Merge branch 'main' into turbo/experimental-suite

.github/actions/cache-query-compilation/action.yml

@@ -23,19 +23,20 @@ runs:
       run: |
         MERGE_BASE=$(git cat-file commit $GITHUB_SHA | grep '^parent ' | head -1 | cut -f 2 -d " ")
         echo "merge_base=$MERGE_BASE" >> $GITHUB_ENV
-    - name: Restore cache (PR)
+    - name: Restore read-only cache (PR)
       if: ${{ github.event_name == 'pull_request' }}
-      uses: actions/cache/restore@v3
+      uses: erik-krogh/actions-cache@a88d0603fe5fb5606db9f002dfcadeb32b5f84c6
       with:
         path: '**/.cache'
+        read-only: true
         key: codeql-compile-${{ inputs.key }}-pr-${{ github.sha }}
         restore-keys: |
           codeql-compile-${{ inputs.key }}-${{ github.base_ref }}-${{ env.merge_base }}
           codeql-compile-${{ inputs.key }}-${{ github.base_ref }}-
           codeql-compile-${{ inputs.key }}-main-
-    - name: Fill cache (only branch push)
+    - name: Fill cache (push)
       if: ${{ github.event_name != 'pull_request' }}
-      uses: actions/cache@v3
+      uses: erik-krogh/actions-cache@a88d0603fe5fb5606db9f002dfcadeb32b5f84c6
       with:
         path: '**/.cache'
         key: codeql-compile-${{ inputs.key }}-${{ github.ref_name }}-${{ github.sha }} # just fill on main

.github/actions/fetch-codeql/action.yml

@@ -19,6 +19,4 @@ runs:
         gh extension install github/gh-codeql
         gh codeql set-channel "$CHANNEL"
         gh codeql version
-        printf "CODEQL_FETCHED_CODEQL_PATH=" >> "${GITHUB_ENV}"
-        gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_ENV}"
         gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_PATH}"

.github/actions/os-version/action.yml

@@ -1,32 +0,0 @@
-name: OS Version
-description: Get OS version.
-
-outputs:
-  version:
-    description: "OS version"
-    value: ${{ steps.version.outputs.version }}
-
-runs:
-  using: composite
-  steps:
-    - if: runner.os == 'Linux'
-      shell: bash
-      run: |
-        . /etc/os-release
-        echo "VERSION=${NAME} ${VERSION}" >> $GITHUB_ENV
-    - if: runner.os == 'Windows'
-      shell: powershell
-      run: |
-        $objects = systeminfo.exe /FO CSV | ConvertFrom-Csv
-        "VERSION=$($objects.'OS Name') $($objects.'OS Version')" >> $env:GITHUB_ENV
-    - if: runner.os == 'macOS'
-      shell: bash
-      run: |
-        echo "VERSION=$(sw_vers -productName) $(sw_vers -productVersion)" >> $GITHUB_ENV
-    - name: Emit OS version
-      id: version
-      shell: bash
-      run: |
-        echo "$VERSION"
-        echo "version=${VERSION}" >> $GITHUB_OUTPUT
-

.github/dependabot.yml

@@ -1,7 +1,19 @@
 version: 2
 updates:
   - package-ecosystem: "cargo"
-    directory: "ruby"
+    directory: "ruby/node-types"
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "cargo"
+    directory: "ruby/generator"
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "cargo"
+    directory: "ruby/extractor"
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "cargo"
+    directory: "ruby/autobuilder"
     schedule:
       interval: "daily"
 

.github/workflows/atm-check-query-suite.yml

@@ -13,7 +13,7 @@ on:
 
 jobs:
   atm-check-query-suite:
-    runs-on: ubuntu-latest-xl
+    runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@v3
@@ -23,12 +23,6 @@ jobs:
         with:
           channel: release
 
-      - name: Cache compilation cache
-        id: query-cache
-        uses: ./.github/actions/cache-query-compilation
-        with: 
-          key: atm-suite
-
       - name: Install ATM model
         run: |
           set -exu
@@ -56,13 +50,10 @@ jobs:
           echo "SARIF_PATH=${SARIF_PATH}" >> "${GITHUB_ENV}"
 
           codeql database analyze \
-            --threads=0 \
-            --ram 50000 \
             --format sarif-latest \
             --output "${SARIF_PATH}" \
             --sarif-group-rules-by-pack \
             -vv \
-            --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" \
             -- \
             "${DB_PATH}" \
             "${QUERY_PACK}/${QUERY_SUITE}"

.github/workflows/check-change-note.yml

@@ -26,9 +26,3 @@ jobs:
         run: |
           gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' |
           grep true -c
-      - name: Fail if the change note filename doesn't match the expected format. The file name must be of the form 'YYYY-MM-DD.md' or 'YYYY-MM-DD-{title}.md', where '{title}' is arbitrary text.
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq '[.[].filename | select(test("/change-notes/.*[.]md$"))] | all(test("/change-notes/[0-9]{4}-[0-9]{2}-[0-9]{2}.*[.]md$"))' |
-          grep true -c

.github/workflows/close-stale.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/stale@v7
+    - uses: actions/stale@v6
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `Stale` label in order to avoid having this issue closed in 7 days.'

.github/workflows/mad_modelDiff.yml

@@ -11,7 +11,7 @@ on:
     branches:
       - main
     paths:
-      - "java/ql/src/utils/modelgenerator/**/*.*"
+      - "java/ql/src/utils/model-generator/**/*.*"
       - ".github/workflows/mad_modelDiff.yml"
 
 permissions:
@@ -40,12 +40,12 @@ jobs:
       - name: Download database
         env:
           SLUG: ${{ matrix.slug }}
-          GH_TOKEN: ${{ github.token }}
         run: |
           set -x
           mkdir lib-dbs
           SHORTNAME=${SLUG//[^a-zA-Z0-9_]/}
-          gh api -H "Accept: application/zip" "/repos/${SLUG}/code-scanning/codeql/databases/java" > "$SHORTNAME.zip"
+          projectId=`curl -s https://lgtm.com/api/v1.0/projects/g/${SLUG} | jq .id`
+          curl -L "https://lgtm.com/api/v1.0/snapshots/$projectId/java" -o "$SHORTNAME.zip"
           unzip -q -d "${SHORTNAME}-db" "${SHORTNAME}.zip"
           mkdir "lib-dbs/$SHORTNAME/"
           mv "${SHORTNAME}-db/"$(ls -1 "${SHORTNAME}"-db)/* "lib-dbs/${SHORTNAME}/"
@@ -61,7 +61,7 @@ jobs:
             DATABASE=$2
             cd codeql-$QL_VARIANT
             SHORTNAME=`basename $DATABASE`
-            python java/ql/src/utils/modelgenerator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE ${SHORTNAME}.temp.model.yml
+            python java/ql/src/utils/model-generator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE ${SHORTNAME}.temp.model.yml
             mv java/ql/lib/ext/generated/${SHORTNAME}.temp.model.yml $MODELS/${SHORTNAME}Generated_${QL_VARIANT}.model.yml
             cd ..
           }
@@ -100,6 +100,4 @@ jobs:
         with:
           name: diffs
           path: tmp-models/*.html
-          # An html file is only produced if the generated models differ.
-          if-no-files-found: ignore
           retention-days: 20

.github/workflows/mad_regenerate-models.yml

@@ -50,7 +50,7 @@ jobs:
           SLUG: ${{ matrix.slug }}
         run: |
           SHORTNAME=${SLUG//[^a-zA-Z0-9_]/}
-          java/ql/src/utils/modelgenerator/RegenerateModels.py "${SLUG}" dbs/${SHORTNAME}
+          java/ql/src/utils/model-generator/RegenerateModels.py "${SLUG}" dbs/${SHORTNAME}
       - name: Stage changes
         run: |
           find java -name "*.model.yml" -print0 | xargs -0 git add

.github/workflows/ql-for-ql-build.yml

@@ -27,7 +27,7 @@ jobs:
         uses: ./.github/actions/find-latest-bundle
       - name: Find codeql
         id: find-codeql
-        uses: github/codeql-action/init@45955cb1830b640e2c1603ad72ad542a49d47b96
+        uses: github/codeql-action/init@77a8d2d10c0b403a8b4aadbd223dc489ecd22683
         with:
           languages: javascript # does not matter
           tools: ${{ steps.find-latest-bundle.outputs.url }}
@@ -38,14 +38,12 @@ jobs:
         shell: bash
         env:
           CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
-      - uses: ./.github/actions/os-version
-        id: os_version
       - name: Cache entire pack
         id: cache-pack
         uses: actions/cache@v3
         with:
           path: ${{ runner.temp }}/pack
-          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-pack-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('ql/**/*.rs') }}-${{ hashFiles('ql/**/*.ql*') }}-${{ hashFiles('ql/**/qlpack.yml') }}-${{ hashFiles('ql/ql/src/ql.dbscheme*') }}-${{ steps.get-codeql-version.outputs.version }}--${{ hashFiles('.github/workflows/ql-for-ql-build.yml') }}
+          key: ${{ runner.os }}-pack-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('ql/**/*.rs') }}-${{ hashFiles('ql/**/*.ql*') }}-${{ hashFiles('ql/**/qlpack.yml') }}-${{ hashFiles('ql/ql/src/ql.dbscheme*') }}-${{ steps.get-codeql-version.outputs.version }}--${{ hashFiles('.github/workflows/ql-for-ql-build.yml') }}
       - name: Cache queries
         if: steps.cache-pack.outputs.cache-hit != 'true'
         id: cache-queries
@@ -79,7 +77,7 @@ jobs:
             ql/target/release/ql-autobuilder.exe
             ql/target/release/ql-extractor
             ql/target/release/ql-extractor.exe
-          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-extractor-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('ql/**/*.rs') }}
+          key: ${{ runner.os }}-extractor-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('ql/**/*.rs') }}
       - name: Cache cargo
         if: steps.cache-extractor.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
         uses: actions/cache@v3
@@ -88,7 +86,7 @@ jobs:
             ~/.cargo/registry
             ~/.cargo/git
             ql/target
-          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-rust-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
+          key: ${{ runner.os }}-rust-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
       - name: Check formatting
         if: steps.cache-extractor.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
         run: cd ql; cargo fmt --all -- --check
@@ -139,20 +137,20 @@ jobs:
         env:
           CONF: ./ql-for-ql-config.yml
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@45955cb1830b640e2c1603ad72ad542a49d47b96
+        uses: github/codeql-action/init@77a8d2d10c0b403a8b4aadbd223dc489ecd22683
         with:
           languages: ql
           db-location: ${{ runner.temp }}/db
           config-file: ./ql-for-ql-config.yml
           tools: ${{ steps.find-latest-bundle.outputs.url }}
-      - name: Move pack queries
+      - name: Move pack cache
         run: |
-          cp -r ${PACK}/queries ql/ql/src
+          cp -r ${PACK}/.cache ql/ql/src/.cache
         env:
           PACK: ${{ runner.temp }}/pack
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@45955cb1830b640e2c1603ad72ad542a49d47b96
+        uses: github/codeql-action/analyze@77a8d2d10c0b403a8b4aadbd223dc489ecd22683
         with:
           category: "ql-for-ql"
       - name: Copy sarif file to CWD
@@ -174,4 +172,4 @@ jobs:
         with:
           name: ql-for-ql-langs
           path: split-sarif
-          retention-days: 1
+          retention-days: 1

.github/workflows/ql-for-ql-dataset_measure.yml

@@ -25,18 +25,16 @@ jobs:
 
       - name: Find codeql
         id: find-codeql
-        uses: github/codeql-action/init@45955cb1830b640e2c1603ad72ad542a49d47b96
+        uses: github/codeql-action/init@77a8d2d10c0b403a8b4aadbd223dc489ecd22683
         with:
           languages: javascript # does not matter
-      - uses: ./.github/actions/os-version
-        id: os_version
       - uses: actions/cache@v3
         with:
           path: |
             ~/.cargo/registry
             ~/.cargo/git
             ql/target
-          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-qltest-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
+          key: ${{ runner.os }}-qltest-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
       - name: Build Extractor
         run: cd ql; env "PATH=$PATH:`dirname ${CODEQL}`" ./scripts/create-extractor-pack.sh
         env:

.github/workflows/ql-for-ql-tests.yml

@@ -20,86 +20,30 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - name: Find codeql
-        id: find-codeql
-        uses: github/codeql-action/init@45955cb1830b640e2c1603ad72ad542a49d47b96
-        with:
-          languages: javascript # does not matter
-      - uses: ./.github/actions/os-version
-        id: os_version
-      - uses: actions/cache@v3
-        with:
-          path: |
-            ~/.cargo/registry
-            ~/.cargo/git
-            ql/target
-          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-qltest-cargo-${{ hashFiles('ql/rust-toolchain.toml', 'ql/**/Cargo.lock') }}
-      - name: Build extractor
-        run: |
-          cd ql;
-          codeqlpath=$(dirname ${{ steps.find-codeql.outputs.codeql-path }});
-          env "PATH=$PATH:$codeqlpath" ./scripts/create-extractor-pack.sh
-      - name: Cache compilation cache
-        id: query-cache
-        uses: ./.github/actions/cache-query-compilation
-        with: 
-          key: ql-for-ql-tests
-      - name: Run QL tests
-        run: |
-          "${CODEQL}" test run --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --search-path "${{ github.workspace }}/ql/extractor-pack" --consistency-queries ql/ql/consistency-queries --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" ql/ql/test
-        env:
-          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
-
-  other-os: 
-    strategy:
-      matrix:
-        os: [macos-latest, windows-latest]
-    needs: [qltest]
-    runs-on: ${{ matrix.os }}
-    steps:
-      - uses: actions/checkout@v3
-      - name: Install GNU tar 
-        if: runner.os == 'macOS'
-        run: |
-          brew install gnu-tar
-          echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
       - name: Find codeql
         id: find-codeql
         uses: github/codeql-action/init@77a8d2d10c0b403a8b4aadbd223dc489ecd22683
         with:
           languages: javascript # does not matter
-      - uses: ./.github/actions/os-version
-        id: os_version
       - uses: actions/cache@v3
         with:
           path: |
             ~/.cargo/registry
             ~/.cargo/git
             ql/target
-          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-qltest-cargo-${{ hashFiles('ql/rust-toolchain.toml', 'ql/**/Cargo.lock') }}
+          key: ${{ runner.os }}-qltest-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
       - name: Build extractor
-        if: runner.os != 'Windows'
         run: |
           cd ql;
           codeqlpath=$(dirname ${{ steps.find-codeql.outputs.codeql-path }});
           env "PATH=$PATH:$codeqlpath" ./scripts/create-extractor-pack.sh
-      - name: Build extractor (Windows)
-        if: runner.os == 'Windows'
-        shell: pwsh
+      - name: Run QL tests
         run: |
-          cd ql;
-          $Env:PATH += ";$(dirname ${{ steps.find-codeql.outputs.codeql-path }})"
-          pwsh ./scripts/create-extractor-pack.ps1
-      - name: Run a single QL tests - Unix
-        if: runner.os != 'Windows'
-        run: |
-          "${CODEQL}" test run --check-databases --search-path "${{ github.workspace }}/ql/extractor-pack" ql/ql/test/queries/style/DeadCode/DeadCode.qlref
+          "${CODEQL}" test run --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --search-path "${{ github.workspace }}/ql/extractor-pack" --consistency-queries ql/ql/consistency-queries ql/ql/test
         env:
           CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
-      - name: Run a single QL tests - Windows
-        if: runner.os == 'Windows'
-        shell: pwsh
+      - name: Check QL formatting
         run: |
-          $Env:PATH += ";$(dirname ${{ steps.find-codeql.outputs.codeql-path }})"
-          codeql test run --check-databases --search-path "${{ github.workspace }}/ql/extractor-pack" ql/ql/test/queries/style/DeadCode/DeadCode.qlref
-      
+          find ql/ql/src "(" -name "*.ql" -or -name "*.qll" ")" -print0 | xargs -0 "${CODEQL}" query format --check-only
+        env:
+          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}

.github/workflows/ruby-build.yml

@@ -48,8 +48,6 @@ jobs:
         run: |
           brew install gnu-tar
           echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
-      - uses: ./.github/actions/os-version
-        id: os_version
       - name: Cache entire extractor
         uses: actions/cache@v3
         id: cache-extractor
@@ -60,7 +58,7 @@ jobs:
             ruby/target/release/ruby-extractor
             ruby/target/release/ruby-extractor.exe
             ruby/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
-          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-extractor-${{ hashFiles('ruby/rust-toolchain.toml', 'ruby/**/Cargo.lock') }}--${{ hashFiles('ruby/**/*.rs') }}
+          key: ${{ runner.os }}-ruby-extractor-${{ hashFiles('ruby/rust-toolchain.toml', 'ruby/**/Cargo.lock') }}--${{ hashFiles('ruby/**/*.rs') }}
       - uses: actions/cache@v3
         if: steps.cache-extractor.outputs.cache-hit != 'true'
         with:
@@ -68,7 +66,7 @@ jobs:
             ~/.cargo/registry
             ~/.cargo/git
             ruby/target
-          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-rust-cargo-${{ hashFiles('ruby/rust-toolchain.toml', 'ruby/**/Cargo.lock') }}
+          key: ${{ runner.os }}-ruby-rust-cargo-${{ hashFiles('ruby/rust-toolchain.toml', 'ruby/**/Cargo.lock') }}
       - name: Check formatting
         if: steps.cache-extractor.outputs.cache-hit != 'true'
         run: cargo fmt --all -- --check
@@ -117,10 +115,9 @@ jobs:
       - name: Build Query Pack
         run: |
           rm -rf target/packs
+          codeql pack create ../shared/ssa --output target/packs
           codeql pack create ../misc/suite-helpers --output target/packs
           codeql pack create ../shared/regex --output target/packs
-          codeql pack create ../shared/ssa --output target/packs
-          codeql pack create ../shared/tutorial --output target/packs
           codeql pack create ql/lib --output target/packs
           codeql pack create -j0 ql/src --output target/packs --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
           PACK_FOLDER=$(readlink -f target/packs/codeql/ruby-queries/*)
@@ -205,6 +202,11 @@ jobs:
       - name: Fetch CodeQL
         uses: ./.github/actions/fetch-codeql
 
+      - uses: actions/checkout@v3
+        with:
+          repository: Shopify/example-ruby-app
+          ref: 67a0decc5eb550f3a9228eda53925c3afd40dfe9
+
       - name: Download Ruby bundle
         uses: actions/download-artifact@v3
         with:
@@ -213,15 +215,26 @@ jobs:
       - name: Unzip Ruby bundle
         shell: bash
         run: unzip -q -d "${{ runner.temp }}/ruby-bundle" "${{ runner.temp }}/codeql-ruby-bundle.zip"
-
+      - name: Prepare test files
+        shell: bash
+        run: |
+          echo "import codeql.ruby.AST select count(File f)" > "test.ql"
+          echo "| 4 |" > "test.expected"
+          echo 'name: sample-tests
+          version: 0.0.0
+          dependencies:
+            codeql/ruby-all: "*"
+          extractor: ruby
+          tests: .
+          ' > qlpack.yml
       - name: Run QL test
         shell: bash
         run: |
-          codeql test run --search-path "${{ runner.temp }}/ruby-bundle" --additional-packs "${{ runner.temp }}/ruby-bundle" ruby/ql/test/library-tests/ast/constants/
+          codeql test run --search-path "${{ runner.temp }}/ruby-bundle" --additional-packs "${{ runner.temp }}/ruby-bundle" .
       - name: Create database
         shell: bash
         run: |
-          codeql database create --search-path "${{ runner.temp }}/ruby-bundle" --language ruby --source-root ruby/ql/test/library-tests/ast/constants/ ../database
+          codeql database create --search-path "${{ runner.temp }}/ruby-bundle" --language ruby --source-root . ../database
       - name: Analyze database
         shell: bash
         run: |

CONTRIBUTING.md

@@ -25,7 +25,6 @@ If you have an idea for a query that you would like to share with other CodeQL u
 
     Each language-specific directory contains further subdirectories that group queries based on their `@tags` or purpose.
     - Experimental queries and libraries are stored in the `experimental` subdirectory within each language-specific directory in the [CodeQL repository](https://github.com/github/codeql). For example, experimental Java queries and libraries are stored in `java/ql/src/experimental` and any corresponding tests in `java/ql/test/experimental`.
-    - Experimental queries need to include `experimental` in their `@tags`
     - The structure of an `experimental` subdirectory mirrors the structure of its parent directory.
     - Select or create an appropriate directory in `experimental` based on the existing directory structure of `experimental` or its parent directory.
 

README.md

@@ -10,8 +10,6 @@ There is [extensive documentation](https://codeql.github.com/docs/) on getting s
 
 We welcome contributions to our standard library and standard checks. Do you have an idea for a new check, or how to improve an existing query? Then please go ahead and open a pull request! Before you do, though, please take the time to read our [contributing guidelines](CONTRIBUTING.md). You can also consult our [style guides](https://github.com/github/codeql/tree/main/docs) to learn how to format your code for consistency and clarity, how to write query metadata, and how to write query help documentation for your query.
 
-For information on contributing to CodeQL documentation, see the "[contributing guide](docs/codeql/CONTRIBUTING.md)" for docs.
-
 ## License
 
 The code in this repository is licensed under the [MIT License](LICENSE) by [GitHub](https://github.com).

codeql-workspace.yml

@@ -8,16 +8,16 @@ provide:
   - "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml"
   - "go/ql/config/legacy-support/qlpack.yml"
   - "go/build/codeql-extractor-go/codeql-extractor.yml"
-  - "*/ql/experimental/adaptivethreatmodeling/lib/qlpack.yml"
+  - "javascript/ql/experimental/adaptivethreatmodeling/lib/qlpack.yml"
   # This pack is explicitly excluded from the workspace since most users
   # will want to use a version of this pack from the package cache. Internal
   # users can uncomment the following line and place a custom ML model
   # in the corresponding pack to test a custom ML model within their local
   # checkout.
-  - "*/ql/experimental/adaptivethreatmodeling/model/qlpack.yml"
-  - "*/ql/experimental/adaptivethreatmodeling/modelbuilding/qlpack.yml"
-  - "*/ql/experimental/adaptivethreatmodeling/src/qlpack.yml"
-  - "*/ql/experimental/adaptivethreatmodeling/test/qlpack.yml"
+  # - "javascript/ql/experimental/adaptivethreatmodeling/model/qlpack.yml"
+  - "javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/qlpack.yml"
+  - "javascript/ql/experimental/adaptivethreatmodeling/src/qlpack.yml"
+  - "javascript/ql/experimental/adaptivethreatmodeling/test/qlpack.yml"
   - "csharp/ql/campaigns/Solorigate/lib/qlpack.yml"
   - "csharp/ql/campaigns/Solorigate/src/qlpack.yml"
   - "csharp/ql/campaigns/Solorigate/test/qlpack.yml"

config/identical-files.json

@@ -29,7 +29,6 @@
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplForContentDataFlow.qll",
     "go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl.qll",
     "go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl2.qll",
-    "go/ql/lib/semmle/go/dataflow/internal/DataFlowImplForStringsNewReplacer.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll",
@@ -403,6 +402,16 @@
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/ControlFlowReachability.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ControlFlowReachability.qll"
   ],
+  "Inline Test Expectations": [
+    "cpp/ql/test/TestUtilities/InlineExpectationsTest.qll",
+    "csharp/ql/test/TestUtilities/InlineExpectationsTest.qll",
+    "java/ql/test/TestUtilities/InlineExpectationsTest.qll",
+    "python/ql/test/TestUtilities/InlineExpectationsTest.qll",
+    "ruby/ql/test/TestUtilities/InlineExpectationsTest.qll",
+    "ql/ql/test/TestUtilities/InlineExpectationsTest.qll",
+    "go/ql/test/TestUtilities/InlineExpectationsTest.qll",
+    "swift/ql/test/TestUtilities/InlineExpectationsTest.qll"
+  ],
   "C++ ExternalAPIs": [
     "cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll",
     "cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll"
@@ -496,6 +505,14 @@
     "python/ql/lib/semmle/python/dataflow/new/internal/TypeTracker.qll",
     "ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll"
   ],
+  "CodeQL Tutorial": [
+    "cpp/ql/lib/tutorial.qll",
+    "csharp/ql/lib/tutorial.qll",
+    "java/ql/lib/tutorial.qll",
+    "javascript/ql/lib/tutorial.qll",
+    "python/ql/lib/tutorial.qll",
+    "ruby/ql/lib/tutorial.qll"
+  ],
   "AccessPathSyntax": [
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/AccessPathSyntax.qll",
     "go/ql/lib/semmle/go/dataflow/internal/AccessPathSyntax.qll",
@@ -514,6 +531,11 @@
     "ruby/ql/lib/codeql/ruby/internal/ConceptsShared.qll",
     "javascript/ql/lib/semmle/javascript/internal/ConceptsShared.qll"
   ],
+  "Hostname Regexp queries": [
+    "javascript/ql/src/Security/CWE-020/HostnameRegexpShared.qll",
+    "python/ql/src/Security/CWE-020/HostnameRegexpShared.qll",
+    "ruby/ql/src/queries/security/cwe-020/HostnameRegexpShared.qll"
+  ],
   "ApiGraphModels": [
     "javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll",
     "ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll",

cpp/downgrades/23f7cbb88a4eb29f30c3490363dc201bc054c5ff/exprs.ql

@@ -13,5 +13,5 @@ predicate isExprWithNewBuiltin(Expr expr) {
 from Expr expr, int kind, int kind_new, Location location
 where
   exprs(expr, kind, location) and
-  if isExprWithNewBuiltin(expr) then kind_new = 1 else kind_new = kind
+  if isExprWithNewBuiltin(expr) then kind_new = 0 else kind_new = kind
 select expr, kind_new, location

cpp/downgrades/73af5058c6899dcdb05754c27ca966aeb3a68c94/exprs.ql

@@ -9,5 +9,5 @@ class Location extends @location_expr {
 from Expr expr, int kind, int kind_new, Location location
 where
   exprs(expr, kind, location) and
-  if expr instanceof @blockassignexpr then kind_new = 1 else kind_new = kind
+  if expr instanceof @blockassignexpr then kind_new = 0 else kind_new = kind
 select expr, kind_new, location

cpp/downgrades/a5bb28ed29f73855d64cc5f939cef977fa8fd19a/builtintypes.ql

@@ -1,11 +0,0 @@
-class BuiltinType extends @builtintype {
-  string toString() { none() }
-}
-
-from BuiltinType type, string name, int kind, int kind_new, int size, int sign, int alignment
-where
-  builtintypes(type, name, kind, size, sign, alignment) and
-  if type instanceof @float16 or type instanceof @complex_float16
-  then kind_new = 2
-  else kind_new = kind
-select type, name, kind_new, size, sign, alignment

cpp/downgrades/a5bb28ed29f73855d64cc5f939cef977fa8fd19a/upgrade.properties

@@ -1,3 +0,0 @@
-description: Introduce (_Complex) _Float16 type
-compatibility: backwards
-builtintypes.rel: run builtintypes.qlo

cpp/downgrades/ba86bebea4c7a8235c2fa0e220391fbd4446a087/upgrade.properties

@@ -1,2 +0,0 @@
-description: Uncomment case splits in dbscheme
-compatibility: full

cpp/ql/lib/CHANGELOG.md

@@ -1,32 +1,3 @@
-## 0.5.1
-
-No user-facing changes.
-
-## 0.5.0
-
-### Breaking Changes
-
-The predicates in the `MustFlow::Configuration` class used by the `MustFlow` library (`semmle.code.cpp.ir.dataflow.MustFlow`) have changed to be defined directly in terms of the C++ IR instead of IR dataflow nodes.
-
-### Deprecated APIs
-
-* Deprecated `semmle.code.cpp.ir.dataflow.DefaultTaintTracking`. Use `semmle.code.cpp.ir.dataflow.TaintTracking`.
-* Deprecated `semmle.code.cpp.security.TaintTrackingImpl`. Use `semmle.code.cpp.ir.dataflow.TaintTracking`.
-* Deprecated `semmle.code.cpp.valuenumbering.GlobalValueNumberingImpl`. Use `semmle.code.cpp.valuenumbering.GlobalValueNumbering`, which exposes the same API.
-
-### Minor Analysis Improvements
-
-* The `ArgvSource` flow source now uses the second parameter of `main` as its source instead of the uses of this parameter.
-* The `ArgvSource` flow source has been generalized to handle cases where the argument vector of `main` is not named `argv`.
-* The `getaddrinfo` function is now recognized as a flow source.
-* The `secure_getenv` and `_wgetenv` functions are now recognized as local flow sources.
-* The `scanf` and `fscanf` functions and their variants are now recognized as flow sources.
-* Deleted the deprecated `getName` and `getShortName` predicates from the `Folder` class.
-
-## 0.4.6
-
-No user-facing changes.
-
 ## 0.4.5
 
 No user-facing changes.

cpp/ql/lib/change-notes/2022-11-14-deprecate-ast-gvn.md

@@ -0,0 +1,6 @@
+---
+category: deprecated
+---
+
+
+* Deprecated `semmle.code.cpp.valuenumbering.GlobalValueNumberingImpl`. Use `semmle.code.cpp.valuenumbering.GlobalValueNumbering`, which exposes the same API.

cpp/ql/lib/change-notes/2022-11-16-must-flow.md

@@ -0,0 +1,4 @@
+---
+category: breaking
+---
+The predicates in the `MustFlow::Configuration` class used by the `MustFlow` library (`semmle.code.cpp.ir.dataflow.MustFlow`) have changed to be defined directly in terms of the C++ IR instead of IR dataflow nodes.

cpp/ql/lib/change-notes/2022-11-17-deleted-deps.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Deleted the deprecated `getName` and `getShortName` predicates from the `Folder` class.

cpp/ql/lib/change-notes/2022-11-25-deprecate-default-taint-tracking.md

@@ -0,0 +1,6 @@
+---
+category: deprecated
+---
+
+* Deprecated `semmle.code.cpp.ir.dataflow.DefaultTaintTracking`. Use `semmle.code.cpp.ir.dataflow.TaintTracking`.
+* Deprecated `semmle.code.cpp.security.TaintTrackingImpl`. Use `semmle.code.cpp.ir.dataflow.TaintTracking`.

cpp/ql/lib/change-notes/2022-12-08-support-getaddrinfo-dataflow.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `getaddrinfo` function is now recognized as a flow source.

cpp/ql/lib/change-notes/2022-12-08-support-getenv-variants.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `secure_getenv` and `_wgetenv` functions are now recognized as local flow sources.

cpp/ql/lib/change-notes/2022-12-08-support-scanf-dataflow.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `scanf` and `fscanf` functions and their variants are now recognized as flow sources.

cpp/ql/lib/change-notes/2022-12-09-generalize-argv-source.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `ArgvSource` flow source has been generalized to handle cases where the argument vector of `main` is not named `argv`.

cpp/ql/lib/change-notes/released/0.4.6.md

@@ -1,3 +0,0 @@
-## 0.4.6
-
-No user-facing changes.

cpp/ql/lib/change-notes/released/0.5.0.md

@@ -1,20 +0,0 @@
-## 0.5.0
-
-### Breaking Changes
-
-The predicates in the `MustFlow::Configuration` class used by the `MustFlow` library (`semmle.code.cpp.ir.dataflow.MustFlow`) have changed to be defined directly in terms of the C++ IR instead of IR dataflow nodes.
-
-### Deprecated APIs
-
-* Deprecated `semmle.code.cpp.ir.dataflow.DefaultTaintTracking`. Use `semmle.code.cpp.ir.dataflow.TaintTracking`.
-* Deprecated `semmle.code.cpp.security.TaintTrackingImpl`. Use `semmle.code.cpp.ir.dataflow.TaintTracking`.
-* Deprecated `semmle.code.cpp.valuenumbering.GlobalValueNumberingImpl`. Use `semmle.code.cpp.valuenumbering.GlobalValueNumbering`, which exposes the same API.
-
-### Minor Analysis Improvements
-
-* The `ArgvSource` flow source now uses the second parameter of `main` as its source instead of the uses of this parameter.
-* The `ArgvSource` flow source has been generalized to handle cases where the argument vector of `main` is not named `argv`.
-* The `getaddrinfo` function is now recognized as a flow source.
-* The `secure_getenv` and `_wgetenv` functions are now recognized as local flow sources.
-* The `scanf` and `fscanf` functions and their variants are now recognized as flow sources.
-* Deleted the deprecated `getName` and `getShortName` predicates from the `Folder` class.

cpp/ql/lib/change-notes/released/0.5.1.md

@@ -1,3 +0,0 @@
-## 0.5.1
-
-No user-facing changes.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.5.1
+lastReleaseVersion: 0.4.5

cpp/ql/lib/definitions.qll

@@ -123,13 +123,6 @@ private predicate constructorCallTypeMention(ConstructorCall cc, TypeMention tm)
   )
 }
 
-/** Holds if `loc` has the container `container` and is on the line starting at `startLine`. */
-pragma[nomagic]
-private predicate hasContainerAndStartLine(Location loc, Container container, int startLine) {
-  loc.getStartLine() = startLine and
-  loc.getContainer() = container
-}
-
 /**
  * Gets an element, of kind `kind`, that element `e` uses, if any.
  * Attention: This predicate yields multiple definitions for a single location.
@@ -166,9 +159,9 @@ Top definitionOf(Top e, string kind) {
     // Multiple type mentions can be generated when a typedef is used, and
     // in such cases we want to exclude all but the originating typedef.
     not exists(Type secondary |
-      exists(File f, int startline, int startcol |
+      exists(TypeMention tm, File f, int startline, int startcol |
         typeMentionStartLoc(e, result, f, startline, startcol) and
-        typeMentionStartLoc(_, secondary, f, startline, startcol) and
+        typeMentionStartLoc(tm, secondary, f, startline, startcol) and
         (
           result = secondary.(TypedefType).getBaseType() or
           result = secondary.(TypedefType).getBaseType().(SpecifiedType).getBaseType()
@@ -191,9 +184,11 @@ Top definitionOf(Top e, string kind) {
     kind = "I" and
     result = e.(Include).getIncludedFile() and
     // exclude `#include` directives containing macros
-    not exists(MacroInvocation mi, Container container, int startLine |
-      hasContainerAndStartLine(e.(Include).getLocation(), container, startLine) and
-      hasContainerAndStartLine(mi.getLocation(), container, startLine)
+    not exists(MacroInvocation mi, Location l1, Location l2 |
+      l1 = e.(Include).getLocation() and
+      l2 = mi.getLocation() and
+      l1.getContainer() = l2.getContainer() and
+      l1.getStartLine() = l2.getStartLine()
       // (an #include directive must be always on it's own line)
     )
   ) and

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll

@@ -622,11 +622,7 @@ private predicate parameterFlowThroughAllowed(ParamNodeEx p, ReturnKindExt kind)
 }
 
 private module Stage1 implements StageSig {
-  class Ap extends int {
-    // workaround for bad functionality-induced joins (happens when using `Unit`)
-    pragma[nomagic]
-    Ap() { this in [0 .. 1] and this < 1 }
-  }
+  class Ap = Unit;
 
   private class Cc = boolean;
 
@@ -876,9 +872,9 @@ private module Stage1 implements StageSig {
 
   pragma[nomagic]
   private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(NodeEx out |
+    exists(DataFlowCall call, NodeEx out |
       revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
     )
   }
 
@@ -1331,8 +1327,8 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, ApApprox apa, Configuration config
     ) {
       fwdFlow0(node, state, cc, summaryCtx, argAp, ap, apa, config) and
       PrevStage::revFlow(node, state, apa, config) and
@@ -1341,21 +1337,21 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[inline]
     additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, Configuration config
     ) {
       fwdFlow(node, state, cc, summaryCtx, argAp, ap, _, config)
     }
 
     pragma[nomagic]
     private predicate fwdFlow0(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, ApApprox apa, Configuration config
     ) {
       sourceNode(node, state, config) and
       (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
       argAp = apNone() and
-      summaryCtx = TParamNodeNone() and
+      summaryCtx = TParameterPositionNone() and
       ap = getApNil(node) and
       apa = getApprox(ap)
       or
@@ -1376,7 +1372,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, pragma[only_bind_into](state), _, _, _, ap, apa, pragma[only_bind_into](config)) and
         jumpStep(mid, node, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone()
       )
       or
@@ -1384,7 +1380,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, state, _, _, _, nil, pragma[only_bind_into](config)) and
         additionalJumpStep(mid, node, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone() and
         ap = getApNil(node) and
         apa = getApprox(ap)
@@ -1394,7 +1390,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, state0, _, _, _, nil, pragma[only_bind_into](config)) and
         additionalJumpStateStep(mid, state0, node, state, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone() and
         ap = getApNil(node) and
         apa = getApprox(ap)
@@ -1418,10 +1414,10 @@ private module MkStage<StageSig PrevStage> {
       fwdFlowIn(_, node, state, _, cc, _, _, ap, apa, config) and
       if PrevStage::parameterMayFlowThrough(node, apa, config)
       then (
-        summaryCtx = TParamNodeSome(node.asNode()) and
+        summaryCtx = TParameterPositionSome(node.(ParamNodeEx).getPosition()) and
         argAp = apSome(ap)
       ) else (
-        summaryCtx = TParamNodeNone() and argAp = apNone()
+        summaryCtx = TParameterPositionNone() and argAp = apNone()
       )
       or
       // flow out of a callable
@@ -1437,19 +1433,16 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(
-        DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow, ApApprox innerArgApa
-      |
-        fwdFlowThrough(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, innerArgApa, config) and
-        flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow, innerArgApa, apa, config) and
-        if allowsFieldFlow = false then ap instanceof ApNil else any()
+      exists(DataFlowCall call, ParameterPosition summaryCtx0, Ap argAp0 |
+        fwdFlowOutFromArg(call, node, state, summaryCtx0, argAp0, ap, apa, config) and
+        fwdFlowIsEntered(call, cc, summaryCtx, argAp, summaryCtx0, argAp0, config)
       )
     }
 
     pragma[nomagic]
     private predicate fwdFlowStore(
       NodeEx node1, Ap ap1, TypedContent tc, NodeEx node2, FlowState state, Cc cc,
-      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
     ) {
       exists(DataFlowType contentType, ApApprox apa1 |
         fwdFlow(node1, state, cc, summaryCtx, argAp, ap1, apa1, config) and
@@ -1480,31 +1473,27 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate fwdFlowRead0(
-      NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
-      Configuration config
+      NodeEx node1, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ApNonNil ap, Configuration config
     ) {
       fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, _, _, config)
     }
 
-    bindingset[ap, c]
-    pragma[inline_late]
-    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
-
     pragma[nomagic]
     private predicate fwdFlowRead(
       Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
-      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
     ) {
       fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, c, node2, config) and
-      hasHeadContent(ap, c)
+      getHeadContent(ap) = c
     }
 
     pragma[nomagic]
     private predicate fwdFlowIn(
       DataFlowCall call, ParamNodeEx p, FlowState state, Cc outercc, CcCall innercc,
-      ParamNodeOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
     ) {
       exists(ArgNodeEx arg, boolean allowsFieldFlow |
         fwdFlow(arg, state, outercc, summaryCtx, argAp, ap, apa, config) and
@@ -1516,38 +1505,64 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate fwdFlowRetFromArg(
-      RetNodeEx ret, FlowState state, CcCall ccc, ParamNodeEx summaryCtx, Ap argAp, ApApprox argApa,
-      Ap ap, ApApprox apa, Configuration config
+      RetNodeEx ret, FlowState state, CcCall ccc, ParameterPosition summaryCtx, ParamNodeEx p,
+      Ap argAp, ApApprox argApa, Ap ap, ApApprox apa, Configuration config
     ) {
-      exists(ReturnKindExt kind |
+      exists(DataFlowCallable c, ReturnKindExt kind |
         fwdFlow(pragma[only_bind_into](ret), state, ccc,
-          TParamNodeSome(pragma[only_bind_into](summaryCtx.asNode())),
-          pragma[only_bind_into](apSome(argAp)), ap, pragma[only_bind_into](apa),
-          pragma[only_bind_into](config)) and
+          TParameterPositionSome(pragma[only_bind_into](summaryCtx)), apSome(argAp), ap, apa, config) and
+        getApprox(argAp) = argApa and
+        c = ret.getEnclosingCallable() and
         kind = ret.getKind() and
-        parameterFlowThroughAllowed(summaryCtx, kind) and
-        argApa = getApprox(argAp) and
-        PrevStage::returnMayFlowThrough(ret, argApa, apa, kind, pragma[only_bind_into](config))
+        p.isParameterOf(c, pragma[only_bind_into](summaryCtx)) and
+        parameterFlowThroughAllowed(p, kind)
       )
     }
 
     pragma[inline]
-    private predicate fwdFlowThrough0(
-      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
-      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ParamNodeEx innerSummaryCtx,
-      Ap innerArgAp, ApApprox innerArgApa, Configuration config
+    private predicate fwdFlowInMayFlowThrough(
+      DataFlowCall call, Cc cc, CcCall innerCc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ParamNodeEx param, Ap ap, ApApprox apa, Configuration config
     ) {
-      fwdFlowRetFromArg(ret, state, ccc, innerSummaryCtx, innerArgAp, innerArgApa, ap, apa, config) and
-      fwdFlowIsEntered(call, cc, ccc, summaryCtx, argAp, innerSummaryCtx, innerArgAp, config)
+      fwdFlowIn(call, pragma[only_bind_into](param), _, cc, innerCc, summaryCtx, argAp, ap,
+        pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
+      PrevStage::parameterMayFlowThrough(param, apa, config)
+    }
+
+    // dedup before joining with `flowThroughOutOfCall`
+    pragma[nomagic]
+    private predicate fwdFlowInMayFlowThroughProj(
+      DataFlowCall call, CcCall innerCc, ApApprox apa, Configuration config
+    ) {
+      fwdFlowInMayFlowThrough(call, _, innerCc, _, _, _, _, apa, config)
+    }
+
+    /**
+     * Same as `flowThroughOutOfCall`, but restricted to calls that are reached
+     * in the flow covered by `fwdFlow`, where data might flow through the target
+     * callable and back out at `call`.
+     */
+    pragma[nomagic]
+    private predicate fwdFlowThroughOutOfCall(
+      DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+      ApApprox argApa, ApApprox apa, Configuration config
+    ) {
+      fwdFlowInMayFlowThroughProj(call, ccc, argApa, config) and
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config)
     }
 
     pragma[nomagic]
-    private predicate fwdFlowThrough(
-      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
-      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ApApprox innerArgApa, Configuration config
+    private predicate fwdFlowOutFromArg(
+      DataFlowCall call, NodeEx out, FlowState state, ParameterPosition summaryCtx, Ap argAp, Ap ap,
+      ApApprox apa, Configuration config
     ) {
-      fwdFlowThrough0(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, _, _, innerArgApa,
-        config)
+      exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc, ApApprox argApa |
+        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc),
+          summaryCtx, _, argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa),
+          config) and
+        fwdFlowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config) and
+        (if allowsFieldFlow = false then ap instanceof ApNil else any())
+      )
     }
 
     /**
@@ -1556,14 +1571,12 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     private predicate fwdFlowIsEntered(
-      DataFlowCall call, Cc cc, CcCall innerCc, ParamNodeOption summaryCtx, ApOption argAp,
-      ParamNodeEx p, Ap ap, Configuration config
+      DataFlowCall call, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ParameterPosition pos, Ap ap, Configuration config
     ) {
-      exists(ApApprox apa |
-        fwdFlowIn(call, pragma[only_bind_into](p), _, cc, innerCc, summaryCtx, argAp, ap,
-          pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
-        PrevStage::parameterMayFlowThrough(p, apa, config) and
-        PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config))
+      exists(ParamNodeEx param |
+        fwdFlowInMayFlowThrough(call, cc, _, summaryCtx, argAp, param, ap, _, config) and
+        pos = param.getPosition()
       )
     }
 
@@ -1583,31 +1596,23 @@ private module MkStage<StageSig PrevStage> {
       fwdFlowConsCand(ap1, c, ap2, config)
     }
 
-    pragma[nomagic]
-    private predicate returnFlowsThrough0(
-      DataFlowCall call, FlowState state, CcCall ccc, Ap ap, ApApprox apa, RetNodeEx ret,
-      ParamNodeEx innerSummaryCtx, Ap innerArgAp, ApApprox innerArgApa, Configuration config
-    ) {
-      fwdFlowThrough0(call, _, state, ccc, _, _, ap, apa, ret, innerSummaryCtx, innerArgAp,
-        innerArgApa, config)
-    }
-
     pragma[nomagic]
     private predicate returnFlowsThrough(
-      RetNodeEx ret, ReturnPosition pos, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
+      RetNodeEx ret, ReturnKindExt kind, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
       Ap ap, Configuration config
     ) {
-      exists(DataFlowCall call, ApApprox apa, boolean allowsFieldFlow, ApApprox innerArgApa |
-        returnFlowsThrough0(call, state, ccc, ap, apa, ret, p, argAp, innerArgApa, config) and
-        flowThroughOutOfCall(call, ccc, ret, _, allowsFieldFlow, innerArgApa, apa, config) and
-        pos = ret.getReturnPosition() and
-        if allowsFieldFlow = false then ap instanceof ApNil else any()
+      exists(boolean allowsFieldFlow, ApApprox argApa, ApApprox apa |
+        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc), _, p,
+          argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa), config) and
+        kind = ret.getKind() and
+        fwdFlowThroughOutOfCall(_, ccc, ret, _, allowsFieldFlow, argApa, apa, config) and
+        (if allowsFieldFlow = false then ap instanceof ApNil else any())
       )
     }
 
     pragma[nomagic]
     private predicate flowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp, Ap ap,
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
       Configuration config
     ) {
       exists(ApApprox argApa |
@@ -1615,7 +1620,7 @@ private module MkStage<StageSig PrevStage> {
           allowsFieldFlow, argApa, pragma[only_bind_into](config)) and
         fwdFlow(arg, _, _, _, _, pragma[only_bind_into](argAp), argApa,
           pragma[only_bind_into](config)) and
-        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), ap,
+        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), _,
           pragma[only_bind_into](config)) and
         if allowsFieldFlow = false then argAp instanceof ApNil else any()
       )
@@ -1634,13 +1639,12 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate flowOutOfCallAp(
-      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, NodeEx out, boolean allowsFieldFlow,
+      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, NodeEx out, boolean allowsFieldFlow,
       Ap ap, Configuration config
     ) {
       exists(ApApprox apa |
-        flowOutOfCallApa(call, ret, _, out, allowsFieldFlow, apa, config) and
-        fwdFlow(ret, _, _, _, _, ap, apa, config) and
-        pos = ret.getReturnPosition()
+        flowOutOfCallApa(call, ret, kind, out, allowsFieldFlow, apa, config) and
+        fwdFlow(ret, _, _, _, _, ap, apa, config)
       )
     }
 
@@ -1735,17 +1739,17 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
-        flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
+      exists(DataFlowCall call, ReturnKindExt returnKind0, Ap returnAp0 |
+        revFlowInToReturn(call, node, state, returnKind0, returnAp0, ap, config) and
+        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
       )
       or
       // flow out of a callable
-      exists(ReturnPosition pos |
-        revFlowOut(_, node, pos, state, _, _, ap, config) and
-        if returnFlowsThrough(node, pos, state, _, _, _, ap, config)
+      exists(ReturnKindExt kind |
+        revFlowOut(_, node, kind, state, _, _, ap, config) and
+        if returnFlowsThrough(node, kind, state, _, _, _, ap, config)
         then (
-          returnCtx = TReturnCtxMaybeFlowThrough(pos) and
+          returnCtx = TReturnCtxMaybeFlowThrough(kind) and
           returnAp = apSome(ap)
         ) else (
           returnCtx = TReturnCtxNoFlowThrough() and returnAp = apNone()
@@ -1778,33 +1782,47 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate revFlowOut(
-      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, FlowState state, ReturnCtx returnCtx,
+      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, FlowState state, ReturnCtx returnCtx,
       ApOption returnAp, Ap ap, Configuration config
     ) {
       exists(NodeEx out, boolean allowsFieldFlow |
         revFlow(out, state, returnCtx, returnAp, ap, config) and
-        flowOutOfCallAp(call, ret, pos, out, allowsFieldFlow, ap, config) and
+        flowOutOfCallAp(call, ret, kind, out, allowsFieldFlow, ap, config) and
         if allowsFieldFlow = false then ap instanceof ApNil else any()
       )
     }
 
+    /**
+     * Same as `flowThroughIntoCall`, but restricted to calls that are reached
+     * in the flow covered by `revFlow`, where data might flow through the target
+     * callable and back out at `call`.
+     */
     pragma[nomagic]
-    private predicate revFlowParamToReturn(
-      ParamNodeEx p, FlowState state, ReturnPosition pos, Ap returnAp, Ap ap, Configuration config
+    private predicate revFlowThroughIntoCall(
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
+      Configuration config
     ) {
-      revFlow(pragma[only_bind_into](p), state, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp),
-        pragma[only_bind_into](ap), pragma[only_bind_into](config)) and
-      parameterFlowThroughAllowed(p, pos.getKind()) and
-      PrevStage::parameterMayFlowThrough(p, getApprox(ap), config)
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, argAp, config) and
+      revFlowIsReturned(call, _, _, _, _, config)
     }
 
     pragma[nomagic]
-    private predicate revFlowThrough(
-      DataFlowCall call, ReturnCtx returnCtx, ParamNodeEx p, FlowState state, ReturnPosition pos,
-      ApOption returnAp, Ap ap, Ap innerReturnAp, Configuration config
+    private predicate revFlowParamToReturn(
+      ParamNodeEx p, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap, Configuration config
     ) {
-      revFlowParamToReturn(p, state, pos, innerReturnAp, ap, config) and
-      revFlowIsReturned(call, returnCtx, returnAp, pos, innerReturnAp, config)
+      revFlow(p, state, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, kind)
+    }
+
+    pragma[nomagic]
+    private predicate revFlowInToReturn(
+      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap,
+      Configuration config
+    ) {
+      exists(ParamNodeEx p, boolean allowsFieldFlow |
+        revFlowParamToReturn(p, state, kind, returnAp, ap, config) and
+        revFlowThroughIntoCall(call, arg, p, allowsFieldFlow, ap, config)
+      )
     }
 
     /**
@@ -1814,12 +1832,12 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     private predicate revFlowIsReturned(
-      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnPosition pos, Ap ap,
+      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnKindExt kind, Ap ap,
       Configuration config
     ) {
       exists(RetNodeEx ret, FlowState state, CcCall ccc |
-        revFlowOut(call, ret, pos, state, returnCtx, returnAp, ap, config) and
-        returnFlowsThrough(ret, pos, state, ccc, _, _, ap, config) and
+        revFlowOut(call, ret, kind, state, returnCtx, returnAp, ap, config) and
+        returnFlowsThrough(ret, kind, state, ccc, _, _, ap, config) and
         matchesCall(ccc, call)
       )
     }
@@ -1897,17 +1915,17 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate parameterFlowsThroughRev(
-      ParamNodeEx p, Ap ap, ReturnPosition pos, Ap returnAp, Configuration config
+      ParamNodeEx p, Ap ap, ReturnKindExt kind, Ap returnAp, Configuration config
     ) {
-      revFlow(p, _, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, pos.getKind())
+      revFlow(p, _, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, kind)
     }
 
     pragma[nomagic]
     predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(ReturnPosition pos |
-        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
-        parameterFlowsThroughRev(p, ap, pos, _, config)
+      exists(RetNodeEx ret, ReturnKindExt kind |
+        returnFlowsThrough(ret, kind, _, _, p, ap, _, config) and
+        parameterFlowsThroughRev(p, ap, kind, _, config)
       )
     }
 
@@ -1915,21 +1933,20 @@ private module MkStage<StageSig PrevStage> {
     predicate returnMayFlowThrough(
       RetNodeEx ret, Ap argAp, Ap ap, ReturnKindExt kind, Configuration config
     ) {
-      exists(ParamNodeEx p, ReturnPosition pos |
-        returnFlowsThrough(ret, pos, _, _, p, argAp, ap, config) and
-        parameterFlowsThroughRev(p, argAp, pos, ap, config) and
-        kind = pos.getKind()
+      exists(ParamNodeEx p |
+        returnFlowsThrough(ret, kind, _, _, p, argAp, ap, config) and
+        parameterFlowsThroughRev(p, argAp, kind, ap, config)
       )
     }
 
     pragma[nomagic]
-    private predicate revFlowThroughArg(
+    predicate revFlowInToReturnIsReturned(
       DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
       Ap ap, Configuration config
     ) {
-      exists(ParamNodeEx p, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
-        flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
+      exists(ReturnKindExt returnKind0, Ap returnAp0 |
+        revFlowInToReturn(call, arg, state, returnKind0, returnAp0, ap, config) and
+        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
       )
     }
 
@@ -1937,7 +1954,7 @@ private module MkStage<StageSig PrevStage> {
     predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
       exists(ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap |
         revFlow(arg, state, returnCtx, returnAp, ap, config) and
-        revFlowThroughArg(call, arg, state, returnCtx, returnAp, ap, config)
+        revFlowInToReturnIsReturned(call, arg, state, returnCtx, returnAp, ap, config)
       )
     }
 
@@ -1950,9 +1967,8 @@ private module MkStage<StageSig PrevStage> {
       conscand = count(TypedContent f0, Ap ap | fwdConsCand(f0, ap, config)) and
       states = count(FlowState state | fwdFlow(_, state, _, _, _, _, config)) and
       tuples =
-        count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap |
-          fwdFlow(n, state, cc, summaryCtx, argAp, ap, config)
-        )
+        count(NodeEx n, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+          Ap ap | fwdFlow(n, state, cc, summaryCtx, argAp, ap, config))
       or
       fwd = false and
       nodes = count(NodeEx node | revFlow(node, _, _, _, _, config)) and
@@ -2807,12 +2823,13 @@ private Configuration unbindConf(Configuration conf) {
 
 pragma[nomagic]
 private predicate nodeMayUseSummary0(
-  NodeEx n, ParamNodeEx p, FlowState state, AccessPathApprox apa, Configuration config
+  NodeEx n, DataFlowCallable c, ParameterPosition pos, FlowState state, AccessPathApprox apa,
+  Configuration config
 ) {
   exists(AccessPathApprox apa0 |
-    Stage5::parameterMayFlowThrough(p, _, _) and
+    c = n.getEnclosingCallable() and
     Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0, config) and
-    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()),
+    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParameterPositionSome(pos),
       TAccessPathApproxSome(apa), apa0, config)
   )
 }
@@ -2821,9 +2838,10 @@ pragma[nomagic]
 private predicate nodeMayUseSummary(
   NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParamNodeEx p |
+  exists(DataFlowCallable c, ParameterPosition pos, ParamNodeEx p |
     Stage5::parameterMayFlowThrough(p, apa, config) and
-    nodeMayUseSummary0(n, p, state, apa, config)
+    nodeMayUseSummary0(n, c, pos, state, apa, config) and
+    p.isParameterOf(c, pos)
   )
 }
 
@@ -3753,8 +3771,8 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
   AccessPathApprox apa, Configuration config
 ) {
-  exists(RetNodeEx ret |
-    pathNode(_, ret, state, cc, sc, ap, config, _) and
+  exists(PathNodeMid mid, RetNodeEx ret |
+    pathNode(mid, ret, state, cc, sc, ap, config, _) and
     kind = ret.getKind() and
     apa = ap.getApprox() and
     parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4216,15 +4234,17 @@ private module FlowExploration {
       ap = TRevPartialNil() and
       exists(config.explorationLimit())
       or
-      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
-      not clearsContentEx(node, ap.getHead()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead())
-      ) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
+      exists(PartialPathNodeRev mid |
+        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
+        not clearsContentEx(node, ap.getHead()) and
+        (
+          notExpectsContent(node) or
+          expectsContentEx(node, ap.getHead())
+        ) and
+        not fullBarrier(node, config) and
+        not stateBarrier(node, state, config) and
+        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
+      )
     }
 
   pragma[nomagic]
@@ -4232,17 +4252,19 @@ private module FlowExploration {
     NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
   ) {
-    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
-    not fullBarrier(node, config) and
-    not stateBarrier(node, state, config) and
-    not clearsContentEx(node, ap.getHead().getContent()) and
-    (
-      notExpectsContent(node) or
-      expectsContentEx(node, ap.getHead().getContent())
-    ) and
-    if node.asNode() instanceof CastingNode
-    then compatibleTypes(node.getDataFlowType(), ap.getType())
-    else any()
+    exists(PartialPathNodeFwd mid |
+      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      not clearsContentEx(node, ap.getHead().getContent()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead().getContent())
+      ) and
+      if node.asNode() instanceof CastingNode
+      then compatibleTypes(node.getDataFlowType(), ap.getType())
+      else any()
+    )
   }
 
   /**

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -622,11 +622,7 @@ private predicate parameterFlowThroughAllowed(ParamNodeEx p, ReturnKindExt kind)
 }
 
 private module Stage1 implements StageSig {
-  class Ap extends int {
-    // workaround for bad functionality-induced joins (happens when using `Unit`)
-    pragma[nomagic]
-    Ap() { this in [0 .. 1] and this < 1 }
-  }
+  class Ap = Unit;
 
   private class Cc = boolean;
 
@@ -876,9 +872,9 @@ private module Stage1 implements StageSig {
 
   pragma[nomagic]
   private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(NodeEx out |
+    exists(DataFlowCall call, NodeEx out |
       revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
     )
   }
 
@@ -1331,8 +1327,8 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, ApApprox apa, Configuration config
     ) {
       fwdFlow0(node, state, cc, summaryCtx, argAp, ap, apa, config) and
       PrevStage::revFlow(node, state, apa, config) and
@@ -1341,21 +1337,21 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[inline]
     additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, Configuration config
     ) {
       fwdFlow(node, state, cc, summaryCtx, argAp, ap, _, config)
     }
 
     pragma[nomagic]
     private predicate fwdFlow0(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, ApApprox apa, Configuration config
     ) {
       sourceNode(node, state, config) and
       (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
       argAp = apNone() and
-      summaryCtx = TParamNodeNone() and
+      summaryCtx = TParameterPositionNone() and
       ap = getApNil(node) and
       apa = getApprox(ap)
       or
@@ -1376,7 +1372,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, pragma[only_bind_into](state), _, _, _, ap, apa, pragma[only_bind_into](config)) and
         jumpStep(mid, node, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone()
       )
       or
@@ -1384,7 +1380,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, state, _, _, _, nil, pragma[only_bind_into](config)) and
         additionalJumpStep(mid, node, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone() and
         ap = getApNil(node) and
         apa = getApprox(ap)
@@ -1394,7 +1390,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, state0, _, _, _, nil, pragma[only_bind_into](config)) and
         additionalJumpStateStep(mid, state0, node, state, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone() and
         ap = getApNil(node) and
         apa = getApprox(ap)
@@ -1418,10 +1414,10 @@ private module MkStage<StageSig PrevStage> {
       fwdFlowIn(_, node, state, _, cc, _, _, ap, apa, config) and
       if PrevStage::parameterMayFlowThrough(node, apa, config)
       then (
-        summaryCtx = TParamNodeSome(node.asNode()) and
+        summaryCtx = TParameterPositionSome(node.(ParamNodeEx).getPosition()) and
         argAp = apSome(ap)
       ) else (
-        summaryCtx = TParamNodeNone() and argAp = apNone()
+        summaryCtx = TParameterPositionNone() and argAp = apNone()
       )
       or
       // flow out of a callable
@@ -1437,19 +1433,16 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(
-        DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow, ApApprox innerArgApa
-      |
-        fwdFlowThrough(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, innerArgApa, config) and
-        flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow, innerArgApa, apa, config) and
-        if allowsFieldFlow = false then ap instanceof ApNil else any()
+      exists(DataFlowCall call, ParameterPosition summaryCtx0, Ap argAp0 |
+        fwdFlowOutFromArg(call, node, state, summaryCtx0, argAp0, ap, apa, config) and
+        fwdFlowIsEntered(call, cc, summaryCtx, argAp, summaryCtx0, argAp0, config)
       )
     }
 
     pragma[nomagic]
     private predicate fwdFlowStore(
       NodeEx node1, Ap ap1, TypedContent tc, NodeEx node2, FlowState state, Cc cc,
-      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
     ) {
       exists(DataFlowType contentType, ApApprox apa1 |
         fwdFlow(node1, state, cc, summaryCtx, argAp, ap1, apa1, config) and
@@ -1480,31 +1473,27 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate fwdFlowRead0(
-      NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
-      Configuration config
+      NodeEx node1, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ApNonNil ap, Configuration config
     ) {
       fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, _, _, config)
     }
 
-    bindingset[ap, c]
-    pragma[inline_late]
-    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
-
     pragma[nomagic]
     private predicate fwdFlowRead(
       Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
-      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
     ) {
       fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, c, node2, config) and
-      hasHeadContent(ap, c)
+      getHeadContent(ap) = c
     }
 
     pragma[nomagic]
     private predicate fwdFlowIn(
       DataFlowCall call, ParamNodeEx p, FlowState state, Cc outercc, CcCall innercc,
-      ParamNodeOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
     ) {
       exists(ArgNodeEx arg, boolean allowsFieldFlow |
         fwdFlow(arg, state, outercc, summaryCtx, argAp, ap, apa, config) and
@@ -1516,38 +1505,64 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate fwdFlowRetFromArg(
-      RetNodeEx ret, FlowState state, CcCall ccc, ParamNodeEx summaryCtx, Ap argAp, ApApprox argApa,
-      Ap ap, ApApprox apa, Configuration config
+      RetNodeEx ret, FlowState state, CcCall ccc, ParameterPosition summaryCtx, ParamNodeEx p,
+      Ap argAp, ApApprox argApa, Ap ap, ApApprox apa, Configuration config
     ) {
-      exists(ReturnKindExt kind |
+      exists(DataFlowCallable c, ReturnKindExt kind |
         fwdFlow(pragma[only_bind_into](ret), state, ccc,
-          TParamNodeSome(pragma[only_bind_into](summaryCtx.asNode())),
-          pragma[only_bind_into](apSome(argAp)), ap, pragma[only_bind_into](apa),
-          pragma[only_bind_into](config)) and
+          TParameterPositionSome(pragma[only_bind_into](summaryCtx)), apSome(argAp), ap, apa, config) and
+        getApprox(argAp) = argApa and
+        c = ret.getEnclosingCallable() and
         kind = ret.getKind() and
-        parameterFlowThroughAllowed(summaryCtx, kind) and
-        argApa = getApprox(argAp) and
-        PrevStage::returnMayFlowThrough(ret, argApa, apa, kind, pragma[only_bind_into](config))
+        p.isParameterOf(c, pragma[only_bind_into](summaryCtx)) and
+        parameterFlowThroughAllowed(p, kind)
       )
     }
 
     pragma[inline]
-    private predicate fwdFlowThrough0(
-      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
-      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ParamNodeEx innerSummaryCtx,
-      Ap innerArgAp, ApApprox innerArgApa, Configuration config
+    private predicate fwdFlowInMayFlowThrough(
+      DataFlowCall call, Cc cc, CcCall innerCc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ParamNodeEx param, Ap ap, ApApprox apa, Configuration config
     ) {
-      fwdFlowRetFromArg(ret, state, ccc, innerSummaryCtx, innerArgAp, innerArgApa, ap, apa, config) and
-      fwdFlowIsEntered(call, cc, ccc, summaryCtx, argAp, innerSummaryCtx, innerArgAp, config)
+      fwdFlowIn(call, pragma[only_bind_into](param), _, cc, innerCc, summaryCtx, argAp, ap,
+        pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
+      PrevStage::parameterMayFlowThrough(param, apa, config)
+    }
+
+    // dedup before joining with `flowThroughOutOfCall`
+    pragma[nomagic]
+    private predicate fwdFlowInMayFlowThroughProj(
+      DataFlowCall call, CcCall innerCc, ApApprox apa, Configuration config
+    ) {
+      fwdFlowInMayFlowThrough(call, _, innerCc, _, _, _, _, apa, config)
+    }
+
+    /**
+     * Same as `flowThroughOutOfCall`, but restricted to calls that are reached
+     * in the flow covered by `fwdFlow`, where data might flow through the target
+     * callable and back out at `call`.
+     */
+    pragma[nomagic]
+    private predicate fwdFlowThroughOutOfCall(
+      DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+      ApApprox argApa, ApApprox apa, Configuration config
+    ) {
+      fwdFlowInMayFlowThroughProj(call, ccc, argApa, config) and
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config)
     }
 
     pragma[nomagic]
-    private predicate fwdFlowThrough(
-      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
-      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ApApprox innerArgApa, Configuration config
+    private predicate fwdFlowOutFromArg(
+      DataFlowCall call, NodeEx out, FlowState state, ParameterPosition summaryCtx, Ap argAp, Ap ap,
+      ApApprox apa, Configuration config
     ) {
-      fwdFlowThrough0(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, _, _, innerArgApa,
-        config)
+      exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc, ApApprox argApa |
+        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc),
+          summaryCtx, _, argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa),
+          config) and
+        fwdFlowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config) and
+        (if allowsFieldFlow = false then ap instanceof ApNil else any())
+      )
     }
 
     /**
@@ -1556,14 +1571,12 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     private predicate fwdFlowIsEntered(
-      DataFlowCall call, Cc cc, CcCall innerCc, ParamNodeOption summaryCtx, ApOption argAp,
-      ParamNodeEx p, Ap ap, Configuration config
+      DataFlowCall call, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ParameterPosition pos, Ap ap, Configuration config
     ) {
-      exists(ApApprox apa |
-        fwdFlowIn(call, pragma[only_bind_into](p), _, cc, innerCc, summaryCtx, argAp, ap,
-          pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
-        PrevStage::parameterMayFlowThrough(p, apa, config) and
-        PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config))
+      exists(ParamNodeEx param |
+        fwdFlowInMayFlowThrough(call, cc, _, summaryCtx, argAp, param, ap, _, config) and
+        pos = param.getPosition()
       )
     }
 
@@ -1583,31 +1596,23 @@ private module MkStage<StageSig PrevStage> {
       fwdFlowConsCand(ap1, c, ap2, config)
     }
 
-    pragma[nomagic]
-    private predicate returnFlowsThrough0(
-      DataFlowCall call, FlowState state, CcCall ccc, Ap ap, ApApprox apa, RetNodeEx ret,
-      ParamNodeEx innerSummaryCtx, Ap innerArgAp, ApApprox innerArgApa, Configuration config
-    ) {
-      fwdFlowThrough0(call, _, state, ccc, _, _, ap, apa, ret, innerSummaryCtx, innerArgAp,
-        innerArgApa, config)
-    }
-
     pragma[nomagic]
     private predicate returnFlowsThrough(
-      RetNodeEx ret, ReturnPosition pos, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
+      RetNodeEx ret, ReturnKindExt kind, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
       Ap ap, Configuration config
     ) {
-      exists(DataFlowCall call, ApApprox apa, boolean allowsFieldFlow, ApApprox innerArgApa |
-        returnFlowsThrough0(call, state, ccc, ap, apa, ret, p, argAp, innerArgApa, config) and
-        flowThroughOutOfCall(call, ccc, ret, _, allowsFieldFlow, innerArgApa, apa, config) and
-        pos = ret.getReturnPosition() and
-        if allowsFieldFlow = false then ap instanceof ApNil else any()
+      exists(boolean allowsFieldFlow, ApApprox argApa, ApApprox apa |
+        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc), _, p,
+          argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa), config) and
+        kind = ret.getKind() and
+        fwdFlowThroughOutOfCall(_, ccc, ret, _, allowsFieldFlow, argApa, apa, config) and
+        (if allowsFieldFlow = false then ap instanceof ApNil else any())
       )
     }
 
     pragma[nomagic]
     private predicate flowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp, Ap ap,
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
       Configuration config
     ) {
       exists(ApApprox argApa |
@@ -1615,7 +1620,7 @@ private module MkStage<StageSig PrevStage> {
           allowsFieldFlow, argApa, pragma[only_bind_into](config)) and
         fwdFlow(arg, _, _, _, _, pragma[only_bind_into](argAp), argApa,
           pragma[only_bind_into](config)) and
-        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), ap,
+        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), _,
           pragma[only_bind_into](config)) and
         if allowsFieldFlow = false then argAp instanceof ApNil else any()
       )
@@ -1634,13 +1639,12 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate flowOutOfCallAp(
-      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, NodeEx out, boolean allowsFieldFlow,
+      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, NodeEx out, boolean allowsFieldFlow,
       Ap ap, Configuration config
     ) {
       exists(ApApprox apa |
-        flowOutOfCallApa(call, ret, _, out, allowsFieldFlow, apa, config) and
-        fwdFlow(ret, _, _, _, _, ap, apa, config) and
-        pos = ret.getReturnPosition()
+        flowOutOfCallApa(call, ret, kind, out, allowsFieldFlow, apa, config) and
+        fwdFlow(ret, _, _, _, _, ap, apa, config)
       )
     }
 
@@ -1735,17 +1739,17 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
-        flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
+      exists(DataFlowCall call, ReturnKindExt returnKind0, Ap returnAp0 |
+        revFlowInToReturn(call, node, state, returnKind0, returnAp0, ap, config) and
+        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
       )
       or
       // flow out of a callable
-      exists(ReturnPosition pos |
-        revFlowOut(_, node, pos, state, _, _, ap, config) and
-        if returnFlowsThrough(node, pos, state, _, _, _, ap, config)
+      exists(ReturnKindExt kind |
+        revFlowOut(_, node, kind, state, _, _, ap, config) and
+        if returnFlowsThrough(node, kind, state, _, _, _, ap, config)
         then (
-          returnCtx = TReturnCtxMaybeFlowThrough(pos) and
+          returnCtx = TReturnCtxMaybeFlowThrough(kind) and
           returnAp = apSome(ap)
         ) else (
           returnCtx = TReturnCtxNoFlowThrough() and returnAp = apNone()
@@ -1778,33 +1782,47 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate revFlowOut(
-      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, FlowState state, ReturnCtx returnCtx,
+      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, FlowState state, ReturnCtx returnCtx,
       ApOption returnAp, Ap ap, Configuration config
     ) {
       exists(NodeEx out, boolean allowsFieldFlow |
         revFlow(out, state, returnCtx, returnAp, ap, config) and
-        flowOutOfCallAp(call, ret, pos, out, allowsFieldFlow, ap, config) and
+        flowOutOfCallAp(call, ret, kind, out, allowsFieldFlow, ap, config) and
         if allowsFieldFlow = false then ap instanceof ApNil else any()
       )
     }
 
+    /**
+     * Same as `flowThroughIntoCall`, but restricted to calls that are reached
+     * in the flow covered by `revFlow`, where data might flow through the target
+     * callable and back out at `call`.
+     */
     pragma[nomagic]
-    private predicate revFlowParamToReturn(
-      ParamNodeEx p, FlowState state, ReturnPosition pos, Ap returnAp, Ap ap, Configuration config
+    private predicate revFlowThroughIntoCall(
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
+      Configuration config
     ) {
-      revFlow(pragma[only_bind_into](p), state, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp),
-        pragma[only_bind_into](ap), pragma[only_bind_into](config)) and
-      parameterFlowThroughAllowed(p, pos.getKind()) and
-      PrevStage::parameterMayFlowThrough(p, getApprox(ap), config)
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, argAp, config) and
+      revFlowIsReturned(call, _, _, _, _, config)
     }
 
     pragma[nomagic]
-    private predicate revFlowThrough(
-      DataFlowCall call, ReturnCtx returnCtx, ParamNodeEx p, FlowState state, ReturnPosition pos,
-      ApOption returnAp, Ap ap, Ap innerReturnAp, Configuration config
+    private predicate revFlowParamToReturn(
+      ParamNodeEx p, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap, Configuration config
     ) {
-      revFlowParamToReturn(p, state, pos, innerReturnAp, ap, config) and
-      revFlowIsReturned(call, returnCtx, returnAp, pos, innerReturnAp, config)
+      revFlow(p, state, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, kind)
+    }
+
+    pragma[nomagic]
+    private predicate revFlowInToReturn(
+      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap,
+      Configuration config
+    ) {
+      exists(ParamNodeEx p, boolean allowsFieldFlow |
+        revFlowParamToReturn(p, state, kind, returnAp, ap, config) and
+        revFlowThroughIntoCall(call, arg, p, allowsFieldFlow, ap, config)
+      )
     }
 
     /**
@@ -1814,12 +1832,12 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     private predicate revFlowIsReturned(
-      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnPosition pos, Ap ap,
+      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnKindExt kind, Ap ap,
       Configuration config
     ) {
       exists(RetNodeEx ret, FlowState state, CcCall ccc |
-        revFlowOut(call, ret, pos, state, returnCtx, returnAp, ap, config) and
-        returnFlowsThrough(ret, pos, state, ccc, _, _, ap, config) and
+        revFlowOut(call, ret, kind, state, returnCtx, returnAp, ap, config) and
+        returnFlowsThrough(ret, kind, state, ccc, _, _, ap, config) and
         matchesCall(ccc, call)
       )
     }
@@ -1897,17 +1915,17 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate parameterFlowsThroughRev(
-      ParamNodeEx p, Ap ap, ReturnPosition pos, Ap returnAp, Configuration config
+      ParamNodeEx p, Ap ap, ReturnKindExt kind, Ap returnAp, Configuration config
     ) {
-      revFlow(p, _, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, pos.getKind())
+      revFlow(p, _, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, kind)
     }
 
     pragma[nomagic]
     predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(ReturnPosition pos |
-        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
-        parameterFlowsThroughRev(p, ap, pos, _, config)
+      exists(RetNodeEx ret, ReturnKindExt kind |
+        returnFlowsThrough(ret, kind, _, _, p, ap, _, config) and
+        parameterFlowsThroughRev(p, ap, kind, _, config)
       )
     }
 
@@ -1915,21 +1933,20 @@ private module MkStage<StageSig PrevStage> {
     predicate returnMayFlowThrough(
       RetNodeEx ret, Ap argAp, Ap ap, ReturnKindExt kind, Configuration config
     ) {
-      exists(ParamNodeEx p, ReturnPosition pos |
-        returnFlowsThrough(ret, pos, _, _, p, argAp, ap, config) and
-        parameterFlowsThroughRev(p, argAp, pos, ap, config) and
-        kind = pos.getKind()
+      exists(ParamNodeEx p |
+        returnFlowsThrough(ret, kind, _, _, p, argAp, ap, config) and
+        parameterFlowsThroughRev(p, argAp, kind, ap, config)
       )
     }
 
     pragma[nomagic]
-    private predicate revFlowThroughArg(
+    predicate revFlowInToReturnIsReturned(
       DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
       Ap ap, Configuration config
     ) {
-      exists(ParamNodeEx p, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
-        flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
+      exists(ReturnKindExt returnKind0, Ap returnAp0 |
+        revFlowInToReturn(call, arg, state, returnKind0, returnAp0, ap, config) and
+        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
       )
     }
 
@@ -1937,7 +1954,7 @@ private module MkStage<StageSig PrevStage> {
     predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
       exists(ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap |
         revFlow(arg, state, returnCtx, returnAp, ap, config) and
-        revFlowThroughArg(call, arg, state, returnCtx, returnAp, ap, config)
+        revFlowInToReturnIsReturned(call, arg, state, returnCtx, returnAp, ap, config)
       )
     }
 
@@ -1950,9 +1967,8 @@ private module MkStage<StageSig PrevStage> {
       conscand = count(TypedContent f0, Ap ap | fwdConsCand(f0, ap, config)) and
       states = count(FlowState state | fwdFlow(_, state, _, _, _, _, config)) and
       tuples =
-        count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap |
-          fwdFlow(n, state, cc, summaryCtx, argAp, ap, config)
-        )
+        count(NodeEx n, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+          Ap ap | fwdFlow(n, state, cc, summaryCtx, argAp, ap, config))
       or
       fwd = false and
       nodes = count(NodeEx node | revFlow(node, _, _, _, _, config)) and
@@ -2807,12 +2823,13 @@ private Configuration unbindConf(Configuration conf) {
 
 pragma[nomagic]
 private predicate nodeMayUseSummary0(
-  NodeEx n, ParamNodeEx p, FlowState state, AccessPathApprox apa, Configuration config
+  NodeEx n, DataFlowCallable c, ParameterPosition pos, FlowState state, AccessPathApprox apa,
+  Configuration config
 ) {
   exists(AccessPathApprox apa0 |
-    Stage5::parameterMayFlowThrough(p, _, _) and
+    c = n.getEnclosingCallable() and
     Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0, config) and
-    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()),
+    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParameterPositionSome(pos),
       TAccessPathApproxSome(apa), apa0, config)
   )
 }
@@ -2821,9 +2838,10 @@ pragma[nomagic]
 private predicate nodeMayUseSummary(
   NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParamNodeEx p |
+  exists(DataFlowCallable c, ParameterPosition pos, ParamNodeEx p |
     Stage5::parameterMayFlowThrough(p, apa, config) and
-    nodeMayUseSummary0(n, p, state, apa, config)
+    nodeMayUseSummary0(n, c, pos, state, apa, config) and
+    p.isParameterOf(c, pos)
   )
 }
 
@@ -3753,8 +3771,8 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
   AccessPathApprox apa, Configuration config
 ) {
-  exists(RetNodeEx ret |
-    pathNode(_, ret, state, cc, sc, ap, config, _) and
+  exists(PathNodeMid mid, RetNodeEx ret |
+    pathNode(mid, ret, state, cc, sc, ap, config, _) and
     kind = ret.getKind() and
     apa = ap.getApprox() and
     parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4216,15 +4234,17 @@ private module FlowExploration {
       ap = TRevPartialNil() and
       exists(config.explorationLimit())
       or
-      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
-      not clearsContentEx(node, ap.getHead()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead())
-      ) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
+      exists(PartialPathNodeRev mid |
+        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
+        not clearsContentEx(node, ap.getHead()) and
+        (
+          notExpectsContent(node) or
+          expectsContentEx(node, ap.getHead())
+        ) and
+        not fullBarrier(node, config) and
+        not stateBarrier(node, state, config) and
+        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
+      )
     }
 
   pragma[nomagic]
@@ -4232,17 +4252,19 @@ private module FlowExploration {
     NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
   ) {
-    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
-    not fullBarrier(node, config) and
-    not stateBarrier(node, state, config) and
-    not clearsContentEx(node, ap.getHead().getContent()) and
-    (
-      notExpectsContent(node) or
-      expectsContentEx(node, ap.getHead().getContent())
-    ) and
-    if node.asNode() instanceof CastingNode
-    then compatibleTypes(node.getDataFlowType(), ap.getType())
-    else any()
+    exists(PartialPathNodeFwd mid |
+      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      not clearsContentEx(node, ap.getHead().getContent()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead().getContent())
+      ) and
+      if node.asNode() instanceof CastingNode
+      then compatibleTypes(node.getDataFlowType(), ap.getType())
+      else any()
+    )
   }
 
   /**

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -622,11 +622,7 @@ private predicate parameterFlowThroughAllowed(ParamNodeEx p, ReturnKindExt kind)
 }
 
 private module Stage1 implements StageSig {
-  class Ap extends int {
-    // workaround for bad functionality-induced joins (happens when using `Unit`)
-    pragma[nomagic]
-    Ap() { this in [0 .. 1] and this < 1 }
-  }
+  class Ap = Unit;
 
   private class Cc = boolean;
 
@@ -876,9 +872,9 @@ private module Stage1 implements StageSig {
 
   pragma[nomagic]
   private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(NodeEx out |
+    exists(DataFlowCall call, NodeEx out |
       revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
     )
   }
 
@@ -1331,8 +1327,8 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, ApApprox apa, Configuration config
     ) {
       fwdFlow0(node, state, cc, summaryCtx, argAp, ap, apa, config) and
       PrevStage::revFlow(node, state, apa, config) and
@@ -1341,21 +1337,21 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[inline]
     additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, Configuration config
     ) {
       fwdFlow(node, state, cc, summaryCtx, argAp, ap, _, config)
     }
 
     pragma[nomagic]
     private predicate fwdFlow0(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, ApApprox apa, Configuration config
     ) {
       sourceNode(node, state, config) and
       (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
       argAp = apNone() and
-      summaryCtx = TParamNodeNone() and
+      summaryCtx = TParameterPositionNone() and
       ap = getApNil(node) and
       apa = getApprox(ap)
       or
@@ -1376,7 +1372,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, pragma[only_bind_into](state), _, _, _, ap, apa, pragma[only_bind_into](config)) and
         jumpStep(mid, node, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone()
       )
       or
@@ -1384,7 +1380,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, state, _, _, _, nil, pragma[only_bind_into](config)) and
         additionalJumpStep(mid, node, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone() and
         ap = getApNil(node) and
         apa = getApprox(ap)
@@ -1394,7 +1390,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, state0, _, _, _, nil, pragma[only_bind_into](config)) and
         additionalJumpStateStep(mid, state0, node, state, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone() and
         ap = getApNil(node) and
         apa = getApprox(ap)
@@ -1418,10 +1414,10 @@ private module MkStage<StageSig PrevStage> {
       fwdFlowIn(_, node, state, _, cc, _, _, ap, apa, config) and
       if PrevStage::parameterMayFlowThrough(node, apa, config)
       then (
-        summaryCtx = TParamNodeSome(node.asNode()) and
+        summaryCtx = TParameterPositionSome(node.(ParamNodeEx).getPosition()) and
         argAp = apSome(ap)
       ) else (
-        summaryCtx = TParamNodeNone() and argAp = apNone()
+        summaryCtx = TParameterPositionNone() and argAp = apNone()
       )
       or
       // flow out of a callable
@@ -1437,19 +1433,16 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(
-        DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow, ApApprox innerArgApa
-      |
-        fwdFlowThrough(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, innerArgApa, config) and
-        flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow, innerArgApa, apa, config) and
-        if allowsFieldFlow = false then ap instanceof ApNil else any()
+      exists(DataFlowCall call, ParameterPosition summaryCtx0, Ap argAp0 |
+        fwdFlowOutFromArg(call, node, state, summaryCtx0, argAp0, ap, apa, config) and
+        fwdFlowIsEntered(call, cc, summaryCtx, argAp, summaryCtx0, argAp0, config)
       )
     }
 
     pragma[nomagic]
     private predicate fwdFlowStore(
       NodeEx node1, Ap ap1, TypedContent tc, NodeEx node2, FlowState state, Cc cc,
-      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
     ) {
       exists(DataFlowType contentType, ApApprox apa1 |
         fwdFlow(node1, state, cc, summaryCtx, argAp, ap1, apa1, config) and
@@ -1480,31 +1473,27 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate fwdFlowRead0(
-      NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
-      Configuration config
+      NodeEx node1, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ApNonNil ap, Configuration config
     ) {
       fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, _, _, config)
     }
 
-    bindingset[ap, c]
-    pragma[inline_late]
-    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
-
     pragma[nomagic]
     private predicate fwdFlowRead(
       Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
-      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
     ) {
       fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, c, node2, config) and
-      hasHeadContent(ap, c)
+      getHeadContent(ap) = c
     }
 
     pragma[nomagic]
     private predicate fwdFlowIn(
       DataFlowCall call, ParamNodeEx p, FlowState state, Cc outercc, CcCall innercc,
-      ParamNodeOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
     ) {
       exists(ArgNodeEx arg, boolean allowsFieldFlow |
         fwdFlow(arg, state, outercc, summaryCtx, argAp, ap, apa, config) and
@@ -1516,38 +1505,64 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate fwdFlowRetFromArg(
-      RetNodeEx ret, FlowState state, CcCall ccc, ParamNodeEx summaryCtx, Ap argAp, ApApprox argApa,
-      Ap ap, ApApprox apa, Configuration config
+      RetNodeEx ret, FlowState state, CcCall ccc, ParameterPosition summaryCtx, ParamNodeEx p,
+      Ap argAp, ApApprox argApa, Ap ap, ApApprox apa, Configuration config
     ) {
-      exists(ReturnKindExt kind |
+      exists(DataFlowCallable c, ReturnKindExt kind |
         fwdFlow(pragma[only_bind_into](ret), state, ccc,
-          TParamNodeSome(pragma[only_bind_into](summaryCtx.asNode())),
-          pragma[only_bind_into](apSome(argAp)), ap, pragma[only_bind_into](apa),
-          pragma[only_bind_into](config)) and
+          TParameterPositionSome(pragma[only_bind_into](summaryCtx)), apSome(argAp), ap, apa, config) and
+        getApprox(argAp) = argApa and
+        c = ret.getEnclosingCallable() and
         kind = ret.getKind() and
-        parameterFlowThroughAllowed(summaryCtx, kind) and
-        argApa = getApprox(argAp) and
-        PrevStage::returnMayFlowThrough(ret, argApa, apa, kind, pragma[only_bind_into](config))
+        p.isParameterOf(c, pragma[only_bind_into](summaryCtx)) and
+        parameterFlowThroughAllowed(p, kind)
       )
     }
 
     pragma[inline]
-    private predicate fwdFlowThrough0(
-      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
-      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ParamNodeEx innerSummaryCtx,
-      Ap innerArgAp, ApApprox innerArgApa, Configuration config
+    private predicate fwdFlowInMayFlowThrough(
+      DataFlowCall call, Cc cc, CcCall innerCc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ParamNodeEx param, Ap ap, ApApprox apa, Configuration config
     ) {
-      fwdFlowRetFromArg(ret, state, ccc, innerSummaryCtx, innerArgAp, innerArgApa, ap, apa, config) and
-      fwdFlowIsEntered(call, cc, ccc, summaryCtx, argAp, innerSummaryCtx, innerArgAp, config)
+      fwdFlowIn(call, pragma[only_bind_into](param), _, cc, innerCc, summaryCtx, argAp, ap,
+        pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
+      PrevStage::parameterMayFlowThrough(param, apa, config)
+    }
+
+    // dedup before joining with `flowThroughOutOfCall`
+    pragma[nomagic]
+    private predicate fwdFlowInMayFlowThroughProj(
+      DataFlowCall call, CcCall innerCc, ApApprox apa, Configuration config
+    ) {
+      fwdFlowInMayFlowThrough(call, _, innerCc, _, _, _, _, apa, config)
+    }
+
+    /**
+     * Same as `flowThroughOutOfCall`, but restricted to calls that are reached
+     * in the flow covered by `fwdFlow`, where data might flow through the target
+     * callable and back out at `call`.
+     */
+    pragma[nomagic]
+    private predicate fwdFlowThroughOutOfCall(
+      DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+      ApApprox argApa, ApApprox apa, Configuration config
+    ) {
+      fwdFlowInMayFlowThroughProj(call, ccc, argApa, config) and
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config)
     }
 
     pragma[nomagic]
-    private predicate fwdFlowThrough(
-      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
-      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ApApprox innerArgApa, Configuration config
+    private predicate fwdFlowOutFromArg(
+      DataFlowCall call, NodeEx out, FlowState state, ParameterPosition summaryCtx, Ap argAp, Ap ap,
+      ApApprox apa, Configuration config
     ) {
-      fwdFlowThrough0(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, _, _, innerArgApa,
-        config)
+      exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc, ApApprox argApa |
+        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc),
+          summaryCtx, _, argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa),
+          config) and
+        fwdFlowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config) and
+        (if allowsFieldFlow = false then ap instanceof ApNil else any())
+      )
     }
 
     /**
@@ -1556,14 +1571,12 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     private predicate fwdFlowIsEntered(
-      DataFlowCall call, Cc cc, CcCall innerCc, ParamNodeOption summaryCtx, ApOption argAp,
-      ParamNodeEx p, Ap ap, Configuration config
+      DataFlowCall call, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ParameterPosition pos, Ap ap, Configuration config
     ) {
-      exists(ApApprox apa |
-        fwdFlowIn(call, pragma[only_bind_into](p), _, cc, innerCc, summaryCtx, argAp, ap,
-          pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
-        PrevStage::parameterMayFlowThrough(p, apa, config) and
-        PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config))
+      exists(ParamNodeEx param |
+        fwdFlowInMayFlowThrough(call, cc, _, summaryCtx, argAp, param, ap, _, config) and
+        pos = param.getPosition()
       )
     }
 
@@ -1583,31 +1596,23 @@ private module MkStage<StageSig PrevStage> {
       fwdFlowConsCand(ap1, c, ap2, config)
     }
 
-    pragma[nomagic]
-    private predicate returnFlowsThrough0(
-      DataFlowCall call, FlowState state, CcCall ccc, Ap ap, ApApprox apa, RetNodeEx ret,
-      ParamNodeEx innerSummaryCtx, Ap innerArgAp, ApApprox innerArgApa, Configuration config
-    ) {
-      fwdFlowThrough0(call, _, state, ccc, _, _, ap, apa, ret, innerSummaryCtx, innerArgAp,
-        innerArgApa, config)
-    }
-
     pragma[nomagic]
     private predicate returnFlowsThrough(
-      RetNodeEx ret, ReturnPosition pos, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
+      RetNodeEx ret, ReturnKindExt kind, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
       Ap ap, Configuration config
     ) {
-      exists(DataFlowCall call, ApApprox apa, boolean allowsFieldFlow, ApApprox innerArgApa |
-        returnFlowsThrough0(call, state, ccc, ap, apa, ret, p, argAp, innerArgApa, config) and
-        flowThroughOutOfCall(call, ccc, ret, _, allowsFieldFlow, innerArgApa, apa, config) and
-        pos = ret.getReturnPosition() and
-        if allowsFieldFlow = false then ap instanceof ApNil else any()
+      exists(boolean allowsFieldFlow, ApApprox argApa, ApApprox apa |
+        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc), _, p,
+          argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa), config) and
+        kind = ret.getKind() and
+        fwdFlowThroughOutOfCall(_, ccc, ret, _, allowsFieldFlow, argApa, apa, config) and
+        (if allowsFieldFlow = false then ap instanceof ApNil else any())
       )
     }
 
     pragma[nomagic]
     private predicate flowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp, Ap ap,
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
       Configuration config
     ) {
       exists(ApApprox argApa |
@@ -1615,7 +1620,7 @@ private module MkStage<StageSig PrevStage> {
           allowsFieldFlow, argApa, pragma[only_bind_into](config)) and
         fwdFlow(arg, _, _, _, _, pragma[only_bind_into](argAp), argApa,
           pragma[only_bind_into](config)) and
-        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), ap,
+        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), _,
           pragma[only_bind_into](config)) and
         if allowsFieldFlow = false then argAp instanceof ApNil else any()
       )
@@ -1634,13 +1639,12 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate flowOutOfCallAp(
-      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, NodeEx out, boolean allowsFieldFlow,
+      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, NodeEx out, boolean allowsFieldFlow,
       Ap ap, Configuration config
     ) {
       exists(ApApprox apa |
-        flowOutOfCallApa(call, ret, _, out, allowsFieldFlow, apa, config) and
-        fwdFlow(ret, _, _, _, _, ap, apa, config) and
-        pos = ret.getReturnPosition()
+        flowOutOfCallApa(call, ret, kind, out, allowsFieldFlow, apa, config) and
+        fwdFlow(ret, _, _, _, _, ap, apa, config)
       )
     }
 
@@ -1735,17 +1739,17 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
-        flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
+      exists(DataFlowCall call, ReturnKindExt returnKind0, Ap returnAp0 |
+        revFlowInToReturn(call, node, state, returnKind0, returnAp0, ap, config) and
+        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
       )
       or
       // flow out of a callable
-      exists(ReturnPosition pos |
-        revFlowOut(_, node, pos, state, _, _, ap, config) and
-        if returnFlowsThrough(node, pos, state, _, _, _, ap, config)
+      exists(ReturnKindExt kind |
+        revFlowOut(_, node, kind, state, _, _, ap, config) and
+        if returnFlowsThrough(node, kind, state, _, _, _, ap, config)
         then (
-          returnCtx = TReturnCtxMaybeFlowThrough(pos) and
+          returnCtx = TReturnCtxMaybeFlowThrough(kind) and
           returnAp = apSome(ap)
         ) else (
           returnCtx = TReturnCtxNoFlowThrough() and returnAp = apNone()
@@ -1778,33 +1782,47 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate revFlowOut(
-      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, FlowState state, ReturnCtx returnCtx,
+      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, FlowState state, ReturnCtx returnCtx,
       ApOption returnAp, Ap ap, Configuration config
     ) {
       exists(NodeEx out, boolean allowsFieldFlow |
         revFlow(out, state, returnCtx, returnAp, ap, config) and
-        flowOutOfCallAp(call, ret, pos, out, allowsFieldFlow, ap, config) and
+        flowOutOfCallAp(call, ret, kind, out, allowsFieldFlow, ap, config) and
         if allowsFieldFlow = false then ap instanceof ApNil else any()
       )
     }
 
+    /**
+     * Same as `flowThroughIntoCall`, but restricted to calls that are reached
+     * in the flow covered by `revFlow`, where data might flow through the target
+     * callable and back out at `call`.
+     */
     pragma[nomagic]
-    private predicate revFlowParamToReturn(
-      ParamNodeEx p, FlowState state, ReturnPosition pos, Ap returnAp, Ap ap, Configuration config
+    private predicate revFlowThroughIntoCall(
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
+      Configuration config
     ) {
-      revFlow(pragma[only_bind_into](p), state, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp),
-        pragma[only_bind_into](ap), pragma[only_bind_into](config)) and
-      parameterFlowThroughAllowed(p, pos.getKind()) and
-      PrevStage::parameterMayFlowThrough(p, getApprox(ap), config)
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, argAp, config) and
+      revFlowIsReturned(call, _, _, _, _, config)
     }
 
     pragma[nomagic]
-    private predicate revFlowThrough(
-      DataFlowCall call, ReturnCtx returnCtx, ParamNodeEx p, FlowState state, ReturnPosition pos,
-      ApOption returnAp, Ap ap, Ap innerReturnAp, Configuration config
+    private predicate revFlowParamToReturn(
+      ParamNodeEx p, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap, Configuration config
     ) {
-      revFlowParamToReturn(p, state, pos, innerReturnAp, ap, config) and
-      revFlowIsReturned(call, returnCtx, returnAp, pos, innerReturnAp, config)
+      revFlow(p, state, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, kind)
+    }
+
+    pragma[nomagic]
+    private predicate revFlowInToReturn(
+      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap,
+      Configuration config
+    ) {
+      exists(ParamNodeEx p, boolean allowsFieldFlow |
+        revFlowParamToReturn(p, state, kind, returnAp, ap, config) and
+        revFlowThroughIntoCall(call, arg, p, allowsFieldFlow, ap, config)
+      )
     }
 
     /**
@@ -1814,12 +1832,12 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     private predicate revFlowIsReturned(
-      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnPosition pos, Ap ap,
+      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnKindExt kind, Ap ap,
       Configuration config
     ) {
       exists(RetNodeEx ret, FlowState state, CcCall ccc |
-        revFlowOut(call, ret, pos, state, returnCtx, returnAp, ap, config) and
-        returnFlowsThrough(ret, pos, state, ccc, _, _, ap, config) and
+        revFlowOut(call, ret, kind, state, returnCtx, returnAp, ap, config) and
+        returnFlowsThrough(ret, kind, state, ccc, _, _, ap, config) and
         matchesCall(ccc, call)
       )
     }
@@ -1897,17 +1915,17 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate parameterFlowsThroughRev(
-      ParamNodeEx p, Ap ap, ReturnPosition pos, Ap returnAp, Configuration config
+      ParamNodeEx p, Ap ap, ReturnKindExt kind, Ap returnAp, Configuration config
     ) {
-      revFlow(p, _, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, pos.getKind())
+      revFlow(p, _, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, kind)
     }
 
     pragma[nomagic]
     predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(ReturnPosition pos |
-        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
-        parameterFlowsThroughRev(p, ap, pos, _, config)
+      exists(RetNodeEx ret, ReturnKindExt kind |
+        returnFlowsThrough(ret, kind, _, _, p, ap, _, config) and
+        parameterFlowsThroughRev(p, ap, kind, _, config)
       )
     }
 
@@ -1915,21 +1933,20 @@ private module MkStage<StageSig PrevStage> {
     predicate returnMayFlowThrough(
       RetNodeEx ret, Ap argAp, Ap ap, ReturnKindExt kind, Configuration config
     ) {
-      exists(ParamNodeEx p, ReturnPosition pos |
-        returnFlowsThrough(ret, pos, _, _, p, argAp, ap, config) and
-        parameterFlowsThroughRev(p, argAp, pos, ap, config) and
-        kind = pos.getKind()
+      exists(ParamNodeEx p |
+        returnFlowsThrough(ret, kind, _, _, p, argAp, ap, config) and
+        parameterFlowsThroughRev(p, argAp, kind, ap, config)
       )
     }
 
     pragma[nomagic]
-    private predicate revFlowThroughArg(
+    predicate revFlowInToReturnIsReturned(
       DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
       Ap ap, Configuration config
     ) {
-      exists(ParamNodeEx p, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
-        flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
+      exists(ReturnKindExt returnKind0, Ap returnAp0 |
+        revFlowInToReturn(call, arg, state, returnKind0, returnAp0, ap, config) and
+        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
       )
     }
 
@@ -1937,7 +1954,7 @@ private module MkStage<StageSig PrevStage> {
     predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
       exists(ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap |
         revFlow(arg, state, returnCtx, returnAp, ap, config) and
-        revFlowThroughArg(call, arg, state, returnCtx, returnAp, ap, config)
+        revFlowInToReturnIsReturned(call, arg, state, returnCtx, returnAp, ap, config)
       )
     }
 
@@ -1950,9 +1967,8 @@ private module MkStage<StageSig PrevStage> {
       conscand = count(TypedContent f0, Ap ap | fwdConsCand(f0, ap, config)) and
       states = count(FlowState state | fwdFlow(_, state, _, _, _, _, config)) and
       tuples =
-        count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap |
-          fwdFlow(n, state, cc, summaryCtx, argAp, ap, config)
-        )
+        count(NodeEx n, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+          Ap ap | fwdFlow(n, state, cc, summaryCtx, argAp, ap, config))
       or
       fwd = false and
       nodes = count(NodeEx node | revFlow(node, _, _, _, _, config)) and
@@ -2807,12 +2823,13 @@ private Configuration unbindConf(Configuration conf) {
 
 pragma[nomagic]
 private predicate nodeMayUseSummary0(
-  NodeEx n, ParamNodeEx p, FlowState state, AccessPathApprox apa, Configuration config
+  NodeEx n, DataFlowCallable c, ParameterPosition pos, FlowState state, AccessPathApprox apa,
+  Configuration config
 ) {
   exists(AccessPathApprox apa0 |
-    Stage5::parameterMayFlowThrough(p, _, _) and
+    c = n.getEnclosingCallable() and
     Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0, config) and
-    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()),
+    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParameterPositionSome(pos),
       TAccessPathApproxSome(apa), apa0, config)
   )
 }
@@ -2821,9 +2838,10 @@ pragma[nomagic]
 private predicate nodeMayUseSummary(
   NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParamNodeEx p |
+  exists(DataFlowCallable c, ParameterPosition pos, ParamNodeEx p |
     Stage5::parameterMayFlowThrough(p, apa, config) and
-    nodeMayUseSummary0(n, p, state, apa, config)
+    nodeMayUseSummary0(n, c, pos, state, apa, config) and
+    p.isParameterOf(c, pos)
   )
 }
 
@@ -3753,8 +3771,8 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
   AccessPathApprox apa, Configuration config
 ) {
-  exists(RetNodeEx ret |
-    pathNode(_, ret, state, cc, sc, ap, config, _) and
+  exists(PathNodeMid mid, RetNodeEx ret |
+    pathNode(mid, ret, state, cc, sc, ap, config, _) and
     kind = ret.getKind() and
     apa = ap.getApprox() and
     parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4216,15 +4234,17 @@ private module FlowExploration {
       ap = TRevPartialNil() and
       exists(config.explorationLimit())
       or
-      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
-      not clearsContentEx(node, ap.getHead()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead())
-      ) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
+      exists(PartialPathNodeRev mid |
+        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
+        not clearsContentEx(node, ap.getHead()) and
+        (
+          notExpectsContent(node) or
+          expectsContentEx(node, ap.getHead())
+        ) and
+        not fullBarrier(node, config) and
+        not stateBarrier(node, state, config) and
+        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
+      )
     }
 
   pragma[nomagic]
@@ -4232,17 +4252,19 @@ private module FlowExploration {
     NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
   ) {
-    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
-    not fullBarrier(node, config) and
-    not stateBarrier(node, state, config) and
-    not clearsContentEx(node, ap.getHead().getContent()) and
-    (
-      notExpectsContent(node) or
-      expectsContentEx(node, ap.getHead().getContent())
-    ) and
-    if node.asNode() instanceof CastingNode
-    then compatibleTypes(node.getDataFlowType(), ap.getType())
-    else any()
+    exists(PartialPathNodeFwd mid |
+      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      not clearsContentEx(node, ap.getHead().getContent()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead().getContent())
+      ) and
+      if node.asNode() instanceof CastingNode
+      then compatibleTypes(node.getDataFlowType(), ap.getType())
+      else any()
+    )
   }
 
   /**

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

@@ -622,11 +622,7 @@ private predicate parameterFlowThroughAllowed(ParamNodeEx p, ReturnKindExt kind)
 }
 
 private module Stage1 implements StageSig {
-  class Ap extends int {
-    // workaround for bad functionality-induced joins (happens when using `Unit`)
-    pragma[nomagic]
-    Ap() { this in [0 .. 1] and this < 1 }
-  }
+  class Ap = Unit;
 
   private class Cc = boolean;
 
@@ -876,9 +872,9 @@ private module Stage1 implements StageSig {
 
   pragma[nomagic]
   private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(NodeEx out |
+    exists(DataFlowCall call, NodeEx out |
       revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
     )
   }
 
@@ -1331,8 +1327,8 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, ApApprox apa, Configuration config
     ) {
       fwdFlow0(node, state, cc, summaryCtx, argAp, ap, apa, config) and
       PrevStage::revFlow(node, state, apa, config) and
@@ -1341,21 +1337,21 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[inline]
     additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, Configuration config
     ) {
       fwdFlow(node, state, cc, summaryCtx, argAp, ap, _, config)
     }
 
     pragma[nomagic]
     private predicate fwdFlow0(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, ApApprox apa, Configuration config
     ) {
       sourceNode(node, state, config) and
       (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
       argAp = apNone() and
-      summaryCtx = TParamNodeNone() and
+      summaryCtx = TParameterPositionNone() and
       ap = getApNil(node) and
       apa = getApprox(ap)
       or
@@ -1376,7 +1372,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, pragma[only_bind_into](state), _, _, _, ap, apa, pragma[only_bind_into](config)) and
         jumpStep(mid, node, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone()
       )
       or
@@ -1384,7 +1380,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, state, _, _, _, nil, pragma[only_bind_into](config)) and
         additionalJumpStep(mid, node, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone() and
         ap = getApNil(node) and
         apa = getApprox(ap)
@@ -1394,7 +1390,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, state0, _, _, _, nil, pragma[only_bind_into](config)) and
         additionalJumpStateStep(mid, state0, node, state, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone() and
         ap = getApNil(node) and
         apa = getApprox(ap)
@@ -1418,10 +1414,10 @@ private module MkStage<StageSig PrevStage> {
       fwdFlowIn(_, node, state, _, cc, _, _, ap, apa, config) and
       if PrevStage::parameterMayFlowThrough(node, apa, config)
       then (
-        summaryCtx = TParamNodeSome(node.asNode()) and
+        summaryCtx = TParameterPositionSome(node.(ParamNodeEx).getPosition()) and
         argAp = apSome(ap)
       ) else (
-        summaryCtx = TParamNodeNone() and argAp = apNone()
+        summaryCtx = TParameterPositionNone() and argAp = apNone()
       )
       or
       // flow out of a callable
@@ -1437,19 +1433,16 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(
-        DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow, ApApprox innerArgApa
-      |
-        fwdFlowThrough(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, innerArgApa, config) and
-        flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow, innerArgApa, apa, config) and
-        if allowsFieldFlow = false then ap instanceof ApNil else any()
+      exists(DataFlowCall call, ParameterPosition summaryCtx0, Ap argAp0 |
+        fwdFlowOutFromArg(call, node, state, summaryCtx0, argAp0, ap, apa, config) and
+        fwdFlowIsEntered(call, cc, summaryCtx, argAp, summaryCtx0, argAp0, config)
       )
     }
 
     pragma[nomagic]
     private predicate fwdFlowStore(
       NodeEx node1, Ap ap1, TypedContent tc, NodeEx node2, FlowState state, Cc cc,
-      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
     ) {
       exists(DataFlowType contentType, ApApprox apa1 |
         fwdFlow(node1, state, cc, summaryCtx, argAp, ap1, apa1, config) and
@@ -1480,31 +1473,27 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate fwdFlowRead0(
-      NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
-      Configuration config
+      NodeEx node1, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ApNonNil ap, Configuration config
     ) {
       fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, _, _, config)
     }
 
-    bindingset[ap, c]
-    pragma[inline_late]
-    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
-
     pragma[nomagic]
     private predicate fwdFlowRead(
       Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
-      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
     ) {
       fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, c, node2, config) and
-      hasHeadContent(ap, c)
+      getHeadContent(ap) = c
     }
 
     pragma[nomagic]
     private predicate fwdFlowIn(
       DataFlowCall call, ParamNodeEx p, FlowState state, Cc outercc, CcCall innercc,
-      ParamNodeOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
     ) {
       exists(ArgNodeEx arg, boolean allowsFieldFlow |
         fwdFlow(arg, state, outercc, summaryCtx, argAp, ap, apa, config) and
@@ -1516,38 +1505,64 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate fwdFlowRetFromArg(
-      RetNodeEx ret, FlowState state, CcCall ccc, ParamNodeEx summaryCtx, Ap argAp, ApApprox argApa,
-      Ap ap, ApApprox apa, Configuration config
+      RetNodeEx ret, FlowState state, CcCall ccc, ParameterPosition summaryCtx, ParamNodeEx p,
+      Ap argAp, ApApprox argApa, Ap ap, ApApprox apa, Configuration config
     ) {
-      exists(ReturnKindExt kind |
+      exists(DataFlowCallable c, ReturnKindExt kind |
         fwdFlow(pragma[only_bind_into](ret), state, ccc,
-          TParamNodeSome(pragma[only_bind_into](summaryCtx.asNode())),
-          pragma[only_bind_into](apSome(argAp)), ap, pragma[only_bind_into](apa),
-          pragma[only_bind_into](config)) and
+          TParameterPositionSome(pragma[only_bind_into](summaryCtx)), apSome(argAp), ap, apa, config) and
+        getApprox(argAp) = argApa and
+        c = ret.getEnclosingCallable() and
         kind = ret.getKind() and
-        parameterFlowThroughAllowed(summaryCtx, kind) and
-        argApa = getApprox(argAp) and
-        PrevStage::returnMayFlowThrough(ret, argApa, apa, kind, pragma[only_bind_into](config))
+        p.isParameterOf(c, pragma[only_bind_into](summaryCtx)) and
+        parameterFlowThroughAllowed(p, kind)
       )
     }
 
     pragma[inline]
-    private predicate fwdFlowThrough0(
-      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
-      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ParamNodeEx innerSummaryCtx,
-      Ap innerArgAp, ApApprox innerArgApa, Configuration config
+    private predicate fwdFlowInMayFlowThrough(
+      DataFlowCall call, Cc cc, CcCall innerCc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ParamNodeEx param, Ap ap, ApApprox apa, Configuration config
     ) {
-      fwdFlowRetFromArg(ret, state, ccc, innerSummaryCtx, innerArgAp, innerArgApa, ap, apa, config) and
-      fwdFlowIsEntered(call, cc, ccc, summaryCtx, argAp, innerSummaryCtx, innerArgAp, config)
+      fwdFlowIn(call, pragma[only_bind_into](param), _, cc, innerCc, summaryCtx, argAp, ap,
+        pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
+      PrevStage::parameterMayFlowThrough(param, apa, config)
+    }
+
+    // dedup before joining with `flowThroughOutOfCall`
+    pragma[nomagic]
+    private predicate fwdFlowInMayFlowThroughProj(
+      DataFlowCall call, CcCall innerCc, ApApprox apa, Configuration config
+    ) {
+      fwdFlowInMayFlowThrough(call, _, innerCc, _, _, _, _, apa, config)
+    }
+
+    /**
+     * Same as `flowThroughOutOfCall`, but restricted to calls that are reached
+     * in the flow covered by `fwdFlow`, where data might flow through the target
+     * callable and back out at `call`.
+     */
+    pragma[nomagic]
+    private predicate fwdFlowThroughOutOfCall(
+      DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+      ApApprox argApa, ApApprox apa, Configuration config
+    ) {
+      fwdFlowInMayFlowThroughProj(call, ccc, argApa, config) and
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config)
     }
 
     pragma[nomagic]
-    private predicate fwdFlowThrough(
-      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
-      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ApApprox innerArgApa, Configuration config
+    private predicate fwdFlowOutFromArg(
+      DataFlowCall call, NodeEx out, FlowState state, ParameterPosition summaryCtx, Ap argAp, Ap ap,
+      ApApprox apa, Configuration config
     ) {
-      fwdFlowThrough0(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, _, _, innerArgApa,
-        config)
+      exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc, ApApprox argApa |
+        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc),
+          summaryCtx, _, argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa),
+          config) and
+        fwdFlowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config) and
+        (if allowsFieldFlow = false then ap instanceof ApNil else any())
+      )
     }
 
     /**
@@ -1556,14 +1571,12 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     private predicate fwdFlowIsEntered(
-      DataFlowCall call, Cc cc, CcCall innerCc, ParamNodeOption summaryCtx, ApOption argAp,
-      ParamNodeEx p, Ap ap, Configuration config
+      DataFlowCall call, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ParameterPosition pos, Ap ap, Configuration config
     ) {
-      exists(ApApprox apa |
-        fwdFlowIn(call, pragma[only_bind_into](p), _, cc, innerCc, summaryCtx, argAp, ap,
-          pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
-        PrevStage::parameterMayFlowThrough(p, apa, config) and
-        PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config))
+      exists(ParamNodeEx param |
+        fwdFlowInMayFlowThrough(call, cc, _, summaryCtx, argAp, param, ap, _, config) and
+        pos = param.getPosition()
       )
     }
 
@@ -1583,31 +1596,23 @@ private module MkStage<StageSig PrevStage> {
       fwdFlowConsCand(ap1, c, ap2, config)
     }
 
-    pragma[nomagic]
-    private predicate returnFlowsThrough0(
-      DataFlowCall call, FlowState state, CcCall ccc, Ap ap, ApApprox apa, RetNodeEx ret,
-      ParamNodeEx innerSummaryCtx, Ap innerArgAp, ApApprox innerArgApa, Configuration config
-    ) {
-      fwdFlowThrough0(call, _, state, ccc, _, _, ap, apa, ret, innerSummaryCtx, innerArgAp,
-        innerArgApa, config)
-    }
-
     pragma[nomagic]
     private predicate returnFlowsThrough(
-      RetNodeEx ret, ReturnPosition pos, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
+      RetNodeEx ret, ReturnKindExt kind, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
       Ap ap, Configuration config
     ) {
-      exists(DataFlowCall call, ApApprox apa, boolean allowsFieldFlow, ApApprox innerArgApa |
-        returnFlowsThrough0(call, state, ccc, ap, apa, ret, p, argAp, innerArgApa, config) and
-        flowThroughOutOfCall(call, ccc, ret, _, allowsFieldFlow, innerArgApa, apa, config) and
-        pos = ret.getReturnPosition() and
-        if allowsFieldFlow = false then ap instanceof ApNil else any()
+      exists(boolean allowsFieldFlow, ApApprox argApa, ApApprox apa |
+        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc), _, p,
+          argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa), config) and
+        kind = ret.getKind() and
+        fwdFlowThroughOutOfCall(_, ccc, ret, _, allowsFieldFlow, argApa, apa, config) and
+        (if allowsFieldFlow = false then ap instanceof ApNil else any())
       )
     }
 
     pragma[nomagic]
     private predicate flowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp, Ap ap,
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
       Configuration config
     ) {
       exists(ApApprox argApa |
@@ -1615,7 +1620,7 @@ private module MkStage<StageSig PrevStage> {
           allowsFieldFlow, argApa, pragma[only_bind_into](config)) and
         fwdFlow(arg, _, _, _, _, pragma[only_bind_into](argAp), argApa,
           pragma[only_bind_into](config)) and
-        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), ap,
+        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), _,
           pragma[only_bind_into](config)) and
         if allowsFieldFlow = false then argAp instanceof ApNil else any()
       )
@@ -1634,13 +1639,12 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate flowOutOfCallAp(
-      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, NodeEx out, boolean allowsFieldFlow,
+      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, NodeEx out, boolean allowsFieldFlow,
       Ap ap, Configuration config
     ) {
       exists(ApApprox apa |
-        flowOutOfCallApa(call, ret, _, out, allowsFieldFlow, apa, config) and
-        fwdFlow(ret, _, _, _, _, ap, apa, config) and
-        pos = ret.getReturnPosition()
+        flowOutOfCallApa(call, ret, kind, out, allowsFieldFlow, apa, config) and
+        fwdFlow(ret, _, _, _, _, ap, apa, config)
       )
     }
 
@@ -1735,17 +1739,17 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
-        flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
+      exists(DataFlowCall call, ReturnKindExt returnKind0, Ap returnAp0 |
+        revFlowInToReturn(call, node, state, returnKind0, returnAp0, ap, config) and
+        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
       )
       or
       // flow out of a callable
-      exists(ReturnPosition pos |
-        revFlowOut(_, node, pos, state, _, _, ap, config) and
-        if returnFlowsThrough(node, pos, state, _, _, _, ap, config)
+      exists(ReturnKindExt kind |
+        revFlowOut(_, node, kind, state, _, _, ap, config) and
+        if returnFlowsThrough(node, kind, state, _, _, _, ap, config)
         then (
-          returnCtx = TReturnCtxMaybeFlowThrough(pos) and
+          returnCtx = TReturnCtxMaybeFlowThrough(kind) and
           returnAp = apSome(ap)
         ) else (
           returnCtx = TReturnCtxNoFlowThrough() and returnAp = apNone()
@@ -1778,33 +1782,47 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate revFlowOut(
-      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, FlowState state, ReturnCtx returnCtx,
+      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, FlowState state, ReturnCtx returnCtx,
       ApOption returnAp, Ap ap, Configuration config
     ) {
       exists(NodeEx out, boolean allowsFieldFlow |
         revFlow(out, state, returnCtx, returnAp, ap, config) and
-        flowOutOfCallAp(call, ret, pos, out, allowsFieldFlow, ap, config) and
+        flowOutOfCallAp(call, ret, kind, out, allowsFieldFlow, ap, config) and
         if allowsFieldFlow = false then ap instanceof ApNil else any()
       )
     }
 
+    /**
+     * Same as `flowThroughIntoCall`, but restricted to calls that are reached
+     * in the flow covered by `revFlow`, where data might flow through the target
+     * callable and back out at `call`.
+     */
     pragma[nomagic]
-    private predicate revFlowParamToReturn(
-      ParamNodeEx p, FlowState state, ReturnPosition pos, Ap returnAp, Ap ap, Configuration config
+    private predicate revFlowThroughIntoCall(
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
+      Configuration config
     ) {
-      revFlow(pragma[only_bind_into](p), state, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp),
-        pragma[only_bind_into](ap), pragma[only_bind_into](config)) and
-      parameterFlowThroughAllowed(p, pos.getKind()) and
-      PrevStage::parameterMayFlowThrough(p, getApprox(ap), config)
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, argAp, config) and
+      revFlowIsReturned(call, _, _, _, _, config)
     }
 
     pragma[nomagic]
-    private predicate revFlowThrough(
-      DataFlowCall call, ReturnCtx returnCtx, ParamNodeEx p, FlowState state, ReturnPosition pos,
-      ApOption returnAp, Ap ap, Ap innerReturnAp, Configuration config
+    private predicate revFlowParamToReturn(
+      ParamNodeEx p, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap, Configuration config
     ) {
-      revFlowParamToReturn(p, state, pos, innerReturnAp, ap, config) and
-      revFlowIsReturned(call, returnCtx, returnAp, pos, innerReturnAp, config)
+      revFlow(p, state, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, kind)
+    }
+
+    pragma[nomagic]
+    private predicate revFlowInToReturn(
+      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap,
+      Configuration config
+    ) {
+      exists(ParamNodeEx p, boolean allowsFieldFlow |
+        revFlowParamToReturn(p, state, kind, returnAp, ap, config) and
+        revFlowThroughIntoCall(call, arg, p, allowsFieldFlow, ap, config)
+      )
     }
 
     /**
@@ -1814,12 +1832,12 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     private predicate revFlowIsReturned(
-      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnPosition pos, Ap ap,
+      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnKindExt kind, Ap ap,
       Configuration config
     ) {
       exists(RetNodeEx ret, FlowState state, CcCall ccc |
-        revFlowOut(call, ret, pos, state, returnCtx, returnAp, ap, config) and
-        returnFlowsThrough(ret, pos, state, ccc, _, _, ap, config) and
+        revFlowOut(call, ret, kind, state, returnCtx, returnAp, ap, config) and
+        returnFlowsThrough(ret, kind, state, ccc, _, _, ap, config) and
         matchesCall(ccc, call)
       )
     }
@@ -1897,17 +1915,17 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate parameterFlowsThroughRev(
-      ParamNodeEx p, Ap ap, ReturnPosition pos, Ap returnAp, Configuration config
+      ParamNodeEx p, Ap ap, ReturnKindExt kind, Ap returnAp, Configuration config
     ) {
-      revFlow(p, _, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, pos.getKind())
+      revFlow(p, _, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, kind)
     }
 
     pragma[nomagic]
     predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(ReturnPosition pos |
-        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
-        parameterFlowsThroughRev(p, ap, pos, _, config)
+      exists(RetNodeEx ret, ReturnKindExt kind |
+        returnFlowsThrough(ret, kind, _, _, p, ap, _, config) and
+        parameterFlowsThroughRev(p, ap, kind, _, config)
       )
     }
 
@@ -1915,21 +1933,20 @@ private module MkStage<StageSig PrevStage> {
     predicate returnMayFlowThrough(
       RetNodeEx ret, Ap argAp, Ap ap, ReturnKindExt kind, Configuration config
     ) {
-      exists(ParamNodeEx p, ReturnPosition pos |
-        returnFlowsThrough(ret, pos, _, _, p, argAp, ap, config) and
-        parameterFlowsThroughRev(p, argAp, pos, ap, config) and
-        kind = pos.getKind()
+      exists(ParamNodeEx p |
+        returnFlowsThrough(ret, kind, _, _, p, argAp, ap, config) and
+        parameterFlowsThroughRev(p, argAp, kind, ap, config)
       )
     }
 
     pragma[nomagic]
-    private predicate revFlowThroughArg(
+    predicate revFlowInToReturnIsReturned(
       DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
       Ap ap, Configuration config
     ) {
-      exists(ParamNodeEx p, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
-        flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
+      exists(ReturnKindExt returnKind0, Ap returnAp0 |
+        revFlowInToReturn(call, arg, state, returnKind0, returnAp0, ap, config) and
+        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
       )
     }
 
@@ -1937,7 +1954,7 @@ private module MkStage<StageSig PrevStage> {
     predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
       exists(ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap |
         revFlow(arg, state, returnCtx, returnAp, ap, config) and
-        revFlowThroughArg(call, arg, state, returnCtx, returnAp, ap, config)
+        revFlowInToReturnIsReturned(call, arg, state, returnCtx, returnAp, ap, config)
       )
     }
 
@@ -1950,9 +1967,8 @@ private module MkStage<StageSig PrevStage> {
       conscand = count(TypedContent f0, Ap ap | fwdConsCand(f0, ap, config)) and
       states = count(FlowState state | fwdFlow(_, state, _, _, _, _, config)) and
       tuples =
-        count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap |
-          fwdFlow(n, state, cc, summaryCtx, argAp, ap, config)
-        )
+        count(NodeEx n, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+          Ap ap | fwdFlow(n, state, cc, summaryCtx, argAp, ap, config))
       or
       fwd = false and
       nodes = count(NodeEx node | revFlow(node, _, _, _, _, config)) and
@@ -2807,12 +2823,13 @@ private Configuration unbindConf(Configuration conf) {
 
 pragma[nomagic]
 private predicate nodeMayUseSummary0(
-  NodeEx n, ParamNodeEx p, FlowState state, AccessPathApprox apa, Configuration config
+  NodeEx n, DataFlowCallable c, ParameterPosition pos, FlowState state, AccessPathApprox apa,
+  Configuration config
 ) {
   exists(AccessPathApprox apa0 |
-    Stage5::parameterMayFlowThrough(p, _, _) and
+    c = n.getEnclosingCallable() and
     Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0, config) and
-    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()),
+    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParameterPositionSome(pos),
       TAccessPathApproxSome(apa), apa0, config)
   )
 }
@@ -2821,9 +2838,10 @@ pragma[nomagic]
 private predicate nodeMayUseSummary(
   NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParamNodeEx p |
+  exists(DataFlowCallable c, ParameterPosition pos, ParamNodeEx p |
     Stage5::parameterMayFlowThrough(p, apa, config) and
-    nodeMayUseSummary0(n, p, state, apa, config)
+    nodeMayUseSummary0(n, c, pos, state, apa, config) and
+    p.isParameterOf(c, pos)
   )
 }
 
@@ -3753,8 +3771,8 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
   AccessPathApprox apa, Configuration config
 ) {
-  exists(RetNodeEx ret |
-    pathNode(_, ret, state, cc, sc, ap, config, _) and
+  exists(PathNodeMid mid, RetNodeEx ret |
+    pathNode(mid, ret, state, cc, sc, ap, config, _) and
     kind = ret.getKind() and
     apa = ap.getApprox() and
     parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4216,15 +4234,17 @@ private module FlowExploration {
       ap = TRevPartialNil() and
       exists(config.explorationLimit())
       or
-      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
-      not clearsContentEx(node, ap.getHead()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead())
-      ) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
+      exists(PartialPathNodeRev mid |
+        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
+        not clearsContentEx(node, ap.getHead()) and
+        (
+          notExpectsContent(node) or
+          expectsContentEx(node, ap.getHead())
+        ) and
+        not fullBarrier(node, config) and
+        not stateBarrier(node, state, config) and
+        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
+      )
     }
 
   pragma[nomagic]
@@ -4232,17 +4252,19 @@ private module FlowExploration {
     NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
   ) {
-    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
-    not fullBarrier(node, config) and
-    not stateBarrier(node, state, config) and
-    not clearsContentEx(node, ap.getHead().getContent()) and
-    (
-      notExpectsContent(node) or
-      expectsContentEx(node, ap.getHead().getContent())
-    ) and
-    if node.asNode() instanceof CastingNode
-    then compatibleTypes(node.getDataFlowType(), ap.getType())
-    else any()
+    exists(PartialPathNodeFwd mid |
+      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      not clearsContentEx(node, ap.getHead().getContent()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead().getContent())
+      ) and
+      if node.asNode() instanceof CastingNode
+      then compatibleTypes(node.getDataFlowType(), ap.getType())
+      else any()
+    )
   }
 
   /**

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll

@@ -916,15 +916,15 @@ private module Cached {
     TDataFlowCallSome(DataFlowCall call)
 
   cached
-  newtype TParamNodeOption =
-    TParamNodeNone() or
-    TParamNodeSome(ParamNode p)
+  newtype TParameterPositionOption =
+    TParameterPositionNone() or
+    TParameterPositionSome(ParameterPosition pos)
 
   cached
   newtype TReturnCtx =
     TReturnCtxNone() or
     TReturnCtxNoFlowThrough() or
-    TReturnCtxMaybeFlowThrough(ReturnPosition pos)
+    TReturnCtxMaybeFlowThrough(ReturnKindExt kind)
 
   cached
   newtype TTypedContentApprox =
@@ -1343,15 +1343,15 @@ class DataFlowCallOption extends TDataFlowCallOption {
   }
 }
 
-/** An optional `ParamNode`. */
-class ParamNodeOption extends TParamNodeOption {
+/** An optional `ParameterPosition`. */
+class ParameterPositionOption extends TParameterPositionOption {
   string toString() {
-    this = TParamNodeNone() and
+    this = TParameterPositionNone() and
     result = "(none)"
     or
-    exists(ParamNode p |
-      this = TParamNodeSome(p) and
-      result = p.toString()
+    exists(ParameterPosition pos |
+      this = TParameterPositionSome(pos) and
+      result = pos.toString()
     )
   }
 }
@@ -1363,7 +1363,7 @@ class ParamNodeOption extends TParamNodeOption {
  *
  * - `TReturnCtxNone()`: no return flow.
  * - `TReturnCtxNoFlowThrough()`: return flow, but flow through is not possible.
- * - `TReturnCtxMaybeFlowThrough(ReturnPosition pos)`: return flow, of kind `pos`, and
+ * - `TReturnCtxMaybeFlowThrough(ReturnKindExt kind)`: return flow, of kind `kind`, and
  *    flow through may be possible.
  */
 class ReturnCtx extends TReturnCtx {
@@ -1374,9 +1374,9 @@ class ReturnCtx extends TReturnCtx {
     this = TReturnCtxNoFlowThrough() and
     result = "(no flow through)"
     or
-    exists(ReturnPosition pos |
-      this = TReturnCtxMaybeFlowThrough(pos) and
-      result = pos.toString()
+    exists(ReturnKindExt kind |
+      this = TReturnCtxMaybeFlowThrough(kind) and
+      result = kind.toString()
     )
   }
 }

cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll

@@ -45,16 +45,6 @@ module Consistency {
     ) {
       none()
     }
-
-    /** Holds if `(c, pos, p)` should be excluded from the consistency test `uniqueParameterNodeAtPosition`. */
-    predicate uniqueParameterNodeAtPositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
-      none()
-    }
-
-    /** Holds if `(c, pos, p)` should be excluded from the consistency test `uniqueParameterNodePosition`. */
-    predicate uniqueParameterNodePositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
-      none()
-    }
   }
 
   private class RelevantNode extends Node {
@@ -111,7 +101,9 @@ module Consistency {
     exists(int c |
       c =
         strictcount(Node n |
-          not n.hasLocationInfo(_, _, _, _, _) and
+          not exists(string filepath, int startline, int startcolumn, int endline, int endcolumn |
+            n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+          ) and
           not any(ConsistencyConfiguration conf).missingLocationExclude(n)
         ) and
       msg = "Nodes without location: " + c
@@ -256,7 +248,6 @@ module Consistency {
   query predicate uniqueParameterNodeAtPosition(
     DataFlowCallable c, ParameterPosition pos, Node p, string msg
   ) {
-    not any(ConsistencyConfiguration conf).uniqueParameterNodeAtPositionExclude(c, pos, p) and
     isParameterNode(p, c, pos) and
     not exists(unique(Node p0 | isParameterNode(p0, c, pos))) and
     msg = "Parameters with overlapping positions."
@@ -265,7 +256,6 @@ module Consistency {
   query predicate uniqueParameterNodePosition(
     DataFlowCallable c, ParameterPosition pos, Node p, string msg
   ) {
-    not any(ConsistencyConfiguration conf).uniqueParameterNodePositionExclude(c, pos, p) and
     isParameterNode(p, c, pos) and
     not exists(unique(ParameterPosition pos0 | isParameterNode(p, c, pos0))) and
     msg = "Parameter node with multiple positions."

cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/ArrayLengthAnalysis.qll

@@ -218,7 +218,7 @@ private predicate allocation(Instruction array, Length length, int delta) {
           length.(VNLength).getInstruction().getConvertedResultExpression() = lengthExpr
         )
         or
-        not deconstructMallocSizeExpr(alloc.getSizeExpr(), _, _) and
+        not exists(int d | deconstructMallocSizeExpr(alloc.getSizeExpr(), _, d)) and
         length.(VNLength).getInstruction().getConvertedResultExpression() = alloc.getSizeExpr() and
         delta = 0
       )

cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/RangeAnalysis.qll

@@ -543,7 +543,9 @@ private predicate boundedPhiCand(
   PhiInstruction phi, boolean upper, Bound b, int delta, boolean fromBackEdge, int origdelta,
   Reason reason
 ) {
-  boundedPhiInp(phi, _, b, delta, upper, fromBackEdge, origdelta, reason)
+  exists(PhiInputOperand op |
+    boundedPhiInp(phi, op, b, delta, upper, fromBackEdge, origdelta, reason)
+  )
 }
 
 /**

cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/FloatDelta.qll

@@ -1,29 +0,0 @@
-private import RangeAnalysisStage
-
-module FloatDelta implements DeltaSig {
-  class Delta = float;
-
-  bindingset[d]
-  bindingset[result]
-  float toFloat(Delta d) { result = d }
-
-  bindingset[d]
-  bindingset[result]
-  int toInt(Delta d) { result = d }
-
-  bindingset[n]
-  bindingset[result]
-  Delta fromInt(int n) { result = n }
-
-  bindingset[f]
-  Delta fromFloat(float f) {
-    result =
-      min(float diff, float res |
-        diff = (res - f) and res = f.ceil()
-        or
-        diff = (f - res) and res = f.floor()
-      |
-        res order by diff
-      )
-  }
-}

cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/ModulusAnalysis.qll

@@ -14,328 +14,321 @@ private import ModulusAnalysisSpecific::Private
 private import experimental.semmle.code.cpp.semantic.Semantic
 private import ConstantAnalysis
 private import RangeUtils
-private import RangeAnalysisStage
 
-module ModulusAnalysis<DeltaSig D, BoundSig<D> Bounds, UtilSig<D> U> {
-  /**
-   * Holds if `e + delta` equals `v` at `pos`.
-   */
-  private predicate valueFlowStepSsa(SemSsaVariable v, SemSsaReadPosition pos, SemExpr e, int delta) {
-    U::semSsaUpdateStep(v, e, D::fromInt(delta)) and pos.hasReadOfVar(v)
-    or
-    exists(SemGuard guard, boolean testIsTrue |
-      pos.hasReadOfVar(v) and
-      guard = U::semEqFlowCond(v, e, D::fromInt(delta), true, testIsTrue) and
-      semGuardDirectlyControlsSsaRead(guard, pos, testIsTrue)
-    )
-  }
+/**
+ * Holds if `e + delta` equals `v` at `pos`.
+ */
+private predicate valueFlowStepSsa(SemSsaVariable v, SemSsaReadPosition pos, SemExpr e, int delta) {
+  semSsaUpdateStep(v, e, delta) and pos.hasReadOfVar(v)
+  or
+  exists(SemGuard guard, boolean testIsTrue |
+    pos.hasReadOfVar(v) and
+    guard = semEqFlowCond(v, e, delta, true, testIsTrue) and
+    semGuardDirectlyControlsSsaRead(guard, pos, testIsTrue)
+  )
+}
 
-  /**
-   * Holds if `add` is the addition of `larg` and `rarg`, neither of which are
-   * `ConstantIntegerExpr`s.
-   */
-  private predicate nonConstAddition(SemExpr add, SemExpr larg, SemExpr rarg) {
-    exists(SemAddExpr a | a = add |
-      larg = a.getLeftOperand() and
-      rarg = a.getRightOperand()
-    ) and
-    not larg instanceof SemConstantIntegerExpr and
-    not rarg instanceof SemConstantIntegerExpr
-  }
+/**
+ * Holds if `add` is the addition of `larg` and `rarg`, neither of which are
+ * `ConstantIntegerExpr`s.
+ */
+private predicate nonConstAddition(SemExpr add, SemExpr larg, SemExpr rarg) {
+  exists(SemAddExpr a | a = add |
+    larg = a.getLeftOperand() and
+    rarg = a.getRightOperand()
+  ) and
+  not larg instanceof SemConstantIntegerExpr and
+  not rarg instanceof SemConstantIntegerExpr
+}
 
-  /**
-   * Holds if `sub` is the subtraction of `larg` and `rarg`, where `rarg` is not
-   * a `ConstantIntegerExpr`.
-   */
-  private predicate nonConstSubtraction(SemExpr sub, SemExpr larg, SemExpr rarg) {
-    exists(SemSubExpr s | s = sub |
-      larg = s.getLeftOperand() and
-      rarg = s.getRightOperand()
-    ) and
-    not rarg instanceof SemConstantIntegerExpr
-  }
+/**
+ * Holds if `sub` is the subtraction of `larg` and `rarg`, where `rarg` is not
+ * a `ConstantIntegerExpr`.
+ */
+private predicate nonConstSubtraction(SemExpr sub, SemExpr larg, SemExpr rarg) {
+  exists(SemSubExpr s | s = sub |
+    larg = s.getLeftOperand() and
+    rarg = s.getRightOperand()
+  ) and
+  not rarg instanceof SemConstantIntegerExpr
+}
 
-  /** Gets an expression that is the remainder modulo `mod` of `arg`. */
-  private SemExpr modExpr(SemExpr arg, int mod) {
-    exists(SemRemExpr rem |
-      result = rem and
-      arg = rem.getLeftOperand() and
-      rem.getRightOperand().(SemConstantIntegerExpr).getIntValue() = mod and
-      mod >= 2
-    )
-    or
-    exists(SemConstantIntegerExpr c |
-      mod = 2.pow([1 .. 30]) and
-      c.getIntValue() = mod - 1 and
-      result.(SemBitAndExpr).hasOperands(arg, c)
-    )
-  }
+/** Gets an expression that is the remainder modulo `mod` of `arg`. */
+private SemExpr modExpr(SemExpr arg, int mod) {
+  exists(SemRemExpr rem |
+    result = rem and
+    arg = rem.getLeftOperand() and
+    rem.getRightOperand().(SemConstantIntegerExpr).getIntValue() = mod and
+    mod >= 2
+  )
+  or
+  exists(SemConstantIntegerExpr c |
+    mod = 2.pow([1 .. 30]) and
+    c.getIntValue() = mod - 1 and
+    result.(SemBitAndExpr).hasOperands(arg, c)
+  )
+}
 
-  /**
-   * Gets a guard that tests whether `v` is congruent with `val` modulo `mod` on
-   * its `testIsTrue` branch.
-   */
-  private SemGuard moduloCheck(SemSsaVariable v, int val, int mod, boolean testIsTrue) {
-    exists(SemExpr rem, SemConstantIntegerExpr c, int r, boolean polarity |
-      result.isEquality(rem, c, polarity) and
-      c.getIntValue() = r and
-      rem = modExpr(v.getAUse(), mod) and
-      (
-        testIsTrue = polarity and val = r
-        or
-        testIsTrue = polarity.booleanNot() and
-        mod = 2 and
-        val = 1 - r and
-        (r = 0 or r = 1)
-      )
-    )
-  }
-
-  /**
-   * Holds if a guard ensures that `v` at `pos` is congruent with `val` modulo `mod`.
-   */
-  private predicate moduloGuardedRead(SemSsaVariable v, SemSsaReadPosition pos, int val, int mod) {
-    exists(SemGuard guard, boolean testIsTrue |
-      pos.hasReadOfVar(v) and
-      guard = moduloCheck(v, val, mod, testIsTrue) and
-      semGuardControlsSsaRead(guard, pos, testIsTrue)
-    )
-  }
-
-  /** Holds if `factor` is a power of 2 that divides `mask`. */
-  bindingset[mask]
-  private predicate andmaskFactor(int mask, int factor) {
-    mask % factor = 0 and
-    factor = 2.pow([1 .. 30])
-  }
-
-  /** Holds if `e` is evenly divisible by `factor`. */
-  private predicate evenlyDivisibleExpr(SemExpr e, int factor) {
-    exists(SemConstantIntegerExpr c, int k | k = c.getIntValue() |
-      e.(SemMulExpr).getAnOperand() = c and factor = k.abs() and factor >= 2
+/**
+ * Gets a guard that tests whether `v` is congruent with `val` modulo `mod` on
+ * its `testIsTrue` branch.
+ */
+private SemGuard moduloCheck(SemSsaVariable v, int val, int mod, boolean testIsTrue) {
+  exists(SemExpr rem, SemConstantIntegerExpr c, int r, boolean polarity |
+    result.isEquality(rem, c, polarity) and
+    c.getIntValue() = r and
+    rem = modExpr(v.getAUse(), mod) and
+    (
+      testIsTrue = polarity and val = r
       or
-      e.(SemShiftLeftExpr).getRightOperand() = c and factor = 2.pow(k) and k > 0
-      or
-      e.(SemBitAndExpr).getAnOperand() = c and factor = max(int f | andmaskFactor(k, f))
+      testIsTrue = polarity.booleanNot() and
+      mod = 2 and
+      val = 1 - r and
+      (r = 0 or r = 1)
     )
-  }
+  )
+}
 
-  /**
-   * Holds if `rix` is the number of input edges to `phi`.
-   */
-  private predicate maxPhiInputRank(SemSsaPhiNode phi, int rix) {
-    rix = max(int r | rankedPhiInput(phi, _, _, r))
-  }
+/**
+ * Holds if a guard ensures that `v` at `pos` is congruent with `val` modulo `mod`.
+ */
+private predicate moduloGuardedRead(SemSsaVariable v, SemSsaReadPosition pos, int val, int mod) {
+  exists(SemGuard guard, boolean testIsTrue |
+    pos.hasReadOfVar(v) and
+    guard = moduloCheck(v, val, mod, testIsTrue) and
+    semGuardControlsSsaRead(guard, pos, testIsTrue)
+  )
+}
 
-  /**
-   * Gets the remainder of `val` modulo `mod`.
-   *
-   * For `mod = 0` the result equals `val` and for `mod > 1` the result is within
-   * the range `[0 .. mod-1]`.
-   */
-  bindingset[val, mod]
-  private int remainder(int val, int mod) {
-    mod = 0 and result = val
+/** Holds if `factor` is a power of 2 that divides `mask`. */
+bindingset[mask]
+private predicate andmaskFactor(int mask, int factor) {
+  mask % factor = 0 and
+  factor = 2.pow([1 .. 30])
+}
+
+/** Holds if `e` is evenly divisible by `factor`. */
+private predicate evenlyDivisibleExpr(SemExpr e, int factor) {
+  exists(SemConstantIntegerExpr c, int k | k = c.getIntValue() |
+    e.(SemMulExpr).getAnOperand() = c and factor = k.abs() and factor >= 2
     or
-    mod > 1 and result = ((val % mod) + mod) % mod
-  }
+    e.(SemShiftLeftExpr).getRightOperand() = c and factor = 2.pow(k) and k > 0
+    or
+    e.(SemBitAndExpr).getAnOperand() = c and factor = max(int f | andmaskFactor(k, f))
+  )
+}
 
-  /**
-   * Holds if `inp` is an input to `phi` and equals `phi` modulo `mod` along `edge`.
-   */
-  private predicate phiSelfModulus(
-    SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, int mod
-  ) {
-    exists(Bounds::SemSsaBound phibound, int v, int m |
-      edge.phiInput(phi, inp) and
-      phibound.getAVariable() = phi and
-      ssaModulus(inp, edge, phibound, v, m) and
-      mod = m.gcd(v) and
-      mod != 1
-    )
-  }
+/**
+ * Holds if `rix` is the number of input edges to `phi`.
+ */
+private predicate maxPhiInputRank(SemSsaPhiNode phi, int rix) {
+  rix = max(int r | rankedPhiInput(phi, _, _, r))
+}
 
-  /**
-   * Holds if `b + val` modulo `mod` is a candidate congruence class for `phi`.
-   */
-  private predicate phiModulusInit(SemSsaPhiNode phi, Bounds::SemBound b, int val, int mod) {
-    exists(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge |
-      edge.phiInput(phi, inp) and
-      ssaModulus(inp, edge, b, val, mod)
-    )
-  }
+/**
+ * Gets the remainder of `val` modulo `mod`.
+ *
+ * For `mod = 0` the result equals `val` and for `mod > 1` the result is within
+ * the range `[0 .. mod-1]`.
+ */
+bindingset[val, mod]
+private int remainder(int val, int mod) {
+  mod = 0 and result = val
+  or
+  mod > 1 and result = ((val % mod) + mod) % mod
+}
 
-  /**
-   * Holds if all inputs to `phi` numbered `1` to `rix` are equal to `b + val` modulo `mod`.
+/**
+ * Holds if `inp` is an input to `phi` and equals `phi` modulo `mod` along `edge`.
+ */
+private predicate phiSelfModulus(
+  SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, int mod
+) {
+  exists(SemSsaBound phibound, int v, int m |
+    edge.phiInput(phi, inp) and
+    phibound.getAVariable() = phi and
+    ssaModulus(inp, edge, phibound, v, m) and
+    mod = m.gcd(v) and
+    mod != 1
+  )
+}
+
+/**
+ * Holds if `b + val` modulo `mod` is a candidate congruence class for `phi`.
+ */
+private predicate phiModulusInit(SemSsaPhiNode phi, SemBound b, int val, int mod) {
+  exists(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge |
+    edge.phiInput(phi, inp) and
+    ssaModulus(inp, edge, b, val, mod)
+  )
+}
+
+/**
+ * Holds if all inputs to `phi` numbered `1` to `rix` are equal to `b + val` modulo `mod`.
+ */
+pragma[nomagic]
+private predicate phiModulusRankStep(SemSsaPhiNode phi, SemBound b, int val, int mod, int rix) {
+  /*
+   * base case. If any phi input is equal to `b + val` modulo `mod`, that's a potential congruence
+   * class for the phi node.
    */
-  pragma[nomagic]
-  private predicate phiModulusRankStep(
-    SemSsaPhiNode phi, Bounds::SemBound b, int val, int mod, int rix
-  ) {
+
+  rix = 0 and
+  phiModulusInit(phi, b, val, mod)
+  or
+  exists(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, int v1, int m1 |
+    mod != 1 and
+    val = remainder(v1, mod)
+  |
     /*
-     * base case. If any phi input is equal to `b + val` modulo `mod`, that's a potential congruence
-     * class for the phi node.
+     * Recursive case. If `inp` = `b + v2` mod `m2`, we combine that with the preceding potential
+     * congruence class `b + v1` mod `m1`. The result will be the congruence class of `v1` modulo
+     * the greatest common denominator of `m1`, `m2`, and `v1 - v2`.
      */
 
-    rix = 0 and
-    phiModulusInit(phi, b, val, mod)
-    or
-    exists(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, int v1, int m1 |
-      mod != 1 and
-      val = remainder(v1, mod)
-    |
-      /*
-       * Recursive case. If `inp` = `b + v2` mod `m2`, we combine that with the preceding potential
-       * congruence class `b + v1` mod `m1`. The result will be the congruence class of `v1` modulo
-       * the greatest common denominator of `m1`, `m2`, and `v1 - v2`.
-       */
-
-      exists(int v2, int m2 |
-        rankedPhiInput(pragma[only_bind_out](phi), inp, edge, rix) and
-        phiModulusRankStep(phi, b, v1, m1, rix - 1) and
-        ssaModulus(inp, edge, b, v2, m2) and
-        mod = m1.gcd(m2).gcd(v1 - v2)
-      )
-      or
-      /*
-       * Recursive case. If `inp` = `phi` mod `m2`, we combine that with the preceding potential
-       * congruence class `b + v1` mod `m1`. The result will be a congruence class modulo the greatest
-       * common denominator of `m1` and `m2`.
-       */
-
-      exists(int m2 |
-        rankedPhiInput(phi, inp, edge, rix) and
-        phiModulusRankStep(phi, b, v1, m1, rix - 1) and
-        phiSelfModulus(phi, inp, edge, m2) and
-        mod = m1.gcd(m2)
-      )
+    exists(int v2, int m2 |
+      rankedPhiInput(pragma[only_bind_out](phi), inp, edge, rix) and
+      phiModulusRankStep(phi, b, v1, m1, rix - 1) and
+      ssaModulus(inp, edge, b, v2, m2) and
+      mod = m1.gcd(m2).gcd(v1 - v2)
     )
-  }
+    or
+    /*
+     * Recursive case. If `inp` = `phi` mod `m2`, we combine that with the preceding potential
+     * congruence class `b + v1` mod `m1`. The result will be a congruence class modulo the greatest
+     * common denominator of `m1` and `m2`.
+     */
 
-  /**
-   * Holds if `phi` is equal to `b + val` modulo `mod`.
-   */
-  private predicate phiModulus(SemSsaPhiNode phi, Bounds::SemBound b, int val, int mod) {
-    exists(int r |
-      maxPhiInputRank(phi, r) and
-      phiModulusRankStep(phi, b, val, mod, r)
+    exists(int m2 |
+      rankedPhiInput(phi, inp, edge, rix) and
+      phiModulusRankStep(phi, b, v1, m1, rix - 1) and
+      phiSelfModulus(phi, inp, edge, m2) and
+      mod = m1.gcd(m2)
     )
-  }
+  )
+}
 
-  /**
-   * Holds if `v` at `pos` is equal to `b + val` modulo `mod`.
-   */
-  private predicate ssaModulus(
-    SemSsaVariable v, SemSsaReadPosition pos, Bounds::SemBound b, int val, int mod
-  ) {
-    phiModulus(v, b, val, mod) and pos.hasReadOfVar(v)
+/**
+ * Holds if `phi` is equal to `b + val` modulo `mod`.
+ */
+private predicate phiModulus(SemSsaPhiNode phi, SemBound b, int val, int mod) {
+  exists(int r |
+    maxPhiInputRank(phi, r) and
+    phiModulusRankStep(phi, b, val, mod, r)
+  )
+}
+
+/**
+ * Holds if `v` at `pos` is equal to `b + val` modulo `mod`.
+ */
+private predicate ssaModulus(SemSsaVariable v, SemSsaReadPosition pos, SemBound b, int val, int mod) {
+  phiModulus(v, b, val, mod) and pos.hasReadOfVar(v)
+  or
+  b.(SemSsaBound).getAVariable() = v and pos.hasReadOfVar(v) and val = 0 and mod = 0
+  or
+  exists(SemExpr e, int val0, int delta |
+    semExprModulus(e, b, val0, mod) and
+    valueFlowStepSsa(v, pos, e, delta) and
+    val = remainder(val0 + delta, mod)
+  )
+  or
+  moduloGuardedRead(v, pos, val, mod) and b instanceof SemZeroBound
+}
+
+/**
+ * Holds if `e` is equal to `b + val` modulo `mod`.
+ *
+ * There are two cases for the modulus:
+ * - `mod = 0`: The equality `e = b + val` is an ordinary equality.
+ * - `mod > 1`: `val` lies within the range `[0 .. mod-1]`.
+ */
+cached
+predicate semExprModulus(SemExpr e, SemBound b, int val, int mod) {
+  not ignoreExprModulus(e) and
+  (
+    e = b.getExpr(val) and mod = 0
     or
-    b.(Bounds::SemSsaBound).getAVariable() = v and pos.hasReadOfVar(v) and val = 0 and mod = 0
+    evenlyDivisibleExpr(e, mod) and
+    val = 0 and
+    b instanceof SemZeroBound
     or
-    exists(SemExpr e, int val0, int delta |
-      semExprModulus(e, b, val0, mod) and
-      valueFlowStepSsa(v, pos, e, delta) and
+    exists(SemSsaVariable v, SemSsaReadPositionBlock bb |
+      ssaModulus(v, bb, b, val, mod) and
+      e = v.getAUse() and
+      bb.getAnExpr() = e
+    )
+    or
+    exists(SemExpr mid, int val0, int delta |
+      semExprModulus(mid, b, val0, mod) and
+      semValueFlowStep(e, mid, delta) and
       val = remainder(val0 + delta, mod)
     )
     or
-    moduloGuardedRead(v, pos, val, mod) and b instanceof Bounds::SemZeroBound
-  }
-
-  /**
-   * Holds if `e` is equal to `b + val` modulo `mod`.
-   *
-   * There are two cases for the modulus:
-   * - `mod = 0`: The equality `e = b + val` is an ordinary equality.
-   * - `mod > 1`: `val` lies within the range `[0 .. mod-1]`.
-   */
-  cached
-  predicate semExprModulus(SemExpr e, Bounds::SemBound b, int val, int mod) {
-    not ignoreExprModulus(e) and
-    (
-      e = b.getExpr(D::fromInt(val)) and mod = 0
-      or
-      evenlyDivisibleExpr(e, mod) and
-      val = 0 and
-      b instanceof Bounds::SemZeroBound
-      or
-      exists(SemSsaVariable v, SemSsaReadPositionBlock bb |
-        ssaModulus(v, bb, b, val, mod) and
-        e = v.getAUse() and
-        bb.getAnExpr() = e
-      )
-      or
-      exists(SemExpr mid, int val0, int delta |
-        semExprModulus(mid, b, val0, mod) and
-        U::semValueFlowStep(e, mid, D::fromInt(delta)) and
-        val = remainder(val0 + delta, mod)
-      )
-      or
-      exists(SemConditionalExpr cond, int v1, int v2, int m1, int m2 |
-        cond = e and
-        condExprBranchModulus(cond, true, b, v1, m1) and
-        condExprBranchModulus(cond, false, b, v2, m2) and
-        mod = m1.gcd(m2).gcd(v1 - v2) and
-        mod != 1 and
-        val = remainder(v1, mod)
-      )
-      or
-      exists(Bounds::SemBound b1, Bounds::SemBound b2, int v1, int v2, int m1, int m2 |
-        addModulus(e, true, b1, v1, m1) and
-        addModulus(e, false, b2, v2, m2) and
-        mod = m1.gcd(m2) and
-        mod != 1 and
-        val = remainder(v1 + v2, mod)
-      |
-        b = b1 and b2 instanceof Bounds::SemZeroBound
-        or
-        b = b2 and b1 instanceof Bounds::SemZeroBound
-      )
-      or
-      exists(int v1, int v2, int m1, int m2 |
-        subModulus(e, true, b, v1, m1) and
-        subModulus(e, false, any(Bounds::SemZeroBound zb), v2, m2) and
-        mod = m1.gcd(m2) and
-        mod != 1 and
-        val = remainder(v1 - v2, mod)
-      )
+    exists(SemConditionalExpr cond, int v1, int v2, int m1, int m2 |
+      cond = e and
+      condExprBranchModulus(cond, true, b, v1, m1) and
+      condExprBranchModulus(cond, false, b, v2, m2) and
+      mod = m1.gcd(m2).gcd(v1 - v2) and
+      mod != 1 and
+      val = remainder(v1, mod)
     )
-  }
-
-  private predicate condExprBranchModulus(
-    SemConditionalExpr cond, boolean branch, Bounds::SemBound b, int val, int mod
-  ) {
-    semExprModulus(cond.getBranchExpr(branch), b, val, mod)
-  }
-
-  private predicate addModulus(SemExpr add, boolean isLeft, Bounds::SemBound b, int val, int mod) {
-    exists(SemExpr larg, SemExpr rarg | nonConstAddition(add, larg, rarg) |
-      semExprModulus(larg, b, val, mod) and isLeft = true
+    or
+    exists(SemBound b1, SemBound b2, int v1, int v2, int m1, int m2 |
+      addModulus(e, true, b1, v1, m1) and
+      addModulus(e, false, b2, v2, m2) and
+      mod = m1.gcd(m2) and
+      mod != 1 and
+      val = remainder(v1 + v2, mod)
+    |
+      b = b1 and b2 instanceof SemZeroBound
       or
-      semExprModulus(rarg, b, val, mod) and isLeft = false
+      b = b2 and b1 instanceof SemZeroBound
     )
-  }
-
-  private predicate subModulus(SemExpr sub, boolean isLeft, Bounds::SemBound b, int val, int mod) {
-    exists(SemExpr larg, SemExpr rarg | nonConstSubtraction(sub, larg, rarg) |
-      semExprModulus(larg, b, val, mod) and isLeft = true
-      or
-      semExprModulus(rarg, b, val, mod) and isLeft = false
+    or
+    exists(int v1, int v2, int m1, int m2 |
+      subModulus(e, true, b, v1, m1) and
+      subModulus(e, false, any(SemZeroBound zb), v2, m2) and
+      mod = m1.gcd(m2) and
+      mod != 1 and
+      val = remainder(v1 - v2, mod)
+    )
+  )
+}
+
+private predicate condExprBranchModulus(
+  SemConditionalExpr cond, boolean branch, SemBound b, int val, int mod
+) {
+  semExprModulus(cond.getBranchExpr(branch), b, val, mod)
+}
+
+private predicate addModulus(SemExpr add, boolean isLeft, SemBound b, int val, int mod) {
+  exists(SemExpr larg, SemExpr rarg | nonConstAddition(add, larg, rarg) |
+    semExprModulus(larg, b, val, mod) and isLeft = true
+    or
+    semExprModulus(rarg, b, val, mod) and isLeft = false
+  )
+}
+
+private predicate subModulus(SemExpr sub, boolean isLeft, SemBound b, int val, int mod) {
+  exists(SemExpr larg, SemExpr rarg | nonConstSubtraction(sub, larg, rarg) |
+    semExprModulus(larg, b, val, mod) and isLeft = true
+    or
+    semExprModulus(rarg, b, val, mod) and isLeft = false
+  )
+}
+
+/**
+ * Holds if `inp` is an input to `phi` along `edge` and this input has index `r`
+ * in an arbitrary 1-based numbering of the input edges to `phi`.
+ */
+private predicate rankedPhiInput(
+  SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, int r
+) {
+  edge.phiInput(phi, inp) and
+  edge =
+    rank[r](SemSsaReadPositionPhiInputEdge e |
+      e.phiInput(phi, _)
+    |
+      e order by e.getOrigBlock().getUniqueId()
     )
-  }
-
-  /**
-   * Holds if `inp` is an input to `phi` along `edge` and this input has index `r`
-   * in an arbitrary 1-based numbering of the input edges to `phi`.
-   */
-  private predicate rankedPhiInput(
-    SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, int r
-  ) {
-    edge.phiInput(phi, inp) and
-    edge =
-      rank[r](SemSsaReadPositionPhiInputEdge e |
-        e.phiInput(phi, _)
-      |
-        e order by e.getOrigBlock().getUniqueId()
-      )
-  }
 }

cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeAnalysis.qll

@@ -1,24 +1,832 @@
-private import RangeAnalysisStage
-private import RangeAnalysisSpecific
-private import experimental.semmle.code.cpp.semantic.analysis.FloatDelta
+/**
+ * Provides classes and predicates for range analysis.
+ *
+ * An inferred bound can either be a specific integer, the abstract value of an
+ * SSA variable, or the abstract value of an interesting expression. The latter
+ * category includes array lengths that are not SSA variables.
+ *
+ * If an inferred bound relies directly on a condition, then this condition is
+ * reported as the reason for the bound.
+ */
+
+/*
+ * This library tackles range analysis as a flow problem. Consider e.g.:
+ * ```
+ *   len = arr.length;
+ *   if (x < len) { ... y = x-1; ... y ... }
+ * ```
+ * In this case we would like to infer `y <= arr.length - 2`, and this is
+ * accomplished by tracking the bound through a sequence of steps:
+ * ```
+ *   arr.length --> len = .. --> x < len --> x-1 --> y = .. --> y
+ * ```
+ *
+ * In its simplest form the step relation `E1 --> E2` relates two expressions
+ * such that `E1 <= B` implies `E2 <= B` for any `B` (with a second separate
+ * step relation handling lower bounds). Examples of such steps include
+ * assignments `E2 = E1` and conditions `x <= E1` where `E2` is a use of `x`
+ * guarded by the condition.
+ *
+ * In order to handle subtractions and additions with constants, and strict
+ * comparisons, the step relation is augmented with an integer delta. With this
+ * generalization `E1 --(delta)--> E2` relates two expressions and an integer
+ * such that `E1 <= B` implies `E2 <= B + delta` for any `B`. This corresponds
+ * to the predicate `boundFlowStep`.
+ *
+ * The complete range analysis is then implemented as the transitive closure of
+ * the step relation summing the deltas along the way. If `E1` transitively
+ * steps to `E2`, `delta` is the sum of deltas along the path, and `B` is an
+ * interesting bound equal to the value of `E1` then `E2 <= B + delta`. This
+ * corresponds to the predicate `bounded`.
+ *
+ * Phi nodes need a little bit of extra handling. Consider `x0 = phi(x1, x2)`.
+ * There are essentially two cases:
+ * - If `x1 <= B + d1` and `x2 <= B + d2` then `x0 <= B + max(d1,d2)`.
+ * - If `x1 <= B + d1` and `x2 <= x0 + d2` with `d2 <= 0` then `x0 <= B + d1`.
+ * The first case is for whenever a bound can be proven without taking looping
+ * into account. The second case is relevant when `x2` comes from a back-edge
+ * where we can prove that the variable has been non-increasing through the
+ * loop-iteration as this means that any upper bound that holds prior to the
+ * loop also holds for the variable during the loop.
+ * This generalizes to a phi node with `n` inputs, so if
+ * `x0 = phi(x1, ..., xn)` and `xi <= B + delta` for one of the inputs, then we
+ * also have `x0 <= B + delta` if we can prove either:
+ * - `xj <= B + d` with `d <= delta` or
+ * - `xj <= x0 + d` with `d <= 0`
+ * for each input `xj`.
+ *
+ * As all inferred bounds can be related directly to a path in the source code
+ * the only source of non-termination is if successive redundant (and thereby
+ * increasingly worse) bounds are calculated along a loop in the source code.
+ * We prevent this by weakening the bound to a small finite set of bounds when
+ * a path follows a second back-edge (we postpone weakening till the second
+ * back-edge as a precise bound might require traversing a loop once).
+ */
+
+private import RangeAnalysisSpecific as Specific
 private import RangeUtils
-private import experimental.semmle.code.cpp.semantic.SemanticBound as SemanticBound
+private import SignAnalysisCommon
+private import ModulusAnalysis
+private import experimental.semmle.code.cpp.semantic.Semantic
+private import ConstantAnalysis
 
-module Bounds implements BoundSig<FloatDelta> {
-  class SemBound instanceof SemanticBound::SemBound {
-    string toString() { result = super.toString() }
-
-    SemExpr getExpr(float delta) { result = super.getExpr(delta) }
+cached
+private module RangeAnalysisCache {
+  cached
+  module RangeAnalysisPublic {
+    /**
+     * Holds if `b + delta` is a valid bound for `e`.
+     * - `upper = true`  : `e <= b + delta`
+     * - `upper = false` : `e >= b + delta`
+     *
+     * The reason for the bound is given by `reason` and may be either a condition
+     * or `NoReason` if the bound was proven directly without the use of a bounding
+     * condition.
+     */
+    cached
+    predicate semBounded(SemExpr e, SemBound b, int delta, boolean upper, SemReason reason) {
+      bounded(e, b, delta, upper, _, _, reason) and
+      bestBound(e, b, delta, upper)
+    }
   }
 
-  class SemZeroBound extends SemBound instanceof SemanticBound::SemZeroBound { }
-
-  class SemSsaBound extends SemBound instanceof SemanticBound::SemSsaBound {
-    SemSsaVariable getAVariable() { result = this.(SemanticBound::SemSsaBound).getAVariable() }
+  /**
+   * Holds if `guard = boundFlowCond(_, _, _, _, _) or guard = eqFlowCond(_, _, _, _, _)`.
+   */
+  cached
+  predicate possibleReason(SemGuard guard) {
+    guard = boundFlowCond(_, _, _, _, _) or guard = semEqFlowCond(_, _, _, _, _)
   }
 }
 
-private module CppRangeAnalysis =
-  RangeStage<FloatDelta, Bounds, CppLangImpl, RangeUtil<FloatDelta, CppLangImpl>>;
+private import RangeAnalysisCache
+import RangeAnalysisPublic
 
-import CppRangeAnalysis
+/**
+ * Holds if `b + delta` is a valid bound for `e` and this is the best such delta.
+ * - `upper = true`  : `e <= b + delta`
+ * - `upper = false` : `e >= b + delta`
+ */
+private predicate bestBound(SemExpr e, SemBound b, int delta, boolean upper) {
+  delta = min(int d | bounded(e, b, d, upper, _, _, _)) and upper = true
+  or
+  delta = max(int d | bounded(e, b, d, upper, _, _, _)) and upper = false
+}
+
+/**
+ * Holds if `comp` corresponds to:
+ * - `upper = true`  : `v <= e + delta` or `v < e + delta`
+ * - `upper = false` : `v >= e + delta` or `v > e + delta`
+ */
+private predicate boundCondition(
+  SemRelationalExpr comp, SemSsaVariable v, SemExpr e, int delta, boolean upper
+) {
+  comp.getLesserOperand() = semSsaRead(v, delta) and e = comp.getGreaterOperand() and upper = true
+  or
+  comp.getGreaterOperand() = semSsaRead(v, delta) and e = comp.getLesserOperand() and upper = false
+  or
+  exists(SemSubExpr sub, SemConstantIntegerExpr c, int d |
+    // (v - d) - e < c
+    comp.getLesserOperand() = sub and
+    comp.getGreaterOperand() = c and
+    sub.getLeftOperand() = semSsaRead(v, d) and
+    sub.getRightOperand() = e and
+    upper = true and
+    delta = d + c.getIntValue()
+    or
+    // (v - d) - e > c
+    comp.getGreaterOperand() = sub and
+    comp.getLesserOperand() = c and
+    sub.getLeftOperand() = semSsaRead(v, d) and
+    sub.getRightOperand() = e and
+    upper = false and
+    delta = d + c.getIntValue()
+    or
+    // e - (v - d) < c
+    comp.getLesserOperand() = sub and
+    comp.getGreaterOperand() = c and
+    sub.getLeftOperand() = e and
+    sub.getRightOperand() = semSsaRead(v, d) and
+    upper = false and
+    delta = d - c.getIntValue()
+    or
+    // e - (v - d) > c
+    comp.getGreaterOperand() = sub and
+    comp.getLesserOperand() = c and
+    sub.getLeftOperand() = e and
+    sub.getRightOperand() = semSsaRead(v, d) and
+    upper = true and
+    delta = d - c.getIntValue()
+  )
+}
+
+/**
+ * Holds if `comp` is a comparison between `x` and `y` for which `y - x` has a
+ * fixed value modulo some `mod > 1`, such that the comparison can be
+ * strengthened by `strengthen` when evaluating to `testIsTrue`.
+ */
+private predicate modulusComparison(SemRelationalExpr comp, boolean testIsTrue, int strengthen) {
+  exists(
+    SemBound b, int v1, int v2, int mod1, int mod2, int mod, boolean resultIsStrict, int d, int k
+  |
+    // If `x <= y` and `x =(mod) b + v1` and `y =(mod) b + v2` then
+    // `0 <= y - x =(mod) v2 - v1`. By choosing `k =(mod) v2 - v1` with
+    // `0 <= k < mod` we get `k <= y - x`. If the resulting comparison is
+    // strict then the strengthening amount is instead `k - 1` modulo `mod`:
+    // `x < y` means `0 <= y - x - 1 =(mod) k - 1` so `k - 1 <= y - x - 1` and
+    // thus `k - 1 < y - x` with `0 <= k - 1 < mod`.
+    semExprModulus(comp.getLesserOperand(), b, v1, mod1) and
+    semExprModulus(comp.getGreaterOperand(), b, v2, mod2) and
+    mod = mod1.gcd(mod2) and
+    mod != 1 and
+    (testIsTrue = true or testIsTrue = false) and
+    (
+      if comp.isStrict()
+      then resultIsStrict = testIsTrue
+      else resultIsStrict = testIsTrue.booleanNot()
+    ) and
+    (
+      resultIsStrict = true and d = 1
+      or
+      resultIsStrict = false and d = 0
+    ) and
+    (
+      testIsTrue = true and k = v2 - v1
+      or
+      testIsTrue = false and k = v1 - v2
+    ) and
+    strengthen = (((k - d) % mod) + mod) % mod
+  )
+}
+
+/**
+ * Gets a condition that tests whether `v` is bounded by `e + delta`.
+ *
+ * If the condition evaluates to `testIsTrue`:
+ * - `upper = true`  : `v <= e + delta`
+ * - `upper = false` : `v >= e + delta`
+ */
+private SemGuard boundFlowCond(
+  SemSsaVariable v, SemExpr e, int delta, boolean upper, boolean testIsTrue
+) {
+  exists(
+    SemRelationalExpr comp, int d1, int d2, int d3, int strengthen, boolean compIsUpper,
+    boolean resultIsStrict
+  |
+    comp = result.asExpr() and
+    boundCondition(comp, v, e, d1, compIsUpper) and
+    (testIsTrue = true or testIsTrue = false) and
+    upper = compIsUpper.booleanXor(testIsTrue.booleanNot()) and
+    (
+      if comp.isStrict()
+      then resultIsStrict = testIsTrue
+      else resultIsStrict = testIsTrue.booleanNot()
+    ) and
+    (
+      if
+        getTrackedTypeForSsaVariable(v) instanceof SemIntegerType or
+        getTrackedTypeForSsaVariable(v) instanceof SemAddressType
+      then
+        upper = true and strengthen = -1
+        or
+        upper = false and strengthen = 1
+      else strengthen = 0
+    ) and
+    (
+      exists(int k | modulusComparison(comp, testIsTrue, k) and d2 = strengthen * k)
+      or
+      not modulusComparison(comp, testIsTrue, _) and d2 = 0
+    ) and
+    // A strict inequality `x < y` can be strengthened to `x <= y - 1`.
+    (
+      resultIsStrict = true and d3 = strengthen
+      or
+      resultIsStrict = false and d3 = 0
+    ) and
+    delta = d1 + d2 + d3
+  )
+  or
+  exists(boolean testIsTrue0 |
+    semImplies_v2(result, testIsTrue, boundFlowCond(v, e, delta, upper, testIsTrue0), testIsTrue0)
+  )
+  or
+  result = semEqFlowCond(v, e, delta, true, testIsTrue) and
+  (upper = true or upper = false)
+  or
+  // guard that tests whether `v2` is bounded by `e + delta + d1 - d2` and
+  // exists a guard `guardEq` such that `v = v2 - d1 + d2`.
+  exists(SemSsaVariable v2, SemGuard guardEq, boolean eqIsTrue, int d1, int d2 |
+    guardEq = semEqFlowCond(v, semSsaRead(v2, d1), d2, true, eqIsTrue) and
+    result = boundFlowCond(v2, e, delta + d1 - d2, upper, testIsTrue) and
+    // guardEq needs to control guard
+    guardEq.directlyControls(result.getBasicBlock(), eqIsTrue)
+  )
+}
+
+private newtype TSemReason =
+  TSemNoReason() or
+  TSemCondReason(SemGuard guard) { possibleReason(guard) }
+
+/**
+ * A reason for an inferred bound. This can either be `CondReason` if the bound
+ * is due to a specific condition, or `NoReason` if the bound is inferred
+ * without going through a bounding condition.
+ */
+abstract class SemReason extends TSemReason {
+  /** Gets a textual representation of this reason. */
+  abstract string toString();
+}
+
+/**
+ * A reason for an inferred bound that indicates that the bound is inferred
+ * without going through a bounding condition.
+ */
+class SemNoReason extends SemReason, TSemNoReason {
+  override string toString() { result = "NoReason" }
+}
+
+/** A reason for an inferred bound pointing to a condition. */
+class SemCondReason extends SemReason, TSemCondReason {
+  /** Gets the condition that is the reason for the bound. */
+  SemGuard getCond() { this = TSemCondReason(result) }
+
+  override string toString() { result = getCond().toString() }
+}
+
+/**
+ * Holds if `e + delta` is a valid bound for `v` at `pos`.
+ * - `upper = true`  : `v <= e + delta`
+ * - `upper = false` : `v >= e + delta`
+ */
+private predicate boundFlowStepSsa(
+  SemSsaVariable v, SemSsaReadPosition pos, SemExpr e, int delta, boolean upper, SemReason reason
+) {
+  semSsaUpdateStep(v, e, delta) and
+  pos.hasReadOfVar(v) and
+  (upper = true or upper = false) and
+  reason = TSemNoReason()
+  or
+  exists(SemGuard guard, boolean testIsTrue |
+    pos.hasReadOfVar(v) and
+    guard = boundFlowCond(v, e, delta, upper, testIsTrue) and
+    semGuardDirectlyControlsSsaRead(guard, pos, testIsTrue) and
+    reason = TSemCondReason(guard)
+  )
+}
+
+/** Holds if `v != e + delta` at `pos` and `v` is of integral type. */
+private predicate unequalFlowStepIntegralSsa(
+  SemSsaVariable v, SemSsaReadPosition pos, SemExpr e, int delta, SemReason reason
+) {
+  getTrackedTypeForSsaVariable(v) instanceof SemIntegerType and
+  exists(SemGuard guard, boolean testIsTrue |
+    pos.hasReadOfVar(v) and
+    guard = semEqFlowCond(v, e, delta, false, testIsTrue) and
+    semGuardDirectlyControlsSsaRead(guard, pos, testIsTrue) and
+    reason = TSemCondReason(guard)
+  )
+}
+
+/**
+ * An expression that does conversion, boxing, or unboxing
+ */
+private class ConvertOrBoxExpr extends SemUnaryExpr {
+  ConvertOrBoxExpr() {
+    this instanceof SemConvertExpr
+    or
+    this instanceof SemBoxExpr
+    or
+    this instanceof SemUnboxExpr
+  }
+}
+
+/**
+ * A cast that can be ignored for the purpose of range analysis.
+ */
+private class SafeCastExpr extends ConvertOrBoxExpr {
+  SafeCastExpr() {
+    conversionCannotOverflow(getTrackedType(pragma[only_bind_into](getOperand())),
+      getTrackedType(this))
+  }
+}
+
+/**
+ * Holds if `typ` is a small integral type with the given lower and upper bounds.
+ */
+private predicate typeBound(SemIntegerType typ, int lowerbound, int upperbound) {
+  exists(int bitSize | bitSize = typ.getByteSize() * 8 |
+    bitSize < 32 and
+    (
+      if typ.isSigned()
+      then (
+        upperbound = 1.bitShiftLeft(bitSize - 1) - 1 and
+        lowerbound = -upperbound - 1
+      ) else (
+        lowerbound = 0 and
+        upperbound = 1.bitShiftLeft(bitSize) - 1
+      )
+    )
+  )
+}
+
+/**
+ * A cast to a small integral type that may overflow or underflow.
+ */
+private class NarrowingCastExpr extends ConvertOrBoxExpr {
+  NarrowingCastExpr() {
+    not this instanceof SafeCastExpr and
+    typeBound(getTrackedType(this), _, _)
+  }
+
+  /** Gets the lower bound of the resulting type. */
+  int getLowerBound() { typeBound(getTrackedType(this), result, _) }
+
+  /** Gets the upper bound of the resulting type. */
+  int getUpperBound() { typeBound(getTrackedType(this), _, result) }
+}
+
+/** Holds if `e >= 1` as determined by sign analysis. */
+private predicate strictlyPositiveIntegralExpr(SemExpr e) {
+  semStrictlyPositive(e) and getTrackedType(e) instanceof SemIntegerType
+}
+
+/** Holds if `e <= -1` as determined by sign analysis. */
+private predicate strictlyNegativeIntegralExpr(SemExpr e) {
+  semStrictlyNegative(e) and getTrackedType(e) instanceof SemIntegerType
+}
+
+/**
+ * Holds if `e1 + delta` is a valid bound for `e2`.
+ * - `upper = true`  : `e2 <= e1 + delta`
+ * - `upper = false` : `e2 >= e1 + delta`
+ */
+private predicate boundFlowStep(SemExpr e2, SemExpr e1, int delta, boolean upper) {
+  semValueFlowStep(e2, e1, delta) and
+  (upper = true or upper = false)
+  or
+  e2.(SafeCastExpr).getOperand() = e1 and
+  delta = 0 and
+  (upper = true or upper = false)
+  or
+  exists(SemExpr x | e2.(SemAddExpr).hasOperands(e1, x) |
+    // `x instanceof ConstantIntegerExpr` is covered by valueFlowStep
+    not x instanceof SemConstantIntegerExpr and
+    not e1 instanceof SemConstantIntegerExpr and
+    if strictlyPositiveIntegralExpr(x)
+    then upper = false and delta = 1
+    else
+      if semPositive(x)
+      then upper = false and delta = 0
+      else
+        if strictlyNegativeIntegralExpr(x)
+        then upper = true and delta = -1
+        else
+          if semNegative(x)
+          then upper = true and delta = 0
+          else none()
+  )
+  or
+  exists(SemExpr x, SemSubExpr sub |
+    e2 = sub and
+    sub.getLeftOperand() = e1 and
+    sub.getRightOperand() = x
+  |
+    // `x instanceof ConstantIntegerExpr` is covered by valueFlowStep
+    not x instanceof SemConstantIntegerExpr and
+    if strictlyPositiveIntegralExpr(x)
+    then upper = true and delta = -1
+    else
+      if semPositive(x)
+      then upper = true and delta = 0
+      else
+        if strictlyNegativeIntegralExpr(x)
+        then upper = false and delta = 1
+        else
+          if semNegative(x)
+          then upper = false and delta = 0
+          else none()
+  )
+  or
+  e2.(SemRemExpr).getRightOperand() = e1 and
+  semPositive(e1) and
+  delta = -1 and
+  upper = true
+  or
+  e2.(SemRemExpr).getLeftOperand() = e1 and semPositive(e1) and delta = 0 and upper = true
+  or
+  e2.(SemBitAndExpr).getAnOperand() = e1 and
+  semPositive(e1) and
+  delta = 0 and
+  upper = true
+  or
+  e2.(SemBitOrExpr).getAnOperand() = e1 and
+  semPositive(e2) and
+  delta = 0 and
+  upper = false
+  or
+  Specific::hasBound(e2, e1, delta, upper)
+}
+
+/** Holds if `e2 = e1 * factor` and `factor > 0`. */
+private predicate boundFlowStepMul(SemExpr e2, SemExpr e1, int factor) {
+  exists(SemConstantIntegerExpr c, int k | k = c.getIntValue() and k > 0 |
+    e2.(SemMulExpr).hasOperands(e1, c) and factor = k
+    or
+    exists(SemShiftLeftExpr e |
+      e = e2 and e.getLeftOperand() = e1 and e.getRightOperand() = c and factor = 2.pow(k)
+    )
+  )
+}
+
+/**
+ * Holds if `e2 = e1 / factor` and `factor > 0`.
+ *
+ * This conflates division, right shift, and unsigned right shift and is
+ * therefore only valid for non-negative numbers.
+ */
+private predicate boundFlowStepDiv(SemExpr e2, SemExpr e1, int factor) {
+  exists(SemConstantIntegerExpr c, int k | k = c.getIntValue() and k > 0 |
+    exists(SemDivExpr e |
+      e = e2 and e.getLeftOperand() = e1 and e.getRightOperand() = c and factor = k
+    )
+    or
+    exists(SemShiftRightExpr e |
+      e = e2 and e.getLeftOperand() = e1 and e.getRightOperand() = c and factor = 2.pow(k)
+    )
+    or
+    exists(SemShiftRightUnsignedExpr e |
+      e = e2 and e.getLeftOperand() = e1 and e.getRightOperand() = c and factor = 2.pow(k)
+    )
+  )
+}
+
+/**
+ * Holds if `b + delta` is a valid bound for `v` at `pos`.
+ * - `upper = true`  : `v <= b + delta`
+ * - `upper = false` : `v >= b + delta`
+ */
+private predicate boundedSsa(
+  SemSsaVariable v, SemSsaReadPosition pos, SemBound b, int delta, boolean upper,
+  boolean fromBackEdge, int origdelta, SemReason reason
+) {
+  exists(SemExpr mid, int d1, int d2, SemReason r1, SemReason r2 |
+    boundFlowStepSsa(v, pos, mid, d1, upper, r1) and
+    bounded(mid, b, d2, upper, fromBackEdge, origdelta, r2) and
+    // upper = true:  v <= mid + d1 <= b + d1 + d2 = b + delta
+    // upper = false: v >= mid + d1 >= b + d1 + d2 = b + delta
+    delta = d1 + d2 and
+    (if r1 instanceof SemNoReason then reason = r2 else reason = r1)
+  )
+  or
+  exists(int d, SemReason r1, SemReason r2 |
+    boundedSsa(v, pos, b, d, upper, fromBackEdge, origdelta, r2) or
+    boundedPhi(v, b, d, upper, fromBackEdge, origdelta, r2)
+  |
+    unequalIntegralSsa(v, pos, b, d, r1) and
+    (
+      upper = true and delta = d - 1
+      or
+      upper = false and delta = d + 1
+    ) and
+    (
+      reason = r1
+      or
+      reason = r2 and not r2 instanceof SemNoReason
+    )
+  )
+}
+
+/**
+ * Holds if `v != b + delta` at `pos` and `v` is of integral type.
+ */
+private predicate unequalIntegralSsa(
+  SemSsaVariable v, SemSsaReadPosition pos, SemBound b, int delta, SemReason reason
+) {
+  exists(SemExpr e, int d1, int d2 |
+    unequalFlowStepIntegralSsa(v, pos, e, d1, reason) and
+    boundedUpper(e, b, d1) and
+    boundedLower(e, b, d2) and
+    delta = d2 + d1
+  )
+}
+
+/**
+ * Holds if `b + delta` is an upper bound for `e`.
+ *
+ * This predicate only exists to prevent a bad standard order in `unequalIntegralSsa`.
+ */
+pragma[nomagic]
+private predicate boundedUpper(SemExpr e, SemBound b, int delta) {
+  bounded(e, b, delta, true, _, _, _)
+}
+
+/**
+ * Holds if `b + delta` is a lower bound for `e`.
+ *
+ * This predicate only exists to prevent a bad standard order in `unequalIntegralSsa`.
+ */
+pragma[nomagic]
+private predicate boundedLower(SemExpr e, SemBound b, int delta) {
+  bounded(e, b, delta, false, _, _, _)
+}
+
+/** Weakens a delta to lie in the range `[-1..1]`. */
+bindingset[delta, upper]
+private int weakenDelta(boolean upper, int delta) {
+  delta in [-1 .. 1] and result = delta
+  or
+  upper = true and result = -1 and delta < -1
+  or
+  upper = false and result = 1 and delta > 1
+}
+
+/**
+ * Holds if `b + delta` is a valid bound for `inp` when used as an input to
+ * `phi` along `edge`.
+ * - `upper = true`  : `inp <= b + delta`
+ * - `upper = false` : `inp >= b + delta`
+ */
+private predicate boundedPhiInp(
+  SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, SemBound b, int delta,
+  boolean upper, boolean fromBackEdge, int origdelta, SemReason reason
+) {
+  edge.phiInput(phi, inp) and
+  exists(int d, boolean fromBackEdge0 |
+    boundedSsa(inp, edge, b, d, upper, fromBackEdge0, origdelta, reason)
+    or
+    boundedPhi(inp, b, d, upper, fromBackEdge0, origdelta, reason)
+    or
+    b.(SemSsaBound).getAVariable() = inp and
+    d = 0 and
+    (upper = true or upper = false) and
+    fromBackEdge0 = false and
+    origdelta = 0 and
+    reason = TSemNoReason()
+  |
+    if semBackEdge(phi, inp, edge)
+    then
+      fromBackEdge = true and
+      (
+        fromBackEdge0 = true and delta = weakenDelta(upper, d - origdelta) + origdelta
+        or
+        fromBackEdge0 = false and delta = d
+      )
+    else (
+      delta = d and fromBackEdge = fromBackEdge0
+    )
+  )
+}
+
+/**
+ * Holds if `b + delta` is a valid bound for `inp` when used as an input to
+ * `phi` along `edge`.
+ * - `upper = true`  : `inp <= b + delta`
+ * - `upper = false` : `inp >= b + delta`
+ *
+ * Equivalent to `boundedPhiInp(phi, inp, edge, b, delta, upper, _, _, _)`.
+ */
+pragma[noinline]
+private predicate boundedPhiInp1(
+  SemSsaPhiNode phi, SemBound b, boolean upper, SemSsaVariable inp,
+  SemSsaReadPositionPhiInputEdge edge, int delta
+) {
+  boundedPhiInp(phi, inp, edge, b, delta, upper, _, _, _)
+}
+
+/**
+ * Holds if `phi` is a valid bound for `inp` when used as an input to `phi`
+ * along `edge`.
+ * - `upper = true`  : `inp <= phi`
+ * - `upper = false` : `inp >= phi`
+ */
+private predicate selfBoundedPhiInp(
+  SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, boolean upper
+) {
+  exists(int d, SemSsaBound phibound |
+    phibound.getAVariable() = phi and
+    boundedPhiInp(phi, inp, edge, phibound, d, upper, _, _, _) and
+    (
+      upper = true and d <= 0
+      or
+      upper = false and d >= 0
+    )
+  )
+}
+
+/**
+ * Holds if `b + delta` is a valid bound for some input, `inp`, to `phi`, and
+ * thus a candidate bound for `phi`.
+ * - `upper = true`  : `inp <= b + delta`
+ * - `upper = false` : `inp >= b + delta`
+ */
+pragma[noinline]
+private predicate boundedPhiCand(
+  SemSsaPhiNode phi, boolean upper, SemBound b, int delta, boolean fromBackEdge, int origdelta,
+  SemReason reason
+) {
+  exists(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge |
+    boundedPhiInp(phi, inp, edge, b, delta, upper, fromBackEdge, origdelta, reason)
+  )
+}
+
+/**
+ * Holds if the candidate bound `b + delta` for `phi` is valid for the phi input
+ * `inp` along `edge`.
+ */
+private predicate boundedPhiCandValidForEdge(
+  SemSsaPhiNode phi, SemBound b, int delta, boolean upper, boolean fromBackEdge, int origdelta,
+  SemReason reason, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge
+) {
+  boundedPhiCand(phi, upper, b, delta, fromBackEdge, origdelta, reason) and
+  (
+    exists(int d | boundedPhiInp1(phi, b, upper, inp, edge, d) | upper = true and d <= delta)
+    or
+    exists(int d | boundedPhiInp1(phi, b, upper, inp, edge, d) | upper = false and d >= delta)
+    or
+    selfBoundedPhiInp(phi, inp, edge, upper)
+  )
+}
+
+/**
+ * Holds if `b + delta` is a valid bound for `phi`.
+ * - `upper = true`  : `phi <= b + delta`
+ * - `upper = false` : `phi >= b + delta`
+ */
+private predicate boundedPhi(
+  SemSsaPhiNode phi, SemBound b, int delta, boolean upper, boolean fromBackEdge, int origdelta,
+  SemReason reason
+) {
+  forex(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge | edge.phiInput(phi, inp) |
+    boundedPhiCandValidForEdge(phi, b, delta, upper, fromBackEdge, origdelta, reason, inp, edge)
+  )
+}
+
+/**
+ * Holds if `e` has an upper (for `upper = true`) or lower
+ * (for `upper = false`) bound of `b`.
+ */
+private predicate baseBound(SemExpr e, int b, boolean upper) {
+  Specific::hasConstantBound(e, b, upper)
+  or
+  upper = false and
+  b = 0 and
+  semPositive(e.(SemBitAndExpr).getAnOperand()) and
+  // REVIEW: We let the language opt out here to preserve original results.
+  not Specific::ignoreZeroLowerBound(e)
+}
+
+/**
+ * Holds if the value being cast has an upper (for `upper = true`) or lower
+ * (for `upper = false`) bound within the bounds of the resulting type.
+ * For `upper = true` this means that the cast will not overflow and for
+ * `upper = false` this means that the cast will not underflow.
+ */
+private predicate safeNarrowingCast(NarrowingCastExpr cast, boolean upper) {
+  exists(int bound | bounded(cast.getOperand(), any(SemZeroBound zb), bound, upper, _, _, _) |
+    upper = true and bound <= cast.getUpperBound()
+    or
+    upper = false and bound >= cast.getLowerBound()
+  )
+}
+
+pragma[noinline]
+private predicate boundedCastExpr(
+  NarrowingCastExpr cast, SemBound b, int delta, boolean upper, boolean fromBackEdge, int origdelta,
+  SemReason reason
+) {
+  bounded(cast.getOperand(), b, delta, upper, fromBackEdge, origdelta, reason)
+}
+
+/**
+ * Holds if `b + delta` is a valid bound for `e`.
+ * - `upper = true`  : `e <= b + delta`
+ * - `upper = false` : `e >= b + delta`
+ */
+private predicate bounded(
+  SemExpr e, SemBound b, int delta, boolean upper, boolean fromBackEdge, int origdelta,
+  SemReason reason
+) {
+  not Specific::ignoreExprBound(e) and
+  (
+    e = b.getExpr(delta) and
+    (upper = true or upper = false) and
+    fromBackEdge = false and
+    origdelta = delta and
+    reason = TSemNoReason()
+    or
+    baseBound(e, delta, upper) and
+    b instanceof SemZeroBound and
+    fromBackEdge = false and
+    origdelta = delta and
+    reason = TSemNoReason()
+    or
+    exists(SemSsaVariable v, SemSsaReadPositionBlock bb |
+      boundedSsa(v, bb, b, delta, upper, fromBackEdge, origdelta, reason) and
+      e = v.getAUse() and
+      bb.getBlock() = e.getBasicBlock()
+    )
+    or
+    exists(SemExpr mid, int d1, int d2 |
+      boundFlowStep(e, mid, d1, upper) and
+      // Constants have easy, base-case bounds, so let's not infer any recursive bounds.
+      not e instanceof SemConstantIntegerExpr and
+      bounded(mid, b, d2, upper, fromBackEdge, origdelta, reason) and
+      // upper = true:  e <= mid + d1 <= b + d1 + d2 = b + delta
+      // upper = false: e >= mid + d1 >= b + d1 + d2 = b + delta
+      delta = d1 + d2
+    )
+    or
+    exists(SemSsaPhiNode phi |
+      boundedPhi(phi, b, delta, upper, fromBackEdge, origdelta, reason) and
+      e = phi.getAUse()
+    )
+    or
+    exists(SemExpr mid, int factor, int d |
+      boundFlowStepMul(e, mid, factor) and
+      not e instanceof SemConstantIntegerExpr and
+      bounded(mid, b, d, upper, fromBackEdge, origdelta, reason) and
+      b instanceof SemZeroBound and
+      delta = d * factor
+    )
+    or
+    exists(SemExpr mid, int factor, int d |
+      boundFlowStepDiv(e, mid, factor) and
+      not e instanceof SemConstantIntegerExpr and
+      bounded(mid, b, d, upper, fromBackEdge, origdelta, reason) and
+      b instanceof SemZeroBound and
+      d >= 0 and
+      delta = d / factor
+    )
+    or
+    exists(NarrowingCastExpr cast |
+      cast = e and
+      safeNarrowingCast(cast, upper.booleanNot()) and
+      boundedCastExpr(cast, b, delta, upper, fromBackEdge, origdelta, reason)
+    )
+    or
+    exists(
+      SemConditionalExpr cond, int d1, int d2, boolean fbe1, boolean fbe2, int od1, int od2,
+      SemReason r1, SemReason r2
+    |
+      cond = e and
+      boundedConditionalExpr(cond, b, upper, true, d1, fbe1, od1, r1) and
+      boundedConditionalExpr(cond, b, upper, false, d2, fbe2, od2, r2) and
+      (
+        delta = d1 and fromBackEdge = fbe1 and origdelta = od1 and reason = r1
+        or
+        delta = d2 and fromBackEdge = fbe2 and origdelta = od2 and reason = r2
+      )
+    |
+      upper = true and delta = d1.maximum(d2)
+      or
+      upper = false and delta = d1.minimum(d2)
+    )
+  )
+}
+
+private predicate boundedConditionalExpr(
+  SemConditionalExpr cond, SemBound b, boolean upper, boolean branch, int delta,
+  boolean fromBackEdge, int origdelta, SemReason reason
+) {
+  bounded(cond.getBranchExpr(branch), b, delta, upper, fromBackEdge, origdelta, reason)
+}

cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeAnalysisSpecific.qll

@@ -3,90 +3,86 @@
  */
 
 private import experimental.semmle.code.cpp.semantic.Semantic
-private import RangeAnalysisStage
-private import experimental.semmle.code.cpp.semantic.analysis.FloatDelta
 
-module CppLangImpl implements LangSig<FloatDelta> {
-  /**
-   * Holds if the specified expression should be excluded from the result of `ssaRead()`.
-   *
-   * This predicate is to keep the results identical to the original Java implementation. It should be
-   * removed once we have the new implementation matching the old results exactly.
-   */
-  predicate ignoreSsaReadCopy(SemExpr e) { none() }
+/**
+ * Holds if the specified expression should be excluded from the result of `ssaRead()`.
+ *
+ * This predicate is to keep the results identical to the original Java implementation. It should be
+ * removed once we have the new implementation matching the old results exactly.
+ */
+predicate ignoreSsaReadCopy(SemExpr e) { none() }
 
-  /**
-   * Ignore the bound on this expression.
-   *
-   * This predicate is to keep the results identical to the original Java implementation. It should be
-   * removed once we have the new implementation matching the old results exactly.
-   */
-  predicate ignoreExprBound(SemExpr e) { none() }
+/**
+ * Ignore the bound on this expression.
+ *
+ * This predicate is to keep the results identical to the original Java implementation. It should be
+ * removed once we have the new implementation matching the old results exactly.
+ */
+predicate ignoreExprBound(SemExpr e) { none() }
 
-  /**
-   * Ignore any inferred zero lower bound on this expression.
-   *
-   * This predicate is to keep the results identical to the original Java implementation. It should be
-   * removed once we have the new implementation matching the old results exactly.
-   */
-  predicate ignoreZeroLowerBound(SemExpr e) { none() }
+/**
+ * Ignore any inferred zero lower bound on this expression.
+ *
+ * This predicate is to keep the results identical to the original Java implementation. It should be
+ * removed once we have the new implementation matching the old results exactly.
+ */
+predicate ignoreZeroLowerBound(SemExpr e) { none() }
 
-  /**
-   * Holds if the specified expression should be excluded from the result of `ssaRead()`.
-   *
-   * This predicate is to keep the results identical to the original Java implementation. It should be
-   * removed once we have the new implementation matching the old results exactly.
-   */
-  predicate ignoreSsaReadArithmeticExpr(SemExpr e) { none() }
+/**
+ * Holds if the specified expression should be excluded from the result of `ssaRead()`.
+ *
+ * This predicate is to keep the results identical to the original Java implementation. It should be
+ * removed once we have the new implementation matching the old results exactly.
+ */
+predicate ignoreSsaReadArithmeticExpr(SemExpr e) { none() }
 
-  /**
-   * Holds if the specified variable should be excluded from the result of `ssaRead()`.
-   *
-   * This predicate is to keep the results identical to the original Java implementation. It should be
-   * removed once we have the new implementation matching the old results exactly.
-   */
-  predicate ignoreSsaReadAssignment(SemSsaVariable v) { none() }
+/**
+ * Holds if the specified variable should be excluded from the result of `ssaRead()`.
+ *
+ * This predicate is to keep the results identical to the original Java implementation. It should be
+ * removed once we have the new implementation matching the old results exactly.
+ */
+predicate ignoreSsaReadAssignment(SemSsaVariable v) { none() }
 
-  /**
-   * Adds additional results to `ssaRead()` that are specific to Java.
-   *
-   * This predicate handles propagation of offsets for post-increment and post-decrement expressions
-   * in exactly the same way as the old Java implementation. Once the new implementation matches the
-   * old one, we should remove this predicate and propagate deltas for all similar patterns, whether
-   * or not they come from a post-increment/decrement expression.
-   */
-  SemExpr specificSsaRead(SemSsaVariable v, float delta) { none() }
+/**
+ * Adds additional results to `ssaRead()` that are specific to Java.
+ *
+ * This predicate handles propagation of offsets for post-increment and post-decrement expressions
+ * in exactly the same way as the old Java implementation. Once the new implementation matches the
+ * old one, we should remove this predicate and propagate deltas for all similar patterns, whether
+ * or not they come from a post-increment/decrement expression.
+ */
+SemExpr specificSsaRead(SemSsaVariable v, int delta) { none() }
 
-  /**
-   * Holds if `e >= bound` (if `upper = false`) or `e <= bound` (if `upper = true`).
-   */
-  predicate hasConstantBound(SemExpr e, float bound, boolean upper) { none() }
+/**
+ * Holds if `e >= bound` (if `upper = false`) or `e <= bound` (if `upper = true`).
+ */
+predicate hasConstantBound(SemExpr e, int bound, boolean upper) { none() }
 
-  /**
-   * Holds if `e >= bound + delta` (if `upper = false`) or `e <= bound + delta` (if `upper = true`).
-   */
-  predicate hasBound(SemExpr e, SemExpr bound, float delta, boolean upper) { none() }
+/**
+ * Holds if `e >= bound + delta` (if `upper = false`) or `e <= bound + delta` (if `upper = true`).
+ */
+predicate hasBound(SemExpr e, SemExpr bound, int delta, boolean upper) { none() }
 
-  /**
-   * Holds if the value of `dest` is known to be `src + delta`.
-   */
-  predicate additionalValueFlowStep(SemExpr dest, SemExpr src, float delta) { none() }
+/**
+ * Holds if the value of `dest` is known to be `src + delta`.
+ */
+predicate additionalValueFlowStep(SemExpr dest, SemExpr src, int delta) { none() }
 
-  /**
-   * Gets the type that range analysis should use to track the result of the specified expression,
-   * if a type other than the original type of the expression is to be used.
-   *
-   * This predicate is commonly used in languages that support immutable "boxed" types that are
-   * actually references but whose values can be tracked as the type contained in the box.
-   */
-  SemType getAlternateType(SemExpr e) { none() }
+/**
+ * Gets the type that range analysis should use to track the result of the specified expression,
+ * if a type other than the original type of the expression is to be used.
+ *
+ * This predicate is commonly used in languages that support immutable "boxed" types that are
+ * actually references but whose values can be tracked as the type contained in the box.
+ */
+SemType getAlternateType(SemExpr e) { none() }
 
-  /**
-   * Gets the type that range analysis should use to track the result of the specified source
-   * variable, if a type other than the original type of the expression is to be used.
-   *
-   * This predicate is commonly used in languages that support immutable "boxed" types that are
-   * actually references but whose values can be tracked as the type contained in the box.
-   */
-  SemType getAlternateTypeForSsaVariable(SemSsaVariable var) { none() }
-}
+/**
+ * Gets the type that range analysis should use to track the result of the specified source
+ * variable, if a type other than the original type of the expression is to be used.
+ *
+ * This predicate is commonly used in languages that support immutable "boxed" types that are
+ * actually references but whose values can be tracked as the type contained in the box.
+ */
+SemType getAlternateTypeForSsaVariable(SemSsaVariable var) { none() }

cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeUtils.qll

@@ -3,138 +3,133 @@
  */
 
 private import experimental.semmle.code.cpp.semantic.Semantic
-private import RangeAnalysisSpecific
-private import RangeAnalysisStage as Range
+private import RangeAnalysisSpecific as Specific
 private import ConstantAnalysis
 
-module RangeUtil<Range::DeltaSig D, Range::LangSig<D> Lang> implements Range::UtilSig<D> {
-  /**
-   * Gets an expression that equals `v - d`.
-   */
-  SemExpr semSsaRead(SemSsaVariable v, D::Delta delta) {
-    // There are various language-specific extension points that can be removed once we no longer
-    // expect to match the original Java implementation's results exactly.
-    result = v.getAUse() and delta = D::fromInt(0)
-    or
-    exists(D::Delta d1, SemConstantIntegerExpr c |
-      result.(SemAddExpr).hasOperands(semSsaRead(v, d1), c) and
-      delta = D::fromFloat(D::toFloat(d1) - c.getIntValue()) and
-      not Lang::ignoreSsaReadArithmeticExpr(result)
-    )
-    or
-    exists(SemSubExpr sub, D::Delta d1, SemConstantIntegerExpr c |
-      result = sub and
-      sub.getLeftOperand() = semSsaRead(v, d1) and
-      sub.getRightOperand() = c and
-      delta = D::fromFloat(D::toFloat(d1) + c.getIntValue()) and
-      not Lang::ignoreSsaReadArithmeticExpr(result)
-    )
-    or
-    result = v.(SemSsaExplicitUpdate).getSourceExpr() and
-    delta = D::fromFloat(0) and
-    not Lang::ignoreSsaReadAssignment(v)
-    or
-    result = Lang::specificSsaRead(v, delta)
-    or
-    result.(SemCopyValueExpr).getOperand() = semSsaRead(v, delta) and
-    not Lang::ignoreSsaReadCopy(result)
-    or
-    result.(SemStoreExpr).getOperand() = semSsaRead(v, delta)
-  }
-
-  /**
-   * Gets a condition that tests whether `v` equals `e + delta`.
-   *
-   * If the condition evaluates to `testIsTrue`:
-   * - `isEq = true`  : `v == e + delta`
-   * - `isEq = false` : `v != e + delta`
-   */
-  SemGuard semEqFlowCond(
-    SemSsaVariable v, SemExpr e, D::Delta delta, boolean isEq, boolean testIsTrue
-  ) {
-    exists(boolean eqpolarity |
-      result.isEquality(semSsaRead(v, delta), e, eqpolarity) and
-      (testIsTrue = true or testIsTrue = false) and
-      eqpolarity.booleanXor(testIsTrue).booleanNot() = isEq
-    )
-    or
-    exists(boolean testIsTrue0 |
-      semImplies_v2(result, testIsTrue, semEqFlowCond(v, e, delta, isEq, testIsTrue0), testIsTrue0)
-    )
-  }
-
-  /**
-   * Holds if `v` is an `SsaExplicitUpdate` that equals `e + delta`.
-   */
-  predicate semSsaUpdateStep(SemSsaExplicitUpdate v, SemExpr e, D::Delta delta) {
-    exists(SemExpr defExpr | defExpr = v.getSourceExpr() |
-      defExpr.(SemCopyValueExpr).getOperand() = e and delta = D::fromFloat(0)
-      or
-      defExpr.(SemStoreExpr).getOperand() = e and delta = D::fromFloat(0)
-      or
-      defExpr.(SemAddOneExpr).getOperand() = e and delta = D::fromFloat(1)
-      or
-      defExpr.(SemSubOneExpr).getOperand() = e and delta = D::fromFloat(-1)
-      or
-      e = defExpr and
-      not (
-        defExpr instanceof SemCopyValueExpr or
-        defExpr instanceof SemStoreExpr or
-        defExpr instanceof SemAddOneExpr or
-        defExpr instanceof SemSubOneExpr
-      ) and
-      delta = D::fromFloat(0)
-    )
-  }
-
-  /**
-   * Holds if `e1 + delta` equals `e2`.
-   */
-  predicate semValueFlowStep(SemExpr e2, SemExpr e1, D::Delta delta) {
-    e2.(SemCopyValueExpr).getOperand() = e1 and delta = D::fromFloat(0)
-    or
-    e2.(SemStoreExpr).getOperand() = e1 and delta = D::fromFloat(0)
-    or
-    e2.(SemAddOneExpr).getOperand() = e1 and delta = D::fromFloat(1)
-    or
-    e2.(SemSubOneExpr).getOperand() = e1 and delta = D::fromFloat(-1)
-    or
-    Lang::additionalValueFlowStep(e2, e1, delta)
-    or
-    exists(SemExpr x | e2.(SemAddExpr).hasOperands(e1, x) |
-      D::fromInt(x.(SemConstantIntegerExpr).getIntValue()) = delta
-    )
-    or
-    exists(SemExpr x, SemSubExpr sub |
-      e2 = sub and
-      sub.getLeftOperand() = e1 and
-      sub.getRightOperand() = x
-    |
-      D::fromInt(-x.(SemConstantIntegerExpr).getIntValue()) = delta
-    )
-  }
-
-  /**
-   * Gets the type used to track the specified expression's range information.
-   *
-   * Usually, this just `e.getSemType()`, but the language can override this to track immutable boxed
-   * primitive types as the underlying primitive type.
-   */
-  SemType getTrackedType(SemExpr e) {
-    result = Lang::getAlternateType(e)
-    or
-    not exists(Lang::getAlternateType(e)) and result = e.getSemType()
-  }
-
-  /**
-   * Gets the type used to track the specified source variable's range information.
-   *
-   * Usually, this just `e.getType()`, but the language can override this to track immutable boxed
-   * primitive types as the underlying primitive type.
-   */
-  SemType getTrackedTypeForSsaVariable(SemSsaVariable var) {
-    result = Lang::getAlternateTypeForSsaVariable(var)
-    or
-    not exists(Lang::getAlternateTypeForSsaVariable(var)) and result = var.getType()
-  }
+/**
+ * Gets an expression that equals `v - d`.
+ */
+SemExpr semSsaRead(SemSsaVariable v, int delta) {
+  // There are various language-specific extension points that can be removed once we no longer
+  // expect to match the original Java implementation's results exactly.
+  result = v.getAUse() and delta = 0
+  or
+  exists(int d1, SemConstantIntegerExpr c |
+    result.(SemAddExpr).hasOperands(semSsaRead(v, d1), c) and
+    delta = d1 - c.getIntValue() and
+    not Specific::ignoreSsaReadArithmeticExpr(result)
+  )
+  or
+  exists(SemSubExpr sub, int d1, SemConstantIntegerExpr c |
+    result = sub and
+    sub.getLeftOperand() = semSsaRead(v, d1) and
+    sub.getRightOperand() = c and
+    delta = d1 + c.getIntValue() and
+    not Specific::ignoreSsaReadArithmeticExpr(result)
+  )
+  or
+  result = v.(SemSsaExplicitUpdate).getSourceExpr() and
+  delta = 0 and
+  not Specific::ignoreSsaReadAssignment(v)
+  or
+  result = Specific::specificSsaRead(v, delta)
+  or
+  result.(SemCopyValueExpr).getOperand() = semSsaRead(v, delta) and
+  not Specific::ignoreSsaReadCopy(result)
+  or
+  result.(SemStoreExpr).getOperand() = semSsaRead(v, delta)
+}
+
+/**
+ * Gets a condition that tests whether `v` equals `e + delta`.
+ *
+ * If the condition evaluates to `testIsTrue`:
+ * - `isEq = true`  : `v == e + delta`
+ * - `isEq = false` : `v != e + delta`
+ */
+SemGuard semEqFlowCond(SemSsaVariable v, SemExpr e, int delta, boolean isEq, boolean testIsTrue) {
+  exists(boolean eqpolarity |
+    result.isEquality(semSsaRead(v, delta), e, eqpolarity) and
+    (testIsTrue = true or testIsTrue = false) and
+    eqpolarity.booleanXor(testIsTrue).booleanNot() = isEq
+  )
+  or
+  exists(boolean testIsTrue0 |
+    semImplies_v2(result, testIsTrue, semEqFlowCond(v, e, delta, isEq, testIsTrue0), testIsTrue0)
+  )
+}
+
+/**
+ * Holds if `v` is an `SsaExplicitUpdate` that equals `e + delta`.
+ */
+predicate semSsaUpdateStep(SemSsaExplicitUpdate v, SemExpr e, int delta) {
+  exists(SemExpr defExpr | defExpr = v.getSourceExpr() |
+    defExpr.(SemCopyValueExpr).getOperand() = e and delta = 0
+    or
+    defExpr.(SemStoreExpr).getOperand() = e and delta = 0
+    or
+    defExpr.(SemAddOneExpr).getOperand() = e and delta = 1
+    or
+    defExpr.(SemSubOneExpr).getOperand() = e and delta = -1
+    or
+    e = defExpr and
+    not (
+      defExpr instanceof SemCopyValueExpr or
+      defExpr instanceof SemStoreExpr or
+      defExpr instanceof SemAddOneExpr or
+      defExpr instanceof SemSubOneExpr
+    ) and
+    delta = 0
+  )
+}
+
+/**
+ * Holds if `e1 + delta` equals `e2`.
+ */
+predicate semValueFlowStep(SemExpr e2, SemExpr e1, int delta) {
+  e2.(SemCopyValueExpr).getOperand() = e1 and delta = 0
+  or
+  e2.(SemStoreExpr).getOperand() = e1 and delta = 0
+  or
+  e2.(SemAddOneExpr).getOperand() = e1 and delta = 1
+  or
+  e2.(SemSubOneExpr).getOperand() = e1 and delta = -1
+  or
+  Specific::additionalValueFlowStep(e2, e1, delta)
+  or
+  exists(SemExpr x | e2.(SemAddExpr).hasOperands(e1, x) |
+    x.(SemConstantIntegerExpr).getIntValue() = delta
+  )
+  or
+  exists(SemExpr x, SemSubExpr sub |
+    e2 = sub and
+    sub.getLeftOperand() = e1 and
+    sub.getRightOperand() = x
+  |
+    x.(SemConstantIntegerExpr).getIntValue() = -delta
+  )
+}
+
+/**
+ * Gets the type used to track the specified expression's range information.
+ *
+ * Usually, this just `e.getSemType()`, but the language can override this to track immutable boxed
+ * primitive types as the underlying primitive type.
+ */
+SemType getTrackedType(SemExpr e) {
+  result = Specific::getAlternateType(e)
+  or
+  not exists(Specific::getAlternateType(e)) and result = e.getSemType()
+}
+
+/**
+ * Gets the type used to track the specified source variable's range information.
+ *
+ * Usually, this just `e.getType()`, but the language can override this to track immutable boxed
+ * primitive types as the underlying primitive type.
+ */
+SemType getTrackedTypeForSsaVariable(SemSsaVariable var) {
+  result = Specific::getAlternateTypeForSsaVariable(var)
+  or
+  not exists(Specific::getAlternateTypeForSsaVariable(var)) and result = var.getType()
 }

cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/SignAnalysisCommon.qll

@@ -6,494 +6,488 @@
  * three-valued domain `{negative, zero, positive}`.
  */
 
-private import RangeAnalysisStage
 private import SignAnalysisSpecific as Specific
 private import experimental.semmle.code.cpp.semantic.Semantic
 private import ConstantAnalysis
 private import RangeUtils
 private import Sign
 
-module SignAnalysis<DeltaSig D, UtilSig<D> Utils> {
-  /**
-   * An SSA definition for which the analysis can compute the sign.
-   *
-   * The actual computation of the sign is done in an override of the `getSign()` predicate. The
-   * charpred of any subclass must _not_ invoke `getSign()`, directly or indirectly. This ensures
-   * that the charpred does not introduce negative recursion. The `getSign()` predicate may be
-   * recursive.
-   */
-  abstract private class SignDef instanceof SemSsaVariable {
-    final string toString() { result = super.toString() }
+/**
+ * An SSA definition for which the analysis can compute the sign.
+ *
+ * The actual computation of the sign is done in an override of the `getSign()` predicate. The
+ * charpred of any subclass must _not_ invoke `getSign()`, directly or indirectly. This ensures
+ * that the charpred does not introduce negative recursion. The `getSign()` predicate may be
+ * recursive.
+ */
+abstract private class SignDef instanceof SemSsaVariable {
+  final string toString() { result = super.toString() }
 
-    /** Gets the possible signs of this SSA definition. */
-    abstract Sign getSign();
-  }
+  /** Gets the possible signs of this SSA definition. */
+  abstract Sign getSign();
+}
 
-  /** An SSA definition whose sign is computed based on standard flow. */
-  abstract private class FlowSignDef extends SignDef {
-    abstract override Sign getSign();
-  }
+/** An SSA definition whose sign is computed based on standard flow. */
+abstract private class FlowSignDef extends SignDef {
+  abstract override Sign getSign();
+}
 
-  /** An SSA definition whose sign is determined by the sign of that definitions source expression. */
-  private class ExplicitSignDef extends FlowSignDef instanceof SemSsaExplicitUpdate {
-    final override Sign getSign() { result = semExprSign(super.getSourceExpr()) }
-  }
+/** An SSA definition whose sign is determined by the sign of that definitions source expression. */
+private class ExplicitSignDef extends FlowSignDef instanceof SemSsaExplicitUpdate {
+  final override Sign getSign() { result = semExprSign(super.getSourceExpr()) }
+}
 
-  /** An SSA Phi definition, whose sign is the union of the signs of its inputs. */
-  private class PhiSignDef extends FlowSignDef instanceof SemSsaPhiNode {
-    final override Sign getSign() {
-      exists(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge |
-        edge.phiInput(this, inp) and
-        result = semSsaSign(inp, edge)
-      )
-    }
-  }
-
-  /** An SSA definition whose sign is computed by a language-specific implementation. */
-  abstract class CustomSignDef extends SignDef {
-    abstract override Sign getSign();
-  }
-
-  /**
-   * An expression for which the analysis can compute the sign.
-   *
-   * The actual computation of the sign is done in an override of the `getSign()` predicate. The
-   * charpred of any subclass must _not_ invoke `getSign()`, directly or indirectly. This ensures
-   * that the charpred does not introduce negative recursion. The `getSign()` predicate may be
-   * recursive.
-   *
-   * Concrete implementations extend one of the following subclasses:
-   * - `ConstantSignExpr`, for expressions with a compile-time constant value.
-   * - `FlowSignExpr`, for expressions whose sign can be computed from the signs of their operands.
-   * - `CustomsignExpr`, for expressions whose sign can be computed by a language-specific
-   *   implementation.
-   *
-   * If the same expression matches more than one of the above subclasses, the sign is computed as
-   * follows:
-   * - The sign of a `ConstantSignExpr` is computed solely from `ConstantSignExpr.getSign()`,
-   *   regardless of any other subclasses.
-   * - If a non-`ConstantSignExpr` expression matches exactly one of `FlowSignExpr` or
-   *   `CustomSignExpr`, the sign is computed by that class' `getSign()` predicate.
-   * - If a non-`ConstantSignExpr` expression matches both `FlowSignExpr` and `CustomSignExpr`, the
-   *   sign is the _intersection_ of the signs of those two classes' `getSign()` predicates. Thus,
-   *   both classes have the opportunity to _restrict_ the set of possible signs, not to generate new
-   *   possible signs.
-   * - If an expression does not match any of the three subclasses, then it can have any sign.
-   *
-   * Note that the `getSign()` predicate is introduced only in subclasses of `SignExpr`.
-   */
-  abstract class SignExpr instanceof SemExpr {
-    SignExpr() { not Specific::ignoreExprSign(this) }
-
-    final string toString() { result = super.toString() }
-
-    abstract Sign getSign();
-  }
-
-  /** An expression whose sign is determined by its constant numeric value. */
-  private class ConstantSignExpr extends SignExpr {
-    ConstantSignExpr() {
-      this instanceof SemConstantIntegerExpr or
-      exists(this.(SemNumericLiteralExpr).getApproximateFloatValue())
-    }
-
-    final override Sign getSign() {
-      exists(int i | this.(SemConstantIntegerExpr).getIntValue() = i |
-        i < 0 and result = TNeg()
-        or
-        i = 0 and result = TZero()
-        or
-        i > 0 and result = TPos()
-      )
-      or
-      not exists(this.(SemConstantIntegerExpr).getIntValue()) and
-      exists(float f | f = this.(SemNumericLiteralExpr).getApproximateFloatValue() |
-        f < 0 and result = TNeg()
-        or
-        f = 0 and result = TZero()
-        or
-        f > 0 and result = TPos()
-      )
-    }
-  }
-
-  abstract private class NonConstantSignExpr extends SignExpr {
-    NonConstantSignExpr() { not this instanceof ConstantSignExpr }
-
-    final override Sign getSign() {
-      // The result is the _intersection_ of the signs computed from flow and by the language.
-      (result = this.(FlowSignExpr).getSignRestriction() or not this instanceof FlowSignExpr) and
-      (result = this.(CustomSignExpr).getSignRestriction() or not this instanceof CustomSignExpr)
-    }
-  }
-
-  /** An expression whose sign is computed from the signs of its operands. */
-  abstract private class FlowSignExpr extends NonConstantSignExpr {
-    abstract Sign getSignRestriction();
-  }
-
-  /** An expression whose sign is computed by a language-specific implementation. */
-  abstract class CustomSignExpr extends NonConstantSignExpr {
-    abstract Sign getSignRestriction();
-  }
-
-  /** An expression whose sign is unknown. */
-  private class UnknownSignExpr extends SignExpr {
-    UnknownSignExpr() {
-      not this instanceof FlowSignExpr and
-      not this instanceof CustomSignExpr and
-      not this instanceof ConstantSignExpr and
-      (
-        // Only track numeric types.
-        Utils::getTrackedType(this) instanceof SemNumericType
-        or
-        // Unless the language says to track this expression anyway.
-        Specific::trackUnknownNonNumericExpr(this)
-      )
-    }
-
-    final override Sign getSign() { semAnySign(result) }
-  }
-
-  /**
-   * A `Load` expression whose sign is computed from the sign of its SSA definition, restricted by
-   * inference from any intervening guards.
-   */
-  class UseSignExpr extends FlowSignExpr {
-    SemSsaVariable v;
-
-    UseSignExpr() { v.getAUse() = this }
-
-    override Sign getSignRestriction() {
-      // Propagate via SSA
-      // Propagate the sign from the def of `v`, incorporating any inference from guards.
-      result = semSsaSign(v, any(SemSsaReadPositionBlock bb | bb.getAnExpr() = this))
-      or
-      // No block for this read. Just use the sign of the def.
-      // REVIEW: How can this happen?
-      not exists(SemSsaReadPositionBlock bb | bb.getAnExpr() = this) and
-      result = semSsaDefSign(v)
-    }
-  }
-
-  /** A binary expression whose sign is computed from the signs of its operands. */
-  private class BinarySignExpr extends FlowSignExpr {
-    SemBinaryExpr binary;
-
-    BinarySignExpr() { binary = this }
-
-    override Sign getSignRestriction() {
-      exists(SemExpr left, SemExpr right |
-        binaryExprOperands(binary, left, right) and
-        result =
-          semExprSign(pragma[only_bind_out](left))
-              .applyBinaryOp(semExprSign(pragma[only_bind_out](right)), binary.getOpcode())
-      )
-      or
-      exists(SemDivExpr div | div = binary |
-        result = semExprSign(div.getLeftOperand()) and
-        result != TZero() and
-        div.getRightOperand().(SemFloatingPointLiteralExpr).getFloatValue() = 0
-      )
-    }
-  }
-
-  pragma[nomagic]
-  private predicate binaryExprOperands(SemBinaryExpr binary, SemExpr left, SemExpr right) {
-    binary.getLeftOperand() = left and binary.getRightOperand() = right
-  }
-
-  /**
-   * A `Convert`, `Box`, or `Unbox` expression.
-   */
-  private class SemCastExpr instanceof SemUnaryExpr {
-    string toString() { result = super.toString() }
-
-    SemCastExpr() {
-      this instanceof SemConvertExpr
-      or
-      this instanceof SemBoxExpr
-      or
-      this instanceof SemUnboxExpr
-    }
-  }
-
-  /** A unary expression whose sign is computed from the sign of its operand. */
-  private class UnarySignExpr extends FlowSignExpr {
-    SemUnaryExpr unary;
-
-    UnarySignExpr() { unary = this and not this instanceof SemCastExpr }
-
-    override Sign getSignRestriction() {
-      result =
-        semExprSign(pragma[only_bind_out](unary.getOperand())).applyUnaryOp(unary.getOpcode())
-    }
-  }
-
-  /**
-   * A `Convert`, `Box`, or `Unbox` expression, whose sign is computed based on
-   * the sign of its operand and the source and destination types.
-   */
-  abstract private class CastSignExpr extends FlowSignExpr {
-    SemUnaryExpr cast;
-
-    CastSignExpr() { cast = this and cast instanceof SemCastExpr }
-
-    override Sign getSignRestriction() { result = semExprSign(cast.getOperand()) }
-  }
-
-  /**
-   * A `Convert` expression.
-   */
-  private class ConvertSignExpr extends CastSignExpr {
-    override SemConvertExpr cast;
-  }
-
-  /**
-   * A `Box` expression.
-   */
-  private class BoxSignExpr extends CastSignExpr {
-    override SemBoxExpr cast;
-  }
-
-  /**
-   * An `Unbox` expression.
-   */
-  private class UnboxSignExpr extends CastSignExpr {
-    override SemUnboxExpr cast;
-
-    UnboxSignExpr() {
-      exists(SemType fromType | fromType = Utils::getTrackedType(cast.getOperand()) |
-        // Only numeric source types are handled here.
-        fromType instanceof SemNumericType
-      )
-    }
-  }
-
-  private predicate unknownSign(SemExpr e) { e instanceof UnknownSignExpr }
-
-  /**
-   * Holds if `lowerbound` is a lower bound for `v` at `pos`. This is restricted
-   * to only include bounds for which we might determine a sign.
-   */
-  private predicate lowerBound(
-    SemExpr lowerbound, SemSsaVariable v, SemSsaReadPosition pos, boolean isStrict
-  ) {
-    exists(boolean testIsTrue, SemRelationalExpr comp |
-      pos.hasReadOfVar(v) and
-      semGuardControlsSsaRead(semGetComparisonGuard(comp), pos, testIsTrue) and
-      not unknownSign(lowerbound)
-    |
-      testIsTrue = true and
-      comp.getLesserOperand() = lowerbound and
-      comp.getGreaterOperand() = Utils::semSsaRead(v, D::fromInt(0)) and
-      (if comp.isStrict() then isStrict = true else isStrict = false)
-      or
-      testIsTrue = false and
-      comp.getGreaterOperand() = lowerbound and
-      comp.getLesserOperand() = Utils::semSsaRead(v, D::fromInt(0)) and
-      (if comp.isStrict() then isStrict = false else isStrict = true)
+/** An SSA Phi definition, whose sign is the union of the signs of its inputs. */
+private class PhiSignDef extends FlowSignDef instanceof SemSsaPhiNode {
+  final override Sign getSign() {
+    exists(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge |
+      edge.phiInput(this, inp) and
+      result = semSsaSign(inp, edge)
     )
   }
-
-  /**
-   * Holds if `upperbound` is an upper bound for `v` at `pos`. This is restricted
-   * to only include bounds for which we might determine a sign.
-   */
-  private predicate upperBound(
-    SemExpr upperbound, SemSsaVariable v, SemSsaReadPosition pos, boolean isStrict
-  ) {
-    exists(boolean testIsTrue, SemRelationalExpr comp |
-      pos.hasReadOfVar(v) and
-      semGuardControlsSsaRead(semGetComparisonGuard(comp), pos, testIsTrue) and
-      not unknownSign(upperbound)
-    |
-      testIsTrue = true and
-      comp.getGreaterOperand() = upperbound and
-      comp.getLesserOperand() = Utils::semSsaRead(v, D::fromInt(0)) and
-      (if comp.isStrict() then isStrict = true else isStrict = false)
-      or
-      testIsTrue = false and
-      comp.getLesserOperand() = upperbound and
-      comp.getGreaterOperand() = Utils::semSsaRead(v, D::fromInt(0)) and
-      (if comp.isStrict() then isStrict = false else isStrict = true)
-    )
-  }
-
-  /**
-   * Holds if `eqbound` is an equality/inequality for `v` at `pos`. This is
-   * restricted to only include bounds for which we might determine a sign. The
-   * boolean `isEq` gives the polarity:
-   *  - `isEq = true` : `v = eqbound`
-   *  - `isEq = false` : `v != eqbound`
-   */
-  private predicate eqBound(SemExpr eqbound, SemSsaVariable v, SemSsaReadPosition pos, boolean isEq) {
-    exists(SemGuard guard, boolean testIsTrue, boolean polarity |
-      pos.hasReadOfVar(v) and
-      semGuardControlsSsaRead(guard, pos, testIsTrue) and
-      guard.isEquality(eqbound, Utils::semSsaRead(v, D::fromInt(0)), polarity) and
-      isEq = polarity.booleanXor(testIsTrue).booleanNot() and
-      not unknownSign(eqbound)
-    )
-  }
-
-  /**
-   * Holds if `bound` is a bound for `v` at `pos` that needs to be positive in
-   * order for `v` to be positive.
-   */
-  private predicate posBound(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
-    upperBound(bound, v, pos, _) or
-    eqBound(bound, v, pos, true)
-  }
-
-  /**
-   * Holds if `bound` is a bound for `v` at `pos` that needs to be negative in
-   * order for `v` to be negative.
-   */
-  private predicate negBound(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
-    lowerBound(bound, v, pos, _) or
-    eqBound(bound, v, pos, true)
-  }
-
-  /**
-   * Holds if `bound` is a bound for `v` at `pos` that can restrict whether `v`
-   * can be zero.
-   */
-  private predicate zeroBound(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
-    lowerBound(bound, v, pos, _) or
-    upperBound(bound, v, pos, _) or
-    eqBound(bound, v, pos, _)
-  }
-
-  /** Holds if `bound` allows `v` to be positive at `pos`. */
-  private predicate posBoundOk(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
-    posBound(bound, v, pos) and TPos() = semExprSign(bound)
-  }
-
-  /** Holds if `bound` allows `v` to be negative at `pos`. */
-  private predicate negBoundOk(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
-    negBound(bound, v, pos) and TNeg() = semExprSign(bound)
-  }
-
-  /** Holds if `bound` allows `v` to be zero at `pos`. */
-  private predicate zeroBoundOk(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
-    lowerBound(bound, v, pos, _) and TNeg() = semExprSign(bound)
-    or
-    lowerBound(bound, v, pos, false) and TZero() = semExprSign(bound)
-    or
-    upperBound(bound, v, pos, _) and TPos() = semExprSign(bound)
-    or
-    upperBound(bound, v, pos, false) and TZero() = semExprSign(bound)
-    or
-    eqBound(bound, v, pos, true) and TZero() = semExprSign(bound)
-    or
-    eqBound(bound, v, pos, false) and TZero() != semExprSign(bound)
-  }
-
-  /**
-   * Holds if there is a bound that might restrict whether `v` has the sign `s`
-   * at `pos`.
-   */
-  private predicate hasGuard(SemSsaVariable v, SemSsaReadPosition pos, Sign s) {
-    s = TPos() and posBound(_, v, pos)
-    or
-    s = TNeg() and negBound(_, v, pos)
-    or
-    s = TZero() and zeroBound(_, v, pos)
-  }
-
-  /**
-   * Gets a possible sign of `v` at `pos` based on its definition, where the sign
-   * might be ruled out by a guard.
-   */
-  pragma[noinline]
-  private Sign guardedSsaSign(SemSsaVariable v, SemSsaReadPosition pos) {
-    result = semSsaDefSign(v) and
-    pos.hasReadOfVar(v) and
-    hasGuard(v, pos, result)
-  }
-
-  /**
-   * Gets a possible sign of `v` at `pos` based on its definition, where no guard
-   * can rule it out.
-   */
-  pragma[noinline]
-  private Sign unguardedSsaSign(SemSsaVariable v, SemSsaReadPosition pos) {
-    result = semSsaDefSign(v) and
-    pos.hasReadOfVar(v) and
-    not hasGuard(v, pos, result)
-  }
-
-  /**
-   * Gets a possible sign of `v` at read position `pos`, where a guard could have
-   * ruled out the sign but does not.
-   * This does not check that the definition of `v` also allows the sign.
-   */
-  private Sign guardedSsaSignOk(SemSsaVariable v, SemSsaReadPosition pos) {
-    result = TPos() and
-    forex(SemExpr bound | posBound(bound, v, pos) | posBoundOk(bound, v, pos))
-    or
-    result = TNeg() and
-    forex(SemExpr bound | negBound(bound, v, pos) | negBoundOk(bound, v, pos))
-    or
-    result = TZero() and
-    forex(SemExpr bound | zeroBound(bound, v, pos) | zeroBoundOk(bound, v, pos))
-  }
-
-  /** Gets a possible sign for `v` at `pos`. */
-  private Sign semSsaSign(SemSsaVariable v, SemSsaReadPosition pos) {
-    result = unguardedSsaSign(v, pos)
-    or
-    result = guardedSsaSign(v, pos) and
-    result = guardedSsaSignOk(v, pos)
-  }
-
-  /** Gets a possible sign for `v`. */
-  pragma[nomagic]
-  Sign semSsaDefSign(SemSsaVariable v) { result = v.(SignDef).getSign() }
-
-  /** Gets a possible sign for `e`. */
-  cached
-  Sign semExprSign(SemExpr e) {
-    exists(Sign s | s = e.(SignExpr).getSign() |
-      if
-        Utils::getTrackedType(e) instanceof SemUnsignedIntegerType and
-        s = TNeg() and
-        not Specific::ignoreTypeRestrictions(e)
-      then result = TPos()
-      else result = s
-    )
-  }
-
-  /**
-   * Dummy predicate that holds for any sign. This is added to improve readability
-   * of cases where the sign is unrestricted.
-   */
-  predicate semAnySign(Sign s) { any() }
-
-  /** Holds if `e` can be positive and cannot be negative. */
-  predicate semPositive(SemExpr e) {
-    semExprSign(e) = TPos() and
-    not semExprSign(e) = TNeg()
-  }
-
-  /** Holds if `e` can be negative and cannot be positive. */
-  predicate semNegative(SemExpr e) {
-    semExprSign(e) = TNeg() and
-    not semExprSign(e) = TPos()
-  }
-
-  /** Holds if `e` is strictly positive. */
-  predicate semStrictlyPositive(SemExpr e) {
-    semExprSign(e) = TPos() and
-    not semExprSign(e) = TNeg() and
-    not semExprSign(e) = TZero()
-  }
-
-  /** Holds if `e` is strictly negative. */
-  predicate semStrictlyNegative(SemExpr e) {
-    semExprSign(e) = TNeg() and
-    not semExprSign(e) = TPos() and
-    not semExprSign(e) = TZero()
-  }
+}
+
+/** An SSA definition whose sign is computed by a language-specific implementation. */
+abstract class CustomSignDef extends SignDef {
+  abstract override Sign getSign();
+}
+
+/**
+ * An expression for which the analysis can compute the sign.
+ *
+ * The actual computation of the sign is done in an override of the `getSign()` predicate. The
+ * charpred of any subclass must _not_ invoke `getSign()`, directly or indirectly. This ensures
+ * that the charpred does not introduce negative recursion. The `getSign()` predicate may be
+ * recursive.
+ *
+ * Concrete implementations extend one of the following subclasses:
+ * - `ConstantSignExpr`, for expressions with a compile-time constant value.
+ * - `FlowSignExpr`, for expressions whose sign can be computed from the signs of their operands.
+ * - `CustomsignExpr`, for expressions whose sign can be computed by a language-specific
+ *   implementation.
+ *
+ * If the same expression matches more than one of the above subclasses, the sign is computed as
+ * follows:
+ * - The sign of a `ConstantSignExpr` is computed solely from `ConstantSignExpr.getSign()`,
+ *   regardless of any other subclasses.
+ * - If a non-`ConstantSignExpr` expression matches exactly one of `FlowSignExpr` or
+ *   `CustomSignExpr`, the sign is computed by that class' `getSign()` predicate.
+ * - If a non-`ConstantSignExpr` expression matches both `FlowSignExpr` and `CustomSignExpr`, the
+ *   sign is the _intersection_ of the signs of those two classes' `getSign()` predicates. Thus,
+ *   both classes have the opportunity to _restrict_ the set of possible signs, not to generate new
+ *   possible signs.
+ * - If an expression does not match any of the three subclasses, then it can have any sign.
+ *
+ * Note that the `getSign()` predicate is introduced only in subclasses of `SignExpr`.
+ */
+abstract class SignExpr instanceof SemExpr {
+  SignExpr() { not Specific::ignoreExprSign(this) }
+
+  final string toString() { result = super.toString() }
+
+  abstract Sign getSign();
+}
+
+/** An expression whose sign is determined by its constant numeric value. */
+private class ConstantSignExpr extends SignExpr {
+  ConstantSignExpr() {
+    this instanceof SemConstantIntegerExpr or
+    exists(this.(SemNumericLiteralExpr).getApproximateFloatValue())
+  }
+
+  final override Sign getSign() {
+    exists(int i | this.(SemConstantIntegerExpr).getIntValue() = i |
+      i < 0 and result = TNeg()
+      or
+      i = 0 and result = TZero()
+      or
+      i > 0 and result = TPos()
+    )
+    or
+    not exists(this.(SemConstantIntegerExpr).getIntValue()) and
+    exists(float f | f = this.(SemNumericLiteralExpr).getApproximateFloatValue() |
+      f < 0 and result = TNeg()
+      or
+      f = 0 and result = TZero()
+      or
+      f > 0 and result = TPos()
+    )
+  }
+}
+
+abstract private class NonConstantSignExpr extends SignExpr {
+  NonConstantSignExpr() { not this instanceof ConstantSignExpr }
+
+  final override Sign getSign() {
+    // The result is the _intersection_ of the signs computed from flow and by the language.
+    (result = this.(FlowSignExpr).getSignRestriction() or not this instanceof FlowSignExpr) and
+    (result = this.(CustomSignExpr).getSignRestriction() or not this instanceof CustomSignExpr)
+  }
+}
+
+/** An expression whose sign is computed from the signs of its operands. */
+abstract private class FlowSignExpr extends NonConstantSignExpr {
+  abstract Sign getSignRestriction();
+}
+
+/** An expression whose sign is computed by a language-specific implementation. */
+abstract class CustomSignExpr extends NonConstantSignExpr {
+  abstract Sign getSignRestriction();
+}
+
+/** An expression whose sign is unknown. */
+private class UnknownSignExpr extends SignExpr {
+  UnknownSignExpr() {
+    not this instanceof FlowSignExpr and
+    not this instanceof CustomSignExpr and
+    not this instanceof ConstantSignExpr and
+    (
+      // Only track numeric types.
+      getTrackedType(this) instanceof SemNumericType
+      or
+      // Unless the language says to track this expression anyway.
+      Specific::trackUnknownNonNumericExpr(this)
+    )
+  }
+
+  final override Sign getSign() { semAnySign(result) }
+}
+
+/**
+ * A `Load` expression whose sign is computed from the sign of its SSA definition, restricted by
+ * inference from any intervening guards.
+ */
+class UseSignExpr extends FlowSignExpr {
+  SemSsaVariable v;
+
+  UseSignExpr() { v.getAUse() = this }
+
+  override Sign getSignRestriction() {
+    // Propagate via SSA
+    // Propagate the sign from the def of `v`, incorporating any inference from guards.
+    result = semSsaSign(v, any(SemSsaReadPositionBlock bb | bb.getAnExpr() = this))
+    or
+    // No block for this read. Just use the sign of the def.
+    // REVIEW: How can this happen?
+    not exists(SemSsaReadPositionBlock bb | bb.getAnExpr() = this) and
+    result = semSsaDefSign(v)
+  }
+}
+
+/** A binary expression whose sign is computed from the signs of its operands. */
+private class BinarySignExpr extends FlowSignExpr {
+  SemBinaryExpr binary;
+
+  BinarySignExpr() { binary = this }
+
+  override Sign getSignRestriction() {
+    exists(SemExpr left, SemExpr right |
+      binaryExprOperands(binary, left, right) and
+      result =
+        semExprSign(pragma[only_bind_out](left))
+            .applyBinaryOp(semExprSign(pragma[only_bind_out](right)), binary.getOpcode())
+    )
+    or
+    exists(SemDivExpr div | div = binary |
+      result = semExprSign(div.getLeftOperand()) and
+      result != TZero() and
+      div.getRightOperand().(SemFloatingPointLiteralExpr).getFloatValue() = 0
+    )
+  }
+}
+
+pragma[nomagic]
+private predicate binaryExprOperands(SemBinaryExpr binary, SemExpr left, SemExpr right) {
+  binary.getLeftOperand() = left and binary.getRightOperand() = right
+}
+
+/**
+ * A `Convert`, `Box`, or `Unbox` expression.
+ */
+private class SemCastExpr extends SemUnaryExpr {
+  SemCastExpr() {
+    this instanceof SemConvertExpr
+    or
+    this instanceof SemBoxExpr
+    or
+    this instanceof SemUnboxExpr
+  }
+}
+
+/** A unary expression whose sign is computed from the sign of its operand. */
+private class UnarySignExpr extends FlowSignExpr {
+  SemUnaryExpr unary;
+
+  UnarySignExpr() { unary = this and not this instanceof SemCastExpr }
+
+  override Sign getSignRestriction() {
+    result = semExprSign(pragma[only_bind_out](unary.getOperand())).applyUnaryOp(unary.getOpcode())
+  }
+}
+
+/**
+ * A `Convert`, `Box`, or `Unbox` expression, whose sign is computed based on
+ * the sign of its operand and the source and destination types.
+ */
+abstract private class CastSignExpr extends FlowSignExpr {
+  SemUnaryExpr cast;
+
+  CastSignExpr() { cast = this and cast instanceof SemCastExpr }
+
+  override Sign getSignRestriction() { result = semExprSign(cast.getOperand()) }
+}
+
+/**
+ * A `Convert` expression.
+ */
+private class ConvertSignExpr extends CastSignExpr {
+  override SemConvertExpr cast;
+}
+
+/**
+ * A `Box` expression.
+ */
+private class BoxSignExpr extends CastSignExpr {
+  override SemBoxExpr cast;
+}
+
+/**
+ * An `Unbox` expression.
+ */
+private class UnboxSignExpr extends CastSignExpr {
+  override SemUnboxExpr cast;
+
+  UnboxSignExpr() {
+    exists(SemType fromType | fromType = getTrackedType(cast.getOperand()) |
+      // Only numeric source types are handled here.
+      fromType instanceof SemNumericType
+    )
+  }
+}
+
+private predicate unknownSign(SemExpr e) { e instanceof UnknownSignExpr }
+
+/**
+ * Holds if `lowerbound` is a lower bound for `v` at `pos`. This is restricted
+ * to only include bounds for which we might determine a sign.
+ */
+private predicate lowerBound(
+  SemExpr lowerbound, SemSsaVariable v, SemSsaReadPosition pos, boolean isStrict
+) {
+  exists(boolean testIsTrue, SemRelationalExpr comp |
+    pos.hasReadOfVar(v) and
+    semGuardControlsSsaRead(semGetComparisonGuard(comp), pos, testIsTrue) and
+    not unknownSign(lowerbound)
+  |
+    testIsTrue = true and
+    comp.getLesserOperand() = lowerbound and
+    comp.getGreaterOperand() = semSsaRead(v, 0) and
+    (if comp.isStrict() then isStrict = true else isStrict = false)
+    or
+    testIsTrue = false and
+    comp.getGreaterOperand() = lowerbound and
+    comp.getLesserOperand() = semSsaRead(v, 0) and
+    (if comp.isStrict() then isStrict = false else isStrict = true)
+  )
+}
+
+/**
+ * Holds if `upperbound` is an upper bound for `v` at `pos`. This is restricted
+ * to only include bounds for which we might determine a sign.
+ */
+private predicate upperBound(
+  SemExpr upperbound, SemSsaVariable v, SemSsaReadPosition pos, boolean isStrict
+) {
+  exists(boolean testIsTrue, SemRelationalExpr comp |
+    pos.hasReadOfVar(v) and
+    semGuardControlsSsaRead(semGetComparisonGuard(comp), pos, testIsTrue) and
+    not unknownSign(upperbound)
+  |
+    testIsTrue = true and
+    comp.getGreaterOperand() = upperbound and
+    comp.getLesserOperand() = semSsaRead(v, 0) and
+    (if comp.isStrict() then isStrict = true else isStrict = false)
+    or
+    testIsTrue = false and
+    comp.getLesserOperand() = upperbound and
+    comp.getGreaterOperand() = semSsaRead(v, 0) and
+    (if comp.isStrict() then isStrict = false else isStrict = true)
+  )
+}
+
+/**
+ * Holds if `eqbound` is an equality/inequality for `v` at `pos`. This is
+ * restricted to only include bounds for which we might determine a sign. The
+ * boolean `isEq` gives the polarity:
+ *  - `isEq = true` : `v = eqbound`
+ *  - `isEq = false` : `v != eqbound`
+ */
+private predicate eqBound(SemExpr eqbound, SemSsaVariable v, SemSsaReadPosition pos, boolean isEq) {
+  exists(SemGuard guard, boolean testIsTrue, boolean polarity |
+    pos.hasReadOfVar(v) and
+    semGuardControlsSsaRead(guard, pos, testIsTrue) and
+    guard.isEquality(eqbound, semSsaRead(v, 0), polarity) and
+    isEq = polarity.booleanXor(testIsTrue).booleanNot() and
+    not unknownSign(eqbound)
+  )
+}
+
+/**
+ * Holds if `bound` is a bound for `v` at `pos` that needs to be positive in
+ * order for `v` to be positive.
+ */
+private predicate posBound(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
+  upperBound(bound, v, pos, _) or
+  eqBound(bound, v, pos, true)
+}
+
+/**
+ * Holds if `bound` is a bound for `v` at `pos` that needs to be negative in
+ * order for `v` to be negative.
+ */
+private predicate negBound(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
+  lowerBound(bound, v, pos, _) or
+  eqBound(bound, v, pos, true)
+}
+
+/**
+ * Holds if `bound` is a bound for `v` at `pos` that can restrict whether `v`
+ * can be zero.
+ */
+private predicate zeroBound(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
+  lowerBound(bound, v, pos, _) or
+  upperBound(bound, v, pos, _) or
+  eqBound(bound, v, pos, _)
+}
+
+/** Holds if `bound` allows `v` to be positive at `pos`. */
+private predicate posBoundOk(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
+  posBound(bound, v, pos) and TPos() = semExprSign(bound)
+}
+
+/** Holds if `bound` allows `v` to be negative at `pos`. */
+private predicate negBoundOk(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
+  negBound(bound, v, pos) and TNeg() = semExprSign(bound)
+}
+
+/** Holds if `bound` allows `v` to be zero at `pos`. */
+private predicate zeroBoundOk(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
+  lowerBound(bound, v, pos, _) and TNeg() = semExprSign(bound)
+  or
+  lowerBound(bound, v, pos, false) and TZero() = semExprSign(bound)
+  or
+  upperBound(bound, v, pos, _) and TPos() = semExprSign(bound)
+  or
+  upperBound(bound, v, pos, false) and TZero() = semExprSign(bound)
+  or
+  eqBound(bound, v, pos, true) and TZero() = semExprSign(bound)
+  or
+  eqBound(bound, v, pos, false) and TZero() != semExprSign(bound)
+}
+
+/**
+ * Holds if there is a bound that might restrict whether `v` has the sign `s`
+ * at `pos`.
+ */
+private predicate hasGuard(SemSsaVariable v, SemSsaReadPosition pos, Sign s) {
+  s = TPos() and posBound(_, v, pos)
+  or
+  s = TNeg() and negBound(_, v, pos)
+  or
+  s = TZero() and zeroBound(_, v, pos)
+}
+
+/**
+ * Gets a possible sign of `v` at `pos` based on its definition, where the sign
+ * might be ruled out by a guard.
+ */
+pragma[noinline]
+private Sign guardedSsaSign(SemSsaVariable v, SemSsaReadPosition pos) {
+  result = semSsaDefSign(v) and
+  pos.hasReadOfVar(v) and
+  hasGuard(v, pos, result)
+}
+
+/**
+ * Gets a possible sign of `v` at `pos` based on its definition, where no guard
+ * can rule it out.
+ */
+pragma[noinline]
+private Sign unguardedSsaSign(SemSsaVariable v, SemSsaReadPosition pos) {
+  result = semSsaDefSign(v) and
+  pos.hasReadOfVar(v) and
+  not hasGuard(v, pos, result)
+}
+
+/**
+ * Gets a possible sign of `v` at read position `pos`, where a guard could have
+ * ruled out the sign but does not.
+ * This does not check that the definition of `v` also allows the sign.
+ */
+private Sign guardedSsaSignOk(SemSsaVariable v, SemSsaReadPosition pos) {
+  result = TPos() and
+  forex(SemExpr bound | posBound(bound, v, pos) | posBoundOk(bound, v, pos))
+  or
+  result = TNeg() and
+  forex(SemExpr bound | negBound(bound, v, pos) | negBoundOk(bound, v, pos))
+  or
+  result = TZero() and
+  forex(SemExpr bound | zeroBound(bound, v, pos) | zeroBoundOk(bound, v, pos))
+}
+
+/** Gets a possible sign for `v` at `pos`. */
+private Sign semSsaSign(SemSsaVariable v, SemSsaReadPosition pos) {
+  result = unguardedSsaSign(v, pos)
+  or
+  result = guardedSsaSign(v, pos) and
+  result = guardedSsaSignOk(v, pos)
+}
+
+/** Gets a possible sign for `v`. */
+pragma[nomagic]
+Sign semSsaDefSign(SemSsaVariable v) { result = v.(SignDef).getSign() }
+
+/** Gets a possible sign for `e`. */
+cached
+Sign semExprSign(SemExpr e) {
+  exists(Sign s | s = e.(SignExpr).getSign() |
+    if
+      getTrackedType(e) instanceof SemUnsignedIntegerType and
+      s = TNeg() and
+      not Specific::ignoreTypeRestrictions(e)
+    then result = TPos()
+    else result = s
+  )
+}
+
+/**
+ * Dummy predicate that holds for any sign. This is added to improve readability
+ * of cases where the sign is unrestricted.
+ */
+predicate semAnySign(Sign s) { any() }
+
+/** Holds if `e` can be positive and cannot be negative. */
+predicate semPositive(SemExpr e) {
+  semExprSign(e) = TPos() and
+  not semExprSign(e) = TNeg()
+}
+
+/** Holds if `e` can be negative and cannot be positive. */
+predicate semNegative(SemExpr e) {
+  semExprSign(e) = TNeg() and
+  not semExprSign(e) = TPos()
+}
+
+/** Holds if `e` is strictly positive. */
+predicate semStrictlyPositive(SemExpr e) {
+  semExprSign(e) = TPos() and
+  not semExprSign(e) = TNeg() and
+  not semExprSign(e) = TZero()
+}
+
+/** Holds if `e` is strictly negative. */
+predicate semStrictlyNegative(SemExpr e) {
+  semExprSign(e) = TNeg() and
+  not semExprSign(e) = TPos() and
+  not semExprSign(e) = TZero()
 }

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.5.2-dev
+version: 0.4.6-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
@@ -7,4 +7,3 @@ library: true
 upgrades: upgrades
 dependencies:
   codeql/ssa: ${workspace}
-  codeql/tutorial: ${workspace}

cpp/ql/lib/semmle/code/cpp/Function.qll

@@ -318,7 +318,7 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
   MetricFunction getMetrics() { result = this }
 
   /** Holds if this function calls the function `f`. */
-  predicate calls(Function f) { this.calls(f, _) }
+  predicate calls(Function f) { exists(Locatable l | this.calls(f, l)) }
 
   /**
    * Holds if this function calls the function `f` in the `FunctionCall`
@@ -335,7 +335,7 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
   }
 
   /** Holds if this function accesses a function or variable or enumerator `a`. */
-  predicate accesses(Declaration a) { this.accesses(a, _) }
+  predicate accesses(Declaration a) { exists(Locatable l | this.accesses(a, l)) }
 
   /**
    * Holds if this function accesses a function or variable or enumerator `a`

cpp/ql/lib/semmle/code/cpp/Location.qll

@@ -10,14 +10,12 @@ import semmle.code.cpp.File
  */
 class Location extends @location {
   /** Gets the container corresponding to this location. */
-  pragma[nomagic]
   Container getContainer() { this.fullLocationInfo(result, _, _, _, _) }
 
   /** Gets the file corresponding to this location, if any. */
   File getFile() { result = this.getContainer() }
 
   /** Gets the 1-based line number (inclusive) where this location starts. */
-  pragma[nomagic]
   int getStartLine() { this.fullLocationInfo(_, result, _, _, _) }
 
   /** Gets the 1-based column number (inclusive) where this location starts. */

cpp/ql/lib/semmle/code/cpp/Type.qll

@@ -816,12 +816,6 @@ private predicate floatingPointTypeMapping(
   or
   // _Float128x
   kind = 50 and base = 2 and domain = TRealDomain() and realKind = 50 and extended = true
-  or
-  // _Float16
-  kind = 52 and base = 2 and domain = TRealDomain() and realKind = 52 and extended = false
-  or
-  // _Complex _Float16
-  kind = 53 and base = 2 and domain = TComplexDomain() and realKind = 52 and extended = false
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/commons/Dependency.qll

@@ -33,7 +33,7 @@ DependencyOptions getDependencyOptions() { any() }
 class DependsSource extends Element {
   DependsSource() {
     // not inside a template instantiation
-    not this.isFromTemplateInstantiation(_) or
+    not exists(Element other | this.isFromTemplateInstantiation(other)) or
     // allow DeclarationEntrys of template specializations
     this.(DeclarationEntry).getDeclaration().(Function).isConstructedFrom(_) or
     this.(DeclarationEntry).getDeclaration().(Class).isConstructedFrom(_)

cpp/ql/lib/semmle/code/cpp/commons/Exclusions.qll

@@ -69,9 +69,12 @@ predicate functionContainsDisabledCode(Function f) {
  */
 predicate functionContainsPreprocCode(Function f) {
   // `f` contains a preprocessor branch
-  exists(string file, int pbdStartLine, int fBlockStartLine, int fBlockEndLine |
+  exists(
+    PreprocessorBranchDirective pbd, string file, int pbdStartLine, int fBlockStartLine,
+    int fBlockEndLine
+  |
     functionLocation(f, file, fBlockStartLine, fBlockEndLine) and
-    pbdLocation(_, file, pbdStartLine) and
+    pbdLocation(pbd, file, pbdStartLine) and
     pbdStartLine <= fBlockEndLine and
     pbdStartLine >= fBlockStartLine
   )

cpp/ql/lib/semmle/code/cpp/commons/Scanf.qll

@@ -244,7 +244,9 @@ class ScanfFormatLiteral extends Expr {
   /**
    * Gets the maximum width option of the nth input (empty string if none is given).
    */
-  string getMaxWidthOpt(int n) { this.parseConvSpec(n, _, result, _, _) }
+  string getMaxWidthOpt(int n) {
+    exists(string spec, string len, string conv | this.parseConvSpec(n, spec, result, len, conv))
+  }
 
   /**
    * Gets the maximum width of the nth input.
@@ -254,12 +256,18 @@ class ScanfFormatLiteral extends Expr {
   /**
    * Gets the length flag of the nth conversion specifier.
    */
-  string getLength(int n) { this.parseConvSpec(n, _, _, result, _) }
+  string getLength(int n) {
+    exists(string spec, string width, string conv |
+      this.parseConvSpec(n, spec, width, result, conv)
+    )
+  }
 
   /**
    * Gets the conversion character of the nth conversion specifier.
    */
-  string getConversionChar(int n) { this.parseConvSpec(n, _, _, _, result) }
+  string getConversionChar(int n) {
+    exists(string spec, string width, string len | this.parseConvSpec(n, spec, width, len, result))
+  }
 
   /**
    * Gets the maximum length of the string that can be produced by the nth

cpp/ql/lib/semmle/code/cpp/controlflow/SubBasicBlocks.qll

@@ -54,7 +54,7 @@ class SubBasicBlock extends ControlFlowNodeBase {
    * only condition under which a `SubBasicBlock` may have multiple
    * predecessors.
    */
-  predicate firstInBB() { this.getRankInBasicBlock(_) = 1 }
+  predicate firstInBB() { exists(BasicBlock bb | this.getRankInBasicBlock(bb) = 1) }
 
   /**
    * Holds if this `SubBasicBlock` comes last in its basic block. This is the

cpp/ql/lib/semmle/code/cpp/controlflow/internal/ConstantExprs.qll

@@ -441,8 +441,8 @@ library class ExprEvaluator extends int {
       req = mid.(AssignExpr).getRValue()
     )
     or
-    exists(Variable v, boolean sub1 |
-      this.interestingVariableAccess(e, _, v, sub1) and
+    exists(VariableAccess va, Variable v, boolean sub1 |
+      this.interestingVariableAccess(e, va, v, sub1) and
       req = v.getAnAssignedValue() and
       (sub1 = true implies not this.ignoreVariableAssignment(e, v, req)) and
       sub = false
@@ -876,7 +876,7 @@ private predicate nonAnalyzableVariableDefinition(Variable v, StmtParent def) {
  * empirically to have effect only on a few rare and pathological examples.
  */
 private predicate tractableVariable(Variable v) {
-  not nonAnalyzableVariableDefinition(v, _) or
+  not exists(StmtParent def | nonAnalyzableVariableDefinition(v, def)) or
   strictcount(StmtParent def | nonAnalyzableVariableDefinition(v, def)) < 1000
 }
 

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll

@@ -622,11 +622,7 @@ private predicate parameterFlowThroughAllowed(ParamNodeEx p, ReturnKindExt kind)
 }
 
 private module Stage1 implements StageSig {
-  class Ap extends int {
-    // workaround for bad functionality-induced joins (happens when using `Unit`)
-    pragma[nomagic]
-    Ap() { this in [0 .. 1] and this < 1 }
-  }
+  class Ap = Unit;
 
   private class Cc = boolean;
 
@@ -876,9 +872,9 @@ private module Stage1 implements StageSig {
 
   pragma[nomagic]
   private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(NodeEx out |
+    exists(DataFlowCall call, NodeEx out |
       revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
     )
   }
 
@@ -1331,8 +1327,8 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, ApApprox apa, Configuration config
     ) {
       fwdFlow0(node, state, cc, summaryCtx, argAp, ap, apa, config) and
       PrevStage::revFlow(node, state, apa, config) and
@@ -1341,21 +1337,21 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[inline]
     additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, Configuration config
     ) {
       fwdFlow(node, state, cc, summaryCtx, argAp, ap, _, config)
     }
 
     pragma[nomagic]
     private predicate fwdFlow0(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, ApApprox apa, Configuration config
     ) {
       sourceNode(node, state, config) and
       (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
       argAp = apNone() and
-      summaryCtx = TParamNodeNone() and
+      summaryCtx = TParameterPositionNone() and
       ap = getApNil(node) and
       apa = getApprox(ap)
       or
@@ -1376,7 +1372,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, pragma[only_bind_into](state), _, _, _, ap, apa, pragma[only_bind_into](config)) and
         jumpStep(mid, node, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone()
       )
       or
@@ -1384,7 +1380,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, state, _, _, _, nil, pragma[only_bind_into](config)) and
         additionalJumpStep(mid, node, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone() and
         ap = getApNil(node) and
         apa = getApprox(ap)
@@ -1394,7 +1390,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, state0, _, _, _, nil, pragma[only_bind_into](config)) and
         additionalJumpStateStep(mid, state0, node, state, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone() and
         ap = getApNil(node) and
         apa = getApprox(ap)
@@ -1418,10 +1414,10 @@ private module MkStage<StageSig PrevStage> {
       fwdFlowIn(_, node, state, _, cc, _, _, ap, apa, config) and
       if PrevStage::parameterMayFlowThrough(node, apa, config)
       then (
-        summaryCtx = TParamNodeSome(node.asNode()) and
+        summaryCtx = TParameterPositionSome(node.(ParamNodeEx).getPosition()) and
         argAp = apSome(ap)
       ) else (
-        summaryCtx = TParamNodeNone() and argAp = apNone()
+        summaryCtx = TParameterPositionNone() and argAp = apNone()
       )
       or
       // flow out of a callable
@@ -1437,19 +1433,16 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(
-        DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow, ApApprox innerArgApa
-      |
-        fwdFlowThrough(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, innerArgApa, config) and
-        flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow, innerArgApa, apa, config) and
-        if allowsFieldFlow = false then ap instanceof ApNil else any()
+      exists(DataFlowCall call, ParameterPosition summaryCtx0, Ap argAp0 |
+        fwdFlowOutFromArg(call, node, state, summaryCtx0, argAp0, ap, apa, config) and
+        fwdFlowIsEntered(call, cc, summaryCtx, argAp, summaryCtx0, argAp0, config)
       )
     }
 
     pragma[nomagic]
     private predicate fwdFlowStore(
       NodeEx node1, Ap ap1, TypedContent tc, NodeEx node2, FlowState state, Cc cc,
-      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
     ) {
       exists(DataFlowType contentType, ApApprox apa1 |
         fwdFlow(node1, state, cc, summaryCtx, argAp, ap1, apa1, config) and
@@ -1480,31 +1473,27 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate fwdFlowRead0(
-      NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
-      Configuration config
+      NodeEx node1, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ApNonNil ap, Configuration config
     ) {
       fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, _, _, config)
     }
 
-    bindingset[ap, c]
-    pragma[inline_late]
-    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
-
     pragma[nomagic]
     private predicate fwdFlowRead(
       Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
-      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
     ) {
       fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, c, node2, config) and
-      hasHeadContent(ap, c)
+      getHeadContent(ap) = c
     }
 
     pragma[nomagic]
     private predicate fwdFlowIn(
       DataFlowCall call, ParamNodeEx p, FlowState state, Cc outercc, CcCall innercc,
-      ParamNodeOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
     ) {
       exists(ArgNodeEx arg, boolean allowsFieldFlow |
         fwdFlow(arg, state, outercc, summaryCtx, argAp, ap, apa, config) and
@@ -1516,38 +1505,64 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate fwdFlowRetFromArg(
-      RetNodeEx ret, FlowState state, CcCall ccc, ParamNodeEx summaryCtx, Ap argAp, ApApprox argApa,
-      Ap ap, ApApprox apa, Configuration config
+      RetNodeEx ret, FlowState state, CcCall ccc, ParameterPosition summaryCtx, ParamNodeEx p,
+      Ap argAp, ApApprox argApa, Ap ap, ApApprox apa, Configuration config
     ) {
-      exists(ReturnKindExt kind |
+      exists(DataFlowCallable c, ReturnKindExt kind |
         fwdFlow(pragma[only_bind_into](ret), state, ccc,
-          TParamNodeSome(pragma[only_bind_into](summaryCtx.asNode())),
-          pragma[only_bind_into](apSome(argAp)), ap, pragma[only_bind_into](apa),
-          pragma[only_bind_into](config)) and
+          TParameterPositionSome(pragma[only_bind_into](summaryCtx)), apSome(argAp), ap, apa, config) and
+        getApprox(argAp) = argApa and
+        c = ret.getEnclosingCallable() and
         kind = ret.getKind() and
-        parameterFlowThroughAllowed(summaryCtx, kind) and
-        argApa = getApprox(argAp) and
-        PrevStage::returnMayFlowThrough(ret, argApa, apa, kind, pragma[only_bind_into](config))
+        p.isParameterOf(c, pragma[only_bind_into](summaryCtx)) and
+        parameterFlowThroughAllowed(p, kind)
       )
     }
 
     pragma[inline]
-    private predicate fwdFlowThrough0(
-      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
-      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ParamNodeEx innerSummaryCtx,
-      Ap innerArgAp, ApApprox innerArgApa, Configuration config
+    private predicate fwdFlowInMayFlowThrough(
+      DataFlowCall call, Cc cc, CcCall innerCc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ParamNodeEx param, Ap ap, ApApprox apa, Configuration config
     ) {
-      fwdFlowRetFromArg(ret, state, ccc, innerSummaryCtx, innerArgAp, innerArgApa, ap, apa, config) and
-      fwdFlowIsEntered(call, cc, ccc, summaryCtx, argAp, innerSummaryCtx, innerArgAp, config)
+      fwdFlowIn(call, pragma[only_bind_into](param), _, cc, innerCc, summaryCtx, argAp, ap,
+        pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
+      PrevStage::parameterMayFlowThrough(param, apa, config)
+    }
+
+    // dedup before joining with `flowThroughOutOfCall`
+    pragma[nomagic]
+    private predicate fwdFlowInMayFlowThroughProj(
+      DataFlowCall call, CcCall innerCc, ApApprox apa, Configuration config
+    ) {
+      fwdFlowInMayFlowThrough(call, _, innerCc, _, _, _, _, apa, config)
+    }
+
+    /**
+     * Same as `flowThroughOutOfCall`, but restricted to calls that are reached
+     * in the flow covered by `fwdFlow`, where data might flow through the target
+     * callable and back out at `call`.
+     */
+    pragma[nomagic]
+    private predicate fwdFlowThroughOutOfCall(
+      DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+      ApApprox argApa, ApApprox apa, Configuration config
+    ) {
+      fwdFlowInMayFlowThroughProj(call, ccc, argApa, config) and
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config)
     }
 
     pragma[nomagic]
-    private predicate fwdFlowThrough(
-      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
-      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ApApprox innerArgApa, Configuration config
+    private predicate fwdFlowOutFromArg(
+      DataFlowCall call, NodeEx out, FlowState state, ParameterPosition summaryCtx, Ap argAp, Ap ap,
+      ApApprox apa, Configuration config
     ) {
-      fwdFlowThrough0(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, _, _, innerArgApa,
-        config)
+      exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc, ApApprox argApa |
+        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc),
+          summaryCtx, _, argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa),
+          config) and
+        fwdFlowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config) and
+        (if allowsFieldFlow = false then ap instanceof ApNil else any())
+      )
     }
 
     /**
@@ -1556,14 +1571,12 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     private predicate fwdFlowIsEntered(
-      DataFlowCall call, Cc cc, CcCall innerCc, ParamNodeOption summaryCtx, ApOption argAp,
-      ParamNodeEx p, Ap ap, Configuration config
+      DataFlowCall call, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ParameterPosition pos, Ap ap, Configuration config
     ) {
-      exists(ApApprox apa |
-        fwdFlowIn(call, pragma[only_bind_into](p), _, cc, innerCc, summaryCtx, argAp, ap,
-          pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
-        PrevStage::parameterMayFlowThrough(p, apa, config) and
-        PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config))
+      exists(ParamNodeEx param |
+        fwdFlowInMayFlowThrough(call, cc, _, summaryCtx, argAp, param, ap, _, config) and
+        pos = param.getPosition()
       )
     }
 
@@ -1583,31 +1596,23 @@ private module MkStage<StageSig PrevStage> {
       fwdFlowConsCand(ap1, c, ap2, config)
     }
 
-    pragma[nomagic]
-    private predicate returnFlowsThrough0(
-      DataFlowCall call, FlowState state, CcCall ccc, Ap ap, ApApprox apa, RetNodeEx ret,
-      ParamNodeEx innerSummaryCtx, Ap innerArgAp, ApApprox innerArgApa, Configuration config
-    ) {
-      fwdFlowThrough0(call, _, state, ccc, _, _, ap, apa, ret, innerSummaryCtx, innerArgAp,
-        innerArgApa, config)
-    }
-
     pragma[nomagic]
     private predicate returnFlowsThrough(
-      RetNodeEx ret, ReturnPosition pos, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
+      RetNodeEx ret, ReturnKindExt kind, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
       Ap ap, Configuration config
     ) {
-      exists(DataFlowCall call, ApApprox apa, boolean allowsFieldFlow, ApApprox innerArgApa |
-        returnFlowsThrough0(call, state, ccc, ap, apa, ret, p, argAp, innerArgApa, config) and
-        flowThroughOutOfCall(call, ccc, ret, _, allowsFieldFlow, innerArgApa, apa, config) and
-        pos = ret.getReturnPosition() and
-        if allowsFieldFlow = false then ap instanceof ApNil else any()
+      exists(boolean allowsFieldFlow, ApApprox argApa, ApApprox apa |
+        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc), _, p,
+          argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa), config) and
+        kind = ret.getKind() and
+        fwdFlowThroughOutOfCall(_, ccc, ret, _, allowsFieldFlow, argApa, apa, config) and
+        (if allowsFieldFlow = false then ap instanceof ApNil else any())
       )
     }
 
     pragma[nomagic]
     private predicate flowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp, Ap ap,
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
       Configuration config
     ) {
       exists(ApApprox argApa |
@@ -1615,7 +1620,7 @@ private module MkStage<StageSig PrevStage> {
           allowsFieldFlow, argApa, pragma[only_bind_into](config)) and
         fwdFlow(arg, _, _, _, _, pragma[only_bind_into](argAp), argApa,
           pragma[only_bind_into](config)) and
-        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), ap,
+        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), _,
           pragma[only_bind_into](config)) and
         if allowsFieldFlow = false then argAp instanceof ApNil else any()
       )
@@ -1634,13 +1639,12 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate flowOutOfCallAp(
-      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, NodeEx out, boolean allowsFieldFlow,
+      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, NodeEx out, boolean allowsFieldFlow,
       Ap ap, Configuration config
     ) {
       exists(ApApprox apa |
-        flowOutOfCallApa(call, ret, _, out, allowsFieldFlow, apa, config) and
-        fwdFlow(ret, _, _, _, _, ap, apa, config) and
-        pos = ret.getReturnPosition()
+        flowOutOfCallApa(call, ret, kind, out, allowsFieldFlow, apa, config) and
+        fwdFlow(ret, _, _, _, _, ap, apa, config)
       )
     }
 
@@ -1735,17 +1739,17 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
-        flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
+      exists(DataFlowCall call, ReturnKindExt returnKind0, Ap returnAp0 |
+        revFlowInToReturn(call, node, state, returnKind0, returnAp0, ap, config) and
+        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
       )
       or
       // flow out of a callable
-      exists(ReturnPosition pos |
-        revFlowOut(_, node, pos, state, _, _, ap, config) and
-        if returnFlowsThrough(node, pos, state, _, _, _, ap, config)
+      exists(ReturnKindExt kind |
+        revFlowOut(_, node, kind, state, _, _, ap, config) and
+        if returnFlowsThrough(node, kind, state, _, _, _, ap, config)
         then (
-          returnCtx = TReturnCtxMaybeFlowThrough(pos) and
+          returnCtx = TReturnCtxMaybeFlowThrough(kind) and
           returnAp = apSome(ap)
         ) else (
           returnCtx = TReturnCtxNoFlowThrough() and returnAp = apNone()
@@ -1778,33 +1782,47 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate revFlowOut(
-      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, FlowState state, ReturnCtx returnCtx,
+      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, FlowState state, ReturnCtx returnCtx,
       ApOption returnAp, Ap ap, Configuration config
     ) {
       exists(NodeEx out, boolean allowsFieldFlow |
         revFlow(out, state, returnCtx, returnAp, ap, config) and
-        flowOutOfCallAp(call, ret, pos, out, allowsFieldFlow, ap, config) and
+        flowOutOfCallAp(call, ret, kind, out, allowsFieldFlow, ap, config) and
         if allowsFieldFlow = false then ap instanceof ApNil else any()
       )
     }
 
+    /**
+     * Same as `flowThroughIntoCall`, but restricted to calls that are reached
+     * in the flow covered by `revFlow`, where data might flow through the target
+     * callable and back out at `call`.
+     */
     pragma[nomagic]
-    private predicate revFlowParamToReturn(
-      ParamNodeEx p, FlowState state, ReturnPosition pos, Ap returnAp, Ap ap, Configuration config
+    private predicate revFlowThroughIntoCall(
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
+      Configuration config
     ) {
-      revFlow(pragma[only_bind_into](p), state, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp),
-        pragma[only_bind_into](ap), pragma[only_bind_into](config)) and
-      parameterFlowThroughAllowed(p, pos.getKind()) and
-      PrevStage::parameterMayFlowThrough(p, getApprox(ap), config)
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, argAp, config) and
+      revFlowIsReturned(call, _, _, _, _, config)
     }
 
     pragma[nomagic]
-    private predicate revFlowThrough(
-      DataFlowCall call, ReturnCtx returnCtx, ParamNodeEx p, FlowState state, ReturnPosition pos,
-      ApOption returnAp, Ap ap, Ap innerReturnAp, Configuration config
+    private predicate revFlowParamToReturn(
+      ParamNodeEx p, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap, Configuration config
     ) {
-      revFlowParamToReturn(p, state, pos, innerReturnAp, ap, config) and
-      revFlowIsReturned(call, returnCtx, returnAp, pos, innerReturnAp, config)
+      revFlow(p, state, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, kind)
+    }
+
+    pragma[nomagic]
+    private predicate revFlowInToReturn(
+      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap,
+      Configuration config
+    ) {
+      exists(ParamNodeEx p, boolean allowsFieldFlow |
+        revFlowParamToReturn(p, state, kind, returnAp, ap, config) and
+        revFlowThroughIntoCall(call, arg, p, allowsFieldFlow, ap, config)
+      )
     }
 
     /**
@@ -1814,12 +1832,12 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     private predicate revFlowIsReturned(
-      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnPosition pos, Ap ap,
+      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnKindExt kind, Ap ap,
       Configuration config
     ) {
       exists(RetNodeEx ret, FlowState state, CcCall ccc |
-        revFlowOut(call, ret, pos, state, returnCtx, returnAp, ap, config) and
-        returnFlowsThrough(ret, pos, state, ccc, _, _, ap, config) and
+        revFlowOut(call, ret, kind, state, returnCtx, returnAp, ap, config) and
+        returnFlowsThrough(ret, kind, state, ccc, _, _, ap, config) and
         matchesCall(ccc, call)
       )
     }
@@ -1897,17 +1915,17 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate parameterFlowsThroughRev(
-      ParamNodeEx p, Ap ap, ReturnPosition pos, Ap returnAp, Configuration config
+      ParamNodeEx p, Ap ap, ReturnKindExt kind, Ap returnAp, Configuration config
     ) {
-      revFlow(p, _, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, pos.getKind())
+      revFlow(p, _, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, kind)
     }
 
     pragma[nomagic]
     predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(ReturnPosition pos |
-        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
-        parameterFlowsThroughRev(p, ap, pos, _, config)
+      exists(RetNodeEx ret, ReturnKindExt kind |
+        returnFlowsThrough(ret, kind, _, _, p, ap, _, config) and
+        parameterFlowsThroughRev(p, ap, kind, _, config)
       )
     }
 
@@ -1915,21 +1933,20 @@ private module MkStage<StageSig PrevStage> {
     predicate returnMayFlowThrough(
       RetNodeEx ret, Ap argAp, Ap ap, ReturnKindExt kind, Configuration config
     ) {
-      exists(ParamNodeEx p, ReturnPosition pos |
-        returnFlowsThrough(ret, pos, _, _, p, argAp, ap, config) and
-        parameterFlowsThroughRev(p, argAp, pos, ap, config) and
-        kind = pos.getKind()
+      exists(ParamNodeEx p |
+        returnFlowsThrough(ret, kind, _, _, p, argAp, ap, config) and
+        parameterFlowsThroughRev(p, argAp, kind, ap, config)
       )
     }
 
     pragma[nomagic]
-    private predicate revFlowThroughArg(
+    predicate revFlowInToReturnIsReturned(
       DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
       Ap ap, Configuration config
     ) {
-      exists(ParamNodeEx p, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
-        flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
+      exists(ReturnKindExt returnKind0, Ap returnAp0 |
+        revFlowInToReturn(call, arg, state, returnKind0, returnAp0, ap, config) and
+        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
       )
     }
 
@@ -1937,7 +1954,7 @@ private module MkStage<StageSig PrevStage> {
     predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
       exists(ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap |
         revFlow(arg, state, returnCtx, returnAp, ap, config) and
-        revFlowThroughArg(call, arg, state, returnCtx, returnAp, ap, config)
+        revFlowInToReturnIsReturned(call, arg, state, returnCtx, returnAp, ap, config)
       )
     }
 
@@ -1950,9 +1967,8 @@ private module MkStage<StageSig PrevStage> {
       conscand = count(TypedContent f0, Ap ap | fwdConsCand(f0, ap, config)) and
       states = count(FlowState state | fwdFlow(_, state, _, _, _, _, config)) and
       tuples =
-        count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap |
-          fwdFlow(n, state, cc, summaryCtx, argAp, ap, config)
-        )
+        count(NodeEx n, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+          Ap ap | fwdFlow(n, state, cc, summaryCtx, argAp, ap, config))
       or
       fwd = false and
       nodes = count(NodeEx node | revFlow(node, _, _, _, _, config)) and
@@ -2807,12 +2823,13 @@ private Configuration unbindConf(Configuration conf) {
 
 pragma[nomagic]
 private predicate nodeMayUseSummary0(
-  NodeEx n, ParamNodeEx p, FlowState state, AccessPathApprox apa, Configuration config
+  NodeEx n, DataFlowCallable c, ParameterPosition pos, FlowState state, AccessPathApprox apa,
+  Configuration config
 ) {
   exists(AccessPathApprox apa0 |
-    Stage5::parameterMayFlowThrough(p, _, _) and
+    c = n.getEnclosingCallable() and
     Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0, config) and
-    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()),
+    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParameterPositionSome(pos),
       TAccessPathApproxSome(apa), apa0, config)
   )
 }
@@ -2821,9 +2838,10 @@ pragma[nomagic]
 private predicate nodeMayUseSummary(
   NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParamNodeEx p |
+  exists(DataFlowCallable c, ParameterPosition pos, ParamNodeEx p |
     Stage5::parameterMayFlowThrough(p, apa, config) and
-    nodeMayUseSummary0(n, p, state, apa, config)
+    nodeMayUseSummary0(n, c, pos, state, apa, config) and
+    p.isParameterOf(c, pos)
   )
 }
 
@@ -3753,8 +3771,8 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
   AccessPathApprox apa, Configuration config
 ) {
-  exists(RetNodeEx ret |
-    pathNode(_, ret, state, cc, sc, ap, config, _) and
+  exists(PathNodeMid mid, RetNodeEx ret |
+    pathNode(mid, ret, state, cc, sc, ap, config, _) and
     kind = ret.getKind() and
     apa = ap.getApprox() and
     parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4216,15 +4234,17 @@ private module FlowExploration {
       ap = TRevPartialNil() and
       exists(config.explorationLimit())
       or
-      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
-      not clearsContentEx(node, ap.getHead()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead())
-      ) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
+      exists(PartialPathNodeRev mid |
+        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
+        not clearsContentEx(node, ap.getHead()) and
+        (
+          notExpectsContent(node) or
+          expectsContentEx(node, ap.getHead())
+        ) and
+        not fullBarrier(node, config) and
+        not stateBarrier(node, state, config) and
+        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
+      )
     }
 
   pragma[nomagic]
@@ -4232,17 +4252,19 @@ private module FlowExploration {
     NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
   ) {
-    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
-    not fullBarrier(node, config) and
-    not stateBarrier(node, state, config) and
-    not clearsContentEx(node, ap.getHead().getContent()) and
-    (
-      notExpectsContent(node) or
-      expectsContentEx(node, ap.getHead().getContent())
-    ) and
-    if node.asNode() instanceof CastingNode
-    then compatibleTypes(node.getDataFlowType(), ap.getType())
-    else any()
+    exists(PartialPathNodeFwd mid |
+      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      not clearsContentEx(node, ap.getHead().getContent()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead().getContent())
+      ) and
+      if node.asNode() instanceof CastingNode
+      then compatibleTypes(node.getDataFlowType(), ap.getType())
+      else any()
+    )
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll

@@ -622,11 +622,7 @@ private predicate parameterFlowThroughAllowed(ParamNodeEx p, ReturnKindExt kind)
 }
 
 private module Stage1 implements StageSig {
-  class Ap extends int {
-    // workaround for bad functionality-induced joins (happens when using `Unit`)
-    pragma[nomagic]
-    Ap() { this in [0 .. 1] and this < 1 }
-  }
+  class Ap = Unit;
 
   private class Cc = boolean;
 
@@ -876,9 +872,9 @@ private module Stage1 implements StageSig {
 
   pragma[nomagic]
   private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(NodeEx out |
+    exists(DataFlowCall call, NodeEx out |
       revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
     )
   }
 
@@ -1331,8 +1327,8 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, ApApprox apa, Configuration config
     ) {
       fwdFlow0(node, state, cc, summaryCtx, argAp, ap, apa, config) and
       PrevStage::revFlow(node, state, apa, config) and
@@ -1341,21 +1337,21 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[inline]
     additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, Configuration config
     ) {
       fwdFlow(node, state, cc, summaryCtx, argAp, ap, _, config)
     }
 
     pragma[nomagic]
     private predicate fwdFlow0(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, ApApprox apa, Configuration config
     ) {
       sourceNode(node, state, config) and
       (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
       argAp = apNone() and
-      summaryCtx = TParamNodeNone() and
+      summaryCtx = TParameterPositionNone() and
       ap = getApNil(node) and
       apa = getApprox(ap)
       or
@@ -1376,7 +1372,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, pragma[only_bind_into](state), _, _, _, ap, apa, pragma[only_bind_into](config)) and
         jumpStep(mid, node, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone()
       )
       or
@@ -1384,7 +1380,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, state, _, _, _, nil, pragma[only_bind_into](config)) and
         additionalJumpStep(mid, node, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone() and
         ap = getApNil(node) and
         apa = getApprox(ap)
@@ -1394,7 +1390,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, state0, _, _, _, nil, pragma[only_bind_into](config)) and
         additionalJumpStateStep(mid, state0, node, state, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone() and
         ap = getApNil(node) and
         apa = getApprox(ap)
@@ -1418,10 +1414,10 @@ private module MkStage<StageSig PrevStage> {
       fwdFlowIn(_, node, state, _, cc, _, _, ap, apa, config) and
       if PrevStage::parameterMayFlowThrough(node, apa, config)
       then (
-        summaryCtx = TParamNodeSome(node.asNode()) and
+        summaryCtx = TParameterPositionSome(node.(ParamNodeEx).getPosition()) and
         argAp = apSome(ap)
       ) else (
-        summaryCtx = TParamNodeNone() and argAp = apNone()
+        summaryCtx = TParameterPositionNone() and argAp = apNone()
       )
       or
       // flow out of a callable
@@ -1437,19 +1433,16 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(
-        DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow, ApApprox innerArgApa
-      |
-        fwdFlowThrough(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, innerArgApa, config) and
-        flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow, innerArgApa, apa, config) and
-        if allowsFieldFlow = false then ap instanceof ApNil else any()
+      exists(DataFlowCall call, ParameterPosition summaryCtx0, Ap argAp0 |
+        fwdFlowOutFromArg(call, node, state, summaryCtx0, argAp0, ap, apa, config) and
+        fwdFlowIsEntered(call, cc, summaryCtx, argAp, summaryCtx0, argAp0, config)
       )
     }
 
     pragma[nomagic]
     private predicate fwdFlowStore(
       NodeEx node1, Ap ap1, TypedContent tc, NodeEx node2, FlowState state, Cc cc,
-      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
     ) {
       exists(DataFlowType contentType, ApApprox apa1 |
         fwdFlow(node1, state, cc, summaryCtx, argAp, ap1, apa1, config) and
@@ -1480,31 +1473,27 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate fwdFlowRead0(
-      NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
-      Configuration config
+      NodeEx node1, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ApNonNil ap, Configuration config
     ) {
       fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, _, _, config)
     }
 
-    bindingset[ap, c]
-    pragma[inline_late]
-    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
-
     pragma[nomagic]
     private predicate fwdFlowRead(
       Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
-      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
     ) {
       fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, c, node2, config) and
-      hasHeadContent(ap, c)
+      getHeadContent(ap) = c
     }
 
     pragma[nomagic]
     private predicate fwdFlowIn(
       DataFlowCall call, ParamNodeEx p, FlowState state, Cc outercc, CcCall innercc,
-      ParamNodeOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
     ) {
       exists(ArgNodeEx arg, boolean allowsFieldFlow |
         fwdFlow(arg, state, outercc, summaryCtx, argAp, ap, apa, config) and
@@ -1516,38 +1505,64 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate fwdFlowRetFromArg(
-      RetNodeEx ret, FlowState state, CcCall ccc, ParamNodeEx summaryCtx, Ap argAp, ApApprox argApa,
-      Ap ap, ApApprox apa, Configuration config
+      RetNodeEx ret, FlowState state, CcCall ccc, ParameterPosition summaryCtx, ParamNodeEx p,
+      Ap argAp, ApApprox argApa, Ap ap, ApApprox apa, Configuration config
     ) {
-      exists(ReturnKindExt kind |
+      exists(DataFlowCallable c, ReturnKindExt kind |
         fwdFlow(pragma[only_bind_into](ret), state, ccc,
-          TParamNodeSome(pragma[only_bind_into](summaryCtx.asNode())),
-          pragma[only_bind_into](apSome(argAp)), ap, pragma[only_bind_into](apa),
-          pragma[only_bind_into](config)) and
+          TParameterPositionSome(pragma[only_bind_into](summaryCtx)), apSome(argAp), ap, apa, config) and
+        getApprox(argAp) = argApa and
+        c = ret.getEnclosingCallable() and
         kind = ret.getKind() and
-        parameterFlowThroughAllowed(summaryCtx, kind) and
-        argApa = getApprox(argAp) and
-        PrevStage::returnMayFlowThrough(ret, argApa, apa, kind, pragma[only_bind_into](config))
+        p.isParameterOf(c, pragma[only_bind_into](summaryCtx)) and
+        parameterFlowThroughAllowed(p, kind)
       )
     }
 
     pragma[inline]
-    private predicate fwdFlowThrough0(
-      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
-      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ParamNodeEx innerSummaryCtx,
-      Ap innerArgAp, ApApprox innerArgApa, Configuration config
+    private predicate fwdFlowInMayFlowThrough(
+      DataFlowCall call, Cc cc, CcCall innerCc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ParamNodeEx param, Ap ap, ApApprox apa, Configuration config
     ) {
-      fwdFlowRetFromArg(ret, state, ccc, innerSummaryCtx, innerArgAp, innerArgApa, ap, apa, config) and
-      fwdFlowIsEntered(call, cc, ccc, summaryCtx, argAp, innerSummaryCtx, innerArgAp, config)
+      fwdFlowIn(call, pragma[only_bind_into](param), _, cc, innerCc, summaryCtx, argAp, ap,
+        pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
+      PrevStage::parameterMayFlowThrough(param, apa, config)
+    }
+
+    // dedup before joining with `flowThroughOutOfCall`
+    pragma[nomagic]
+    private predicate fwdFlowInMayFlowThroughProj(
+      DataFlowCall call, CcCall innerCc, ApApprox apa, Configuration config
+    ) {
+      fwdFlowInMayFlowThrough(call, _, innerCc, _, _, _, _, apa, config)
+    }
+
+    /**
+     * Same as `flowThroughOutOfCall`, but restricted to calls that are reached
+     * in the flow covered by `fwdFlow`, where data might flow through the target
+     * callable and back out at `call`.
+     */
+    pragma[nomagic]
+    private predicate fwdFlowThroughOutOfCall(
+      DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+      ApApprox argApa, ApApprox apa, Configuration config
+    ) {
+      fwdFlowInMayFlowThroughProj(call, ccc, argApa, config) and
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config)
     }
 
     pragma[nomagic]
-    private predicate fwdFlowThrough(
-      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
-      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ApApprox innerArgApa, Configuration config
+    private predicate fwdFlowOutFromArg(
+      DataFlowCall call, NodeEx out, FlowState state, ParameterPosition summaryCtx, Ap argAp, Ap ap,
+      ApApprox apa, Configuration config
     ) {
-      fwdFlowThrough0(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, _, _, innerArgApa,
-        config)
+      exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc, ApApprox argApa |
+        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc),
+          summaryCtx, _, argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa),
+          config) and
+        fwdFlowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config) and
+        (if allowsFieldFlow = false then ap instanceof ApNil else any())
+      )
     }
 
     /**
@@ -1556,14 +1571,12 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     private predicate fwdFlowIsEntered(
-      DataFlowCall call, Cc cc, CcCall innerCc, ParamNodeOption summaryCtx, ApOption argAp,
-      ParamNodeEx p, Ap ap, Configuration config
+      DataFlowCall call, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ParameterPosition pos, Ap ap, Configuration config
     ) {
-      exists(ApApprox apa |
-        fwdFlowIn(call, pragma[only_bind_into](p), _, cc, innerCc, summaryCtx, argAp, ap,
-          pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
-        PrevStage::parameterMayFlowThrough(p, apa, config) and
-        PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config))
+      exists(ParamNodeEx param |
+        fwdFlowInMayFlowThrough(call, cc, _, summaryCtx, argAp, param, ap, _, config) and
+        pos = param.getPosition()
       )
     }
 
@@ -1583,31 +1596,23 @@ private module MkStage<StageSig PrevStage> {
       fwdFlowConsCand(ap1, c, ap2, config)
     }
 
-    pragma[nomagic]
-    private predicate returnFlowsThrough0(
-      DataFlowCall call, FlowState state, CcCall ccc, Ap ap, ApApprox apa, RetNodeEx ret,
-      ParamNodeEx innerSummaryCtx, Ap innerArgAp, ApApprox innerArgApa, Configuration config
-    ) {
-      fwdFlowThrough0(call, _, state, ccc, _, _, ap, apa, ret, innerSummaryCtx, innerArgAp,
-        innerArgApa, config)
-    }
-
     pragma[nomagic]
     private predicate returnFlowsThrough(
-      RetNodeEx ret, ReturnPosition pos, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
+      RetNodeEx ret, ReturnKindExt kind, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
       Ap ap, Configuration config
     ) {
-      exists(DataFlowCall call, ApApprox apa, boolean allowsFieldFlow, ApApprox innerArgApa |
-        returnFlowsThrough0(call, state, ccc, ap, apa, ret, p, argAp, innerArgApa, config) and
-        flowThroughOutOfCall(call, ccc, ret, _, allowsFieldFlow, innerArgApa, apa, config) and
-        pos = ret.getReturnPosition() and
-        if allowsFieldFlow = false then ap instanceof ApNil else any()
+      exists(boolean allowsFieldFlow, ApApprox argApa, ApApprox apa |
+        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc), _, p,
+          argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa), config) and
+        kind = ret.getKind() and
+        fwdFlowThroughOutOfCall(_, ccc, ret, _, allowsFieldFlow, argApa, apa, config) and
+        (if allowsFieldFlow = false then ap instanceof ApNil else any())
       )
     }
 
     pragma[nomagic]
     private predicate flowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp, Ap ap,
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
       Configuration config
     ) {
       exists(ApApprox argApa |
@@ -1615,7 +1620,7 @@ private module MkStage<StageSig PrevStage> {
           allowsFieldFlow, argApa, pragma[only_bind_into](config)) and
         fwdFlow(arg, _, _, _, _, pragma[only_bind_into](argAp), argApa,
           pragma[only_bind_into](config)) and
-        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), ap,
+        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), _,
           pragma[only_bind_into](config)) and
         if allowsFieldFlow = false then argAp instanceof ApNil else any()
       )
@@ -1634,13 +1639,12 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate flowOutOfCallAp(
-      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, NodeEx out, boolean allowsFieldFlow,
+      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, NodeEx out, boolean allowsFieldFlow,
       Ap ap, Configuration config
     ) {
       exists(ApApprox apa |
-        flowOutOfCallApa(call, ret, _, out, allowsFieldFlow, apa, config) and
-        fwdFlow(ret, _, _, _, _, ap, apa, config) and
-        pos = ret.getReturnPosition()
+        flowOutOfCallApa(call, ret, kind, out, allowsFieldFlow, apa, config) and
+        fwdFlow(ret, _, _, _, _, ap, apa, config)
       )
     }
 
@@ -1735,17 +1739,17 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
-        flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
+      exists(DataFlowCall call, ReturnKindExt returnKind0, Ap returnAp0 |
+        revFlowInToReturn(call, node, state, returnKind0, returnAp0, ap, config) and
+        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
       )
       or
       // flow out of a callable
-      exists(ReturnPosition pos |
-        revFlowOut(_, node, pos, state, _, _, ap, config) and
-        if returnFlowsThrough(node, pos, state, _, _, _, ap, config)
+      exists(ReturnKindExt kind |
+        revFlowOut(_, node, kind, state, _, _, ap, config) and
+        if returnFlowsThrough(node, kind, state, _, _, _, ap, config)
         then (
-          returnCtx = TReturnCtxMaybeFlowThrough(pos) and
+          returnCtx = TReturnCtxMaybeFlowThrough(kind) and
           returnAp = apSome(ap)
         ) else (
           returnCtx = TReturnCtxNoFlowThrough() and returnAp = apNone()
@@ -1778,33 +1782,47 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate revFlowOut(
-      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, FlowState state, ReturnCtx returnCtx,
+      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, FlowState state, ReturnCtx returnCtx,
       ApOption returnAp, Ap ap, Configuration config
     ) {
       exists(NodeEx out, boolean allowsFieldFlow |
         revFlow(out, state, returnCtx, returnAp, ap, config) and
-        flowOutOfCallAp(call, ret, pos, out, allowsFieldFlow, ap, config) and
+        flowOutOfCallAp(call, ret, kind, out, allowsFieldFlow, ap, config) and
         if allowsFieldFlow = false then ap instanceof ApNil else any()
       )
     }
 
+    /**
+     * Same as `flowThroughIntoCall`, but restricted to calls that are reached
+     * in the flow covered by `revFlow`, where data might flow through the target
+     * callable and back out at `call`.
+     */
     pragma[nomagic]
-    private predicate revFlowParamToReturn(
-      ParamNodeEx p, FlowState state, ReturnPosition pos, Ap returnAp, Ap ap, Configuration config
+    private predicate revFlowThroughIntoCall(
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
+      Configuration config
     ) {
-      revFlow(pragma[only_bind_into](p), state, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp),
-        pragma[only_bind_into](ap), pragma[only_bind_into](config)) and
-      parameterFlowThroughAllowed(p, pos.getKind()) and
-      PrevStage::parameterMayFlowThrough(p, getApprox(ap), config)
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, argAp, config) and
+      revFlowIsReturned(call, _, _, _, _, config)
     }
 
     pragma[nomagic]
-    private predicate revFlowThrough(
-      DataFlowCall call, ReturnCtx returnCtx, ParamNodeEx p, FlowState state, ReturnPosition pos,
-      ApOption returnAp, Ap ap, Ap innerReturnAp, Configuration config
+    private predicate revFlowParamToReturn(
+      ParamNodeEx p, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap, Configuration config
     ) {
-      revFlowParamToReturn(p, state, pos, innerReturnAp, ap, config) and
-      revFlowIsReturned(call, returnCtx, returnAp, pos, innerReturnAp, config)
+      revFlow(p, state, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, kind)
+    }
+
+    pragma[nomagic]
+    private predicate revFlowInToReturn(
+      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap,
+      Configuration config
+    ) {
+      exists(ParamNodeEx p, boolean allowsFieldFlow |
+        revFlowParamToReturn(p, state, kind, returnAp, ap, config) and
+        revFlowThroughIntoCall(call, arg, p, allowsFieldFlow, ap, config)
+      )
     }
 
     /**
@@ -1814,12 +1832,12 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     private predicate revFlowIsReturned(
-      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnPosition pos, Ap ap,
+      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnKindExt kind, Ap ap,
       Configuration config
     ) {
       exists(RetNodeEx ret, FlowState state, CcCall ccc |
-        revFlowOut(call, ret, pos, state, returnCtx, returnAp, ap, config) and
-        returnFlowsThrough(ret, pos, state, ccc, _, _, ap, config) and
+        revFlowOut(call, ret, kind, state, returnCtx, returnAp, ap, config) and
+        returnFlowsThrough(ret, kind, state, ccc, _, _, ap, config) and
         matchesCall(ccc, call)
       )
     }
@@ -1897,17 +1915,17 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate parameterFlowsThroughRev(
-      ParamNodeEx p, Ap ap, ReturnPosition pos, Ap returnAp, Configuration config
+      ParamNodeEx p, Ap ap, ReturnKindExt kind, Ap returnAp, Configuration config
     ) {
-      revFlow(p, _, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, pos.getKind())
+      revFlow(p, _, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, kind)
     }
 
     pragma[nomagic]
     predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(ReturnPosition pos |
-        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
-        parameterFlowsThroughRev(p, ap, pos, _, config)
+      exists(RetNodeEx ret, ReturnKindExt kind |
+        returnFlowsThrough(ret, kind, _, _, p, ap, _, config) and
+        parameterFlowsThroughRev(p, ap, kind, _, config)
       )
     }
 
@@ -1915,21 +1933,20 @@ private module MkStage<StageSig PrevStage> {
     predicate returnMayFlowThrough(
       RetNodeEx ret, Ap argAp, Ap ap, ReturnKindExt kind, Configuration config
     ) {
-      exists(ParamNodeEx p, ReturnPosition pos |
-        returnFlowsThrough(ret, pos, _, _, p, argAp, ap, config) and
-        parameterFlowsThroughRev(p, argAp, pos, ap, config) and
-        kind = pos.getKind()
+      exists(ParamNodeEx p |
+        returnFlowsThrough(ret, kind, _, _, p, argAp, ap, config) and
+        parameterFlowsThroughRev(p, argAp, kind, ap, config)
       )
     }
 
     pragma[nomagic]
-    private predicate revFlowThroughArg(
+    predicate revFlowInToReturnIsReturned(
       DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
       Ap ap, Configuration config
     ) {
-      exists(ParamNodeEx p, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
-        flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
+      exists(ReturnKindExt returnKind0, Ap returnAp0 |
+        revFlowInToReturn(call, arg, state, returnKind0, returnAp0, ap, config) and
+        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
       )
     }
 
@@ -1937,7 +1954,7 @@ private module MkStage<StageSig PrevStage> {
     predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
       exists(ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap |
         revFlow(arg, state, returnCtx, returnAp, ap, config) and
-        revFlowThroughArg(call, arg, state, returnCtx, returnAp, ap, config)
+        revFlowInToReturnIsReturned(call, arg, state, returnCtx, returnAp, ap, config)
       )
     }
 
@@ -1950,9 +1967,8 @@ private module MkStage<StageSig PrevStage> {
       conscand = count(TypedContent f0, Ap ap | fwdConsCand(f0, ap, config)) and
       states = count(FlowState state | fwdFlow(_, state, _, _, _, _, config)) and
       tuples =
-        count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap |
-          fwdFlow(n, state, cc, summaryCtx, argAp, ap, config)
-        )
+        count(NodeEx n, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+          Ap ap | fwdFlow(n, state, cc, summaryCtx, argAp, ap, config))
       or
       fwd = false and
       nodes = count(NodeEx node | revFlow(node, _, _, _, _, config)) and
@@ -2807,12 +2823,13 @@ private Configuration unbindConf(Configuration conf) {
 
 pragma[nomagic]
 private predicate nodeMayUseSummary0(
-  NodeEx n, ParamNodeEx p, FlowState state, AccessPathApprox apa, Configuration config
+  NodeEx n, DataFlowCallable c, ParameterPosition pos, FlowState state, AccessPathApprox apa,
+  Configuration config
 ) {
   exists(AccessPathApprox apa0 |
-    Stage5::parameterMayFlowThrough(p, _, _) and
+    c = n.getEnclosingCallable() and
     Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0, config) and
-    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()),
+    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParameterPositionSome(pos),
       TAccessPathApproxSome(apa), apa0, config)
   )
 }
@@ -2821,9 +2838,10 @@ pragma[nomagic]
 private predicate nodeMayUseSummary(
   NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParamNodeEx p |
+  exists(DataFlowCallable c, ParameterPosition pos, ParamNodeEx p |
     Stage5::parameterMayFlowThrough(p, apa, config) and
-    nodeMayUseSummary0(n, p, state, apa, config)
+    nodeMayUseSummary0(n, c, pos, state, apa, config) and
+    p.isParameterOf(c, pos)
   )
 }
 
@@ -3753,8 +3771,8 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
   AccessPathApprox apa, Configuration config
 ) {
-  exists(RetNodeEx ret |
-    pathNode(_, ret, state, cc, sc, ap, config, _) and
+  exists(PathNodeMid mid, RetNodeEx ret |
+    pathNode(mid, ret, state, cc, sc, ap, config, _) and
     kind = ret.getKind() and
     apa = ap.getApprox() and
     parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4216,15 +4234,17 @@ private module FlowExploration {
       ap = TRevPartialNil() and
       exists(config.explorationLimit())
       or
-      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
-      not clearsContentEx(node, ap.getHead()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead())
-      ) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
+      exists(PartialPathNodeRev mid |
+        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
+        not clearsContentEx(node, ap.getHead()) and
+        (
+          notExpectsContent(node) or
+          expectsContentEx(node, ap.getHead())
+        ) and
+        not fullBarrier(node, config) and
+        not stateBarrier(node, state, config) and
+        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
+      )
     }
 
   pragma[nomagic]
@@ -4232,17 +4252,19 @@ private module FlowExploration {
     NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
   ) {
-    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
-    not fullBarrier(node, config) and
-    not stateBarrier(node, state, config) and
-    not clearsContentEx(node, ap.getHead().getContent()) and
-    (
-      notExpectsContent(node) or
-      expectsContentEx(node, ap.getHead().getContent())
-    ) and
-    if node.asNode() instanceof CastingNode
-    then compatibleTypes(node.getDataFlowType(), ap.getType())
-    else any()
+    exists(PartialPathNodeFwd mid |
+      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      not clearsContentEx(node, ap.getHead().getContent()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead().getContent())
+      ) and
+      if node.asNode() instanceof CastingNode
+      then compatibleTypes(node.getDataFlowType(), ap.getType())
+      else any()
+    )
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll

@@ -622,11 +622,7 @@ private predicate parameterFlowThroughAllowed(ParamNodeEx p, ReturnKindExt kind)
 }
 
 private module Stage1 implements StageSig {
-  class Ap extends int {
-    // workaround for bad functionality-induced joins (happens when using `Unit`)
-    pragma[nomagic]
-    Ap() { this in [0 .. 1] and this < 1 }
-  }
+  class Ap = Unit;
 
   private class Cc = boolean;
 
@@ -876,9 +872,9 @@ private module Stage1 implements StageSig {
 
   pragma[nomagic]
   private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(NodeEx out |
+    exists(DataFlowCall call, NodeEx out |
       revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
     )
   }
 
@@ -1331,8 +1327,8 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, ApApprox apa, Configuration config
     ) {
       fwdFlow0(node, state, cc, summaryCtx, argAp, ap, apa, config) and
       PrevStage::revFlow(node, state, apa, config) and
@@ -1341,21 +1337,21 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[inline]
     additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, Configuration config
     ) {
       fwdFlow(node, state, cc, summaryCtx, argAp, ap, _, config)
     }
 
     pragma[nomagic]
     private predicate fwdFlow0(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, ApApprox apa, Configuration config
     ) {
       sourceNode(node, state, config) and
       (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
       argAp = apNone() and
-      summaryCtx = TParamNodeNone() and
+      summaryCtx = TParameterPositionNone() and
       ap = getApNil(node) and
       apa = getApprox(ap)
       or
@@ -1376,7 +1372,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, pragma[only_bind_into](state), _, _, _, ap, apa, pragma[only_bind_into](config)) and
         jumpStep(mid, node, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone()
       )
       or
@@ -1384,7 +1380,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, state, _, _, _, nil, pragma[only_bind_into](config)) and
         additionalJumpStep(mid, node, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone() and
         ap = getApNil(node) and
         apa = getApprox(ap)
@@ -1394,7 +1390,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, state0, _, _, _, nil, pragma[only_bind_into](config)) and
         additionalJumpStateStep(mid, state0, node, state, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone() and
         ap = getApNil(node) and
         apa = getApprox(ap)
@@ -1418,10 +1414,10 @@ private module MkStage<StageSig PrevStage> {
       fwdFlowIn(_, node, state, _, cc, _, _, ap, apa, config) and
       if PrevStage::parameterMayFlowThrough(node, apa, config)
       then (
-        summaryCtx = TParamNodeSome(node.asNode()) and
+        summaryCtx = TParameterPositionSome(node.(ParamNodeEx).getPosition()) and
         argAp = apSome(ap)
       ) else (
-        summaryCtx = TParamNodeNone() and argAp = apNone()
+        summaryCtx = TParameterPositionNone() and argAp = apNone()
       )
       or
       // flow out of a callable
@@ -1437,19 +1433,16 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(
-        DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow, ApApprox innerArgApa
-      |
-        fwdFlowThrough(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, innerArgApa, config) and
-        flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow, innerArgApa, apa, config) and
-        if allowsFieldFlow = false then ap instanceof ApNil else any()
+      exists(DataFlowCall call, ParameterPosition summaryCtx0, Ap argAp0 |
+        fwdFlowOutFromArg(call, node, state, summaryCtx0, argAp0, ap, apa, config) and
+        fwdFlowIsEntered(call, cc, summaryCtx, argAp, summaryCtx0, argAp0, config)
       )
     }
 
     pragma[nomagic]
     private predicate fwdFlowStore(
       NodeEx node1, Ap ap1, TypedContent tc, NodeEx node2, FlowState state, Cc cc,
-      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
     ) {
       exists(DataFlowType contentType, ApApprox apa1 |
         fwdFlow(node1, state, cc, summaryCtx, argAp, ap1, apa1, config) and
@@ -1480,31 +1473,27 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate fwdFlowRead0(
-      NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
-      Configuration config
+      NodeEx node1, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ApNonNil ap, Configuration config
     ) {
       fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, _, _, config)
     }
 
-    bindingset[ap, c]
-    pragma[inline_late]
-    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
-
     pragma[nomagic]
     private predicate fwdFlowRead(
       Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
-      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
     ) {
       fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, c, node2, config) and
-      hasHeadContent(ap, c)
+      getHeadContent(ap) = c
     }
 
     pragma[nomagic]
     private predicate fwdFlowIn(
       DataFlowCall call, ParamNodeEx p, FlowState state, Cc outercc, CcCall innercc,
-      ParamNodeOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
     ) {
       exists(ArgNodeEx arg, boolean allowsFieldFlow |
         fwdFlow(arg, state, outercc, summaryCtx, argAp, ap, apa, config) and
@@ -1516,38 +1505,64 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate fwdFlowRetFromArg(
-      RetNodeEx ret, FlowState state, CcCall ccc, ParamNodeEx summaryCtx, Ap argAp, ApApprox argApa,
-      Ap ap, ApApprox apa, Configuration config
+      RetNodeEx ret, FlowState state, CcCall ccc, ParameterPosition summaryCtx, ParamNodeEx p,
+      Ap argAp, ApApprox argApa, Ap ap, ApApprox apa, Configuration config
     ) {
-      exists(ReturnKindExt kind |
+      exists(DataFlowCallable c, ReturnKindExt kind |
         fwdFlow(pragma[only_bind_into](ret), state, ccc,
-          TParamNodeSome(pragma[only_bind_into](summaryCtx.asNode())),
-          pragma[only_bind_into](apSome(argAp)), ap, pragma[only_bind_into](apa),
-          pragma[only_bind_into](config)) and
+          TParameterPositionSome(pragma[only_bind_into](summaryCtx)), apSome(argAp), ap, apa, config) and
+        getApprox(argAp) = argApa and
+        c = ret.getEnclosingCallable() and
         kind = ret.getKind() and
-        parameterFlowThroughAllowed(summaryCtx, kind) and
-        argApa = getApprox(argAp) and
-        PrevStage::returnMayFlowThrough(ret, argApa, apa, kind, pragma[only_bind_into](config))
+        p.isParameterOf(c, pragma[only_bind_into](summaryCtx)) and
+        parameterFlowThroughAllowed(p, kind)
       )
     }
 
     pragma[inline]
-    private predicate fwdFlowThrough0(
-      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
-      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ParamNodeEx innerSummaryCtx,
-      Ap innerArgAp, ApApprox innerArgApa, Configuration config
+    private predicate fwdFlowInMayFlowThrough(
+      DataFlowCall call, Cc cc, CcCall innerCc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ParamNodeEx param, Ap ap, ApApprox apa, Configuration config
     ) {
-      fwdFlowRetFromArg(ret, state, ccc, innerSummaryCtx, innerArgAp, innerArgApa, ap, apa, config) and
-      fwdFlowIsEntered(call, cc, ccc, summaryCtx, argAp, innerSummaryCtx, innerArgAp, config)
+      fwdFlowIn(call, pragma[only_bind_into](param), _, cc, innerCc, summaryCtx, argAp, ap,
+        pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
+      PrevStage::parameterMayFlowThrough(param, apa, config)
+    }
+
+    // dedup before joining with `flowThroughOutOfCall`
+    pragma[nomagic]
+    private predicate fwdFlowInMayFlowThroughProj(
+      DataFlowCall call, CcCall innerCc, ApApprox apa, Configuration config
+    ) {
+      fwdFlowInMayFlowThrough(call, _, innerCc, _, _, _, _, apa, config)
+    }
+
+    /**
+     * Same as `flowThroughOutOfCall`, but restricted to calls that are reached
+     * in the flow covered by `fwdFlow`, where data might flow through the target
+     * callable and back out at `call`.
+     */
+    pragma[nomagic]
+    private predicate fwdFlowThroughOutOfCall(
+      DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+      ApApprox argApa, ApApprox apa, Configuration config
+    ) {
+      fwdFlowInMayFlowThroughProj(call, ccc, argApa, config) and
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config)
     }
 
     pragma[nomagic]
-    private predicate fwdFlowThrough(
-      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
-      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ApApprox innerArgApa, Configuration config
+    private predicate fwdFlowOutFromArg(
+      DataFlowCall call, NodeEx out, FlowState state, ParameterPosition summaryCtx, Ap argAp, Ap ap,
+      ApApprox apa, Configuration config
     ) {
-      fwdFlowThrough0(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, _, _, innerArgApa,
-        config)
+      exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc, ApApprox argApa |
+        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc),
+          summaryCtx, _, argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa),
+          config) and
+        fwdFlowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config) and
+        (if allowsFieldFlow = false then ap instanceof ApNil else any())
+      )
     }
 
     /**
@@ -1556,14 +1571,12 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     private predicate fwdFlowIsEntered(
-      DataFlowCall call, Cc cc, CcCall innerCc, ParamNodeOption summaryCtx, ApOption argAp,
-      ParamNodeEx p, Ap ap, Configuration config
+      DataFlowCall call, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ParameterPosition pos, Ap ap, Configuration config
     ) {
-      exists(ApApprox apa |
-        fwdFlowIn(call, pragma[only_bind_into](p), _, cc, innerCc, summaryCtx, argAp, ap,
-          pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
-        PrevStage::parameterMayFlowThrough(p, apa, config) and
-        PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config))
+      exists(ParamNodeEx param |
+        fwdFlowInMayFlowThrough(call, cc, _, summaryCtx, argAp, param, ap, _, config) and
+        pos = param.getPosition()
       )
     }
 
@@ -1583,31 +1596,23 @@ private module MkStage<StageSig PrevStage> {
       fwdFlowConsCand(ap1, c, ap2, config)
     }
 
-    pragma[nomagic]
-    private predicate returnFlowsThrough0(
-      DataFlowCall call, FlowState state, CcCall ccc, Ap ap, ApApprox apa, RetNodeEx ret,
-      ParamNodeEx innerSummaryCtx, Ap innerArgAp, ApApprox innerArgApa, Configuration config
-    ) {
-      fwdFlowThrough0(call, _, state, ccc, _, _, ap, apa, ret, innerSummaryCtx, innerArgAp,
-        innerArgApa, config)
-    }
-
     pragma[nomagic]
     private predicate returnFlowsThrough(
-      RetNodeEx ret, ReturnPosition pos, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
+      RetNodeEx ret, ReturnKindExt kind, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
       Ap ap, Configuration config
     ) {
-      exists(DataFlowCall call, ApApprox apa, boolean allowsFieldFlow, ApApprox innerArgApa |
-        returnFlowsThrough0(call, state, ccc, ap, apa, ret, p, argAp, innerArgApa, config) and
-        flowThroughOutOfCall(call, ccc, ret, _, allowsFieldFlow, innerArgApa, apa, config) and
-        pos = ret.getReturnPosition() and
-        if allowsFieldFlow = false then ap instanceof ApNil else any()
+      exists(boolean allowsFieldFlow, ApApprox argApa, ApApprox apa |
+        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc), _, p,
+          argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa), config) and
+        kind = ret.getKind() and
+        fwdFlowThroughOutOfCall(_, ccc, ret, _, allowsFieldFlow, argApa, apa, config) and
+        (if allowsFieldFlow = false then ap instanceof ApNil else any())
       )
     }
 
     pragma[nomagic]
     private predicate flowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp, Ap ap,
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
       Configuration config
     ) {
       exists(ApApprox argApa |
@@ -1615,7 +1620,7 @@ private module MkStage<StageSig PrevStage> {
           allowsFieldFlow, argApa, pragma[only_bind_into](config)) and
         fwdFlow(arg, _, _, _, _, pragma[only_bind_into](argAp), argApa,
           pragma[only_bind_into](config)) and
-        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), ap,
+        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), _,
           pragma[only_bind_into](config)) and
         if allowsFieldFlow = false then argAp instanceof ApNil else any()
       )
@@ -1634,13 +1639,12 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate flowOutOfCallAp(
-      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, NodeEx out, boolean allowsFieldFlow,
+      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, NodeEx out, boolean allowsFieldFlow,
       Ap ap, Configuration config
     ) {
       exists(ApApprox apa |
-        flowOutOfCallApa(call, ret, _, out, allowsFieldFlow, apa, config) and
-        fwdFlow(ret, _, _, _, _, ap, apa, config) and
-        pos = ret.getReturnPosition()
+        flowOutOfCallApa(call, ret, kind, out, allowsFieldFlow, apa, config) and
+        fwdFlow(ret, _, _, _, _, ap, apa, config)
       )
     }
 
@@ -1735,17 +1739,17 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
-        flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
+      exists(DataFlowCall call, ReturnKindExt returnKind0, Ap returnAp0 |
+        revFlowInToReturn(call, node, state, returnKind0, returnAp0, ap, config) and
+        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
       )
       or
       // flow out of a callable
-      exists(ReturnPosition pos |
-        revFlowOut(_, node, pos, state, _, _, ap, config) and
-        if returnFlowsThrough(node, pos, state, _, _, _, ap, config)
+      exists(ReturnKindExt kind |
+        revFlowOut(_, node, kind, state, _, _, ap, config) and
+        if returnFlowsThrough(node, kind, state, _, _, _, ap, config)
         then (
-          returnCtx = TReturnCtxMaybeFlowThrough(pos) and
+          returnCtx = TReturnCtxMaybeFlowThrough(kind) and
           returnAp = apSome(ap)
         ) else (
           returnCtx = TReturnCtxNoFlowThrough() and returnAp = apNone()
@@ -1778,33 +1782,47 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate revFlowOut(
-      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, FlowState state, ReturnCtx returnCtx,
+      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, FlowState state, ReturnCtx returnCtx,
       ApOption returnAp, Ap ap, Configuration config
     ) {
       exists(NodeEx out, boolean allowsFieldFlow |
         revFlow(out, state, returnCtx, returnAp, ap, config) and
-        flowOutOfCallAp(call, ret, pos, out, allowsFieldFlow, ap, config) and
+        flowOutOfCallAp(call, ret, kind, out, allowsFieldFlow, ap, config) and
         if allowsFieldFlow = false then ap instanceof ApNil else any()
       )
     }
 
+    /**
+     * Same as `flowThroughIntoCall`, but restricted to calls that are reached
+     * in the flow covered by `revFlow`, where data might flow through the target
+     * callable and back out at `call`.
+     */
     pragma[nomagic]
-    private predicate revFlowParamToReturn(
-      ParamNodeEx p, FlowState state, ReturnPosition pos, Ap returnAp, Ap ap, Configuration config
+    private predicate revFlowThroughIntoCall(
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
+      Configuration config
     ) {
-      revFlow(pragma[only_bind_into](p), state, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp),
-        pragma[only_bind_into](ap), pragma[only_bind_into](config)) and
-      parameterFlowThroughAllowed(p, pos.getKind()) and
-      PrevStage::parameterMayFlowThrough(p, getApprox(ap), config)
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, argAp, config) and
+      revFlowIsReturned(call, _, _, _, _, config)
     }
 
     pragma[nomagic]
-    private predicate revFlowThrough(
-      DataFlowCall call, ReturnCtx returnCtx, ParamNodeEx p, FlowState state, ReturnPosition pos,
-      ApOption returnAp, Ap ap, Ap innerReturnAp, Configuration config
+    private predicate revFlowParamToReturn(
+      ParamNodeEx p, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap, Configuration config
     ) {
-      revFlowParamToReturn(p, state, pos, innerReturnAp, ap, config) and
-      revFlowIsReturned(call, returnCtx, returnAp, pos, innerReturnAp, config)
+      revFlow(p, state, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, kind)
+    }
+
+    pragma[nomagic]
+    private predicate revFlowInToReturn(
+      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap,
+      Configuration config
+    ) {
+      exists(ParamNodeEx p, boolean allowsFieldFlow |
+        revFlowParamToReturn(p, state, kind, returnAp, ap, config) and
+        revFlowThroughIntoCall(call, arg, p, allowsFieldFlow, ap, config)
+      )
     }
 
     /**
@@ -1814,12 +1832,12 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     private predicate revFlowIsReturned(
-      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnPosition pos, Ap ap,
+      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnKindExt kind, Ap ap,
       Configuration config
     ) {
       exists(RetNodeEx ret, FlowState state, CcCall ccc |
-        revFlowOut(call, ret, pos, state, returnCtx, returnAp, ap, config) and
-        returnFlowsThrough(ret, pos, state, ccc, _, _, ap, config) and
+        revFlowOut(call, ret, kind, state, returnCtx, returnAp, ap, config) and
+        returnFlowsThrough(ret, kind, state, ccc, _, _, ap, config) and
         matchesCall(ccc, call)
       )
     }
@@ -1897,17 +1915,17 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate parameterFlowsThroughRev(
-      ParamNodeEx p, Ap ap, ReturnPosition pos, Ap returnAp, Configuration config
+      ParamNodeEx p, Ap ap, ReturnKindExt kind, Ap returnAp, Configuration config
     ) {
-      revFlow(p, _, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, pos.getKind())
+      revFlow(p, _, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, kind)
     }
 
     pragma[nomagic]
     predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(ReturnPosition pos |
-        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
-        parameterFlowsThroughRev(p, ap, pos, _, config)
+      exists(RetNodeEx ret, ReturnKindExt kind |
+        returnFlowsThrough(ret, kind, _, _, p, ap, _, config) and
+        parameterFlowsThroughRev(p, ap, kind, _, config)
       )
     }
 
@@ -1915,21 +1933,20 @@ private module MkStage<StageSig PrevStage> {
     predicate returnMayFlowThrough(
       RetNodeEx ret, Ap argAp, Ap ap, ReturnKindExt kind, Configuration config
     ) {
-      exists(ParamNodeEx p, ReturnPosition pos |
-        returnFlowsThrough(ret, pos, _, _, p, argAp, ap, config) and
-        parameterFlowsThroughRev(p, argAp, pos, ap, config) and
-        kind = pos.getKind()
+      exists(ParamNodeEx p |
+        returnFlowsThrough(ret, kind, _, _, p, argAp, ap, config) and
+        parameterFlowsThroughRev(p, argAp, kind, ap, config)
       )
     }
 
     pragma[nomagic]
-    private predicate revFlowThroughArg(
+    predicate revFlowInToReturnIsReturned(
       DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
       Ap ap, Configuration config
     ) {
-      exists(ParamNodeEx p, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
-        flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
+      exists(ReturnKindExt returnKind0, Ap returnAp0 |
+        revFlowInToReturn(call, arg, state, returnKind0, returnAp0, ap, config) and
+        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
       )
     }
 
@@ -1937,7 +1954,7 @@ private module MkStage<StageSig PrevStage> {
     predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
       exists(ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap |
         revFlow(arg, state, returnCtx, returnAp, ap, config) and
-        revFlowThroughArg(call, arg, state, returnCtx, returnAp, ap, config)
+        revFlowInToReturnIsReturned(call, arg, state, returnCtx, returnAp, ap, config)
       )
     }
 
@@ -1950,9 +1967,8 @@ private module MkStage<StageSig PrevStage> {
       conscand = count(TypedContent f0, Ap ap | fwdConsCand(f0, ap, config)) and
       states = count(FlowState state | fwdFlow(_, state, _, _, _, _, config)) and
       tuples =
-        count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap |
-          fwdFlow(n, state, cc, summaryCtx, argAp, ap, config)
-        )
+        count(NodeEx n, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+          Ap ap | fwdFlow(n, state, cc, summaryCtx, argAp, ap, config))
       or
       fwd = false and
       nodes = count(NodeEx node | revFlow(node, _, _, _, _, config)) and
@@ -2807,12 +2823,13 @@ private Configuration unbindConf(Configuration conf) {
 
 pragma[nomagic]
 private predicate nodeMayUseSummary0(
-  NodeEx n, ParamNodeEx p, FlowState state, AccessPathApprox apa, Configuration config
+  NodeEx n, DataFlowCallable c, ParameterPosition pos, FlowState state, AccessPathApprox apa,
+  Configuration config
 ) {
   exists(AccessPathApprox apa0 |
-    Stage5::parameterMayFlowThrough(p, _, _) and
+    c = n.getEnclosingCallable() and
     Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0, config) and
-    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()),
+    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParameterPositionSome(pos),
       TAccessPathApproxSome(apa), apa0, config)
   )
 }
@@ -2821,9 +2838,10 @@ pragma[nomagic]
 private predicate nodeMayUseSummary(
   NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParamNodeEx p |
+  exists(DataFlowCallable c, ParameterPosition pos, ParamNodeEx p |
     Stage5::parameterMayFlowThrough(p, apa, config) and
-    nodeMayUseSummary0(n, p, state, apa, config)
+    nodeMayUseSummary0(n, c, pos, state, apa, config) and
+    p.isParameterOf(c, pos)
   )
 }
 
@@ -3753,8 +3771,8 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
   AccessPathApprox apa, Configuration config
 ) {
-  exists(RetNodeEx ret |
-    pathNode(_, ret, state, cc, sc, ap, config, _) and
+  exists(PathNodeMid mid, RetNodeEx ret |
+    pathNode(mid, ret, state, cc, sc, ap, config, _) and
     kind = ret.getKind() and
     apa = ap.getApprox() and
     parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4216,15 +4234,17 @@ private module FlowExploration {
       ap = TRevPartialNil() and
       exists(config.explorationLimit())
       or
-      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
-      not clearsContentEx(node, ap.getHead()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead())
-      ) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
+      exists(PartialPathNodeRev mid |
+        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
+        not clearsContentEx(node, ap.getHead()) and
+        (
+          notExpectsContent(node) or
+          expectsContentEx(node, ap.getHead())
+        ) and
+        not fullBarrier(node, config) and
+        not stateBarrier(node, state, config) and
+        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
+      )
     }
 
   pragma[nomagic]
@@ -4232,17 +4252,19 @@ private module FlowExploration {
     NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
   ) {
-    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
-    not fullBarrier(node, config) and
-    not stateBarrier(node, state, config) and
-    not clearsContentEx(node, ap.getHead().getContent()) and
-    (
-      notExpectsContent(node) or
-      expectsContentEx(node, ap.getHead().getContent())
-    ) and
-    if node.asNode() instanceof CastingNode
-    then compatibleTypes(node.getDataFlowType(), ap.getType())
-    else any()
+    exists(PartialPathNodeFwd mid |
+      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      not clearsContentEx(node, ap.getHead().getContent()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead().getContent())
+      ) and
+      if node.asNode() instanceof CastingNode
+      then compatibleTypes(node.getDataFlowType(), ap.getType())
+      else any()
+    )
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll

@@ -622,11 +622,7 @@ private predicate parameterFlowThroughAllowed(ParamNodeEx p, ReturnKindExt kind)
 }
 
 private module Stage1 implements StageSig {
-  class Ap extends int {
-    // workaround for bad functionality-induced joins (happens when using `Unit`)
-    pragma[nomagic]
-    Ap() { this in [0 .. 1] and this < 1 }
-  }
+  class Ap = Unit;
 
   private class Cc = boolean;
 
@@ -876,9 +872,9 @@ private module Stage1 implements StageSig {
 
   pragma[nomagic]
   private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(NodeEx out |
+    exists(DataFlowCall call, NodeEx out |
       revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
     )
   }
 
@@ -1331,8 +1327,8 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, ApApprox apa, Configuration config
     ) {
       fwdFlow0(node, state, cc, summaryCtx, argAp, ap, apa, config) and
       PrevStage::revFlow(node, state, apa, config) and
@@ -1341,21 +1337,21 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[inline]
     additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, Configuration config
     ) {
       fwdFlow(node, state, cc, summaryCtx, argAp, ap, _, config)
     }
 
     pragma[nomagic]
     private predicate fwdFlow0(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, ApApprox apa, Configuration config
     ) {
       sourceNode(node, state, config) and
       (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
       argAp = apNone() and
-      summaryCtx = TParamNodeNone() and
+      summaryCtx = TParameterPositionNone() and
       ap = getApNil(node) and
       apa = getApprox(ap)
       or
@@ -1376,7 +1372,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, pragma[only_bind_into](state), _, _, _, ap, apa, pragma[only_bind_into](config)) and
         jumpStep(mid, node, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone()
       )
       or
@@ -1384,7 +1380,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, state, _, _, _, nil, pragma[only_bind_into](config)) and
         additionalJumpStep(mid, node, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone() and
         ap = getApNil(node) and
         apa = getApprox(ap)
@@ -1394,7 +1390,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, state0, _, _, _, nil, pragma[only_bind_into](config)) and
         additionalJumpStateStep(mid, state0, node, state, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone() and
         ap = getApNil(node) and
         apa = getApprox(ap)
@@ -1418,10 +1414,10 @@ private module MkStage<StageSig PrevStage> {
       fwdFlowIn(_, node, state, _, cc, _, _, ap, apa, config) and
       if PrevStage::parameterMayFlowThrough(node, apa, config)
       then (
-        summaryCtx = TParamNodeSome(node.asNode()) and
+        summaryCtx = TParameterPositionSome(node.(ParamNodeEx).getPosition()) and
         argAp = apSome(ap)
       ) else (
-        summaryCtx = TParamNodeNone() and argAp = apNone()
+        summaryCtx = TParameterPositionNone() and argAp = apNone()
       )
       or
       // flow out of a callable
@@ -1437,19 +1433,16 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(
-        DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow, ApApprox innerArgApa
-      |
-        fwdFlowThrough(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, innerArgApa, config) and
-        flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow, innerArgApa, apa, config) and
-        if allowsFieldFlow = false then ap instanceof ApNil else any()
+      exists(DataFlowCall call, ParameterPosition summaryCtx0, Ap argAp0 |
+        fwdFlowOutFromArg(call, node, state, summaryCtx0, argAp0, ap, apa, config) and
+        fwdFlowIsEntered(call, cc, summaryCtx, argAp, summaryCtx0, argAp0, config)
       )
     }
 
     pragma[nomagic]
     private predicate fwdFlowStore(
       NodeEx node1, Ap ap1, TypedContent tc, NodeEx node2, FlowState state, Cc cc,
-      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
     ) {
       exists(DataFlowType contentType, ApApprox apa1 |
         fwdFlow(node1, state, cc, summaryCtx, argAp, ap1, apa1, config) and
@@ -1480,31 +1473,27 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate fwdFlowRead0(
-      NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
-      Configuration config
+      NodeEx node1, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ApNonNil ap, Configuration config
     ) {
       fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, _, _, config)
     }
 
-    bindingset[ap, c]
-    pragma[inline_late]
-    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
-
     pragma[nomagic]
     private predicate fwdFlowRead(
       Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
-      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
     ) {
       fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, c, node2, config) and
-      hasHeadContent(ap, c)
+      getHeadContent(ap) = c
     }
 
     pragma[nomagic]
     private predicate fwdFlowIn(
       DataFlowCall call, ParamNodeEx p, FlowState state, Cc outercc, CcCall innercc,
-      ParamNodeOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
     ) {
       exists(ArgNodeEx arg, boolean allowsFieldFlow |
         fwdFlow(arg, state, outercc, summaryCtx, argAp, ap, apa, config) and
@@ -1516,38 +1505,64 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate fwdFlowRetFromArg(
-      RetNodeEx ret, FlowState state, CcCall ccc, ParamNodeEx summaryCtx, Ap argAp, ApApprox argApa,
-      Ap ap, ApApprox apa, Configuration config
+      RetNodeEx ret, FlowState state, CcCall ccc, ParameterPosition summaryCtx, ParamNodeEx p,
+      Ap argAp, ApApprox argApa, Ap ap, ApApprox apa, Configuration config
     ) {
-      exists(ReturnKindExt kind |
+      exists(DataFlowCallable c, ReturnKindExt kind |
         fwdFlow(pragma[only_bind_into](ret), state, ccc,
-          TParamNodeSome(pragma[only_bind_into](summaryCtx.asNode())),
-          pragma[only_bind_into](apSome(argAp)), ap, pragma[only_bind_into](apa),
-          pragma[only_bind_into](config)) and
+          TParameterPositionSome(pragma[only_bind_into](summaryCtx)), apSome(argAp), ap, apa, config) and
+        getApprox(argAp) = argApa and
+        c = ret.getEnclosingCallable() and
         kind = ret.getKind() and
-        parameterFlowThroughAllowed(summaryCtx, kind) and
-        argApa = getApprox(argAp) and
-        PrevStage::returnMayFlowThrough(ret, argApa, apa, kind, pragma[only_bind_into](config))
+        p.isParameterOf(c, pragma[only_bind_into](summaryCtx)) and
+        parameterFlowThroughAllowed(p, kind)
       )
     }
 
     pragma[inline]
-    private predicate fwdFlowThrough0(
-      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
-      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ParamNodeEx innerSummaryCtx,
-      Ap innerArgAp, ApApprox innerArgApa, Configuration config
+    private predicate fwdFlowInMayFlowThrough(
+      DataFlowCall call, Cc cc, CcCall innerCc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ParamNodeEx param, Ap ap, ApApprox apa, Configuration config
     ) {
-      fwdFlowRetFromArg(ret, state, ccc, innerSummaryCtx, innerArgAp, innerArgApa, ap, apa, config) and
-      fwdFlowIsEntered(call, cc, ccc, summaryCtx, argAp, innerSummaryCtx, innerArgAp, config)
+      fwdFlowIn(call, pragma[only_bind_into](param), _, cc, innerCc, summaryCtx, argAp, ap,
+        pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
+      PrevStage::parameterMayFlowThrough(param, apa, config)
+    }
+
+    // dedup before joining with `flowThroughOutOfCall`
+    pragma[nomagic]
+    private predicate fwdFlowInMayFlowThroughProj(
+      DataFlowCall call, CcCall innerCc, ApApprox apa, Configuration config
+    ) {
+      fwdFlowInMayFlowThrough(call, _, innerCc, _, _, _, _, apa, config)
+    }
+
+    /**
+     * Same as `flowThroughOutOfCall`, but restricted to calls that are reached
+     * in the flow covered by `fwdFlow`, where data might flow through the target
+     * callable and back out at `call`.
+     */
+    pragma[nomagic]
+    private predicate fwdFlowThroughOutOfCall(
+      DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+      ApApprox argApa, ApApprox apa, Configuration config
+    ) {
+      fwdFlowInMayFlowThroughProj(call, ccc, argApa, config) and
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config)
     }
 
     pragma[nomagic]
-    private predicate fwdFlowThrough(
-      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
-      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ApApprox innerArgApa, Configuration config
+    private predicate fwdFlowOutFromArg(
+      DataFlowCall call, NodeEx out, FlowState state, ParameterPosition summaryCtx, Ap argAp, Ap ap,
+      ApApprox apa, Configuration config
     ) {
-      fwdFlowThrough0(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, _, _, innerArgApa,
-        config)
+      exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc, ApApprox argApa |
+        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc),
+          summaryCtx, _, argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa),
+          config) and
+        fwdFlowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config) and
+        (if allowsFieldFlow = false then ap instanceof ApNil else any())
+      )
     }
 
     /**
@@ -1556,14 +1571,12 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     private predicate fwdFlowIsEntered(
-      DataFlowCall call, Cc cc, CcCall innerCc, ParamNodeOption summaryCtx, ApOption argAp,
-      ParamNodeEx p, Ap ap, Configuration config
+      DataFlowCall call, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ParameterPosition pos, Ap ap, Configuration config
     ) {
-      exists(ApApprox apa |
-        fwdFlowIn(call, pragma[only_bind_into](p), _, cc, innerCc, summaryCtx, argAp, ap,
-          pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
-        PrevStage::parameterMayFlowThrough(p, apa, config) and
-        PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config))
+      exists(ParamNodeEx param |
+        fwdFlowInMayFlowThrough(call, cc, _, summaryCtx, argAp, param, ap, _, config) and
+        pos = param.getPosition()
       )
     }
 
@@ -1583,31 +1596,23 @@ private module MkStage<StageSig PrevStage> {
       fwdFlowConsCand(ap1, c, ap2, config)
     }
 
-    pragma[nomagic]
-    private predicate returnFlowsThrough0(
-      DataFlowCall call, FlowState state, CcCall ccc, Ap ap, ApApprox apa, RetNodeEx ret,
-      ParamNodeEx innerSummaryCtx, Ap innerArgAp, ApApprox innerArgApa, Configuration config
-    ) {
-      fwdFlowThrough0(call, _, state, ccc, _, _, ap, apa, ret, innerSummaryCtx, innerArgAp,
-        innerArgApa, config)
-    }
-
     pragma[nomagic]
     private predicate returnFlowsThrough(
-      RetNodeEx ret, ReturnPosition pos, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
+      RetNodeEx ret, ReturnKindExt kind, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
       Ap ap, Configuration config
     ) {
-      exists(DataFlowCall call, ApApprox apa, boolean allowsFieldFlow, ApApprox innerArgApa |
-        returnFlowsThrough0(call, state, ccc, ap, apa, ret, p, argAp, innerArgApa, config) and
-        flowThroughOutOfCall(call, ccc, ret, _, allowsFieldFlow, innerArgApa, apa, config) and
-        pos = ret.getReturnPosition() and
-        if allowsFieldFlow = false then ap instanceof ApNil else any()
+      exists(boolean allowsFieldFlow, ApApprox argApa, ApApprox apa |
+        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc), _, p,
+          argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa), config) and
+        kind = ret.getKind() and
+        fwdFlowThroughOutOfCall(_, ccc, ret, _, allowsFieldFlow, argApa, apa, config) and
+        (if allowsFieldFlow = false then ap instanceof ApNil else any())
       )
     }
 
     pragma[nomagic]
     private predicate flowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp, Ap ap,
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
       Configuration config
     ) {
       exists(ApApprox argApa |
@@ -1615,7 +1620,7 @@ private module MkStage<StageSig PrevStage> {
           allowsFieldFlow, argApa, pragma[only_bind_into](config)) and
         fwdFlow(arg, _, _, _, _, pragma[only_bind_into](argAp), argApa,
           pragma[only_bind_into](config)) and
-        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), ap,
+        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), _,
           pragma[only_bind_into](config)) and
         if allowsFieldFlow = false then argAp instanceof ApNil else any()
       )
@@ -1634,13 +1639,12 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate flowOutOfCallAp(
-      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, NodeEx out, boolean allowsFieldFlow,
+      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, NodeEx out, boolean allowsFieldFlow,
       Ap ap, Configuration config
     ) {
       exists(ApApprox apa |
-        flowOutOfCallApa(call, ret, _, out, allowsFieldFlow, apa, config) and
-        fwdFlow(ret, _, _, _, _, ap, apa, config) and
-        pos = ret.getReturnPosition()
+        flowOutOfCallApa(call, ret, kind, out, allowsFieldFlow, apa, config) and
+        fwdFlow(ret, _, _, _, _, ap, apa, config)
       )
     }
 
@@ -1735,17 +1739,17 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
-        flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
+      exists(DataFlowCall call, ReturnKindExt returnKind0, Ap returnAp0 |
+        revFlowInToReturn(call, node, state, returnKind0, returnAp0, ap, config) and
+        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
       )
       or
       // flow out of a callable
-      exists(ReturnPosition pos |
-        revFlowOut(_, node, pos, state, _, _, ap, config) and
-        if returnFlowsThrough(node, pos, state, _, _, _, ap, config)
+      exists(ReturnKindExt kind |
+        revFlowOut(_, node, kind, state, _, _, ap, config) and
+        if returnFlowsThrough(node, kind, state, _, _, _, ap, config)
         then (
-          returnCtx = TReturnCtxMaybeFlowThrough(pos) and
+          returnCtx = TReturnCtxMaybeFlowThrough(kind) and
           returnAp = apSome(ap)
         ) else (
           returnCtx = TReturnCtxNoFlowThrough() and returnAp = apNone()
@@ -1778,33 +1782,47 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate revFlowOut(
-      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, FlowState state, ReturnCtx returnCtx,
+      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, FlowState state, ReturnCtx returnCtx,
       ApOption returnAp, Ap ap, Configuration config
     ) {
       exists(NodeEx out, boolean allowsFieldFlow |
         revFlow(out, state, returnCtx, returnAp, ap, config) and
-        flowOutOfCallAp(call, ret, pos, out, allowsFieldFlow, ap, config) and
+        flowOutOfCallAp(call, ret, kind, out, allowsFieldFlow, ap, config) and
         if allowsFieldFlow = false then ap instanceof ApNil else any()
       )
     }
 
+    /**
+     * Same as `flowThroughIntoCall`, but restricted to calls that are reached
+     * in the flow covered by `revFlow`, where data might flow through the target
+     * callable and back out at `call`.
+     */
     pragma[nomagic]
-    private predicate revFlowParamToReturn(
-      ParamNodeEx p, FlowState state, ReturnPosition pos, Ap returnAp, Ap ap, Configuration config
+    private predicate revFlowThroughIntoCall(
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
+      Configuration config
     ) {
-      revFlow(pragma[only_bind_into](p), state, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp),
-        pragma[only_bind_into](ap), pragma[only_bind_into](config)) and
-      parameterFlowThroughAllowed(p, pos.getKind()) and
-      PrevStage::parameterMayFlowThrough(p, getApprox(ap), config)
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, argAp, config) and
+      revFlowIsReturned(call, _, _, _, _, config)
     }
 
     pragma[nomagic]
-    private predicate revFlowThrough(
-      DataFlowCall call, ReturnCtx returnCtx, ParamNodeEx p, FlowState state, ReturnPosition pos,
-      ApOption returnAp, Ap ap, Ap innerReturnAp, Configuration config
+    private predicate revFlowParamToReturn(
+      ParamNodeEx p, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap, Configuration config
     ) {
-      revFlowParamToReturn(p, state, pos, innerReturnAp, ap, config) and
-      revFlowIsReturned(call, returnCtx, returnAp, pos, innerReturnAp, config)
+      revFlow(p, state, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, kind)
+    }
+
+    pragma[nomagic]
+    private predicate revFlowInToReturn(
+      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap,
+      Configuration config
+    ) {
+      exists(ParamNodeEx p, boolean allowsFieldFlow |
+        revFlowParamToReturn(p, state, kind, returnAp, ap, config) and
+        revFlowThroughIntoCall(call, arg, p, allowsFieldFlow, ap, config)
+      )
     }
 
     /**
@@ -1814,12 +1832,12 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     private predicate revFlowIsReturned(
-      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnPosition pos, Ap ap,
+      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnKindExt kind, Ap ap,
       Configuration config
     ) {
       exists(RetNodeEx ret, FlowState state, CcCall ccc |
-        revFlowOut(call, ret, pos, state, returnCtx, returnAp, ap, config) and
-        returnFlowsThrough(ret, pos, state, ccc, _, _, ap, config) and
+        revFlowOut(call, ret, kind, state, returnCtx, returnAp, ap, config) and
+        returnFlowsThrough(ret, kind, state, ccc, _, _, ap, config) and
         matchesCall(ccc, call)
       )
     }
@@ -1897,17 +1915,17 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate parameterFlowsThroughRev(
-      ParamNodeEx p, Ap ap, ReturnPosition pos, Ap returnAp, Configuration config
+      ParamNodeEx p, Ap ap, ReturnKindExt kind, Ap returnAp, Configuration config
     ) {
-      revFlow(p, _, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, pos.getKind())
+      revFlow(p, _, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, kind)
     }
 
     pragma[nomagic]
     predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(ReturnPosition pos |
-        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
-        parameterFlowsThroughRev(p, ap, pos, _, config)
+      exists(RetNodeEx ret, ReturnKindExt kind |
+        returnFlowsThrough(ret, kind, _, _, p, ap, _, config) and
+        parameterFlowsThroughRev(p, ap, kind, _, config)
       )
     }
 
@@ -1915,21 +1933,20 @@ private module MkStage<StageSig PrevStage> {
     predicate returnMayFlowThrough(
       RetNodeEx ret, Ap argAp, Ap ap, ReturnKindExt kind, Configuration config
     ) {
-      exists(ParamNodeEx p, ReturnPosition pos |
-        returnFlowsThrough(ret, pos, _, _, p, argAp, ap, config) and
-        parameterFlowsThroughRev(p, argAp, pos, ap, config) and
-        kind = pos.getKind()
+      exists(ParamNodeEx p |
+        returnFlowsThrough(ret, kind, _, _, p, argAp, ap, config) and
+        parameterFlowsThroughRev(p, argAp, kind, ap, config)
       )
     }
 
     pragma[nomagic]
-    private predicate revFlowThroughArg(
+    predicate revFlowInToReturnIsReturned(
       DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
       Ap ap, Configuration config
     ) {
-      exists(ParamNodeEx p, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
-        flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
+      exists(ReturnKindExt returnKind0, Ap returnAp0 |
+        revFlowInToReturn(call, arg, state, returnKind0, returnAp0, ap, config) and
+        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
       )
     }
 
@@ -1937,7 +1954,7 @@ private module MkStage<StageSig PrevStage> {
     predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
       exists(ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap |
         revFlow(arg, state, returnCtx, returnAp, ap, config) and
-        revFlowThroughArg(call, arg, state, returnCtx, returnAp, ap, config)
+        revFlowInToReturnIsReturned(call, arg, state, returnCtx, returnAp, ap, config)
       )
     }
 
@@ -1950,9 +1967,8 @@ private module MkStage<StageSig PrevStage> {
       conscand = count(TypedContent f0, Ap ap | fwdConsCand(f0, ap, config)) and
       states = count(FlowState state | fwdFlow(_, state, _, _, _, _, config)) and
       tuples =
-        count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap |
-          fwdFlow(n, state, cc, summaryCtx, argAp, ap, config)
-        )
+        count(NodeEx n, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+          Ap ap | fwdFlow(n, state, cc, summaryCtx, argAp, ap, config))
       or
       fwd = false and
       nodes = count(NodeEx node | revFlow(node, _, _, _, _, config)) and
@@ -2807,12 +2823,13 @@ private Configuration unbindConf(Configuration conf) {
 
 pragma[nomagic]
 private predicate nodeMayUseSummary0(
-  NodeEx n, ParamNodeEx p, FlowState state, AccessPathApprox apa, Configuration config
+  NodeEx n, DataFlowCallable c, ParameterPosition pos, FlowState state, AccessPathApprox apa,
+  Configuration config
 ) {
   exists(AccessPathApprox apa0 |
-    Stage5::parameterMayFlowThrough(p, _, _) and
+    c = n.getEnclosingCallable() and
     Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0, config) and
-    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()),
+    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParameterPositionSome(pos),
       TAccessPathApproxSome(apa), apa0, config)
   )
 }
@@ -2821,9 +2838,10 @@ pragma[nomagic]
 private predicate nodeMayUseSummary(
   NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParamNodeEx p |
+  exists(DataFlowCallable c, ParameterPosition pos, ParamNodeEx p |
     Stage5::parameterMayFlowThrough(p, apa, config) and
-    nodeMayUseSummary0(n, p, state, apa, config)
+    nodeMayUseSummary0(n, c, pos, state, apa, config) and
+    p.isParameterOf(c, pos)
   )
 }
 
@@ -3753,8 +3771,8 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
   AccessPathApprox apa, Configuration config
 ) {
-  exists(RetNodeEx ret |
-    pathNode(_, ret, state, cc, sc, ap, config, _) and
+  exists(PathNodeMid mid, RetNodeEx ret |
+    pathNode(mid, ret, state, cc, sc, ap, config, _) and
     kind = ret.getKind() and
     apa = ap.getApprox() and
     parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4216,15 +4234,17 @@ private module FlowExploration {
       ap = TRevPartialNil() and
       exists(config.explorationLimit())
       or
-      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
-      not clearsContentEx(node, ap.getHead()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead())
-      ) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
+      exists(PartialPathNodeRev mid |
+        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
+        not clearsContentEx(node, ap.getHead()) and
+        (
+          notExpectsContent(node) or
+          expectsContentEx(node, ap.getHead())
+        ) and
+        not fullBarrier(node, config) and
+        not stateBarrier(node, state, config) and
+        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
+      )
     }
 
   pragma[nomagic]
@@ -4232,17 +4252,19 @@ private module FlowExploration {
     NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
   ) {
-    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
-    not fullBarrier(node, config) and
-    not stateBarrier(node, state, config) and
-    not clearsContentEx(node, ap.getHead().getContent()) and
-    (
-      notExpectsContent(node) or
-      expectsContentEx(node, ap.getHead().getContent())
-    ) and
-    if node.asNode() instanceof CastingNode
-    then compatibleTypes(node.getDataFlowType(), ap.getType())
-    else any()
+    exists(PartialPathNodeFwd mid |
+      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      not clearsContentEx(node, ap.getHead().getContent()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead().getContent())
+      ) and
+      if node.asNode() instanceof CastingNode
+      then compatibleTypes(node.getDataFlowType(), ap.getType())
+      else any()
+    )
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll

@@ -916,15 +916,15 @@ private module Cached {
     TDataFlowCallSome(DataFlowCall call)
 
   cached
-  newtype TParamNodeOption =
-    TParamNodeNone() or
-    TParamNodeSome(ParamNode p)
+  newtype TParameterPositionOption =
+    TParameterPositionNone() or
+    TParameterPositionSome(ParameterPosition pos)
 
   cached
   newtype TReturnCtx =
     TReturnCtxNone() or
     TReturnCtxNoFlowThrough() or
-    TReturnCtxMaybeFlowThrough(ReturnPosition pos)
+    TReturnCtxMaybeFlowThrough(ReturnKindExt kind)
 
   cached
   newtype TTypedContentApprox =
@@ -1343,15 +1343,15 @@ class DataFlowCallOption extends TDataFlowCallOption {
   }
 }
 
-/** An optional `ParamNode`. */
-class ParamNodeOption extends TParamNodeOption {
+/** An optional `ParameterPosition`. */
+class ParameterPositionOption extends TParameterPositionOption {
   string toString() {
-    this = TParamNodeNone() and
+    this = TParameterPositionNone() and
     result = "(none)"
     or
-    exists(ParamNode p |
-      this = TParamNodeSome(p) and
-      result = p.toString()
+    exists(ParameterPosition pos |
+      this = TParameterPositionSome(pos) and
+      result = pos.toString()
     )
   }
 }
@@ -1363,7 +1363,7 @@ class ParamNodeOption extends TParamNodeOption {
  *
  * - `TReturnCtxNone()`: no return flow.
  * - `TReturnCtxNoFlowThrough()`: return flow, but flow through is not possible.
- * - `TReturnCtxMaybeFlowThrough(ReturnPosition pos)`: return flow, of kind `pos`, and
+ * - `TReturnCtxMaybeFlowThrough(ReturnKindExt kind)`: return flow, of kind `kind`, and
  *    flow through may be possible.
  */
 class ReturnCtx extends TReturnCtx {
@@ -1374,9 +1374,9 @@ class ReturnCtx extends TReturnCtx {
     this = TReturnCtxNoFlowThrough() and
     result = "(no flow through)"
     or
-    exists(ReturnPosition pos |
-      this = TReturnCtxMaybeFlowThrough(pos) and
-      result = pos.toString()
+    exists(ReturnKindExt kind |
+      this = TReturnCtxMaybeFlowThrough(kind) and
+      result = kind.toString()
     )
   }
 }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll

@@ -45,16 +45,6 @@ module Consistency {
     ) {
       none()
     }
-
-    /** Holds if `(c, pos, p)` should be excluded from the consistency test `uniqueParameterNodeAtPosition`. */
-    predicate uniqueParameterNodeAtPositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
-      none()
-    }
-
-    /** Holds if `(c, pos, p)` should be excluded from the consistency test `uniqueParameterNodePosition`. */
-    predicate uniqueParameterNodePositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
-      none()
-    }
   }
 
   private class RelevantNode extends Node {
@@ -111,7 +101,9 @@ module Consistency {
     exists(int c |
       c =
         strictcount(Node n |
-          not n.hasLocationInfo(_, _, _, _, _) and
+          not exists(string filepath, int startline, int startcolumn, int endline, int endcolumn |
+            n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+          ) and
           not any(ConsistencyConfiguration conf).missingLocationExclude(n)
         ) and
       msg = "Nodes without location: " + c
@@ -256,7 +248,6 @@ module Consistency {
   query predicate uniqueParameterNodeAtPosition(
     DataFlowCallable c, ParameterPosition pos, Node p, string msg
   ) {
-    not any(ConsistencyConfiguration conf).uniqueParameterNodeAtPositionExclude(c, pos, p) and
     isParameterNode(p, c, pos) and
     not exists(unique(Node p0 | isParameterNode(p0, c, pos))) and
     msg = "Parameters with overlapping positions."
@@ -265,7 +256,6 @@ module Consistency {
   query predicate uniqueParameterNodePosition(
     DataFlowCallable c, ParameterPosition pos, Node p, string msg
   ) {
-    not any(ConsistencyConfiguration conf).uniqueParameterNodePositionExclude(c, pos, p) and
     isParameterNode(p, c, pos) and
     not exists(unique(ParameterPosition pos0 | isParameterNode(p, c, pos0))) and
     msg = "Parameter node with multiple positions."

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll

@@ -622,11 +622,7 @@ private predicate parameterFlowThroughAllowed(ParamNodeEx p, ReturnKindExt kind)
 }
 
 private module Stage1 implements StageSig {
-  class Ap extends int {
-    // workaround for bad functionality-induced joins (happens when using `Unit`)
-    pragma[nomagic]
-    Ap() { this in [0 .. 1] and this < 1 }
-  }
+  class Ap = Unit;
 
   private class Cc = boolean;
 
@@ -876,9 +872,9 @@ private module Stage1 implements StageSig {
 
   pragma[nomagic]
   private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(NodeEx out |
+    exists(DataFlowCall call, NodeEx out |
       revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
     )
   }
 
@@ -1331,8 +1327,8 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, ApApprox apa, Configuration config
     ) {
       fwdFlow0(node, state, cc, summaryCtx, argAp, ap, apa, config) and
       PrevStage::revFlow(node, state, apa, config) and
@@ -1341,21 +1337,21 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[inline]
     additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, Configuration config
     ) {
       fwdFlow(node, state, cc, summaryCtx, argAp, ap, _, config)
     }
 
     pragma[nomagic]
     private predicate fwdFlow0(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, ApApprox apa, Configuration config
     ) {
       sourceNode(node, state, config) and
       (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
       argAp = apNone() and
-      summaryCtx = TParamNodeNone() and
+      summaryCtx = TParameterPositionNone() and
       ap = getApNil(node) and
       apa = getApprox(ap)
       or
@@ -1376,7 +1372,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, pragma[only_bind_into](state), _, _, _, ap, apa, pragma[only_bind_into](config)) and
         jumpStep(mid, node, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone()
       )
       or
@@ -1384,7 +1380,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, state, _, _, _, nil, pragma[only_bind_into](config)) and
         additionalJumpStep(mid, node, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone() and
         ap = getApNil(node) and
         apa = getApprox(ap)
@@ -1394,7 +1390,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, state0, _, _, _, nil, pragma[only_bind_into](config)) and
         additionalJumpStateStep(mid, state0, node, state, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone() and
         ap = getApNil(node) and
         apa = getApprox(ap)
@@ -1418,10 +1414,10 @@ private module MkStage<StageSig PrevStage> {
       fwdFlowIn(_, node, state, _, cc, _, _, ap, apa, config) and
       if PrevStage::parameterMayFlowThrough(node, apa, config)
       then (
-        summaryCtx = TParamNodeSome(node.asNode()) and
+        summaryCtx = TParameterPositionSome(node.(ParamNodeEx).getPosition()) and
         argAp = apSome(ap)
       ) else (
-        summaryCtx = TParamNodeNone() and argAp = apNone()
+        summaryCtx = TParameterPositionNone() and argAp = apNone()
       )
       or
       // flow out of a callable
@@ -1437,19 +1433,16 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(
-        DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow, ApApprox innerArgApa
-      |
-        fwdFlowThrough(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, innerArgApa, config) and
-        flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow, innerArgApa, apa, config) and
-        if allowsFieldFlow = false then ap instanceof ApNil else any()
+      exists(DataFlowCall call, ParameterPosition summaryCtx0, Ap argAp0 |
+        fwdFlowOutFromArg(call, node, state, summaryCtx0, argAp0, ap, apa, config) and
+        fwdFlowIsEntered(call, cc, summaryCtx, argAp, summaryCtx0, argAp0, config)
       )
     }
 
     pragma[nomagic]
     private predicate fwdFlowStore(
       NodeEx node1, Ap ap1, TypedContent tc, NodeEx node2, FlowState state, Cc cc,
-      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
     ) {
       exists(DataFlowType contentType, ApApprox apa1 |
         fwdFlow(node1, state, cc, summaryCtx, argAp, ap1, apa1, config) and
@@ -1480,31 +1473,27 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate fwdFlowRead0(
-      NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
-      Configuration config
+      NodeEx node1, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ApNonNil ap, Configuration config
     ) {
       fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, _, _, config)
     }
 
-    bindingset[ap, c]
-    pragma[inline_late]
-    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
-
     pragma[nomagic]
     private predicate fwdFlowRead(
       Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
-      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
     ) {
       fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, c, node2, config) and
-      hasHeadContent(ap, c)
+      getHeadContent(ap) = c
     }
 
     pragma[nomagic]
     private predicate fwdFlowIn(
       DataFlowCall call, ParamNodeEx p, FlowState state, Cc outercc, CcCall innercc,
-      ParamNodeOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
     ) {
       exists(ArgNodeEx arg, boolean allowsFieldFlow |
         fwdFlow(arg, state, outercc, summaryCtx, argAp, ap, apa, config) and
@@ -1516,38 +1505,64 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate fwdFlowRetFromArg(
-      RetNodeEx ret, FlowState state, CcCall ccc, ParamNodeEx summaryCtx, Ap argAp, ApApprox argApa,
-      Ap ap, ApApprox apa, Configuration config
+      RetNodeEx ret, FlowState state, CcCall ccc, ParameterPosition summaryCtx, ParamNodeEx p,
+      Ap argAp, ApApprox argApa, Ap ap, ApApprox apa, Configuration config
     ) {
-      exists(ReturnKindExt kind |
+      exists(DataFlowCallable c, ReturnKindExt kind |
         fwdFlow(pragma[only_bind_into](ret), state, ccc,
-          TParamNodeSome(pragma[only_bind_into](summaryCtx.asNode())),
-          pragma[only_bind_into](apSome(argAp)), ap, pragma[only_bind_into](apa),
-          pragma[only_bind_into](config)) and
+          TParameterPositionSome(pragma[only_bind_into](summaryCtx)), apSome(argAp), ap, apa, config) and
+        getApprox(argAp) = argApa and
+        c = ret.getEnclosingCallable() and
         kind = ret.getKind() and
-        parameterFlowThroughAllowed(summaryCtx, kind) and
-        argApa = getApprox(argAp) and
-        PrevStage::returnMayFlowThrough(ret, argApa, apa, kind, pragma[only_bind_into](config))
+        p.isParameterOf(c, pragma[only_bind_into](summaryCtx)) and
+        parameterFlowThroughAllowed(p, kind)
       )
     }
 
     pragma[inline]
-    private predicate fwdFlowThrough0(
-      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
-      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ParamNodeEx innerSummaryCtx,
-      Ap innerArgAp, ApApprox innerArgApa, Configuration config
+    private predicate fwdFlowInMayFlowThrough(
+      DataFlowCall call, Cc cc, CcCall innerCc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ParamNodeEx param, Ap ap, ApApprox apa, Configuration config
     ) {
-      fwdFlowRetFromArg(ret, state, ccc, innerSummaryCtx, innerArgAp, innerArgApa, ap, apa, config) and
-      fwdFlowIsEntered(call, cc, ccc, summaryCtx, argAp, innerSummaryCtx, innerArgAp, config)
+      fwdFlowIn(call, pragma[only_bind_into](param), _, cc, innerCc, summaryCtx, argAp, ap,
+        pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
+      PrevStage::parameterMayFlowThrough(param, apa, config)
+    }
+
+    // dedup before joining with `flowThroughOutOfCall`
+    pragma[nomagic]
+    private predicate fwdFlowInMayFlowThroughProj(
+      DataFlowCall call, CcCall innerCc, ApApprox apa, Configuration config
+    ) {
+      fwdFlowInMayFlowThrough(call, _, innerCc, _, _, _, _, apa, config)
+    }
+
+    /**
+     * Same as `flowThroughOutOfCall`, but restricted to calls that are reached
+     * in the flow covered by `fwdFlow`, where data might flow through the target
+     * callable and back out at `call`.
+     */
+    pragma[nomagic]
+    private predicate fwdFlowThroughOutOfCall(
+      DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+      ApApprox argApa, ApApprox apa, Configuration config
+    ) {
+      fwdFlowInMayFlowThroughProj(call, ccc, argApa, config) and
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config)
     }
 
     pragma[nomagic]
-    private predicate fwdFlowThrough(
-      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
-      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ApApprox innerArgApa, Configuration config
+    private predicate fwdFlowOutFromArg(
+      DataFlowCall call, NodeEx out, FlowState state, ParameterPosition summaryCtx, Ap argAp, Ap ap,
+      ApApprox apa, Configuration config
     ) {
-      fwdFlowThrough0(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, _, _, innerArgApa,
-        config)
+      exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc, ApApprox argApa |
+        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc),
+          summaryCtx, _, argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa),
+          config) and
+        fwdFlowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config) and
+        (if allowsFieldFlow = false then ap instanceof ApNil else any())
+      )
     }
 
     /**
@@ -1556,14 +1571,12 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     private predicate fwdFlowIsEntered(
-      DataFlowCall call, Cc cc, CcCall innerCc, ParamNodeOption summaryCtx, ApOption argAp,
-      ParamNodeEx p, Ap ap, Configuration config
+      DataFlowCall call, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ParameterPosition pos, Ap ap, Configuration config
     ) {
-      exists(ApApprox apa |
-        fwdFlowIn(call, pragma[only_bind_into](p), _, cc, innerCc, summaryCtx, argAp, ap,
-          pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
-        PrevStage::parameterMayFlowThrough(p, apa, config) and
-        PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config))
+      exists(ParamNodeEx param |
+        fwdFlowInMayFlowThrough(call, cc, _, summaryCtx, argAp, param, ap, _, config) and
+        pos = param.getPosition()
       )
     }
 
@@ -1583,31 +1596,23 @@ private module MkStage<StageSig PrevStage> {
       fwdFlowConsCand(ap1, c, ap2, config)
     }
 
-    pragma[nomagic]
-    private predicate returnFlowsThrough0(
-      DataFlowCall call, FlowState state, CcCall ccc, Ap ap, ApApprox apa, RetNodeEx ret,
-      ParamNodeEx innerSummaryCtx, Ap innerArgAp, ApApprox innerArgApa, Configuration config
-    ) {
-      fwdFlowThrough0(call, _, state, ccc, _, _, ap, apa, ret, innerSummaryCtx, innerArgAp,
-        innerArgApa, config)
-    }
-
     pragma[nomagic]
     private predicate returnFlowsThrough(
-      RetNodeEx ret, ReturnPosition pos, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
+      RetNodeEx ret, ReturnKindExt kind, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
       Ap ap, Configuration config
     ) {
-      exists(DataFlowCall call, ApApprox apa, boolean allowsFieldFlow, ApApprox innerArgApa |
-        returnFlowsThrough0(call, state, ccc, ap, apa, ret, p, argAp, innerArgApa, config) and
-        flowThroughOutOfCall(call, ccc, ret, _, allowsFieldFlow, innerArgApa, apa, config) and
-        pos = ret.getReturnPosition() and
-        if allowsFieldFlow = false then ap instanceof ApNil else any()
+      exists(boolean allowsFieldFlow, ApApprox argApa, ApApprox apa |
+        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc), _, p,
+          argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa), config) and
+        kind = ret.getKind() and
+        fwdFlowThroughOutOfCall(_, ccc, ret, _, allowsFieldFlow, argApa, apa, config) and
+        (if allowsFieldFlow = false then ap instanceof ApNil else any())
       )
     }
 
     pragma[nomagic]
     private predicate flowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp, Ap ap,
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
       Configuration config
     ) {
       exists(ApApprox argApa |
@@ -1615,7 +1620,7 @@ private module MkStage<StageSig PrevStage> {
           allowsFieldFlow, argApa, pragma[only_bind_into](config)) and
         fwdFlow(arg, _, _, _, _, pragma[only_bind_into](argAp), argApa,
           pragma[only_bind_into](config)) and
-        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), ap,
+        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), _,
           pragma[only_bind_into](config)) and
         if allowsFieldFlow = false then argAp instanceof ApNil else any()
       )
@@ -1634,13 +1639,12 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate flowOutOfCallAp(
-      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, NodeEx out, boolean allowsFieldFlow,
+      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, NodeEx out, boolean allowsFieldFlow,
       Ap ap, Configuration config
     ) {
       exists(ApApprox apa |
-        flowOutOfCallApa(call, ret, _, out, allowsFieldFlow, apa, config) and
-        fwdFlow(ret, _, _, _, _, ap, apa, config) and
-        pos = ret.getReturnPosition()
+        flowOutOfCallApa(call, ret, kind, out, allowsFieldFlow, apa, config) and
+        fwdFlow(ret, _, _, _, _, ap, apa, config)
       )
     }
 
@@ -1735,17 +1739,17 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
-        flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
+      exists(DataFlowCall call, ReturnKindExt returnKind0, Ap returnAp0 |
+        revFlowInToReturn(call, node, state, returnKind0, returnAp0, ap, config) and
+        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
       )
       or
       // flow out of a callable
-      exists(ReturnPosition pos |
-        revFlowOut(_, node, pos, state, _, _, ap, config) and
-        if returnFlowsThrough(node, pos, state, _, _, _, ap, config)
+      exists(ReturnKindExt kind |
+        revFlowOut(_, node, kind, state, _, _, ap, config) and
+        if returnFlowsThrough(node, kind, state, _, _, _, ap, config)
         then (
-          returnCtx = TReturnCtxMaybeFlowThrough(pos) and
+          returnCtx = TReturnCtxMaybeFlowThrough(kind) and
           returnAp = apSome(ap)
         ) else (
           returnCtx = TReturnCtxNoFlowThrough() and returnAp = apNone()
@@ -1778,33 +1782,47 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate revFlowOut(
-      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, FlowState state, ReturnCtx returnCtx,
+      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, FlowState state, ReturnCtx returnCtx,
       ApOption returnAp, Ap ap, Configuration config
     ) {
       exists(NodeEx out, boolean allowsFieldFlow |
         revFlow(out, state, returnCtx, returnAp, ap, config) and
-        flowOutOfCallAp(call, ret, pos, out, allowsFieldFlow, ap, config) and
+        flowOutOfCallAp(call, ret, kind, out, allowsFieldFlow, ap, config) and
         if allowsFieldFlow = false then ap instanceof ApNil else any()
       )
     }
 
+    /**
+     * Same as `flowThroughIntoCall`, but restricted to calls that are reached
+     * in the flow covered by `revFlow`, where data might flow through the target
+     * callable and back out at `call`.
+     */
     pragma[nomagic]
-    private predicate revFlowParamToReturn(
-      ParamNodeEx p, FlowState state, ReturnPosition pos, Ap returnAp, Ap ap, Configuration config
+    private predicate revFlowThroughIntoCall(
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
+      Configuration config
     ) {
-      revFlow(pragma[only_bind_into](p), state, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp),
-        pragma[only_bind_into](ap), pragma[only_bind_into](config)) and
-      parameterFlowThroughAllowed(p, pos.getKind()) and
-      PrevStage::parameterMayFlowThrough(p, getApprox(ap), config)
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, argAp, config) and
+      revFlowIsReturned(call, _, _, _, _, config)
     }
 
     pragma[nomagic]
-    private predicate revFlowThrough(
-      DataFlowCall call, ReturnCtx returnCtx, ParamNodeEx p, FlowState state, ReturnPosition pos,
-      ApOption returnAp, Ap ap, Ap innerReturnAp, Configuration config
+    private predicate revFlowParamToReturn(
+      ParamNodeEx p, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap, Configuration config
     ) {
-      revFlowParamToReturn(p, state, pos, innerReturnAp, ap, config) and
-      revFlowIsReturned(call, returnCtx, returnAp, pos, innerReturnAp, config)
+      revFlow(p, state, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, kind)
+    }
+
+    pragma[nomagic]
+    private predicate revFlowInToReturn(
+      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap,
+      Configuration config
+    ) {
+      exists(ParamNodeEx p, boolean allowsFieldFlow |
+        revFlowParamToReturn(p, state, kind, returnAp, ap, config) and
+        revFlowThroughIntoCall(call, arg, p, allowsFieldFlow, ap, config)
+      )
     }
 
     /**
@@ -1814,12 +1832,12 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     private predicate revFlowIsReturned(
-      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnPosition pos, Ap ap,
+      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnKindExt kind, Ap ap,
       Configuration config
     ) {
       exists(RetNodeEx ret, FlowState state, CcCall ccc |
-        revFlowOut(call, ret, pos, state, returnCtx, returnAp, ap, config) and
-        returnFlowsThrough(ret, pos, state, ccc, _, _, ap, config) and
+        revFlowOut(call, ret, kind, state, returnCtx, returnAp, ap, config) and
+        returnFlowsThrough(ret, kind, state, ccc, _, _, ap, config) and
         matchesCall(ccc, call)
       )
     }
@@ -1897,17 +1915,17 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate parameterFlowsThroughRev(
-      ParamNodeEx p, Ap ap, ReturnPosition pos, Ap returnAp, Configuration config
+      ParamNodeEx p, Ap ap, ReturnKindExt kind, Ap returnAp, Configuration config
     ) {
-      revFlow(p, _, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, pos.getKind())
+      revFlow(p, _, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, kind)
     }
 
     pragma[nomagic]
     predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(ReturnPosition pos |
-        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
-        parameterFlowsThroughRev(p, ap, pos, _, config)
+      exists(RetNodeEx ret, ReturnKindExt kind |
+        returnFlowsThrough(ret, kind, _, _, p, ap, _, config) and
+        parameterFlowsThroughRev(p, ap, kind, _, config)
       )
     }
 
@@ -1915,21 +1933,20 @@ private module MkStage<StageSig PrevStage> {
     predicate returnMayFlowThrough(
       RetNodeEx ret, Ap argAp, Ap ap, ReturnKindExt kind, Configuration config
     ) {
-      exists(ParamNodeEx p, ReturnPosition pos |
-        returnFlowsThrough(ret, pos, _, _, p, argAp, ap, config) and
-        parameterFlowsThroughRev(p, argAp, pos, ap, config) and
-        kind = pos.getKind()
+      exists(ParamNodeEx p |
+        returnFlowsThrough(ret, kind, _, _, p, argAp, ap, config) and
+        parameterFlowsThroughRev(p, argAp, kind, ap, config)
       )
     }
 
     pragma[nomagic]
-    private predicate revFlowThroughArg(
+    predicate revFlowInToReturnIsReturned(
       DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
       Ap ap, Configuration config
     ) {
-      exists(ParamNodeEx p, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
-        flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
+      exists(ReturnKindExt returnKind0, Ap returnAp0 |
+        revFlowInToReturn(call, arg, state, returnKind0, returnAp0, ap, config) and
+        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
       )
     }
 
@@ -1937,7 +1954,7 @@ private module MkStage<StageSig PrevStage> {
     predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
       exists(ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap |
         revFlow(arg, state, returnCtx, returnAp, ap, config) and
-        revFlowThroughArg(call, arg, state, returnCtx, returnAp, ap, config)
+        revFlowInToReturnIsReturned(call, arg, state, returnCtx, returnAp, ap, config)
       )
     }
 
@@ -1950,9 +1967,8 @@ private module MkStage<StageSig PrevStage> {
       conscand = count(TypedContent f0, Ap ap | fwdConsCand(f0, ap, config)) and
       states = count(FlowState state | fwdFlow(_, state, _, _, _, _, config)) and
       tuples =
-        count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap |
-          fwdFlow(n, state, cc, summaryCtx, argAp, ap, config)
-        )
+        count(NodeEx n, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+          Ap ap | fwdFlow(n, state, cc, summaryCtx, argAp, ap, config))
       or
       fwd = false and
       nodes = count(NodeEx node | revFlow(node, _, _, _, _, config)) and
@@ -2807,12 +2823,13 @@ private Configuration unbindConf(Configuration conf) {
 
 pragma[nomagic]
 private predicate nodeMayUseSummary0(
-  NodeEx n, ParamNodeEx p, FlowState state, AccessPathApprox apa, Configuration config
+  NodeEx n, DataFlowCallable c, ParameterPosition pos, FlowState state, AccessPathApprox apa,
+  Configuration config
 ) {
   exists(AccessPathApprox apa0 |
-    Stage5::parameterMayFlowThrough(p, _, _) and
+    c = n.getEnclosingCallable() and
     Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0, config) and
-    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()),
+    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParameterPositionSome(pos),
       TAccessPathApproxSome(apa), apa0, config)
   )
 }
@@ -2821,9 +2838,10 @@ pragma[nomagic]
 private predicate nodeMayUseSummary(
   NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParamNodeEx p |
+  exists(DataFlowCallable c, ParameterPosition pos, ParamNodeEx p |
     Stage5::parameterMayFlowThrough(p, apa, config) and
-    nodeMayUseSummary0(n, p, state, apa, config)
+    nodeMayUseSummary0(n, c, pos, state, apa, config) and
+    p.isParameterOf(c, pos)
   )
 }
 
@@ -3753,8 +3771,8 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
   AccessPathApprox apa, Configuration config
 ) {
-  exists(RetNodeEx ret |
-    pathNode(_, ret, state, cc, sc, ap, config, _) and
+  exists(PathNodeMid mid, RetNodeEx ret |
+    pathNode(mid, ret, state, cc, sc, ap, config, _) and
     kind = ret.getKind() and
     apa = ap.getApprox() and
     parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4216,15 +4234,17 @@ private module FlowExploration {
       ap = TRevPartialNil() and
       exists(config.explorationLimit())
       or
-      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
-      not clearsContentEx(node, ap.getHead()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead())
-      ) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
+      exists(PartialPathNodeRev mid |
+        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
+        not clearsContentEx(node, ap.getHead()) and
+        (
+          notExpectsContent(node) or
+          expectsContentEx(node, ap.getHead())
+        ) and
+        not fullBarrier(node, config) and
+        not stateBarrier(node, state, config) and
+        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
+      )
     }
 
   pragma[nomagic]
@@ -4232,17 +4252,19 @@ private module FlowExploration {
     NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
   ) {
-    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
-    not fullBarrier(node, config) and
-    not stateBarrier(node, state, config) and
-    not clearsContentEx(node, ap.getHead().getContent()) and
-    (
-      notExpectsContent(node) or
-      expectsContentEx(node, ap.getHead().getContent())
-    ) and
-    if node.asNode() instanceof CastingNode
-    then compatibleTypes(node.getDataFlowType(), ap.getType())
-    else any()
+    exists(PartialPathNodeFwd mid |
+      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      not clearsContentEx(node, ap.getHead().getContent()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead().getContent())
+      ) and
+      if node.asNode() instanceof CastingNode
+      then compatibleTypes(node.getDataFlowType(), ap.getType())
+      else any()
+    )
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowVar.qll

@@ -450,8 +450,10 @@ module FlowVar_internal {
     }
 
     override string toString() {
-      this.definedByExpr(_, _) and
-      result = "assignment to " + v
+      exists(Expr e |
+        this.definedByExpr(e, _) and
+        result = "assignment to " + v
+      )
       or
       this.definedByInitialValue(_) and
       result = "initial value of " + v

cpp/ql/lib/semmle/code/cpp/dataflow/internal/SubBasicBlocks.qll

@@ -54,7 +54,7 @@ class SubBasicBlock extends ControlFlowNodeBase {
    * only condition under which a `SubBasicBlock` may have multiple
    * predecessors.
    */
-  predicate firstInBB() { this.getRankInBasicBlock(_) = 1 }
+  predicate firstInBB() { exists(BasicBlock bb | this.getRankInBasicBlock(bb) = 1) }
 
   /**
    * Holds if this `SubBasicBlock` comes last in its basic block. This is the

cpp/ql/lib/semmle/code/cpp/dispatch/VirtualDispatchPrototype.qll

@@ -70,8 +70,8 @@ module VirtualDispatch {
    * that is, `c` or one of its supertypes overrides `f`.
    */
   private predicate cannotInherit(Class c, MemberFunction f) {
-    exists(MemberFunction override |
-      cannotInheritHelper(c, f, _, override) and
+    exists(Class overridingType, MemberFunction override |
+      cannotInheritHelper(c, f, overridingType, override) and
       override.overrides+(f)
     )
   }

cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll

@@ -53,7 +53,7 @@ class Expr extends StmtParent, @expr {
   Declaration getEnclosingDeclaration() { result = exprEnclosingElement(this) }
 
   /** Gets a child of this expression. */
-  Expr getAChild() { result = this.getChild(_) }
+  Expr getAChild() { exists(int n | result = this.getChild(n)) }
 
   /** Gets the parent of this expression, if any. */
   Element getParent() { exprparents(underlyingElement(this), _, unresolveElement(result)) }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll

@@ -622,11 +622,7 @@ private predicate parameterFlowThroughAllowed(ParamNodeEx p, ReturnKindExt kind)
 }
 
 private module Stage1 implements StageSig {
-  class Ap extends int {
-    // workaround for bad functionality-induced joins (happens when using `Unit`)
-    pragma[nomagic]
-    Ap() { this in [0 .. 1] and this < 1 }
-  }
+  class Ap = Unit;
 
   private class Cc = boolean;
 
@@ -876,9 +872,9 @@ private module Stage1 implements StageSig {
 
   pragma[nomagic]
   private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(NodeEx out |
+    exists(DataFlowCall call, NodeEx out |
       revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
     )
   }
 
@@ -1331,8 +1327,8 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, ApApprox apa, Configuration config
     ) {
       fwdFlow0(node, state, cc, summaryCtx, argAp, ap, apa, config) and
       PrevStage::revFlow(node, state, apa, config) and
@@ -1341,21 +1337,21 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[inline]
     additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, Configuration config
     ) {
       fwdFlow(node, state, cc, summaryCtx, argAp, ap, _, config)
     }
 
     pragma[nomagic]
     private predicate fwdFlow0(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, ApApprox apa, Configuration config
     ) {
       sourceNode(node, state, config) and
       (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
       argAp = apNone() and
-      summaryCtx = TParamNodeNone() and
+      summaryCtx = TParameterPositionNone() and
       ap = getApNil(node) and
       apa = getApprox(ap)
       or
@@ -1376,7 +1372,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, pragma[only_bind_into](state), _, _, _, ap, apa, pragma[only_bind_into](config)) and
         jumpStep(mid, node, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone()
       )
       or
@@ -1384,7 +1380,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, state, _, _, _, nil, pragma[only_bind_into](config)) and
         additionalJumpStep(mid, node, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone() and
         ap = getApNil(node) and
         apa = getApprox(ap)
@@ -1394,7 +1390,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, state0, _, _, _, nil, pragma[only_bind_into](config)) and
         additionalJumpStateStep(mid, state0, node, state, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone() and
         ap = getApNil(node) and
         apa = getApprox(ap)
@@ -1418,10 +1414,10 @@ private module MkStage<StageSig PrevStage> {
       fwdFlowIn(_, node, state, _, cc, _, _, ap, apa, config) and
       if PrevStage::parameterMayFlowThrough(node, apa, config)
       then (
-        summaryCtx = TParamNodeSome(node.asNode()) and
+        summaryCtx = TParameterPositionSome(node.(ParamNodeEx).getPosition()) and
         argAp = apSome(ap)
       ) else (
-        summaryCtx = TParamNodeNone() and argAp = apNone()
+        summaryCtx = TParameterPositionNone() and argAp = apNone()
       )
       or
       // flow out of a callable
@@ -1437,19 +1433,16 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(
-        DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow, ApApprox innerArgApa
-      |
-        fwdFlowThrough(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, innerArgApa, config) and
-        flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow, innerArgApa, apa, config) and
-        if allowsFieldFlow = false then ap instanceof ApNil else any()
+      exists(DataFlowCall call, ParameterPosition summaryCtx0, Ap argAp0 |
+        fwdFlowOutFromArg(call, node, state, summaryCtx0, argAp0, ap, apa, config) and
+        fwdFlowIsEntered(call, cc, summaryCtx, argAp, summaryCtx0, argAp0, config)
       )
     }
 
     pragma[nomagic]
     private predicate fwdFlowStore(
       NodeEx node1, Ap ap1, TypedContent tc, NodeEx node2, FlowState state, Cc cc,
-      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
     ) {
       exists(DataFlowType contentType, ApApprox apa1 |
         fwdFlow(node1, state, cc, summaryCtx, argAp, ap1, apa1, config) and
@@ -1480,31 +1473,27 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate fwdFlowRead0(
-      NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
-      Configuration config
+      NodeEx node1, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ApNonNil ap, Configuration config
     ) {
       fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, _, _, config)
     }
 
-    bindingset[ap, c]
-    pragma[inline_late]
-    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
-
     pragma[nomagic]
     private predicate fwdFlowRead(
       Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
-      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
     ) {
       fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, c, node2, config) and
-      hasHeadContent(ap, c)
+      getHeadContent(ap) = c
     }
 
     pragma[nomagic]
     private predicate fwdFlowIn(
       DataFlowCall call, ParamNodeEx p, FlowState state, Cc outercc, CcCall innercc,
-      ParamNodeOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
     ) {
       exists(ArgNodeEx arg, boolean allowsFieldFlow |
         fwdFlow(arg, state, outercc, summaryCtx, argAp, ap, apa, config) and
@@ -1516,38 +1505,64 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate fwdFlowRetFromArg(
-      RetNodeEx ret, FlowState state, CcCall ccc, ParamNodeEx summaryCtx, Ap argAp, ApApprox argApa,
-      Ap ap, ApApprox apa, Configuration config
+      RetNodeEx ret, FlowState state, CcCall ccc, ParameterPosition summaryCtx, ParamNodeEx p,
+      Ap argAp, ApApprox argApa, Ap ap, ApApprox apa, Configuration config
     ) {
-      exists(ReturnKindExt kind |
+      exists(DataFlowCallable c, ReturnKindExt kind |
         fwdFlow(pragma[only_bind_into](ret), state, ccc,
-          TParamNodeSome(pragma[only_bind_into](summaryCtx.asNode())),
-          pragma[only_bind_into](apSome(argAp)), ap, pragma[only_bind_into](apa),
-          pragma[only_bind_into](config)) and
+          TParameterPositionSome(pragma[only_bind_into](summaryCtx)), apSome(argAp), ap, apa, config) and
+        getApprox(argAp) = argApa and
+        c = ret.getEnclosingCallable() and
         kind = ret.getKind() and
-        parameterFlowThroughAllowed(summaryCtx, kind) and
-        argApa = getApprox(argAp) and
-        PrevStage::returnMayFlowThrough(ret, argApa, apa, kind, pragma[only_bind_into](config))
+        p.isParameterOf(c, pragma[only_bind_into](summaryCtx)) and
+        parameterFlowThroughAllowed(p, kind)
       )
     }
 
     pragma[inline]
-    private predicate fwdFlowThrough0(
-      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
-      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ParamNodeEx innerSummaryCtx,
-      Ap innerArgAp, ApApprox innerArgApa, Configuration config
+    private predicate fwdFlowInMayFlowThrough(
+      DataFlowCall call, Cc cc, CcCall innerCc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ParamNodeEx param, Ap ap, ApApprox apa, Configuration config
     ) {
-      fwdFlowRetFromArg(ret, state, ccc, innerSummaryCtx, innerArgAp, innerArgApa, ap, apa, config) and
-      fwdFlowIsEntered(call, cc, ccc, summaryCtx, argAp, innerSummaryCtx, innerArgAp, config)
+      fwdFlowIn(call, pragma[only_bind_into](param), _, cc, innerCc, summaryCtx, argAp, ap,
+        pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
+      PrevStage::parameterMayFlowThrough(param, apa, config)
+    }
+
+    // dedup before joining with `flowThroughOutOfCall`
+    pragma[nomagic]
+    private predicate fwdFlowInMayFlowThroughProj(
+      DataFlowCall call, CcCall innerCc, ApApprox apa, Configuration config
+    ) {
+      fwdFlowInMayFlowThrough(call, _, innerCc, _, _, _, _, apa, config)
+    }
+
+    /**
+     * Same as `flowThroughOutOfCall`, but restricted to calls that are reached
+     * in the flow covered by `fwdFlow`, where data might flow through the target
+     * callable and back out at `call`.
+     */
+    pragma[nomagic]
+    private predicate fwdFlowThroughOutOfCall(
+      DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+      ApApprox argApa, ApApprox apa, Configuration config
+    ) {
+      fwdFlowInMayFlowThroughProj(call, ccc, argApa, config) and
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config)
     }
 
     pragma[nomagic]
-    private predicate fwdFlowThrough(
-      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
-      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ApApprox innerArgApa, Configuration config
+    private predicate fwdFlowOutFromArg(
+      DataFlowCall call, NodeEx out, FlowState state, ParameterPosition summaryCtx, Ap argAp, Ap ap,
+      ApApprox apa, Configuration config
     ) {
-      fwdFlowThrough0(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, _, _, innerArgApa,
-        config)
+      exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc, ApApprox argApa |
+        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc),
+          summaryCtx, _, argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa),
+          config) and
+        fwdFlowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config) and
+        (if allowsFieldFlow = false then ap instanceof ApNil else any())
+      )
     }
 
     /**
@@ -1556,14 +1571,12 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     private predicate fwdFlowIsEntered(
-      DataFlowCall call, Cc cc, CcCall innerCc, ParamNodeOption summaryCtx, ApOption argAp,
-      ParamNodeEx p, Ap ap, Configuration config
+      DataFlowCall call, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ParameterPosition pos, Ap ap, Configuration config
     ) {
-      exists(ApApprox apa |
-        fwdFlowIn(call, pragma[only_bind_into](p), _, cc, innerCc, summaryCtx, argAp, ap,
-          pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
-        PrevStage::parameterMayFlowThrough(p, apa, config) and
-        PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config))
+      exists(ParamNodeEx param |
+        fwdFlowInMayFlowThrough(call, cc, _, summaryCtx, argAp, param, ap, _, config) and
+        pos = param.getPosition()
       )
     }
 
@@ -1583,31 +1596,23 @@ private module MkStage<StageSig PrevStage> {
       fwdFlowConsCand(ap1, c, ap2, config)
     }
 
-    pragma[nomagic]
-    private predicate returnFlowsThrough0(
-      DataFlowCall call, FlowState state, CcCall ccc, Ap ap, ApApprox apa, RetNodeEx ret,
-      ParamNodeEx innerSummaryCtx, Ap innerArgAp, ApApprox innerArgApa, Configuration config
-    ) {
-      fwdFlowThrough0(call, _, state, ccc, _, _, ap, apa, ret, innerSummaryCtx, innerArgAp,
-        innerArgApa, config)
-    }
-
     pragma[nomagic]
     private predicate returnFlowsThrough(
-      RetNodeEx ret, ReturnPosition pos, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
+      RetNodeEx ret, ReturnKindExt kind, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
       Ap ap, Configuration config
     ) {
-      exists(DataFlowCall call, ApApprox apa, boolean allowsFieldFlow, ApApprox innerArgApa |
-        returnFlowsThrough0(call, state, ccc, ap, apa, ret, p, argAp, innerArgApa, config) and
-        flowThroughOutOfCall(call, ccc, ret, _, allowsFieldFlow, innerArgApa, apa, config) and
-        pos = ret.getReturnPosition() and
-        if allowsFieldFlow = false then ap instanceof ApNil else any()
+      exists(boolean allowsFieldFlow, ApApprox argApa, ApApprox apa |
+        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc), _, p,
+          argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa), config) and
+        kind = ret.getKind() and
+        fwdFlowThroughOutOfCall(_, ccc, ret, _, allowsFieldFlow, argApa, apa, config) and
+        (if allowsFieldFlow = false then ap instanceof ApNil else any())
       )
     }
 
     pragma[nomagic]
     private predicate flowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp, Ap ap,
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
       Configuration config
     ) {
       exists(ApApprox argApa |
@@ -1615,7 +1620,7 @@ private module MkStage<StageSig PrevStage> {
           allowsFieldFlow, argApa, pragma[only_bind_into](config)) and
         fwdFlow(arg, _, _, _, _, pragma[only_bind_into](argAp), argApa,
           pragma[only_bind_into](config)) and
-        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), ap,
+        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), _,
           pragma[only_bind_into](config)) and
         if allowsFieldFlow = false then argAp instanceof ApNil else any()
       )
@@ -1634,13 +1639,12 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate flowOutOfCallAp(
-      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, NodeEx out, boolean allowsFieldFlow,
+      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, NodeEx out, boolean allowsFieldFlow,
       Ap ap, Configuration config
     ) {
       exists(ApApprox apa |
-        flowOutOfCallApa(call, ret, _, out, allowsFieldFlow, apa, config) and
-        fwdFlow(ret, _, _, _, _, ap, apa, config) and
-        pos = ret.getReturnPosition()
+        flowOutOfCallApa(call, ret, kind, out, allowsFieldFlow, apa, config) and
+        fwdFlow(ret, _, _, _, _, ap, apa, config)
       )
     }
 
@@ -1735,17 +1739,17 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
-        flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
+      exists(DataFlowCall call, ReturnKindExt returnKind0, Ap returnAp0 |
+        revFlowInToReturn(call, node, state, returnKind0, returnAp0, ap, config) and
+        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
       )
       or
       // flow out of a callable
-      exists(ReturnPosition pos |
-        revFlowOut(_, node, pos, state, _, _, ap, config) and
-        if returnFlowsThrough(node, pos, state, _, _, _, ap, config)
+      exists(ReturnKindExt kind |
+        revFlowOut(_, node, kind, state, _, _, ap, config) and
+        if returnFlowsThrough(node, kind, state, _, _, _, ap, config)
         then (
-          returnCtx = TReturnCtxMaybeFlowThrough(pos) and
+          returnCtx = TReturnCtxMaybeFlowThrough(kind) and
           returnAp = apSome(ap)
         ) else (
           returnCtx = TReturnCtxNoFlowThrough() and returnAp = apNone()
@@ -1778,33 +1782,47 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate revFlowOut(
-      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, FlowState state, ReturnCtx returnCtx,
+      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, FlowState state, ReturnCtx returnCtx,
       ApOption returnAp, Ap ap, Configuration config
     ) {
       exists(NodeEx out, boolean allowsFieldFlow |
         revFlow(out, state, returnCtx, returnAp, ap, config) and
-        flowOutOfCallAp(call, ret, pos, out, allowsFieldFlow, ap, config) and
+        flowOutOfCallAp(call, ret, kind, out, allowsFieldFlow, ap, config) and
         if allowsFieldFlow = false then ap instanceof ApNil else any()
       )
     }
 
+    /**
+     * Same as `flowThroughIntoCall`, but restricted to calls that are reached
+     * in the flow covered by `revFlow`, where data might flow through the target
+     * callable and back out at `call`.
+     */
     pragma[nomagic]
-    private predicate revFlowParamToReturn(
-      ParamNodeEx p, FlowState state, ReturnPosition pos, Ap returnAp, Ap ap, Configuration config
+    private predicate revFlowThroughIntoCall(
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
+      Configuration config
     ) {
-      revFlow(pragma[only_bind_into](p), state, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp),
-        pragma[only_bind_into](ap), pragma[only_bind_into](config)) and
-      parameterFlowThroughAllowed(p, pos.getKind()) and
-      PrevStage::parameterMayFlowThrough(p, getApprox(ap), config)
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, argAp, config) and
+      revFlowIsReturned(call, _, _, _, _, config)
     }
 
     pragma[nomagic]
-    private predicate revFlowThrough(
-      DataFlowCall call, ReturnCtx returnCtx, ParamNodeEx p, FlowState state, ReturnPosition pos,
-      ApOption returnAp, Ap ap, Ap innerReturnAp, Configuration config
+    private predicate revFlowParamToReturn(
+      ParamNodeEx p, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap, Configuration config
     ) {
-      revFlowParamToReturn(p, state, pos, innerReturnAp, ap, config) and
-      revFlowIsReturned(call, returnCtx, returnAp, pos, innerReturnAp, config)
+      revFlow(p, state, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, kind)
+    }
+
+    pragma[nomagic]
+    private predicate revFlowInToReturn(
+      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap,
+      Configuration config
+    ) {
+      exists(ParamNodeEx p, boolean allowsFieldFlow |
+        revFlowParamToReturn(p, state, kind, returnAp, ap, config) and
+        revFlowThroughIntoCall(call, arg, p, allowsFieldFlow, ap, config)
+      )
     }
 
     /**
@@ -1814,12 +1832,12 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     private predicate revFlowIsReturned(
-      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnPosition pos, Ap ap,
+      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnKindExt kind, Ap ap,
       Configuration config
     ) {
       exists(RetNodeEx ret, FlowState state, CcCall ccc |
-        revFlowOut(call, ret, pos, state, returnCtx, returnAp, ap, config) and
-        returnFlowsThrough(ret, pos, state, ccc, _, _, ap, config) and
+        revFlowOut(call, ret, kind, state, returnCtx, returnAp, ap, config) and
+        returnFlowsThrough(ret, kind, state, ccc, _, _, ap, config) and
         matchesCall(ccc, call)
       )
     }
@@ -1897,17 +1915,17 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate parameterFlowsThroughRev(
-      ParamNodeEx p, Ap ap, ReturnPosition pos, Ap returnAp, Configuration config
+      ParamNodeEx p, Ap ap, ReturnKindExt kind, Ap returnAp, Configuration config
     ) {
-      revFlow(p, _, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, pos.getKind())
+      revFlow(p, _, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, kind)
     }
 
     pragma[nomagic]
     predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(ReturnPosition pos |
-        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
-        parameterFlowsThroughRev(p, ap, pos, _, config)
+      exists(RetNodeEx ret, ReturnKindExt kind |
+        returnFlowsThrough(ret, kind, _, _, p, ap, _, config) and
+        parameterFlowsThroughRev(p, ap, kind, _, config)
       )
     }
 
@@ -1915,21 +1933,20 @@ private module MkStage<StageSig PrevStage> {
     predicate returnMayFlowThrough(
       RetNodeEx ret, Ap argAp, Ap ap, ReturnKindExt kind, Configuration config
     ) {
-      exists(ParamNodeEx p, ReturnPosition pos |
-        returnFlowsThrough(ret, pos, _, _, p, argAp, ap, config) and
-        parameterFlowsThroughRev(p, argAp, pos, ap, config) and
-        kind = pos.getKind()
+      exists(ParamNodeEx p |
+        returnFlowsThrough(ret, kind, _, _, p, argAp, ap, config) and
+        parameterFlowsThroughRev(p, argAp, kind, ap, config)
       )
     }
 
     pragma[nomagic]
-    private predicate revFlowThroughArg(
+    predicate revFlowInToReturnIsReturned(
       DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
       Ap ap, Configuration config
     ) {
-      exists(ParamNodeEx p, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
-        flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
+      exists(ReturnKindExt returnKind0, Ap returnAp0 |
+        revFlowInToReturn(call, arg, state, returnKind0, returnAp0, ap, config) and
+        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
       )
     }
 
@@ -1937,7 +1954,7 @@ private module MkStage<StageSig PrevStage> {
     predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
       exists(ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap |
         revFlow(arg, state, returnCtx, returnAp, ap, config) and
-        revFlowThroughArg(call, arg, state, returnCtx, returnAp, ap, config)
+        revFlowInToReturnIsReturned(call, arg, state, returnCtx, returnAp, ap, config)
       )
     }
 
@@ -1950,9 +1967,8 @@ private module MkStage<StageSig PrevStage> {
       conscand = count(TypedContent f0, Ap ap | fwdConsCand(f0, ap, config)) and
       states = count(FlowState state | fwdFlow(_, state, _, _, _, _, config)) and
       tuples =
-        count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap |
-          fwdFlow(n, state, cc, summaryCtx, argAp, ap, config)
-        )
+        count(NodeEx n, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+          Ap ap | fwdFlow(n, state, cc, summaryCtx, argAp, ap, config))
       or
       fwd = false and
       nodes = count(NodeEx node | revFlow(node, _, _, _, _, config)) and
@@ -2807,12 +2823,13 @@ private Configuration unbindConf(Configuration conf) {
 
 pragma[nomagic]
 private predicate nodeMayUseSummary0(
-  NodeEx n, ParamNodeEx p, FlowState state, AccessPathApprox apa, Configuration config
+  NodeEx n, DataFlowCallable c, ParameterPosition pos, FlowState state, AccessPathApprox apa,
+  Configuration config
 ) {
   exists(AccessPathApprox apa0 |
-    Stage5::parameterMayFlowThrough(p, _, _) and
+    c = n.getEnclosingCallable() and
     Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0, config) and
-    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()),
+    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParameterPositionSome(pos),
       TAccessPathApproxSome(apa), apa0, config)
   )
 }
@@ -2821,9 +2838,10 @@ pragma[nomagic]
 private predicate nodeMayUseSummary(
   NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParamNodeEx p |
+  exists(DataFlowCallable c, ParameterPosition pos, ParamNodeEx p |
     Stage5::parameterMayFlowThrough(p, apa, config) and
-    nodeMayUseSummary0(n, p, state, apa, config)
+    nodeMayUseSummary0(n, c, pos, state, apa, config) and
+    p.isParameterOf(c, pos)
   )
 }
 
@@ -3753,8 +3771,8 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
   AccessPathApprox apa, Configuration config
 ) {
-  exists(RetNodeEx ret |
-    pathNode(_, ret, state, cc, sc, ap, config, _) and
+  exists(PathNodeMid mid, RetNodeEx ret |
+    pathNode(mid, ret, state, cc, sc, ap, config, _) and
     kind = ret.getKind() and
     apa = ap.getApprox() and
     parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4216,15 +4234,17 @@ private module FlowExploration {
       ap = TRevPartialNil() and
       exists(config.explorationLimit())
       or
-      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
-      not clearsContentEx(node, ap.getHead()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead())
-      ) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
+      exists(PartialPathNodeRev mid |
+        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
+        not clearsContentEx(node, ap.getHead()) and
+        (
+          notExpectsContent(node) or
+          expectsContentEx(node, ap.getHead())
+        ) and
+        not fullBarrier(node, config) and
+        not stateBarrier(node, state, config) and
+        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
+      )
     }
 
   pragma[nomagic]
@@ -4232,17 +4252,19 @@ private module FlowExploration {
     NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
   ) {
-    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
-    not fullBarrier(node, config) and
-    not stateBarrier(node, state, config) and
-    not clearsContentEx(node, ap.getHead().getContent()) and
-    (
-      notExpectsContent(node) or
-      expectsContentEx(node, ap.getHead().getContent())
-    ) and
-    if node.asNode() instanceof CastingNode
-    then compatibleTypes(node.getDataFlowType(), ap.getType())
-    else any()
+    exists(PartialPathNodeFwd mid |
+      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      not clearsContentEx(node, ap.getHead().getContent()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead().getContent())
+      ) and
+      if node.asNode() instanceof CastingNode
+      then compatibleTypes(node.getDataFlowType(), ap.getType())
+      else any()
+    )
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -622,11 +622,7 @@ private predicate parameterFlowThroughAllowed(ParamNodeEx p, ReturnKindExt kind)
 }
 
 private module Stage1 implements StageSig {
-  class Ap extends int {
-    // workaround for bad functionality-induced joins (happens when using `Unit`)
-    pragma[nomagic]
-    Ap() { this in [0 .. 1] and this < 1 }
-  }
+  class Ap = Unit;
 
   private class Cc = boolean;
 
@@ -876,9 +872,9 @@ private module Stage1 implements StageSig {
 
   pragma[nomagic]
   private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(NodeEx out |
+    exists(DataFlowCall call, NodeEx out |
       revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
     )
   }
 
@@ -1331,8 +1327,8 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, ApApprox apa, Configuration config
     ) {
       fwdFlow0(node, state, cc, summaryCtx, argAp, ap, apa, config) and
       PrevStage::revFlow(node, state, apa, config) and
@@ -1341,21 +1337,21 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[inline]
     additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, Configuration config
     ) {
       fwdFlow(node, state, cc, summaryCtx, argAp, ap, _, config)
     }
 
     pragma[nomagic]
     private predicate fwdFlow0(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, ApApprox apa, Configuration config
     ) {
       sourceNode(node, state, config) and
       (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
       argAp = apNone() and
-      summaryCtx = TParamNodeNone() and
+      summaryCtx = TParameterPositionNone() and
       ap = getApNil(node) and
       apa = getApprox(ap)
       or
@@ -1376,7 +1372,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, pragma[only_bind_into](state), _, _, _, ap, apa, pragma[only_bind_into](config)) and
         jumpStep(mid, node, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone()
       )
       or
@@ -1384,7 +1380,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, state, _, _, _, nil, pragma[only_bind_into](config)) and
         additionalJumpStep(mid, node, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone() and
         ap = getApNil(node) and
         apa = getApprox(ap)
@@ -1394,7 +1390,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, state0, _, _, _, nil, pragma[only_bind_into](config)) and
         additionalJumpStateStep(mid, state0, node, state, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone() and
         ap = getApNil(node) and
         apa = getApprox(ap)
@@ -1418,10 +1414,10 @@ private module MkStage<StageSig PrevStage> {
       fwdFlowIn(_, node, state, _, cc, _, _, ap, apa, config) and
       if PrevStage::parameterMayFlowThrough(node, apa, config)
       then (
-        summaryCtx = TParamNodeSome(node.asNode()) and
+        summaryCtx = TParameterPositionSome(node.(ParamNodeEx).getPosition()) and
         argAp = apSome(ap)
       ) else (
-        summaryCtx = TParamNodeNone() and argAp = apNone()
+        summaryCtx = TParameterPositionNone() and argAp = apNone()
       )
       or
       // flow out of a callable
@@ -1437,19 +1433,16 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(
-        DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow, ApApprox innerArgApa
-      |
-        fwdFlowThrough(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, innerArgApa, config) and
-        flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow, innerArgApa, apa, config) and
-        if allowsFieldFlow = false then ap instanceof ApNil else any()
+      exists(DataFlowCall call, ParameterPosition summaryCtx0, Ap argAp0 |
+        fwdFlowOutFromArg(call, node, state, summaryCtx0, argAp0, ap, apa, config) and
+        fwdFlowIsEntered(call, cc, summaryCtx, argAp, summaryCtx0, argAp0, config)
       )
     }
 
     pragma[nomagic]
     private predicate fwdFlowStore(
       NodeEx node1, Ap ap1, TypedContent tc, NodeEx node2, FlowState state, Cc cc,
-      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
     ) {
       exists(DataFlowType contentType, ApApprox apa1 |
         fwdFlow(node1, state, cc, summaryCtx, argAp, ap1, apa1, config) and
@@ -1480,31 +1473,27 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate fwdFlowRead0(
-      NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
-      Configuration config
+      NodeEx node1, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ApNonNil ap, Configuration config
     ) {
       fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, _, _, config)
     }
 
-    bindingset[ap, c]
-    pragma[inline_late]
-    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
-
     pragma[nomagic]
     private predicate fwdFlowRead(
       Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
-      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
     ) {
       fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, c, node2, config) and
-      hasHeadContent(ap, c)
+      getHeadContent(ap) = c
     }
 
     pragma[nomagic]
     private predicate fwdFlowIn(
       DataFlowCall call, ParamNodeEx p, FlowState state, Cc outercc, CcCall innercc,
-      ParamNodeOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
     ) {
       exists(ArgNodeEx arg, boolean allowsFieldFlow |
         fwdFlow(arg, state, outercc, summaryCtx, argAp, ap, apa, config) and
@@ -1516,38 +1505,64 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate fwdFlowRetFromArg(
-      RetNodeEx ret, FlowState state, CcCall ccc, ParamNodeEx summaryCtx, Ap argAp, ApApprox argApa,
-      Ap ap, ApApprox apa, Configuration config
+      RetNodeEx ret, FlowState state, CcCall ccc, ParameterPosition summaryCtx, ParamNodeEx p,
+      Ap argAp, ApApprox argApa, Ap ap, ApApprox apa, Configuration config
     ) {
-      exists(ReturnKindExt kind |
+      exists(DataFlowCallable c, ReturnKindExt kind |
         fwdFlow(pragma[only_bind_into](ret), state, ccc,
-          TParamNodeSome(pragma[only_bind_into](summaryCtx.asNode())),
-          pragma[only_bind_into](apSome(argAp)), ap, pragma[only_bind_into](apa),
-          pragma[only_bind_into](config)) and
+          TParameterPositionSome(pragma[only_bind_into](summaryCtx)), apSome(argAp), ap, apa, config) and
+        getApprox(argAp) = argApa and
+        c = ret.getEnclosingCallable() and
         kind = ret.getKind() and
-        parameterFlowThroughAllowed(summaryCtx, kind) and
-        argApa = getApprox(argAp) and
-        PrevStage::returnMayFlowThrough(ret, argApa, apa, kind, pragma[only_bind_into](config))
+        p.isParameterOf(c, pragma[only_bind_into](summaryCtx)) and
+        parameterFlowThroughAllowed(p, kind)
       )
     }
 
     pragma[inline]
-    private predicate fwdFlowThrough0(
-      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
-      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ParamNodeEx innerSummaryCtx,
-      Ap innerArgAp, ApApprox innerArgApa, Configuration config
+    private predicate fwdFlowInMayFlowThrough(
+      DataFlowCall call, Cc cc, CcCall innerCc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ParamNodeEx param, Ap ap, ApApprox apa, Configuration config
     ) {
-      fwdFlowRetFromArg(ret, state, ccc, innerSummaryCtx, innerArgAp, innerArgApa, ap, apa, config) and
-      fwdFlowIsEntered(call, cc, ccc, summaryCtx, argAp, innerSummaryCtx, innerArgAp, config)
+      fwdFlowIn(call, pragma[only_bind_into](param), _, cc, innerCc, summaryCtx, argAp, ap,
+        pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
+      PrevStage::parameterMayFlowThrough(param, apa, config)
+    }
+
+    // dedup before joining with `flowThroughOutOfCall`
+    pragma[nomagic]
+    private predicate fwdFlowInMayFlowThroughProj(
+      DataFlowCall call, CcCall innerCc, ApApprox apa, Configuration config
+    ) {
+      fwdFlowInMayFlowThrough(call, _, innerCc, _, _, _, _, apa, config)
+    }
+
+    /**
+     * Same as `flowThroughOutOfCall`, but restricted to calls that are reached
+     * in the flow covered by `fwdFlow`, where data might flow through the target
+     * callable and back out at `call`.
+     */
+    pragma[nomagic]
+    private predicate fwdFlowThroughOutOfCall(
+      DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+      ApApprox argApa, ApApprox apa, Configuration config
+    ) {
+      fwdFlowInMayFlowThroughProj(call, ccc, argApa, config) and
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config)
     }
 
     pragma[nomagic]
-    private predicate fwdFlowThrough(
-      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
-      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ApApprox innerArgApa, Configuration config
+    private predicate fwdFlowOutFromArg(
+      DataFlowCall call, NodeEx out, FlowState state, ParameterPosition summaryCtx, Ap argAp, Ap ap,
+      ApApprox apa, Configuration config
     ) {
-      fwdFlowThrough0(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, _, _, innerArgApa,
-        config)
+      exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc, ApApprox argApa |
+        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc),
+          summaryCtx, _, argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa),
+          config) and
+        fwdFlowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config) and
+        (if allowsFieldFlow = false then ap instanceof ApNil else any())
+      )
     }
 
     /**
@@ -1556,14 +1571,12 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     private predicate fwdFlowIsEntered(
-      DataFlowCall call, Cc cc, CcCall innerCc, ParamNodeOption summaryCtx, ApOption argAp,
-      ParamNodeEx p, Ap ap, Configuration config
+      DataFlowCall call, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ParameterPosition pos, Ap ap, Configuration config
     ) {
-      exists(ApApprox apa |
-        fwdFlowIn(call, pragma[only_bind_into](p), _, cc, innerCc, summaryCtx, argAp, ap,
-          pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
-        PrevStage::parameterMayFlowThrough(p, apa, config) and
-        PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config))
+      exists(ParamNodeEx param |
+        fwdFlowInMayFlowThrough(call, cc, _, summaryCtx, argAp, param, ap, _, config) and
+        pos = param.getPosition()
       )
     }
 
@@ -1583,31 +1596,23 @@ private module MkStage<StageSig PrevStage> {
       fwdFlowConsCand(ap1, c, ap2, config)
     }
 
-    pragma[nomagic]
-    private predicate returnFlowsThrough0(
-      DataFlowCall call, FlowState state, CcCall ccc, Ap ap, ApApprox apa, RetNodeEx ret,
-      ParamNodeEx innerSummaryCtx, Ap innerArgAp, ApApprox innerArgApa, Configuration config
-    ) {
-      fwdFlowThrough0(call, _, state, ccc, _, _, ap, apa, ret, innerSummaryCtx, innerArgAp,
-        innerArgApa, config)
-    }
-
     pragma[nomagic]
     private predicate returnFlowsThrough(
-      RetNodeEx ret, ReturnPosition pos, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
+      RetNodeEx ret, ReturnKindExt kind, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
       Ap ap, Configuration config
     ) {
-      exists(DataFlowCall call, ApApprox apa, boolean allowsFieldFlow, ApApprox innerArgApa |
-        returnFlowsThrough0(call, state, ccc, ap, apa, ret, p, argAp, innerArgApa, config) and
-        flowThroughOutOfCall(call, ccc, ret, _, allowsFieldFlow, innerArgApa, apa, config) and
-        pos = ret.getReturnPosition() and
-        if allowsFieldFlow = false then ap instanceof ApNil else any()
+      exists(boolean allowsFieldFlow, ApApprox argApa, ApApprox apa |
+        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc), _, p,
+          argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa), config) and
+        kind = ret.getKind() and
+        fwdFlowThroughOutOfCall(_, ccc, ret, _, allowsFieldFlow, argApa, apa, config) and
+        (if allowsFieldFlow = false then ap instanceof ApNil else any())
       )
     }
 
     pragma[nomagic]
     private predicate flowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp, Ap ap,
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
       Configuration config
     ) {
       exists(ApApprox argApa |
@@ -1615,7 +1620,7 @@ private module MkStage<StageSig PrevStage> {
           allowsFieldFlow, argApa, pragma[only_bind_into](config)) and
         fwdFlow(arg, _, _, _, _, pragma[only_bind_into](argAp), argApa,
           pragma[only_bind_into](config)) and
-        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), ap,
+        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), _,
           pragma[only_bind_into](config)) and
         if allowsFieldFlow = false then argAp instanceof ApNil else any()
       )
@@ -1634,13 +1639,12 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate flowOutOfCallAp(
-      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, NodeEx out, boolean allowsFieldFlow,
+      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, NodeEx out, boolean allowsFieldFlow,
       Ap ap, Configuration config
     ) {
       exists(ApApprox apa |
-        flowOutOfCallApa(call, ret, _, out, allowsFieldFlow, apa, config) and
-        fwdFlow(ret, _, _, _, _, ap, apa, config) and
-        pos = ret.getReturnPosition()
+        flowOutOfCallApa(call, ret, kind, out, allowsFieldFlow, apa, config) and
+        fwdFlow(ret, _, _, _, _, ap, apa, config)
       )
     }
 
@@ -1735,17 +1739,17 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
-        flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
+      exists(DataFlowCall call, ReturnKindExt returnKind0, Ap returnAp0 |
+        revFlowInToReturn(call, node, state, returnKind0, returnAp0, ap, config) and
+        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
       )
       or
       // flow out of a callable
-      exists(ReturnPosition pos |
-        revFlowOut(_, node, pos, state, _, _, ap, config) and
-        if returnFlowsThrough(node, pos, state, _, _, _, ap, config)
+      exists(ReturnKindExt kind |
+        revFlowOut(_, node, kind, state, _, _, ap, config) and
+        if returnFlowsThrough(node, kind, state, _, _, _, ap, config)
         then (
-          returnCtx = TReturnCtxMaybeFlowThrough(pos) and
+          returnCtx = TReturnCtxMaybeFlowThrough(kind) and
           returnAp = apSome(ap)
         ) else (
           returnCtx = TReturnCtxNoFlowThrough() and returnAp = apNone()
@@ -1778,33 +1782,47 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate revFlowOut(
-      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, FlowState state, ReturnCtx returnCtx,
+      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, FlowState state, ReturnCtx returnCtx,
       ApOption returnAp, Ap ap, Configuration config
     ) {
       exists(NodeEx out, boolean allowsFieldFlow |
         revFlow(out, state, returnCtx, returnAp, ap, config) and
-        flowOutOfCallAp(call, ret, pos, out, allowsFieldFlow, ap, config) and
+        flowOutOfCallAp(call, ret, kind, out, allowsFieldFlow, ap, config) and
         if allowsFieldFlow = false then ap instanceof ApNil else any()
       )
     }
 
+    /**
+     * Same as `flowThroughIntoCall`, but restricted to calls that are reached
+     * in the flow covered by `revFlow`, where data might flow through the target
+     * callable and back out at `call`.
+     */
     pragma[nomagic]
-    private predicate revFlowParamToReturn(
-      ParamNodeEx p, FlowState state, ReturnPosition pos, Ap returnAp, Ap ap, Configuration config
+    private predicate revFlowThroughIntoCall(
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
+      Configuration config
     ) {
-      revFlow(pragma[only_bind_into](p), state, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp),
-        pragma[only_bind_into](ap), pragma[only_bind_into](config)) and
-      parameterFlowThroughAllowed(p, pos.getKind()) and
-      PrevStage::parameterMayFlowThrough(p, getApprox(ap), config)
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, argAp, config) and
+      revFlowIsReturned(call, _, _, _, _, config)
     }
 
     pragma[nomagic]
-    private predicate revFlowThrough(
-      DataFlowCall call, ReturnCtx returnCtx, ParamNodeEx p, FlowState state, ReturnPosition pos,
-      ApOption returnAp, Ap ap, Ap innerReturnAp, Configuration config
+    private predicate revFlowParamToReturn(
+      ParamNodeEx p, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap, Configuration config
     ) {
-      revFlowParamToReturn(p, state, pos, innerReturnAp, ap, config) and
-      revFlowIsReturned(call, returnCtx, returnAp, pos, innerReturnAp, config)
+      revFlow(p, state, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, kind)
+    }
+
+    pragma[nomagic]
+    private predicate revFlowInToReturn(
+      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap,
+      Configuration config
+    ) {
+      exists(ParamNodeEx p, boolean allowsFieldFlow |
+        revFlowParamToReturn(p, state, kind, returnAp, ap, config) and
+        revFlowThroughIntoCall(call, arg, p, allowsFieldFlow, ap, config)
+      )
     }
 
     /**
@@ -1814,12 +1832,12 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     private predicate revFlowIsReturned(
-      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnPosition pos, Ap ap,
+      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnKindExt kind, Ap ap,
       Configuration config
     ) {
       exists(RetNodeEx ret, FlowState state, CcCall ccc |
-        revFlowOut(call, ret, pos, state, returnCtx, returnAp, ap, config) and
-        returnFlowsThrough(ret, pos, state, ccc, _, _, ap, config) and
+        revFlowOut(call, ret, kind, state, returnCtx, returnAp, ap, config) and
+        returnFlowsThrough(ret, kind, state, ccc, _, _, ap, config) and
         matchesCall(ccc, call)
       )
     }
@@ -1897,17 +1915,17 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate parameterFlowsThroughRev(
-      ParamNodeEx p, Ap ap, ReturnPosition pos, Ap returnAp, Configuration config
+      ParamNodeEx p, Ap ap, ReturnKindExt kind, Ap returnAp, Configuration config
     ) {
-      revFlow(p, _, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, pos.getKind())
+      revFlow(p, _, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, kind)
     }
 
     pragma[nomagic]
     predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(ReturnPosition pos |
-        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
-        parameterFlowsThroughRev(p, ap, pos, _, config)
+      exists(RetNodeEx ret, ReturnKindExt kind |
+        returnFlowsThrough(ret, kind, _, _, p, ap, _, config) and
+        parameterFlowsThroughRev(p, ap, kind, _, config)
       )
     }
 
@@ -1915,21 +1933,20 @@ private module MkStage<StageSig PrevStage> {
     predicate returnMayFlowThrough(
       RetNodeEx ret, Ap argAp, Ap ap, ReturnKindExt kind, Configuration config
     ) {
-      exists(ParamNodeEx p, ReturnPosition pos |
-        returnFlowsThrough(ret, pos, _, _, p, argAp, ap, config) and
-        parameterFlowsThroughRev(p, argAp, pos, ap, config) and
-        kind = pos.getKind()
+      exists(ParamNodeEx p |
+        returnFlowsThrough(ret, kind, _, _, p, argAp, ap, config) and
+        parameterFlowsThroughRev(p, argAp, kind, ap, config)
       )
     }
 
     pragma[nomagic]
-    private predicate revFlowThroughArg(
+    predicate revFlowInToReturnIsReturned(
       DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
       Ap ap, Configuration config
     ) {
-      exists(ParamNodeEx p, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
-        flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
+      exists(ReturnKindExt returnKind0, Ap returnAp0 |
+        revFlowInToReturn(call, arg, state, returnKind0, returnAp0, ap, config) and
+        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
       )
     }
 
@@ -1937,7 +1954,7 @@ private module MkStage<StageSig PrevStage> {
     predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
       exists(ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap |
         revFlow(arg, state, returnCtx, returnAp, ap, config) and
-        revFlowThroughArg(call, arg, state, returnCtx, returnAp, ap, config)
+        revFlowInToReturnIsReturned(call, arg, state, returnCtx, returnAp, ap, config)
       )
     }
 
@@ -1950,9 +1967,8 @@ private module MkStage<StageSig PrevStage> {
       conscand = count(TypedContent f0, Ap ap | fwdConsCand(f0, ap, config)) and
       states = count(FlowState state | fwdFlow(_, state, _, _, _, _, config)) and
       tuples =
-        count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap |
-          fwdFlow(n, state, cc, summaryCtx, argAp, ap, config)
-        )
+        count(NodeEx n, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+          Ap ap | fwdFlow(n, state, cc, summaryCtx, argAp, ap, config))
       or
       fwd = false and
       nodes = count(NodeEx node | revFlow(node, _, _, _, _, config)) and
@@ -2807,12 +2823,13 @@ private Configuration unbindConf(Configuration conf) {
 
 pragma[nomagic]
 private predicate nodeMayUseSummary0(
-  NodeEx n, ParamNodeEx p, FlowState state, AccessPathApprox apa, Configuration config
+  NodeEx n, DataFlowCallable c, ParameterPosition pos, FlowState state, AccessPathApprox apa,
+  Configuration config
 ) {
   exists(AccessPathApprox apa0 |
-    Stage5::parameterMayFlowThrough(p, _, _) and
+    c = n.getEnclosingCallable() and
     Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0, config) and
-    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()),
+    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParameterPositionSome(pos),
       TAccessPathApproxSome(apa), apa0, config)
   )
 }
@@ -2821,9 +2838,10 @@ pragma[nomagic]
 private predicate nodeMayUseSummary(
   NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParamNodeEx p |
+  exists(DataFlowCallable c, ParameterPosition pos, ParamNodeEx p |
     Stage5::parameterMayFlowThrough(p, apa, config) and
-    nodeMayUseSummary0(n, p, state, apa, config)
+    nodeMayUseSummary0(n, c, pos, state, apa, config) and
+    p.isParameterOf(c, pos)
   )
 }
 
@@ -3753,8 +3771,8 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
   AccessPathApprox apa, Configuration config
 ) {
-  exists(RetNodeEx ret |
-    pathNode(_, ret, state, cc, sc, ap, config, _) and
+  exists(PathNodeMid mid, RetNodeEx ret |
+    pathNode(mid, ret, state, cc, sc, ap, config, _) and
     kind = ret.getKind() and
     apa = ap.getApprox() and
     parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4216,15 +4234,17 @@ private module FlowExploration {
       ap = TRevPartialNil() and
       exists(config.explorationLimit())
       or
-      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
-      not clearsContentEx(node, ap.getHead()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead())
-      ) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
+      exists(PartialPathNodeRev mid |
+        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
+        not clearsContentEx(node, ap.getHead()) and
+        (
+          notExpectsContent(node) or
+          expectsContentEx(node, ap.getHead())
+        ) and
+        not fullBarrier(node, config) and
+        not stateBarrier(node, state, config) and
+        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
+      )
     }
 
   pragma[nomagic]
@@ -4232,17 +4252,19 @@ private module FlowExploration {
     NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
   ) {
-    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
-    not fullBarrier(node, config) and
-    not stateBarrier(node, state, config) and
-    not clearsContentEx(node, ap.getHead().getContent()) and
-    (
-      notExpectsContent(node) or
-      expectsContentEx(node, ap.getHead().getContent())
-    ) and
-    if node.asNode() instanceof CastingNode
-    then compatibleTypes(node.getDataFlowType(), ap.getType())
-    else any()
+    exists(PartialPathNodeFwd mid |
+      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      not clearsContentEx(node, ap.getHead().getContent()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead().getContent())
+      ) and
+      if node.asNode() instanceof CastingNode
+      then compatibleTypes(node.getDataFlowType(), ap.getType())
+      else any()
+    )
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -622,11 +622,7 @@ private predicate parameterFlowThroughAllowed(ParamNodeEx p, ReturnKindExt kind)
 }
 
 private module Stage1 implements StageSig {
-  class Ap extends int {
-    // workaround for bad functionality-induced joins (happens when using `Unit`)
-    pragma[nomagic]
-    Ap() { this in [0 .. 1] and this < 1 }
-  }
+  class Ap = Unit;
 
   private class Cc = boolean;
 
@@ -876,9 +872,9 @@ private module Stage1 implements StageSig {
 
   pragma[nomagic]
   private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(NodeEx out |
+    exists(DataFlowCall call, NodeEx out |
       revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
     )
   }
 
@@ -1331,8 +1327,8 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, ApApprox apa, Configuration config
     ) {
       fwdFlow0(node, state, cc, summaryCtx, argAp, ap, apa, config) and
       PrevStage::revFlow(node, state, apa, config) and
@@ -1341,21 +1337,21 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[inline]
     additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, Configuration config
     ) {
       fwdFlow(node, state, cc, summaryCtx, argAp, ap, _, config)
     }
 
     pragma[nomagic]
     private predicate fwdFlow0(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, ApApprox apa, Configuration config
     ) {
       sourceNode(node, state, config) and
       (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
       argAp = apNone() and
-      summaryCtx = TParamNodeNone() and
+      summaryCtx = TParameterPositionNone() and
       ap = getApNil(node) and
       apa = getApprox(ap)
       or
@@ -1376,7 +1372,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, pragma[only_bind_into](state), _, _, _, ap, apa, pragma[only_bind_into](config)) and
         jumpStep(mid, node, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone()
       )
       or
@@ -1384,7 +1380,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, state, _, _, _, nil, pragma[only_bind_into](config)) and
         additionalJumpStep(mid, node, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone() and
         ap = getApNil(node) and
         apa = getApprox(ap)
@@ -1394,7 +1390,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, state0, _, _, _, nil, pragma[only_bind_into](config)) and
         additionalJumpStateStep(mid, state0, node, state, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone() and
         ap = getApNil(node) and
         apa = getApprox(ap)
@@ -1418,10 +1414,10 @@ private module MkStage<StageSig PrevStage> {
       fwdFlowIn(_, node, state, _, cc, _, _, ap, apa, config) and
       if PrevStage::parameterMayFlowThrough(node, apa, config)
       then (
-        summaryCtx = TParamNodeSome(node.asNode()) and
+        summaryCtx = TParameterPositionSome(node.(ParamNodeEx).getPosition()) and
         argAp = apSome(ap)
       ) else (
-        summaryCtx = TParamNodeNone() and argAp = apNone()
+        summaryCtx = TParameterPositionNone() and argAp = apNone()
       )
       or
       // flow out of a callable
@@ -1437,19 +1433,16 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(
-        DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow, ApApprox innerArgApa
-      |
-        fwdFlowThrough(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, innerArgApa, config) and
-        flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow, innerArgApa, apa, config) and
-        if allowsFieldFlow = false then ap instanceof ApNil else any()
+      exists(DataFlowCall call, ParameterPosition summaryCtx0, Ap argAp0 |
+        fwdFlowOutFromArg(call, node, state, summaryCtx0, argAp0, ap, apa, config) and
+        fwdFlowIsEntered(call, cc, summaryCtx, argAp, summaryCtx0, argAp0, config)
       )
     }
 
     pragma[nomagic]
     private predicate fwdFlowStore(
       NodeEx node1, Ap ap1, TypedContent tc, NodeEx node2, FlowState state, Cc cc,
-      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
     ) {
       exists(DataFlowType contentType, ApApprox apa1 |
         fwdFlow(node1, state, cc, summaryCtx, argAp, ap1, apa1, config) and
@@ -1480,31 +1473,27 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate fwdFlowRead0(
-      NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
-      Configuration config
+      NodeEx node1, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ApNonNil ap, Configuration config
     ) {
       fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, _, _, config)
     }
 
-    bindingset[ap, c]
-    pragma[inline_late]
-    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
-
     pragma[nomagic]
     private predicate fwdFlowRead(
       Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
-      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
     ) {
       fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, c, node2, config) and
-      hasHeadContent(ap, c)
+      getHeadContent(ap) = c
     }
 
     pragma[nomagic]
     private predicate fwdFlowIn(
       DataFlowCall call, ParamNodeEx p, FlowState state, Cc outercc, CcCall innercc,
-      ParamNodeOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
     ) {
       exists(ArgNodeEx arg, boolean allowsFieldFlow |
         fwdFlow(arg, state, outercc, summaryCtx, argAp, ap, apa, config) and
@@ -1516,38 +1505,64 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate fwdFlowRetFromArg(
-      RetNodeEx ret, FlowState state, CcCall ccc, ParamNodeEx summaryCtx, Ap argAp, ApApprox argApa,
-      Ap ap, ApApprox apa, Configuration config
+      RetNodeEx ret, FlowState state, CcCall ccc, ParameterPosition summaryCtx, ParamNodeEx p,
+      Ap argAp, ApApprox argApa, Ap ap, ApApprox apa, Configuration config
     ) {
-      exists(ReturnKindExt kind |
+      exists(DataFlowCallable c, ReturnKindExt kind |
         fwdFlow(pragma[only_bind_into](ret), state, ccc,
-          TParamNodeSome(pragma[only_bind_into](summaryCtx.asNode())),
-          pragma[only_bind_into](apSome(argAp)), ap, pragma[only_bind_into](apa),
-          pragma[only_bind_into](config)) and
+          TParameterPositionSome(pragma[only_bind_into](summaryCtx)), apSome(argAp), ap, apa, config) and
+        getApprox(argAp) = argApa and
+        c = ret.getEnclosingCallable() and
         kind = ret.getKind() and
-        parameterFlowThroughAllowed(summaryCtx, kind) and
-        argApa = getApprox(argAp) and
-        PrevStage::returnMayFlowThrough(ret, argApa, apa, kind, pragma[only_bind_into](config))
+        p.isParameterOf(c, pragma[only_bind_into](summaryCtx)) and
+        parameterFlowThroughAllowed(p, kind)
       )
     }
 
     pragma[inline]
-    private predicate fwdFlowThrough0(
-      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
-      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ParamNodeEx innerSummaryCtx,
-      Ap innerArgAp, ApApprox innerArgApa, Configuration config
+    private predicate fwdFlowInMayFlowThrough(
+      DataFlowCall call, Cc cc, CcCall innerCc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ParamNodeEx param, Ap ap, ApApprox apa, Configuration config
     ) {
-      fwdFlowRetFromArg(ret, state, ccc, innerSummaryCtx, innerArgAp, innerArgApa, ap, apa, config) and
-      fwdFlowIsEntered(call, cc, ccc, summaryCtx, argAp, innerSummaryCtx, innerArgAp, config)
+      fwdFlowIn(call, pragma[only_bind_into](param), _, cc, innerCc, summaryCtx, argAp, ap,
+        pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
+      PrevStage::parameterMayFlowThrough(param, apa, config)
+    }
+
+    // dedup before joining with `flowThroughOutOfCall`
+    pragma[nomagic]
+    private predicate fwdFlowInMayFlowThroughProj(
+      DataFlowCall call, CcCall innerCc, ApApprox apa, Configuration config
+    ) {
+      fwdFlowInMayFlowThrough(call, _, innerCc, _, _, _, _, apa, config)
+    }
+
+    /**
+     * Same as `flowThroughOutOfCall`, but restricted to calls that are reached
+     * in the flow covered by `fwdFlow`, where data might flow through the target
+     * callable and back out at `call`.
+     */
+    pragma[nomagic]
+    private predicate fwdFlowThroughOutOfCall(
+      DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+      ApApprox argApa, ApApprox apa, Configuration config
+    ) {
+      fwdFlowInMayFlowThroughProj(call, ccc, argApa, config) and
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config)
     }
 
     pragma[nomagic]
-    private predicate fwdFlowThrough(
-      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
-      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ApApprox innerArgApa, Configuration config
+    private predicate fwdFlowOutFromArg(
+      DataFlowCall call, NodeEx out, FlowState state, ParameterPosition summaryCtx, Ap argAp, Ap ap,
+      ApApprox apa, Configuration config
     ) {
-      fwdFlowThrough0(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, _, _, innerArgApa,
-        config)
+      exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc, ApApprox argApa |
+        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc),
+          summaryCtx, _, argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa),
+          config) and
+        fwdFlowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config) and
+        (if allowsFieldFlow = false then ap instanceof ApNil else any())
+      )
     }
 
     /**
@@ -1556,14 +1571,12 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     private predicate fwdFlowIsEntered(
-      DataFlowCall call, Cc cc, CcCall innerCc, ParamNodeOption summaryCtx, ApOption argAp,
-      ParamNodeEx p, Ap ap, Configuration config
+      DataFlowCall call, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ParameterPosition pos, Ap ap, Configuration config
     ) {
-      exists(ApApprox apa |
-        fwdFlowIn(call, pragma[only_bind_into](p), _, cc, innerCc, summaryCtx, argAp, ap,
-          pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
-        PrevStage::parameterMayFlowThrough(p, apa, config) and
-        PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config))
+      exists(ParamNodeEx param |
+        fwdFlowInMayFlowThrough(call, cc, _, summaryCtx, argAp, param, ap, _, config) and
+        pos = param.getPosition()
       )
     }
 
@@ -1583,31 +1596,23 @@ private module MkStage<StageSig PrevStage> {
       fwdFlowConsCand(ap1, c, ap2, config)
     }
 
-    pragma[nomagic]
-    private predicate returnFlowsThrough0(
-      DataFlowCall call, FlowState state, CcCall ccc, Ap ap, ApApprox apa, RetNodeEx ret,
-      ParamNodeEx innerSummaryCtx, Ap innerArgAp, ApApprox innerArgApa, Configuration config
-    ) {
-      fwdFlowThrough0(call, _, state, ccc, _, _, ap, apa, ret, innerSummaryCtx, innerArgAp,
-        innerArgApa, config)
-    }
-
     pragma[nomagic]
     private predicate returnFlowsThrough(
-      RetNodeEx ret, ReturnPosition pos, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
+      RetNodeEx ret, ReturnKindExt kind, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
       Ap ap, Configuration config
     ) {
-      exists(DataFlowCall call, ApApprox apa, boolean allowsFieldFlow, ApApprox innerArgApa |
-        returnFlowsThrough0(call, state, ccc, ap, apa, ret, p, argAp, innerArgApa, config) and
-        flowThroughOutOfCall(call, ccc, ret, _, allowsFieldFlow, innerArgApa, apa, config) and
-        pos = ret.getReturnPosition() and
-        if allowsFieldFlow = false then ap instanceof ApNil else any()
+      exists(boolean allowsFieldFlow, ApApprox argApa, ApApprox apa |
+        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc), _, p,
+          argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa), config) and
+        kind = ret.getKind() and
+        fwdFlowThroughOutOfCall(_, ccc, ret, _, allowsFieldFlow, argApa, apa, config) and
+        (if allowsFieldFlow = false then ap instanceof ApNil else any())
       )
     }
 
     pragma[nomagic]
     private predicate flowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp, Ap ap,
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
       Configuration config
     ) {
       exists(ApApprox argApa |
@@ -1615,7 +1620,7 @@ private module MkStage<StageSig PrevStage> {
           allowsFieldFlow, argApa, pragma[only_bind_into](config)) and
         fwdFlow(arg, _, _, _, _, pragma[only_bind_into](argAp), argApa,
           pragma[only_bind_into](config)) and
-        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), ap,
+        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), _,
           pragma[only_bind_into](config)) and
         if allowsFieldFlow = false then argAp instanceof ApNil else any()
       )
@@ -1634,13 +1639,12 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate flowOutOfCallAp(
-      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, NodeEx out, boolean allowsFieldFlow,
+      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, NodeEx out, boolean allowsFieldFlow,
       Ap ap, Configuration config
     ) {
       exists(ApApprox apa |
-        flowOutOfCallApa(call, ret, _, out, allowsFieldFlow, apa, config) and
-        fwdFlow(ret, _, _, _, _, ap, apa, config) and
-        pos = ret.getReturnPosition()
+        flowOutOfCallApa(call, ret, kind, out, allowsFieldFlow, apa, config) and
+        fwdFlow(ret, _, _, _, _, ap, apa, config)
       )
     }
 
@@ -1735,17 +1739,17 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
-        flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
+      exists(DataFlowCall call, ReturnKindExt returnKind0, Ap returnAp0 |
+        revFlowInToReturn(call, node, state, returnKind0, returnAp0, ap, config) and
+        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
       )
       or
       // flow out of a callable
-      exists(ReturnPosition pos |
-        revFlowOut(_, node, pos, state, _, _, ap, config) and
-        if returnFlowsThrough(node, pos, state, _, _, _, ap, config)
+      exists(ReturnKindExt kind |
+        revFlowOut(_, node, kind, state, _, _, ap, config) and
+        if returnFlowsThrough(node, kind, state, _, _, _, ap, config)
         then (
-          returnCtx = TReturnCtxMaybeFlowThrough(pos) and
+          returnCtx = TReturnCtxMaybeFlowThrough(kind) and
           returnAp = apSome(ap)
         ) else (
           returnCtx = TReturnCtxNoFlowThrough() and returnAp = apNone()
@@ -1778,33 +1782,47 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate revFlowOut(
-      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, FlowState state, ReturnCtx returnCtx,
+      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, FlowState state, ReturnCtx returnCtx,
       ApOption returnAp, Ap ap, Configuration config
     ) {
       exists(NodeEx out, boolean allowsFieldFlow |
         revFlow(out, state, returnCtx, returnAp, ap, config) and
-        flowOutOfCallAp(call, ret, pos, out, allowsFieldFlow, ap, config) and
+        flowOutOfCallAp(call, ret, kind, out, allowsFieldFlow, ap, config) and
         if allowsFieldFlow = false then ap instanceof ApNil else any()
       )
     }
 
+    /**
+     * Same as `flowThroughIntoCall`, but restricted to calls that are reached
+     * in the flow covered by `revFlow`, where data might flow through the target
+     * callable and back out at `call`.
+     */
     pragma[nomagic]
-    private predicate revFlowParamToReturn(
-      ParamNodeEx p, FlowState state, ReturnPosition pos, Ap returnAp, Ap ap, Configuration config
+    private predicate revFlowThroughIntoCall(
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
+      Configuration config
     ) {
-      revFlow(pragma[only_bind_into](p), state, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp),
-        pragma[only_bind_into](ap), pragma[only_bind_into](config)) and
-      parameterFlowThroughAllowed(p, pos.getKind()) and
-      PrevStage::parameterMayFlowThrough(p, getApprox(ap), config)
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, argAp, config) and
+      revFlowIsReturned(call, _, _, _, _, config)
     }
 
     pragma[nomagic]
-    private predicate revFlowThrough(
-      DataFlowCall call, ReturnCtx returnCtx, ParamNodeEx p, FlowState state, ReturnPosition pos,
-      ApOption returnAp, Ap ap, Ap innerReturnAp, Configuration config
+    private predicate revFlowParamToReturn(
+      ParamNodeEx p, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap, Configuration config
     ) {
-      revFlowParamToReturn(p, state, pos, innerReturnAp, ap, config) and
-      revFlowIsReturned(call, returnCtx, returnAp, pos, innerReturnAp, config)
+      revFlow(p, state, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, kind)
+    }
+
+    pragma[nomagic]
+    private predicate revFlowInToReturn(
+      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap,
+      Configuration config
+    ) {
+      exists(ParamNodeEx p, boolean allowsFieldFlow |
+        revFlowParamToReturn(p, state, kind, returnAp, ap, config) and
+        revFlowThroughIntoCall(call, arg, p, allowsFieldFlow, ap, config)
+      )
     }
 
     /**
@@ -1814,12 +1832,12 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     private predicate revFlowIsReturned(
-      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnPosition pos, Ap ap,
+      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnKindExt kind, Ap ap,
       Configuration config
     ) {
       exists(RetNodeEx ret, FlowState state, CcCall ccc |
-        revFlowOut(call, ret, pos, state, returnCtx, returnAp, ap, config) and
-        returnFlowsThrough(ret, pos, state, ccc, _, _, ap, config) and
+        revFlowOut(call, ret, kind, state, returnCtx, returnAp, ap, config) and
+        returnFlowsThrough(ret, kind, state, ccc, _, _, ap, config) and
         matchesCall(ccc, call)
       )
     }
@@ -1897,17 +1915,17 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate parameterFlowsThroughRev(
-      ParamNodeEx p, Ap ap, ReturnPosition pos, Ap returnAp, Configuration config
+      ParamNodeEx p, Ap ap, ReturnKindExt kind, Ap returnAp, Configuration config
     ) {
-      revFlow(p, _, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, pos.getKind())
+      revFlow(p, _, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, kind)
     }
 
     pragma[nomagic]
     predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(ReturnPosition pos |
-        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
-        parameterFlowsThroughRev(p, ap, pos, _, config)
+      exists(RetNodeEx ret, ReturnKindExt kind |
+        returnFlowsThrough(ret, kind, _, _, p, ap, _, config) and
+        parameterFlowsThroughRev(p, ap, kind, _, config)
       )
     }
 
@@ -1915,21 +1933,20 @@ private module MkStage<StageSig PrevStage> {
     predicate returnMayFlowThrough(
       RetNodeEx ret, Ap argAp, Ap ap, ReturnKindExt kind, Configuration config
     ) {
-      exists(ParamNodeEx p, ReturnPosition pos |
-        returnFlowsThrough(ret, pos, _, _, p, argAp, ap, config) and
-        parameterFlowsThroughRev(p, argAp, pos, ap, config) and
-        kind = pos.getKind()
+      exists(ParamNodeEx p |
+        returnFlowsThrough(ret, kind, _, _, p, argAp, ap, config) and
+        parameterFlowsThroughRev(p, argAp, kind, ap, config)
       )
     }
 
     pragma[nomagic]
-    private predicate revFlowThroughArg(
+    predicate revFlowInToReturnIsReturned(
       DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
       Ap ap, Configuration config
     ) {
-      exists(ParamNodeEx p, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
-        flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
+      exists(ReturnKindExt returnKind0, Ap returnAp0 |
+        revFlowInToReturn(call, arg, state, returnKind0, returnAp0, ap, config) and
+        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
       )
     }
 
@@ -1937,7 +1954,7 @@ private module MkStage<StageSig PrevStage> {
     predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
       exists(ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap |
         revFlow(arg, state, returnCtx, returnAp, ap, config) and
-        revFlowThroughArg(call, arg, state, returnCtx, returnAp, ap, config)
+        revFlowInToReturnIsReturned(call, arg, state, returnCtx, returnAp, ap, config)
       )
     }
 
@@ -1950,9 +1967,8 @@ private module MkStage<StageSig PrevStage> {
       conscand = count(TypedContent f0, Ap ap | fwdConsCand(f0, ap, config)) and
       states = count(FlowState state | fwdFlow(_, state, _, _, _, _, config)) and
       tuples =
-        count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap |
-          fwdFlow(n, state, cc, summaryCtx, argAp, ap, config)
-        )
+        count(NodeEx n, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+          Ap ap | fwdFlow(n, state, cc, summaryCtx, argAp, ap, config))
       or
       fwd = false and
       nodes = count(NodeEx node | revFlow(node, _, _, _, _, config)) and
@@ -2807,12 +2823,13 @@ private Configuration unbindConf(Configuration conf) {
 
 pragma[nomagic]
 private predicate nodeMayUseSummary0(
-  NodeEx n, ParamNodeEx p, FlowState state, AccessPathApprox apa, Configuration config
+  NodeEx n, DataFlowCallable c, ParameterPosition pos, FlowState state, AccessPathApprox apa,
+  Configuration config
 ) {
   exists(AccessPathApprox apa0 |
-    Stage5::parameterMayFlowThrough(p, _, _) and
+    c = n.getEnclosingCallable() and
     Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0, config) and
-    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()),
+    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParameterPositionSome(pos),
       TAccessPathApproxSome(apa), apa0, config)
   )
 }
@@ -2821,9 +2838,10 @@ pragma[nomagic]
 private predicate nodeMayUseSummary(
   NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParamNodeEx p |
+  exists(DataFlowCallable c, ParameterPosition pos, ParamNodeEx p |
     Stage5::parameterMayFlowThrough(p, apa, config) and
-    nodeMayUseSummary0(n, p, state, apa, config)
+    nodeMayUseSummary0(n, c, pos, state, apa, config) and
+    p.isParameterOf(c, pos)
   )
 }
 
@@ -3753,8 +3771,8 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
   AccessPathApprox apa, Configuration config
 ) {
-  exists(RetNodeEx ret |
-    pathNode(_, ret, state, cc, sc, ap, config, _) and
+  exists(PathNodeMid mid, RetNodeEx ret |
+    pathNode(mid, ret, state, cc, sc, ap, config, _) and
     kind = ret.getKind() and
     apa = ap.getApprox() and
     parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4216,15 +4234,17 @@ private module FlowExploration {
       ap = TRevPartialNil() and
       exists(config.explorationLimit())
       or
-      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
-      not clearsContentEx(node, ap.getHead()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead())
-      ) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
+      exists(PartialPathNodeRev mid |
+        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
+        not clearsContentEx(node, ap.getHead()) and
+        (
+          notExpectsContent(node) or
+          expectsContentEx(node, ap.getHead())
+        ) and
+        not fullBarrier(node, config) and
+        not stateBarrier(node, state, config) and
+        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
+      )
     }
 
   pragma[nomagic]
@@ -4232,17 +4252,19 @@ private module FlowExploration {
     NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
   ) {
-    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
-    not fullBarrier(node, config) and
-    not stateBarrier(node, state, config) and
-    not clearsContentEx(node, ap.getHead().getContent()) and
-    (
-      notExpectsContent(node) or
-      expectsContentEx(node, ap.getHead().getContent())
-    ) and
-    if node.asNode() instanceof CastingNode
-    then compatibleTypes(node.getDataFlowType(), ap.getType())
-    else any()
+    exists(PartialPathNodeFwd mid |
+      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      not clearsContentEx(node, ap.getHead().getContent()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead().getContent())
+      ) and
+      if node.asNode() instanceof CastingNode
+      then compatibleTypes(node.getDataFlowType(), ap.getType())
+      else any()
+    )
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

@@ -622,11 +622,7 @@ private predicate parameterFlowThroughAllowed(ParamNodeEx p, ReturnKindExt kind)
 }
 
 private module Stage1 implements StageSig {
-  class Ap extends int {
-    // workaround for bad functionality-induced joins (happens when using `Unit`)
-    pragma[nomagic]
-    Ap() { this in [0 .. 1] and this < 1 }
-  }
+  class Ap = Unit;
 
   private class Cc = boolean;
 
@@ -876,9 +872,9 @@ private module Stage1 implements StageSig {
 
   pragma[nomagic]
   private predicate revFlowOut(ReturnPosition pos, Configuration config) {
-    exists(NodeEx out |
+    exists(DataFlowCall call, NodeEx out |
       revFlow(out, _, config) and
-      viableReturnPosOutNodeCandFwd1(_, pos, out, config)
+      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
     )
   }
 
@@ -1331,8 +1327,8 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, ApApprox apa, Configuration config
     ) {
       fwdFlow0(node, state, cc, summaryCtx, argAp, ap, apa, config) and
       PrevStage::revFlow(node, state, apa, config) and
@@ -1341,21 +1337,21 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[inline]
     additional predicate fwdFlow(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, Configuration config
     ) {
       fwdFlow(node, state, cc, summaryCtx, argAp, ap, _, config)
     }
 
     pragma[nomagic]
     private predicate fwdFlow0(
-      NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap,
-      ApApprox apa, Configuration config
+      NodeEx node, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      Ap ap, ApApprox apa, Configuration config
     ) {
       sourceNode(node, state, config) and
       (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
       argAp = apNone() and
-      summaryCtx = TParamNodeNone() and
+      summaryCtx = TParameterPositionNone() and
       ap = getApNil(node) and
       apa = getApprox(ap)
       or
@@ -1376,7 +1372,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, pragma[only_bind_into](state), _, _, _, ap, apa, pragma[only_bind_into](config)) and
         jumpStep(mid, node, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone()
       )
       or
@@ -1384,7 +1380,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, state, _, _, _, nil, pragma[only_bind_into](config)) and
         additionalJumpStep(mid, node, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone() and
         ap = getApNil(node) and
         apa = getApprox(ap)
@@ -1394,7 +1390,7 @@ private module MkStage<StageSig PrevStage> {
         fwdFlow(mid, state0, _, _, _, nil, pragma[only_bind_into](config)) and
         additionalJumpStateStep(mid, state0, node, state, config) and
         cc = ccNone() and
-        summaryCtx = TParamNodeNone() and
+        summaryCtx = TParameterPositionNone() and
         argAp = apNone() and
         ap = getApNil(node) and
         apa = getApprox(ap)
@@ -1418,10 +1414,10 @@ private module MkStage<StageSig PrevStage> {
       fwdFlowIn(_, node, state, _, cc, _, _, ap, apa, config) and
       if PrevStage::parameterMayFlowThrough(node, apa, config)
       then (
-        summaryCtx = TParamNodeSome(node.asNode()) and
+        summaryCtx = TParameterPositionSome(node.(ParamNodeEx).getPosition()) and
         argAp = apSome(ap)
       ) else (
-        summaryCtx = TParamNodeNone() and argAp = apNone()
+        summaryCtx = TParameterPositionNone() and argAp = apNone()
       )
       or
       // flow out of a callable
@@ -1437,19 +1433,16 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(
-        DataFlowCall call, CcCall ccc, RetNodeEx ret, boolean allowsFieldFlow, ApApprox innerArgApa
-      |
-        fwdFlowThrough(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, innerArgApa, config) and
-        flowThroughOutOfCall(call, ccc, ret, node, allowsFieldFlow, innerArgApa, apa, config) and
-        if allowsFieldFlow = false then ap instanceof ApNil else any()
+      exists(DataFlowCall call, ParameterPosition summaryCtx0, Ap argAp0 |
+        fwdFlowOutFromArg(call, node, state, summaryCtx0, argAp0, ap, apa, config) and
+        fwdFlowIsEntered(call, cc, summaryCtx, argAp, summaryCtx0, argAp0, config)
       )
     }
 
     pragma[nomagic]
     private predicate fwdFlowStore(
       NodeEx node1, Ap ap1, TypedContent tc, NodeEx node2, FlowState state, Cc cc,
-      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
     ) {
       exists(DataFlowType contentType, ApApprox apa1 |
         fwdFlow(node1, state, cc, summaryCtx, argAp, ap1, apa1, config) and
@@ -1480,31 +1473,27 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate fwdFlowRead0(
-      NodeEx node1, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, ApNonNil ap,
-      Configuration config
+      NodeEx node1, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ApNonNil ap, Configuration config
     ) {
       fwdFlow(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, _, _, config)
     }
 
-    bindingset[ap, c]
-    pragma[inline_late]
-    private predicate hasHeadContent(Ap ap, Content c) { getHeadContent(ap) = c }
-
     pragma[nomagic]
     private predicate fwdFlowRead(
       Ap ap, Content c, NodeEx node1, NodeEx node2, FlowState state, Cc cc,
-      ParamNodeOption summaryCtx, ApOption argAp, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Configuration config
     ) {
       fwdFlowRead0(node1, state, cc, summaryCtx, argAp, ap, config) and
       PrevStage::readStepCand(node1, c, node2, config) and
-      hasHeadContent(ap, c)
+      getHeadContent(ap) = c
     }
 
     pragma[nomagic]
     private predicate fwdFlowIn(
       DataFlowCall call, ParamNodeEx p, FlowState state, Cc outercc, CcCall innercc,
-      ParamNodeOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
+      ParameterPositionOption summaryCtx, ApOption argAp, Ap ap, ApApprox apa, Configuration config
     ) {
       exists(ArgNodeEx arg, boolean allowsFieldFlow |
         fwdFlow(arg, state, outercc, summaryCtx, argAp, ap, apa, config) and
@@ -1516,38 +1505,64 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate fwdFlowRetFromArg(
-      RetNodeEx ret, FlowState state, CcCall ccc, ParamNodeEx summaryCtx, Ap argAp, ApApprox argApa,
-      Ap ap, ApApprox apa, Configuration config
+      RetNodeEx ret, FlowState state, CcCall ccc, ParameterPosition summaryCtx, ParamNodeEx p,
+      Ap argAp, ApApprox argApa, Ap ap, ApApprox apa, Configuration config
     ) {
-      exists(ReturnKindExt kind |
+      exists(DataFlowCallable c, ReturnKindExt kind |
         fwdFlow(pragma[only_bind_into](ret), state, ccc,
-          TParamNodeSome(pragma[only_bind_into](summaryCtx.asNode())),
-          pragma[only_bind_into](apSome(argAp)), ap, pragma[only_bind_into](apa),
-          pragma[only_bind_into](config)) and
+          TParameterPositionSome(pragma[only_bind_into](summaryCtx)), apSome(argAp), ap, apa, config) and
+        getApprox(argAp) = argApa and
+        c = ret.getEnclosingCallable() and
         kind = ret.getKind() and
-        parameterFlowThroughAllowed(summaryCtx, kind) and
-        argApa = getApprox(argAp) and
-        PrevStage::returnMayFlowThrough(ret, argApa, apa, kind, pragma[only_bind_into](config))
+        p.isParameterOf(c, pragma[only_bind_into](summaryCtx)) and
+        parameterFlowThroughAllowed(p, kind)
       )
     }
 
     pragma[inline]
-    private predicate fwdFlowThrough0(
-      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
-      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ParamNodeEx innerSummaryCtx,
-      Ap innerArgAp, ApApprox innerArgApa, Configuration config
+    private predicate fwdFlowInMayFlowThrough(
+      DataFlowCall call, Cc cc, CcCall innerCc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ParamNodeEx param, Ap ap, ApApprox apa, Configuration config
     ) {
-      fwdFlowRetFromArg(ret, state, ccc, innerSummaryCtx, innerArgAp, innerArgApa, ap, apa, config) and
-      fwdFlowIsEntered(call, cc, ccc, summaryCtx, argAp, innerSummaryCtx, innerArgAp, config)
+      fwdFlowIn(call, pragma[only_bind_into](param), _, cc, innerCc, summaryCtx, argAp, ap,
+        pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
+      PrevStage::parameterMayFlowThrough(param, apa, config)
+    }
+
+    // dedup before joining with `flowThroughOutOfCall`
+    pragma[nomagic]
+    private predicate fwdFlowInMayFlowThroughProj(
+      DataFlowCall call, CcCall innerCc, ApApprox apa, Configuration config
+    ) {
+      fwdFlowInMayFlowThrough(call, _, innerCc, _, _, _, _, apa, config)
+    }
+
+    /**
+     * Same as `flowThroughOutOfCall`, but restricted to calls that are reached
+     * in the flow covered by `fwdFlow`, where data might flow through the target
+     * callable and back out at `call`.
+     */
+    pragma[nomagic]
+    private predicate fwdFlowThroughOutOfCall(
+      DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
+      ApApprox argApa, ApApprox apa, Configuration config
+    ) {
+      fwdFlowInMayFlowThroughProj(call, ccc, argApa, config) and
+      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config)
     }
 
     pragma[nomagic]
-    private predicate fwdFlowThrough(
-      DataFlowCall call, Cc cc, FlowState state, CcCall ccc, ParamNodeOption summaryCtx,
-      ApOption argAp, Ap ap, ApApprox apa, RetNodeEx ret, ApApprox innerArgApa, Configuration config
+    private predicate fwdFlowOutFromArg(
+      DataFlowCall call, NodeEx out, FlowState state, ParameterPosition summaryCtx, Ap argAp, Ap ap,
+      ApApprox apa, Configuration config
     ) {
-      fwdFlowThrough0(call, cc, state, ccc, summaryCtx, argAp, ap, apa, ret, _, _, innerArgApa,
-        config)
+      exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc, ApApprox argApa |
+        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc),
+          summaryCtx, _, argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa),
+          config) and
+        fwdFlowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, argApa, apa, config) and
+        (if allowsFieldFlow = false then ap instanceof ApNil else any())
+      )
     }
 
     /**
@@ -1556,14 +1571,12 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     private predicate fwdFlowIsEntered(
-      DataFlowCall call, Cc cc, CcCall innerCc, ParamNodeOption summaryCtx, ApOption argAp,
-      ParamNodeEx p, Ap ap, Configuration config
+      DataFlowCall call, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+      ParameterPosition pos, Ap ap, Configuration config
     ) {
-      exists(ApApprox apa |
-        fwdFlowIn(call, pragma[only_bind_into](p), _, cc, innerCc, summaryCtx, argAp, ap,
-          pragma[only_bind_into](apa), pragma[only_bind_into](config)) and
-        PrevStage::parameterMayFlowThrough(p, apa, config) and
-        PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config))
+      exists(ParamNodeEx param |
+        fwdFlowInMayFlowThrough(call, cc, _, summaryCtx, argAp, param, ap, _, config) and
+        pos = param.getPosition()
       )
     }
 
@@ -1583,31 +1596,23 @@ private module MkStage<StageSig PrevStage> {
       fwdFlowConsCand(ap1, c, ap2, config)
     }
 
-    pragma[nomagic]
-    private predicate returnFlowsThrough0(
-      DataFlowCall call, FlowState state, CcCall ccc, Ap ap, ApApprox apa, RetNodeEx ret,
-      ParamNodeEx innerSummaryCtx, Ap innerArgAp, ApApprox innerArgApa, Configuration config
-    ) {
-      fwdFlowThrough0(call, _, state, ccc, _, _, ap, apa, ret, innerSummaryCtx, innerArgAp,
-        innerArgApa, config)
-    }
-
     pragma[nomagic]
     private predicate returnFlowsThrough(
-      RetNodeEx ret, ReturnPosition pos, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
+      RetNodeEx ret, ReturnKindExt kind, FlowState state, CcCall ccc, ParamNodeEx p, Ap argAp,
       Ap ap, Configuration config
     ) {
-      exists(DataFlowCall call, ApApprox apa, boolean allowsFieldFlow, ApApprox innerArgApa |
-        returnFlowsThrough0(call, state, ccc, ap, apa, ret, p, argAp, innerArgApa, config) and
-        flowThroughOutOfCall(call, ccc, ret, _, allowsFieldFlow, innerArgApa, apa, config) and
-        pos = ret.getReturnPosition() and
-        if allowsFieldFlow = false then ap instanceof ApNil else any()
+      exists(boolean allowsFieldFlow, ApApprox argApa, ApApprox apa |
+        fwdFlowRetFromArg(pragma[only_bind_into](ret), state, pragma[only_bind_into](ccc), _, p,
+          argAp, pragma[only_bind_into](argApa), ap, pragma[only_bind_into](apa), config) and
+        kind = ret.getKind() and
+        fwdFlowThroughOutOfCall(_, ccc, ret, _, allowsFieldFlow, argApa, apa, config) and
+        (if allowsFieldFlow = false then ap instanceof ApNil else any())
       )
     }
 
     pragma[nomagic]
     private predicate flowThroughIntoCall(
-      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp, Ap ap,
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
       Configuration config
     ) {
       exists(ApApprox argApa |
@@ -1615,7 +1620,7 @@ private module MkStage<StageSig PrevStage> {
           allowsFieldFlow, argApa, pragma[only_bind_into](config)) and
         fwdFlow(arg, _, _, _, _, pragma[only_bind_into](argAp), argApa,
           pragma[only_bind_into](config)) and
-        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), ap,
+        returnFlowsThrough(_, _, _, _, p, pragma[only_bind_into](argAp), _,
           pragma[only_bind_into](config)) and
         if allowsFieldFlow = false then argAp instanceof ApNil else any()
       )
@@ -1634,13 +1639,12 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate flowOutOfCallAp(
-      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, NodeEx out, boolean allowsFieldFlow,
+      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, NodeEx out, boolean allowsFieldFlow,
       Ap ap, Configuration config
     ) {
       exists(ApApprox apa |
-        flowOutOfCallApa(call, ret, _, out, allowsFieldFlow, apa, config) and
-        fwdFlow(ret, _, _, _, _, ap, apa, config) and
-        pos = ret.getReturnPosition()
+        flowOutOfCallApa(call, ret, kind, out, allowsFieldFlow, apa, config) and
+        fwdFlow(ret, _, _, _, _, ap, apa, config)
       )
     }
 
@@ -1735,17 +1739,17 @@ private module MkStage<StageSig PrevStage> {
       )
       or
       // flow through a callable
-      exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
-        flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
+      exists(DataFlowCall call, ReturnKindExt returnKind0, Ap returnAp0 |
+        revFlowInToReturn(call, node, state, returnKind0, returnAp0, ap, config) and
+        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
       )
       or
       // flow out of a callable
-      exists(ReturnPosition pos |
-        revFlowOut(_, node, pos, state, _, _, ap, config) and
-        if returnFlowsThrough(node, pos, state, _, _, _, ap, config)
+      exists(ReturnKindExt kind |
+        revFlowOut(_, node, kind, state, _, _, ap, config) and
+        if returnFlowsThrough(node, kind, state, _, _, _, ap, config)
         then (
-          returnCtx = TReturnCtxMaybeFlowThrough(pos) and
+          returnCtx = TReturnCtxMaybeFlowThrough(kind) and
           returnAp = apSome(ap)
         ) else (
           returnCtx = TReturnCtxNoFlowThrough() and returnAp = apNone()
@@ -1778,33 +1782,47 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate revFlowOut(
-      DataFlowCall call, RetNodeEx ret, ReturnPosition pos, FlowState state, ReturnCtx returnCtx,
+      DataFlowCall call, RetNodeEx ret, ReturnKindExt kind, FlowState state, ReturnCtx returnCtx,
       ApOption returnAp, Ap ap, Configuration config
     ) {
       exists(NodeEx out, boolean allowsFieldFlow |
         revFlow(out, state, returnCtx, returnAp, ap, config) and
-        flowOutOfCallAp(call, ret, pos, out, allowsFieldFlow, ap, config) and
+        flowOutOfCallAp(call, ret, kind, out, allowsFieldFlow, ap, config) and
         if allowsFieldFlow = false then ap instanceof ApNil else any()
       )
     }
 
+    /**
+     * Same as `flowThroughIntoCall`, but restricted to calls that are reached
+     * in the flow covered by `revFlow`, where data might flow through the target
+     * callable and back out at `call`.
+     */
     pragma[nomagic]
-    private predicate revFlowParamToReturn(
-      ParamNodeEx p, FlowState state, ReturnPosition pos, Ap returnAp, Ap ap, Configuration config
+    private predicate revFlowThroughIntoCall(
+      DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow, Ap argAp,
+      Configuration config
     ) {
-      revFlow(pragma[only_bind_into](p), state, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp),
-        pragma[only_bind_into](ap), pragma[only_bind_into](config)) and
-      parameterFlowThroughAllowed(p, pos.getKind()) and
-      PrevStage::parameterMayFlowThrough(p, getApprox(ap), config)
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, argAp, config) and
+      revFlowIsReturned(call, _, _, _, _, config)
     }
 
     pragma[nomagic]
-    private predicate revFlowThrough(
-      DataFlowCall call, ReturnCtx returnCtx, ParamNodeEx p, FlowState state, ReturnPosition pos,
-      ApOption returnAp, Ap ap, Ap innerReturnAp, Configuration config
+    private predicate revFlowParamToReturn(
+      ParamNodeEx p, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap, Configuration config
     ) {
-      revFlowParamToReturn(p, state, pos, innerReturnAp, ap, config) and
-      revFlowIsReturned(call, returnCtx, returnAp, pos, innerReturnAp, config)
+      revFlow(p, state, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, kind)
+    }
+
+    pragma[nomagic]
+    private predicate revFlowInToReturn(
+      DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnKindExt kind, Ap returnAp, Ap ap,
+      Configuration config
+    ) {
+      exists(ParamNodeEx p, boolean allowsFieldFlow |
+        revFlowParamToReturn(p, state, kind, returnAp, ap, config) and
+        revFlowThroughIntoCall(call, arg, p, allowsFieldFlow, ap, config)
+      )
     }
 
     /**
@@ -1814,12 +1832,12 @@ private module MkStage<StageSig PrevStage> {
      */
     pragma[nomagic]
     private predicate revFlowIsReturned(
-      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnPosition pos, Ap ap,
+      DataFlowCall call, ReturnCtx returnCtx, ApOption returnAp, ReturnKindExt kind, Ap ap,
       Configuration config
     ) {
       exists(RetNodeEx ret, FlowState state, CcCall ccc |
-        revFlowOut(call, ret, pos, state, returnCtx, returnAp, ap, config) and
-        returnFlowsThrough(ret, pos, state, ccc, _, _, ap, config) and
+        revFlowOut(call, ret, kind, state, returnCtx, returnAp, ap, config) and
+        returnFlowsThrough(ret, kind, state, ccc, _, _, ap, config) and
         matchesCall(ccc, call)
       )
     }
@@ -1897,17 +1915,17 @@ private module MkStage<StageSig PrevStage> {
 
     pragma[nomagic]
     private predicate parameterFlowsThroughRev(
-      ParamNodeEx p, Ap ap, ReturnPosition pos, Ap returnAp, Configuration config
+      ParamNodeEx p, Ap ap, ReturnKindExt kind, Ap returnAp, Configuration config
     ) {
-      revFlow(p, _, TReturnCtxMaybeFlowThrough(pos), apSome(returnAp), ap, config) and
-      parameterFlowThroughAllowed(p, pos.getKind())
+      revFlow(p, _, TReturnCtxMaybeFlowThrough(kind), apSome(returnAp), ap, config) and
+      parameterFlowThroughAllowed(p, kind)
     }
 
     pragma[nomagic]
     predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
-      exists(ReturnPosition pos |
-        returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
-        parameterFlowsThroughRev(p, ap, pos, _, config)
+      exists(RetNodeEx ret, ReturnKindExt kind |
+        returnFlowsThrough(ret, kind, _, _, p, ap, _, config) and
+        parameterFlowsThroughRev(p, ap, kind, _, config)
       )
     }
 
@@ -1915,21 +1933,20 @@ private module MkStage<StageSig PrevStage> {
     predicate returnMayFlowThrough(
       RetNodeEx ret, Ap argAp, Ap ap, ReturnKindExt kind, Configuration config
     ) {
-      exists(ParamNodeEx p, ReturnPosition pos |
-        returnFlowsThrough(ret, pos, _, _, p, argAp, ap, config) and
-        parameterFlowsThroughRev(p, argAp, pos, ap, config) and
-        kind = pos.getKind()
+      exists(ParamNodeEx p |
+        returnFlowsThrough(ret, kind, _, _, p, argAp, ap, config) and
+        parameterFlowsThroughRev(p, argAp, kind, ap, config)
       )
     }
 
     pragma[nomagic]
-    private predicate revFlowThroughArg(
+    predicate revFlowInToReturnIsReturned(
       DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
       Ap ap, Configuration config
     ) {
-      exists(ParamNodeEx p, Ap innerReturnAp |
-        revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
-        flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
+      exists(ReturnKindExt returnKind0, Ap returnAp0 |
+        revFlowInToReturn(call, arg, state, returnKind0, returnAp0, ap, config) and
+        revFlowIsReturned(call, returnCtx, returnAp, returnKind0, returnAp0, config)
       )
     }
 
@@ -1937,7 +1954,7 @@ private module MkStage<StageSig PrevStage> {
     predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
       exists(ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap |
         revFlow(arg, state, returnCtx, returnAp, ap, config) and
-        revFlowThroughArg(call, arg, state, returnCtx, returnAp, ap, config)
+        revFlowInToReturnIsReturned(call, arg, state, returnCtx, returnAp, ap, config)
       )
     }
 
@@ -1950,9 +1967,8 @@ private module MkStage<StageSig PrevStage> {
       conscand = count(TypedContent f0, Ap ap | fwdConsCand(f0, ap, config)) and
       states = count(FlowState state | fwdFlow(_, state, _, _, _, _, config)) and
       tuples =
-        count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, ApOption argAp, Ap ap |
-          fwdFlow(n, state, cc, summaryCtx, argAp, ap, config)
-        )
+        count(NodeEx n, FlowState state, Cc cc, ParameterPositionOption summaryCtx, ApOption argAp,
+          Ap ap | fwdFlow(n, state, cc, summaryCtx, argAp, ap, config))
       or
       fwd = false and
       nodes = count(NodeEx node | revFlow(node, _, _, _, _, config)) and
@@ -2807,12 +2823,13 @@ private Configuration unbindConf(Configuration conf) {
 
 pragma[nomagic]
 private predicate nodeMayUseSummary0(
-  NodeEx n, ParamNodeEx p, FlowState state, AccessPathApprox apa, Configuration config
+  NodeEx n, DataFlowCallable c, ParameterPosition pos, FlowState state, AccessPathApprox apa,
+  Configuration config
 ) {
   exists(AccessPathApprox apa0 |
-    Stage5::parameterMayFlowThrough(p, _, _) and
+    c = n.getEnclosingCallable() and
     Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0, config) and
-    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()),
+    Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParameterPositionSome(pos),
       TAccessPathApproxSome(apa), apa0, config)
   )
 }
@@ -2821,9 +2838,10 @@ pragma[nomagic]
 private predicate nodeMayUseSummary(
   NodeEx n, FlowState state, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParamNodeEx p |
+  exists(DataFlowCallable c, ParameterPosition pos, ParamNodeEx p |
     Stage5::parameterMayFlowThrough(p, apa, config) and
-    nodeMayUseSummary0(n, p, state, apa, config)
+    nodeMayUseSummary0(n, c, pos, state, apa, config) and
+    p.isParameterOf(c, pos)
   )
 }
 
@@ -3753,8 +3771,8 @@ private predicate paramFlowsThrough(
   ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
   AccessPathApprox apa, Configuration config
 ) {
-  exists(RetNodeEx ret |
-    pathNode(_, ret, state, cc, sc, ap, config, _) and
+  exists(PathNodeMid mid, RetNodeEx ret |
+    pathNode(mid, ret, state, cc, sc, ap, config, _) and
     kind = ret.getKind() and
     apa = ap.getApprox() and
     parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4216,15 +4234,17 @@ private module FlowExploration {
       ap = TRevPartialNil() and
       exists(config.explorationLimit())
       or
-      revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
-      not clearsContentEx(node, ap.getHead()) and
-      (
-        notExpectsContent(node) or
-        expectsContentEx(node, ap.getHead())
-      ) and
-      not fullBarrier(node, config) and
-      not stateBarrier(node, state, config) and
-      distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
+      exists(PartialPathNodeRev mid |
+        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
+        not clearsContentEx(node, ap.getHead()) and
+        (
+          notExpectsContent(node) or
+          expectsContentEx(node, ap.getHead())
+        ) and
+        not fullBarrier(node, config) and
+        not stateBarrier(node, state, config) and
+        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
+      )
     }
 
   pragma[nomagic]
@@ -4232,17 +4252,19 @@ private module FlowExploration {
     NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
   ) {
-    partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
-    not fullBarrier(node, config) and
-    not stateBarrier(node, state, config) and
-    not clearsContentEx(node, ap.getHead().getContent()) and
-    (
-      notExpectsContent(node) or
-      expectsContentEx(node, ap.getHead().getContent())
-    ) and
-    if node.asNode() instanceof CastingNode
-    then compatibleTypes(node.getDataFlowType(), ap.getType())
-    else any()
+    exists(PartialPathNodeFwd mid |
+      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
+      not fullBarrier(node, config) and
+      not stateBarrier(node, state, config) and
+      not clearsContentEx(node, ap.getHead().getContent()) and
+      (
+        notExpectsContent(node) or
+        expectsContentEx(node, ap.getHead().getContent())
+      ) and
+      if node.asNode() instanceof CastingNode
+      then compatibleTypes(node.getDataFlowType(), ap.getType())
+      else any()
+    )
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll

@@ -916,15 +916,15 @@ private module Cached {
     TDataFlowCallSome(DataFlowCall call)
 
   cached
-  newtype TParamNodeOption =
-    TParamNodeNone() or
-    TParamNodeSome(ParamNode p)
+  newtype TParameterPositionOption =
+    TParameterPositionNone() or
+    TParameterPositionSome(ParameterPosition pos)
 
   cached
   newtype TReturnCtx =
     TReturnCtxNone() or
     TReturnCtxNoFlowThrough() or
-    TReturnCtxMaybeFlowThrough(ReturnPosition pos)
+    TReturnCtxMaybeFlowThrough(ReturnKindExt kind)
 
   cached
   newtype TTypedContentApprox =
@@ -1343,15 +1343,15 @@ class DataFlowCallOption extends TDataFlowCallOption {
   }
 }
 
-/** An optional `ParamNode`. */
-class ParamNodeOption extends TParamNodeOption {
+/** An optional `ParameterPosition`. */
+class ParameterPositionOption extends TParameterPositionOption {
   string toString() {
-    this = TParamNodeNone() and
+    this = TParameterPositionNone() and
     result = "(none)"
     or
-    exists(ParamNode p |
-      this = TParamNodeSome(p) and
-      result = p.toString()
+    exists(ParameterPosition pos |
+      this = TParameterPositionSome(pos) and
+      result = pos.toString()
     )
   }
 }
@@ -1363,7 +1363,7 @@ class ParamNodeOption extends TParamNodeOption {
  *
  * - `TReturnCtxNone()`: no return flow.
  * - `TReturnCtxNoFlowThrough()`: return flow, but flow through is not possible.
- * - `TReturnCtxMaybeFlowThrough(ReturnPosition pos)`: return flow, of kind `pos`, and
+ * - `TReturnCtxMaybeFlowThrough(ReturnKindExt kind)`: return flow, of kind `kind`, and
  *    flow through may be possible.
  */
 class ReturnCtx extends TReturnCtx {
@@ -1374,9 +1374,9 @@ class ReturnCtx extends TReturnCtx {
     this = TReturnCtxNoFlowThrough() and
     result = "(no flow through)"
     or
-    exists(ReturnPosition pos |
-      this = TReturnCtxMaybeFlowThrough(pos) and
-      result = pos.toString()
+    exists(ReturnKindExt kind |
+      this = TReturnCtxMaybeFlowThrough(kind) and
+      result = kind.toString()
     )
   }
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll

@@ -45,16 +45,6 @@ module Consistency {
     ) {
       none()
     }
-
-    /** Holds if `(c, pos, p)` should be excluded from the consistency test `uniqueParameterNodeAtPosition`. */
-    predicate uniqueParameterNodeAtPositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
-      none()
-    }
-
-    /** Holds if `(c, pos, p)` should be excluded from the consistency test `uniqueParameterNodePosition`. */
-    predicate uniqueParameterNodePositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {
-      none()
-    }
   }
 
   private class RelevantNode extends Node {
@@ -111,7 +101,9 @@ module Consistency {
     exists(int c |
       c =
         strictcount(Node n |
-          not n.hasLocationInfo(_, _, _, _, _) and
+          not exists(string filepath, int startline, int startcolumn, int endline, int endcolumn |
+            n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+          ) and
           not any(ConsistencyConfiguration conf).missingLocationExclude(n)
         ) and
       msg = "Nodes without location: " + c
@@ -256,7 +248,6 @@ module Consistency {
   query predicate uniqueParameterNodeAtPosition(
     DataFlowCallable c, ParameterPosition pos, Node p, string msg
   ) {
-    not any(ConsistencyConfiguration conf).uniqueParameterNodeAtPositionExclude(c, pos, p) and
     isParameterNode(p, c, pos) and
     not exists(unique(Node p0 | isParameterNode(p0, c, pos))) and
     msg = "Parameters with overlapping positions."
@@ -265,7 +256,6 @@ module Consistency {
   query predicate uniqueParameterNodePosition(
     DataFlowCallable c, ParameterPosition pos, Node p, string msg
   ) {
-    not any(ConsistencyConfiguration conf).uniqueParameterNodePositionExclude(c, pos, p) and
     isParameterNode(p, c, pos) and
     not exists(unique(ParameterPosition pos0 | isParameterNode(p, c, pos0))) and
     msg = "Parameter node with multiple positions."

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll

@@ -169,11 +169,19 @@ predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
  */
 predicate modeledTaintStep(Operand nodeIn, Instruction nodeOut) {
   exists(CallInstruction call, TaintFunction func, FunctionInput modelIn, FunctionOutput modelOut |
+    (
+      nodeIn = callInput(call, modelIn)
+      or
+      exists(int n |
+        modelIn.isParameterDerefOrQualifierObject(n) and
+        if n = -1
+        then nodeIn = callInput(call, any(InQualifierObject inQualifier))
+        else nodeIn = callInput(call, any(InParameter inParam | inParam.getIndex() = n))
+      )
+    ) and
+    nodeOut = callOutput(call, modelOut) and
     call.getStaticCallTarget() = func and
     func.hasTaintFlow(modelIn, modelOut)
-  |
-    nodeIn = callInput(call, modelIn) and
-    nodeOut = callOutput(call, modelOut)
   )
   or
   // Taint flow from one argument to another and data flow from an argument to a

cpp/ql/lib/semmle/code/cpp/ir/implementation/Opcode.qll

@@ -30,7 +30,6 @@ private newtype TOpcode =
   TNegate() or
   TShiftLeft() or
   TShiftRight() or
-  TUnsignedShiftRight() or
   TBitAnd() or
   TBitOr() or
   TBitXor() or
@@ -653,15 +652,6 @@ module Opcode {
     final override string toString() { result = "ShiftRight" }
   }
 
-  /**
-   * The `Opcode` for a `UnsignedShiftRightInstruction`.
-   *
-   * See the `UnsignedShiftRightInstruction` documentation for more details.
-   */
-  class UnsignedShiftRight extends BinaryBitwiseOpcode, TUnsignedShiftRight {
-    final override string toString() { result = "UnsignedShiftRight" }
-  }
-
   /**
    * The `Opcode` for a `BitAndInstruction`.
    *

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -1204,17 +1204,6 @@ class ShiftRightInstruction extends BinaryBitwiseInstruction {
   ShiftRightInstruction() { this.getOpcode() instanceof Opcode::ShiftRight }
 }
 
-/**
- * An instruction that shifts its left operand to the right by the number of bits specified by its
- * right operand.
- *
- * Both operands must have an integer type. The result has the same type as the left operand.
- * The leftmost bits are zero-filled.
- */
-class UnsignedShiftRightInstruction extends BinaryBitwiseInstruction {
-  UnsignedShiftRightInstruction() { this.getOpcode() instanceof Opcode::UnsignedShiftRight }
-}
-
 /**
  * An instruction that performs a binary arithmetic operation involving at least one pointer
  * operand.

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll

@@ -45,7 +45,7 @@ class Operand extends TStageOperand {
       this = reusedPhiOperand(use, def, predecessorBlock, _)
     )
     or
-    this = chiOperand(_, _)
+    exists(Instruction use | this = chiOperand(use, _))
   }
 
   /** Gets a textual representation of this element. */

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll

@@ -329,12 +329,12 @@ private module Cached {
   cached
   Instruction getChiInstructionTotalOperand(ChiInstruction chiInstr) {
     exists(
-      Alias::VirtualVariable vvar, OldInstruction oldInstr, OldBlock defBlock, int defRank,
-      int defOffset, OldBlock useBlock, int useRank
+      Alias::VirtualVariable vvar, OldInstruction oldInstr, Alias::MemoryLocation defLocation,
+      OldBlock defBlock, int defRank, int defOffset, OldBlock useBlock, int useRank
     |
       chiInstr = getChi(oldInstr) and
       vvar = Alias::getResultMemoryLocation(oldInstr).getVirtualVariable() and
-      hasDefinitionAtRank(vvar, _, defBlock, defRank, defOffset) and
+      hasDefinitionAtRank(vvar, defLocation, defBlock, defRank, defOffset) and
       hasUseAtRank(vvar, useBlock, useRank, oldInstr) and
       definitionReachesUse(vvar, defBlock, defRank, useBlock, useRank) and
       result = getDefinitionOrChiInstruction(defBlock, defOffset, vvar, _)

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll

@@ -1204,17 +1204,6 @@ class ShiftRightInstruction extends BinaryBitwiseInstruction {
   ShiftRightInstruction() { this.getOpcode() instanceof Opcode::ShiftRight }
 }
 
-/**
- * An instruction that shifts its left operand to the right by the number of bits specified by its
- * right operand.
- *
- * Both operands must have an integer type. The result has the same type as the left operand.
- * The leftmost bits are zero-filled.
- */
-class UnsignedShiftRightInstruction extends BinaryBitwiseInstruction {
-  UnsignedShiftRightInstruction() { this.getOpcode() instanceof Opcode::UnsignedShiftRight }
-}
-
 /**
  * An instruction that performs a binary arithmetic operation involving at least one pointer
  * operand.

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Operand.qll

@@ -45,7 +45,7 @@ class Operand extends TStageOperand {
       this = reusedPhiOperand(use, def, predecessorBlock, _)
     )
     or
-    this = chiOperand(_, _)
+    exists(Instruction use | this = chiOperand(use, _))
   }
 
   /** Gets a textual representation of this element. */

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll

@@ -72,19 +72,7 @@ newtype TInstructionTag =
   AsmInputTag(int elementIndex) { exists(AsmStmt asm | exists(asm.getChild(elementIndex))) } or
   ThisAddressTag() or
   ThisLoadTag() or
-  StructuredBindingAccessTag() or
-  // The next three cases handle generation of the constants -1, 0 and 1 for __except handling.
-  TryExceptGenerateNegativeOne() or
-  TryExceptGenerateZero() or
-  TryExceptGenerateOne() or
-  // The next three cases handle generation of comparisons for __except handling.
-  TryExceptCompareNegativeOne() or
-  TryExceptCompareZero() or
-  TryExceptCompareOne() or
-  // The next three cases handle generation of branching for __except handling.
-  TryExceptCompareNegativeOneBranch() or
-  TryExceptCompareZeroBranch() or
-  TryExceptCompareOneBranch()
+  StructuredBindingAccessTag()
 
 class InstructionTag extends TInstructionTag {
   final string toString() { result = "Tag" }
@@ -236,22 +224,4 @@ string getInstructionTagId(TInstructionTag tag) {
   tag = ThisLoadTag() and result = "ThisLoad"
   or
   tag = StructuredBindingAccessTag() and result = "StructuredBindingAccess"
-  or
-  tag = TryExceptCompareNegativeOne() and result = "TryExceptCompareNegativeOne"
-  or
-  tag = TryExceptCompareZero() and result = "TryExceptCompareZero"
-  or
-  tag = TryExceptCompareOne() and result = "TryExceptCompareOne"
-  or
-  tag = TryExceptGenerateNegativeOne() and result = "TryExceptGenerateNegativeOne"
-  or
-  tag = TryExceptGenerateZero() and result = "TryExceptGenerateNegativeOne"
-  or
-  tag = TryExceptGenerateOne() and result = "TryExceptGenerateOne"
-  or
-  tag = TryExceptCompareNegativeOneBranch() and result = "TryExceptCompareNegativeOneBranch"
-  or
-  tag = TryExceptCompareZeroBranch() and result = "TryExceptCompareZeroBranch"
-  or
-  tag = TryExceptCompareOneBranch() and result = "TryExceptCompareOneBranch"
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -675,7 +675,6 @@ newtype TTranslatedElement =
   } or
   // A statement
   TTranslatedStmt(Stmt stmt) { translateStmt(stmt) } or
-  TTranslatedMicrosoftTryExceptHandler(MicrosoftTryExceptStmt stmt) or
   // A function
   TTranslatedFunction(Function func) { translateFunction(func) } or
   // A constructor init list

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedInitialization.qll

@@ -298,11 +298,11 @@ class TranslatedStringLiteralInitialization extends TranslatedDirectInitializati
     opcode instanceof Opcode::Store and
     resultType = getTypeForPRValue(expr.getType())
     or
-    exists(int elementCount |
+    exists(int startIndex, int elementCount |
       // If the initializer string isn't large enough to fill the target, then
       // we have to generate another instruction sequence to store a constant
       // zero into the remainder of the array.
-      zeroInitRange(_, elementCount) and
+      zeroInitRange(startIndex, elementCount) and
       (
         // Create a constant zero whose size is the size of the remaining
         // space in the target array.

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll

@@ -13,222 +13,6 @@ private import TranslatedInitialization
 
 TranslatedStmt getTranslatedStmt(Stmt stmt) { result.getAst() = stmt }
 
-TranslatedMicrosoftTryExceptHandler getTranslatedMicrosoftTryExceptHandler(
-  MicrosoftTryExceptStmt tryExcept
-) {
-  result.getAst() = tryExcept.getExcept()
-}
-
-class TranslatedMicrosoftTryExceptHandler extends TranslatedElement,
-  TTranslatedMicrosoftTryExceptHandler {
-  MicrosoftTryExceptStmt tryExcept;
-
-  TranslatedMicrosoftTryExceptHandler() { this = TTranslatedMicrosoftTryExceptHandler(tryExcept) }
-
-  final override string toString() { result = tryExcept.toString() }
-
-  final override Locatable getAst() { result = tryExcept.getExcept() }
-
-  override Instruction getFirstInstruction() { result = this.getChild(0).getFirstInstruction() }
-
-  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
-    // t1 = -1
-    tag = TryExceptGenerateNegativeOne() and
-    opcode instanceof Opcode::Constant and
-    resultType = getIntType()
-    or
-    // t2 = cmp t1, condition
-    tag = TryExceptCompareNegativeOne() and
-    opcode instanceof Opcode::CompareEQ and
-    resultType = getBoolType()
-    or
-    // if t2 goto ... else goto ...
-    tag = TryExceptCompareNegativeOneBranch() and
-    opcode instanceof Opcode::ConditionalBranch and
-    resultType = getVoidType()
-    or
-    // t1 = 0
-    tag = TryExceptGenerateZero() and
-    opcode instanceof Opcode::Constant and
-    resultType = getIntType()
-    or
-    // t2 = cmp t1, condition
-    tag = TryExceptCompareZero() and
-    opcode instanceof Opcode::CompareEQ and
-    resultType = getBoolType()
-    or
-    // if t2 goto ... else goto ...
-    tag = TryExceptCompareZeroBranch() and
-    opcode instanceof Opcode::ConditionalBranch and
-    resultType = getVoidType()
-    or
-    // t1 = 1
-    tag = TryExceptGenerateOne() and
-    opcode instanceof Opcode::Constant and
-    resultType = getIntType()
-    or
-    // t2 = cmp t1, condition
-    tag = TryExceptCompareOne() and
-    opcode instanceof Opcode::CompareEQ and
-    resultType = getBoolType()
-    or
-    // if t2 goto ... else goto ...
-    tag = TryExceptCompareOneBranch() and
-    opcode instanceof Opcode::ConditionalBranch and
-    resultType = getVoidType()
-    or
-    // unwind stack
-    tag = UnwindTag() and
-    opcode instanceof Opcode::Unwind and
-    resultType = getVoidType()
-  }
-
-  final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
-    tag = TryExceptCompareNegativeOne() and
-    (
-      operandTag instanceof LeftOperandTag and
-      result = this.getTranslatedCondition().getResult()
-      or
-      operandTag instanceof RightOperandTag and
-      result = this.getInstruction(TryExceptGenerateNegativeOne())
-    )
-    or
-    tag = TryExceptCompareNegativeOneBranch() and
-    operandTag instanceof ConditionOperandTag and
-    result = this.getInstruction(TryExceptCompareNegativeOne())
-    or
-    tag = TryExceptCompareZero() and
-    (
-      operandTag instanceof LeftOperandTag and
-      result = this.getTranslatedCondition().getResult()
-      or
-      operandTag instanceof RightOperandTag and
-      result = this.getInstruction(TryExceptGenerateZero())
-    )
-    or
-    tag = TryExceptCompareZeroBranch() and
-    operandTag instanceof ConditionOperandTag and
-    result = this.getInstruction(TryExceptCompareZero())
-    or
-    tag = TryExceptCompareOne() and
-    (
-      operandTag instanceof LeftOperandTag and
-      result = this.getTranslatedCondition().getResult()
-      or
-      operandTag instanceof RightOperandTag and
-      result = this.getInstruction(TryExceptGenerateOne())
-    )
-    or
-    tag = TryExceptCompareOneBranch() and
-    operandTag instanceof ConditionOperandTag and
-    result = this.getInstruction(TryExceptCompareOne())
-  }
-
-  override string getInstructionConstantValue(InstructionTag tag) {
-    tag = TryExceptGenerateNegativeOne() and
-    result = "-1"
-    or
-    tag = TryExceptGenerateZero() and
-    result = "0"
-    or
-    tag = TryExceptGenerateOne() and
-    result = "1"
-  }
-
-  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
-    // Generate -1 -> Compare condition
-    tag = TryExceptGenerateNegativeOne() and
-    kind instanceof GotoEdge and
-    result = this.getInstruction(TryExceptCompareNegativeOne())
-    or
-    // Compare condition -> Branch
-    tag = TryExceptCompareNegativeOne() and
-    kind instanceof GotoEdge and
-    result = this.getInstruction(TryExceptCompareNegativeOneBranch())
-    or
-    // Branch -> Unwind or Generate 0
-    tag = TryExceptCompareNegativeOneBranch() and
-    (
-      kind instanceof TrueEdge and
-      // TODO: This is not really correct. The semantics of `EXCEPTION_CONTINUE_EXECUTION` is that
-      // we should continue execution at the point where the exception occurred. But we don't have
-      // any instruction to model this behavior.
-      result = this.getInstruction(UnwindTag())
-      or
-      kind instanceof FalseEdge and
-      result = this.getInstruction(TryExceptGenerateZero())
-    )
-    or
-    // Generate 0 -> Compare condition
-    tag = TryExceptGenerateZero() and
-    kind instanceof GotoEdge and
-    result = this.getInstruction(TryExceptCompareZero())
-    or
-    // Compare condition -> Branch
-    tag = TryExceptCompareZero() and
-    kind instanceof GotoEdge and
-    result = this.getInstruction(TryExceptCompareZeroBranch())
-    or
-    // Branch -> Unwind or Generate 1
-    tag = TryExceptCompareZeroBranch() and
-    (
-      kind instanceof TrueEdge and
-      result = this.getInstruction(UnwindTag())
-      or
-      kind instanceof FalseEdge and
-      result = this.getInstruction(TryExceptGenerateOne())
-    )
-    or
-    // Generate 1 -> Compare condition
-    tag = TryExceptGenerateOne() and
-    kind instanceof GotoEdge and
-    result = this.getInstruction(TryExceptCompareOne())
-    or
-    // Compare condition -> Branch
-    tag = TryExceptCompareOne() and
-    kind instanceof GotoEdge and
-    result = this.getInstruction(TryExceptCompareOneBranch())
-    or
-    // Branch -> Handler (the condition value is always 0, -1 or 1, and we've checked for 0 or -1 already.)
-    tag = TryExceptCompareOneBranch() and
-    (
-      kind instanceof TrueEdge and
-      result = this.getTranslatedHandler().getFirstInstruction()
-    )
-    or
-    // Unwind -> Parent
-    tag = UnwindTag() and
-    kind instanceof GotoEdge and
-    result = this.getParent().getChildSuccessor(this)
-  }
-
-  override Instruction getChildSuccessor(TranslatedElement child) {
-    child = this.getTranslatedCondition() and
-    result = this.getInstruction(TryExceptGenerateNegativeOne())
-    or
-    child = this.getTranslatedHandler() and
-    result = this.getParent().getChildSuccessor(this)
-  }
-
-  private TranslatedExpr getTranslatedCondition() {
-    result = getTranslatedExpr(tryExcept.getCondition())
-  }
-
-  private TranslatedStmt getTranslatedHandler() {
-    result = getTranslatedStmt(tryExcept.getExcept())
-  }
-
-  override TranslatedElement getChild(int id) {
-    id = 0 and
-    result = this.getTranslatedCondition()
-    or
-    id = 1 and
-    result = this.getTranslatedHandler()
-  }
-
-  final override Function getFunction() { result = tryExcept.getEnclosingFunction() }
-}
-
 abstract class TranslatedStmt extends TranslatedElement, TTranslatedStmt {
   Stmt stmt;
 
@@ -465,57 +249,15 @@ class TranslatedUnreachableReturnStmt extends TranslatedReturnStmt {
 }
 
 /**
- * A C/C++ `try` statement, or a `__try __except` or `__try __finally` statement.
- */
-private class TryOrMicrosoftTryStmt extends Stmt {
-  TryOrMicrosoftTryStmt() {
-    this instanceof TryStmt or
-    this instanceof MicrosoftTryStmt
-  }
-
-  /** Gets the number of `catch block`s of this statement. */
-  int getNumberOfCatchClauses() {
-    result = this.(TryStmt).getNumberOfCatchClauses()
-    or
-    this instanceof MicrosoftTryExceptStmt and
-    result = 1
-    or
-    this instanceof MicrosoftTryFinallyStmt and
-    result = 0
-  }
-
-  /** Gets the `body` statement of this statement. */
-  Stmt getStmt() {
-    result = this.(TryStmt).getStmt()
-    or
-    result = this.(MicrosoftTryStmt).getStmt()
-  }
-
-  /** Gets the `i`th translated handler of this statement. */
-  TranslatedElement getTranslatedHandler(int index) {
-    result = getTranslatedStmt(this.(TryStmt).getChild(index + 1))
-    or
-    index = 0 and
-    result = getTranslatedMicrosoftTryExceptHandler(this)
-  }
-
-  /** Gets the `finally` statement (usually a BlockStmt), if any. */
-  Stmt getFinally() { result = this.(MicrosoftTryFinallyStmt).getFinally() }
-}
-
-/**
- * The IR translation of a C++ `try` (or a `__try __except` or `__try __finally`) statement.
+ * The IR translation of a C++ `try` statement.
  */
 class TranslatedTryStmt extends TranslatedStmt {
-  override TryOrMicrosoftTryStmt stmt;
+  override TryStmt stmt;
 
   override TranslatedElement getChild(int id) {
     id = 0 and result = getBody()
     or
     result = getHandler(id - 1)
-    or
-    id = stmt.getNumberOfCatchClauses() + 1 and
-    result = this.getFinally()
   }
 
   override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
@@ -527,20 +269,8 @@ class TranslatedTryStmt extends TranslatedStmt {
   override Instruction getFirstInstruction() { result = getBody().getFirstInstruction() }
 
   override Instruction getChildSuccessor(TranslatedElement child) {
-    // All non-finally children go to the successor of the `try` if
-    // there is no finally block, but if there is a finally block
-    // then we go to that one.
-    child = [this.getBody(), this.getHandler(_)] and
-    (
-      not exists(this.getFinally()) and
-      result = this.getParent().getChildSuccessor(this)
-      or
-      result = this.getFinally().getFirstInstruction()
-    )
-    or
-    // And after the finally block we go to the successor of the `try`.
-    child = this.getFinally() and
-    result = this.getParent().getChildSuccessor(this)
+    // All children go to the successor of the `try`.
+    child = getAChild() and result = getParent().getChildSuccessor(this)
   }
 
   final Instruction getNextHandler(TranslatedHandler handler) {
@@ -560,9 +290,9 @@ class TranslatedTryStmt extends TranslatedStmt {
     result = getHandler(0).getFirstInstruction()
   }
 
-  private TranslatedElement getHandler(int index) { result = stmt.getTranslatedHandler(index) }
-
-  private TranslatedStmt getFinally() { result = getTranslatedStmt(stmt.getFinally()) }
+  private TranslatedHandler getHandler(int index) {
+    result = getTranslatedStmt(stmt.getChild(index + 1))
+  }
 
   private TranslatedStmt getBody() { result = getTranslatedStmt(stmt.getStmt()) }
 }

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll

@@ -1204,17 +1204,6 @@ class ShiftRightInstruction extends BinaryBitwiseInstruction {
   ShiftRightInstruction() { this.getOpcode() instanceof Opcode::ShiftRight }
 }
 
-/**
- * An instruction that shifts its left operand to the right by the number of bits specified by its
- * right operand.
- *
- * Both operands must have an integer type. The result has the same type as the left operand.
- * The leftmost bits are zero-filled.
- */
-class UnsignedShiftRightInstruction extends BinaryBitwiseInstruction {
-  UnsignedShiftRightInstruction() { this.getOpcode() instanceof Opcode::UnsignedShiftRight }
-}
-
 /**
  * An instruction that performs a binary arithmetic operation involving at least one pointer
  * operand.

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll

@@ -45,7 +45,7 @@ class Operand extends TStageOperand {
       this = reusedPhiOperand(use, def, predecessorBlock, _)
     )
     or
-    this = chiOperand(_, _)
+    exists(Instruction use | this = chiOperand(use, _))
   }
 
   /** Gets a textual representation of this element. */

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll

@@ -329,12 +329,12 @@ private module Cached {
   cached
   Instruction getChiInstructionTotalOperand(ChiInstruction chiInstr) {
     exists(
-      Alias::VirtualVariable vvar, OldInstruction oldInstr, OldBlock defBlock, int defRank,
-      int defOffset, OldBlock useBlock, int useRank
+      Alias::VirtualVariable vvar, OldInstruction oldInstr, Alias::MemoryLocation defLocation,
+      OldBlock defBlock, int defRank, int defOffset, OldBlock useBlock, int useRank
     |
       chiInstr = getChi(oldInstr) and
       vvar = Alias::getResultMemoryLocation(oldInstr).getVirtualVariable() and
-      hasDefinitionAtRank(vvar, _, defBlock, defRank, defOffset) and
+      hasDefinitionAtRank(vvar, defLocation, defBlock, defRank, defOffset) and
       hasUseAtRank(vvar, useBlock, useRank, oldInstr) and
       definitionReachesUse(vvar, defBlock, defRank, useBlock, useRank) and
       result = getDefinitionOrChiInstruction(defBlock, defOffset, vvar, _)

cpp/ql/lib/semmle/code/cpp/ir/internal/IRCppLanguage.qll

@@ -67,7 +67,9 @@ class Class = Cpp::Class; // Used for inheritance conversions
 
 predicate getIdentityString = Print::getIdentityString/1;
 
-predicate hasCaseEdge(string minValue, string maxValue) { hasCaseEdge(_, minValue, maxValue) }
+predicate hasCaseEdge(string minValue, string maxValue) {
+  exists(Cpp::SwitchCase switchCase | hasCaseEdge(switchCase, minValue, maxValue))
+}
 
 predicate hasPositionalArgIndex(int argIndex) {
   exists(Cpp::FunctionCall call | exists(call.getArgument(argIndex))) or

cpp/ql/lib/semmle/code/cpp/metrics/MetricClass.qll

@@ -99,10 +99,10 @@ class MetricClass extends Class {
   }
 
   /** Gets any method that accesses some local field. */
-  Function getAccessingMethod() { this.accessesLocalField(result, _) }
+  Function getAccessingMethod() { exists(Field f | this.accessesLocalField(result, f)) }
 
   /** Gets any field that is accessed by a local method. */
-  Field getAccessedField() { this.accessesLocalField(_, result) }
+  Field getAccessedField() { exists(Function func | this.accessesLocalField(func, result)) }
 
   /** Gets the Henderson-Sellers lack-of-cohesion metric. */
   float getLackOfCohesionHS() {
@@ -517,10 +517,10 @@ private predicate dependsOnClassSimple(Class source, Class dest) {
     )
     or
     // a class depends on classes for which a call to its member function is done from a function
-    exists(MemberFunction target, MemberFunction f |
+    exists(MemberFunction target, MemberFunction f, Locatable l |
       f.getDeclaringType() = source and
       f instanceof MemberFunction and
-      f.calls(target, _) and
+      f.calls(target, l) and
       target instanceof MemberFunction and
       target.getDeclaringType() = dest
     )

cpp/ql/lib/semmle/code/cpp/models/implementations/Iterator.qll

@@ -206,7 +206,7 @@ private class IteratorAssignArithmeticOperatorModel extends IteratorAssignArithm
     input.isReturnValueDeref() and
     output.isParameterDeref(0)
     or
-    (input.isParameter(1) or input.isParameterDeref(1)) and
+    input.isParameterDeref(1) and
     output.isParameterDeref(0)
   }
 }
@@ -305,7 +305,7 @@ private class IteratorAssignArithmeticMemberOperator extends MemberFunction, Dat
     input.isReturnValueDeref() and
     output.isQualifierObject()
     or
-    (input.isParameter(0) or input.isParameterDeref(0)) and
+    input.isParameterDeref(0) and
     output.isQualifierObject()
   }
 }

cpp/ql/lib/semmle/code/cpp/models/implementations/StdSet.qll

@@ -27,12 +27,7 @@ private class StdSetConstructor extends Constructor, TaintFunction {
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // taint flow from any parameter of an iterator type to the qualifier
-    (
-      // AST dataflow doesn't have indirection for iterators.
-      // Once we deprecate AST dataflow we can delete this first disjunct.
-      input.isParameter(this.getAnIteratorParameterIndex()) or
-      input.isParameterDeref(this.getAnIteratorParameterIndex())
-    ) and
+    input.isParameterDeref(this.getAnIteratorParameterIndex()) and
     (
       output.isReturnValue() // TODO: this is only needed for AST data flow, which treats constructors as returning the new object
       or
@@ -50,12 +45,7 @@ private class StdSetInsert extends TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from last parameter to qualifier and return value
     // (where the return value is a pair, this should really flow just to the first part of it)
-    (
-      // AST dataflow doesn't have indirection for iterators.
-      // Once we deprecate AST dataflow we can delete this first disjunct.
-      input.isParameter(this.getNumberOfParameters() - 1) or
-      input.isParameterDeref(this.getNumberOfParameters() - 1)
-    ) and
+    input.isParameterDeref(this.getNumberOfParameters() - 1) and
     (
       output.isQualifierObject() or
       output.isReturnValue()

cpp/ql/lib/semmle/code/cpp/models/implementations/StdString.qll

@@ -38,7 +38,8 @@ private class StdBasicStringIterator extends Iterator, Type {
  */
 abstract private class StdStringTaintFunction extends TaintFunction {
   /**
-   * Gets the index of a parameter to this function that is a string.
+   * Gets the index of a parameter to this function that is a string (or
+   * character).
    */
   final int getAStringParameterIndex() {
     exists(Type paramType | paramType = this.getParameter(result).getUnspecifiedType() |
@@ -49,14 +50,7 @@ abstract private class StdStringTaintFunction extends TaintFunction {
       paramType instanceof ReferenceType and
       not paramType.(ReferenceType).getBaseType() =
         this.getDeclaringType().getTemplateArgument(2).(Type).getUnspecifiedType()
-    )
-  }
-
-  /**
-   * Gets the index of a parameter to this function that is a character.
-   */
-  final int getACharParameterIndex() {
-    exists(Type paramType | paramType = this.getParameter(result).getUnspecifiedType() |
+      or
       // i.e. `std::basic_string::CharT`
       paramType = this.getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType()
     )
@@ -85,7 +79,6 @@ private class StdStringConstructor extends Constructor, StdStringTaintFunction {
     // taint flow from any parameter of the value type to the returned object
     (
       input.isParameterDeref(this.getAStringParameterIndex()) or
-      input.isParameter(this.getACharParameterIndex()) or
       input.isParameter(this.getAnIteratorParameterIndex())
     ) and
     (
@@ -135,7 +128,7 @@ private class StdStringPush extends StdStringTaintFunction {
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from parameter to qualifier
-    input.isParameter(0) and
+    input.isParameterDeref(0) and
     output.isQualifierObject()
   }
 }
@@ -187,7 +180,6 @@ private class StdStringAppend extends StdStringTaintFunction {
     (
       input.isQualifierObject() or
       input.isParameterDeref(this.getAStringParameterIndex()) or
-      input.isParameter(this.getACharParameterIndex()) or
       input.isParameter(this.getAnIteratorParameterIndex())
     ) and
     (
@@ -218,7 +210,6 @@ private class StdStringInsert extends StdStringTaintFunction {
     (
       input.isQualifierObject() or
       input.isParameterDeref(this.getAStringParameterIndex()) or
-      input.isParameter(this.getACharParameterIndex()) or
       input.isParameter(this.getAnIteratorParameterIndex())
     ) and
     (
@@ -245,7 +236,6 @@ private class StdStringAssign extends StdStringTaintFunction {
     // flow from parameter to string itself (qualifier) and return value
     (
       input.isParameterDeref(this.getAStringParameterIndex()) or
-      input.isParameter(this.getACharParameterIndex()) or
       input.isParameter(this.getAnIteratorParameterIndex())
     ) and
     (