Ruby: remove duplicated word

Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>

.codeqlmanifest.json

@@ -10,7 +10,14 @@
         "javascript/ql/experimental/adaptivethreatmodeling/src/qlpack.yml",
         "misc/legacy-support/*/qlpack.yml",
         "misc/suite-helpers/qlpack.yml",
-        "ruby/ql/consistency-queries/qlpack.yml",
-        "ruby/extractor-pack/codeql-extractor.yml"
-   ]
-}
+        "ruby/extractor-pack/codeql-extractor.yml",
+        "ruby/ql/consistency-queries/qlpack.yml"
+    ],
+    "versionPolicies": {
+      "default": {
+        "requireChangeNotes": true,
+        "committedPrereleaseSuffix": "dev",
+        "committedVersion": "nextPatchRelease"
+      }
+    }
+}

cpp/autobuilder/Semmle.Autobuild.Cpp/Semmle.Autobuild.Cpp.csproj

@@ -17,7 +17,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Build" Version="16.9.0" />
+    <PackageReference Include="Microsoft.Build" Version="16.11.0" />
   </ItemGroup>
 
   <ItemGroup>

cpp/ql/lib/CHANGELOG.md

@@ -0,0 +1,7 @@
+## 0.0.4
+
+### New Features
+
+* The QL library `semmle.code.cpp.commons.Exclusions` now contains a predicate
+  `isFromSystemMacroDefinition` for identifying code that originates from a
+  macro outside the project being analyzed.

cpp/ql/lib/change-notes/released/0.0.4.md

@@ -0,0 +1,7 @@
+## 0.0.4
+
+### New Features
+
+* The QL library `semmle.code.cpp.commons.Exclusions` now contains a predicate
+  `isFromSystemMacroDefinition` for identifying code that originates from a
+  macro outside the project being analyzed.

cpp/ql/lib/codeql-pack.release.yml

@@ -0,0 +1,2 @@
+---
+lastReleaseVersion: 0.0.4

cpp/ql/lib/qlpack.yml

@@ -1,7 +1,8 @@
 name: codeql/cpp-all
-version: 0.0.2
+version: 0.0.5-dev
+groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
 library: true
 dependencies:
-  codeql/cpp-upgrades: 0.0.2
+  codeql/cpp-upgrades: ^0.0.3

cpp/ql/lib/semmle/code/cpp/commons/Printf.qll

@@ -9,6 +9,83 @@ import semmle.code.cpp.models.interfaces.FormattingFunction
 private import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 private import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
 
+private newtype TBufferWriteEstimationReason =
+  TNoSpecifiedEstimateReason() or
+  TTypeBoundsAnalysis() or
+  TValueFlowAnalysis()
+
+/**
+ * A reason for a specific buffer write size estimate.
+ */
+abstract class BufferWriteEstimationReason extends TBufferWriteEstimationReason {
+  /**
+   * Returns the name of the concrete class.
+   */
+  abstract string toString();
+
+  /**
+   * Returns a human readable representation of this reason.
+   */
+  abstract string getDescription();
+
+  /**
+   * Combine estimate reasons. Used to give a reason for the size of a format string
+   * conversion given reasons coming from its individual specifiers.
+   */
+  abstract BufferWriteEstimationReason combineWith(BufferWriteEstimationReason other);
+}
+
+/**
+ * No particular reason given. This is currently used for backward compatibility so that
+ * classes derived from BufferWrite and overriding `getMaxData/0` still work with the
+ * queries as intended.
+ */
+class NoSpecifiedEstimateReason extends BufferWriteEstimationReason, TNoSpecifiedEstimateReason {
+  override string toString() { result = "NoSpecifiedEstimateReason" }
+
+  override string getDescription() { result = "no reason specified" }
+
+  override BufferWriteEstimationReason combineWith(BufferWriteEstimationReason other) {
+    // this reason should not be used in format specifiers, so it should not be combined
+    // with other reasons
+    none()
+  }
+}
+
+/**
+ * The estimation comes from rough bounds just based on the type (e.g.
+ * `0 <= x < 2^32` for an unsigned 32 bit integer).
+ */
+class TypeBoundsAnalysis extends BufferWriteEstimationReason, TTypeBoundsAnalysis {
+  override string toString() { result = "TypeBoundsAnalysis" }
+
+  override string getDescription() { result = "based on type bounds" }
+
+  override BufferWriteEstimationReason combineWith(BufferWriteEstimationReason other) {
+    other != TNoSpecifiedEstimateReason() and result = TTypeBoundsAnalysis()
+  }
+}
+
+/**
+ * The estimation comes from non trivial bounds found via actual flow analysis.
+ * For example
+ * ```
+ * unsigned u = x;
+ * if (u < 1000) {
+ *    //...  <- estimation done here based on u
+ * }
+ * ```
+ */
+class ValueFlowAnalysis extends BufferWriteEstimationReason, TValueFlowAnalysis {
+  override string toString() { result = "ValueFlowAnalysis" }
+
+  override string getDescription() { result = "based on flow analysis of value bounds" }
+
+  override BufferWriteEstimationReason combineWith(BufferWriteEstimationReason other) {
+    other != TNoSpecifiedEstimateReason() and result = other
+  }
+}
+
 class PrintfFormatAttribute extends FormatAttribute {
   PrintfFormatAttribute() { this.getArchetype() = ["printf", "__printf__"] }
 }
@@ -990,7 +1067,14 @@ class FormatLiteral extends Literal {
    * conversion specifier of this format string; has no result if this cannot
    * be determined.
    */
-  int getMaxConvertedLength(int n) {
+  int getMaxConvertedLength(int n) { result = max(getMaxConvertedLength(n, _)) }
+
+  /**
+   * Gets the maximum length of the string that can be produced by the nth
+   * conversion specifier of this format string, specifying the estimation reason;
+   * has no result if this cannot be determined.
+   */
+  int getMaxConvertedLength(int n, BufferWriteEstimationReason reason) {
     exists(int len |
       (
         (
@@ -1002,10 +1086,12 @@ class FormatLiteral extends Literal {
       ) and
       (
         this.getConversionChar(n) = "%" and
-        len = 1
+        len = 1 and
+        reason = TValueFlowAnalysis()
         or
         this.getConversionChar(n).toLowerCase() = "c" and
-        len = 1 // e.g. 'a'
+        len = 1 and
+        reason = TValueFlowAnalysis() // e.g. 'a'
         or
         this.getConversionChar(n).toLowerCase() = "f" and
         exists(int dot, int afterdot |
@@ -1019,7 +1105,8 @@ class FormatLiteral extends Literal {
             afterdot = 6
           ) and
           len = 1 + 309 + dot + afterdot
-        ) // e.g. -1e308="-100000"...
+        ) and
+        reason = TTypeBoundsAnalysis() // e.g. -1e308="-100000"...
         or
         this.getConversionChar(n).toLowerCase() = "e" and
         exists(int dot, int afterdot |
@@ -1033,7 +1120,8 @@ class FormatLiteral extends Literal {
             afterdot = 6
           ) and
           len = 1 + 1 + dot + afterdot + 1 + 1 + 3
-        ) // -1e308="-1.000000e+308"
+        ) and
+        reason = TTypeBoundsAnalysis() // -1e308="-1.000000e+308"
         or
         this.getConversionChar(n).toLowerCase() = "g" and
         exists(int dot, int afterdot |
@@ -1056,67 +1144,80 @@ class FormatLiteral extends Literal {
           //       (e.g. 123456, 0.000123456 are just OK)
           //       so case %f can be at most P characters + 4 zeroes, sign, dot = P + 6
           len = (afterdot.maximum(1) + 6).maximum(1 + 1 + dot + afterdot + 1 + 1 + 3)
-        ) // (e.g. "-1.59203e-319")
+        ) and
+        reason = TTypeBoundsAnalysis() // (e.g. "-1.59203e-319")
         or
         this.getConversionChar(n).toLowerCase() = ["d", "i"] and
         // e.g. -2^31 = "-2147483648"
-        len =
-          min(float cand |
-            // The first case handles length sub-specifiers
-            // Subtract one in the exponent because one bit is for the sign.
-            // Add 1 to account for the possible sign in the output.
-            cand = 1 + lengthInBase10(2.pow(this.getIntegralDisplayType(n).getSize() * 8 - 1))
-            or
-            // The second case uses range analysis to deduce a length that's shorter than the length
-            // of the number -2^31.
-            exists(Expr arg, float lower, float upper |
-              arg = this.getUse().getConversionArgument(n) and
-              lower = lowerBound(arg.getFullyConverted()) and
-              upper = upperBound(arg.getFullyConverted())
-            |
-              cand =
-                max(int cand0 |
-                  // Include the sign bit in the length if it can be negative
-                  (
-                    if lower < 0
-                    then cand0 = 1 + lengthInBase10(lower.abs())
-                    else cand0 = lengthInBase10(lower)
-                  )
-                  or
-                  (
-                    if upper < 0
-                    then cand0 = 1 + lengthInBase10(upper.abs())
-                    else cand0 = lengthInBase10(upper)
-                  )
+        exists(float typeBasedBound, float valueBasedBound |
+          // The first case handles length sub-specifiers
+          // Subtract one in the exponent because one bit is for the sign.
+          // Add 1 to account for the possible sign in the output.
+          typeBasedBound =
+            1 + lengthInBase10(2.pow(this.getIntegralDisplayType(n).getSize() * 8 - 1)) and
+          // The second case uses range analysis to deduce a length that's shorter than the length
+          // of the number -2^31.
+          exists(Expr arg, float lower, float upper, float typeLower, float typeUpper |
+            arg = this.getUse().getConversionArgument(n) and
+            lower = lowerBound(arg.getFullyConverted()) and
+            upper = upperBound(arg.getFullyConverted()) and
+            typeLower = exprMinVal(arg.getFullyConverted()) and
+            typeUpper = exprMaxVal(arg.getFullyConverted())
+          |
+            valueBasedBound =
+              max(int cand |
+                // Include the sign bit in the length if it can be negative
+                (
+                  if lower < 0
+                  then cand = 1 + lengthInBase10(lower.abs())
+                  else cand = lengthInBase10(lower)
                 )
+                or
+                (
+                  if upper < 0
+                  then cand = 1 + lengthInBase10(upper.abs())
+                  else cand = lengthInBase10(upper)
+                )
+              ) and
+            (
+              if lower > typeLower or upper < typeUpper
+              then reason = TValueFlowAnalysis()
+              else reason = TTypeBoundsAnalysis()
             )
-          )
+          ) and
+          len = valueBasedBound.minimum(typeBasedBound)
+        )
         or
         this.getConversionChar(n).toLowerCase() = "u" and
         // e.g. 2^32 - 1 = "4294967295"
-        len =
-          min(float cand |
-            // The first case handles length sub-specifiers
-            cand = 2.pow(this.getIntegralDisplayType(n).getSize() * 8)
-            or
-            // The second case uses range analysis to deduce a length that's shorter than
-            // the length of the number 2^31 - 1.
-            exists(Expr arg, float lower |
-              arg = this.getUse().getConversionArgument(n) and
-              lower = lowerBound(arg.getFullyConverted())
-            |
-              cand =
-                max(float cand0 |
+        exists(float typeBasedBound, float valueBasedBound |
+          // The first case handles length sub-specifiers
+          typeBasedBound = lengthInBase10(2.pow(this.getIntegralDisplayType(n).getSize() * 8) - 1) and
+          // The second case uses range analysis to deduce a length that's shorter than
+          // the length of the number 2^31 - 1.
+          exists(Expr arg, float lower, float upper, float typeLower, float typeUpper |
+            arg = this.getUse().getConversionArgument(n) and
+            lower = lowerBound(arg.getFullyConverted()) and
+            upper = upperBound(arg.getFullyConverted()) and
+            typeLower = exprMinVal(arg.getFullyConverted()) and
+            typeUpper = exprMaxVal(arg.getFullyConverted())
+          |
+            valueBasedBound =
+              lengthInBase10(max(float cand |
                   // If lower can be negative we use `(unsigned)-1` as the candidate value.
                   lower < 0 and
-                  cand0 = 2.pow(any(IntType t | t.isUnsigned()).getSize() * 8)
+                  cand = 2.pow(any(IntType t | t.isUnsigned()).getSize() * 8)
                   or
-                  cand0 = upperBound(arg.getFullyConverted())
-                )
+                  cand = upper
+                )) and
+            (
+              if lower > typeLower or upper < typeUpper
+              then reason = TValueFlowAnalysis()
+              else reason = TTypeBoundsAnalysis()
             )
-          |
-            lengthInBase10(cand)
-          )
+          ) and
+          len = valueBasedBound.minimum(typeBasedBound)
+        )
         or
         this.getConversionChar(n).toLowerCase() = "x" and
         // e.g. "12345678"
@@ -1135,7 +1236,8 @@ class FormatLiteral extends Literal {
           (
             if this.hasAlternateFlag(n) then len = 2 + baseLen else len = baseLen // "0x"
           )
-        )
+        ) and
+        reason = TTypeBoundsAnalysis()
         or
         this.getConversionChar(n).toLowerCase() = "p" and
         exists(PointerType ptrType, int baseLen |
@@ -1144,7 +1246,8 @@ class FormatLiteral extends Literal {
           (
             if this.hasAlternateFlag(n) then len = 2 + baseLen else len = baseLen // "0x"
           )
-        )
+        ) and
+        reason = TValueFlowAnalysis()
         or
         this.getConversionChar(n).toLowerCase() = "o" and
         // e.g. 2^32 - 1 = "37777777777"
@@ -1163,14 +1266,16 @@ class FormatLiteral extends Literal {
           (
             if this.hasAlternateFlag(n) then len = 1 + baseLen else len = baseLen // "0"
           )
-        )
+        ) and
+        reason = TTypeBoundsAnalysis()
         or
         this.getConversionChar(n).toLowerCase() = "s" and
         len =
           min(int v |
             v = this.getPrecision(n) or
             v = this.getUse().getFormatArgument(n).(AnalysedString).getMaxLength() - 1 // (don't count null terminator)
-          )
+          ) and
+        reason = TValueFlowAnalysis()
       )
     )
   }
@@ -1182,10 +1287,19 @@ class FormatLiteral extends Literal {
    * determining whether a buffer overflow is caused by long float to string
    * conversions.
    */
-  int getMaxConvertedLengthLimited(int n) {
+  int getMaxConvertedLengthLimited(int n) { result = max(getMaxConvertedLengthLimited(n, _)) }
+
+  /**
+   * Gets the maximum length of the string that can be produced by the nth
+   * conversion specifier of this format string, specifying the reason for the
+   * estimation, except that float to string conversions are assumed to be 8
+   * characters.  This is helpful for determining whether a buffer overflow is
+   * caused by long float to string conversions.
+   */
+  int getMaxConvertedLengthLimited(int n, BufferWriteEstimationReason reason) {
     if this.getConversionChar(n).toLowerCase() = "f"
-    then result = this.getMaxConvertedLength(n).minimum(8)
-    else result = this.getMaxConvertedLength(n)
+    then result = this.getMaxConvertedLength(n, reason).minimum(8)
+    else result = this.getMaxConvertedLength(n, reason)
   }
 
   /**
@@ -1225,29 +1339,35 @@ class FormatLiteral extends Literal {
     )
   }
 
-  private int getMaxConvertedLengthAfter(int n) {
+  private int getMaxConvertedLengthAfter(int n, BufferWriteEstimationReason reason) {
     if n = this.getNumConvSpec()
-    then result = this.getConstantSuffix().length() + 1
+    then result = this.getConstantSuffix().length() + 1 and reason = TValueFlowAnalysis()
     else
-      result =
-        this.getConstantPart(n).length() + this.getMaxConvertedLength(n) +
-          this.getMaxConvertedLengthAfter(n + 1)
+      exists(BufferWriteEstimationReason headReason, BufferWriteEstimationReason tailReason |
+        result =
+          this.getConstantPart(n).length() + this.getMaxConvertedLength(n, headReason) +
+            this.getMaxConvertedLengthAfter(n + 1, tailReason) and
+        reason = headReason.combineWith(tailReason)
+      )
   }
 
-  private int getMaxConvertedLengthAfterLimited(int n) {
+  private int getMaxConvertedLengthAfterLimited(int n, BufferWriteEstimationReason reason) {
     if n = this.getNumConvSpec()
-    then result = this.getConstantSuffix().length() + 1
+    then result = this.getConstantSuffix().length() + 1 and reason = TValueFlowAnalysis()
     else
-      result =
-        this.getConstantPart(n).length() + this.getMaxConvertedLengthLimited(n) +
-          this.getMaxConvertedLengthAfterLimited(n + 1)
+      exists(BufferWriteEstimationReason headReason, BufferWriteEstimationReason tailReason |
+        result =
+          this.getConstantPart(n).length() + this.getMaxConvertedLengthLimited(n, headReason) +
+            this.getMaxConvertedLengthAfterLimited(n + 1, tailReason) and
+        reason = headReason.combineWith(tailReason)
+      )
   }
 
   /**
    * Gets the maximum length of the string that can be produced by this format
    * string.  Has no result if this cannot be determined.
    */
-  int getMaxConvertedLength() { result = this.getMaxConvertedLengthAfter(0) }
+  int getMaxConvertedLength() { result = this.getMaxConvertedLengthAfter(0, _) }
 
   /**
    * Gets the maximum length of the string that can be produced by this format
@@ -1255,5 +1375,24 @@ class FormatLiteral extends Literal {
    * characters.  This is helpful for determining whether a buffer overflow
    * is caused by long float to string conversions.
    */
-  int getMaxConvertedLengthLimited() { result = this.getMaxConvertedLengthAfterLimited(0) }
+  int getMaxConvertedLengthLimited() { result = this.getMaxConvertedLengthAfterLimited(0, _) }
+
+  /**
+   * Gets the maximum length of the string that can be produced by this format
+   * string, specifying the reason for the estimate. Has no result if no estimate
+   * can be found.
+   */
+  int getMaxConvertedLengthWithReason(BufferWriteEstimationReason reason) {
+    result = this.getMaxConvertedLengthAfter(0, reason)
+  }
+
+  /**
+   * Gets the maximum length of the string that can be produced by this format
+   * string, specifying the reason for the estimate, except that float to string
+   * conversions are assumed to be 8 characters.  This is helpful for determining
+   * whether a buffer overflow is caused by long float to string conversions.
+   */
+  int getMaxConvertedLengthLimitedWithReason(BufferWriteEstimationReason reason) {
+    result = this.getMaxConvertedLengthAfterLimited(0, reason)
+  }
 }

cpp/ql/lib/semmle/code/cpp/controlflow/internal/ConstantExprs.qll

@@ -626,9 +626,9 @@ library class ExprEvaluator extends int {
       // All assignments must have the same int value
       result =
         unique(Expr value |
-          value = v.getAnAssignedValue() and not ignoreVariableAssignment(e, v, value)
+          value = v.getAnAssignedValue() and not this.ignoreVariableAssignment(e, v, value)
         |
-          getValueInternalNonSubExpr(value)
+          this.getValueInternalNonSubExpr(value)
         )
     )
   }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowDispatch.qll

@@ -1,4 +1,6 @@
 private import cpp
+private import semmle.code.cpp.dataflow.internal.DataFlowPrivate
+private import semmle.code.cpp.dataflow.internal.DataFlowUtil
 
 /**
  * Gets a function that might be called by `call`.
@@ -63,3 +65,17 @@ predicate mayBenefitFromCallContext(Call call, Function f) { none() }
  * restricted to those `call`s for which a context might make a difference.
  */
 Function viableImplInCallContext(Call call, Call ctx) { none() }
+
+/** A parameter position represented by an integer. */
+class ParameterPosition extends int {
+  ParameterPosition() { any(ParameterNode p).isParameterOf(_, this) }
+}
+
+/** An argument position represented by an integer. */
+class ArgumentPosition extends int {
+  ArgumentPosition() { any(ArgumentNode a).argumentOf(_, this) }
+}
+
+/** Holds if arguments at position `apos` match parameters at position `ppos`. */
+pragma[inline]
+predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll

@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
   ParamNodeEx() { this.asNode() instanceof ParamNode }
 
-  predicate isParameterOf(DataFlowCallable c, int i) {
-    this.asNode().(ParamNode).isParameterOf(c, i)
+  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
+    this.asNode().(ParamNode).isParameterOf(c, pos)
   }
 
-  int getPosition() { this.isParameterOf(_, result) }
+  ParameterPosition getPosition() { this.isParameterOf(_, result) }
 
   predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -1447,7 +1447,7 @@ private module Stage2 {
   }
 
   predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = ret.getEnclosingCallable() and
       revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2142,7 +2142,7 @@ private module Stage3 {
   }
 
   predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = ret.getEnclosingCallable() and
       revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2908,7 +2908,7 @@ private module Stage4 {
   }
 
   predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = ret.getEnclosingCallable() and
       revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2992,7 +2992,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
 
-  int getParameterPos() { p.isParameterOf(_, result) }
+  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }
 
   ParamNodeEx getParamNode() { result = p }
 
@@ -3639,39 +3639,40 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
  */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
-  Configuration config
+  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
+  AccessPathApprox apa, Configuration config
 ) {
-  exists(ArgNode arg |
+  exists(ArgNode arg, ArgumentPosition apos |
     arg = mid.getNodeEx().asNode() and
     cc = mid.getCallContext() and
-    arg.argumentOf(call, i) and
+    arg.argumentOf(call, apos) and
     ap = mid.getAp() and
     apa = ap.getApprox() and
-    config = mid.getConfiguration()
+    config = mid.getConfiguration() and
+    parameterMatch(ppos, apos)
   )
 }
 
 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
 ) {
   exists(ParamNodeEx p |
     Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, i)
+    p.isParameterOf(callable, pos)
   )
 }
 
 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
-  AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+  DataFlowCall call, AccessPath ap, Configuration config
 ) {
   exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
       pragma[only_bind_into](config)) and
     callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
       pragma[only_bind_into](config))
   )
 }
@@ -3686,9 +3687,9 @@ private predicate pathIntoCallable(
   PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call, Configuration config
 ) {
-  exists(int i, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-    p.isParameterOf(callable, i) and
+  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+    p.isParameterOf(callable, pos) and
     (
       sc = TSummaryCtxSome(p, ap)
       or
@@ -3712,7 +3713,7 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
   Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, int pos |
+  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
     mid.getNodeEx() = ret and
     kind = ret.getKind() and
     cc = mid.getCallContext() and
@@ -4441,24 +4442,25 @@ private module FlowExploration {
 
   pragma[noinline]
   private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
-    Configuration config
+    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
+    PartialAccessPath ap, Configuration config
   ) {
-    exists(ArgNode arg |
+    exists(ArgNode arg, ArgumentPosition apos |
       arg = mid.getNodeEx().asNode() and
       cc = mid.getCallContext() and
-      arg.argumentOf(call, i) and
+      arg.argumentOf(call, apos) and
       ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
     )
   }
 
   pragma[nomagic]
   private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
     DataFlowCall call, PartialAccessPath ap, Configuration config
   ) {
-    partialPathIntoArg(mid, i, outercc, call, ap, config) and
+    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
     callable = resolveCall(call, outercc)
   }
 
@@ -4467,9 +4469,9 @@ private module FlowExploration {
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(int i, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-      p.isParameterOf(callable, i) and
+    exists(ParameterPosition pos, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+      p.isParameterOf(callable, pos) and
       sc1 = TSummaryCtx1Param(p) and
       sc2 = TSummaryCtx2Some(ap)
     |
@@ -4633,22 +4635,23 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathFlowsThrough(
-    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
-    Configuration config
+    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
+    RevPartialAccessPath ap, Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p |
+    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
       mid.getNodeEx() = p and
-      p.getPosition() = pos and
+      p.getPosition() = ppos and
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
     )
   }
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
     Configuration config
   ) {
     exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4661,7 +4664,7 @@ private module FlowExploration {
   private predicate revPartialPathThroughCallable(
     PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
   ) {
-    exists(DataFlowCall call, int pos |
+    exists(DataFlowCall call, ArgumentPosition pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
       node.asNode().(ArgNode).argumentOf(call, pos)
     )

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll

@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
   ParamNodeEx() { this.asNode() instanceof ParamNode }
 
-  predicate isParameterOf(DataFlowCallable c, int i) {
-    this.asNode().(ParamNode).isParameterOf(c, i)
+  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
+    this.asNode().(ParamNode).isParameterOf(c, pos)
   }
 
-  int getPosition() { this.isParameterOf(_, result) }
+  ParameterPosition getPosition() { this.isParameterOf(_, result) }
 
   predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -1447,7 +1447,7 @@ private module Stage2 {
   }
 
   predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = ret.getEnclosingCallable() and
       revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2142,7 +2142,7 @@ private module Stage3 {
   }
 
   predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = ret.getEnclosingCallable() and
       revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2908,7 +2908,7 @@ private module Stage4 {
   }
 
   predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = ret.getEnclosingCallable() and
       revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2992,7 +2992,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
 
-  int getParameterPos() { p.isParameterOf(_, result) }
+  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }
 
   ParamNodeEx getParamNode() { result = p }
 
@@ -3639,39 +3639,40 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
  */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
-  Configuration config
+  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
+  AccessPathApprox apa, Configuration config
 ) {
-  exists(ArgNode arg |
+  exists(ArgNode arg, ArgumentPosition apos |
     arg = mid.getNodeEx().asNode() and
     cc = mid.getCallContext() and
-    arg.argumentOf(call, i) and
+    arg.argumentOf(call, apos) and
     ap = mid.getAp() and
     apa = ap.getApprox() and
-    config = mid.getConfiguration()
+    config = mid.getConfiguration() and
+    parameterMatch(ppos, apos)
   )
 }
 
 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
 ) {
   exists(ParamNodeEx p |
     Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, i)
+    p.isParameterOf(callable, pos)
   )
 }
 
 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
-  AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+  DataFlowCall call, AccessPath ap, Configuration config
 ) {
   exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
       pragma[only_bind_into](config)) and
     callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
       pragma[only_bind_into](config))
   )
 }
@@ -3686,9 +3687,9 @@ private predicate pathIntoCallable(
   PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call, Configuration config
 ) {
-  exists(int i, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-    p.isParameterOf(callable, i) and
+  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+    p.isParameterOf(callable, pos) and
     (
       sc = TSummaryCtxSome(p, ap)
       or
@@ -3712,7 +3713,7 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
   Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, int pos |
+  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
     mid.getNodeEx() = ret and
     kind = ret.getKind() and
     cc = mid.getCallContext() and
@@ -4441,24 +4442,25 @@ private module FlowExploration {
 
   pragma[noinline]
   private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
-    Configuration config
+    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
+    PartialAccessPath ap, Configuration config
   ) {
-    exists(ArgNode arg |
+    exists(ArgNode arg, ArgumentPosition apos |
       arg = mid.getNodeEx().asNode() and
       cc = mid.getCallContext() and
-      arg.argumentOf(call, i) and
+      arg.argumentOf(call, apos) and
       ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
     )
   }
 
   pragma[nomagic]
   private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
     DataFlowCall call, PartialAccessPath ap, Configuration config
   ) {
-    partialPathIntoArg(mid, i, outercc, call, ap, config) and
+    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
     callable = resolveCall(call, outercc)
   }
 
@@ -4467,9 +4469,9 @@ private module FlowExploration {
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(int i, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-      p.isParameterOf(callable, i) and
+    exists(ParameterPosition pos, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+      p.isParameterOf(callable, pos) and
       sc1 = TSummaryCtx1Param(p) and
       sc2 = TSummaryCtx2Some(ap)
     |
@@ -4633,22 +4635,23 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathFlowsThrough(
-    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
-    Configuration config
+    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
+    RevPartialAccessPath ap, Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p |
+    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
       mid.getNodeEx() = p and
-      p.getPosition() = pos and
+      p.getPosition() = ppos and
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
     )
   }
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
     Configuration config
   ) {
     exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4661,7 +4664,7 @@ private module FlowExploration {
   private predicate revPartialPathThroughCallable(
     PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
   ) {
-    exists(DataFlowCall call, int pos |
+    exists(DataFlowCall call, ArgumentPosition pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
       node.asNode().(ArgNode).argumentOf(call, pos)
     )

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll

@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
   ParamNodeEx() { this.asNode() instanceof ParamNode }
 
-  predicate isParameterOf(DataFlowCallable c, int i) {
-    this.asNode().(ParamNode).isParameterOf(c, i)
+  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
+    this.asNode().(ParamNode).isParameterOf(c, pos)
   }
 
-  int getPosition() { this.isParameterOf(_, result) }
+  ParameterPosition getPosition() { this.isParameterOf(_, result) }
 
   predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -1447,7 +1447,7 @@ private module Stage2 {
   }
 
   predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = ret.getEnclosingCallable() and
       revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2142,7 +2142,7 @@ private module Stage3 {
   }
 
   predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = ret.getEnclosingCallable() and
       revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2908,7 +2908,7 @@ private module Stage4 {
   }
 
   predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = ret.getEnclosingCallable() and
       revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2992,7 +2992,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
 
-  int getParameterPos() { p.isParameterOf(_, result) }
+  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }
 
   ParamNodeEx getParamNode() { result = p }
 
@@ -3639,39 +3639,40 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
  */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
-  Configuration config
+  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
+  AccessPathApprox apa, Configuration config
 ) {
-  exists(ArgNode arg |
+  exists(ArgNode arg, ArgumentPosition apos |
     arg = mid.getNodeEx().asNode() and
     cc = mid.getCallContext() and
-    arg.argumentOf(call, i) and
+    arg.argumentOf(call, apos) and
     ap = mid.getAp() and
     apa = ap.getApprox() and
-    config = mid.getConfiguration()
+    config = mid.getConfiguration() and
+    parameterMatch(ppos, apos)
   )
 }
 
 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
 ) {
   exists(ParamNodeEx p |
     Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, i)
+    p.isParameterOf(callable, pos)
   )
 }
 
 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
-  AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+  DataFlowCall call, AccessPath ap, Configuration config
 ) {
   exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
       pragma[only_bind_into](config)) and
     callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
       pragma[only_bind_into](config))
   )
 }
@@ -3686,9 +3687,9 @@ private predicate pathIntoCallable(
   PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call, Configuration config
 ) {
-  exists(int i, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-    p.isParameterOf(callable, i) and
+  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+    p.isParameterOf(callable, pos) and
     (
       sc = TSummaryCtxSome(p, ap)
       or
@@ -3712,7 +3713,7 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
   Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, int pos |
+  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
     mid.getNodeEx() = ret and
     kind = ret.getKind() and
     cc = mid.getCallContext() and
@@ -4441,24 +4442,25 @@ private module FlowExploration {
 
   pragma[noinline]
   private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
-    Configuration config
+    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
+    PartialAccessPath ap, Configuration config
   ) {
-    exists(ArgNode arg |
+    exists(ArgNode arg, ArgumentPosition apos |
       arg = mid.getNodeEx().asNode() and
       cc = mid.getCallContext() and
-      arg.argumentOf(call, i) and
+      arg.argumentOf(call, apos) and
       ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
     )
   }
 
   pragma[nomagic]
   private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
     DataFlowCall call, PartialAccessPath ap, Configuration config
   ) {
-    partialPathIntoArg(mid, i, outercc, call, ap, config) and
+    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
     callable = resolveCall(call, outercc)
   }
 
@@ -4467,9 +4469,9 @@ private module FlowExploration {
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(int i, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-      p.isParameterOf(callable, i) and
+    exists(ParameterPosition pos, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+      p.isParameterOf(callable, pos) and
       sc1 = TSummaryCtx1Param(p) and
       sc2 = TSummaryCtx2Some(ap)
     |
@@ -4633,22 +4635,23 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathFlowsThrough(
-    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
-    Configuration config
+    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
+    RevPartialAccessPath ap, Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p |
+    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
       mid.getNodeEx() = p and
-      p.getPosition() = pos and
+      p.getPosition() = ppos and
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
     )
   }
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
     Configuration config
   ) {
     exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4661,7 +4664,7 @@ private module FlowExploration {
   private predicate revPartialPathThroughCallable(
     PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
   ) {
-    exists(DataFlowCall call, int pos |
+    exists(DataFlowCall call, ArgumentPosition pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
       node.asNode().(ArgNode).argumentOf(call, pos)
     )

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll

@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
   ParamNodeEx() { this.asNode() instanceof ParamNode }
 
-  predicate isParameterOf(DataFlowCallable c, int i) {
-    this.asNode().(ParamNode).isParameterOf(c, i)
+  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
+    this.asNode().(ParamNode).isParameterOf(c, pos)
   }
 
-  int getPosition() { this.isParameterOf(_, result) }
+  ParameterPosition getPosition() { this.isParameterOf(_, result) }
 
   predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -1447,7 +1447,7 @@ private module Stage2 {
   }
 
   predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = ret.getEnclosingCallable() and
       revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2142,7 +2142,7 @@ private module Stage3 {
   }
 
   predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = ret.getEnclosingCallable() and
       revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2908,7 +2908,7 @@ private module Stage4 {
   }
 
   predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = ret.getEnclosingCallable() and
       revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2992,7 +2992,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
 
-  int getParameterPos() { p.isParameterOf(_, result) }
+  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }
 
   ParamNodeEx getParamNode() { result = p }
 
@@ -3639,39 +3639,40 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
  */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
-  Configuration config
+  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
+  AccessPathApprox apa, Configuration config
 ) {
-  exists(ArgNode arg |
+  exists(ArgNode arg, ArgumentPosition apos |
     arg = mid.getNodeEx().asNode() and
     cc = mid.getCallContext() and
-    arg.argumentOf(call, i) and
+    arg.argumentOf(call, apos) and
     ap = mid.getAp() and
     apa = ap.getApprox() and
-    config = mid.getConfiguration()
+    config = mid.getConfiguration() and
+    parameterMatch(ppos, apos)
   )
 }
 
 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
 ) {
   exists(ParamNodeEx p |
     Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, i)
+    p.isParameterOf(callable, pos)
   )
 }
 
 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
-  AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+  DataFlowCall call, AccessPath ap, Configuration config
 ) {
   exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
       pragma[only_bind_into](config)) and
     callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
       pragma[only_bind_into](config))
   )
 }
@@ -3686,9 +3687,9 @@ private predicate pathIntoCallable(
   PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call, Configuration config
 ) {
-  exists(int i, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-    p.isParameterOf(callable, i) and
+  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+    p.isParameterOf(callable, pos) and
     (
       sc = TSummaryCtxSome(p, ap)
       or
@@ -3712,7 +3713,7 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
   Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, int pos |
+  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
     mid.getNodeEx() = ret and
     kind = ret.getKind() and
     cc = mid.getCallContext() and
@@ -4441,24 +4442,25 @@ private module FlowExploration {
 
   pragma[noinline]
   private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
-    Configuration config
+    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
+    PartialAccessPath ap, Configuration config
   ) {
-    exists(ArgNode arg |
+    exists(ArgNode arg, ArgumentPosition apos |
       arg = mid.getNodeEx().asNode() and
       cc = mid.getCallContext() and
-      arg.argumentOf(call, i) and
+      arg.argumentOf(call, apos) and
       ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
     )
   }
 
   pragma[nomagic]
   private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
     DataFlowCall call, PartialAccessPath ap, Configuration config
   ) {
-    partialPathIntoArg(mid, i, outercc, call, ap, config) and
+    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
     callable = resolveCall(call, outercc)
   }
 
@@ -4467,9 +4469,9 @@ private module FlowExploration {
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(int i, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-      p.isParameterOf(callable, i) and
+    exists(ParameterPosition pos, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+      p.isParameterOf(callable, pos) and
       sc1 = TSummaryCtx1Param(p) and
       sc2 = TSummaryCtx2Some(ap)
     |
@@ -4633,22 +4635,23 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathFlowsThrough(
-    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
-    Configuration config
+    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
+    RevPartialAccessPath ap, Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p |
+    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
       mid.getNodeEx() = p and
-      p.getPosition() = pos and
+      p.getPosition() = ppos and
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
     )
   }
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
     Configuration config
   ) {
     exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4661,7 +4664,7 @@ private module FlowExploration {
   private predicate revPartialPathThroughCallable(
     PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
   ) {
-    exists(DataFlowCall call, int pos |
+    exists(DataFlowCall call, ArgumentPosition pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
       node.asNode().(ArgNode).argumentOf(call, pos)
     )

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll

@@ -62,6 +62,18 @@ predicate accessPathCostLimits(int apLimit, int tupleLimit) {
   tupleLimit = 1000
 }
 
+/**
+ * Holds if `arg` is an argument of `call` with an argument position that matches
+ * parameter position `ppos`.
+ */
+pragma[noinline]
+predicate argumentPositionMatch(DataFlowCall call, ArgNode arg, ParameterPosition ppos) {
+  exists(ArgumentPosition apos |
+    arg.argumentOf(call, apos) and
+    parameterMatch(ppos, apos)
+  )
+}
+
 /**
  * Provides a simple data-flow analysis for resolving lambda calls. The analysis
  * currently excludes read-steps, store-steps, and flow-through.
@@ -71,25 +83,27 @@ predicate accessPathCostLimits(int apLimit, int tupleLimit) {
  * calls. For this reason, we cannot reuse the code from `DataFlowImpl.qll` directly.
  */
 private module LambdaFlow {
-  private predicate viableParamNonLambda(DataFlowCall call, int i, ParamNode p) {
-    p.isParameterOf(viableCallable(call), i)
+  pragma[noinline]
+  private predicate viableParamNonLambda(DataFlowCall call, ParameterPosition ppos, ParamNode p) {
+    p.isParameterOf(viableCallable(call), ppos)
   }
 
-  private predicate viableParamLambda(DataFlowCall call, int i, ParamNode p) {
-    p.isParameterOf(viableCallableLambda(call, _), i)
+  pragma[noinline]
+  private predicate viableParamLambda(DataFlowCall call, ParameterPosition ppos, ParamNode p) {
+    p.isParameterOf(viableCallableLambda(call, _), ppos)
   }
 
   private predicate viableParamArgNonLambda(DataFlowCall call, ParamNode p, ArgNode arg) {
-    exists(int i |
-      viableParamNonLambda(call, i, p) and
-      arg.argumentOf(call, i)
+    exists(ParameterPosition ppos |
+      viableParamNonLambda(call, ppos, p) and
+      argumentPositionMatch(call, arg, ppos)
     )
   }
 
   private predicate viableParamArgLambda(DataFlowCall call, ParamNode p, ArgNode arg) {
-    exists(int i |
-      viableParamLambda(call, i, p) and
-      arg.argumentOf(call, i)
+    exists(ParameterPosition ppos |
+      viableParamLambda(call, ppos, p) and
+      argumentPositionMatch(call, arg, ppos)
     )
   }
 
@@ -322,7 +336,7 @@ private module Cached {
     or
     exists(ArgNode arg |
       result.(PostUpdateNode).getPreUpdateNode() = arg and
-      arg.argumentOf(call, k.(ParamUpdateReturnKind).getPosition())
+      arg.argumentOf(call, k.(ParamUpdateReturnKind).getAMatchingArgumentPosition())
     )
   }
 
@@ -330,7 +344,7 @@ private module Cached {
   predicate returnNodeExt(Node n, ReturnKindExt k) {
     k = TValueReturn(n.(ReturnNode).getKind())
     or
-    exists(ParamNode p, int pos |
+    exists(ParamNode p, ParameterPosition pos |
       parameterValueFlowsToPreUpdate(p, n) and
       p.isParameterOf(_, pos) and
       k = TParamUpdate(pos)
@@ -352,11 +366,13 @@ private module Cached {
   }
 
   cached
-  predicate parameterNode(Node p, DataFlowCallable c, int pos) { isParameterNode(p, c, pos) }
+  predicate parameterNode(Node p, DataFlowCallable c, ParameterPosition pos) {
+    isParameterNode(p, c, pos)
+  }
 
   cached
-  predicate argumentNode(Node n, DataFlowCall call, int pos) {
-    n.(ArgumentNode).argumentOf(call, pos)
+  predicate argumentNode(Node n, DataFlowCall call, ArgumentPosition pos) {
+    isArgumentNode(n, call, pos)
   }
 
   /**
@@ -374,12 +390,12 @@ private module Cached {
   }
 
   /**
-   * Holds if `p` is the `i`th parameter of a viable dispatch target of `call`.
-   * The instance parameter is considered to have index `-1`.
+   * Holds if `p` is the parameter of a viable dispatch target of `call`,
+   * and `p` has position `ppos`.
    */
   pragma[nomagic]
-  private predicate viableParam(DataFlowCall call, int i, ParamNode p) {
-    p.isParameterOf(viableCallableExt(call), i)
+  private predicate viableParam(DataFlowCall call, ParameterPosition ppos, ParamNode p) {
+    p.isParameterOf(viableCallableExt(call), ppos)
   }
 
   /**
@@ -388,9 +404,9 @@ private module Cached {
    */
   cached
   predicate viableParamArg(DataFlowCall call, ParamNode p, ArgNode arg) {
-    exists(int i |
-      viableParam(call, i, p) and
-      arg.argumentOf(call, i) and
+    exists(ParameterPosition ppos |
+      viableParam(call, ppos, p) and
+      argumentPositionMatch(call, arg, ppos) and
       compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p))
     )
   }
@@ -862,7 +878,7 @@ private module Cached {
   cached
   newtype TReturnKindExt =
     TValueReturn(ReturnKind kind) or
-    TParamUpdate(int pos) { exists(ParamNode p | p.isParameterOf(_, pos)) }
+    TParamUpdate(ParameterPosition pos) { exists(ParamNode p | p.isParameterOf(_, pos)) }
 
   cached
   newtype TBooleanOption =
@@ -1054,9 +1070,9 @@ class ParamNode extends Node {
 
   /**
    * Holds if this node is the parameter of callable `c` at the specified
-   * (zero-based) position.
+   * position.
    */
-  predicate isParameterOf(DataFlowCallable c, int i) { parameterNode(this, c, i) }
+  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { parameterNode(this, c, pos) }
 }
 
 /** A data-flow node that represents a call argument. */
@@ -1064,7 +1080,9 @@ class ArgNode extends Node {
   ArgNode() { argumentNode(this, _, _) }
 
   /** Holds if this argument occurs at the given position in the given call. */
-  final predicate argumentOf(DataFlowCall call, int pos) { argumentNode(this, call, pos) }
+  final predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
+    argumentNode(this, call, pos)
+  }
 }
 
 /**
@@ -1110,11 +1128,14 @@ class ValueReturnKind extends ReturnKindExt, TValueReturn {
 }
 
 class ParamUpdateReturnKind extends ReturnKindExt, TParamUpdate {
-  private int pos;
+  private ParameterPosition pos;
 
   ParamUpdateReturnKind() { this = TParamUpdate(pos) }
 
-  int getPosition() { result = pos }
+  ParameterPosition getPosition() { result = pos }
+
+  pragma[nomagic]
+  ArgumentPosition getAMatchingArgumentPosition() { parameterMatch(pos, result) }
 
   override string toString() { result = "param update " + pos }
 }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll

@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
   ParamNodeEx() { this.asNode() instanceof ParamNode }
 
-  predicate isParameterOf(DataFlowCallable c, int i) {
-    this.asNode().(ParamNode).isParameterOf(c, i)
+  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
+    this.asNode().(ParamNode).isParameterOf(c, pos)
   }
 
-  int getPosition() { this.isParameterOf(_, result) }
+  ParameterPosition getPosition() { this.isParameterOf(_, result) }
 
   predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -1447,7 +1447,7 @@ private module Stage2 {
   }
 
   predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = ret.getEnclosingCallable() and
       revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2142,7 +2142,7 @@ private module Stage3 {
   }
 
   predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = ret.getEnclosingCallable() and
       revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2908,7 +2908,7 @@ private module Stage4 {
   }
 
   predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = ret.getEnclosingCallable() and
       revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2992,7 +2992,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
 
-  int getParameterPos() { p.isParameterOf(_, result) }
+  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }
 
   ParamNodeEx getParamNode() { result = p }
 
@@ -3639,39 +3639,40 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
  */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
-  Configuration config
+  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
+  AccessPathApprox apa, Configuration config
 ) {
-  exists(ArgNode arg |
+  exists(ArgNode arg, ArgumentPosition apos |
     arg = mid.getNodeEx().asNode() and
     cc = mid.getCallContext() and
-    arg.argumentOf(call, i) and
+    arg.argumentOf(call, apos) and
     ap = mid.getAp() and
     apa = ap.getApprox() and
-    config = mid.getConfiguration()
+    config = mid.getConfiguration() and
+    parameterMatch(ppos, apos)
   )
 }
 
 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
 ) {
   exists(ParamNodeEx p |
     Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, i)
+    p.isParameterOf(callable, pos)
   )
 }
 
 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
-  AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+  DataFlowCall call, AccessPath ap, Configuration config
 ) {
   exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
       pragma[only_bind_into](config)) and
     callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
       pragma[only_bind_into](config))
   )
 }
@@ -3686,9 +3687,9 @@ private predicate pathIntoCallable(
   PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call, Configuration config
 ) {
-  exists(int i, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-    p.isParameterOf(callable, i) and
+  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+    p.isParameterOf(callable, pos) and
     (
       sc = TSummaryCtxSome(p, ap)
       or
@@ -3712,7 +3713,7 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
   Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, int pos |
+  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
     mid.getNodeEx() = ret and
     kind = ret.getKind() and
     cc = mid.getCallContext() and
@@ -4441,24 +4442,25 @@ private module FlowExploration {
 
   pragma[noinline]
   private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
-    Configuration config
+    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
+    PartialAccessPath ap, Configuration config
   ) {
-    exists(ArgNode arg |
+    exists(ArgNode arg, ArgumentPosition apos |
       arg = mid.getNodeEx().asNode() and
       cc = mid.getCallContext() and
-      arg.argumentOf(call, i) and
+      arg.argumentOf(call, apos) and
       ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
     )
   }
 
   pragma[nomagic]
   private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
     DataFlowCall call, PartialAccessPath ap, Configuration config
   ) {
-    partialPathIntoArg(mid, i, outercc, call, ap, config) and
+    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
     callable = resolveCall(call, outercc)
   }
 
@@ -4467,9 +4469,9 @@ private module FlowExploration {
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(int i, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-      p.isParameterOf(callable, i) and
+    exists(ParameterPosition pos, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+      p.isParameterOf(callable, pos) and
       sc1 = TSummaryCtx1Param(p) and
       sc2 = TSummaryCtx2Some(ap)
     |
@@ -4633,22 +4635,23 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathFlowsThrough(
-    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
-    Configuration config
+    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
+    RevPartialAccessPath ap, Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p |
+    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
       mid.getNodeEx() = p and
-      p.getPosition() = pos and
+      p.getPosition() = ppos and
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
     )
   }
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
     Configuration config
   ) {
     exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4661,7 +4664,7 @@ private module FlowExploration {
   private predicate revPartialPathThroughCallable(
     PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
   ) {
-    exists(DataFlowCall call, int pos |
+    exists(DataFlowCall call, ArgumentPosition pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
       node.asNode().(ArgNode).argumentOf(call, pos)
     )

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll

@@ -8,7 +8,14 @@ private import DataFlowImplConsistency
 DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.getEnclosingCallable() }
 
 /** Holds if `p` is a `ParameterNode` of `c` with position `pos`. */
-predicate isParameterNode(ParameterNode p, DataFlowCallable c, int pos) { p.isParameterOf(c, pos) }
+predicate isParameterNode(ParameterNode p, DataFlowCallable c, ParameterPosition pos) {
+  p.isParameterOf(c, pos)
+}
+
+/** Holds if `arg` is an `ArgumentNode` of `c` with position `pos`. */
+predicate isArgumentNode(ArgumentNode arg, DataFlowCall c, ArgumentPosition pos) {
+  arg.argumentOf(c, pos)
+}
 
 /** Gets the instance argument of a non-static call. */
 private Node getInstanceArgument(Call call) {

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll

@@ -2,6 +2,7 @@ private import cpp
 private import semmle.code.cpp.ir.IR
 private import semmle.code.cpp.ir.dataflow.DataFlow
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
 private import DataFlowImplCommon as DataFlowImplCommon
 
 /**
@@ -266,3 +267,17 @@ Function viableImplInCallContext(CallInstruction call, CallInstruction ctx) {
     result = ctx.getArgument(i).getUnconvertedResultExpression().(FunctionAccess).getTarget()
   )
 }
+
+/** A parameter position represented by an integer. */
+class ParameterPosition extends int {
+  ParameterPosition() { any(ParameterNode p).isParameterOf(_, this) }
+}
+
+/** An argument position represented by an integer. */
+class ArgumentPosition extends int {
+  ArgumentPosition() { any(ArgumentNode a).argumentOf(_, this) }
+}
+
+/** Holds if arguments at position `apos` match parameters at position `ppos`. */
+pragma[inline]
+predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll

@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
   ParamNodeEx() { this.asNode() instanceof ParamNode }
 
-  predicate isParameterOf(DataFlowCallable c, int i) {
-    this.asNode().(ParamNode).isParameterOf(c, i)
+  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
+    this.asNode().(ParamNode).isParameterOf(c, pos)
   }
 
-  int getPosition() { this.isParameterOf(_, result) }
+  ParameterPosition getPosition() { this.isParameterOf(_, result) }
 
   predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -1447,7 +1447,7 @@ private module Stage2 {
   }
 
   predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = ret.getEnclosingCallable() and
       revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2142,7 +2142,7 @@ private module Stage3 {
   }
 
   predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = ret.getEnclosingCallable() and
       revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2908,7 +2908,7 @@ private module Stage4 {
   }
 
   predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = ret.getEnclosingCallable() and
       revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2992,7 +2992,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
 
-  int getParameterPos() { p.isParameterOf(_, result) }
+  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }
 
   ParamNodeEx getParamNode() { result = p }
 
@@ -3639,39 +3639,40 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
  */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
-  Configuration config
+  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
+  AccessPathApprox apa, Configuration config
 ) {
-  exists(ArgNode arg |
+  exists(ArgNode arg, ArgumentPosition apos |
     arg = mid.getNodeEx().asNode() and
     cc = mid.getCallContext() and
-    arg.argumentOf(call, i) and
+    arg.argumentOf(call, apos) and
     ap = mid.getAp() and
     apa = ap.getApprox() and
-    config = mid.getConfiguration()
+    config = mid.getConfiguration() and
+    parameterMatch(ppos, apos)
   )
 }
 
 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
 ) {
   exists(ParamNodeEx p |
     Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, i)
+    p.isParameterOf(callable, pos)
   )
 }
 
 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
-  AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+  DataFlowCall call, AccessPath ap, Configuration config
 ) {
   exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
       pragma[only_bind_into](config)) and
     callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
       pragma[only_bind_into](config))
   )
 }
@@ -3686,9 +3687,9 @@ private predicate pathIntoCallable(
   PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call, Configuration config
 ) {
-  exists(int i, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-    p.isParameterOf(callable, i) and
+  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+    p.isParameterOf(callable, pos) and
     (
       sc = TSummaryCtxSome(p, ap)
       or
@@ -3712,7 +3713,7 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
   Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, int pos |
+  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
     mid.getNodeEx() = ret and
     kind = ret.getKind() and
     cc = mid.getCallContext() and
@@ -4441,24 +4442,25 @@ private module FlowExploration {
 
   pragma[noinline]
   private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
-    Configuration config
+    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
+    PartialAccessPath ap, Configuration config
   ) {
-    exists(ArgNode arg |
+    exists(ArgNode arg, ArgumentPosition apos |
       arg = mid.getNodeEx().asNode() and
       cc = mid.getCallContext() and
-      arg.argumentOf(call, i) and
+      arg.argumentOf(call, apos) and
       ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
     )
   }
 
   pragma[nomagic]
   private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
     DataFlowCall call, PartialAccessPath ap, Configuration config
   ) {
-    partialPathIntoArg(mid, i, outercc, call, ap, config) and
+    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
     callable = resolveCall(call, outercc)
   }
 
@@ -4467,9 +4469,9 @@ private module FlowExploration {
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(int i, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-      p.isParameterOf(callable, i) and
+    exists(ParameterPosition pos, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+      p.isParameterOf(callable, pos) and
       sc1 = TSummaryCtx1Param(p) and
       sc2 = TSummaryCtx2Some(ap)
     |
@@ -4633,22 +4635,23 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathFlowsThrough(
-    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
-    Configuration config
+    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
+    RevPartialAccessPath ap, Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p |
+    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
       mid.getNodeEx() = p and
-      p.getPosition() = pos and
+      p.getPosition() = ppos and
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
     )
   }
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
     Configuration config
   ) {
     exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4661,7 +4664,7 @@ private module FlowExploration {
   private predicate revPartialPathThroughCallable(
     PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
   ) {
-    exists(DataFlowCall call, int pos |
+    exists(DataFlowCall call, ArgumentPosition pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
       node.asNode().(ArgNode).argumentOf(call, pos)
     )

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
   ParamNodeEx() { this.asNode() instanceof ParamNode }
 
-  predicate isParameterOf(DataFlowCallable c, int i) {
-    this.asNode().(ParamNode).isParameterOf(c, i)
+  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
+    this.asNode().(ParamNode).isParameterOf(c, pos)
   }
 
-  int getPosition() { this.isParameterOf(_, result) }
+  ParameterPosition getPosition() { this.isParameterOf(_, result) }
 
   predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -1447,7 +1447,7 @@ private module Stage2 {
   }
 
   predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = ret.getEnclosingCallable() and
       revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2142,7 +2142,7 @@ private module Stage3 {
   }
 
   predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = ret.getEnclosingCallable() and
       revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2908,7 +2908,7 @@ private module Stage4 {
   }
 
   predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = ret.getEnclosingCallable() and
       revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2992,7 +2992,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
 
-  int getParameterPos() { p.isParameterOf(_, result) }
+  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }
 
   ParamNodeEx getParamNode() { result = p }
 
@@ -3639,39 +3639,40 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
  */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
-  Configuration config
+  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
+  AccessPathApprox apa, Configuration config
 ) {
-  exists(ArgNode arg |
+  exists(ArgNode arg, ArgumentPosition apos |
     arg = mid.getNodeEx().asNode() and
     cc = mid.getCallContext() and
-    arg.argumentOf(call, i) and
+    arg.argumentOf(call, apos) and
     ap = mid.getAp() and
     apa = ap.getApprox() and
-    config = mid.getConfiguration()
+    config = mid.getConfiguration() and
+    parameterMatch(ppos, apos)
   )
 }
 
 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
 ) {
   exists(ParamNodeEx p |
     Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, i)
+    p.isParameterOf(callable, pos)
   )
 }
 
 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
-  AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+  DataFlowCall call, AccessPath ap, Configuration config
 ) {
   exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
       pragma[only_bind_into](config)) and
     callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
       pragma[only_bind_into](config))
   )
 }
@@ -3686,9 +3687,9 @@ private predicate pathIntoCallable(
   PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call, Configuration config
 ) {
-  exists(int i, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-    p.isParameterOf(callable, i) and
+  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+    p.isParameterOf(callable, pos) and
     (
       sc = TSummaryCtxSome(p, ap)
       or
@@ -3712,7 +3713,7 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
   Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, int pos |
+  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
     mid.getNodeEx() = ret and
     kind = ret.getKind() and
     cc = mid.getCallContext() and
@@ -4441,24 +4442,25 @@ private module FlowExploration {
 
   pragma[noinline]
   private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
-    Configuration config
+    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
+    PartialAccessPath ap, Configuration config
   ) {
-    exists(ArgNode arg |
+    exists(ArgNode arg, ArgumentPosition apos |
       arg = mid.getNodeEx().asNode() and
       cc = mid.getCallContext() and
-      arg.argumentOf(call, i) and
+      arg.argumentOf(call, apos) and
       ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
     )
   }
 
   pragma[nomagic]
   private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
     DataFlowCall call, PartialAccessPath ap, Configuration config
   ) {
-    partialPathIntoArg(mid, i, outercc, call, ap, config) and
+    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
     callable = resolveCall(call, outercc)
   }
 
@@ -4467,9 +4469,9 @@ private module FlowExploration {
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(int i, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-      p.isParameterOf(callable, i) and
+    exists(ParameterPosition pos, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+      p.isParameterOf(callable, pos) and
       sc1 = TSummaryCtx1Param(p) and
       sc2 = TSummaryCtx2Some(ap)
     |
@@ -4633,22 +4635,23 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathFlowsThrough(
-    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
-    Configuration config
+    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
+    RevPartialAccessPath ap, Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p |
+    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
       mid.getNodeEx() = p and
-      p.getPosition() = pos and
+      p.getPosition() = ppos and
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
     )
   }
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
     Configuration config
   ) {
     exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4661,7 +4664,7 @@ private module FlowExploration {
   private predicate revPartialPathThroughCallable(
     PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
   ) {
-    exists(DataFlowCall call, int pos |
+    exists(DataFlowCall call, ArgumentPosition pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
       node.asNode().(ArgNode).argumentOf(call, pos)
     )

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
   ParamNodeEx() { this.asNode() instanceof ParamNode }
 
-  predicate isParameterOf(DataFlowCallable c, int i) {
-    this.asNode().(ParamNode).isParameterOf(c, i)
+  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
+    this.asNode().(ParamNode).isParameterOf(c, pos)
   }
 
-  int getPosition() { this.isParameterOf(_, result) }
+  ParameterPosition getPosition() { this.isParameterOf(_, result) }
 
   predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -1447,7 +1447,7 @@ private module Stage2 {
   }
 
   predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = ret.getEnclosingCallable() and
       revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2142,7 +2142,7 @@ private module Stage3 {
   }
 
   predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = ret.getEnclosingCallable() and
       revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2908,7 +2908,7 @@ private module Stage4 {
   }
 
   predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = ret.getEnclosingCallable() and
       revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2992,7 +2992,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
 
-  int getParameterPos() { p.isParameterOf(_, result) }
+  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }
 
   ParamNodeEx getParamNode() { result = p }
 
@@ -3639,39 +3639,40 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
  */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
-  Configuration config
+  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
+  AccessPathApprox apa, Configuration config
 ) {
-  exists(ArgNode arg |
+  exists(ArgNode arg, ArgumentPosition apos |
     arg = mid.getNodeEx().asNode() and
     cc = mid.getCallContext() and
-    arg.argumentOf(call, i) and
+    arg.argumentOf(call, apos) and
     ap = mid.getAp() and
     apa = ap.getApprox() and
-    config = mid.getConfiguration()
+    config = mid.getConfiguration() and
+    parameterMatch(ppos, apos)
   )
 }
 
 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
 ) {
   exists(ParamNodeEx p |
     Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, i)
+    p.isParameterOf(callable, pos)
   )
 }
 
 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
-  AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+  DataFlowCall call, AccessPath ap, Configuration config
 ) {
   exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
       pragma[only_bind_into](config)) and
     callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
       pragma[only_bind_into](config))
   )
 }
@@ -3686,9 +3687,9 @@ private predicate pathIntoCallable(
   PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call, Configuration config
 ) {
-  exists(int i, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-    p.isParameterOf(callable, i) and
+  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+    p.isParameterOf(callable, pos) and
     (
       sc = TSummaryCtxSome(p, ap)
       or
@@ -3712,7 +3713,7 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
   Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, int pos |
+  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
     mid.getNodeEx() = ret and
     kind = ret.getKind() and
     cc = mid.getCallContext() and
@@ -4441,24 +4442,25 @@ private module FlowExploration {
 
   pragma[noinline]
   private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
-    Configuration config
+    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
+    PartialAccessPath ap, Configuration config
   ) {
-    exists(ArgNode arg |
+    exists(ArgNode arg, ArgumentPosition apos |
       arg = mid.getNodeEx().asNode() and
       cc = mid.getCallContext() and
-      arg.argumentOf(call, i) and
+      arg.argumentOf(call, apos) and
       ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
     )
   }
 
   pragma[nomagic]
   private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
     DataFlowCall call, PartialAccessPath ap, Configuration config
   ) {
-    partialPathIntoArg(mid, i, outercc, call, ap, config) and
+    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
     callable = resolveCall(call, outercc)
   }
 
@@ -4467,9 +4469,9 @@ private module FlowExploration {
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(int i, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-      p.isParameterOf(callable, i) and
+    exists(ParameterPosition pos, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+      p.isParameterOf(callable, pos) and
       sc1 = TSummaryCtx1Param(p) and
       sc2 = TSummaryCtx2Some(ap)
     |
@@ -4633,22 +4635,23 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathFlowsThrough(
-    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
-    Configuration config
+    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
+    RevPartialAccessPath ap, Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p |
+    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
       mid.getNodeEx() = p and
-      p.getPosition() = pos and
+      p.getPosition() = ppos and
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
     )
   }
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
     Configuration config
   ) {
     exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4661,7 +4664,7 @@ private module FlowExploration {
   private predicate revPartialPathThroughCallable(
     PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
   ) {
-    exists(DataFlowCall call, int pos |
+    exists(DataFlowCall call, ArgumentPosition pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
       node.asNode().(ArgNode).argumentOf(call, pos)
     )

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
   ParamNodeEx() { this.asNode() instanceof ParamNode }
 
-  predicate isParameterOf(DataFlowCallable c, int i) {
-    this.asNode().(ParamNode).isParameterOf(c, i)
+  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
+    this.asNode().(ParamNode).isParameterOf(c, pos)
   }
 
-  int getPosition() { this.isParameterOf(_, result) }
+  ParameterPosition getPosition() { this.isParameterOf(_, result) }
 
   predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -1447,7 +1447,7 @@ private module Stage2 {
   }
 
   predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = ret.getEnclosingCallable() and
       revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2142,7 +2142,7 @@ private module Stage3 {
   }
 
   predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = ret.getEnclosingCallable() and
       revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2908,7 +2908,7 @@ private module Stage4 {
   }
 
   predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = ret.getEnclosingCallable() and
       revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2992,7 +2992,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
 
-  int getParameterPos() { p.isParameterOf(_, result) }
+  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }
 
   ParamNodeEx getParamNode() { result = p }
 
@@ -3639,39 +3639,40 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
  */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
-  Configuration config
+  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
+  AccessPathApprox apa, Configuration config
 ) {
-  exists(ArgNode arg |
+  exists(ArgNode arg, ArgumentPosition apos |
     arg = mid.getNodeEx().asNode() and
     cc = mid.getCallContext() and
-    arg.argumentOf(call, i) and
+    arg.argumentOf(call, apos) and
     ap = mid.getAp() and
     apa = ap.getApprox() and
-    config = mid.getConfiguration()
+    config = mid.getConfiguration() and
+    parameterMatch(ppos, apos)
   )
 }
 
 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
 ) {
   exists(ParamNodeEx p |
     Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, i)
+    p.isParameterOf(callable, pos)
   )
 }
 
 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
-  AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+  DataFlowCall call, AccessPath ap, Configuration config
 ) {
   exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
       pragma[only_bind_into](config)) and
     callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
       pragma[only_bind_into](config))
   )
 }
@@ -3686,9 +3687,9 @@ private predicate pathIntoCallable(
   PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call, Configuration config
 ) {
-  exists(int i, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-    p.isParameterOf(callable, i) and
+  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+    p.isParameterOf(callable, pos) and
     (
       sc = TSummaryCtxSome(p, ap)
       or
@@ -3712,7 +3713,7 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
   Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, int pos |
+  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
     mid.getNodeEx() = ret and
     kind = ret.getKind() and
     cc = mid.getCallContext() and
@@ -4441,24 +4442,25 @@ private module FlowExploration {
 
   pragma[noinline]
   private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
-    Configuration config
+    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
+    PartialAccessPath ap, Configuration config
   ) {
-    exists(ArgNode arg |
+    exists(ArgNode arg, ArgumentPosition apos |
       arg = mid.getNodeEx().asNode() and
       cc = mid.getCallContext() and
-      arg.argumentOf(call, i) and
+      arg.argumentOf(call, apos) and
       ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
     )
   }
 
   pragma[nomagic]
   private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
     DataFlowCall call, PartialAccessPath ap, Configuration config
   ) {
-    partialPathIntoArg(mid, i, outercc, call, ap, config) and
+    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
     callable = resolveCall(call, outercc)
   }
 
@@ -4467,9 +4469,9 @@ private module FlowExploration {
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(int i, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-      p.isParameterOf(callable, i) and
+    exists(ParameterPosition pos, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+      p.isParameterOf(callable, pos) and
       sc1 = TSummaryCtx1Param(p) and
       sc2 = TSummaryCtx2Some(ap)
     |
@@ -4633,22 +4635,23 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathFlowsThrough(
-    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
-    Configuration config
+    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
+    RevPartialAccessPath ap, Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p |
+    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
       mid.getNodeEx() = p and
-      p.getPosition() = pos and
+      p.getPosition() = ppos and
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
     )
   }
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
     Configuration config
   ) {
     exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4661,7 +4664,7 @@ private module FlowExploration {
   private predicate revPartialPathThroughCallable(
     PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
   ) {
-    exists(DataFlowCall call, int pos |
+    exists(DataFlowCall call, ArgumentPosition pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
       node.asNode().(ArgNode).argumentOf(call, pos)
     )

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll

@@ -62,6 +62,18 @@ predicate accessPathCostLimits(int apLimit, int tupleLimit) {
   tupleLimit = 1000
 }
 
+/**
+ * Holds if `arg` is an argument of `call` with an argument position that matches
+ * parameter position `ppos`.
+ */
+pragma[noinline]
+predicate argumentPositionMatch(DataFlowCall call, ArgNode arg, ParameterPosition ppos) {
+  exists(ArgumentPosition apos |
+    arg.argumentOf(call, apos) and
+    parameterMatch(ppos, apos)
+  )
+}
+
 /**
  * Provides a simple data-flow analysis for resolving lambda calls. The analysis
  * currently excludes read-steps, store-steps, and flow-through.
@@ -71,25 +83,27 @@ predicate accessPathCostLimits(int apLimit, int tupleLimit) {
  * calls. For this reason, we cannot reuse the code from `DataFlowImpl.qll` directly.
  */
 private module LambdaFlow {
-  private predicate viableParamNonLambda(DataFlowCall call, int i, ParamNode p) {
-    p.isParameterOf(viableCallable(call), i)
+  pragma[noinline]
+  private predicate viableParamNonLambda(DataFlowCall call, ParameterPosition ppos, ParamNode p) {
+    p.isParameterOf(viableCallable(call), ppos)
   }
 
-  private predicate viableParamLambda(DataFlowCall call, int i, ParamNode p) {
-    p.isParameterOf(viableCallableLambda(call, _), i)
+  pragma[noinline]
+  private predicate viableParamLambda(DataFlowCall call, ParameterPosition ppos, ParamNode p) {
+    p.isParameterOf(viableCallableLambda(call, _), ppos)
   }
 
   private predicate viableParamArgNonLambda(DataFlowCall call, ParamNode p, ArgNode arg) {
-    exists(int i |
-      viableParamNonLambda(call, i, p) and
-      arg.argumentOf(call, i)
+    exists(ParameterPosition ppos |
+      viableParamNonLambda(call, ppos, p) and
+      argumentPositionMatch(call, arg, ppos)
     )
   }
 
   private predicate viableParamArgLambda(DataFlowCall call, ParamNode p, ArgNode arg) {
-    exists(int i |
-      viableParamLambda(call, i, p) and
-      arg.argumentOf(call, i)
+    exists(ParameterPosition ppos |
+      viableParamLambda(call, ppos, p) and
+      argumentPositionMatch(call, arg, ppos)
     )
   }
 
@@ -322,7 +336,7 @@ private module Cached {
     or
     exists(ArgNode arg |
       result.(PostUpdateNode).getPreUpdateNode() = arg and
-      arg.argumentOf(call, k.(ParamUpdateReturnKind).getPosition())
+      arg.argumentOf(call, k.(ParamUpdateReturnKind).getAMatchingArgumentPosition())
     )
   }
 
@@ -330,7 +344,7 @@ private module Cached {
   predicate returnNodeExt(Node n, ReturnKindExt k) {
     k = TValueReturn(n.(ReturnNode).getKind())
     or
-    exists(ParamNode p, int pos |
+    exists(ParamNode p, ParameterPosition pos |
       parameterValueFlowsToPreUpdate(p, n) and
       p.isParameterOf(_, pos) and
       k = TParamUpdate(pos)
@@ -352,11 +366,13 @@ private module Cached {
   }
 
   cached
-  predicate parameterNode(Node p, DataFlowCallable c, int pos) { isParameterNode(p, c, pos) }
+  predicate parameterNode(Node p, DataFlowCallable c, ParameterPosition pos) {
+    isParameterNode(p, c, pos)
+  }
 
   cached
-  predicate argumentNode(Node n, DataFlowCall call, int pos) {
-    n.(ArgumentNode).argumentOf(call, pos)
+  predicate argumentNode(Node n, DataFlowCall call, ArgumentPosition pos) {
+    isArgumentNode(n, call, pos)
   }
 
   /**
@@ -374,12 +390,12 @@ private module Cached {
   }
 
   /**
-   * Holds if `p` is the `i`th parameter of a viable dispatch target of `call`.
-   * The instance parameter is considered to have index `-1`.
+   * Holds if `p` is the parameter of a viable dispatch target of `call`,
+   * and `p` has position `ppos`.
    */
   pragma[nomagic]
-  private predicate viableParam(DataFlowCall call, int i, ParamNode p) {
-    p.isParameterOf(viableCallableExt(call), i)
+  private predicate viableParam(DataFlowCall call, ParameterPosition ppos, ParamNode p) {
+    p.isParameterOf(viableCallableExt(call), ppos)
   }
 
   /**
@@ -388,9 +404,9 @@ private module Cached {
    */
   cached
   predicate viableParamArg(DataFlowCall call, ParamNode p, ArgNode arg) {
-    exists(int i |
-      viableParam(call, i, p) and
-      arg.argumentOf(call, i) and
+    exists(ParameterPosition ppos |
+      viableParam(call, ppos, p) and
+      argumentPositionMatch(call, arg, ppos) and
       compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p))
     )
   }
@@ -862,7 +878,7 @@ private module Cached {
   cached
   newtype TReturnKindExt =
     TValueReturn(ReturnKind kind) or
-    TParamUpdate(int pos) { exists(ParamNode p | p.isParameterOf(_, pos)) }
+    TParamUpdate(ParameterPosition pos) { exists(ParamNode p | p.isParameterOf(_, pos)) }
 
   cached
   newtype TBooleanOption =
@@ -1054,9 +1070,9 @@ class ParamNode extends Node {
 
   /**
    * Holds if this node is the parameter of callable `c` at the specified
-   * (zero-based) position.
+   * position.
    */
-  predicate isParameterOf(DataFlowCallable c, int i) { parameterNode(this, c, i) }
+  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { parameterNode(this, c, pos) }
 }
 
 /** A data-flow node that represents a call argument. */
@@ -1064,7 +1080,9 @@ class ArgNode extends Node {
   ArgNode() { argumentNode(this, _, _) }
 
   /** Holds if this argument occurs at the given position in the given call. */
-  final predicate argumentOf(DataFlowCall call, int pos) { argumentNode(this, call, pos) }
+  final predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
+    argumentNode(this, call, pos)
+  }
 }
 
 /**
@@ -1110,11 +1128,14 @@ class ValueReturnKind extends ReturnKindExt, TValueReturn {
 }
 
 class ParamUpdateReturnKind extends ReturnKindExt, TParamUpdate {
-  private int pos;
+  private ParameterPosition pos;
 
   ParamUpdateReturnKind() { this = TParamUpdate(pos) }
 
-  int getPosition() { result = pos }
+  ParameterPosition getPosition() { result = pos }
+
+  pragma[nomagic]
+  ArgumentPosition getAMatchingArgumentPosition() { parameterMatch(pos, result) }
 
   override string toString() { result = "param update " + pos }
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -8,7 +8,14 @@ private import DataFlowImplConsistency
 DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.getEnclosingCallable() }
 
 /** Holds if `p` is a `ParameterNode` of `c` with position `pos`. */
-predicate isParameterNode(ParameterNode p, DataFlowCallable c, int pos) { p.isParameterOf(c, pos) }
+predicate isParameterNode(ParameterNode p, DataFlowCallable c, ParameterPosition pos) {
+  p.isParameterOf(c, pos)
+}
+
+/** Holds if `arg` is an `ArgumentNode` of `c` with position `pos`. */
+predicate isArgumentNode(ArgumentNode arg, DataFlowCall c, ArgumentPosition pos) {
+  arg.argumentOf(c, pos)
+}
 
 /**
  * A data flow node that occurs as the argument of a call and is passed as-is

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -452,7 +452,7 @@ class SsaPhiNode extends Node, TSsaPhiNode {
 
   /** Holds if this phi node has input from the `rnk`'th write operation in block `block`. */
   final predicate hasInputAtRankInBlock(IRBlock block, int rnk) {
-    hasInputAtRankInBlock(block, rnk, _)
+    this.hasInputAtRankInBlock(block, rnk, _)
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll

@@ -307,7 +307,7 @@ class NonPhiMemoryOperand extends NonPhiOperand, MemoryOperand, TNonPhiMemoryOpe
   final override string toString() { result = tag.toString() }
 
   final override Instruction getAnyDef() {
-    result = unique(Instruction defInstr | hasDefinition(defInstr, _))
+    result = unique(Instruction defInstr | this.hasDefinition(defInstr, _))
   }
 
   final override Overlap getDefinitionOverlap() { this.hasDefinition(_, result) }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Operand.qll

@@ -307,7 +307,7 @@ class NonPhiMemoryOperand extends NonPhiOperand, MemoryOperand, TNonPhiMemoryOpe
   final override string toString() { result = tag.toString() }
 
   final override Instruction getAnyDef() {
-    result = unique(Instruction defInstr | hasDefinition(defInstr, _))
+    result = unique(Instruction defInstr | this.hasDefinition(defInstr, _))
   }
 
   final override Overlap getDefinitionOverlap() { this.hasDefinition(_, result) }

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll

@@ -307,7 +307,7 @@ class NonPhiMemoryOperand extends NonPhiOperand, MemoryOperand, TNonPhiMemoryOpe
   final override string toString() { result = tag.toString() }
 
   final override Instruction getAnyDef() {
-    result = unique(Instruction defInstr | hasDefinition(defInstr, _))
+    result = unique(Instruction defInstr | this.hasDefinition(defInstr, _))
   }
 
   final override Overlap getDefinitionOverlap() { this.hasDefinition(_, result) }

cpp/ql/lib/semmle/code/cpp/security/BufferWrite.qll

@@ -71,13 +71,30 @@ abstract class BufferWrite extends Expr {
    */
   int getMaxData() { none() }
 
+  /**
+   * Gets an upper bound to the amount of data that's being written (if one
+   * can be found), specifying the reason for the estimation.
+   */
+  int getMaxData(BufferWriteEstimationReason reason) {
+    reason instanceof NoSpecifiedEstimateReason and result = getMaxData()
+  }
+
   /**
    * Gets an upper bound to the amount of data that's being written (if one
    * can be found), except that float to string conversions are assumed to be
    * much smaller (8 bytes) than their true maximum length.  This can be
    * helpful in determining the cause of a buffer overflow issue.
    */
-  int getMaxDataLimited() { result = this.getMaxData() }
+  int getMaxDataLimited() { result = getMaxData() }
+
+  /**
+   * Gets an upper bound to the amount of data that's being written (if one
+   * can be found), specifying the reason for the estimation, except that
+   * float to string conversions are assumed to be much smaller (8 bytes)
+   * than their true maximum length.  This can be helpful in determining the
+   * cause of a buffer overflow issue.
+   */
+  int getMaxDataLimited(BufferWriteEstimationReason reason) { result = getMaxData(reason) }
 
   /**
    * Gets the size of a single character of the type this
@@ -135,10 +152,16 @@ class StrCopyBW extends BufferWriteCall {
     result = this.getArgument(this.getParamSize()).getValue().toInt() * this.getCharSize()
   }
 
-  override int getMaxData() {
+  private int getMaxDataImpl(BufferWriteEstimationReason reason) {
+    // when result exists, it is an exact flow analysis
+    reason instanceof ValueFlowAnalysis and
     result =
       this.getArgument(this.getParamSrc()).(AnalysedString).getMaxLength() * this.getCharSize()
   }
+
+  override int getMaxData(BufferWriteEstimationReason reason) { result = getMaxDataImpl(reason) }
+
+  override int getMaxData() { result = max(getMaxDataImpl(_)) }
 }
 
 /**
@@ -173,10 +196,16 @@ class StrCatBW extends BufferWriteCall {
     result = this.getArgument(this.getParamSize()).getValue().toInt() * this.getCharSize()
   }
 
-  override int getMaxData() {
+  private int getMaxDataImpl(BufferWriteEstimationReason reason) {
+    // when result exists, it is an exact flow analysis
+    reason instanceof ValueFlowAnalysis and
     result =
       this.getArgument(this.getParamSrc()).(AnalysedString).getMaxLength() * this.getCharSize()
   }
+
+  override int getMaxData(BufferWriteEstimationReason reason) { result = getMaxDataImpl(reason) }
+
+  override int getMaxData() { result = max(getMaxDataImpl(_)) }
 }
 
 /**
@@ -233,19 +262,29 @@ class SprintfBW extends BufferWriteCall {
 
   override Expr getDest() { result = this.getArgument(f.getOutputParameterIndex(false)) }
 
-  override int getMaxData() {
+  private int getMaxDataImpl(BufferWriteEstimationReason reason) {
     exists(FormatLiteral fl |
       fl = this.(FormattingFunctionCall).getFormat() and
-      result = fl.getMaxConvertedLength() * this.getCharSize()
+      result = fl.getMaxConvertedLengthWithReason(reason) * this.getCharSize()
     )
   }
 
-  override int getMaxDataLimited() {
+  override int getMaxData(BufferWriteEstimationReason reason) { result = getMaxDataImpl(reason) }
+
+  override int getMaxData() { result = max(getMaxDataImpl(_)) }
+
+  private int getMaxDataLimitedImpl(BufferWriteEstimationReason reason) {
     exists(FormatLiteral fl |
       fl = this.(FormattingFunctionCall).getFormat() and
-      result = fl.getMaxConvertedLengthLimited() * this.getCharSize()
+      result = fl.getMaxConvertedLengthLimitedWithReason(reason) * this.getCharSize()
     )
   }
+
+  override int getMaxDataLimited(BufferWriteEstimationReason reason) {
+    result = getMaxDataLimitedImpl(reason)
+  }
+
+  override int getMaxDataLimited() { result = max(getMaxDataLimitedImpl(_)) }
 }
 
 /**
@@ -336,19 +375,29 @@ class SnprintfBW extends BufferWriteCall {
     result = this.getArgument(this.getParamSize()).getValue().toInt() * this.getCharSize()
   }
 
-  override int getMaxData() {
+  private int getMaxDataImpl(BufferWriteEstimationReason reason) {
     exists(FormatLiteral fl |
       fl = this.(FormattingFunctionCall).getFormat() and
-      result = fl.getMaxConvertedLength() * this.getCharSize()
+      result = fl.getMaxConvertedLengthWithReason(reason) * this.getCharSize()
     )
   }
 
-  override int getMaxDataLimited() {
+  override int getMaxData(BufferWriteEstimationReason reason) { result = getMaxDataImpl(reason) }
+
+  override int getMaxData() { result = max(getMaxDataImpl(_)) }
+
+  private int getMaxDataLimitedImpl(BufferWriteEstimationReason reason) {
     exists(FormatLiteral fl |
       fl = this.(FormattingFunctionCall).getFormat() and
-      result = fl.getMaxConvertedLengthLimited() * this.getCharSize()
+      result = fl.getMaxConvertedLengthLimitedWithReason(reason) * this.getCharSize()
     )
   }
+
+  override int getMaxDataLimited(BufferWriteEstimationReason reason) {
+    result = getMaxDataLimitedImpl(reason)
+  }
+
+  override int getMaxDataLimited() { result = max(getMaxDataLimitedImpl(_)) }
 }
 
 /**
@@ -436,7 +485,9 @@ class ScanfBW extends BufferWrite {
 
   override Expr getDest() { result = this }
 
-  override int getMaxData() {
+  private int getMaxDataImpl(BufferWriteEstimationReason reason) {
+    // when this returns, it is based on exact flow analysis
+    reason instanceof ValueFlowAnalysis and
     exists(ScanfFunctionCall fc, ScanfFormatLiteral fl, int arg |
       this = fc.getArgument(arg) and
       fl = fc.getFormat() and
@@ -444,6 +495,10 @@ class ScanfBW extends BufferWrite {
     )
   }
 
+  override int getMaxData(BufferWriteEstimationReason reason) { result = getMaxDataImpl(reason) }
+
+  override int getMaxData() { result = max(getMaxDataImpl(_)) }
+
   override string getBWDesc() {
     exists(FunctionCall fc |
       this = fc.getArgument(_) and
@@ -474,8 +529,14 @@ class RealpathBW extends BufferWriteCall {
 
   override Expr getASource() { result = this.getArgument(0) }
 
-  override int getMaxData() {
+  private int getMaxDataImpl(BufferWriteEstimationReason reason) {
+    // although there may be some unknown invariants guaranteeing that a real path is shorter than PATH_MAX, we can consider providing less than PATH_MAX a problem with high precision
+    reason instanceof ValueFlowAnalysis and
     result = path_max() and
     this = this // Suppress a compiler warning
   }
+
+  override int getMaxData(BufferWriteEstimationReason reason) { result = getMaxDataImpl(reason) }
+
+  override int getMaxData() { result = max(getMaxDataImpl(_)) }
 }

cpp/ql/src/AlertSuppression.ql

@@ -18,12 +18,12 @@ class SuppressionComment extends Comment {
     (
       this instanceof CppStyleComment and
       // strip the beginning slashes
-      text = getContents().suffix(2)
+      text = this.getContents().suffix(2)
       or
       this instanceof CStyleComment and
       // strip both the beginning /* and the end */ the comment
       exists(string text0 |
-        text0 = getContents().suffix(2) and
+        text0 = this.getContents().suffix(2) and
         text = text0.prefix(text0.length() - 2)
       ) and
       // The /* */ comment must be a single-line comment

cpp/ql/src/Architecture/Refactoring Opportunities/ClassesWithManyFields.ql

@@ -153,12 +153,12 @@ class ExtClass extends Class {
   }
 
   predicate hasLocationInfo(string path, int startline, int startcol, int endline, int endcol) {
-    if hasOneVariableGroup()
+    if this.hasOneVariableGroup()
     then
       exists(VariableDeclarationGroup vdg | vdg.getClass() = this |
         vdg.hasLocationInfo(path, startline, startcol, endline, endcol)
       )
-    else getLocation().hasLocationInfo(path, startline, startcol, endline, endcol)
+    else this.getLocation().hasLocationInfo(path, startline, startcol, endline, endcol)
   }
 }
 

cpp/ql/src/Best Practices/Unused Entities/UnusedStaticFunctions.ql

@@ -50,6 +50,16 @@ predicate reachableThing(Thing t) {
   exists(Thing mid | reachableThing(mid) and mid.callsOrAccesses() = t)
 }
 
+pragma[nomagic]
+predicate callsOrAccessesPlus(Thing thing1, FunctionToRemove thing2) {
+  thing1.callsOrAccesses() = thing2
+  or
+  exists(Thing mid |
+    thing1.callsOrAccesses() = mid and
+    callsOrAccessesPlus(mid, thing2)
+  )
+}
+
 class Thing extends Locatable {
   Thing() {
     this instanceof Function or
@@ -81,7 +91,7 @@ class FunctionToRemove extends Function {
   }
 
   Thing getOther() {
-    result.callsOrAccesses+() = this and
+    callsOrAccessesPlus(result, this) and
     this != result and
     // We will already be reporting the enclosing function of a
     // local variable, so don't also report the variable

cpp/ql/src/CHANGELOG.md

@@ -0,0 +1,5 @@
+## 0.0.4
+
+### New Queries
+
+* A new query `cpp/non-https-url` has been added for C/C++. The query flags uses of `http` URLs that might be better replaced with `https`.

cpp/ql/src/Critical/OverflowStatic.ql

@@ -103,9 +103,9 @@ class CallWithBufferSize extends FunctionCall {
     // `upperBound(e)` defaults to `exprMaxVal(e)` when `e` isn't analyzable. So to get a meaningful
     // result in this case we pick the minimum value obtainable from dataflow and range analysis.
     result =
-      upperBound(statedSizeExpr())
+      upperBound(this.statedSizeExpr())
           .minimum(min(Expr statedSizeSrc |
-              DataFlow::localExprFlow(statedSizeSrc, statedSizeExpr())
+              DataFlow::localExprFlow(statedSizeSrc, this.statedSizeExpr())
             |
               statedSizeSrc.getValue().toInt()
             ))

cpp/ql/src/JPL_C/LOC-2/Rule 09/Semaphores.qll

@@ -22,7 +22,7 @@ abstract class LockOperation extends FunctionCall {
   ControlFlowNode getAReachedNode() {
     result = this
     or
-    exists(ControlFlowNode mid | mid = getAReachedNode() |
+    exists(ControlFlowNode mid | mid = this.getAReachedNode() |
       not mid != this.getMatchingUnlock() and
       result = mid.getASuccessor()
     )

cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll

@@ -156,8 +156,8 @@ abstract class LeapYearFieldAccess extends YearFieldAccess {
     //
     // https://aa.usno.navy.mil/faq/docs/calendars.php
     this.isUsedInMod4Operation() and
-    additionalModulusCheckForLeapYear(400) and
-    additionalModulusCheckForLeapYear(100)
+    this.additionalModulusCheckForLeapYear(400) and
+    this.additionalModulusCheckForLeapYear(100)
   }
 }
 
@@ -176,17 +176,17 @@ class StructTmLeapYearFieldAccess extends LeapYearFieldAccess {
 
   override predicate isUsedInCorrectLeapYearCheck() {
     this.isUsedInMod4Operation() and
-    additionalModulusCheckForLeapYear(400) and
-    additionalModulusCheckForLeapYear(100) and
+    this.additionalModulusCheckForLeapYear(400) and
+    this.additionalModulusCheckForLeapYear(100) and
     // tm_year represents years since 1900
     (
-      additionalAdditionOrSubstractionCheckForLeapYear(1900)
+      this.additionalAdditionOrSubstractionCheckForLeapYear(1900)
       or
       // some systems may use 2000 for 2-digit year conversions
-      additionalAdditionOrSubstractionCheckForLeapYear(2000)
+      this.additionalAdditionOrSubstractionCheckForLeapYear(2000)
       or
       // converting from/to Unix epoch
-      additionalAdditionOrSubstractionCheckForLeapYear(1970)
+      this.additionalAdditionOrSubstractionCheckForLeapYear(1970)
     )
   }
 }

cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql

@@ -57,7 +57,7 @@ class LoopWithAlloca extends Stmt {
     or
     // `e == 0`
     exists(EQExpr eq |
-      conditionRequires(eq, truth.booleanNot()) and
+      this.conditionRequires(eq, truth.booleanNot()) and
       eq.getAnOperand().getValue().toInt() = 0 and
       e = eq.getAnOperand() and
       not exists(e.getValue())
@@ -65,7 +65,7 @@ class LoopWithAlloca extends Stmt {
     or
     // `e != 0`
     exists(NEExpr eq |
-      conditionRequires(eq, truth) and
+      this.conditionRequires(eq, truth) and
       eq.getAnOperand().getValue().toInt() = 0 and
       e = eq.getAnOperand() and
       not exists(e.getValue())
@@ -73,7 +73,7 @@ class LoopWithAlloca extends Stmt {
     or
     // `(bool)e == true`
     exists(EQExpr eq |
-      conditionRequires(eq, truth) and
+      this.conditionRequires(eq, truth) and
       eq.getAnOperand().getValue().toInt() = 1 and
       e = eq.getAnOperand() and
       e.getUnspecifiedType() instanceof BoolType and
@@ -82,7 +82,7 @@ class LoopWithAlloca extends Stmt {
     or
     // `(bool)e != true`
     exists(NEExpr eq |
-      conditionRequires(eq, truth.booleanNot()) and
+      this.conditionRequires(eq, truth.booleanNot()) and
       eq.getAnOperand().getValue().toInt() = 1 and
       e = eq.getAnOperand() and
       e.getUnspecifiedType() instanceof BoolType and
@@ -90,7 +90,7 @@ class LoopWithAlloca extends Stmt {
     )
     or
     exists(NotExpr notExpr |
-      conditionRequires(notExpr, truth.booleanNot()) and
+      this.conditionRequires(notExpr, truth.booleanNot()) and
       e = notExpr.getOperand()
     )
     or
@@ -98,7 +98,7 @@ class LoopWithAlloca extends Stmt {
     // requires both of its operand to be true as well.
     exists(LogicalAndExpr andExpr |
       truth = true and
-      conditionRequires(andExpr, truth) and
+      this.conditionRequires(andExpr, truth) and
       e = andExpr.getAnOperand()
     )
     or
@@ -106,7 +106,7 @@ class LoopWithAlloca extends Stmt {
     // it requires both of its operand to be false as well.
     exists(LogicalOrExpr orExpr |
       truth = false and
-      conditionRequires(orExpr, truth) and
+      this.conditionRequires(orExpr, truth) and
       e = orExpr.getAnOperand()
     )
   }
@@ -141,9 +141,9 @@ class LoopWithAlloca extends Stmt {
    * `conditionRequiresInequality`.
    */
   private Variable getAControllingVariable() {
-    conditionRequires(result.getAnAccess(), _)
+    this.conditionRequires(result.getAnAccess(), _)
     or
-    conditionRequiresInequality(result.getAnAccess(), _, _)
+    this.conditionRequiresInequality(result.getAnAccess(), _, _)
   }
 
   /**

cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll

@@ -61,72 +61,72 @@ class PointerArithmeticAccess extends BufferAccess, Expr {
  * A pair of buffer accesses through a call to memcpy.
  */
 class MemCpy extends BufferAccess, FunctionCall {
-  MemCpy() { getTarget().hasName("memcpy") }
+  MemCpy() { this.getTarget().hasName("memcpy") }
 
   override Expr getPointer() {
-    result = getArgument(0) or
-    result = getArgument(1)
+    result = this.getArgument(0) or
+    result = this.getArgument(1)
   }
 
-  override Expr getAccessedLength() { result = getArgument(2) }
+  override Expr getAccessedLength() { result = this.getArgument(2) }
 }
 
 class StrncpySizeExpr extends BufferAccess, FunctionCall {
-  StrncpySizeExpr() { getTarget().hasName("strncpy") }
+  StrncpySizeExpr() { this.getTarget().hasName("strncpy") }
 
   override Expr getPointer() {
-    result = getArgument(0) or
-    result = getArgument(1)
+    result = this.getArgument(0) or
+    result = this.getArgument(1)
   }
 
-  override Expr getAccessedLength() { result = getArgument(2) }
+  override Expr getAccessedLength() { result = this.getArgument(2) }
 }
 
 class RecvSizeExpr extends BufferAccess, FunctionCall {
-  RecvSizeExpr() { getTarget().hasName("recv") }
+  RecvSizeExpr() { this.getTarget().hasName("recv") }
 
-  override Expr getPointer() { result = getArgument(1) }
+  override Expr getPointer() { result = this.getArgument(1) }
 
-  override Expr getAccessedLength() { result = getArgument(2) }
+  override Expr getAccessedLength() { result = this.getArgument(2) }
 }
 
 class SendSizeExpr extends BufferAccess, FunctionCall {
-  SendSizeExpr() { getTarget().hasName("send") }
+  SendSizeExpr() { this.getTarget().hasName("send") }
 
-  override Expr getPointer() { result = getArgument(1) }
+  override Expr getPointer() { result = this.getArgument(1) }
 
-  override Expr getAccessedLength() { result = getArgument(2) }
+  override Expr getAccessedLength() { result = this.getArgument(2) }
 }
 
 class SnprintfSizeExpr extends BufferAccess, FunctionCall {
-  SnprintfSizeExpr() { getTarget().hasName("snprintf") }
+  SnprintfSizeExpr() { this.getTarget().hasName("snprintf") }
 
-  override Expr getPointer() { result = getArgument(0) }
+  override Expr getPointer() { result = this.getArgument(0) }
 
-  override Expr getAccessedLength() { result = getArgument(1) }
+  override Expr getAccessedLength() { result = this.getArgument(1) }
 }
 
 class MemcmpSizeExpr extends BufferAccess, FunctionCall {
-  MemcmpSizeExpr() { getTarget().hasName("Memcmp") }
+  MemcmpSizeExpr() { this.getTarget().hasName("Memcmp") }
 
   override Expr getPointer() {
-    result = getArgument(0) or
-    result = getArgument(1)
+    result = this.getArgument(0) or
+    result = this.getArgument(1)
   }
 
-  override Expr getAccessedLength() { result = getArgument(2) }
+  override Expr getAccessedLength() { result = this.getArgument(2) }
 }
 
 class MallocSizeExpr extends BufferAccess, FunctionCall {
-  MallocSizeExpr() { getTarget().hasName("malloc") }
+  MallocSizeExpr() { this.getTarget().hasName("malloc") }
 
   override Expr getPointer() { none() }
 
-  override Expr getAccessedLength() { result = getArgument(0) }
+  override Expr getAccessedLength() { result = this.getArgument(0) }
 }
 
 class NetworkFunctionCall extends FunctionCall {
-  NetworkFunctionCall() { getTarget().hasName(["ntohd", "ntohf", "ntohl", "ntohll", "ntohs"]) }
+  NetworkFunctionCall() { this.getTarget().hasName(["ntohd", "ntohf", "ntohl", "ntohll", "ntohs"]) }
 }
 
 class NetworkToBufferSizeConfiguration extends DataFlow::Configuration {

cpp/ql/src/Power of 10/Rule 4/FunctionTooLong.ql

@@ -13,7 +13,7 @@ import cpp
 
 class MacroFunctionCall extends MacroInvocation {
   MacroFunctionCall() {
-    not exists(getParentInvocation()) and
+    not exists(this.getParentInvocation()) and
     this.getMacro().getHead().matches("%(%")
   }
 

cpp/ql/src/Power of 10/Rule 5/AssertionDensity.ql

@@ -13,7 +13,7 @@ import semmle.code.cpp.commons.Assertions
 
 class MacroFunctionCall extends MacroInvocation {
   MacroFunctionCall() {
-    not exists(getParentInvocation()) and
+    not exists(this.getParentInvocation()) and
     this.getMacro().getHead().matches("%(%")
   }
 

cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll

@@ -38,7 +38,7 @@ class ExternalAPIDataNode extends DataFlow::Node {
   int getIndex() { result = i }
 
   /** Gets the description of the function being called. */
-  string getFunctionDescription() { result = getExternalFunction().toString() }
+  string getFunctionDescription() { result = this.getExternalFunction().toString() }
 }
 
 /** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalAPIDataNode`s. */

cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIsSpecific.qll

@@ -38,7 +38,7 @@ class ExternalAPIDataNode extends DataFlow::Node {
   int getIndex() { result = i }
 
   /** Gets the description of the function being called. */
-  string getFunctionDescription() { result = getExternalFunction().toString() }
+  string getFunctionDescription() { result = this.getExternalFunction().toString() }
 }
 
 /** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalAPIDataNode`s. */

cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql

@@ -21,14 +21,15 @@ import semmle.code.cpp.commons.Alloc
  * See CWE-120/UnboundedWrite.ql for a summary of CWE-120 alert cases.
  */
 
-from BufferWrite bw, Expr dest, int destSize
+from BufferWrite bw, Expr dest, int destSize, int estimated
 where
   not bw.hasExplicitLimit() and // has no explicit size limit
   dest = bw.getDest() and
   destSize = getBufferSize(dest, _) and
+  estimated = bw.getMaxDataLimited(_) and
   // we can deduce that too much data may be copied (even without
   // long '%f' conversions)
-  bw.getMaxDataLimited() > destSize
+  estimated > destSize
 select bw,
-  "This '" + bw.getBWDesc() + "' operation requires " + bw.getMaxData() +
+  "This '" + bw.getBWDesc() + "' operation requires " + estimated +
     " bytes but the destination is only " + destSize + " bytes."

cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql

@@ -21,14 +21,15 @@ import semmle.code.cpp.security.BufferWrite
  * See CWE-120/UnboundedWrite.ql for a summary of CWE-120 alert cases.
  */
 
-from BufferWrite bw, int destSize
+from BufferWrite bw, int destSize, int estimated, BufferWriteEstimationReason reason
 where
   not bw.hasExplicitLimit() and
   // has no explicit size limit
   destSize = getBufferSize(bw.getDest(), _) and
-  bw.getMaxData() > destSize and
+  estimated = bw.getMaxData(reason) and
+  estimated > destSize and
   // and we can deduce that too much data may be copied
-  bw.getMaxDataLimited() <= destSize // but it would fit without long '%f' conversions
+  bw.getMaxDataLimited(reason) <= destSize // but it would fit without long '%f' conversions
 select bw,
-  "This '" + bw.getBWDesc() + "' operation may require " + bw.getMaxData() +
+  "This '" + bw.getBWDesc() + "' operation may require " + estimated +
     " bytes because of float conversions, but the target is only " + destSize + " bytes."

cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql

@@ -44,7 +44,7 @@ import TaintedWithPath
 
 predicate isUnboundedWrite(BufferWrite bw) {
   not bw.hasExplicitLimit() and // has no explicit size limit
-  not exists(bw.getMaxData()) // and we can't deduce an upper bound to the amount copied
+  not exists(bw.getMaxData(_)) // and we can't deduce an upper bound to the amount copied
 }
 
 /*

cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql

@@ -42,7 +42,7 @@ class VarargsFunction extends Function {
   }
 
   private int trailingArgValueCount(string value) {
-    result = strictcount(FunctionCall fc | trailingArgValue(fc) = value)
+    result = strictcount(FunctionCall fc | this.trailingArgValue(fc) = value)
   }
 
   string nonTrailingVarArgValue(FunctionCall fc, int index) {
@@ -58,11 +58,11 @@ class VarargsFunction extends Function {
 
   string normalTerminator(int cnt) {
     result = ["0", "-1"] and
-    cnt = trailingArgValueCount(result) and
-    2 * cnt > totalCount() and
+    cnt = this.trailingArgValueCount(result) and
+    2 * cnt > this.totalCount() and
     not exists(FunctionCall fc, int index |
       // terminator value is used in a non-terminating position
-      nonTrailingVarArgValue(fc, index) = result
+      this.nonTrailingVarArgValue(fc, index) = result
     )
   }
 

cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql

@@ -42,7 +42,7 @@ class TaintSource extends VariableAccess {
     definitionUsePair(_, this, va)
     or
     exists(VariableAccess mid, Expr def |
-      sourceReaches(mid) and
+      this.sourceReaches(mid) and
       exprDefinition(_, def, mid) and
       definitionUsePair(_, def, va)
     )
@@ -53,11 +53,11 @@ class TaintSource extends VariableAccess {
    * from `va`, possibly using intermediate reassignments.
    */
   private predicate reachesSink(VariableAccess va, VariableAccess sink) {
-    isSink(sink) and
+    this.isSink(sink) and
     va = sink
     or
     exists(VariableAccess mid, Expr def |
-      reachesSink(mid, sink) and
+      this.reachesSink(mid, sink) and
       exprDefinition(_, def, va) and
       definitionUsePair(_, def, mid)
     )
@@ -71,15 +71,15 @@ class TaintSource extends VariableAccess {
    * this source to `sink` found via `tainted(source, sink)`.)
    */
   predicate reaches(VariableAccess sink) {
-    isSink(sink) and
+    this.isSink(sink) and
     not exists(VariableAccess va |
       va != this and
       va != sink and
       mayAddNullTerminator(_, va)
     |
-      sourceReaches(va)
+      this.sourceReaches(va)
       or
-      reachesSink(va, sink)
+      this.reachesSink(va, sink)
     )
   }
 }

cpp/ql/src/Security/CWE/CWE-457/InitializationFunctions.qll

@@ -84,8 +84,8 @@ class ParameterNullCheck extends ParameterCheck {
     p.getFunction() instanceof InitializationFunction and
     p.getType().getUnspecifiedType() instanceof PointerType and
     exists(VariableAccess va | va = p.getAnAccess() |
-      nullSuccessor = getATrueSuccessor() and
-      notNullSuccessor = getAFalseSuccessor() and
+      nullSuccessor = this.getATrueSuccessor() and
+      notNullSuccessor = this.getAFalseSuccessor() and
       (
         va = this.(NotExpr).getOperand() or
         va = any(EQExpr eq | eq = this and eq.getAnOperand().getValue() = "0").getAnOperand() or
@@ -95,8 +95,8 @@ class ParameterNullCheck extends ParameterCheck {
               .getAnOperand()
       )
       or
-      nullSuccessor = getAFalseSuccessor() and
-      notNullSuccessor = getATrueSuccessor() and
+      nullSuccessor = this.getAFalseSuccessor() and
+      notNullSuccessor = this.getATrueSuccessor() and
       (
         va = this or
         va = any(NEExpr eq | eq = this and eq.getAnOperand().getValue() = "0").getAnOperand() or
@@ -132,7 +132,7 @@ class ValidatedExternalCondInitFunction extends ExternalData {
   ValidatedExternalCondInitFunction() { this.getDataPath().matches("%cond-init%.csv") }
 
   predicate isExternallyVerified(Function f, int param) {
-    functionSignature(f, getField(1), getField(2)) and param = getFieldAsInt(3)
+    functionSignature(f, this.getField(1), this.getField(2)) and param = this.getFieldAsInt(3)
   }
 }
 
@@ -193,7 +193,7 @@ class InitializationFunction extends Function {
             .getAnOverridingFunction+()
             .(InitializationFunction)
             .initializedParameter() or
-      getParameter(i) = any(InitializationFunctionCall c).getAnInitParameter()
+      this.getParameter(i) = any(InitializationFunctionCall c).getAnInitParameter()
     )
     or
     // If we have no definition, we look at SAL annotations
@@ -227,7 +227,7 @@ class InitializationFunction extends Function {
         result = getAnInitializedArgument(any(Call c))
         or
         exists(IfStmt check | result = check.getCondition().getAChild*() |
-          paramReassignmentCondition(check)
+          this.paramReassignmentCondition(check)
         )
       )
       or
@@ -249,15 +249,15 @@ class InitializationFunction extends Function {
 
   /** Holds if `n` can be reached without the parameter at `index` being reassigned. */
   predicate paramNotReassignedAt(ControlFlowNode n, int index, Context c) {
-    c = getAContext(index) and
+    c = this.getAContext(index) and
     (
       not exists(this.getEntryPoint()) and index = i and n = this
       or
       n = this.getEntryPoint() and index = i
       or
-      exists(ControlFlowNode mid | paramNotReassignedAt(mid, index, c) |
+      exists(ControlFlowNode mid | this.paramNotReassignedAt(mid, index, c) |
         n = mid.getASuccessor() and
-        not n = paramReassignment(index) and
+        not n = this.paramReassignment(index) and
         /*
          * Ignore successor edges where the parameter is null, because it is then confirmed to be
          * initialized.
@@ -265,7 +265,7 @@ class InitializationFunction extends Function {
 
         not exists(ParameterNullCheck nullCheck |
           nullCheck = mid and
-          nullCheck = getANullCheck(index) and
+          nullCheck = this.getANullCheck(index) and
           n = nullCheck.getNullSuccessor()
         ) and
         /*
@@ -281,13 +281,13 @@ class InitializationFunction extends Function {
 
   /** Gets a null-check on the parameter at `index`. */
   private ParameterNullCheck getANullCheck(int index) {
-    getParameter(index) = result.getParameter()
+    this.getParameter(index) = result.getParameter()
   }
 
   /** Gets a parameter which is not at the given index. */
   private Parameter getOtherParameter(int index) {
     index = i and
-    result = getAParameter() and
+    result = this.getAParameter() and
     not result.getIndex() = index
   }
 
@@ -306,10 +306,10 @@ class InitializationFunction extends Function {
     if
       strictcount(Parameter p |
         exists(Context c | c = ParamNull(p) or c = ParamNotNull(p)) and
-        p = getOtherParameter(index)
+        p = this.getOtherParameter(index)
       ) = 1
     then
-      exists(Parameter p | p = getOtherParameter(index) |
+      exists(Parameter p | p = this.getOtherParameter(index) |
         result = ParamNull(p) or result = ParamNotNull(p)
       )
     else
@@ -424,8 +424,8 @@ class ConditionalInitializationCall extends FunctionCall {
 
   /** Gets the argument passed for the given parameter to this call. */
   Expr getArgumentForParameter(Parameter p) {
-    p = getTarget().getAParameter() and
-    result = getArgument(p.getIndex())
+    p = this.getTarget().getAParameter() and
+    result = this.getArgument(p.getIndex())
   }
 
   /**
@@ -442,7 +442,7 @@ class ConditionalInitializationCall extends FunctionCall {
         context = ParamNotNull(otherP) or
         context = ParamNull(otherP)
       |
-        otherArg = getArgumentForParameter(otherP) and
+        otherArg = this.getArgumentForParameter(otherP) and
         (otherArg instanceof AddressOfExpr implies context = ParamNotNull(otherP)) and
         (otherArg.getType() instanceof ArrayType implies context = ParamNotNull(otherP)) and
         (otherArg.getValue() = "0" implies context = ParamNull(otherP))
@@ -511,8 +511,8 @@ class ConditionalInitializationCall extends FunctionCall {
         )
     )
     or
-    exists(ControlFlowNode mid | mid = uncheckedReaches(var) |
-      not mid = getStatusVariable().getAnAccess() and
+    exists(ControlFlowNode mid | mid = this.uncheckedReaches(var) |
+      not mid = this.getStatusVariable().getAnAccess() and
       not mid = var.getAnAccess() and
       not exists(VariableAccess write | result = write and write = var.getAnAccess() |
         write = any(AssignExpr a).getLValue() or

cpp/ql/src/Security/CWE/CWE-457/UninitializedVariables.qll

@@ -44,7 +44,7 @@ class ConditionallyInitializedVariable extends LocalVariable {
     // Find a call that conditionally initializes this variable
     hasConditionalInitialization(f, call, this, initAccess, e) and
     // Ignore cases where the variable is assigned prior to the call
-    not reaches(getAnAssignedValue(), initAccess) and
+    not reaches(this.getAnAssignedValue(), initAccess) and
     // Ignore cases where the variable is assigned field-wise prior to the call.
     not exists(FieldAccess fa |
       exists(Assignment a |
@@ -56,7 +56,7 @@ class ConditionallyInitializedVariable extends LocalVariable {
     ) and
     // Ignore cases where the variable is assigned by a prior call to an initialization function
     not exists(Call c |
-      getAnAccess() = getAnInitializedArgument(c).(AddressOfExpr).getOperand() and
+      this.getAnAccess() = getAnInitializedArgument(c).(AddressOfExpr).getOperand() and
       reaches(c, initAccess)
     ) and
     /*
@@ -64,7 +64,7 @@ class ConditionallyInitializedVariable extends LocalVariable {
      * the CFG, but should always be considered as initialized, so exclude them.
      */
 
-    not exists(getInitializer().getExpr())
+    not exists(this.getInitializer().getExpr())
   }
 
   /**
@@ -90,7 +90,7 @@ class ConditionallyInitializedVariable extends LocalVariable {
     // Variable associated with this particular call
     call = initializingCall and
     // Access is a meaningful read access
-    result = getAReadAccess() and
+    result = this.getAReadAccess() and
     // Which occurs after the call
     reaches(call, result) and
     /*
@@ -124,7 +124,7 @@ class ConditionallyInitializedVariable extends LocalVariable {
     call = initializingCall and
     initializingFunction = f and
     e = evidence and
-    result = getAReadAccessAfterCall(initializingCall) and
+    result = this.getAReadAccessAfterCall(initializingCall) and
     (
       // Access is risky because status return code ignored completely
       call instanceof ExprInVoidContext
@@ -148,7 +148,7 @@ class ConditionallyInitializedVariable extends LocalVariable {
     call = initializingCall and
     initializingFunction = f and
     e = evidence and
-    result = getAReadAccessAfterCall(initializingCall) and
+    result = this.getAReadAccessAfterCall(initializingCall) and
     exists(LocalVariable status, Assignment a |
       a.getRValue() = call and
       call = status.getAnAssignedValue() and
@@ -184,7 +184,7 @@ class ConditionallyInitializedVariable extends LocalVariable {
     ConditionalInitializationFunction initializingFunction,
     ConditionalInitializationCall initializingCall, Evidence evidence
   ) {
-    result = getARiskyAccessBeforeStatusCheck(initializingFunction, initializingCall, evidence) or
-    result = getARiskyAccessWithNoStatusCheck(initializingFunction, initializingCall, evidence)
+    result = this.getARiskyAccessBeforeStatusCheck(initializingFunction, initializingCall, evidence) or
+    result = this.getARiskyAccessWithNoStatusCheck(initializingFunction, initializingCall, evidence)
   }
 }

cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql

@@ -31,15 +31,15 @@ abstract class SystemData extends Element {
    */
   Expr getAnExprIndirect() {
     // direct SystemData
-    result = getAnExpr() or
+    result = this.getAnExpr() or
     // flow via global or member variable (conservative approximation)
-    result = getAnAffectedVar().getAnAccess() or
+    result = this.getAnAffectedVar().getAnAccess() or
     // flow via stack variable
-    definitionUsePair(_, getAnExprIndirect(), result) or
-    useUsePair(_, getAnExprIndirect(), result) or
-    useUsePair(_, result, getAnExprIndirect()) or
+    definitionUsePair(_, this.getAnExprIndirect(), result) or
+    useUsePair(_, this.getAnExprIndirect(), result) or
+    useUsePair(_, result, this.getAnExprIndirect()) or
     // flow from assigned value to assignment expression
-    result.(AssignExpr).getRValue() = getAnExprIndirect()
+    result.(AssignExpr).getRValue() = this.getAnExprIndirect()
   }
 
   /**

cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql

@@ -67,16 +67,16 @@ class IFStream extends Type {
  */
 class CinVariable extends NamespaceVariable {
   CinVariable() {
-    getName() = ["cin", "wcin"] and
-    getNamespace().getName() = "std"
+    this.getName() = ["cin", "wcin"] and
+    this.getNamespace().getName() = "std"
   }
 }
 
 /** A call to `std::operator>>`. */
 class OperatorRShiftCall extends FunctionCall {
   OperatorRShiftCall() {
-    getTarget().getNamespace().getName() = "std" and
-    getTarget().hasName("operator>>")
+    this.getTarget().getNamespace().getName() = "std" and
+    this.getTarget().hasName("operator>>")
   }
 
   /*
@@ -87,15 +87,15 @@ class OperatorRShiftCall extends FunctionCall {
    */
 
   Expr getSource() {
-    if getTarget() instanceof MemberFunction
-    then result = getQualifier()
-    else result = getArgument(0)
+    if this.getTarget() instanceof MemberFunction
+    then result = this.getQualifier()
+    else result = this.getArgument(0)
   }
 
   Expr getDest() {
-    if getTarget() instanceof MemberFunction
-    then result = getArgument(0)
-    else result = getArgument(1)
+    if this.getTarget() instanceof MemberFunction
+    then result = this.getArgument(0)
+    else result = this.getArgument(1)
   }
 }
 
@@ -119,7 +119,7 @@ abstract class PotentiallyDangerousInput extends Expr {
    * Gets the width restriction that applies to the input stream
    * for this expression, if any.
    */
-  Expr getWidth() { result = getPreviousAccess().getWidthAfter() }
+  Expr getWidth() { result = this.getPreviousAccess().getWidthAfter() }
 
   private Expr getWidthSetHere() {
     exists(FunctionCall widthCall |
@@ -154,11 +154,11 @@ abstract class PotentiallyDangerousInput extends Expr {
    * after this expression, if any.
    */
   Expr getWidthAfter() {
-    result = getWidthSetHere()
+    result = this.getWidthSetHere()
     or
-    not exists(getWidthSetHere()) and
-    not isWidthConsumedHere() and
-    result = getWidth()
+    not exists(this.getWidthSetHere()) and
+    not this.isWidthConsumedHere() and
+    result = this.getWidth()
   }
 }
 

cpp/ql/src/change-notes/released/0.0.4.md

@@ -0,0 +1,5 @@
+## 0.0.4
+
+### New Queries
+
+* A new query `cpp/non-https-url` has been added for C/C++. The query flags uses of `http` URLs that might be better replaced with `https`.

cpp/ql/src/codeql-pack.release.yml

@@ -0,0 +1,2 @@
+---
+lastReleaseVersion: 0.0.4

cpp/ql/src/experimental/Security/CWE/CWE-273/PrivilegeDroppingOutoforder.ql

@@ -21,9 +21,9 @@ predicate argumentMayBeRoot(Expr e) {
 
 class SetuidLikeFunctionCall extends FunctionCall {
   SetuidLikeFunctionCall() {
-    (getTarget().hasGlobalName("setuid") or getTarget().hasGlobalName("setresuid")) and
+    (this.getTarget().hasGlobalName("setuid") or this.getTarget().hasGlobalName("setresuid")) and
     // setuid/setresuid with the root user are false positives.
-    not argumentMayBeRoot(getArgument(0))
+    not argumentMayBeRoot(this.getArgument(0))
   }
 }
 
@@ -44,7 +44,7 @@ class SetuidLikeWrapperCall extends FunctionCall {
 
 class CallBeforeSetuidFunctionCall extends FunctionCall {
   CallBeforeSetuidFunctionCall() {
-    getTarget()
+    this.getTarget()
         .hasGlobalName([
             "setgid", "setresgid",
             // Compatibility may require skipping initgroups and setgroups return checks.
@@ -52,7 +52,7 @@ class CallBeforeSetuidFunctionCall extends FunctionCall {
             "initgroups", "setgroups"
           ]) and
     // setgid/setresgid/etc with the root group are false positives.
-    not argumentMayBeRoot(getArgument(0))
+    not argumentMayBeRoot(this.getArgument(0))
   }
 }
 

cpp/ql/src/experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql

@@ -24,7 +24,7 @@ class CallMayNotReturn extends FunctionCall {
     not exists(this.(ControlFlowNode).getASuccessor())
     or
     // call to another function that may not return
-    exists(CallMayNotReturn exit | getTarget() = exit.getEnclosingFunction())
+    exists(CallMayNotReturn exit | this.getTarget() = exit.getEnclosingFunction())
   }
 }
 

cpp/ql/src/experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.ql

@@ -38,13 +38,7 @@ where
     fc.getTargetType().(Class).getABaseClass+().hasGlobalOrStdName("exception") or
     fc.getTargetType().(Class).getABaseClass+().hasGlobalOrStdName("CException")
   ) and
+  fc instanceof ExprInVoidContext and
   not fc.isInMacroExpansion() and
-  not exists(ThrowExpr texp | fc.getEnclosingStmt() = texp.getEnclosingStmt()) and
-  not exists(FunctionCall fctmp | fctmp.getAnArgument() = fc) and
-  not fc instanceof ConstructorDirectInit and
-  not fc.getEnclosingStmt() instanceof DeclStmt and
-  not fc instanceof ConstructorDelegationInit and
-  not fc.getParent() instanceof Initializer and
-  not fc.getParent() instanceof AllocationExpr and
-  msg = "This object does not generate an exception."
+  msg = "Object creation of exception type on stack. Did you forget the throw keyword?"
 select fc, msg

cpp/ql/src/jsf/4.10 Classes/AV Rule 79.ql

@@ -118,7 +118,7 @@ private predicate exprReleases(Expr e, Expr released, string kind) {
 }
 
 class Resource extends MemberVariable {
-  Resource() { not isStatic() }
+  Resource() { not this.isStatic() }
 
   // Check that an expr is somewhere in this class - does not have to be a constructor
   predicate inSameClass(Expr e) {
@@ -129,7 +129,7 @@ class Resource extends MemberVariable {
     f instanceof Destructor and f.getDeclaringType() = this.getDeclaringType()
     or
     exists(Function mid, FunctionCall fc |
-      calledFromDestructor(mid) and
+      this.calledFromDestructor(mid) and
       fc.getEnclosingFunction() = mid and
       fc.getTarget() = f and
       f.getDeclaringType() = this.getDeclaringType()
@@ -137,7 +137,7 @@ class Resource extends MemberVariable {
   }
 
   predicate inDestructor(Expr e) {
-    exists(Function f | f = e.getEnclosingFunction() | calledFromDestructor(f))
+    exists(Function f | f = e.getEnclosingFunction() | this.calledFromDestructor(f))
   }
 
   predicate acquisitionWithRequiredKind(Assignment acquireAssign, string kind) {

cpp/ql/src/qlpack.yml

@@ -1,5 +1,6 @@
 name: codeql/cpp-queries
-version: 0.0.2
+version: 0.0.5-dev
+groups: cpp
 dependencies:
     codeql/cpp-all: "*"
     codeql/suite-helpers: "*"

cpp/ql/test/experimental/library-tests/rangeanalysis/extensibility/extensibility.ql

@@ -29,7 +29,8 @@ class CustomAddFunctionCall extends SimpleRangeAnalysisExpr, FunctionCall {
 
 class SelfSub extends SimpleRangeAnalysisExpr, SubExpr {
   SelfSub() {
-    getLeftOperand().(VariableAccess).getTarget() = getRightOperand().(VariableAccess).getTarget()
+    this.getLeftOperand().(VariableAccess).getTarget() =
+      this.getRightOperand().(VariableAccess).getTarget()
   }
 
   override float getLowerBounds() { result = 0 }

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-703/semmle/tests/FindIncorrectlyUsedExceptions.expected

@@ -1,3 +1,3 @@
-| test.cpp:35:3:35:33 | call to runtime_error | This object does not generate an exception. |
+| test.cpp:35:3:35:33 | call to runtime_error | Object creation of exception type on stack. Did you forget the throw keyword? |
 | test.cpp:41:3:41:11 | call to funcTest1 | There is an exception in the function that requires your attention. |
 | test.cpp:42:3:42:9 | call to DllMain | DllMain contains an exeption not wrapped in a try..catch block. |

cpp/ql/test/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-tests
-version: 0.0.2
+groups: [cpp, test]
 dependencies:
   codeql/cpp-all: "*"
   codeql/cpp-queries: "*"

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml

@@ -1,6 +1,6 @@
 # This directory has its own qlpack for reasons detailed in commit 2550788598010fa2117274607c9d58f64f997f34
 name: codeql/cpp-tests-cwe-190-tainted
-version: 0.0.2
+groups: [cpp, test]
 dependencies:
   codeql/cpp-all: "*"
   codeql/cpp-queries: "*"

cpp/upgrades/CHANGELOG.md

@@ -0,0 +1 @@
+## 0.0.4

cpp/upgrades/change-notes/released/0.0.4.md

@@ -0,0 +1 @@
+## 0.0.4

cpp/upgrades/codeql-pack.release.yml

@@ -0,0 +1,2 @@
+---
+lastReleaseVersion: 0.0.4

cpp/upgrades/qlpack.yml

@@ -1,4 +1,5 @@
 name: codeql/cpp-upgrades
+groups: cpp
 upgrades: .
-version: 0.0.2
+version: 0.0.5-dev
 library: true

csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/Semmle.Autobuild.CSharp.Tests.csproj

@@ -1,25 +1,22 @@
 <Project Sdk="Microsoft.NET.Sdk">
-
-  <PropertyGroup>
-    <TargetFramework>net5.0</TargetFramework>
-    <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
-    <RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
-    <Nullable>enable</Nullable>
-  </PropertyGroup>
-
-  <ItemGroup>
-    <PackageReference Include="System.IO.FileSystem" Version="4.3.0" />
-    <PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0" />
-    <PackageReference Include="xunit" Version="2.4.1" />
-    <PackageReference Include="xunit.runner.visualstudio" Version="2.4.3">
-      <PrivateAssets>all</PrivateAssets>
-      <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
-    </PackageReference>
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.9.1" />
-  </ItemGroup>
-
-  <ItemGroup>
-    <ProjectReference Include="..\Semmle.Autobuild.CSharp\Semmle.Autobuild.CSharp.csproj" />
-    <ProjectReference Include="..\Semmle.Autobuild.Shared\Semmle.Autobuild.Shared.csproj" />
-  </ItemGroup>
-</Project>
+	<PropertyGroup>
+		<TargetFramework>net5.0</TargetFramework>
+		<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
+		<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
+		<Nullable>enable</Nullable>
+	</PropertyGroup>
+	<ItemGroup>
+		<PackageReference Include="System.IO.FileSystem" Version="4.3.0"/>
+		<PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0"/>
+		<PackageReference Include="xunit" Version="2.4.1"/>
+		<PackageReference Include="xunit.runner.visualstudio" Version="2.4.3">
+			<PrivateAssets>all</PrivateAssets>
+			<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
+		</PackageReference>
+		<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.0.0"/>
+	</ItemGroup>
+	<ItemGroup>
+		<ProjectReference Include="..\Semmle.Autobuild.CSharp\Semmle.Autobuild.CSharp.csproj"/>
+		<ProjectReference Include="..\Semmle.Autobuild.Shared\Semmle.Autobuild.Shared.csproj"/>
+	</ItemGroup>
+</Project>

csharp/autobuilder/Semmle.Autobuild.CSharp/Semmle.Autobuild.CSharp.csproj

@@ -1,30 +1,25 @@
 <Project Sdk="Microsoft.NET.Sdk">
-
-  <PropertyGroup>
-    <TargetFramework>net5.0</TargetFramework>
-    <AssemblyName>Semmle.Autobuild.CSharp</AssemblyName>
-    <RootNamespace>Semmle.Autobuild.CSharp</RootNamespace>
-    <ApplicationIcon />
-    <OutputType>Exe</OutputType>
-    <StartupObject />
-    <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
-    <RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
-    <Nullable>enable</Nullable>
-  </PropertyGroup>
-
-  <ItemGroup>
-    <Folder Include="Properties\" />
-  </ItemGroup>
-
-  <ItemGroup>
-    <PackageReference Include="Microsoft.Build" Version="16.9.0" />
-    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
-  </ItemGroup>
-
-  <ItemGroup>
-    <ProjectReference Include="..\..\extractor\Semmle.Util\Semmle.Util.csproj" />
-    <ProjectReference Include="..\..\extractor\Semmle.Extraction.CSharp\Semmle.Extraction.CSharp.csproj" />
-    <ProjectReference Include="..\Semmle.Autobuild.Shared\Semmle.Autobuild.Shared.csproj" />
-  </ItemGroup>
-
-</Project>
+	<PropertyGroup>
+		<TargetFramework>net5.0</TargetFramework>
+		<AssemblyName>Semmle.Autobuild.CSharp</AssemblyName>
+		<RootNamespace>Semmle.Autobuild.CSharp</RootNamespace>
+		<ApplicationIcon/>
+		<OutputType>Exe</OutputType>
+		<StartupObject/>
+		<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
+		<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
+		<Nullable>enable</Nullable>
+	</PropertyGroup>
+	<ItemGroup>
+		<Folder Include="Properties\"/>
+	</ItemGroup>
+	<ItemGroup>
+		<PackageReference Include="Microsoft.Build" Version="16.11.0"/>
+		<PackageReference Include="Newtonsoft.Json" Version="13.0.1"/>
+	</ItemGroup>
+	<ItemGroup>
+		<ProjectReference Include="..\..\extractor\Semmle.Util\Semmle.Util.csproj"/>
+		<ProjectReference Include="..\..\extractor\Semmle.Extraction.CSharp\Semmle.Extraction.CSharp.csproj"/>
+		<ProjectReference Include="..\Semmle.Autobuild.Shared\Semmle.Autobuild.Shared.csproj"/>
+	</ItemGroup>
+</Project>

csharp/autobuilder/Semmle.Autobuild.Shared/Semmle.Autobuild.Shared.csproj

@@ -1,24 +1,19 @@
 <Project Sdk="Microsoft.NET.Sdk">
-
-  <PropertyGroup>
-    <TargetFramework>net5.0</TargetFramework>
-    <AssemblyName>Semmle.Autobuild.Shared</AssemblyName>
-    <RootNamespace>Semmle.Autobuild.Shared</RootNamespace>
-    <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
-    <RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
-    <Nullable>enable</Nullable>
-  </PropertyGroup>
-
-  <ItemGroup>
-    <Folder Include="Properties\" />
-  </ItemGroup>
-
-  <ItemGroup>
-    <PackageReference Include="Microsoft.Build" Version="16.9.0" />
-  </ItemGroup>
-
-  <ItemGroup>
-    <ProjectReference Include="..\..\extractor\Semmle.Util\Semmle.Util.csproj" />
-  </ItemGroup>
-
-</Project>
+	<PropertyGroup>
+		<TargetFramework>net5.0</TargetFramework>
+		<AssemblyName>Semmle.Autobuild.Shared</AssemblyName>
+		<RootNamespace>Semmle.Autobuild.Shared</RootNamespace>
+		<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
+		<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
+		<Nullable>enable</Nullable>
+	</PropertyGroup>
+	<ItemGroup>
+		<Folder Include="Properties\"/>
+	</ItemGroup>
+	<ItemGroup>
+		<PackageReference Include="Microsoft.Build" Version="16.11.0"/>
+	</ItemGroup>
+	<ItemGroup>
+		<ProjectReference Include="..\..\extractor\Semmle.Util\Semmle.Util.csproj"/>
+	</ItemGroup>
+</Project>

csharp/documentation/library-coverage/coverage.csv

@@ -1,6 +1,7 @@
-package,sink,source,summary,sink:code,sink:html,sink:remote,sink:sql,sink:xss,source:local,summary:taint
-Dapper,55,,,,,,55,,,
-Microsoft.ApplicationBlocks.Data,28,,,,,,28,,,
-MySql.Data.MySqlClient,48,,,,,,48,,,
-ServiceStack,194,,7,27,,75,92,,,7
-System,28,3,13,,4,,23,1,3,13
+package,sink,source,summary,sink:code,sink:html,sink:remote,sink:sql,sink:xss,source:local,summary:taint,summary:value
+Dapper,55,,,,,,55,,,,
+Microsoft.ApplicationBlocks.Data,28,,,,,,28,,,,
+MySql.Data.MySqlClient,48,,,,,,48,,,,
+Newtonsoft.Json,,,73,,,,,,,73,
+ServiceStack,194,,7,27,,75,92,,,7,
+System,28,3,599,,4,,23,1,3,504,95

csharp/documentation/library-coverage/coverage.rst

@@ -8,7 +8,7 @@ C# framework & library support
 
    Framework / library,Package,Flow sources,Taint & value steps,Sinks (total),`CWE-079` :sub:`Cross-site scripting`
    `ServiceStack <https://servicestack.net/>`_,"``ServiceStack.*``, ``ServiceStack``",,7,194,
-   System,"``System.*``, ``System``",3,13,28,5
-   Others,"``Dapper``, ``Microsoft.ApplicationBlocks.Data``, ``MySql.Data.MySqlClient``",,,131,
-   Totals,,3,20,353,5
+   System,"``System.*``, ``System``",3,599,28,5
+   Others,"``Dapper``, ``Microsoft.ApplicationBlocks.Data``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``",,73,131,
+   Totals,,3,679,353,5
 

csharp/extractor/Semmle.Extraction.CIL/Semmle.Extraction.CIL.csproj

@@ -26,7 +26,9 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.DiaSymReader" Version="1.3.0" />
     <PackageReference Include="Microsoft.DiaSymReader.Native" Version="1.7.0" />
-    <PackageReference Include="Microsoft.DiaSymReader.PortablePdb" Version="1.5.0" />
+    <PackageReference Include="Microsoft.DiaSymReader.PortablePdb" Version="1.6.0"><IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+<PrivateAssets>all</PrivateAssets>
+</PackageReference>
   </ItemGroup>
 
 </Project>

csharp/extractor/Semmle.Extraction.CSharp.Standalone/Semmle.Extraction.CSharp.Standalone.csproj

@@ -1,33 +1,28 @@
-<Project Sdk="Microsoft.NET.Sdk">
-
-  <PropertyGroup>
-    <OutputType>Exe</OutputType>
-    <TargetFramework>net5.0</TargetFramework>
-    <AssemblyName>Semmle.Extraction.CSharp.Standalone</AssemblyName>
-    <RootNamespace>Semmle.Extraction.CSharp.Standalone</RootNamespace>
-    <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
-    <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
-    <TreatWarningsAsErrors>false</TreatWarningsAsErrors>
-    <WarningsAsErrors />
-    <RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
-    <Nullable>enable</Nullable>
-  </PropertyGroup>
-
-  <ItemGroup>
-    <ProjectReference Include="..\Semmle.Extraction.CSharp\Semmle.Extraction.CSharp.csproj" />
-    <ProjectReference Include="..\Semmle.Util\Semmle.Util.csproj" />
-  </ItemGroup>
-
-  <ItemGroup>
-    <Folder Include="Properties\" />
-  </ItemGroup>
-
-  <ItemGroup>
-    <PackageReference Include="Microsoft.Build" Version="16.9.0" />
-    <PackageReference Include="Microsoft.Win32.Primitives" Version="4.3.0" />
-    <PackageReference Include="System.Net.Primitives" Version="4.3.1" />
-    <PackageReference Include="System.Security.Principal" Version="4.3.0" />
-    <PackageReference Include="System.Threading.ThreadPool" Version="4.3.0" />
-  </ItemGroup>
-
-</Project>
+<Project Sdk="Microsoft.NET.Sdk">
+	<PropertyGroup>
+		<OutputType>Exe</OutputType>
+		<TargetFramework>net5.0</TargetFramework>
+		<AssemblyName>Semmle.Extraction.CSharp.Standalone</AssemblyName>
+		<RootNamespace>Semmle.Extraction.CSharp.Standalone</RootNamespace>
+		<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
+		<AllowUnsafeBlocks>true</AllowUnsafeBlocks>
+		<TreatWarningsAsErrors>false</TreatWarningsAsErrors>
+		<WarningsAsErrors/>
+		<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
+		<Nullable>enable</Nullable>
+	</PropertyGroup>
+	<ItemGroup>
+		<ProjectReference Include="..\Semmle.Extraction.CSharp\Semmle.Extraction.CSharp.csproj"/>
+		<ProjectReference Include="..\Semmle.Util\Semmle.Util.csproj"/>
+	</ItemGroup>
+	<ItemGroup>
+		<Folder Include="Properties\"/>
+	</ItemGroup>
+	<ItemGroup>
+		<PackageReference Include="Microsoft.Build" Version="16.11.0"/>
+		<PackageReference Include="Microsoft.Win32.Primitives" Version="4.3.0"/>
+		<PackageReference Include="System.Net.Primitives" Version="4.3.1"/>
+		<PackageReference Include="System.Security.Principal" Version="4.3.0"/>
+		<PackageReference Include="System.Threading.ThreadPool" Version="4.3.0"/>
+	</ItemGroup>
+</Project>

csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Lambda.cs

@@ -18,6 +18,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
         private void VisitParameter(ParameterSyntax p)
         {
             var symbol = Context.GetModel(p).GetDeclaredSymbol(p)!;
+            Context.CacheLambdaParameterSymbol(symbol, p);
             Parameter.Create(Context, symbol, this);
         }
 

csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs

@@ -55,11 +55,17 @@ namespace Semmle.Extraction.CSharp.Entities
             }
         }
 
-        public static Parameter Create(Context cx, IParameterSymbol param, IEntity parent, Parameter? original = null) =>
-            ParameterFactory.Instance.CreateEntity(cx, param, (param, parent, original));
+        public static Parameter Create(Context cx, IParameterSymbol param, IEntity parent, Parameter? original = null)
+        {
+            var cachedSymbol = cx.GetPossiblyCachedParameterSymbol(param);
+            return ParameterFactory.Instance.CreateEntity(cx, cachedSymbol, (cachedSymbol, parent, original));
+        }
 
-        public static Parameter Create(Context cx, IParameterSymbol param) =>
-            ParameterFactory.Instance.CreateEntity(cx, param, (param, null, null));
+        public static Parameter Create(Context cx, IParameterSymbol param)
+        {
+            var cachedSymbol = cx.GetPossiblyCachedParameterSymbol(param);
+            return ParameterFactory.Instance.CreateEntity(cx, cachedSymbol, (cachedSymbol, null, null));
+        }
 
         public override void WriteId(EscapingTextWriter trapFile)
         {

csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/NamedType.cs

@@ -1,7 +1,6 @@
 using Microsoft.CodeAnalysis;
 using Microsoft.CodeAnalysis.CSharp;
 using Semmle.Extraction.CSharp.Populators;
-using Semmle.Extraction.Entities;
 using System;
 using System.Collections.Generic;
 using System.IO;
@@ -36,6 +35,7 @@ namespace Semmle.Extraction.CSharp.Entities
         {
             if (Symbol.TypeKind == TypeKind.Error)
             {
+                UnknownType.Create(Context); // make sure this exists so we can use it in `TypeRef::getReferencedType`
                 Context.Extractor.MissingType(Symbol.ToString()!, Context.FromSource);
                 return;
             }
@@ -48,7 +48,7 @@ namespace Semmle.Extraction.CSharp.Entities
                 if (Symbol.IsBoundNullable())
                 {
                     // An instance of Nullable<T>
-                    trapFile.nullable_underlying_type(this, Create(Context, Symbol.TypeArguments[0]).TypeRef);
+                    trapFile.nullable_underlying_type(this, TypeArguments[0].TypeRef);
                 }
                 else if (Symbol.IsReallyUnbound())
                 {
@@ -67,7 +67,7 @@ namespace Semmle.Extraction.CSharp.Entities
                         : Type.Create(Context, Symbol.ConstructedFrom);
                     trapFile.constructed_generic(this, unbound.TypeRef);
 
-                    for (var i = 0; i < Symbol.TypeArguments.Length; ++i)
+                    for (var i = 0; i < TypeArguments.Length; ++i)
                     {
                         trapFile.type_arguments(TypeArguments[i].TypeRef, i, this);
                     }

csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/Type.cs

@@ -1,6 +1,5 @@
 using Microsoft.CodeAnalysis;
 using Microsoft.CodeAnalysis.CSharp.Syntax;
-using Semmle.Util;
 using System;
 using System.Collections.Generic;
 using System.IO;
@@ -24,9 +23,9 @@ namespace Semmle.Extraction.CSharp.Entities
                 symbol.ContainingType is not null && ConstructedOrParentIsConstructed(symbol.ContainingType);
         }
 
-        private static Kinds.TypeKind GetClassType(Context cx, ITypeSymbol t, bool constructUnderlyingTupleType)
+        public Kinds.TypeKind GetTypeKind(Context cx, bool constructUnderlyingTupleType)
         {
-            switch (t.SpecialType)
+            switch (Symbol.SpecialType)
             {
                 case SpecialType.System_Int32: return Kinds.TypeKind.INT;
                 case SpecialType.System_UInt32: return Kinds.TypeKind.UINT;
@@ -44,14 +43,14 @@ namespace Semmle.Extraction.CSharp.Entities
                 case SpecialType.System_Single: return Kinds.TypeKind.FLOAT;
                 case SpecialType.System_IntPtr: return Kinds.TypeKind.INT_PTR;
                 default:
-                    if (t.IsBoundNullable())
+                    if (Symbol.IsBoundNullable())
                         return Kinds.TypeKind.NULLABLE;
 
-                    switch (t.TypeKind)
+                    switch (Symbol.TypeKind)
                     {
                         case TypeKind.Class: return Kinds.TypeKind.CLASS;
                         case TypeKind.Struct:
-                            return ((INamedTypeSymbol)t).IsTupleType && !constructUnderlyingTupleType
+                            return ((INamedTypeSymbol)Symbol).IsTupleType && !constructUnderlyingTupleType
                                 ? Kinds.TypeKind.TUPLE
                                 : Kinds.TypeKind.STRUCT;
                         case TypeKind.Interface: return Kinds.TypeKind.INTERFACE;
@@ -62,7 +61,7 @@ namespace Semmle.Extraction.CSharp.Entities
                         case TypeKind.FunctionPointer: return Kinds.TypeKind.FUNCTION_POINTER;
                         case TypeKind.Error: return Kinds.TypeKind.UNKNOWN;
                         default:
-                            cx.ModelError(t, $"Unhandled type kind '{t.TypeKind}'");
+                            cx.ModelError(Symbol, $"Unhandled type kind '{Symbol.TypeKind}'");
                             return Kinds.TypeKind.UNKNOWN;
                     }
             }
@@ -76,7 +75,7 @@ namespace Semmle.Extraction.CSharp.Entities
             trapFile.Write("types(");
             trapFile.WriteColumn(this);
             trapFile.Write(',');
-            trapFile.WriteColumn((int)GetClassType(Context, Symbol, constructUnderlyingTupleType));
+            trapFile.WriteColumn((int)GetTypeKind(Context, constructUnderlyingTupleType));
             trapFile.Write(",\"");
             Symbol.BuildDisplayName(Context, trapFile, constructUnderlyingTupleType);
             trapFile.WriteLine("\")");

csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/UnknownType.cs

@@ -0,0 +1,39 @@
+using System.IO;
+using Microsoft.CodeAnalysis;
+
+namespace Semmle.Extraction.CSharp.Entities
+{
+    internal class UnknownType : Type
+    {
+        private UnknownType(Context cx)
+            : base(cx, null) { }
+
+        public override void Populate(TextWriter trapFile)
+        {
+            trapFile.types(this, Kinds.TypeKind.UNKNOWN, "<unknown type>");
+        }
+
+        public override void WriteId(EscapingTextWriter trapFile)
+        {
+            trapFile.Write("<unknown>;type");
+        }
+
+        public override bool NeedsPopulation => true;
+
+        public override int GetHashCode() => 98744554;
+
+        public override bool Equals(object? obj)
+        {
+            return obj is not null && obj.GetType() == typeof(UnknownType);
+        }
+
+        public static Type Create(Context cx) => UnknownTypeFactory.Instance.CreateEntity(cx, typeof(UnknownType), null);
+
+        private class UnknownTypeFactory : CachedEntityFactory<ITypeSymbol?, UnknownType>
+        {
+            public static UnknownTypeFactory Instance { get; } = new UnknownTypeFactory();
+
+            public override UnknownType Create(Context cx, ITypeSymbol? init) => new UnknownType(cx);
+        }
+    }
+}

csharp/extractor/Semmle.Extraction.CSharp/Extractor/Context.cs

@@ -18,18 +18,56 @@ namespace Semmle.Extraction.CSharp
         /// </summary>
         public SemanticModel GetModel(SyntaxNode node)
         {
-            // todo: when this context belongs to a SourceScope, the syntax tree can be retrieved from the scope, and
-            // the node parameter could be removed. Is there any case when we pass in a node that's not from the current
-            // tree?
-            if (cachedModel is null || node.SyntaxTree != cachedModel.SyntaxTree)
+            if (node.SyntaxTree == SourceTree)
             {
-                cachedModel = Compilation.GetSemanticModel(node.SyntaxTree);
+                if (cachedModelForTree is null)
+                {
+                    cachedModelForTree = Compilation.GetSemanticModel(node.SyntaxTree);
+                }
+
+                return cachedModelForTree;
             }
 
-            return cachedModel;
+            if (cachedModelForOtherTrees is null || node.SyntaxTree != cachedModelForOtherTrees.SyntaxTree)
+            {
+                cachedModelForOtherTrees = Compilation.GetSemanticModel(node.SyntaxTree);
+            }
+
+            return cachedModelForOtherTrees;
         }
 
-        private SemanticModel? cachedModel;
+        private SemanticModel? cachedModelForTree;
+        private SemanticModel? cachedModelForOtherTrees;
+
+        // The below is a workaround to the bug reported in https://github.com/dotnet/roslyn/issues/58226
+        // Lambda parameters that are equal according to `SymbolEqualityComparer.Default`, might have different
+        // hash-codes, and as a result might not be found in `symbolEntityCache` by hash-code lookup.
+        internal IParameterSymbol GetPossiblyCachedParameterSymbol(IParameterSymbol param)
+        {
+            if ((param.ContainingSymbol as IMethodSymbol)?.MethodKind != MethodKind.AnonymousFunction)
+            {
+                return param;
+            }
+
+            foreach (var sr in param.DeclaringSyntaxReferences)
+            {
+                var syntax = sr.GetSyntax();
+                if (lambdaParameterCache.TryGetValue(syntax, out var cached) &&
+                    SymbolEqualityComparer.Default.Equals(param, cached))
+                {
+                    return cached;
+                }
+            }
+
+            return param;
+        }
+
+        internal void CacheLambdaParameterSymbol(IParameterSymbol param, SyntaxNode syntax)
+        {
+            lambdaParameterCache[syntax] = param;
+        }
+
+        private readonly Dictionary<SyntaxNode, IParameterSymbol> lambdaParameterCache = new Dictionary<SyntaxNode, IParameterSymbol>();
 
         /// <summary>
         /// The current compilation unit.

csharp/extractor/Semmle.Extraction.CSharp/Semmle.Extraction.CSharp.csproj

@@ -1,29 +1,24 @@
 <Project Sdk="Microsoft.NET.Sdk">
-
-  <PropertyGroup>
-    <TargetFramework>net5.0</TargetFramework>
-    <AssemblyName>Semmle.Extraction.CSharp</AssemblyName>
-    <RootNamespace>Semmle.Extraction.CSharp</RootNamespace>
-    <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
-    <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
-    <RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
-    <RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
-    <Nullable>enable</Nullable>
-  </PropertyGroup>
-
-  <ItemGroup>
-    <ProjectReference Include="..\Semmle.Extraction.CIL\Semmle.Extraction.CIL.csproj" />
-    <ProjectReference Include="..\Semmle.Extraction\Semmle.Extraction.csproj" />
-    <ProjectReference Include="..\Semmle.Util\Semmle.Util.csproj" />
-  </ItemGroup>
-
-  <ItemGroup>
-    <Folder Include="Properties\" />
-  </ItemGroup>
-
-  <ItemGroup>
-    <PackageReference Include="Microsoft.CodeAnalysis.CSharp" Version="3.9.0" />
-    <PackageReference Include="Microsoft.Build" Version="16.9.0" />
-  </ItemGroup>
-
-</Project>
+	<PropertyGroup>
+		<TargetFramework>net5.0</TargetFramework>
+		<AssemblyName>Semmle.Extraction.CSharp</AssemblyName>
+		<RootNamespace>Semmle.Extraction.CSharp</RootNamespace>
+		<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
+		<AllowUnsafeBlocks>true</AllowUnsafeBlocks>
+		<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
+		<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
+		<Nullable>enable</Nullable>
+	</PropertyGroup>
+	<ItemGroup>
+		<ProjectReference Include="..\Semmle.Extraction.CIL\Semmle.Extraction.CIL.csproj"/>
+		<ProjectReference Include="..\Semmle.Extraction\Semmle.Extraction.csproj"/>
+		<ProjectReference Include="..\Semmle.Util\Semmle.Util.csproj"/>
+	</ItemGroup>
+	<ItemGroup>
+		<Folder Include="Properties\"/>
+	</ItemGroup>
+	<ItemGroup>
+		<PackageReference Include="Microsoft.CodeAnalysis.CSharp" Version="4.0.1"/>
+		<PackageReference Include="Microsoft.Build" Version="16.11.0"/>
+	</ItemGroup>
+</Project>

csharp/extractor/Semmle.Extraction.Tests/Semmle.Extraction.Tests.csproj

@@ -1,28 +1,24 @@
 <Project Sdk="Microsoft.NET.Sdk">
-
-  <PropertyGroup>
-    <TargetFramework>net5.0</TargetFramework>
-    <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
-    <RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
-    <Nullable>enable</Nullable>
-  </PropertyGroup>
-
-  <ItemGroup>
-    <PackageReference Include="System.IO.FileSystem" Version="4.3.0" />
-    <PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0" />
-    <PackageReference Include="xunit" Version="2.4.1" />
-    <PackageReference Include="xunit.runner.visualstudio" Version="2.4.3">
-      <PrivateAssets>all</PrivateAssets>
-      <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
-    </PackageReference>
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.9.1" />
-  </ItemGroup>
-
-  <ItemGroup>
-    <ProjectReference Include="..\Semmle.Extraction.CSharp.Standalone\Semmle.Extraction.CSharp.Standalone.csproj" />
-    <ProjectReference Include="..\Semmle.Extraction.CSharp\Semmle.Extraction.CSharp.csproj" />
-    <ProjectReference Include="..\Semmle.Extraction\Semmle.Extraction.csproj" />
-    <ProjectReference Include="..\Semmle.Util\Semmle.Util.csproj" />
-  </ItemGroup>
-
-</Project>
+	<PropertyGroup>
+		<TargetFramework>net5.0</TargetFramework>
+		<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
+		<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
+		<Nullable>enable</Nullable>
+	</PropertyGroup>
+	<ItemGroup>
+		<PackageReference Include="System.IO.FileSystem" Version="4.3.0"/>
+		<PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0"/>
+		<PackageReference Include="xunit" Version="2.4.1"/>
+		<PackageReference Include="xunit.runner.visualstudio" Version="2.4.3">
+			<PrivateAssets>all</PrivateAssets>
+			<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
+		</PackageReference>
+		<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.0.0"/>
+	</ItemGroup>
+	<ItemGroup>
+		<ProjectReference Include="..\Semmle.Extraction.CSharp.Standalone\Semmle.Extraction.CSharp.Standalone.csproj"/>
+		<ProjectReference Include="..\Semmle.Extraction.CSharp\Semmle.Extraction.CSharp.csproj"/>
+		<ProjectReference Include="..\Semmle.Extraction\Semmle.Extraction.csproj"/>
+		<ProjectReference Include="..\Semmle.Util\Semmle.Util.csproj"/>
+	</ItemGroup>
+</Project>

csharp/extractor/Semmle.Extraction/Semmle.Extraction.csproj

@@ -1,29 +1,24 @@
-<Project Sdk="Microsoft.NET.Sdk">
-
-  <PropertyGroup>
-    <TargetFramework>net5.0</TargetFramework>
-    <AssemblyName>Semmle.Extraction</AssemblyName>
-    <RootNamespace>Semmle.Extraction</RootNamespace>
-    <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
-    <CodeAnalysisRuleSet>Semmle.Extraction.ruleset</CodeAnalysisRuleSet>
-    <RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
-    <Nullable>enable</Nullable>
-  </PropertyGroup>
-
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|AnyCPU'">
-    <DefineConstants>TRACE;DEBUG;DEBUG_LABELS</DefineConstants>
-  </PropertyGroup>
-
-  <ItemGroup>
-    <PackageReference Include="Microsoft.CodeAnalysis" Version="3.9.0" />
-    <PackageReference Include="GitInfo" Version="2.1.2">
-      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
-      <PrivateAssets>all</PrivateAssets>
-    </PackageReference>
-  </ItemGroup>
-
-  <ItemGroup>
-    <ProjectReference Include="..\Semmle.Util\Semmle.Util.csproj" />
-  </ItemGroup>
-
-</Project>
+<Project Sdk="Microsoft.NET.Sdk">
+	<PropertyGroup>
+		<TargetFramework>net5.0</TargetFramework>
+		<AssemblyName>Semmle.Extraction</AssemblyName>
+		<RootNamespace>Semmle.Extraction</RootNamespace>
+		<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
+		<CodeAnalysisRuleSet>Semmle.Extraction.ruleset</CodeAnalysisRuleSet>
+		<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
+		<Nullable>enable</Nullable>
+	</PropertyGroup>
+	<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|AnyCPU'">
+		<DefineConstants>TRACE;DEBUG;DEBUG_LABELS</DefineConstants>
+	</PropertyGroup>
+	<ItemGroup>
+		<PackageReference Include="Microsoft.CodeAnalysis" Version="4.0.1"/>
+		<PackageReference Include="GitInfo" Version="2.2.0">
+			<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+			<PrivateAssets>all</PrivateAssets>
+		</PackageReference>
+	</ItemGroup>
+	<ItemGroup>
+		<ProjectReference Include="..\Semmle.Util\Semmle.Util.csproj"/>
+	</ItemGroup>
+</Project>

csharp/extractor/Semmle.Util.Tests/Semmle.Util.Tests.csproj

@@ -1,23 +1,19 @@
 <Project Sdk="Microsoft.NET.Sdk">
-
-  <PropertyGroup>
-    <TargetFramework>net5.0</TargetFramework>
-    <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
-    <RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
-    <Nullable>enable</Nullable>
-  </PropertyGroup>
-
-  <ItemGroup>
-    <PackageReference Include="xunit" Version="2.4.1" />
-    <PackageReference Include="xunit.runner.visualstudio" Version="2.4.3">
-      <PrivateAssets>all</PrivateAssets>
-      <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
-    </PackageReference>
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.9.1" />
-  </ItemGroup>
-
-  <ItemGroup>
-    <ProjectReference Include="..\Semmle.Util\Semmle.Util.csproj" />
-  </ItemGroup>
-
-</Project>
+	<PropertyGroup>
+		<TargetFramework>net5.0</TargetFramework>
+		<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
+		<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
+		<Nullable>enable</Nullable>
+	</PropertyGroup>
+	<ItemGroup>
+		<PackageReference Include="xunit" Version="2.4.1"/>
+		<PackageReference Include="xunit.runner.visualstudio" Version="2.4.3">
+			<PrivateAssets>all</PrivateAssets>
+			<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
+		</PackageReference>
+		<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.0.0"/>
+	</ItemGroup>
+	<ItemGroup>
+		<ProjectReference Include="..\Semmle.Util\Semmle.Util.csproj"/>
+	</ItemGroup>
+</Project>

csharp/ql/lib/CHANGELOG.md

@@ -0,0 +1 @@
+## 0.0.4

csharp/ql/lib/change-notes/released/0.0.4.md

@@ -0,0 +1 @@
+## 0.0.4

csharp/ql/lib/codeql-pack.release.yml

@@ -0,0 +1,2 @@
+---
+lastReleaseVersion: 0.0.4

csharp/ql/lib/csharp.qll

@@ -2,40 +2,5 @@
  * The default C# QL library.
  */
 
-import Customizations
-import semmle.code.csharp.Attribute
-import semmle.code.csharp.Callable
-import semmle.code.csharp.Comments
-import semmle.code.csharp.Element
-import semmle.code.csharp.Event
-import semmle.code.csharp.File
-import semmle.code.csharp.Generics
-import semmle.code.csharp.Location
-import semmle.code.csharp.Member
-import semmle.code.csharp.Namespace
-import semmle.code.csharp.AnnotatedType
-import semmle.code.csharp.Property
-import semmle.code.csharp.Stmt
-import semmle.code.csharp.Type
-import semmle.code.csharp.Using
-import semmle.code.csharp.Variable
-import semmle.code.csharp.XML
-import semmle.code.csharp.Preprocessor
-import semmle.code.csharp.exprs.Access
-import semmle.code.csharp.exprs.ArithmeticOperation
-import semmle.code.csharp.exprs.Assignment
-import semmle.code.csharp.exprs.BitwiseOperation
-import semmle.code.csharp.exprs.Call
-import semmle.code.csharp.exprs.ComparisonOperation
-import semmle.code.csharp.exprs.Creation
-import semmle.code.csharp.exprs.Dynamic
-import semmle.code.csharp.exprs.Expr
-import semmle.code.csharp.exprs.Literal
-import semmle.code.csharp.exprs.LogicalOperation
-import semmle.code.csharp.controlflow.ControlFlowGraph
-import semmle.code.csharp.dataflow.DataFlow
-import semmle.code.csharp.dataflow.TaintTracking
-import semmle.code.csharp.dataflow.SSA
-
-/** Whether the source was extracted without a build command. */
-predicate extractionIsStandalone() { exists(SourceFile f | f.extractedStandalone()) }
+// Do not add other imports here; add to `semmle.code.csharp.internal.csharp` instead
+import semmle.code.csharp.internal.csharp

csharp/ql/lib/qlpack.yml

@@ -1,7 +1,8 @@
 name: codeql/csharp-all
-version: 0.0.2
+version: 0.0.5-dev
+groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
 library: true
 dependencies:
-  codeql/csharp-upgrades: 0.0.2
+  codeql/csharp-upgrades: ^0.0.3

csharp/ql/lib/semmle/code/cil/CallableReturns.qll

@@ -25,7 +25,7 @@ private module Cached {
   cached
   predicate alwaysThrowsException(Method m, Type t) {
     alwaysThrowsMethod(m) and
-    forex(Throw ex | ex = m.getImplementation().getAnInstruction() | t = ex.getExpr().getType())
+    forex(Throw ex | ex = m.getImplementation().getAnInstruction() | t = ex.getExceptionType())
   }
 }
 

csharp/ql/lib/semmle/code/cil/ConsistencyChecks.qll

@@ -612,7 +612,7 @@ class ExprMissingType extends InstructionViolation {
     not instruction instanceof Opcodes::Ldvirtftn and
     not instruction instanceof Opcodes::Arglist and
     not instruction instanceof Opcodes::Refanytype and
-    instruction.getPushCount() = 1 and
+    instruction.getPushCount() >= 1 and
     count(instruction.getType()) != 1
   }
 

csharp/ql/lib/semmle/code/cil/ControlFlow.qll

@@ -56,6 +56,32 @@ class ControlFlowNode extends @cil_controlflow_node {
     )
   }
 
+  /**
+   * Gets the type of the `i`th operand. Unlike `getOperand(i).getType()`, this
+   * predicate takes into account when there are multiple possible operands with
+   * different types.
+   */
+  Type getOperandType(int i) {
+    strictcount(this.getOperand(i)) = 1 and
+    result = this.getOperand(i).getType()
+    or
+    strictcount(this.getOperand(i)) = 2 and
+    exists(ControlFlowNode op1, ControlFlowNode op2, Type t2 |
+      op1 = this.getOperand(i) and
+      op2 = this.getOperand(i) and
+      op1 != op2 and
+      result = op1.getType() and
+      t2 = op2.getType()
+    |
+      result = t2
+      or
+      result.(PrimitiveType).getUnderlyingType().getConversionIndex() >
+        t2.(PrimitiveType).getUnderlyingType().getConversionIndex()
+      or
+      op2 instanceof NullLiteral
+    )
+  }
+
   /** Gets an operand of this instruction, if any. */
   ControlFlowNode getAnOperand() { result = this.getOperand(_) }
 
@@ -102,7 +128,12 @@ class ControlFlowNode extends @cil_controlflow_node {
   /** Gets the method containing this control flow node. */
   MethodImplementation getImplementation() { none() }
 
-  /** Gets the type of the item pushed onto the stack, if any. */
+  /**
+   * Gets the type of the item pushed onto the stack, if any.
+   *
+   * If called via `ControlFlowNode::getOperand(i).getType()`, consider using
+   * `ControlFlowNode::getOperandType(i)` instead.
+   */
   cached
   Type getType() { none() }
 

csharp/ql/lib/semmle/code/cil/InstructionGroups.qll

@@ -73,8 +73,8 @@ class ComparisonOperation extends BinaryExpr, @cil_comparison_operation {
 class BinaryArithmeticExpr extends BinaryExpr, @cil_binary_arithmetic_operation {
   override Type getType() {
     exists(Type t0, Type t1 |
-      t0 = this.getOperand(0).getType().getUnderlyingType() and
-      t1 = this.getOperand(1).getType().getUnderlyingType()
+      t0 = this.getOperandType(0).getUnderlyingType() and
+      t1 = this.getOperandType(1).getUnderlyingType()
     |
       t0 = t1 and result = t0
       or
@@ -242,6 +242,9 @@ class Return extends Instruction, @cil_ret {
 class Throw extends Instruction, DotNet::Throw, @cil_throw_any {
   override Expr getExpr() { result = this.getOperand(0) }
 
+  /** Gets the type of the exception being thrown. */
+  Type getExceptionType() { result = this.getOperandType(0) }
+
   override predicate canFlowNext() { none() }
 }
 

csharp/ql/lib/semmle/code/cil/Instructions.qll

@@ -199,9 +199,9 @@ module Opcodes {
     override string getOpcodeName() { result = "neg" }
 
     override NumericType getType() {
-      result = this.getOperand().getType()
+      result = this.getOperandType(0)
       or
-      this.getOperand().getType() instanceof Enum and result instanceof IntType
+      this.getOperandType(0) instanceof Enum and result instanceof IntType
     }
   }
 
@@ -260,7 +260,7 @@ module Opcodes {
 
     override int getPushCount() { result = 2 } // This is the only instruction that pushes 2 items
 
-    override Type getType() { result = this.getOperand(0).getType() }
+    override Type getType() { result = this.getOperandType(0) }
   }
 
   /** A `ret` instruction. */
@@ -887,7 +887,7 @@ module Opcodes {
   class Ldelem_ref extends ReadArrayElement, @cil_ldelem_ref {
     override string getOpcodeName() { result = "ldelem.ref" }
 
-    override Type getType() { result = this.getArray().getType() }
+    override Type getType() { result = this.getOperandType(1) }
   }
 
   /** An `ldelema` instruction. */

csharp/ql/lib/semmle/code/csharp/Member.qll

@@ -362,14 +362,22 @@ class Virtualizable extends Member, @virtualizable {
   /** Holds if this member implements (transitively) an interface member. */
   predicate implements() { exists(this.getAnUltimateImplementee()) }
 
+  /**
+   * Holds if this member overrides or implements (transitively)
+   * `that` member.
+   */
+  predicate overridesOrImplements(Virtualizable that) {
+    this.getOverridee+() = that or
+    this.getAnUltimateImplementee() = that
+  }
+
   /**
    * Holds if this member overrides or implements (reflexively, transitively)
    * `that` member.
    */
   predicate overridesOrImplementsOrEquals(Virtualizable that) {
     this = that or
-    this.getOverridee+() = that or
-    this.getAnUltimateImplementee() = that
+    this.overridesOrImplements(that)
   }
 }
 

csharp/ql/lib/semmle/code/csharp/Stmt.qll

@@ -75,7 +75,7 @@ class BlockStmt extends Stmt, @block_stmt {
 
   /** Holds if this block is the container of the global statements. */
   predicate isGlobalStatementContainer() {
-    this.getEnclosingCallable().hasQualifiedName("<Program>$.<Main>$")
+    this.getEnclosingCallable().hasQualifiedName("Program.<Main>$")
   }
 
   override Stmt stripSingletonBlocks() {

csharp/ql/lib/semmle/code/csharp/TypeRef.qll

@@ -12,7 +12,12 @@ private class TypeRef extends @typeref {
 
   string toString() { result = this.getName() }
 
-  Type getReferencedType() { typeref_type(this, result) }
+  Type getReferencedType() {
+    typeref_type(this, result)
+    or
+    not typeref_type(this, _) and
+    result instanceof UnknownType
+  }
 }
 
 /**

csharp/ql/lib/semmle/code/csharp/commons/Util.qll

@@ -8,7 +8,7 @@ class MainMethod extends Method {
     (
       this.hasName("Main")
       or
-      this.hasQualifiedName("<Program>$", "<Main>$")
+      this.hasQualifiedName("Program.<Main>$")
     ) and
     this.isStatic() and
     (this.getReturnType() instanceof VoidType or this.getReturnType() instanceof IntType) and

csharp/ql/lib/semmle/code/csharp/controlflow/ControlFlowGraph.qll

@@ -241,7 +241,7 @@ module ControlFlow {
     predicate isBranch() { strictcount(this.getASuccessor()) > 1 }
 
     /** Gets the enclosing callable of this control flow node. */
-    Callable getEnclosingCallable() { none() }
+    final Callable getEnclosingCallable() { result = getNodeCfgScope(this) }
   }
 
   /** Provides different types of control flow nodes. */
@@ -253,8 +253,6 @@ module ControlFlow {
 
       override BasicBlocks::EntryBlock getBasicBlock() { result = Node.super.getBasicBlock() }
 
-      override Callable getEnclosingCallable() { result = this.getCallable() }
-
       private Assignable getAssignable() { this = TEntryNode(result) }
 
       override Location getLocation() {
@@ -283,8 +281,6 @@ module ControlFlow {
         result = Node.super.getBasicBlock()
       }
 
-      override Callable getEnclosingCallable() { result = this.getCallable() }
-
       override Location getLocation() { result = scope.getLocation() }
 
       override string toString() {
@@ -309,8 +305,6 @@ module ControlFlow {
 
       override BasicBlocks::ExitBlock getBasicBlock() { result = Node.super.getBasicBlock() }
 
-      override Callable getEnclosingCallable() { result = this.getCallable() }
-
       override Location getLocation() { result = scope.getLocation() }
 
       override string toString() { result = "exit " + scope }
@@ -327,14 +321,7 @@ module ControlFlow {
       private Splits splits;
       private ControlFlowElement cfe;
 
-      ElementNode() { this = TElementNode(cfe, splits) }
-
-      override Callable getEnclosingCallable() {
-        result = cfe.getEnclosingCallable()
-        or
-        result =
-          this.getASplit().(Splitting::InitializerSplitting::InitializerSplit).getConstructor()
-      }
+      ElementNode() { this = TElementNode(_, cfe, splits) }
 
       override ControlFlowElement getElement() { result = cfe }
 

csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImplShared.qll

@@ -342,7 +342,7 @@ private predicate succExitSplits(
   ControlFlowElement pred, Splits predSplits, CfgScope succ, SuccessorType t
 ) {
   exists(Reachability::SameSplitsBlock b, Completion c | pred = b.getAnElement() |
-    b.isReachable(predSplits) and
+    b.isReachable(succ, predSplits) and
     t = getAMatchingSuccessorType(c) and
     scopeLast(succ, pred, c) and
     forall(SplitImpl predSplit | predSplit = predSplits.getASplit() |
@@ -399,7 +399,7 @@ private module SuccSplits {
     ControlFlowElement succ, Completion c
   ) {
     pred = b.getAnElement() and
-    b.isReachable(predSplits) and
+    b.isReachable(_, predSplits) and
     succ(pred, succ, c)
   }
 
@@ -728,12 +728,12 @@ private module Reachability {
      * Holds if the elements of this block are reachable from a callable entry
      *  point, with the splits `splits`.
      */
-    predicate isReachable(Splits splits) {
+    predicate isReachable(CfgScope scope, Splits splits) {
       // Base case
-      succEntrySplits(_, this, splits, _)
+      succEntrySplits(scope, this, splits, _)
       or
       // Recursive case
-      exists(SameSplitsBlock pred, Splits predSplits | pred.isReachable(predSplits) |
+      exists(SameSplitsBlock pred, Splits predSplits | pred.isReachable(scope, predSplits) |
         this = pred.getASuccessor(predSplits, splits)
       )
     }
@@ -791,18 +791,20 @@ private module Cached {
   newtype TCfgNode =
     TEntryNode(CfgScope scope) { succEntrySplits(scope, _, _, _) } or
     TAnnotatedExitNode(CfgScope scope, boolean normal) {
-      exists(Reachability::SameSplitsBlock b, SuccessorType t | b.isReachable(_) |
+      exists(Reachability::SameSplitsBlock b, SuccessorType t | b.isReachable(scope, _) |
         succExitSplits(b.getAnElement(), _, scope, t) and
         if isAbnormalExitType(t) then normal = false else normal = true
       )
     } or
     TExitNode(CfgScope scope) {
-      exists(Reachability::SameSplitsBlock b | b.isReachable(_) |
+      exists(Reachability::SameSplitsBlock b | b.isReachable(scope, _) |
         succExitSplits(b.getAnElement(), _, scope, _)
       )
     } or
-    TElementNode(ControlFlowElement cfe, Splits splits) {
-      exists(Reachability::SameSplitsBlock b | b.isReachable(splits) | cfe = b.getAnElement())
+    TElementNode(CfgScope scope, ControlFlowElement cfe, Splits splits) {
+      exists(Reachability::SameSplitsBlock b | b.isReachable(scope, splits) |
+        cfe = b.getAnElement()
+      )
     }
 
   /** Gets a successor node of a given flow type, if any. */
@@ -810,24 +812,24 @@ private module Cached {
   TCfgNode getASuccessor(TCfgNode pred, SuccessorType t) {
     // Callable entry node -> callable body
     exists(ControlFlowElement succElement, Splits succSplits, CfgScope scope |
-      result = TElementNode(succElement, succSplits) and
+      result = TElementNode(scope, succElement, succSplits) and
       pred = TEntryNode(scope) and
       succEntrySplits(scope, succElement, succSplits, t)
     )
     or
-    exists(ControlFlowElement predElement, Splits predSplits |
-      pred = TElementNode(predElement, predSplits)
+    exists(CfgScope scope, ControlFlowElement predElement, Splits predSplits |
+      pred = TElementNode(pragma[only_bind_into](scope), predElement, predSplits)
     |
       // Element node -> callable exit (annotated)
-      exists(CfgScope scope, boolean normal |
-        result = TAnnotatedExitNode(scope, normal) and
+      exists(boolean normal |
+        result = TAnnotatedExitNode(pragma[only_bind_into](scope), normal) and
         succExitSplits(predElement, predSplits, scope, t) and
         if isAbnormalExitType(t) then normal = false else normal = true
       )
       or
       // Element node -> element node
       exists(ControlFlowElement succElement, Splits succSplits, Completion c |
-        result = TElementNode(succElement, succSplits)
+        result = TElementNode(pragma[only_bind_into](scope), succElement, succSplits)
       |
         succSplits(predElement, predSplits, succElement, succSplits, c) and
         t = getAMatchingSuccessorType(c)
@@ -853,6 +855,23 @@ private module Cached {
    */
   cached
   ControlFlowElement getAControlFlowExitNode(ControlFlowElement cfe) { last(cfe, result, _) }
+
+  /**
+   * Gets the CFG scope of node `n`. Unlike `getCfgScope`, this predicate
+   * is calculated based on reachability from an entry node, and it may
+   * yield different results for AST elements that are split into multiple
+   * scopes.
+   */
+  cached
+  CfgScope getNodeCfgScope(TCfgNode n) {
+    n = TEntryNode(result)
+    or
+    n = TAnnotatedExitNode(result, _)
+    or
+    n = TExitNode(result)
+    or
+    n = TElementNode(result, _, _)
+  }
 }
 
 import Cached
@@ -938,14 +957,45 @@ module Consistency {
     not split.hasEntry(pred, succ, c)
   }
 
+  private class SimpleSuccessorType extends SuccessorType {
+    SimpleSuccessorType() {
+      this = getAMatchingSuccessorType(any(Completion c | completionIsSimple(c)))
+    }
+  }
+
+  private class NormalSuccessorType extends SuccessorType {
+    NormalSuccessorType() {
+      this = getAMatchingSuccessorType(any(Completion c | completionIsNormal(c)))
+    }
+  }
+
   query predicate multipleSuccessors(Node node, SuccessorType t, Node successor) {
-    not node instanceof TEntryNode and
     strictcount(getASuccessor(node, t)) > 1 and
-    successor = getASuccessor(node, t)
+    successor = getASuccessor(node, t) and
+    // allow for functions with multiple bodies
+    not (t instanceof SimpleSuccessorType and node instanceof TEntryNode)
+  }
+
+  query predicate simpleAndNormalSuccessors(
+    Node node, NormalSuccessorType t1, SimpleSuccessorType t2, Node succ1, Node succ2
+  ) {
+    t1 != t2 and
+    succ1 = getASuccessor(node, t1) and
+    succ2 = getASuccessor(node, t2)
   }
 
   query predicate deadEnd(Node node) {
     not node instanceof TExitNode and
     not exists(getASuccessor(node, _))
   }
+
+  query predicate nonUniqueSplitKind(SplitImpl split, SplitKind sk) {
+    sk = split.getKind() and
+    strictcount(split.getKind()) > 1
+  }
+
+  query predicate nonUniqueListOrder(SplitKind sk, int ord) {
+    ord = sk.getListOrder() and
+    strictcount(sk.getListOrder()) > 1
+  }
 }

csharp/ql/lib/semmle/code/csharp/controlflow/internal/Splitting.qll

@@ -179,7 +179,7 @@ module InitializerSplitting {
    *
    * respectively.
    */
-  class InitializerSplit extends Split, TInitializerSplit {
+  private class InitializerSplit extends Split, TInitializerSplit {
     private Constructor c;
 
     InitializerSplit() { this = TInitializerSplit(c) }

csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll

@@ -92,6 +92,13 @@ private module Frameworks {
   private import semmle.code.csharp.frameworks.ServiceStack
   private import semmle.code.csharp.frameworks.Sql
   private import semmle.code.csharp.frameworks.EntityFramework
+  private import semmle.code.csharp.frameworks.system.Text
+  private import semmle.code.csharp.frameworks.system.Net
+  private import semmle.code.csharp.frameworks.system.Web
+  private import semmle.code.csharp.frameworks.system.collections.Generic
+  private import semmle.code.csharp.frameworks.system.web.ui.WebControls
+  private import semmle.code.csharp.frameworks.JsonNET
+  private import semmle.code.csharp.frameworks.system.IO
 }
 
 /**
@@ -262,7 +269,7 @@ module CsvValidation {
       not name.regexpMatch("[a-zA-Z0-9_<>,]*") and
       msg = "Dubious member name \"" + name + "\" in " + pred + " model."
       or
-      not signature.regexpMatch("|\\([a-zA-Z0-9_<>\\.\\+,\\[\\]]*\\)") and
+      not signature.regexpMatch("|\\([a-zA-Z0-9_<>\\.\\+\\*,\\[\\]]*\\)") and
       msg = "Dubious signature \"" + signature + "\" in " + pred + " model."
       or
       not ext.regexpMatch("|Attribute") and