
   PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
-  AccessPath ap
+  AccessPath ap, Configuration config
 ) {
   exists(AccessPathApprox apa |
-    pathIntoArg(mid, i, outercc, call, ap, apa) and
+    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
+      pragma[only_bind_into](config)) and
     callable = resolveCall(call, outercc) and
-    parameterCand(callable, any(int j | j <= i and j >= i), apa, mid.getConfiguration())
+    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
+      pragma[only_bind_into](config))
   )
 }
 
@@ -3575,18 +3661,23 @@ private predicate pathIntoCallable0(
  * before and after entering the callable are `outercc` and `innercc`,
  * respectively.
  */
+pragma[nomagic]
 private predicate pathIntoCallable(
   PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
-  DataFlowCall call
+  DataFlowCall call, Configuration config
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, i, outercc, call, ap) and
+    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
     p.isParameterOf(callable, i) and
     (
       sc = TSummaryCtxSome(p, ap)
       or
       not exists(TSummaryCtxSome(p, ap)) and
-      sc = TSummaryCtxNone()
+      sc = TSummaryCtxNone() and
+      // When the call contexts of source and sink needs to match then there's
+      // never any reason to enter a callable except to find a summary. See also
+      // the comment in `PathNodeMid::isAtSink`.
+      not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
     )
   |
     if recordDataFlowCallSite(call, callable)
@@ -3610,18 +3701,23 @@ private predicate paramFlowsThrough(
     ap = mid.getAp() and
     apa = ap.getApprox() and
     pos = sc.getParameterPos() and
-    not kind.(ParamUpdateReturnKind).getPosition() = pos
+    // we don't expect a parameter to return stored in itself, unless explicitly allowed
+    (
+      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      or
+      sc.getParamNode().allowParameterReturnInSelf()
+    )
   )
 }
 
 pragma[nomagic]
 private predicate pathThroughCallable0(
   DataFlowCall call, PathNodeMid mid, ReturnKindExt kind, CallContext cc, AccessPath ap,
-  AccessPathApprox apa
+  AccessPathApprox apa, Configuration config
 ) {
   exists(CallContext innercc, SummaryCtx sc |
-    pathIntoCallable(mid, _, cc, innercc, sc, call) and
-    paramFlowsThrough(kind, innercc, sc, ap, apa, unbindConf(mid.getConfiguration()))
+    pathIntoCallable(mid, _, cc, innercc, sc, call, config) and
+    paramFlowsThrough(kind, innercc, sc, ap, apa, config)
   )
 }
 
@@ -3631,9 +3727,9 @@ private predicate pathThroughCallable0(
  */
 pragma[noinline]
 private predicate pathThroughCallable(PathNodeMid mid, NodeEx out, CallContext cc, AccessPath ap) {
-  exists(DataFlowCall call, ReturnKindExt kind, AccessPathApprox apa |
-    pathThroughCallable0(call, mid, kind, cc, ap, apa) and
-    out = getAnOutNodeFlow(kind, call, apa, unbindConf(mid.getConfiguration()))
+  exists(DataFlowCall call, ReturnKindExt kind, AccessPathApprox apa, Configuration config |
+    pathThroughCallable0(call, mid, kind, cc, ap, apa, config) and
+    out = getAnOutNodeFlow(kind, call, apa, config)
   )
 }
 
@@ -3647,10 +3743,11 @@ private module Subpaths {
     PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
-    pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
-    pathIntoCallable(arg, par, _, innercc, sc, _) and
-    paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _,
-      unbindConf(arg.getConfiguration()))
+    exists(Configuration config |
+      pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
+      pathIntoCallable(arg, par, _, innercc, sc, _, config) and
+      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config))
+    )
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll

@@ -10,6 +10,7 @@
 private import DataFlowImplCommon
 private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
+import DataFlowImplCommonPublic
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -94,6 +95,22 @@ abstract class Configuration extends string {
    */
   int fieldFlowBranchLimit() { result = 2 }
 
+  /**
+   * Gets a data flow configuration feature to add restrictions to the set of
+   * valid flow paths.
+   *
+   * - `FeatureHasSourceCallContext`:
+   *    Assume that sources have some existing call context to disallow
+   *    conflicting return-flow directly following the source.
+   * - `FeatureHasSinkCallContext`:
+   *    Assume that sinks have some existing call context to disallow
+   *    conflicting argument-to-parameter flow directly preceding the sink.
+   * - `FeatureEqualSourceSinkCallContext`:
+   *    Implies both of the above and additionally ensures that the entire flow
+   *    path preserves the call context.
+   */
+  FlowFeature getAFeature() { none() }
+
   /**
    * Holds if data may flow from `source` to `sink` for this configuration.
    */
@@ -110,12 +127,12 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) { hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowToExpr(DataFlowExpr sink) { hasFlowTo(exprNode(sink)) }
+  predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
   /**
    * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
@@ -244,6 +261,8 @@ private class ParamNodeEx extends NodeEx {
   }
 
   int getPosition() { this.isParameterOf(_, result) }
+
+  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
 
 private class RetNodeEx extends NodeEx {
@@ -347,7 +366,8 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
     not outBarrier(node1, config) and
     not inBarrier(node2, config) and
     not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    not fullBarrier(node2, config) and
+    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
   )
 }
 
@@ -363,7 +383,8 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
     not outBarrier(node1, config) and
     not inBarrier(node2, config) and
     not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    not fullBarrier(node2, config) and
+    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
   )
 }
 
@@ -399,6 +420,20 @@ private predicate viableParamArgEx(DataFlowCall call, ParamNodeEx p, ArgNodeEx a
  */
 private predicate useFieldFlow(Configuration config) { config.fieldFlowBranchLimit() >= 1 }
 
+private predicate hasSourceCallCtx(Configuration config) {
+  exists(FlowFeature feature | feature = config.getAFeature() |
+    feature instanceof FeatureHasSourceCallContext or
+    feature instanceof FeatureEqualSourceSinkCallContext
+  )
+}
+
+private predicate hasSinkCallCtx(Configuration config) {
+  exists(FlowFeature feature | feature = config.getAFeature() |
+    feature instanceof FeatureHasSinkCallContext or
+    feature instanceof FeatureEqualSourceSinkCallContext
+  )
+}
+
 private module Stage1 {
   class ApApprox = Unit;
 
@@ -419,7 +454,7 @@ private module Stage1 {
     not fullBarrier(node, config) and
     (
       sourceNode(node, config) and
-      cc = false
+      if hasSourceCallCtx(config) then cc = true else cc = false
       or
       exists(NodeEx mid |
         fwdFlow(mid, cc, config) and
@@ -549,7 +584,7 @@ private module Stage1 {
   private predicate revFlow0(NodeEx node, boolean toReturn, Configuration config) {
     fwdFlow(node, config) and
     sinkNode(node, config) and
-    toReturn = false
+    if hasSinkCallCtx(config) then toReturn = true else toReturn = false
     or
     exists(NodeEx mid |
       localFlowStep(node, mid, config) and
@@ -744,8 +779,12 @@ private module Stage1 {
       returnFlowCallableNodeCand(c, kind, config) and
       p.getEnclosingCallable() = c and
       exists(ap) and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -931,6 +970,8 @@ private module Stage2 {
 
   Cc ccNone() { result instanceof CallContextAny }
 
+  CcCall ccSomeCall() { result instanceof CallContextSomeCall }
+
   private class LocalCc = Unit;
 
   bindingset[call, c, outercc]
@@ -998,7 +1039,7 @@ private module Stage2 {
   predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
-    cc = ccNone() and
+    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
     argAp = apNone() and
     ap = getApNil(node)
     or
@@ -1209,7 +1250,7 @@ private module Stage2 {
   ) {
     fwdFlow(node, _, _, ap, config) and
     sinkNode(node, config) and
-    toReturn = false and
+    (if hasSinkCallCtx(config) then toReturn = true else toReturn = false) and
     returnAp = apNone() and
     ap instanceof ApNil
     or
@@ -1394,8 +1435,12 @@ private module Stage2 {
       fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
       kind = ret.getKind() and
       p.getPosition() = pos and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = pos
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -1606,6 +1651,8 @@ private module Stage3 {
 
   Cc ccNone() { result = false }
 
+  CcCall ccSomeCall() { result = true }
+
   private class LocalCc = Unit;
 
   bindingset[call, c, outercc]
@@ -1687,7 +1734,7 @@ private module Stage3 {
   private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
-    cc = ccNone() and
+    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
     argAp = apNone() and
     ap = getApNil(node)
     or
@@ -1898,7 +1945,7 @@ private module Stage3 {
   ) {
     fwdFlow(node, _, _, ap, config) and
     sinkNode(node, config) and
-    toReturn = false and
+    (if hasSinkCallCtx(config) then toReturn = true else toReturn = false) and
     returnAp = apNone() and
     ap instanceof ApNil
     or
@@ -2083,8 +2130,12 @@ private module Stage3 {
       fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
       kind = ret.getKind() and
       p.getPosition() = pos and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = pos
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -2352,6 +2403,8 @@ private module Stage4 {
 
   Cc ccNone() { result instanceof CallContextAny }
 
+  CcCall ccSomeCall() { result instanceof CallContextSomeCall }
+
   private class LocalCc = LocalCallContext;
 
   bindingset[call, c, outercc]
@@ -2447,7 +2500,7 @@ private module Stage4 {
   private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
-    cc = ccNone() and
+    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
     argAp = apNone() and
     ap = getApNil(node)
     or
@@ -2658,7 +2711,7 @@ private module Stage4 {
   ) {
     fwdFlow(node, _, _, ap, config) and
     sinkNode(node, config) and
-    toReturn = false and
+    (if hasSinkCallCtx(config) then toReturn = true else toReturn = false) and
     returnAp = apNone() and
     ap instanceof ApNil
     or
@@ -2843,8 +2896,12 @@ private module Stage4 {
       fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
       kind = ret.getKind() and
       p.getPosition() = pos and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = pos
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -2917,6 +2974,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
 
   int getParameterPos() { p.isParameterOf(_, result) }
 
+  ParamNodeEx getParamNode() { result = p }
+
   override string toString() { result = p + ": " + ap }
 
   predicate hasLocationInfo(
@@ -3044,7 +3103,11 @@ private newtype TPathNode =
     // A PathNode is introduced by a source ...
     Stage4::revFlow(node, config) and
     sourceNode(node, config) and
-    cc instanceof CallContextAny and
+    (
+      if hasSourceCallCtx(config)
+      then cc instanceof CallContextSomeCall
+      else cc instanceof CallContextAny
+    ) and
     sc instanceof SummaryCtxNone and
     ap = TAccessPathNil(node.getDataFlowType())
     or
@@ -3056,17 +3119,10 @@ private newtype TPathNode =
     )
   } or
   TPathNodeSink(NodeEx node, Configuration config) {
-    sinkNode(node, pragma[only_bind_into](config)) and
-    Stage4::revFlow(node, pragma[only_bind_into](config)) and
-    (
-      // A sink that is also a source ...
-      sourceNode(node, config)
-      or
-      // ... or a sink that can be reached from a source
-      exists(PathNodeMid mid |
-        pathStep(mid, node, _, _, TAccessPathNil(_)) and
-        pragma[only_bind_into](config) = mid.getConfiguration()
-      )
+    exists(PathNodeMid sink |
+      sink.isAtSink() and
+      node = sink.getNodeEx() and
+      config = sink.getConfiguration()
     )
   }
 
@@ -3170,7 +3226,7 @@ private class AccessPathCons extends AccessPath, TAccessPathCons {
   }
 
   override string toString() {
-    result = "[" + this.toStringImpl(true) + length().toString() + ")]"
+    result = "[" + this.toStringImpl(true) + this.length().toString() + ")]"
     or
     result = "[" + this.toStringImpl(false)
   }
@@ -3309,9 +3365,11 @@ abstract private class PathNodeImpl extends PathNode {
     result = " <" + this.(PathNodeMid).getCallContext().toString() + ">"
   }
 
-  override string toString() { result = this.getNodeEx().toString() + ppAp() }
+  override string toString() { result = this.getNodeEx().toString() + this.ppAp() }
 
-  override string toStringWithContext() { result = this.getNodeEx().toString() + ppAp() + ppCtx() }
+  override string toStringWithContext() {
+    result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx()
+  }
 
   override predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
@@ -3379,24 +3437,48 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
 
   override PathNodeImpl getASuccessorImpl() {
     // an intermediate step to another intermediate node
-    result = getSuccMid()
+    result = this.getSuccMid()
     or
-    // a final step to a sink via zero steps means we merge the last two steps to prevent trivial-looking edges
-    exists(PathNodeMid mid, PathNodeSink sink |
-      mid = getSuccMid() and
-      mid.getNodeEx() = sink.getNodeEx() and
-      mid.getAp() instanceof AccessPathNil and
-      sink.getConfiguration() = unbindConf(mid.getConfiguration()) and
-      result = sink
-    )
+    // a final step to a sink
+    result = this.getSuccMid().projectToSink()
   }
 
   override predicate isSource() {
     sourceNode(node, config) and
-    cc instanceof CallContextAny and
+    (
+      if hasSourceCallCtx(config)
+      then cc instanceof CallContextSomeCall
+      else cc instanceof CallContextAny
+    ) and
     sc instanceof SummaryCtxNone and
     ap instanceof AccessPathNil
   }
+
+  predicate isAtSink() {
+    sinkNode(node, config) and
+    ap instanceof AccessPathNil and
+    if hasSinkCallCtx(config)
+    then
+      // For `FeatureHasSinkCallContext` the condition `cc instanceof CallContextNoCall`
+      // is exactly what we need to check. This also implies
+      // `sc instanceof SummaryCtxNone`.
+      // For `FeatureEqualSourceSinkCallContext` the initial call context was
+      // set to `CallContextSomeCall` and jumps are disallowed, so
+      // `cc instanceof CallContextNoCall` never holds. On the other hand,
+      // in this case there's never any need to enter a call except to identify
+      // a summary, so the condition in `pathIntoCallable` enforces this, which
+      // means that `sc instanceof SummaryCtxNone` holds if and only if we are
+      // in the call context of the source.
+      sc instanceof SummaryCtxNone or
+      cc instanceof CallContextNoCall
+    else any()
+  }
+
+  PathNodeSink projectToSink() {
+    this.isAtSink() and
+    result.getNodeEx() = node and
+    result.getConfiguration() = unbindConf(config)
+  }
 }
 
 /**
@@ -3460,7 +3542,7 @@ private predicate pathStep(
   exists(TypedContent tc | pathReadStep(mid, node, ap.push(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
   or
-  pathIntoCallable(mid, node, _, cc, sc, _) and ap = mid.getAp()
+  pathIntoCallable(mid, node, _, cc, sc, _, _) and ap = mid.getAp()
   or
   pathOutOfCallable(mid, node, cc) and ap = mid.getAp() and sc instanceof SummaryCtxNone
   or
@@ -3537,18 +3619,20 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
  */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
+  Configuration config
 ) {
   exists(ArgNode arg |
     arg = mid.getNodeEx().asNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
     ap = mid.getAp() and
-    apa = ap.getApprox()
+    apa = ap.getApprox() and
+    config = mid.getConfiguration()
   )
 }
 
-pragma[noinline]
+pragma[nomagic]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
@@ -3561,12 +3645,14 @@ private predicate parameterCand(
 pragma[nomagic]
 private predicate pathIntoCallable0(
   PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
-  AccessPath ap
+  AccessPath ap, Configuration config
 ) {
   exists(AccessPathApprox apa |
-    pathIntoArg(mid, i, outercc, call, ap, apa) and
+    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
+      pragma[only_bind_into](config)) and
     callable = resolveCall(call, outercc) and
-    parameterCand(callable, any(int j | j <= i and j >= i), apa, mid.getConfiguration())
+    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
+      pragma[only_bind_into](config))
   )
 }
 
@@ -3575,18 +3661,23 @@ private predicate pathIntoCallable0(
  * before and after entering the callable are `outercc` and `innercc`,
  * respectively.
  */
+pragma[nomagic]
 private predicate pathIntoCallable(
   PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
-  DataFlowCall call
+  DataFlowCall call, Configuration config
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, i, outercc, call, ap) and
+    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
     p.isParameterOf(callable, i) and
     (
       sc = TSummaryCtxSome(p, ap)
       or
       not exists(TSummaryCtxSome(p, ap)) and
-      sc = TSummaryCtxNone()
+      sc = TSummaryCtxNone() and
+      // When the call contexts of source and sink needs to match then there's
+      // never any reason to enter a callable except to find a summary. See also
+      // the comment in `PathNodeMid::isAtSink`.
+      not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
     )
   |
     if recordDataFlowCallSite(call, callable)
@@ -3610,18 +3701,23 @@ private predicate paramFlowsThrough(
     ap = mid.getAp() and
     apa = ap.getApprox() and
     pos = sc.getParameterPos() and
-    not kind.(ParamUpdateReturnKind).getPosition() = pos
+    // we don't expect a parameter to return stored in itself, unless explicitly allowed
+    (
+      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      or
+      sc.getParamNode().allowParameterReturnInSelf()
+    )
   )
 }
 
 pragma[nomagic]
 private predicate pathThroughCallable0(
   DataFlowCall call, PathNodeMid mid, ReturnKindExt kind, CallContext cc, AccessPath ap,
-  AccessPathApprox apa
+  AccessPathApprox apa, Configuration config
 ) {
   exists(CallContext innercc, SummaryCtx sc |
-    pathIntoCallable(mid, _, cc, innercc, sc, call) and
-    paramFlowsThrough(kind, innercc, sc, ap, apa, unbindConf(mid.getConfiguration()))
+    pathIntoCallable(mid, _, cc, innercc, sc, call, config) and
+    paramFlowsThrough(kind, innercc, sc, ap, apa, config)
   )
 }
 
@@ -3631,9 +3727,9 @@ private predicate pathThroughCallable0(
  */
 pragma[noinline]
 private predicate pathThroughCallable(PathNodeMid mid, NodeEx out, CallContext cc, AccessPath ap) {
-  exists(DataFlowCall call, ReturnKindExt kind, AccessPathApprox apa |
-    pathThroughCallable0(call, mid, kind, cc, ap, apa) and
-    out = getAnOutNodeFlow(kind, call, apa, unbindConf(mid.getConfiguration()))
+  exists(DataFlowCall call, ReturnKindExt kind, AccessPathApprox apa, Configuration config |
+    pathThroughCallable0(call, mid, kind, cc, ap, apa, config) and
+    out = getAnOutNodeFlow(kind, call, apa, config)
   )
 }
 
@@ -3647,10 +3743,11 @@ private module Subpaths {
     PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
-    pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
-    pathIntoCallable(arg, par, _, innercc, sc, _) and
-    paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _,
-      unbindConf(arg.getConfiguration()))
+    exists(Configuration config |
+      pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
+      pathIntoCallable(arg, par, _, innercc, sc, _, config) and
+      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config))
+    )
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll

@@ -2,6 +2,42 @@ private import DataFlowImplSpecific::Private
 private import DataFlowImplSpecific::Public
 import Cached
 
+module DataFlowImplCommonPublic {
+  private newtype TFlowFeature =
+    TFeatureHasSourceCallContext() or
+    TFeatureHasSinkCallContext() or
+    TFeatureEqualSourceSinkCallContext()
+
+  /** A flow configuration feature for use in `Configuration::getAFeature()`. */
+  class FlowFeature extends TFlowFeature {
+    string toString() { none() }
+  }
+
+  /**
+   * A flow configuration feature that implies that sources have some existing
+   * call context.
+   */
+  class FeatureHasSourceCallContext extends FlowFeature, TFeatureHasSourceCallContext {
+    override string toString() { result = "FeatureHasSourceCallContext" }
+  }
+
+  /**
+   * A flow configuration feature that implies that sinks have some existing
+   * call context.
+   */
+  class FeatureHasSinkCallContext extends FlowFeature, TFeatureHasSinkCallContext {
+    override string toString() { result = "FeatureHasSinkCallContext" }
+  }
+
+  /**
+   * A flow configuration feature that implies that source-sink pairs have some
+   * shared existing call context.
+   */
+  class FeatureEqualSourceSinkCallContext extends FlowFeature, TFeatureEqualSourceSinkCallContext {
+    override string toString() { result = "FeatureEqualSourceSinkCallContext" }
+  }
+}
+
 /**
  * The cost limits for the `AccessPathFront` to `AccessPathApprox` expansion.
  *
@@ -251,7 +287,7 @@ private module Cached {
   predicate forceCachingInSameStage() { any() }
 
   cached
-  predicate nodeEnclosingCallable(Node n, DataFlowCallable c) { c = n.getEnclosingCallable() }
+  predicate nodeEnclosingCallable(Node n, DataFlowCallable c) { c = nodeGetEnclosingCallable(n) }
 
   cached
   predicate callEnclosingCallable(DataFlowCall call, DataFlowCallable c) {
@@ -316,9 +352,7 @@ private module Cached {
   }
 
   cached
-  predicate parameterNode(Node n, DataFlowCallable c, int i) {
-    n.(ParameterNode).isParameterOf(c, i)
-  }
+  predicate parameterNode(Node p, DataFlowCallable c, int pos) { isParameterNode(p, c, pos) }
 
   cached
   predicate argumentNode(Node n, DataFlowCall call, int pos) {
@@ -801,6 +835,9 @@ private module Cached {
     exists(Node n | getNodeEnclosingCallable(n) = callable | isUnreachableInCallCached(n, call))
   }
 
+  cached
+  predicate allowParameterReturnInSelfCached(ParamNode p) { allowParameterReturnInSelf(p) }
+
   cached
   newtype TCallContext =
     TAnyCallContext() or

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll

@@ -31,7 +31,7 @@ module Consistency {
   query predicate uniqueEnclosingCallable(Node n, string msg) {
     exists(int c |
       n instanceof RelevantNode and
-      c = count(n.getEnclosingCallable()) and
+      c = count(nodeGetEnclosingCallable(n)) and
       c != 1 and
       msg = "Node should have one enclosing callable but has " + c + "."
     )
@@ -85,13 +85,13 @@ module Consistency {
   }
 
   query predicate parameterCallable(ParameterNode p, string msg) {
-    exists(DataFlowCallable c | p.isParameterOf(c, _) and c != p.getEnclosingCallable()) and
+    exists(DataFlowCallable c | isParameterNode(p, c, _) and c != nodeGetEnclosingCallable(p)) and
     msg = "Callable mismatch for parameter."
   }
 
   query predicate localFlowIsLocal(Node n1, Node n2, string msg) {
     simpleLocalFlowStep(n1, n2) and
-    n1.getEnclosingCallable() != n2.getEnclosingCallable() and
+    nodeGetEnclosingCallable(n1) != nodeGetEnclosingCallable(n2) and
     msg = "Local flow step does not preserve enclosing callable."
   }
 
@@ -106,7 +106,7 @@ module Consistency {
   query predicate unreachableNodeCCtx(Node n, DataFlowCall call, string msg) {
     isUnreachableInCall(n, call) and
     exists(DataFlowCallable c |
-      c = n.getEnclosingCallable() and
+      c = nodeGetEnclosingCallable(n) and
       not viableCallable(call) = c
     ) and
     msg = "Call context for isUnreachableInCall is inconsistent with call graph."
@@ -120,7 +120,7 @@ module Consistency {
       n.(ArgumentNode).argumentOf(call, _) and
       msg = "ArgumentNode and call does not share enclosing callable."
     ) and
-    n.getEnclosingCallable() != call.getEnclosingCallable()
+    nodeGetEnclosingCallable(n) != call.getEnclosingCallable()
   }
 
   // This predicate helps the compiler forget that in some languages
@@ -151,7 +151,7 @@ module Consistency {
   }
 
   query predicate postIsInSameCallable(PostUpdateNode n, string msg) {
-    n.getEnclosingCallable() != n.getPreUpdateNode().getEnclosingCallable() and
+    nodeGetEnclosingCallable(n) != nodeGetEnclosingCallable(n.getPreUpdateNode()) and
     msg = "PostUpdateNode does not share callable with its pre-update node."
   }
 
@@ -175,6 +175,7 @@ module Consistency {
 
   query predicate postWithInFlow(Node n, string msg) {
     isPostUpdateNode(n) and
+    not clearsContent(n, _) and
     simpleLocalFlowStep(_, n) and
     msg = "PostUpdateNode should not be the target of local flow."
   }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll

@@ -10,6 +10,7 @@
 private import DataFlowImplCommon
 private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
+import DataFlowImplCommonPublic
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -94,6 +95,22 @@ abstract class Configuration extends string {
    */
   int fieldFlowBranchLimit() { result = 2 }
 
+  /**
+   * Gets a data flow configuration feature to add restrictions to the set of
+   * valid flow paths.
+   *
+   * - `FeatureHasSourceCallContext`:
+   *    Assume that sources have some existing call context to disallow
+   *    conflicting return-flow directly following the source.
+   * - `FeatureHasSinkCallContext`:
+   *    Assume that sinks have some existing call context to disallow
+   *    conflicting argument-to-parameter flow directly preceding the sink.
+   * - `FeatureEqualSourceSinkCallContext`:
+   *    Implies both of the above and additionally ensures that the entire flow
+   *    path preserves the call context.
+   */
+  FlowFeature getAFeature() { none() }
+
   /**
    * Holds if data may flow from `source` to `sink` for this configuration.
    */
@@ -110,12 +127,12 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) { hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowToExpr(DataFlowExpr sink) { hasFlowTo(exprNode(sink)) }
+  predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
   /**
    * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
@@ -244,6 +261,8 @@ private class ParamNodeEx extends NodeEx {
   }
 
   int getPosition() { this.isParameterOf(_, result) }
+
+  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
 
 private class RetNodeEx extends NodeEx {
@@ -347,7 +366,8 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
     not outBarrier(node1, config) and
     not inBarrier(node2, config) and
     not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    not fullBarrier(node2, config) and
+    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
   )
 }
 
@@ -363,7 +383,8 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
     not outBarrier(node1, config) and
     not inBarrier(node2, config) and
     not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    not fullBarrier(node2, config) and
+    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
   )
 }
 
@@ -399,6 +420,20 @@ private predicate viableParamArgEx(DataFlowCall call, ParamNodeEx p, ArgNodeEx a
  */
 private predicate useFieldFlow(Configuration config) { config.fieldFlowBranchLimit() >= 1 }
 
+private predicate hasSourceCallCtx(Configuration config) {
+  exists(FlowFeature feature | feature = config.getAFeature() |
+    feature instanceof FeatureHasSourceCallContext or
+    feature instanceof FeatureEqualSourceSinkCallContext
+  )
+}
+
+private predicate hasSinkCallCtx(Configuration config) {
+  exists(FlowFeature feature | feature = config.getAFeature() |
+    feature instanceof FeatureHasSinkCallContext or
+    feature instanceof FeatureEqualSourceSinkCallContext
+  )
+}
+
 private module Stage1 {
   class ApApprox = Unit;
 
@@ -419,7 +454,7 @@ private module Stage1 {
     not fullBarrier(node, config) and
     (
       sourceNode(node, config) and
-      cc = false
+      if hasSourceCallCtx(config) then cc = true else cc = false
       or
       exists(NodeEx mid |
         fwdFlow(mid, cc, config) and
@@ -549,7 +584,7 @@ private module Stage1 {
   private predicate revFlow0(NodeEx node, boolean toReturn, Configuration config) {
     fwdFlow(node, config) and
     sinkNode(node, config) and
-    toReturn = false
+    if hasSinkCallCtx(config) then toReturn = true else toReturn = false
     or
     exists(NodeEx mid |
       localFlowStep(node, mid, config) and
@@ -744,8 +779,12 @@ private module Stage1 {
       returnFlowCallableNodeCand(c, kind, config) and
       p.getEnclosingCallable() = c and
       exists(ap) and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -931,6 +970,8 @@ private module Stage2 {
 
   Cc ccNone() { result instanceof CallContextAny }
 
+  CcCall ccSomeCall() { result instanceof CallContextSomeCall }
+
   private class LocalCc = Unit;
 
   bindingset[call, c, outercc]
@@ -998,7 +1039,7 @@ private module Stage2 {
   predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
-    cc = ccNone() and
+    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
     argAp = apNone() and
     ap = getApNil(node)
     or
@@ -1209,7 +1250,7 @@ private module Stage2 {
   ) {
     fwdFlow(node, _, _, ap, config) and
     sinkNode(node, config) and
-    toReturn = false and
+    (if hasSinkCallCtx(config) then toReturn = true else toReturn = false) and
     returnAp = apNone() and
     ap instanceof ApNil
     or
@@ -1394,8 +1435,12 @@ private module Stage2 {
       fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
       kind = ret.getKind() and
       p.getPosition() = pos and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = pos
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -1606,6 +1651,8 @@ private module Stage3 {
 
   Cc ccNone() { result = false }
 
+  CcCall ccSomeCall() { result = true }
+
   private class LocalCc = Unit;
 
   bindingset[call, c, outercc]
@@ -1687,7 +1734,7 @@ private module Stage3 {
   private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
-    cc = ccNone() and
+    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
     argAp = apNone() and
     ap = getApNil(node)
     or
@@ -1898,7 +1945,7 @@ private module Stage3 {
   ) {
     fwdFlow(node, _, _, ap, config) and
     sinkNode(node, config) and
-    toReturn = false and
+    (if hasSinkCallCtx(config) then toReturn = true else toReturn = false) and
     returnAp = apNone() and
     ap instanceof ApNil
     or
@@ -2083,8 +2130,12 @@ private module Stage3 {
       fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
       kind = ret.getKind() and
       p.getPosition() = pos and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = pos
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -2352,6 +2403,8 @@ private module Stage4 {
 
   Cc ccNone() { result instanceof CallContextAny }
 
+  CcCall ccSomeCall() { result instanceof CallContextSomeCall }
+
   private class LocalCc = LocalCallContext;
 
   bindingset[call, c, outercc]
@@ -2447,7 +2500,7 @@ private module Stage4 {
   private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
-    cc = ccNone() and
+    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
     argAp = apNone() and
     ap = getApNil(node)
     or
@@ -2658,7 +2711,7 @@ private module Stage4 {
   ) {
     fwdFlow(node, _, _, ap, config) and
     sinkNode(node, config) and
-    toReturn = false and
+    (if hasSinkCallCtx(config) then toReturn = true else toReturn = false) and
     returnAp = apNone() and
     ap instanceof ApNil
     or
@@ -2843,8 +2896,12 @@ private module Stage4 {
       fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
       kind = ret.getKind() and
       p.getPosition() = pos and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = pos
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -2917,6 +2974,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
 
   int getParameterPos() { p.isParameterOf(_, result) }
 
+  ParamNodeEx getParamNode() { result = p }
+
   override string toString() { result = p + ": " + ap }
 
   predicate hasLocationInfo(
@@ -3044,7 +3103,11 @@ private newtype TPathNode =
     // A PathNode is introduced by a source ...
     Stage4::revFlow(node, config) and
     sourceNode(node, config) and
-    cc instanceof CallContextAny and
+    (
+      if hasSourceCallCtx(config)
+      then cc instanceof CallContextSomeCall
+      else cc instanceof CallContextAny
+    ) and
     sc instanceof SummaryCtxNone and
     ap = TAccessPathNil(node.getDataFlowType())
     or
@@ -3056,17 +3119,10 @@ private newtype TPathNode =
     )
   } or
   TPathNodeSink(NodeEx node, Configuration config) {
-    sinkNode(node, pragma[only_bind_into](config)) and
-    Stage4::revFlow(node, pragma[only_bind_into](config)) and
-    (
-      // A sink that is also a source ...
-      sourceNode(node, config)
-      or
-      // ... or a sink that can be reached from a source
-      exists(PathNodeMid mid |
-        pathStep(mid, node, _, _, TAccessPathNil(_)) and
-        pragma[only_bind_into](config) = mid.getConfiguration()
-      )
+    exists(PathNodeMid sink |
+      sink.isAtSink() and
+      node = sink.getNodeEx() and
+      config = sink.getConfiguration()
     )
   }
 
@@ -3170,7 +3226,7 @@ private class AccessPathCons extends AccessPath, TAccessPathCons {
   }
 
   override string toString() {
-    result = "[" + this.toStringImpl(true) + length().toString() + ")]"
+    result = "[" + this.toStringImpl(true) + this.length().toString() + ")]"
     or
     result = "[" + this.toStringImpl(false)
   }
@@ -3309,9 +3365,11 @@ abstract private class PathNodeImpl extends PathNode {
     result = " <" + this.(PathNodeMid).getCallContext().toString() + ">"
   }
 
-  override string toString() { result = this.getNodeEx().toString() + ppAp() }
+  override string toString() { result = this.getNodeEx().toString() + this.ppAp() }
 
-  override string toStringWithContext() { result = this.getNodeEx().toString() + ppAp() + ppCtx() }
+  override string toStringWithContext() {
+    result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx()
+  }
 
   override predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
@@ -3379,24 +3437,48 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
 
   override PathNodeImpl getASuccessorImpl() {
     // an intermediate step to another intermediate node
-    result = getSuccMid()
+    result = this.getSuccMid()
     or
-    // a final step to a sink via zero steps means we merge the last two steps to prevent trivial-looking edges
-    exists(PathNodeMid mid, PathNodeSink sink |
-      mid = getSuccMid() and
-      mid.getNodeEx() = sink.getNodeEx() and
-      mid.getAp() instanceof AccessPathNil and
-      sink.getConfiguration() = unbindConf(mid.getConfiguration()) and
-      result = sink
-    )
+    // a final step to a sink
+    result = this.getSuccMid().projectToSink()
   }
 
   override predicate isSource() {
     sourceNode(node, config) and
-    cc instanceof CallContextAny and
+    (
+      if hasSourceCallCtx(config)
+      then cc instanceof CallContextSomeCall
+      else cc instanceof CallContextAny
+    ) and
     sc instanceof SummaryCtxNone and
     ap instanceof AccessPathNil
   }
+
+  predicate isAtSink() {
+    sinkNode(node, config) and
+    ap instanceof AccessPathNil and
+    if hasSinkCallCtx(config)
+    then
+      // For `FeatureHasSinkCallContext` the condition `cc instanceof CallContextNoCall`
+      // is exactly what we need to check. This also implies
+      // `sc instanceof SummaryCtxNone`.
+      // For `FeatureEqualSourceSinkCallContext` the initial call context was
+      // set to `CallContextSomeCall` and jumps are disallowed, so
+      // `cc instanceof CallContextNoCall` never holds. On the other hand,
+      // in this case there's never any need to enter a call except to identify
+      // a summary, so the condition in `pathIntoCallable` enforces this, which
+      // means that `sc instanceof SummaryCtxNone` holds if and only if we are
+      // in the call context of the source.
+      sc instanceof SummaryCtxNone or
+      cc instanceof CallContextNoCall
+    else any()
+  }
+
+  PathNodeSink projectToSink() {
+    this.isAtSink() and
+    result.getNodeEx() = node and
+    result.getConfiguration() = unbindConf(config)
+  }
 }
 
 /**
@@ -3460,7 +3542,7 @@ private predicate pathStep(
   exists(TypedContent tc | pathReadStep(mid, node, ap.push(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
   or
-  pathIntoCallable(mid, node, _, cc, sc, _) and ap = mid.getAp()
+  pathIntoCallable(mid, node, _, cc, sc, _, _) and ap = mid.getAp()
   or
   pathOutOfCallable(mid, node, cc) and ap = mid.getAp() and sc instanceof SummaryCtxNone
   or
@@ -3537,18 +3619,20 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
  */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
+  Configuration config
 ) {
   exists(ArgNode arg |
     arg = mid.getNodeEx().asNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
     ap = mid.getAp() and
-    apa = ap.getApprox()
+    apa = ap.getApprox() and
+    config = mid.getConfiguration()
   )
 }
 
-pragma[noinline]
+pragma[nomagic]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
@@ -3561,12 +3645,14 @@ private predicate parameterCand(
 pragma[nomagic]
 private predicate pathIntoCallable0(
   PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
-  AccessPath ap
+  AccessPath ap, Configuration config
 ) {
   exists(AccessPathApprox apa |
-    pathIntoArg(mid, i, outercc, call, ap, apa) and
+    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
+      pragma[only_bind_into](config)) and
     callable = resolveCall(call, outercc) and
-    parameterCand(callable, any(int j | j <= i and j >= i), apa, mid.getConfiguration())
+    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
+      pragma[only_bind_into](config))
   )
 }
 
@@ -3575,18 +3661,23 @@ private predicate pathIntoCallable0(
  * before and after entering the callable are `outercc` and `innercc`,
  * respectively.
  */
+pragma[nomagic]
 private predicate pathIntoCallable(
   PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
-  DataFlowCall call
+  DataFlowCall call, Configuration config
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, i, outercc, call, ap) and
+    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
     p.isParameterOf(callable, i) and
     (
       sc = TSummaryCtxSome(p, ap)
       or
       not exists(TSummaryCtxSome(p, ap)) and
-      sc = TSummaryCtxNone()
+      sc = TSummaryCtxNone() and
+      // When the call contexts of source and sink needs to match then there's
+      // never any reason to enter a callable except to find a summary. See also
+      // the comment in `PathNodeMid::isAtSink`.
+      not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
     )
   |
     if recordDataFlowCallSite(call, callable)
@@ -3610,18 +3701,23 @@ private predicate paramFlowsThrough(
     ap = mid.getAp() and
     apa = ap.getApprox() and
     pos = sc.getParameterPos() and
-    not kind.(ParamUpdateReturnKind).getPosition() = pos
+    // we don't expect a parameter to return stored in itself, unless explicitly allowed
+    (
+      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      or
+      sc.getParamNode().allowParameterReturnInSelf()
+    )
   )
 }
 
 pragma[nomagic]
 private predicate pathThroughCallable0(
   DataFlowCall call, PathNodeMid mid, ReturnKindExt kind, CallContext cc, AccessPath ap,
-  AccessPathApprox apa
+  AccessPathApprox apa, Configuration config
 ) {
   exists(CallContext innercc, SummaryCtx sc |
-    pathIntoCallable(mid, _, cc, innercc, sc, call) and
-    paramFlowsThrough(kind, innercc, sc, ap, apa, unbindConf(mid.getConfiguration()))
+    pathIntoCallable(mid, _, cc, innercc, sc, call, config) and
+    paramFlowsThrough(kind, innercc, sc, ap, apa, config)
   )
 }
 
@@ -3631,9 +3727,9 @@ private predicate pathThroughCallable0(
  */
 pragma[noinline]
 private predicate pathThroughCallable(PathNodeMid mid, NodeEx out, CallContext cc, AccessPath ap) {
-  exists(DataFlowCall call, ReturnKindExt kind, AccessPathApprox apa |
-    pathThroughCallable0(call, mid, kind, cc, ap, apa) and
-    out = getAnOutNodeFlow(kind, call, apa, unbindConf(mid.getConfiguration()))
+  exists(DataFlowCall call, ReturnKindExt kind, AccessPathApprox apa, Configuration config |
+    pathThroughCallable0(call, mid, kind, cc, ap, apa, config) and
+    out = getAnOutNodeFlow(kind, call, apa, config)
   )
 }
 
@@ -3647,10 +3743,11 @@ private module Subpaths {
     PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
-    pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
-    pathIntoCallable(arg, par, _, innercc, sc, _) and
-    paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _,
-      unbindConf(arg.getConfiguration()))
+    exists(Configuration config |
+      pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
+      pathIntoCallable(arg, par, _, innercc, sc, _, config) and
+      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config))
+    )
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll

@@ -3,6 +3,12 @@ private import DataFlowUtil
 private import DataFlowDispatch
 private import FlowVar
 
+/** Gets the callable in which this node occurs. */
+DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.getEnclosingCallable() }
+
+/** Holds if `p` is a `ParameterNode` of `c` with position `pos`. */
+predicate isParameterNode(ParameterNode p, DataFlowCallable c, int pos) { p.isParameterOf(c, pos) }
+
 /** Gets the instance argument of a non-static call. */
 private Node getInstanceArgument(Call call) {
   result.asExpr() = call.getQualifier()
@@ -287,3 +293,12 @@ predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) { no
 
 /** Extra data-flow steps needed for lambda flow analysis. */
 predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) { none() }
+
+/**
+ * Holds if flow is allowed to pass from parameter `p` and back to itself as a
+ * side-effect, resulting in a summary from `p` to itself.
+ *
+ * One example would be to allow flow like `p.foo = p.bar;`, which is disallowed
+ * by default as a heuristic.
+ */
+predicate allowParameterReturnInSelf(ParameterNode p) { none() }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll

@@ -106,13 +106,13 @@ class Node extends TNode {
   predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
   ) {
-    getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+    this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
   }
 
   /**
    * Gets an upper bound on the type of this node.
    */
-  Type getTypeBound() { result = getType() }
+  Type getTypeBound() { result = this.getType() }
 }
 
 /**
@@ -293,11 +293,11 @@ abstract class PostUpdateNode extends Node {
    */
   abstract Node getPreUpdateNode();
 
-  override Function getFunction() { result = getPreUpdateNode().getFunction() }
+  override Function getFunction() { result = this.getPreUpdateNode().getFunction() }
 
-  override Type getType() { result = getPreUpdateNode().getType() }
+  override Type getType() { result = this.getPreUpdateNode().getType() }
 
-  override Location getLocation() { result = getPreUpdateNode().getLocation() }
+  override Location getLocation() { result = this.getPreUpdateNode().getLocation() }
 }
 
 abstract private class PartialDefinitionNode extends PostUpdateNode, TPartialDefinitionNode {
@@ -309,7 +309,7 @@ abstract private class PartialDefinitionNode extends PostUpdateNode, TPartialDef
 
   PartialDefinition getPartialDefinition() { result = pd }
 
-  override string toString() { result = getPreUpdateNode().toString() + " [post update]" }
+  override string toString() { result = this.getPreUpdateNode().toString() + " [post update]" }
 }
 
 private class VariablePartialDefinitionNode extends PartialDefinitionNode {
@@ -380,13 +380,13 @@ private class ObjectInitializerNode extends PostUpdateNode, TExprNode {
 class PreObjectInitializerNode extends Node, TPreObjectInitializerNode {
   Expr getExpr() { this = TPreObjectInitializerNode(result) }
 
-  override Function getFunction() { result = getExpr().getEnclosingFunction() }
+  override Function getFunction() { result = this.getExpr().getEnclosingFunction() }
 
-  override Type getType() { result = getExpr().getType() }
+  override Type getType() { result = this.getExpr().getType() }
 
-  override Location getLocation() { result = getExpr().getLocation() }
+  override Location getLocation() { result = this.getExpr().getLocation() }
 
-  override string toString() { result = getExpr().toString() + " [pre init]" }
+  override string toString() { result = this.getExpr().toString() + " [pre init]" }
 }
 
 /**
@@ -401,7 +401,7 @@ private class PostConstructorInitThis extends PostUpdateNode, TPostConstructorIn
   }
 
   override string toString() {
-    result = getPreUpdateNode().getConstructorFieldInit().toString() + " [post-this]"
+    result = this.getPreUpdateNode().getConstructorFieldInit().toString() + " [post-this]"
   }
 }
 
@@ -416,15 +416,17 @@ private class PostConstructorInitThis extends PostUpdateNode, TPostConstructorIn
 class PreConstructorInitThis extends Node, TPreConstructorInitThis {
   ConstructorFieldInit getConstructorFieldInit() { this = TPreConstructorInitThis(result) }
 
-  override Constructor getFunction() { result = getConstructorFieldInit().getEnclosingFunction() }
-
-  override PointerType getType() {
-    result.getBaseType() = getConstructorFieldInit().getEnclosingFunction().getDeclaringType()
+  override Constructor getFunction() {
+    result = this.getConstructorFieldInit().getEnclosingFunction()
   }
 
-  override Location getLocation() { result = getConstructorFieldInit().getLocation() }
+  override PointerType getType() {
+    result.getBaseType() = this.getConstructorFieldInit().getEnclosingFunction().getDeclaringType()
+  }
 
-  override string toString() { result = getConstructorFieldInit().toString() + " [pre-this]" }
+  override Location getLocation() { result = this.getConstructorFieldInit().getLocation() }
+
+  override string toString() { result = this.getConstructorFieldInit().toString() + " [pre-this]" }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowVar.qll

@@ -354,7 +354,7 @@ module FlowVar_internal {
         result = def.getAUse(v)
         or
         exists(SsaDefinition descendentDef |
-          getASuccessorSsaVar+() = TSsaVar(descendentDef, _) and
+          this.getASuccessorSsaVar+() = TSsaVar(descendentDef, _) and
           result = descendentDef.getAUse(v)
         )
       )
@@ -515,7 +515,7 @@ module FlowVar_internal {
       this.bbInLoopCondition(bbInside) and
       not this.bbInLoop(bbOutside) and
       bbOutside = bbInside.getASuccessor() and
-      not reachesWithoutAssignment(bbInside, v)
+      not this.reachesWithoutAssignment(bbInside, v)
     }
 
     /**
@@ -546,7 +546,7 @@ module FlowVar_internal {
     private predicate bbInLoop(BasicBlock bb) {
       bbDominates(this.(Loop).getStmt(), bb)
       or
-      bbInLoopCondition(bb)
+      this.bbInLoopCondition(bb)
     }
 
     /** Holds if `sbb` is inside this loop. */
@@ -563,7 +563,7 @@ module FlowVar_internal {
         bb = this.(Loop).getStmt() and
         v = this.getARelevantVariable()
         or
-        reachesWithoutAssignment(bb.getAPredecessor(), v) and
+        this.reachesWithoutAssignment(bb.getAPredecessor(), v) and
         this.bbInLoop(bb)
       ) and
       not assignsToVar(bb, v)

cpp/ql/lib/semmle/code/cpp/dataflow/internal/SubBasicBlocks.qll

@@ -80,7 +80,7 @@ class SubBasicBlock extends ControlFlowNodeBase {
    * returns a 0-based position, while `getRankInBasicBlock` returns a 1-based
    * position.
    */
-  deprecated int getPosInBasicBlock(BasicBlock bb) { result = getRankInBasicBlock(bb) - 1 }
+  deprecated int getPosInBasicBlock(BasicBlock bb) { result = this.getRankInBasicBlock(bb) - 1 }
 
   pragma[noinline]
   private int getIndexInBasicBlock(BasicBlock bb) { this = bb.getNode(result) }
@@ -102,7 +102,7 @@ class SubBasicBlock extends ControlFlowNodeBase {
     exists(BasicBlock bb |
       exists(int outerIndex |
         result = bb.getNode(outerIndex) and
-        index = outerToInnerIndex(bb, outerIndex)
+        index = this.outerToInnerIndex(bb, outerIndex)
       )
     )
   }

cpp/ql/lib/semmle/code/cpp/exprs/Access.qll

@@ -203,7 +203,7 @@ class PointerFieldAccess extends FieldAccess {
 
   PointerFieldAccess() {
     exists(PointerType t |
-      t = getQualifier().getFullyConverted().getUnspecifiedType() and
+      t = this.getQualifier().getFullyConverted().getUnspecifiedType() and
       t.getBaseType() instanceof Class
     )
   }
@@ -218,7 +218,9 @@ class PointerFieldAccess extends FieldAccess {
 class DotFieldAccess extends FieldAccess {
   override string getAPrimaryQlClass() { result = "DotFieldAccess" }
 
-  DotFieldAccess() { exists(Class c | c = getQualifier().getFullyConverted().getUnspecifiedType()) }
+  DotFieldAccess() {
+    exists(Class c | c = this.getQualifier().getFullyConverted().getUnspecifiedType())
+  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/exprs/ArithmeticOperation.qll

@@ -148,7 +148,7 @@ class PostfixIncrExpr extends IncrementOperation, PostfixCrementOperation, @post
 
   override int getPrecedence() { result = 17 }
 
-  override string toString() { result = "... " + getOperator() }
+  override string toString() { result = "... " + this.getOperator() }
 }
 
 /**
@@ -166,7 +166,7 @@ class PostfixDecrExpr extends DecrementOperation, PostfixCrementOperation, @post
 
   override int getPrecedence() { result = 17 }
 
-  override string toString() { result = "... " + getOperator() }
+  override string toString() { result = "... " + this.getOperator() }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/exprs/BuiltInOperations.qll

@@ -35,12 +35,12 @@ class BuiltInVarArgsStart extends VarArgsExpr, @vastartexpr {
   /**
    * Gets the `va_list` argument.
    */
-  final Expr getVAList() { result = getChild(0) }
+  final Expr getVAList() { result = this.getChild(0) }
 
   /**
    * Gets the argument that specifies the last named parameter before the ellipsis.
    */
-  final VariableAccess getLastNamedParameter() { result = getChild(1) }
+  final VariableAccess getLastNamedParameter() { result = this.getChild(1) }
 }
 
 /**
@@ -60,7 +60,7 @@ class BuiltInVarArgsEnd extends VarArgsExpr, @vaendexpr {
   /**
    * Gets the `va_list` argument.
    */
-  final Expr getVAList() { result = getChild(0) }
+  final Expr getVAList() { result = this.getChild(0) }
 }
 
 /**
@@ -78,7 +78,7 @@ class BuiltInVarArg extends VarArgsExpr, @vaargexpr {
   /**
    * Gets the `va_list` argument.
    */
-  final Expr getVAList() { result = getChild(0) }
+  final Expr getVAList() { result = this.getChild(0) }
 }
 
 /**
@@ -98,12 +98,12 @@ class BuiltInVarArgCopy extends VarArgsExpr, @vacopyexpr {
   /**
    * Gets the destination `va_list` argument.
    */
-  final Expr getDestinationVAList() { result = getChild(0) }
+  final Expr getDestinationVAList() { result = this.getChild(0) }
 
   /**
    * Gets the the source `va_list` argument.
    */
-  final Expr getSourceVAList() { result = getChild(1) }
+  final Expr getSourceVAList() { result = this.getChild(1) }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/exprs/Call.qll

@@ -71,10 +71,10 @@ class Call extends Expr, NameQualifiableElement, TCall {
    * at index 2, respectively.
    */
   Expr getAnArgumentSubExpr(int index) {
-    result = getArgument(index)
+    result = this.getArgument(index)
     or
     exists(Expr mid |
-      mid = getAnArgumentSubExpr(index) and
+      mid = this.getAnArgumentSubExpr(index) and
       not mid instanceof Call and
       not mid instanceof SizeofOperator and
       result = mid.getAChild()
@@ -167,27 +167,27 @@ class FunctionCall extends Call, @funbindexpr {
   override string getAPrimaryQlClass() { result = "FunctionCall" }
 
   /** Gets an explicit template argument for this call. */
-  Locatable getAnExplicitTemplateArgument() { result = getExplicitTemplateArgument(_) }
+  Locatable getAnExplicitTemplateArgument() { result = this.getExplicitTemplateArgument(_) }
 
   /** Gets an explicit template argument value for this call. */
-  Locatable getAnExplicitTemplateArgumentKind() { result = getExplicitTemplateArgumentKind(_) }
+  Locatable getAnExplicitTemplateArgumentKind() { result = this.getExplicitTemplateArgumentKind(_) }
 
   /** Gets a template argument for this call. */
-  Locatable getATemplateArgument() { result = getTarget().getATemplateArgument() }
+  Locatable getATemplateArgument() { result = this.getTarget().getATemplateArgument() }
 
   /** Gets a template argument value for this call. */
-  Locatable getATemplateArgumentKind() { result = getTarget().getATemplateArgumentKind() }
+  Locatable getATemplateArgumentKind() { result = this.getTarget().getATemplateArgumentKind() }
 
   /** Gets the nth explicit template argument for this call. */
   Locatable getExplicitTemplateArgument(int n) {
-    n < getNumberOfExplicitTemplateArguments() and
-    result = getTemplateArgument(n)
+    n < this.getNumberOfExplicitTemplateArguments() and
+    result = this.getTemplateArgument(n)
   }
 
   /** Gets the nth explicit template argument value for this call. */
   Locatable getExplicitTemplateArgumentKind(int n) {
-    n < getNumberOfExplicitTemplateArguments() and
-    result = getTemplateArgumentKind(n)
+    n < this.getNumberOfExplicitTemplateArguments() and
+    result = this.getTemplateArgumentKind(n)
   }
 
   /** Gets the number of explicit template arguments for this call. */
@@ -198,19 +198,19 @@ class FunctionCall extends Call, @funbindexpr {
   }
 
   /** Gets the number of template arguments for this call. */
-  int getNumberOfTemplateArguments() { result = count(int i | exists(getTemplateArgument(i))) }
+  int getNumberOfTemplateArguments() { result = count(int i | exists(this.getTemplateArgument(i))) }
 
   /** Gets the nth template argument for this call (indexed from 0). */
-  Locatable getTemplateArgument(int n) { result = getTarget().getTemplateArgument(n) }
+  Locatable getTemplateArgument(int n) { result = this.getTarget().getTemplateArgument(n) }
 
   /** Gets the nth template argument value for this call (indexed from 0). */
-  Locatable getTemplateArgumentKind(int n) { result = getTarget().getTemplateArgumentKind(n) }
+  Locatable getTemplateArgumentKind(int n) { result = this.getTarget().getTemplateArgumentKind(n) }
 
   /** Holds if any template arguments for this call are implicit / deduced. */
   predicate hasImplicitTemplateArguments() {
     exists(int i |
-      exists(getTemplateArgument(i)) and
-      not exists(getExplicitTemplateArgument(i))
+      exists(this.getTemplateArgument(i)) and
+      not exists(this.getExplicitTemplateArgument(i))
     )
   }
 
@@ -233,9 +233,9 @@ class FunctionCall extends Call, @funbindexpr {
    * visible at the call site.
    */
   Type getExpectedReturnType() {
-    if getTargetType() instanceof RoutineType
-    then result = getTargetType().(RoutineType).getReturnType()
-    else result = getTarget().getType()
+    if this.getTargetType() instanceof RoutineType
+    then result = this.getTargetType().(RoutineType).getReturnType()
+    else result = this.getTarget().getType()
   }
 
   /**
@@ -247,9 +247,9 @@ class FunctionCall extends Call, @funbindexpr {
    * was visible at the call site.
    */
   Type getExpectedParameterType(int n) {
-    if getTargetType() instanceof RoutineType
-    then result = getTargetType().(RoutineType).getParameterType(n)
-    else result = getTarget().getParameter(n).getType()
+    if this.getTargetType() instanceof RoutineType
+    then result = this.getTargetType().(RoutineType).getParameterType(n)
+    else result = this.getTarget().getParameter(n).getType()
   }
 
   /**
@@ -263,7 +263,7 @@ class FunctionCall extends Call, @funbindexpr {
   /**
    * Gets the type of this expression, that is, the return type of the function being called.
    */
-  override Type getType() { result = getExpectedReturnType() }
+  override Type getType() { result = this.getExpectedReturnType() }
 
   /**
    * Holds if this is a call to a virtual function.
@@ -280,7 +280,7 @@ class FunctionCall extends Call, @funbindexpr {
 
   /** Gets a textual representation of this function call. */
   override string toString() {
-    if exists(getTarget())
+    if exists(this.getTarget())
     then result = "call to " + this.getTarget().getName()
     else result = "call to unknown function"
   }
@@ -288,15 +288,15 @@ class FunctionCall extends Call, @funbindexpr {
   override predicate mayBeImpure() {
     this.getChild(_).mayBeImpure() or
     this.getTarget().mayHaveSideEffects() or
-    isVirtual() or
-    getTarget().getAnAttribute().getName() = "weak"
+    this.isVirtual() or
+    this.getTarget().getAnAttribute().getName() = "weak"
   }
 
   override predicate mayBeGloballyImpure() {
     this.getChild(_).mayBeGloballyImpure() or
     this.getTarget().mayHaveSideEffects() or
-    isVirtual() or
-    getTarget().getAnAttribute().getName() = "weak"
+    this.isVirtual() or
+    this.getTarget().getAnAttribute().getName() = "weak"
   }
 }
 
@@ -367,7 +367,7 @@ class OverloadedPointerDereferenceExpr extends FunctionCall {
  * ```
  */
 class OverloadedArrayExpr extends FunctionCall {
-  OverloadedArrayExpr() { getTarget().hasName("operator[]") }
+  OverloadedArrayExpr() { this.getTarget().hasName("operator[]") }
 
   override string getAPrimaryQlClass() { result = "OverloadedArrayExpr" }
 
@@ -585,7 +585,7 @@ class ConstructorFieldInit extends ConstructorInit, @ctorfieldinit {
    */
   Expr getExpr() { result = this.getChild(0) }
 
-  override string toString() { result = "constructor init of field " + getTarget().getName() }
+  override string toString() { result = "constructor init of field " + this.getTarget().getName() }
 
   override predicate mayBeImpure() { this.getExpr().mayBeImpure() }
 

cpp/ql/lib/semmle/code/cpp/exprs/Cast.qll

@@ -188,8 +188,8 @@ private predicate isPointerToMemberOrNullPointer(Type type) {
 class ArithmeticConversion extends Cast {
   ArithmeticConversion() {
     conversionkinds(underlyingElement(this), 0) and
-    isArithmeticOrEnum(getUnspecifiedType()) and
-    isArithmeticOrEnum(getExpr().getUnspecifiedType())
+    isArithmeticOrEnum(this.getUnspecifiedType()) and
+    isArithmeticOrEnum(this.getExpr().getUnspecifiedType())
   }
 
   override string getSemanticConversionString() { result = "arithmetic conversion" }
@@ -204,8 +204,8 @@ class ArithmeticConversion extends Cast {
  */
 class IntegralConversion extends ArithmeticConversion {
   IntegralConversion() {
-    isIntegralOrEnum(getUnspecifiedType()) and
-    isIntegralOrEnum(getExpr().getUnspecifiedType())
+    isIntegralOrEnum(this.getUnspecifiedType()) and
+    isIntegralOrEnum(this.getExpr().getUnspecifiedType())
   }
 
   override string getAPrimaryQlClass() {
@@ -224,8 +224,8 @@ class IntegralConversion extends ArithmeticConversion {
  */
 class FloatingPointConversion extends ArithmeticConversion {
   FloatingPointConversion() {
-    getUnspecifiedType() instanceof FloatingPointType and
-    getExpr().getUnspecifiedType() instanceof FloatingPointType
+    this.getUnspecifiedType() instanceof FloatingPointType and
+    this.getExpr().getUnspecifiedType() instanceof FloatingPointType
   }
 
   override string getAPrimaryQlClass() {
@@ -244,8 +244,8 @@ class FloatingPointConversion extends ArithmeticConversion {
  */
 class FloatingPointToIntegralConversion extends ArithmeticConversion {
   FloatingPointToIntegralConversion() {
-    isIntegralOrEnum(getUnspecifiedType()) and
-    getExpr().getUnspecifiedType() instanceof FloatingPointType
+    isIntegralOrEnum(this.getUnspecifiedType()) and
+    this.getExpr().getUnspecifiedType() instanceof FloatingPointType
   }
 
   override string getAPrimaryQlClass() {
@@ -264,8 +264,8 @@ class FloatingPointToIntegralConversion extends ArithmeticConversion {
  */
 class IntegralToFloatingPointConversion extends ArithmeticConversion {
   IntegralToFloatingPointConversion() {
-    getUnspecifiedType() instanceof FloatingPointType and
-    isIntegralOrEnum(getExpr().getUnspecifiedType())
+    this.getUnspecifiedType() instanceof FloatingPointType and
+    isIntegralOrEnum(this.getExpr().getUnspecifiedType())
   }
 
   override string getAPrimaryQlClass() {
@@ -290,8 +290,8 @@ class IntegralToFloatingPointConversion extends ArithmeticConversion {
 class PointerConversion extends Cast {
   PointerConversion() {
     conversionkinds(underlyingElement(this), 0) and
-    isPointerOrNullPointer(getUnspecifiedType()) and
-    isPointerOrNullPointer(getExpr().getUnspecifiedType())
+    isPointerOrNullPointer(this.getUnspecifiedType()) and
+    isPointerOrNullPointer(this.getExpr().getUnspecifiedType())
   }
 
   override string getAPrimaryQlClass() { not exists(qlCast(this)) and result = "PointerConversion" }
@@ -315,8 +315,8 @@ class PointerToMemberConversion extends Cast {
   PointerToMemberConversion() {
     conversionkinds(underlyingElement(this), 0) and
     exists(Type fromType, Type toType |
-      fromType = getExpr().getUnspecifiedType() and
-      toType = getUnspecifiedType() and
+      fromType = this.getExpr().getUnspecifiedType() and
+      toType = this.getUnspecifiedType() and
       isPointerToMemberOrNullPointer(fromType) and
       isPointerToMemberOrNullPointer(toType) and
       // A conversion from nullptr to nullptr is a `PointerConversion`, not a
@@ -345,8 +345,8 @@ class PointerToMemberConversion extends Cast {
 class PointerToIntegralConversion extends Cast {
   PointerToIntegralConversion() {
     conversionkinds(underlyingElement(this), 0) and
-    isIntegralOrEnum(getUnspecifiedType()) and
-    isPointerOrNullPointer(getExpr().getUnspecifiedType())
+    isIntegralOrEnum(this.getUnspecifiedType()) and
+    isPointerOrNullPointer(this.getExpr().getUnspecifiedType())
   }
 
   override string getAPrimaryQlClass() {
@@ -366,8 +366,8 @@ class PointerToIntegralConversion extends Cast {
 class IntegralToPointerConversion extends Cast {
   IntegralToPointerConversion() {
     conversionkinds(underlyingElement(this), 0) and
-    isPointerOrNullPointer(getUnspecifiedType()) and
-    isIntegralOrEnum(getExpr().getUnspecifiedType())
+    isPointerOrNullPointer(this.getUnspecifiedType()) and
+    isIntegralOrEnum(this.getExpr().getUnspecifiedType())
   }
 
   override string getAPrimaryQlClass() {
@@ -403,7 +403,7 @@ class BoolConversion extends Cast {
 class VoidConversion extends Cast {
   VoidConversion() {
     conversionkinds(underlyingElement(this), 0) and
-    getUnspecifiedType() instanceof VoidType
+    this.getUnspecifiedType() instanceof VoidType
   }
 
   override string getAPrimaryQlClass() { not exists(qlCast(this)) and result = "VoidConversion" }
@@ -434,8 +434,8 @@ class InheritanceConversion extends Cast {
    * conversion is to an indirect virtual base class.
    */
   final ClassDerivation getDerivation() {
-    result.getBaseClass() = getBaseClass() and
-    result.getDerivedClass() = getDerivedClass()
+    result.getBaseClass() = this.getBaseClass() and
+    result.getDerivedClass() = this.getDerivedClass()
   }
 
   /**
@@ -490,12 +490,12 @@ class BaseClassConversion extends InheritanceConversion {
 
   override Class getBaseClass() { result = getConversionClass(this) }
 
-  override Class getDerivedClass() { result = getConversionClass(getExpr()) }
+  override Class getDerivedClass() { result = getConversionClass(this.getExpr()) }
 
   /**
    * Holds if this conversion is to a virtual base class.
    */
-  predicate isVirtual() { getDerivation().isVirtual() or not exists(getDerivation()) }
+  predicate isVirtual() { this.getDerivation().isVirtual() or not exists(this.getDerivation()) }
 }
 
 /**
@@ -515,7 +515,7 @@ class DerivedClassConversion extends InheritanceConversion {
 
   override string getSemanticConversionString() { result = "derived class conversion" }
 
-  override Class getBaseClass() { result = getConversionClass(getExpr()) }
+  override Class getBaseClass() { result = getConversionClass(this.getExpr()) }
 
   override Class getDerivedClass() { result = getConversionClass(this) }
 }
@@ -637,8 +637,8 @@ class DynamicCast extends Cast, @dynamic_cast {
  */
 class UuidofOperator extends Expr, @uuidof {
   override string toString() {
-    if exists(getTypeOperand())
-    then result = "__uuidof(" + getTypeOperand().getName() + ")"
+    if exists(this.getTypeOperand())
+    then result = "__uuidof(" + this.getTypeOperand().getName() + ")"
     else result = "__uuidof(0)"
   }
 

cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll

@@ -26,12 +26,12 @@ class Expr extends StmtParent, @expr {
   Function getEnclosingFunction() { result = exprEnclosingElement(this) }
 
   /** Gets the nearest enclosing set of curly braces around this expression in the source, if any. */
-  BlockStmt getEnclosingBlock() { result = getEnclosingStmt().getEnclosingBlock() }
+  BlockStmt getEnclosingBlock() { result = this.getEnclosingStmt().getEnclosingBlock() }
 
   override Stmt getEnclosingStmt() {
     result = this.getParent().(Expr).getEnclosingStmt()
     or
-    result = this.getParent().(Stmt)
+    result = this.getParent()
     or
     exists(Expr other | result = other.getEnclosingStmt() and other.getConversion() = this)
     or
@@ -219,13 +219,13 @@ class Expr extends StmtParent, @expr {
    * Holds if this expression is a _glvalue_. A _glvalue_ is either an _lvalue_ or an
    * _xvalue_.
    */
-  predicate isGLValueCategory() { isLValueCategory() or isXValueCategory() }
+  predicate isGLValueCategory() { this.isLValueCategory() or this.isXValueCategory() }
 
   /**
    * Holds if this expression is an _rvalue_. An _rvalue_ is either a _prvalue_ or an
    * _xvalue_.
    */
-  predicate isRValueCategory() { isPRValueCategory() or isXValueCategory() }
+  predicate isRValueCategory() { this.isPRValueCategory() or this.isXValueCategory() }
 
   /**
    * Gets a string representation of the value category of the expression.
@@ -240,15 +240,15 @@ class Expr extends StmtParent, @expr {
    * `hasLValueToRvalueConversion()` holds.
    */
   string getValueCategoryString() {
-    isLValueCategory() and
+    this.isLValueCategory() and
     result = "lvalue"
     or
-    isXValueCategory() and
+    this.isXValueCategory() and
     result = "xvalue"
     or
     (
-      isPRValueCategory() and
-      if hasLValueToRValueConversion() then result = "prvalue(load)" else result = "prvalue"
+      this.isPRValueCategory() and
+      if this.hasLValueToRValueConversion() then result = "prvalue(load)" else result = "prvalue"
     )
   }
 
@@ -263,7 +263,7 @@ class Expr extends StmtParent, @expr {
    * such as an expression inside a sizeof.
    */
   predicate isUnevaluated() {
-    exists(Element e | e = getParentWithConversions+() |
+    exists(Element e | e = this.getParentWithConversions+() |
       e instanceof SizeofOperator
       or
       exists(Expr e2 |
@@ -279,7 +279,7 @@ class Expr extends StmtParent, @expr {
       e instanceof AlignofOperator
     )
     or
-    exists(Decltype d | d.getExpr() = getParentWithConversions*())
+    exists(Decltype d | d.getExpr() = this.getParentWithConversions*())
   }
 
   /**
@@ -725,7 +725,7 @@ class PointerDereferenceExpr extends UnaryOperation, @indirect {
    *
    * Gets the expression that is being dereferenced.
    */
-  deprecated Expr getExpr() { result = getOperand() }
+  deprecated Expr getExpr() { result = this.getOperand() }
 
   override string getOperator() { result = "*" }
 
@@ -780,15 +780,15 @@ class NewOrNewArrayExpr extends Expr, @any_new_expr {
    * Gets the alignment argument passed to the allocation function, if any.
    */
   Expr getAlignmentArgument() {
-    hasAlignedAllocation() and
+    this.hasAlignedAllocation() and
     (
       // If we have an allocator call, the alignment is the second argument to
       // that call.
-      result = getAllocatorCall().getArgument(1)
+      result = this.getAllocatorCall().getArgument(1)
       or
       // Otherwise, the alignment winds up as child number 3 of the `new`
       // itself.
-      result = getChild(3)
+      result = this.getChild(3)
     )
   }
 
@@ -916,7 +916,7 @@ class NewArrayExpr extends NewOrNewArrayExpr, @new_array_expr {
    * Gets the element type of the array being allocated.
    */
   Type getAllocatedElementType() {
-    result = getType().getUnderlyingType().(PointerType).getBaseType()
+    result = this.getType().getUnderlyingType().(PointerType).getBaseType()
   }
 
   /**
@@ -946,7 +946,12 @@ class DeleteExpr extends Expr, @delete_expr {
    */
   Type getDeletedObjectType() {
     result =
-      getExpr().getFullyConverted().getType().stripTopLevelSpecifiers().(PointerType).getBaseType()
+      this.getExpr()
+          .getFullyConverted()
+          .getType()
+          .stripTopLevelSpecifiers()
+          .(PointerType)
+          .getBaseType()
   }
 
   /**
@@ -957,7 +962,7 @@ class DeleteExpr extends Expr, @delete_expr {
   /**
    * Gets the destructor to be called to destroy the object, if any.
    */
-  Destructor getDestructor() { result = getDestructorCall().getTarget() }
+  Destructor getDestructor() { result = this.getDestructorCall().getTarget() }
 
   /**
    * Gets the `operator delete` that deallocates storage. Does not hold
@@ -1020,7 +1025,12 @@ class DeleteArrayExpr extends Expr, @delete_array_expr {
    */
   Type getDeletedElementType() {
     result =
-      getExpr().getFullyConverted().getType().stripTopLevelSpecifiers().(PointerType).getBaseType()
+      this.getExpr()
+          .getFullyConverted()
+          .getType()
+          .stripTopLevelSpecifiers()
+          .(PointerType)
+          .getBaseType()
   }
 
   /**
@@ -1034,7 +1044,7 @@ class DeleteArrayExpr extends Expr, @delete_array_expr {
   /**
    * Gets the destructor to be called to destroy each element in the array, if any.
    */
-  Destructor getDestructor() { result = getDestructorCall().getTarget() }
+  Destructor getDestructor() { result = this.getDestructorCall().getTarget() }
 
   /**
    * Gets the `operator delete[]` that deallocates storage.
@@ -1101,7 +1111,7 @@ class StmtExpr extends Expr, @expr_stmt {
    * x = ({ dosomething(); a+b; });
    * ```
    */
-  Expr getResultExpr() { result = getStmtResultExpr(getStmt()) }
+  Expr getResultExpr() { result = getStmtResultExpr(this.getStmt()) }
 }
 
 /** Get the result expression of a statement. (Helper function for StmtExpr.) */
@@ -1230,20 +1240,20 @@ class FoldExpr extends Expr, @foldexpr {
   predicate isRightFold() { fold(underlyingElement(this), _, false) }
 
   /** Holds if this is a unary fold expression. */
-  predicate isUnaryFold() { getNumChild() = 1 }
+  predicate isUnaryFold() { this.getNumChild() = 1 }
 
   /** Holds if this is a binary fold expression. */
-  predicate isBinaryFold() { getNumChild() = 2 }
+  predicate isBinaryFold() { this.getNumChild() = 2 }
 
   /**
    * Gets the child expression containing the unexpanded parameter pack.
    */
   Expr getPackExpr() {
     this.isUnaryFold() and
-    result = getChild(0)
+    result = this.getChild(0)
     or
     this.isBinaryFold() and
-    if this.isRightFold() then result = getChild(0) else result = getChild(1)
+    if this.isRightFold() then result = this.getChild(0) else result = this.getChild(1)
   }
 
   /**
@@ -1251,7 +1261,7 @@ class FoldExpr extends Expr, @foldexpr {
    */
   Expr getInitExpr() {
     this.isBinaryFold() and
-    if this.isRightFold() then result = getChild(1) else result = getChild(0)
+    if this.isRightFold() then result = this.getChild(1) else result = this.getChild(0)
   }
 }
 

cpp/ql/lib/semmle/code/cpp/exprs/Lambda.qll

@@ -24,7 +24,7 @@ class LambdaExpression extends Expr, @lambdaexpr {
   /**
    * Gets an implicitly or explicitly captured value of this lambda expression.
    */
-  LambdaCapture getACapture() { result = getCapture(_) }
+  LambdaCapture getACapture() { result = this.getCapture(_) }
 
   /**
    * Gets the nth implicitly or explicitly captured value of this lambda expression.
@@ -58,13 +58,13 @@ class LambdaExpression extends Expr, @lambdaexpr {
    *   - The return type.
    *   - The statements comprising the lambda body.
    */
-  Operator getLambdaFunction() { result = getType().(Closure).getLambdaFunction() }
+  Operator getLambdaFunction() { result = this.getType().(Closure).getLambdaFunction() }
 
   /**
    * Gets the initializer that initializes the captured variables in the closure, if any.
    * A lambda that does not capture any variables will not have an initializer.
    */
-  ClassAggregateLiteral getInitializer() { result = getChild(0) }
+  ClassAggregateLiteral getInitializer() { result = this.getChild(0) }
 }
 
 /**
@@ -103,7 +103,7 @@ class Closure extends Class {
  * ```
  */
 class LambdaCapture extends Locatable, @lambdacapture {
-  override string toString() { result = getField().getName() }
+  override string toString() { result = this.getField().getName() }
 
   override string getAPrimaryQlClass() { result = "LambdaCapture" }
 

cpp/ql/lib/semmle/code/cpp/exprs/Literal.qll

@@ -60,12 +60,12 @@ class TextLiteral extends Literal {
 
   /** Gets a hex escape sequence that appears in the character or string literal (see [lex.ccon] in the C++ Standard). */
   string getAHexEscapeSequence(int occurrence, int offset) {
-    result = getValueText().regexpFind("(?<!\\\\)\\\\x[0-9a-fA-F]+", occurrence, offset)
+    result = this.getValueText().regexpFind("(?<!\\\\)\\\\x[0-9a-fA-F]+", occurrence, offset)
   }
 
   /** Gets an octal escape sequence that appears in the character or string literal (see [lex.ccon] in the C++ Standard). */
   string getAnOctalEscapeSequence(int occurrence, int offset) {
-    result = getValueText().regexpFind("(?<!\\\\)\\\\[0-7]{1,3}", occurrence, offset)
+    result = this.getValueText().regexpFind("(?<!\\\\)\\\\[0-7]{1,3}", occurrence, offset)
   }
 
   /**
@@ -75,27 +75,27 @@ class TextLiteral extends Literal {
   string getANonStandardEscapeSequence(int occurrence, int offset) {
     // Find all single character escape sequences (ignoring the start of octal escape sequences),
     // together with anything starting like a hex escape sequence but not followed by a hex digit.
-    result = getValueText().regexpFind("\\\\[^x0-7\\s]|\\\\x[^0-9a-fA-F]", occurrence, offset) and
+    result = this.getValueText().regexpFind("\\\\[^x0-7\\s]|\\\\x[^0-9a-fA-F]", occurrence, offset) and
     // From these, exclude all standard escape sequences.
-    not result = getAStandardEscapeSequence(_, _)
+    not result = this.getAStandardEscapeSequence(_, _)
   }
 
   /** Gets a simple escape sequence that appears in the char or string literal (see [lex.ccon] in the C++ Standard). */
   string getASimpleEscapeSequence(int occurrence, int offset) {
-    result = getValueText().regexpFind("\\\\['\"?\\\\abfnrtv]", occurrence, offset)
+    result = this.getValueText().regexpFind("\\\\['\"?\\\\abfnrtv]", occurrence, offset)
   }
 
   /** Gets a standard escape sequence that appears in the char or string literal (see [lex.ccon] in the C++ Standard). */
   string getAStandardEscapeSequence(int occurrence, int offset) {
-    result = getASimpleEscapeSequence(occurrence, offset) or
-    result = getAnOctalEscapeSequence(occurrence, offset) or
-    result = getAHexEscapeSequence(occurrence, offset)
+    result = this.getASimpleEscapeSequence(occurrence, offset) or
+    result = this.getAnOctalEscapeSequence(occurrence, offset) or
+    result = this.getAHexEscapeSequence(occurrence, offset)
   }
 
   /**
    * Gets the length of the string literal (including null) before escape sequences added by the extractor.
    */
-  int getOriginalLength() { result = getValue().length() + 1 }
+  int getOriginalLength() { result = this.getValue().length() + 1 }
 }
 
 /**
@@ -216,7 +216,7 @@ class ClassAggregateLiteral extends AggregateLiteral {
     (
       // If the field has an explicit initializer expression, then the field is
       // initialized.
-      exists(getFieldExpr(field))
+      exists(this.getFieldExpr(field))
       or
       // If the type is not a union, all fields without initializers are value
       // initialized.
@@ -224,7 +224,7 @@ class ClassAggregateLiteral extends AggregateLiteral {
       or
       // If the type is a union, and there are no explicit initializers, then
       // the first declared field is value initialized.
-      not exists(getAChild()) and
+      not exists(this.getAChild()) and
       field.getInitializationOrder() = 0
     )
   }
@@ -239,8 +239,8 @@ class ClassAggregateLiteral extends AggregateLiteral {
    */
   pragma[inline]
   predicate isValueInitialized(Field field) {
-    isInitialized(field) and
-    not exists(getFieldExpr(field))
+    this.isInitialized(field) and
+    not exists(this.getFieldExpr(field))
   }
 }
 
@@ -285,7 +285,7 @@ class ArrayOrVectorAggregateLiteral extends AggregateLiteral {
   bindingset[elementIndex]
   predicate isInitialized(int elementIndex) {
     elementIndex >= 0 and
-    elementIndex < getArraySize()
+    elementIndex < this.getArraySize()
   }
 
   /**
@@ -298,8 +298,8 @@ class ArrayOrVectorAggregateLiteral extends AggregateLiteral {
    */
   bindingset[elementIndex]
   predicate isValueInitialized(int elementIndex) {
-    isInitialized(elementIndex) and
-    not exists(getElementExpr(elementIndex))
+    this.isInitialized(elementIndex) and
+    not exists(this.getElementExpr(elementIndex))
   }
 }
 

cpp/ql/lib/semmle/code/cpp/internal/AddressConstantExpression.qll

@@ -31,7 +31,7 @@ private predicate addressConstantVariable(Variable v) {
 private predicate constantAddressLValue(Expr lvalue) {
   lvalue.(VariableAccess).getTarget() =
     any(Variable v |
-      v.(Variable).isStatic()
+      v.isStatic()
       or
       v instanceof GlobalOrNamespaceVariable
     )

cpp/ql/lib/semmle/code/cpp/internal/QualifiedName.qll

@@ -173,7 +173,7 @@ class LocalVariable extends LocalScopeVariable, @localvariable { }
 class VariableDeclarationEntry extends @var_decl {
   string toString() { result = "QualifiedName DeclarationEntry" }
 
-  Variable getDeclaration() { result = getVariable() }
+  Variable getDeclaration() { result = this.getVariable() }
 
   /**
    * Gets the variable which is being declared or defined.

cpp/ql/lib/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll

@@ -474,6 +474,24 @@ module TaintedWithPath {
     }
   }
 
+  /**
+   * INTERNAL: Do not use.
+   */
+  module Private {
+    /** Gets a predecessor `PathNode` of `pathNode`, if any. */
+    PathNode getAPredecessor(PathNode pathNode) { edges(result, pathNode) }
+
+    /** Gets the element that `pathNode` wraps, if any. */
+    Element getElementFromPathNode(PathNode pathNode) {
+      exists(DataFlow::Node node | node = pathNode.(WrapPathNode).inner().getNode() |
+        result = node.asExpr() or
+        result = node.asParameter()
+      )
+      or
+      result = pathNode.(EndpointPathNode).inner()
+    }
+  }
+
   private class WrapPathNode extends PathNode, TWrapPathNode {
     DataFlow3::PathNode inner() { this = TWrapPathNode(result) }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll

@@ -63,8 +63,10 @@ private module VirtualDispatch {
       |
         // Call argument
         exists(DataFlowCall call, int i |
-          other.(DataFlow::ParameterNode).isParameterOf(call.getStaticCallTarget(), i) and
-          src.(ArgumentNode).argumentOf(call, i)
+          other
+              .(DataFlow::ParameterNode)
+              .isParameterOf(pragma[only_bind_into](call).getStaticCallTarget(), i) and
+          src.(ArgumentNode).argumentOf(call, pragma[only_bind_into](pragma[only_bind_out](i)))
         ) and
         allowOtherFromArg = true and
         allowFromArg = true
@@ -128,6 +130,7 @@ private module VirtualDispatch {
    *
    * Used to fix a join ordering issue in flowsFrom.
    */
+  pragma[noinline]
   private predicate returnNodeWithKindAndEnclosingCallable(
     ReturnNode node, ReturnKind kind, DataFlowCallable callable
   ) {

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll

@@ -10,6 +10,7 @@
 private import DataFlowImplCommon
 private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
+import DataFlowImplCommonPublic
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -94,6 +95,22 @@ abstract class Configuration extends string {
    */
   int fieldFlowBranchLimit() { result = 2 }
 
+  /**
+   * Gets a data flow configuration feature to add restrictions to the set of
+   * valid flow paths.
+   *
+   * - `FeatureHasSourceCallContext`:
+   *    Assume that sources have some existing call context to disallow
+   *    conflicting return-flow directly following the source.
+   * - `FeatureHasSinkCallContext`:
+   *    Assume that sinks have some existing call context to disallow
+   *    conflicting argument-to-parameter flow directly preceding the sink.
+   * - `FeatureEqualSourceSinkCallContext`:
+   *    Implies both of the above and additionally ensures that the entire flow
+   *    path preserves the call context.
+   */
+  FlowFeature getAFeature() { none() }
+
   /**
    * Holds if data may flow from `source` to `sink` for this configuration.
    */
@@ -110,12 +127,12 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) { hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowToExpr(DataFlowExpr sink) { hasFlowTo(exprNode(sink)) }
+  predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
   /**
    * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
@@ -244,6 +261,8 @@ private class ParamNodeEx extends NodeEx {
   }
 
   int getPosition() { this.isParameterOf(_, result) }
+
+  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
 
 private class RetNodeEx extends NodeEx {
@@ -347,7 +366,8 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
     not outBarrier(node1, config) and
     not inBarrier(node2, config) and
     not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    not fullBarrier(node2, config) and
+    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
   )
 }
 
@@ -363,7 +383,8 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
     not outBarrier(node1, config) and
     not inBarrier(node2, config) and
     not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    not fullBarrier(node2, config) and
+    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
   )
 }
 
@@ -399,6 +420,20 @@ private predicate viableParamArgEx(DataFlowCall call, ParamNodeEx p, ArgNodeEx a
  */
 private predicate useFieldFlow(Configuration config) { config.fieldFlowBranchLimit() >= 1 }
 
+private predicate hasSourceCallCtx(Configuration config) {
+  exists(FlowFeature feature | feature = config.getAFeature() |
+    feature instanceof FeatureHasSourceCallContext or
+    feature instanceof FeatureEqualSourceSinkCallContext
+  )
+}
+
+private predicate hasSinkCallCtx(Configuration config) {
+  exists(FlowFeature feature | feature = config.getAFeature() |
+    feature instanceof FeatureHasSinkCallContext or
+    feature instanceof FeatureEqualSourceSinkCallContext
+  )
+}
+
 private module Stage1 {
   class ApApprox = Unit;
 
@@ -419,7 +454,7 @@ private module Stage1 {
     not fullBarrier(node, config) and
     (
       sourceNode(node, config) and
-      cc = false
+      if hasSourceCallCtx(config) then cc = true else cc = false
       or
       exists(NodeEx mid |
         fwdFlow(mid, cc, config) and
@@ -549,7 +584,7 @@ private module Stage1 {
   private predicate revFlow0(NodeEx node, boolean toReturn, Configuration config) {
     fwdFlow(node, config) and
     sinkNode(node, config) and
-    toReturn = false
+    if hasSinkCallCtx(config) then toReturn = true else toReturn = false
     or
     exists(NodeEx mid |
       localFlowStep(node, mid, config) and
@@ -744,8 +779,12 @@ private module Stage1 {
       returnFlowCallableNodeCand(c, kind, config) and
       p.getEnclosingCallable() = c and
       exists(ap) and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -931,6 +970,8 @@ private module Stage2 {
 
   Cc ccNone() { result instanceof CallContextAny }
 
+  CcCall ccSomeCall() { result instanceof CallContextSomeCall }
+
   private class LocalCc = Unit;
 
   bindingset[call, c, outercc]
@@ -998,7 +1039,7 @@ private module Stage2 {
   predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
-    cc = ccNone() and
+    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
     argAp = apNone() and
     ap = getApNil(node)
     or
@@ -1209,7 +1250,7 @@ private module Stage2 {
   ) {
     fwdFlow(node, _, _, ap, config) and
     sinkNode(node, config) and
-    toReturn = false and
+    (if hasSinkCallCtx(config) then toReturn = true else toReturn = false) and
     returnAp = apNone() and
     ap instanceof ApNil
     or
@@ -1394,8 +1435,12 @@ private module Stage2 {
       fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
       kind = ret.getKind() and
       p.getPosition() = pos and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = pos
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -1606,6 +1651,8 @@ private module Stage3 {
 
   Cc ccNone() { result = false }
 
+  CcCall ccSomeCall() { result = true }
+
   private class LocalCc = Unit;
 
   bindingset[call, c, outercc]
@@ -1687,7 +1734,7 @@ private module Stage3 {
   private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
-    cc = ccNone() and
+    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
     argAp = apNone() and
     ap = getApNil(node)
     or
@@ -1898,7 +1945,7 @@ private module Stage3 {
   ) {
     fwdFlow(node, _, _, ap, config) and
     sinkNode(node, config) and
-    toReturn = false and
+    (if hasSinkCallCtx(config) then toReturn = true else toReturn = false) and
     returnAp = apNone() and
     ap instanceof ApNil
     or
@@ -2083,8 +2130,12 @@ private module Stage3 {
       fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
       kind = ret.getKind() and
       p.getPosition() = pos and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = pos
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -2352,6 +2403,8 @@ private module Stage4 {
 
   Cc ccNone() { result instanceof CallContextAny }
 
+  CcCall ccSomeCall() { result instanceof CallContextSomeCall }
+
   private class LocalCc = LocalCallContext;
 
   bindingset[call, c, outercc]
@@ -2447,7 +2500,7 @@ private module Stage4 {
   private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
-    cc = ccNone() and
+    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
     argAp = apNone() and
     ap = getApNil(node)
     or
@@ -2658,7 +2711,7 @@ private module Stage4 {
   ) {
     fwdFlow(node, _, _, ap, config) and
     sinkNode(node, config) and
-    toReturn = false and
+    (if hasSinkCallCtx(config) then toReturn = true else toReturn = false) and
     returnAp = apNone() and
     ap instanceof ApNil
     or
@@ -2843,8 +2896,12 @@ private module Stage4 {
       fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
       kind = ret.getKind() and
       p.getPosition() = pos and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = pos
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -2917,6 +2974,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
 
   int getParameterPos() { p.isParameterOf(_, result) }
 
+  ParamNodeEx getParamNode() { result = p }
+
   override string toString() { result = p + ": " + ap }
 
   predicate hasLocationInfo(
@@ -3044,7 +3103,11 @@ private newtype TPathNode =
     // A PathNode is introduced by a source ...
     Stage4::revFlow(node, config) and
     sourceNode(node, config) and
-    cc instanceof CallContextAny and
+    (
+      if hasSourceCallCtx(config)
+      then cc instanceof CallContextSomeCall
+      else cc instanceof CallContextAny
+    ) and
     sc instanceof SummaryCtxNone and
     ap = TAccessPathNil(node.getDataFlowType())
     or
@@ -3056,17 +3119,10 @@ private newtype TPathNode =
     )
   } or
   TPathNodeSink(NodeEx node, Configuration config) {
-    sinkNode(node, pragma[only_bind_into](config)) and
-    Stage4::revFlow(node, pragma[only_bind_into](config)) and
-    (
-      // A sink that is also a source ...
-      sourceNode(node, config)
-      or
-      // ... or a sink that can be reached from a source
-      exists(PathNodeMid mid |
-        pathStep(mid, node, _, _, TAccessPathNil(_)) and
-        pragma[only_bind_into](config) = mid.getConfiguration()
-      )
+    exists(PathNodeMid sink |
+      sink.isAtSink() and
+      node = sink.getNodeEx() and
+      config = sink.getConfiguration()
     )
   }
 
@@ -3170,7 +3226,7 @@ private class AccessPathCons extends AccessPath, TAccessPathCons {
   }
 
   override string toString() {
-    result = "[" + this.toStringImpl(true) + length().toString() + ")]"
+    result = "[" + this.toStringImpl(true) + this.length().toString() + ")]"
     or
     result = "[" + this.toStringImpl(false)
   }
@@ -3309,9 +3365,11 @@ abstract private class PathNodeImpl extends PathNode {
     result = " <" + this.(PathNodeMid).getCallContext().toString() + ">"
   }
 
-  override string toString() { result = this.getNodeEx().toString() + ppAp() }
+  override string toString() { result = this.getNodeEx().toString() + this.ppAp() }
 
-  override string toStringWithContext() { result = this.getNodeEx().toString() + ppAp() + ppCtx() }
+  override string toStringWithContext() {
+    result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx()
+  }
 
   override predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
@@ -3379,24 +3437,48 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
 
   override PathNodeImpl getASuccessorImpl() {
     // an intermediate step to another intermediate node
-    result = getSuccMid()
+    result = this.getSuccMid()
     or
-    // a final step to a sink via zero steps means we merge the last two steps to prevent trivial-looking edges
-    exists(PathNodeMid mid, PathNodeSink sink |
-      mid = getSuccMid() and
-      mid.getNodeEx() = sink.getNodeEx() and
-      mid.getAp() instanceof AccessPathNil and
-      sink.getConfiguration() = unbindConf(mid.getConfiguration()) and
-      result = sink
-    )
+    // a final step to a sink
+    result = this.getSuccMid().projectToSink()
   }
 
   override predicate isSource() {
     sourceNode(node, config) and
-    cc instanceof CallContextAny and
+    (
+      if hasSourceCallCtx(config)
+      then cc instanceof CallContextSomeCall
+      else cc instanceof CallContextAny
+    ) and
     sc instanceof SummaryCtxNone and
     ap instanceof AccessPathNil
   }
+
+  predicate isAtSink() {
+    sinkNode(node, config) and
+    ap instanceof AccessPathNil and
+    if hasSinkCallCtx(config)
+    then
+      // For `FeatureHasSinkCallContext` the condition `cc instanceof CallContextNoCall`
+      // is exactly what we need to check. This also implies
+      // `sc instanceof SummaryCtxNone`.
+      // For `FeatureEqualSourceSinkCallContext` the initial call context was
+      // set to `CallContextSomeCall` and jumps are disallowed, so
+      // `cc instanceof CallContextNoCall` never holds. On the other hand,
+      // in this case there's never any need to enter a call except to identify
+      // a summary, so the condition in `pathIntoCallable` enforces this, which
+      // means that `sc instanceof SummaryCtxNone` holds if and only if we are
+      // in the call context of the source.
+      sc instanceof SummaryCtxNone or
+      cc instanceof CallContextNoCall
+    else any()
+  }
+
+  PathNodeSink projectToSink() {
+    this.isAtSink() and
+    result.getNodeEx() = node and
+    result.getConfiguration() = unbindConf(config)
+  }
 }
 
 /**
@@ -3460,7 +3542,7 @@ private predicate pathStep(
   exists(TypedContent tc | pathReadStep(mid, node, ap.push(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
   or
-  pathIntoCallable(mid, node, _, cc, sc, _) and ap = mid.getAp()
+  pathIntoCallable(mid, node, _, cc, sc, _, _) and ap = mid.getAp()
   or
   pathOutOfCallable(mid, node, cc) and ap = mid.getAp() and sc instanceof SummaryCtxNone
   or
@@ -3537,18 +3619,20 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
  */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
+  Configuration config
 ) {
   exists(ArgNode arg |
     arg = mid.getNodeEx().asNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
     ap = mid.getAp() and
-    apa = ap.getApprox()
+    apa = ap.getApprox() and
+    config = mid.getConfiguration()
   )
 }
 
-pragma[noinline]
+pragma[nomagic]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
@@ -3561,12 +3645,14 @@ private predicate parameterCand(
 pragma[nomagic]
 private predicate pathIntoCallable0(
   PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
-  AccessPath ap
+  AccessPath ap, Configuration config
 ) {
   exists(AccessPathApprox apa |
-    pathIntoArg(mid, i, outercc, call, ap, apa) and
+    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
+      pragma[only_bind_into](config)) and
     callable = resolveCall(call, outercc) and
-    parameterCand(callable, any(int j | j <= i and j >= i), apa, mid.getConfiguration())
+    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
+      pragma[only_bind_into](config))
   )
 }
 
@@ -3575,18 +3661,23 @@ private predicate pathIntoCallable0(
  * before and after entering the callable are `outercc` and `innercc`,
  * respectively.
  */
+pragma[nomagic]
 private predicate pathIntoCallable(
   PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
-  DataFlowCall call
+  DataFlowCall call, Configuration config
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, i, outercc, call, ap) and
+    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
     p.isParameterOf(callable, i) and
     (
       sc = TSummaryCtxSome(p, ap)
       or
       not exists(TSummaryCtxSome(p, ap)) and
-      sc = TSummaryCtxNone()
+      sc = TSummaryCtxNone() and
+      // When the call contexts of source and sink needs to match then there's
+      // never any reason to enter a callable except to find a summary. See also
+      // the comment in `PathNodeMid::isAtSink`.
+      not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
     )
   |
     if recordDataFlowCallSite(call, callable)
@@ -3610,18 +3701,23 @@ private predicate paramFlowsThrough(
     ap = mid.getAp() and
     apa = ap.getApprox() and
     pos = sc.getParameterPos() and
-    not kind.(ParamUpdateReturnKind).getPosition() = pos
+    // we don't expect a parameter to return stored in itself, unless explicitly allowed
+    (
+      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      or
+      sc.getParamNode().allowParameterReturnInSelf()
+    )
   )
 }
 
 pragma[nomagic]
 private predicate pathThroughCallable0(
   DataFlowCall call, PathNodeMid mid, ReturnKindExt kind, CallContext cc, AccessPath ap,
-  AccessPathApprox apa
+  AccessPathApprox apa, Configuration config
 ) {
   exists(CallContext innercc, SummaryCtx sc |
-    pathIntoCallable(mid, _, cc, innercc, sc, call) and
-    paramFlowsThrough(kind, innercc, sc, ap, apa, unbindConf(mid.getConfiguration()))
+    pathIntoCallable(mid, _, cc, innercc, sc, call, config) and
+    paramFlowsThrough(kind, innercc, sc, ap, apa, config)
   )
 }
 
@@ -3631,9 +3727,9 @@ private predicate pathThroughCallable0(
  */
 pragma[noinline]
 private predicate pathThroughCallable(PathNodeMid mid, NodeEx out, CallContext cc, AccessPath ap) {
-  exists(DataFlowCall call, ReturnKindExt kind, AccessPathApprox apa |
-    pathThroughCallable0(call, mid, kind, cc, ap, apa) and
-    out = getAnOutNodeFlow(kind, call, apa, unbindConf(mid.getConfiguration()))
+  exists(DataFlowCall call, ReturnKindExt kind, AccessPathApprox apa, Configuration config |
+    pathThroughCallable0(call, mid, kind, cc, ap, apa, config) and
+    out = getAnOutNodeFlow(kind, call, apa, config)
   )
 }
 
@@ -3647,10 +3743,11 @@ private module Subpaths {
     PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
-    pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
-    pathIntoCallable(arg, par, _, innercc, sc, _) and
-    paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _,
-      unbindConf(arg.getConfiguration()))
+    exists(Configuration config |
+      pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
+      pathIntoCallable(arg, par, _, innercc, sc, _, config) and
+      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config))
+    )
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -10,6 +10,7 @@
 private import DataFlowImplCommon
 private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
+import DataFlowImplCommonPublic
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -94,6 +95,22 @@ abstract class Configuration extends string {
    */
   int fieldFlowBranchLimit() { result = 2 }
 
+  /**
+   * Gets a data flow configuration feature to add restrictions to the set of
+   * valid flow paths.
+   *
+   * - `FeatureHasSourceCallContext`:
+   *    Assume that sources have some existing call context to disallow
+   *    conflicting return-flow directly following the source.
+   * - `FeatureHasSinkCallContext`:
+   *    Assume that sinks have some existing call context to disallow
+   *    conflicting argument-to-parameter flow directly preceding the sink.
+   * - `FeatureEqualSourceSinkCallContext`:
+   *    Implies both of the above and additionally ensures that the entire flow
+   *    path preserves the call context.
+   */
+  FlowFeature getAFeature() { none() }
+
   /**
    * Holds if data may flow from `source` to `sink` for this configuration.
    */
@@ -110,12 +127,12 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) { hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowToExpr(DataFlowExpr sink) { hasFlowTo(exprNode(sink)) }
+  predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
   /**
    * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
@@ -244,6 +261,8 @@ private class ParamNodeEx extends NodeEx {
   }
 
   int getPosition() { this.isParameterOf(_, result) }
+
+  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
 
 private class RetNodeEx extends NodeEx {
@@ -347,7 +366,8 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
     not outBarrier(node1, config) and
     not inBarrier(node2, config) and
     not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    not fullBarrier(node2, config) and
+    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
   )
 }
 
@@ -363,7 +383,8 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
     not outBarrier(node1, config) and
     not inBarrier(node2, config) and
     not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    not fullBarrier(node2, config) and
+    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
   )
 }
 
@@ -399,6 +420,20 @@ private predicate viableParamArgEx(DataFlowCall call, ParamNodeEx p, ArgNodeEx a
  */
 private predicate useFieldFlow(Configuration config) { config.fieldFlowBranchLimit() >= 1 }
 
+private predicate hasSourceCallCtx(Configuration config) {
+  exists(FlowFeature feature | feature = config.getAFeature() |
+    feature instanceof FeatureHasSourceCallContext or
+    feature instanceof FeatureEqualSourceSinkCallContext
+  )
+}
+
+private predicate hasSinkCallCtx(Configuration config) {
+  exists(FlowFeature feature | feature = config.getAFeature() |
+    feature instanceof FeatureHasSinkCallContext or
+    feature instanceof FeatureEqualSourceSinkCallContext
+  )
+}
+
 private module Stage1 {
   class ApApprox = Unit;
 
@@ -419,7 +454,7 @@ private module Stage1 {
     not fullBarrier(node, config) and
     (
       sourceNode(node, config) and
-      cc = false
+      if hasSourceCallCtx(config) then cc = true else cc = false
       or
       exists(NodeEx mid |
         fwdFlow(mid, cc, config) and
@@ -549,7 +584,7 @@ private module Stage1 {
   private predicate revFlow0(NodeEx node, boolean toReturn, Configuration config) {
     fwdFlow(node, config) and
     sinkNode(node, config) and
-    toReturn = false
+    if hasSinkCallCtx(config) then toReturn = true else toReturn = false
     or
     exists(NodeEx mid |
       localFlowStep(node, mid, config) and
@@ -744,8 +779,12 @@ private module Stage1 {
       returnFlowCallableNodeCand(c, kind, config) and
       p.getEnclosingCallable() = c and
       exists(ap) and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -931,6 +970,8 @@ private module Stage2 {
 
   Cc ccNone() { result instanceof CallContextAny }
 
+  CcCall ccSomeCall() { result instanceof CallContextSomeCall }
+
   private class LocalCc = Unit;
 
   bindingset[call, c, outercc]
@@ -998,7 +1039,7 @@ private module Stage2 {
   predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
-    cc = ccNone() and
+    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
     argAp = apNone() and
     ap = getApNil(node)
     or
@@ -1209,7 +1250,7 @@ private module Stage2 {
   ) {
     fwdFlow(node, _, _, ap, config) and
     sinkNode(node, config) and
-    toReturn = false and
+    (if hasSinkCallCtx(config) then toReturn = true else toReturn = false) and
     returnAp = apNone() and
     ap instanceof ApNil
     or
@@ -1394,8 +1435,12 @@ private module Stage2 {
       fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
       kind = ret.getKind() and
       p.getPosition() = pos and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = pos
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -1606,6 +1651,8 @@ private module Stage3 {
 
   Cc ccNone() { result = false }
 
+  CcCall ccSomeCall() { result = true }
+
   private class LocalCc = Unit;
 
   bindingset[call, c, outercc]
@@ -1687,7 +1734,7 @@ private module Stage3 {
   private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
-    cc = ccNone() and
+    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
     argAp = apNone() and
     ap = getApNil(node)
     or
@@ -1898,7 +1945,7 @@ private module Stage3 {
   ) {
     fwdFlow(node, _, _, ap, config) and
     sinkNode(node, config) and
-    toReturn = false and
+    (if hasSinkCallCtx(config) then toReturn = true else toReturn = false) and
     returnAp = apNone() and
     ap instanceof ApNil
     or
@@ -2083,8 +2130,12 @@ private module Stage3 {
       fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
       kind = ret.getKind() and
       p.getPosition() = pos and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = pos
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -2352,6 +2403,8 @@ private module Stage4 {
 
   Cc ccNone() { result instanceof CallContextAny }
 
+  CcCall ccSomeCall() { result instanceof CallContextSomeCall }
+
   private class LocalCc = LocalCallContext;
 
   bindingset[call, c, outercc]
@@ -2447,7 +2500,7 @@ private module Stage4 {
   private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
-    cc = ccNone() and
+    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
     argAp = apNone() and
     ap = getApNil(node)
     or
@@ -2658,7 +2711,7 @@ private module Stage4 {
   ) {
     fwdFlow(node, _, _, ap, config) and
     sinkNode(node, config) and
-    toReturn = false and
+    (if hasSinkCallCtx(config) then toReturn = true else toReturn = false) and
     returnAp = apNone() and
     ap instanceof ApNil
     or
@@ -2843,8 +2896,12 @@ private module Stage4 {
       fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
       kind = ret.getKind() and
       p.getPosition() = pos and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = pos
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -2917,6 +2974,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
 
   int getParameterPos() { p.isParameterOf(_, result) }
 
+  ParamNodeEx getParamNode() { result = p }
+
   override string toString() { result = p + ": " + ap }
 
   predicate hasLocationInfo(
@@ -3044,7 +3103,11 @@ private newtype TPathNode =
     // A PathNode is introduced by a source ...
     Stage4::revFlow(node, config) and
     sourceNode(node, config) and
-    cc instanceof CallContextAny and
+    (
+      if hasSourceCallCtx(config)
+      then cc instanceof CallContextSomeCall
+      else cc instanceof CallContextAny
+    ) and
     sc instanceof SummaryCtxNone and
     ap = TAccessPathNil(node.getDataFlowType())
     or
@@ -3056,17 +3119,10 @@ private newtype TPathNode =
     )
   } or
   TPathNodeSink(NodeEx node, Configuration config) {
-    sinkNode(node, pragma[only_bind_into](config)) and
-    Stage4::revFlow(node, pragma[only_bind_into](config)) and
-    (
-      // A sink that is also a source ...
-      sourceNode(node, config)
-      or
-      // ... or a sink that can be reached from a source
-      exists(PathNodeMid mid |
-        pathStep(mid, node, _, _, TAccessPathNil(_)) and
-        pragma[only_bind_into](config) = mid.getConfiguration()
-      )
+    exists(PathNodeMid sink |
+      sink.isAtSink() and
+      node = sink.getNodeEx() and
+      config = sink.getConfiguration()
     )
   }
 
@@ -3170,7 +3226,7 @@ private class AccessPathCons extends AccessPath, TAccessPathCons {
   }
 
   override string toString() {
-    result = "[" + this.toStringImpl(true) + length().toString() + ")]"
+    result = "[" + this.toStringImpl(true) + this.length().toString() + ")]"
     or
     result = "[" + this.toStringImpl(false)
   }
@@ -3309,9 +3365,11 @@ abstract private class PathNodeImpl extends PathNode {
     result = " <" + this.(PathNodeMid).getCallContext().toString() + ">"
   }
 
-  override string toString() { result = this.getNodeEx().toString() + ppAp() }
+  override string toString() { result = this.getNodeEx().toString() + this.ppAp() }
 
-  override string toStringWithContext() { result = this.getNodeEx().toString() + ppAp() + ppCtx() }
+  override string toStringWithContext() {
+    result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx()
+  }
 
   override predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
@@ -3379,24 +3437,48 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
 
   override PathNodeImpl getASuccessorImpl() {
     // an intermediate step to another intermediate node
-    result = getSuccMid()
+    result = this.getSuccMid()
     or
-    // a final step to a sink via zero steps means we merge the last two steps to prevent trivial-looking edges
-    exists(PathNodeMid mid, PathNodeSink sink |
-      mid = getSuccMid() and
-      mid.getNodeEx() = sink.getNodeEx() and
-      mid.getAp() instanceof AccessPathNil and
-      sink.getConfiguration() = unbindConf(mid.getConfiguration()) and
-      result = sink
-    )
+    // a final step to a sink
+    result = this.getSuccMid().projectToSink()
   }
 
   override predicate isSource() {
     sourceNode(node, config) and
-    cc instanceof CallContextAny and
+    (
+      if hasSourceCallCtx(config)
+      then cc instanceof CallContextSomeCall
+      else cc instanceof CallContextAny
+    ) and
     sc instanceof SummaryCtxNone and
     ap instanceof AccessPathNil
   }
+
+  predicate isAtSink() {
+    sinkNode(node, config) and
+    ap instanceof AccessPathNil and
+    if hasSinkCallCtx(config)
+    then
+      // For `FeatureHasSinkCallContext` the condition `cc instanceof CallContextNoCall`
+      // is exactly what we need to check. This also implies
+      // `sc instanceof SummaryCtxNone`.
+      // For `FeatureEqualSourceSinkCallContext` the initial call context was
+      // set to `CallContextSomeCall` and jumps are disallowed, so
+      // `cc instanceof CallContextNoCall` never holds. On the other hand,
+      // in this case there's never any need to enter a call except to identify
+      // a summary, so the condition in `pathIntoCallable` enforces this, which
+      // means that `sc instanceof SummaryCtxNone` holds if and only if we are
+      // in the call context of the source.
+      sc instanceof SummaryCtxNone or
+      cc instanceof CallContextNoCall
+    else any()
+  }
+
+  PathNodeSink projectToSink() {
+    this.isAtSink() and
+    result.getNodeEx() = node and
+    result.getConfiguration() = unbindConf(config)
+  }
 }
 
 /**
@@ -3460,7 +3542,7 @@ private predicate pathStep(
   exists(TypedContent tc | pathReadStep(mid, node, ap.push(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
   or
-  pathIntoCallable(mid, node, _, cc, sc, _) and ap = mid.getAp()
+  pathIntoCallable(mid, node, _, cc, sc, _, _) and ap = mid.getAp()
   or
   pathOutOfCallable(mid, node, cc) and ap = mid.getAp() and sc instanceof SummaryCtxNone
   or
@@ -3537,18 +3619,20 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
  */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
+  Configuration config
 ) {
   exists(ArgNode arg |
     arg = mid.getNodeEx().asNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
     ap = mid.getAp() and
-    apa = ap.getApprox()
+    apa = ap.getApprox() and
+    config = mid.getConfiguration()
   )
 }
 
-pragma[noinline]
+pragma[nomagic]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
@@ -3561,12 +3645,14 @@ private predicate parameterCand(
 pragma[nomagic]
 private predicate pathIntoCallable0(
   PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
-  AccessPath ap
+  AccessPath ap, Configuration config
 ) {
   exists(AccessPathApprox apa |
-    pathIntoArg(mid, i, outercc, call, ap, apa) and
+    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
+      pragma[only_bind_into](config)) and
     callable = resolveCall(call, outercc) and
-    parameterCand(callable, any(int j | j <= i and j >= i), apa, mid.getConfiguration())
+    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
+      pragma[only_bind_into](config))
   )
 }
 
@@ -3575,18 +3661,23 @@ private predicate pathIntoCallable0(
  * before and after entering the callable are `outercc` and `innercc`,
  * respectively.
  */
+pragma[nomagic]
 private predicate pathIntoCallable(
   PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
-  DataFlowCall call
+  DataFlowCall call, Configuration config
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, i, outercc, call, ap) and
+    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
     p.isParameterOf(callable, i) and
     (
       sc = TSummaryCtxSome(p, ap)
       or
       not exists(TSummaryCtxSome(p, ap)) and
-      sc = TSummaryCtxNone()
+      sc = TSummaryCtxNone() and
+      // When the call contexts of source and sink needs to match then there's
+      // never any reason to enter a callable except to find a summary. See also
+      // the comment in `PathNodeMid::isAtSink`.
+      not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
     )
   |
     if recordDataFlowCallSite(call, callable)
@@ -3610,18 +3701,23 @@ private predicate paramFlowsThrough(
     ap = mid.getAp() and
     apa = ap.getApprox() and
     pos = sc.getParameterPos() and
-    not kind.(ParamUpdateReturnKind).getPosition() = pos
+    // we don't expect a parameter to return stored in itself, unless explicitly allowed
+    (
+      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      or
+      sc.getParamNode().allowParameterReturnInSelf()
+    )
   )
 }
 
 pragma[nomagic]
 private predicate pathThroughCallable0(
   DataFlowCall call, PathNodeMid mid, ReturnKindExt kind, CallContext cc, AccessPath ap,
-  AccessPathApprox apa
+  AccessPathApprox apa, Configuration config
 ) {
   exists(CallContext innercc, SummaryCtx sc |
-    pathIntoCallable(mid, _, cc, innercc, sc, call) and
-    paramFlowsThrough(kind, innercc, sc, ap, apa, unbindConf(mid.getConfiguration()))
+    pathIntoCallable(mid, _, cc, innercc, sc, call, config) and
+    paramFlowsThrough(kind, innercc, sc, ap, apa, config)
   )
 }
 
@@ -3631,9 +3727,9 @@ private predicate pathThroughCallable0(
  */
 pragma[noinline]
 private predicate pathThroughCallable(PathNodeMid mid, NodeEx out, CallContext cc, AccessPath ap) {
-  exists(DataFlowCall call, ReturnKindExt kind, AccessPathApprox apa |
-    pathThroughCallable0(call, mid, kind, cc, ap, apa) and
-    out = getAnOutNodeFlow(kind, call, apa, unbindConf(mid.getConfiguration()))
+  exists(DataFlowCall call, ReturnKindExt kind, AccessPathApprox apa, Configuration config |
+    pathThroughCallable0(call, mid, kind, cc, ap, apa, config) and
+    out = getAnOutNodeFlow(kind, call, apa, config)
   )
 }
 
@@ -3647,10 +3743,11 @@ private module Subpaths {
     PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
-    pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
-    pathIntoCallable(arg, par, _, innercc, sc, _) and
-    paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _,
-      unbindConf(arg.getConfiguration()))
+    exists(Configuration config |
+      pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
+      pathIntoCallable(arg, par, _, innercc, sc, _, config) and
+      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config))
+    )
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -10,6 +10,7 @@
 private import DataFlowImplCommon
 private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
+import DataFlowImplCommonPublic
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -94,6 +95,22 @@ abstract class Configuration extends string {
    */
   int fieldFlowBranchLimit() { result = 2 }
 
+  /**
+   * Gets a data flow configuration feature to add restrictions to the set of
+   * valid flow paths.
+   *
+   * - `FeatureHasSourceCallContext`:
+   *    Assume that sources have some existing call context to disallow
+   *    conflicting return-flow directly following the source.
+   * - `FeatureHasSinkCallContext`:
+   *    Assume that sinks have some existing call context to disallow
+   *    conflicting argument-to-parameter flow directly preceding the sink.
+   * - `FeatureEqualSourceSinkCallContext`:
+   *    Implies both of the above and additionally ensures that the entire flow
+   *    path preserves the call context.
+   */
+  FlowFeature getAFeature() { none() }
+
   /**
    * Holds if data may flow from `source` to `sink` for this configuration.
    */
@@ -110,12 +127,12 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) { hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowToExpr(DataFlowExpr sink) { hasFlowTo(exprNode(sink)) }
+  predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
   /**
    * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
@@ -244,6 +261,8 @@ private class ParamNodeEx extends NodeEx {
   }
 
   int getPosition() { this.isParameterOf(_, result) }
+
+  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
 
 private class RetNodeEx extends NodeEx {
@@ -347,7 +366,8 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
     not outBarrier(node1, config) and
     not inBarrier(node2, config) and
     not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    not fullBarrier(node2, config) and
+    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
   )
 }
 
@@ -363,7 +383,8 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
     not outBarrier(node1, config) and
     not inBarrier(node2, config) and
     not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    not fullBarrier(node2, config) and
+    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
   )
 }
 
@@ -399,6 +420,20 @@ private predicate viableParamArgEx(DataFlowCall call, ParamNodeEx p, ArgNodeEx a
  */
 private predicate useFieldFlow(Configuration config) { config.fieldFlowBranchLimit() >= 1 }
 
+private predicate hasSourceCallCtx(Configuration config) {
+  exists(FlowFeature feature | feature = config.getAFeature() |
+    feature instanceof FeatureHasSourceCallContext or
+    feature instanceof FeatureEqualSourceSinkCallContext
+  )
+}
+
+private predicate hasSinkCallCtx(Configuration config) {
+  exists(FlowFeature feature | feature = config.getAFeature() |
+    feature instanceof FeatureHasSinkCallContext or
+    feature instanceof FeatureEqualSourceSinkCallContext
+  )
+}
+
 private module Stage1 {
   class ApApprox = Unit;
 
@@ -419,7 +454,7 @@ private module Stage1 {
     not fullBarrier(node, config) and
     (
       sourceNode(node, config) and
-      cc = false
+      if hasSourceCallCtx(config) then cc = true else cc = false
       or
       exists(NodeEx mid |
         fwdFlow(mid, cc, config) and
@@ -549,7 +584,7 @@ private module Stage1 {
   private predicate revFlow0(NodeEx node, boolean toReturn, Configuration config) {
     fwdFlow(node, config) and
     sinkNode(node, config) and
-    toReturn = false
+    if hasSinkCallCtx(config) then toReturn = true else toReturn = false
     or
     exists(NodeEx mid |
       localFlowStep(node, mid, config) and
@@ -744,8 +779,12 @@ private module Stage1 {
       returnFlowCallableNodeCand(c, kind, config) and
       p.getEnclosingCallable() = c and
       exists(ap) and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -931,6 +970,8 @@ private module Stage2 {
 
   Cc ccNone() { result instanceof CallContextAny }
 
+  CcCall ccSomeCall() { result instanceof CallContextSomeCall }
+
   private class LocalCc = Unit;
 
   bindingset[call, c, outercc]
@@ -998,7 +1039,7 @@ private module Stage2 {
   predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
-    cc = ccNone() and
+    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
     argAp = apNone() and
     ap = getApNil(node)
     or
@@ -1209,7 +1250,7 @@ private module Stage2 {
   ) {
     fwdFlow(node, _, _, ap, config) and
     sinkNode(node, config) and
-    toReturn = false and
+    (if hasSinkCallCtx(config) then toReturn = true else toReturn = false) and
     returnAp = apNone() and
     ap instanceof ApNil
     or
@@ -1394,8 +1435,12 @@ private module Stage2 {
       fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
       kind = ret.getKind() and
       p.getPosition() = pos and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = pos
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -1606,6 +1651,8 @@ private module Stage3 {
 
   Cc ccNone() { result = false }
 
+  CcCall ccSomeCall() { result = true }
+
   private class LocalCc = Unit;
 
   bindingset[call, c, outercc]
@@ -1687,7 +1734,7 @@ private module Stage3 {
   private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
-    cc = ccNone() and
+    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
     argAp = apNone() and
     ap = getApNil(node)
     or
@@ -1898,7 +1945,7 @@ private module Stage3 {
   ) {
     fwdFlow(node, _, _, ap, config) and
     sinkNode(node, config) and
-    toReturn = false and
+    (if hasSinkCallCtx(config) then toReturn = true else toReturn = false) and
     returnAp = apNone() and
     ap instanceof ApNil
     or
@@ -2083,8 +2130,12 @@ private module Stage3 {
       fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
       kind = ret.getKind() and
       p.getPosition() = pos and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = pos
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -2352,6 +2403,8 @@ private module Stage4 {
 
   Cc ccNone() { result instanceof CallContextAny }
 
+  CcCall ccSomeCall() { result instanceof CallContextSomeCall }
+
   private class LocalCc = LocalCallContext;
 
   bindingset[call, c, outercc]
@@ -2447,7 +2500,7 @@ private module Stage4 {
   private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
-    cc = ccNone() and
+    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
     argAp = apNone() and
     ap = getApNil(node)
     or
@@ -2658,7 +2711,7 @@ private module Stage4 {
   ) {
     fwdFlow(node, _, _, ap, config) and
     sinkNode(node, config) and
-    toReturn = false and
+    (if hasSinkCallCtx(config) then toReturn = true else toReturn = false) and
     returnAp = apNone() and
     ap instanceof ApNil
     or
@@ -2843,8 +2896,12 @@ private module Stage4 {
       fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
       kind = ret.getKind() and
       p.getPosition() = pos and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = pos
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -2917,6 +2974,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
 
   int getParameterPos() { p.isParameterOf(_, result) }
 
+  ParamNodeEx getParamNode() { result = p }
+
   override string toString() { result = p + ": " + ap }
 
   predicate hasLocationInfo(
@@ -3044,7 +3103,11 @@ private newtype TPathNode =
     // A PathNode is introduced by a source ...
     Stage4::revFlow(node, config) and
     sourceNode(node, config) and
-    cc instanceof CallContextAny and
+    (
+      if hasSourceCallCtx(config)
+      then cc instanceof CallContextSomeCall
+      else cc instanceof CallContextAny
+    ) and
     sc instanceof SummaryCtxNone and
     ap = TAccessPathNil(node.getDataFlowType())
     or
@@ -3056,17 +3119,10 @@ private newtype TPathNode =
     )
   } or
   TPathNodeSink(NodeEx node, Configuration config) {
-    sinkNode(node, pragma[only_bind_into](config)) and
-    Stage4::revFlow(node, pragma[only_bind_into](config)) and
-    (
-      // A sink that is also a source ...
-      sourceNode(node, config)
-      or
-      // ... or a sink that can be reached from a source
-      exists(PathNodeMid mid |
-        pathStep(mid, node, _, _, TAccessPathNil(_)) and
-        pragma[only_bind_into](config) = mid.getConfiguration()
-      )
+    exists(PathNodeMid sink |
+      sink.isAtSink() and
+      node = sink.getNodeEx() and
+      config = sink.getConfiguration()
     )
   }
 
@@ -3170,7 +3226,7 @@ private class AccessPathCons extends AccessPath, TAccessPathCons {
   }
 
   override string toString() {
-    result = "[" + this.toStringImpl(true) + length().toString() + ")]"
+    result = "[" + this.toStringImpl(true) + this.length().toString() + ")]"
     or
     result = "[" + this.toStringImpl(false)
   }
@@ -3309,9 +3365,11 @@ abstract private class PathNodeImpl extends PathNode {
     result = " <" + this.(PathNodeMid).getCallContext().toString() + ">"
   }
 
-  override string toString() { result = this.getNodeEx().toString() + ppAp() }
+  override string toString() { result = this.getNodeEx().toString() + this.ppAp() }
 
-  override string toStringWithContext() { result = this.getNodeEx().toString() + ppAp() + ppCtx() }
+  override string toStringWithContext() {
+    result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx()
+  }
 
   override predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
@@ -3379,24 +3437,48 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
 
   override PathNodeImpl getASuccessorImpl() {
     // an intermediate step to another intermediate node
-    result = getSuccMid()
+    result = this.getSuccMid()
     or
-    // a final step to a sink via zero steps means we merge the last two steps to prevent trivial-looking edges
-    exists(PathNodeMid mid, PathNodeSink sink |
-      mid = getSuccMid() and
-      mid.getNodeEx() = sink.getNodeEx() and
-      mid.getAp() instanceof AccessPathNil and
-      sink.getConfiguration() = unbindConf(mid.getConfiguration()) and
-      result = sink
-    )
+    // a final step to a sink
+    result = this.getSuccMid().projectToSink()
   }
 
   override predicate isSource() {
     sourceNode(node, config) and
-    cc instanceof CallContextAny and
+    (
+      if hasSourceCallCtx(config)
+      then cc instanceof CallContextSomeCall
+      else cc instanceof CallContextAny
+    ) and
     sc instanceof SummaryCtxNone and
     ap instanceof AccessPathNil
   }
+
+  predicate isAtSink() {
+    sinkNode(node, config) and
+    ap instanceof AccessPathNil and
+    if hasSinkCallCtx(config)
+    then
+      // For `FeatureHasSinkCallContext` the condition `cc instanceof CallContextNoCall`
+      // is exactly what we need to check. This also implies
+      // `sc instanceof SummaryCtxNone`.
+      // For `FeatureEqualSourceSinkCallContext` the initial call context was
+      // set to `CallContextSomeCall` and jumps are disallowed, so
+      // `cc instanceof CallContextNoCall` never holds. On the other hand,
+      // in this case there's never any need to enter a call except to identify
+      // a summary, so the condition in `pathIntoCallable` enforces this, which
+      // means that `sc instanceof SummaryCtxNone` holds if and only if we are
+      // in the call context of the source.
+      sc instanceof SummaryCtxNone or
+      cc instanceof CallContextNoCall
+    else any()
+  }
+
+  PathNodeSink projectToSink() {
+    this.isAtSink() and
+    result.getNodeEx() = node and
+    result.getConfiguration() = unbindConf(config)
+  }
 }
 
 /**
@@ -3460,7 +3542,7 @@ private predicate pathStep(
   exists(TypedContent tc | pathReadStep(mid, node, ap.push(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
   or
-  pathIntoCallable(mid, node, _, cc, sc, _) and ap = mid.getAp()
+  pathIntoCallable(mid, node, _, cc, sc, _, _) and ap = mid.getAp()
   or
   pathOutOfCallable(mid, node, cc) and ap = mid.getAp() and sc instanceof SummaryCtxNone
   or
@@ -3537,18 +3619,20 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
  */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
+  Configuration config
 ) {
   exists(ArgNode arg |
     arg = mid.getNodeEx().asNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
     ap = mid.getAp() and
-    apa = ap.getApprox()
+    apa = ap.getApprox() and
+    config = mid.getConfiguration()
   )
 }
 
-pragma[noinline]
+pragma[nomagic]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
@@ -3561,12 +3645,14 @@ private predicate parameterCand(
 pragma[nomagic]
 private predicate pathIntoCallable0(
   PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
-  AccessPath ap
+  AccessPath ap, Configuration config
 ) {
   exists(AccessPathApprox apa |
-    pathIntoArg(mid, i, outercc, call, ap, apa) and
+    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
+      pragma[only_bind_into](config)) and
     callable = resolveCall(call, outercc) and
-    parameterCand(callable, any(int j | j <= i and j >= i), apa, mid.getConfiguration())
+    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
+      pragma[only_bind_into](config))
   )
 }
 
@@ -3575,18 +3661,23 @@ private predicate pathIntoCallable0(
  * before and after entering the callable are `outercc` and `innercc`,
  * respectively.
  */
+pragma[nomagic]
 private predicate pathIntoCallable(
   PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
-  DataFlowCall call
+  DataFlowCall call, Configuration config
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, i, outercc, call, ap) and
+    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
     p.isParameterOf(callable, i) and
     (
       sc = TSummaryCtxSome(p, ap)
       or
       not exists(TSummaryCtxSome(p, ap)) and
-      sc = TSummaryCtxNone()
+      sc = TSummaryCtxNone() and
+      // When the call contexts of source and sink needs to match then there's
+      // never any reason to enter a callable except to find a summary. See also
+      // the comment in `PathNodeMid::isAtSink`.
+      not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
     )
   |
     if recordDataFlowCallSite(call, callable)
@@ -3610,18 +3701,23 @@ private predicate paramFlowsThrough(
     ap = mid.getAp() and
     apa = ap.getApprox() and
     pos = sc.getParameterPos() and
-    not kind.(ParamUpdateReturnKind).getPosition() = pos
+    // we don't expect a parameter to return stored in itself, unless explicitly allowed
+    (
+      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      or
+      sc.getParamNode().allowParameterReturnInSelf()
+    )
   )
 }
 
 pragma[nomagic]
 private predicate pathThroughCallable0(
   DataFlowCall call, PathNodeMid mid, ReturnKindExt kind, CallContext cc, AccessPath ap,
-  AccessPathApprox apa
+  AccessPathApprox apa, Configuration config
 ) {
   exists(CallContext innercc, SummaryCtx sc |
-    pathIntoCallable(mid, _, cc, innercc, sc, call) and
-    paramFlowsThrough(kind, innercc, sc, ap, apa, unbindConf(mid.getConfiguration()))
+    pathIntoCallable(mid, _, cc, innercc, sc, call, config) and
+    paramFlowsThrough(kind, innercc, sc, ap, apa, config)
   )
 }
 
@@ -3631,9 +3727,9 @@ private predicate pathThroughCallable0(
  */
 pragma[noinline]
 private predicate pathThroughCallable(PathNodeMid mid, NodeEx out, CallContext cc, AccessPath ap) {
-  exists(DataFlowCall call, ReturnKindExt kind, AccessPathApprox apa |
-    pathThroughCallable0(call, mid, kind, cc, ap, apa) and
-    out = getAnOutNodeFlow(kind, call, apa, unbindConf(mid.getConfiguration()))
+  exists(DataFlowCall call, ReturnKindExt kind, AccessPathApprox apa, Configuration config |
+    pathThroughCallable0(call, mid, kind, cc, ap, apa, config) and
+    out = getAnOutNodeFlow(kind, call, apa, config)
   )
 }
 
@@ -3647,10 +3743,11 @@ private module Subpaths {
     PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
-    pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
-    pathIntoCallable(arg, par, _, innercc, sc, _) and
-    paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _,
-      unbindConf(arg.getConfiguration()))
+    exists(Configuration config |
+      pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
+      pathIntoCallable(arg, par, _, innercc, sc, _, config) and
+      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config))
+    )
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

@@ -10,6 +10,7 @@
 private import DataFlowImplCommon
 private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
+import DataFlowImplCommonPublic
 
 /**
  * A configuration of interprocedural data flow analysis. This defines
@@ -94,6 +95,22 @@ abstract class Configuration extends string {
    */
   int fieldFlowBranchLimit() { result = 2 }
 
+  /**
+   * Gets a data flow configuration feature to add restrictions to the set of
+   * valid flow paths.
+   *
+   * - `FeatureHasSourceCallContext`:
+   *    Assume that sources have some existing call context to disallow
+   *    conflicting return-flow directly following the source.
+   * - `FeatureHasSinkCallContext`:
+   *    Assume that sinks have some existing call context to disallow
+   *    conflicting argument-to-parameter flow directly preceding the sink.
+   * - `FeatureEqualSourceSinkCallContext`:
+   *    Implies both of the above and additionally ensures that the entire flow
+   *    path preserves the call context.
+   */
+  FlowFeature getAFeature() { none() }
+
   /**
    * Holds if data may flow from `source` to `sink` for this configuration.
    */
@@ -110,12 +127,12 @@ abstract class Configuration extends string {
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowTo(Node sink) { hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
 
   /**
    * Holds if data may flow from some source to `sink` for this configuration.
    */
-  predicate hasFlowToExpr(DataFlowExpr sink) { hasFlowTo(exprNode(sink)) }
+  predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
   /**
    * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
@@ -244,6 +261,8 @@ private class ParamNodeEx extends NodeEx {
   }
 
   int getPosition() { this.isParameterOf(_, result) }
+
+  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
 
 private class RetNodeEx extends NodeEx {
@@ -347,7 +366,8 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
     not outBarrier(node1, config) and
     not inBarrier(node2, config) and
     not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    not fullBarrier(node2, config) and
+    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
   )
 }
 
@@ -363,7 +383,8 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
     not outBarrier(node1, config) and
     not inBarrier(node2, config) and
     not fullBarrier(node1, config) and
-    not fullBarrier(node2, config)
+    not fullBarrier(node2, config) and
+    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
   )
 }
 
@@ -399,6 +420,20 @@ private predicate viableParamArgEx(DataFlowCall call, ParamNodeEx p, ArgNodeEx a
  */
 private predicate useFieldFlow(Configuration config) { config.fieldFlowBranchLimit() >= 1 }
 
+private predicate hasSourceCallCtx(Configuration config) {
+  exists(FlowFeature feature | feature = config.getAFeature() |
+    feature instanceof FeatureHasSourceCallContext or
+    feature instanceof FeatureEqualSourceSinkCallContext
+  )
+}
+
+private predicate hasSinkCallCtx(Configuration config) {
+  exists(FlowFeature feature | feature = config.getAFeature() |
+    feature instanceof FeatureHasSinkCallContext or
+    feature instanceof FeatureEqualSourceSinkCallContext
+  )
+}
+
 private module Stage1 {
   class ApApprox = Unit;
 
@@ -419,7 +454,7 @@ private module Stage1 {
     not fullBarrier(node, config) and
     (
       sourceNode(node, config) and
-      cc = false
+      if hasSourceCallCtx(config) then cc = true else cc = false
       or
       exists(NodeEx mid |
         fwdFlow(mid, cc, config) and
@@ -549,7 +584,7 @@ private module Stage1 {
   private predicate revFlow0(NodeEx node, boolean toReturn, Configuration config) {
     fwdFlow(node, config) and
     sinkNode(node, config) and
-    toReturn = false
+    if hasSinkCallCtx(config) then toReturn = true else toReturn = false
     or
     exists(NodeEx mid |
       localFlowStep(node, mid, config) and
@@ -744,8 +779,12 @@ private module Stage1 {
       returnFlowCallableNodeCand(c, kind, config) and
       p.getEnclosingCallable() = c and
       exists(ap) and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -931,6 +970,8 @@ private module Stage2 {
 
   Cc ccNone() { result instanceof CallContextAny }
 
+  CcCall ccSomeCall() { result instanceof CallContextSomeCall }
+
   private class LocalCc = Unit;
 
   bindingset[call, c, outercc]
@@ -998,7 +1039,7 @@ private module Stage2 {
   predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
-    cc = ccNone() and
+    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
     argAp = apNone() and
     ap = getApNil(node)
     or
@@ -1209,7 +1250,7 @@ private module Stage2 {
   ) {
     fwdFlow(node, _, _, ap, config) and
     sinkNode(node, config) and
-    toReturn = false and
+    (if hasSinkCallCtx(config) then toReturn = true else toReturn = false) and
     returnAp = apNone() and
     ap instanceof ApNil
     or
@@ -1394,8 +1435,12 @@ private module Stage2 {
       fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
       kind = ret.getKind() and
       p.getPosition() = pos and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = pos
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -1606,6 +1651,8 @@ private module Stage3 {
 
   Cc ccNone() { result = false }
 
+  CcCall ccSomeCall() { result = true }
+
   private class LocalCc = Unit;
 
   bindingset[call, c, outercc]
@@ -1687,7 +1734,7 @@ private module Stage3 {
   private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
-    cc = ccNone() and
+    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
     argAp = apNone() and
     ap = getApNil(node)
     or
@@ -1898,7 +1945,7 @@ private module Stage3 {
   ) {
     fwdFlow(node, _, _, ap, config) and
     sinkNode(node, config) and
-    toReturn = false and
+    (if hasSinkCallCtx(config) then toReturn = true else toReturn = false) and
     returnAp = apNone() and
     ap instanceof ApNil
     or
@@ -2083,8 +2130,12 @@ private module Stage3 {
       fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
       kind = ret.getKind() and
       p.getPosition() = pos and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = pos
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -2352,6 +2403,8 @@ private module Stage4 {
 
   Cc ccNone() { result instanceof CallContextAny }
 
+  CcCall ccSomeCall() { result instanceof CallContextSomeCall }
+
   private class LocalCc = LocalCallContext;
 
   bindingset[call, c, outercc]
@@ -2447,7 +2500,7 @@ private module Stage4 {
   private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
-    cc = ccNone() and
+    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
     argAp = apNone() and
     ap = getApNil(node)
     or
@@ -2658,7 +2711,7 @@ private module Stage4 {
   ) {
     fwdFlow(node, _, _, ap, config) and
     sinkNode(node, config) and
-    toReturn = false and
+    (if hasSinkCallCtx(config) then toReturn = true else toReturn = false) and
     returnAp = apNone() and
     ap instanceof ApNil
     or
@@ -2843,8 +2896,12 @@ private module Stage4 {
       fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
       kind = ret.getKind() and
       p.getPosition() = pos and
-      // we don't expect a parameter to return stored in itself
-      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      // we don't expect a parameter to return stored in itself, unless explicitly allowed
+      (
+        not kind.(ParamUpdateReturnKind).getPosition() = pos
+        or
+        p.allowParameterReturnInSelf()
+      )
     )
   }
 
@@ -2917,6 +2974,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
 
   int getParameterPos() { p.isParameterOf(_, result) }
 
+  ParamNodeEx getParamNode() { result = p }
+
   override string toString() { result = p + ": " + ap }
 
   predicate hasLocationInfo(
@@ -3044,7 +3103,11 @@ private newtype TPathNode =
     // A PathNode is introduced by a source ...
     Stage4::revFlow(node, config) and
     sourceNode(node, config) and
-    cc instanceof CallContextAny and
+    (
+      if hasSourceCallCtx(config)
+      then cc instanceof CallContextSomeCall
+      else cc instanceof CallContextAny
+    ) and
     sc instanceof SummaryCtxNone and
     ap = TAccessPathNil(node.getDataFlowType())
     or
@@ -3056,17 +3119,10 @@ private newtype TPathNode =
     )
   } or
   TPathNodeSink(NodeEx node, Configuration config) {
-    sinkNode(node, pragma[only_bind_into](config)) and
-    Stage4::revFlow(node, pragma[only_bind_into](config)) and
-    (
-      // A sink that is also a source ...
-      sourceNode(node, config)
-      or
-      // ... or a sink that can be reached from a source
-      exists(PathNodeMid mid |
-        pathStep(mid, node, _, _, TAccessPathNil(_)) and
-        pragma[only_bind_into](config) = mid.getConfiguration()
-      )
+    exists(PathNodeMid sink |
+      sink.isAtSink() and
+      node = sink.getNodeEx() and
+      config = sink.getConfiguration()
     )
   }
 
@@ -3170,7 +3226,7 @@ private class AccessPathCons extends AccessPath, TAccessPathCons {
   }
 
   override string toString() {
-    result = "[" + this.toStringImpl(true) + length().toString() + ")]"
+    result = "[" + this.toStringImpl(true) + this.length().toString() + ")]"
     or
     result = "[" + this.toStringImpl(false)
   }
@@ -3309,9 +3365,11 @@ abstract private class PathNodeImpl extends PathNode {
     result = " <" + this.(PathNodeMid).getCallContext().toString() + ">"
   }
 
-  override string toString() { result = this.getNodeEx().toString() + ppAp() }
+  override string toString() { result = this.getNodeEx().toString() + this.ppAp() }
 
-  override string toStringWithContext() { result = this.getNodeEx().toString() + ppAp() + ppCtx() }
+  override string toStringWithContext() {
+    result = this.getNodeEx().toString() + this.ppAp() + this.ppCtx()
+  }
 
   override predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
@@ -3379,24 +3437,48 @@ private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
 
   override PathNodeImpl getASuccessorImpl() {
     // an intermediate step to another intermediate node
-    result = getSuccMid()
+    result = this.getSuccMid()
     or
-    // a final step to a sink via zero steps means we merge the last two steps to prevent trivial-looking edges
-    exists(PathNodeMid mid, PathNodeSink sink |
-      mid = getSuccMid() and
-      mid.getNodeEx() = sink.getNodeEx() and
-      mid.getAp() instanceof AccessPathNil and
-      sink.getConfiguration() = unbindConf(mid.getConfiguration()) and
-      result = sink
-    )
+    // a final step to a sink
+    result = this.getSuccMid().projectToSink()
   }
 
   override predicate isSource() {
     sourceNode(node, config) and
-    cc instanceof CallContextAny and
+    (
+      if hasSourceCallCtx(config)
+      then cc instanceof CallContextSomeCall
+      else cc instanceof CallContextAny
+    ) and
     sc instanceof SummaryCtxNone and
     ap instanceof AccessPathNil
   }
+
+  predicate isAtSink() {
+    sinkNode(node, config) and
+    ap instanceof AccessPathNil and
+    if hasSinkCallCtx(config)
+    then
+      // For `FeatureHasSinkCallContext` the condition `cc instanceof CallContextNoCall`
+      // is exactly what we need to check. This also implies
+      // `sc instanceof SummaryCtxNone`.
+      // For `FeatureEqualSourceSinkCallContext` the initial call context was
+      // set to `CallContextSomeCall` and jumps are disallowed, so
+      // `cc instanceof CallContextNoCall` never holds. On the other hand,
+      // in this case there's never any need to enter a call except to identify
+      // a summary, so the condition in `pathIntoCallable` enforces this, which
+      // means that `sc instanceof SummaryCtxNone` holds if and only if we are
+      // in the call context of the source.
+      sc instanceof SummaryCtxNone or
+      cc instanceof CallContextNoCall
+    else any()
+  }
+
+  PathNodeSink projectToSink() {
+    this.isAtSink() and
+    result.getNodeEx() = node and
+    result.getConfiguration() = unbindConf(config)
+  }
 }
 
 /**
@@ -3460,7 +3542,7 @@ private predicate pathStep(
   exists(TypedContent tc | pathReadStep(mid, node, ap.push(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
   or
-  pathIntoCallable(mid, node, _, cc, sc, _) and ap = mid.getAp()
+  pathIntoCallable(mid, node, _, cc, sc, _, _) and ap = mid.getAp()
   or
   pathOutOfCallable(mid, node, cc) and ap = mid.getAp() and sc instanceof SummaryCtxNone
   or
@@ -3537,18 +3619,20 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
  */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
+  Configuration config
 ) {
   exists(ArgNode arg |
     arg = mid.getNodeEx().asNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
     ap = mid.getAp() and
-    apa = ap.getApprox()
+    apa = ap.getApprox() and
+    config = mid.getConfiguration()
   )
 }
 
-pragma[noinline]
+pragma[nomagic]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
@@ -3561,12 +3645,14 @@ private predicate parameterCand(
 pragma[nomagic]
 private predicate pathIntoCallable0(
   PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
-  AccessPath ap
+  AccessPath ap, Configuration config
 ) {
   exists(AccessPathApprox apa |
-    pathIntoArg(mid, i, outercc, call, ap, apa) and
+    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
+      pragma[only_bind_into](config)) and
     callable = resolveCall(call, outercc) and
-    parameterCand(callable, any(int j | j <= i and j >= i), apa, mid.getConfiguration())
+    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
+      pragma[only_bind_into](config))
   )
 }
 
@@ -3575,18 +3661,23 @@ private predicate pathIntoCallable0(
  * before and after entering the callable are `outercc` and `innercc`,
  * respectively.
  */
+pragma[nomagic]
 private predicate pathIntoCallable(
   PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
-  DataFlowCall call
+  DataFlowCall call, Configuration config
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, i, outercc, call, ap) and
+    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
     p.isParameterOf(callable, i) and
     (
       sc = TSummaryCtxSome(p, ap)
       or
       not exists(TSummaryCtxSome(p, ap)) and
-      sc = TSummaryCtxNone()
+      sc = TSummaryCtxNone() and
+      // When the call contexts of source and sink needs to match then there's
+      // never any reason to enter a callable except to find a summary. See also
+      // the comment in `PathNodeMid::isAtSink`.
+      not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
     )
   |
     if recordDataFlowCallSite(call, callable)
@@ -3610,18 +3701,23 @@ private predicate paramFlowsThrough(
     ap = mid.getAp() and
     apa = ap.getApprox() and
     pos = sc.getParameterPos() and
-    not kind.(ParamUpdateReturnKind).getPosition() = pos
+    // we don't expect a parameter to return stored in itself, unless explicitly allowed
+    (
+      not kind.(ParamUpdateReturnKind).getPosition() = pos
+      or
+      sc.getParamNode().allowParameterReturnInSelf()
+    )
   )
 }
 
 pragma[nomagic]
 private predicate pathThroughCallable0(
   DataFlowCall call, PathNodeMid mid, ReturnKindExt kind, CallContext cc, AccessPath ap,
-  AccessPathApprox apa
+  AccessPathApprox apa, Configuration config
 ) {
   exists(CallContext innercc, SummaryCtx sc |
-    pathIntoCallable(mid, _, cc, innercc, sc, call) and
-    paramFlowsThrough(kind, innercc, sc, ap, apa, unbindConf(mid.getConfiguration()))
+    pathIntoCallable(mid, _, cc, innercc, sc, call, config) and
+    paramFlowsThrough(kind, innercc, sc, ap, apa, config)
   )
 }
 
@@ -3631,9 +3727,9 @@ private predicate pathThroughCallable0(
  */
 pragma[noinline]
 private predicate pathThroughCallable(PathNodeMid mid, NodeEx out, CallContext cc, AccessPath ap) {
-  exists(DataFlowCall call, ReturnKindExt kind, AccessPathApprox apa |
-    pathThroughCallable0(call, mid, kind, cc, ap, apa) and
-    out = getAnOutNodeFlow(kind, call, apa, unbindConf(mid.getConfiguration()))
+  exists(DataFlowCall call, ReturnKindExt kind, AccessPathApprox apa, Configuration config |
+    pathThroughCallable0(call, mid, kind, cc, ap, apa, config) and
+    out = getAnOutNodeFlow(kind, call, apa, config)
   )
 }
 
@@ -3647,10 +3743,11 @@ private module Subpaths {
     PathNode arg, ParamNodeEx par, SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind,
     NodeEx out, AccessPath apout
   ) {
-    pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
-    pathIntoCallable(arg, par, _, innercc, sc, _) and
-    paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _,
-      unbindConf(arg.getConfiguration()))
+    exists(Configuration config |
+      pathThroughCallable(arg, out, _, pragma[only_bind_into](apout)) and
+      pathIntoCallable(arg, par, _, innercc, sc, _, config) and
+      paramFlowsThrough(kind, innercc, sc, pragma[only_bind_into](apout), _, unbindConf(config))
+    )
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll

@@ -2,6 +2,42 @@ private import DataFlowImplSpecific::Private
 private import DataFlowImplSpecific::Public
 import Cached
 
+module DataFlowImplCommonPublic {
+  private newtype TFlowFeature =
+    TFeatureHasSourceCallContext() or
+    TFeatureHasSinkCallContext() or
+    TFeatureEqualSourceSinkCallContext()
+
+  /** A flow configuration feature for use in `Configuration::getAFeature()`. */
+  class FlowFeature extends TFlowFeature {
+    string toString() { none() }
+  }
+
+  /**
+   * A flow configuration feature that implies that sources have some existing
+   * call context.
+   */
+  class FeatureHasSourceCallContext extends FlowFeature, TFeatureHasSourceCallContext {
+    override string toString() { result = "FeatureHasSourceCallContext" }
+  }
+
+  /**
+   * A flow configuration feature that implies that sinks have some existing
+   * call context.
+   */
+  class FeatureHasSinkCallContext extends FlowFeature, TFeatureHasSinkCallContext {
+    override string toString() { result = "FeatureHasSinkCallContext" }
+  }
+
+  /**
+   * A flow configuration feature that implies that source-sink pairs have some
+   * shared existing call context.
+   */
+  class FeatureEqualSourceSinkCallContext extends FlowFeature, TFeatureEqualSourceSinkCallContext {
+    override string toString() { result = "FeatureEqualSourceSinkCallContext" }
+  }
+}
+
 /**
  * The cost limits for the `AccessPathFront` to `AccessPathApprox` expansion.
  *
@@ -251,7 +287,7 @@ private module Cached {
   predicate forceCachingInSameStage() { any() }
 
   cached
-  predicate nodeEnclosingCallable(Node n, DataFlowCallable c) { c = n.getEnclosingCallable() }
+  predicate nodeEnclosingCallable(Node n, DataFlowCallable c) { c = nodeGetEnclosingCallable(n) }
 
   cached
   predicate callEnclosingCallable(DataFlowCall call, DataFlowCallable c) {
@@ -316,9 +352,7 @@ private module Cached {
   }
 
   cached
-  predicate parameterNode(Node n, DataFlowCallable c, int i) {
-    n.(ParameterNode).isParameterOf(c, i)
-  }
+  predicate parameterNode(Node p, DataFlowCallable c, int pos) { isParameterNode(p, c, pos) }
 
   cached
   predicate argumentNode(Node n, DataFlowCall call, int pos) {
@@ -801,6 +835,9 @@ private module Cached {
     exists(Node n | getNodeEnclosingCallable(n) = callable | isUnreachableInCallCached(n, call))
   }
 
+  cached
+  predicate allowParameterReturnInSelfCached(ParamNode p) { allowParameterReturnInSelf(p) }
+
   cached
   newtype TCallContext =
     TAnyCallContext() or

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll

@@ -31,7 +31,7 @@ module Consistency {
   query predicate uniqueEnclosingCallable(Node n, string msg) {
     exists(int c |
       n instanceof RelevantNode and
-      c = count(n.getEnclosingCallable()) and
+      c = count(nodeGetEnclosingCallable(n)) and
       c != 1 and
       msg = "Node should have one enclosing callable but has " + c + "."
     )
@@ -85,13 +85,13 @@ module Consistency {
   }
 
   query predicate parameterCallable(ParameterNode p, string msg) {
-    exists(DataFlowCallable c | p.isParameterOf(c, _) and c != p.getEnclosingCallable()) and
+    exists(DataFlowCallable c | isParameterNode(p, c, _) and c != nodeGetEnclosingCallable(p)) and
     msg = "Callable mismatch for parameter."
   }
 
   query predicate localFlowIsLocal(Node n1, Node n2, string msg) {
     simpleLocalFlowStep(n1, n2) and
-    n1.getEnclosingCallable() != n2.getEnclosingCallable() and
+    nodeGetEnclosingCallable(n1) != nodeGetEnclosingCallable(n2) and
     msg = "Local flow step does not preserve enclosing callable."
   }
 
@@ -106,7 +106,7 @@ module Consistency {
   query predicate unreachableNodeCCtx(Node n, DataFlowCall call, string msg) {
     isUnreachableInCall(n, call) and
     exists(DataFlowCallable c |
-      c = n.getEnclosingCallable() and
+      c = nodeGetEnclosingCallable(n) and
       not viableCallable(call) = c
     ) and
     msg = "Call context for isUnreachableInCall is inconsistent with call graph."
@@ -120,7 +120,7 @@ module Consistency {
       n.(ArgumentNode).argumentOf(call, _) and
       msg = "ArgumentNode and call does not share enclosing callable."
     ) and
-    n.getEnclosingCallable() != call.getEnclosingCallable()
+    nodeGetEnclosingCallable(n) != call.getEnclosingCallable()
   }
 
   // This predicate helps the compiler forget that in some languages
@@ -151,7 +151,7 @@ module Consistency {
   }
 
   query predicate postIsInSameCallable(PostUpdateNode n, string msg) {
-    n.getEnclosingCallable() != n.getPreUpdateNode().getEnclosingCallable() and
+    nodeGetEnclosingCallable(n) != nodeGetEnclosingCallable(n.getPreUpdateNode()) and
     msg = "PostUpdateNode does not share callable with its pre-update node."
   }
 
@@ -175,6 +175,7 @@ module Consistency {
 
   query predicate postWithInFlow(Node n, string msg) {
     isPostUpdateNode(n) and
+    not clearsContent(n, _) and
     simpleLocalFlowStep(_, n) and
     msg = "PostUpdateNode should not be the target of local flow."
   }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -3,6 +3,12 @@ private import DataFlowUtil
 private import semmle.code.cpp.ir.IR
 private import DataFlowDispatch
 
+/** Gets the callable in which this node occurs. */
+DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.getEnclosingCallable() }
+
+/** Holds if `p` is a `ParameterNode` of `c` with position `pos`. */
+predicate isParameterNode(ParameterNode p, DataFlowCallable c, int pos) { p.isParameterOf(c, pos) }
+
 /**
  * A data flow node that occurs as the argument of a call and is passed as-is
  * to the callable. Instance arguments (`this` pointer) and read side effects
@@ -106,11 +112,9 @@ class ReturnNode extends InstructionNode {
   Instruction primary;
 
   ReturnNode() {
-    exists(ReturnValueInstruction ret | instr = ret.getReturnValue() and primary = ret)
+    exists(ReturnValueInstruction ret | instr = ret and primary = ret)
     or
-    exists(ReturnIndirectionInstruction rii |
-      instr = rii.getSideEffectOperand().getAnyDef() and primary = rii
-    )
+    exists(ReturnIndirectionInstruction rii | instr = rii and primary = rii)
   }
 
   /** Gets the kind of this returned value. */
@@ -184,108 +188,16 @@ OutNode getAnOutNode(DataFlowCall call, ReturnKind kind) {
  */
 predicate jumpStep(Node n1, Node n2) { none() }
 
-private predicate fieldStoreStepNoChi(Node node1, FieldContent f, PostUpdateNode node2) {
-  exists(StoreInstruction store, Class c |
-    store = node2.asInstruction() and
-    store.getSourceValueOperand() = node1.asOperand() and
-    getWrittenField(store, f.(FieldContent).getAField(), c) and
-    f.hasOffset(c, _, _)
-  )
-}
-
-private FieldAddressInstruction getFieldInstruction(Instruction instr) {
-  result = instr or
-  result = instr.(CopyValueInstruction).getUnary()
-}
-
-pragma[noinline]
-private predicate getWrittenField(Instruction instr, Field f, Class c) {
-  exists(FieldAddressInstruction fa |
-    fa =
-      getFieldInstruction([
-          instr.(StoreInstruction).getDestinationAddress(),
-          instr.(WriteSideEffectInstruction).getDestinationAddress()
-        ]) and
-    f = fa.getField() and
-    c = f.getDeclaringType()
-  )
-}
-
-private predicate fieldStoreStepChi(Node node1, FieldContent f, PostUpdateNode node2) {
-  exists(ChiPartialOperand operand, ChiInstruction chi |
-    chi.getPartialOperand() = operand and
-    node1.asOperand() = operand and
-    node2.asInstruction() = chi and
-    exists(Class c |
-      c = chi.getResultType() and
-      exists(int startBit, int endBit |
-        chi.getUpdatedInterval(startBit, endBit) and
-        f.hasOffset(c, startBit, endBit)
-      )
-      or
-      getWrittenField(operand.getDef(), f.getAField(), c) and
-      f.hasOffset(c, _, _)
-    )
-  )
-}
-
-private predicate arrayStoreStepChi(Node node1, ArrayContent a, PostUpdateNode node2) {
-  exists(a) and
-  exists(ChiPartialOperand operand, ChiInstruction chi, StoreInstruction store |
-    chi.getPartialOperand() = operand and
-    store = operand.getDef() and
-    node1.asOperand() = operand and
-    // This `ChiInstruction` will always have a non-conflated result because both `ArrayStoreNode`
-    // and `PointerStoreNode` require it in their characteristic predicates.
-    node2.asInstruction() = chi and
-    (
-      // `x[i] = taint()`
-      // This matches the characteristic predicate in `ArrayStoreNode`.
-      store.getDestinationAddress() instanceof PointerAddInstruction
-      or
-      // `*p = taint()`
-      // This matches the characteristic predicate in `PointerStoreNode`.
-      store.getDestinationAddress().(CopyValueInstruction).getUnary() instanceof LoadInstruction
-    )
-  )
-}
-
 /**
  * Holds if data can flow from `node1` to `node2` via an assignment to `f`.
  * Thus, `node2` references an object with a field `f` that contains the
  * value of `node1`.
  */
-predicate storeStep(Node node1, Content f, PostUpdateNode node2) {
-  fieldStoreStepNoChi(node1, f, node2) or
-  fieldStoreStepChi(node1, f, node2) or
-  arrayStoreStepChi(node1, f, node2) or
-  fieldStoreStepAfterArraySuppression(node1, f, node2)
-}
-
-// This predicate pushes the correct `FieldContent` onto the access path when the
-// `suppressArrayRead` predicate has popped off an `ArrayContent`.
-private predicate fieldStoreStepAfterArraySuppression(
-  Node node1, FieldContent f, PostUpdateNode node2
-) {
-  exists(WriteSideEffectInstruction write, ChiInstruction chi, Class c |
-    not chi.isResultConflated() and
-    node1.asInstruction() = chi and
-    node2.asInstruction() = chi and
-    chi.getPartial() = write and
-    getWrittenField(write, f.getAField(), c) and
-    f.hasOffset(c, _, _)
-  )
-}
-
-bindingset[result, i]
-private int unbindInt(int i) { i <= result and i >= result }
-
-pragma[noinline]
-private predicate getLoadedField(LoadInstruction load, Field f, Class c) {
-  exists(FieldAddressInstruction fa |
-    fa = load.getSourceAddress() and
-    f = fa.getField() and
-    c = f.getDeclaringType()
+predicate storeStep(StoreNodeInstr node1, FieldContent f, StoreNodeInstr node2) {
+  exists(FieldAddressInstruction fai |
+    node1.getInstruction() = fai and
+    node2.getInstruction() = fai.getObjectAddress() and
+    f.getField() = fai.getField()
   )
 }
 
@@ -294,122 +206,14 @@ private predicate getLoadedField(LoadInstruction load, Field f, Class c) {
  * Thus, `node1` references an object with a field `f` whose value ends up in
  * `node2`.
  */
-private predicate fieldReadStep(Node node1, FieldContent f, Node node2) {
-  exists(LoadOperand operand |
-    node2.asOperand() = operand and
-    node1.asInstruction() = operand.getAnyDef() and
-    exists(Class c |
-      c = operand.getAnyDef().getResultType() and
-      exists(int startBit, int endBit |
-        operand.getUsedInterval(unbindInt(startBit), unbindInt(endBit)) and
-        f.hasOffset(c, startBit, endBit)
-      )
-      or
-      getLoadedField(operand.getUse(), f.getAField(), c) and
-      f.hasOffset(c, _, _)
-    )
+predicate readStep(ReadNode node1, FieldContent f, ReadNode node2) {
+  exists(FieldAddressInstruction fai |
+    node1.getInstruction() = fai.getObjectAddress() and
+    node2.getInstruction() = fai and
+    f.getField() = fai.getField()
   )
 }
 
-/**
- * When a store step happens in a function that looks like an array write such as:
- * ```cpp
- * void f(int* pa) {
- *   pa = source();
- * }
- * ```
- * it can be a write to an array, but it can also happen that `f` is called as `f(&a.x)`. If that is
- * the case, the `ArrayContent` that was written by the call to `f` should be popped off the access
- * path, and a `FieldContent` containing `x` should be pushed instead.
- * So this case pops `ArrayContent` off the access path, and the `fieldStoreStepAfterArraySuppression`
- * predicate in `storeStep` ensures that we push the right `FieldContent` onto the access path.
- */
-predicate suppressArrayRead(Node node1, ArrayContent a, Node node2) {
-  exists(a) and
-  exists(WriteSideEffectInstruction write, ChiInstruction chi |
-    node1.asInstruction() = write and
-    node2.asInstruction() = chi and
-    chi.getPartial() = write and
-    getWrittenField(write, _, _)
-  )
-}
-
-private class ArrayToPointerConvertInstruction extends ConvertInstruction {
-  ArrayToPointerConvertInstruction() {
-    this.getUnary().getResultType() instanceof ArrayType and
-    this.getResultType() instanceof PointerType
-  }
-}
-
-private Instruction skipOneCopyValueInstructionRec(CopyValueInstruction copy) {
-  copy.getUnary() = result and not result instanceof CopyValueInstruction
-  or
-  result = skipOneCopyValueInstructionRec(copy.getUnary())
-}
-
-private Instruction skipCopyValueInstructions(Operand op) {
-  not result instanceof CopyValueInstruction and result = op.getDef()
-  or
-  result = skipOneCopyValueInstructionRec(op.getDef())
-}
-
-private predicate arrayReadStep(Node node1, ArrayContent a, Node node2) {
-  exists(a) and
-  // Explicit dereferences such as `*p` or `p[i]` where `p` is a pointer or array.
-  exists(LoadOperand operand, Instruction address |
-    operand.isDefinitionInexact() and
-    node1.asInstruction() = operand.getAnyDef() and
-    operand = node2.asOperand() and
-    address = skipCopyValueInstructions(operand.getAddressOperand()) and
-    (
-      address instanceof LoadInstruction or
-      address instanceof ArrayToPointerConvertInstruction or
-      address instanceof PointerOffsetInstruction
-    )
-  )
-}
-
-/**
- * In cases such as:
- * ```cpp
- * void f(int* pa) {
- *   *pa = source();
- * }
- * ...
- * int x;
- * f(&x);
- * use(x);
- * ```
- * the load on `x` in `use(x)` will exactly overlap with its definition (in this case the definition
- * is a `WriteSideEffect`). This predicate pops the `ArrayContent` (pushed by the store in `f`)
- * from the access path.
- */
-private predicate exactReadStep(Node node1, ArrayContent a, Node node2) {
-  exists(a) and
-  exists(WriteSideEffectInstruction write, ChiInstruction chi |
-    not chi.isResultConflated() and
-    chi.getPartial() = write and
-    node1.asInstruction() = write and
-    node2.asInstruction() = chi and
-    // To distinquish this case from the `arrayReadStep` case we require that the entire variable was
-    // overwritten by the `WriteSideEffectInstruction` (i.e., there is a load that reads the
-    // entire variable).
-    exists(LoadInstruction load | load.getSourceValue() = chi)
-  )
-}
-
-/**
- * Holds if data can flow from `node1` to `node2` via a read of `f`.
- * Thus, `node1` references an object with a field `f` whose value ends up in
- * `node2`.
- */
-predicate readStep(Node node1, Content f, Node node2) {
-  fieldReadStep(node1, f, node2) or
-  arrayReadStep(node1, f, node2) or
-  exactReadStep(node1, f, node2) or
-  suppressArrayRead(node1, f, node2)
-}
-
 /**
  * Holds if values stored inside content `c` are cleared at node `n`.
  */
@@ -441,7 +245,7 @@ private predicate suppressUnusedNode(Node n) { any() }
 // Java QL library compatibility wrappers
 //////////////////////////////////////////////////////////////////////////////
 /** A node that performs a type cast. */
-class CastNode extends InstructionNode {
+class CastNode extends Node {
   CastNode() { none() } // stub implementation
 }
 
@@ -507,3 +311,12 @@ predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) { no
 
 /** Extra data-flow steps needed for lambda flow analysis. */
 predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) { none() }
+
+/**
+ * Holds if flow is allowed to pass from parameter `p` and back to itself as a
+ * side-effect, resulting in a summary from `p` to itself.
+ *
+ * One example would be to allow flow like `p.foo = p.bar;`, which is disallowed
+ * by default as a heuristic.
+ */
+predicate allowParameterReturnInSelf(ParameterNode p) { none() }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -10,19 +10,78 @@ private import semmle.code.cpp.ir.ValueNumbering
 private import semmle.code.cpp.ir.IR
 private import semmle.code.cpp.controlflow.IRGuards
 private import semmle.code.cpp.models.interfaces.DataFlow
+private import DataFlowPrivate
+private import SsaInternals as Ssa
 
 cached
 private module Cached {
+  /**
+   * The IR dataflow graph consists of the following nodes:
+   * - `InstructionNode`, which represents an `Instruction` in the graph.
+   * - `OperandNode`, which represents an `Operand` in the graph.
+   * - `VariableNode`, which is used to model global variables.
+   * - Two kinds of `StoreNode`s:
+   *   1. `StoreNodeInstr`, which represents the value of an address computed by an `Instruction` that
+   *      has been updated by a write operation.
+   *   2. `StoreNodeOperand`, which represents the value of an address in an `ArgumentOperand` after a
+   *      function call that may have changed the value.
+   * - `ReadNode`, which represents the result of reading a field of an object.
+   * - `SsaPhiNode`, which represents phi nodes as computed by the shared SSA library.
+   *
+   * The following section describes how flow is generally transferred between these nodes:
+   * - Flow between `InstructionNode`s and `OperandNode`s follow the def-use information as computed by
+   *   the IR. Because the IR compute must-alias information for memory operands, we only follow def-use
+   *   flow for register operands.
+   * - Flow can enter a `StoreNode` in two ways (both done in `StoreNode.flowInto`):
+   *   1. Flow is transferred from a `StoreValueOperand` to a `StoreNodeInstr`. Flow will then proceed
+   *      along the chain of addresses computed by `StoreNodeInstr.getInner` to identify field writes
+   *      and call `storeStep` accordingly (i.e., for an expression like `a.b.c = x`, we visit `c`, then
+   *      `b`, then `a`).
+   *   2. Flow is transfered from a `WriteSideEffectInstruction` to a `StoreNodeOperand` after flow
+   *      returns to a caller. Flow will then proceed to the defining instruction of the operand (because
+   *      the `StoreNodeInstr` computed by `StoreNodeOperand.getInner()` is the `StoreNode` containing
+   *      the defining instruction), and then along the chain computed by `StoreNodeInstr.getInner` like
+   *      above.
+   *   In both cases, flow leaves a `StoreNode` once the entire chain has been traversed, and the shared
+   *   SSA library is used to find the next use of the variable at the end of the chain.
+   * - Flow can enter a `ReadNode` through an `OperandNode` that represents an address of some variable.
+   *   Flow will then proceed along the chain of addresses computed by `ReadNode.getOuter` (i.e., for an
+   *   expression like `use(a.b.c)` we visit `a`, then `b`, then `c`) and call `readStep` accordingly.
+   *   Once the entire chain has been traversed, flow is transferred to the load instruction that reads
+   *   the final address of the chain.
+   * - Flow can enter a `SsaPhiNode` from an `InstructionNode`, a `StoreNode` or another `SsaPhiNode`
+   *   (in `toPhiNode`), depending on which node provided the previous definition of the underlying
+   *   variable. Flow leaves a `SsaPhiNode` (in `fromPhiNode`) by using the shared SSA library to
+   *   determine the next use of the variable.
+   */
   cached
   newtype TIRDataFlowNode =
     TInstructionNode(Instruction i) or
     TOperandNode(Operand op) or
-    TVariableNode(Variable var)
+    TVariableNode(Variable var) or
+    TStoreNodeInstr(Instruction i) { Ssa::explicitWrite(_, _, i) } or
+    TStoreNodeOperand(ArgumentOperand op) { Ssa::explicitWrite(_, _, op.getDef()) } or
+    TReadNode(Instruction i) { needsPostReadNode(i) } or
+    TSsaPhiNode(Ssa::PhiNode phi)
 
   cached
   predicate localFlowStepCached(Node nodeFrom, Node nodeTo) {
     simpleLocalFlowStep(nodeFrom, nodeTo)
   }
+
+  private predicate needsPostReadNode(Instruction iFrom) {
+    // If the instruction generates an address that flows to a load.
+    Ssa::addressFlowTC(iFrom, Ssa::getSourceAddress(_)) and
+    (
+      // And it is either a field address
+      iFrom instanceof FieldAddressInstruction
+      or
+      // Or it is instruction that either uses or is used for an address that needs a post read node.
+      exists(Instruction mid | needsPostReadNode(mid) |
+        Ssa::addressFlow(mid, iFrom) or Ssa::addressFlow(iFrom, mid)
+      )
+    )
+  }
 }
 
 private import Cached
@@ -110,7 +169,7 @@ class Node extends TIRDataFlowNode {
   /**
    * Gets an upper bound on the type of this node.
    */
-  IRType getTypeBound() { result = getType() }
+  IRType getTypeBound() { result = this.getType() }
 
   /** Gets the location of this element. */
   Location getLocation() { none() } // overridden by subclasses
@@ -180,6 +239,234 @@ class OperandNode extends Node, TOperandNode {
   override string toString() { result = this.getOperand().toString() }
 }
 
+/**
+ * INTERNAL: do not use.
+ *
+ * A `StoreNode` is a node that has been (or is about to be) the
+ * source or target of a `storeStep`.
+ */
+abstract private class StoreNode extends Node {
+  /** Holds if this node should receive flow from `addr`. */
+  abstract predicate flowInto(Instruction addr);
+
+  override Declaration getEnclosingCallable() { result = this.getFunction() }
+
+  /** Holds if this `StoreNode` is the root of the address computation used by a store operation. */
+  predicate isTerminal() {
+    not exists(this.getInner()) and
+    not storeStep(this, _, _)
+  }
+
+  /** Gets the store operation that uses the address computed by this `StoreNode`. */
+  abstract Instruction getStoreInstruction();
+
+  /** Holds if the store operation associated with this `StoreNode` overwrites the entire variable. */
+  final predicate isCertain() { Ssa::explicitWrite(true, this.getStoreInstruction(), _) }
+
+  /**
+   * Gets the `StoreNode` that computes the address used by this `StoreNode`.
+   */
+  abstract StoreNode getInner();
+
+  /** The inverse of `StoreNode.getInner`. */
+  final StoreNode getOuter() { result.getInner() = this }
+}
+
+class StoreNodeInstr extends StoreNode, TStoreNodeInstr {
+  Instruction instr;
+
+  StoreNodeInstr() { this = TStoreNodeInstr(instr) }
+
+  override predicate flowInto(Instruction addr) { this.getInstruction() = addr }
+
+  /** Gets the underlying instruction. */
+  Instruction getInstruction() { result = instr }
+
+  override Function getFunction() { result = this.getInstruction().getEnclosingFunction() }
+
+  override IRType getType() { result = this.getInstruction().getResultIRType() }
+
+  override Location getLocation() { result = this.getInstruction().getLocation() }
+
+  override string toString() {
+    result = instructionNode(this.getInstruction()).toString() + " [store]"
+  }
+
+  override Instruction getStoreInstruction() {
+    Ssa::explicitWrite(_, result, this.getInstruction())
+  }
+
+  override StoreNodeInstr getInner() {
+    Ssa::addressFlow(result.getInstruction(), this.getInstruction())
+  }
+}
+
+/**
+ * To avoid having `PostUpdateNode`s with multiple pre-update nodes (which can cause performance
+ * problems) we attach the `PostUpdateNode` that represent output arguments to an operand instead of
+ * an instruction.
+ *
+ * To see why we need this, consider the expression `b->set(new C())`. The IR of this expression looks
+ * like (simplified):
+ * ```
+ * r1(glval<unknown>) = FunctionAddress[set]            :
+ * r2(glval<unknown>) = FunctionAddress[operator new]   :
+ * r3(unsigned long)  = Constant[8]                     :
+ * r4(void *)         = Call[operator new]              : func:r2, 0:r3
+ * r5(C *)            = Convert                         : r4
+ * r6(glval<unknown>) = FunctionAddress[C]              :
+ * v1(void)           = Call[C]                         : func:r6, this:r5
+ * v2(void)           = Call[set]                       : func:r1, this:r0, 0:r5
+ * ```
+ *
+ * Notice that both the call to `C` and the call to `set` will have an argument that is the
+ * result of calling `operator new` (i.e., `r4`). If we only have `PostUpdateNode`s that are
+ * instructions, both `PostUpdateNode`s would have `r4` as their pre-update node.
+ *
+ * We avoid this issue by having a `PostUpdateNode` for each argument, and let the pre-update node of
+ * each `PostUpdateNode` be the argument _operand_, instead of the defining instruction.
+ */
+class StoreNodeOperand extends StoreNode, TStoreNodeOperand {
+  ArgumentOperand operand;
+
+  StoreNodeOperand() { this = TStoreNodeOperand(operand) }
+
+  override predicate flowInto(Instruction addr) { this.getOperand().getDef() = addr }
+
+  /** Gets the underlying operand. */
+  Operand getOperand() { result = operand }
+
+  override Function getFunction() { result = operand.getDef().getEnclosingFunction() }
+
+  override IRType getType() { result = operand.getIRType() }
+
+  override Location getLocation() { result = operand.getLocation() }
+
+  override string toString() { result = operandNode(this.getOperand()).toString() + " [store]" }
+
+  override WriteSideEffectInstruction getStoreInstruction() {
+    Ssa::explicitWrite(_, result, operand.getDef())
+  }
+
+  /**
+   * The result of `StoreNodeOperand.getInner` is the `StoreNodeInstr` representation the instruction
+   * that defines this operand. This means the graph of `getInner` looks like this:
+   * ```
+   * I---I---I
+   *  \   \   \
+   *   O   O   O
+   * ```
+   * where each `StoreNodeOperand` "hooks" into the chain computed by `StoreNodeInstr.getInner`.
+   * This means that the chain of `getInner` calls on the argument `&o.f` on an expression
+   * like `func(&o.f)` is:
+   * ```
+   * r4---r3---r2
+   *  \
+   *   0:r4
+   * ```
+   * where the IR for `func(&o.f)` looks like (simplified):
+   * ```
+   * r1(glval<unknown>) = FunctionAddress[func]        :
+   * r2(glval<O>)       = VariableAddress[o]           :
+   * r3(glval<int>)     = FieldAddress[f]              : r2
+   * r4(int *)          = CopyValue                    : r3
+   * v1(void)           = Call[func]                   : func:r1, 0:r4
+   * ```
+   */
+  override StoreNodeInstr getInner() { operand.getDef() = result.getInstruction() }
+}
+
+/**
+ * INTERNAL: do not use.
+ *
+ * A `ReadNode` is a node that has been (or is about to be) the
+ * source or target of a `readStep`.
+ */
+class ReadNode extends Node, TReadNode {
+  Instruction i;
+
+  ReadNode() { this = TReadNode(i) }
+
+  /** Gets the underlying instruction. */
+  Instruction getInstruction() { result = i }
+
+  override Declaration getEnclosingCallable() { result = this.getFunction() }
+
+  override Function getFunction() { result = this.getInstruction().getEnclosingFunction() }
+
+  override IRType getType() { result = this.getInstruction().getResultIRType() }
+
+  override Location getLocation() { result = this.getInstruction().getLocation() }
+
+  override string toString() {
+    result = instructionNode(this.getInstruction()).toString() + " [read]"
+  }
+
+  /** Gets a load instruction that uses the address computed by this read node. */
+  final Instruction getALoadInstruction() {
+    Ssa::addressFlowTC(this.getInstruction(), Ssa::getSourceAddress(result))
+  }
+
+  /**
+   * Gets a read node with an underlying instruction that is used by this
+   * underlying instruction to compute an address of a load instruction.
+   */
+  final ReadNode getInner() { Ssa::addressFlow(result.getInstruction(), this.getInstruction()) }
+
+  /** The inverse of `ReadNode.getInner`. */
+  final ReadNode getOuter() { result.getInner() = this }
+
+  /** Holds if this read node computes a value that will not be used for any future read nodes. */
+  final predicate isTerminal() {
+    not exists(this.getOuter()) and
+    not readStep(this, _, _)
+  }
+
+  /** Holds if this read node computes a value that has not yet been used for any read operations. */
+  final predicate isInitial() {
+    not exists(this.getInner()) and
+    not readStep(_, _, this)
+  }
+}
+
+/**
+ * INTERNAL: do not use.
+ *
+ * A phi node produced by the shared SSA library, viewed as a node in a data flow graph.
+ */
+class SsaPhiNode extends Node, TSsaPhiNode {
+  Ssa::PhiNode phi;
+
+  SsaPhiNode() { this = TSsaPhiNode(phi) }
+
+  /* Get the phi node associated with this node. */
+  Ssa::PhiNode getPhiNode() { result = phi }
+
+  override Declaration getEnclosingCallable() { result = this.getFunction() }
+
+  override Function getFunction() { result = phi.getBasicBlock().getEnclosingFunction() }
+
+  override IRType getType() { result instanceof IRVoidType }
+
+  override Location getLocation() { result = phi.getBasicBlock().getLocation() }
+
+  /** Holds if this phi node has input from the `rnk`'th write operation in block `block`. */
+  final predicate hasInputAtRankInBlock(IRBlock block, int rnk) {
+    hasInputAtRankInBlock(block, rnk, _)
+  }
+
+  /**
+   * Holds if this phi node has input from the definition `input` (which is the `rnk`'th write
+   * operation in block `block`).
+   */
+  cached
+  final predicate hasInputAtRankInBlock(IRBlock block, int rnk, Ssa::Definition input) {
+    Ssa::phiHasInputFromBlock(phi, input, _) and input.definesAt(_, block, rnk)
+  }
+
+  override string toString() { result = "Phi" }
+}
+
 /**
  * An expression, viewed as a node in a data flow graph.
  */
@@ -313,15 +600,14 @@ deprecated class UninitializedNode extends Node {
  * Nodes corresponding to AST elements, for example `ExprNode`, usually refer
  * to the value before the update with the exception of `ClassInstanceExpr`,
  * which represents the value after the constructor has run.
- *
- * This class exists to match the interface used by Java. There are currently no non-abstract
- * classes that extend it. When we implement field flow, we can revisit this.
  */
-abstract class PostUpdateNode extends InstructionNode {
+abstract class PostUpdateNode extends Node {
   /**
    * Gets the node before the state update.
    */
   abstract Node getPreUpdateNode();
+
+  override string toString() { result = this.getPreUpdateNode() + " [post update]" }
 }
 
 /**
@@ -332,7 +618,7 @@ abstract class PostUpdateNode extends InstructionNode {
  * value, but does not necessarily replace it entirely. For example:
  * ```
  * x.y = 1; // a partial definition of the object `x`.
- * x.y.z = 1; // a partial definition of the object `x.y`.
+ * x.y.z = 1; // a partial definition of the object `x.y` and `x`.
  * x.setY(1); // a partial definition of the object `x`.
  * setY(&x); // a partial definition of the object `x`.
  * ```
@@ -341,135 +627,34 @@ abstract private class PartialDefinitionNode extends PostUpdateNode {
   abstract Expr getDefinedExpr();
 }
 
-private class ExplicitFieldStoreQualifierNode extends PartialDefinitionNode {
-  override ChiInstruction instr;
-  StoreInstruction store;
-
-  ExplicitFieldStoreQualifierNode() {
-    not instr.isResultConflated() and
-    instr.getPartial() = store and
-    (
-      instr.getUpdatedInterval(_, _) or
-      store.getDestinationAddress() instanceof FieldAddressInstruction
-    )
+private class FieldPartialDefinitionNode extends PartialDefinitionNode, StoreNodeInstr {
+  FieldPartialDefinitionNode() {
+    this.getInstruction() = any(FieldAddressInstruction fai).getObjectAddress()
   }
 
-  // By using an operand as the result of this predicate we avoid the dataflow inconsistency errors
-  // caused by having multiple nodes sharing the same pre update node. This inconsistency error can cause
-  // a tuple explosion in the big step dataflow relation since it can make many nodes be the entry node
-  // into a big step.
-  override Node getPreUpdateNode() { result.asOperand() = instr.getTotalOperand() }
+  override Node getPreUpdateNode() { result.asInstruction() = this.getInstruction() }
+
+  override Expr getDefinedExpr() { result = this.getInstruction().getUnconvertedResultExpression() }
+
+  override string toString() { result = PartialDefinitionNode.super.toString() }
+}
+
+private class NonPartialDefinitionPostUpdate extends PostUpdateNode, StoreNodeInstr {
+  NonPartialDefinitionPostUpdate() { not this instanceof PartialDefinitionNode }
+
+  override Node getPreUpdateNode() { result.asInstruction() = this.getInstruction() }
+
+  override string toString() { result = PostUpdateNode.super.toString() }
+}
+
+private class ArgumentPostUpdateNode extends PartialDefinitionNode, StoreNodeOperand {
+  override ArgumentNode getPreUpdateNode() { result.asOperand() = operand }
 
   override Expr getDefinedExpr() {
-    result =
-      store
-          .getDestinationAddress()
-          .(FieldAddressInstruction)
-          .getObjectAddress()
-          .getUnconvertedResultExpression()
-  }
-}
-
-/**
- * Not every store instruction generates a chi instruction that we can attach a PostUpdateNode to.
- * For instance, an update to a field of a struct containing only one field. Even if the store does
- * have a chi instruction, a subsequent use of the result of the store may be linked directly to the
- * result of the store as an inexact definition if the store totally overlaps the use. For these
- * cases we attach the PostUpdateNode to the store instruction. There's no obvious pre update node
- * for this case (as the entire memory is updated), so `getPreUpdateNode` is implemented as
- * `none()`.
- */
-private class ExplicitSingleFieldStoreQualifierNode extends PartialDefinitionNode {
-  override StoreInstruction instr;
-
-  ExplicitSingleFieldStoreQualifierNode() {
-    (
-      instr.getAUse().isDefinitionInexact()
-      or
-      not exists(ChiInstruction chi | chi.getPartial() = instr)
-    ) and
-    // Without this condition any store would create a `PostUpdateNode`.
-    instr.getDestinationAddress() instanceof FieldAddressInstruction
+    result = this.getOperand().getDef().getUnconvertedResultExpression()
   }
 
-  override Node getPreUpdateNode() { none() }
-
-  override Expr getDefinedExpr() {
-    result =
-      instr
-          .getDestinationAddress()
-          .(FieldAddressInstruction)
-          .getObjectAddress()
-          .getUnconvertedResultExpression()
-  }
-}
-
-private FieldAddressInstruction getFieldInstruction(Instruction instr) {
-  result = instr or
-  result = instr.(CopyValueInstruction).getUnary()
-}
-
-/**
- * The target of a `fieldStoreStepAfterArraySuppression` store step, which is used to convert
- * an `ArrayContent` to a `FieldContent` when the `WriteSideEffect` instruction stores
- * into a field. See the QLDoc for `suppressArrayRead` for an example of where such a conversion
- * is inserted.
- */
-private class WriteSideEffectFieldStoreQualifierNode extends PartialDefinitionNode {
-  override ChiInstruction instr;
-  WriteSideEffectInstruction write;
-  FieldAddressInstruction field;
-
-  WriteSideEffectFieldStoreQualifierNode() {
-    not instr.isResultConflated() and
-    instr.getPartial() = write and
-    field = getFieldInstruction(write.getDestinationAddress())
-  }
-
-  override Node getPreUpdateNode() { result.asOperand() = instr.getTotalOperand() }
-
-  override Expr getDefinedExpr() {
-    result = field.getObjectAddress().getUnconvertedResultExpression()
-  }
-}
-
-/**
- * The `PostUpdateNode` that is the target of a `arrayStoreStepChi` store step. The overriden
- * `ChiInstruction` corresponds to the instruction represented by `node2` in `arrayStoreStepChi`.
- */
-private class ArrayStoreNode extends PartialDefinitionNode {
-  override ChiInstruction instr;
-  PointerAddInstruction add;
-
-  ArrayStoreNode() {
-    not instr.isResultConflated() and
-    exists(StoreInstruction store |
-      instr.getPartial() = store and
-      add = store.getDestinationAddress()
-    )
-  }
-
-  override Node getPreUpdateNode() { result.asOperand() = instr.getTotalOperand() }
-
-  override Expr getDefinedExpr() { result = add.getLeft().getUnconvertedResultExpression() }
-}
-
-/**
- * The `PostUpdateNode` that is the target of a `arrayStoreStepChi` store step. The overriden
- * `ChiInstruction` corresponds to the instruction represented by `node2` in `arrayStoreStepChi`.
- */
-private class PointerStoreNode extends PostUpdateNode {
-  override ChiInstruction instr;
-
-  PointerStoreNode() {
-    not instr.isResultConflated() and
-    exists(StoreInstruction store |
-      instr.getPartial() = store and
-      store.getDestinationAddress().(CopyValueInstruction).getUnary() instanceof LoadInstruction
-    )
-  }
-
-  override Node getPreUpdateNode() { result.asOperand() = instr.getTotalOperand() }
+  override string toString() { result = PartialDefinitionNode.super.toString() }
 }
 
 /**
@@ -548,6 +733,11 @@ class VariableNode extends Node, TVariableNode {
  */
 InstructionNode instructionNode(Instruction instr) { result.getInstruction() = instr }
 
+/**
+ * Gets the node corresponding to `operand`.
+ */
+OperandNode operandNode(Operand operand) { result.getOperand() = operand }
+
 /**
  * DEPRECATED: use `definitionByReferenceNodeFromArgument` instead.
  *
@@ -614,61 +804,167 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
   or
   // Instruction -> Operand flow
   simpleOperandLocalFlowStep(nodeFrom.asInstruction(), nodeTo.asOperand())
+  or
+  // Flow into, through, and out of store nodes
+  StoreNodeFlow::flowInto(nodeFrom, nodeTo)
+  or
+  StoreNodeFlow::flowThrough(nodeFrom, nodeTo)
+  or
+  StoreNodeFlow::flowOutOf(nodeFrom, nodeTo)
+  or
+  // Flow into, through, and out of read nodes
+  ReadNodeFlow::flowInto(nodeFrom, nodeTo)
+  or
+  ReadNodeFlow::flowThrough(nodeFrom, nodeTo)
+  or
+  ReadNodeFlow::flowOutOf(nodeFrom, nodeTo)
+  or
+  // Adjacent-def-use and adjacent-use-use flow
+  adjacentDefUseFlow(nodeFrom, nodeTo)
 }
 
-pragma[noinline]
-private predicate getFieldSizeOfClass(Class c, Type type, int size) {
-  exists(Field f |
-    f.getDeclaringType() = c and
-    f.getUnderlyingType() = type and
-    type.getSize() = size
+private predicate adjacentDefUseFlow(Node nodeFrom, Node nodeTo) {
+  // Flow that isn't already covered by field flow out of store/read nodes.
+  not nodeFrom.asInstruction() = any(StoreNode pun).getStoreInstruction() and
+  not nodeFrom.asInstruction() = any(ReadNode pun).getALoadInstruction() and
+  (
+    //Def-use flow
+    Ssa::ssaFlow(nodeFrom, nodeTo)
+    or
+    exists(Instruction loadAddress | loadAddress = Ssa::getSourceAddressFromNode(nodeFrom) |
+      // Use-use flow through reads
+      exists(Node address |
+        Ssa::addressFlowTC(address.asInstruction(), loadAddress) and
+        Ssa::ssaFlow(address, nodeTo)
+      )
+      or
+      // Use-use flow through stores.
+      exists(Node store |
+        Ssa::explicitWrite(_, store.asInstruction(), loadAddress) and
+        Ssa::ssaFlow(store, nodeTo)
+      )
+    )
   )
 }
 
-private predicate isSingleFieldClass(Type type, Operand op) {
-  exists(int size, Class c |
-    c = op.getType().getUnderlyingType() and
-    c.getSize() = size and
-    getFieldSizeOfClass(c, type, size)
-  )
+private module ReadNodeFlow {
+  /** Holds if the read node `nodeTo` should receive flow from `nodeFrom`. */
+  predicate flowInto(Node nodeFrom, ReadNode nodeTo) {
+    nodeTo.isInitial() and
+    (
+      // If we entered through an address operand.
+      nodeFrom.asOperand().getDef() = nodeTo.getInstruction()
+      or
+      // If we entered flow through a memory-producing instruction.
+      // This can happen if we have flow to an `InitializeParameterIndirection` through
+      // a `ReadSideEffectInstruction`.
+      exists(Instruction load, Instruction def |
+        def = nodeFrom.asInstruction() and
+        def = Ssa::getSourceValueOperand(load).getAnyDef() and
+        not def = any(StoreNode store).getStoreInstruction() and
+        pragma[only_bind_into](nodeTo).getALoadInstruction() = load
+      )
+    )
+  }
+
+  /** Holds if the read node `nodeTo` should receive flow from the read node `nodeFrom`. */
+  predicate flowThrough(ReadNode nodeFrom, ReadNode nodeTo) {
+    not readStep(nodeFrom, _, _) and
+    nodeFrom.getOuter() = nodeTo
+  }
+
+  /**
+   * Holds if flow should leave the read node `nFrom` and enter the node `nodeTo`.
+   * This happens either because there is use-use flow from one of the variables used in
+   * the read operation, or because we have traversed all the field dereferences in the
+   * read operation.
+   */
+  predicate flowOutOf(ReadNode nFrom, Node nodeTo) {
+    // Use-use flow to another use of the same variable instruction
+    Ssa::ssaFlow(nFrom, nodeTo)
+    or
+    not exists(nFrom.getInner()) and
+    exists(Node store |
+      Ssa::explicitWrite(_, store.asInstruction(), nFrom.getInstruction()) and
+      Ssa::ssaFlow(store, nodeTo)
+    )
+    or
+    // Flow out of read nodes and into memory instructions if we cannot move any further through
+    // read nodes.
+    nFrom.isTerminal() and
+    (
+      exists(Instruction load |
+        load = nodeTo.asInstruction() and
+        Ssa::getSourceAddress(load) = nFrom.getInstruction()
+      )
+      or
+      exists(CallInstruction call, int i |
+        call.getArgument(i) = nodeTo.asInstruction() and
+        call.getArgument(i) = nFrom.getInstruction()
+      )
+    )
+  }
+}
+
+private module StoreNodeFlow {
+  /** Holds if the store node `nodeTo` should receive flow from `nodeFrom`. */
+  predicate flowInto(Node nodeFrom, StoreNode nodeTo) {
+    nodeTo.flowInto(Ssa::getDestinationAddress(nodeFrom.asInstruction()))
+  }
+
+  /** Holds if the store node `nodeTo` should receive flow from `nodeFom`. */
+  predicate flowThrough(StoreNode nFrom, StoreNode nodeTo) {
+    // Flow through a post update node that doesn't need a store step.
+    not storeStep(nFrom, _, _) and
+    nodeTo.getOuter() = nFrom
+  }
+
+  /**
+   * Holds if flow should leave the store node `nodeFrom` and enter the node `nodeTo`.
+   * This happens because we have traversed an entire chain of field dereferences
+   * after a store operation.
+   */
+  predicate flowOutOf(StoreNodeInstr nFrom, Node nodeTo) {
+    nFrom.isTerminal() and
+    Ssa::ssaFlow(nFrom, nodeTo)
+  }
 }
 
 private predicate simpleOperandLocalFlowStep(Instruction iFrom, Operand opTo) {
   // Propagate flow from an instruction to its exact uses.
+  // We do this for all instruction/operand pairs, except when the operand is the
+  // side effect operand of a ReturnIndirectionInstruction, or the load operand of a LoadInstruction.
+  // This is because we get these flows through the shared SSA library already, and including this
+  // flow here will create multiple dataflow paths which creates a blowup in stage 3 of dataflow.
+  (
+    not any(ReturnIndirectionInstruction ret).getSideEffectOperand() = opTo and
+    not any(LoadInstruction load).getSourceValueOperand() = opTo and
+    not any(ReturnValueInstruction ret).getReturnValueOperand() = opTo
+  ) and
   opTo.getDef() = iFrom
-  or
-  opTo = any(ReadSideEffectInstruction read).getSideEffectOperand() and
-  not iFrom.isResultConflated() and
-  iFrom = opTo.getAnyDef()
-  or
-  // Loading a single `int` from an `int *` parameter is not an exact load since
-  // the parameter may point to an entire array rather than a single `int`. The
-  // following rule ensures that any flow going into the
-  // `InitializeIndirectionInstruction`, even if it's for a different array
-  // element, will propagate to a load of the first element.
-  //
-  // Since we're linking `InitializeIndirectionInstruction` and
-  // `LoadInstruction` together directly, this rule will break if there's any
-  // reassignment of the parameter indirection, including a conditional one that
-  // leads to a phi node.
-  exists(InitializeIndirectionInstruction init |
-    iFrom = init and
-    opTo.(LoadOperand).getAnyDef() = init and
-    // Check that the types match. Otherwise we can get flow from an object to
-    // its fields, which leads to field conflation when there's flow from other
-    // fields to the object elsewhere.
-    init.getParameter().getType().getUnspecifiedType().(DerivedType).getBaseType() =
-      opTo.getType().getUnspecifiedType()
-  )
-  or
-  // Flow from stores to structs with a single field to a load of that field.
-  exists(LoadInstruction load |
-    load.getSourceValueOperand() = opTo and
-    opTo.getAnyDef() = iFrom and
-    isSingleFieldClass(pragma[only_bind_out](pragma[only_bind_out](iFrom).getResultType()), opTo)
+}
+
+pragma[noinline]
+private predicate getAddressType(LoadInstruction load, Type t) {
+  exists(Instruction address |
+    address = load.getSourceAddress() and
+    t = address.getResultType()
   )
 }
 
+/**
+ * Like the AST dataflow library, we want to conflate the address and value of a reference. This class
+ * represents the `LoadInstruction` that is generated from a reference dereference.
+ */
+private class ReferenceDereferenceInstruction extends LoadInstruction {
+  ReferenceDereferenceInstruction() {
+    exists(ReferenceType ref |
+      getAddressType(this, ref) and
+      this.getResultType() = ref.getBaseType()
+    )
+  }
+}
+
 private predicate simpleInstructionLocalFlowStep(Operand opFrom, Instruction iTo) {
   iTo.(CopyInstruction).getSourceValueOperand() = opFrom
   or
@@ -681,40 +977,8 @@ private predicate simpleInstructionLocalFlowStep(Operand opFrom, Instruction iTo
   or
   iTo.(InheritanceConversionInstruction).getUnaryOperand() = opFrom
   or
-  // A chi instruction represents a point where a new value (the _partial_
-  // operand) may overwrite an old value (the _total_ operand), but the alias
-  // analysis couldn't determine that it surely will overwrite every bit of it or
-  // that it surely will overwrite no bit of it.
-  //
-  // By allowing flow through the total operand, we ensure that flow is not lost
-  // due to shortcomings of the alias analysis. We may get false flow in cases
-  // where the data is indeed overwritten.
-  //
-  // Flow through the partial operand belongs in the taint-tracking libraries
-  // for now.
-  iTo.getAnOperand().(ChiTotalOperand) = opFrom
-  or
-  // Add flow from write side-effects to non-conflated chi instructions through their
-  // partial operands. From there, a `readStep` will find subsequent reads of that field.
-  // Consider the following example:
-  // ```
-  // void setX(Point* p, int new_x) {
-  //   p->x = new_x;
-  // }
-  // ...
-  // setX(&p, taint());
-  // ```
-  // Here, a `WriteSideEffectInstruction` will provide a new definition for `p->x` after the call to
-  // `setX`, which will be melded into `p` through a chi instruction.
-  exists(ChiInstruction chi | chi = iTo |
-    opFrom.getAnyDef() instanceof WriteSideEffectInstruction and
-    chi.getPartialOperand() = opFrom and
-    not chi.isResultConflated() and
-    // In a call such as `set_value(&x->val);` we don't want the memory representing `x` to receive
-    // dataflow by a simple step. Instead, this is handled by field flow. If we add a simple step here
-    // we can get field-to-object flow.
-    not chi.isPartialUpdate()
-  )
+  // Conflate references and values like in AST dataflow.
+  iTo.(ReferenceDereferenceInstruction).getSourceAddressOperand() = opFrom
   or
   // Flow through modeled functions
   modelFlow(opFrom, iTo)
@@ -788,25 +1052,14 @@ predicate localInstructionFlow(Instruction e1, Instruction e2) {
  */
 predicate localExprFlow(Expr e1, Expr e2) { localFlow(exprNode(e1), exprNode(e2)) }
 
-/**
- * Gets a field corresponding to the bit range `[startBit..endBit)` of class `c`, if any.
- */
-private Field getAField(Class c, int startBit, int endBit) {
-  result.getDeclaringType() = c and
-  startBit = 8 * result.getByteOffset() and
-  endBit = 8 * result.getType().getSize() + startBit
-  or
-  exists(Field f, Class cInner |
-    f = c.getAField() and
-    cInner = f.getUnderlyingType() and
-    result = getAField(cInner, startBit - 8 * f.getByteOffset(), endBit - 8 * f.getByteOffset())
-  )
-}
-
 private newtype TContent =
-  TFieldContent(Class c, int startBit, int endBit) { exists(getAField(c, startBit, endBit)) } or
-  TCollectionContent() or
-  TArrayContent()
+  TFieldContent(Field f) {
+    // As reads and writes to union fields can create flow even though the reads and writes
+    // target different fields, we don't want a read (write) to create a read (write) step.
+    not f.getDeclaringType() instanceof Union
+  } or
+  TCollectionContent() or // Not used in C/C++
+  TArrayContent() // Not used in C/C++.
 
 /**
  * A description of the way data may be stored inside an object. Examples
@@ -824,18 +1077,13 @@ class Content extends TContent {
 
 /** A reference through an instance field. */
 class FieldContent extends Content, TFieldContent {
-  Class c;
-  int startBit;
-  int endBit;
+  Field f;
 
-  FieldContent() { this = TFieldContent(c, startBit, endBit) }
+  FieldContent() { this = TFieldContent(f) }
 
-  // Ensure that there's just 1 result for `toString`.
-  override string toString() { result = min(Field f | f = getAField() | f.toString()) }
+  override string toString() { result = f.toString() }
 
-  predicate hasOffset(Class cl, int start, int end) { cl = c and start = startBit and end = endBit }
-
-  Field getAField() { result = getAField(c, startBit, endBit) }
+  Field getField() { result = f }
 }
 
 /** A reference through an array. */

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll

@@ -0,0 +1,636 @@
+/**
+ * Provides a language-independent implementation of static single assignment
+ * (SSA) form.
+ */
+
+private import SsaImplSpecific
+
+private BasicBlock getABasicBlockPredecessor(BasicBlock bb) { getABasicBlockSuccessor(result) = bb }
+
+/**
+ * Liveness analysis (based on source variables) to restrict the size of the
+ * SSA representation.
+ */
+private module Liveness {
+  /**
+   * A classification of variable references into reads (of a given kind) and
+   * (certain or uncertain) writes.
+   */
+  private newtype TRefKind =
+    Read(boolean certain) { certain in [false, true] } or
+    Write(boolean certain) { certain in [false, true] }
+
+  private class RefKind extends TRefKind {
+    string toString() {
+      exists(boolean certain | this = Read(certain) and result = "read (" + certain + ")")
+      or
+      exists(boolean certain | this = Write(certain) and result = "write (" + certain + ")")
+    }
+
+    int getOrder() {
+      this = Read(_) and
+      result = 0
+      or
+      this = Write(_) and
+      result = 1
+    }
+  }
+
+  /**
+   * Holds if the `i`th node of basic block `bb` is a reference to `v` of kind `k`.
+   */
+  private predicate ref(BasicBlock bb, int i, SourceVariable v, RefKind k) {
+    exists(boolean certain | variableRead(bb, i, v, certain) | k = Read(certain))
+    or
+    exists(boolean certain | variableWrite(bb, i, v, certain) | k = Write(certain))
+  }
+
+  private newtype OrderedRefIndex =
+    MkOrderedRefIndex(int i, int tag) {
+      exists(RefKind rk | ref(_, i, _, rk) | tag = rk.getOrder())
+    }
+
+  private OrderedRefIndex refOrd(BasicBlock bb, int i, SourceVariable v, RefKind k, int ord) {
+    ref(bb, i, v, k) and
+    result = MkOrderedRefIndex(i, ord) and
+    ord = k.getOrder()
+  }
+
+  /**
+   * Gets the (1-based) rank of the reference to `v` at the `i`th node of
+   * basic block `bb`, which has the given reference kind `k`.
+   *
+   * Reads are considered before writes when they happen at the same index.
+   */
+  private int refRank(BasicBlock bb, int i, SourceVariable v, RefKind k) {
+    refOrd(bb, i, v, k, _) =
+      rank[result](int j, int ord, OrderedRefIndex res |
+        res = refOrd(bb, j, v, _, ord)
+      |
+        res order by j, ord
+      )
+  }
+
+  private int maxRefRank(BasicBlock bb, SourceVariable v) {
+    result = refRank(bb, _, v, _) and
+    not result + 1 = refRank(bb, _, v, _)
+  }
+
+  /**
+   * Gets the (1-based) rank of the first reference to `v` inside basic block `bb`
+   * that is either a read or a certain write.
+   */
+  private int firstReadOrCertainWrite(BasicBlock bb, SourceVariable v) {
+    result =
+      min(int r, RefKind k |
+        r = refRank(bb, _, v, k) and
+        k != Write(false)
+      |
+        r
+      )
+  }
+
+  /**
+   * Holds if source variable `v` is live at the beginning of basic block `bb`.
+   */
+  predicate liveAtEntry(BasicBlock bb, SourceVariable v) {
+    // The first read or certain write to `v` inside `bb` is a read
+    refRank(bb, _, v, Read(_)) = firstReadOrCertainWrite(bb, v)
+    or
+    // There is no certain write to `v` inside `bb`, but `v` is live at entry
+    // to a successor basic block of `bb`
+    not exists(firstReadOrCertainWrite(bb, v)) and
+    liveAtExit(bb, v)
+  }
+
+  /**
+   * Holds if source variable `v` is live at the end of basic block `bb`.
+   */
+  predicate liveAtExit(BasicBlock bb, SourceVariable v) {
+    liveAtEntry(getABasicBlockSuccessor(bb), v)
+  }
+
+  /**
+   * Holds if variable `v` is live in basic block `bb` at index `i`.
+   * The rank of `i` is `rnk` as defined by `refRank()`.
+   */
+  private predicate liveAtRank(BasicBlock bb, int i, SourceVariable v, int rnk) {
+    exists(RefKind kind | rnk = refRank(bb, i, v, kind) |
+      rnk = maxRefRank(bb, v) and
+      liveAtExit(bb, v)
+      or
+      ref(bb, i, v, kind) and
+      kind = Read(_)
+      or
+      exists(RefKind nextKind |
+        liveAtRank(bb, _, v, rnk + 1) and
+        rnk + 1 = refRank(bb, _, v, nextKind) and
+        nextKind != Write(true)
+      )
+    )
+  }
+
+  /**
+   * Holds if variable `v` is live after the (certain or uncertain) write at
+   * index `i` inside basic block `bb`.
+   */
+  predicate liveAfterWrite(BasicBlock bb, int i, SourceVariable v) {
+    exists(int rnk | rnk = refRank(bb, i, v, Write(_)) | liveAtRank(bb, i, v, rnk))
+  }
+}
+
+private import Liveness
+
+/**
+ * Holds if `df` is in the dominance frontier of `bb`.
+ *
+ * This is equivalent to:
+ *
+ * ```ql
+ * bb = getImmediateBasicBlockDominator*(getABasicBlockPredecessor(df)) and
+ * not bb = getImmediateBasicBlockDominator+(df)
+ * ```
+ */
+private predicate inDominanceFrontier(BasicBlock bb, BasicBlock df) {
+  bb = getABasicBlockPredecessor(df) and not bb = getImmediateBasicBlockDominator(df)
+  or
+  exists(BasicBlock prev | inDominanceFrontier(prev, df) |
+    bb = getImmediateBasicBlockDominator(prev) and
+    not bb = getImmediateBasicBlockDominator(df)
+  )
+}
+
+/**
+ * Holds if `bb` is in the dominance frontier of a block containing a
+ * definition of `v`.
+ */
+pragma[noinline]
+private predicate inDefDominanceFrontier(BasicBlock bb, SourceVariable v) {
+  exists(BasicBlock defbb, Definition def |
+    def.definesAt(v, defbb, _) and
+    inDominanceFrontier(defbb, bb)
+  )
+}
+
+cached
+newtype TDefinition =
+  TWriteDef(SourceVariable v, BasicBlock bb, int i) {
+    variableWrite(bb, i, v, _) and
+    liveAfterWrite(bb, i, v)
+  } or
+  TPhiNode(SourceVariable v, BasicBlock bb) {
+    inDefDominanceFrontier(bb, v) and
+    liveAtEntry(bb, v)
+  }
+
+private module SsaDefReaches {
+  newtype TSsaRefKind =
+    SsaRead() or
+    SsaDef()
+
+  /**
+   * A classification of SSA variable references into reads and definitions.
+   */
+  class SsaRefKind extends TSsaRefKind {
+    string toString() {
+      this = SsaRead() and
+      result = "SsaRead"
+      or
+      this = SsaDef() and
+      result = "SsaDef"
+    }
+
+    int getOrder() {
+      this = SsaRead() and
+      result = 0
+      or
+      this = SsaDef() and
+      result = 1
+    }
+  }
+
+  /**
+   * Holds if the `i`th node of basic block `bb` is a reference to `v`,
+   * either a read (when `k` is `SsaRead()`) or an SSA definition (when `k`
+   * is `SsaDef()`).
+   *
+   * Unlike `Liveness::ref`, this includes `phi` nodes.
+   */
+  predicate ssaRef(BasicBlock bb, int i, SourceVariable v, SsaRefKind k) {
+    variableRead(bb, i, v, _) and
+    k = SsaRead()
+    or
+    exists(Definition def | def.definesAt(v, bb, i)) and
+    k = SsaDef()
+  }
+
+  private newtype OrderedSsaRefIndex =
+    MkOrderedSsaRefIndex(int i, SsaRefKind k) { ssaRef(_, i, _, k) }
+
+  private OrderedSsaRefIndex ssaRefOrd(BasicBlock bb, int i, SourceVariable v, SsaRefKind k, int ord) {
+    ssaRef(bb, i, v, k) and
+    result = MkOrderedSsaRefIndex(i, k) and
+    ord = k.getOrder()
+  }
+
+  /**
+   * Gets the (1-based) rank of the reference to `v` at the `i`th node of basic
+   * block `bb`, which has the given reference kind `k`.
+   *
+   * For example, if `bb` is a basic block with a phi node for `v` (considered
+   * to be at index -1), reads `v` at node 2, and defines it at node 5, we have:
+   *
+   * ```ql
+   * ssaRefRank(bb, -1, v, SsaDef()) = 1    // phi node
+   * ssaRefRank(bb,  2, v, Read())   = 2    // read at node 2
+   * ssaRefRank(bb,  5, v, SsaDef()) = 3    // definition at node 5
+   * ```
+   *
+   * Reads are considered before writes when they happen at the same index.
+   */
+  int ssaRefRank(BasicBlock bb, int i, SourceVariable v, SsaRefKind k) {
+    ssaRefOrd(bb, i, v, k, _) =
+      rank[result](int j, int ord, OrderedSsaRefIndex res |
+        res = ssaRefOrd(bb, j, v, _, ord)
+      |
+        res order by j, ord
+      )
+  }
+
+  int maxSsaRefRank(BasicBlock bb, SourceVariable v) {
+    result = ssaRefRank(bb, _, v, _) and
+    not result + 1 = ssaRefRank(bb, _, v, _)
+  }
+
+  /**
+   * Holds if the SSA definition `def` reaches rank index `rnk` in its own
+   * basic block `bb`.
+   */
+  predicate ssaDefReachesRank(BasicBlock bb, Definition def, int rnk, SourceVariable v) {
+    exists(int i |
+      rnk = ssaRefRank(bb, i, v, SsaDef()) and
+      def.definesAt(v, bb, i)
+    )
+    or
+    ssaDefReachesRank(bb, def, rnk - 1, v) and
+    rnk = ssaRefRank(bb, _, v, SsaRead())
+  }
+
+  /**
+   * Holds if the SSA definition of `v` at `def` reaches index `i` in the same
+   * basic block `bb`, without crossing another SSA definition of `v`.
+   */
+  predicate ssaDefReachesReadWithinBlock(SourceVariable v, Definition def, BasicBlock bb, int i) {
+    exists(int rnk |
+      ssaDefReachesRank(bb, def, rnk, v) and
+      rnk = ssaRefRank(bb, i, v, SsaRead())
+    )
+  }
+
+  /**
+   * Holds if the SSA definition of `v` at `def` reaches uncertain SSA definition
+   * `redef` in the same basic block, without crossing another SSA definition of `v`.
+   */
+  predicate ssaDefReachesUncertainDefWithinBlock(
+    SourceVariable v, Definition def, UncertainWriteDefinition redef
+  ) {
+    exists(BasicBlock bb, int rnk, int i |
+      ssaDefReachesRank(bb, def, rnk, v) and
+      rnk = ssaRefRank(bb, i, v, SsaDef()) - 1 and
+      redef.definesAt(v, bb, i)
+    )
+  }
+
+  /**
+   * Same as `ssaRefRank()`, but restricted to a particular SSA definition `def`.
+   */
+  int ssaDefRank(Definition def, SourceVariable v, BasicBlock bb, int i, SsaRefKind k) {
+    v = def.getSourceVariable() and
+    result = ssaRefRank(bb, i, v, k) and
+    (
+      ssaDefReachesRead(_, def, bb, i)
+      or
+      def.definesAt(_, bb, i)
+    )
+  }
+
+  /**
+   * Holds if the reference to `def` at index `i` in basic block `bb` is the
+   * last reference to `v` inside `bb`.
+   */
+  pragma[noinline]
+  predicate lastSsaRef(Definition def, SourceVariable v, BasicBlock bb, int i) {
+    ssaDefRank(def, v, bb, i, _) = maxSsaRefRank(bb, v)
+  }
+
+  predicate defOccursInBlock(Definition def, BasicBlock bb, SourceVariable v) {
+    exists(ssaDefRank(def, v, bb, _, _))
+  }
+
+  pragma[noinline]
+  private predicate ssaDefReachesThroughBlock(Definition def, BasicBlock bb) {
+    ssaDefReachesEndOfBlock(bb, def, _) and
+    not defOccursInBlock(_, bb, def.getSourceVariable())
+  }
+
+  /**
+   * Holds if `def` is accessed in basic block `bb1` (either a read or a write),
+   * `bb2` is a transitive successor of `bb1`, `def` is live at the end of `bb1`,
+   * and the underlying variable for `def` is neither read nor written in any block
+   * on the path between `bb1` and `bb2`.
+   */
+  predicate varBlockReaches(Definition def, BasicBlock bb1, BasicBlock bb2) {
+    defOccursInBlock(def, bb1, _) and
+    bb2 = getABasicBlockSuccessor(bb1)
+    or
+    exists(BasicBlock mid |
+      varBlockReaches(def, bb1, mid) and
+      ssaDefReachesThroughBlock(def, mid) and
+      bb2 = getABasicBlockSuccessor(mid)
+    )
+  }
+
+  /**
+   * Holds if `def` is accessed in basic block `bb1` (either a read or a write),
+   * `def` is read at index `i2` in basic block `bb2`, `bb2` is in a transitive
+   * successor block of `bb1`, and `def` is neither read nor written in any block
+   * on a path between `bb1` and `bb2`.
+   */
+  predicate defAdjacentRead(Definition def, BasicBlock bb1, BasicBlock bb2, int i2) {
+    varBlockReaches(def, bb1, bb2) and
+    ssaRefRank(bb2, i2, def.getSourceVariable(), SsaRead()) = 1
+  }
+}
+
+private import SsaDefReaches
+
+pragma[nomagic]
+predicate liveThrough(BasicBlock bb, SourceVariable v) {
+  liveAtExit(bb, v) and
+  not ssaRef(bb, _, v, SsaDef())
+}
+
+/**
+ * NB: If this predicate is exposed, it should be cached.
+ *
+ * Holds if the SSA definition of `v` at `def` reaches the end of basic
+ * block `bb`, at which point it is still live, without crossing another
+ * SSA definition of `v`.
+ */
+pragma[nomagic]
+predicate ssaDefReachesEndOfBlock(BasicBlock bb, Definition def, SourceVariable v) {
+  exists(int last | last = maxSsaRefRank(bb, v) |
+    ssaDefReachesRank(bb, def, last, v) and
+    liveAtExit(bb, v)
+  )
+  or
+  // The construction of SSA form ensures that each read of a variable is
+  // dominated by its definition. An SSA definition therefore reaches a
+  // control flow node if it is the _closest_ SSA definition that dominates
+  // the node. If two definitions dominate a node then one must dominate the
+  // other, so therefore the definition of _closest_ is given by the dominator
+  // tree. Thus, reaching definitions can be calculated in terms of dominance.
+  ssaDefReachesEndOfBlock(getImmediateBasicBlockDominator(bb), def, pragma[only_bind_into](v)) and
+  liveThrough(bb, pragma[only_bind_into](v))
+}
+
+/**
+ * NB: If this predicate is exposed, it should be cached.
+ *
+ * Holds if `inp` is an input to the phi node `phi` along the edge originating in `bb`.
+ */
+pragma[nomagic]
+predicate phiHasInputFromBlock(PhiNode phi, Definition inp, BasicBlock bb) {
+  exists(SourceVariable v, BasicBlock bbDef |
+    phi.definesAt(v, bbDef, _) and
+    getABasicBlockPredecessor(bbDef) = bb and
+    ssaDefReachesEndOfBlock(bb, inp, v)
+  )
+}
+
+/**
+ * NB: If this predicate is exposed, it should be cached.
+ *
+ * Holds if the SSA definition of `v` at `def` reaches a read at index `i` in
+ * basic block `bb`, without crossing another SSA definition of `v`. The read
+ * is of kind `rk`.
+ */
+pragma[nomagic]
+predicate ssaDefReachesRead(SourceVariable v, Definition def, BasicBlock bb, int i) {
+  ssaDefReachesReadWithinBlock(v, def, bb, i)
+  or
+  variableRead(bb, i, v, _) and
+  ssaDefReachesEndOfBlock(getABasicBlockPredecessor(bb), def, v) and
+  not ssaDefReachesReadWithinBlock(v, _, bb, i)
+}
+
+/**
+ * NB: If this predicate is exposed, it should be cached.
+ *
+ * Holds if `def` is accessed at index `i1` in basic block `bb1` (either a read
+ * or a write), `def` is read at index `i2` in basic block `bb2`, and there is a
+ * path between them without any read of `def`.
+ */
+pragma[nomagic]
+predicate adjacentDefRead(Definition def, BasicBlock bb1, int i1, BasicBlock bb2, int i2) {
+  exists(int rnk |
+    rnk = ssaDefRank(def, _, bb1, i1, _) and
+    rnk + 1 = ssaDefRank(def, _, bb1, i2, SsaRead()) and
+    variableRead(bb1, i2, _, _) and
+    bb2 = bb1
+  )
+  or
+  lastSsaRef(def, _, bb1, i1) and
+  defAdjacentRead(def, bb1, bb2, i2)
+}
+
+pragma[noinline]
+private predicate adjacentDefRead(
+  Definition def, BasicBlock bb1, int i1, BasicBlock bb2, int i2, SourceVariable v
+) {
+  adjacentDefRead(def, bb1, i1, bb2, i2) and
+  v = def.getSourceVariable()
+}
+
+private predicate adjacentDefReachesRead(
+  Definition def, BasicBlock bb1, int i1, BasicBlock bb2, int i2
+) {
+  exists(SourceVariable v | adjacentDefRead(def, bb1, i1, bb2, i2, v) |
+    ssaRef(bb1, i1, v, SsaDef())
+    or
+    variableRead(bb1, i1, v, true)
+  )
+  or
+  exists(BasicBlock bb3, int i3 |
+    adjacentDefReachesRead(def, bb1, i1, bb3, i3) and
+    variableRead(bb3, i3, _, false) and
+    adjacentDefRead(def, bb3, i3, bb2, i2)
+  )
+}
+
+/**
+ * NB: If this predicate is exposed, it should be cached.
+ *
+ * Same as `adjacentDefRead`, but ignores uncertain reads.
+ */
+pragma[nomagic]
+predicate adjacentDefNoUncertainReads(Definition def, BasicBlock bb1, int i1, BasicBlock bb2, int i2) {
+  adjacentDefReachesRead(def, bb1, i1, bb2, i2) and
+  variableRead(bb2, i2, _, true)
+}
+
+/**
+ * NB: If this predicate is exposed, it should be cached.
+ *
+ * Holds if the node at index `i` in `bb` is a last reference to SSA definition
+ * `def`. The reference is last because it can reach another write `next`,
+ * without passing through another read or write.
+ */
+pragma[nomagic]
+predicate lastRefRedef(Definition def, BasicBlock bb, int i, Definition next) {
+  exists(SourceVariable v |
+    // Next reference to `v` inside `bb` is a write
+    exists(int rnk, int j |
+      rnk = ssaDefRank(def, v, bb, i, _) and
+      next.definesAt(v, bb, j) and
+      rnk + 1 = ssaRefRank(bb, j, v, SsaDef())
+    )
+    or
+    // Can reach a write using one or more steps
+    lastSsaRef(def, v, bb, i) and
+    exists(BasicBlock bb2 |
+      varBlockReaches(def, bb, bb2) and
+      1 = ssaDefRank(next, v, bb2, _, SsaDef())
+    )
+  )
+}
+
+/**
+ * NB: If this predicate is exposed, it should be cached.
+ *
+ * Holds if `inp` is an immediately preceding definition of uncertain definition
+ * `def`. Since `def` is uncertain, the value from the preceding definition might
+ * still be valid.
+ */
+pragma[nomagic]
+predicate uncertainWriteDefinitionInput(UncertainWriteDefinition def, Definition inp) {
+  lastRefRedef(inp, _, _, def)
+}
+
+private predicate adjacentDefReachesUncertainRead(
+  Definition def, BasicBlock bb1, int i1, BasicBlock bb2, int i2
+) {
+  adjacentDefReachesRead(def, bb1, i1, bb2, i2) and
+  variableRead(bb2, i2, _, false)
+}
+
+/**
+ * NB: If this predicate is exposed, it should be cached.
+ *
+ * Same as `lastRefRedef`, but ignores uncertain reads.
+ */
+pragma[nomagic]
+predicate lastRefRedefNoUncertainReads(Definition def, BasicBlock bb, int i, Definition next) {
+  lastRefRedef(def, bb, i, next) and
+  not variableRead(bb, i, def.getSourceVariable(), false)
+  or
+  exists(BasicBlock bb0, int i0 |
+    lastRefRedef(def, bb0, i0, next) and
+    adjacentDefReachesUncertainRead(def, bb, i, bb0, i0)
+  )
+}
+
+/**
+ * NB: If this predicate is exposed, it should be cached.
+ *
+ * Holds if the node at index `i` in `bb` is a last reference to SSA
+ * definition `def`.
+ *
+ * That is, the node can reach the end of the enclosing callable, or another
+ * SSA definition for the underlying source variable, without passing through
+ * another read.
+ */
+pragma[nomagic]
+predicate lastRef(Definition def, BasicBlock bb, int i) {
+  lastRefRedef(def, bb, i, _)
+  or
+  lastSsaRef(def, _, bb, i) and
+  (
+    // Can reach exit directly
+    bb instanceof ExitBasicBlock
+    or
+    // Can reach a block using one or more steps, where `def` is no longer live
+    exists(BasicBlock bb2 | varBlockReaches(def, bb, bb2) |
+      not defOccursInBlock(def, bb2, _) and
+      not ssaDefReachesEndOfBlock(bb2, def, _)
+    )
+  )
+}
+
+/**
+ * NB: If this predicate is exposed, it should be cached.
+ *
+ * Same as `lastRefRedef`, but ignores uncertain reads.
+ */
+pragma[nomagic]
+predicate lastRefNoUncertainReads(Definition def, BasicBlock bb, int i) {
+  lastRef(def, bb, i) and
+  not variableRead(bb, i, def.getSourceVariable(), false)
+  or
+  exists(BasicBlock bb0, int i0 |
+    lastRef(def, bb0, i0) and
+    adjacentDefReachesUncertainRead(def, bb, i, bb0, i0)
+  )
+}
+
+/** A static single assignment (SSA) definition. */
+class Definition extends TDefinition {
+  /** Gets the source variable underlying this SSA definition. */
+  SourceVariable getSourceVariable() { this.definesAt(result, _, _) }
+
+  /**
+   * Holds if this SSA definition defines `v` at index `i` in basic block `bb`.
+   * Phi nodes are considered to be at index `-1`, while normal variable writes
+   * are at the index of the control flow node they wrap.
+   */
+  final predicate definesAt(SourceVariable v, BasicBlock bb, int i) {
+    this = TWriteDef(v, bb, i)
+    or
+    this = TPhiNode(v, bb) and i = -1
+  }
+
+  /** Gets the basic block to which this SSA definition belongs. */
+  final BasicBlock getBasicBlock() { this.definesAt(_, result, _) }
+
+  /** Gets a textual representation of this SSA definition. */
+  string toString() { none() }
+}
+
+/** An SSA definition that corresponds to a write. */
+class WriteDefinition extends Definition, TWriteDef {
+  private SourceVariable v;
+  private BasicBlock bb;
+  private int i;
+
+  WriteDefinition() { this = TWriteDef(v, bb, i) }
+
+  override string toString() { result = "WriteDef" }
+}
+
+/** A phi node. */
+class PhiNode extends Definition, TPhiNode {
+  override string toString() { result = "Phi" }
+}
+
+/**
+ * An SSA definition that represents an uncertain update of the underlying
+ * source variable.
+ */
+class UncertainWriteDefinition extends WriteDefinition {
+  UncertainWriteDefinition() {
+    exists(SourceVariable v, BasicBlock bb, int i |
+      this.definesAt(v, bb, i) and
+      variableWrite(bb, i, v, false)
+    )
+  }
+}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplSpecific.qll

@@ -0,0 +1,18 @@
+private import semmle.code.cpp.ir.IR
+private import SsaInternals as Ssa
+
+class BasicBlock = IRBlock;
+
+class SourceVariable = Ssa::SourceVariable;
+
+BasicBlock getImmediateBasicBlockDominator(BasicBlock bb) { result.immediatelyDominates(bb) }
+
+BasicBlock getABasicBlockSuccessor(BasicBlock bb) { result = bb.getASuccessor() }
+
+class ExitBasicBlock extends IRBlock {
+  ExitBasicBlock() { this.getLastInstruction() instanceof ExitFunctionInstruction }
+}
+
+predicate variableWrite = Ssa::variableWrite/4;
+
+predicate variableRead = Ssa::variableRead/4;

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -0,0 +1,600 @@
+import SsaImplCommon
+private import cpp as Cpp
+private import semmle.code.cpp.ir.IR
+private import DataFlowUtil
+private import DataFlowImplCommon as DataFlowImplCommon
+private import semmle.code.cpp.models.interfaces.Allocation as Alloc
+private import semmle.code.cpp.models.interfaces.DataFlow as DataFlow
+
+private module SourceVariables {
+  private newtype TSourceVariable =
+    TSourceIRVariable(IRVariable var) or
+    TSourceIRVariableIndirection(InitializeIndirectionInstruction init)
+
+  abstract class SourceVariable extends TSourceVariable {
+    IRVariable var;
+
+    abstract string toString();
+  }
+
+  class SourceIRVariable extends SourceVariable, TSourceIRVariable {
+    SourceIRVariable() { this = TSourceIRVariable(var) }
+
+    IRVariable getIRVariable() { result = var }
+
+    override string toString() { result = this.getIRVariable().toString() }
+  }
+
+  class SourceIRVariableIndirection extends SourceVariable, TSourceIRVariableIndirection {
+    InitializeIndirectionInstruction init;
+
+    SourceIRVariableIndirection() {
+      this = TSourceIRVariableIndirection(init) and var = init.getIRVariable()
+    }
+
+    IRVariable getUnderlyingIRVariable() { result = var }
+
+    override string toString() { result = "*" + this.getUnderlyingIRVariable().toString() }
+  }
+}
+
+import SourceVariables
+
+cached
+private newtype TDefOrUse =
+  TExplicitDef(Instruction store) { explicitWrite(_, store, _) } or
+  TInitializeParam(Instruction instr) {
+    instr instanceof InitializeParameterInstruction
+    or
+    instr instanceof InitializeIndirectionInstruction
+  } or
+  TExplicitUse(Operand op) { isExplicitUse(op) } or
+  TReturnParamIndirection(Operand op) { returnParameterIndirection(op, _) }
+
+pragma[nomagic]
+private int getRank(DefOrUse defOrUse, IRBlock block) {
+  defOrUse =
+    rank[result](int i, DefOrUse cand |
+      block.getInstruction(i) = toInstruction(cand)
+    |
+      cand order by i
+    )
+}
+
+private class DefOrUse extends TDefOrUse {
+  /** Gets the instruction associated with this definition, if any. */
+  Instruction asDef() { none() }
+
+  /** Gets the operand associated with this use, if any. */
+  Operand asUse() { none() }
+
+  /** Gets a textual representation of this element. */
+  abstract string toString();
+
+  /** Gets the block of this definition or use. */
+  abstract IRBlock getBlock();
+
+  /** Holds if this definition or use has rank `rank` in block `block`. */
+  cached
+  final predicate hasRankInBlock(IRBlock block, int rnk) { rnk = getRank(this, block) }
+
+  /** Gets the location of this element. */
+  abstract Cpp::Location getLocation();
+}
+
+private Instruction toInstruction(DefOrUse defOrUse) {
+  result = defOrUse.asDef()
+  or
+  result = defOrUse.asUse().getUse()
+}
+
+abstract class Def extends DefOrUse {
+  Instruction store;
+
+  /** Gets the instruction of this definition. */
+  Instruction getInstruction() { result = store }
+
+  /** Gets the variable that is defined by this definition. */
+  abstract SourceVariable getSourceVariable();
+
+  /** Holds if this definition is guaranteed to happen. */
+  abstract predicate isCertain();
+
+  override Instruction asDef() { result = this.getInstruction() }
+
+  override string toString() { result = "Def" }
+
+  override IRBlock getBlock() { result = this.getInstruction().getBlock() }
+
+  override Cpp::Location getLocation() { result = store.getLocation() }
+}
+
+private class ExplicitDef extends Def, TExplicitDef {
+  ExplicitDef() { this = TExplicitDef(store) }
+
+  override SourceVariable getSourceVariable() {
+    exists(VariableInstruction var |
+      explicitWrite(_, this.getInstruction(), var) and
+      result.(SourceIRVariable).getIRVariable() = var.getIRVariable()
+    )
+  }
+
+  override predicate isCertain() { explicitWrite(true, this.getInstruction(), _) }
+}
+
+private class ParameterDef extends Def, TInitializeParam {
+  ParameterDef() { this = TInitializeParam(store) }
+
+  override SourceVariable getSourceVariable() {
+    result.(SourceIRVariable).getIRVariable() =
+      store.(InitializeParameterInstruction).getIRVariable()
+    or
+    result.(SourceIRVariableIndirection).getUnderlyingIRVariable() =
+      store.(InitializeIndirectionInstruction).getIRVariable()
+  }
+
+  override predicate isCertain() { any() }
+}
+
+abstract class Use extends DefOrUse {
+  Operand use;
+
+  override Operand asUse() { result = use }
+
+  /** Gets the underlying operand of this use. */
+  Operand getOperand() { result = use }
+
+  override string toString() { result = "Use" }
+
+  /** Gets the variable that is used by this use. */
+  abstract SourceVariable getSourceVariable();
+
+  override IRBlock getBlock() { result = use.getUse().getBlock() }
+
+  override Cpp::Location getLocation() { result = use.getLocation() }
+}
+
+private class ExplicitUse extends Use, TExplicitUse {
+  ExplicitUse() { this = TExplicitUse(use) }
+
+  override SourceVariable getSourceVariable() {
+    exists(VariableInstruction var |
+      use.getDef() = var and
+      if use.getUse() instanceof ReadSideEffectInstruction
+      then result.(SourceIRVariableIndirection).getUnderlyingIRVariable() = var.getIRVariable()
+      else result.(SourceIRVariable).getIRVariable() = var.getIRVariable()
+    )
+  }
+}
+
+private class ReturnParameterIndirection extends Use, TReturnParamIndirection {
+  ReturnParameterIndirection() { this = TReturnParamIndirection(use) }
+
+  override SourceVariable getSourceVariable() {
+    exists(ReturnIndirectionInstruction ret |
+      returnParameterIndirection(use, ret) and
+      result.(SourceIRVariableIndirection).getUnderlyingIRVariable() = ret.getIRVariable()
+    )
+  }
+}
+
+private predicate isExplicitUse(Operand op) {
+  op.getDef() instanceof VariableAddressInstruction and
+  not exists(LoadInstruction load |
+    load.getSourceAddressOperand() = op and
+    load.getAUse().getUse() instanceof InitializeIndirectionInstruction
+  )
+}
+
+private predicate returnParameterIndirection(Operand op, ReturnIndirectionInstruction ret) {
+  ret.getSourceAddressOperand() = op
+}
+
+/**
+ * Holds if `iFrom` computes an address that is used by `iTo`.
+ */
+predicate addressFlow(Instruction iFrom, Instruction iTo) {
+  iTo.(CopyValueInstruction).getSourceValue() = iFrom
+  or
+  iTo.(ConvertInstruction).getUnary() = iFrom
+  or
+  iTo.(CheckedConvertOrNullInstruction).getUnary() = iFrom
+  or
+  iTo.(InheritanceConversionInstruction).getUnary() = iFrom
+  or
+  iTo.(PointerArithmeticInstruction).getLeft() = iFrom
+  or
+  iTo.(FieldAddressInstruction).getObjectAddress() = iFrom
+  or
+  // We traverse `LoadInstruction`s since we want to conclude that the
+  // destination of the store operation `*x = source()` is derived from `x`.
+  iTo.(LoadInstruction).getSourceAddress() = iFrom
+  or
+  // We want to include `ReadSideEffectInstruction`s for the same reason that we include
+  // `LoadInstruction`s, but only when a `WriteSideEffectInstruction` for the same index exists as well
+  // (as otherwise we know that the callee won't override the data). However, given an index `i`, the
+  // destination of the `WriteSideEffectInstruction` for `i` is identical to the source address of the
+  // `ReadSideEffectInstruction` for `i`. So we don't have to talk about the `ReadSideEffectInstruction`
+  // at all.
+  exists(WriteSideEffectInstruction write |
+    write.getPrimaryInstruction() = iTo and
+    write.getDestinationAddress() = iFrom
+  )
+}
+
+/**
+ * The reflexive, transitive closure of `addressFlow` that ends as the address of a
+ * store or read operation.
+ */
+cached
+predicate addressFlowTC(Instruction iFrom, Instruction iTo) {
+  iTo = [getDestinationAddress(_), getSourceAddress(_)] and
+  addressFlow*(iFrom, iTo)
+}
+
+/**
+ * Gets the destination address of `instr` if it is a `StoreInstruction` or
+ * a `WriteSideEffectInstruction`.
+ */
+Instruction getDestinationAddress(Instruction instr) {
+  result =
+    [
+      instr.(StoreInstruction).getDestinationAddress(),
+      instr.(WriteSideEffectInstruction).getDestinationAddress()
+    ]
+}
+
+class ReferenceToInstruction extends CopyValueInstruction {
+  ReferenceToInstruction() {
+    this.getResultType() instanceof Cpp::ReferenceType and
+    not this.getUnary().getResultType() instanceof Cpp::ReferenceType
+  }
+
+  Instruction getSourceAddress() { result = getSourceAddressOperand().getDef() }
+
+  Operand getSourceAddressOperand() { result = this.getUnaryOperand() }
+}
+
+/** Gets the source address of `instr` if it is an instruction that behaves like a `LoadInstruction`. */
+Instruction getSourceAddress(Instruction instr) { result = getSourceAddressOperand(instr).getDef() }
+
+/**
+ * Gets the operand that represents the source address of `instr` if it is an
+ * instruction that behaves like a `LoadInstruction`.
+ */
+Operand getSourceAddressOperand(Instruction instr) {
+  result =
+    [
+      instr.(LoadInstruction).getSourceAddressOperand(),
+      instr.(ReadSideEffectInstruction).getArgumentOperand(),
+      // `ReferenceToInstruction` is really more of an address-of operation,
+      // but by including it in this list we break out of `flowOutOfAddressStep` at an
+      // instruction that, at the source level, looks like a use of a variable.
+      instr.(ReferenceToInstruction).getSourceAddressOperand()
+    ]
+}
+
+/**
+ * Gets the source address of `node` if it's an instruction or operand that
+ * behaves like a `LoadInstruction`.
+ */
+Instruction getSourceAddressFromNode(Node node) {
+  result = getSourceAddress(node.asInstruction())
+  or
+  result = getSourceAddress(node.asOperand().(SideEffectOperand).getUse())
+}
+
+/** Gets the source value of `instr` if it's an instruction that behaves like a `LoadInstruction`. */
+Instruction getSourceValue(Instruction instr) { result = getSourceValueOperand(instr).getDef() }
+
+/**
+ * Gets the operand that represents the source value of `instr` if it's an instruction
+ * that behaves like a `LoadInstruction`.
+ */
+Operand getSourceValueOperand(Instruction instr) {
+  result = instr.(LoadInstruction).getSourceValueOperand()
+  or
+  result = instr.(ReadSideEffectInstruction).getSideEffectOperand()
+  or
+  // See the comment on the `ReferenceToInstruction` disjunct in `getSourceAddressOperand` for why
+  // this case is included.
+  result = instr.(ReferenceToInstruction).getSourceValueOperand()
+}
+
+/**
+ * Holds if `instr` is a `StoreInstruction` or a `WriteSideEffectInstruction` that writes to an address.
+ * The addresses is computed using `address`, and `certain` is `true` if the write is guaranteed to overwrite
+ * the entire variable.
+ */
+cached
+predicate explicitWrite(boolean certain, Instruction instr, Instruction address) {
+  exists(StoreInstruction store |
+    store = instr and addressFlowTC(address, store.getDestinationAddress())
+  |
+    // Set `certain = false` if the address is derived from any instructions that prevents us from
+    // concluding that the entire variable is overridden.
+    if
+      addressFlowTC(any(Instruction i |
+          i instanceof FieldAddressInstruction or
+          i instanceof PointerArithmeticInstruction or
+          i instanceof LoadInstruction or
+          i instanceof InheritanceConversionInstruction
+        ), store.getDestinationAddress())
+    then certain = false
+    else certain = true
+  )
+  or
+  addressFlowTC(address, instr.(WriteSideEffectInstruction).getDestinationAddress()) and
+  certain = false
+}
+
+cached
+private module Cached {
+  private predicate defUseFlow(Node nodeFrom, Node nodeTo) {
+    exists(IRBlock bb1, int i1, IRBlock bb2, int i2, DefOrUse defOrUse, Use use |
+      defOrUse.hasRankInBlock(bb1, i1) and
+      use.hasRankInBlock(bb2, i2) and
+      adjacentDefRead(_, bb1, i1, bb2, i2) and
+      nodeFrom.asInstruction() = toInstruction(defOrUse) and
+      flowOutOfAddressStep(use.getOperand(), nodeTo)
+    )
+  }
+
+  private predicate fromStoreNode(StoreNodeInstr nodeFrom, Node nodeTo) {
+    // Def-use flow from a `StoreNode`.
+    exists(IRBlock bb1, int i1, IRBlock bb2, int i2, Def def, Use use |
+      nodeFrom.isTerminal() and
+      def.getInstruction() = nodeFrom.getStoreInstruction() and
+      def.hasRankInBlock(bb1, i1) and
+      adjacentDefRead(_, bb1, i1, bb2, i2) and
+      use.hasRankInBlock(bb2, i2) and
+      flowOutOfAddressStep(use.getOperand(), nodeTo)
+    )
+    or
+    // This final case is a bit annoying. The write side effect on an expression like `a = new A;` writes
+    // to a fresh address returned by `operator new`, and there's no easy way to use the shared SSA
+    // library to hook that up to the assignment to `a`. So instead we flow to the _first_ use of the
+    // value computed by `operator new` that occurs after `nodeFrom` (to avoid a loop in the
+    // dataflow graph).
+    exists(WriteSideEffectInstruction write, IRBlock bb, int i1, int i2, Operand op |
+      nodeFrom.getInstruction().(CallInstruction).getStaticCallTarget() instanceof
+        Alloc::OperatorNewAllocationFunction and
+      write = nodeFrom.getStoreInstruction() and
+      bb.getInstruction(i1) = write and
+      bb.getInstruction(i2) = op.getUse() and
+      // Flow to an instruction that occurs later in the block.
+      conversionFlow*(nodeFrom.getInstruction(), op.getDef()) and
+      nodeTo.asOperand() = op and
+      i2 > i1 and
+      // There is no previous instruction that also occurs after `nodeFrom`.
+      not exists(Instruction instr, int i |
+        bb.getInstruction(i) = instr and
+        conversionFlow(instr, op.getDef()) and
+        i1 < i and
+        i < i2
+      )
+    )
+  }
+
+  private predicate fromReadNode(ReadNode nodeFrom, Node nodeTo) {
+    exists(IRBlock bb1, int i1, IRBlock bb2, int i2, Use use1, Use use2 |
+      use1.hasRankInBlock(bb1, i1) and
+      use2.hasRankInBlock(bb2, i2) and
+      use1.getOperand().getDef() = nodeFrom.getInstruction() and
+      adjacentDefRead(_, bb1, i1, bb2, i2) and
+      flowOutOfAddressStep(use2.getOperand(), nodeTo)
+    )
+  }
+
+  private predicate fromPhiNode(SsaPhiNode nodeFrom, Node nodeTo) {
+    exists(PhiNode phi, Use use, IRBlock block, int rnk |
+      phi = nodeFrom.getPhiNode() and
+      adjacentDefRead(phi, _, _, block, rnk) and
+      use.hasRankInBlock(block, rnk) and
+      flowOutOfAddressStep(use.getOperand(), nodeTo)
+    )
+  }
+
+  private predicate toPhiNode(Node nodeFrom, SsaPhiNode nodeTo) {
+    // Flow to phi nodes
+    exists(Def def, IRBlock block, int rnk |
+      def.hasRankInBlock(block, rnk) and
+      nodeTo.hasInputAtRankInBlock(block, rnk)
+    |
+      exists(StoreNodeInstr storeNode |
+        storeNode = nodeFrom and
+        storeNode.isTerminal() and
+        def.getInstruction() = storeNode.getStoreInstruction()
+      )
+      or
+      def.getInstruction() = nodeFrom.asInstruction()
+    )
+    or
+    // Phi -> phi flow
+    nodeTo.hasInputAtRankInBlock(_, _, nodeFrom.(SsaPhiNode).getPhiNode())
+  }
+
+  /**
+   * Holds if `nodeFrom` is a read or write, and `nTo` is the next subsequent read of the variable
+   * written (or read) by `storeOrRead`.
+   */
+  cached
+  predicate ssaFlow(Node nodeFrom, Node nodeTo) {
+    // Def-use/use-use flow from an `InstructionNode`.
+    defUseFlow(nodeFrom, nodeTo)
+    or
+    // Def-use flow from a `StoreNode`.
+    fromStoreNode(nodeFrom, nodeTo)
+    or
+    // Use-use flow from a `ReadNode`.
+    fromReadNode(nodeFrom, nodeTo)
+    or
+    fromPhiNode(nodeFrom, nodeTo)
+    or
+    toPhiNode(nodeFrom, nodeTo)
+    or
+    // When we want to transfer flow out of a `StoreNode` we perform two steps:
+    // 1. Find the next use of the address being stored to
+    // 2. Find the `LoadInstruction` that loads the address
+    // When the address being stored into doesn't have a `LoadInstruction` associated with it because it's
+    // passed into a `CallInstruction` we transfer flow to the `ReadSideEffect`, which will then flow into
+    // the callee. We then pickup the flow from the `InitializeIndirectionInstruction` and use the shared
+    // SSA library to determine where the next use of the address that received the flow is.
+    exists(Node init, Node mid |
+      nodeFrom.asInstruction().(InitializeIndirectionInstruction).getIRVariable() =
+        init.asInstruction().(InitializeParameterInstruction).getIRVariable() and
+      // No need for the flow if the next use is the instruction that returns the flow out of the callee.
+      not mid.asInstruction() instanceof ReturnIndirectionInstruction and
+      // Find the next use of the address
+      ssaFlow(init, mid) and
+      // And flow to the next load of that address
+      flowOutOfAddressStep([mid.asInstruction().getAUse(), mid.asOperand()], nodeTo)
+    )
+  }
+
+  /**
+   * Holds if `iTo` is a conversion-like instruction that copies
+   * the value computed by `iFrom`.
+   *
+   * This predicate is used by `fromStoreNode` to find the next use of a pointer that
+   * points to freshly allocated memory.
+   */
+  private predicate conversionFlow(Instruction iFrom, Instruction iTo) {
+    iTo.(CopyValueInstruction).getSourceValue() = iFrom
+    or
+    iTo.(ConvertInstruction).getUnary() = iFrom
+    or
+    iTo.(CheckedConvertOrNullInstruction).getUnary() = iFrom
+    or
+    iTo.(InheritanceConversionInstruction).getUnary() = iFrom
+  }
+
+  pragma[noinline]
+  private predicate callTargetHasInputOutput(
+    CallInstruction call, DataFlow::FunctionInput input, DataFlow::FunctionOutput output
+  ) {
+    exists(DataFlow::DataFlowFunction func |
+      call.getStaticCallTarget() = func and
+      func.hasDataFlow(input, output)
+    )
+  }
+
+  /**
+   * The role of `flowOutOfAddressStep` is to select the node for which we want dataflow to end up in
+   * after the shared SSA library's `adjacentDefRead` predicate has determined that `operand` is the
+   * next use of some variable.
+   *
+   * More precisely, this predicate holds if `operand` is an operand that represents an address, and:
+   * - `nodeTo` is the next load of that address, or
+   * - `nodeTo` is a `ReadNode` that uses the definition of `operand` to start a sequence of reads, or
+   * - `nodeTo` is the outer-most `StoreNode` that uses the address represented by `operand`. We obtain
+   *    use-use flow in this case since `StoreNodeFlow::flowOutOf` will then provide flow to the next of
+   *    of `operand`.
+   *
+   * There is one final (slightly annoying) case: When `operand` is a an argument to a modeled function
+   * without any `ReadSideEffect` (such as `std::move`). Here, the address flows from the argument to
+   * the return value, which might then be read later.
+   */
+  private predicate flowOutOfAddressStep(Operand operand, Node nodeTo) {
+    // Flow into a read node
+    exists(ReadNode readNode | readNode = nodeTo |
+      readNode.isInitial() and
+      operand.getDef() = readNode.getInstruction()
+    )
+    or
+    exists(StoreNodeInstr storeNode, Instruction def |
+      storeNode = nodeTo and
+      def = operand.getDef()
+    |
+      storeNode.isTerminal() and
+      not addressFlow(def, _) and
+      // Only transfer flow to a store node if it doesn't immediately overwrite the address
+      // we've just written to.
+      explicitWrite(false, storeNode.getStoreInstruction(), def)
+    )
+    or
+    operand = getSourceAddressOperand(nodeTo.asInstruction())
+    or
+    exists(ReturnIndirectionInstruction ret |
+      ret.getSourceAddressOperand() = operand and
+      ret = nodeTo.asInstruction()
+    )
+    or
+    exists(ReturnValueInstruction ret |
+      ret.getReturnAddressOperand() = operand and
+      nodeTo.asInstruction() = ret
+    )
+    or
+    exists(CallInstruction call, int index, ReadSideEffectInstruction read |
+      call.getArgumentOperand(index) = operand and
+      read = getSideEffectFor(call, index) and
+      nodeTo.asOperand() = read.getSideEffectOperand()
+    )
+    or
+    exists(CopyInstruction copy |
+      not exists(getSourceAddressOperand(copy)) and
+      copy.getSourceValueOperand() = operand and
+      flowOutOfAddressStep(copy.getAUse(), nodeTo)
+    )
+    or
+    exists(ConvertInstruction convert |
+      convert.getUnaryOperand() = operand and
+      flowOutOfAddressStep(convert.getAUse(), nodeTo)
+    )
+    or
+    exists(CheckedConvertOrNullInstruction convert |
+      convert.getUnaryOperand() = operand and
+      flowOutOfAddressStep(convert.getAUse(), nodeTo)
+    )
+    or
+    exists(InheritanceConversionInstruction convert |
+      convert.getUnaryOperand() = operand and
+      flowOutOfAddressStep(convert.getAUse(), nodeTo)
+    )
+    or
+    exists(PointerArithmeticInstruction arith |
+      arith.getLeftOperand() = operand and
+      flowOutOfAddressStep(arith.getAUse(), nodeTo)
+    )
+    or
+    // Flow through a modeled function that has parameter -> return value flow.
+    exists(
+      CallInstruction call, int index, DataFlow::FunctionInput input,
+      DataFlow::FunctionOutput output
+    |
+      callTargetHasInputOutput(call, input, output) and
+      call.getArgumentOperand(index) = operand and
+      not getSideEffectFor(call, index) instanceof ReadSideEffectInstruction and
+      input.isParameter(index) and
+      output.isReturnValue() and
+      flowOutOfAddressStep(call.getAUse(), nodeTo)
+    )
+  }
+}
+
+import Cached
+
+/**
+ * Holds if the `i`'th write in block `bb` writes to the variable `v`.
+ * `certain` is `true` if the write is guaranteed to overwrite the entire variable.
+ */
+predicate variableWrite(IRBlock bb, int i, SourceVariable v, boolean certain) {
+  DataFlowImplCommon::forceCachingInSameStage() and
+  exists(Def def |
+    def.hasRankInBlock(bb, i) and
+    v = def.getSourceVariable() and
+    (if def.isCertain() then certain = true else certain = false)
+  )
+}
+
+/**
+ * Holds if the `i`'th read in block `bb` reads to the variable `v`.
+ * `certain` is `true` if the read is guaranteed. For C++, this is always the case.
+ */
+predicate variableRead(IRBlock bb, int i, SourceVariable v, boolean certain) {
+  exists(Use use |
+    use.hasRankInBlock(bb, i) and
+    v = use.getSourceVariable() and
+    certain = true
+  )
+}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll

@@ -44,8 +44,6 @@ private predicate instructionToOperandTaintStep(Instruction fromInstr, Operand t
     fromInstr = readInstr.getArgumentDef() and
     toOperand = readInstr.getSideEffectOperand()
   )
-  or
-  toOperand.(LoadOperand).getAnyDef() = fromInstr
 }
 
 /**
@@ -84,8 +82,6 @@ private predicate operandToInstructionTaintStep(Operand opFrom, Instruction inst
     instrTo.(FieldAddressInstruction).getField().getDeclaringType() instanceof Union
   )
   or
-  instrTo.(LoadInstruction).getSourceAddressOperand() = opFrom
-  or
   // Flow from an element to an array or union that contains it.
   instrTo.(ChiInstruction).getPartialOperand() = opFrom and
   not instrTo.isResultConflated() and

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -762,11 +762,21 @@ class ReturnValueInstruction extends ReturnInstruction {
    */
   final LoadOperand getReturnValueOperand() { result = this.getAnOperand() }
 
+  /**
+   * Gets the operand that provides the address of the value being returned by the function.
+   */
+  final AddressOperand getReturnAddressOperand() { result = this.getAnOperand() }
+
   /**
    * Gets the instruction whose result provides the value being returned by the function, if an
    * exact definition is available.
    */
   final Instruction getReturnValue() { result = this.getReturnValueOperand().getDef() }
+
+  /**
+   * Gets the instruction whose result provides the address of the value being returned by the function.
+   */
+  final Instruction getReturnAddress() { result = this.getReturnAddressOperand().getDef() }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll

@@ -762,11 +762,21 @@ class ReturnValueInstruction extends ReturnInstruction {
    */
   final LoadOperand getReturnValueOperand() { result = this.getAnOperand() }
 
+  /**
+   * Gets the operand that provides the address of the value being returned by the function.
+   */
+  final AddressOperand getReturnAddressOperand() { result = this.getAnOperand() }
+
   /**
    * Gets the instruction whose result provides the value being returned by the function, if an
    * exact definition is available.
    */
   final Instruction getReturnValue() { result = this.getReturnValueOperand().getDef() }
+
+  /**
+   * Gets the instruction whose result provides the address of the value being returned by the function.
+   */
+  final Instruction getReturnAddress() { result = this.getReturnAddressOperand().getDef() }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll

@@ -103,9 +103,7 @@ class TranslatedDeclStmt extends TranslatedStmt {
 class TranslatedExprStmt extends TranslatedStmt {
   override ExprStmt stmt;
 
-  TranslatedExpr getExpr() {
-    result = getTranslatedExpr(stmt.(ExprStmt).getExpr().getFullyConverted())
-  }
+  TranslatedExpr getExpr() { result = getTranslatedExpr(stmt.getExpr().getFullyConverted()) }
 
   override TranslatedElement getChild(int id) { id = 0 and result = getExpr() }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll

@@ -762,11 +762,21 @@ class ReturnValueInstruction extends ReturnInstruction {
    */
   final LoadOperand getReturnValueOperand() { result = this.getAnOperand() }
 
+  /**
+   * Gets the operand that provides the address of the value being returned by the function.
+   */
+  final AddressOperand getReturnAddressOperand() { result = this.getAnOperand() }
+
   /**
    * Gets the instruction whose result provides the value being returned by the function, if an
    * exact definition is available.
    */
   final Instruction getReturnValue() { result = this.getReturnValueOperand().getDef() }
+
+  /**
+   * Gets the instruction whose result provides the address of the value being returned by the function.
+   */
+  final Instruction getReturnAddress() { result = this.getReturnAddressOperand().getDef() }
 }
 
 /**