Merge pull request #16702 from github/sitedocs/2.17.4-fixup

Add changelog for 2.17.4 to release brach

.bazelrc

@@ -10,16 +10,15 @@ common --override_module=semmle_code=%workspace%/misc/bazel/semmle_code_stub
 
 build --repo_env=CC=clang --repo_env=CXX=clang++
 
-# we use transitions that break builds of `...`, so for `test` to work with that we need the following
-test --build_tests_only
+build:linux --cxxopt=-std=c++20
+# we currently cannot built the swift extractor for ARM
+build:macos --cxxopt=-std=c++20 --copt=-arch --copt=x86_64 --linkopt=-arch --linkopt=x86_64
+build:windows --cxxopt=/std:c++20 --cxxopt=/Zc:preprocessor
 
 # this requires developer mode, but is required to have pack installer functioning
 startup --windows_enable_symlinks
 common --enable_runfiles
 
-# with the above, we can avoid building python zips which is the default on windows as that's expensive
-build --nobuild_python_zip
-
 common --registry=file:///%workspace%/misc/bazel/registry
 common --registry=https://bcr.bazel.build
 

.bazelversion

@@ -1 +1 @@
-7.2.1
+7.1.2

.gitattributes

@@ -50,40 +50,33 @@
 *.dll -text
 *.pdb -text
 
-/java/ql/test/stubs/**/*.java linguist-generated=true
-/java/ql/test/experimental/stubs/**/*.java linguist-generated=true
-/java/kotlin-extractor/deps/*.jar filter=lfs diff=lfs merge=lfs -text
+java/ql/test/stubs/**/*.java linguist-generated=true
+java/ql/test/experimental/stubs/**/*.java linguist-generated=true
 
 # Force git not to modify line endings for go or html files under the go/ql directory
-/go/ql/**/*.go -text
-/go/ql/**/*.html -text
+go/ql/**/*.go -text
+go/ql/**/*.html -text
 # Force git not to modify line endings for go dbschemes
-/go/*.dbscheme -text
+go/*.dbscheme -text
 # Preserve unusual line ending from codeql-go merge
-/go/extractor/opencsv/CSVReader.java -text
+go/extractor/opencsv/CSVReader.java -text
 
 # For some languages, upgrade script testing references really old dbscheme
 # files from legacy upgrades that have CRLF line endings. Since upgrade
 # resolution relies on object hashes, we must suppress line ending conversion
 # for those testing dbscheme files.
-/*/ql/lib/upgrades/initial/*.dbscheme -text
+*/ql/lib/upgrades/initial/*.dbscheme -text
 
 # Auto-generated modeling for Python
-/python/ql/lib/semmle/python/frameworks/data/internal/subclass-capture/*.yml linguist-generated=true
+python/ql/lib/semmle/python/frameworks/data/internal/subclass-capture/*.yml linguist-generated=true
 
 # auto-generated bazel lock file
-/ruby/extractor/cargo-bazel-lock.json linguist-generated=true
-/ruby/extractor/cargo-bazel-lock.json -merge
+ruby/extractor/cargo-bazel-lock.json linguist-generated=true
+ruby/extractor/cargo-bazel-lock.json -merge
 
 # auto-generated files for the C# build
-/csharp/paket.lock linguist-generated=true
-# needs eol=crlf, as `paket` touches this file and saves it as crlf
-/csharp/.paket/Paket.Restore.targets linguist-generated=true eol=crlf
-/csharp/paket.main.bzl linguist-generated=true
-/csharp/paket.main_extension.bzl linguist-generated=true
-
-# ripunzip tool
-/misc/ripunzip/ripunzip-* filter=lfs diff=lfs merge=lfs -text
-
-# swift prebuilt resources
-/swift/third_party/resource-dir/*.zip filter=lfs diff=lfs merge=lfs -text
+csharp/paket.lock linguist-generated=true
+# needs eol=crlf, as `paket` touches this file and saves it als crlf
+csharp/.paket/Paket.Restore.targets linguist-generated=true eol=crlf
+csharp/paket.main.bzl linguist-generated=true
+csharp/paket.main_extension.bzl linguist-generated=true

.github/workflows/csharp-qltest.yml

@@ -65,7 +65,7 @@ jobs:
           key: csharp-qltest-${{ matrix.slice }}
       - name: Run QL tests
         run: |
-          codeql test run --threads=0 --ram 50000 --slice ${{ matrix.slice }} --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+          codeql test run --threads=0 --ram 50000 --slice ${{ matrix.slice }} --search-path extractor-pack --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
         env:
           GITHUB_TOKEN: ${{ github.token }}
   unit-tests:
@@ -101,6 +101,6 @@ jobs:
           # Update existing stubs in the repo with the freshly generated ones
           mv "$STUBS_PATH/output/stubs/_frameworks" ql/test/resources/stubs/
           git status
-          codeql test run --threads=0 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
+          codeql test run --threads=0 --search-path extractor-pack --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
         env:
           GITHUB_TOKEN: ${{ github.token }}

.github/workflows/go-tests-other-os.yml

@@ -7,9 +7,6 @@ on:
       - .github/workflows/go-tests-other-os.yml
       - .github/actions/**
       - codeql-workspace.yml
-      - MODULE.bazel
-      - .bazelrc
-      - misc/bazel/**
 
 permissions:
   contents: read

.github/workflows/go-tests.yml

@@ -15,9 +15,6 @@ on:
       - .github/workflows/go-tests.yml
       - .github/actions/**
       - codeql-workspace.yml
-      - MODULE.bazel
-      - .bazelrc
-      - misc/bazel/**
 
 permissions:
   contents: read

.github/workflows/kotlin-build.yml

@@ -1,28 +0,0 @@
-name: "Kotlin Build"
-
-on:
-  pull_request:
-    paths:
-      - "java/kotlin-extractor/**"
-      - "misc/bazel/**"
-      - "misc/codegen/**"
-      - "*.bazel*"
-      - .github/workflows/kotlin-build.yml
-    branches:
-      - main
-      - rc/*
-      - codeql-cli-*
-
-permissions:
-  contents: read
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - run: |
-          bazel query //java/kotlin-extractor/...
-          # only build the default version as a quick check that we can build from `codeql`
-          # the full official build will be checked by QLucie
-          bazel build //java/kotlin-extractor

.github/workflows/ql-for-ql-build.yml

@@ -49,20 +49,20 @@ jobs:
           key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-rust-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
       - name: Release build
         if: steps.cache-extractor.outputs.cache-hit != 'true'
-        run: cd ql; ./scripts/create-extractor-pack.sh
+        run: cd ql; ./scripts/create-extractor-pack.sh       
         env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ github.token }}   
       - name: Cache compilation cache
         id: query-cache
         uses: ./.github/actions/cache-query-compilation
-        with:
+        with: 
           key: run-ql-for-ql
       - name: Make database and analyze
         run: |
           ./ql/target/release/buramu | tee deprecated.blame # Add a blame file for the extractor to parse.
-          ${CODEQL} database create -l=ql ${DB} --search-path "${{ github.workspace }}"
+          ${CODEQL} database create -l=ql --search-path ql/extractor-pack ${DB}
           ${CODEQL} database analyze -j0 --format=sarif-latest --output=ql-for-ql.sarif ${DB} ql/ql/src/codeql-suites/ql-code-scanning.qls  --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
-        env:
+        env: 
           CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
           DB: ${{ runner.temp }}/DB
           LGTM_INDEX_FILTERS: |

.github/workflows/ql-for-ql-dataset_measure.yml

@@ -53,8 +53,8 @@ jobs:
       - name: Create database
         run: |
           "${CODEQL}" database create \
-          --search-path "${{ github.workspace }}"
-          --threads 4 \
+            --search-path "ql/extractor-pack" \
+            --threads 4 \
             --language ql --source-root "${{ github.workspace }}/repo" \
             "${{ runner.temp }}/database"
         env:

.github/workflows/ql-for-ql-tests.yml

@@ -49,15 +49,15 @@ jobs:
       - name: Cache compilation cache
         id: query-cache
         uses: ./.github/actions/cache-query-compilation
-        with:
+        with: 
           key: ql-for-ql-tests
       - name: Run QL tests
         run: |
-          "${CODEQL}" test run --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --search-path "${{ github.workspace }}" --consistency-queries ql/ql/consistency-queries --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" ql/ql/test
+          "${CODEQL}" test run --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --search-path "${{ github.workspace }}/ql/extractor-pack" --consistency-queries ql/ql/consistency-queries --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" ql/ql/test
         env:
           CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
 
-  other-os:
+  other-os: 
     strategy:
       matrix:
         os: [macos-latest, windows-latest]
@@ -65,7 +65,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
-      - name: Install GNU tar
+      - name: Install GNU tar 
         if: runner.os == 'macOS'
         run: |
           brew install gnu-tar
@@ -100,7 +100,7 @@ jobs:
       - name: Run a single QL tests - Unix
         if: runner.os != 'Windows'
         run: |
-          "${CODEQL}" test run --check-databases --search-path "${{ github.workspace }}" ql/ql/test/queries/style/DeadCode/DeadCode.qlref
+          "${CODEQL}" test run --check-databases --search-path "${{ github.workspace }}/ql/extractor-pack" ql/ql/test/queries/style/DeadCode/DeadCode.qlref
         env:
           CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
       - name: Run a single QL tests - Windows
@@ -108,4 +108,5 @@ jobs:
         shell: pwsh
         run: |
           $Env:PATH += ";$(dirname ${{ steps.find-codeql.outputs.codeql-path }})"
-          codeql test run --check-databases --search-path "${{ github.workspace }}" ql/ql/test/queries/style/DeadCode/DeadCode.qlref
+          codeql test run --check-databases --search-path "${{ github.workspace }}/ql/extractor-pack" ql/ql/test/queries/style/DeadCode/DeadCode.qlref
+      

.github/workflows/ruby-build.yml

@@ -7,7 +7,6 @@ on:
       - .github/workflows/ruby-build.yml
       - .github/actions/fetch-codeql/action.yml
       - codeql-workspace.yml
-      - "shared/tree-sitter-extractor/**"
     branches:
       - main
       - "rc/*"
@@ -17,7 +16,6 @@ on:
       - .github/workflows/ruby-build.yml
       - .github/actions/fetch-codeql/action.yml
       - codeql-workspace.yml
-      - "shared/tree-sitter-extractor/**"
     branches:
       - main
       - "rc/*"

.github/workflows/ruby-dataset-measure.yml

@@ -44,7 +44,7 @@ jobs:
       - name: Create database
         run: |
           codeql database create \
-            --search-path "${{ github.workspace }}" \
+            --search-path "${{ github.workspace }}/ruby/extractor-pack" \
             --threads 4 \
             --language ruby --source-root "${{ github.workspace }}/repo" \
             "${{ runner.temp }}/database"

.github/workflows/ruby-qltest.yml

@@ -64,10 +64,10 @@ jobs:
       - name: Cache compilation cache
         id: query-cache
         uses: ./.github/actions/cache-query-compilation
-        with:
+        with: 
           key: ruby-qltest
       - name: Run QL tests
         run: |
-          codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+          codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}/ruby/extractor-pack" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
         env:
           GITHUB_TOKEN: ${{ github.token }}

.github/workflows/swift.yml

@@ -68,6 +68,21 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: ./swift/actions/run-ql-tests
+  integration-tests-linux:
+    if: github.repository_owner == 'github'
+    needs: build-and-test-linux
+    runs-on: ubuntu-latest-xl
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./swift/actions/run-integration-tests
+  integration-tests-macos:
+    if: ${{ github.repository_owner == 'github' && github.event_name == 'pull_request' }}
+    needs: build-and-test-macos
+    runs-on: macos-12-xl
+    timeout-minutes: 60
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./swift/actions/run-integration-tests
   clang-format:
     if : ${{ github.event_name == 'pull_request' }}
     runs-on: ubuntu-latest

.github/workflows/zipmerge-test.yml

@@ -1,23 +0,0 @@
-name: "Test zipmerge code"
-
-on:
-  pull_request:
-    paths:
-      - "misc/bazel/internal/zipmerge/**"
-      - "MODULE.bazel"
-      - ".bazelrc*"
-    branches:
-      - main
-      - "rc/*"
-
-permissions:
-  contents: read
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v4
-      - run: |
-          bazel test //misc/bazel/internal/zipmerge:test --test_output=all

.gitignore

@@ -62,6 +62,3 @@ node_modules/
 
 # Temporary folders for working with generated models
 .model-temp
-
-# bazel-built in-tree extractor packs
-/*/extractor-pack

.lfsconfig

@@ -2,6 +2,4 @@
 # codeql is publicly forked by many users, and we don't want any LFS file polluting their working
 # copies. We therefore exclude everything by default.
 # For files required by bazel builds, use rules in `misc/bazel/lfs.bzl` to download them on demand.
-# we go for `fetchinclude` to something not exsiting rather than `fetchexclude = *` because the
-# former is easier to override (with `git -c` or a local git config) to fetch something specific
 fetchinclude = /nothing

MODULE.bazel

@@ -13,45 +13,20 @@ local_path_override(
 
 # see https://registry.bazel.build/ for a list of available packages
 
-bazel_dep(name = "platforms", version = "0.0.10")
-bazel_dep(name = "rules_go", version = "0.48.0")
+bazel_dep(name = "platforms", version = "0.0.9")
+bazel_dep(name = "rules_go", version = "0.47.0")
 bazel_dep(name = "rules_pkg", version = "0.10.1")
-bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
-bazel_dep(name = "rules_python", version = "0.32.2")
-bazel_dep(name = "bazel_skylib", version = "1.6.1")
+bazel_dep(name = "rules_nodejs", version = "6.0.3")
+bazel_dep(name = "rules_python", version = "0.31.0")
+bazel_dep(name = "bazel_skylib", version = "1.5.0")
 bazel_dep(name = "abseil-cpp", version = "20240116.0", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "10.0.0")
-bazel_dep(name = "rules_kotlin", version = "1.9.4-codeql.1")
-bazel_dep(name = "gazelle", version = "0.37.0")
+bazel_dep(name = "gazelle", version = "0.36.0")
 bazel_dep(name = "rules_dotnet", version = "0.15.1")
-bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
-bazel_dep(name = "rules_rust", version = "0.46.0")
 
 bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
 
-crate = use_extension(
-    "@rules_rust//crate_universe:extension.bzl",
-    "crate",
-)
-crate.from_cargo(
-    name = "py_deps",
-    cargo_lockfile = "//python/extractor/tsg-python:Cargo.lock",
-    manifests = [
-        "//python/extractor/tsg-python:Cargo.toml",
-        "//python/extractor/tsg-python/tsp:Cargo.toml",
-    ],
-)
-crate.from_cargo(
-    name = "ruby_deps",
-    cargo_lockfile = "//ruby/extractor:Cargo.lock",
-    manifests = [
-        "//ruby/extractor:Cargo.toml",
-        "//ruby/extractor/codeql-extractor-fake-crate:Cargo.toml",
-    ],
-)
-use_repo(crate, "py_deps", "ruby_deps")
-
 dotnet = use_extension("@rules_dotnet//dotnet:extensions.bzl", "dotnet")
 dotnet.toolchain(dotnet_version = "8.0.101")
 use_repo(dotnet, "dotnet_toolchains")
@@ -85,92 +60,13 @@ use_repo(
 node = use_extension("@rules_nodejs//nodejs:extensions.bzl", "node")
 node.toolchain(
     name = "nodejs",
-    node_urls = [
-        "https://nodejs.org/dist/v{version}/{filename}",
-        "https://mirrors.dotsrc.org/nodejs/release/v{version}/{filename}",
-    ],
     node_version = "18.15.0",
 )
 use_repo(node, "nodejs", "nodejs_toolchains")
 
-kotlin_extractor_deps = use_extension("//java/kotlin-extractor:deps.bzl", "kotlin_extractor_deps")
-
-# following list can be kept in sync by running `bazel mod tidy` in `codeql`
-use_repo(
-    kotlin_extractor_deps,
-    "codeql_kotlin_defaults",
-    "codeql_kotlin_embeddable",
-    "kotlin-compiler-1.5.0",
-    "kotlin-compiler-1.5.10",
-    "kotlin-compiler-1.5.20",
-    "kotlin-compiler-1.5.30",
-    "kotlin-compiler-1.6.0",
-    "kotlin-compiler-1.6.20",
-    "kotlin-compiler-1.7.0",
-    "kotlin-compiler-1.7.20",
-    "kotlin-compiler-1.8.0",
-    "kotlin-compiler-1.9.0-Beta",
-    "kotlin-compiler-1.9.20-Beta",
-    "kotlin-compiler-2.0.0-RC1",
-    "kotlin-compiler-embeddable-1.5.0",
-    "kotlin-compiler-embeddable-1.5.10",
-    "kotlin-compiler-embeddable-1.5.20",
-    "kotlin-compiler-embeddable-1.5.30",
-    "kotlin-compiler-embeddable-1.6.0",
-    "kotlin-compiler-embeddable-1.6.20",
-    "kotlin-compiler-embeddable-1.7.0",
-    "kotlin-compiler-embeddable-1.7.20",
-    "kotlin-compiler-embeddable-1.8.0",
-    "kotlin-compiler-embeddable-1.9.0-Beta",
-    "kotlin-compiler-embeddable-1.9.20-Beta",
-    "kotlin-compiler-embeddable-2.0.0-RC1",
-    "kotlin-stdlib-1.5.0",
-    "kotlin-stdlib-1.5.10",
-    "kotlin-stdlib-1.5.20",
-    "kotlin-stdlib-1.5.30",
-    "kotlin-stdlib-1.6.0",
-    "kotlin-stdlib-1.6.20",
-    "kotlin-stdlib-1.7.0",
-    "kotlin-stdlib-1.7.20",
-    "kotlin-stdlib-1.8.0",
-    "kotlin-stdlib-1.9.0-Beta",
-    "kotlin-stdlib-1.9.20-Beta",
-    "kotlin-stdlib-2.0.0-RC1",
-)
-
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
 go_sdk.download(version = "1.22.2")
 
-lfs_files = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_files")
-
-lfs_files(
-    name = "ripunzip-linux",
-    srcs = ["//misc/ripunzip:ripunzip-linux"],
-    executable = True,
-)
-
-lfs_files(
-    name = "ripunzip-windows",
-    srcs = ["//misc/ripunzip:ripunzip-windows.exe"],
-    executable = True,
-)
-
-lfs_files(
-    name = "ripunzip-macos",
-    srcs = ["//misc/ripunzip:ripunzip-macos"],
-    executable = True,
-)
-
-lfs_files(
-    name = "swift-resource-dir-linux",
-    srcs = ["//swift/third_party/resource-dir:resource-dir-linux.zip"],
-)
-
-lfs_files(
-    name = "swift-resource-dir-macos",
-    srcs = ["//swift/third_party/resource-dir:resource-dir-macos.zip"],
-)
-
 register_toolchains(
     "@nodejs_toolchains//:all",
 )

codeql-workspace.yml

@@ -6,16 +6,19 @@ provide:
   - "*/ql/consistency-queries/qlpack.yml"
   - "*/ql/automodel/src/qlpack.yml"
   - "*/ql/automodel/test/qlpack.yml"
-  - "*/extractor-pack/codeql-extractor.yml"
   - "python/extractor/qlpack.yml"
   - "shared/**/qlpack.yml"
   - "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml"
   - "go/ql/config/legacy-support/qlpack.yml"
+  - "go/build/codeql-extractor-go/codeql-extractor.yml"
   - "csharp/ql/campaigns/Solorigate/lib/qlpack.yml"
   - "csharp/ql/campaigns/Solorigate/src/qlpack.yml"
   - "csharp/ql/campaigns/Solorigate/test/qlpack.yml"
   - "misc/legacy-support/*/qlpack.yml"
   - "misc/suite-helpers/qlpack.yml"
+  - "ruby/extractor-pack/codeql-extractor.yml"
+  - "swift/extractor-pack/codeql-extractor.yml"
+  - "ql/extractor-pack/codeql-extractor.yml"
   - ".github/codeql/extensions/**/codeql-pack.yml"
 
 versionPolicies:

config/identical-files.json

@@ -61,6 +61,10 @@
     "java/ql/src/utils/modelgenerator/internal/CaptureModels.qll",
     "csharp/ql/src/utils/modelgenerator/internal/CaptureModels.qll"
   ],
+  "Model as Data Generation Java/C# - CaptureModelsPrinting": [
+    "java/ql/src/utils/modelgenerator/internal/CaptureModelsPrinting.qll",
+    "csharp/ql/src/utils/modelgenerator/internal/CaptureModelsPrinting.qll"
+  ],
   "Sign Java/C#": [
     "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/Sign.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/Sign.qll"
@@ -181,6 +185,11 @@
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysisImports.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysisImports.qll"
   ],
+  "C++ IR ValueNumberingImports": [
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingImports.qll"
+  ],
   "IR SSA SSAConstruction": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll"

cpp/downgrades/BUILD.bazel

@@ -6,7 +6,7 @@ pkg_files(
         ["**"],
         exclude = ["BUILD.bazel"],
     ),
-    prefix = "downgrades",
+    prefix = "cpp/downgrades",
     strip_prefix = strip_prefix.from_pkg(),
     visibility = ["//cpp:__pkg__"],
 )

cpp/ql/lib/BUILD.bazel

@@ -5,9 +5,11 @@ package(default_visibility = ["//cpp:__pkg__"])
 pkg_files(
     name = "dbscheme",
     srcs = ["semmlecode.cpp.dbscheme"],
+    prefix = "cpp",
 )
 
 pkg_files(
     name = "dbscheme-stats",
     srcs = ["semmlecode.cpp.dbscheme.stats"],
+    prefix = "cpp",
 )

cpp/ql/lib/CHANGELOG.md

@@ -1,13 +1,3 @@
-## 1.1.0
-
-### New Features
-
-* Data models can now be added with data extensions. In this way source, sink and summary models can be added in extension `.model.yml` files, rather than by writing classes in QL code. New models should be added in the `lib/ext` folder.
-
-### Minor Analysis Improvements
-
-* A partial model for the `Boost.Asio` network library has been added. This includes sources, sinks and summaries for certain functions in `Boost.Asio`, such as `read_until` and `write`.
-
 ## 1.0.0
 
 ### Breaking Changes

cpp/ql/lib/change-notes/2024-06-10-builtin-expect.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The "Guards" library (`semmle.code.cpp.controlflow.Guards`) now also infers guards from calls to the builtin operation `__builtin_expect`. As a result, some queries may produce fewer false positives.

cpp/ql/lib/change-notes/2024-06-13-double-free.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The queries "Potential double free" (`cpp/double-free`) and "Potential use after free" (`cpp/use-after-free`) now produce fewer false positives.

cpp/ql/lib/change-notes/2024-06-20-extensible-allocation-deallocation.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* It is now possible to extend the classes `AllocationFunction` and `DeallocationFunction` via data extensions. Extensions of these classes should be added to the `lib/ext/allocation` and `lib/ext/deallocation` directories respectively.

cpp/ql/lib/change-notes/released/1.1.0.md

@@ -1,9 +0,0 @@
-## 1.1.0
-
-### New Features
-
-* Data models can now be added with data extensions. In this way source, sink and summary models can be added in extension `.model.yml` files, rather than by writing classes in QL code. New models should be added in the `lib/ext` folder.
-
-### Minor Analysis Improvements
-
-* A partial model for the `Boost.Asio` network library has been added. This includes sources, sinks and summaries for certain functions in `Boost.Asio`, such as `read_until` and `write`.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.1.0
+lastReleaseVersion: 1.0.0

cpp/ql/lib/ext/Boost.Asio.model.yml

@@ -1,26 +0,0 @@
-extensions:
-  # partial model of the Boost::Asio network library
-extensions:
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: sourceModel
-    data: # namespace, type, subtypes, name, signature, ext, output, kind, provenance
-      - ["boost::asio", "", False, "read", "", "", "Argument[*1]", "remote", "manual"]
-      - ["boost::asio", "", False, "read_at", "", "", "Argument[*2]", "remote", "manual"]
-      - ["boost::asio", "", False, "read_until", "", "", "Argument[*1]", "remote", "manual"]
-      - ["boost::asio", "", False, "async_read", "", "", "Argument[*1]", "remote", "manual"]
-      - ["boost::asio", "", False, "async_read_at", "", "", "Argument[*2]", "remote", "manual"]
-      - ["boost::asio", "", False, "async_read_until", "", "", "Argument[*1]", "remote", "manual"]
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: sinkModel
-    data: # namespace, type, subtypes, name, signature, ext, input, kind, provenance
-      - ["boost::asio", "", False, "write", "", "", "Argument[*1]", "remote-sink", "manual"]
-      - ["boost::asio", "", False, "write_at", "", "", "Argument[*2]", "remote-sink", "manual"]
-      - ["boost::asio", "", False, "async_write", "", "", "Argument[*1]", "remote-sink", "manual"]
-      - ["boost::asio", "", False, "async_write_at", "", "", "Argument[*2]", "remote-sink", "manual"]
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: summaryModel
-    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["boost::asio", "", False, "buffer", "", "", "Argument[*0]", "ReturnValue", "taint", "manual"]

cpp/ql/lib/ext/allocation/Bsd.allocation.model.yml

@@ -1,7 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: allocationFunctionModel
-    data:
-      - ["", "", False, "kmem_alloc", "0", "", "", True]
-      - ["", "", False, "kmem_zalloc", "0", "", "", True]

cpp/ql/lib/ext/allocation/Glibc.allocation.model.yml

@@ -1,7 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: allocationFunctionModel
-    data:
-      - ["", "", False, "g_malloc", "0", "", "", True]
-      - ["", "", False, "g_try_malloc", "0", "", "", True]

cpp/ql/lib/ext/allocation/OpenSSL.allocation.model.yml

@@ -1,10 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: allocationFunctionModel
-    data:
-      - ["", "", False, "CRYPTO_malloc", "0", "", "", True]
-      - ["", "", False, "CRYPTO_zalloc", "0", "", "", True]
-      - ["", "", False, "CRYPTO_secure_malloc", "0", "", "", True]
-      - ["", "", False, "CRYPTO_secure_zalloc", "0", "", "", True]
-

cpp/ql/lib/ext/allocation/Std.allocation.model.yml

@@ -1,15 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: allocationFunctionModel
-    data:
-      - ["", "", False, "malloc", "0", "", "", True]
-      - ["std", "", False, "malloc", "0", "", "", True]
-      - ["bsl", "", False, "malloc", "0", "", "", True]
-      - ["", "", False, "alloca", "0", "", "", False]
-      - ["", "", False, "__builtin_alloca", "0", "", "", False]
-      - ["", "", False, "_alloca", "0", "", "", False]
-      - ["", "", False, "_malloca", "0", "", "", False]
-      - ["", "", False, "calloc", "1", "0", "", True]
-      - ["std", "", False, "calloc", "1", "0", "", True]
-      - ["bsl", "", False, "calloc", "1", "0", "", True]

cpp/ql/lib/ext/allocation/Windows.allocation.model.yml

@@ -1,29 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: allocationFunctionModel
-    data:
-      - ["", "", False, "MmAllocateContiguousMemory", "0", "", "", True]
-      - ["", "", False, "MmAllocateContiguousNodeMemory", "0", "", "", True]
-      - ["", "", False, "MmAllocateContiguousMemorySpecifyCache", "0", "", "", True]
-      - ["", "", False, "MmAllocateContiguousMemorySpecifyCacheNode", "0", "", "", True]
-      - ["", "", False, "MmAllocateNonCachedMemory", "0", "", "", True]
-      - ["", "", False, "MmAllocateMappingAddress", "0", "", "", True]
-      - ["", "", False, "CoTaskMemAlloc", "0", "", "", True]
-      - ["", "", False, "ExAllocatePool", "1", "", "", True]
-      - ["", "", False, "ExAllocatePool2", "1", "", "", True]
-      - ["", "", False, "ExAllocatePool3", "1", "", "", True]
-      - ["", "", False, "ExAllocatePoolWithTag", "1", "", "", True]
-      - ["", "", False, "ExAllocatePoolWithTagPriority", "1", "", "", True]
-      - ["", "", False, "ExAllocatePoolWithQuota", "1", "", "", True]
-      - ["", "", False, "ExAllocatePoolWithQuotaTag", "1", "", "", True]
-      - ["", "", False, "ExAllocatePoolZero", "1", "", "", True]
-      - ["", "", False, "IoAllocateMdl", "1", "", "", True]
-      - ["", "", False, "IoAllocateErrorLogEntry", "1", "", "", True]
-      - ["", "", False, "LocalAlloc", "1", "", "", True]
-      - ["", "", False, "GlobalAlloc", "1", "", "", True]
-      - ["", "", False, "VirtualAlloc", "1", "", "", True]
-      - ["", "", False, "HeapAlloc", "2", "", "", True]
-      - ["", "", False, "MmAllocatePagesForMdl", "3", "", "", True]
-      - ["", "", False, "MmAllocatePagesForMdlEx", "3", "", "", True]
-      - ["", "", False, "MmAllocateNodePagesForMdlEx", "3", "", "", True]

cpp/ql/lib/ext/allocation/empty.allocation.model.yml

@@ -1,5 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: allocationFunctionModel
-    data: []

cpp/ql/lib/ext/deallocation/Bsd.deallocation.model.yml

@@ -1,8 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: deallocationFunctionModel
-    data:
-      - ["", "", False, "pool_put", "1"]
-      - ["", "", False, "pool_cache_put", "1"]
-      - ["", "", False, "kmem_free", "0"]

cpp/ql/lib/ext/deallocation/Std.deallocation.model.yml

@@ -1,42 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: deallocationFunctionModel
-    data:
-      - ["", "", False, "free", "0"]
-      - ["std", "", False, "free", "0"]
-      - ["bsl", "", False, "free", "0"]
-      - ["", "", False, "realloc", "0"]
-      - ["std", "", False, "realloc", "0"]
-      - ["bsl", "", False, "realloc", "0"]
-      - ["", "", False, "CRYPTO_free", "0"]
-      - ["", "", False, "CRYPTO_secure_free", "0"]
-      - ["", "", False, "g_free", "0"]
-      - ["", "", False, "ExFreePool", "0"]
-      - ["", "", False, "ExFreePoolWithTag", "0"]
-      - ["", "", False, "ExDeleteTimer", "0"]
-      - ["", "", False, "IoFreeIrp", "0"]
-      - ["", "", False, "IoFreeMdl", "0"]
-      - ["", "", False, "IoFreeErrorLogEntry", "0"]
-      - ["", "", False, "IoFreeWorkItem", "0"]
-      - ["", "", False, "MmFreeContiguousMemory", "0"]
-      - ["", "", False, "MmFreeContiguousMemorySpecifyCache", "0"]
-      - ["", "", False, "MmFreeNonCachedMemory", "0"]
-      - ["", "", False, "MmFreeMappingAddress", "0"]
-      - ["", "", False, "MmFreePagesFromMdl", "0"]
-      - ["", "", False, "MmUnmapReservedMapping", "0"]
-      - ["", "", False, "MmUnmapLockedPages", "0"]
-      - ["", "", False, "NdisFreeGenericObject", "0"]
-      - ["", "", False, "NdisFreeMemory", "0"]
-      - ["", "", False, "NdisFreeMemoryWithTag", "0"]
-      - ["", "", False, "NdisFreeMdl", "0"]
-      - ["", "", False, "NdisFreeNetBufferListPool", "0"]
-      - ["", "", False, "NdisFreeNetBufferPool", "0"]
-      - ["", "", False, "LocalFree", "0"]
-      - ["", "", False, "GlobalFree", "0"]
-      - ["", "", False, "LocalReAlloc", "0"]
-      - ["", "", False, "GlobalReAlloc", "0"]
-      - ["", "", False, "VirtualFree", "0"]
-      - ["", "", False, "CoTaskMemFree", "0"]
-      - ["", "", False, "CoTaskMemRealloc", "0"]
-      - ["", "", False, "SysFreeString", "0"]

cpp/ql/lib/ext/deallocation/Windows.deallocation.model.yml

@@ -1,41 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: deallocationFunctionModel
-    data:
-      - ["", "", False, "ExFreePool", "0"]
-      - ["", "", False, "ExFreePoolWithTag", "0"]
-      - ["", "", False, "ExDeleteTimer", "0"]
-      - ["", "", False, "IoFreeIrp", "0"]
-      - ["", "", False, "IoFreeMdl", "0"]
-      - ["", "", False, "IoFreeErrorLogEntry", "0"]
-      - ["", "", False, "IoFreeWorkItem", "0"]
-      - ["", "", False, "MmFreeContiguousMemory", "0"]
-      - ["", "", False, "MmFreeContiguousMemorySpecifyCache", "0"]
-      - ["", "", False, "MmFreeNonCachedMemory", "0"]
-      - ["", "", False, "MmFreeMappingAddress", "0"]
-      - ["", "", False, "MmFreePagesFromMdl", "0"]
-      - ["", "", False, "MmUnmapReservedMapping", "0"]
-      - ["", "", False, "MmUnmapLockedPages", "0"]
-      - ["", "", False, "NdisFreeGenericObject", "0"]
-      - ["", "", False, "NdisFreeMemory", "0"]
-      - ["", "", False, "NdisFreeMemoryWithTag", "0"]
-      - ["", "", False, "NdisFreeMdl", "0"]
-      - ["", "", False, "NdisFreeNetBufferListPool", "0"]
-      - ["", "", False, "NdisFreeNetBufferPool", "0"]
-      - ["", "", False, "LocalFree", "0"]
-      - ["", "", False, "GlobalFree", "0"]
-      - ["", "", False, "LocalReAlloc", "0"]
-      - ["", "", False, "GlobalReAlloc", "0"]
-      - ["", "", False, "VirtualFree", "0"]
-      - ["", "", False, "CoTaskMemFree", "0"]
-      - ["", "", False, "CoTaskMemRealloc", "0"]
-      - ["", "", False, "SysFreeString", "0"]
-      - ["", "", False, "ExFreeToLookasideListEx", "1"]
-      - ["", "", False, "ExFreeToPagedLookasideList", "1"]
-      - ["", "", False, "ExFreeToNPagedLookasideList", "1"]
-      - ["", "", False, "NdisFreeMemoryWithTagPriority", "1"]
-      - ["", "", False, "StorPortFreeMdl", "1"]
-      - ["", "", False, "StorPortFreePool", "1"]
-      - ["", "", False, "HeapFree", "2"]
-      - ["", "", False, "HeapReAlloc", "2"]

cpp/ql/lib/ext/deallocation/empty.deallocation.model.yml

@@ -1,5 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: deallocationFunctionModel
-    data: []

cpp/ql/lib/ext/empty.model.yml

@@ -1,15 +0,0 @@
-extensions:
-  # Make sure that the extensible model predicates have at least one definition
-  # to avoid errors about undefined extensionals.
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: sourceModel
-    data: []
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: sinkModel
-    data: []
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: summaryModel
-    data: []

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 1.1.1-dev
+version: 1.0.0
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
@@ -14,8 +14,4 @@ dependencies:
   codeql/tutorial: ${workspace}
   codeql/util: ${workspace}
   codeql/xml: ${workspace}
-dataExtensions:
-  - ext/*.model.yml
-  - ext/deallocation/*.model.yml
-  - ext/allocation/*.model.yml
 warnOnImplicitThis: true

cpp/ql/lib/semmle/code/cpp/Variable.qll

@@ -410,10 +410,6 @@ class LocalVariable extends LocalScopeVariable, @localvariable {
     or
     orphaned_variables(underlyingElement(this), unresolveElement(result))
   }
-
-  override predicate isStatic() {
-    super.isStatic() or orphaned_variables(underlyingElement(this), _)
-  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll

@@ -375,33 +375,6 @@ cached
 class IRGuardCondition extends Instruction {
   Instruction branch;
 
-  /*
-   * An `IRGuardCondition` supports reasoning about four different kinds of
-   * relations:
-   * 1. A unary equality relation of the form `e == k`
-   * 2. A binary equality relation of the form `e1 == e2 + k`
-   * 3. A unary inequality relation of the form `e < k`
-   * 4. A binary inequality relation of the form `e1 < e2 + k`
-   *
-   * where `k` is a constant.
-   *
-   * Furthermore, the unary relations (i.e., case 1 and case 3) are also
-   * inferred from `switch` statement guards: equality relations are inferred
-   * from the unique `case` statement, if any, and inequality relations are
-   * inferred from the [case range](https://gcc.gnu.org/onlinedocs/gcc/Case-Ranges.html)
-   * gcc extension.
-   *
-   * The implementation of all four follows the same structure: Each relation
-   * has a cached user-facing predicate that. For example,
-   * `GuardCondition::comparesEq` calls `compares_eq`. This predicate has
-   * several cases that recursively decompose the relation to bring it to a
-   * canonical form (i.e., a relation of the form `e1 == e2 + k`). The base
-   * case for this relation (i.e., `simple_comparison_eq`) handles
-   * `CompareEQInstruction`s and `CompareNEInstruction`, and recursive
-   * predicates (e.g., `complex_eq`) rewrites larger expressions such as
-   * `e1 + k1 == e2 + k2` into canonical the form `e1 == e2 + (k2 - k1)`.
-   */
-
   cached
   IRGuardCondition() { branch = getBranchForCondition(this) }
 
@@ -762,8 +735,6 @@ private predicate compares_eq(
   exists(AbstractValue dual | value = dual.getDualValue() |
     compares_eq(test.(LogicalNotInstruction).getUnary(), left, right, k, areEqual, dual)
   )
-  or
-  compares_eq(test.(BuiltinExpectCallInstruction).getCondition(), left, right, k, areEqual, value)
 }
 
 /**
@@ -805,9 +776,7 @@ private predicate unary_compares_eq(
   Instruction test, Operand op, int k, boolean areEqual, boolean inNonZeroCase, AbstractValue value
 ) {
   /* The simple case where the test *is* the comparison so areEqual = testIsTrue xor eq. */
-  exists(AbstractValue v |
-    unary_simple_comparison_eq(test, k, inNonZeroCase, v) and op.getDef() = test
-  |
+  exists(AbstractValue v | unary_simple_comparison_eq(test, op, k, inNonZeroCase, v) |
     areEqual = true and value = v
     or
     areEqual = false and value = v.getDualValue()
@@ -833,9 +802,6 @@ private predicate unary_compares_eq(
     int_value(const) = k1 and
     k = k1 + k2
   )
-  or
-  unary_compares_eq(test.(BuiltinExpectCallInstruction).getCondition(), op, k, areEqual,
-    inNonZeroCase, value)
 }
 
 /** Rearrange various simple comparisons into `left == right + k` form. */
@@ -855,55 +821,45 @@ private predicate simple_comparison_eq(
   value.(BooleanValue).getValue() = false
 }
 
+/**
+ * Holds if `test` is an instruction that is part of test that eventually is
+ * used in a conditional branch.
+ */
+private predicate relevantUnaryComparison(Instruction test) {
+  not test instanceof CompareInstruction and
+  exists(IRType type, ConditionalBranchInstruction branch |
+    type instanceof IRAddressType or type instanceof IRIntegerType
+  |
+    type = test.getResultIRType() and
+    branch.getCondition() = test
+  )
+  or
+  exists(LogicalNotInstruction logicalNot |
+    relevantUnaryComparison(logicalNot) and
+    test = logicalNot.getUnary()
+  )
+}
+
 /**
  * Rearrange various simple comparisons into `op == k` form.
  */
 private predicate unary_simple_comparison_eq(
-  Instruction test, int k, boolean inNonZeroCase, AbstractValue value
+  Instruction test, Operand op, int k, boolean inNonZeroCase, AbstractValue value
 ) {
   exists(SwitchInstruction switch, CaseEdge case |
     test = switch.getExpression() and
+    op.getDef() = test and
     case = value.(MatchValue).getCase() and
     exists(switch.getSuccessor(case)) and
     case.getValue().toInt() = k and
     inNonZeroCase = false
   )
   or
-  // Any instruction with an integral type could potentially be part of a
-  // check for nullness when used in a guard. So we include all integral
-  // typed instructions here. However, since some of these instructions are
-  // already included as guards in other cases, we exclude those here.
-  // These are instructions that compute a binary equality or inequality
-  // relation. For example, the following:
-  // ```cpp
-  // if(a == b + 42) { ... }
-  // ```
-  // generates the following IR:
-  // ```
-  // r1(glval<int>) = VariableAddress[a]     :
-  // r2(int)        = Load[a]                : &:r1, m1
-  // r3(glval<int>) = VariableAddress[b]     :
-  // r4(int)        = Load[b]                : &:r3, m2
-  // r5(int)        = Constant[42]           :
-  // r6(int)        = Add                    : r4, r5
-  // r7(bool)       = CompareEQ              : r2, r6
-  // v1(void)       = ConditionalBranch      : r7
-  // ```
-  // and since `r7` is an integral typed instruction this predicate could
-  // include a case for when `r7` evaluates to true (in which case we would
-  // infer that `r6` was non-zero, and a case for when `r7` evaluates to false
-  // (in which case we would infer that `r6` was zero).
-  // However, since `a == b + 42` is already supported when reasoning about
-  // binary equalities we exclude those cases here.
-  not test.isGLValue() and
-  not simple_comparison_eq(test, _, _, _, _) and
-  not simple_comparison_lt(test, _, _, _) and
-  not test = any(SwitchInstruction switch).getExpression() and
-  (
-    test.getResultIRType() instanceof IRAddressType or
-    test.getResultIRType() instanceof IRIntegerType or
-    test.getResultIRType() instanceof IRBooleanType
-  ) and
+  // There's no implicit CompareInstruction in files compiled as C since C
+  // doesn't have implicit boolean conversions. So instead we check whether
+  // there's a branch on a value of pointer or integer type.
+  relevantUnaryComparison(test) and
+  op.getDef() = test and
   (
     k = 1 and
     value.(BooleanValue).getValue() = true and
@@ -915,68 +871,12 @@ private predicate unary_simple_comparison_eq(
   )
 }
 
-/** A call to the builtin operation `__builtin_expect`. */
-private class BuiltinExpectCallInstruction extends CallInstruction {
-  BuiltinExpectCallInstruction() { this.getStaticCallTarget().hasName("__builtin_expect") }
-
-  /** Gets the condition of this call. */
-  Instruction getCondition() {
-    // The first parameter of `__builtin_expect` has type `long`. So we skip
-    // the conversion when inferring guards.
-    result = this.getArgument(0).(ConvertInstruction).getUnary()
-  }
-}
-
-/**
- * Holds if `left == right + k` is `areEqual` if `cmp` evaluates to `value`,
- * and `cmp` is an instruction that compares the value of
- * `__builtin_expect(left == right + k, _)` to `0`.
- */
-private predicate builtin_expect_eq(
-  CompareInstruction cmp, Operand left, Operand right, int k, boolean areEqual, AbstractValue value
-) {
-  exists(BuiltinExpectCallInstruction call, Instruction const, AbstractValue innerValue |
-    int_value(const) = 0 and
-    cmp.hasOperands(call.getAUse(), const.getAUse()) and
-    compares_eq(call.getCondition(), left, right, k, areEqual, innerValue)
-  |
-    cmp instanceof CompareNEInstruction and
-    value = innerValue
-    or
-    cmp instanceof CompareEQInstruction and
-    value.getDualValue() = innerValue
-  )
-}
-
 private predicate complex_eq(
   CompareInstruction cmp, Operand left, Operand right, int k, boolean areEqual, AbstractValue value
 ) {
   sub_eq(cmp, left, right, k, areEqual, value)
   or
   add_eq(cmp, left, right, k, areEqual, value)
-  or
-  builtin_expect_eq(cmp, left, right, k, areEqual, value)
-}
-
-/**
- * Holds if `op == k` is `areEqual` if `cmp` evaluates to `value`, and `cmp` is
- * an instruction that compares the value of `__builtin_expect(op == k, _)` to `0`.
- */
-private predicate unary_builtin_expect_eq(
-  CompareInstruction cmp, Operand op, int k, boolean areEqual, boolean inNonZeroCase,
-  AbstractValue value
-) {
-  exists(BuiltinExpectCallInstruction call, Instruction const, AbstractValue innerValue |
-    int_value(const) = 0 and
-    cmp.hasOperands(call.getAUse(), const.getAUse()) and
-    unary_compares_eq(call.getCondition(), op, k, areEqual, inNonZeroCase, innerValue)
-  |
-    cmp instanceof CompareNEInstruction and
-    value = innerValue
-    or
-    cmp instanceof CompareEQInstruction and
-    value.getDualValue() = innerValue
-  )
 }
 
 private predicate unary_complex_eq(
@@ -985,8 +885,6 @@ private predicate unary_complex_eq(
   unary_sub_eq(test, op, k, areEqual, inNonZeroCase, value)
   or
   unary_add_eq(test, op, k, areEqual, inNonZeroCase, value)
-  or
-  unary_builtin_expect_eq(test, op, k, areEqual, inNonZeroCase, value)
 }
 
 /*
@@ -1015,8 +913,7 @@ private predicate compares_lt(
 
 /** Holds if `op < k` evaluates to `isLt` given that `test` evaluates to `value`. */
 private predicate compares_lt(Instruction test, Operand op, int k, boolean isLt, AbstractValue value) {
-  unary_simple_comparison_lt(test, k, isLt, value) and
-  op.getDef() = test
+  simple_comparison_lt(test, op, k, isLt, value)
   or
   complex_lt(test, op, k, isLt, value)
   or
@@ -1063,11 +960,12 @@ private predicate simple_comparison_lt(CompareInstruction cmp, Operand left, Ope
 }
 
 /** Rearrange various simple comparisons into `op < k` form. */
-private predicate unary_simple_comparison_lt(
-  Instruction test, int k, boolean isLt, AbstractValue value
+private predicate simple_comparison_lt(
+  Instruction test, Operand op, int k, boolean isLt, AbstractValue value
 ) {
   exists(SwitchInstruction switch, CaseEdge case |
     test = switch.getExpression() and
+    op.getDef() = test and
     case = value.(MatchValue).getCase() and
     exists(switch.getSuccessor(case)) and
     case.getMaxValue() > case.getMinValue()

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -78,7 +78,6 @@ private import internal.FlowSummaryImpl
 private import internal.FlowSummaryImpl::Public
 private import internal.FlowSummaryImpl::Private
 private import internal.FlowSummaryImpl::Private::External
-private import internal.ExternalFlowExtensions as Extensions
 private import codeql.mad.ModelValidation as SharedModelVal
 private import codeql.util.Unit
 
@@ -139,9 +138,6 @@ predicate sourceModel(
     row.splitAt(";", 7) = kind
   ) and
   provenance = "manual"
-  or
-  Extensions::sourceModel(namespace, type, subtypes, name, signature, ext, output, kind, provenance,
-    _)
 }
 
 /** Holds if a sink model exists for the given parameters. */
@@ -162,8 +158,6 @@ predicate sinkModel(
     row.splitAt(";", 7) = kind
   ) and
   provenance = "manual"
-  or
-  Extensions::sinkModel(namespace, type, subtypes, name, signature, ext, input, kind, provenance, _)
 }
 
 /** Holds if a summary model exists for the given parameters. */
@@ -185,9 +179,6 @@ predicate summaryModel(
     row.splitAt(";", 8) = kind
   ) and
   provenance = "manual"
-  or
-  Extensions::summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind,
-    provenance, _)
 }
 
 private predicate relevantNamespace(string namespace) {
@@ -212,10 +203,8 @@ private predicate canonicalNamespaceLink(string namespace, string subns) {
 }
 
 /**
- * Holds if MaD framework coverage of `namespace` is `n` api endpoints of the
- * kind `(kind, part)`, and `namespaces` is the number of subnamespaces of
- * `namespace` which have MaD framework coverage (including `namespace`
- * itself).
+ * Holds if CSV framework coverage of `namespace` is `n` api endpoints of the
+ * kind `(kind, part)`.
  */
 predicate modelCoverage(string namespace, int namespaces, string kind, string part, int n) {
   namespaces = strictcount(string subns | canonicalNamespaceLink(namespace, subns)) and
@@ -332,10 +321,10 @@ module CsvValidation {
       or
       summaryModel(namespace, type, _, name, signature, ext, _, _, _, _) and pred = "summary"
     |
-      not namespace.regexpMatch("[a-zA-Z0-9_\\.:]*") and
+      not namespace.regexpMatch("[a-zA-Z0-9_\\.]+") and
       result = "Dubious namespace \"" + namespace + "\" in " + pred + " model."
       or
-      not type.regexpMatch("[a-zA-Z0-9_<>,\\+]*") and
+      not type.regexpMatch("[a-zA-Z0-9_<>,\\+]+") and
       result = "Dubious type \"" + type + "\" in " + pred + " model."
       or
       not name.regexpMatch("[a-zA-Z0-9_<>,]*") and

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll

@@ -216,7 +216,7 @@ predicate localMustFlowStep(Node node1, Node node2) { none() }
 
 /** Gets the type of `n` used for type pruning. */
 Type getNodeType(Node n) {
-  exists(n) and
+  suppressUnusedNode(n) and
   result instanceof VoidType // stub implementation
 }
 
@@ -227,10 +227,13 @@ string ppReprType(Type t) { none() } // stub implementation
  * Holds if `t1` and `t2` are compatible, that is, whether data can flow from
  * a node of type `t1` to a node of type `t2`.
  */
+pragma[inline]
 predicate compatibleTypes(Type t1, Type t2) {
-  t1 instanceof VoidType and t2 instanceof VoidType // stub implementation
+  any() // stub implementation
 }
 
+private predicate suppressUnusedNode(Node n) { any() }
+
 //////////////////////////////////////////////////////////////////////////////
 // Java QL library compatibility wrappers
 //////////////////////////////////////////////////////////////////////////////

cpp/ql/lib/semmle/code/cpp/dataflow/internal/ExternalFlowExtensions.qll

@@ -1,27 +0,0 @@
-/**
- * This module provides extensible predicates for defining MaD models.
- */
-
-/**
- * Holds if an external source model exists for the given parameters.
- */
-extensible predicate sourceModel(
-  string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string output, string kind, string provenance, QlBuiltins::ExtensionId madId
-);
-
-/**
- * Holds if an external sink model exists for the given parameters.
- */
-extensible predicate sinkModel(
-  string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string input, string kind, string provenance, QlBuiltins::ExtensionId madId
-);
-
-/**
- * Holds if an external summary model exists for the given parameters.
- */
-extensible predicate summaryModel(
-  string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string input, string output, string kind, string provenance, QlBuiltins::ExtensionId madId
-);

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -988,7 +988,7 @@ predicate localMustFlowStep(Node node1, Node node2) { none() }
 
 /** Gets the type of `n` used for type pruning. */
 DataFlowType getNodeType(Node n) {
-  exists(n) and
+  suppressUnusedNode(n) and
   result instanceof VoidType // stub implementation
 }
 
@@ -999,10 +999,13 @@ string ppReprType(DataFlowType t) { none() } // stub implementation
  * Holds if `t1` and `t2` are compatible, that is, whether data can flow from
  * a node of type `t1` to a node of type `t2`.
  */
+pragma[inline]
 predicate compatibleTypes(DataFlowType t1, DataFlowType t2) {
-  t1 instanceof VoidType and t2 instanceof VoidType // stub implementation
+  any() // stub implementation
 }
 
+private predicate suppressUnusedNode(Node n) { any() }
+
 //////////////////////////////////////////////////////////////////////////////
 // Java QL library compatibility wrappers
 //////////////////////////////////////////////////////////////////////////////
@@ -1333,8 +1336,6 @@ predicate nodeIsHidden(Node n) {
   n instanceof FinalGlobalValue
   or
   n instanceof InitialGlobalValue
-  or
-  n instanceof SsaPhiInputNode
 }
 
 predicate neverSkipInPathGraph(Node n) {
@@ -1633,8 +1634,6 @@ private Instruction getAnInstruction(Node n) {
   or
   result = n.(SsaPhiNode).getPhiNode().getBasicBlock().getFirstInstruction()
   or
-  result = n.(SsaPhiInputNode).getBasicBlock().getFirstInstruction()
-  or
   n.(IndirectInstruction).hasInstructionAndIndirectionIndex(result, _)
   or
   not n instanceof IndirectInstruction and
@@ -1764,7 +1763,7 @@ module IteratorFlow {
         crementCall = def.getValue().asInstruction().(StoreInstruction).getSourceValue() and
         sv = def.getSourceVariable() and
         bb.getInstruction(i) = crementCall and
-        Ssa::ssaDefReachesReadExt(sv, result.asDef(), bb, i)
+        Ssa::ssaDefReachesRead(sv, result.asDef(), bb, i)
       )
     }
 
@@ -1798,7 +1797,7 @@ module IteratorFlow {
         isIteratorWrite(writeToDeref, address) and
         operandForFullyConvertedCall(address, starCall) and
         bbStar.getInstruction(iStar) = starCall and
-        Ssa::ssaDefReachesReadExt(_, def.asDef(), bbStar, iStar) and
+        Ssa::ssaDefReachesRead(_, def.asDef(), bbStar, iStar) and
         ultimate = getAnUltimateDefinition*(def) and
         beginStore = ultimate.getValue().asInstruction() and
         operandForFullyConvertedCall(beginStore.getSourceValueOperand(), beginCall)

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -17,7 +17,6 @@ private import SsaInternals as Ssa
 private import DataFlowImplCommon as DataFlowImplCommon
 private import codeql.util.Unit
 private import Node0ToString
-import ExprNodes
 
 /**
  * The IR dataflow graph consists of the following nodes:
@@ -46,7 +45,6 @@ private newtype TIRDataFlowNode =
     or
     Ssa::isModifiableByCall(operand, indirectionIndex)
   } or
-  TSsaPhiInputNode(Ssa::PhiNode phi, IRBlock input) { phi.hasInputFromBlock(_, _, _, _, input) } or
   TSsaPhiNode(Ssa::PhiNode phi) or
   TSsaIteratorNode(IteratorFlow::IteratorFlowNode n) or
   TRawIndirectOperand0(Node0Impl node, int indirectionIndex) {
@@ -116,13 +114,6 @@ predicate conversionFlow(
       instrTo.(CheckedConvertOrNullInstruction).getUnaryOperand() = opFrom
       or
       instrTo.(InheritanceConversionInstruction).getUnaryOperand() = opFrom
-      or
-      exists(BuiltInInstruction builtIn |
-        builtIn = instrTo and
-        // __builtin_bit_cast
-        builtIn.getBuiltInOperation() instanceof BuiltInBitCast and
-        opFrom = builtIn.getAnOperand()
-      )
     )
     or
     additional = true and
@@ -167,12 +158,6 @@ class Node extends TIRDataFlowNode {
   /** Gets the operands corresponding to this node, if any. */
   Operand asOperand() { result = this.(OperandNode).getOperand() }
 
-  /**
-   * Gets the operand that is indirectly tracked by this node behind `index`
-   * number of indirections.
-   */
-  Operand asIndirectOperand(int index) { hasOperandAndIndex(this, result, index) }
-
   /**
    * Holds if this node is at index `i` in basic block `block`.
    *
@@ -185,9 +170,6 @@ class Node extends TIRDataFlowNode {
     or
     this.(SsaPhiNode).getPhiNode().getBasicBlock() = block and i = -1
     or
-    this.(SsaPhiInputNode).getBlock() = block and
-    i = block.getInstructionCount()
-    or
     this.(RawIndirectOperand).getOperand().getUse() = block.getInstruction(i)
     or
     this.(RawIndirectInstruction).getInstruction() = block.getInstruction(i)
@@ -640,7 +622,7 @@ class SsaPhiNode extends Node, TSsaPhiNode {
 
   final override Location getLocationImpl() { result = phi.getBasicBlock().getLocation() }
 
-  override string toStringImpl() { result = phi.toString() }
+  override string toStringImpl() { result = "Phi" }
 
   /**
    * Gets a node that is used as input to this phi node.
@@ -649,7 +631,7 @@ class SsaPhiNode extends Node, TSsaPhiNode {
    */
   cached
   final Node getAnInput(boolean fromBackEdge) {
-    result.(SsaPhiInputNode).getPhiNode() = phi and
+    localFlowStep(result, this) and
     exists(IRBlock bPhi, IRBlock bResult |
       bPhi = phi.getBasicBlock() and bResult = result.getBasicBlock()
     |
@@ -672,58 +654,6 @@ class SsaPhiNode extends Node, TSsaPhiNode {
   predicate isPhiRead() { phi.isPhiRead() }
 }
 
-/**
- * INTERNAL: Do not use.
- *
- * A node that is used as an input to a phi node.
- *
- * This class exists to allow more powerful barrier guards. Consider this
- * example:
- *
- * ```cpp
- * int x = source();
- * if(!safe(x)) {
- *   x = clear();
- * }
- * // phi node for x here
- * sink(x);
- * ```
- *
- * At the phi node for `x` it is neither the case that `x` is dominated by
- * `safe(x)`, or is the case that the phi is dominated by a clearing of `x`.
- *
- * By inserting a "phi input" node as the last entry in the basic block that
- * defines the inputs to the phi we can conclude that each of those inputs are
- * safe to pass to `sink`.
- */
-class SsaPhiInputNode extends Node, TSsaPhiInputNode {
-  Ssa::PhiNode phi;
-  IRBlock block;
-
-  SsaPhiInputNode() { this = TSsaPhiInputNode(phi, block) }
-
-  /** Gets the phi node associated with this node. */
-  Ssa::PhiNode getPhiNode() { result = phi }
-
-  /** Gets the basic block in which this input originates. */
-  IRBlock getBlock() { result = block }
-
-  override Declaration getEnclosingCallable() { result = this.getFunction() }
-
-  override Declaration getFunction() { result = phi.getBasicBlock().getEnclosingFunction() }
-
-  override DataFlowType getType() { result = this.getSourceVariable().getType() }
-
-  override predicate isGLValue() { phi.getSourceVariable().isGLValue() }
-
-  final override Location getLocationImpl() { result = block.getLastInstruction().getLocation() }
-
-  override string toStringImpl() { result = "Phi input" }
-
-  /** Gets the source variable underlying this phi node. */
-  Ssa::SourceVariable getSourceVariable() { result = phi.getSourceVariable() }
-}
-
 /**
  * INTERNAL: do not use.
  *
@@ -1297,6 +1227,466 @@ class UninitializedNode extends Node {
   LocalVariable getLocalVariable() { result = v }
 }
 
+private module GetConvertedResultExpression {
+  private import semmle.code.cpp.ir.implementation.raw.internal.TranslatedExpr
+  private import semmle.code.cpp.ir.implementation.raw.internal.InstructionTag
+
+  private Operand getAnInitializeDynamicAllocationInstructionAddress() {
+    result = any(InitializeDynamicAllocationInstruction init).getAllocationAddressOperand()
+  }
+
+  /**
+   * Gets the expression that should be returned as the result expression from `instr`.
+   *
+   * Note that this predicate may return multiple results in cases where a conversion belongs to a
+   * different AST element than its operand.
+   */
+  Expr getConvertedResultExpression(Instruction instr, int n) {
+    // Only fully converted instructions have a result for `asConvertedExpr`
+    not conversionFlow(unique(Operand op |
+        // The address operand of a `InitializeDynamicAllocationInstruction` is
+        // special: we need to handle it during dataflow (since it's
+        // effectively a store to an indirection), but it doesn't appear in
+        // source syntax, so dataflow node <-> expression conversion shouldn't
+        // care about it.
+        op = getAUse(instr) and not op = getAnInitializeDynamicAllocationInstructionAddress()
+      |
+        op
+      ), _, false, false) and
+    result = getConvertedResultExpressionImpl(instr) and
+    n = 0
+    or
+    // If the conversion also has a result then we return multiple results
+    exists(Operand operand | conversionFlow(operand, instr, false, false) |
+      n = 1 and
+      result = getConvertedResultExpressionImpl(operand.getDef())
+      or
+      result = getConvertedResultExpression(operand.getDef(), n - 1)
+    )
+  }
+
+  private Expr getConvertedResultExpressionImpl0(Instruction instr) {
+    // IR construction inserts an additional cast to a `size_t` on the extent
+    // of a `new[]` expression. The resulting `ConvertInstruction` doesn't have
+    // a result for `getConvertedResultExpression`. We remap this here so that
+    // this `ConvertInstruction` maps to the result of the expression that
+    // represents the extent.
+    exists(TranslatedNonConstantAllocationSize tas |
+      result = tas.getExtent().getExpr() and
+      instr = tas.getInstruction(AllocationExtentConvertTag())
+    )
+    or
+    // There's no instruction that returns `ParenthesisExpr`, but some queries
+    // expect this
+    exists(TranslatedTransparentConversion ttc |
+      result = ttc.getExpr().(ParenthesisExpr) and
+      instr = ttc.getResult()
+    )
+    or
+    // Certain expressions generate `CopyValueInstruction`s only when they
+    // are needed. Examples of this include crement operations and compound
+    // assignment operations. For example:
+    // ```cpp
+    // int x = ...
+    // int y = x++;
+    // ```
+    // this generate IR like:
+    // ```
+    // r1(glval<int>) = VariableAddress[x] :
+    // r2(int)        = Constant[0]        :
+    // m3(int)        = Store[x]           : &:r1, r2
+    // r4(glval<int>) = VariableAddress[y] :
+    // r5(glval<int>) = VariableAddress[x] :
+    // r6(int)        = Load[x]            : &:r5, m3
+    // r7(int)        = Constant[1]        :
+    // r8(int)        = Add                : r6, r7
+    // m9(int)        = Store[x]           : &:r5, r8
+    // r11(int)       = CopyValue         : r6
+    // m12(int)       = Store[y]          : &:r4, r11
+    // ```
+    // When the `CopyValueInstruction` is not generated there is no instruction
+    // whose `getConvertedResultExpression` maps back to the expression. When
+    // such an instruction doesn't exist it means that the old value is not
+    // needed, and in that case the only value that will propagate forward in
+    // the program is the value that's been updated. So in those cases we just
+    // use the result of `node.asDefinition()` as the result of `node.asExpr()`.
+    exists(TranslatedCoreExpr tco |
+      tco.getInstruction(_) = instr and
+      tco.producesExprResult() and
+      result = asDefinitionImpl0(instr)
+    )
+  }
+
+  private Expr getConvertedResultExpressionImpl(Instruction instr) {
+    result = getConvertedResultExpressionImpl0(instr)
+    or
+    not exists(getConvertedResultExpressionImpl0(instr)) and
+    result = instr.getConvertedResultExpression()
+  }
+
+  /**
+   * Gets the result for `node.asDefinition()` (when `node` is the instruction
+   * node that wraps `store`) in the cases where `store.getAst()` should not be
+   * used to define the result of `node.asDefinition()`.
+   */
+  private Expr asDefinitionImpl0(StoreInstruction store) {
+    // For an expression such as `i += 2` we pretend that the generated
+    // `StoreInstruction` contains the result of the expression even though
+    // this isn't totally aligned with the C/C++ standard.
+    exists(TranslatedAssignOperation tao |
+      store = tao.getInstruction(AssignmentStoreTag()) and
+      result = tao.getExpr()
+    )
+    or
+    // Similarly for `i++` and `++i` we pretend that the generated
+    // `StoreInstruction` is contains the result of the expression even though
+    // this isn't totally aligned with the C/C++ standard.
+    exists(TranslatedCrementOperation tco |
+      store = tco.getInstruction(CrementStoreTag()) and
+      result = tco.getExpr()
+    )
+  }
+
+  /**
+   * Holds if the expression returned by `store.getAst()` should not be
+   * returned as the result of `node.asDefinition()` when `node` is the
+   * instruction node that wraps `store`.
+   */
+  private predicate excludeAsDefinitionResult(StoreInstruction store) {
+    // Exclude the store to the temporary generated by a ternary expression.
+    exists(TranslatedConditionalExpr tce |
+      store = tce.getInstruction(ConditionValueFalseStoreTag())
+      or
+      store = tce.getInstruction(ConditionValueTrueStoreTag())
+    )
+  }
+
+  /**
+   * Gets the expression that represents the result of `StoreInstruction` for
+   * dataflow purposes.
+   *
+   * For example, consider the following example
+   * ```cpp
+   * int x = 42;     // 1
+   * x = 34;         // 2
+   * ++x;            // 3
+   * x++;            // 4
+   * x += 1;         // 5
+   * int y = x += 2; // 6
+   * ```
+   * For (1) the result is `42`.
+   * For (2) the result is `x = 34`.
+   * For (3) the result is `++x`.
+   * For (4) the result is `x++`.
+   * For (5) the result is `x += 1`.
+   * For (6) there are two results:
+   *   - For the `StoreInstruction` generated by `x += 2` the result
+   *     is `x += 2`
+   *   - For the `StoreInstruction` generated by `int y = ...` the result
+   *     is also `x += 2`
+   */
+  Expr asDefinitionImpl(StoreInstruction store) {
+    not exists(asDefinitionImpl0(store)) and
+    not excludeAsDefinitionResult(store) and
+    result = store.getAst().(Expr).getUnconverted()
+    or
+    result = asDefinitionImpl0(store)
+  }
+}
+
+private import GetConvertedResultExpression
+
+/** Holds if `node` is an `OperandNode` that should map `node.asExpr()` to `e`. */
+predicate exprNodeShouldBeOperand(OperandNode node, Expr e, int n) {
+  not exprNodeShouldBeIndirectOperand(_, e, n) and
+  exists(Instruction def |
+    unique( | | getAUse(def)) = node.getOperand() and
+    e = getConvertedResultExpression(def, n)
+  )
+}
+
+/** Holds if `node` should be an `IndirectOperand` that maps `node.asIndirectExpr()` to `e`. */
+private predicate indirectExprNodeShouldBeIndirectOperand(
+  IndirectOperand node, Expr e, int n, int indirectionIndex
+) {
+  exists(Instruction def |
+    node.hasOperandAndIndirectionIndex(unique( | | getAUse(def)), indirectionIndex) and
+    e = getConvertedResultExpression(def, n)
+  )
+}
+
+/** Holds if `node` should be an `IndirectOperand` that maps `node.asExpr()` to `e`. */
+private predicate exprNodeShouldBeIndirectOperand(IndirectOperand node, Expr e, int n) {
+  exists(ArgumentOperand operand |
+    // When an argument (qualifier or positional) is a prvalue and the
+    // parameter (qualifier or positional) is a (const) reference, IR
+    // construction introduces a temporary `IRVariable`. The `VariableAddress`
+    // instruction has the argument as its `getConvertedResultExpression`
+    // result. However, the instruction actually represents the _address_ of
+    // the argument. So to fix this mismatch, we have the indirection of the
+    // `VariableAddressInstruction` map to the expression.
+    node.hasOperandAndIndirectionIndex(operand, 1) and
+    e = getConvertedResultExpression(operand.getDef(), n) and
+    operand.getDef().(VariableAddressInstruction).getIRVariable() instanceof IRTempVariable
+  )
+}
+
+private predicate exprNodeShouldBeIndirectOutNode(IndirectArgumentOutNode node, Expr e, int n) {
+  exists(CallInstruction call |
+    call.getStaticCallTarget() instanceof Constructor and
+    e = getConvertedResultExpression(call, n) and
+    call.getThisArgumentOperand() = node.getAddressOperand()
+  )
+}
+
+/** Holds if `node` should be an instruction node that maps `node.asExpr()` to `e`. */
+predicate exprNodeShouldBeInstruction(Node node, Expr e, int n) {
+  not exprNodeShouldBeOperand(_, e, n) and
+  not exprNodeShouldBeIndirectOutNode(_, e, n) and
+  not exprNodeShouldBeIndirectOperand(_, e, n) and
+  e = getConvertedResultExpression(node.asInstruction(), n)
+}
+
+/** Holds if `node` should be an `IndirectInstruction` that maps `node.asIndirectExpr()` to `e`. */
+predicate indirectExprNodeShouldBeIndirectInstruction(
+  IndirectInstruction node, Expr e, int n, int indirectionIndex
+) {
+  not indirectExprNodeShouldBeIndirectOperand(_, e, n, indirectionIndex) and
+  exists(Instruction instr |
+    node.hasInstructionAndIndirectionIndex(instr, indirectionIndex) and
+    e = getConvertedResultExpression(instr, n)
+  )
+}
+
+abstract private class ExprNodeBase extends Node {
+  /**
+   * Gets the expression corresponding to this node, if any. The returned
+   * expression may be a `Conversion`.
+   */
+  abstract Expr getConvertedExpr(int n);
+
+  /** Gets the non-conversion expression corresponding to this node, if any. */
+  final Expr getExpr(int n) { result = this.getConvertedExpr(n).getUnconverted() }
+}
+
+/**
+ * Holds if there exists a dataflow node whose `asExpr(n)` should evaluate
+ * to `e`.
+ */
+private predicate exprNodeShouldBe(Expr e, int n) {
+  exprNodeShouldBeInstruction(_, e, n) or
+  exprNodeShouldBeOperand(_, e, n) or
+  exprNodeShouldBeIndirectOutNode(_, e, n) or
+  exprNodeShouldBeIndirectOperand(_, e, n)
+}
+
+private class InstructionExprNode extends ExprNodeBase, InstructionNode {
+  InstructionExprNode() {
+    exists(Expr e, int n |
+      exprNodeShouldBeInstruction(this, e, n) and
+      not exists(Expr conv |
+        exprNodeShouldBe(conv, n + 1) and
+        conv.getUnconverted() = e.getUnconverted()
+      )
+    )
+  }
+
+  final override Expr getConvertedExpr(int n) { exprNodeShouldBeInstruction(this, result, n) }
+}
+
+private class OperandExprNode extends ExprNodeBase, OperandNode {
+  OperandExprNode() {
+    exists(Expr e, int n |
+      exprNodeShouldBeOperand(this, e, n) and
+      not exists(Expr conv |
+        exprNodeShouldBe(conv, n + 1) and
+        conv.getUnconverted() = e.getUnconverted()
+      )
+    )
+  }
+
+  final override Expr getConvertedExpr(int n) { exprNodeShouldBeOperand(this, result, n) }
+}
+
+abstract private class IndirectExprNodeBase extends Node {
+  /**
+   * Gets the expression corresponding to this node, if any. The returned
+   * expression may be a `Conversion`.
+   */
+  abstract Expr getConvertedExpr(int n, int indirectionIndex);
+
+  /** Gets the non-conversion expression corresponding to this node, if any. */
+  final Expr getExpr(int n, int indirectionIndex) {
+    result = this.getConvertedExpr(n, indirectionIndex).getUnconverted()
+  }
+}
+
+/** A signature for converting an indirect node to an expression. */
+private signature module IndirectNodeToIndirectExprSig {
+  /** The indirect node class to be converted to an expression */
+  class IndirectNode;
+
+  /**
+   * Holds if the indirect expression at indirection index `indirectionIndex`
+   * of `node` is `e`. The integer `n` specifies how many conversions has been
+   * applied to `node`.
+   */
+  predicate indirectNodeHasIndirectExpr(IndirectNode node, Expr e, int n, int indirectionIndex);
+}
+
+/**
+ * A module that implements the logic for deciding whether an indirect node
+ * should be an `IndirectExprNode`.
+ */
+private module IndirectNodeToIndirectExpr<IndirectNodeToIndirectExprSig Sig> {
+  import Sig
+
+  /**
+   * This predicate shifts the indirection index by one when `conv` is a
+   * `ReferenceDereferenceExpr`.
+   *
+   * This is necessary because `ReferenceDereferenceExpr` is a conversion
+   * in the AST, but appears as a `LoadInstruction` in the IR.
+   */
+  bindingset[e, indirectionIndex]
+  private predicate adjustForReference(
+    Expr e, int indirectionIndex, Expr conv, int adjustedIndirectionIndex
+  ) {
+    conv.(ReferenceDereferenceExpr).getExpr() = e and
+    adjustedIndirectionIndex = indirectionIndex - 1
+    or
+    not conv instanceof ReferenceDereferenceExpr and
+    conv = e and
+    adjustedIndirectionIndex = indirectionIndex
+  }
+
+  /** Holds if `node` should be an `IndirectExprNode`. */
+  predicate charpred(IndirectNode node) {
+    exists(Expr e, int n, int indirectionIndex |
+      indirectNodeHasIndirectExpr(node, e, n, indirectionIndex) and
+      not exists(Expr conv, int adjustedIndirectionIndex |
+        adjustForReference(e, indirectionIndex, conv, adjustedIndirectionIndex) and
+        indirectExprNodeShouldBe(conv, n + 1, adjustedIndirectionIndex)
+      )
+    )
+  }
+}
+
+private predicate indirectExprNodeShouldBe(Expr e, int n, int indirectionIndex) {
+  indirectExprNodeShouldBeIndirectOperand(_, e, n, indirectionIndex) or
+  indirectExprNodeShouldBeIndirectInstruction(_, e, n, indirectionIndex)
+}
+
+private module IndirectOperandIndirectExprNodeImpl implements IndirectNodeToIndirectExprSig {
+  class IndirectNode = IndirectOperand;
+
+  predicate indirectNodeHasIndirectExpr = indirectExprNodeShouldBeIndirectOperand/4;
+}
+
+module IndirectOperandToIndirectExpr =
+  IndirectNodeToIndirectExpr<IndirectOperandIndirectExprNodeImpl>;
+
+private class IndirectOperandIndirectExprNode extends IndirectExprNodeBase instanceof IndirectOperand
+{
+  IndirectOperandIndirectExprNode() { IndirectOperandToIndirectExpr::charpred(this) }
+
+  final override Expr getConvertedExpr(int n, int index) {
+    IndirectOperandToIndirectExpr::indirectNodeHasIndirectExpr(this, result, n, index)
+  }
+}
+
+private module IndirectInstructionIndirectExprNodeImpl implements IndirectNodeToIndirectExprSig {
+  class IndirectNode = IndirectInstruction;
+
+  predicate indirectNodeHasIndirectExpr = indirectExprNodeShouldBeIndirectInstruction/4;
+}
+
+module IndirectInstructionToIndirectExpr =
+  IndirectNodeToIndirectExpr<IndirectInstructionIndirectExprNodeImpl>;
+
+private class IndirectInstructionIndirectExprNode extends IndirectExprNodeBase instanceof IndirectInstruction
+{
+  IndirectInstructionIndirectExprNode() { IndirectInstructionToIndirectExpr::charpred(this) }
+
+  final override Expr getConvertedExpr(int n, int index) {
+    IndirectInstructionToIndirectExpr::indirectNodeHasIndirectExpr(this, result, n, index)
+  }
+}
+
+private class IndirectArgumentOutExprNode extends ExprNodeBase, IndirectArgumentOutNode {
+  IndirectArgumentOutExprNode() { exprNodeShouldBeIndirectOutNode(this, _, _) }
+
+  final override Expr getConvertedExpr(int n) { exprNodeShouldBeIndirectOutNode(this, result, n) }
+}
+
+private class IndirectOperandExprNode extends ExprNodeBase instanceof IndirectOperand {
+  IndirectOperandExprNode() { exprNodeShouldBeIndirectOperand(this, _, _) }
+
+  final override Expr getConvertedExpr(int n) { exprNodeShouldBeIndirectOperand(this, result, n) }
+}
+
+/**
+ * An expression, viewed as a node in a data flow graph.
+ */
+class ExprNode extends Node instanceof ExprNodeBase {
+  /**
+   * INTERNAL: Do not use.
+   */
+  Expr getExpr(int n) { result = super.getExpr(n) }
+
+  /**
+   * Gets the non-conversion expression corresponding to this node, if any. If
+   * this node strictly (in the sense of `getConvertedExpr`) corresponds to a
+   * `Conversion`, then the result is that `Conversion`'s non-`Conversion` base
+   * expression.
+   */
+  final Expr getExpr() { result = this.getExpr(_) }
+
+  /**
+   * INTERNAL: Do not use.
+   */
+  Expr getConvertedExpr(int n) { result = super.getConvertedExpr(n) }
+
+  /**
+   * Gets the expression corresponding to this node, if any. The returned
+   * expression may be a `Conversion`.
+   */
+  final Expr getConvertedExpr() { result = this.getConvertedExpr(_) }
+}
+
+/**
+ * An indirect expression, viewed as a node in a data flow graph.
+ */
+class IndirectExprNode extends Node instanceof IndirectExprNodeBase {
+  /**
+   * Gets the non-conversion expression corresponding to this node, if any. If
+   * this node strictly (in the sense of `getConvertedExpr`) corresponds to a
+   * `Conversion`, then the result is that `Conversion`'s non-`Conversion` base
+   * expression.
+   */
+  final Expr getExpr(int indirectionIndex) { result = this.getExpr(_, indirectionIndex) }
+
+  /**
+   * INTERNAL: Do not use.
+   */
+  Expr getExpr(int n, int indirectionIndex) { result = super.getExpr(n, indirectionIndex) }
+
+  /**
+   * INTERNAL: Do not use.
+   */
+  Expr getConvertedExpr(int n, int indirectionIndex) {
+    result = super.getConvertedExpr(n, indirectionIndex)
+  }
+
+  /**
+   * Gets the expression corresponding to this node, if any. The returned
+   * expression may be a `Conversion`.
+   */
+  Expr getConvertedExpr(int indirectionIndex) {
+    result = this.getConvertedExpr(_, indirectionIndex)
+  }
+}
+
 abstract private class AbstractParameterNode extends Node {
   /**
    * Holds if this node is the parameter of `f` at the specified position. The
@@ -1786,9 +2176,6 @@ private module Cached {
       // Def-use/Use-use flow
       Ssa::ssaFlow(nodeFrom, nodeTo)
       or
-      // Phi input -> Phi
-      nodeFrom.(SsaPhiInputNode).getPhiNode() = nodeTo.(SsaPhiNode).getPhiNode()
-      or
       IteratorFlow::localFlowStep(nodeFrom, nodeTo)
       or
       // Operand -> Instruction flow
@@ -2227,22 +2614,6 @@ class ContentSet instanceof Content {
   }
 }
 
-pragma[nomagic]
-private predicate guardControlsPhiInput(
-  IRGuardCondition g, boolean branch, Ssa::Definition def, IRBlock input, Ssa::PhiNode phi
-) {
-  phi.hasInputFromBlock(def, _, _, _, input) and
-  (
-    g.controls(input, branch)
-    or
-    exists(EdgeKind kind |
-      g.getBlock() = input and
-      kind = getConditionalEdge(branch) and
-      input.getSuccessor(kind) = phi.getBasicBlock()
-    )
-  )
-}
-
 /**
  * Holds if the guard `g` validates the expression `e` upon evaluating to `branch`.
  *
@@ -2291,21 +2662,13 @@ module BarrierGuard<guardChecksSig/3 guardChecks> {
    *
    * NOTE: If an indirect expression is tracked, use `getAnIndirectBarrierNode` instead.
    */
-  Node getABarrierNode() {
+  ExprNode getABarrierNode() {
     exists(IRGuardCondition g, Expr e, ValueNumber value, boolean edge |
       e = value.getAnInstruction().getConvertedResultExpression() and
-      result.asConvertedExpr() = e and
+      result.getConvertedExpr() = e and
       guardChecks(g, value.getAnInstruction().getConvertedResultExpression(), edge) and
       g.controls(result.getBasicBlock(), edge)
     )
-    or
-    exists(
-      IRGuardCondition g, boolean branch, Ssa::DefinitionExt def, IRBlock input, Ssa::PhiNode phi
-    |
-      guardChecks(g, def.getARead().asOperand().getDef().getConvertedResultExpression(), branch) and
-      guardControlsPhiInput(g, branch, def, input, phi) and
-      result = TSsaPhiInputNode(phi, input)
-    )
   }
 
   /**
@@ -2341,7 +2704,7 @@ module BarrierGuard<guardChecksSig/3 guardChecks> {
    *
    * NOTE: If a non-indirect expression is tracked, use `getABarrierNode` instead.
    */
-  Node getAnIndirectBarrierNode() { result = getAnIndirectBarrierNode(_) }
+  IndirectExprNode getAnIndirectBarrierNode() { result = getAnIndirectBarrierNode(_) }
 
   /**
    * Gets an indirect expression node with indirection index `indirectionIndex` that is
@@ -2377,23 +2740,13 @@ module BarrierGuard<guardChecksSig/3 guardChecks> {
    *
    * NOTE: If a non-indirect expression is tracked, use `getABarrierNode` instead.
    */
-  Node getAnIndirectBarrierNode(int indirectionIndex) {
+  IndirectExprNode getAnIndirectBarrierNode(int indirectionIndex) {
     exists(IRGuardCondition g, Expr e, ValueNumber value, boolean edge |
       e = value.getAnInstruction().getConvertedResultExpression() and
-      result.asIndirectConvertedExpr(indirectionIndex) = e and
+      result.getConvertedExpr(indirectionIndex) = e and
       guardChecks(g, value.getAnInstruction().getConvertedResultExpression(), edge) and
       g.controls(result.getBasicBlock(), edge)
     )
-    or
-    exists(
-      IRGuardCondition g, boolean branch, Ssa::DefinitionExt def, IRBlock input, Ssa::PhiNode phi
-    |
-      guardChecks(g,
-        def.getARead().asIndirectOperand(indirectionIndex).getDef().getConvertedResultExpression(),
-        branch) and
-      guardControlsPhiInput(g, branch, def, input, phi) and
-      result = TSsaPhiInputNode(phi, input)
-    )
   }
 }
 
@@ -2402,14 +2755,6 @@ module BarrierGuard<guardChecksSig/3 guardChecks> {
  */
 signature predicate instructionGuardChecksSig(IRGuardCondition g, Instruction instr, boolean branch);
 
-private EdgeKind getConditionalEdge(boolean branch) {
-  branch = true and
-  result instanceof TrueEdge
-  or
-  branch = false and
-  result instanceof FalseEdge
-}
-
 /**
  * Provides a set of barrier nodes for a guard that validates an instruction.
  *
@@ -2418,20 +2763,12 @@ private EdgeKind getConditionalEdge(boolean branch) {
  */
 module InstructionBarrierGuard<instructionGuardChecksSig/3 instructionGuardChecks> {
   /** Gets a node that is safely guarded by the given guard check. */
-  Node getABarrierNode() {
+  ExprNode getABarrierNode() {
     exists(IRGuardCondition g, ValueNumber value, boolean edge, Operand use |
       instructionGuardChecks(g, value.getAnInstruction(), edge) and
       use = value.getAnInstruction().getAUse() and
       result.asOperand() = use and
-      g.controls(result.getBasicBlock(), edge)
-    )
-    or
-    exists(
-      IRGuardCondition g, boolean branch, Ssa::DefinitionExt def, IRBlock input, Ssa::PhiNode phi
-    |
-      instructionGuardChecks(g, def.getARead().asOperand().getDef(), branch) and
-      guardControlsPhiInput(g, branch, def, input, phi) and
-      result = TSsaPhiInputNode(phi, input)
+      g.controls(use.getDef().getBlock(), edge)
     )
   }
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ExprNodes.qll

@@ -1,518 +0,0 @@
-/**
- * Provides the classes `ExprNode` and `IndirectExprNode` for converting between `Expr` and `Node`.
- */
-
-private import cpp
-private import semmle.code.cpp.ir.IR
-private import DataFlowUtil
-private import DataFlowPrivate
-private import semmle.code.cpp.ir.implementation.raw.internal.TranslatedExpr
-private import semmle.code.cpp.ir.implementation.raw.internal.InstructionTag
-
-cached
-private module Cached {
-  private Operand getAnInitializeDynamicAllocationInstructionAddress() {
-    result = any(InitializeDynamicAllocationInstruction init).getAllocationAddressOperand()
-  }
-
-  /**
-   * Gets the expression that should be returned as the result expression from `instr`.
-   *
-   * Note that this predicate may return multiple results in cases where a conversion belongs to a
-   * different AST element than its operand.
-   */
-  private Expr getConvertedResultExpression(Instruction instr, int n) {
-    // Only fully converted instructions have a result for `asConvertedExpr`
-    not conversionFlow(unique(Operand op |
-        // The address operand of a `InitializeDynamicAllocationInstruction` is
-        // special: we need to handle it during dataflow (since it's
-        // effectively a store to an indirection), but it doesn't appear in
-        // source syntax, so dataflow node <-> expression conversion shouldn't
-        // care about it.
-        op = getAUse(instr) and not op = getAnInitializeDynamicAllocationInstructionAddress()
-      |
-        op
-      ), _, false, false) and
-    result = getConvertedResultExpressionImpl(instr) and
-    n = 0
-    or
-    // If the conversion also has a result then we return multiple results
-    exists(Operand operand | conversionFlow(operand, instr, false, false) |
-      n = 1 and
-      result = getConvertedResultExpressionImpl(operand.getDef())
-      or
-      result = getConvertedResultExpression(operand.getDef(), n - 1)
-    )
-  }
-
-  private Expr getConvertedResultExpressionImpl0(Instruction instr) {
-    // IR construction inserts an additional cast to a `size_t` on the extent
-    // of a `new[]` expression. The resulting `ConvertInstruction` doesn't have
-    // a result for `getConvertedResultExpression`. We remap this here so that
-    // this `ConvertInstruction` maps to the result of the expression that
-    // represents the extent.
-    exists(TranslatedNonConstantAllocationSize tas |
-      result = tas.getExtent().getExpr() and
-      instr = tas.getInstruction(AllocationExtentConvertTag())
-    )
-    or
-    // There's no instruction that returns `ParenthesisExpr`, but some queries
-    // expect this
-    exists(TranslatedTransparentConversion ttc |
-      result = ttc.getExpr().(ParenthesisExpr) and
-      instr = ttc.getResult()
-    )
-    or
-    // Certain expressions generate `CopyValueInstruction`s only when they
-    // are needed. Examples of this include crement operations and compound
-    // assignment operations. For example:
-    // ```cpp
-    // int x = ...
-    // int y = x++;
-    // ```
-    // this generate IR like:
-    // ```
-    // r1(glval<int>) = VariableAddress[x] :
-    // r2(int)        = Constant[0]        :
-    // m3(int)        = Store[x]           : &:r1, r2
-    // r4(glval<int>) = VariableAddress[y] :
-    // r5(glval<int>) = VariableAddress[x] :
-    // r6(int)        = Load[x]            : &:r5, m3
-    // r7(int)        = Constant[1]        :
-    // r8(int)        = Add                : r6, r7
-    // m9(int)        = Store[x]           : &:r5, r8
-    // r11(int)       = CopyValue         : r6
-    // m12(int)       = Store[y]          : &:r4, r11
-    // ```
-    // When the `CopyValueInstruction` is not generated there is no instruction
-    // whose `getConvertedResultExpression` maps back to the expression. When
-    // such an instruction doesn't exist it means that the old value is not
-    // needed, and in that case the only value that will propagate forward in
-    // the program is the value that's been updated. So in those cases we just
-    // use the result of `node.asDefinition()` as the result of `node.asExpr()`.
-    exists(TranslatedCoreExpr tco |
-      tco.getInstruction(_) = instr and
-      tco.producesExprResult() and
-      result = asDefinitionImpl0(instr)
-    )
-  }
-
-  private Expr getConvertedResultExpressionImpl(Instruction instr) {
-    result = getConvertedResultExpressionImpl0(instr)
-    or
-    not exists(getConvertedResultExpressionImpl0(instr)) and
-    result = instr.getConvertedResultExpression()
-  }
-
-  /**
-   * Gets the result for `node.asDefinition()` (when `node` is the instruction
-   * node that wraps `store`) in the cases where `store.getAst()` should not be
-   * used to define the result of `node.asDefinition()`.
-   */
-  private Expr asDefinitionImpl0(StoreInstruction store) {
-    // For an expression such as `i += 2` we pretend that the generated
-    // `StoreInstruction` contains the result of the expression even though
-    // this isn't totally aligned with the C/C++ standard.
-    exists(TranslatedAssignOperation tao |
-      store = tao.getInstruction(AssignmentStoreTag()) and
-      result = tao.getExpr()
-    )
-    or
-    // Similarly for `i++` and `++i` we pretend that the generated
-    // `StoreInstruction` is contains the result of the expression even though
-    // this isn't totally aligned with the C/C++ standard.
-    exists(TranslatedCrementOperation tco |
-      store = tco.getInstruction(CrementStoreTag()) and
-      result = tco.getExpr()
-    )
-  }
-
-  /**
-   * Holds if the expression returned by `store.getAst()` should not be
-   * returned as the result of `node.asDefinition()` when `node` is the
-   * instruction node that wraps `store`.
-   */
-  private predicate excludeAsDefinitionResult(StoreInstruction store) {
-    // Exclude the store to the temporary generated by a ternary expression.
-    exists(TranslatedConditionalExpr tce |
-      store = tce.getInstruction(ConditionValueFalseStoreTag())
-      or
-      store = tce.getInstruction(ConditionValueTrueStoreTag())
-    )
-  }
-
-  /**
-   * Gets the expression that represents the result of `StoreInstruction` for
-   * dataflow purposes.
-   *
-   * For example, consider the following example
-   * ```cpp
-   * int x = 42;     // 1
-   * x = 34;         // 2
-   * ++x;            // 3
-   * x++;            // 4
-   * x += 1;         // 5
-   * int y = x += 2; // 6
-   * ```
-   * For (1) the result is `42`.
-   * For (2) the result is `x = 34`.
-   * For (3) the result is `++x`.
-   * For (4) the result is `x++`.
-   * For (5) the result is `x += 1`.
-   * For (6) there are two results:
-   *   - For the `StoreInstruction` generated by `x += 2` the result
-   *     is `x += 2`
-   *   - For the `StoreInstruction` generated by `int y = ...` the result
-   *     is also `x += 2`
-   */
-  cached
-  Expr asDefinitionImpl(StoreInstruction store) {
-    not exists(asDefinitionImpl0(store)) and
-    not excludeAsDefinitionResult(store) and
-    result = store.getAst().(Expr).getUnconverted()
-    or
-    result = asDefinitionImpl0(store)
-  }
-
-  /** Holds if `node` is an `OperandNode` that should map `node.asExpr()` to `e`. */
-  private predicate exprNodeShouldBeOperand(OperandNode node, Expr e, int n) {
-    not exprNodeShouldBeIndirectOperand(_, e, n) and
-    exists(Instruction def |
-      unique( | | getAUse(def)) = node.getOperand() and
-      e = getConvertedResultExpression(def, n)
-    )
-  }
-
-  /** Holds if `node` should be an `IndirectOperand` that maps `node.asIndirectExpr()` to `e`. */
-  private predicate indirectExprNodeShouldBeIndirectOperand(
-    IndirectOperand node, Expr e, int n, int indirectionIndex
-  ) {
-    exists(Instruction def |
-      node.hasOperandAndIndirectionIndex(unique( | | getAUse(def)), indirectionIndex) and
-      e = getConvertedResultExpression(def, n)
-    )
-  }
-
-  /** Holds if `operand`'s definition is a `VariableAddressInstruction` whose variable is a temporary */
-  private predicate isIRTempVariable(Operand operand) {
-    operand.getDef().(VariableAddressInstruction).getIRVariable() instanceof IRTempVariable
-  }
-
-  /**
-   * Holds if `node` is an indirect operand whose operand is an argument, and
-   * the `n`'th expression associated with the operand is `e`.
-   */
-  private predicate isIndirectOperandOfArgument(
-    IndirectOperand node, ArgumentOperand operand, Expr e, int n
-  ) {
-    node.hasOperandAndIndirectionIndex(operand, 1) and
-    e = getConvertedResultExpression(operand.getDef(), n)
-  }
-
-  /**
-   * Holds if `opFrom` is an operand to a conversion, and `opTo` is the unique
-   * use of the conversion.
-   */
-  private predicate isConversionStep(Operand opFrom, Operand opTo) {
-    exists(Instruction mid |
-      conversionFlow(opFrom, mid, false, false) and
-      opTo = unique( | | getAUse(mid))
-    )
-  }
-
-  /**
-   * Holds if an operand that satisfies `isIRTempVariable` flows to `op`
-   * through a (possibly empty) sequence of conversions.
-   */
-  private predicate irTempOperandConversionFlows(Operand op) {
-    isIRTempVariable(op)
-    or
-    exists(Operand mid |
-      irTempOperandConversionFlows(mid) and
-      isConversionStep(mid, op)
-    )
-  }
-
-  /** Holds if `node` should be an `IndirectOperand` that maps `node.asExpr()` to `e`. */
-  private predicate exprNodeShouldBeIndirectOperand(IndirectOperand node, Expr e, int n) {
-    exists(ArgumentOperand operand |
-      // When an argument (qualifier or positional) is a prvalue and the
-      // parameter (qualifier or positional) is a (const) reference, IR
-      // construction introduces a temporary `IRVariable`. The `VariableAddress`
-      // instruction has the argument as its `getConvertedResultExpression`
-      // result. However, the instruction actually represents the _address_ of
-      // the argument. So to fix this mismatch, we have the indirection of the
-      // `VariableAddressInstruction` map to the expression.
-      isIndirectOperandOfArgument(node, operand, e, n) and
-      irTempOperandConversionFlows(operand)
-    )
-  }
-
-  private predicate exprNodeShouldBeIndirectOutNode(IndirectArgumentOutNode node, Expr e, int n) {
-    exists(CallInstruction call |
-      call.getStaticCallTarget() instanceof Constructor and
-      e = getConvertedResultExpression(call, n) and
-      call.getThisArgumentOperand() = node.getAddressOperand()
-    )
-  }
-
-  /** Holds if `node` should be an instruction node that maps `node.asExpr()` to `e`. */
-  private predicate exprNodeShouldBeInstruction(Node node, Expr e, int n) {
-    not exprNodeShouldBeOperand(_, e, n) and
-    not exprNodeShouldBeIndirectOutNode(_, e, n) and
-    not exprNodeShouldBeIndirectOperand(_, e, n) and
-    e = getConvertedResultExpression(node.asInstruction(), n)
-  }
-
-  /** Holds if `node` should be an `IndirectInstruction` that maps `node.asIndirectExpr()` to `e`. */
-  private predicate indirectExprNodeShouldBeIndirectInstruction(
-    IndirectInstruction node, Expr e, int n, int indirectionIndex
-  ) {
-    not indirectExprNodeShouldBeIndirectOperand(_, e, n, indirectionIndex) and
-    exists(Instruction instr |
-      node.hasInstructionAndIndirectionIndex(instr, indirectionIndex) and
-      e = getConvertedResultExpression(instr, n)
-    )
-  }
-
-  abstract private class ExprNodeBase extends Node {
-    /**
-     * Gets the expression corresponding to this node, if any. The returned
-     * expression may be a `Conversion`.
-     */
-    abstract Expr getConvertedExpr(int n);
-
-    /** Gets the non-conversion expression corresponding to this node, if any. */
-    final Expr getExpr(int n) { result = this.getConvertedExpr(n).getUnconverted() }
-  }
-
-  /**
-   * Holds if there exists a dataflow node whose `asExpr(n)` should evaluate
-   * to `e`.
-   */
-  private predicate exprNodeShouldBe(Expr e, int n) {
-    exprNodeShouldBeInstruction(_, e, n) or
-    exprNodeShouldBeOperand(_, e, n) or
-    exprNodeShouldBeIndirectOutNode(_, e, n) or
-    exprNodeShouldBeIndirectOperand(_, e, n)
-  }
-
-  private class InstructionExprNode extends ExprNodeBase, InstructionNode {
-    InstructionExprNode() {
-      exists(Expr e, int n |
-        exprNodeShouldBeInstruction(this, e, n) and
-        not exists(Expr conv |
-          exprNodeShouldBe(conv, n + 1) and
-          conv.getUnconverted() = e.getUnconverted()
-        )
-      )
-    }
-
-    final override Expr getConvertedExpr(int n) { exprNodeShouldBeInstruction(this, result, n) }
-  }
-
-  private class OperandExprNode extends ExprNodeBase, OperandNode {
-    OperandExprNode() {
-      exists(Expr e, int n |
-        exprNodeShouldBeOperand(this, e, n) and
-        not exists(Expr conv |
-          exprNodeShouldBe(conv, n + 1) and
-          conv.getUnconverted() = e.getUnconverted()
-        )
-      )
-    }
-
-    final override Expr getConvertedExpr(int n) { exprNodeShouldBeOperand(this, result, n) }
-  }
-
-  abstract private class IndirectExprNodeBase extends Node {
-    /**
-     * Gets the expression corresponding to this node, if any. The returned
-     * expression may be a `Conversion`.
-     */
-    abstract Expr getConvertedExpr(int n, int indirectionIndex);
-
-    /** Gets the non-conversion expression corresponding to this node, if any. */
-    final Expr getExpr(int n, int indirectionIndex) {
-      result = this.getConvertedExpr(n, indirectionIndex).getUnconverted()
-    }
-  }
-
-  /** A signature for converting an indirect node to an expression. */
-  private signature module IndirectNodeToIndirectExprSig {
-    /** The indirect node class to be converted to an expression */
-    class IndirectNode;
-
-    /**
-     * Holds if the indirect expression at indirection index `indirectionIndex`
-     * of `node` is `e`. The integer `n` specifies how many conversions has been
-     * applied to `node`.
-     */
-    predicate indirectNodeHasIndirectExpr(IndirectNode node, Expr e, int n, int indirectionIndex);
-  }
-
-  /**
-   * A module that implements the logic for deciding whether an indirect node
-   * should be an `IndirectExprNode`.
-   */
-  private module IndirectNodeToIndirectExpr<IndirectNodeToIndirectExprSig Sig> {
-    import Sig
-
-    /**
-     * This predicate shifts the indirection index by one when `conv` is a
-     * `ReferenceDereferenceExpr`.
-     *
-     * This is necessary because `ReferenceDereferenceExpr` is a conversion
-     * in the AST, but appears as a `LoadInstruction` in the IR.
-     */
-    bindingset[e, indirectionIndex]
-    private predicate adjustForReference(
-      Expr e, int indirectionIndex, Expr conv, int adjustedIndirectionIndex
-    ) {
-      conv.(ReferenceDereferenceExpr).getExpr() = e and
-      adjustedIndirectionIndex = indirectionIndex - 1
-      or
-      not conv instanceof ReferenceDereferenceExpr and
-      conv = e and
-      adjustedIndirectionIndex = indirectionIndex
-    }
-
-    /** Holds if `node` should be an `IndirectExprNode`. */
-    predicate charpred(IndirectNode node) {
-      exists(Expr e, int n, int indirectionIndex |
-        indirectNodeHasIndirectExpr(node, e, n, indirectionIndex) and
-        not exists(Expr conv, int adjustedIndirectionIndex |
-          adjustForReference(e, indirectionIndex, conv, adjustedIndirectionIndex) and
-          indirectExprNodeShouldBe(conv, n + 1, adjustedIndirectionIndex)
-        )
-      )
-    }
-  }
-
-  private predicate indirectExprNodeShouldBe(Expr e, int n, int indirectionIndex) {
-    indirectExprNodeShouldBeIndirectOperand(_, e, n, indirectionIndex) or
-    indirectExprNodeShouldBeIndirectInstruction(_, e, n, indirectionIndex)
-  }
-
-  private module IndirectOperandIndirectExprNodeImpl implements IndirectNodeToIndirectExprSig {
-    class IndirectNode = IndirectOperand;
-
-    predicate indirectNodeHasIndirectExpr = indirectExprNodeShouldBeIndirectOperand/4;
-  }
-
-  module IndirectOperandToIndirectExpr =
-    IndirectNodeToIndirectExpr<IndirectOperandIndirectExprNodeImpl>;
-
-  private class IndirectOperandIndirectExprNode extends IndirectExprNodeBase instanceof IndirectOperand
-  {
-    IndirectOperandIndirectExprNode() { IndirectOperandToIndirectExpr::charpred(this) }
-
-    final override Expr getConvertedExpr(int n, int index) {
-      IndirectOperandToIndirectExpr::indirectNodeHasIndirectExpr(this, result, n, index)
-    }
-  }
-
-  private module IndirectInstructionIndirectExprNodeImpl implements IndirectNodeToIndirectExprSig {
-    class IndirectNode = IndirectInstruction;
-
-    predicate indirectNodeHasIndirectExpr = indirectExprNodeShouldBeIndirectInstruction/4;
-  }
-
-  module IndirectInstructionToIndirectExpr =
-    IndirectNodeToIndirectExpr<IndirectInstructionIndirectExprNodeImpl>;
-
-  private class IndirectInstructionIndirectExprNode extends IndirectExprNodeBase instanceof IndirectInstruction
-  {
-    IndirectInstructionIndirectExprNode() { IndirectInstructionToIndirectExpr::charpred(this) }
-
-    final override Expr getConvertedExpr(int n, int index) {
-      IndirectInstructionToIndirectExpr::indirectNodeHasIndirectExpr(this, result, n, index)
-    }
-  }
-
-  private class IndirectArgumentOutExprNode extends ExprNodeBase, IndirectArgumentOutNode {
-    IndirectArgumentOutExprNode() { exprNodeShouldBeIndirectOutNode(this, _, _) }
-
-    final override Expr getConvertedExpr(int n) { exprNodeShouldBeIndirectOutNode(this, result, n) }
-  }
-
-  private class IndirectOperandExprNode extends ExprNodeBase instanceof IndirectOperand {
-    IndirectOperandExprNode() { exprNodeShouldBeIndirectOperand(this, _, _) }
-
-    final override Expr getConvertedExpr(int n) { exprNodeShouldBeIndirectOperand(this, result, n) }
-  }
-
-  /**
-   * An expression, viewed as a node in a data flow graph.
-   */
-  cached
-  class ExprNode extends Node instanceof ExprNodeBase {
-    /**
-     * INTERNAL: Do not use.
-     */
-    cached
-    Expr getExpr(int n) { result = super.getExpr(n) }
-
-    /**
-     * Gets the non-conversion expression corresponding to this node, if any. If
-     * this node strictly (in the sense of `getConvertedExpr`) corresponds to a
-     * `Conversion`, then the result is that `Conversion`'s non-`Conversion` base
-     * expression.
-     */
-    cached
-    final Expr getExpr() { result = this.getExpr(_) }
-
-    /**
-     * INTERNAL: Do not use.
-     */
-    cached
-    Expr getConvertedExpr(int n) { result = super.getConvertedExpr(n) }
-
-    /**
-     * Gets the expression corresponding to this node, if any. The returned
-     * expression may be a `Conversion`.
-     */
-    cached
-    final Expr getConvertedExpr() { result = this.getConvertedExpr(_) }
-  }
-
-  /**
-   * An indirect expression, viewed as a node in a data flow graph.
-   */
-  cached
-  class IndirectExprNode extends Node instanceof IndirectExprNodeBase {
-    /**
-     * Gets the non-conversion expression corresponding to this node, if any. If
-     * this node strictly (in the sense of `getConvertedExpr`) corresponds to a
-     * `Conversion`, then the result is that `Conversion`'s non-`Conversion` base
-     * expression.
-     */
-    cached
-    final Expr getExpr(int indirectionIndex) { result = this.getExpr(_, indirectionIndex) }
-
-    /**
-     * INTERNAL: Do not use.
-     */
-    cached
-    Expr getExpr(int n, int indirectionIndex) { result = super.getExpr(n, indirectionIndex) }
-
-    /**
-     * INTERNAL: Do not use.
-     */
-    cached
-    Expr getConvertedExpr(int n, int indirectionIndex) {
-      result = super.getConvertedExpr(n, indirectionIndex)
-    }
-
-    /**
-     * Gets the expression corresponding to this node, if any. The returned
-     * expression may be a `Conversion`.
-     */
-    cached
-    Expr getConvertedExpr(int indirectionIndex) {
-      result = this.getConvertedExpr(_, indirectionIndex)
-    }
-  }
-}
-
-import Cached

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -657,9 +657,19 @@ class GlobalDefImpl extends DefImpl, TGlobalDefImpl {
  */
 predicate adjacentDefRead(IRBlock bb1, int i1, SourceVariable sv, IRBlock bb2, int i2) {
   adjacentDefReadExt(_, sv, bb1, i1, bb2, i2)
+  or
+  exists(PhiNode phi |
+    lastRefRedefExt(_, sv, bb1, i1, phi) and
+    phi.definesAt(sv, bb2, i2, _)
+  )
 }
 
 predicate useToNode(IRBlock bb, int i, SourceVariable sv, Node nodeTo) {
+  exists(Phi phi |
+    phi.asPhi().definesAt(sv, bb, i, _) and
+    nodeTo = phi.getNode()
+  )
+  or
   exists(UseImpl use |
     use.hasIndexInBlock(bb, i, sv) and
     nodeTo = use.getNode()
@@ -713,26 +723,46 @@ predicate nodeToDefOrUse(Node node, SourceVariable sv, IRBlock bb, int i, boolea
  */
 private predicate indirectConversionFlowStep(Node nFrom, Node nTo) {
   not exists(SourceVariable sv, IRBlock bb2, int i2 |
-    useToNode(bb2, i2, sv, nTo) and
+    nodeToDefOrUse(nTo, sv, bb2, i2, _) and
     adjacentDefRead(bb2, i2, sv, _, _)
   ) and
-  exists(Operand op1, Operand op2, int indirectionIndex, Instruction instr |
-    hasOperandAndIndex(nFrom, op1, pragma[only_bind_into](indirectionIndex)) and
-    hasOperandAndIndex(nTo, op2, pragma[only_bind_into](indirectionIndex)) and
-    instr = op2.getDef() and
-    conversionFlow(op1, instr, _, _)
+  (
+    exists(Operand op1, Operand op2, int indirectionIndex, Instruction instr |
+      hasOperandAndIndex(nFrom, op1, pragma[only_bind_into](indirectionIndex)) and
+      hasOperandAndIndex(nTo, op2, pragma[only_bind_into](indirectionIndex)) and
+      instr = op2.getDef() and
+      conversionFlow(op1, instr, _, _)
+    )
+    or
+    exists(Operand op1, Operand op2, int indirectionIndex, Instruction instr |
+      hasOperandAndIndex(nFrom, op1, pragma[only_bind_into](indirectionIndex)) and
+      hasOperandAndIndex(nTo, op2, indirectionIndex - 1) and
+      instr = op2.getDef() and
+      isDereference(instr, op1, _)
+    )
   )
 }
 
 /**
- * Holds if `node` is a phi input node that should receive flow from the
- * definition to (or use of) `sv` at `(bb1, i1)`.
+ * The reason for this predicate is a bit annoying:
+ * We cannot mark a `PointerArithmeticInstruction` that computes an offset based on some SSA
+ * variable `x` as a use of `x` since this creates taint-flow in the following example:
+ * ```c
+ * int x = array[source]
+ * sink(*array)
+ * ```
+ * This is because `source` would flow from the operand of `PointerArithmeticInstruction` to the
+ * result of the instruction, and into the `IndirectOperand` that represents the value of `*array`.
+ * Then, via use-use flow, flow will arrive at `*array` in `sink(*array)`.
+ *
+ * So this predicate recurses back along conversions and `PointerArithmeticInstruction`s to find the
+ * first use that has provides use-use flow, and uses that target as the target of the `nodeFrom`.
  */
-private predicate phiToNode(SsaPhiInputNode node, SourceVariable sv, IRBlock bb1, int i1) {
-  exists(PhiNode phi, IRBlock input |
-    phi.hasInputFromBlock(_, sv, bb1, i1, input) and
-    node.getPhiNode() = phi and
-    node.getBlock() = input
+private predicate adjustForPointerArith(PostUpdateNode pun, SourceVariable sv, IRBlock bb2, int i2) {
+  exists(IRBlock bb1, int i1, Node adjusted |
+    indirectConversionFlowStep*(adjusted, pun.getPreUpdateNode()) and
+    nodeToDefOrUse(adjusted, sv, bb1, i1, _) and
+    adjacentDefRead(bb1, i1, sv, bb2, i2)
   )
 }
 
@@ -747,14 +777,10 @@ private predicate phiToNode(SsaPhiInputNode node, SourceVariable sv, IRBlock bb1
 private predicate ssaFlowImpl(
   IRBlock bb1, int i1, SourceVariable sv, Node nodeFrom, Node nodeTo, boolean uncertain
 ) {
-  nodeToDefOrUse(nodeFrom, sv, bb1, i1, uncertain) and
-  (
-    exists(IRBlock bb2, int i2 |
-      adjacentDefRead(bb1, i1, sv, bb2, i2) and
-      useToNode(bb2, i2, sv, nodeTo)
-    )
-    or
-    phiToNode(nodeTo, sv, bb1, i1)
+  exists(IRBlock bb2, int i2 |
+    nodeToDefOrUse(nodeFrom, sv, bb1, i1, uncertain) and
+    adjacentDefRead(bb1, i1, sv, bb2, i2) and
+    useToNode(bb2, i2, sv, nodeTo)
   ) and
   nodeFrom != nodeTo
 }
@@ -763,7 +789,7 @@ private predicate ssaFlowImpl(
 private Node getAPriorDefinition(DefinitionExt next) {
   exists(IRBlock bb, int i, SourceVariable sv |
     lastRefRedefExt(_, pragma[only_bind_into](sv), pragma[only_bind_into](bb),
-      pragma[only_bind_into](i), _, next) and
+      pragma[only_bind_into](i), next) and
     nodeToDefOrUse(result, sv, bb, i, _)
   )
 }
@@ -870,31 +896,9 @@ private predicate isArgumentOfCallable(DataFlowCall call, Node n) {
  * Holds if there is use-use flow from `pun`'s pre-update node to `n`.
  */
 private predicate postUpdateNodeToFirstUse(PostUpdateNode pun, Node n) {
-  // We cannot mark a `PointerArithmeticInstruction` that computes an offset
-  // based on some SSA
-  // variable `x` as a use of `x` since this creates taint-flow in the
-  // following example:
-  // ```c
-  // int x = array[source]
-  // sink(*array)
-  // ```
-  // This is because `source` would flow from the operand of `PointerArithmetic`
-  // instruction to the result of the instruction, and into the `IndirectOperand`
-  // that represents the value of `*array`. Then, via use-use flow, flow will
-  // arrive at `*array` in `sink(*array)`.
-  // So this predicate recurses back along conversions and `PointerArithmetic`
-  // instructions to find the first use that has provides use-use flow, and
-  // uses that target as the target of the `nodeFrom`.
-  exists(Node adjusted, IRBlock bb1, int i1, SourceVariable sv |
-    indirectConversionFlowStep*(adjusted, pun.getPreUpdateNode()) and
-    useToNode(bb1, i1, sv, adjusted)
-  |
-    exists(IRBlock bb2, int i2 |
-      adjacentDefRead(bb1, i1, sv, bb2, i2) and
-      useToNode(bb2, i2, sv, n)
-    )
-    or
-    phiToNode(n, sv, bb1, i1)
+  exists(SourceVariable sv, IRBlock bb2, int i2 |
+    adjustForPointerArith(pun, sv, bb2, i2) and
+    useToNode(bb2, i2, sv, n)
   )
 }
 
@@ -949,16 +953,11 @@ predicate postUpdateFlow(PostUpdateNode pun, Node nodeTo) {
 
 /** Holds if `nodeTo` receives flow from the phi node `nodeFrom`. */
 predicate fromPhiNode(SsaPhiNode nodeFrom, Node nodeTo) {
-  exists(PhiNode phi, SourceVariable sv, IRBlock bb1, int i1 |
+  exists(PhiNode phi, SourceVariable sv, IRBlock bb1, int i1, IRBlock bb2, int i2 |
     phi = nodeFrom.getPhiNode() and
-    phi.definesAt(sv, bb1, i1, _)
-  |
-    exists(IRBlock bb2, int i2 |
-      adjacentDefRead(bb1, i1, sv, bb2, i2) and
-      useToNode(bb2, i2, sv, nodeTo)
-    )
-    or
-    phiToNode(nodeTo, sv, bb1, i1)
+    phi.definesAt(sv, bb1, i1, _) and
+    adjacentDefRead(bb1, i1, sv, bb2, i2) and
+    useToNode(bb2, i2, sv, nodeTo)
   )
 }
 
@@ -1032,26 +1031,22 @@ module SsaCached {
    * Holds if the node at index `i` in `bb` is a last reference to SSA definition
    * `def`. The reference is last because it can reach another write `next`,
    * without passing through another read or write.
-   *
-   * The path from node `i` in `bb` to `next` goes via basic block `input`,
-   * which is either a predecessor of the basic block of `next`, or `input` =
-   * `bb` in case `next` occurs in basic block `bb`.
    */
   cached
   predicate lastRefRedefExt(
-    DefinitionExt def, SourceVariable sv, IRBlock bb, int i, IRBlock input, DefinitionExt next
+    DefinitionExt def, SourceVariable sv, IRBlock bb, int i, DefinitionExt next
   ) {
-    SsaImpl::lastRefRedefExt(def, sv, bb, i, input, next)
+    SsaImpl::lastRefRedefExt(def, sv, bb, i, next)
   }
 
   cached
-  Definition phiHasInputFromBlockExt(PhiNode phi, IRBlock bb) {
-    SsaImpl::phiHasInputFromBlockExt(phi, result, bb)
+  Definition phiHasInputFromBlock(PhiNode phi, IRBlock bb) {
+    SsaImpl::phiHasInputFromBlock(phi, result, bb)
   }
 
   cached
-  predicate ssaDefReachesReadExt(SourceVariable v, DefinitionExt def, IRBlock bb, int i) {
-    SsaImpl::ssaDefReachesReadExt(v, def, bb, i)
+  predicate ssaDefReachesRead(SourceVariable v, Definition def, IRBlock bb, int i) {
+    SsaImpl::ssaDefReachesRead(v, def, bb, i)
   }
 
   predicate variableRead = SsaInput::variableRead/4;
@@ -1203,11 +1198,11 @@ class Phi extends TPhi, SsaDef {
 
   final override Location getLocation() { result = phi.getBasicBlock().getLocation() }
 
-  override string toString() { result = phi.toString() }
+  override string toString() { result = "Phi" }
 
-  SsaPhiInputNode getNode(IRBlock block) { result.getPhiNode() = phi and result.getBlock() = block }
+  SsaPhiNode getNode() { result.getPhiNode() = phi }
 
-  predicate hasInputFromBlock(Definition inp, IRBlock bb) { inp = phiHasInputFromBlockExt(phi, bb) }
+  predicate hasInputFromBlock(Definition inp, IRBlock bb) { inp = phiHasInputFromBlock(phi, bb) }
 
   final Definition getAnInput() { this.hasInputFromBlock(result, _) }
 }
@@ -1233,21 +1228,13 @@ class PhiNode extends SsaImpl::DefinitionExt {
    */
   predicate isPhiRead() { this instanceof SsaImpl::PhiReadNode }
 
-  /**
-   * Holds if the node at index `i` in `bb` is a last reference to SSA
-   * definition `def` of `sv`. The reference is last because it can reach
-   * this phi node, without passing through another read or write.
-   *
-   * The path from node `i` in `bb` to this phi node goes via basic block
-   * `input`, which is either a predecessor of the basic block of this phi
-   * node, or `input` = `bb` in case this phi node occurs in basic block `bb`.
-   */
-  predicate hasInputFromBlock(DefinitionExt def, SourceVariable sv, IRBlock bb, int i, IRBlock input) {
-    SsaCached::lastRefRedefExt(def, sv, bb, i, input, this)
+  /** Holds if `inp` is an input to this phi node along the edge originating in `bb`. */
+  predicate hasInputFromBlock(Definition inp, IRBlock bb) {
+    inp = SsaCached::phiHasInputFromBlock(this, bb)
   }
 
   /** Gets a definition that is an input to this phi node. */
-  final Definition getAnInput() { this.hasInputFromBlock(result, _, _, _, _) }
+  final Definition getAnInput() { this.hasInputFromBlock(result, _) }
 }
 
 /** An static single assignment (SSA) definition. */
@@ -1262,15 +1249,6 @@ class DefinitionExt extends SsaImpl::DefinitionExt {
     result = this.getAPhiInputOrPriorDefinition*() and
     not result instanceof PhiNode
   }
-
-  /** Gets a node that represents a read of this SSA definition. */
-  Node getARead() {
-    exists(SourceVariable sv, IRBlock bb, int i | SsaCached::ssaDefReachesReadExt(sv, this, bb, i) |
-      useToNode(bb, i, sv, result)
-      or
-      phiToNode(result, sv, bb, i)
-    )
-  }
 }
 
 class Definition = SsaImpl::Definition;

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll

@@ -1,3 +1,3 @@
-import semmle.code.cpp.ir.implementation.raw.IR
+import semmle.code.cpp.ir.implementation.aliased_ssa.IR
 import semmle.code.cpp.ir.internal.Overlap
 import semmle.code.cpp.ir.internal.IRCppLanguage as Language

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -3208,20 +3208,9 @@ class TranslatedBuiltInOperation extends TranslatedNonConstantExpr {
 
   final override Instruction getResult() { result = this.getInstruction(OnlyInstructionTag()) }
 
-  /**
-   * Gets the rnk'th (0-indexed) child for which a `TranslatedElement` exists.
-   *
-   * We use this predicate to filter out `TypeName` expressions that sometimes
-   * occur in builtin operations since the IR doesn't have an instruction to
-   * represent a reference to a type.
-   */
-  private TranslatedElement getRankedChild(int rnk) {
-    result = rank[rnk + 1](int id, TranslatedElement te | te = this.getChild(id) | te order by id)
-  }
-
   final override Instruction getFirstInstruction(EdgeKind kind) {
-    if exists(this.getRankedChild(0))
-    then result = this.getRankedChild(0).getFirstInstruction(kind)
+    if exists(this.getChild(0))
+    then result = this.getChild(0).getFirstInstruction(kind)
     else (
       kind instanceof GotoEdge and result = this.getInstruction(OnlyInstructionTag())
     )
@@ -3241,11 +3230,11 @@ class TranslatedBuiltInOperation extends TranslatedNonConstantExpr {
   }
 
   final override Instruction getChildSuccessorInternal(TranslatedElement child, EdgeKind kind) {
-    exists(int id | child = this.getRankedChild(id) |
-      result = this.getRankedChild(id + 1).getFirstInstruction(kind)
+    exists(int id | child = this.getChild(id) |
+      result = this.getChild(id + 1).getFirstInstruction(kind)
       or
       kind instanceof GotoEdge and
-      not exists(this.getRankedChild(id + 1)) and
+      not exists(this.getChild(id + 1)) and
       result = this.getInstruction(OnlyInstructionTag())
     )
   }
@@ -3260,7 +3249,7 @@ class TranslatedBuiltInOperation extends TranslatedNonConstantExpr {
     tag = OnlyInstructionTag() and
     exists(int index |
       operandTag = positionalArgumentOperand(index) and
-      result = this.getRankedChild(index).(TranslatedExpr).getResult()
+      result = this.getChild(index).(TranslatedExpr).getResult()
     )
   }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll

@@ -1,3 +1,3 @@
-import semmle.code.cpp.ir.implementation.unaliased_ssa.IR
+import semmle.code.cpp.ir.implementation.aliased_ssa.IR
 import semmle.code.cpp.ir.internal.Overlap
 import semmle.code.cpp.ir.internal.IRCppLanguage as Language

cpp/ql/lib/semmle/code/cpp/models/implementations/Allocation.qll

@@ -7,6 +7,119 @@
 import semmle.code.cpp.models.interfaces.Allocation
 import semmle.code.cpp.models.interfaces.Taint
 
+/**
+ * An allocation function (such as `malloc`) that has an argument for the size
+ * in bytes.
+ */
+private class MallocAllocationFunction extends AllocationFunction {
+  int sizeArg;
+
+  MallocAllocationFunction() {
+    // --- C library allocation
+    this.hasGlobalOrStdOrBslName("malloc") and // malloc(size)
+    sizeArg = 0
+    or
+    this.hasGlobalName([
+        // --- Windows Memory Management for Windows Drivers
+        "MmAllocateContiguousMemory", // MmAllocateContiguousMemory(size, maxaddress)
+        "MmAllocateContiguousNodeMemory", // MmAllocateContiguousNodeMemory(size, minaddress, maxaddress, bound, flag, prefer)
+        "MmAllocateContiguousMemorySpecifyCache", // MmAllocateContiguousMemorySpecifyCache(size, minaddress, maxaddress, bound, type)
+        "MmAllocateContiguousMemorySpecifyCacheNode", // MmAllocateContiguousMemorySpecifyCacheNode(size, minaddress, maxaddress, bound, type, prefer)
+        "MmAllocateNonCachedMemory", // MmAllocateNonCachedMemory(size)
+        "MmAllocateMappingAddress", // MmAllocateMappingAddress(size, tag)
+        // --- Windows COM allocation
+        "CoTaskMemAlloc", // CoTaskMemAlloc(size)
+        // --- Solaris/BSD kernel memory allocator
+        "kmem_alloc", // kmem_alloc(size, flags)
+        "kmem_zalloc", // kmem_zalloc(size, flags)
+        // --- OpenSSL memory allocation
+        "CRYPTO_malloc", // CRYPTO_malloc(size_t num, const char *file, int line)
+        "CRYPTO_zalloc", // CRYPTO_zalloc(size_t num, const char *file, int line)
+        "CRYPTO_secure_malloc", // CRYPTO_secure_malloc(size_t num, const char *file, int line)
+        "CRYPTO_secure_zalloc", // CRYPTO_secure_zalloc(size_t num, const char *file, int line)
+        "g_malloc", // g_malloc (n_bytes);
+        "g_try_malloc" // g_try_malloc(n_bytes);
+      ]) and
+    sizeArg = 0
+    or
+    this.hasGlobalName([
+        // --- Windows Memory Management for Windows Drivers
+        "ExAllocatePool", // ExAllocatePool(type, size)
+        "ExAllocatePool2", // ExAllocatePool2(flags, size, tag)
+        "ExAllocatePool3", // ExAllocatePool3(flags, size, tag, extparams, extparamscount)
+        "ExAllocatePoolWithTag", // ExAllocatePool(type, size, tag)
+        "ExAllocatePoolWithTagPriority", // ExAllocatePoolWithTagPriority(type, size, tag, priority)
+        "ExAllocatePoolWithQuota", // ExAllocatePoolWithQuota(type, size)
+        "ExAllocatePoolWithQuotaTag", // ExAllocatePoolWithQuotaTag(type, size, tag)
+        "ExAllocatePoolZero", // ExAllocatePoolZero(type, size, tag)
+        "IoAllocateMdl", // IoAllocateMdl(address, size, flag, flag, irp)
+        "IoAllocateErrorLogEntry", // IoAllocateErrorLogEntry(object, size)
+        // --- Windows Global / Local legacy allocation
+        "LocalAlloc", // LocalAlloc(flags, size)
+        "GlobalAlloc", // GlobalAlloc(flags, size)
+        // --- Windows System Services allocation
+        "VirtualAlloc" // VirtualAlloc(address, size, type, flag)
+      ]) and
+    sizeArg = 1
+    or
+    this.hasGlobalName("HeapAlloc") and // HeapAlloc(heap, flags, size)
+    sizeArg = 2
+    or
+    this.hasGlobalName([
+        // --- Windows Memory Management for Windows Drivers
+        "MmAllocatePagesForMdl", // MmAllocatePagesForMdl(minaddress, maxaddress, skip, size)
+        "MmAllocatePagesForMdlEx", // MmAllocatePagesForMdlEx(minaddress, maxaddress, skip, size, type, flags)
+        "MmAllocateNodePagesForMdlEx" // MmAllocateNodePagesForMdlEx(minaddress, maxaddress, skip, size, type, prefer, flags)
+      ]) and
+    sizeArg = 3
+  }
+
+  override int getSizeArg() { result = sizeArg }
+}
+
+/**
+ * An allocation function (such as `alloca`) that does not require a
+ * corresponding free (and has an argument for the size in bytes).
+ */
+private class AllocaAllocationFunction extends AllocationFunction {
+  int sizeArg;
+
+  AllocaAllocationFunction() {
+    this.hasGlobalName([
+        // --- stack allocation
+        "alloca", // // alloca(size)
+        "__builtin_alloca", // __builtin_alloca(size)
+        "_alloca", // _alloca(size)
+        "_malloca" // _malloca(size)
+      ]) and
+    sizeArg = 0
+  }
+
+  override int getSizeArg() { result = sizeArg }
+
+  override predicate requiresDealloc() { none() }
+}
+
+/**
+ * An allocation function (such as `calloc`) that has an argument for the size
+ * and another argument for the size of those units (in bytes).
+ */
+private class CallocAllocationFunction extends AllocationFunction {
+  int sizeArg;
+  int multArg;
+
+  CallocAllocationFunction() {
+    // --- C library allocation
+    this.hasGlobalOrStdOrBslName("calloc") and // calloc(num, size)
+    sizeArg = 1 and
+    multArg = 0
+  }
+
+  override int getSizeArg() { result = sizeArg }
+
+  override int getSizeMult() { result = multArg }
+}
+
 /**
  * An allocation function (such as `realloc`) that has an argument for the size
  * in bytes, and an argument for an existing pointer that is to be reallocated.
@@ -260,63 +373,6 @@ private class NewArrayAllocationExpr extends AllocationExpr, NewArrayExpr {
   override predicate requiresDealloc() { not exists(this.getPlacementPointer()) }
 }
 
-/**
- * Holds if `f` is an allocation function according to the
- * extensible `allocationFunctionModel` predicate.
- */
-private predicate isAllocationFunctionFromModel(
-  Function f, string namespace, string type, string name
-) {
-  exists(boolean subtypes | allocationFunctionModel(namespace, type, subtypes, name, _, _, _, _) |
-    if type = ""
-    then f.hasQualifiedName(namespace, "", name)
-    else
-      exists(Class c |
-        c.hasQualifiedName(namespace, type) and f.hasQualifiedName(namespace, _, name)
-      |
-        if subtypes = true
-        then f = c.getADerivedClass*().getAMemberFunction()
-        else f = c.getAMemberFunction()
-      )
-  )
-}
-
-/**
- * An allocation function modeled via the extensible `allocationFunctionModel` predicate.
- */
-private class AllocationFunctionFromModel extends AllocationFunction {
-  string namespace;
-  string type;
-  string name;
-
-  AllocationFunctionFromModel() { isAllocationFunctionFromModel(this, namespace, type, name) }
-
-  final override int getSizeArg() {
-    exists(string sizeArg |
-      allocationFunctionModel(namespace, type, _, name, sizeArg, _, _, _) and
-      result = sizeArg.toInt()
-    )
-  }
-
-  final override int getSizeMult() {
-    exists(string sizeMult |
-      allocationFunctionModel(namespace, type, _, name, _, sizeMult, _, _) and
-      result = sizeMult.toInt()
-    )
-  }
-
-  final override int getReallocPtrArg() {
-    exists(string reallocPtrArg |
-      allocationFunctionModel(namespace, type, _, name, _, _, reallocPtrArg, _) and
-      result = reallocPtrArg.toInt()
-    )
-  }
-
-  final override predicate requiresDealloc() {
-    allocationFunctionModel(namespace, type, _, name, _, _, _, true)
-  }
-}
-
 private module HeuristicAllocation {
   /** A class that maps an `AllocationExpr` to an `HeuristicAllocationExpr`. */
   private class HeuristicAllocationModeled extends HeuristicAllocationExpr instanceof AllocationExpr

cpp/ql/lib/semmle/code/cpp/models/implementations/Deallocation.qll

@@ -7,42 +7,61 @@
 import semmle.code.cpp.models.interfaces.Deallocation
 
 /**
- * Holds if `f` is an deallocation function according to the
- * extensible `deallocationFunctionModel` predicate.
+ * A deallocation function such as `free`.
  */
-private predicate isDeallocationFunctionFromModel(
-  Function f, string namespace, string type, string name
-) {
-  exists(boolean subtypes | deallocationFunctionModel(namespace, type, subtypes, name, _) |
-    if type = ""
-    then f.hasQualifiedName(namespace, "", name)
-    else
-      exists(Class c |
-        c.hasQualifiedName(namespace, type) and f.hasQualifiedName(namespace, _, name)
-      |
-        if subtypes = true
-        then f = c.getADerivedClass*().getAMemberFunction()
-        else f = c.getAMemberFunction()
-      )
-  )
-}
+private class StandardDeallocationFunction extends DeallocationFunction {
+  int freedArg;
 
-/**
- * A deallocation function modeled via the extensible `deallocationFunctionModel` predicate.
- */
-private class DeallocationFunctionFromModel extends DeallocationFunction {
-  string namespace;
-  string type;
-  string name;
-
-  DeallocationFunctionFromModel() { isDeallocationFunctionFromModel(this, namespace, type, name) }
-
-  final override int getFreedArg() {
-    exists(string freedArg |
-      deallocationFunctionModel(namespace, type, _, name, freedArg) and
-      result = freedArg.toInt()
-    )
+  StandardDeallocationFunction() {
+    this.hasGlobalOrStdOrBslName([
+        // --- C library allocation
+        "free", "realloc"
+      ]) and
+    freedArg = 0
+    or
+    this.hasGlobalName([
+        // --- OpenSSL memory deallocation
+        "CRYPTO_free", "CRYPTO_secure_free",
+        // --- glib memory deallocation
+        "g_free"
+      ]) and
+    freedArg = 0
+    or
+    this.hasGlobalOrStdName([
+        // --- Windows Memory Management for Windows Drivers
+        "ExFreePool", "ExFreePoolWithTag", "ExDeleteTimer", "IoFreeIrp", "IoFreeMdl",
+        "IoFreeErrorLogEntry", "IoFreeWorkItem", "MmFreeContiguousMemory",
+        "MmFreeContiguousMemorySpecifyCache", "MmFreeNonCachedMemory", "MmFreeMappingAddress",
+        "MmFreePagesFromMdl", "MmUnmapReservedMapping", "MmUnmapLockedPages",
+        "NdisFreeGenericObject", "NdisFreeMemory", "NdisFreeMemoryWithTag", "NdisFreeMdl",
+        "NdisFreeNetBufferListPool", "NdisFreeNetBufferPool",
+        // --- Windows Global / Local legacy allocation
+        "LocalFree", "GlobalFree", "LocalReAlloc", "GlobalReAlloc",
+        // --- Windows System Services allocation
+        "VirtualFree",
+        // --- Windows COM allocation
+        "CoTaskMemFree", "CoTaskMemRealloc",
+        // --- Windows Automation
+        "SysFreeString",
+        // --- Solaris/BSD kernel memory allocator
+        "kmem_free"
+      ]) and
+    freedArg = 0
+    or
+    this.hasGlobalOrStdName([
+        // --- Windows Memory Management for Windows Drivers
+        "ExFreeToLookasideListEx", "ExFreeToPagedLookasideList", "ExFreeToNPagedLookasideList",
+        "NdisFreeMemoryWithTagPriority", "StorPortFreeMdl", "StorPortFreePool",
+        // --- NetBSD pool manager
+        "pool_put", "pool_cache_put"
+      ]) and
+    freedArg = 1
+    or
+    this.hasGlobalOrStdName(["HeapFree", "HeapReAlloc"]) and
+    freedArg = 2
   }
+
+  override int getFreedArg() { result = freedArg }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/models/interfaces/Allocation.qll

@@ -89,14 +89,6 @@ abstract class AllocationFunction extends Function {
   predicate requiresDealloc() { any() }
 }
 
-/**
- * Holds if an external allocation model exists for the given parameters.
- */
-extensible predicate allocationFunctionModel(
-  string namespace, string type, boolean subtypes, string name, string sizeArg, string multArg,
-  string reallocPtrArg, boolean requiresDealloc
-);
-
 /**
  * An `operator new` or `operator new[]` function that may be associated with
  * `new` or `new[]` expressions.  Note that `new` and `new[]` are not function

cpp/ql/lib/semmle/code/cpp/models/interfaces/Deallocation.qll

@@ -34,13 +34,6 @@ abstract class DeallocationFunction extends Function {
   int getFreedArg() { none() }
 }
 
-/**
- * Holds if an external deallocation model exists for the given parameters.
- */
-extensible predicate deallocationFunctionModel(
-  string namespace, string type, boolean subtypes, string name, string freedArg
-);
-
 /**
  * An `operator delete` or `operator delete[]` function that may be associated
  * with `delete` or `delete[]` expressions.  Note that `delete` and `delete[]`

cpp/ql/lib/semmle/code/cpp/security/flowafterfree/FlowAfterFree.qll

@@ -95,7 +95,7 @@ module FlowFromFree<FlowFromFreeParamSig P> {
         e = any(StoreInstruction store).getDestinationAddress().getUnconvertedResultExpression()
       )
       or
-      [n.asExpr(), n.asIndirectExpr()] instanceof ArrayExpr
+      n.asExpr() instanceof ArrayExpr
     }
   }
 

cpp/ql/src/CHANGELOG.md

@@ -1,9 +1,3 @@
-## 1.0.1
-
-### Minor Analysis Improvements
-
-* The `cpp/dangerous-function-overflow` no longer produces a false positive alert when the `gets` function does not have exactly one parameter.
-
 ## 1.0.0
 
 ### Breaking Changes

cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql

@@ -209,7 +209,6 @@ class LoopWithAlloca extends Stmt {
       DataFlow::localFlow(result, DataFlow::exprNode(va)) and
       // Phi nodes will be preceded by nodes that represent actual definitions
       not result instanceof DataFlow::SsaPhiNode and
-      not result instanceof DataFlow::SsaPhiInputNode and
       // A source is outside the loop if it's not inside the loop
       not exists(Expr e | e = getExpr(result) | this = getAnEnclosingLoopOfExpr(e))
     )

cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql

@@ -215,18 +215,13 @@ predicate noThrowInTryBlock(NewOrNewArrayExpr newExpr, BadAllocCatchBlock catchB
  */
 predicate nullCheckInThrowingNew(NewOrNewArrayExpr newExpr, GuardCondition guard) {
   newExpr.getAllocator() instanceof ThrowingAllocator and
-  // There can be many guard conditions that compares `newExpr` againgst 0.
-  // For example, for `if(!p)` both `p` and `!p` are guard conditions. To not
-  // produce duplicates results we pick the "first" guard condition according
-  // to some arbitrary ordering (i.e., location information). This means `!p` is the
-  // element that we use to construct the alert.
-  guard =
-    min(GuardCondition gc, int startline, int startcolumn, int endline, int endcolumn |
-      gc.comparesEq(globalValueNumber(newExpr).getAnExpr(), 0, _, _) and
-      gc.getLocation().hasLocationInfo(_, startline, startcolumn, endline, endcolumn)
-    |
-      gc order by startline, startcolumn, endline, endcolumn
-    )
+  (
+    // Handles null comparisons.
+    guard.ensuresEq(globalValueNumber(newExpr).getAnExpr(), any(NullValue null), _, _, _)
+    or
+    // Handles `if(ptr)` and `if(!ptr)` cases.
+    guard = globalValueNumber(newExpr).getAnExpr()
+  )
 }
 
 from NewOrNewArrayExpr newExpr, Element element, string msg, string elementString

cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql

@@ -17,6 +17,5 @@ import cpp
 from FunctionCall call, Function target
 where
   call.getTarget() = target and
-  target.hasGlobalOrStdName("gets") and
-  target.getNumberOfParameters() = 1
+  target.hasGlobalOrStdName("gets")
 select call, "'gets' does not guard against buffer overflow."

cpp/ql/src/change-notes/released/1.0.1.md

@@ -1,5 +0,0 @@
-## 1.0.1
-
-### Minor Analysis Improvements
-
-* The `cpp/dangerous-function-overflow` no longer produces a false positive alert when the `gets` function does not have exactly one parameter.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.1
+lastReleaseVersion: 1.0.0

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.0.2-dev
+version: 1.0.0
 groups:
   - cpp
   - queries

cpp/ql/test/header-variant-tests/iquote/iquote.c

@@ -3,4 +3,4 @@
 #include "b.h"
 static int has_angle_b = __has_include(<b.h>);
 
-// semmle-extractor-options: -I${testdir}/dir2 -iquote ${testdir}/dir1 --clang
+// semmle-extractor-options: -I${testdir}/dir2 -iquote ${testdir}/dir1 --edg --clang

cpp/ql/test/library-tests/CPP-207/options

@@ -1 +1 @@
-semmle-extractor-options: --microsoft
+semmle-extractor-options: --edg --microsoft

cpp/ql/test/library-tests/arguments/arguments.expected

@@ -15,6 +15,8 @@
 | arguments.c | 15 | --edg |
 | arguments.c | 16 | __CODEQL_TEST__ |
 | arguments.c | 17 | --gcc |
-| arguments.c | 18 | -w |
-| arguments.c | 19 | -Werror |
-| arguments.c | 20 | arguments.c |
+| arguments.c | 18 | --predefined_macros |
+| arguments.c | 19 | <tools>/qltest/predefined_macros |
+| arguments.c | 20 | -w |
+| arguments.c | 21 | -Werror |
+| arguments.c | 22 | arguments.c |

cpp/ql/test/library-tests/arguments/arguments.ql

@@ -4,5 +4,8 @@ from Compilation c, int i, string s
 // Skip the extractor name; it'll vary depending on platform
 where
   i > 0 and
-  s = c.getArgument(i).replaceAll("\\", "/")
+  s =
+    c.getArgument(i)
+        .replaceAll("\\", "/")
+        .regexpReplaceAll(".*(/qltest/predefined_macros)", "<tools>$1")
 select c.getAFileCompiled().toString(), i, s

cpp/ql/test/library-tests/attributes/availability/options

@@ -1 +1 @@
-semmle-extractor-options: --clang
+semmle-extractor-options: --edg --clang

cpp/ql/test/library-tests/attributes/routine_attributes/arguments.expected

@@ -1,8 +1,4 @@
 | declspec.cpp:4:23:4:43 | Use fatal() instead | declspec.cpp:4:59:4:62 | exit | declspec.cpp:4:12:4:21 | deprecated | Use fatal() instead |
-| routine_attributes2.cpp:5:6:5:11 | hidden | routine_attributes2.cpp:5:13:5:21 | a_routine | routine_attributes2.cpp:5:6:5:11 | visibility | hidden |
-| routine_attributes2.cpp:5:6:5:11 | hidden | routine_attributes2.cpp:5:13:5:21 | a_routine | routine_attributes2.cpp:5:6:5:11 | visibility | hidden |
-| routine_attributes2.h:3:6:3:11 | hidden | routine_attributes2.cpp:5:13:5:21 | a_routine | routine_attributes2.h:3:6:3:11 | visibility | hidden |
-| routine_attributes2.h:3:6:3:11 | hidden | routine_attributes2.cpp:5:13:5:21 | a_routine | routine_attributes2.h:3:6:3:11 | visibility | hidden |
 | routine_attributes.c:3:53:3:59 | dummy | routine_attributes.c:3:12:3:24 | named_weakref | routine_attributes.c:3:44:3:50 | weakref | dummy |
 | routine_attributes.c:4:62:4:68 | dummy | routine_attributes.c:4:12:4:26 | aliased_weakref | routine_attributes.c:4:55:4:59 | alias | dummy |
 | routine_attributes.c:6:49:6:55 | dummy | routine_attributes.c:6:12:6:22 | plain_alias | routine_attributes.c:6:42:6:46 | alias | dummy |

cpp/ql/test/library-tests/attributes/routine_attributes/routine_attributes.expected

@@ -18,10 +18,6 @@
 | header_export.cpp:14:16:14:26 | myFunction4 | header_export.cpp:14:1:14:9 | dllexport |
 | header_export.cpp:18:6:18:16 | myFunction5 | header.h:10:2:10:10 | dllexport |
 | header_export.cpp:18:6:18:16 | myFunction5 | header.h:10:2:10:10 | dllimport |
-| routine_attributes2.cpp:5:13:5:21 | a_routine | routine_attributes2.cpp:5:6:5:11 | visibility |
-| routine_attributes2.cpp:5:13:5:21 | a_routine | routine_attributes2.cpp:5:6:5:11 | visibility |
-| routine_attributes2.cpp:5:13:5:21 | a_routine | routine_attributes2.h:3:6:3:11 | visibility |
-| routine_attributes2.cpp:5:13:5:21 | a_routine | routine_attributes2.h:3:6:3:11 | visibility |
 | routine_attributes.c:3:12:3:24 | named_weakref | routine_attributes.c:3:44:3:50 | weakref |
 | routine_attributes.c:4:12:4:26 | aliased_weakref | routine_attributes.c:4:46:4:52 | weakref |
 | routine_attributes.c:4:12:4:26 | aliased_weakref | routine_attributes.c:4:55:4:59 | alias |

cpp/ql/test/library-tests/attributes/routine_attributes/routine_attributes2.cpp

@@ -1,7 +0,0 @@
-#define HIDDEN __attribute__((visibility("hidden")))
-
-#include "routine_attributes2.h"
-
-void HIDDEN a_routine() {
-    return;
-}

cpp/ql/test/library-tests/attributes/routine_attributes/routine_attributes2.h

@@ -1,3 +0,0 @@
-#pragma once
-
-void HIDDEN a_routine();

cpp/ql/test/library-tests/attributes/routine_attributes/routine_attributes3.cpp

@@ -1,3 +0,0 @@
-#define HIDDEN __attribute__((visibility("hidden")))
-
-#include "routine_attributes2.h"

cpp/ql/test/library-tests/attributes/type_attributes/arguments.expected

@@ -1,6 +1,3 @@
-| type_attributes2.cpp:5:14:5:20 | a_class | type_attributes2.cpp:5:7:5:12 | visibility | type_attributes2.cpp:5:7:5:12 | hidden |
-| type_attributes2.cpp:5:14:5:20 | a_class | type_attributes2.h:3:7:3:12 | visibility | type_attributes2.h:3:7:3:12 | hidden |
-| type_attributes2.cpp:5:14:5:20 | a_class | type_attributes2.h:3:7:3:12 | visibility | type_attributes2.h:3:7:3:12 | hidden |
 | type_attributes_ms.cpp:4:67:4:75 | IDispatch | type_attributes_ms.cpp:4:19:4:22 | uuid | type_attributes_ms.cpp:4:24:4:63 | {00020400-0000-0000-c000-000000000046} |
 | type_attributes_ms.cpp:5:30:5:33 | Str1 | type_attributes_ms.cpp:5:12:5:16 | align | type_attributes_ms.cpp:5:18:5:19 | 32 |
 | type_attributes_ms.cpp:6:55:6:62 | IUnknown | type_attributes_ms.cpp:6:2:6:2 | uuid | type_attributes_ms.cpp:6:2:6:2 | 00000000-0000-0000-c000-000000000046 |

cpp/ql/test/library-tests/attributes/type_attributes/type_attributes.expected

@@ -1,7 +1,4 @@
 | file://:0:0:0:0 | short __attribute((__may_alias__)) | type_attributes.c:25:30:25:42 | may_alias |
-| type_attributes2.cpp:5:14:5:20 | a_class | type_attributes2.cpp:5:7:5:12 | visibility |
-| type_attributes2.cpp:5:14:5:20 | a_class | type_attributes2.h:3:7:3:12 | visibility |
-| type_attributes2.cpp:5:14:5:20 | a_class | type_attributes2.h:3:7:3:12 | visibility |
 | type_attributes.c:5:36:5:51 | my_packed_struct | type_attributes.c:5:23:5:32 | packed |
 | type_attributes.c:10:54:10:54 | (unnamed class/struct/union) | type_attributes.c:10:30:10:50 | transparent_union |
 | type_attributes.c:16:54:16:54 | (unnamed class/struct/union) | type_attributes.c:16:30:16:50 | transparent_union |

cpp/ql/test/library-tests/attributes/type_attributes/type_attributes2.cpp

@@ -1,6 +0,0 @@
-#define HIDDEN __attribute__((visibility("hidden")))
-
-#include "type_attributes2.h"
-
-class HIDDEN a_class {
-};

cpp/ql/test/library-tests/attributes/type_attributes/type_attributes2.h

@@ -1,3 +0,0 @@
-#pragma once
-
-class HIDDEN a_class;

cpp/ql/test/library-tests/attributes/type_attributes/type_attributes3.cpp

@@ -1,3 +0,0 @@
-#define HIDDEN __attribute__((visibility("hidden")))
-
-#include "type_attributes2.h"

cpp/ql/test/library-tests/attributes/var_attributes/var_attributes.expected

@@ -6,10 +6,6 @@
 | ms_var_attributes.cpp:12:42:12:46 | field | ms_var_attributes.cpp:12:14:12:21 | property |
 | ms_var_attributes.cpp:20:34:20:37 | pBuf | ms_var_attributes.cpp:20:12:20:12 | SAL_volatile |
 | ms_var_attributes.h:5:22:5:27 | myInt3 | ms_var_attributes.h:5:1:5:9 | dllexport |
-| var_attributes2.cpp:5:12:5:21 | a_variable | var_attributes2.cpp:5:5:5:10 | visibility |
-| var_attributes2.cpp:5:12:5:21 | a_variable | var_attributes2.cpp:5:5:5:10 | visibility |
-| var_attributes2.cpp:5:12:5:21 | a_variable | var_attributes2.h:3:12:3:17 | visibility |
-| var_attributes2.cpp:5:12:5:21 | a_variable | var_attributes2.h:3:12:3:17 | visibility |
 | var_attributes.c:1:12:1:19 | weak_var | var_attributes.c:1:36:1:39 | weak |
 | var_attributes.c:2:12:2:22 | weakref_var | var_attributes.c:2:39:2:45 | weakref |
 | var_attributes.c:3:12:3:19 | used_var | var_attributes.c:3:36:3:39 | used |

cpp/ql/test/library-tests/attributes/var_attributes/var_attributes2.cpp

@@ -1,5 +0,0 @@
-#define HIDDEN __attribute__((visibility("hidden")))
-
-#include "var_attributes2.h"
-
-int HIDDEN a_variable;

cpp/ql/test/library-tests/attributes/var_attributes/var_attributes2.h

@@ -1,3 +0,0 @@
-#pragma once
-
-extern int HIDDEN a_variable;

cpp/ql/test/library-tests/attributes/var_attributes/var_attributes3.cpp

@@ -1,3 +0,0 @@
-#define HIDDEN __attribute__((visibility("hidden")))
-
-#include "var_attributes2.h"

cpp/ql/test/library-tests/clang_builtin_macros/addressof.c

@@ -1,4 +1,4 @@
-// semmle-extractor-options: --clang
+// semmle-extractor-options: --edg --clang
 
 int x = 0;
 

cpp/ql/test/library-tests/clang_builtin_macros/extended.cpp

@@ -1,4 +1,4 @@
-// semmle-extractor-options: --clang --edg --c++11 --edg --nullptr
+// semmle-extractor-options: --edg --clang --edg --c++11 --edg --nullptr
 
 static int has_nullptr_f = __has_feature(cxx_nullptr);
 static int has_nullptr_e = __has_extension(cxx_nullptr);

cpp/ql/test/library-tests/clang_builtin_macros/options

@@ -1 +1 @@
-semmle-extractor-options: --clang
+semmle-extractor-options: --edg --clang

cpp/ql/test/library-tests/clang_builtin_macros/test.cpp

@@ -1,7 +1,7 @@
 // For the canonical behaviour, run: clang -E -w test.cpp
 #define __builtin_TRAP __builtin_trap
 #define BAR "bar.h"
-// semmle-extractor-options: --clang --expect_errors
+// semmle-extractor-options: --edg --clang --expect_errors
 #if defined(__has_include)
 static int has_include = 1;
 #else

cpp/ql/test/library-tests/clang_ms/options

@@ -1 +1 @@
-semmle-extractor-options: --clang --edg --ms_extensions
+semmle-extractor-options: --edg --clang --edg --ms_extensions

cpp/ql/test/library-tests/controlflow/guards-ir/tests.expected

@@ -74,8 +74,6 @@ astGuardsCompare
 | 34 | j >= 10+0 when ... < ... is false |
 | 42 | 10 < j+1 when ... < ... is false |
 | 42 | 10 >= j+1 when ... < ... is true |
-| 42 | call to getABool != 0 when call to getABool is true |
-| 42 | call to getABool == 0 when call to getABool is false |
 | 42 | j < 10+0 when ... < ... is true |
 | 42 | j >= 10+0 when ... < ... is false |
 | 44 | 0 < z+0 when ... > ... is true |
@@ -539,8 +537,6 @@ astGuardsEnsure_const
 | test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | != | -1 | 34 | 34 |
 | test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | == | -1 | 30 | 30 |
 | test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | == | -1 | 31 | 32 |
-| test.cpp:42:13:42:20 | call to getABool | test.cpp:42:13:42:20 | call to getABool | != | 0 | 43 | 45 |
-| test.cpp:42:13:42:20 | call to getABool | test.cpp:42:13:42:20 | call to getABool | == | 0 | 53 | 53 |
 irGuards
 | test.c:7:9:7:13 | CompareGT: ... > ... |
 | test.c:17:8:17:12 | CompareLT: ... < ... |
@@ -617,8 +613,6 @@ irGuardsCompare
 | 34 | j >= 10+0 when CompareLT: ... < ... is false |
 | 42 | 10 < j+1 when CompareLT: ... < ... is false |
 | 42 | 10 >= j+1 when CompareLT: ... < ... is true |
-| 42 | call to getABool != 0 when Call: call to getABool is true |
-| 42 | call to getABool == 0 when Call: call to getABool is false |
 | 42 | j < 10 when CompareLT: ... < ... is true |
 | 42 | j < 10+0 when CompareLT: ... < ... is true |
 | 42 | j >= 10 when CompareLT: ... < ... is false |
@@ -1087,5 +1081,3 @@ irGuardsEnsure_const
 | test.cpp:31:7:31:13 | CompareEQ: ... == ... | test.cpp:31:7:31:7 | Load: x | != | -1 | 34 | 34 |
 | test.cpp:31:7:31:13 | CompareEQ: ... == ... | test.cpp:31:7:31:7 | Load: x | == | -1 | 30 | 30 |
 | test.cpp:31:7:31:13 | CompareEQ: ... == ... | test.cpp:31:7:31:7 | Load: x | == | -1 | 32 | 32 |
-| test.cpp:42:13:42:20 | Call: call to getABool | test.cpp:42:13:42:20 | Call: call to getABool | != | 0 | 44 | 44 |
-| test.cpp:42:13:42:20 | Call: call to getABool | test.cpp:42:13:42:20 | Call: call to getABool | == | 0 | 53 | 53 |

cpp/ql/test/library-tests/controlflow/guards/Guards.expected

@@ -42,10 +42,3 @@
 | test.cpp:99:6:99:6 | f |
 | test.cpp:105:6:105:14 | ... != ... |
 | test.cpp:111:6:111:14 | ... != ... |
-| test.cpp:122:9:122:9 | b |
-| test.cpp:125:13:125:20 | ! ... |
-| test.cpp:125:14:125:17 | call to safe |
-| test.cpp:131:6:131:21 | call to __builtin_expect |
-| test.cpp:135:6:135:21 | call to __builtin_expect |
-| test.cpp:141:6:141:21 | call to __builtin_expect |
-| test.cpp:145:6:145:21 | call to __builtin_expect |

cpp/ql/test/library-tests/controlflow/guards/GuardsCompare.expected

@@ -44,8 +44,6 @@
 | 34 | j >= 10+0 when ... < ... is false |
 | 42 | 10 < j+1 when ... < ... is false |
 | 42 | 10 >= j+1 when ... < ... is true |
-| 42 | call to getABool != 0 when call to getABool is true |
-| 42 | call to getABool == 0 when call to getABool is false |
 | 42 | j < 10 when ... < ... is true |
 | 42 | j < 10+0 when ... < ... is true |
 | 42 | j >= 10 when ... < ... is false |
@@ -151,59 +149,16 @@
 | 111 | 0.0 == i+0 when ... != ... is false |
 | 111 | i != 0.0+0 when ... != ... is true |
 | 111 | i == 0.0+0 when ... != ... is false |
-| 122 | b != 0 when b is true |
-| 122 | b == 0 when b is false |
-| 125 | ! ... != 0 when ! ... is true |
-| 125 | ! ... == 0 when ! ... is false |
-| 125 | call to safe != 0 when ! ... is false |
-| 125 | call to safe != 0 when call to safe is true |
-| 125 | call to safe == 0 when call to safe is false |
 | 126 | 1 != 0 when 1 is true |
 | 126 | 1 != 0 when ... && ... is true |
 | 126 | 1 == 0 when 1 is false |
 | 126 | call to test3_condition != 0 when ... && ... is true |
 | 126 | call to test3_condition != 0 when call to test3_condition is true |
 | 126 | call to test3_condition == 0 when call to test3_condition is false |
-| 131 | ... + ... != a+0 when call to __builtin_expect is false |
-| 131 | ... + ... == a+0 when call to __builtin_expect is true |
-| 131 | a != ... + ...+0 when call to __builtin_expect is false |
-| 131 | a != b+42 when call to __builtin_expect is false |
-| 131 | a == ... + ...+0 when call to __builtin_expect is true |
-| 131 | a == b+42 when call to __builtin_expect is true |
 | 131 | b != 0 when b is true |
-| 131 | b != a+-42 when call to __builtin_expect is false |
 | 131 | b == 0 when b is false |
-| 131 | b == a+-42 when call to __builtin_expect is true |
-| 131 | call to __builtin_expect != 0 when call to __builtin_expect is true |
-| 131 | call to __builtin_expect == 0 when call to __builtin_expect is false |
-| 135 | ... + ... != a+0 when call to __builtin_expect is true |
-| 135 | ... + ... == a+0 when call to __builtin_expect is false |
-| 135 | a != ... + ...+0 when call to __builtin_expect is true |
-| 135 | a != b+42 when call to __builtin_expect is true |
-| 135 | a == ... + ...+0 when call to __builtin_expect is false |
-| 135 | a == b+42 when call to __builtin_expect is false |
-| 135 | b != a+-42 when call to __builtin_expect is true |
-| 135 | b == a+-42 when call to __builtin_expect is false |
-| 135 | call to __builtin_expect != 0 when call to __builtin_expect is true |
-| 135 | call to __builtin_expect == 0 when call to __builtin_expect is false |
 | 137 | 0 != 0 when 0 is true |
 | 137 | 0 == 0 when 0 is false |
-| 141 | 42 != a+0 when call to __builtin_expect is false |
-| 141 | 42 == a+0 when call to __builtin_expect is true |
-| 141 | a != 42 when call to __builtin_expect is false |
-| 141 | a != 42+0 when call to __builtin_expect is false |
-| 141 | a == 42 when call to __builtin_expect is true |
-| 141 | a == 42+0 when call to __builtin_expect is true |
-| 141 | call to __builtin_expect != 0 when call to __builtin_expect is true |
-| 141 | call to __builtin_expect == 0 when call to __builtin_expect is false |
-| 145 | 42 != a+0 when call to __builtin_expect is true |
-| 145 | 42 == a+0 when call to __builtin_expect is false |
-| 145 | a != 42 when call to __builtin_expect is true |
-| 145 | a != 42+0 when call to __builtin_expect is true |
-| 145 | a == 42 when call to __builtin_expect is false |
-| 145 | a == 42+0 when call to __builtin_expect is false |
-| 145 | call to __builtin_expect != 0 when call to __builtin_expect is true |
-| 145 | call to __builtin_expect == 0 when call to __builtin_expect is false |
 | 146 | ! ... != 0 when ! ... is true |
 | 146 | ! ... == 0 when ! ... is false |
 | 146 | x != 0 when ! ... is false |

cpp/ql/test/library-tests/controlflow/guards/GuardsControl.expected

@@ -100,11 +100,3 @@
 | test.cpp:99:6:99:6 | f | true | 99 | 100 |
 | test.cpp:105:6:105:14 | ... != ... | true | 105 | 106 |
 | test.cpp:111:6:111:14 | ... != ... | true | 111 | 112 |
-| test.cpp:122:9:122:9 | b | true | 123 | 125 |
-| test.cpp:122:9:122:9 | b | true | 125 | 125 |
-| test.cpp:125:13:125:20 | ! ... | true | 125 | 125 |
-| test.cpp:125:14:125:17 | call to safe | false | 125 | 125 |
-| test.cpp:131:6:131:21 | call to __builtin_expect | true | 131 | 132 |
-| test.cpp:135:6:135:21 | call to __builtin_expect | true | 135 | 136 |
-| test.cpp:141:6:141:21 | call to __builtin_expect | true | 141 | 142 |
-| test.cpp:145:6:145:21 | call to __builtin_expect | true | 145 | 146 |

cpp/ql/test/library-tests/controlflow/guards/GuardsEnsure.expected

@@ -159,18 +159,6 @@ binary
 | test.cpp:105:6:105:14 | ... != ... | test.cpp:105:11:105:14 | 0.0 | != | test.cpp:105:6:105:6 | f | 0 | 105 | 106 |
 | test.cpp:111:6:111:14 | ... != ... | test.cpp:111:6:111:6 | i | != | test.cpp:111:11:111:14 | 0.0 | 0 | 111 | 112 |
 | test.cpp:111:6:111:14 | ... != ... | test.cpp:111:11:111:14 | 0.0 | != | test.cpp:111:6:111:6 | i | 0 | 111 | 112 |
-| test.cpp:131:6:131:21 | call to __builtin_expect | test.cpp:131:23:131:23 | a | == | test.cpp:131:28:131:28 | b | 42 | 131 | 132 |
-| test.cpp:131:6:131:21 | call to __builtin_expect | test.cpp:131:23:131:23 | a | == | test.cpp:131:28:131:33 | ... + ... | 0 | 131 | 132 |
-| test.cpp:131:6:131:21 | call to __builtin_expect | test.cpp:131:28:131:28 | b | == | test.cpp:131:23:131:23 | a | -42 | 131 | 132 |
-| test.cpp:131:6:131:21 | call to __builtin_expect | test.cpp:131:28:131:33 | ... + ... | == | test.cpp:131:23:131:23 | a | 0 | 131 | 132 |
-| test.cpp:135:6:135:21 | call to __builtin_expect | test.cpp:135:23:135:23 | a | != | test.cpp:135:28:135:28 | b | 42 | 135 | 136 |
-| test.cpp:135:6:135:21 | call to __builtin_expect | test.cpp:135:23:135:23 | a | != | test.cpp:135:28:135:33 | ... + ... | 0 | 135 | 136 |
-| test.cpp:135:6:135:21 | call to __builtin_expect | test.cpp:135:28:135:28 | b | != | test.cpp:135:23:135:23 | a | -42 | 135 | 136 |
-| test.cpp:135:6:135:21 | call to __builtin_expect | test.cpp:135:28:135:33 | ... + ... | != | test.cpp:135:23:135:23 | a | 0 | 135 | 136 |
-| test.cpp:141:6:141:21 | call to __builtin_expect | test.cpp:141:23:141:23 | a | == | test.cpp:141:28:141:29 | 42 | 0 | 141 | 142 |
-| test.cpp:141:6:141:21 | call to __builtin_expect | test.cpp:141:28:141:29 | 42 | == | test.cpp:141:23:141:23 | a | 0 | 141 | 142 |
-| test.cpp:145:6:145:21 | call to __builtin_expect | test.cpp:145:23:145:23 | a | != | test.cpp:145:28:145:29 | 42 | 0 | 145 | 146 |
-| test.cpp:145:6:145:21 | call to __builtin_expect | test.cpp:145:28:145:29 | 42 | != | test.cpp:145:23:145:23 | a | 0 | 145 | 146 |
 unary
 | test.c:7:9:7:13 | ... > ... | test.c:7:9:7:9 | x | < | 1 | 10 | 11 |
 | test.c:7:9:7:13 | ... > ... | test.c:7:9:7:9 | x | >= | 1 | 7 | 9 |
@@ -269,8 +257,6 @@ unary
 | test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | != | -1 | 34 | 34 |
 | test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | == | -1 | 30 | 30 |
 | test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | == | -1 | 31 | 32 |
-| test.cpp:42:13:42:20 | call to getABool | test.cpp:42:13:42:20 | call to getABool | != | 0 | 43 | 45 |
-| test.cpp:42:13:42:20 | call to getABool | test.cpp:42:13:42:20 | call to getABool | == | 0 | 53 | 53 |
 | test.cpp:61:10:61:10 | i | test.cpp:61:10:61:10 | i | == | 0 | 62 | 64 |
 | test.cpp:61:10:61:10 | i | test.cpp:61:10:61:10 | i | == | 1 | 65 | 66 |
 | test.cpp:74:10:74:10 | i | test.cpp:74:10:74:10 | i | < | 11 | 75 | 77 |
@@ -278,13 +264,3 @@ unary
 | test.cpp:74:10:74:10 | i | test.cpp:74:10:74:10 | i | >= | 0 | 75 | 77 |
 | test.cpp:74:10:74:10 | i | test.cpp:74:10:74:10 | i | >= | 11 | 78 | 79 |
 | test.cpp:93:6:93:6 | c | test.cpp:93:6:93:6 | c | != | 0 | 93 | 94 |
-| test.cpp:122:9:122:9 | b | test.cpp:122:9:122:9 | b | != | 0 | 123 | 125 |
-| test.cpp:122:9:122:9 | b | test.cpp:122:9:122:9 | b | != | 0 | 125 | 125 |
-| test.cpp:125:13:125:20 | ! ... | test.cpp:125:13:125:20 | ! ... | != | 0 | 125 | 125 |
-| test.cpp:125:14:125:17 | call to safe | test.cpp:125:14:125:17 | call to safe | == | 0 | 125 | 125 |
-| test.cpp:131:6:131:21 | call to __builtin_expect | test.cpp:131:6:131:21 | call to __builtin_expect | != | 0 | 131 | 132 |
-| test.cpp:135:6:135:21 | call to __builtin_expect | test.cpp:135:6:135:21 | call to __builtin_expect | != | 0 | 135 | 136 |
-| test.cpp:141:6:141:21 | call to __builtin_expect | test.cpp:141:6:141:21 | call to __builtin_expect | != | 0 | 141 | 142 |
-| test.cpp:141:6:141:21 | call to __builtin_expect | test.cpp:141:23:141:23 | a | == | 42 | 141 | 142 |
-| test.cpp:145:6:145:21 | call to __builtin_expect | test.cpp:145:6:145:21 | call to __builtin_expect | != | 0 | 145 | 146 |
-| test.cpp:145:6:145:21 | call to __builtin_expect | test.cpp:145:23:145:23 | a | != | 42 | 145 | 146 |

cpp/ql/test/library-tests/controlflow/guards/test.cpp

@@ -112,37 +112,3 @@ void int_float_comparison(int i) {
     use(i);
   }
 }
-
-int source();
-bool safe(int);
-
-void test(bool b)
-{
-    int x;
-    if (b)
-    {
-        x = source();
-        if (!safe(x)) return;
-    }
-    use(x);
-}
-
-void binary_test_builtin_expected(int a, int b) {
-  if(__builtin_expect(a == b + 42, 0)) {
-      use(a);
-  }
-
-  if(__builtin_expect(a != b + 42, 0)) {
-      use(a);
-  }
-}
-
-void unary_test_builtin_expected(int a) {
-  if(__builtin_expect(a == 42, 0)) {
-      use(a);
-  }
-
-  if(__builtin_expect(a != 42, 0)) {
-      use(a);
-  }
-}

cpp/ql/test/library-tests/dataflow/dataflow-edge-tests/additionalEdges.expected

@@ -1,6 +1,6 @@
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (additionalEdges.ql:31,6-14)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (additionalEdges.ql:31,31-39)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (additionalEdges.ql:32,7-15)
+WARNING: Module DataFlow has been deprecated and may be removed in future (additionalEdges.ql:31,6-14)
+WARNING: Module DataFlow has been deprecated and may be removed in future (additionalEdges.ql:31,31-39)
+WARNING: Module DataFlow has been deprecated and may be removed in future (additionalEdges.ql:32,7-15)
 | tryExcept.c:7:7:7:7 | x | tryExcept.c:14:10:14:10 | x |
 | tryExcept.c:7:13:7:14 | 0 | tryExcept.c:10:9:10:9 | y |
 | tryExcept.c:10:9:10:9 | y | tryExcept.c:10:5:10:9 | ... = ... |

cpp/ql/test/library-tests/dataflow/dataflow-edge-tests/standardEdges.expected

@@ -1,5 +1,5 @@
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (standardEdges.ql:4,6-14)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (standardEdges.ql:4,31-39)
-WARNING: module 'DataFlow' has been deprecated and may be removed in future (standardEdges.ql:5,7-15)
+WARNING: Module DataFlow has been deprecated and may be removed in future (standardEdges.ql:4,6-14)
+WARNING: Module DataFlow has been deprecated and may be removed in future (standardEdges.ql:4,31-39)
+WARNING: Module DataFlow has been deprecated and may be removed in future (standardEdges.ql:5,7-15)
 | tryExcept.c:7:13:7:14 | 0 | tryExcept.c:10:9:10:9 | y |
 | tryExcept.c:10:9:10:9 | y | tryExcept.c:10:5:10:9 | ... = ... |

cpp/ql/test/library-tests/dataflow/dataflow-tests/BarrierGuard.cpp

@@ -75,54 +75,4 @@ void bg_indirect_expr() {
   if (guarded(buf)) {
     sink(buf);
   }
-}
-
-void test_guard_and_reassign() {
-  int x = source();
-
-  if(!guarded(x)) {
-    x = 0;
-  }
-  sink(x); // $ SPURIOUS: ast
-}
-
-void test_phi_read_guard(bool b) {
-  int x = source();
-
-  if(b) {
-    if(!guarded(x))
-      return;
-  }
-  else {
-    if(!guarded(x))
-      return;
-  }
-  
-  sink(x); // $ SPURIOUS: ast
-}
-
-bool unsafe(int);
-
-void test_guard_and_reassign_2() {
-  int x = source();
-
-  if(unsafe(x)) {
-    x = 0;
-  }
-  sink(x); // $ SPURIOUS: ast
-}
-
-void test_phi_read_guard_2(bool b) {
-  int x = source();
-
-  if(b) {
-    if(unsafe(x))
-      return;
-  }
-  else {
-    if(unsafe(x))
-      return;
-  }
-  
-  sink(x); // $ SPURIOUS: ast
 }

cpp/ql/test/library-tests/dataflow/dataflow-tests/TestBase.qll

@@ -7,17 +7,10 @@ module AstTest {
    * S in `if (guarded(x)) S`.
    */
   // This is tested in `BarrierGuard.cpp`.
-  predicate testBarrierGuard(GuardCondition g, Expr checked, boolean branch) {
-    exists(Call call, boolean b |
-      checked = call.getArgument(0) and
-      g.comparesEq(call, 0, b, any(BooleanValue bv | bv.getValue() = branch))
-    |
-      call.getTarget().hasName("guarded") and
-      b = false
-      or
-      call.getTarget().hasName("unsafe") and
-      b = true
-    )
+  predicate testBarrierGuard(GuardCondition g, Expr checked, boolean isTrue) {
+    g.(FunctionCall).getTarget().getName() = "guarded" and
+    checked = g.(FunctionCall).getArgument(0) and
+    isTrue = true
   }
 
   /** Common data flow configuration to be used by tests. */
@@ -109,16 +102,12 @@ module IRTest {
    * S in `if (guarded(x)) S`.
    */
   // This is tested in `BarrierGuard.cpp`.
-  predicate testBarrierGuard(IRGuardCondition g, Expr checked, boolean branch) {
-    exists(CallInstruction call, boolean b |
-      checked = call.getArgument(0).getUnconvertedResultExpression() and
-      g.comparesEq(call.getAUse(), 0, b, any(BooleanValue bv | bv.getValue() = branch))
-    |
-      call.getStaticCallTarget().hasName("guarded") and
-      b = false
-      or
-      call.getStaticCallTarget().hasName("unsafe") and
-      b = true
+  predicate testBarrierGuard(IRGuardCondition g, Expr checked, boolean isTrue) {
+    exists(Call call |
+      call = g.getUnconvertedResultExpression() and
+      call.getTarget().hasName("guarded") and
+      checked = call.getArgument(0) and
+      isTrue = true
     )
   }
 
@@ -151,9 +140,6 @@ module IRTest {
         or
         call.getTarget().getName() = "indirect_sink" and
         sink.asIndirectExpr() = e
-        or
-        call.getTarget().getName() = "indirect_sink_const_ref" and
-        sink.asIndirectExpr() = e
       )
     }
 

cpp/ql/test/library-tests/dataflow/dataflow-tests/clang.cpp

@@ -1,4 +1,4 @@
-// semmle-extractor-options: --clang
+// semmle-extractor-options: --edg --clang
 
 int source();
 void sink(int); void sink(const int *); void sink(int **); void indirect_sink(...);
@@ -52,9 +52,3 @@ void following_pointers( // $ ast-def=sourceStruct1_ptr ir-def=*cleanArray1 ir-d
   sink(stackArray); // $ ast,ir
   indirect_sink(stackArray); // $ ast ir=50:25 ir=50:35 ir=51:19
 }
-
-void test_bitcast() {
-  unsigned long x = source();
-  double d = __builtin_bit_cast(double, x);
-  sink(d); // $ ir MISSING: ast
-}