enable new features

add docstring examples
address review comments
2026-05-26 09:01:22 +02:00 · 2022-04-22 15:40:09 +02:00 · 2022-04-22 15:34:09 +02:00 · 2022-04-22 14:39:44 +02:00 · 2022-04-22 14:39:44 +02:00 · 2022-04-22 14:39:44 +02:00
1258 changed files with 11388 additions and 22133 deletions
--- a/.bazelrc
+++ b/.bazelrc
@@ -1,3 +1,3 @@
-build --repo_env=CC=clang --repo_env=CXX=clang++ --copt="-std=c++17"
+build --copt="-std=c++17"

 try-import %workspace%/local.bazelrc
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -16,11 +16,3 @@ updates:
    directory: "ruby/autobuilder"
    schedule:
      interval: "daily"
-
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "daily"
-    ignore:
-      - dependency-name: '*'
-        update-types: ['version-update:semver-patch', 'version-update:semver-minor']
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -21,10 +21,6 @@ Python:
 Ruby:
  - ruby/**/*
  - change-notes/**/*ruby*
-  
-Swift:
-  - swift/**/*
-  - change-notes/**/*swift*

 documentation:
  - "**/*.qhelp"
@@ -32,4 +28,4 @@ documentation:
  - docs/**/*

 "QL-for-QL": 
-  - ql/**/*
+  - ql/**/*
--- a/.github/workflows/check-qldoc.yml
+++ b/.github/workflows/check-qldoc.yml
@@ -22,7 +22,7 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ github.token }}

-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2
        with:
          fetch-depth: 2

@@ -30,8 +30,7 @@ jobs:
        shell: bash
        run: |
          EXIT_CODE=0
-          # TODO: remove the swift exception from the regex when we fix generated QLdoc
-          changed_lib_packs="$(git diff --name-only --diff-filter=ACMRT HEAD^ HEAD | { grep -Po '^(?!swift)[a-z]*/ql/lib' || true; } | sort -u)"
+          changed_lib_packs="$(git diff --name-only --diff-filter=ACMRT HEAD^ HEAD | { grep -o '^[a-z]*/ql/lib' || true; } | sort -u)"
          for pack_dir in ${changed_lib_packs}; do
            lang="${pack_dir%/ql/lib}"
            gh codeql generate library-doc-coverage --output="${RUNNER_TEMP}/${lang}-current.txt" --dir="${pack_dir}"
--- a/.github/workflows/close-stale.yml
+++ b/.github/workflows/close-stale.yml
@@ -12,7 +12,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-    - uses: actions/stale@v5
+    - uses: actions/stale@v3
      with:
        repo-token: ${{ secrets.GITHUB_TOKEN }}
        stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `Stale` label in order to avoid having this issue closed in 7 days.'
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -28,12 +28,12 @@ jobs:

    steps:
    - name: Setup dotnet
-      uses: actions/setup-dotnet@v2
+      uses: actions/setup-dotnet@v1
      with:
        dotnet-version: 6.0.101

    - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v2

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
@@ -49,7 +49,7 @@ jobs:
    #  uses: github/codeql-action/autobuild@main

    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+    # 📚 https://git.io/JvXDl

    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
    #    and modify them (or add more) to build your code if your project
--- a/.github/workflows/csv-coverage-metrics.yml
+++ b/.github/workflows/csv-coverage-metrics.yml
@@ -14,11 +14,11 @@ on:
      - ".github/workflows/csv-coverage-metrics.yml"

 jobs:
-  publish-java:
+  publish:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
      - name: Setup CodeQL
        uses: ./.github/actions/fetch-codeql
      - name: Create empty database
@@ -31,40 +31,13 @@ jobs:
      - name: Capture coverage information
        run: |
          DATABASE="${{ runner.temp }}/java-database"
-          codeql database analyze --format=sarif-latest --output=metrics-java.sarif -- "$DATABASE" ./java/ql/src/Metrics/Summaries/FrameworkCoverage.ql
-      - uses: actions/upload-artifact@v3
+          codeql database analyze --format=sarif-latest --output=metrics.sarif -- "$DATABASE" ./java/ql/src/Metrics/Summaries/FrameworkCoverage.ql
+      - uses: actions/upload-artifact@v2
        with:
-          name: metrics-java.sarif
-          path: metrics-java.sarif
+          name: metrics.sarif
+          path: metrics.sarif
          retention-days: 20
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v1
        with:
-          sarif_file: metrics-java.sarif
-  
-  publish-csharp:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
-      - name: Setup CodeQL
-        uses: ./.github/actions/fetch-codeql
-      - name: Create empty database
-        run: |
-          DATABASE="${{ runner.temp }}/csharp-database"
-          PROJECT="${{ runner.temp }}/csharp-project"
-          dotnet new classlib --language=C# --output="$PROJECT"
-          codeql database create "$DATABASE" --language=csharp --source-root="$PROJECT" --command 'dotnet build /t:rebuild csharp-project.csproj /p:UseSharedCompilation=false'
-      - name: Capture coverage information
-        run: |
-          DATABASE="${{ runner.temp }}/csharp-database"
-          codeql database analyze --format=sarif-latest --output=metrics-csharp.sarif -- "$DATABASE" ./csharp/ql/src/Metrics/Summaries/FrameworkCoverage.ql
-      - uses: actions/upload-artifact@v3
-        with:
-          name: metrics-csharp.sarif
-          path: metrics-csharp.sarif
-          retention-days: 20
-      - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v1
-        with:
-          sarif_file: metrics-csharp.sarif
+          sarif_file: metrics.sarif
--- a/.github/workflows/csv-coverage-pr-artifacts.yml
+++ b/.github/workflows/csv-coverage-pr-artifacts.yml
@@ -28,11 +28,11 @@ jobs:
        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
      run: echo "$GITHUB_CONTEXT"
    - name: Clone self (github/codeql) - MERGE
-      uses: actions/checkout@v3
+      uses: actions/checkout@v2
      with:
        path: merge
    - name: Clone self (github/codeql) - BASE
-      uses: actions/checkout@v3
+      uses: actions/checkout@v2
      with:
        fetch-depth: 2
        path: base
@@ -41,7 +41,7 @@ jobs:
        git log -1 --format='%H'
      working-directory: base
    - name: Set up Python 3.8
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@v2
      with:
        python-version: 3.8
    - name: Download CodeQL CLI
@@ -69,21 +69,21 @@ jobs:
      run: |
        python base/misc/scripts/library-coverage/compare-folders.py out_base out_merge comparison.md
    - name: Upload CSV package list
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v2
      with:
        name: csv-framework-coverage-merge
        path: |
          out_merge/framework-coverage-*.csv
          out_merge/framework-coverage-*.rst
    - name: Upload CSV package list
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v2
      with:
        name: csv-framework-coverage-base
        path: |
          out_base/framework-coverage-*.csv
          out_base/framework-coverage-*.rst
    - name: Upload comparison results
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v2
      with:
        name: comparison
        path: |
@@ -93,7 +93,7 @@ jobs:
        mkdir -p pr
        echo ${{ github.event.pull_request.number }} > pr/NR
    - name: Upload PR number
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v2
      with:
        name: pr
        path: pr/
--- a/.github/workflows/csv-coverage-pr-comment.yml
+++ b/.github/workflows/csv-coverage-pr-comment.yml
@@ -20,9 +20,9 @@ jobs:
        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
      run: echo "$GITHUB_CONTEXT"
    - name: Clone self (github/codeql)
-      uses: actions/checkout@v3
+      uses: actions/checkout@v2
    - name: Set up Python 3.8
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@v2
      with:
        python-version: 3.8

--- a/.github/workflows/csv-coverage-timeseries.yml
+++ b/.github/workflows/csv-coverage-timeseries.yml
@@ -10,16 +10,16 @@ jobs:

    steps:
    - name: Clone self (github/codeql)
-      uses: actions/checkout@v3
+      uses: actions/checkout@v2
      with:
        path: script
    - name: Clone self (github/codeql) for analysis
-      uses: actions/checkout@v3
+      uses: actions/checkout@v2
      with:
        path: codeqlModels
        fetch-depth: 0
    - name: Set up Python 3.8
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@v2
      with:
        python-version: 3.8
    - name: Download CodeQL CLI
@@ -35,7 +35,7 @@ jobs:
        echo $CLI
        PATH="$PATH:$CLI" python script/misc/scripts/library-coverage/generate-timeseries.py codeqlModels
    - name: Upload timeseries CSV
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v2
      with:
        name: framework-coverage-timeseries
        path: framework-coverage-timeseries-*.csv
--- a/.github/workflows/csv-coverage-update.yml
+++ b/.github/workflows/csv-coverage-update.yml
@@ -17,12 +17,12 @@ jobs:
        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
      run: echo "$GITHUB_CONTEXT"
    - name: Clone self (github/codeql)
-      uses: actions/checkout@v3
+      uses: actions/checkout@v2
      with:
        path: ql
        fetch-depth: 0
    - name: Set up Python 3.8
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@v2
      with:
        python-version: 3.8
    - name: Download CodeQL CLI
--- a/.github/workflows/csv-coverage.yml
+++ b/.github/workflows/csv-coverage.yml
@@ -14,16 +14,16 @@ jobs:

    steps:
    - name: Clone self (github/codeql)
-      uses: actions/checkout@v3
+      uses: actions/checkout@v2
      with:
        path: script
    - name: Clone self (github/codeql) for analysis
-      uses: actions/checkout@v3
+      uses: actions/checkout@v2
      with:
        path: codeqlModels
        ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}
    - name: Set up Python 3.8
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@v2
      with:
        python-version: 3.8
    - name: Download CodeQL CLI
@@ -37,12 +37,12 @@ jobs:
      run: |
        PATH="$PATH:codeql-cli/codeql" python script/misc/scripts/library-coverage/generate-report.py ci codeqlModels script
    - name: Upload CSV package list
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v2
      with:
        name: framework-coverage-csv
        path: framework-coverage-*.csv
    - name: Upload RST package list
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v2
      with:
        name: framework-coverage-rst
        path: framework-coverage-*.rst
--- a/.github/workflows/js-ml-tests.yml
+++ b/.github/workflows/js-ml-tests.yml
@@ -22,7 +22,7 @@ jobs:
    name: Check QL formatting
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2

      - uses: ./.github/actions/fetch-codeql

@@ -35,7 +35,7 @@ jobs:
    name: Check QL compilation
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2

      - uses: ./.github/actions/fetch-codeql

@@ -59,7 +59,7 @@ jobs:
    name: Run QL tests
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2

      - uses: ./.github/actions/fetch-codeql

--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -6,6 +6,6 @@ jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/labeler@v4
+    - uses: actions/labeler@v2
      with:
        repo-token: "${{ secrets.GITHUB_TOKEN }}"
--- a/.github/workflows/mad_modelDiff.yml
+++ b/.github/workflows/mad_modelDiff.yml
@@ -27,12 +27,12 @@ jobs:
        slug: ${{fromJson(github.event.inputs.projects || '["apache/commons-codec", "apache/commons-io", "apache/commons-beanutils", "apache/commons-logging", "apache/commons-fileupload", "apache/commons-lang", "apache/commons-validator", "apache/commons-csv", "apache/dubbo"]' )}}
    steps:
      - name: Clone github/codeql from PR
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
        if: github.event.pull_request
        with:
          path: codeql-pr
      - name: Clone github/codeql from main
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
        with:
          path: codeql-main
          ref: main
@@ -91,12 +91,12 @@ jobs:
            name="diff_${basename/_main.qll/""}"
            (diff -w -u $m $t | diff2html -i stdin -F $MODELS/$name.html) || true
          done
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v2
        with:
          name: models
          path: tmp-models/*.qll
          retention-days: 20
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v2
        with:
          name: diffs
          path: tmp-models/*.html
--- a/.github/workflows/mad_regenerate-models.yml
+++ b/.github/workflows/mad_regenerate-models.yml
@@ -26,11 +26,11 @@ jobs:
            ref: "placeholder"
    steps:
      - name: Clone self (github/codeql)
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
      - name: Setup CodeQL binaries
        uses: ./.github/actions/fetch-codeql
      - name: Clone repositories
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
        with:
          path: repos/${{ matrix.ref }}
          ref: ${{ matrix.ref }}
@@ -55,7 +55,7 @@ jobs:
          find java -name "*.qll" -print0 | xargs -0 git add
          git status
          git diff --cached > models.patch
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v2
        with:
          name: patch
          path: models.patch
--- a/.github/workflows/qhelp-pr-preview.yml
+++ b/.github/workflows/qhelp-pr-preview.yml
@@ -36,14 +36,14 @@ jobs:
      - run: echo "${PR_NUMBER}" > pr_number.txt
        env:
          PR_NUMBER: ${{ github.event.number }}
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v2
        with:
          name: comment
          path: pr_number.txt
          if-no-files-found: error
          retention-days: 1

-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2
        with:
          fetch-depth: 2
          persist-credentials: false
@@ -78,7 +78,7 @@ jobs:
          exit "${EXIT_CODE}"

      - if: always()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v2
        with:
          name: comment
          path: comment_body.txt
@@ -94,7 +94,7 @@ jobs:
          GITHUB_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.number }}

-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v2
        with:
          name: comment
          path: comment_id.txt
--- a/.github/workflows/ql-for-ql-build.yml
+++ b/.github/workflows/ql-for-ql-build.yml
@@ -13,7 +13,7 @@ jobs:
  queries:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2
      - name: Find codeql
        id: find-codeql
        uses: github/codeql-action/init@aa93aea877e5fb8841bcb1193f672abf6e9f2980
@@ -29,7 +29,7 @@ jobs:
          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
      - name: Cache queries
        id: cache-queries
-        uses: actions/cache@v3
+        uses: actions/cache@v2
        with:
          path: ${{ runner.temp }}/query-pack.zip
          key: queries-${{ hashFiles('ql/**/*.ql*') }}-${{ hashFiles('ql/**/qlpack.yml') }}-${{ hashFiles('ql/ql/src/ql.dbscheme*') }}-${{ steps.get-codeql-version.outputs.version }}
@@ -44,7 +44,7 @@ jobs:
          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
          PACKZIP: ${{ runner.temp }}/query-pack.zip
      - name: Upload query pack
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v2
        with:
          name: query-pack-zip
          path: ${{ runner.temp }}/query-pack.zip
@@ -56,10 +56,10 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2
      - name: Cache entire extractor
        id: cache-extractor
-        uses: actions/cache@v3
+        uses: actions/cache@v2
        with:
          path: |
            ql/target/release/ql-autobuilder
@@ -69,7 +69,7 @@ jobs:
          key: ${{ runner.os }}-extractor-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('ql/**/*.rs') }}
      - name: Cache cargo
        if: steps.cache-extractor.outputs.cache-hit != 'true'
-        uses: actions/cache@v3
+        uses: actions/cache@v2
        with:
          path: |
            ~/.cargo/registry
@@ -91,7 +91,7 @@ jobs:
      - name: Generate dbscheme
        if: steps.cache-extractor.outputs.cache-hit != 'true'
        run: ql/target/release/ql-generator --dbscheme ql/ql/src/ql.dbscheme --library ql/ql/src/codeql_ql/ast/internal/TreeSitter.qll
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v2
        with:
          name: extractor-ubuntu-latest
          path: |
@@ -108,12 +108,12 @@ jobs:
      - queries

    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/download-artifact@v3
+      - uses: actions/checkout@v2
+      - uses: actions/download-artifact@v2
        with:
          name: query-pack-zip
          path: query-pack-zip
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v2
        with:
          name: extractor-ubuntu-latest
          path: linux64
@@ -131,7 +131,7 @@ jobs:
          fi
          cd pack
          zip -rq ../codeql-ql.zip .
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v2
        with:
          name: codeql-ql-pack
          path: codeql-ql.zip
@@ -140,14 +140,14 @@ jobs:
    runs-on: ubuntu-latest
    strategy:
      matrix:
-        folder: [cpp, csharp, java, javascript, python, ql, ruby, swift]
+        folder: [cpp, csharp, java, javascript, python, ql, ruby]

    needs:
      - package

    steps:
      - name: Download pack
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v2
        with:
          name: codeql-ql-pack
          path: ${{ runner.temp }}/codeql-ql-pack-artifact
@@ -166,7 +166,7 @@ jobs:
          PACK: ${{ runner.temp }}/pack

      - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
      - name: Create CodeQL config file
        run: |
          echo "paths:" > ${CONF}
@@ -196,7 +196,7 @@ jobs:
      - name: Copy sarif file to CWD
        run: cp ../results/ql.sarif ./${{ matrix.folder }}.sarif
      - name: Sarif as artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v2
        with:
          name: ${{ matrix.folder }}.sarif
          path: ${{ matrix.folder }}.sarif
--- a/.github/workflows/ql-for-ql-dataset_measure.yml
+++ b/.github/workflows/ql-for-ql-dataset_measure.yml
@@ -22,14 +22,14 @@ jobs:
          - github/codeql-go
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2

      - name: Find codeql
        id: find-codeql
        uses: github/codeql-action/init@aa93aea877e5fb8841bcb1193f672abf6e9f2980
        with:
          languages: javascript # does not matter
-      - uses: actions/cache@v3
+      - uses: actions/cache@v2
        with:
          path: |
            ~/.cargo/registry
@@ -41,7 +41,7 @@ jobs:
        env:
          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
      - name: Checkout ${{ matrix.repo }}
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
        with:
          repository: ${{ matrix.repo }}
          path: ${{ github.workspace }}/repo
@@ -60,7 +60,7 @@ jobs:
          "${CODEQL}" dataset measure --threads 4 --output "stats/${{ matrix.repo }}/stats.xml" "${{ runner.temp }}/database/db-ql"
        env:
          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v2
        with:
          name: measurements
          path: stats
@@ -70,15 +70,15 @@ jobs:
    runs-on: ubuntu-latest
    needs: measure
    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/download-artifact@v3
+      - uses: actions/checkout@v2
+      - uses: actions/download-artifact@v2
        with:
          name: measurements
          path: stats
      - run: |
          python -m pip install --user lxml
          find stats -name 'stats.xml' -print0 | sort -z | xargs -0 python ql/scripts/merge_stats.py --output ql/ql/src/ql.dbscheme.stats --normalise ql_tokeninfo
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v2
        with:
          name: ql.dbscheme.stats
          path: ql/ql/src/ql.dbscheme.stats
--- a/.github/workflows/ql-for-ql-tests.yml
+++ b/.github/workflows/ql-for-ql-tests.yml
@@ -17,13 +17,13 @@ jobs:
  qltest:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2
      - name: Find codeql
        id: find-codeql
        uses: github/codeql-action/init@aa93aea877e5fb8841bcb1193f672abf6e9f2980
        with:
          languages: javascript # does not matter
-      - uses: actions/cache@v3
+      - uses: actions/cache@v2
        with:
          path: |
            ~/.cargo/registry
--- a/.github/workflows/query-list.yml
+++ b/.github/workflows/query-list.yml
@@ -17,16 +17,16 @@ jobs:

    steps:
    - name: Clone self (github/codeql)
-      uses: actions/checkout@v3
+      uses: actions/checkout@v2
      with:
        path: codeql 
    - name: Clone github/codeql-go
-      uses: actions/checkout@v3
+      uses: actions/checkout@v2
      with:
        repository: 'github/codeql-go'
        path: codeql-go
    - name: Set up Python 3.8
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@v2
      with:
        python-version: 3.8
    - name: Download CodeQL CLI
@@ -42,7 +42,7 @@ jobs:
      run: |
        PATH="$PATH:codeql-cli/codeql" python codeql/misc/scripts/generate-code-scanning-query-list.py > code-scanning-query-list.csv
    - name: Upload code scanning query list
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v2
      with:
        name: code-scanning-query-list
        path: code-scanning-query-list.csv
--- a/.github/workflows/ruby-build.yml
+++ b/.github/workflows/ruby-build.yml
@@ -38,13 +38,13 @@ jobs:
    runs-on: ${{ matrix.os }}

    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2
      - name: Install GNU tar
        if: runner.os == 'macOS'
        run: |
          brew install gnu-tar
          echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
-      - uses: actions/cache@v3
+      - uses: actions/cache@v2
        with:
          path: |
            ~/.cargo/registry
@@ -62,17 +62,17 @@ jobs:
      - name: Generate dbscheme
        if: ${{ matrix.os == 'ubuntu-latest' }}
        run: target/release/ruby-generator --dbscheme ql/lib/ruby.dbscheme --library ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v2
        if: ${{ matrix.os == 'ubuntu-latest' }}
        with:
          name: ruby.dbscheme
          path: ruby/ql/lib/ruby.dbscheme
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v2
        if: ${{ matrix.os == 'ubuntu-latest' }}
        with:
          name: TreeSitter.qll
          path: ruby/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v2
        with:
          name: extractor-${{ matrix.os }}
          path: |
@@ -86,7 +86,7 @@ jobs:
    env:
      CODEQL_THREADS: 4 # TODO: remove this once it's set by the CLI
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2
      - name: Fetch CodeQL
        run: |
          LATEST=$(gh release list --repo https://github.com/github/codeql-cli-binaries | cut -f 1 | grep -v beta | sort --version-sort | tail -1)
@@ -102,7 +102,7 @@ jobs:
          PACK_FOLDER=$(readlink -f target/packs/codeql/ruby-queries/*)
          codeql/codeql generate query-help --format=sarifv2.1.0 --output="${PACK_FOLDER}/rules.sarif" ql/src
          (cd ql/src; find queries \( -name '*.qhelp' -o -name '*.rb' -o -name '*.erb' \) -exec bash -c 'mkdir -p "'"${PACK_FOLDER}"'/$(dirname "{}")"' \; -exec cp "{}" "${PACK_FOLDER}/{}" \;)
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v2
        with:
          name: codeql-ruby-queries
          path: |
@@ -113,20 +113,20 @@ jobs:
    runs-on: ubuntu-latest
    needs: [build, compile-queries]
    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/download-artifact@v3
+      - uses: actions/checkout@v2
+      - uses: actions/download-artifact@v2
        with:
          name: ruby.dbscheme
          path: ruby/ruby
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v2
        with:
          name: extractor-ubuntu-latest
          path: ruby/linux64
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v2
        with:
          name: extractor-windows-latest
          path: ruby/win64
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v2
        with:
          name: extractor-macos-latest
          path: ruby/osx64
@@ -142,12 +142,12 @@ jobs:
          cp win64/ruby-extractor.exe ruby/tools/win64/extractor.exe
          chmod +x ruby/tools/{linux64,osx64}/{autobuilder,extractor}
          zip -rq codeql-ruby.zip ruby
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v2
        with:
          name: codeql-ruby-pack
          path: ruby/codeql-ruby.zip
          retention-days: 1
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v2
        with:
          name: codeql-ruby-queries
          path: ruby/qlpacks
@@ -159,7 +159,7 @@ jobs:
            ]
          }' > .codeqlmanifest.json
          zip -rq codeql-ruby-bundle.zip .codeqlmanifest.json ruby qlpacks
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v2
        with:
          name: codeql-ruby-bundle
          path: ruby/codeql-ruby-bundle.zip
@@ -177,7 +177,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    needs: [package]
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2
        with:
          repository: Shopify/example-ruby-app
          ref: 67a0decc5eb550f3a9228eda53925c3afd40dfe9
@@ -191,7 +191,7 @@ jobs:
          GITHUB_TOKEN: ${{ github.token }}
        working-directory: ${{ runner.temp }}
      - name: Download Ruby bundle
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v2
        with:
          name: codeql-ruby-bundle
          path: ${{ runner.temp }}
--- a/.github/workflows/ruby-dataset-measure.yml
+++ b/.github/workflows/ruby-dataset-measure.yml
@@ -27,14 +27,14 @@ jobs:
        repo: [rails/rails, discourse/discourse, spree/spree, ruby/ruby]
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2

      - uses: ./.github/actions/fetch-codeql

      - uses: ./ruby/actions/create-extractor-pack

      - name: Checkout ${{ matrix.repo }}
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
        with:
          repository: ${{ matrix.repo }}
          path: ${{ github.workspace }}/repo
@@ -49,7 +49,7 @@ jobs:
        run: |
          mkdir -p "stats/${{ matrix.repo }}"
          codeql dataset measure --threads 4 --output "stats/${{ matrix.repo }}/stats.xml" "${{ runner.temp }}/database/db-ruby"
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v2
        with:
          name: measurements
          path: stats
@@ -59,15 +59,15 @@ jobs:
    runs-on: ubuntu-latest
    needs: measure
    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/download-artifact@v3
+      - uses: actions/checkout@v2
+      - uses: actions/download-artifact@v2
        with:
          name: measurements
          path: stats
      - run: |
          python -m pip install --user lxml
          find stats -name 'stats.xml' | sort | xargs python ruby/scripts/merge_stats.py --output ruby/ql/lib/ruby.dbscheme.stats --normalise ruby_tokeninfo
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v2
        with:
          name: ruby.dbscheme.stats
          path: ruby/ql/lib/ruby.dbscheme.stats
--- a/.github/workflows/ruby-qltest.yml
+++ b/.github/workflows/ruby-qltest.yml
@@ -27,14 +27,14 @@ jobs:
  qlformat:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2
      - uses: ./.github/actions/fetch-codeql
      - name: Check QL formatting
        run: find ql "(" -name "*.ql" -or -name "*.qll" ")" -print0 | xargs -0 codeql query format --check-only
  qlcompile:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2
      - uses: ./.github/actions/fetch-codeql
      - name: Check QL compilation
        run: |
@@ -44,7 +44,7 @@ jobs:
  qlupgrade:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2
      - uses: ./.github/actions/fetch-codeql
      - name: Check DB upgrade scripts
        run: |
@@ -67,7 +67,7 @@ jobs:
      matrix:
        slice: ["1/2", "2/2"]
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2
      - uses: ./.github/actions/fetch-codeql
      - uses: ./ruby/actions/create-extractor-pack
      - name: Run QL tests
--- a/.github/workflows/swift-codegen.yml
+++ b/.github/workflows/swift-codegen.yml
@@ -1,32 +0,0 @@
-name: "Swift: Check code generation"
-
-on:
-  pull_request:
-    paths:
-      - "swift/**"
-      - .github/workflows/swift-codegen.yml
-    branches:
-      - main
-
-jobs:
-  codegen:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: ./.github/actions/fetch-codeql
-      - uses: bazelbuild/setup-bazelisk@v2
-      - uses: actions/setup-python@v3
-        with:
-          python-version: '~3.8'
-          cache: 'pip'
-      - name: Install python dependencies
-        run: |
-          pip install -r swift/codegen/requirements.txt
-      - name: Run unit tests
-        run: |
-          bazel test //swift/codegen/test --test_output=errors
-      - name: Check that code was generated
-        run: |
-          bazel run //swift/codegen
-          git add swift
-          git diff --exit-code --stat HEAD
--- a/.github/workflows/swift-qltest.yml
+++ b/.github/workflows/swift-qltest.yml
@@ -15,7 +15,7 @@ jobs:
  qlformat:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2
      - uses: ./.github/actions/fetch-codeql
      - name: Check QL formatting
        run: find ql "(" -name "*.ql" -or -name "*.qll" ")" -print0 | xargs -0 codeql query format --check-only
@@ -26,16 +26,20 @@ jobs:
      matrix:
        os : [ubuntu-20.04, macos-latest]
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2
      - uses: ./.github/actions/fetch-codeql
-      - uses: bazelbuild/setup-bazelisk@v2
-      - uses: actions/setup-python@v3
-        with:
-          python-version: '~3.8'
-          cache: 'pip'
-      - name: Install python dependencies
+      - name: Install bazelisk - Linux
+        if: runner.os == 'Linux'
        run: |
-          pip install -r codegen/requirements.txt
+          sudo apt-get update
+          sudo apt-get install -y wget
+          wget https://github.com/bazelbuild/bazelisk/releases/download/v1.11.0/bazelisk-linux-amd64
+          mv bazelisk-linux-amd64 /usr/local/bin/bazel
+          chmod +x /usr/local/bin/bazel
+      - name: Install bazelisk - macOS
+        if: runner.os == 'MacOS'
+        run: |
+          brew install bazelisk
      - name: Build Swift extractor
        run: |
          bazel run //swift:create-extractor-pack
@@ -44,3 +48,4 @@ jobs:
          codeql test run --threads=0 --ram 5000 --search-path "${{ github.workspace }}/swift/extractor-pack" --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition ql/test
        env:
          GITHUB_TOKEN: ${{ github.token }}
+
--- a/.github/workflows/sync-files.yml
+++ b/.github/workflows/sync-files.yml
@@ -14,7 +14,7 @@ jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2
      - name: Check synchronized files
        run: python config/sync-files.py

--- a/.github/workflows/validate-change-notes.yml
+++ b/.github/workflows/validate-change-notes.yml
@@ -18,7 +18,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2

      - name: Setup CodeQL
        uses: ./.github/actions/fetch-codeql
--- a/.gitignore
+++ b/.gitignore
@@ -20,9 +20,6 @@
 # python virtual environment folder
 .venv/

-# binary files created by pytest-cov
-.coverage
-
 # It's useful (though not required) to be able to unpack codeql in the ql checkout itself
 /codeql/

--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,13 +1,12 @@
 # See https://pre-commit.com for more information
 # See https://pre-commit.com/hooks.html for more hooks
+exclude: /test/.*$(?<!\.ql)(?<!\.qll)(?<!\.qlref)
 repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v3.2.0
    hooks:
      - id: trailing-whitespace
-        exclude: /test/.*$(?<!\.ql)(?<!\.qll)(?<!\.qlref)
      - id: end-of-file-fixer
-        exclude: /test/.*$(?<!\.ql)(?<!\.qll)(?<!\.qlref)

  - repo: https://github.com/pre-commit/mirrors-clang-format
    rev: v13.0.1
@@ -25,7 +24,6 @@ repos:

      - id: sync-files
        name: Fix files required to be identical
-        files: \.(qll?|qhelp)$
        language: system
        entry: python3 config/sync-files.py --latest
        pass_filenames: false
@@ -38,14 +36,7 @@ repos:

      - id: swift-codegen
        name: Run Swift checked in code generation
-        files: ^swift/(codegen/|.*/generated/|ql/lib/(swift\.dbscheme$|codeql/swift/elements))
+        files: ^swift/(codegen/|.*/generated/|ql/lib/swift\.dbscheme$)
        language: system
        entry: bazel run //swift/codegen
        pass_filenames: false
-
-      - id: swift-codegen-unit-tests
-        name: Run Swift code generation unit tests
-        files: ^swift/codegen/.*\.py$
-        language: system
-        entry: bazel test //swift/codegen/test
-        pass_filenames: false
--- a/6
+++ b/6
@@ -31,9 +31,3 @@
 # Documentation etc
 /*.md @github/code-scanning-product
 /LICENSE @github/code-scanning-product
-
-# Workflows
-/.github/workflows/ @github/codeql-ci-reviewers
-/.github/workflows/js-ml-tests.yml @github/codeql-ml-powered-queries-reviewers
-/.github/workflows/ql-for-ql-* @github/codeql-ql-for-ql-reviewers
-/.github/workflows/ruby-* @github/codeql-ruby
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -2,7 +2,7 @@

 We welcome contributions to our CodeQL libraries and queries. Got an idea for a new check, or how to improve an existing query? Then please go ahead and open a pull request! Contributions to this project are [released](https://help.github.com/articles/github-terms-of-service/#6-contributions-under-repository-license) to the public under the [project's open source license](LICENSE).

-There is lots of useful documentation to help you write queries, ranging from information about query file structure to tutorials for specific target languages. For more information on the documentation available, see [CodeQL queries](https://codeql.github.com/docs/writing-codeql-queries/codeql-queries) on [codeql.github.com](https://codeql.github.com).
+There is lots of useful documentation to help you write queries, ranging from information about query file structure to tutorials for specific target languages. For more information on the documentation available, see [CodeQL queries](https://help.semmle.com/QL/learn-ql/writing-queries/writing-queries.html) on [help.semmle.com](https://help.semmle.com).

 ## Change notes

@@ -40,7 +40,7 @@ If you have an idea for a query that you would like to share with other CodeQL u

 3. **Formatting**

-    - The queries and libraries must be autoformatted, for example using the "Format Document" command in [CodeQL for Visual Studio Code](https://codeql.github.com/docs/codeql-for-visual-studio-code/about-codeql-for-visual-studio-code).
+    - The queries and libraries must be autoformatted, for example using the "Format Document" command in [CodeQL for Visual Studio Code](https://help.semmle.com/codeql/codeql-for-vscode/procedures/about-codeql-for-vscode.html).

    If you prefer, you can either:
    1. install the [pre-commit framework](https://pre-commit.com/) and install the configured hooks on this repo via `pre-commit install`, or
--- a/conftest.py
+++ b/conftest.py
@@ -1 +0,0 @@
-# this empty file adds the repo root to PYTHON_PATH when running pytest
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,17 +1,3 @@
-## 0.1.0
-
-### Breaking Changes
-
-* The recently added flow-state versions of `isBarrierIn`, `isBarrierOut`, `isSanitizerIn`, and `isSanitizerOut` in the data flow and taint tracking libraries have been removed.
-
-### New Features
-
-* A new library `semmle.code.cpp.security.PrivateData` has been added. The new library heuristically detects variables and functions dealing with sensitive private data, such as e-mail addresses and credit card numbers.
-
-### Minor Analysis Improvements
-
-* The `semmle.code.cpp.security.SensitiveExprs` library has been enhanced with some additional rules for detecting credentials.
-
 ## 0.0.13

 ## 0.0.12
--- a/cpp/ql/lib/change-notes/2022-03-28-private-data.md
+++ b/cpp/ql/lib/change-notes/2022-03-28-private-data.md
@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* A new library `semmle.code.cpp.security.PrivateData` has been added. The new library heuristically detects variables and functions dealing with sensitive private data, such as e-mail addresses and credit card numbers.
--- a/cpp/ql/lib/change-notes/2022-03-31-sensitive-exprs.md
+++ b/cpp/ql/lib/change-notes/2022-03-31-sensitive-exprs.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `semmle.code.cpp.security.SensitiveExprs` library has been enhanced with some additional rules for detecting credentials.
--- a/cpp/ql/lib/change-notes/2022-04-08-flow-state-barriers.md
+++ b/cpp/ql/lib/change-notes/2022-04-08-flow-state-barriers.md
@@ -0,0 +1,4 @@
+---
+category: breaking
+---
+The recently added flow-state versions of `isBarrierIn`, `isBarrierOut`, `isSanitizerIn`, and `isSanitizerOut` in the data flow and taint tracking libraries have been removed.
--- a/cpp/ql/lib/change-notes/2022-04-22-no-size-array.md
+++ b/cpp/ql/lib/change-notes/2022-04-22-no-size-array.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The `semmle.code.cpp.commons.Buffer` library has been enhanced to handle array members of classes that do not specify a size.
--- a/cpp/ql/lib/change-notes/2022-04-25-allow-implicit-read-signature.md
+++ b/cpp/ql/lib/change-notes/2022-04-25-allow-implicit-read-signature.md
@@ -1,4 +0,0 @@
---
-category: breaking
---
-The signature of `allowImplicitRead` on `DataFlow::Configuration` and `TaintTracking::Configuration` has changed from `allowImplicitRead(DataFlow::Node node, DataFlow::Content c)` to `allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c)`.
--- a/cpp/ql/lib/change-notes/2022-04-25-windows-pool-allocation-functions.md
+++ b/cpp/ql/lib/change-notes/2022-04-25-windows-pool-allocation-functions.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* More Windows pool allocation functions are now detected as `AllocationFunction`s.
--- a/cpp/ql/lib/change-notes/released/0.1.0.md
+++ b/cpp/ql/lib/change-notes/released/0.1.0.md
@@ -1,13 +0,0 @@
-## 0.1.0
-
-### Breaking Changes
-
-* The recently added flow-state versions of `isBarrierIn`, `isBarrierOut`, `isSanitizerIn`, and `isSanitizerOut` in the data flow and taint tracking libraries have been removed.
-
-### New Features
-
-* A new library `semmle.code.cpp.security.PrivateData` has been added. The new library heuristically detects variables and functions dealing with sensitive private data, such as e-mail addresses and credit card numbers.
-
-### Minor Analysis Improvements
-
-* The `semmle.code.cpp.security.SensitiveExprs` library has been enhanced with some additional rules for detecting credentials.
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.1.0
+lastReleaseVersion: 0.0.13
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.1.1-dev
+version: 0.1.0-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/lib/semmle/code/cpp/Field.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Field.qll
@@ -4,6 +4,7 @@

 import semmle.code.cpp.Variable
 import semmle.code.cpp.Enum
+import semmle.code.cpp.exprs.Access

 /**
 * A C structure member or C++ non-static member variable. For example the
--- a/cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll
@@ -10,18 +10,11 @@ import semmle.code.cpp.dataflow.DataFlow
 *   char data[1]; // v
 * };
 * ```
- * or
- * ```
- * struct myStruct { // c
- *   int amount;
- *   char data[]; // v
- * };
- * ```
- * This requires that `v` is an array of size 0 or 1, or that the array has no size.
+ * This requires that `v` is an array of size 0 or 1.
 */
 predicate memberMayBeVarSize(Class c, MemberVariable v) {
  c = v.getDeclaringType() and
-  exists(ArrayType t | t = v.getUnspecifiedType() | not t.getArraySize() > 1)
+  v.getUnspecifiedType().(ArrayType).getArraySize() <= 1
 }

 /**
@@ -47,18 +40,13 @@ int getBufferSize(Expr bufferExpr, Element why) {
    result = why.(Expr).getType().(ArrayType).getSize() and
    not exists(bufferVar.getUnspecifiedType().(ArrayType).getSize())
    or
-    exists(Class parentClass, VariableAccess parentPtr, int bufferSize |
+    exists(Class parentClass, VariableAccess parentPtr |
      // buffer is the parentPtr->bufferVar of a 'variable size struct'
      memberMayBeVarSize(parentClass, bufferVar) and
      why = bufferVar and
      parentPtr = bufferExpr.(VariableAccess).getQualifier() and
      parentPtr.getTarget().getUnspecifiedType().(PointerType).getBaseType() = parentClass and
-      (
-        if exists(bufferVar.getType().getSize())
-        then bufferSize = bufferVar.getType().getSize()
-        else bufferSize = 0
-      ) and
-      result = getBufferSize(parentPtr, _) + bufferSize - parentClass.getSize()
+      result = getBufferSize(parentPtr, _) + bufferVar.getType().getSize() - parentClass.getSize()
    )
  )
  or
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
@@ -116,7 +116,7 @@ abstract class Configuration extends string {
   * Holds if an arbitrary number of implicit read steps of content `c` may be
   * taken at `node`.
   */
-  predicate allowImplicitRead(Node node, ContentSet c) { none() }
+  predicate allowImplicitRead(Node node, Content c) { none() }

  /**
   * Gets the virtual dispatch branching limit when calculating field flow.
@@ -485,9 +485,8 @@ private predicate additionalJumpStateStep(
  )
 }

-pragma[nomagic]
-private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
-  readSet(node1.asNode(), c, node2.asNode()) and
+private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
+  read(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -497,25 +496,6 @@ private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuratio
  )
 }

-// inline to reduce fan-out via `getAReadContent`
-pragma[inline]
-private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  exists(ContentSet cs |
-    readSet(node1, cs, node2, config) and
-    c = cs.getAReadContent()
-  )
-}
-
-// inline to reduce fan-out via `getAReadContent`
-pragma[inline]
-private predicate clearsContentEx(NodeEx n, Content c) {
-  exists(ContentSet cs |
-    clearsContentCached(n.asNode(), cs) and
-    c = cs.getAReadContent()
-  )
-}
-
-pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
@@ -593,9 +573,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(ContentSet c |
-      fwdFlowReadSet(c, node, cc, config) and
-      fwdFlowConsCandSet(c, _, config)
+    exists(Content c |
+      fwdFlowRead(c, node, cc, config) and
+      fwdFlowConsCand(c, config)
    )
    or
    // flow into a callable
@@ -619,10 +599,10 @@ private module Stage1 {
  private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }

  pragma[nomagic]
-  private predicate fwdFlowReadSet(ContentSet c, NodeEx node, Cc cc, Configuration config) {
+  private predicate fwdFlowRead(Content c, NodeEx node, Cc cc, Configuration config) {
    exists(NodeEx mid |
      fwdFlow(mid, cc, config) and
-      readSet(mid, c, node, config)
+      read(mid, c, node, config)
    )
  }

@@ -640,16 +620,6 @@ private module Stage1 {
    )
  }

-  /**
-   * Holds if `cs` may be interpreted in a read as the target of some store
-   * into `c`, in the flow covered by `fwdFlow`.
-   */
-  pragma[nomagic]
-  private predicate fwdFlowConsCandSet(ContentSet cs, Content c, Configuration config) {
-    fwdFlowConsCand(c, config) and
-    c = cs.getAReadContent()
-  }
-
  pragma[nomagic]
  private predicate fwdFlowReturnPosition(ReturnPosition pos, Cc cc, Configuration config) {
    exists(RetNodeEx ret |
@@ -742,9 +712,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(NodeEx mid, ContentSet c |
-      readSet(node, c, mid, config) and
-      fwdFlowConsCandSet(c, _, pragma[only_bind_into](config)) and
+    exists(NodeEx mid, Content c |
+      read(node, c, mid, config) and
+      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
      revFlow(mid, toReturn, pragma[only_bind_into](config))
    )
    or
@@ -770,10 +740,10 @@ private module Stage1 {
   */
  pragma[nomagic]
  private predicate revFlowConsCand(Content c, Configuration config) {
-    exists(NodeEx mid, NodeEx node, ContentSet cs |
+    exists(NodeEx mid, NodeEx node |
      fwdFlow(node, pragma[only_bind_into](config)) and
-      readSet(node, cs, mid, config) and
-      fwdFlowConsCandSet(cs, c, pragma[only_bind_into](config)) and
+      read(node, c, mid, config) and
+      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
      revFlow(pragma[only_bind_into](mid), _, pragma[only_bind_into](config))
    )
  }
@@ -792,7 +762,6 @@ private module Stage1 {
   * Holds if `c` is the target of both a read and a store in the flow covered
   * by `revFlow`.
   */
-  pragma[nomagic]
  private predicate revFlowIsReadAndStored(Content c, Configuration conf) {
    revFlowConsCand(c, conf) and
    revFlowStore(c, _, _, conf)
@@ -891,9 +860,9 @@ private module Stage1 {

  pragma[nomagic]
  predicate readStepCand(NodeEx n1, Content c, NodeEx n2, Configuration config) {
-    revFlowIsReadAndStored(pragma[only_bind_into](c), pragma[only_bind_into](config)) and
-    read(n1, c, n2, pragma[only_bind_into](config)) and
-    revFlow(n2, pragma[only_bind_into](config))
+    revFlowIsReadAndStored(c, pragma[only_bind_into](config)) and
+    revFlow(n2, pragma[only_bind_into](config)) and
+    read(n1, c, n2, pragma[only_bind_into](config))
  }

  pragma[nomagic]
@@ -903,10 +872,7 @@ private module Stage1 {
  predicate revFlow(
    NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
  ) {
-    revFlow(node, toReturn, pragma[only_bind_into](config)) and
-    exists(state) and
-    exists(returnAp) and
-    exists(ap)
+    revFlow(node, toReturn, config) and exists(state) and exists(returnAp) and exists(ap)
  }

  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
@@ -1183,7 +1149,7 @@ private module Stage2 {

  bindingset[node, state, ap, config]
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
-    PrevStage::revFlowState(state, pragma[only_bind_into](config)) and
+    PrevStage::revFlowState(state, config) and
    exists(ap) and
    not stateBarrier(node, state, config)
  }
@@ -1608,7 +1574,7 @@ private module Stage2 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
+      store(node1, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -1763,9 +1729,9 @@ private module LocalFlowBigStep {
      or
      node.asNode() instanceof OutNodeExt
      or
-      Stage2::storeStepCand(_, _, _, node, _, config)
+      store(_, _, node, _, config)
      or
-      Stage2::readStepCand(_, _, node, config)
+      read(_, _, node, config)
      or
      node instanceof FlowCheckNode
      or
@@ -1786,8 +1752,8 @@ private module LocalFlowBigStep {
      additionalJumpStep(node, next, config) or
      flowIntoCallNodeCand1(_, node, next, config) or
      flowOutOfCallNodeCand1(_, node, next, config) or
-      Stage2::storeStepCand(node, _, _, next, _, config) or
-      Stage2::readStepCand(node, _, next, config)
+      store(node, _, next, _, config) or
+      read(node, _, next, config)
    )
    or
    exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
@@ -1960,24 +1926,7 @@ private module Stage3 {
  private predicate flowIntoCall = flowIntoCallNodeCand2/5;

  pragma[nomagic]
-  private predicate clearSet(NodeEx node, ContentSet c, Configuration config) {
-    PrevStage::revFlow(node, config) and
-    clearsContentCached(node.asNode(), c)
-  }
-
-  pragma[nomagic]
-  private predicate clearContent(NodeEx node, Content c, Configuration config) {
-    exists(ContentSet cs |
-      PrevStage::readStepCand(_, pragma[only_bind_into](c), _, pragma[only_bind_into](config)) and
-      c = cs.getAReadContent() and
-      clearSet(node, cs, pragma[only_bind_into](config))
-    )
-  }
-
-  pragma[nomagic]
-  private predicate clear(NodeEx node, Ap ap, Configuration config) {
-    clearContent(node, ap.getHead().getContent(), config)
-  }
+  private predicate clear(NodeEx node, Ap ap) { ap.isClearedAt(node.asNode()) }

  pragma[nomagic]
  private predicate castingNodeEx(NodeEx node) { node.asNode() instanceof CastingNode }
@@ -1986,7 +1935,7 @@ private module Stage3 {
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
    exists(state) and
    exists(config) and
-    not clear(node, ap, config) and
+    not clear(node, ap) and
    if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), ap.getType()) else any()
  }

@@ -2414,7 +2363,7 @@ private module Stage3 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
+      store(node1, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -3241,7 +3190,7 @@ private module Stage4 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
+      store(node1, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -4253,7 +4202,7 @@ private module Subpaths {
    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
      localFlowBigStep(n1, _, n2, _, _, _, _, _) or
      store(n1, _, n2, _, _) or
-      readSet(n1, _, n2, _)
+      read(n1, _, n2, _)
    )
  }

@@ -4608,7 +4557,7 @@ private module FlowExploration {
      or
      exists(PartialPathNodeRev mid |
        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
+        not clearsContentCached(node.asNode(), ap.getHead()) and
        not fullBarrier(node, config) and
        not stateBarrier(node, state, config) and
        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
@@ -4624,7 +4573,7 @@ private module FlowExploration {
      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
      not fullBarrier(node, config) and
      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
+      not clearsContentCached(node.asNode(), ap.getHead().getContent()) and
      if node.asNode() instanceof CastingNode
      then compatibleTypes(node.getDataFlowType(), ap.getType())
      else any()
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -116,7 +116,7 @@ abstract class Configuration extends string {
   * Holds if an arbitrary number of implicit read steps of content `c` may be
   * taken at `node`.
   */
-  predicate allowImplicitRead(Node node, ContentSet c) { none() }
+  predicate allowImplicitRead(Node node, Content c) { none() }

  /**
   * Gets the virtual dispatch branching limit when calculating field flow.
@@ -485,9 +485,8 @@ private predicate additionalJumpStateStep(
  )
 }

-pragma[nomagic]
-private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
-  readSet(node1.asNode(), c, node2.asNode()) and
+private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
+  read(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -497,25 +496,6 @@ private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuratio
  )
 }

-// inline to reduce fan-out via `getAReadContent`
-pragma[inline]
-private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  exists(ContentSet cs |
-    readSet(node1, cs, node2, config) and
-    c = cs.getAReadContent()
-  )
-}
-
-// inline to reduce fan-out via `getAReadContent`
-pragma[inline]
-private predicate clearsContentEx(NodeEx n, Content c) {
-  exists(ContentSet cs |
-    clearsContentCached(n.asNode(), cs) and
-    c = cs.getAReadContent()
-  )
-}
-
-pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
@@ -593,9 +573,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(ContentSet c |
-      fwdFlowReadSet(c, node, cc, config) and
-      fwdFlowConsCandSet(c, _, config)
+    exists(Content c |
+      fwdFlowRead(c, node, cc, config) and
+      fwdFlowConsCand(c, config)
    )
    or
    // flow into a callable
@@ -619,10 +599,10 @@ private module Stage1 {
  private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }

  pragma[nomagic]
-  private predicate fwdFlowReadSet(ContentSet c, NodeEx node, Cc cc, Configuration config) {
+  private predicate fwdFlowRead(Content c, NodeEx node, Cc cc, Configuration config) {
    exists(NodeEx mid |
      fwdFlow(mid, cc, config) and
-      readSet(mid, c, node, config)
+      read(mid, c, node, config)
    )
  }

@@ -640,16 +620,6 @@ private module Stage1 {
    )
  }

-  /**
-   * Holds if `cs` may be interpreted in a read as the target of some store
-   * into `c`, in the flow covered by `fwdFlow`.
-   */
-  pragma[nomagic]
-  private predicate fwdFlowConsCandSet(ContentSet cs, Content c, Configuration config) {
-    fwdFlowConsCand(c, config) and
-    c = cs.getAReadContent()
-  }
-
  pragma[nomagic]
  private predicate fwdFlowReturnPosition(ReturnPosition pos, Cc cc, Configuration config) {
    exists(RetNodeEx ret |
@@ -742,9 +712,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(NodeEx mid, ContentSet c |
-      readSet(node, c, mid, config) and
-      fwdFlowConsCandSet(c, _, pragma[only_bind_into](config)) and
+    exists(NodeEx mid, Content c |
+      read(node, c, mid, config) and
+      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
      revFlow(mid, toReturn, pragma[only_bind_into](config))
    )
    or
@@ -770,10 +740,10 @@ private module Stage1 {
   */
  pragma[nomagic]
  private predicate revFlowConsCand(Content c, Configuration config) {
-    exists(NodeEx mid, NodeEx node, ContentSet cs |
+    exists(NodeEx mid, NodeEx node |
      fwdFlow(node, pragma[only_bind_into](config)) and
-      readSet(node, cs, mid, config) and
-      fwdFlowConsCandSet(cs, c, pragma[only_bind_into](config)) and
+      read(node, c, mid, config) and
+      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
      revFlow(pragma[only_bind_into](mid), _, pragma[only_bind_into](config))
    )
  }
@@ -792,7 +762,6 @@ private module Stage1 {
   * Holds if `c` is the target of both a read and a store in the flow covered
   * by `revFlow`.
   */
-  pragma[nomagic]
  private predicate revFlowIsReadAndStored(Content c, Configuration conf) {
    revFlowConsCand(c, conf) and
    revFlowStore(c, _, _, conf)
@@ -891,9 +860,9 @@ private module Stage1 {

  pragma[nomagic]
  predicate readStepCand(NodeEx n1, Content c, NodeEx n2, Configuration config) {
-    revFlowIsReadAndStored(pragma[only_bind_into](c), pragma[only_bind_into](config)) and
-    read(n1, c, n2, pragma[only_bind_into](config)) and
-    revFlow(n2, pragma[only_bind_into](config))
+    revFlowIsReadAndStored(c, pragma[only_bind_into](config)) and
+    revFlow(n2, pragma[only_bind_into](config)) and
+    read(n1, c, n2, pragma[only_bind_into](config))
  }

  pragma[nomagic]
@@ -903,10 +872,7 @@ private module Stage1 {
  predicate revFlow(
    NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
  ) {
-    revFlow(node, toReturn, pragma[only_bind_into](config)) and
-    exists(state) and
-    exists(returnAp) and
-    exists(ap)
+    revFlow(node, toReturn, config) and exists(state) and exists(returnAp) and exists(ap)
  }

  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
@@ -1183,7 +1149,7 @@ private module Stage2 {

  bindingset[node, state, ap, config]
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
-    PrevStage::revFlowState(state, pragma[only_bind_into](config)) and
+    PrevStage::revFlowState(state, config) and
    exists(ap) and
    not stateBarrier(node, state, config)
  }
@@ -1608,7 +1574,7 @@ private module Stage2 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
+      store(node1, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -1763,9 +1729,9 @@ private module LocalFlowBigStep {
      or
      node.asNode() instanceof OutNodeExt
      or
-      Stage2::storeStepCand(_, _, _, node, _, config)
+      store(_, _, node, _, config)
      or
-      Stage2::readStepCand(_, _, node, config)
+      read(_, _, node, config)
      or
      node instanceof FlowCheckNode
      or
@@ -1786,8 +1752,8 @@ private module LocalFlowBigStep {
      additionalJumpStep(node, next, config) or
      flowIntoCallNodeCand1(_, node, next, config) or
      flowOutOfCallNodeCand1(_, node, next, config) or
-      Stage2::storeStepCand(node, _, _, next, _, config) or
-      Stage2::readStepCand(node, _, next, config)
+      store(node, _, next, _, config) or
+      read(node, _, next, config)
    )
    or
    exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
@@ -1960,24 +1926,7 @@ private module Stage3 {
  private predicate flowIntoCall = flowIntoCallNodeCand2/5;

  pragma[nomagic]
-  private predicate clearSet(NodeEx node, ContentSet c, Configuration config) {
-    PrevStage::revFlow(node, config) and
-    clearsContentCached(node.asNode(), c)
-  }
-
-  pragma[nomagic]
-  private predicate clearContent(NodeEx node, Content c, Configuration config) {
-    exists(ContentSet cs |
-      PrevStage::readStepCand(_, pragma[only_bind_into](c), _, pragma[only_bind_into](config)) and
-      c = cs.getAReadContent() and
-      clearSet(node, cs, pragma[only_bind_into](config))
-    )
-  }
-
-  pragma[nomagic]
-  private predicate clear(NodeEx node, Ap ap, Configuration config) {
-    clearContent(node, ap.getHead().getContent(), config)
-  }
+  private predicate clear(NodeEx node, Ap ap) { ap.isClearedAt(node.asNode()) }

  pragma[nomagic]
  private predicate castingNodeEx(NodeEx node) { node.asNode() instanceof CastingNode }
@@ -1986,7 +1935,7 @@ private module Stage3 {
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
    exists(state) and
    exists(config) and
-    not clear(node, ap, config) and
+    not clear(node, ap) and
    if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), ap.getType()) else any()
  }

@@ -2414,7 +2363,7 @@ private module Stage3 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
+      store(node1, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -3241,7 +3190,7 @@ private module Stage4 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
+      store(node1, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -4253,7 +4202,7 @@ private module Subpaths {
    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
      localFlowBigStep(n1, _, n2, _, _, _, _, _) or
      store(n1, _, n2, _, _) or
-      readSet(n1, _, n2, _)
+      read(n1, _, n2, _)
    )
  }

@@ -4608,7 +4557,7 @@ private module FlowExploration {
      or
      exists(PartialPathNodeRev mid |
        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
+        not clearsContentCached(node.asNode(), ap.getHead()) and
        not fullBarrier(node, config) and
        not stateBarrier(node, state, config) and
        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
@@ -4624,7 +4573,7 @@ private module FlowExploration {
      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
      not fullBarrier(node, config) and
      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
+      not clearsContentCached(node.asNode(), ap.getHead().getContent()) and
      if node.asNode() instanceof CastingNode
      then compatibleTypes(node.getDataFlowType(), ap.getType())
      else any()
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -116,7 +116,7 @@ abstract class Configuration extends string {
   * Holds if an arbitrary number of implicit read steps of content `c` may be
   * taken at `node`.
   */
-  predicate allowImplicitRead(Node node, ContentSet c) { none() }
+  predicate allowImplicitRead(Node node, Content c) { none() }

  /**
   * Gets the virtual dispatch branching limit when calculating field flow.
@@ -485,9 +485,8 @@ private predicate additionalJumpStateStep(
  )
 }

-pragma[nomagic]
-private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
-  readSet(node1.asNode(), c, node2.asNode()) and
+private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
+  read(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -497,25 +496,6 @@ private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuratio
  )
 }

-// inline to reduce fan-out via `getAReadContent`
-pragma[inline]
-private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  exists(ContentSet cs |
-    readSet(node1, cs, node2, config) and
-    c = cs.getAReadContent()
-  )
-}
-
-// inline to reduce fan-out via `getAReadContent`
-pragma[inline]
-private predicate clearsContentEx(NodeEx n, Content c) {
-  exists(ContentSet cs |
-    clearsContentCached(n.asNode(), cs) and
-    c = cs.getAReadContent()
-  )
-}
-
-pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
@@ -593,9 +573,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(ContentSet c |
-      fwdFlowReadSet(c, node, cc, config) and
-      fwdFlowConsCandSet(c, _, config)
+    exists(Content c |
+      fwdFlowRead(c, node, cc, config) and
+      fwdFlowConsCand(c, config)
    )
    or
    // flow into a callable
@@ -619,10 +599,10 @@ private module Stage1 {
  private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }

  pragma[nomagic]
-  private predicate fwdFlowReadSet(ContentSet c, NodeEx node, Cc cc, Configuration config) {
+  private predicate fwdFlowRead(Content c, NodeEx node, Cc cc, Configuration config) {
    exists(NodeEx mid |
      fwdFlow(mid, cc, config) and
-      readSet(mid, c, node, config)
+      read(mid, c, node, config)
    )
  }

@@ -640,16 +620,6 @@ private module Stage1 {
    )
  }

-  /**
-   * Holds if `cs` may be interpreted in a read as the target of some store
-   * into `c`, in the flow covered by `fwdFlow`.
-   */
-  pragma[nomagic]
-  private predicate fwdFlowConsCandSet(ContentSet cs, Content c, Configuration config) {
-    fwdFlowConsCand(c, config) and
-    c = cs.getAReadContent()
-  }
-
  pragma[nomagic]
  private predicate fwdFlowReturnPosition(ReturnPosition pos, Cc cc, Configuration config) {
    exists(RetNodeEx ret |
@@ -742,9 +712,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(NodeEx mid, ContentSet c |
-      readSet(node, c, mid, config) and
-      fwdFlowConsCandSet(c, _, pragma[only_bind_into](config)) and
+    exists(NodeEx mid, Content c |
+      read(node, c, mid, config) and
+      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
      revFlow(mid, toReturn, pragma[only_bind_into](config))
    )
    or
@@ -770,10 +740,10 @@ private module Stage1 {
   */
  pragma[nomagic]
  private predicate revFlowConsCand(Content c, Configuration config) {
-    exists(NodeEx mid, NodeEx node, ContentSet cs |
+    exists(NodeEx mid, NodeEx node |
      fwdFlow(node, pragma[only_bind_into](config)) and
-      readSet(node, cs, mid, config) and
-      fwdFlowConsCandSet(cs, c, pragma[only_bind_into](config)) and
+      read(node, c, mid, config) and
+      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
      revFlow(pragma[only_bind_into](mid), _, pragma[only_bind_into](config))
    )
  }
@@ -792,7 +762,6 @@ private module Stage1 {
   * Holds if `c` is the target of both a read and a store in the flow covered
   * by `revFlow`.
   */
-  pragma[nomagic]
  private predicate revFlowIsReadAndStored(Content c, Configuration conf) {
    revFlowConsCand(c, conf) and
    revFlowStore(c, _, _, conf)
@@ -891,9 +860,9 @@ private module Stage1 {

  pragma[nomagic]
  predicate readStepCand(NodeEx n1, Content c, NodeEx n2, Configuration config) {
-    revFlowIsReadAndStored(pragma[only_bind_into](c), pragma[only_bind_into](config)) and
-    read(n1, c, n2, pragma[only_bind_into](config)) and
-    revFlow(n2, pragma[only_bind_into](config))
+    revFlowIsReadAndStored(c, pragma[only_bind_into](config)) and
+    revFlow(n2, pragma[only_bind_into](config)) and
+    read(n1, c, n2, pragma[only_bind_into](config))
  }

  pragma[nomagic]
@@ -903,10 +872,7 @@ private module Stage1 {
  predicate revFlow(
    NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
  ) {
-    revFlow(node, toReturn, pragma[only_bind_into](config)) and
-    exists(state) and
-    exists(returnAp) and
-    exists(ap)
+    revFlow(node, toReturn, config) and exists(state) and exists(returnAp) and exists(ap)
  }

  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
@@ -1183,7 +1149,7 @@ private module Stage2 {

  bindingset[node, state, ap, config]
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
-    PrevStage::revFlowState(state, pragma[only_bind_into](config)) and
+    PrevStage::revFlowState(state, config) and
    exists(ap) and
    not stateBarrier(node, state, config)
  }
@@ -1608,7 +1574,7 @@ private module Stage2 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
+      store(node1, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -1763,9 +1729,9 @@ private module LocalFlowBigStep {
      or
      node.asNode() instanceof OutNodeExt
      or
-      Stage2::storeStepCand(_, _, _, node, _, config)
+      store(_, _, node, _, config)
      or
-      Stage2::readStepCand(_, _, node, config)
+      read(_, _, node, config)
      or
      node instanceof FlowCheckNode
      or
@@ -1786,8 +1752,8 @@ private module LocalFlowBigStep {
      additionalJumpStep(node, next, config) or
      flowIntoCallNodeCand1(_, node, next, config) or
      flowOutOfCallNodeCand1(_, node, next, config) or
-      Stage2::storeStepCand(node, _, _, next, _, config) or
-      Stage2::readStepCand(node, _, next, config)
+      store(node, _, next, _, config) or
+      read(node, _, next, config)
    )
    or
    exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
@@ -1960,24 +1926,7 @@ private module Stage3 {
  private predicate flowIntoCall = flowIntoCallNodeCand2/5;

  pragma[nomagic]
-  private predicate clearSet(NodeEx node, ContentSet c, Configuration config) {
-    PrevStage::revFlow(node, config) and
-    clearsContentCached(node.asNode(), c)
-  }
-
-  pragma[nomagic]
-  private predicate clearContent(NodeEx node, Content c, Configuration config) {
-    exists(ContentSet cs |
-      PrevStage::readStepCand(_, pragma[only_bind_into](c), _, pragma[only_bind_into](config)) and
-      c = cs.getAReadContent() and
-      clearSet(node, cs, pragma[only_bind_into](config))
-    )
-  }
-
-  pragma[nomagic]
-  private predicate clear(NodeEx node, Ap ap, Configuration config) {
-    clearContent(node, ap.getHead().getContent(), config)
-  }
+  private predicate clear(NodeEx node, Ap ap) { ap.isClearedAt(node.asNode()) }

  pragma[nomagic]
  private predicate castingNodeEx(NodeEx node) { node.asNode() instanceof CastingNode }
@@ -1986,7 +1935,7 @@ private module Stage3 {
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
    exists(state) and
    exists(config) and
-    not clear(node, ap, config) and
+    not clear(node, ap) and
    if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), ap.getType()) else any()
  }

@@ -2414,7 +2363,7 @@ private module Stage3 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
+      store(node1, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -3241,7 +3190,7 @@ private module Stage4 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
+      store(node1, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -4253,7 +4202,7 @@ private module Subpaths {
    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
      localFlowBigStep(n1, _, n2, _, _, _, _, _) or
      store(n1, _, n2, _, _) or
-      readSet(n1, _, n2, _)
+      read(n1, _, n2, _)
    )
  }

@@ -4608,7 +4557,7 @@ private module FlowExploration {
      or
      exists(PartialPathNodeRev mid |
        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
+        not clearsContentCached(node.asNode(), ap.getHead()) and
        not fullBarrier(node, config) and
        not stateBarrier(node, state, config) and
        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
@@ -4624,7 +4573,7 @@ private module FlowExploration {
      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
      not fullBarrier(node, config) and
      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
+      not clearsContentCached(node.asNode(), ap.getHead().getContent()) and
      if node.asNode() instanceof CastingNode
      then compatibleTypes(node.getDataFlowType(), ap.getType())
      else any()
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -116,7 +116,7 @@ abstract class Configuration extends string {
   * Holds if an arbitrary number of implicit read steps of content `c` may be
   * taken at `node`.
   */
-  predicate allowImplicitRead(Node node, ContentSet c) { none() }
+  predicate allowImplicitRead(Node node, Content c) { none() }

  /**
   * Gets the virtual dispatch branching limit when calculating field flow.
@@ -485,9 +485,8 @@ private predicate additionalJumpStateStep(
  )
 }

-pragma[nomagic]
-private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
-  readSet(node1.asNode(), c, node2.asNode()) and
+private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
+  read(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -497,25 +496,6 @@ private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuratio
  )
 }

-// inline to reduce fan-out via `getAReadContent`
-pragma[inline]
-private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  exists(ContentSet cs |
-    readSet(node1, cs, node2, config) and
-    c = cs.getAReadContent()
-  )
-}
-
-// inline to reduce fan-out via `getAReadContent`
-pragma[inline]
-private predicate clearsContentEx(NodeEx n, Content c) {
-  exists(ContentSet cs |
-    clearsContentCached(n.asNode(), cs) and
-    c = cs.getAReadContent()
-  )
-}
-
-pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
@@ -593,9 +573,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(ContentSet c |
-      fwdFlowReadSet(c, node, cc, config) and
-      fwdFlowConsCandSet(c, _, config)
+    exists(Content c |
+      fwdFlowRead(c, node, cc, config) and
+      fwdFlowConsCand(c, config)
    )
    or
    // flow into a callable
@@ -619,10 +599,10 @@ private module Stage1 {
  private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }

  pragma[nomagic]
-  private predicate fwdFlowReadSet(ContentSet c, NodeEx node, Cc cc, Configuration config) {
+  private predicate fwdFlowRead(Content c, NodeEx node, Cc cc, Configuration config) {
    exists(NodeEx mid |
      fwdFlow(mid, cc, config) and
-      readSet(mid, c, node, config)
+      read(mid, c, node, config)
    )
  }

@@ -640,16 +620,6 @@ private module Stage1 {
    )
  }

-  /**
-   * Holds if `cs` may be interpreted in a read as the target of some store
-   * into `c`, in the flow covered by `fwdFlow`.
-   */
-  pragma[nomagic]
-  private predicate fwdFlowConsCandSet(ContentSet cs, Content c, Configuration config) {
-    fwdFlowConsCand(c, config) and
-    c = cs.getAReadContent()
-  }
-
  pragma[nomagic]
  private predicate fwdFlowReturnPosition(ReturnPosition pos, Cc cc, Configuration config) {
    exists(RetNodeEx ret |
@@ -742,9 +712,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(NodeEx mid, ContentSet c |
-      readSet(node, c, mid, config) and
-      fwdFlowConsCandSet(c, _, pragma[only_bind_into](config)) and
+    exists(NodeEx mid, Content c |
+      read(node, c, mid, config) and
+      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
      revFlow(mid, toReturn, pragma[only_bind_into](config))
    )
    or
@@ -770,10 +740,10 @@ private module Stage1 {
   */
  pragma[nomagic]
  private predicate revFlowConsCand(Content c, Configuration config) {
-    exists(NodeEx mid, NodeEx node, ContentSet cs |
+    exists(NodeEx mid, NodeEx node |
      fwdFlow(node, pragma[only_bind_into](config)) and
-      readSet(node, cs, mid, config) and
-      fwdFlowConsCandSet(cs, c, pragma[only_bind_into](config)) and
+      read(node, c, mid, config) and
+      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
      revFlow(pragma[only_bind_into](mid), _, pragma[only_bind_into](config))
    )
  }
@@ -792,7 +762,6 @@ private module Stage1 {
   * Holds if `c` is the target of both a read and a store in the flow covered
   * by `revFlow`.
   */
-  pragma[nomagic]
  private predicate revFlowIsReadAndStored(Content c, Configuration conf) {
    revFlowConsCand(c, conf) and
    revFlowStore(c, _, _, conf)
@@ -891,9 +860,9 @@ private module Stage1 {

  pragma[nomagic]
  predicate readStepCand(NodeEx n1, Content c, NodeEx n2, Configuration config) {
-    revFlowIsReadAndStored(pragma[only_bind_into](c), pragma[only_bind_into](config)) and
-    read(n1, c, n2, pragma[only_bind_into](config)) and
-    revFlow(n2, pragma[only_bind_into](config))
+    revFlowIsReadAndStored(c, pragma[only_bind_into](config)) and
+    revFlow(n2, pragma[only_bind_into](config)) and
+    read(n1, c, n2, pragma[only_bind_into](config))
  }

  pragma[nomagic]
@@ -903,10 +872,7 @@ private module Stage1 {
  predicate revFlow(
    NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
  ) {
-    revFlow(node, toReturn, pragma[only_bind_into](config)) and
-    exists(state) and
-    exists(returnAp) and
-    exists(ap)
+    revFlow(node, toReturn, config) and exists(state) and exists(returnAp) and exists(ap)
  }

  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
@@ -1183,7 +1149,7 @@ private module Stage2 {

  bindingset[node, state, ap, config]
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
-    PrevStage::revFlowState(state, pragma[only_bind_into](config)) and
+    PrevStage::revFlowState(state, config) and
    exists(ap) and
    not stateBarrier(node, state, config)
  }
@@ -1608,7 +1574,7 @@ private module Stage2 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
+      store(node1, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -1763,9 +1729,9 @@ private module LocalFlowBigStep {
      or
      node.asNode() instanceof OutNodeExt
      or
-      Stage2::storeStepCand(_, _, _, node, _, config)
+      store(_, _, node, _, config)
      or
-      Stage2::readStepCand(_, _, node, config)
+      read(_, _, node, config)
      or
      node instanceof FlowCheckNode
      or
@@ -1786,8 +1752,8 @@ private module LocalFlowBigStep {
      additionalJumpStep(node, next, config) or
      flowIntoCallNodeCand1(_, node, next, config) or
      flowOutOfCallNodeCand1(_, node, next, config) or
-      Stage2::storeStepCand(node, _, _, next, _, config) or
-      Stage2::readStepCand(node, _, next, config)
+      store(node, _, next, _, config) or
+      read(node, _, next, config)
    )
    or
    exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
@@ -1960,24 +1926,7 @@ private module Stage3 {
  private predicate flowIntoCall = flowIntoCallNodeCand2/5;

  pragma[nomagic]
-  private predicate clearSet(NodeEx node, ContentSet c, Configuration config) {
-    PrevStage::revFlow(node, config) and
-    clearsContentCached(node.asNode(), c)
-  }
-
-  pragma[nomagic]
-  private predicate clearContent(NodeEx node, Content c, Configuration config) {
-    exists(ContentSet cs |
-      PrevStage::readStepCand(_, pragma[only_bind_into](c), _, pragma[only_bind_into](config)) and
-      c = cs.getAReadContent() and
-      clearSet(node, cs, pragma[only_bind_into](config))
-    )
-  }
-
-  pragma[nomagic]
-  private predicate clear(NodeEx node, Ap ap, Configuration config) {
-    clearContent(node, ap.getHead().getContent(), config)
-  }
+  private predicate clear(NodeEx node, Ap ap) { ap.isClearedAt(node.asNode()) }

  pragma[nomagic]
  private predicate castingNodeEx(NodeEx node) { node.asNode() instanceof CastingNode }
@@ -1986,7 +1935,7 @@ private module Stage3 {
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
    exists(state) and
    exists(config) and
-    not clear(node, ap, config) and
+    not clear(node, ap) and
    if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), ap.getType()) else any()
  }

@@ -2414,7 +2363,7 @@ private module Stage3 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
+      store(node1, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -3241,7 +3190,7 @@ private module Stage4 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
+      store(node1, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -4253,7 +4202,7 @@ private module Subpaths {
    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
      localFlowBigStep(n1, _, n2, _, _, _, _, _) or
      store(n1, _, n2, _, _) or
-      readSet(n1, _, n2, _)
+      read(n1, _, n2, _)
    )
  }

@@ -4608,7 +4557,7 @@ private module FlowExploration {
      or
      exists(PartialPathNodeRev mid |
        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
+        not clearsContentCached(node.asNode(), ap.getHead()) and
        not fullBarrier(node, config) and
        not stateBarrier(node, state, config) and
        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
@@ -4624,7 +4573,7 @@ private module FlowExploration {
      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
      not fullBarrier(node, config) and
      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
+      not clearsContentCached(node.asNode(), ap.getHead().getContent()) and
      if node.asNode() instanceof CastingNode
      then compatibleTypes(node.getDataFlowType(), ap.getType())
      else any()
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
@@ -326,7 +326,7 @@ private module Cached {
  predicate jumpStepCached(Node node1, Node node2) { jumpStep(node1, node2) }

  cached
-  predicate clearsContentCached(Node n, ContentSet c) { clearsContent(n, c) }
+  predicate clearsContentCached(Node n, Content c) { clearsContent(n, c) }

  cached
  predicate isUnreachableInCallCached(Node n, DataFlowCall call) { isUnreachableInCall(n, call) }
@@ -373,7 +373,7 @@ private module Cached {
    // For reads, `x.f`, we want to check that the tracked type after the read (which
    // is obtained by popping the head of the access path stack) is compatible with
    // the type of `x.f`.
-    readSet(_, _, n)
+    read(_, _, n)
  }

  cached
@@ -469,7 +469,7 @@ private module Cached {
        // read
        exists(Node mid |
          parameterValueFlowCand(p, mid, false) and
-          readSet(mid, _, node) and
+          read(mid, _, node) and
          read = true
        )
        or
@@ -657,10 +657,8 @@ private module Cached {
       * Holds if `arg` flows to `out` through a call using only
       * value-preserving steps and a single read step, not taking call
       * contexts into account, thus representing a getter-step.
-       *
-       * This predicate is exposed for testing only.
       */
-      predicate getterStep(ArgNode arg, ContentSet c, Node out) {
+      predicate getterStep(ArgNode arg, Content c, Node out) {
        argumentValueFlowsThrough(arg, TReadStepTypesSome(_, c, _), out)
      }

@@ -783,30 +781,28 @@ private module Cached {
    parameterValueFlow(p, n.getPreUpdateNode(), TReadStepTypesNone())
  }

-  cached
-  predicate readSet(Node node1, ContentSet c, Node node2) { readStep(node1, c, node2) }
-
  private predicate store(
    Node node1, Content c, Node node2, DataFlowType contentType, DataFlowType containerType
  ) {
-    exists(ContentSet cs | c = cs.getAStoreContent() |
-      storeStep(node1, cs, node2) and
-      contentType = getNodeDataFlowType(node1) and
-      containerType = getNodeDataFlowType(node2)
+    storeStep(node1, c, node2) and
+    contentType = getNodeDataFlowType(node1) and
+    containerType = getNodeDataFlowType(node2)
+    or
+    exists(Node n1, Node n2 |
+      n1 = node1.(PostUpdateNode).getPreUpdateNode() and
+      n2 = node2.(PostUpdateNode).getPreUpdateNode()
+    |
+      argumentValueFlowsThrough(n2, TReadStepTypesSome(containerType, c, contentType), n1)
      or
-      exists(Node n1, Node n2 |
-        n1 = node1.(PostUpdateNode).getPreUpdateNode() and
-        n2 = node2.(PostUpdateNode).getPreUpdateNode()
-      |
-        argumentValueFlowsThrough(n2, TReadStepTypesSome(containerType, cs, contentType), n1)
-        or
-        readSet(n2, cs, n1) and
-        contentType = getNodeDataFlowType(n1) and
-        containerType = getNodeDataFlowType(n2)
-      )
+      read(n2, c, n1) and
+      contentType = getNodeDataFlowType(n1) and
+      containerType = getNodeDataFlowType(n2)
    )
  }

+  cached
+  predicate read(Node node1, Content c, Node node2) { readStep(node1, c, node2) }
+
  /**
   * Holds if data can flow from `node1` to `node2` via a direct assignment to
   * `f`.
@@ -936,16 +932,16 @@ class CastingNode extends Node {
 }

 private predicate readStepWithTypes(
-  Node n1, DataFlowType container, ContentSet c, Node n2, DataFlowType content
+  Node n1, DataFlowType container, Content c, Node n2, DataFlowType content
 ) {
-  readSet(n1, c, n2) and
+  read(n1, c, n2) and
  container = getNodeDataFlowType(n1) and
  content = getNodeDataFlowType(n2)
 }

 private newtype TReadStepTypesOption =
  TReadStepTypesNone() or
-  TReadStepTypesSome(DataFlowType container, ContentSet c, DataFlowType content) {
+  TReadStepTypesSome(DataFlowType container, Content c, DataFlowType content) {
    readStepWithTypes(_, container, c, _, content)
  }

@@ -954,7 +950,7 @@ private class ReadStepTypesOption extends TReadStepTypesOption {

  DataFlowType getContainerType() { this = TReadStepTypesSome(result, _, _) }

-  ContentSet getContent() { this = TReadStepTypesSome(_, result, _) }
+  Content getContent() { this = TReadStepTypesSome(_, result, _) }

  DataFlowType getContentType() { this = TReadStepTypesSome(_, _, result) }

@@ -1329,6 +1325,8 @@ abstract class AccessPathFront extends TAccessPathFront {
  abstract boolean toBoolNonEmpty();

  TypedContent getHead() { this = TFrontHead(result) }
+
+  predicate isClearedAt(Node n) { clearsContentCached(n, this.getHead().getContent()) }
 }

 class AccessPathFrontNil extends AccessPathFront, TFrontNil {
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -116,7 +116,7 @@ abstract class Configuration extends string {
   * Holds if an arbitrary number of implicit read steps of content `c` may be
   * taken at `node`.
   */
-  predicate allowImplicitRead(Node node, ContentSet c) { none() }
+  predicate allowImplicitRead(Node node, Content c) { none() }

  /**
   * Gets the virtual dispatch branching limit when calculating field flow.
@@ -485,9 +485,8 @@ private predicate additionalJumpStateStep(
  )
 }

-pragma[nomagic]
-private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
-  readSet(node1.asNode(), c, node2.asNode()) and
+private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
+  read(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -497,25 +496,6 @@ private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuratio
  )
 }

-// inline to reduce fan-out via `getAReadContent`
-pragma[inline]
-private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  exists(ContentSet cs |
-    readSet(node1, cs, node2, config) and
-    c = cs.getAReadContent()
-  )
-}
-
-// inline to reduce fan-out via `getAReadContent`
-pragma[inline]
-private predicate clearsContentEx(NodeEx n, Content c) {
-  exists(ContentSet cs |
-    clearsContentCached(n.asNode(), cs) and
-    c = cs.getAReadContent()
-  )
-}
-
-pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
@@ -593,9 +573,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(ContentSet c |
-      fwdFlowReadSet(c, node, cc, config) and
-      fwdFlowConsCandSet(c, _, config)
+    exists(Content c |
+      fwdFlowRead(c, node, cc, config) and
+      fwdFlowConsCand(c, config)
    )
    or
    // flow into a callable
@@ -619,10 +599,10 @@ private module Stage1 {
  private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }

  pragma[nomagic]
-  private predicate fwdFlowReadSet(ContentSet c, NodeEx node, Cc cc, Configuration config) {
+  private predicate fwdFlowRead(Content c, NodeEx node, Cc cc, Configuration config) {
    exists(NodeEx mid |
      fwdFlow(mid, cc, config) and
-      readSet(mid, c, node, config)
+      read(mid, c, node, config)
    )
  }

@@ -640,16 +620,6 @@ private module Stage1 {
    )
  }

-  /**
-   * Holds if `cs` may be interpreted in a read as the target of some store
-   * into `c`, in the flow covered by `fwdFlow`.
-   */
-  pragma[nomagic]
-  private predicate fwdFlowConsCandSet(ContentSet cs, Content c, Configuration config) {
-    fwdFlowConsCand(c, config) and
-    c = cs.getAReadContent()
-  }
-
  pragma[nomagic]
  private predicate fwdFlowReturnPosition(ReturnPosition pos, Cc cc, Configuration config) {
    exists(RetNodeEx ret |
@@ -742,9 +712,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(NodeEx mid, ContentSet c |
-      readSet(node, c, mid, config) and
-      fwdFlowConsCandSet(c, _, pragma[only_bind_into](config)) and
+    exists(NodeEx mid, Content c |
+      read(node, c, mid, config) and
+      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
      revFlow(mid, toReturn, pragma[only_bind_into](config))
    )
    or
@@ -770,10 +740,10 @@ private module Stage1 {
   */
  pragma[nomagic]
  private predicate revFlowConsCand(Content c, Configuration config) {
-    exists(NodeEx mid, NodeEx node, ContentSet cs |
+    exists(NodeEx mid, NodeEx node |
      fwdFlow(node, pragma[only_bind_into](config)) and
-      readSet(node, cs, mid, config) and
-      fwdFlowConsCandSet(cs, c, pragma[only_bind_into](config)) and
+      read(node, c, mid, config) and
+      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
      revFlow(pragma[only_bind_into](mid), _, pragma[only_bind_into](config))
    )
  }
@@ -792,7 +762,6 @@ private module Stage1 {
   * Holds if `c` is the target of both a read and a store in the flow covered
   * by `revFlow`.
   */
-  pragma[nomagic]
  private predicate revFlowIsReadAndStored(Content c, Configuration conf) {
    revFlowConsCand(c, conf) and
    revFlowStore(c, _, _, conf)
@@ -891,9 +860,9 @@ private module Stage1 {

  pragma[nomagic]
  predicate readStepCand(NodeEx n1, Content c, NodeEx n2, Configuration config) {
-    revFlowIsReadAndStored(pragma[only_bind_into](c), pragma[only_bind_into](config)) and
-    read(n1, c, n2, pragma[only_bind_into](config)) and
-    revFlow(n2, pragma[only_bind_into](config))
+    revFlowIsReadAndStored(c, pragma[only_bind_into](config)) and
+    revFlow(n2, pragma[only_bind_into](config)) and
+    read(n1, c, n2, pragma[only_bind_into](config))
  }

  pragma[nomagic]
@@ -903,10 +872,7 @@ private module Stage1 {
  predicate revFlow(
    NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
  ) {
-    revFlow(node, toReturn, pragma[only_bind_into](config)) and
-    exists(state) and
-    exists(returnAp) and
-    exists(ap)
+    revFlow(node, toReturn, config) and exists(state) and exists(returnAp) and exists(ap)
  }

  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
@@ -1183,7 +1149,7 @@ private module Stage2 {

  bindingset[node, state, ap, config]
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
-    PrevStage::revFlowState(state, pragma[only_bind_into](config)) and
+    PrevStage::revFlowState(state, config) and
    exists(ap) and
    not stateBarrier(node, state, config)
  }
@@ -1608,7 +1574,7 @@ private module Stage2 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
+      store(node1, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -1763,9 +1729,9 @@ private module LocalFlowBigStep {
      or
      node.asNode() instanceof OutNodeExt
      or
-      Stage2::storeStepCand(_, _, _, node, _, config)
+      store(_, _, node, _, config)
      or
-      Stage2::readStepCand(_, _, node, config)
+      read(_, _, node, config)
      or
      node instanceof FlowCheckNode
      or
@@ -1786,8 +1752,8 @@ private module LocalFlowBigStep {
      additionalJumpStep(node, next, config) or
      flowIntoCallNodeCand1(_, node, next, config) or
      flowOutOfCallNodeCand1(_, node, next, config) or
-      Stage2::storeStepCand(node, _, _, next, _, config) or
-      Stage2::readStepCand(node, _, next, config)
+      store(node, _, next, _, config) or
+      read(node, _, next, config)
    )
    or
    exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
@@ -1960,24 +1926,7 @@ private module Stage3 {
  private predicate flowIntoCall = flowIntoCallNodeCand2/5;

  pragma[nomagic]
-  private predicate clearSet(NodeEx node, ContentSet c, Configuration config) {
-    PrevStage::revFlow(node, config) and
-    clearsContentCached(node.asNode(), c)
-  }
-
-  pragma[nomagic]
-  private predicate clearContent(NodeEx node, Content c, Configuration config) {
-    exists(ContentSet cs |
-      PrevStage::readStepCand(_, pragma[only_bind_into](c), _, pragma[only_bind_into](config)) and
-      c = cs.getAReadContent() and
-      clearSet(node, cs, pragma[only_bind_into](config))
-    )
-  }
-
-  pragma[nomagic]
-  private predicate clear(NodeEx node, Ap ap, Configuration config) {
-    clearContent(node, ap.getHead().getContent(), config)
-  }
+  private predicate clear(NodeEx node, Ap ap) { ap.isClearedAt(node.asNode()) }

  pragma[nomagic]
  private predicate castingNodeEx(NodeEx node) { node.asNode() instanceof CastingNode }
@@ -1986,7 +1935,7 @@ private module Stage3 {
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
    exists(state) and
    exists(config) and
-    not clear(node, ap, config) and
+    not clear(node, ap) and
    if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), ap.getType()) else any()
  }

@@ -2414,7 +2363,7 @@ private module Stage3 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
+      store(node1, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -3241,7 +3190,7 @@ private module Stage4 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
+      store(node1, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -4253,7 +4202,7 @@ private module Subpaths {
    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
      localFlowBigStep(n1, _, n2, _, _, _, _, _) or
      store(n1, _, n2, _, _) or
-      readSet(n1, _, n2, _)
+      read(n1, _, n2, _)
    )
  }

@@ -4608,7 +4557,7 @@ private module FlowExploration {
      or
      exists(PartialPathNodeRev mid |
        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
+        not clearsContentCached(node.asNode(), ap.getHead()) and
        not fullBarrier(node, config) and
        not stateBarrier(node, state, config) and
        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
@@ -4624,7 +4573,7 @@ private module FlowExploration {
      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
      not fullBarrier(node, config) and
      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
+      not clearsContentCached(node.asNode(), ap.getHead().getContent()) and
      if node.asNode() instanceof CastingNode
      then compatibleTypes(node.getDataFlowType(), ap.getType())
      else any()
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
@@ -821,34 +821,6 @@ private class CollectionContent extends Content, TCollectionContent {
  override string toString() { result = "<element>" }
 }

-/**
- * An entity that represents a set of `Content`s.
- *
- * The set may be interpreted differently depending on whether it is
- * stored into (`getAStoreContent`) or read from (`getAReadContent`).
- */
-class ContentSet instanceof Content {
-  /** Gets a content that may be stored into when storing into this set. */
-  Content getAStoreContent() { result = this }
-
-  /** Gets a content that may be read from when reading from this set. */
-  Content getAReadContent() { result = this }
-
-  /** Gets a textual representation of this content set. */
-  string toString() { result = super.toString() }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
-    super.hasLocationInfo(path, sl, sc, el, ec)
-  }
-}
-
 /**
 * A guard that validates some expression.
 *
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
@@ -161,7 +161,7 @@ abstract class Configuration extends DataFlow::Configuration {
    this.isAdditionalTaintStep(node1, state1, node2, state2)
  }

-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
    defaultImplicitTaintRead(node, c)
  }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
@@ -161,7 +161,7 @@ abstract class Configuration extends DataFlow::Configuration {
    this.isAdditionalTaintStep(node1, state1, node2, state2)
  }

-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
    defaultImplicitTaintRead(node, c)
  }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -116,7 +116,7 @@ abstract class Configuration extends string {
   * Holds if an arbitrary number of implicit read steps of content `c` may be
   * taken at `node`.
   */
-  predicate allowImplicitRead(Node node, ContentSet c) { none() }
+  predicate allowImplicitRead(Node node, Content c) { none() }

  /**
   * Gets the virtual dispatch branching limit when calculating field flow.
@@ -485,9 +485,8 @@ private predicate additionalJumpStateStep(
  )
 }

-pragma[nomagic]
-private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
-  readSet(node1.asNode(), c, node2.asNode()) and
+private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
+  read(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -497,25 +496,6 @@ private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuratio
  )
 }

-// inline to reduce fan-out via `getAReadContent`
-pragma[inline]
-private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  exists(ContentSet cs |
-    readSet(node1, cs, node2, config) and
-    c = cs.getAReadContent()
-  )
-}
-
-// inline to reduce fan-out via `getAReadContent`
-pragma[inline]
-private predicate clearsContentEx(NodeEx n, Content c) {
-  exists(ContentSet cs |
-    clearsContentCached(n.asNode(), cs) and
-    c = cs.getAReadContent()
-  )
-}
-
-pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
@@ -593,9 +573,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(ContentSet c |
-      fwdFlowReadSet(c, node, cc, config) and
-      fwdFlowConsCandSet(c, _, config)
+    exists(Content c |
+      fwdFlowRead(c, node, cc, config) and
+      fwdFlowConsCand(c, config)
    )
    or
    // flow into a callable
@@ -619,10 +599,10 @@ private module Stage1 {
  private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }

  pragma[nomagic]
-  private predicate fwdFlowReadSet(ContentSet c, NodeEx node, Cc cc, Configuration config) {
+  private predicate fwdFlowRead(Content c, NodeEx node, Cc cc, Configuration config) {
    exists(NodeEx mid |
      fwdFlow(mid, cc, config) and
-      readSet(mid, c, node, config)
+      read(mid, c, node, config)
    )
  }

@@ -640,16 +620,6 @@ private module Stage1 {
    )
  }

-  /**
-   * Holds if `cs` may be interpreted in a read as the target of some store
-   * into `c`, in the flow covered by `fwdFlow`.
-   */
-  pragma[nomagic]
-  private predicate fwdFlowConsCandSet(ContentSet cs, Content c, Configuration config) {
-    fwdFlowConsCand(c, config) and
-    c = cs.getAReadContent()
-  }
-
  pragma[nomagic]
  private predicate fwdFlowReturnPosition(ReturnPosition pos, Cc cc, Configuration config) {
    exists(RetNodeEx ret |
@@ -742,9 +712,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(NodeEx mid, ContentSet c |
-      readSet(node, c, mid, config) and
-      fwdFlowConsCandSet(c, _, pragma[only_bind_into](config)) and
+    exists(NodeEx mid, Content c |
+      read(node, c, mid, config) and
+      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
      revFlow(mid, toReturn, pragma[only_bind_into](config))
    )
    or
@@ -770,10 +740,10 @@ private module Stage1 {
   */
  pragma[nomagic]
  private predicate revFlowConsCand(Content c, Configuration config) {
-    exists(NodeEx mid, NodeEx node, ContentSet cs |
+    exists(NodeEx mid, NodeEx node |
      fwdFlow(node, pragma[only_bind_into](config)) and
-      readSet(node, cs, mid, config) and
-      fwdFlowConsCandSet(cs, c, pragma[only_bind_into](config)) and
+      read(node, c, mid, config) and
+      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
      revFlow(pragma[only_bind_into](mid), _, pragma[only_bind_into](config))
    )
  }
@@ -792,7 +762,6 @@ private module Stage1 {
   * Holds if `c` is the target of both a read and a store in the flow covered
   * by `revFlow`.
   */
-  pragma[nomagic]
  private predicate revFlowIsReadAndStored(Content c, Configuration conf) {
    revFlowConsCand(c, conf) and
    revFlowStore(c, _, _, conf)
@@ -891,9 +860,9 @@ private module Stage1 {

  pragma[nomagic]
  predicate readStepCand(NodeEx n1, Content c, NodeEx n2, Configuration config) {
-    revFlowIsReadAndStored(pragma[only_bind_into](c), pragma[only_bind_into](config)) and
-    read(n1, c, n2, pragma[only_bind_into](config)) and
-    revFlow(n2, pragma[only_bind_into](config))
+    revFlowIsReadAndStored(c, pragma[only_bind_into](config)) and
+    revFlow(n2, pragma[only_bind_into](config)) and
+    read(n1, c, n2, pragma[only_bind_into](config))
  }

  pragma[nomagic]
@@ -903,10 +872,7 @@ private module Stage1 {
  predicate revFlow(
    NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
  ) {
-    revFlow(node, toReturn, pragma[only_bind_into](config)) and
-    exists(state) and
-    exists(returnAp) and
-    exists(ap)
+    revFlow(node, toReturn, config) and exists(state) and exists(returnAp) and exists(ap)
  }

  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
@@ -1183,7 +1149,7 @@ private module Stage2 {

  bindingset[node, state, ap, config]
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
-    PrevStage::revFlowState(state, pragma[only_bind_into](config)) and
+    PrevStage::revFlowState(state, config) and
    exists(ap) and
    not stateBarrier(node, state, config)
  }
@@ -1608,7 +1574,7 @@ private module Stage2 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
+      store(node1, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -1763,9 +1729,9 @@ private module LocalFlowBigStep {
      or
      node.asNode() instanceof OutNodeExt
      or
-      Stage2::storeStepCand(_, _, _, node, _, config)
+      store(_, _, node, _, config)
      or
-      Stage2::readStepCand(_, _, node, config)
+      read(_, _, node, config)
      or
      node instanceof FlowCheckNode
      or
@@ -1786,8 +1752,8 @@ private module LocalFlowBigStep {
      additionalJumpStep(node, next, config) or
      flowIntoCallNodeCand1(_, node, next, config) or
      flowOutOfCallNodeCand1(_, node, next, config) or
-      Stage2::storeStepCand(node, _, _, next, _, config) or
-      Stage2::readStepCand(node, _, next, config)
+      store(node, _, next, _, config) or
+      read(node, _, next, config)
    )
    or
    exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
@@ -1960,24 +1926,7 @@ private module Stage3 {
  private predicate flowIntoCall = flowIntoCallNodeCand2/5;

  pragma[nomagic]
-  private predicate clearSet(NodeEx node, ContentSet c, Configuration config) {
-    PrevStage::revFlow(node, config) and
-    clearsContentCached(node.asNode(), c)
-  }
-
-  pragma[nomagic]
-  private predicate clearContent(NodeEx node, Content c, Configuration config) {
-    exists(ContentSet cs |
-      PrevStage::readStepCand(_, pragma[only_bind_into](c), _, pragma[only_bind_into](config)) and
-      c = cs.getAReadContent() and
-      clearSet(node, cs, pragma[only_bind_into](config))
-    )
-  }
-
-  pragma[nomagic]
-  private predicate clear(NodeEx node, Ap ap, Configuration config) {
-    clearContent(node, ap.getHead().getContent(), config)
-  }
+  private predicate clear(NodeEx node, Ap ap) { ap.isClearedAt(node.asNode()) }

  pragma[nomagic]
  private predicate castingNodeEx(NodeEx node) { node.asNode() instanceof CastingNode }
@@ -1986,7 +1935,7 @@ private module Stage3 {
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
    exists(state) and
    exists(config) and
-    not clear(node, ap, config) and
+    not clear(node, ap) and
    if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), ap.getType()) else any()
  }

@@ -2414,7 +2363,7 @@ private module Stage3 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
+      store(node1, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -3241,7 +3190,7 @@ private module Stage4 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
+      store(node1, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -4253,7 +4202,7 @@ private module Subpaths {
    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
      localFlowBigStep(n1, _, n2, _, _, _, _, _) or
      store(n1, _, n2, _, _) or
-      readSet(n1, _, n2, _)
+      read(n1, _, n2, _)
    )
  }

@@ -4608,7 +4557,7 @@ private module FlowExploration {
      or
      exists(PartialPathNodeRev mid |
        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
+        not clearsContentCached(node.asNode(), ap.getHead()) and
        not fullBarrier(node, config) and
        not stateBarrier(node, state, config) and
        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
@@ -4624,7 +4573,7 @@ private module FlowExploration {
      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
      not fullBarrier(node, config) and
      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
+      not clearsContentCached(node.asNode(), ap.getHead().getContent()) and
      if node.asNode() instanceof CastingNode
      then compatibleTypes(node.getDataFlowType(), ap.getType())
      else any()
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -116,7 +116,7 @@ abstract class Configuration extends string {
   * Holds if an arbitrary number of implicit read steps of content `c` may be
   * taken at `node`.
   */
-  predicate allowImplicitRead(Node node, ContentSet c) { none() }
+  predicate allowImplicitRead(Node node, Content c) { none() }

  /**
   * Gets the virtual dispatch branching limit when calculating field flow.
@@ -485,9 +485,8 @@ private predicate additionalJumpStateStep(
  )
 }

-pragma[nomagic]
-private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
-  readSet(node1.asNode(), c, node2.asNode()) and
+private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
+  read(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -497,25 +496,6 @@ private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuratio
  )
 }

-// inline to reduce fan-out via `getAReadContent`
-pragma[inline]
-private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  exists(ContentSet cs |
-    readSet(node1, cs, node2, config) and
-    c = cs.getAReadContent()
-  )
-}
-
-// inline to reduce fan-out via `getAReadContent`
-pragma[inline]
-private predicate clearsContentEx(NodeEx n, Content c) {
-  exists(ContentSet cs |
-    clearsContentCached(n.asNode(), cs) and
-    c = cs.getAReadContent()
-  )
-}
-
-pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
@@ -593,9 +573,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(ContentSet c |
-      fwdFlowReadSet(c, node, cc, config) and
-      fwdFlowConsCandSet(c, _, config)
+    exists(Content c |
+      fwdFlowRead(c, node, cc, config) and
+      fwdFlowConsCand(c, config)
    )
    or
    // flow into a callable
@@ -619,10 +599,10 @@ private module Stage1 {
  private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }

  pragma[nomagic]
-  private predicate fwdFlowReadSet(ContentSet c, NodeEx node, Cc cc, Configuration config) {
+  private predicate fwdFlowRead(Content c, NodeEx node, Cc cc, Configuration config) {
    exists(NodeEx mid |
      fwdFlow(mid, cc, config) and
-      readSet(mid, c, node, config)
+      read(mid, c, node, config)
    )
  }

@@ -640,16 +620,6 @@ private module Stage1 {
    )
  }

-  /**
-   * Holds if `cs` may be interpreted in a read as the target of some store
-   * into `c`, in the flow covered by `fwdFlow`.
-   */
-  pragma[nomagic]
-  private predicate fwdFlowConsCandSet(ContentSet cs, Content c, Configuration config) {
-    fwdFlowConsCand(c, config) and
-    c = cs.getAReadContent()
-  }
-
  pragma[nomagic]
  private predicate fwdFlowReturnPosition(ReturnPosition pos, Cc cc, Configuration config) {
    exists(RetNodeEx ret |
@@ -742,9 +712,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(NodeEx mid, ContentSet c |
-      readSet(node, c, mid, config) and
-      fwdFlowConsCandSet(c, _, pragma[only_bind_into](config)) and
+    exists(NodeEx mid, Content c |
+      read(node, c, mid, config) and
+      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
      revFlow(mid, toReturn, pragma[only_bind_into](config))
    )
    or
@@ -770,10 +740,10 @@ private module Stage1 {
   */
  pragma[nomagic]
  private predicate revFlowConsCand(Content c, Configuration config) {
-    exists(NodeEx mid, NodeEx node, ContentSet cs |
+    exists(NodeEx mid, NodeEx node |
      fwdFlow(node, pragma[only_bind_into](config)) and
-      readSet(node, cs, mid, config) and
-      fwdFlowConsCandSet(cs, c, pragma[only_bind_into](config)) and
+      read(node, c, mid, config) and
+      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
      revFlow(pragma[only_bind_into](mid), _, pragma[only_bind_into](config))
    )
  }
@@ -792,7 +762,6 @@ private module Stage1 {
   * Holds if `c` is the target of both a read and a store in the flow covered
   * by `revFlow`.
   */
-  pragma[nomagic]
  private predicate revFlowIsReadAndStored(Content c, Configuration conf) {
    revFlowConsCand(c, conf) and
    revFlowStore(c, _, _, conf)
@@ -891,9 +860,9 @@ private module Stage1 {

  pragma[nomagic]
  predicate readStepCand(NodeEx n1, Content c, NodeEx n2, Configuration config) {
-    revFlowIsReadAndStored(pragma[only_bind_into](c), pragma[only_bind_into](config)) and
-    read(n1, c, n2, pragma[only_bind_into](config)) and
-    revFlow(n2, pragma[only_bind_into](config))
+    revFlowIsReadAndStored(c, pragma[only_bind_into](config)) and
+    revFlow(n2, pragma[only_bind_into](config)) and
+    read(n1, c, n2, pragma[only_bind_into](config))
  }

  pragma[nomagic]
@@ -903,10 +872,7 @@ private module Stage1 {
  predicate revFlow(
    NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
  ) {
-    revFlow(node, toReturn, pragma[only_bind_into](config)) and
-    exists(state) and
-    exists(returnAp) and
-    exists(ap)
+    revFlow(node, toReturn, config) and exists(state) and exists(returnAp) and exists(ap)
  }

  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
@@ -1183,7 +1149,7 @@ private module Stage2 {

  bindingset[node, state, ap, config]
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
-    PrevStage::revFlowState(state, pragma[only_bind_into](config)) and
+    PrevStage::revFlowState(state, config) and
    exists(ap) and
    not stateBarrier(node, state, config)
  }
@@ -1608,7 +1574,7 @@ private module Stage2 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
+      store(node1, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -1763,9 +1729,9 @@ private module LocalFlowBigStep {
      or
      node.asNode() instanceof OutNodeExt
      or
-      Stage2::storeStepCand(_, _, _, node, _, config)
+      store(_, _, node, _, config)
      or
-      Stage2::readStepCand(_, _, node, config)
+      read(_, _, node, config)
      or
      node instanceof FlowCheckNode
      or
@@ -1786,8 +1752,8 @@ private module LocalFlowBigStep {
      additionalJumpStep(node, next, config) or
      flowIntoCallNodeCand1(_, node, next, config) or
      flowOutOfCallNodeCand1(_, node, next, config) or
-      Stage2::storeStepCand(node, _, _, next, _, config) or
-      Stage2::readStepCand(node, _, next, config)
+      store(node, _, next, _, config) or
+      read(node, _, next, config)
    )
    or
    exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
@@ -1960,24 +1926,7 @@ private module Stage3 {
  private predicate flowIntoCall = flowIntoCallNodeCand2/5;

  pragma[nomagic]
-  private predicate clearSet(NodeEx node, ContentSet c, Configuration config) {
-    PrevStage::revFlow(node, config) and
-    clearsContentCached(node.asNode(), c)
-  }
-
-  pragma[nomagic]
-  private predicate clearContent(NodeEx node, Content c, Configuration config) {
-    exists(ContentSet cs |
-      PrevStage::readStepCand(_, pragma[only_bind_into](c), _, pragma[only_bind_into](config)) and
-      c = cs.getAReadContent() and
-      clearSet(node, cs, pragma[only_bind_into](config))
-    )
-  }
-
-  pragma[nomagic]
-  private predicate clear(NodeEx node, Ap ap, Configuration config) {
-    clearContent(node, ap.getHead().getContent(), config)
-  }
+  private predicate clear(NodeEx node, Ap ap) { ap.isClearedAt(node.asNode()) }

  pragma[nomagic]
  private predicate castingNodeEx(NodeEx node) { node.asNode() instanceof CastingNode }
@@ -1986,7 +1935,7 @@ private module Stage3 {
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
    exists(state) and
    exists(config) and
-    not clear(node, ap, config) and
+    not clear(node, ap) and
    if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), ap.getType()) else any()
  }

@@ -2414,7 +2363,7 @@ private module Stage3 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
+      store(node1, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -3241,7 +3190,7 @@ private module Stage4 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
+      store(node1, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -4253,7 +4202,7 @@ private module Subpaths {
    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
      localFlowBigStep(n1, _, n2, _, _, _, _, _) or
      store(n1, _, n2, _, _) or
-      readSet(n1, _, n2, _)
+      read(n1, _, n2, _)
    )
  }

@@ -4608,7 +4557,7 @@ private module FlowExploration {
      or
      exists(PartialPathNodeRev mid |
        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
+        not clearsContentCached(node.asNode(), ap.getHead()) and
        not fullBarrier(node, config) and
        not stateBarrier(node, state, config) and
        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
@@ -4624,7 +4573,7 @@ private module FlowExploration {
      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
      not fullBarrier(node, config) and
      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
+      not clearsContentCached(node.asNode(), ap.getHead().getContent()) and
      if node.asNode() instanceof CastingNode
      then compatibleTypes(node.getDataFlowType(), ap.getType())
      else any()
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -116,7 +116,7 @@ abstract class Configuration extends string {
   * Holds if an arbitrary number of implicit read steps of content `c` may be
   * taken at `node`.
   */
-  predicate allowImplicitRead(Node node, ContentSet c) { none() }
+  predicate allowImplicitRead(Node node, Content c) { none() }

  /**
   * Gets the virtual dispatch branching limit when calculating field flow.
@@ -485,9 +485,8 @@ private predicate additionalJumpStateStep(
  )
 }

-pragma[nomagic]
-private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
-  readSet(node1.asNode(), c, node2.asNode()) and
+private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
+  read(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -497,25 +496,6 @@ private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuratio
  )
 }

-// inline to reduce fan-out via `getAReadContent`
-pragma[inline]
-private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  exists(ContentSet cs |
-    readSet(node1, cs, node2, config) and
-    c = cs.getAReadContent()
-  )
-}
-
-// inline to reduce fan-out via `getAReadContent`
-pragma[inline]
-private predicate clearsContentEx(NodeEx n, Content c) {
-  exists(ContentSet cs |
-    clearsContentCached(n.asNode(), cs) and
-    c = cs.getAReadContent()
-  )
-}
-
-pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
@@ -593,9 +573,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(ContentSet c |
-      fwdFlowReadSet(c, node, cc, config) and
-      fwdFlowConsCandSet(c, _, config)
+    exists(Content c |
+      fwdFlowRead(c, node, cc, config) and
+      fwdFlowConsCand(c, config)
    )
    or
    // flow into a callable
@@ -619,10 +599,10 @@ private module Stage1 {
  private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }

  pragma[nomagic]
-  private predicate fwdFlowReadSet(ContentSet c, NodeEx node, Cc cc, Configuration config) {
+  private predicate fwdFlowRead(Content c, NodeEx node, Cc cc, Configuration config) {
    exists(NodeEx mid |
      fwdFlow(mid, cc, config) and
-      readSet(mid, c, node, config)
+      read(mid, c, node, config)
    )
  }

@@ -640,16 +620,6 @@ private module Stage1 {
    )
  }

-  /**
-   * Holds if `cs` may be interpreted in a read as the target of some store
-   * into `c`, in the flow covered by `fwdFlow`.
-   */
-  pragma[nomagic]
-  private predicate fwdFlowConsCandSet(ContentSet cs, Content c, Configuration config) {
-    fwdFlowConsCand(c, config) and
-    c = cs.getAReadContent()
-  }
-
  pragma[nomagic]
  private predicate fwdFlowReturnPosition(ReturnPosition pos, Cc cc, Configuration config) {
    exists(RetNodeEx ret |
@@ -742,9 +712,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(NodeEx mid, ContentSet c |
-      readSet(node, c, mid, config) and
-      fwdFlowConsCandSet(c, _, pragma[only_bind_into](config)) and
+    exists(NodeEx mid, Content c |
+      read(node, c, mid, config) and
+      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
      revFlow(mid, toReturn, pragma[only_bind_into](config))
    )
    or
@@ -770,10 +740,10 @@ private module Stage1 {
   */
  pragma[nomagic]
  private predicate revFlowConsCand(Content c, Configuration config) {
-    exists(NodeEx mid, NodeEx node, ContentSet cs |
+    exists(NodeEx mid, NodeEx node |
      fwdFlow(node, pragma[only_bind_into](config)) and
-      readSet(node, cs, mid, config) and
-      fwdFlowConsCandSet(cs, c, pragma[only_bind_into](config)) and
+      read(node, c, mid, config) and
+      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
      revFlow(pragma[only_bind_into](mid), _, pragma[only_bind_into](config))
    )
  }
@@ -792,7 +762,6 @@ private module Stage1 {
   * Holds if `c` is the target of both a read and a store in the flow covered
   * by `revFlow`.
   */
-  pragma[nomagic]
  private predicate revFlowIsReadAndStored(Content c, Configuration conf) {
    revFlowConsCand(c, conf) and
    revFlowStore(c, _, _, conf)
@@ -891,9 +860,9 @@ private module Stage1 {

  pragma[nomagic]
  predicate readStepCand(NodeEx n1, Content c, NodeEx n2, Configuration config) {
-    revFlowIsReadAndStored(pragma[only_bind_into](c), pragma[only_bind_into](config)) and
-    read(n1, c, n2, pragma[only_bind_into](config)) and
-    revFlow(n2, pragma[only_bind_into](config))
+    revFlowIsReadAndStored(c, pragma[only_bind_into](config)) and
+    revFlow(n2, pragma[only_bind_into](config)) and
+    read(n1, c, n2, pragma[only_bind_into](config))
  }

  pragma[nomagic]
@@ -903,10 +872,7 @@ private module Stage1 {
  predicate revFlow(
    NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
  ) {
-    revFlow(node, toReturn, pragma[only_bind_into](config)) and
-    exists(state) and
-    exists(returnAp) and
-    exists(ap)
+    revFlow(node, toReturn, config) and exists(state) and exists(returnAp) and exists(ap)
  }

  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
@@ -1183,7 +1149,7 @@ private module Stage2 {

  bindingset[node, state, ap, config]
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
-    PrevStage::revFlowState(state, pragma[only_bind_into](config)) and
+    PrevStage::revFlowState(state, config) and
    exists(ap) and
    not stateBarrier(node, state, config)
  }
@@ -1608,7 +1574,7 @@ private module Stage2 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
+      store(node1, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -1763,9 +1729,9 @@ private module LocalFlowBigStep {
      or
      node.asNode() instanceof OutNodeExt
      or
-      Stage2::storeStepCand(_, _, _, node, _, config)
+      store(_, _, node, _, config)
      or
-      Stage2::readStepCand(_, _, node, config)
+      read(_, _, node, config)
      or
      node instanceof FlowCheckNode
      or
@@ -1786,8 +1752,8 @@ private module LocalFlowBigStep {
      additionalJumpStep(node, next, config) or
      flowIntoCallNodeCand1(_, node, next, config) or
      flowOutOfCallNodeCand1(_, node, next, config) or
-      Stage2::storeStepCand(node, _, _, next, _, config) or
-      Stage2::readStepCand(node, _, next, config)
+      store(node, _, next, _, config) or
+      read(node, _, next, config)
    )
    or
    exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
@@ -1960,24 +1926,7 @@ private module Stage3 {
  private predicate flowIntoCall = flowIntoCallNodeCand2/5;

  pragma[nomagic]
-  private predicate clearSet(NodeEx node, ContentSet c, Configuration config) {
-    PrevStage::revFlow(node, config) and
-    clearsContentCached(node.asNode(), c)
-  }
-
-  pragma[nomagic]
-  private predicate clearContent(NodeEx node, Content c, Configuration config) {
-    exists(ContentSet cs |
-      PrevStage::readStepCand(_, pragma[only_bind_into](c), _, pragma[only_bind_into](config)) and
-      c = cs.getAReadContent() and
-      clearSet(node, cs, pragma[only_bind_into](config))
-    )
-  }
-
-  pragma[nomagic]
-  private predicate clear(NodeEx node, Ap ap, Configuration config) {
-    clearContent(node, ap.getHead().getContent(), config)
-  }
+  private predicate clear(NodeEx node, Ap ap) { ap.isClearedAt(node.asNode()) }

  pragma[nomagic]
  private predicate castingNodeEx(NodeEx node) { node.asNode() instanceof CastingNode }
@@ -1986,7 +1935,7 @@ private module Stage3 {
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
    exists(state) and
    exists(config) and
-    not clear(node, ap, config) and
+    not clear(node, ap) and
    if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), ap.getType()) else any()
  }

@@ -2414,7 +2363,7 @@ private module Stage3 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
+      store(node1, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -3241,7 +3190,7 @@ private module Stage4 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
+      store(node1, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -4253,7 +4202,7 @@ private module Subpaths {
    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
      localFlowBigStep(n1, _, n2, _, _, _, _, _) or
      store(n1, _, n2, _, _) or
-      readSet(n1, _, n2, _)
+      read(n1, _, n2, _)
    )
  }

@@ -4608,7 +4557,7 @@ private module FlowExploration {
      or
      exists(PartialPathNodeRev mid |
        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
+        not clearsContentCached(node.asNode(), ap.getHead()) and
        not fullBarrier(node, config) and
        not stateBarrier(node, state, config) and
        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
@@ -4624,7 +4573,7 @@ private module FlowExploration {
      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
      not fullBarrier(node, config) and
      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
+      not clearsContentCached(node.asNode(), ap.getHead().getContent()) and
      if node.asNode() instanceof CastingNode
      then compatibleTypes(node.getDataFlowType(), ap.getType())
      else any()
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -116,7 +116,7 @@ abstract class Configuration extends string {
   * Holds if an arbitrary number of implicit read steps of content `c` may be
   * taken at `node`.
   */
-  predicate allowImplicitRead(Node node, ContentSet c) { none() }
+  predicate allowImplicitRead(Node node, Content c) { none() }

  /**
   * Gets the virtual dispatch branching limit when calculating field flow.
@@ -485,9 +485,8 @@ private predicate additionalJumpStateStep(
  )
 }

-pragma[nomagic]
-private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuration config) {
-  readSet(node1.asNode(), c, node2.asNode()) and
+private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
+  read(node1.asNode(), c, node2.asNode()) and
  stepFilter(node1, node2, config)
  or
  exists(Node n |
@@ -497,25 +496,6 @@ private predicate readSet(NodeEx node1, ContentSet c, NodeEx node2, Configuratio
  )
 }

-// inline to reduce fan-out via `getAReadContent`
-pragma[inline]
-private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  exists(ContentSet cs |
-    readSet(node1, cs, node2, config) and
-    c = cs.getAReadContent()
-  )
-}
-
-// inline to reduce fan-out via `getAReadContent`
-pragma[inline]
-private predicate clearsContentEx(NodeEx n, Content c) {
-  exists(ContentSet cs |
-    clearsContentCached(n.asNode(), cs) and
-    c = cs.getAReadContent()
-  )
-}
-
-pragma[nomagic]
 private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
@@ -593,9 +573,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(ContentSet c |
-      fwdFlowReadSet(c, node, cc, config) and
-      fwdFlowConsCandSet(c, _, config)
+    exists(Content c |
+      fwdFlowRead(c, node, cc, config) and
+      fwdFlowConsCand(c, config)
    )
    or
    // flow into a callable
@@ -619,10 +599,10 @@ private module Stage1 {
  private predicate fwdFlow(NodeEx node, Configuration config) { fwdFlow(node, _, config) }

  pragma[nomagic]
-  private predicate fwdFlowReadSet(ContentSet c, NodeEx node, Cc cc, Configuration config) {
+  private predicate fwdFlowRead(Content c, NodeEx node, Cc cc, Configuration config) {
    exists(NodeEx mid |
      fwdFlow(mid, cc, config) and
-      readSet(mid, c, node, config)
+      read(mid, c, node, config)
    )
  }

@@ -640,16 +620,6 @@ private module Stage1 {
    )
  }

-  /**
-   * Holds if `cs` may be interpreted in a read as the target of some store
-   * into `c`, in the flow covered by `fwdFlow`.
-   */
-  pragma[nomagic]
-  private predicate fwdFlowConsCandSet(ContentSet cs, Content c, Configuration config) {
-    fwdFlowConsCand(c, config) and
-    c = cs.getAReadContent()
-  }
-
  pragma[nomagic]
  private predicate fwdFlowReturnPosition(ReturnPosition pos, Cc cc, Configuration config) {
    exists(RetNodeEx ret |
@@ -742,9 +712,9 @@ private module Stage1 {
    )
    or
    // read
-    exists(NodeEx mid, ContentSet c |
-      readSet(node, c, mid, config) and
-      fwdFlowConsCandSet(c, _, pragma[only_bind_into](config)) and
+    exists(NodeEx mid, Content c |
+      read(node, c, mid, config) and
+      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
      revFlow(mid, toReturn, pragma[only_bind_into](config))
    )
    or
@@ -770,10 +740,10 @@ private module Stage1 {
   */
  pragma[nomagic]
  private predicate revFlowConsCand(Content c, Configuration config) {
-    exists(NodeEx mid, NodeEx node, ContentSet cs |
+    exists(NodeEx mid, NodeEx node |
      fwdFlow(node, pragma[only_bind_into](config)) and
-      readSet(node, cs, mid, config) and
-      fwdFlowConsCandSet(cs, c, pragma[only_bind_into](config)) and
+      read(node, c, mid, config) and
+      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
      revFlow(pragma[only_bind_into](mid), _, pragma[only_bind_into](config))
    )
  }
@@ -792,7 +762,6 @@ private module Stage1 {
   * Holds if `c` is the target of both a read and a store in the flow covered
   * by `revFlow`.
   */
-  pragma[nomagic]
  private predicate revFlowIsReadAndStored(Content c, Configuration conf) {
    revFlowConsCand(c, conf) and
    revFlowStore(c, _, _, conf)
@@ -891,9 +860,9 @@ private module Stage1 {

  pragma[nomagic]
  predicate readStepCand(NodeEx n1, Content c, NodeEx n2, Configuration config) {
-    revFlowIsReadAndStored(pragma[only_bind_into](c), pragma[only_bind_into](config)) and
-    read(n1, c, n2, pragma[only_bind_into](config)) and
-    revFlow(n2, pragma[only_bind_into](config))
+    revFlowIsReadAndStored(c, pragma[only_bind_into](config)) and
+    revFlow(n2, pragma[only_bind_into](config)) and
+    read(n1, c, n2, pragma[only_bind_into](config))
  }

  pragma[nomagic]
@@ -903,10 +872,7 @@ private module Stage1 {
  predicate revFlow(
    NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
  ) {
-    revFlow(node, toReturn, pragma[only_bind_into](config)) and
-    exists(state) and
-    exists(returnAp) and
-    exists(ap)
+    revFlow(node, toReturn, config) and exists(state) and exists(returnAp) and exists(ap)
  }

  private predicate throughFlowNodeCand(NodeEx node, Configuration config) {
@@ -1183,7 +1149,7 @@ private module Stage2 {

  bindingset[node, state, ap, config]
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
-    PrevStage::revFlowState(state, pragma[only_bind_into](config)) and
+    PrevStage::revFlowState(state, config) and
    exists(ap) and
    not stateBarrier(node, state, config)
  }
@@ -1608,7 +1574,7 @@ private module Stage2 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
+      store(node1, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -1763,9 +1729,9 @@ private module LocalFlowBigStep {
      or
      node.asNode() instanceof OutNodeExt
      or
-      Stage2::storeStepCand(_, _, _, node, _, config)
+      store(_, _, node, _, config)
      or
-      Stage2::readStepCand(_, _, node, config)
+      read(_, _, node, config)
      or
      node instanceof FlowCheckNode
      or
@@ -1786,8 +1752,8 @@ private module LocalFlowBigStep {
      additionalJumpStep(node, next, config) or
      flowIntoCallNodeCand1(_, node, next, config) or
      flowOutOfCallNodeCand1(_, node, next, config) or
-      Stage2::storeStepCand(node, _, _, next, _, config) or
-      Stage2::readStepCand(node, _, next, config)
+      store(node, _, next, _, config) or
+      read(node, _, next, config)
    )
    or
    exists(NodeEx next, FlowState s | Stage2::revFlow(next, s, config) |
@@ -1960,24 +1926,7 @@ private module Stage3 {
  private predicate flowIntoCall = flowIntoCallNodeCand2/5;

  pragma[nomagic]
-  private predicate clearSet(NodeEx node, ContentSet c, Configuration config) {
-    PrevStage::revFlow(node, config) and
-    clearsContentCached(node.asNode(), c)
-  }
-
-  pragma[nomagic]
-  private predicate clearContent(NodeEx node, Content c, Configuration config) {
-    exists(ContentSet cs |
-      PrevStage::readStepCand(_, pragma[only_bind_into](c), _, pragma[only_bind_into](config)) and
-      c = cs.getAReadContent() and
-      clearSet(node, cs, pragma[only_bind_into](config))
-    )
-  }
-
-  pragma[nomagic]
-  private predicate clear(NodeEx node, Ap ap, Configuration config) {
-    clearContent(node, ap.getHead().getContent(), config)
-  }
+  private predicate clear(NodeEx node, Ap ap) { ap.isClearedAt(node.asNode()) }

  pragma[nomagic]
  private predicate castingNodeEx(NodeEx node) { node.asNode() instanceof CastingNode }
@@ -1986,7 +1935,7 @@ private module Stage3 {
  private predicate filter(NodeEx node, FlowState state, Ap ap, Configuration config) {
    exists(state) and
    exists(config) and
-    not clear(node, ap, config) and
+    not clear(node, ap) and
    if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), ap.getType()) else any()
  }

@@ -2414,7 +2363,7 @@ private module Stage3 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
+      store(node1, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -3241,7 +3190,7 @@ private module Stage4 {
    Configuration config
  ) {
    exists(Ap ap2, Content c |
-      PrevStage::storeStepCand(node1, _, tc, node2, contentType, config) and
+      store(node1, tc, node2, contentType, config) and
      revFlowStore(ap2, c, ap1, node1, _, tc, node2, _, _, config) and
      revFlowConsCand(ap2, c, ap1, config)
    )
@@ -4253,7 +4202,7 @@ private module Subpaths {
    exists(NodeEx n1, NodeEx n2 | n1 = n.getNodeEx() and n2 = result.getNodeEx() |
      localFlowBigStep(n1, _, n2, _, _, _, _, _) or
      store(n1, _, n2, _, _) or
-      readSet(n1, _, n2, _)
+      read(n1, _, n2, _)
    )
  }

@@ -4608,7 +4557,7 @@ private module FlowExploration {
      or
      exists(PartialPathNodeRev mid |
        revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
-        not clearsContentEx(node, ap.getHead()) and
+        not clearsContentCached(node.asNode(), ap.getHead()) and
        not fullBarrier(node, config) and
        not stateBarrier(node, state, config) and
        distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
@@ -4624,7 +4573,7 @@ private module FlowExploration {
      partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
      not fullBarrier(node, config) and
      not stateBarrier(node, state, config) and
-      not clearsContentEx(node, ap.getHead().getContent()) and
+      not clearsContentCached(node.asNode(), ap.getHead().getContent()) and
      if node.asNode() instanceof CastingNode
      then compatibleTypes(node.getDataFlowType(), ap.getType())
      else any()
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
@@ -326,7 +326,7 @@ private module Cached {
  predicate jumpStepCached(Node node1, Node node2) { jumpStep(node1, node2) }

  cached
-  predicate clearsContentCached(Node n, ContentSet c) { clearsContent(n, c) }
+  predicate clearsContentCached(Node n, Content c) { clearsContent(n, c) }

  cached
  predicate isUnreachableInCallCached(Node n, DataFlowCall call) { isUnreachableInCall(n, call) }
@@ -373,7 +373,7 @@ private module Cached {
    // For reads, `x.f`, we want to check that the tracked type after the read (which
    // is obtained by popping the head of the access path stack) is compatible with
    // the type of `x.f`.
-    readSet(_, _, n)
+    read(_, _, n)
  }

  cached
@@ -469,7 +469,7 @@ private module Cached {
        // read
        exists(Node mid |
          parameterValueFlowCand(p, mid, false) and
-          readSet(mid, _, node) and
+          read(mid, _, node) and
          read = true
        )
        or
@@ -657,10 +657,8 @@ private module Cached {
       * Holds if `arg` flows to `out` through a call using only
       * value-preserving steps and a single read step, not taking call
       * contexts into account, thus representing a getter-step.
-       *
-       * This predicate is exposed for testing only.
       */
-      predicate getterStep(ArgNode arg, ContentSet c, Node out) {
+      predicate getterStep(ArgNode arg, Content c, Node out) {
        argumentValueFlowsThrough(arg, TReadStepTypesSome(_, c, _), out)
      }

@@ -783,30 +781,28 @@ private module Cached {
    parameterValueFlow(p, n.getPreUpdateNode(), TReadStepTypesNone())
  }

-  cached
-  predicate readSet(Node node1, ContentSet c, Node node2) { readStep(node1, c, node2) }
-
  private predicate store(
    Node node1, Content c, Node node2, DataFlowType contentType, DataFlowType containerType
  ) {
-    exists(ContentSet cs | c = cs.getAStoreContent() |
-      storeStep(node1, cs, node2) and
-      contentType = getNodeDataFlowType(node1) and
-      containerType = getNodeDataFlowType(node2)
+    storeStep(node1, c, node2) and
+    contentType = getNodeDataFlowType(node1) and
+    containerType = getNodeDataFlowType(node2)
+    or
+    exists(Node n1, Node n2 |
+      n1 = node1.(PostUpdateNode).getPreUpdateNode() and
+      n2 = node2.(PostUpdateNode).getPreUpdateNode()
+    |
+      argumentValueFlowsThrough(n2, TReadStepTypesSome(containerType, c, contentType), n1)
      or
-      exists(Node n1, Node n2 |
-        n1 = node1.(PostUpdateNode).getPreUpdateNode() and
-        n2 = node2.(PostUpdateNode).getPreUpdateNode()
-      |
-        argumentValueFlowsThrough(n2, TReadStepTypesSome(containerType, cs, contentType), n1)
-        or
-        readSet(n2, cs, n1) and
-        contentType = getNodeDataFlowType(n1) and
-        containerType = getNodeDataFlowType(n2)
-      )
+      read(n2, c, n1) and
+      contentType = getNodeDataFlowType(n1) and
+      containerType = getNodeDataFlowType(n2)
    )
  }

+  cached
+  predicate read(Node node1, Content c, Node node2) { readStep(node1, c, node2) }
+
  /**
   * Holds if data can flow from `node1` to `node2` via a direct assignment to
   * `f`.
@@ -936,16 +932,16 @@ class CastingNode extends Node {
 }

 private predicate readStepWithTypes(
-  Node n1, DataFlowType container, ContentSet c, Node n2, DataFlowType content
+  Node n1, DataFlowType container, Content c, Node n2, DataFlowType content
 ) {
-  readSet(n1, c, n2) and
+  read(n1, c, n2) and
  container = getNodeDataFlowType(n1) and
  content = getNodeDataFlowType(n2)
 }

 private newtype TReadStepTypesOption =
  TReadStepTypesNone() or
-  TReadStepTypesSome(DataFlowType container, ContentSet c, DataFlowType content) {
+  TReadStepTypesSome(DataFlowType container, Content c, DataFlowType content) {
    readStepWithTypes(_, container, c, _, content)
  }

@@ -954,7 +950,7 @@ private class ReadStepTypesOption extends TReadStepTypesOption {

  DataFlowType getContainerType() { this = TReadStepTypesSome(result, _, _) }

-  ContentSet getContent() { this = TReadStepTypesSome(_, result, _) }
+  Content getContent() { this = TReadStepTypesSome(_, result, _) }

  DataFlowType getContentType() { this = TReadStepTypesSome(_, _, result) }

@@ -1329,6 +1325,8 @@ abstract class AccessPathFront extends TAccessPathFront {
  abstract boolean toBoolNonEmpty();

  TypedContent getHead() { this = TFrontHead(result) }
+
+  predicate isClearedAt(Node n) { clearsContentCached(n, this.getHead().getContent()) }
 }

 class AccessPathFrontNil extends AccessPathFront, TFrontNil {
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -1063,34 +1063,6 @@ private class CollectionContent extends Content, TCollectionContent {
  override string toString() { result = "<element>" }
 }

-/**
- * An entity that represents a set of `Content`s.
- *
- * The set may be interpreted differently depending on whether it is
- * stored into (`getAStoreContent`) or read from (`getAReadContent`).
- */
-class ContentSet instanceof Content {
-  /** Gets a content that may be stored into when storing into this set. */
-  Content getAStoreContent() { result = this }
-
-  /** Gets a content that may be read from when reading from this set. */
-  Content getAReadContent() { result = this }
-
-  /** Gets a textual representation of this content set. */
-  string toString() { result = super.toString() }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
-    super.hasLocationInfo(path, sl, sc, el, ec)
-  }
-}
-
 /**
 * A guard that validates some instruction.
 *
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
@@ -161,7 +161,7 @@ abstract class Configuration extends DataFlow::Configuration {
    this.isAdditionalTaintStep(node1, state1, node2, state2)
  }

-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
    defaultImplicitTaintRead(node, c)
  }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
@@ -161,7 +161,7 @@ abstract class Configuration extends DataFlow::Configuration {
    this.isAdditionalTaintStep(node1, state1, node2, state2)
  }

-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
    defaultImplicitTaintRead(node, c)
  }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll
@@ -161,7 +161,7 @@ abstract class Configuration extends DataFlow::Configuration {
    this.isAdditionalTaintStep(node1, state1, node2, state2)
  }

-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
    defaultImplicitTaintRead(node, c)
  }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll
@@ -11,6 +11,7 @@ private import TranslatedDeclarationEntry
 private import TranslatedElement
 private import TranslatedFunction
 private import TranslatedInitialization
+private import TranslatedFunction
 private import TranslatedStmt
 import TranslatedCall

--- a/cpp/ql/lib/semmle/code/cpp/ir/internal/CppType.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/internal/CppType.qll
@@ -141,7 +141,7 @@ private predicate isOpaqueType(Type type) {
 * Holds if an `IROpaqueType` with the specified `tag` and `byteSize` should exist.
 */
 predicate hasOpaqueType(Type tag, int byteSize) {
-  isOpaqueType(tag) and byteSize = getTypeSize(tag.getUnspecifiedType())
+  isOpaqueType(tag) and byteSize = getTypeSize(tag)
  or
  tag instanceof UnknownType and Raw::needsUnknownOpaqueType(byteSize)
 }
@@ -153,18 +153,17 @@ private IRType getIRTypeForPRValue(Type type) {
  exists(Type unspecifiedType | unspecifiedType = type.getUnspecifiedType() |
    isOpaqueType(unspecifiedType) and
    exists(IROpaqueType opaqueType | opaqueType = result |
-      opaqueType.getByteSize() = getTypeSize(unspecifiedType) and
+      opaqueType.getByteSize() = getTypeSize(type) and
      opaqueType.getTag() = unspecifiedType
    )
    or
-    unspecifiedType instanceof BoolType and
-    result.(IRBooleanType).getByteSize() = unspecifiedType.getSize()
+    unspecifiedType instanceof BoolType and result.(IRBooleanType).getByteSize() = type.getSize()
    or
    isSignedIntegerType(unspecifiedType) and
-    result.(IRSignedIntegerType).getByteSize() = unspecifiedType.getSize()
+    result.(IRSignedIntegerType).getByteSize() = type.getSize()
    or
    isUnsignedIntegerType(unspecifiedType) and
-    result.(IRUnsignedIntegerType).getByteSize() = unspecifiedType.getSize()
+    result.(IRUnsignedIntegerType).getByteSize() = type.getSize()
    or
    exists(FloatingPointType floatType, IRFloatingPointType irFloatType |
      floatType = unspecifiedType and
@@ -174,8 +173,7 @@ private IRType getIRTypeForPRValue(Type type) {
      irFloatType.getDomain() = floatType.getDomain()
    )
    or
-    isPointerIshType(unspecifiedType) and
-    result.(IRAddressType).getByteSize() = getTypeSize(unspecifiedType)
+    isPointerIshType(unspecifiedType) and result.(IRAddressType).getByteSize() = getTypeSize(type)
    or
    unspecifiedType instanceof FunctionPointerIshType and
    result.(IRFunctionAddressType).getByteSize() = getTypeSize(type)
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Allocation.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Allocation.qll
@@ -42,13 +42,10 @@ private class MallocAllocationFunction extends AllocationFunction {
    this.hasGlobalName([
        // --- Windows Memory Management for Windows Drivers
        "ExAllocatePool", // ExAllocatePool(type, size)
-        "ExAllocatePool2", // ExAllocatePool2(flags, size, tag)
-        "ExAllocatePool3", // ExAllocatePool3(flags, size, tag, extparams, extparamscount)
        "ExAllocatePoolWithTag", // ExAllocatePool(type, size, tag)
        "ExAllocatePoolWithTagPriority", // ExAllocatePoolWithTagPriority(type, size, tag, priority)
        "ExAllocatePoolWithQuota", // ExAllocatePoolWithQuota(type, size)
        "ExAllocatePoolWithQuotaTag", // ExAllocatePoolWithQuotaTag(type, size, tag)
-        "ExAllocatePoolZero", // ExAllocatePoolZero(type, size, tag)
        "IoAllocateMdl", // IoAllocateMdl(address, size, flag, flag, irp)
        "IoAllocateErrorLogEntry", // IoAllocateErrorLogEntry(object, size)
        // --- Windows Global / Local legacy allocation
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strtok.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strtok.qll
@@ -5,6 +5,7 @@

 import semmle.code.cpp.Function
 import semmle.code.cpp.models.interfaces.ArrayFunction
+import semmle.code.cpp.models.interfaces.ArrayFunction
 import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.SideEffect
 import semmle.code.cpp.models.interfaces.Taint
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll
@@ -1802,3 +1802,5 @@ module SimpleRangeAnalysisInternal {
    defMightOverflowNegatively(def, v) and result = varMaxVal(v)
  }
 }
+
+private import SimpleRangeAnalysisInternal
--- a/cpp/ql/lib/semmle/code/cpp/security/BufferWrite.qll
+++ b/cpp/ql/lib/semmle/code/cpp/security/BufferWrite.qll
@@ -6,6 +6,7 @@
 */

 import cpp
+import semmle.code.cpp.commons.Alloc
 import semmle.code.cpp.commons.Buffer
 import semmle.code.cpp.commons.Scanf
 import semmle.code.cpp.models.implementations.Strcat
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,12 +1,3 @@
-## 0.1.0
-
-### Minor Analysis Improvements
-
-* The `cpp/cleartext-transmission` query now recognizes additional sources, for sensitive private data such as e-mail addresses and credit card numbers.
-* The `cpp/unused-local-variable` no longer ignores functions that include lambda expressions capturing trivially copyable objects.
-* The `cpp/command-line-injection` query now takes into account calling contexts across string concatenations. This removes false positives due to mismatched calling contexts before and after string concatenations.
-* A new query, "Potential exposure of sensitive system data to an unauthorized control sphere" (`cpp/potential-system-data-exposure`) has been added. This query is focused on exposure of information that is highly likely to be sensitive, whereas the similar query "Exposure of system data to an unauthorized control sphere" (`cpp/system-data-exposure`) is focused on exposure of information on a channel that is more likely to be intercepted by an attacker.
-
 ## 0.0.13

 ## 0.0.12
--- a/Year/Adding365DaysPerYear.ql
+++ b/Year/Adding365DaysPerYear.ql
@@ -13,6 +13,7 @@

 import cpp
 import LeapYear
+import semmle.code.cpp.dataflow.DataFlow

 from Expr source, Expr sink, PossibleYearArithmeticOperationCheckConfiguration config
 where config.hasFlow(DataFlow::exprNode(source), DataFlow::exprNode(sink))
--- a/Management/NtohlArrayNoBound.ql
+++ b/Management/NtohlArrayNoBound.ql
@@ -10,6 +10,7 @@

 import cpp
 import NtohlArrayNoBound
+import semmle.code.cpp.dataflow.DataFlow

 from NetworkToBufferSizeConfiguration bufConfig, DataFlow::Node source, DataFlow::Node sink
 where bufConfig.hasFlow(source, sink)
--- a/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
@@ -15,6 +15,7 @@
 */

 import semmle.code.cpp.security.BufferWrite
+import semmle.code.cpp.commons.Alloc

 /*
 * See CWE-120/UnboundedWrite.ql for a summary of CWE-120 alert cases.
--- a/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
@@ -15,6 +15,7 @@
 */

 import semmle.code.cpp.security.BufferWrite
+import semmle.code.cpp.commons.Alloc

 /*
 * See CWE-120/UnboundedWrite.ql for a summary of CWE-120 alert cases.
--- a/cpp/ql/src/Security/CWE/CWE-611/XXE.qhelp
+++ b/cpp/ql/src/Security/CWE/CWE-611/XXE.qhelp
@@ -1,57 +0,0 @@
-<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
-<qhelp>
-
-<overview>
-<p>
-Parsing untrusted XML files with a weakly configured XML parser may lead to an
-XML external entity (XXE) attack. This type of attack uses external entity references
-to access arbitrary files on a system, carry out denial-of-service (DoS) attacks, or server-side
-request forgery. Even when the result of parsing is not returned to the user, DoS attacks are still possible
-and out-of-band data retrieval techniques may allow attackers to steal sensitive data.
-</p>
-</overview>
-
-<recommendation>
-<p>
-The easiest way to prevent XXE attacks is to disable external entity handling when
-parsing untrusted data. How this is done depends on the library being used. Note that some
-libraries, such as recent versions of <code>libxml</code>, disable entity expansion by default,
-so unless you have explicitly enabled entity expansion, no further action needs to be taken.
-</p>
-</recommendation>
-
-<example>
-<p>
-The following example uses the <code>Xerces-C++</code> XML parser to parse a string <code>data</code>.
-If that string is from an untrusted source, this code may be vulnerable to an XXE attack, since
-the parser is constructed in its default state with <code>setDisableDefaultEntityResolution</code>
-set to <code>false</code>:
-</p>
-<sample src="XXEBad.cpp"/>
-
-<p>
-To guard against XXE attacks, the <code>setDisableDefaultEntityResolution</code> option should be
-set to <code>true</code>.
-</p>
-<sample src="XXEGood.cpp"/>
-</example>
-
-<references>
-<li>
-OWASP:
-<a href="https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing">XML External Entity (XXE) Processing</a>.
-</li>
-<li>
-OWASP:
-<a href="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html">XML External Entity Prevention Cheat Sheet</a>.
-</li>
-<li>
-Timothy Morgen:
-<a href="https://research.nccgroup.com/2014/05/19/xml-schema-dtd-and-entity-attacks-a-compendium-of-known-techniques/">XML Schema, DTD, and Entity Attacks</a>.
-</li>
-<li>
-Timur Yunusov, Alexey Osipov:
-<a href="https://www.slideshare.net/qqlan/bh-ready-v4">XML Out-Of-Band Data Retrieval</a>.
-</li>
-</references>
-</qhelp>
--- a/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
+++ b/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
@@ -1,226 +0,0 @@
-/**
- * @name XML external entity expansion
- * @description Parsing user-controlled XML documents and allowing expansion of
- *              external entity references may lead to disclosure of
- *              confidential data or denial of service.
- * @kind path-problem
- * @id cpp/external-entity-expansion
- * @problem.severity warning
- * @security-severity 9.1
- * @precision medium
- * @tags security
- *       external/cwe/cwe-611
- */
-
-import cpp
-import semmle.code.cpp.ir.dataflow.DataFlow
-import DataFlow::PathGraph
-import semmle.code.cpp.ir.IR
-
-/**
- * A flow state representing a possible configuration of an XML object.
- */
-abstract class XXEFlowState extends DataFlow::FlowState {
-  bindingset[this]
-  XXEFlowState() { any() } // required characteristic predicate
-}
-
-/**
- * An `Expr` that changes the configuration of an XML object, transforming the
- * `XXEFlowState` that flows through it.
- */
-abstract class XXEFlowStateTranformer extends Expr {
-  /**
-   * Gets the flow state that `flowstate` is transformed into.
-   *
-   * Due to limitations of the implementation the transformation defined by this
-   * predicate must be idempotent, that is, for any input `x` it must be that:
-   * ```
-   * transform(tranform(x)) = tranform(x)
-   * ```
-   */
-  abstract XXEFlowState transform(XXEFlowState flowstate);
-}
-
-/**
- * The `AbstractDOMParser` class.
- */
-class AbstractDOMParserClass extends Class {
-  AbstractDOMParserClass() { this.hasName("AbstractDOMParser") }
-}
-
-/**
- * The `XercesDOMParser` class.
- */
-class XercesDOMParserClass extends Class {
-  XercesDOMParserClass() { this.hasName("XercesDOMParser") }
-}
-
-/**
- * Gets a valid flow state for `XercesDOMParser` flow.
- *
- * These flow states take the form `XercesDOM-A-B`, where:
- *  - A is 1 if `setDisableDefaultEntityResolution` is `true`, 0 otherwise.
- *  - B is 1 if `setCreateEntityReferenceNodes` is `true`, 0 otherwise.
- */
-predicate encodeXercesDOMFlowState(
-  string flowstate, int disabledDefaultEntityResolution, int createEntityReferenceNodes
-) {
-  flowstate = "XercesDOM-0-0" and
-  disabledDefaultEntityResolution = 0 and
-  createEntityReferenceNodes = 0
-  or
-  flowstate = "XercesDOM-0-1" and
-  disabledDefaultEntityResolution = 0 and
-  createEntityReferenceNodes = 1
-  or
-  flowstate = "XercesDOM-1-0" and
-  disabledDefaultEntityResolution = 1 and
-  createEntityReferenceNodes = 0
-  or
-  flowstate = "XercesDOM-1-1" and
-  disabledDefaultEntityResolution = 1 and
-  createEntityReferenceNodes = 1
-}
-
-/**
- * A flow state representing the configuration of a `XercesDOMParser` object.
- */
-class XercesDOMParserFlowState extends XXEFlowState {
-  XercesDOMParserFlowState() { encodeXercesDOMFlowState(this, _, _) }
-}
-
-/**
- * A flow state transformer for a call to
- * `AbstractDOMParser.setDisableDefaultEntityResolution`. Transforms the flow
- * state through the qualifier according to the setting in the parameter.
- */
-class DisableDefaultEntityResolutionTranformer extends XXEFlowStateTranformer {
-  Expr newValue;
-
-  DisableDefaultEntityResolutionTranformer() {
-    exists(Call call, Function f |
-      call.getTarget() = f and
-      f.getDeclaringType() instanceof AbstractDOMParserClass and
-      f.hasName("setDisableDefaultEntityResolution") and
-      this = call.getQualifier() and
-      newValue = call.getArgument(0)
-    )
-  }
-
-  final override XXEFlowState transform(XXEFlowState flowstate) {
-    exists(int createEntityReferenceNodes |
-      encodeXercesDOMFlowState(flowstate, _, createEntityReferenceNodes) and
-      (
-        newValue.getValue().toInt() = 1 and // true
-        encodeXercesDOMFlowState(result, 1, createEntityReferenceNodes)
-        or
-        not newValue.getValue().toInt() = 1 and // false or unknown
-        encodeXercesDOMFlowState(result, 0, createEntityReferenceNodes)
-      )
-    )
-  }
-}
-
-/**
- * A flow state transformer for a call to
- * `AbstractDOMParser.setCreateEntityReferenceNodes`. Transforms the flow
- * state through the qualifier according to the setting in the parameter.
- */
-class CreateEntityReferenceNodesTranformer extends XXEFlowStateTranformer {
-  Expr newValue;
-
-  CreateEntityReferenceNodesTranformer() {
-    exists(Call call, Function f |
-      call.getTarget() = f and
-      f.getDeclaringType() instanceof AbstractDOMParserClass and
-      f.hasName("setCreateEntityReferenceNodes") and
-      this = call.getQualifier() and
-      newValue = call.getArgument(0)
-    )
-  }
-
-  final override XXEFlowState transform(XXEFlowState flowstate) {
-    exists(int disabledDefaultEntityResolution |
-      encodeXercesDOMFlowState(flowstate, disabledDefaultEntityResolution, _) and
-      (
-        newValue.getValue().toInt() = 1 and // true
-        encodeXercesDOMFlowState(result, disabledDefaultEntityResolution, 1)
-        or
-        not newValue.getValue().toInt() = 1 and // false or unknown
-        encodeXercesDOMFlowState(result, disabledDefaultEntityResolution, 0)
-      )
-    )
-  }
-}
-
-/**
- * The `AbstractDOMParser.parse` method.
- */
-class ParseFunction extends Function {
-  ParseFunction() { this.getClassAndName("parse") instanceof AbstractDOMParserClass }
-}
-
-/**
- * The `createLSParser` function that returns a newly created `LSParser` object.
- */
-class CreateLSParser extends Function {
-  CreateLSParser() {
-    this.hasName("createLSParser") and
-    this.getUnspecifiedType().(PointerType).getBaseType().getName() = "DOMLSParser" // returns a `DOMLSParser *`.
-  }
-}
-
-/**
- * A configuration for tracking XML objects and their states.
- */
-class XXEConfiguration extends DataFlow::Configuration {
-  XXEConfiguration() { this = "XXEConfiguration" }
-
-  override predicate isSource(DataFlow::Node node, string flowstate) {
-    // source is the write on `this` of a call to the `XercesDOMParser`
-    // constructor.
-    exists(CallInstruction call |
-      call.getStaticCallTarget() = any(XercesDOMParserClass c).getAConstructor() and
-      node.asInstruction().(WriteSideEffectInstruction).getDestinationAddress() =
-        call.getThisArgument() and
-      encodeXercesDOMFlowState(flowstate, 0, 1) // default configuration
-    )
-    or
-    // source is the result of a call to `createLSParser`.
-    exists(Call call |
-      call.getTarget() instanceof CreateLSParser and
-      call = node.asExpr() and
-      encodeXercesDOMFlowState(flowstate, 0, 1) // default configuration
-    )
-  }
-
-  override predicate isSink(DataFlow::Node node, string flowstate) {
-    // sink is the read of the qualifier of a call to `parse`.
-    exists(Call call |
-      call.getTarget() instanceof ParseFunction and
-      call.getQualifier() = node.asConvertedExpr()
-    ) and
-    flowstate instanceof XercesDOMParserFlowState and
-    not encodeXercesDOMFlowState(flowstate, 1, 1) // safe configuration
-  }
-
-  override predicate isAdditionalFlowStep(
-    DataFlow::Node node1, string state1, DataFlow::Node node2, string state2
-  ) {
-    // create additional flow steps for `XXEFlowStateTranformer`s
-    state2 = node2.asConvertedExpr().(XXEFlowStateTranformer).transform(state1) and
-    DataFlow::simpleLocalFlowStep(node1, node2)
-  }
-
-  override predicate isBarrier(DataFlow::Node node, string flowstate) {
-    // when the flowstate is transformed at a call node, block the original
-    // flowstate value.
-    node.asConvertedExpr().(XXEFlowStateTranformer).transform(flowstate) != flowstate
-  }
-}
-
-from XXEConfiguration conf, DataFlow::PathNode source, DataFlow::PathNode sink
-where conf.hasFlowPath(source, sink)
-select sink, source, sink,
-  "This $@ is not configured to prevent an XML external entity (XXE) attack.", source, "XML parser"
--- a/cpp/ql/src/Security/CWE/CWE-611/XXEBad.cpp
+++ b/cpp/ql/src/Security/CWE/CWE-611/XXEBad.cpp
@@ -1,4 +0,0 @@
-
-XercesDOMParser *parser = new XercesDOMParser();
-
-parser->parse(data); // BAD (parser is not correctly configured, may expand external entity references)
--- a/cpp/ql/src/Security/CWE/CWE-611/XXEGood.cpp
+++ b/cpp/ql/src/Security/CWE/CWE-611/XXEGood.cpp
@@ -1,5 +0,0 @@
-
-XercesDOMParser *parser = new XercesDOMParser();
-
-parser->setDisableDefaultEntityResolution(true);
-parser->parse(data);
--- a/cpp/ql/src/change-notes/2022-03-03-potential-system-data-exposure.md
+++ b/cpp/ql/src/change-notes/2022-03-03-potential-system-data-exposure.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* A new query, "Potential exposure of sensitive system data to an unauthorized control sphere" (`cpp/potential-system-data-exposure`) has been added. This query is focused on exposure of information that is highly likely to be sensitive, whereas the similar query "Exposure of system data to an unauthorized control sphere" (`cpp/system-data-exposure`) is focused on exposure of information on a channel that is more likely to be intercepted by an attacker.
--- a/cpp/ql/src/change-notes/2022-03-21-command-line-injection-with-flow-states.md
+++ b/cpp/ql/src/change-notes/2022-03-21-command-line-injection-with-flow-states.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `cpp/command-line-injection` query now takes into account calling contexts across string concatenations. This removes false positives due to mismatched calling contexts before and after string concatenations.
--- a/cpp/ql/src/change-notes/2022-03-25-unused-lambda-capture.md
+++ b/cpp/ql/src/change-notes/2022-03-25-unused-lambda-capture.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `cpp/unused-local-variable` no longer ignores functions that include lambda expressions capturing trivially copyable objects.
--- a/cpp/ql/src/change-notes/2022-03-28-cleartext-transmission.md
+++ b/cpp/ql/src/change-notes/2022-03-28-cleartext-transmission.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `cpp/cleartext-transmission` query now recognizes additional sources, for sensitive private data such as e-mail addresses and credit card numbers.
--- a/cpp/ql/src/change-notes/2022-04-13-pexternal-entity-expansion.md
+++ b/cpp/ql/src/change-notes/2022-04-13-pexternal-entity-expansion.md
@@ -1,4 +0,0 @@
---
-category: newQuery
---
-* An new query `cpp/external-entity-expansion` has been added. The query detects XML objects that are vulnerable to external entity expansion (XXE) attacks.
--- a/cpp/ql/src/change-notes/released/0.1.0.md
+++ b/cpp/ql/src/change-notes/released/0.1.0.md
@@ -1,8 +0,0 @@
-## 0.1.0
-
-### Minor Analysis Improvements
-
-* The `cpp/cleartext-transmission` query now recognizes additional sources, for sensitive private data such as e-mail addresses and credit card numbers.
-* The `cpp/unused-local-variable` no longer ignores functions that include lambda expressions capturing trivially copyable objects.
-* The `cpp/command-line-injection` query now takes into account calling contexts across string concatenations. This removes false positives due to mismatched calling contexts before and after string concatenations.
-* A new query, "Potential exposure of sensitive system data to an unauthorized control sphere" (`cpp/potential-system-data-exposure`) has been added. This query is focused on exposure of information that is highly likely to be sensitive, whereas the similar query "Exposure of system data to an unauthorized control sphere" (`cpp/system-data-exposure`) is focused on exposure of information on a channel that is more likely to be intercepted by an attacker.
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.1.0
+lastReleaseVersion: 0.0.13
--- a/cpp/ql/src/experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql
@@ -16,6 +16,7 @@
 */

 import cpp
+import semmle.code.cpp.exprs.BitwiseOperation
 import semmle.code.cpp.valuenumbering.GlobalValueNumbering

 /**
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 0.1.1-dev
+version: 0.1.0-dev
 groups: 
  - cpp
  - queries
--- a/cpp/ql/test/library-tests/controlflow/dominance/bbIDominates.expected
+++ b/cpp/ql/test/library-tests/controlflow/dominance/bbIDominates.expected
@@ -31,4 +31,4 @@
 | test2 | 83 | if (...) ...  | 74 | test2 |
 | test2 | 83 | if (...) ...  | 84 | break; |
 | test2 | 83 | if (...) ...  | 85 | if (...) ...  |
-| test2 | 85 | if (...) ...  | 86 | { ... } |
+| test2 | 85 | if (...) ...  | 0 | { ... } |
--- a/cpp/ql/test/library-tests/controlflow/dominance/dominator.expected
+++ b/cpp/ql/test/library-tests/controlflow/dominance/dominator.expected
@@ -118,7 +118,7 @@
 | test | 44 | ... = ... | 42 | j |
 | test | 44 | ExprStmt | 44 | 10 |
 | test | 44 | w | 44 | ... = ... |
-| test | 47 | ... += ... | 50 | { ... } |
+| test | 47 | ... += ... | 50 | for(...;...;...) ... |
 | test | 47 | ExprStmt | 47 | z |
 | test | 47 | w | 47 | ... += ... |
 | test | 47 | z | 47 | w |
@@ -133,7 +133,6 @@
 | test | 50 | j | 50 | ... ++ |
 | test | 50 | j | 50 | ... = ... |
 | test | 50 | label ...: | 50 | j |
-| test | 50 | { ... } | 50 | for(...;...;...) ... |
 | test | 50 | { ... } | 51 | ExprStmt |
 | test | 51 | 30 | 51 | y |
 | test | 51 | ... = ... | 52 | if (...) ...  |
@@ -182,10 +181,10 @@
 | test | 70 | ExprStmt | 70 | 40 |
 | test | 70 | w | 70 | ... = ... |
 | test | 71 | return ... | 71 | w |
+| test2 | 0 | { ... } | 86 | ExprStmt |
 | test2 | 74 | { ... } | 76 | declaration |
-| test2 | 76 | declaration | 77 | { ... } |
+| test2 | 76 | declaration | 77 | for(...;...;...) ... |
 | test2 | 77 | for(...;...;...) ... | 77 | { ... } |
-| test2 | 77 | { ... } | 77 | for(...;...;...) ... |
 | test2 | 77 | { ... } | 78 | ExprStmt |
 | test2 | 78 | 10 | 78 | b |
 | test2 | 78 | ... = ... | 79 | if (...) ...  |
@@ -212,12 +211,11 @@
 | test2 | 83 | if (...) ...  | 83 | a |
 | test2 | 84 | break; | 87 | label ...: |
 | test2 | 85 | 20 | 85 | ... == ... |
-| test2 | 85 | ... == ... | 86 | { ... } |
+| test2 | 85 | ... == ... | 0 | { ... } |
 | test2 | 85 | a | 85 | 20 |
 | test2 | 85 | if (...) ...  | 85 | a |
 | test2 | 86 | ExprStmt | 86 | c |
 | test2 | 86 | c | 86 | return ... |
-| test2 | 86 | { ... } | 86 | ExprStmt |
 | test2 | 87 | label ...: | 88 | ExprStmt |
 | test2 | 88 | ExprStmt | 88 | b |
 | test2 | 88 | b | 88 | return ... |
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected
@@ -218,10 +218,10 @@ postWithInFlow
 | lambdas.cpp:20:11:20:11 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:20:11:20:11 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:20:11:20:11 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
+| lambdas.cpp:23:3:23:3 | (reference dereference) [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:23:3:23:14 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:23:3:23:14 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:23:3:23:14 | v [post update] | PostUpdateNode should not be the target of local flow. |
-| lambdas.cpp:23:15:23:15 | (reference dereference) [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:28:7:28:7 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:28:10:31:2 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:28:10:31:2 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
--- a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.ql
+++ b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.ql
@@ -4,6 +4,7 @@

 import semmle.code.cpp.ir.dataflow.DataFlow
 import IRConfiguration
+import cpp
 import DataFlow::PathGraph

 from DataFlow::PathNode src, DataFlow::PathNode sink, IRConf conf
--- a/cpp/ql/test/library-tests/dataflow/fields/path-flow.ql
+++ b/cpp/ql/test/library-tests/dataflow/fields/path-flow.ql
@@ -4,6 +4,7 @@

 import semmle.code.cpp.dataflow.DataFlow
 import ASTConfiguration
+import cpp
 import DataFlow::PathGraph

 from DataFlow::PathNode src, DataFlow::PathNode sink, AstConf conf
--- a/cpp/ql/test/library-tests/depends_initializers/InitializerAccesses.expected
+++ b/cpp/ql/test/library-tests/depends_initializers/InitializerAccesses.expected
@@ -1,7 +1,7 @@
 | initializers.cpp:18:8:18:15 | initializer for y | initializers.cpp:18:9:18:9 | x |
 | initializers.cpp:19:8:19:21 | initializer for z | initializers.cpp:19:9:19:9 | x |
 | initializers.cpp:23:8:23:9 | initializer for j | initializers.cpp:23:9:23:9 | i |
-| initializers.cpp:27:9:27:10 | initializer for aax | initializers.cpp:27:9:27:10 | ax |
+| initializers.cpp:27:8:27:10 | initializer for aax | initializers.cpp:27:9:27:10 | ax |
 | initializers.cpp:30:20:30:35 | initializer for myIntArray | initializers.cpp:30:22:30:22 | i |
 | template_static.cpp:9:24:9:24 | initializer for static_c | template_static.cpp:9:24:9:24 | c |
 | template_static.cpp:10:22:10:24 | initializer for static_v | template_static.cpp:10:24:10:24 | v |
--- a/cpp/ql/test/library-tests/depends_initializers/InitializerCFG.expected
+++ b/cpp/ql/test/library-tests/depends_initializers/InitializerCFG.expected
@@ -8,7 +8,7 @@
 | initializers.cpp:23:8:23:9 | initializer for j |  |
 | initializers.cpp:25:3:25:3 | initializer for a |  |
 | initializers.cpp:26:7:26:10 | initializer for ax |  |
-| initializers.cpp:27:9:27:10 | initializer for aax |  |
+| initializers.cpp:27:8:27:10 | initializer for aax |  |
 | initializers.cpp:30:20:30:35 | initializer for myIntArray |  |
 | initializers.cpp:31:3:31:15 | initializer for myObjectArray |  |
 | template_static.cpp:2:15:2:15 | initializer for c |  |
--- a/cpp/ql/test/library-tests/floats/float128/errors.expected
+++ b/cpp/ql/test/library-tests/floats/float128/errors.expected
@@ -1,4 +1,3 @@
 | file://:0:0:0:0 | There was an error during this compilation |
 | float128.cpp:1:39:1:39 | 128-bit floating-point types are not supported in this configuration |
-| float128.cpp:2:30:2:30 | an attribute specifies a mode incompatible with '<error-type>' |
-| float128.cpp:2:41:2:41 | invalid combination of type specifiers |
+| float128.cpp:2:30:2:30 | 128-bit floating-point types are not supported in this configuration |
--- a/cpp/ql/test/library-tests/floats/float128/usertypes.expected
+++ b/cpp/ql/test/library-tests/floats/float128/usertypes.expected
@@ -1,4 +1,5 @@
 | float128.cpp:1:50:1:60 | _Complex128 | file://:0:0:0:0 | <error-type> |
+| float128.cpp:2:41:2:49 | _Float128 | file://:0:0:0:0 | <error-type> |
 | float128.cpp:13:29:13:54 | __is_floating_point_helper<T> | float128.cpp:10:8:10:17 | false_type |
 | float128.cpp:14:19:14:51 | __is_floating_point_helper<float> | float128.cpp:11:8:11:16 | true_type |
 | float128.cpp:15:19:15:52 | __is_floating_point_helper<double> | float128.cpp:11:8:11:16 | true_type |
--- a/cpp/ql/test/library-tests/ir/ir/operand_locations.expected
+++ b/cpp/ql/test/library-tests/ir/ir/operand_locations.expected
@@ -4833,6 +4833,9 @@
 | ir.cpp:1043:24:1043:24 | SideEffect | ~m1043_20 |
 | ir.cpp:1043:31:1043:31 | Address | &:r1043_9 |
 | ir.cpp:1043:36:1043:55 | Address | &:r1043_11 |
+| ir.cpp:1043:43:1043:43 | Address | &:r1043_16 |
+| ir.cpp:1043:43:1043:43 | Arg(this) | this:r1043_16 |
+| ir.cpp:1043:43:1043:43 | SideEffect | ~m1043_20 |
 | ir.cpp:1043:43:1043:54 | Address | &:r1043_22 |
 | ir.cpp:1043:43:1043:54 | Address | &:r1043_24 |
 | ir.cpp:1043:43:1043:54 | Address | &:r1043_25 |
@@ -4853,11 +4856,8 @@
 | ir.cpp:1043:45:1043:49 | SideEffect | ~m1043_4 |
 | ir.cpp:1043:45:1043:49 | Unary | r1043_13 |
 | ir.cpp:1043:45:1043:49 | Unary | r1043_15 |
-| ir.cpp:1043:52:1043:52 | Address | &:r1043_16 |
-| ir.cpp:1043:52:1043:52 | Arg(this) | this:r1043_16 |
-| ir.cpp:1043:52:1043:52 | SideEffect | ~m1043_20 |
-| ir.cpp:1043:54:1043:54 | Load | ~m1043_20 |
-| ir.cpp:1043:54:1043:54 | Right | r1043_26 |
+| ir.cpp:1043:53:1043:53 | Load | ~m1043_20 |
+| ir.cpp:1043:53:1043:53 | Right | r1043_26 |
 | ir.cpp:1043:58:1043:58 | ChiPartial | partial:m1043_9 |
 | ir.cpp:1043:58:1043:58 | ChiTotal | total:m1043_3 |
 | ir.cpp:1043:58:1043:58 | StoreValue | r1043_8 |
@@ -4972,6 +4972,9 @@
 | ir.cpp:1047:34:1047:34 | SideEffect | ~m1047_20 |
 | ir.cpp:1047:41:1047:41 | Address | &:r1047_9 |
 | ir.cpp:1047:46:1047:65 | Address | &:r1047_11 |
+| ir.cpp:1047:53:1047:53 | Address | &:r1047_16 |
+| ir.cpp:1047:53:1047:53 | Arg(this) | this:r1047_16 |
+| ir.cpp:1047:53:1047:53 | SideEffect | ~m1047_20 |
 | ir.cpp:1047:53:1047:64 | Address | &:r1047_23 |
 | ir.cpp:1047:53:1047:64 | Load | ~m1047_20 |
 | ir.cpp:1047:53:1047:64 | StoreValue | r1047_24 |
@@ -4986,9 +4989,6 @@
 | ir.cpp:1047:55:1047:59 | SideEffect | ~m1047_4 |
 | ir.cpp:1047:55:1047:59 | Unary | r1047_13 |
 | ir.cpp:1047:55:1047:59 | Unary | r1047_15 |
-| ir.cpp:1047:62:1047:62 | Address | &:r1047_16 |
-| ir.cpp:1047:62:1047:62 | Arg(this) | this:r1047_16 |
-| ir.cpp:1047:62:1047:62 | SideEffect | ~m1047_20 |
 | ir.cpp:1047:63:1047:63 | Right | r1047_22 |
 | ir.cpp:1047:68:1047:68 | StoreValue | r1047_8 |
 | ir.cpp:1047:68:1047:68 | Unary | r1047_7 |
@@ -5097,6 +5097,9 @@
 | ir.cpp:1051:39:1051:39 | SideEffect | ~m1051_20 |
 | ir.cpp:1051:46:1051:46 | Address | &:r1051_9 |
 | ir.cpp:1051:51:1051:70 | Address | &:r1051_11 |
+| ir.cpp:1051:58:1051:58 | Address | &:r1051_16 |
+| ir.cpp:1051:58:1051:58 | Arg(this) | this:r1051_16 |
+| ir.cpp:1051:58:1051:58 | SideEffect | ~m1051_20 |
 | ir.cpp:1051:58:1051:69 | Address | &:r1051_22 |
 | ir.cpp:1051:58:1051:69 | Address | &:r1051_24 |
 | ir.cpp:1051:58:1051:69 | Address | &:r1051_26 |
@@ -5117,9 +5120,6 @@
 | ir.cpp:1051:60:1051:64 | SideEffect | ~m1051_4 |
 | ir.cpp:1051:60:1051:64 | Unary | r1051_13 |
 | ir.cpp:1051:60:1051:64 | Unary | r1051_15 |
-| ir.cpp:1051:67:1051:67 | Address | &:r1051_16 |
-| ir.cpp:1051:67:1051:67 | Arg(this) | this:r1051_16 |
-| ir.cpp:1051:67:1051:67 | SideEffect | ~m1051_20 |
 | ir.cpp:1051:73:1051:73 | ChiPartial | partial:m1051_9 |
 | ir.cpp:1051:73:1051:73 | ChiTotal | total:m1051_3 |
 | ir.cpp:1051:73:1051:73 | StoreValue | r1051_8 |
@@ -5184,6 +5184,9 @@
 | ir.cpp:1054:49:1054:49 | SideEffect | ~m1054_20 |
 | ir.cpp:1054:56:1054:56 | Address | &:r1054_9 |
 | ir.cpp:1054:61:1054:88 | Address | &:r1054_11 |
+| ir.cpp:1054:68:1054:68 | Address | &:r1054_16 |
+| ir.cpp:1054:68:1054:68 | Arg(this) | this:r1054_16 |
+| ir.cpp:1054:68:1054:68 | SideEffect | ~m1054_20 |
 | ir.cpp:1054:68:1054:87 | Address | &:r1054_37 |
 | ir.cpp:1054:68:1054:87 | Load | ~m1054_20 |
 | ir.cpp:1054:68:1054:87 | StoreValue | r1054_38 |
@@ -5198,9 +5201,6 @@
 | ir.cpp:1054:70:1054:74 | SideEffect | ~m1054_4 |
 | ir.cpp:1054:70:1054:74 | Unary | r1054_13 |
 | ir.cpp:1054:70:1054:74 | Unary | r1054_15 |
-| ir.cpp:1054:77:1054:77 | Address | &:r1054_16 |
-| ir.cpp:1054:77:1054:77 | Arg(this) | this:r1054_16 |
-| ir.cpp:1054:77:1054:77 | SideEffect | ~m1054_20 |
 | ir.cpp:1054:78:1054:82 | Address | &:r1054_22 |
 | ir.cpp:1054:78:1054:82 | Address | &:r1054_24 |
 | ir.cpp:1054:78:1054:82 | Left | r1054_25 |
--- a/cpp/ql/test/library-tests/lambdas/captures/elements.expected
+++ b/cpp/ql/test/library-tests/lambdas/captures/elements.expected
@@ -156,10 +156,10 @@
 | captures.cpp:23:12:23:16 | x |
 | captures.cpp:23:12:23:16 | y |
 | captures.cpp:23:12:23:20 | ... + ... |
+| captures.cpp:23:16:23:16 | (reference dereference) |
 | captures.cpp:23:16:23:16 | definition of y |
 | captures.cpp:23:16:23:16 | y |
 | captures.cpp:23:16:23:16 | y |
-| captures.cpp:23:18:23:18 | (reference dereference) |
 | captures.cpp:23:20:23:20 | z |
 | captures.cpp:26:3:26:24 | return ... |
 | captures.cpp:26:10:26:17 | (const lambda [] type at line 22, col. 19)... |
--- a/cpp/ql/test/library-tests/sideEffects/stmts/stmts.expected
+++ b/cpp/ql/test/library-tests/sideEffects/stmts/stmts.expected
@@ -2,7 +2,6 @@
 | stmts.c:3:5:3:10 | declaration | true | true |
 | stmts.c:4:5:4:18 | declaration | true | true |
 | stmts.c:5:5:5:16 | declaration | false | true |
-| stmts.c:7:5:7:5 | { ... } | true | true |
 | stmts.c:7:5:14:5 | switch (...) ...  | true | true |
 | stmts.c:7:15:14:5 | { ... } | true | true |
 | stmts.c:8:9:8:15 | case ...: | true | true |
--- a/cpp/ql/test/library-tests/switch/blocks.expected
+++ b/cpp/ql/test/library-tests/switch/blocks.expected
@@ -1,9 +1,12 @@
-| switch.c:2:5:2:5 | f | switch.c:2:14:12:1 | { ... } | switch.c:3:5:3:5 | { ... } |
+| switch.c:2:5:2:5 | f | switch.c:2:14:12:1 | { ... } | switch.c:3:5:10:5 | switch (...) ...  |
+| switch.c:2:5:2:5 | f | switch.c:2:14:12:1 | { ... } | switch.c:10:5:10:5 | label ...: |
 | switch.c:2:5:2:5 | f | switch.c:2:14:12:1 | { ... } | switch.c:11:5:11:13 | return ... |
 | switch.c:14:6:14:6 | g | switch.c:14:15:52:1 | { ... } | switch.c:15:2:15:7 | declaration |
-| switch.c:14:6:14:6 | g | switch.c:14:15:52:1 | { ... } | switch.c:17:5:17:5 | { ... } |
+| switch.c:14:6:14:6 | g | switch.c:14:15:52:1 | { ... } | switch.c:17:5:26:5 | switch (...) ...  |
+| switch.c:14:6:14:6 | g | switch.c:14:15:52:1 | { ... } | switch.c:26:5:26:5 | label ...: |
 | switch.c:14:6:14:6 | g | switch.c:14:15:52:1 | { ... } | switch.c:28:5:29:5 | switch (...) ...  |
-| switch.c:14:6:14:6 | g | switch.c:14:15:52:1 | { ... } | switch.c:31:5:31:5 | { ... } |
+| switch.c:14:6:14:6 | g | switch.c:14:15:52:1 | { ... } | switch.c:31:5:44:2 | switch (...) ...  |
+| switch.c:14:6:14:6 | g | switch.c:14:15:52:1 | { ... } | switch.c:44:2:44:2 | label ...: |
 | switch.c:14:6:14:6 | g | switch.c:14:15:52:1 | { ... } | switch.c:46:2:51:2 | switch (...) ...  |
 | switch.c:14:6:14:6 | g | switch.c:14:15:52:1 | { ... } | switch.c:52:1:52:1 | return ... |
 | switch.cpp:4:5:4:5 | f | switch.cpp:4:14:9:1 | { ... } | switch.cpp:5:5:8:5 | switch (...) ...  |
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Esben Sparre Andreasen	e5b198837a	enable new features	2022-04-22 15:40:09 +02:00
Esben Sparre Andreasen	94b0f1adc0	add docstring examples	2022-04-22 15:34:09 +02:00
Esben Sparre Andreasen	f67a586fb5	address review comments	2022-04-22 14:39:44 +02:00
Esben Sparre Andreasen	df34784834	Apply suggestions from code review Co-authored-by: Henry Mercer <henrymercer@github.com>	2022-04-22 14:39:44 +02:00
Esben Sparre Andreasen	cd2761b8f2	fix semantic merge conflict	2022-04-22 14:39:44 +02:00
Esben Sparre Andreasen	446fbcdbe1	rename new features	2022-04-22 14:39:44 +02:00
Esben Sparre Andreasen	b3f09e0203	add more features	2022-04-22 14:39:44 +02:00
Esben Sparre Andreasen	c466fab22d	improve feature documentation	2022-04-22 14:39:44 +02:00
Esben Sparre Andreasen	c74857f44d	improve feature tests with more cases	2022-04-22 14:39:44 +02:00
Esben Sparre Andreasen	b65db6c07c	improve access path strings	2022-04-22 14:39:44 +02:00
Esben Sparre Andreasen	1cea33d80e	support import in getSimpleAccessPath	2022-04-22 14:39:43 +02:00
Esben Sparre Andreasen	09a273927a	support await in getSimpleAccessPath	2022-04-22 14:39:43 +02:00
Esben Sparre Andreasen	aa37ae6b70	avoid using new feautes by default	2022-04-22 14:39:43 +02:00
Esben Sparre Andreasen	5f9d3e1e58	add CompareFeatures.ql	2022-04-22 14:39:43 +02:00
Esben Sparre Andreasen	bf708b9181	add generic tests for features	2022-04-22 14:39:43 +02:00
Esben Sparre Andreasen	6277650a0d	Document EndpointFeatures.qll	2022-04-22 14:39:43 +02:00
Esben Sparre Andreasen	3baa9de45d	add ParameterAccessPathSimpleFromArgumentTraversal	2022-04-22 14:39:43 +02:00
Esben Sparre Andreasen	e5ddc57aa6	improve getSimpleAccessPath	2022-04-22 14:39:43 +02:00
Esben Sparre Andreasen	62bf841c5d	refactor calleeAccessPath feature to class	2022-04-22 14:39:43 +02:00
Stephan Brandauer	b14feb0022	refactor getACallBasedTokenFeature to class-use	2022-04-22 14:39:43 +02:00
Esben Sparre Andreasen	09db824078	Add CalleeAccessPathSimpleFromArgumentTraversal	2022-04-22 14:39:43 +02:00
Esben Sparre Andreasen	eaba3c120f	refactor EndpointFeatures.ql to use classes	2022-04-22 14:39:43 +02:00
				`@@ -1 +0,0 @@`
				`# this empty file adds the repo root to PYTHON_PATH when running pytest`