Ruby: fix another SystemCommandExecution::isShellInterpreted implementation

2026-06-03 04:40:14 +02:00 · 2022-07-11 18:09:00 +01:00
1158 changed files with 11855 additions and 41352 deletions
--- a/.github/workflows/check-change-note.yml
+++ b/.github/workflows/check-change-note.yml
@@ -10,7 +10,6 @@ on:
      - "*/ql/lib/**/*.qll"
      - "!**/experimental/**"
      - "!ql/**"
-      - "!swift/**"
      - ".github/workflows/check-change-note.yml"

 jobs:
--- a/.github/workflows/ql-for-ql-build.yml
+++ b/.github/workflows/ql-for-ql-build.yml
@@ -10,16 +10,16 @@ env:
  CARGO_TERM_COLOR: always

 jobs:
-  analyze:
-    runs-on: ubuntu-latest-xl
+  queries:
+    runs-on: ubuntu-latest
    steps:
-      ### Build the queries ###
      - uses: actions/checkout@v3
      - name: Find codeql
        id: find-codeql
        uses: github/codeql-action/init@aa93aea877e5fb8841bcb1193f672abf6e9f2980
        with:
          languages: javascript # does not matter
+          tools: latest
      - name: Get CodeQL version
        id: get-codeql-version
        run: |
@@ -49,7 +49,14 @@ jobs:
          name: query-pack-zip
          path: ${{ runner.temp }}/query-pack.zip

-      ### Build the extractor ###
+  extractors:
+    strategy:
+      fail-fast: false
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
      - name: Cache entire extractor
        id: cache-extractor
        uses: actions/cache@v3
@@ -93,8 +100,15 @@ jobs:
            ql/target/release/ql-extractor
            ql/target/release/ql-extractor.exe
          retention-days: 1
+  package:
+    runs-on: ubuntu-latest

-      ### Package the queries and extractor ###
+    needs:
+      - extractors
+      - queries
+
+    steps:
+      - uses: actions/checkout@v3
      - uses: actions/download-artifact@v3
        with:
          name: query-pack-zip
@@ -122,8 +136,16 @@ jobs:
          name: codeql-ql-pack
          path: codeql-ql.zip
          retention-days: 1
+  analyze:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        folder: [cpp, csharp, java, javascript, python, ql, ruby, swift, go]

-      ### Run the analysis ###
+    needs:
+      - package
+
+    steps:
      - name: Download pack
        uses: actions/download-artifact@v3
        with:
@@ -143,11 +165,14 @@ jobs:
        env:
          PACK: ${{ runner.temp }}/pack

+      - name: Checkout repository
+        uses: actions/checkout@v3
      - name: Create CodeQL config file
        run: |
+          echo "paths:" > ${CONF}
+          echo "  - ${FOLDER}" >> ${CONF}
          echo "paths-ignore:" >> ${CONF}
          echo "  - ql/ql/test" >> ${CONF} 
-          echo "  - \"*/ql/lib/upgrades/\"" >> ${CONF} 
          echo "disable-default-queries: true" >> ${CONF}
          echo "packs:" >> ${CONF}
          echo "  - codeql/ql" >> ${CONF}
@@ -155,34 +180,24 @@ jobs:
          cat ${CONF}
        env: 
          CONF: ./ql-for-ql-config.yml
+          FOLDER: ${{ matrix.folder }}
      - name: Initialize CodeQL
        uses: github/codeql-action/init@aa93aea877e5fb8841bcb1193f672abf6e9f2980
        with:
          languages: ql
          db-location: ${{ runner.temp }}/db
          config-file: ./ql-for-ql-config.yml
+          tools: latest

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@aa93aea877e5fb8841bcb1193f672abf6e9f2980
        with: 
-          category: "ql-for-ql"
+          category: "ql-for-ql-${{ matrix.folder }}"
      - name: Copy sarif file to CWD
-        run: cp ../results/ql.sarif ./ql-for-ql.sarif
-      - name: Fixup the $scema in sarif  # Until https://github.com/microsoft/sarif-vscode-extension/pull/436/ is part in a stable release
-        run: |
-          sed -i 's/\$schema.*/\$schema": "https:\/\/raw.githubusercontent.com\/oasis-tcs\/sarif-spec\/master\/Schemata\/sarif-schema-2.1.0",/' ql-for-ql.sarif 
+        run: cp ../results/ql.sarif ./${{ matrix.folder }}.sarif
      - name: Sarif as artifact
        uses: actions/upload-artifact@v3
        with:
-          name: ql-for-ql.sarif
-          path: ql-for-ql.sarif
-      - name: Split out the sarif file into langs
-        run: |
-          mkdir split-sarif
-          node ./ql/scripts/split-sarif.js ql-for-ql.sarif split-sarif
-      - name: Upload langs as artifacts
-        uses: actions/upload-artifact@v3
-        with:
-          name: ql-for-ql-langs
-          path: split-sarif
-          retention-days: 1
+          name: ${{ matrix.folder }}.sarif
+          path: ${{ matrix.folder }}.sarif
+
--- a/.github/workflows/ql-for-ql-dataset_measure.yml
+++ b/.github/workflows/ql-for-ql-dataset_measure.yml
@@ -36,7 +36,7 @@ jobs:
            ql/target
          key: ${{ runner.os }}-qltest-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
      - name: Build Extractor
-        run: cd ql; env "PATH=$PATH:`dirname ${CODEQL}`" ./scripts/create-extractor-pack.sh
+        run: cd ql; env "PATH=$PATH:`dirname ${CODEQL}`" ./create-extractor-pack.sh
        env:
          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
      - name: Checkout ${{ matrix.repo }}
--- a/.github/workflows/ql-for-ql-tests.yml
+++ b/.github/workflows/ql-for-ql-tests.yml
@@ -36,7 +36,7 @@ jobs:
        run: |
          cd ql;
          codeqlpath=$(dirname ${{ steps.find-codeql.outputs.codeql-path }});
-          env "PATH=$PATH:$codeqlpath" ./scripts/create-extractor-pack.sh
+          env "PATH=$PATH:$codeqlpath" ./create-extractor-pack.sh
      - name: Run QL tests
        run: |
          "${CODEQL}" test run --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --search-path "${{ github.workspace }}/ql/extractor-pack" --consistency-queries ql/ql/consistency-queries ql/ql/test
--- a/.github/workflows/swift-codegen.yml
+++ b/.github/workflows/swift-codegen.yml
@@ -15,22 +15,18 @@ jobs:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/fetch-codeql
      - uses: bazelbuild/setup-bazelisk@v2
-      - uses: actions/setup-python@v3
-      - uses: pre-commit/action@v3.0.0
-        name: Check that python code is properly formatted
-        with:
-          extra_args: autopep8 --all-files
      - name: Run unit tests
        run: |
          bazel test //swift/codegen/test --test_output=errors
-      - uses: pre-commit/action@v3.0.0
-        name: Check that QL generated code was checked in
-        with:
-          extra_args: swift-codegen --all-files
+      - name: Check that QL generated code was checked in
+        run: |
+          bazel run //swift/codegen
+          git add swift
+          git diff --exit-code HEAD
      - name: Generate C++ files
        run: |
-          bazel run //swift/codegen:codegen -- --generate=trap,cpp --cpp-output=$PWD/swift-generated-cpp-files
+          bazel run //swift/codegen:codegen -- --generate=trap,cpp --cpp-output=$PWD/swift-generated-headers
      - uses: actions/upload-artifact@v3
        with:
-          name: swift-generated-cpp-files
-          path: swift-generated-cpp-files/**
+          name: swift-generated-headers
+          path: swift-generated-headers/*.h
--- a/.github/workflows/swift-integration-tests.yml
+++ b/.github/workflows/swift-integration-tests.yml
@@ -1,34 +0,0 @@
-name: "Swift: Run Integration Tests"
-
-on:
-  pull_request:
-    paths:
-      - "swift/**"
-      - .github/workflows/swift-integration-tests.yml
-      - codeql-workspace.yml
-    branches:
-      - main
-defaults:
-  run:
-    working-directory: swift
-
-jobs:
-  integration-tests:
-    runs-on: ${{ matrix.os }}
-    strategy:
-      fail-fast: false
-      matrix:
-        os:
-          - ubuntu-20.04
-#          - macos-latest  TODO
-    steps:
-      - uses: actions/checkout@v3
-      - uses: ./.github/actions/fetch-codeql
-      - uses: bazelbuild/setup-bazelisk@v2
-      - uses: actions/setup-python@v3
-      - name: Build Swift extractor
-        run: |
-          bazel run //swift:create-extractor-pack
-      - name: Run integration tests
-        run: |
-          python integration-tests/runner.py
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -15,12 +15,6 @@ repos:
      - id: clang-format
        files: ^swift/.*\.(h|c|cpp)$

-  - repo: https://github.com/pre-commit/mirrors-autopep8
-    rev: v1.6.0
-    hooks:
-      - id: autopep8
-        files: ^swift/codegen/.*\.py
-
  - repo: local
    hooks:
      - id: codeql-format
--- a/1
+++ b/1
@@ -42,4 +42,3 @@ WORKSPACE.bazel @github/codeql-ci-reviewers
 /.github/workflows/js-ml-tests.yml @github/codeql-ml-powered-queries-reviewers
 /.github/workflows/ql-for-ql-* @github/codeql-ql-for-ql-reviewers
 /.github/workflows/ruby-* @github/codeql-ruby
-/.github/workflows/swift-* @github/codeql-c
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -453,11 +453,11 @@
    "python/ql/src/Lexical/CommentedOutCodeReferences.inc.qhelp"
  ],
  "IDE Contextual Queries": [
-    "cpp/ql/lib/IDEContextual.qll",
-    "csharp/ql/lib/IDEContextual.qll",
-    "java/ql/lib/IDEContextual.qll",
-    "javascript/ql/lib/IDEContextual.qll",
-    "python/ql/lib/analysis/IDEContextual.qll"
+    "cpp/ql/src/IDEContextual.qll",
+    "csharp/ql/src/IDEContextual.qll",
+    "java/ql/src/IDEContextual.qll",
+    "javascript/ql/src/IDEContextual.qll",
+    "python/ql/src/analysis/IDEContextual.qll"
  ],
  "SSA C#": [
    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll",
--- a/cpp/downgrades/23f7cbb88a4eb29f30c3490363dc201bc054c5ff/exprs.ql
+++ b/cpp/downgrades/23f7cbb88a4eb29f30c3490363dc201bc054c5ff/exprs.ql
@@ -1,17 +0,0 @@
-class Expr extends @expr {
-  string toString() { none() }
-}
-
-class Location extends @location_expr {
-  string toString() { none() }
-}
-
-predicate isExprWithNewBuiltin(Expr expr) {
-  exists(int kind | exprs(expr, kind, _) | 330 <= kind and kind <= 334)
-}
-
-from Expr expr, int kind, int kind_new, Location location
-where
-  exprs(expr, kind, location) and
-  if isExprWithNewBuiltin(expr) then kind_new = 0 else kind_new = kind
-select expr, kind_new, location
--- a/cpp/downgrades/23f7cbb88a4eb29f30c3490363dc201bc054c5ff/old.dbscheme
+++ b/cpp/downgrades/23f7cbb88a4eb29f30c3490363dc201bc054c5ff/old.dbscheme
--- a/cpp/downgrades/23f7cbb88a4eb29f30c3490363dc201bc054c5ff/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/23f7cbb88a4eb29f30c3490363dc201bc054c5ff/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/23f7cbb88a4eb29f30c3490363dc201bc054c5ff/upgrade.properties
+++ b/cpp/downgrades/23f7cbb88a4eb29f30c3490363dc201bc054c5ff/upgrade.properties
@@ -1,3 +0,0 @@
-description: Add new builtin operations
-compatibility: partial
-exprs.rel: run exprs.qlo
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,9 +1,3 @@
-## 0.3.1
-
-### Minor Analysis Improvements
-
-* `AnalysedExpr::isNullCheck` and `AnalysedExpr::isValidCheck` have been updated to handle variable accesses on the left-hand side of the C++ logical "and", and variable declarations in conditions.
-
 ## 0.3.0

 ### Deprecated APIs
--- a/cpp/ql/lib/change-notes/2022-06-24-unique-variable.md
+++ b/cpp/ql/lib/change-notes/2022-06-24-unique-variable.md
@@ -1,4 +0,0 @@
---
-category: fix
---
-* Under certain circumstances a variable declaration that is not also a definition could be associated with a `Variable` that did not have the definition as a `VariableDeclarationEntry`. This is now fixed, and a unique `Variable` will exist that has both the declaration and the definition as a `VariableDeclarationEntry`.
--- a/cpp/ql/lib/change-notes/2022-07-26-additional-builtin-support.md
+++ b/cpp/ql/lib/change-notes/2022-07-26-additional-builtin-support.md
@@ -1,4 +0,0 @@
---
-category: feature
---
-* Added subclasses of `BuiltInOperations` for `__builtin_bit_cast`, `__builtin_shuffle`, `__has_unique_object_representations`, `__is_aggregate`, and `__is_assignable`.
--- a/cpp/ql/lib/change-notes/released/0.3.1.md
+++ b/cpp/ql/lib/change-notes/released/0.3.1.md
@@ -1,5 +0,0 @@
-## 0.3.1
-
-### Minor Analysis Improvements
-
-* `AnalysedExpr::isNullCheck` and `AnalysedExpr::isValidCheck` have been updated to handle variable accesses on the left-hand side of the C++ logical "and", and variable declarations in conditions.
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.3.1
+lastReleaseVersion: 0.3.0
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.3.2-dev
+version: 0.3.0
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/lib/semmle/code/cpp/Element.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Element.qll
@@ -6,7 +6,6 @@
 import semmle.code.cpp.Location
 private import semmle.code.cpp.Enclosing
 private import semmle.code.cpp.internal.ResolveClass
-private import semmle.code.cpp.internal.ResolveGlobalVariable

 /**
 * Get the `Element` that represents this `@element`.
@@ -29,12 +28,9 @@ Element mkElement(@element e) { unresolveElement(result) = e }
 pragma[inline]
@element unresolveElement(Element e) {
  not result instanceof @usertype and
-  not result instanceof @variable and
  result = e
  or
  e = resolveClass(result)
-  or
-  e = resolveGlobalVariable(result)
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/Variable.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Variable.qll
@@ -6,7 +6,6 @@ import semmle.code.cpp.Element
 import semmle.code.cpp.exprs.Access
 import semmle.code.cpp.Initializer
 private import semmle.code.cpp.internal.ResolveClass
-private import semmle.code.cpp.internal.ResolveGlobalVariable

 /**
 * A C/C++ variable. For example, in the following code there are four
@@ -33,8 +32,6 @@ private import semmle.code.cpp.internal.ResolveGlobalVariable
 * can have multiple declarations.
 */
 class Variable extends Declaration, @variable {
-  Variable() { isVariable(underlyingElement(this)) }
-
  override string getAPrimaryQlClass() { result = "Variable" }

  /** Gets the initializer of this variable, if any. */
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/Nullness.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/Nullness.qll
@@ -46,7 +46,7 @@ predicate nullCheckExpr(Expr checkExpr, Variable var) {
    or
    exists(LogicalAndExpr op, AnalysedExpr child |
      expr = op and
-      op.getAnOperand() = child and
+      op.getRightOperand() = child and
      nullCheckExpr(child, v)
    )
    or
@@ -99,7 +99,7 @@ predicate validCheckExpr(Expr checkExpr, Variable var) {
    or
    exists(LogicalAndExpr op, AnalysedExpr child |
      expr = op and
-      op.getAnOperand() = child and
+      op.getRightOperand() = child and
      validCheckExpr(child, v)
    )
    or
@@ -169,10 +169,7 @@ class AnalysedExpr extends Expr {
   */
  predicate isDef(LocalScopeVariable v) {
    this.inCondition() and
-    (
-      this.(Assignment).getLValue() = v.getAnAccess() or
-      this.(ConditionDeclExpr).getVariableAccess() = v.getAnAccess()
-    )
+    this.(Assignment).getLValue() = v.getAnAccess()
  }

  /**
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
@@ -428,7 +428,7 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    simpleLocalFlowStepExt(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    simpleLocalFlowStepExt(n1, n2) and
    stepFilter(node1, node2, config)
  )
  or
@@ -447,7 +447,7 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config)
  )
@@ -466,7 +466,7 @@ private predicate additionalLocalStateStep(
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), s1, pragma[only_bind_into](n2), s2) and
+    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not stateBarrier(node1, s1, config) and
@@ -481,7 +481,7 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    jumpStepCached(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    jumpStepCached(n1, n2) and
    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
@@ -494,7 +494,7 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -507,7 +507,7 @@ private predicate additionalJumpStateStep(
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), s1, pragma[only_bind_into](n2), s2) and
+    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not stateBarrier(node1, s1, config) and
@@ -518,7 +518,7 @@ private predicate additionalJumpStateStep(

 pragma[nomagic]
 private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
-  readSet(pragma[only_bind_into](node1.asNode()), c, pragma[only_bind_into](node2.asNode())) and
+  readSet(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -562,8 +562,7 @@ pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
-  store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
-    contentType) and
+  store(node1.asNode(), tc, node2.asNode(), contentType) and
  read(_, tc.getContent(), _, config) and
  stepFilter(node1, node2, config)
 }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -428,7 +428,7 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    simpleLocalFlowStepExt(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    simpleLocalFlowStepExt(n1, n2) and
    stepFilter(node1, node2, config)
  )
  or
@@ -447,7 +447,7 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config)
  )
@@ -466,7 +466,7 @@ private predicate additionalLocalStateStep(
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), s1, pragma[only_bind_into](n2), s2) and
+    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not stateBarrier(node1, s1, config) and
@@ -481,7 +481,7 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    jumpStepCached(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    jumpStepCached(n1, n2) and
    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
@@ -494,7 +494,7 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -507,7 +507,7 @@ private predicate additionalJumpStateStep(
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), s1, pragma[only_bind_into](n2), s2) and
+    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not stateBarrier(node1, s1, config) and
@@ -518,7 +518,7 @@ private predicate additionalJumpStateStep(

 pragma[nomagic]
 private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
-  readSet(pragma[only_bind_into](node1.asNode()), c, pragma[only_bind_into](node2.asNode())) and
+  readSet(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -562,8 +562,7 @@ pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
-  store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
-    contentType) and
+  store(node1.asNode(), tc, node2.asNode(), contentType) and
  read(_, tc.getContent(), _, config) and
  stepFilter(node1, node2, config)
 }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -428,7 +428,7 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    simpleLocalFlowStepExt(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    simpleLocalFlowStepExt(n1, n2) and
    stepFilter(node1, node2, config)
  )
  or
@@ -447,7 +447,7 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config)
  )
@@ -466,7 +466,7 @@ private predicate additionalLocalStateStep(
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), s1, pragma[only_bind_into](n2), s2) and
+    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not stateBarrier(node1, s1, config) and
@@ -481,7 +481,7 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    jumpStepCached(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    jumpStepCached(n1, n2) and
    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
@@ -494,7 +494,7 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -507,7 +507,7 @@ private predicate additionalJumpStateStep(
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), s1, pragma[only_bind_into](n2), s2) and
+    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not stateBarrier(node1, s1, config) and
@@ -518,7 +518,7 @@ private predicate additionalJumpStateStep(

 pragma[nomagic]
 private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
-  readSet(pragma[only_bind_into](node1.asNode()), c, pragma[only_bind_into](node2.asNode())) and
+  readSet(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -562,8 +562,7 @@ pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
-  store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
-    contentType) and
+  store(node1.asNode(), tc, node2.asNode(), contentType) and
  read(_, tc.getContent(), _, config) and
  stepFilter(node1, node2, config)
 }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -428,7 +428,7 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    simpleLocalFlowStepExt(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    simpleLocalFlowStepExt(n1, n2) and
    stepFilter(node1, node2, config)
  )
  or
@@ -447,7 +447,7 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config)
  )
@@ -466,7 +466,7 @@ private predicate additionalLocalStateStep(
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), s1, pragma[only_bind_into](n2), s2) and
+    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not stateBarrier(node1, s1, config) and
@@ -481,7 +481,7 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    jumpStepCached(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    jumpStepCached(n1, n2) and
    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
@@ -494,7 +494,7 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -507,7 +507,7 @@ private predicate additionalJumpStateStep(
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), s1, pragma[only_bind_into](n2), s2) and
+    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not stateBarrier(node1, s1, config) and
@@ -518,7 +518,7 @@ private predicate additionalJumpStateStep(

 pragma[nomagic]
 private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
-  readSet(pragma[only_bind_into](node1.asNode()), c, pragma[only_bind_into](node2.asNode())) and
+  readSet(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -562,8 +562,7 @@ pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
-  store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
-    contentType) and
+  store(node1.asNode(), tc, node2.asNode(), contentType) and
  read(_, tc.getContent(), _, config) and
  stepFilter(node1, node2, config)
 }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -428,7 +428,7 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    simpleLocalFlowStepExt(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    simpleLocalFlowStepExt(n1, n2) and
    stepFilter(node1, node2, config)
  )
  or
@@ -447,7 +447,7 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config)
  )
@@ -466,7 +466,7 @@ private predicate additionalLocalStateStep(
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), s1, pragma[only_bind_into](n2), s2) and
+    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not stateBarrier(node1, s1, config) and
@@ -481,7 +481,7 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    jumpStepCached(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    jumpStepCached(n1, n2) and
    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
@@ -494,7 +494,7 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -507,7 +507,7 @@ private predicate additionalJumpStateStep(
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), s1, pragma[only_bind_into](n2), s2) and
+    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not stateBarrier(node1, s1, config) and
@@ -518,7 +518,7 @@ private predicate additionalJumpStateStep(

 pragma[nomagic]
 private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
-  readSet(pragma[only_bind_into](node1.asNode()), c, pragma[only_bind_into](node2.asNode())) and
+  readSet(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -562,8 +562,7 @@ pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
-  store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
-    contentType) and
+  store(node1.asNode(), tc, node2.asNode(), contentType) and
  read(_, tc.getContent(), _, config) and
  stepFilter(node1, node2, config)
 }
--- a/cpp/ql/lib/semmle/code/cpp/exprs/BuiltInOperations.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/BuiltInOperations.qll
@@ -1,5 +1,5 @@
 /**
- * Provides classes for modeling built-in operations. Built-in operations are
+ * Provides classes for modeling built-in operations.  Built-in operations are
 * typically compiler specific and are used by libraries and generated code.
 */

@@ -120,8 +120,8 @@ class BuiltInNoOp extends BuiltInOperation, @noopexpr {

 /**
 * A C/C++ `__builtin_offsetof` built-in operation (used by some implementations
- * of `offsetof`). The operation retains its semantics even in the presence
- * of an overloaded `operator &`). This is a gcc/clang extension.
+ * of `offsetof`).  The operation retains its semantics even in the presence
+ * of an overloaded `operator &`).  This is a GNU/Clang extension.
 * ```
 * struct S {
 *   int a, b;
@@ -137,8 +137,8 @@ class BuiltInOperationBuiltInOffsetOf extends BuiltInOperation, @offsetofexpr {

 /**
 * A C/C++ `__INTADDR__` built-in operation (used by some implementations
- * of `offsetof`). The operation retains its semantics even in the presence
- * of an overloaded `operator &`). This is an EDG extension.
+ * of `offsetof`).  The operation retains its semantics even in the presence
+ * of an overloaded `operator &`).  This is an EDG extension.
 * ```
 * struct S {
 *   int a, b;
@@ -173,7 +173,7 @@ class BuiltInOperationHasAssign extends BuiltInOperation, @hasassignexpr {
 *
 * Returns `true` if the type has a copy constructor.
 * ```
- * std::integral_constant<bool, __has_copy(_Tp)> hc;
+ * std::integral_constant< bool, __has_copy(_Tp)> hc;
 * ```
 */
 class BuiltInOperationHasCopy extends BuiltInOperation, @hascopyexpr {
@@ -189,7 +189,7 @@ class BuiltInOperationHasCopy extends BuiltInOperation, @hascopyexpr {
 * Returns `true` if a copy assignment operator has an empty exception
 * specification.
 * ```
- * std::integral_constant<bool, __has_nothrow_assign(_Tp)> hnta;
+ * std::integral_constant< bool, __has_nothrow_assign(_Tp)> hnta;
 * ```
 */
 class BuiltInOperationHasNoThrowAssign extends BuiltInOperation, @hasnothrowassign {
@@ -220,7 +220,7 @@ class BuiltInOperationHasNoThrowConstructor extends BuiltInOperation, @hasnothro
 *
 * Returns `true` if the copy constructor has an empty exception specification.
 * ```
- * std::integral_constant<bool, __has_nothrow_copy(MyType) >;
+ * std::integral_constant< bool, __has_nothrow_copy(MyType) >;
 * ```
 */
 class BuiltInOperationHasNoThrowCopy extends BuiltInOperation, @hasnothrowcopy {
@@ -266,7 +266,7 @@ class BuiltInOperationHasTrivialConstructor extends BuiltInOperation, @hastrivia
 *
 * Returns true if the type has a trivial copy constructor.
 * ```
- * std::integral_constant<bool, __has_trivial_copy(MyType)> htc;
+ * std::integral_constant< bool, __has_trivial_copy(MyType) > htc;
 * ```
 */
 class BuiltInOperationHasTrivialCopy extends BuiltInOperation, @hastrivialcopy {
@@ -468,7 +468,7 @@ class BuiltInOperationIsUnion extends BuiltInOperation, @isunionexpr {
 * ```
 * template<typename _Tp1, typename _Tp2>
 *   struct types_compatible
- *   : public integral_constant<bool, __builtin_types_compatible_p(_Tp1, _Tp2)>
+ *   : public integral_constant<bool, __builtin_types_compatible_p(_Tp1, _Tp2) >
 *   { };
 * ```
 */
@@ -479,7 +479,8 @@ class BuiltInOperationBuiltInTypesCompatibleP extends BuiltInOperation, @typesco
 /**
 * A clang `__builtin_shufflevector` expression.
 *
- * It outputs a permutation of elements from one or two input vectors. See
+ * It outputs a permutation of elements from one or two input vectors.
+ * Please see
 * https://releases.llvm.org/3.7.0/tools/clang/docs/LanguageExtensions.html#langext-builtin-shufflevector
 * for more information.
 * ```
@@ -493,29 +494,11 @@ class BuiltInOperationBuiltInShuffleVector extends BuiltInOperation, @builtinshu
  override string getAPrimaryQlClass() { result = "BuiltInOperationBuiltInShuffleVector" }
 }

-/**
- * A gcc `__builtin_shuffle` expression.
- *
- * It outputs a permutation of elements from one or two input vectors.
- * See https://gcc.gnu.org/onlinedocs/gcc/Vector-Extensions.html
- * for more information.
- * ```
- * // Concatenate every other element of 4-element vectors V1 and V2.
- * M = {0, 2, 4, 6};
- * V3 = __builtin_shuffle(V1, V2, M);
- * ```
- */
-class BuiltInOperationBuiltInShuffle extends BuiltInOperation, @builtinshuffle {
-  override string toString() { result = "__builtin_shuffle" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationBuiltInShuffle" }
-}
-
 /**
 * A clang `__builtin_convertvector` expression.
 *
 * Allows for conversion of vectors of equal element count and compatible
- * element types. See
+ * element types. Please see
 * https://releases.llvm.org/3.7.0/tools/clang/docs/LanguageExtensions.html#builtin-convertvector
 * for more information.
 * ```
@@ -564,7 +547,7 @@ class BuiltInOperationBuiltInAddressOf extends UnaryOperation, BuiltInOperation,
 * ```
 * template<typename T, typename... Args>
 *   struct is_trivially_constructible
- *   : public integral_constant<bool, __is_trivially_constructible(T, Args...)>
+ *   : public integral_constant<bool, __is_trivially_constructible(T, Args...) >
 *   { };
 * ```
 */
@@ -629,10 +612,13 @@ class BuiltInOperationIsTriviallyDestructible extends BuiltInOperation, @istrivi
 * The `__is_trivially_assignable` built-in operation (used by some
 * implementations of the `<type_traits>` header).
 *
- * Returns `true` if the assignment operator `C::operator =(const D& d)` is
- * trivial (i.e., it will not call any operation that is non-trivial).
+ * Returns `true` if the assignment operator `C::operator =(const C& c)` is
+ * trivial.
 * ```
- * bool v = __is_trivially_assignable(MyType1, MyType2);
+ * template<typename T>
+ *   struct is_trivially_assignable
+ *   : public integral_constant<bool, __is_trivially_assignable(T) >
+ *   { };
 * ```
 */
 class BuiltInOperationIsTriviallyAssignable extends BuiltInOperation, @istriviallyassignableexpr {
@@ -645,10 +631,10 @@ class BuiltInOperationIsTriviallyAssignable extends BuiltInOperation, @istrivial
 * The `__is_nothrow_assignable` built-in operation (used by some
 * implementations of the `<type_traits>` header).
 *
- * Returns true if there exists a `C::operator =(const D& d) nothrow`
+ * Returns true if there exists a `C::operator =(const C& c) nothrow`
 * assignment operator (i.e, with an empty exception specification).
 * ```
- * bool v = __is_nothrow_assignable(MyType1, MyType2);
+ * bool v = __is_nothrow_assignable(MyType);
 * ```
 */
 class BuiltInOperationIsNothrowAssignable extends BuiltInOperation, @isnothrowassignableexpr {
@@ -657,30 +643,15 @@ class BuiltInOperationIsNothrowAssignable extends BuiltInOperation, @isnothrowas
  override string getAPrimaryQlClass() { result = "BuiltInOperationIsNothrowAssignable" }
 }

-/**
- * The `__is_assignable` built-in operation (used by some implementations
- * of the `<type_traits>` header).
- *
- * Returns true if there exists a `C::operator =(const D& d)` assignment
- * operator.
- * ```
- * bool v = __is_assignable(MyType1, MyType2);
- * ```
- */
-class BuiltInOperationIsAssignable extends BuiltInOperation, @isassignable {
-  override string toString() { result = "__is_assignable" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsAssignable" }
-}
-
 /**
 * The `__is_standard_layout` built-in operation (used by some implementations
 * of the `<type_traits>` header).
 *
 * Returns `true` if the type is a primitive type, or a `class`, `struct` or
- * `union` without (1) virtual functions or base classes, (2) reference member
- * variable, or (3) multiple occurrences of base `class` objects, among other
- * restrictions. See https://en.cppreference.com/w/cpp/named_req/StandardLayoutType
+ * `union` WITHOUT (1) virtual functions or base classes, (2) reference member
+ * variable or (3) multiple occurrences of base `class` objects, among other
+ * restrictions.  Please see
+ * https://en.cppreference.com/w/cpp/named_req/StandardLayoutType
 * for more information.
 * ```
 * bool v = __is_standard_layout(MyType);
@@ -697,7 +668,7 @@ class BuiltInOperationIsStandardLayout extends BuiltInOperation, @isstandardlayo
 * implementations of the `<type_traits>` header).
 *
 * Returns `true` if instances of this type can be copied by trivial
- * means. The copying is done in a manner similar to the `memcpy`
+ * means.  The copying is done in a manner similar to the `memcpy`
 * function.
 */
 class BuiltInOperationIsTriviallyCopyable extends BuiltInOperation, @istriviallycopyableexpr {
@@ -711,13 +682,13 @@ class BuiltInOperationIsTriviallyCopyable extends BuiltInOperation, @istrivially
 * the `<type_traits>` header).
 *
 * Returns `true` if the type is a scalar type, a reference type or an array of
- * literal types, among others. See
+ * literal types, among others. Please see
 * https://en.cppreference.com/w/cpp/named_req/LiteralType
 * for more information.
 *
 * ```
 * template <typename _Tp>
- * std::integral_constant<bool, __is_literal_type(_Tp)> ilt;
+ * std::integral_constant< bool, __is_literal_type(_Tp)> ilt;
 * ```
 */
 class BuiltInOperationIsLiteralType extends BuiltInOperation, @isliteraltypeexpr {
@@ -734,7 +705,7 @@ class BuiltInOperationIsLiteralType extends BuiltInOperation, @isliteraltypeexpr
 * compiler, with semantics of the `memcpy` operation.
 * ```
 * template <typename _Tp>
- * std::integral_constant<bool, __has_trivial_move_constructor(_Tp)> htmc;
+ * std::integral_constant< bool, __has_trivial_move_constructor(_Tp)> htmc;
 * ```
 */
 class BuiltInOperationHasTrivialMoveConstructor extends BuiltInOperation,
@@ -752,7 +723,7 @@ class BuiltInOperationHasTrivialMoveConstructor extends BuiltInOperation,
 * ```
 * template<typename T>
 *   struct has_trivial_move_assign
- *   : public integral_constant<bool, __has_trivial_move_assign(T)>
+ *   : public integral_constant<bool, __has_trivial_move_assign(T) >
 *   { };
 * ```
 */
@@ -787,7 +758,7 @@ class BuiltInOperationHasNothrowMoveAssign extends BuiltInOperation, @hasnothrow
 * ```
 * template<typename T, typename... Args>
 *   struct is_constructible
- *   : public integral_constant<bool, __is_constructible(T, Args...)>
+ *   : public integral_constant<bool, __is_constructible(T, Args...) >
 *   { };
 * ```
 */
@@ -814,7 +785,7 @@ class BuiltInOperationIsNothrowConstructible extends BuiltInOperation, @isnothro
 }

 /**
- * The `__has_finalizer` built-in operation. This is a Microsoft extension.
+ * The `__has_finalizer` built-in operation.  This is a Microsoft extension.
 *
 * Returns `true` if the type defines a _finalizer_ `C::!C(void)`, to be called
 * from either the regular destructor or the garbage collector.
@@ -829,10 +800,10 @@ class BuiltInOperationHasFinalizer extends BuiltInOperation, @hasfinalizerexpr {
 }

 /**
- * The `__is_delegate` built-in operation. This is a Microsoft extension.
+ * The `__is_delegate` built-in operation.  This is a Microsoft extension.
 *
 * Returns `true` if the function has been declared as a `delegate`, used in
- * message forwarding. See
+ * message forwarding.  Please see
 * https://docs.microsoft.com/en-us/cpp/extensions/delegate-cpp-component-extensions
 * for more information.
 */
@@ -843,9 +814,9 @@ class BuiltInOperationIsDelegate extends BuiltInOperation, @isdelegateexpr {
 }

 /**
- * The `__is_interface_class` built-in operation. This is a Microsoft extension.
+ * The `__is_interface_class` built-in operation.  This is a Microsoft extension.
 *
- * Returns `true` if the type has been declared as an `interface`. See
+ * Returns `true` if the type has been declared as an `interface`.  Please see
 * https://docs.microsoft.com/en-us/cpp/extensions/interface-class-cpp-component-extensions
 * for more information.
 */
@@ -856,9 +827,9 @@ class BuiltInOperationIsInterfaceClass extends BuiltInOperation, @isinterfacecla
 }

 /**
- * The `__is_ref_array` built-in operation. This is a Microsoft extension.
+ * The `__is_ref_array` built-in operation.  This is a Microsoft extension.
 *
- * Returns `true` if the object passed in is a _platform array_. See
+ * Returns `true` if the object passed in is a _platform array_.  Please see
 * https://docs.microsoft.com/en-us/cpp/extensions/arrays-cpp-component-extensions
 * for more information.
 * ```
@@ -873,9 +844,9 @@ class BuiltInOperationIsRefArray extends BuiltInOperation, @isrefarrayexpr {
 }

 /**
- * The `__is_ref_class` built-in operation. This is a Microsoft extension.
+ * The `__is_ref_class` built-in operation.  This is a Microsoft extension.
 *
- * Returns `true` if the type is a _reference class_. See
+ * Returns `true` if the type is a _reference class_.  Please see
 * https://docs.microsoft.com/en-us/cpp/extensions/classes-and-structs-cpp-component-extensions
 * for more information.
 * ```
@@ -890,10 +861,10 @@ class BuiltInOperationIsRefClass extends BuiltInOperation, @isrefclassexpr {
 }

 /**
- * The `__is_sealed` built-in operation. This is a Microsoft extension.
+ * The `__is_sealed` built-in operation.  This is a Microsoft extension.
 *
 * Returns `true` if a given class or virtual function is marked as `sealed`,
- * meaning that it cannot be extended or overridden. The `sealed` keyword
+ * meaning that it cannot be extended or overridden.  The `sealed` keyword
 * is similar to the C++11 `final` keyword.
 * ```
 * ref class X sealed {
@@ -908,7 +879,7 @@ class BuiltInOperationIsSealed extends BuiltInOperation, @issealedexpr {
 }

 /**
- * The `__is_simple_value_class` built-in operation. This is a Microsoft extension.
+ * The `__is_simple_value_class` built-in operation.  This is a Microsoft extension.
 *
 * Returns `true` if passed a value type that contains no references to the
 * garbage-collected heap.
@@ -927,9 +898,9 @@ class BuiltInOperationIsSimpleValueClass extends BuiltInOperation, @issimplevalu
 }

 /**
- * The `__is_value_class` built-in operation. This is a Microsoft extension.
+ * The `__is_value_class` built-in operation.  This is a Microsoft extension.
 *
- * Returns `true` if passed a value type. See
+ * Returns `true` if passed a value type.  Please see
 * https://docs.microsoft.com/en-us/cpp/extensions/classes-and-structs-cpp-component-extensions
 * For more information.
 * ```
@@ -951,7 +922,7 @@ class BuiltInOperationIsValueClass extends BuiltInOperation, @isvalueclassexpr {
 * ```
 * template<typename T>
 *   struct is_final
- *   : public integral_constant<bool, __is_final(T)>
+ *   : public integral_constant<bool, __is_final(T) >
 *   { };
 * ```
 */
@@ -962,7 +933,7 @@ class BuiltInOperationIsFinal extends BuiltInOperation, @isfinalexpr {
 }

 /**
- * The `__builtin_choose_expr` expression. This is a gcc/clang extension.
+ * The `__builtin_choose_expr` expression.  This is a GNU/Clang extension.
 *
 * The expression functions similarly to the ternary `?:` operator, except
 * that it is evaluated at compile-time.
@@ -1007,50 +978,3 @@ class BuiltInComplexOperation extends BuiltInOperation, @builtincomplex {
  /** Gets the operand corresponding to the imaginary part of the complex number. */
  Expr getImaginaryOperand() { this.hasChild(result, 1) }
 }
-
-/**
- * A C++ `__is_aggregate` built-in operation (used by some implementations of the
- * `<type_traits>` header).
- *
- * Returns `true` if the type has is an aggregate type.
- * ```
- * std::integral_constant<bool, __is_aggregate(_Tp)> ia;
- * ```
- */
-class BuiltInOperationIsAggregate extends BuiltInOperation, @isaggregate {
-  override string toString() { result = "__is_aggregate" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsAggregate" }
-}
-
-/**
- * A C++ `__has_unique_object_representations` built-in operation (used by some
- * implementations of the `<type_traits>` header).
- *
- * Returns `true` if the type is trivially copyable and if the object representation
- * is unique for two objects with the same value.
- * ```
- * bool v = __has_unique_object_representations(MyType);
- * ```
- */
-class BuiltInOperationHasUniqueObjectRepresentations extends BuiltInOperation,
-  @hasuniqueobjectrepresentations {
-  override string toString() { result = "__has_unique_object_representations" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationHasUniqueObjectRepresentations" }
-}
-
-/**
- * A C/C++ `__builtin_bit_cast` built-in operation (used by some implementations
- * of `std::bit_cast`).
- *
- * Performs a bit cast from a value to a type.
- * ```
- * __builtin_bit_cast(Type, value);
- * ```
- */
-class BuiltInBitCast extends BuiltInOperation, @builtinbitcast {
-  override string toString() { result = "__builtin_bit_cast" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInBitCast" }
-}
--- a/cpp/ql/lib/semmle/code/cpp/exprs/Call.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/Call.qll
@@ -255,10 +255,8 @@ class FunctionCall extends Call, @funbindexpr {
  /**
   * Gets the function called by this call.
   *
-   * In the case of virtual function calls, the result is the most-specific function in the override tree
-   * such that the target at runtime will be one of `result.getAnOverridingFunction*()`. The most-specific
-   * function is determined by the compiler based on the compile time type of the object the function is a
-   * member of.
+   * In the case of virtual function calls, the result is the most-specific function in the override tree (as
+   * determined by the compiler) such that the target at runtime will be one of `result.getAnOverridingFunction*()`.
   */
  override Function getTarget() { funbind(underlyingElement(this), unresolveElement(result)) }

--- a/cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll
@@ -596,12 +596,9 @@ class ParenthesisExpr extends Conversion, @parexpr {
 }

 /**
- * A C/C++ expression that could not be resolved, or that can no longer be
- * represented due to a database upgrade or downgrade.
+ * A C/C++ expression that has not been resolved.
 *
- * If the expression could not be resolved, it has type `ErroneousType`. In the
- * case of a database upgrade or downgrade, the original type from before the
- * upgrade or downgrade is kept if that type can be represented.
+ * It is assigned `ErroneousType` as its type.
 */
 class ErrorExpr extends Expr, @errorexpr {
  override string toString() { result = "<error expr>" }
--- a/cpp/ql/lib/semmle/code/cpp/internal/ResolveGlobalVariable.qll
+++ b/cpp/ql/lib/semmle/code/cpp/internal/ResolveGlobalVariable.qll
@@ -1,57 +0,0 @@
-private predicate hasDefinition(@globalvariable g) {
-  exists(@var_decl vd | var_decls(vd, g, _, _, _) | var_def(vd))
-}
-
-private predicate onlyOneCompleteGlobalVariableExistsWithMangledName(@mangledname name) {
-  strictcount(@globalvariable g | hasDefinition(g) and mangled_name(g, name)) = 1
-}
-
-/** Holds if `g` is a unique global variable with a definition named `name`. */
-private predicate isGlobalWithMangledNameAndWithDefinition(@mangledname name, @globalvariable g) {
-  hasDefinition(g) and
-  mangled_name(g, name) and
-  onlyOneCompleteGlobalVariableExistsWithMangledName(name)
-}
-
-/** Holds if `g` is a global variable without a definition named `name`. */
-private predicate isGlobalWithMangledNameAndWithoutDefinition(@mangledname name, @globalvariable g) {
-  not hasDefinition(g) and
-  mangled_name(g, name)
-}
-
-/**
- * Holds if `incomplete` is a global variable without a definition, and there exists
- * a unique global variable `complete` with the same name that does have a definition.
- */
-private predicate hasTwinWithDefinition(@globalvariable incomplete, @globalvariable complete) {
-  exists(@mangledname name |
-    not variable_instantiation(incomplete, complete) and
-    isGlobalWithMangledNameAndWithoutDefinition(name, incomplete) and
-    isGlobalWithMangledNameAndWithDefinition(name, complete)
-  )
-}
-
-import Cached
-
-cached
-private module Cached {
-  /**
-   * If `v` is a global variable without a definition, and there exists a unique
-   * global variable with the same name that does have a definition, then the
-   * result is that unique global variable. Otherwise, the result is `v`.
-   */
-  cached
-  @variable resolveGlobalVariable(@variable v) {
-    hasTwinWithDefinition(v, result)
-    or
-    not hasTwinWithDefinition(v, _) and
-    result = v
-  }
-
-  cached
-  predicate isVariable(@variable v) {
-    not v instanceof @globalvariable
-    or
-    v = resolveGlobalVariable(_)
-  }
-}
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -428,7 +428,7 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    simpleLocalFlowStepExt(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    simpleLocalFlowStepExt(n1, n2) and
    stepFilter(node1, node2, config)
  )
  or
@@ -447,7 +447,7 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config)
  )
@@ -466,7 +466,7 @@ private predicate additionalLocalStateStep(
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), s1, pragma[only_bind_into](n2), s2) and
+    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not stateBarrier(node1, s1, config) and
@@ -481,7 +481,7 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    jumpStepCached(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    jumpStepCached(n1, n2) and
    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
@@ -494,7 +494,7 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -507,7 +507,7 @@ private predicate additionalJumpStateStep(
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), s1, pragma[only_bind_into](n2), s2) and
+    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not stateBarrier(node1, s1, config) and
@@ -518,7 +518,7 @@ private predicate additionalJumpStateStep(

 pragma[nomagic]
 private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
-  readSet(pragma[only_bind_into](node1.asNode()), c, pragma[only_bind_into](node2.asNode())) and
+  readSet(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -562,8 +562,7 @@ pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
-  store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
-    contentType) and
+  store(node1.asNode(), tc, node2.asNode(), contentType) and
  read(_, tc.getContent(), _, config) and
  stepFilter(node1, node2, config)
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -428,7 +428,7 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    simpleLocalFlowStepExt(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    simpleLocalFlowStepExt(n1, n2) and
    stepFilter(node1, node2, config)
  )
  or
@@ -447,7 +447,7 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config)
  )
@@ -466,7 +466,7 @@ private predicate additionalLocalStateStep(
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), s1, pragma[only_bind_into](n2), s2) and
+    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not stateBarrier(node1, s1, config) and
@@ -481,7 +481,7 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    jumpStepCached(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    jumpStepCached(n1, n2) and
    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
@@ -494,7 +494,7 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -507,7 +507,7 @@ private predicate additionalJumpStateStep(
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), s1, pragma[only_bind_into](n2), s2) and
+    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not stateBarrier(node1, s1, config) and
@@ -518,7 +518,7 @@ private predicate additionalJumpStateStep(

 pragma[nomagic]
 private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
-  readSet(pragma[only_bind_into](node1.asNode()), c, pragma[only_bind_into](node2.asNode())) and
+  readSet(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -562,8 +562,7 @@ pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
-  store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
-    contentType) and
+  store(node1.asNode(), tc, node2.asNode(), contentType) and
  read(_, tc.getContent(), _, config) and
  stepFilter(node1, node2, config)
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -428,7 +428,7 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    simpleLocalFlowStepExt(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    simpleLocalFlowStepExt(n1, n2) and
    stepFilter(node1, node2, config)
  )
  or
@@ -447,7 +447,7 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config)
  )
@@ -466,7 +466,7 @@ private predicate additionalLocalStateStep(
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), s1, pragma[only_bind_into](n2), s2) and
+    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not stateBarrier(node1, s1, config) and
@@ -481,7 +481,7 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    jumpStepCached(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    jumpStepCached(n1, n2) and
    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
@@ -494,7 +494,7 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -507,7 +507,7 @@ private predicate additionalJumpStateStep(
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), s1, pragma[only_bind_into](n2), s2) and
+    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not stateBarrier(node1, s1, config) and
@@ -518,7 +518,7 @@ private predicate additionalJumpStateStep(

 pragma[nomagic]
 private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
-  readSet(pragma[only_bind_into](node1.asNode()), c, pragma[only_bind_into](node2.asNode())) and
+  readSet(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -562,8 +562,7 @@ pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
-  store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
-    contentType) and
+  store(node1.asNode(), tc, node2.asNode(), contentType) and
  read(_, tc.getContent(), _, config) and
  stepFilter(node1, node2, config)
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -428,7 +428,7 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    simpleLocalFlowStepExt(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    simpleLocalFlowStepExt(n1, n2) and
    stepFilter(node1, node2, config)
  )
  or
@@ -447,7 +447,7 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config)
  )
@@ -466,7 +466,7 @@ private predicate additionalLocalStateStep(
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), s1, pragma[only_bind_into](n2), s2) and
+    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not stateBarrier(node1, s1, config) and
@@ -481,7 +481,7 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    jumpStepCached(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    jumpStepCached(n1, n2) and
    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
@@ -494,7 +494,7 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -507,7 +507,7 @@ private predicate additionalJumpStateStep(
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), s1, pragma[only_bind_into](n2), s2) and
+    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not stateBarrier(node1, s1, config) and
@@ -518,7 +518,7 @@ private predicate additionalJumpStateStep(

 pragma[nomagic]
 private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
-  readSet(pragma[only_bind_into](node1.asNode()), c, pragma[only_bind_into](node2.asNode())) and
+  readSet(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -562,8 +562,7 @@ pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
-  store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
-    contentType) and
+  store(node1.asNode(), tc, node2.asNode(), contentType) and
  read(_, tc.getContent(), _, config) and
  stepFilter(node1, node2, config)
 }
--- a/cpp/ql/lib/semmlecode.cpp.dbscheme
+++ b/cpp/ql/lib/semmlecode.cpp.dbscheme
@@ -1650,11 +1650,6 @@ case @expr.kind of
 | 327 = @co_await
 | 328 = @co_yield
 | 329 = @temp_init
-| 330 = @isassignable
-| 331 = @isaggregate
-| 332 = @hasuniqueobjectrepresentations
-| 333 = @builtinbitcast
-| 334 = @builtinshuffle
 ;

@var_args_expr = @vastartexpr
@@ -1716,11 +1711,6 @@ case @expr.kind of
            | @isfinalexpr
            | @builtinchooseexpr
            | @builtincomplex
-            | @isassignable
-            | @isaggregate
-            | @hasuniqueobjectrepresentations
-            | @builtinbitcast
-            | @builtinshuffle
            ;

 new_allocated_type(
--- a/cpp/ql/lib/semmlecode.cpp.dbscheme.stats
+++ b/cpp/ql/lib/semmlecode.cpp.dbscheme.stats
--- a/cpp/ql/lib/upgrades/19e31bf071f588bb7efd1e4d5a185ce4f6fbbd84/old.dbscheme
+++ b/cpp/ql/lib/upgrades/19e31bf071f588bb7efd1e4d5a185ce4f6fbbd84/old.dbscheme
--- a/cpp/ql/lib/upgrades/19e31bf071f588bb7efd1e4d5a185ce4f6fbbd84/semmlecode.cpp.dbscheme
+++ b/cpp/ql/lib/upgrades/19e31bf071f588bb7efd1e4d5a185ce4f6fbbd84/semmlecode.cpp.dbscheme
--- a/cpp/ql/lib/upgrades/19e31bf071f588bb7efd1e4d5a185ce4f6fbbd84/upgrade.properties
+++ b/cpp/ql/lib/upgrades/19e31bf071f588bb7efd1e4d5a185ce4f6fbbd84/upgrade.properties
@@ -1,2 +0,0 @@
-description: Add new builtin operations
-compatibility: backwards
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,9 +1,3 @@
-## 0.3.0
-
-### Breaking Changes
-
-* Contextual queries and the query libraries they depend on have been moved to the `codeql/cpp-all` package.
-
 ## 0.2.0

 ## 0.1.4
--- a/cpp/ql/src/IDEContextual.qll
+++ b/cpp/ql/src/IDEContextual.qll
--- a/Bugs/Conversion/LossyFunctionResultCast.ql
+++ b/Bugs/Conversion/LossyFunctionResultCast.ql
@@ -44,7 +44,7 @@ predicate whiteListWrapped(FunctionCall fc) {

 from FunctionCall c, FloatingPointType t1, IntegralType t2
 where
-  pragma[only_bind_into](t1) = c.getTarget().getType().getUnderlyingType() and
+  t1 = c.getTarget().getType().getUnderlyingType() and
  t2 = c.getActualType() and
  c.hasImplicitConversion() and
  not whiteListWrapped(c)
--- a/Management/ReturnStackAllocatedMemory.ql
+++ b/Management/ReturnStackAllocatedMemory.ql
@@ -18,7 +18,7 @@ import semmle.code.cpp.ir.IR
 import semmle.code.cpp.ir.dataflow.MustFlow
 import PathGraph

-/** Holds if `f` has a name that we interpret as evidence of intentionally returning the value of the stack pointer. */
+/** Holds if `f` has a name that we intrepret as evidence of intentionally returning the value of the stack pointer. */
 predicate intentionallyReturnsStackPointer(Function f) {
  f.getName().toLowerCase().matches(["%stack%", "%sp%"])
 }
@@ -74,12 +74,13 @@ class ReturnStackAllocatedMemoryConfig extends MustFlowConfiguration {

 from
  MustFlowPathNode source, MustFlowPathNode sink, VariableAddressInstruction var,
-  ReturnStackAllocatedMemoryConfig conf
+  ReturnStackAllocatedMemoryConfig conf, Function f
 where
-  conf.hasFlowPath(pragma[only_bind_into](source), pragma[only_bind_into](sink)) and
+  conf.hasFlowPath(source, sink) and
  source.getNode().asInstruction() = var and
  // Only raise an alert if we're returning from the _same_ callable as the on that
  // declared the stack variable.
-  var.getEnclosingFunction() = sink.getNode().getEnclosingCallable()
+  var.getEnclosingFunction() = pragma[only_bind_into](f) and
+  sink.getNode().getEnclosingCallable() = pragma[only_bind_into](f)
 select sink.getNode(), source, sink, "May return stack-allocated memory from $@.", var.getAst(),
  var.getAst().toString()
--- a/Management/UsingExpiredStackAddress.ql
+++ b/Management/UsingExpiredStackAddress.ql
@@ -133,9 +133,7 @@ TGlobalAddress globalAddress(Instruction instr) {
  )
  or
  exists(FieldAddressInstruction fai | instr = fai |
-    result =
-      TFieldAddress(globalAddress(pragma[only_bind_into](fai.getObjectAddress())),
-        pragma[only_bind_out](fai.getField()))
+    result = TFieldAddress(globalAddress(fai.getObjectAddress()), fai.getField())
  )
  or
  result = globalAddress(instr.(PointerOffsetInstruction).getLeft())
--- a/Bugs/UseInOwnInitializer.ql
+++ b/Bugs/UseInOwnInitializer.ql
@@ -15,7 +15,6 @@ class VariableAccessInInitializer extends VariableAccess {
  Variable var;
  Initializer init;

-  pragma[nomagic]
  VariableAccessInInitializer() {
    init.getDeclaration() = var and
    init.getExpr().getAChild*() = this
--- a/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
@@ -77,7 +77,7 @@ class ExecState extends DataFlow::FlowState {
  ExecState() {
    this =
      "ExecState (" + fst.getLocation() + " | " + fst + ", " + snd.getLocation() + " | " + snd + ")" and
-    interestingConcatenation(pragma[only_bind_into](fst), pragma[only_bind_into](snd))
+    interestingConcatenation(fst, snd)
  }

  DataFlow::Node getFstNode() { result = fst }
--- a/cpp/ql/src/change-notes/released/0.3.0.md
+++ b/cpp/ql/src/change-notes/released/0.3.0.md
@@ -1,5 +0,0 @@
-## 0.3.0
-
-### Breaking Changes
-
-* Contextual queries and the query libraries they depend on have been moved to the `codeql/cpp-all` package.
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.3.0
+lastReleaseVersion: 0.2.0
--- a/cpp/ql/src/definitions.qll
+++ b/cpp/ql/src/definitions.qll
--- a/cpp/ql/src/localDefinitions.ql
+++ b/cpp/ql/src/localDefinitions.ql
--- a/cpp/ql/src/localReferences.ql
+++ b/cpp/ql/src/localReferences.ql
--- a/cpp/ql/src/printAst.ql
+++ b/cpp/ql/src/printAst.ql
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 0.3.1-dev
+version: 0.2.0
 groups: 
  - cpp
  - queries
--- a/cpp/ql/test/library-tests/builtins/edg/edg.c
+++ b/cpp/ql/test/library-tests/builtins/edg/edg.c
@@ -1,4 +1,4 @@
-// semmle-extractor-options: --clang
+
 struct mystruct {
    int f1;
    int f2;
@@ -13,6 +13,3 @@ void f(void) {
    int i2 = edg_offsetof(struct mystruct,f2);
 }

-void g(void) {
-    double f = __builtin_bit_cast(double,42l);
-}
--- a/cpp/ql/test/library-tests/builtins/edg/expr.expected
+++ b/cpp/ql/test/library-tests/builtins/edg/expr.expected
@@ -13,6 +13,3 @@
 | edg.c:13:14:13:45 | (size_t)... | 0 | 0 |
 | edg.c:13:14:13:45 | __INTADDR__ | 1 | 1 |
 | edg.c:13:43:13:44 | f2 | 0 | 0 |
-| edg.c:17:16:17:45 | __builtin_bit_cast | 1 | 1 |
-| edg.c:17:16:17:45 | double | 0 | 0 |
-| edg.c:17:42:17:44 | 42 | 1 | 1 |
--- a/cpp/ql/test/library-tests/builtins/type_traits/expr.expected
+++ b/cpp/ql/test/library-tests/builtins/type_traits/expr.expected
@@ -296,20 +296,3 @@
 | ms.cpp:255:24:255:43 | a_struct |  | <none> |
 | ms.cpp:256:24:256:49 | __is_final | a_final_struct | 1 |
 | ms.cpp:256:24:256:49 | a_final_struct |  | <none> |
-| ms.cpp:258:29:258:62 | __is_assignable | a_struct,a_struct | 1 |
-| ms.cpp:258:29:258:62 | a_struct |  | <none> |
-| ms.cpp:258:29:258:62 | a_struct |  | <none> |
-| ms.cpp:259:29:259:59 | __is_assignable | a_struct,empty | 0 |
-| ms.cpp:259:29:259:59 | a_struct |  | <none> |
-| ms.cpp:259:29:259:59 | empty |  | <none> |
-| ms.cpp:260:29:260:57 | __is_assignable | a_struct,int | 0 |
-| ms.cpp:260:29:260:57 | a_struct |  | <none> |
-| ms.cpp:260:29:260:57 | int |  | <none> |
-| ms.cpp:262:28:262:51 | __is_aggregate | a_struct | 1 |
-| ms.cpp:262:28:262:51 | a_struct |  | <none> |
-| ms.cpp:263:28:263:46 | __is_aggregate | int | 0 |
-| ms.cpp:263:28:263:46 | int |  | <none> |
-| ms.cpp:265:49:265:88 | __has_unique_object_representations | int | 1 |
-| ms.cpp:265:49:265:88 | int |  | <none> |
-| ms.cpp:266:49:266:90 | __has_unique_object_representations | float | 0 |
-| ms.cpp:266:49:266:90 | float |  | <none> |
--- a/cpp/ql/test/library-tests/builtins/type_traits/ms.cpp
+++ b/cpp/ql/test/library-tests/builtins/type_traits/ms.cpp
@@ -254,14 +254,5 @@ void f(void) {

    bool b_is_final1 = __is_final(a_struct);
    bool b_is_final2 = __is_final(a_final_struct);
-
-    bool b_is_assignable1 = __is_assignable(a_struct,a_struct);
-    bool b_is_assignable2 = __is_assignable(a_struct,empty);
-    bool b_is_assignable3 = __is_assignable(a_struct,int);
-
-    bool b_is_aggregate1 = __is_aggregate(a_struct);
-    bool b_is_aggregate2 = __is_aggregate(int);
-
-    bool b_has_unique_object_representations1 = __has_unique_object_representations(int);
-    bool b_has_unique_object_representations2 = __has_unique_object_representations(float);
 }
+
--- a/cpp/ql/test/library-tests/controlflow/nullness/nullness.expected
+++ b/cpp/ql/test/library-tests/controlflow/nullness/nullness.expected
@@ -1,20 +0,0 @@
-| test.cpp:9:9:9:9 | v | test.cpp:5:13:5:13 | v | is not null | is valid |
-| test.cpp:10:9:10:10 | ! ... | test.cpp:5:13:5:13 | v | is null | is not valid |
-| test.cpp:11:9:11:14 | ... == ... | test.cpp:5:13:5:13 | v | is null | is not valid |
-| test.cpp:12:9:12:17 | ... == ... | test.cpp:5:13:5:13 | v | is not null | is valid |
-| test.cpp:13:9:13:14 | ... != ... | test.cpp:5:13:5:13 | v | is not null | is valid |
-| test.cpp:14:9:14:17 | ... != ... | test.cpp:5:13:5:13 | v | is null | is not valid |
-| test.cpp:15:8:15:23 | call to __builtin_expect | test.cpp:5:13:5:13 | v | is not null | is valid |
-| test.cpp:16:8:16:23 | call to __builtin_expect | test.cpp:5:13:5:13 | v | is null | is not valid |
-| test.cpp:17:9:17:17 | ... && ... | test.cpp:5:13:5:13 | v | is not null | is valid |
-| test.cpp:18:9:18:17 | ... && ... | test.cpp:5:13:5:13 | v | is not null | is valid |
-| test.cpp:19:9:19:18 | ... && ... | test.cpp:5:13:5:13 | v | is null | is not valid |
-| test.cpp:20:9:20:18 | ... && ... | test.cpp:5:13:5:13 | v | is null | is not valid |
-| test.cpp:21:9:21:14 | ... = ... | test.cpp:5:13:5:13 | v | is null | is not valid |
-| test.cpp:21:9:21:14 | ... = ... | test.cpp:7:10:7:10 | b | is not null | is valid |
-| test.cpp:22:9:22:14 | ... = ... | test.cpp:5:13:5:13 | v | is not null | is not valid |
-| test.cpp:22:9:22:14 | ... = ... | test.cpp:7:13:7:13 | c | is not null | is not valid |
-| test.cpp:22:17:22:17 | c | test.cpp:7:13:7:13 | c | is not null | is valid |
-| test.cpp:23:21:23:21 | x | test.cpp:23:14:23:14 | x | is not null | is valid |
-| test.cpp:24:9:24:18 | (condition decl) | test.cpp:5:13:5:13 | v | is not null | is not valid |
-| test.cpp:24:9:24:18 | (condition decl) | test.cpp:24:14:24:14 | y | is not null | is valid |
--- a/cpp/ql/test/library-tests/controlflow/nullness/nullness.ql
+++ b/cpp/ql/test/library-tests/controlflow/nullness/nullness.ql
@@ -1,8 +0,0 @@
-import cpp
-
-from AnalysedExpr a, LocalScopeVariable v, string isNullCheck, string isValidCheck
-where
-  v.getAnAccess().getEnclosingStmt() = a.getParent() and
-  (if a.isNullCheck(v) then isNullCheck = "is null" else isNullCheck = "is not null") and
-  (if a.isValidCheck(v) then isValidCheck = "is valid" else isValidCheck = "is not valid")
-select a, v, isNullCheck, isValidCheck
--- a/cpp/ql/test/library-tests/controlflow/nullness/test.cpp
+++ b/cpp/ql/test/library-tests/controlflow/nullness/test.cpp
@@ -1,25 +0,0 @@
-// semmle-extractor-options: -std=c++17
-
-long __builtin_expect(long);
-     
-void f(int *v) {
-    int *w;
-    bool b, c;
-
-    if (v) {}
-    if (!v) {}
-    if (v == 0) {}
-    if ((!v) == 0) {}
-    if (v != 0) {}
-    if ((!v) != 0) {}
-    if(__builtin_expect((long)v)) {}
-    if(__builtin_expect((long)!v)) {}
-    if (true && v) {}
-    if (v && true) {}
-    if (true && !v) {}
-    if (!v && true) {}
-    if (b = !v) {}
-    if (c = !v; c) {}
-    if (int *x = v; x) {}
-    if (int *y = v) {}
-}
--- a/cpp/ql/test/library-tests/variables/global/variables.expected
+++ b/cpp/ql/test/library-tests/variables/global/variables.expected
@@ -4,7 +4,11 @@
 | c.c:6:5:6:6 | ls | array of 4 {int} | 1 |
 | c.c:8:5:8:7 | iss | array of 4 {array of 2 {int}} | 1 |
 | c.c:12:11:12:11 | i | typedef {int} as "int_alias" | 1 |
+| c.h:4:12:4:13 | ks | array of {int} | 1 |
+| c.h:8:12:8:14 | iss | array of {array of 2 {int}} | 1 |
+| c.h:10:12:10:12 | i | int | 1 |
 | d.cpp:3:7:3:8 | xs | array of {int} | 1 |
+| d.h:3:14:3:15 | xs | array of 2 {int} | 1 |
 | file://:0:0:0:0 | (unnamed parameter 0) | reference to {const {struct __va_list_tag}} | 1 |
 | file://:0:0:0:0 | (unnamed parameter 0) | rvalue reference to {struct __va_list_tag} | 1 |
 | file://:0:0:0:0 | fp_offset | unsigned int | 1 |
--- a/cpp/ql/test/library-tests/vector_types/builtin_ops.expected
+++ b/cpp/ql/test/library-tests/vector_types/builtin_ops.expected
@@ -1,4 +1,2 @@
-| vector_types2.cpp:10:15:10:42 | __builtin_shuffle |
-| vector_types2.cpp:11:15:11:45 | __builtin_shuffle |
 | vector_types.cpp:31:13:31:49 | __builtin_shufflevector |
 | vector_types.cpp:58:10:58:52 | __builtin_convertvector |
--- a/cpp/ql/test/library-tests/vector_types/variables.expected
+++ b/cpp/ql/test/library-tests/vector_types/variables.expected
@@ -13,12 +13,6 @@
 | file://:0:0:0:0 | gp_offset | gp_offset | file://:0:0:0:0 | unsigned int | 4 |
 | file://:0:0:0:0 | overflow_arg_area | overflow_arg_area | file://:0:0:0:0 | void * | 8 |
 | file://:0:0:0:0 | reg_save_area | reg_save_area | file://:0:0:0:0 | void * | 8 |
-| vector_types2.cpp:5:7:5:7 | a | a | vector_types2.cpp:2:13:2:15 | v4i | 16 |
-| vector_types2.cpp:6:7:6:7 | b | b | vector_types2.cpp:2:13:2:15 | v4i | 16 |
-| vector_types2.cpp:7:7:7:12 | mask_1 | mask_1 | vector_types2.cpp:2:13:2:15 | v4i | 16 |
-| vector_types2.cpp:8:7:8:12 | mask_2 | mask_2 | vector_types2.cpp:2:13:2:15 | v4i | 16 |
-| vector_types2.cpp:10:7:10:11 | res_1 | res_1 | vector_types2.cpp:2:13:2:15 | v4i | 16 |
-| vector_types2.cpp:11:7:11:11 | res_2 | res_2 | vector_types2.cpp:2:13:2:15 | v4i | 16 |
 | vector_types.cpp:9:21:9:21 | x | x | vector_types.cpp:6:15:6:17 | v4f | 16 |
 | vector_types.cpp:14:18:14:20 | lhs | lhs | vector_types.cpp:6:15:6:17 | v4f | 16 |
 | vector_types.cpp:14:27:14:29 | rhs | rhs | vector_types.cpp:6:15:6:17 | v4f | 16 |
--- a/cpp/ql/test/library-tests/vector_types/vector_types2.cpp
+++ b/cpp/ql/test/library-tests/vector_types/vector_types2.cpp
@@ -1,12 +0,0 @@
-// semmle-extractor-options: --gnu --gnu_version 80000
-typedef int v4i __attribute__((vector_size (16)));
-
-void f() {
-  v4i a = {1,2,3,4};
-  v4i b = {5,6,7,8};
-  v4i mask_1 = {3,0,1,2};
-  v4i mask_2 = {3,5,4,2};
-
-  v4i res_1 = __builtin_shuffle(a, mask_1);
-  v4i res_2 = __builtin_shuffle(a, b, mask_2);
-}
--- a/Bugs/Conversion/LossyFunctionResultCast/ImplicitDowncastFromBitfield.expected
+++ b/Bugs/Conversion/LossyFunctionResultCast/ImplicitDowncastFromBitfield.expected
--- a/Bugs/Conversion/LossyFunctionResultCast/ImplicitDowncastFromBitfield.qlref
+++ b/Bugs/Conversion/LossyFunctionResultCast/ImplicitDowncastFromBitfield.qlref
--- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
@@ -1,5 +1,3 @@
-## 1.2.1
-
 ## 1.2.0

 ## 1.1.4
--- a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.2.1.md
+++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.2.1.md
@@ -1 +0,0 @@
-## 1.2.1
--- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.2.1
+lastReleaseVersion: 1.2.0
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.2.2-dev
+version: 1.2.0
 groups:
    - csharp
    - solorigate
--- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
@@ -1,5 +1,3 @@
-## 1.2.1
-
 ## 1.2.0

 ## 1.1.4
--- a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.2.1.md
+++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.2.1.md
@@ -1 +0,0 @@
-## 1.2.1
--- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.2.1
+lastReleaseVersion: 1.2.0
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.2.2-dev
+version: 1.2.0
 groups:
    - csharp
    - solorigate
--- a/csharp/ql/lib/CHANGELOG.md
+++ b/csharp/ql/lib/CHANGELOG.md
@@ -1,5 +1,3 @@
-## 0.3.1
-
 ## 0.3.0

 ### Deprecated APIs
--- a/csharp/ql/lib/change-notes/released/0.3.1.md
+++ b/csharp/ql/lib/change-notes/released/0.3.1.md
@@ -1 +0,0 @@
-## 0.3.1
--- a/csharp/ql/lib/codeql-pack.release.yml
+++ b/csharp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.3.1
+lastReleaseVersion: 0.3.0
--- a/csharp/ql/lib/qlpack.yml
+++ b/csharp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 0.3.2-dev
+version: 0.3.0
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
--- a/csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImplShared.qll
+++ b/csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImplShared.qll
@@ -881,12 +881,7 @@ import Cached
 * graph is restricted to nodes from `RelevantNode`.
 */
 module TestOutput {
-  abstract class RelevantNode extends Node {
-    /**
-     * Gets a string used to resolve ties in node and edge ordering.
-     */
-    string getOrderDisambuigation() { result = "" }
-  }
+  abstract class RelevantNode extends Node { }

  query predicate nodes(RelevantNode n, string attr, string val) {
    attr = "semmle.order" and
@@ -899,8 +894,7 @@ module TestOutput {
            p
            order by
              l.getFile().getBaseName(), l.getFile().getAbsolutePath(), l.getStartLine(),
-              l.getStartColumn(), l.getEndLine(), l.getEndColumn(), p.toString(),
-              p.getOrderDisambuigation()
+              l.getStartColumn(), l.getEndLine(), l.getEndColumn(), p.toString()
          )
      ).toString()
  }
@@ -922,8 +916,7 @@ module TestOutput {
            s
            order by
              l.getFile().getBaseName(), l.getFile().getAbsolutePath(), l.getStartLine(),
-              l.getStartColumn(), l.getEndLine(), l.getEndColumn(), t.toString(), s.toString(),
-              s.getOrderDisambuigation()
+              l.getStartColumn(), l.getEndLine(), l.getEndColumn(), t.toString()
          )
      ).toString()
  }
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
@@ -428,7 +428,7 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    simpleLocalFlowStepExt(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    simpleLocalFlowStepExt(n1, n2) and
    stepFilter(node1, node2, config)
  )
  or
@@ -447,7 +447,7 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config)
  )
@@ -466,7 +466,7 @@ private predicate additionalLocalStateStep(
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), s1, pragma[only_bind_into](n2), s2) and
+    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not stateBarrier(node1, s1, config) and
@@ -481,7 +481,7 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    jumpStepCached(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    jumpStepCached(n1, n2) and
    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
@@ -494,7 +494,7 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -507,7 +507,7 @@ private predicate additionalJumpStateStep(
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), s1, pragma[only_bind_into](n2), s2) and
+    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not stateBarrier(node1, s1, config) and
@@ -518,7 +518,7 @@ private predicate additionalJumpStateStep(

 pragma[nomagic]
 private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
-  readSet(pragma[only_bind_into](node1.asNode()), c, pragma[only_bind_into](node2.asNode())) and
+  readSet(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -562,8 +562,7 @@ pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
-  store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
-    contentType) and
+  store(node1.asNode(), tc, node2.asNode(), contentType) and
  read(_, tc.getContent(), _, config) and
  stepFilter(node1, node2, config)
 }
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
@@ -428,7 +428,7 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    simpleLocalFlowStepExt(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    simpleLocalFlowStepExt(n1, n2) and
    stepFilter(node1, node2, config)
  )
  or
@@ -447,7 +447,7 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config)
  )
@@ -466,7 +466,7 @@ private predicate additionalLocalStateStep(
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), s1, pragma[only_bind_into](n2), s2) and
+    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not stateBarrier(node1, s1, config) and
@@ -481,7 +481,7 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    jumpStepCached(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    jumpStepCached(n1, n2) and
    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
@@ -494,7 +494,7 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -507,7 +507,7 @@ private predicate additionalJumpStateStep(
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), s1, pragma[only_bind_into](n2), s2) and
+    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not stateBarrier(node1, s1, config) and
@@ -518,7 +518,7 @@ private predicate additionalJumpStateStep(

 pragma[nomagic]
 private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
-  readSet(pragma[only_bind_into](node1.asNode()), c, pragma[only_bind_into](node2.asNode())) and
+  readSet(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -562,8 +562,7 @@ pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
-  store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
-    contentType) and
+  store(node1.asNode(), tc, node2.asNode(), contentType) and
  read(_, tc.getContent(), _, config) and
  stepFilter(node1, node2, config)
 }
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
@@ -428,7 +428,7 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    simpleLocalFlowStepExt(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    simpleLocalFlowStepExt(n1, n2) and
    stepFilter(node1, node2, config)
  )
  or
@@ -447,7 +447,7 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config)
  )
@@ -466,7 +466,7 @@ private predicate additionalLocalStateStep(
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), s1, pragma[only_bind_into](n2), s2) and
+    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not stateBarrier(node1, s1, config) and
@@ -481,7 +481,7 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    jumpStepCached(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    jumpStepCached(n1, n2) and
    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
@@ -494,7 +494,7 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -507,7 +507,7 @@ private predicate additionalJumpStateStep(
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), s1, pragma[only_bind_into](n2), s2) and
+    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not stateBarrier(node1, s1, config) and
@@ -518,7 +518,7 @@ private predicate additionalJumpStateStep(

 pragma[nomagic]
 private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
-  readSet(pragma[only_bind_into](node1.asNode()), c, pragma[only_bind_into](node2.asNode())) and
+  readSet(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -562,8 +562,7 @@ pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
-  store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
-    contentType) and
+  store(node1.asNode(), tc, node2.asNode(), contentType) and
  read(_, tc.getContent(), _, config) and
  stepFilter(node1, node2, config)
 }
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
@@ -428,7 +428,7 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    simpleLocalFlowStepExt(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    simpleLocalFlowStepExt(n1, n2) and
    stepFilter(node1, node2, config)
  )
  or
@@ -447,7 +447,7 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config)
  )
@@ -466,7 +466,7 @@ private predicate additionalLocalStateStep(
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), s1, pragma[only_bind_into](n2), s2) and
+    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not stateBarrier(node1, s1, config) and
@@ -481,7 +481,7 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    jumpStepCached(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    jumpStepCached(n1, n2) and
    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
@@ -494,7 +494,7 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -507,7 +507,7 @@ private predicate additionalJumpStateStep(
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), s1, pragma[only_bind_into](n2), s2) and
+    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not stateBarrier(node1, s1, config) and
@@ -518,7 +518,7 @@ private predicate additionalJumpStateStep(

 pragma[nomagic]
 private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
-  readSet(pragma[only_bind_into](node1.asNode()), c, pragma[only_bind_into](node2.asNode())) and
+  readSet(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -562,8 +562,7 @@ pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
-  store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
-    contentType) and
+  store(node1.asNode(), tc, node2.asNode(), contentType) and
  read(_, tc.getContent(), _, config) and
  stepFilter(node1, node2, config)
 }
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
@@ -428,7 +428,7 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    simpleLocalFlowStepExt(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    simpleLocalFlowStepExt(n1, n2) and
    stepFilter(node1, node2, config)
  )
  or
@@ -447,7 +447,7 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config)
  )
@@ -466,7 +466,7 @@ private predicate additionalLocalStateStep(
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), s1, pragma[only_bind_into](n2), s2) and
+    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not stateBarrier(node1, s1, config) and
@@ -481,7 +481,7 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    jumpStepCached(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    jumpStepCached(n1, n2) and
    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
@@ -494,7 +494,7 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -507,7 +507,7 @@ private predicate additionalJumpStateStep(
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), s1, pragma[only_bind_into](n2), s2) and
+    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not stateBarrier(node1, s1, config) and
@@ -518,7 +518,7 @@ private predicate additionalJumpStateStep(

 pragma[nomagic]
 private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
-  readSet(pragma[only_bind_into](node1.asNode()), c, pragma[only_bind_into](node2.asNode())) and
+  readSet(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -562,8 +562,7 @@ pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
-  store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
-    contentType) and
+  store(node1.asNode(), tc, node2.asNode(), contentType) and
  read(_, tc.getContent(), _, config) and
  stepFilter(node1, node2, config)
 }
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplForContentDataFlow.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplForContentDataFlow.qll
@@ -428,7 +428,7 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    simpleLocalFlowStepExt(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    simpleLocalFlowStepExt(n1, n2) and
    stepFilter(node1, node2, config)
  )
  or
@@ -447,7 +447,7 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config)
  )
@@ -466,7 +466,7 @@ private predicate additionalLocalStateStep(
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), s1, pragma[only_bind_into](n2), s2) and
+    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not stateBarrier(node1, s1, config) and
@@ -481,7 +481,7 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    jumpStepCached(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    jumpStepCached(n1, n2) and
    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
@@ -494,7 +494,7 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), pragma[only_bind_into](n2)) and
+    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
@@ -507,7 +507,7 @@ private predicate additionalJumpStateStep(
  exists(Node n1, Node n2 |
    node1.asNode() = n1 and
    node2.asNode() = n2 and
-    config.isAdditionalFlowStep(pragma[only_bind_into](n1), s1, pragma[only_bind_into](n2), s2) and
+    config.isAdditionalFlowStep(n1, s1, n2, s2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
    stepFilter(node1, node2, config) and
    not stateBarrier(node1, s1, config) and
@@ -518,7 +518,7 @@ private predicate additionalJumpStateStep(

 pragma[nomagic]
 private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
-  readSet(pragma[only_bind_into](node1.asNode()), c, pragma[only_bind_into](node2.asNode())) and
+  readSet(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -562,8 +562,7 @@ pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
-  store(pragma[only_bind_into](node1.asNode()), tc, pragma[only_bind_into](node2.asNode()),
-    contentType) and
+  store(node1.asNode(), tc, node2.asNode(), contentType) and
  read(_, tc.getContent(), _, config) and
  stepFilter(node1, node2, config)
 }
--- a/csharp/ql/src/CHANGELOG.md
+++ b/csharp/ql/src/CHANGELOG.md
@@ -1,9 +1,3 @@
-## 0.3.0
-
-### Breaking Changes
-
-* Contextual queries and the query libraries they depend on have been moved to the `codeql/csharp-all` package.
-
 ## 0.2.0

 ### Query Metadata Changes
--- a/csharp/ql/src/IDEContextual.qll
+++ b/csharp/ql/src/IDEContextual.qll
--- a/csharp/ql/src/change-notes/released/0.3.0.md
+++ b/csharp/ql/src/change-notes/released/0.3.0.md
@@ -1,5 +0,0 @@
-## 0.3.0
-
-### Breaking Changes
-
-* Contextual queries and the query libraries they depend on have been moved to the `codeql/csharp-all` package.
--- a/csharp/ql/src/codeql-pack.release.yml
+++ b/csharp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.3.0
+lastReleaseVersion: 0.2.0
--- a/csharp/ql/src/definitions.qll
+++ b/csharp/ql/src/definitions.qll
--- a/Features/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.cs
+++ b/Features/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.cs
@@ -1,44 +0,0 @@
-
-{
-    SymmetricKey aesKey = new SymmetricKey(kid: "symencryptionkey");
-
-    // BAD: Using the outdated client side encryption version V1_0
-    BlobEncryptionPolicy uploadPolicy = new BlobEncryptionPolicy(key: aesKey, keyResolver: null);
-    BlobRequestOptions uploadOptions = new BlobRequestOptions() { EncryptionPolicy = uploadPolicy };
-
-    MemoryStream stream = new MemoryStream(buffer);
-    blob.UploadFromStream(stream, length: size, accessCondition: null, options: uploadOptions);
-}
-
-var client = new BlobClient(myConnectionString, new SpecializedBlobClientOptions()
-{
-    // BAD: Using an outdated SDK that does not support client side encryption version V2_0
-    ClientSideEncryption = new ClientSideEncryptionOptions() 
-    {
-        KeyEncryptionKey = myKey,
-        KeyResolver = myKeyResolver,
-        KeyWrapAlgorihm = myKeyWrapAlgorithm
-    }
-});
-
-var client = new BlobClient(myConnectionString, new SpecializedBlobClientOptions()
-{
-    // BAD: Using the outdated client side encryption version V1_0
-    ClientSideEncryption = new ClientSideEncryptionOptions(ClientSideEncryptionVersion.V1_0) 
-    {
-        KeyEncryptionKey = myKey,
-        KeyResolver = myKeyResolver,
-        KeyWrapAlgorihm = myKeyWrapAlgorithm
-    }
-});
-
-var client = new BlobClient(myConnectionString, new SpecializedBlobClientOptions()
-{
-    // GOOD: Using client side encryption version V2_0
-    ClientSideEncryption = new ClientSideEncryptionOptions(ClientSideEncryptionVersion.V2_0) 
-    {
-        KeyEncryptionKey = myKey,
-        KeyResolver = myKeyResolver,
-        KeyWrapAlgorihm = myKeyWrapAlgorithm
-    }
-});
--- a/Features/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.qhelp
+++ b/Features/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.qhelp
@@ -1,29 +0,0 @@
-<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
-<qhelp>
-
-
-  <overview>
-    <p>Azure Storage .NET, Java, and Python SDKs support encryption on the client with a customer-managed key that is maintained in Azure Key Vault or another key store.</p>
-    <p>Current release versions of the Azure Storage SDKs use cipher block chaining (CBC mode) for client-side encryption (referred to as <code>v1</code>).</p>
-
-  </overview>
-  <recommendation>
-
-    <p>Consider switching to <code>v2</code> client-side encryption.</p>
-
-  </recommendation>
-  <example>
-
-    <sample src="UnsafeUsageOfClientSideEncryptionVersion.cs" />
-
-  </example>
-  <references>
-    <li>
-      <a href="http://aka.ms/azstorageclientencryptionblog">Azure Storage Client Encryption Blog.</a>
-    </li>
-    <li>
-      <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30187">CVE-2022-30187</a>
-    </li>
-
-  </references>
-</qhelp>
--- a/Features/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
+++ b/Features/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
@@ -1,81 +0,0 @@
-/**
- * @name Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-30187).
- * @description Unsafe usage of v1 version of Azure Storage client-side encryption, please refer to http://aka.ms/azstorageclientencryptionblog
- * @kind problem
- * @tags security
- *       cryptography
- *       external/cwe/cwe-327
- * @id cs/azure-storage/unsafe-usage-of-client-side-encryption-version
- * @problem.severity error
- * @precision high
- */
-
-import csharp
-
-/**
- * Holds if `oc` is creating an object of type `c` = `Azure.Storage.ClientSideEncryptionOptions`
- * and `e` is the `version` argument to the constructor
- */
-predicate isCreatingAzureClientSideEncryptionObject(ObjectCreation oc, Class c, Expr e) {
-  exists(Parameter p | p.hasName("version") |
-    c.hasQualifiedName("Azure.Storage.ClientSideEncryptionOptions") and
-    oc.getTarget() = c.getAConstructor() and
-    e = oc.getArgumentForParameter(p)
-  )
-}
-
-/**
- * Holds if `oc` is an object creation of the outdated type `c` = `Microsoft.Azure.Storage.Blob.BlobEncryptionPolicy`
- */
-predicate isCreatingOutdatedAzureClientSideEncryptionObject(ObjectCreation oc, Class c) {
-  c.hasQualifiedName("Microsoft.Azure.Storage.Blob.BlobEncryptionPolicy") and
-  oc.getTarget() = c.getAConstructor()
-}
-
-/**
- * Holds if the Azure.Storage assembly for `c` is a version known to support
- * version 2+ for client-side encryption
- */
-predicate doesAzureStorageAssemblySupportSafeClientSideEncryption(Assembly asm) {
-  exists(int versionCompare |
-    versionCompare = asm.getVersion().compareTo("12.12.0.0") and
-    versionCompare >= 0
-  ) and
-  asm.getName() = "Azure.Storage.Common"
-}
-
-/**
- * Holds if the Azure.Storage assembly for `c` is a version known to support
- * version 2+ for client-side encryption and if the argument for the constructor `version`
- * is set to a secure value.
- */
-predicate isObjectCreationArgumentSafeAndUsingSafeVersionOfAssembly(Expr versionExpr, Assembly asm) {
-  // Check if the Azure.Storage assembly version has the fix
-  doesAzureStorageAssemblySupportSafeClientSideEncryption(asm) and
-  // and that the version argument for the constructor is guaranteed to be Version2
-  isExprAnAccessToSafeClientSideEncryptionVersionValue(versionExpr)
-}
-
-/**
- * Holds if the expression `e` is an access to a safe version of the enum `ClientSideEncryptionVersion`
- * or an equivalent numeric value
- */
-predicate isExprAnAccessToSafeClientSideEncryptionVersionValue(Expr e) {
-  exists(EnumConstant ec |
-    ec.hasQualifiedName("Azure.Storage.ClientSideEncryptionVersion.V2_0") and
-    ec.getAnAccess() = e
-  )
-}
-
-from Expr e, Class c, Assembly asm
-where
-  asm = c.getLocation() and
-  (
-    exists(Expr e2 |
-      isCreatingAzureClientSideEncryptionObject(e, c, e2) and
-      not isObjectCreationArgumentSafeAndUsingSafeVersionOfAssembly(e2, asm)
-    )
-    or
-    isCreatingOutdatedAzureClientSideEncryptionObject(e, c)
-  )
-select e, "Unsafe usage of v1 version of Azure Storage client-side encryption."
--- a/csharp/ql/src/localDefinitions.ql
+++ b/csharp/ql/src/localDefinitions.ql
--- a/csharp/ql/src/localReferences.ql
+++ b/csharp/ql/src/localReferences.ql
--- a/csharp/ql/src/printAst.ql
+++ b/csharp/ql/src/printAst.ql
--- a/csharp/ql/src/qlpack.yml
+++ b/csharp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 0.3.1-dev
+version: 0.2.0
 groups: 
  - csharp
  - queries
--- a/csharp/tools/tracing-config.lua
+++ b/csharp/tools/tracing-config.lua
@@ -2,54 +2,7 @@ function RegisterExtractorPack(id)
    local extractor = GetPlatformToolsDirectory() ..
                          'Semmle.Extraction.CSharp.Driver'
    if OperatingSystem == 'windows' then extractor = extractor .. '.exe' end
-
-    function DotnetMatcherBuild(compilerName, compilerPath, compilerArguments,
-                                _languageId)
-        if compilerName ~= 'dotnet' and compilerName ~= 'dotnet.exe' then
-            return nil
-        end
-
-        -- The dotnet CLI has the following usage instructions:
-        -- dotnet [sdk-options] [command] [command-options] [arguments]
-        -- we are interested in dotnet build, which has the following usage instructions:
-        -- dotnet [options] build [<PROJECT | SOLUTION>...]
-        -- For now, parse the command line as follows:
-        -- Everything that starts with `-` (or `/`) will be ignored.
-        -- The first non-option argument is treated as the command.
-        -- if that's `build`, we append `/p:UseSharedCompilation=false` to the command line,
-        -- otherwise we do nothing.
-        local match = false
-        local argv = compilerArguments.argv
-        if OperatingSystem == 'windows' then
-            -- let's hope that this split matches the escaping rules `dotnet` applies to command line arguments
-            -- or, at least, that it is close enough
-            argv =
-                NativeArgumentsToArgv(compilerArguments.nativeArgumentPointer)
-        end
-        for i, arg in ipairs(argv) do
-            -- dotnet options start with either - or / (both are legal)
-            local firstCharacter = string.sub(arg, 1, 1)
-            if not (firstCharacter == '-') and not (firstCharacter == '/') then
-                Log(1, 'Dotnet subcommand detected: %s', arg)
-                if arg == 'build' then match = true end
-                break
-            end
-        end
-        if match then
-            return {
-                order = ORDER_REPLACE,
-                invocation = BuildExtractorInvocation(id, compilerPath,
-                                                      compilerPath,
-                                                      compilerArguments, nil, {
-                    '/p:UseSharedCompilation=false'
-                })
-            }
-        end
-        return nil
-    end
-
    local windowsMatchers = {
-        DotnetMatcherBuild,
        CreatePatternMatcher({'^dotnet%.exe$'}, MatchCompilerName, extractor, {
            prepend = {'--dotnetexec', '--cil'},
            order = ORDER_BEFORE
@@ -57,21 +10,22 @@ function RegisterExtractorPack(id)
        CreatePatternMatcher({'^csc.*%.exe$'}, MatchCompilerName, extractor, {
            prepend = {'--compiler', '"${compiler}"', '--cil'},
            order = ORDER_BEFORE
+
        }),
        CreatePatternMatcher({'^fakes.*%.exe$', 'moles.*%.exe'},
                             MatchCompilerName, nil, {trace = false})
    }
    local posixMatchers = {
-        DotnetMatcherBuild,
-        CreatePatternMatcher({'^mono', '^dotnet$'}, MatchCompilerName,
-                             extractor, {
-            prepend = {'--dotnetexec', '--cil'},
-            order = ORDER_BEFORE
-        }),
        CreatePatternMatcher({'^mcs%.exe$', '^csc%.exe$'}, MatchCompilerName,
                             extractor, {
            prepend = {'--compiler', '"${compiler}"', '--cil'},
            order = ORDER_BEFORE
+
+        }),
+        CreatePatternMatcher({'^mono', '^dotnet$'}, MatchCompilerName,
+                             extractor, {
+            prepend = {'--dotnetexec', '--cil'},
+            order = ORDER_BEFORE
        }), function(compilerName, compilerPath, compilerArguments, _languageId)
            if MatchCompilerName('^msbuild$', compilerName, compilerPath,
                                 compilerArguments) or
@@ -95,6 +49,7 @@ function RegisterExtractorPack(id)
    else
        return posixMatchers
    end
+
 end

 -- Return a list of minimum supported versions of the configuration file format
--- a/docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst
+++ b/docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst
@@ -135,47 +135,6 @@ pack names and use the ``--download`` flag::
 The ``analyze`` command above runs the default suite from ``microsoft/coding-standards v1.0.0`` and the latest version of ``github/security-queries`` on the specified database.
 For further information about default suites, see ":ref:`Publishing and using CodeQL packs <publishing-and-using-codeql-packs>`".

-Running a subset of queries in a CodeQL pack
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-If you are using CodeQL CLI v2.8.1 or later, you can include a path at the end of a pack specification to run a subset of queries inside the pack. This applies to any command that locates or runs queries within a pack.
-
-The complete way to specify a set of queries is in the form ``scope/name@range:path``, where:
-
- ``scope/name`` is the qualified name of a CodeQL pack.
- ``range`` is a `semver range <https://docs.npmjs.com/cli/v6/using-npm/semver#ranges>`_.
- ``path`` is a file system path to a single query, a directory containing queries, or a query suite file.
-
-When you specify a ``scope/name``, the ``range`` and ``path`` are
-optional. If you omit a ``range`` then the latest version of the
-specified pack is used. If you omit a ``path`` then the default query suite
-of the specified pack is used.
-
-The ``path`` can be one of a ``*.ql`` query file, a directory
-containing one or more queries, or a ``.qls`` query suite file. If
-you omit a pack name, then you must provide a ``path``,
-which will be interpreted relative to the working directory
-of the current process.
-
-If you specify a ``scope/name`` and ``path``, then the ``path`` cannot
-be absolute. It is considered relative to the root of the CodeQL
-pack.
-
-To analyze a database using all queries in the `experimental/Security` folder within the `codeql/cpp-queries` CodeQL pack you can use::
-
-    codeql database analyze --format=sarif-latest --output=results <db> \
-        codeql/cpp-queries:experimental/Security
-
-To run the `RedundantNullCheckParam.ql` query in the `codeql/cpp-queries` CodeQL pack use::
-
-    codeql database analyze --format=sarif-latest --output=results <db> \
-        'codeql/cpp-queries:experimental/Likely Bugs/RedundantNullCheckParam.ql'
-
-To analyze your database using the `cpp-security-and-quality.qls` query suite from a version of the `codeql/cpp-queries` CodeQL pack that is >= 0.0.3 and < 0.1.0 (the highest compatible version will be chosen) you can use::
-
-    codeql database analyze --format=sarif-latest --output=results <db> \
-       'codeql/cpp-queries@~0.0.3:codeql-suites/cpp-security-and-quality.qls'
-
 For more information about CodeQL packs, see :doc:`About CodeQL Packs <about-codeql-packs>`.

 Running query suites
@@ -264,7 +223,7 @@ you can include the query help for your custom queries in SARIF files generated
 After uploading the SARIF file to GitHub, the query help is shown in the code scanning UI for any
 alerts generated by the custom queries.

-From CodeQL CLI v2.7.1 onwards, you can include markdown-rendered query help in SARIF files
+From CodeQL CLI 2.7.1 onwards, you can include markdown-rendered query help in SARIF files
 by providing the ``--sarif-add-query-help`` option when running
 ``codeql database analyze``.
 For more information, see `Configuring CodeQL CLI in your CI system <https://docs.github.com/en/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-cli-in-your-ci-system#analyzing-a-codeql-database>`__
--- a/Show More
+++ b/Show More