Merge pull request #17808 from github/release-prep/2.19.2

Release preparation for version 2.19.2
Fix typos in changelogs
2026-05-16 20:27:06 +02:00 · 2024-10-18 17:36:23 +02:00 · 2024-10-18 15:28:05 +00:00 · 2024-10-18 15:16:21 +00:00 · 2024-10-18 17:13:50 +02:00 · 2024-10-18 17:06:20 +02:00
8769 changed files with 456195 additions and 166195 deletions
--- a/.bazelrc
+++ b/.bazelrc
@@ -24,5 +24,7 @@ common --registry=file:///%workspace%/misc/bazel/registry
 common --registry=https://bcr.bazel.build

 common --@rules_dotnet//dotnet/settings:strict_deps=false
+common --experimental_isolated_extension_usages
+common --incompatible_use_plus_in_repo_names

 try-import %workspace%/local.bazelrc
--- a/.bazelrc.internal
+++ b/.bazelrc.internal
@@ -8,3 +8,4 @@ common --registry=https://bcr.bazel.build
 # its implementation packages without providing any code itself.
 # We either can depend on internal implementation details, or turn of strict deps.
 common --@rules_dotnet//dotnet/settings:strict_deps=false
+common --experimental_isolated_extension_usages
--- a/.bazelversion
+++ b/.bazelversion
@@ -1 +1 @@
-7.2.1
+5f5d70b6c4d2fb1a889479569107f1692239e8a7
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -30,6 +30,10 @@ Ruby:
  - ruby/**/*
  - change-notes/**/*ruby*

+Rust:
+  - rust/**/*
+  - change-notes/**/*rust*
+
 Swift:
  - swift/**/*
  - change-notes/**/*swift*
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -0,0 +1,14 @@
+### Pull Request checklist
+
+#### All query authors
+
+- [ ] A change note is added if necessary. See [the documentation](https://github.com/github/codeql/blob/main/docs/change-notes.md) in this repository.
+- [ ] All new queries have appropriate `.qhelp`. See [the documentation](https://github.com/github/codeql/blob/main/docs/query-help-style-guide.md) in this repository.
+- [ ] QL tests are added if necessary. See [Testing custom queries](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/testing-custom-queries) in the GitHub documentation.
+- [ ] New and changed queries have correct query metadata. See [the documentation](https://github.com/github/codeql/blob/main/docs/query-metadata-style-guide.md) in this repository.
+
+#### Internal query authors only
+
+- [ ] Autofixes generated based on these changes are valid, only needed if this PR makes significant changes to `.ql`, `.qll`, or `.qhelp` files. See [the documentation](https://github.com/github/codeql-team/blob/main/docs/best-practices/validating-autofix-for-query-changes.md) (internal access required).
+- [ ] Changes are validated [at scale](https://github.com/github/codeql-dca/) (internal access required).
+- [ ] Adding a new query? Consider also [adding the query to autofix](https://github.com/github/codeml-autofix/blob/main/docs/updating-query-support.md#adding-a-new-query-to-the-query-suite).
--- a/.github/workflows/buildifier.yml
+++ b/.github/workflows/buildifier.yml
@@ -24,5 +24,5 @@ jobs:
          extra_args: >
            buildifier --all-files 2>&1 ||
            (
-              echo -e "In order to format all bazel files, please run:\n  bazel run //misc/bazel:buildifier"; exit 1
+              echo -e "In order to format all bazel files, please run:\n  bazel run //misc/bazel/buildifier"; exit 1
            )
--- a/.github/workflows/check-change-note.yml
+++ b/.github/workflows/check-change-note.yml
@@ -16,11 +16,12 @@ on:
      - "shared/**/*.qll"
      - "!**/experimental/**"
      - "!ql/**"
+      - "!rust/**"
      - ".github/workflows/check-change-note.yml"

 jobs:
  check-change-note:
-    env: 
+    env:
      REPO: ${{ github.repository }}
      PULL_REQUEST_NUMBER: ${{ github.event.number }}
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -33,7 +34,7 @@ jobs:
          !contains(github.event.pull_request.labels.*.name, 'no-change-note-required')
        run: |
          change_note_files=$(gh api "repos/$REPO/pulls/$PULL_REQUEST_NUMBER/files" --paginate --jq '.[].filename | select(test("/change-notes/.*[.]md$"))')
-          
+
          if [ -z "$change_note_files" ]; then
            echo "No change note found. Either add one, or add the 'no-change-note-required' label."
            exit 1
--- a/.github/workflows/cpp-swift-analysis.yml
+++ b/.github/workflows/cpp-swift-analysis.yml
@@ -37,7 +37,7 @@ jobs:
      with:
        languages: cpp
        config-file: ./.github/codeql/codeql-config.yml
-  
+
    - name: "[Ubuntu] Remove GCC 13 from runner image"
      shell: bash
      run: |
@@ -48,7 +48,7 @@ jobs:
    - name: "Build Swift extractor using Bazel"
      run: |
        bazel clean --expunge
-        bazel run //swift:create-extractor-pack --nouse_action_cache --noremote_accept_cached --noremote_upload_local_results --spawn_strategy=local --features=-layering_check
+        bazel run //swift:create-extractor-pack --nouse_action_cache --noremote_accept_cached --noremote_upload_local_results --spawn_strategy=local
        bazel shutdown

    - name: Perform CodeQL Analysis
--- a/.github/workflows/csharp-qltest.yml
+++ b/.github/workflows/csharp-qltest.yml
@@ -29,45 +29,6 @@ permissions:
  contents: read

 jobs:
-  qlupgrade:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: ./.github/actions/fetch-codeql
-      - name: Check DB upgrade scripts
-        run: |
-          echo >empty.trap
-          codeql dataset import -S ql/lib/upgrades/initial/semmlecode.csharp.dbscheme testdb empty.trap
-          codeql dataset upgrade testdb --additional-packs ql/lib
-          diff -q testdb/semmlecode.csharp.dbscheme ql/lib/semmlecode.csharp.dbscheme
-      - name: Check DB downgrade scripts
-        run: |
-          echo >empty.trap
-          rm -rf testdb; codeql dataset import -S ql/lib/semmlecode.csharp.dbscheme testdb empty.trap
-          codeql resolve upgrades --format=lines --allow-downgrades --additional-packs downgrades \
-           --dbscheme=ql/lib/semmlecode.csharp.dbscheme --target-dbscheme=downgrades/initial/semmlecode.csharp.dbscheme |
-           xargs codeql execute upgrades testdb
-          diff -q testdb/semmlecode.csharp.dbscheme downgrades/initial/semmlecode.csharp.dbscheme
-  qltest:
-    if: github.repository_owner == 'github'
-    runs-on: ubuntu-latest-xl
-    strategy:
-      fail-fast: false
-      matrix:
-        slice: ["1/2", "2/2"]
-    steps:
-      - uses: actions/checkout@v4
-      - uses: ./csharp/actions/create-extractor-pack
-      - name: Cache compilation cache
-        id: query-cache
-        uses: ./.github/actions/cache-query-compilation
-        with:
-          key: csharp-qltest-${{ matrix.slice }}
-      - name: Run QL tests
-        run: |
-          codeql test run --threads=0 --ram 50000 --slice ${{ matrix.slice }} --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
  unit-tests:
    strategy:
      matrix:
--- a/.github/workflows/go-tests.yml
+++ b/.github/workflows/go-tests.yml
@@ -3,6 +3,7 @@ on:
  push:
    paths:
      - "go/**"
+      - "shared/**"
      - .github/workflows/go-tests.yml
      - .github/actions/**
      - codeql-workspace.yml
@@ -12,6 +13,7 @@ on:
  pull_request:
    paths:
      - "go/**"
+      - "shared/**"
      - .github/workflows/go-tests.yml
      - .github/actions/**
      - codeql-workspace.yml
--- a/.github/workflows/ruby-build.yml
+++ b/.github/workflows/ruby-build.yml
@@ -65,8 +65,8 @@ jobs:
        id: cache-extractor
        with:
          path: |
-            ruby/extractor/target/release/codeql-extractor-ruby
-            ruby/extractor/target/release/codeql-extractor-ruby.exe
+            target/release/codeql-extractor-ruby
+            target/release/codeql-extractor-ruby.exe
            ruby/extractor/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-extractor-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/Cargo.lock') }}-${{ hashFiles('shared/tree-sitter-extractor') }}-${{ hashFiles('ruby/extractor/**/*.rs') }}
      - uses: actions/cache@v3
@@ -75,7 +75,7 @@ jobs:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
-            ruby/target
+            target
          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-rust-cargo-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/**/Cargo.lock') }}
      - name: Check formatting
        if: steps.cache-extractor.outputs.cache-hit != 'true'
@@ -91,7 +91,7 @@ jobs:
        run: cd extractor && cargo build --release
      - name: Generate dbscheme
        if: ${{ matrix.os == 'ubuntu-latest' && steps.cache-extractor.outputs.cache-hit != 'true'}}
-        run: extractor/target/release/codeql-extractor-ruby generate --dbscheme ql/lib/ruby.dbscheme --library ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
+        run: ../target/release/codeql-extractor-ruby generate --dbscheme ql/lib/ruby.dbscheme --library ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
      - uses: actions/upload-artifact@v3
        if: ${{ matrix.os == 'ubuntu-latest' }}
        with:
@@ -106,8 +106,8 @@ jobs:
        with:
          name: extractor-${{ matrix.os }}
          path: |
-            ruby/extractor/target/release/codeql-extractor-ruby
-            ruby/extractor/target/release/codeql-extractor-ruby.exe
+            target/release/codeql-extractor-ruby
+            target/release/codeql-extractor-ruby.exe
          retention-days: 1
  compile-queries:
    if: github.repository_owner == 'github'
@@ -140,6 +140,7 @@ jobs:
          path: |
            ${{ runner.temp }}/query-packs/*
          retention-days: 1
+          include-hidden-files: true

  package:
    runs-on: ubuntu-latest
@@ -176,6 +177,7 @@ jobs:
          name: codeql-ruby-pack
          path: ruby/codeql-ruby.zip
          retention-days: 1
+          include-hidden-files: true
      - uses: actions/download-artifact@v3
        with:
          name: codeql-ruby-queries
@@ -193,6 +195,7 @@ jobs:
          name: codeql-ruby-bundle
          path: ruby/codeql-ruby-bundle.zip
          retention-days: 1
+          include-hidden-files: true

  test:
    defaults:
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -0,0 +1,58 @@
+name: "Rust"
+
+on:
+  pull_request:
+    paths:
+      - "rust/**"
+      - "misc/bazel/**"
+      - "misc/codegen/**"
+      - "shared/**"
+      - "MODULE.bazel"
+      - .github/workflows/rust.yml
+      - .github/actions/**
+      - codeql-workspace.yml
+      - "!**/*.md"
+      - "!**/*.qhelp"
+    branches:
+      - rust-experiment
+      - main
+      - rc/*
+      - codeql-cli-*
+
+permissions:
+  contents: read
+
+jobs:
+  rust-code:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Format
+        working-directory: rust/extractor
+        shell: bash
+        run: |
+          cargo fmt --check
+      - name: Compilation
+        working-directory: rust/extractor
+        shell: bash
+        run: cargo check
+      - name: Clippy
+        working-directory: rust/extractor
+        shell: bash
+        run: |
+          cargo clippy --fix
+          git diff --exit-code
+  rust-codegen:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Install CodeQL
+        uses: ./.github/actions/fetch-codeql
+      - name: Code generation
+        shell: bash
+        run: |
+          bazel run //rust/codegen
+          git add .
+          git diff --exit-code HEAD
--- a/.gitignore
+++ b/.gitignore
@@ -7,8 +7,8 @@
 .cache

 # qltest projects and artifacts
+*.actual
 */ql/test/**/*.testproj
-*/ql/test/**/*.actual
 */ql/test/**/go.sum

 # Visual studio temporaries, except a file used by QL4VS
@@ -65,3 +65,9 @@ node_modules/

 # bazel-built in-tree extractor packs
 /*/extractor-pack
+
+# Jetbrains IDE files
+.idea
+
+# cargo build directory
+/target
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -5,9 +5,9 @@ repos:
    rev: v3.2.0
    hooks:
      - id: trailing-whitespace
-        exclude: /test/.*$(?<!\.ql)(?<!\.qll)(?<!\.qlref)|.*\.patch
+        exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
      - id: end-of-file-fixer
-        exclude: /test/.*$(?<!\.ql)(?<!\.qll)(?<!\.qlref)|.*\.patch
+        exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$

  - repo: https://github.com/pre-commit/mirrors-clang-format
    rev: v17.0.6
@@ -15,7 +15,7 @@ repos:
      - id: clang-format

  - repo: https://github.com/pre-commit/mirrors-autopep8
-    rev: v1.6.0
+    rev: v2.0.4
    hooks:
      - id: autopep8
        files: ^misc/codegen/.*\.py
@@ -26,7 +26,7 @@ repos:
        name: Format bazel files
        files: \.(bazel|bzl)
        language: system
-        entry: bazel run //misc/bazel:buildifier
+        entry: bazel run //misc/bazel/buildifier
        pass_filenames: false

 #      DISABLED: can be enabled by copying this config and installing `pre-commit` with `--config` on the copy
@@ -45,7 +45,7 @@ repos:

      - id: sync-files
        name: Fix files required to be identical
-        files: \.(qll?|qhelp|swift)$|^config/identical-files\.json$
+        files: \.(qll?|qhelp|swift|toml)$|^config/identical-files\.json$
        language: system
        entry: python3 config/sync-files.py --latest
        pass_filenames: false
@@ -58,7 +58,7 @@ repos:

      - id: swift-codegen
        name: Run Swift checked in code generation
-        files: ^swift/(schema.py$|codegen/|.*/generated/|ql/lib/(swift\.dbscheme$|codeql/swift/elements)|ql/\.generated.list)
+        files: ^misc/codegen/|^swift/(schema.py$|codegen/|.*/generated/|ql/lib/(swift\.dbscheme$|codeql/swift/elements)|ql/\.generated.list)
        language: system
        entry: bazel run //swift/codegen -- --quiet
        pass_filenames: false
@@ -69,3 +69,17 @@ repos:
        language: system
        entry: bazel test //misc/codegen/test
        pass_filenames: false
+
+      - id: rust-codegen
+        name: Run Rust checked in code generation
+        files: ^misc/codegen/|^rust/(schema.py$|codegen/|.*/generated/|ql/lib/(rust\.dbscheme$|codeql/rust/elements)|\.generated.list)
+        language: system
+        entry: bazel run //rust/codegen -- --quiet
+        pass_filenames: false
+
+      - id: rust-lint
+        name: Run fmt and clippy on Rust code
+        files: ^rust/extractor/(.*rs|Cargo.toml)$
+        language: system
+        entry: python3 rust/lint.py
+        pass_filenames: false
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -0,0 +1,16 @@
+# This is the shared workspace file for extractor using shared/tree-sitter/extractor
+[workspace]
+
+resolver = "2"
+members = [
+    "shared/tree-sitter-extractor",
+    "ruby/extractor",
+    "rust/extractor",
+    "rust/extractor/macros",
+    "rust/ast-generator",
+]
+
+[patch.crates-io]
+# patch for build script bug preventing bazel build
+# see https://github.com/rust-lang/rustc_apfloat/pull/17
+rustc_apfloat = { git = "https://github.com/redsun82/rustc_apfloat.git", rev = "096d585100636bc2e9f09d7eefec38c5b334d47b" }
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -1,6 +1,7 @@
 module(
-    name = "codeql",
+    name = "ql",
    version = "0.0",
+    repo_name = "codeql",
 )

 # this points to our internal repository when `codeql` is checked out as a submodule thereof
@@ -14,27 +15,29 @@ local_path_override(
 # see https://registry.bazel.build/ for a list of available packages

 bazel_dep(name = "platforms", version = "0.0.10")
-bazel_dep(name = "rules_go", version = "0.48.0")
-bazel_dep(name = "rules_pkg", version = "0.10.1")
+bazel_dep(name = "rules_go", version = "0.50.0")
+bazel_dep(name = "rules_pkg", version = "1.0.1")
 bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
-bazel_dep(name = "rules_python", version = "0.32.2")
+bazel_dep(name = "rules_python", version = "0.35.0")
 bazel_dep(name = "bazel_skylib", version = "1.6.1")
 bazel_dep(name = "abseil-cpp", version = "20240116.0", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "10.0.0")
-bazel_dep(name = "rules_kotlin", version = "1.9.4-codeql.1")
-bazel_dep(name = "gazelle", version = "0.37.0")
+bazel_dep(name = "rules_kotlin", version = "2.0.0-codeql.1")
+bazel_dep(name = "gazelle", version = "0.38.0")
 bazel_dep(name = "rules_dotnet", version = "0.15.1")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
-bazel_dep(name = "rules_rust", version = "0.46.0")
+bazel_dep(name = "rules_rust", version = "0.52.2")

 bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)

-crate = use_extension(
+# crate_py but shortened due to Windows file path considerations
+cp = use_extension(
    "@rules_rust//crate_universe:extension.bzl",
    "crate",
+    isolate = True,
 )
-crate.from_cargo(
+cp.from_cargo(
    name = "py_deps",
    cargo_lockfile = "//python/extractor/tsg-python:Cargo.lock",
    manifests = [
@@ -42,15 +45,27 @@ crate.from_cargo(
        "//python/extractor/tsg-python/tsp:Cargo.toml",
    ],
 )
-crate.from_cargo(
-    name = "ruby_deps",
-    cargo_lockfile = "//ruby/extractor:Cargo.lock",
+use_repo(cp, "py_deps")
+
+# deps for ruby+rust, but shortened due to windows file paths
+r = use_extension(
+    "@rules_rust//crate_universe:extension.bzl",
+    "crate",
+    isolate = True,
+)
+r.from_cargo(
+    name = "r",
+    cargo_lockfile = "//:Cargo.lock",
    manifests = [
+        "//:Cargo.toml",
        "//ruby/extractor:Cargo.toml",
-        "//ruby/extractor/codeql-extractor-fake-crate:Cargo.toml",
+        "//rust/extractor:Cargo.toml",
+        "//rust/extractor/macros:Cargo.toml",
+        "//rust/ast-generator:Cargo.toml",
+        "//shared/tree-sitter-extractor:Cargo.toml",
    ],
 )
-use_repo(crate, "py_deps", "ruby_deps")
+use_repo(r, tree_sitter_extractors_deps = "r")

 dotnet = use_extension("@rules_dotnet//dotnet:extensions.bzl", "dotnet")
 dotnet.toolchain(dotnet_version = "8.0.101")
@@ -113,6 +128,7 @@ use_repo(
    "kotlin-compiler-1.9.20-Beta",
    "kotlin-compiler-2.0.0-RC1",
    "kotlin-compiler-2.0.20-Beta2",
+    "kotlin-compiler-2.1.0-Beta1",
    "kotlin-compiler-embeddable-1.5.0",
    "kotlin-compiler-embeddable-1.5.10",
    "kotlin-compiler-embeddable-1.5.20",
@@ -126,6 +142,7 @@ use_repo(
    "kotlin-compiler-embeddable-1.9.20-Beta",
    "kotlin-compiler-embeddable-2.0.0-RC1",
    "kotlin-compiler-embeddable-2.0.20-Beta2",
+    "kotlin-compiler-embeddable-2.1.0-Beta1",
    "kotlin-stdlib-1.5.0",
    "kotlin-stdlib-1.5.10",
    "kotlin-stdlib-1.5.20",
@@ -139,10 +156,11 @@ use_repo(
    "kotlin-stdlib-1.9.20-Beta",
    "kotlin-stdlib-2.0.0-RC1",
    "kotlin-stdlib-2.0.20-Beta2",
+    "kotlin-stdlib-2.1.0-Beta1",
 )

 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
-go_sdk.download(version = "1.22.2")
+go_sdk.download(version = "1.23.1")

 go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//go/extractor:go.mod")
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -57,10 +57,6 @@
    "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
  ],
-  "Model as Data Generation Java/C# - CaptureModels": [
-    "java/ql/src/utils/modelgenerator/internal/CaptureModels.qll",
-    "csharp/ql/src/utils/modelgenerator/internal/CaptureModels.qll"
-  ],
  "Sign Java/C#": [
    "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/Sign.qll",
    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/Sign.qll"
@@ -356,8 +352,8 @@
    "python/ql/test/library-tests/dataflow/model-summaries/InlineTaintTest.ext.yml",
    "python/ql/test/library-tests/dataflow/model-summaries/NormalDataflowTest.ext.yml"
  ],
-  "shared tree-sitter extractor cargo.toml": [
-    "shared/tree-sitter-extractor/Cargo.toml",
-    "ruby/extractor/codeql-extractor-fake-crate/Cargo.toml"
+  "Diagnostics.qll": [
+    "ruby/ql/lib/codeql/ruby/Diagnostics.qll",
+    "rust/ql/lib/codeql/rust/Diagnostics.qll"
  ]
 }
--- a/cpp/downgrades/02a123a1a681f98cf502f189a2a79b0dfb398e59/exprs.ql
+++ b/cpp/downgrades/02a123a1a681f98cf502f189a2a79b0dfb398e59/exprs.ql
@@ -0,0 +1,17 @@
+class Expr extends @expr {
+  string toString() { none() }
+}
+
+class Location extends @location_expr {
+  string toString() { none() }
+}
+
+predicate isExprWithNewBuiltin(Expr expr) {
+  exists(int kind | exprs(expr, kind, _) | 385 <= kind and kind <= 388)
+}
+
+from Expr expr, int kind, int kind_new, Location location
+where
+  exprs(expr, kind, location) and
+  if isExprWithNewBuiltin(expr) then kind_new = 1 else kind_new = kind
+select expr, kind_new, location
--- a/cpp/downgrades/02a123a1a681f98cf502f189a2a79b0dfb398e59/old.dbscheme
+++ b/cpp/downgrades/02a123a1a681f98cf502f189a2a79b0dfb398e59/old.dbscheme
--- a/cpp/downgrades/02a123a1a681f98cf502f189a2a79b0dfb398e59/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/02a123a1a681f98cf502f189a2a79b0dfb398e59/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/02a123a1a681f98cf502f189a2a79b0dfb398e59/sizeof_bind.ql
+++ b/cpp/downgrades/02a123a1a681f98cf502f189a2a79b0dfb398e59/sizeof_bind.ql
@@ -0,0 +1,14 @@
+class Expr extends @expr {
+  string toString() { none() }
+}
+
+class Type extends @type {
+  string toString() { none() }
+}
+
+from Expr expr, Type type, int kind
+where
+  sizeof_bind(expr, type) and
+  exprs(expr, kind, _) and
+  (kind = 93 or kind = 94)
+select expr, type
--- a/cpp/downgrades/02a123a1a681f98cf502f189a2a79b0dfb398e59/upgrade.properties
+++ b/cpp/downgrades/02a123a1a681f98cf502f189a2a79b0dfb398e59/upgrade.properties
@@ -0,0 +1,4 @@
+description: Add new builtin operations
+compatibility: partial
+exprs.rel: run exprs.qlo
+sizeof_bind.rel: run sizeof_bind.qlo
--- a/cpp/downgrades/0fea0ee7026c7c3f7d6faef4df4bf67847b67d71/downgrades.ql
+++ b/cpp/downgrades/0fea0ee7026c7c3f7d6faef4df4bf67847b67d71/downgrades.ql
@@ -0,0 +1,32 @@
+/*
+ * Approach: replace conversion expressions of kind 389 (= @c11_generic) by
+ * conversion expressions of kind 12 (= @parexpr), i.e., a `ParenthesisExpr`,
+ * and drop the relation which its child expressions, which are just syntactic
+ * sugar. Parenthesis expressions are equally benign as C11 _Generic expressions,
+ * and behave similarly in the context of the IR.
+ */
+
+class Expr extends @expr {
+  string toString() { none() }
+}
+
+class Location extends @location {
+  string toString() { none() }
+}
+
+class ExprParent extends @exprparent {
+  string toString() { none() }
+}
+
+query predicate new_exprs(Expr expr, int new_kind, Location loc) {
+  exists(int kind | exprs(expr, kind, loc) | if kind = 389 then new_kind = 12 else new_kind = kind)
+}
+
+query predicate new_exprparents(Expr expr, int index, ExprParent expr_parent) {
+  exprparents(expr, index, expr_parent) and
+  (
+    not expr_parent instanceof @expr
+    or
+    exists(int kind | exprs(expr_parent.(Expr), kind, _) | kind != 389)
+  )
+}
--- a/cpp/downgrades/0fea0ee7026c7c3f7d6faef4df4bf67847b67d71/old.dbscheme
+++ b/cpp/downgrades/0fea0ee7026c7c3f7d6faef4df4bf67847b67d71/old.dbscheme
--- a/cpp/downgrades/0fea0ee7026c7c3f7d6faef4df4bf67847b67d71/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/0fea0ee7026c7c3f7d6faef4df4bf67847b67d71/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/0fea0ee7026c7c3f7d6faef4df4bf67847b67d71/upgrade.properties
+++ b/cpp/downgrades/0fea0ee7026c7c3f7d6faef4df4bf67847b67d71/upgrade.properties
@@ -0,0 +1,4 @@
+description: Expose C11 _Generics
+compatibility: partial
+exprs.rel: run downgrades.ql new_exprs
+exprparents.rel: run downgrades.ql new_exprparents
--- a/cpp/downgrades/68930f3b81bbe3fdbb91c850deca1fec8072d62a/old.dbscheme
+++ b/cpp/downgrades/68930f3b81bbe3fdbb91c850deca1fec8072d62a/old.dbscheme
--- a/cpp/downgrades/68930f3b81bbe3fdbb91c850deca1fec8072d62a/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/68930f3b81bbe3fdbb91c850deca1fec8072d62a/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/68930f3b81bbe3fdbb91c850deca1fec8072d62a/upgrade.properties
+++ b/cpp/downgrades/68930f3b81bbe3fdbb91c850deca1fec8072d62a/upgrade.properties
@@ -0,0 +1,3 @@
+description: description: Support explicit(bool) specifiers
+compatibility: full
+explicit_specifier_exprs.rel: delete
--- a/cpp/downgrades/6f5d51e89e762fe4609fd4ac8ee3afb04221e873/exprs.ql
+++ b/cpp/downgrades/6f5d51e89e762fe4609fd4ac8ee3afb04221e873/exprs.ql
@@ -0,0 +1,15 @@
+class Expr extends @expr {
+  string toString() { none() }
+}
+
+class Location extends @location_expr {
+  string toString() { none() }
+}
+
+predicate isExprRequires(Expr expr) { exists(int kind | exprs(expr, kind, _) | kind = 390) }
+
+from Expr expr, int kind, int kind_new, Location location
+where
+  exprs(expr, kind, location) and
+  if isExprRequires(expr) then kind_new = 1 else kind_new = kind
+select expr, kind_new, location
--- a/cpp/downgrades/6f5d51e89e762fe4609fd4ac8ee3afb04221e873/old.dbscheme
+++ b/cpp/downgrades/6f5d51e89e762fe4609fd4ac8ee3afb04221e873/old.dbscheme
--- a/cpp/downgrades/6f5d51e89e762fe4609fd4ac8ee3afb04221e873/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/6f5d51e89e762fe4609fd4ac8ee3afb04221e873/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/6f5d51e89e762fe4609fd4ac8ee3afb04221e873/upgrade.properties
+++ b/cpp/downgrades/6f5d51e89e762fe4609fd4ac8ee3afb04221e873/upgrade.properties
@@ -0,0 +1,3 @@
+description: Add requires expr
+compatibility: partial
+exprs.rel: run exprs.qlo
--- a/cpp/downgrades/7ff6a6e53dbcff09d1b9b758b594bc6d17366863/coroutine.ql
+++ b/cpp/downgrades/7ff6a6e53dbcff09d1b9b758b594bc6d17366863/coroutine.ql
@@ -0,0 +1,18 @@
+class Function extends @function {
+  string toString() { none() }
+}
+
+class Type extends @type {
+  string toString() { none() }
+}
+
+class Variable extends @variable {
+  string toString() { none() }
+}
+
+from Function func, Type traits, Variable handle, Variable promise
+where
+  coroutine(func, traits) and
+  coroutine_placeholder_variable(handle, 1, func) and
+  coroutine_placeholder_variable(promise, 2, func)
+select func, traits, handle, promise
--- a/cpp/downgrades/7ff6a6e53dbcff09d1b9b758b594bc6d17366863/old.dbscheme
+++ b/cpp/downgrades/7ff6a6e53dbcff09d1b9b758b594bc6d17366863/old.dbscheme
--- a/cpp/downgrades/7ff6a6e53dbcff09d1b9b758b594bc6d17366863/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/7ff6a6e53dbcff09d1b9b758b594bc6d17366863/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/7ff6a6e53dbcff09d1b9b758b594bc6d17366863/upgrade.properties
+++ b/cpp/downgrades/7ff6a6e53dbcff09d1b9b758b594bc6d17366863/upgrade.properties
@@ -0,0 +1,4 @@
+description: Improve handling of coroutine placeholder variables
+compatibility: full
+coroutine.rel: run coroutine.qlo
+coroutine_placeholder_variable.rel: delete
--- a/cpp/downgrades/e197626a6ebccd052d5c891975fccf8aebcc9803/old.dbscheme
+++ b/cpp/downgrades/e197626a6ebccd052d5c891975fccf8aebcc9803/old.dbscheme
--- a/cpp/downgrades/e197626a6ebccd052d5c891975fccf8aebcc9803/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/e197626a6ebccd052d5c891975fccf8aebcc9803/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/e197626a6ebccd052d5c891975fccf8aebcc9803/upgrade.properties
+++ b/cpp/downgrades/e197626a6ebccd052d5c891975fccf8aebcc9803/upgrade.properties
@@ -0,0 +1,3 @@
+description: Add relation between deduction guides and class templates
+compatibility: full
+deduction_guide_for_class.rel: delete
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,61 @@
+## 2.0.2
+
+### Minor Analysis Improvements
+
+* Added taint flow model for `fopen` and related functions.
+* The `SimpleRangeAnalysis` library (`semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis`) now generates more precise ranges for calls to `fgetc` and `getc`.
+
+## 2.0.1
+
+No user-facing changes.
+
+## 2.0.0
+
+### Breaking Changes
+
+* Deleted many deprecated taint-tracking configurations based on `TaintTracking::Configuration`. 
+* Deleted many deprecated dataflow configurations based on `DataFlow::Configuration`. 
+* Deleted the deprecated `hasQualifiedName` and `isDefined` predicates from the `Declaration` class, use `hasGlobalName` and `hasDefinition` respectively instead.
+* Deleted the `getFullSignature` predicate from the `Function` class, use `getIdentityString(Declaration)` from `semmle.code.cpp.Print` instead.
+* Deleted the deprecated `freeCall` predicate from `Alloc.qll`. Use `DeallocationExpr` instead.
+* Deleted the deprecated `explorationLimit` predicate from `DataFlow::Configuration`, use `FlowExploration<explorationLimit>` instead.
+* Deleted the deprecated `getFieldExpr` predicate from `ClassAggregateLiteral`, use `getAFieldExpr` instead.
+* Deleted the deprecated `getElementExpr` predicate from `ArrayOrVectorAggregateLiteral`, use `getAnElementExpr` instead.
+
+### New Features
+
+* Added a class `C11GenericExpr` to represent C11 generic selection expressions. The generic selection is represented as a `Conversion` on the expression that will be selected.
+* Added subclasses of `BuiltInOperations` for the `__is_scoped_enum`, `__is_trivially_equality_comparable`, and `__is_trivially_relocatable` builtin operations.
+* Added a subclass of `Expr` for `__datasizeof` expressions.
+
+### Minor Analysis Improvements
+
+* Added a data flow model for `swap` member functions, which were previously modeled as taint tracking functions. This change improves the precision of queries where flow through `swap` member functions might affect the results.
+* Added a data flow model for `realloc`-like functions, which were previously modeled as a taint tracking functions. This change improves the precision of queries where flow through `realloc`-like functions might affect the results.
+
+## 1.4.2
+
+No user-facing changes.
+
+## 1.4.1
+
+No user-facing changes.
+
+## 1.4.0
+
+### New Features
+
+* A `getTemplateClass` predicate was added to the `DeductionGuide` class to get the class template for which the deduction guide is a guide.
+* An `isExplicit` predicate was added to the `Function` class that determines whether the function was declared as explicit.
+* A `getExplicitExpr` predicate was added to the `Function` class that yields the constant boolean expression (if any) that conditionally determines whether the function is explicit.
+* A `isDestroyingDeleteDeallocation` predicate was added to the `NewOrNewArrayExpr` and `DeleteOrDeleteArrayExpr` classes to indicate whether the deallocation function is a destroying delete. 
+
+### Minor Analysis Improvements
+
+* The controlling expression of a `constexpr if` is now always recognized as an unevaluated expression.
+* Improved performance of alias analysis of large function bodies. In rare cases, alerts that depend on alias analysis of large function bodies may be affected.
+* A `UsingEnumDeclarationEntry` class has been added for C++ `using enum` declarations. As part of this, synthesized `UsingDeclarationEntry`s are no longer emitted for individual enumerators of the referenced enumeration.
+
 ## 1.3.0

 ### New Features
--- a/cpp/ql/lib/change-notes/2024-07-23-using-enum-declaration
+++ b/cpp/ql/lib/change-notes/2024-07-23-using-enum-declaration
@@ -1,4 +0,0 @@
---
-category: feature
---
-* A `isDestroyingDeleteDeallocation` predicate was added to the `NewOrNewArrayExpr` and `DeleteOrDeleteArrayExpr` classes to indicate whether the deallocation function is a destroying delete. 
--- a/cpp/ql/lib/change-notes/2024-07-23-using-enum-declaration.md
+++ b/cpp/ql/lib/change-notes/2024-07-23-using-enum-declaration.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* A `UsingEnumDeclarationEntry` class has been added for C++ `using enum` declarations. As part of this, synthesized `UsingDeclarationEntry`s are no longer emitted for individual enumerators of the referenced enumeration.
--- a/cpp/ql/lib/change-notes/2024-07-25-alias-analysis-perf.md
+++ b/cpp/ql/lib/change-notes/2024-07-25-alias-analysis-perf.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Improved performance of alias analysis of large function bodies. In rare cases, alerts that depend on alias analysis of large function bodies may be affected.
--- a/cpp/ql/lib/change-notes/2024-07-31-constexpr-if.md
+++ b/cpp/ql/lib/change-notes/2024-07-31-constexpr-if.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The controlling expression of a `constexpr if` is now always recognized as an unevaluated expression.
--- a/cpp/ql/lib/change-notes/released/1.4.0.md
+++ b/cpp/ql/lib/change-notes/released/1.4.0.md
@@ -0,0 +1,14 @@
+## 1.4.0
+
+### New Features
+
+* A `getTemplateClass` predicate was added to the `DeductionGuide` class to get the class template for which the deduction guide is a guide.
+* An `isExplicit` predicate was added to the `Function` class that determines whether the function was declared as explicit.
+* A `getExplicitExpr` predicate was added to the `Function` class that yields the constant boolean expression (if any) that conditionally determines whether the function is explicit.
+* A `isDestroyingDeleteDeallocation` predicate was added to the `NewOrNewArrayExpr` and `DeleteOrDeleteArrayExpr` classes to indicate whether the deallocation function is a destroying delete. 
+
+### Minor Analysis Improvements
+
+* The controlling expression of a `constexpr if` is now always recognized as an unevaluated expression.
+* Improved performance of alias analysis of large function bodies. In rare cases, alerts that depend on alias analysis of large function bodies may be affected.
+* A `UsingEnumDeclarationEntry` class has been added for C++ `using enum` declarations. As part of this, synthesized `UsingDeclarationEntry`s are no longer emitted for individual enumerators of the referenced enumeration.
--- a/cpp/ql/lib/change-notes/released/1.4.1.md
+++ b/cpp/ql/lib/change-notes/released/1.4.1.md
@@ -0,0 +1,3 @@
+## 1.4.1
+
+No user-facing changes.
--- a/cpp/ql/lib/change-notes/released/1.4.2.md
+++ b/cpp/ql/lib/change-notes/released/1.4.2.md
@@ -0,0 +1,3 @@
+## 1.4.2
+
+No user-facing changes.
--- a/cpp/ql/lib/change-notes/released/2.0.0.md
+++ b/cpp/ql/lib/change-notes/released/2.0.0.md
@@ -0,0 +1,23 @@
+## 2.0.0
+
+### Breaking Changes
+
+* Deleted many deprecated taint-tracking configurations based on `TaintTracking::Configuration`. 
+* Deleted many deprecated dataflow configurations based on `DataFlow::Configuration`. 
+* Deleted the deprecated `hasQualifiedName` and `isDefined` predicates from the `Declaration` class, use `hasGlobalName` and `hasDefinition` respectively instead.
+* Deleted the `getFullSignature` predicate from the `Function` class, use `getIdentityString(Declaration)` from `semmle.code.cpp.Print` instead.
+* Deleted the deprecated `freeCall` predicate from `Alloc.qll`. Use `DeallocationExpr` instead.
+* Deleted the deprecated `explorationLimit` predicate from `DataFlow::Configuration`, use `FlowExploration<explorationLimit>` instead.
+* Deleted the deprecated `getFieldExpr` predicate from `ClassAggregateLiteral`, use `getAFieldExpr` instead.
+* Deleted the deprecated `getElementExpr` predicate from `ArrayOrVectorAggregateLiteral`, use `getAnElementExpr` instead.
+
+### New Features
+
+* Added a class `C11GenericExpr` to represent C11 generic selection expressions. The generic selection is represented as a `Conversion` on the expression that will be selected.
+* Added subclasses of `BuiltInOperations` for the `__is_scoped_enum`, `__is_trivially_equality_comparable`, and `__is_trivially_relocatable` builtin operations.
+* Added a subclass of `Expr` for `__datasizeof` expressions.
+
+### Minor Analysis Improvements
+
+* Added a data flow model for `swap` member functions, which were previously modeled as taint tracking functions. This change improves the precision of queries where flow through `swap` member functions might affect the results.
+* Added a data flow model for `realloc`-like functions, which were previously modeled as a taint tracking functions. This change improves the precision of queries where flow through `realloc`-like functions might affect the results.
--- a/cpp/ql/lib/change-notes/released/2.0.1.md
+++ b/cpp/ql/lib/change-notes/released/2.0.1.md
@@ -0,0 +1,3 @@
+## 2.0.1
+
+No user-facing changes.
--- a/cpp/ql/lib/change-notes/released/2.0.2.md
+++ b/cpp/ql/lib/change-notes/released/2.0.2.md
@@ -0,0 +1,6 @@
+## 2.0.2
+
+### Minor Analysis Improvements
+
+* Added taint flow model for `fopen` and related functions.
+* The `SimpleRangeAnalysis` library (`semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis`) now generates more precise ranges for calls to `fgetc` and `getc`.
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.3.0
+lastReleaseVersion: 2.0.2
--- a/cpp/ql/lib/cpp.qll
+++ b/cpp/ql/lib/cpp.qll
@@ -17,6 +17,7 @@ import semmle.code.cpp.File
 import semmle.code.cpp.Linkage
 import semmle.code.cpp.Location
 import semmle.code.cpp.Compilation
+import semmle.code.cpp.Concept
 import semmle.code.cpp.Element
 import semmle.code.cpp.Namespace
 import semmle.code.cpp.Specifier
--- a/cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll
@@ -36,16 +36,6 @@ module PrivateCleartextWrite {
    }
  }

-  deprecated class WriteConfig extends TaintTracking::Configuration {
-    WriteConfig() { this = "Write configuration" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-  }
-
  private module WriteConfig implements DataFlow::ConfigSig {
    predicate isSource(DataFlow::Node source) { source instanceof Source }

--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 1.3.1-dev
+version: 2.0.2
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/lib/semmle/code/cpp/Concept.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Concept.qll
@@ -0,0 +1,14 @@
+/**
+ * Provides classes for working with C++ concepts.
+ */
+
+import semmle.code.cpp.exprs.Expr
+
+/**
+ * A C++ requires expression.
+ */
+class RequiresExpr extends Expr, @requires_expr {
+  override string toString() { result = "requires ..." }
+
+  override string getAPrimaryQlClass() { result = "RequiresExpr" }
+}
--- a/cpp/ql/lib/semmle/code/cpp/Declaration.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Declaration.qll
@@ -60,18 +60,6 @@ class Declaration extends Locatable, @declaration {
   */
  string getQualifiedName() { result = underlyingElement(this).(Q::Declaration).getQualifiedName() }

-  /**
-   * DEPRECATED: Prefer `hasGlobalName` or the 2-argument or 3-argument
-   * `hasQualifiedName` predicates. To get the exact same results as this
-   * predicate in all edge cases, use `getQualifiedName()`.
-   *
-   * Holds if this declaration has the fully-qualified name `qualifiedName`.
-   * See `getQualifiedName`.
-   */
-  deprecated predicate hasQualifiedName(string qualifiedName) {
-    this.getQualifiedName() = qualifiedName
-  }
-
  /**
   * Holds if this declaration has a fully-qualified name with a name-space
   * component of `namespaceQualifier`, a declaring type of `typeQualifier`,
@@ -185,9 +173,6 @@ class Declaration extends Locatable, @declaration {
  /** Holds if the declaration has a definition. */
  predicate hasDefinition() { exists(this.getDefinition()) }

-  /** DEPRECATED: Use `hasDefinition` instead. */
-  deprecated predicate isDefined() { this.hasDefinition() }
-
  /** Gets the preferred location of this declaration, if any. */
  override Location getLocation() { none() }

--- a/cpp/ql/lib/semmle/code/cpp/Function.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Function.qll
@@ -30,46 +30,6 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {

  override string getName() { functions(underlyingElement(this), result, _) }

-  /**
-   * DEPRECATED: Use `getIdentityString(Declaration)` from `semmle.code.cpp.Print` instead.
-   * Gets the full signature of this function, including return type, parameter
-   * types, and template arguments.
-   *
-   * For example, in the following code:
-   * ```
-   * template<typename T> T min(T x, T y);
-   * int z = min(5, 7);
-   * ```
-   * The full signature of the function called on the last line would be
-   * `min<int>(int, int) -> int`, and the full signature of the uninstantiated
-   * template on the first line would be `min<T>(T, T) -> T`.
-   */
-  deprecated string getFullSignature() {
-    exists(string name, string templateArgs, string args |
-      result = name + templateArgs + args + " -> " + this.getType().toString() and
-      name = this.getQualifiedName() and
-      (
-        if exists(this.getATemplateArgument())
-        then
-          templateArgs =
-            "<" +
-              concat(int i |
-                exists(this.getTemplateArgument(i))
-              |
-                this.getTemplateArgument(i).toString(), ", " order by i
-              ) + ">"
-        else templateArgs = ""
-      ) and
-      args =
-        "(" +
-          concat(int i |
-            exists(this.getParameter(i))
-          |
-            this.getParameter(i).getType().toString(), ", " order by i
-          ) + ")"
-    )
-  }
-
  /** Gets a specifier of this function. */
  override Specifier getASpecifier() {
    funspecifiers(underlyingElement(this), unresolveElement(result)) or
@@ -158,6 +118,26 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
   */
  predicate isConsteval() { this.hasSpecifier("is_consteval") }

+  /**
+   * Holds if this function is declared to be `explicit`.
+   */
+  predicate isExplicit() { this.hasSpecifier("explicit") }
+
+  /**
+   * Gets the constant expression that determines whether the function is explicit.
+   *
+   * For example, for the following code the result is the expression `sizeof(T) == 1`:
+   * ```
+   * template<typename T> struct C {
+   *   explicit(sizeof(T) == 1)
+   *   C(const T);
+   * };
+   * ```
+   */
+  Expr getExplicitExpr() {
+    explicit_specifier_exprs(underlyingElement(this), unresolveElement(result))
+  }
+
  /**
   * Holds if this function is declared with `__attribute__((naked))` or
   * `__declspec(naked)`.
@@ -520,6 +500,17 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
   * Gets the nearest enclosing AccessHolder.
   */
  override AccessHolder getEnclosingAccessHolder() { result = this.getDeclaringType() }
+
+  /**
+   * Holds if this function has extraction errors that create an `ErrorExpr`.
+   */
+  predicate hasErrors() {
+    exists(ErrorExpr e |
+      e.getEnclosingFunction() = this and
+      // Exclude the first allocator call argument because it is always extracted as `ErrorExpr`.
+      not exists(NewOrNewArrayExpr new | e = new.getAllocatorCall().getArgument(0))
+    )
+  }
 }

 pragma[noinline]
@@ -671,7 +662,8 @@ class FunctionDeclarationEntry extends DeclarationEntry, @fun_decl {

  /**
   * Holds if this declaration is an implicit function declaration, that is,
-   * where a function is used before it is declared (under older C standards).
+   * where a function is used before it is declared (under older C standards,
+   * or when there were parse errors).
   */
  predicate isImplicit() { fun_implicit(underlyingElement(this)) }

@@ -898,4 +890,11 @@ class UserDefinedLiteral extends Function {
 */
 class DeductionGuide extends Function {
  DeductionGuide() { functions(underlyingElement(this), _, 8) }
+
+  /**
+   * Gets the class template for which this is a deduction guide.
+   */
+  TemplateClass getTemplateClass() {
+    deduction_guide_for_class(underlyingElement(this), unresolveElement(result))
+  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/PrintAST.qll
+++ b/cpp/ql/lib/semmle/code/cpp/PrintAST.qll
@@ -80,6 +80,8 @@ private Declaration getAnEnclosingDeclaration(Locatable ast) {
  or
  result = ast.(Parameter).getFunction()
  or
+  result = ast.(Parameter).getCatchBlock().getEnclosingFunction()
+  or
  result = ast.(Expr).getEnclosingDeclaration()
  or
  result = ast.(Initializer).getDeclaration()
@@ -286,9 +288,6 @@ abstract class BaseAstNode extends PrintAstNode {
   * Gets the AST represented by this node.
   */
  final Locatable getAst() { result = ast }
-
-  /** DEPRECATED: Alias for getAst */
-  deprecated Locatable getAST() { result = this.getAst() }
 }

 /**
@@ -385,6 +384,21 @@ class CastNode extends ConversionNode {
  }
 }

+/**
+ * A node representing a `C11GenericExpr`.
+ */
+class C11GenericNode extends ConversionNode {
+  C11GenericExpr generic;
+
+  C11GenericNode() { generic = conv }
+
+  override AstNode getChildInternal(int childIndex) {
+    result = super.getChildInternal(childIndex - count(generic.getAChild()))
+    or
+    result.getAst() = generic.getChild(childIndex)
+  }
+}
+
 /**
 * A node representing a `StmtExpr`.
 */
@@ -498,6 +512,22 @@ class DeclStmtNode extends StmtNode {
  }
 }

+/**
+ * A node representing a `Handler`.
+ */
+class HandlerNode extends ChildStmtNode {
+  Handler handler;
+
+  HandlerNode() { handler = stmt }
+
+  override BaseAstNode getChildInternal(int childIndex) {
+    result = super.getChildInternal(childIndex)
+    or
+    childIndex = -1 and
+    result.getAst() = handler.getParameter()
+  }
+}
+
 /**
 * A node representing a `Parameter`.
 */
@@ -742,6 +772,8 @@ private predicate namedStmtChildPredicates(Locatable s, Element e, string pred)
    or
    s.(ConstexprIfStmt).getElse() = e and pred = "getElse()"
    or
+    s.(Handler).getParameter() = e and pred = "getParameter()"
+    or
    s.(IfStmt).getInitialization() = e and pred = "getInitialization()"
    or
    s.(IfStmt).getCondition() = e and pred = "getCondition()"
@@ -860,6 +892,15 @@ private predicate namedExprChildPredicates(Expr expr, Element ele, string pred)
    or
    expr.(BuiltInVarArgsStart).getLastNamedParameter() = ele and pred = "getLastNamedParameter()"
    or
+    expr.(C11GenericExpr).getControllingExpr() = ele and pred = "getControllingExpr()"
+    or
+    exists(int n |
+      expr.(C11GenericExpr).getAssociationType(n) = ele.(TypeName).getType() and
+      pred = "getAssociationType(" + n + ")"
+      or
+      expr.(C11GenericExpr).getAssociationExpr(n) = ele and pred = "getAssociationExpr(" + n + ")"
+    )
+    or
    expr.(Call).getQualifier() = ele and pred = "getQualifier()"
    or
    exists(int n | expr.(Call).getArgument(n) = ele and pred = "getArgument(" + n.toString() + ")")
--- a/cpp/ql/lib/semmle/code/cpp/Type.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Type.qll
@@ -39,8 +39,8 @@ class Type extends Locatable, @type {

  /**
   * Gets a specifier of this type, recursively looking through `typedef` and
-   * `decltype`. For example, in the context of `typedef const int *restrict
-   * t`, the type `volatile t` has specifiers `volatile` and `restrict` but not
+   * `decltype`. For example, in the context of `typedef const int *restrict t`,
+   * the type `volatile t` has specifiers `volatile` and `restrict` but not
   * `const` since the `const` is attached to the type being pointed to rather
   * than the pointer itself.
   */
--- a/cpp/ql/lib/semmle/code/cpp/Variable.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Variable.qll
@@ -409,11 +409,18 @@ class LocalVariable extends LocalScopeVariable, @localvariable {
    exists(ConditionDeclExpr e | e.getVariable() = this and e.getEnclosingFunction() = result)
    or
    orphaned_variables(underlyingElement(this), unresolveElement(result))
+    or
+    coroutine_placeholder_variable(underlyingElement(this), _, unresolveElement(result))
  }

  override predicate isStatic() {
    super.isStatic() or orphaned_variables(underlyingElement(this), _)
  }
+
+  override predicate isCompilerGenerated() {
+    super.isCompilerGenerated() or
+    coroutine_placeholder_variable(underlyingElement(this), _, _)
+  }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/commons/Alloc.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Alloc.qll
@@ -7,15 +7,6 @@ import semmle.code.cpp.models.interfaces.Deallocation
 */
 predicate freeFunction(Function f, int argNum) { argNum = f.(DeallocationFunction).getFreedArg() }

-/**
- * A call to a library routine that frees memory.
- *
- * DEPRECATED: Use `DeallocationExpr` instead (this also includes `delete` expressions).
- */
-deprecated predicate freeCall(FunctionCall fc, Expr arg) {
-  arg = fc.(DeallocationExpr).getFreedExpr()
-}
-
 /**
 * Is e some kind of allocation or deallocation (`new`, `alloc`, `realloc`, `delete`, `free` etc)?
 */
--- a/cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll
@@ -57,7 +57,7 @@ private int isSource(Expr bufferExpr, Element why) {
  exists(Type bufferType |
    // buffer is the address of a variable
    why = bufferExpr.(AddressOfExpr).getAddressable() and
-    bufferType = why.(Variable).getType() and
+    bufferType = why.(Variable).getUnspecifiedType() and
    result = bufferType.getSize() and
    not bufferType instanceof ReferenceType and
    not any(Union u).getAMemberVariable() = why
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll
@@ -953,21 +953,3 @@ private class SummarizedCallableAdapter extends SummarizedCallable {
    interpretSummary(this, _, _, _, provenance, _)
  }
 }
-
-// adapter class for converting Mad neutrals to `NeutralCallable`s
-private class NeutralCallableAdapter extends NeutralCallable {
-  string kind;
-  string provenance_;
-
-  NeutralCallableAdapter() {
-    // Neutral models have not been implemented for CPP.
-    none() and
-    exists(this) and
-    exists(kind) and
-    exists(provenance_)
-  }
-
-  override string getKind() { result = kind }
-
-  override predicate hasProvenance(Provenance provenance) { provenance = provenance_ }
-}
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll
@@ -168,14 +168,6 @@ abstract deprecated class Configuration extends string {
   */
  predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }

-  /**
-   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
-   *
-   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
-   * measured in approximate number of interprocedural steps.
-   */
-  deprecated int explorationLimit() { none() }
-
  /**
   * Holds if hidden nodes should be included in the data flow graph.
   *
@@ -290,15 +282,9 @@ deprecated private module Config implements FullStateConfigSig {

  FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }

-  predicate sourceGrouping(Node source, string sourceGroup) {
-    any(Configuration config).sourceGrouping(source, sourceGroup)
-  }
-
-  predicate sinkGrouping(Node sink, string sinkGroup) {
-    any(Configuration config).sinkGrouping(sink, sinkGroup)
-  }
-
  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+
+  predicate observeDiffInformedIncrementalMode() { none() }
 }

 deprecated private import Impl<Config> as I
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -168,14 +168,6 @@ abstract deprecated class Configuration extends string {
   */
  predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }

-  /**
-   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
-   *
-   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
-   * measured in approximate number of interprocedural steps.
-   */
-  deprecated int explorationLimit() { none() }
-
  /**
   * Holds if hidden nodes should be included in the data flow graph.
   *
@@ -290,15 +282,9 @@ deprecated private module Config implements FullStateConfigSig {

  FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }

-  predicate sourceGrouping(Node source, string sourceGroup) {
-    any(Configuration config).sourceGrouping(source, sourceGroup)
-  }
-
-  predicate sinkGrouping(Node sink, string sinkGroup) {
-    any(Configuration config).sinkGrouping(sink, sinkGroup)
-  }
-
  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+
+  predicate observeDiffInformedIncrementalMode() { none() }
 }

 deprecated private import Impl<Config> as I
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -168,14 +168,6 @@ abstract deprecated class Configuration extends string {
   */
  predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }

-  /**
-   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
-   *
-   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
-   * measured in approximate number of interprocedural steps.
-   */
-  deprecated int explorationLimit() { none() }
-
  /**
   * Holds if hidden nodes should be included in the data flow graph.
   *
@@ -290,15 +282,9 @@ deprecated private module Config implements FullStateConfigSig {

  FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }

-  predicate sourceGrouping(Node source, string sourceGroup) {
-    any(Configuration config).sourceGrouping(source, sourceGroup)
-  }
-
-  predicate sinkGrouping(Node sink, string sinkGroup) {
-    any(Configuration config).sinkGrouping(sink, sinkGroup)
-  }
-
  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+
+  predicate observeDiffInformedIncrementalMode() { none() }
 }

 deprecated private import Impl<Config> as I
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -168,14 +168,6 @@ abstract deprecated class Configuration extends string {
   */
  predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }

-  /**
-   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
-   *
-   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
-   * measured in approximate number of interprocedural steps.
-   */
-  deprecated int explorationLimit() { none() }
-
  /**
   * Holds if hidden nodes should be included in the data flow graph.
   *
@@ -290,15 +282,9 @@ deprecated private module Config implements FullStateConfigSig {

  FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }

-  predicate sourceGrouping(Node source, string sourceGroup) {
-    any(Configuration config).sourceGrouping(source, sourceGroup)
-  }
-
-  predicate sinkGrouping(Node sink, string sinkGroup) {
-    any(Configuration config).sinkGrouping(sink, sinkGroup)
-  }
-
  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+
+  predicate observeDiffInformedIncrementalMode() { none() }
 }

 deprecated private import Impl<Config> as I
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -168,14 +168,6 @@ abstract deprecated class Configuration extends string {
   */
  predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }

-  /**
-   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
-   *
-   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
-   * measured in approximate number of interprocedural steps.
-   */
-  deprecated int explorationLimit() { none() }
-
  /**
   * Holds if hidden nodes should be included in the data flow graph.
   *
@@ -290,15 +282,9 @@ deprecated private module Config implements FullStateConfigSig {

  FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }

-  predicate sourceGrouping(Node source, string sourceGroup) {
-    any(Configuration config).sourceGrouping(source, sourceGroup)
-  }
-
-  predicate sinkGrouping(Node sink, string sinkGroup) {
-    any(Configuration config).sinkGrouping(sink, sinkGroup)
-  }
-
  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+
+  predicate observeDiffInformedIncrementalMode() { none() }
 }

 deprecated private import Impl<Config> as I
--- a/cpp/ql/lib/semmle/code/cpp/exprs/BuiltInOperations.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/BuiltInOperations.qll
@@ -1885,3 +1885,59 @@ class BuiltInOperationIsWinInterface extends BuiltInOperation, @iswininterface {

  override string getAPrimaryQlClass() { result = "BuiltInOperationIsWinInterface" }
 }
+
+/**
+ * A C++ `__is_trivially_equality_comparable` built-in operation.
+ *
+ * Returns `true` if comparing two objects of type `_Tp` is equivalent to
+ * comparing their object representations.
+ *
+ * ```
+ * template<typename _Tp>
+ *   struct is_trivially_equality_comparable
+ *   : public integral_constant<bool, __is_trivially_equality_comparable(_Tp)>
+ *   {};
+ * ```
+ */
+class BuiltInOperationIsTriviallyEqualityComparable extends BuiltInOperation,
+  @istriviallyequalitycomparable
+{
+  override string toString() { result = "__is_trivially_equality_comparable" }
+
+  override string getAPrimaryQlClass() { result = "BuiltInOperationIsTriviallyEqualityComparable" }
+}
+
+/**
+ * A C++ `__is_scoped_enum` built-in operation (used by some implementations
+ * of the `<type_traits>` header).
+ *
+ * Returns `true` if a type is a scoped enum.
+ * ```
+ * template<typename _Tp>
+ * constexpr bool is_scoped_enum = __is_scoped_enum(_Tp);
+ * ```
+ */
+class BuiltInOperationIsScopedEnum extends BuiltInOperation, @isscopedenum {
+  override string toString() { result = "__is_scoped_enum" }
+
+  override string getAPrimaryQlClass() { result = "BuiltInOperationIsScopedEnum" }
+}
+
+/**
+ * A C++ `__is_trivially_relocatable` built-in operation.
+ *
+ * Returns `true` if moving an object of type `_Tp` is equivalent to
+ * copying the underlying bytes.
+ *
+ * ```
+ * template<typename _Tp>
+ *   struct is_trivially_relocatable
+ *   : public integral_constant<bool, __is_trivially_relocatable(_Tp)>
+ *   {};
+ * ```
+ */
+class BuiltInOperationIsTriviallyRelocatable extends BuiltInOperation, @istriviallyrelocatable {
+  override string toString() { result = "__is_trivially_relocatable" }
+
+  override string getAPrimaryQlClass() { result = "BuiltInOperationIsTriviallyRelocatable" }
+}
--- a/cpp/ql/lib/semmle/code/cpp/exprs/Cast.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/Cast.qll
@@ -791,6 +791,53 @@ class AlignofTypeOperator extends AlignofOperator {
  override string toString() { result = "alignof(" + this.getTypeOperand().getName() + ")" }
 }

+/**
+ * A C++ `__datasizeof` expression (used by some implementations
+ * of the `<type_traits>` header).
+ *
+ * The `__datasizeof` expression behaves identically to `sizeof` except
+ * that the result ignores tail padding.
+ */
+class DatasizeofOperator extends Expr, @datasizeof {
+  override int getPrecedence() { result = 16 }
+}
+
+/**
+ * A C++ `__datasizeof` expression whose operand is an expression.
+ */
+class DatasizeofExprOperator extends DatasizeofOperator {
+  DatasizeofExprOperator() { exists(this.getChild(0)) }
+
+  override string getAPrimaryQlClass() { result = "DatasizeofExprOperator" }
+
+  /** Gets the contained expression. */
+  Expr getExprOperand() { result = this.getChild(0) }
+
+  override string toString() { result = "__datasizeof(<expr>)" }
+
+  override predicate mayBeImpure() { this.getExprOperand().mayBeImpure() }
+
+  override predicate mayBeGloballyImpure() { this.getExprOperand().mayBeGloballyImpure() }
+}
+
+/**
+ * A C++ `__datasizeof` expression whose operand is a type name.
+ */
+class DatasizeofTypeOperator extends DatasizeofOperator {
+  DatasizeofTypeOperator() { sizeof_bind(underlyingElement(this), _) }
+
+  override string getAPrimaryQlClass() { result = "DatasizeofTypeOperator" }
+
+  /** Gets the contained type. */
+  Type getTypeOperand() { sizeof_bind(underlyingElement(this), unresolveElement(result)) }
+
+  override string toString() { result = "__datasizeof(" + this.getTypeOperand().getName() + ")" }
+
+  override predicate mayBeImpure() { none() }
+
+  override predicate mayBeGloballyImpure() { none() }
+}
+
 /**
 * A C/C++ array to pointer conversion.
 *
--- a/cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll
@@ -304,6 +304,8 @@ class Expr extends StmtParent, @expr {
      e instanceof NoExceptExpr
      or
      e instanceof AlignofOperator
+      or
+      e instanceof DatasizeofOperator
    )
    or
    exists(Decltype d | d.getExpr() = this.getParentWithConversions*())
@@ -630,6 +632,106 @@ class ParenthesisExpr extends Conversion, @parexpr {
  override string getAPrimaryQlClass() { result = "ParenthesisExpr" }
 }

+/**
+ * A node representing a C11 `_Generic` selection expression.
+ *
+ * For example:
+ * ```
+ * _Generic(e, int: "int", default: "unknown")
+ * ```
+ */
+class C11GenericExpr extends Conversion, @c11_generic {
+  int associationCount;
+
+  C11GenericExpr() { associationCount = (count(this.getAChild()) - 1) / 2 }
+
+  override string toString() { result = "_Generic" }
+
+  override string getAPrimaryQlClass() { result = "C11GenericExpr" }
+
+  /**
+   * Gets the controlling expression of the generic selection.
+   *
+   * For example, for
+   * ```
+   * _Generic(e, int: "a", default: "b")
+   * ```
+   * the result is `e`.
+   */
+  Expr getControllingExpr() { result = this.getChild(0) }
+
+  /**
+   * Gets the type of the `n`th element in the association list of the generic selection.
+   *
+   * For example, for
+   * ```
+   * _Generic(e, int: "a", default: "b")
+   * ```
+   * the type of the 0th element is `int`. In the case of the default element the
+   * type will an instance of `VoidType`.
+   */
+  Type getAssociationType(int n) {
+    n in [0 .. associationCount - 1] and
+    result = this.getChild(n * 2 + 1).(TypeName).getType()
+  }
+
+  /**
+   * Gets the type of an element in the association list of the generic selection.
+   */
+  Type getAnAssociationType() { result = this.getAssociationType(_) }
+
+  /**
+   * Gets the expression of the `n`th element in the association list of
+   * the generic selection.
+   *
+   * For example, for
+   * ```
+   * _Generic(e, int: "a", default: "b")
+   * ```
+   * the expression for 0th element is `"a"`, and the expression for the
+   * 1st element is `"b"`. For the selected expression, this predicate
+   * will yield a `ReuseExpr`, such that
+   * ```
+   * this.getAssociationExpr(n).(ReuseExpr).getReusedExpr() = this.getExpr()
+   * ```
+   */
+  Expr getAssociationExpr(int n) {
+    n in [0 .. associationCount - 1] and
+    result = this.getChild(n * 2 + 2)
+  }
+
+  /**
+   * Gets the expression of an element in the association list of the generic selection.
+   */
+  Expr getAnAssociationExpr() { result = this.getAssociationExpr(_) }
+
+  /**
+   * Holds if the `n`th element of the association list of the generic selection is the
+   * default element.
+   *
+   * For example, for
+   * ```
+   * _Generic(e, int: "a", default: "b")
+   * ```
+   * this holds for 1.
+   */
+  predicate isDefaultAssociation(int n) { this.getAssociationType(n) instanceof VoidType }
+
+  /**
+   * Holds if the `n`th element of the association list of the generic selection is the
+   * one whose expression was selected.
+   *
+   * For example, with `e` of type `int` and
+   * ```
+   * _Generic(e, int: "a", default: "b")
+   * ```
+   * this holds for 0.
+   */
+  predicate isSelectedAssociation(int n) {
+    this.getAssociationExpr(n).(ReuseExpr).getReusedExpr() = this.getExpr()
+  }
+}
+
 /**
 * A C/C++ expression that could not be resolved, or that can no longer be
 * represented due to a database upgrade or downgrade.
@@ -666,6 +768,8 @@ class AssumeExpr extends Expr, @assume {

 /**
 * A C/C++ comma expression.
+ *
+ * For example:
 * ```
 * int c = compute1(), compute2(), resulting_value;
 * ```
--- a/cpp/ql/lib/semmle/code/cpp/exprs/Literal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/Literal.qll
@@ -195,17 +195,6 @@ class ClassAggregateLiteral extends AggregateLiteral {
   */
  Expr getAFieldExpr(Field field) { result = this.getFieldExpr(field, _) }

-  /**
-   * DEPRECATED: Use `getAFieldExpr` instead.
-   *
-   * Gets the expression within the aggregate literal that is used to initialize
-   * field `field`, if present.
-   *
-   * This predicate may have multiple results since a field can be initialized
-   * multiple times in the same initializer.
-   */
-  deprecated Expr getFieldExpr(Field field) { result = this.getFieldExpr(field, _) }
-
  /**
   * Gets the expression within the aggregate literal that is used to initialize
   * field `field`, if present. The expression is the `position`'th entry in the
@@ -300,17 +289,6 @@ class ArrayOrVectorAggregateLiteral extends AggregateLiteral {
   */
  Expr getAnElementExpr(int elementIndex) { result = this.getElementExpr(elementIndex, _) }

-  /**
-   * DEPRECATED: Use `getAnElementExpr` instead.
-   *
-   * Gets the expression within the aggregate literal that is used to initialize
-   * element `elementIndex`, if present.
-   *
-   * This predicate may have multiple results since an element can be initialized
-   * multiple times in the same initializer.
-   */
-  deprecated Expr getElementExpr(int elementIndex) { result = this.getElementExpr(elementIndex, _) }
-
  /**
   * Gets the expression within the aggregate literal that is used to initialize
   * element `elementIndex`, if present. The expression is the `position`'th entry
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll
@@ -168,14 +168,6 @@ abstract deprecated class Configuration extends string {
   */
  predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }

-  /**
-   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
-   *
-   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
-   * measured in approximate number of interprocedural steps.
-   */
-  deprecated int explorationLimit() { none() }
-
  /**
   * Holds if hidden nodes should be included in the data flow graph.
   *
@@ -290,15 +282,9 @@ deprecated private module Config implements FullStateConfigSig {

  FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }

-  predicate sourceGrouping(Node source, string sourceGroup) {
-    any(Configuration config).sourceGrouping(source, sourceGroup)
-  }
-
-  predicate sinkGrouping(Node sink, string sinkGroup) {
-    any(Configuration config).sinkGrouping(sink, sinkGroup)
-  }
-
  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+
+  predicate observeDiffInformedIncrementalMode() { none() }
 }

 deprecated private import Impl<Config> as I
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -168,14 +168,6 @@ abstract deprecated class Configuration extends string {
   */
  predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }

-  /**
-   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
-   *
-   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
-   * measured in approximate number of interprocedural steps.
-   */
-  deprecated int explorationLimit() { none() }
-
  /**
   * Holds if hidden nodes should be included in the data flow graph.
   *
@@ -290,15 +282,9 @@ deprecated private module Config implements FullStateConfigSig {

  FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }

-  predicate sourceGrouping(Node source, string sourceGroup) {
-    any(Configuration config).sourceGrouping(source, sourceGroup)
-  }
-
-  predicate sinkGrouping(Node sink, string sinkGroup) {
-    any(Configuration config).sinkGrouping(sink, sinkGroup)
-  }
-
  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+
+  predicate observeDiffInformedIncrementalMode() { none() }
 }

 deprecated private import Impl<Config> as I
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -168,14 +168,6 @@ abstract deprecated class Configuration extends string {
   */
  predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }

-  /**
-   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
-   *
-   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
-   * measured in approximate number of interprocedural steps.
-   */
-  deprecated int explorationLimit() { none() }
-
  /**
   * Holds if hidden nodes should be included in the data flow graph.
   *
@@ -290,15 +282,9 @@ deprecated private module Config implements FullStateConfigSig {

  FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }

-  predicate sourceGrouping(Node source, string sourceGroup) {
-    any(Configuration config).sourceGrouping(source, sourceGroup)
-  }
-
-  predicate sinkGrouping(Node sink, string sinkGroup) {
-    any(Configuration config).sinkGrouping(sink, sinkGroup)
-  }
-
  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+
+  predicate observeDiffInformedIncrementalMode() { none() }
 }

 deprecated private import Impl<Config> as I
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -168,14 +168,6 @@ abstract deprecated class Configuration extends string {
   */
  predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }

-  /**
-   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
-   *
-   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
-   * measured in approximate number of interprocedural steps.
-   */
-  deprecated int explorationLimit() { none() }
-
  /**
   * Holds if hidden nodes should be included in the data flow graph.
   *
@@ -290,15 +282,9 @@ deprecated private module Config implements FullStateConfigSig {

  FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }

-  predicate sourceGrouping(Node source, string sourceGroup) {
-    any(Configuration config).sourceGrouping(source, sourceGroup)
-  }
-
-  predicate sinkGrouping(Node sink, string sinkGroup) {
-    any(Configuration config).sinkGrouping(sink, sinkGroup)
-  }
-
  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+
+  predicate observeDiffInformedIncrementalMode() { none() }
 }

 deprecated private import Impl<Config> as I
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll
@@ -546,7 +546,7 @@ module ProductFlow {
      Flow1::PathGraph::edges(pred1, succ1, _, _) and
      exists(ReturnKindExt returnKind |
        succ1.getNode() = returnKind.getAnOutNode(call) and
-        paramReturnNode(_, pred1.asParameterReturnNode(), _, returnKind)
+        returnKind = getParamReturnPosition(_, pred1.asParameterReturnNode()).getKind()
      )
    }

@@ -574,7 +574,7 @@ module ProductFlow {
      Flow2::PathGraph::edges(pred2, succ2, _, _) and
      exists(ReturnKindExt returnKind |
        succ2.getNode() = returnKind.getAnOutNode(call) and
-        paramReturnNode(_, pred2.asParameterReturnNode(), _, returnKind)
+        returnKind = getParamReturnPosition(_, pred2.asParameterReturnNode()).getKind()
      )
    }

--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll
@@ -50,9 +50,6 @@ abstract private class AbstractIRVariable extends TIRVariable {
   */
  abstract Language::AST getAst();

-  /** DEPRECATED: Alias for getAst */
-  deprecated Language::AST getAST() { result = this.getAst() }
-
  /**
   * Gets an identifier string for the variable. This identifier is unique
   * within the function.
@@ -96,9 +93,6 @@ class IRUserVariable extends AbstractIRVariable, TIRUserVariable {

  final override Language::AST getAst() { result = var }

-  /** DEPRECATED: Alias for getAst */
-  deprecated override Language::AST getAST() { result = this.getAst() }
-
  final override string getUniqueId() {
    result = this.getVariable().toString() + " " + this.getVariable().getLocation().toString()
  }
@@ -163,9 +157,6 @@ abstract private class AbstractIRGeneratedVariable extends AbstractIRVariable {

  final override Language::AST getAst() { result = ast }

-  /** DEPRECATED: Alias for getAst */
-  deprecated override Language::AST getAST() { result = this.getAst() }
-
  override string toString() { result = this.getBaseString() + this.getLocationString() }

  override string getUniqueId() { none() }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll
@@ -6,6 +6,112 @@
 * uses, however, it is better to write a query that imports `PrintIR.qll`, extends
 * `PrintIRConfiguration`, and overrides `shouldPrintDeclaration()` to select a subset of declarations
 * to dump.
+ *
+ * Anatomy of a printed IR instruction
+ *
+ * An instruction:
+ *
+ * ```
+ * # 2281|     v2281_19(void) = Call[~String]     : func:r2281_18, this:r2281_17
+ * ```
+ *
+ * The prefix `# 2281|` specifies that this instruction was generated by the C++ source code on line 2281.
+ * Scrolling up in the printed output, one will eventually find the name of the file to which the line
+ * belongs.
+ *
+ * `v2281_19(void)` is the result of the instruction. Here, `v` means this is a void result or operand (so
+ * there should be no later uses of the result; see below for other possible values). The `2281_19` is a
+ * unique ID for the result. This is usually just the line number plus a small integer suffix to make it
+ * unique within the function. The type of the result is `void`. In this case, it is `void`, because
+ * `~String` returns `void`. The type of the result is usually just the name of the appropriate C++ type,
+ * but it will sometimes be a type like `glval<int>`, which means result holds a glvalue, which at the
+ * IR level works like a pointer. In other words, in the source code the type was `int`, but it is really
+ * more like an `int*`. We see this, for example, in `x = y;`, where `x` is a glvalue.
+ *
+ * `Call` is the opcode of the instruction. Common opcodes include:
+ *
+ * * Arithmetic operations: `Add`, `Sub`, `Mul`, etc.
+ * * Memory access operations: `Load`, `Store`.
+ * * Function calls: `Call`.
+ * * Literals: `Constant`.
+ * * Variable addresses: `VariableAddress`.
+ * * Function entry points: `EnterFunction`.
+ * * Return from a function: `Return`, `ReturnVoid`. Note that the value being returned is set separately by a
+ *   `Store` to a special `#return` variable.
+ * * Stack unwinding for C++ function that throw and where the exception escapes the function: `Unwind`.
+ * * Common exit point for `Unwind` and `Return`: `ExitFunction`.
+ * * SSA-related opcodes: `Phi`, `Chi`.
+ *
+ * `[~String]` denotes additional information. The information might be present earlier in the IR, as is the case
+ * for `Call`, where it is the name of the called function. This is also the case for `Load` and `Store`, where it
+ * is the name of the variable that loaded or stored (if known). In the case of `Constant`, `FieldAddress`, and
+ * `VariableAddress`, the information between brackets does not occur earlier.
+ *
+ * `func:r2281_18` and `this:r28281_17` are the operands of the instruction. The `func:` prefix denotes the operand
+ * that holds the address of the called function. The `this:` prefix denotes the argument to the special `this`
+ * parameter of an instance member function. `r2281_18`, `r2281_17` are the unique IDs of the operands. Each of these
+ * matches the ID of a previously seen result, showing where that value came from. The `r` means that these are
+ * "register" operands (see below).
+ *
+ * Result and operand kinds:
+ *
+ * Every result and operand is one of these three kinds:
+ *
+ * * `r` "register". These operands are not stored in any particular memory location. We can think of them as
+ *   temporary values created during the evaluation of an expression. A register operand almost always has one
+ *   use, often in the same block as its definition.
+ * *  `m` "memory". These operands represents accesses to a specific memory location. The location could be a
+ *    local variable, a global variable, a field of an object, an element of an array, or any memory that we happen
+ *    to have a pointer to. These only occur as the result of a `Store`, the source operand of a `Load` or on the
+ *    SSA instructions (`Phi`, `Chi`).
+ * * `v` "void". Really just a register operand, but we mark register operands of type void with this special prefix
+ *   so we know that there is no actual value there.
+ *
+ * Branches in the IR:
+ *
+ * The IR is divided into basic blocks. At the end of each block, there are one or more edges showing the possible
+ * control flow successors of the block.
+ *
+ * ```
+ * #   44|     v44_3(void)    = ConditionalBranch : r44_2
+ * #-----|   False -> Block 4
+ * #-----|   True -> Block 3
+ * ```
+ * Here we have a block that ends with a conditional branch. The two edges show where the control flows to depending
+ * on whether the condition is true or false.
+ *
+ * SSA instructions:
+ *
+ * We use `Phi` instructions in SSA to create a single definition for a variable that might be assigned on multiple
+ * control flow paths. The `Phi` instruction merges the potential values of that variable from each predecessor edge,
+ * and the resulting definition is then used wherever that variable is accessed later on.
+ *
+ * When dealing with aliased memory, we use the `Chi` instruction to create a single definition for memory that might
+ * or might not have been updated by a store, depending on the actual address that was written to. For example, take:
+ *
+ * ```cpp
+ * int x = 5;
+ * int y = 7;
+ * int* p = condition ? &x : &y;
+ * *p = 6;
+ * return x;
+ * ```
+ *
+ * At the point where we store to `*p`, we do not know whether `p` points to `x` or `y`. Thus, we do not know whether
+ * `return x;` is going to return the value that `x` was originally initialized to (5), or whether it will return 6,
+ *  because it was overwritten by `*p = 6;`. We insert a `Chi` instruction immediately after the store to `*p`:
+ *
+ * ```
+ * r2(int)     = Constant[6]
+ * r3(int*)    = <<value of p>>
+ * m4(int)     = Store           : &r3, r2  // Stores the constant 6 to *p
+ * m5(unknown) = Chi             : total:m1, partial:m4
+ * ```
+ * The `partial:` operand represents the memory that was just stored. The `total:` operand represents the previous
+ * contents of all of the memory that `p` might have pointed to (in this case, both `x` and `y`). The result of the
+ * `Chi` represents the new contents of whatever memory the `total:` operand referred to. We usually do not know exactly
+ * which parts of that memory were overwritten, but it does model that any of that memory could have been modified, so
+ * that later instructions do not assume that the memory was unchanged.
 */

 private import internal.IRInternal
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll
@@ -285,9 +285,6 @@ abstract private class MemoryLocation0 extends TMemoryLocation {
  predicate isAlwaysAllocatedOnStack() { none() }

  final predicate canReuseSsa() { none() }
-
-  /** DEPRECATED: Alias for canReuseSsa */
-  deprecated predicate canReuseSSA() { this.canReuseSsa() }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRVariable.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRVariable.qll
@@ -50,9 +50,6 @@ abstract private class AbstractIRVariable extends TIRVariable {
   */
  abstract Language::AST getAst();

-  /** DEPRECATED: Alias for getAst */
-  deprecated Language::AST getAST() { result = this.getAst() }
-
  /**
   * Gets an identifier string for the variable. This identifier is unique
   * within the function.
@@ -96,9 +93,6 @@ class IRUserVariable extends AbstractIRVariable, TIRUserVariable {

  final override Language::AST getAst() { result = var }

-  /** DEPRECATED: Alias for getAst */
-  deprecated override Language::AST getAST() { result = this.getAst() }
-
  final override string getUniqueId() {
    result = this.getVariable().toString() + " " + this.getVariable().getLocation().toString()
  }
@@ -163,9 +157,6 @@ abstract private class AbstractIRGeneratedVariable extends AbstractIRVariable {

  final override Language::AST getAst() { result = ast }

-  /** DEPRECATED: Alias for getAst */
-  deprecated override Language::AST getAST() { result = this.getAst() }
-
  override string toString() { result = this.getBaseString() + this.getLocationString() }

  override string getUniqueId() { none() }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/PrintIR.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/PrintIR.qll
@@ -6,6 +6,112 @@
 * uses, however, it is better to write a query that imports `PrintIR.qll`, extends
 * `PrintIRConfiguration`, and overrides `shouldPrintDeclaration()` to select a subset of declarations
 * to dump.
+ *
+ * Anatomy of a printed IR instruction
+ *
+ * An instruction:
+ *
+ * ```
+ * # 2281|     v2281_19(void) = Call[~String]     : func:r2281_18, this:r2281_17
+ * ```
+ *
+ * The prefix `# 2281|` specifies that this instruction was generated by the C++ source code on line 2281.
+ * Scrolling up in the printed output, one will eventually find the name of the file to which the line
+ * belongs.
+ *
+ * `v2281_19(void)` is the result of the instruction. Here, `v` means this is a void result or operand (so
+ * there should be no later uses of the result; see below for other possible values). The `2281_19` is a
+ * unique ID for the result. This is usually just the line number plus a small integer suffix to make it
+ * unique within the function. The type of the result is `void`. In this case, it is `void`, because
+ * `~String` returns `void`. The type of the result is usually just the name of the appropriate C++ type,
+ * but it will sometimes be a type like `glval<int>`, which means result holds a glvalue, which at the
+ * IR level works like a pointer. In other words, in the source code the type was `int`, but it is really
+ * more like an `int*`. We see this, for example, in `x = y;`, where `x` is a glvalue.
+ *
+ * `Call` is the opcode of the instruction. Common opcodes include:
+ *
+ * * Arithmetic operations: `Add`, `Sub`, `Mul`, etc.
+ * * Memory access operations: `Load`, `Store`.
+ * * Function calls: `Call`.
+ * * Literals: `Constant`.
+ * * Variable addresses: `VariableAddress`.
+ * * Function entry points: `EnterFunction`.
+ * * Return from a function: `Return`, `ReturnVoid`. Note that the value being returned is set separately by a
+ *   `Store` to a special `#return` variable.
+ * * Stack unwinding for C++ function that throw and where the exception escapes the function: `Unwind`.
+ * * Common exit point for `Unwind` and `Return`: `ExitFunction`.
+ * * SSA-related opcodes: `Phi`, `Chi`.
+ *
+ * `[~String]` denotes additional information. The information might be present earlier in the IR, as is the case
+ * for `Call`, where it is the name of the called function. This is also the case for `Load` and `Store`, where it
+ * is the name of the variable that loaded or stored (if known). In the case of `Constant`, `FieldAddress`, and
+ * `VariableAddress`, the information between brackets does not occur earlier.
+ *
+ * `func:r2281_18` and `this:r28281_17` are the operands of the instruction. The `func:` prefix denotes the operand
+ * that holds the address of the called function. The `this:` prefix denotes the argument to the special `this`
+ * parameter of an instance member function. `r2281_18`, `r2281_17` are the unique IDs of the operands. Each of these
+ * matches the ID of a previously seen result, showing where that value came from. The `r` means that these are
+ * "register" operands (see below).
+ *
+ * Result and operand kinds:
+ *
+ * Every result and operand is one of these three kinds:
+ *
+ * * `r` "register". These operands are not stored in any particular memory location. We can think of them as
+ *   temporary values created during the evaluation of an expression. A register operand almost always has one
+ *   use, often in the same block as its definition.
+ * *  `m` "memory". These operands represents accesses to a specific memory location. The location could be a
+ *    local variable, a global variable, a field of an object, an element of an array, or any memory that we happen
+ *    to have a pointer to. These only occur as the result of a `Store`, the source operand of a `Load` or on the
+ *    SSA instructions (`Phi`, `Chi`).
+ * * `v` "void". Really just a register operand, but we mark register operands of type void with this special prefix
+ *   so we know that there is no actual value there.
+ *
+ * Branches in the IR:
+ *
+ * The IR is divided into basic blocks. At the end of each block, there are one or more edges showing the possible
+ * control flow successors of the block.
+ *
+ * ```
+ * #   44|     v44_3(void)    = ConditionalBranch : r44_2
+ * #-----|   False -> Block 4
+ * #-----|   True -> Block 3
+ * ```
+ * Here we have a block that ends with a conditional branch. The two edges show where the control flows to depending
+ * on whether the condition is true or false.
+ *
+ * SSA instructions:
+ *
+ * We use `Phi` instructions in SSA to create a single definition for a variable that might be assigned on multiple
+ * control flow paths. The `Phi` instruction merges the potential values of that variable from each predecessor edge,
+ * and the resulting definition is then used wherever that variable is accessed later on.
+ *
+ * When dealing with aliased memory, we use the `Chi` instruction to create a single definition for memory that might
+ * or might not have been updated by a store, depending on the actual address that was written to. For example, take:
+ *
+ * ```cpp
+ * int x = 5;
+ * int y = 7;
+ * int* p = condition ? &x : &y;
+ * *p = 6;
+ * return x;
+ * ```
+ *
+ * At the point where we store to `*p`, we do not know whether `p` points to `x` or `y`. Thus, we do not know whether
+ * `return x;` is going to return the value that `x` was originally initialized to (5), or whether it will return 6,
+ *  because it was overwritten by `*p = 6;`. We insert a `Chi` instruction immediately after the store to `*p`:
+ *
+ * ```
+ * r2(int)     = Constant[6]
+ * r3(int*)    = <<value of p>>
+ * m4(int)     = Store           : &r3, r2  // Stores the constant 6 to *p
+ * m5(unknown) = Chi             : total:m1, partial:m4
+ * ```
+ * The `partial:` operand represents the memory that was just stored. The `total:` operand represents the previous
+ * contents of all of the memory that `p` might have pointed to (in this case, both `x` and `y`). The result of the
+ * `Chi` represents the new contents of whatever memory the `total:` operand referred to. We usually do not know exactly
+ * which parts of that memory were overwritten, but it does model that any of that memory could have been modified, so
+ * that later instructions do not assume that the memory was unchanged.
 */

 private import internal.IRInternal
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll
@@ -216,9 +216,6 @@ abstract class TranslatedSideEffects extends TranslatedElement {

  final override Locatable getAst() { result = this.getExpr() }

-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
  final override Declaration getFunction() { result = getEnclosingDeclaration(this.getExpr()) }

  final override TranslatedElement getChild(int i) {
@@ -616,9 +613,6 @@ class TranslatedArgumentExprSideEffect extends TranslatedArgumentSideEffect,

  final override Locatable getAst() { result = arg }

-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
  final override Type getIndirectionType() {
    result = arg.getUnspecifiedType().(DerivedType).getBaseType()
    or
@@ -651,9 +645,6 @@ class TranslatedStructorQualifierSideEffect extends TranslatedArgumentSideEffect

  final override Locatable getAst() { result = call }

-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
  final override Type getIndirectionType() { result = call.getTarget().getDeclaringType() }

  final override string getArgString() { result = "this" }
@@ -675,9 +666,6 @@ class TranslatedCallSideEffect extends TranslatedSideEffect, TTranslatedCallSide

  override Locatable getAst() { result = expr }

-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
  override Expr getPrimaryExpr() { result = expr }

  override predicate sortOrder(int group, int indexInGroup) {
@@ -716,9 +704,6 @@ class TranslatedAllocationSideEffect extends TranslatedSideEffect, TTranslatedAl

  override Locatable getAst() { result = expr }

-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
  override Expr getPrimaryExpr() { result = expr }

  override predicate sortOrder(int group, int indexInGroup) {
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCondition.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCondition.qll
@@ -29,9 +29,6 @@ abstract class TranslatedCondition extends TranslatedElement {

  final override Locatable getAst() { result = expr }

-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
  final ConditionContext getConditionContext() { result = this.getParent() }

  final Expr getExpr() { result = expr }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedDeclarationEntry.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedDeclarationEntry.qll
@@ -45,9 +45,6 @@ abstract class TranslatedDeclarationEntry extends TranslatedElement, TTranslated
  final override string toString() { result = entry.toString() }

  final override Locatable getAst() { result = entry.getAst() }
-
-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
 }

 /**
@@ -248,9 +245,6 @@ class TranslatedStaticLocalVariableInitialization extends TranslatedElement,

  final override Locatable getAst() { result = entry.getAst() }

-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
  final override LocalVariable getVariable() { result = var }

  final override Declaration getFunction() { result = var.getFunction() }
@@ -277,9 +271,6 @@ class TranslatedConditionDecl extends TranslatedLocalVariableDeclaration, TTrans

  override Locatable getAst() { result = conditionDeclExpr }

-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
  override Declaration getFunction() { result = getEnclosingFunction(conditionDeclExpr) }

  override LocalVariable getVariable() { result = conditionDeclExpr.getVariable() }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
@@ -128,6 +128,9 @@ private predicate ignoreExprAndDescendants(Expr expr) {
    vaStartExpr.getLastNamedParameter().getFullyConverted() = expr
  )
  or
+  // The children of C11 _Generic expressions are just surface syntax.
+  exists(C11GenericExpr generic | generic.getAChild() = expr)
+  or
  // Do not translate implicit destructor calls for unnamed temporary variables that are
  // conditionally constructed (until we have a mechanism for calling these only when the
  // temporary's constructor was run)
@@ -432,6 +435,9 @@ predicate ignoreLoad(Expr expr) {
    // The load is duplicated from the right operand.
    isExtractorFrontendVersion65OrHigher() and expr instanceof CommaExpr
    or
+    // The load is duplicated from the chosen expression.
+    expr instanceof C11GenericExpr
+    or
    expr.(PointerDereferenceExpr).getOperand().getFullyConverted().getType().getUnspecifiedType()
      instanceof FunctionPointerType
    or
@@ -761,7 +767,10 @@ newtype TTranslatedElement =
  } or
  // A statement
  TTranslatedStmt(Stmt stmt) { translateStmt(stmt) } or
+  // The `__except` block of a `__try __except` statement
  TTranslatedMicrosoftTryExceptHandler(MicrosoftTryExceptStmt stmt) or
+  // The `__finally` block of a `__try __finally` statement
+  TTranslatedMicrosoftTryFinallyHandler(MicrosoftTryFinallyStmt stmt) or
  // A function
  TTranslatedFunction(Function func) { translateFunction(func) } or
  // A constructor init list
@@ -920,9 +929,6 @@ abstract class TranslatedElement extends TTranslatedElement {
   */
  abstract Locatable getAst();

-  /** DEPRECATED: Alias for getAst */
-  deprecated Locatable getAST() { result = this.getAst() }
-
  /** Gets the location of this element. */
  Location getLocation() { result = this.getAst().getLocation() }

--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll
@@ -893,7 +893,8 @@ class TranslatedTransparentConversion extends TranslatedTransparentExpr {
    (
      expr instanceof ParenthesisExpr or
      expr instanceof ReferenceDereferenceExpr or
-      expr instanceof ReferenceToExpr
+      expr instanceof ReferenceToExpr or
+      expr instanceof C11GenericExpr
    )
  }

--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll
@@ -67,9 +67,6 @@ class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction {

  final override Locatable getAst() { result = func }

-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
  /**
   * Gets the function being translated.
   */
@@ -212,8 +209,13 @@ class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction {
      (
        // Only generate the `Unwind` instruction if there is any exception
        // handling present in the function.
-        exists(TryStmt try | try.getEnclosingFunction() = func) or
+        exists(TryOrMicrosoftTryStmt try | try.getEnclosingFunction() = func)
+        or
        exists(ThrowExpr throw | throw.getEnclosingFunction() = func)
+        or
+        exists(FunctionCall call | call.getEnclosingFunction() = func |
+          getTranslatedExpr(call).(TranslatedCallExpr).mayThrowException()
+        )
      )
      or
      tag = AliasedUseTag() and
@@ -483,9 +485,6 @@ class TranslatedThisParameter extends TranslatedParameter, TTranslatedThisParame

  final override Locatable getAst() { result = func }

-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
  final override Function getFunction() { result = func }

  final override predicate hasIndirection() { any() }
@@ -518,9 +517,6 @@ class TranslatedPositionalParameter extends TranslatedParameter, TTranslatedPara

  final override Locatable getAst() { result = param }

-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
  final override Function getFunction() {
    result = param.getFunction() or
    result = param.getCatchBlock().getEnclosingFunction()
@@ -558,9 +554,6 @@ class TranslatedEllipsisParameter extends TranslatedParameter, TTranslatedEllips

  final override Locatable getAst() { result = func }

-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
  final override Function getFunction() { result = func }

  final override predicate hasIndirection() { any() }
@@ -597,9 +590,6 @@ class TranslatedConstructorInitList extends TranslatedElement, InitializationCon

  override Locatable getAst() { result = func }

-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
  override TranslatedElement getChild(int id) {
    exists(ConstructorFieldInit fieldInit |
      fieldInit = func.(Constructor).getInitializer(id) and
@@ -677,9 +667,6 @@ class TranslatedDestructorDestructionList extends TranslatedElement,

  override Locatable getAst() { result = func }

-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
  override TranslatedElement getChild(int id) {
    exists(DestructorFieldDestruction fieldDestruction |
      fieldDestruction = func.(Destructor).getDestruction(id) and
@@ -733,9 +720,6 @@ class TranslatedReadEffects extends TranslatedElement, TTranslatedReadEffects {

  override Locatable getAst() { result = func }

-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
  override Function getFunction() { result = func }

  override string toString() { result = "read effects: " + func.toString() }
@@ -839,9 +823,6 @@ class TranslatedThisReadEffect extends TranslatedReadEffect, TTranslatedThisRead

  override Locatable getAst() { result = func }

-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
  override Function getFunction() { result = func }

  override string toString() { result = "read effect: this" }
@@ -865,9 +846,6 @@ class TranslatedParameterReadEffect extends TranslatedReadEffect, TTranslatedPar

  override Locatable getAst() { result = param }

-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
  override string toString() { result = "read effect: " + param.toString() }

  override Function getFunction() { result = param.getFunction() }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedInitialization.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedInitialization.qll
@@ -153,9 +153,6 @@ abstract class TranslatedInitialization extends TranslatedElement, TTranslatedIn

  final override Locatable getAst() { result = expr }

-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
  /**
   * Gets the expression that is doing the initialization.
   */
@@ -528,9 +525,6 @@ abstract class TranslatedFieldInitialization extends TranslatedElement {

  final override Locatable getAst() { result = ast }

-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
  final override Declaration getFunction() {
    result = getEnclosingFunction(ast) or
    result = getEnclosingVariable(ast).(GlobalOrNamespaceVariable) or
@@ -701,9 +695,6 @@ abstract class TranslatedElementInitialization extends TranslatedElement {

  final override Locatable getAst() { result = initList }

-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
  final override Declaration getFunction() {
    result = getEnclosingFunction(initList)
    or
@@ -912,9 +903,6 @@ abstract class TranslatedStructorCallFromStructor extends TranslatedElement, Str

  final override Locatable getAst() { result = call }

-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
  final override TranslatedElement getChild(int id) {
    id = 0 and
    result = this.getStructorCall()
@@ -1058,9 +1046,6 @@ class TranslatedConstructorBareInit extends TranslatedElement, TTranslatedConstr

  override Locatable getAst() { result = init }

-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
  final override string toString() { result = "construct base (no constructor)" }

  override Instruction getFirstInstruction(EdgeKind kind) {
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll
@@ -79,11 +79,6 @@ class TranslatedMicrosoftTryExceptHandler extends TranslatedElement,
    tag = TryExceptCompareOneBranch() and
    opcode instanceof Opcode::ConditionalBranch and
    resultType = getVoidType()
-    or
-    // unwind stack
-    tag = UnwindTag() and
-    opcode instanceof Opcode::Unwind and
-    resultType = getVoidType()
  }

  final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
@@ -156,7 +151,7 @@ class TranslatedMicrosoftTryExceptHandler extends TranslatedElement,
      // TODO: This is not really correct. The semantics of `EXCEPTION_CONTINUE_EXECUTION` is that
      // we should continue execution at the point where the exception occurred. But we don't have
      // any instruction to model this behavior.
-      result = this.getInstruction(UnwindTag())
+      result = this.getExceptionSuccessorInstruction(any(GotoEdge edge))
      or
      kind instanceof FalseEdge and
      result = this.getInstruction(TryExceptGenerateZero())
@@ -176,7 +171,7 @@ class TranslatedMicrosoftTryExceptHandler extends TranslatedElement,
    tag = TryExceptCompareZeroBranch() and
    (
      kind instanceof TrueEdge and
-      result = this.getInstruction(UnwindTag())
+      result = this.getExceptionSuccessorInstruction(any(GotoEdge edge))
      or
      kind instanceof FalseEdge and
      result = this.getInstruction(TryExceptGenerateOne())
@@ -196,10 +191,6 @@ class TranslatedMicrosoftTryExceptHandler extends TranslatedElement,
    tag = TryExceptCompareOneBranch() and
    kind instanceof TrueEdge and
    result = this.getTranslatedHandler().getFirstInstruction(any(GotoEdge edge))
-    or
-    // Unwind -> Parent
-    tag = UnwindTag() and
-    result = this.getParent().getChildSuccessor(this, kind)
  }

  override Instruction getChildSuccessorInternal(TranslatedElement child, EdgeKind kind) {
@@ -215,8 +206,6 @@ class TranslatedMicrosoftTryExceptHandler extends TranslatedElement,

  override Instruction getALastInstructionInternal() {
    result = this.getTranslatedHandler().getALastInstruction()
-    or
-    result = this.getInstruction(UnwindTag())
  }

  private TranslatedExpr getTranslatedCondition() {
@@ -236,6 +225,68 @@ class TranslatedMicrosoftTryExceptHandler extends TranslatedElement,
  }

  final override Function getFunction() { result = tryExcept.getEnclosingFunction() }
+
+  override Instruction getExceptionSuccessorInstruction(EdgeKind kind) {
+    // A throw from within a `__except` block flows to the handler for the parent of
+    // the `__try`.
+    result = this.getParent().getParent().getExceptionSuccessorInstruction(kind)
+  }
+}
+
+TranslatedMicrosoftTryFinallyHandler getTranslatedMicrosoftTryFinallyHandler(
+  MicrosoftTryFinallyStmt tryFinally
+) {
+  result.getAst() = tryFinally.getFinally()
+}
+
+class TranslatedMicrosoftTryFinallyHandler extends TranslatedElement,
+  TTranslatedMicrosoftTryFinallyHandler
+{
+  MicrosoftTryFinallyStmt tryFinally;
+
+  TranslatedMicrosoftTryFinallyHandler() {
+    this = TTranslatedMicrosoftTryFinallyHandler(tryFinally)
+  }
+
+  final override string toString() { result = tryFinally.toString() }
+
+  final override Locatable getAst() { result = tryFinally.getFinally() }
+
+  override Instruction getFirstInstruction(EdgeKind kind) {
+    result = this.getTranslatedFinally().getFirstInstruction(kind)
+  }
+
+  override Instruction getALastInstructionInternal() {
+    result = this.getTranslatedFinally().getALastInstruction()
+  }
+
+  override Instruction getChildSuccessorInternal(TranslatedElement child, EdgeKind kind) {
+    child = this.getTranslatedFinally() and
+    result = this.getParent().getChildSuccessor(this, kind)
+  }
+
+  override Instruction getInstructionSuccessorInternal(InstructionTag tag, EdgeKind kind) { none() }
+
+  override TranslatedElement getChild(int id) {
+    id = 0 and
+    result = this.getTranslatedFinally()
+  }
+
+  override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
+    none()
+  }
+
+  final override Function getFunction() { result = tryFinally.getEnclosingFunction() }
+
+  private TranslatedStmt getTranslatedFinally() {
+    result = getTranslatedStmt(tryFinally.getFinally())
+  }
+
+  override Instruction getExceptionSuccessorInstruction(EdgeKind kind) {
+    // A throw from within a `__finally` block flows to the handler for the parent of
+    // the `__try`.
+    result = this.getParent().getParent().getExceptionSuccessorInstruction(kind)
+  }
 }

 abstract class TranslatedStmt extends TranslatedElement, TTranslatedStmt {
@@ -268,9 +319,6 @@ abstract class TranslatedStmt extends TranslatedElement, TTranslatedStmt {

  final override Locatable getAst() { result = stmt }

-  /** DEPRECATED: Alias for getAst */
-  deprecated override Locatable getAST() { result = this.getAst() }
-
  final override Function getFunction() { result = stmt.getEnclosingFunction() }
 }

@@ -586,7 +634,7 @@ class TranslatedNoValueReturnStmt extends TranslatedReturnStmt, TranslatedVariab
 /**
 * A C/C++ `try` statement, or a `__try __except` or `__try __finally` statement.
 */
-private class TryOrMicrosoftTryStmt extends Stmt {
+class TryOrMicrosoftTryStmt extends Stmt {
  TryOrMicrosoftTryStmt() {
    this instanceof TryStmt or
    this instanceof MicrosoftTryStmt
@@ -619,7 +667,9 @@ private class TryOrMicrosoftTryStmt extends Stmt {
  }

  /** Gets the `finally` statement (usually a BlockStmt), if any. */
-  Stmt getFinally() { result = this.(MicrosoftTryFinallyStmt).getFinally() }
+  TranslatedElement getTranslatedFinally() {
+    result = getTranslatedMicrosoftTryFinallyHandler(this)
+  }
 }

 /**
@@ -689,11 +739,14 @@ class TranslatedTryStmt extends TranslatedStmt {

  final override Instruction getExceptionSuccessorInstruction(EdgeKind kind) {
    result = this.getHandler(0).getFirstInstruction(kind)
+    or
+    not exists(this.getHandler(_)) and
+    result = this.getFinally().getFirstInstruction(kind)
  }

  private TranslatedElement getHandler(int index) { result = stmt.getTranslatedHandler(index) }

-  private TranslatedStmt getFinally() { result = getTranslatedStmt(stmt.getFinally()) }
+  private TranslatedElement getFinally() { result = stmt.getTranslatedFinally() }

  private TranslatedStmt getBody() { result = getTranslatedStmt(stmt.getStmt()) }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll
@@ -50,9 +50,6 @@ abstract private class AbstractIRVariable extends TIRVariable {
   */
  abstract Language::AST getAst();

-  /** DEPRECATED: Alias for getAst */
-  deprecated Language::AST getAST() { result = this.getAst() }
-
  /**
   * Gets an identifier string for the variable. This identifier is unique
   * within the function.
@@ -96,9 +93,6 @@ class IRUserVariable extends AbstractIRVariable, TIRUserVariable {

  final override Language::AST getAst() { result = var }

-  /** DEPRECATED: Alias for getAst */
-  deprecated override Language::AST getAST() { result = this.getAst() }
-
  final override string getUniqueId() {
    result = this.getVariable().toString() + " " + this.getVariable().getLocation().toString()
  }
@@ -163,9 +157,6 @@ abstract private class AbstractIRGeneratedVariable extends AbstractIRVariable {

  final override Language::AST getAst() { result = ast }

-  /** DEPRECATED: Alias for getAst */
-  deprecated override Language::AST getAST() { result = this.getAst() }
-
  override string toString() { result = this.getBaseString() + this.getLocationString() }

  override string getUniqueId() { none() }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.qll
@@ -6,6 +6,112 @@
 * uses, however, it is better to write a query that imports `PrintIR.qll`, extends
 * `PrintIRConfiguration`, and overrides `shouldPrintDeclaration()` to select a subset of declarations
 * to dump.
+ *
+ * Anatomy of a printed IR instruction
+ *
+ * An instruction:
+ *
+ * ```
+ * # 2281|     v2281_19(void) = Call[~String]     : func:r2281_18, this:r2281_17
+ * ```
+ *
+ * The prefix `# 2281|` specifies that this instruction was generated by the C++ source code on line 2281.
+ * Scrolling up in the printed output, one will eventually find the name of the file to which the line
+ * belongs.
+ *
+ * `v2281_19(void)` is the result of the instruction. Here, `v` means this is a void result or operand (so
+ * there should be no later uses of the result; see below for other possible values). The `2281_19` is a
+ * unique ID for the result. This is usually just the line number plus a small integer suffix to make it
+ * unique within the function. The type of the result is `void`. In this case, it is `void`, because
+ * `~String` returns `void`. The type of the result is usually just the name of the appropriate C++ type,
+ * but it will sometimes be a type like `glval<int>`, which means result holds a glvalue, which at the
+ * IR level works like a pointer. In other words, in the source code the type was `int`, but it is really
+ * more like an `int*`. We see this, for example, in `x = y;`, where `x` is a glvalue.
+ *
+ * `Call` is the opcode of the instruction. Common opcodes include:
+ *
+ * * Arithmetic operations: `Add`, `Sub`, `Mul`, etc.
+ * * Memory access operations: `Load`, `Store`.
+ * * Function calls: `Call`.
+ * * Literals: `Constant`.
+ * * Variable addresses: `VariableAddress`.
+ * * Function entry points: `EnterFunction`.
+ * * Return from a function: `Return`, `ReturnVoid`. Note that the value being returned is set separately by a
+ *   `Store` to a special `#return` variable.
+ * * Stack unwinding for C++ function that throw and where the exception escapes the function: `Unwind`.
+ * * Common exit point for `Unwind` and `Return`: `ExitFunction`.
+ * * SSA-related opcodes: `Phi`, `Chi`.
+ *
+ * `[~String]` denotes additional information. The information might be present earlier in the IR, as is the case
+ * for `Call`, where it is the name of the called function. This is also the case for `Load` and `Store`, where it
+ * is the name of the variable that loaded or stored (if known). In the case of `Constant`, `FieldAddress`, and
+ * `VariableAddress`, the information between brackets does not occur earlier.
+ *
+ * `func:r2281_18` and `this:r28281_17` are the operands of the instruction. The `func:` prefix denotes the operand
+ * that holds the address of the called function. The `this:` prefix denotes the argument to the special `this`
+ * parameter of an instance member function. `r2281_18`, `r2281_17` are the unique IDs of the operands. Each of these
+ * matches the ID of a previously seen result, showing where that value came from. The `r` means that these are
+ * "register" operands (see below).
+ *
+ * Result and operand kinds:
+ *
+ * Every result and operand is one of these three kinds:
+ *
+ * * `r` "register". These operands are not stored in any particular memory location. We can think of them as
+ *   temporary values created during the evaluation of an expression. A register operand almost always has one
+ *   use, often in the same block as its definition.
+ * *  `m` "memory". These operands represents accesses to a specific memory location. The location could be a
+ *    local variable, a global variable, a field of an object, an element of an array, or any memory that we happen
+ *    to have a pointer to. These only occur as the result of a `Store`, the source operand of a `Load` or on the
+ *    SSA instructions (`Phi`, `Chi`).
+ * * `v` "void". Really just a register operand, but we mark register operands of type void with this special prefix
+ *   so we know that there is no actual value there.
+ *
+ * Branches in the IR:
+ *
+ * The IR is divided into basic blocks. At the end of each block, there are one or more edges showing the possible
+ * control flow successors of the block.
+ *
+ * ```
+ * #   44|     v44_3(void)    = ConditionalBranch : r44_2
+ * #-----|   False -> Block 4
+ * #-----|   True -> Block 3
+ * ```
+ * Here we have a block that ends with a conditional branch. The two edges show where the control flows to depending
+ * on whether the condition is true or false.
+ *
+ * SSA instructions:
+ *
+ * We use `Phi` instructions in SSA to create a single definition for a variable that might be assigned on multiple
+ * control flow paths. The `Phi` instruction merges the potential values of that variable from each predecessor edge,
+ * and the resulting definition is then used wherever that variable is accessed later on.
+ *
+ * When dealing with aliased memory, we use the `Chi` instruction to create a single definition for memory that might
+ * or might not have been updated by a store, depending on the actual address that was written to. For example, take:
+ *
+ * ```cpp
+ * int x = 5;
+ * int y = 7;
+ * int* p = condition ? &x : &y;
+ * *p = 6;
+ * return x;
+ * ```
+ *
+ * At the point where we store to `*p`, we do not know whether `p` points to `x` or `y`. Thus, we do not know whether
+ * `return x;` is going to return the value that `x` was originally initialized to (5), or whether it will return 6,
+ *  because it was overwritten by `*p = 6;`. We insert a `Chi` instruction immediately after the store to `*p`:
+ *
+ * ```
+ * r2(int)     = Constant[6]
+ * r3(int*)    = <<value of p>>
+ * m4(int)     = Store           : &r3, r2  // Stores the constant 6 to *p
+ * m5(unknown) = Chi             : total:m1, partial:m4
+ * ```
+ * The `partial:` operand represents the memory that was just stored. The `total:` operand represents the previous
+ * contents of all of the memory that `p` might have pointed to (in this case, both `x` and `y`). The result of the
+ * `Chi` represents the new contents of whatever memory the `total:` operand referred to. We usually do not know exactly
+ * which parts of that memory were overwritten, but it does model that any of that memory could have been modified, so
+ * that later instructions do not assume that the memory was unchanged.
 */

 private import internal.IRInternal
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll
@@ -71,9 +71,6 @@ class MemoryLocation extends TMemoryLocation {
  final string getUniqueId() { result = var.getUniqueId() }

  final predicate canReuseSsa() { canReuseSsaForVariable(var) }
-
-  /** DEPRECATED: Alias for canReuseSsa */
-  deprecated predicate canReuseSSA() { this.canReuseSsa() }
 }

 predicate canReuseSsaForOldResult(Instruction instr) { none() }
--- a/cpp/ql/lib/semmle/code/cpp/models/Models.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/Models.qll
@@ -42,6 +42,7 @@ private import implementations.Accept
 private import implementations.Poll
 private import implementations.Select
 private import implementations.MySql
+private import implementations.NoexceptFunction
 private import implementations.ODBC
 private import implementations.SqLite3
 private import implementations.PostgreSql
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Allocation.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Allocation.qll
@@ -5,13 +5,13 @@
 */

 import semmle.code.cpp.models.interfaces.Allocation
-import semmle.code.cpp.models.interfaces.Taint
+import semmle.code.cpp.models.interfaces.DataFlow

 /**
 * An allocation function (such as `realloc`) that has an argument for the size
 * in bytes, and an argument for an existing pointer that is to be reallocated.
 */
-private class ReallocAllocationFunction extends AllocationFunction, TaintFunction {
+private class ReallocAllocationFunction extends AllocationFunction, DataFlowFunction {
  int sizeArg;
  int reallocArg;

@@ -44,7 +44,7 @@ private class ReallocAllocationFunction extends AllocationFunction, TaintFunctio

  override int getReallocPtrArg() { result = reallocArg }

-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
    input.isParameterDeref(this.getReallocPtrArg()) and output.isReturnValueDeref()
  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Fopen.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Fopen.qll
@@ -7,7 +7,7 @@ import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.SideEffect

 /** The function `fopen` and friends. */
-private class Fopen extends Function, AliasFunction, SideEffectFunction {
+private class Fopen extends Function, AliasFunction, SideEffectFunction, TaintFunction {
  Fopen() {
    this.hasGlobalOrStdName(["fopen", "fopen_s", "freopen"])
    or
@@ -47,4 +47,22 @@ private class Fopen extends Function, AliasFunction, SideEffectFunction {
    i = 0 and
    buffer = true
  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    (
+      this.hasGlobalOrStdName(["fopen", "freopen"]) or
+      this.hasGlobalName(["_wfopen", "_fsopen", "_wfsopen"])
+    ) and
+    input.isParameterDeref(0) and
+    output.isReturnValueDeref()
+    or
+    // The out parameter is a pointer to a `FILE*`.
+    this.hasGlobalOrStdName("fopen_s") and
+    input.isParameterDeref(1) and
+    output.isParameterDeref(0, 2)
+    or
+    this.hasGlobalName(["_open", "_wopen"]) and
+    input.isParameterDeref(0) and
+    output.isReturnValue()
+  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Memcpy.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Memcpy.qll
@@ -9,13 +9,14 @@ import semmle.code.cpp.models.interfaces.DataFlow
 import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.SideEffect
 import semmle.code.cpp.models.interfaces.Taint
+import semmle.code.cpp.models.interfaces.NonThrowing

 /**
 * The standard functions `memcpy`, `memmove` and `bcopy`; and the gcc variant
 * `__builtin___memcpy_chk`.
 */
 private class MemcpyFunction extends ArrayFunction, DataFlowFunction, SideEffectFunction,
-  AliasFunction
+  AliasFunction, NonThrowingFunction
 {
  MemcpyFunction() {
    // memcpy(dest, src, num)
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Memset.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Memset.qll
@@ -8,9 +8,10 @@ import semmle.code.cpp.models.interfaces.ArrayFunction
 import semmle.code.cpp.models.interfaces.DataFlow
 import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.SideEffect
+import semmle.code.cpp.models.interfaces.NonThrowing

 private class MemsetFunctionModel extends ArrayFunction, DataFlowFunction, AliasFunction,
-  SideEffectFunction
+  SideEffectFunction, NonThrowingFunction
 {
  MemsetFunctionModel() {
    this.hasGlobalOrStdOrBslName("memset")
--- a/Show More
+++ b/Show More