Update qhelp for py/path-injection.

.github/dependabot.yml

@@ -31,12 +31,3 @@ updates:
           - "golang.org/x/*"
     reviewers:
       - "github/codeql-go"
-
-  - package-ecosystem: "gomod"
-    directory: "go/ql/test"
-    schedule:
-      interval: "monthly"
-    ignore:
-      - dependency-name: "*"
-    reviewers:
-      - "github/codeql-go"

.github/workflows/check-change-note.yml

@@ -9,42 +9,26 @@ on:
       - "*/ql/lib/**/*.ql"
       - "*/ql/lib/**/*.qll"
       - "*/ql/lib/**/*.yml"
-      - "shared/**/*.ql"
-      - "shared/**/*.qll"
       - "!**/experimental/**"
       - "!ql/**"
       - ".github/workflows/check-change-note.yml"
 
 jobs:
   check-change-note:
-    env: 
-      REPO: ${{ github.repository }}
-      PULL_REQUEST_NUMBER: ${{ github.event.number }}
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     runs-on: ubuntu-latest
     steps:
-
       - name: Fail if no change note found. To fix, either add one, or add the `no-change-note-required` label.
         if: |
           github.event.pull_request.draft == false &&
           !contains(github.event.pull_request.labels.*.name, 'no-change-note-required')
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          change_note_files=$(gh api "repos/$REPO/pulls/$PULL_REQUEST_NUMBER/files" --paginate --jq '.[].filename | select(test("/change-notes/.*[.]md$"))')
-          
-          if [ -z "$change_note_files" ]; then
-            echo "No change note found. Either add one, or add the 'no-change-note-required' label."
-            exit 1
-          fi
-
-          echo "Change notes found:"
-          echo "$change_note_files"
-
+          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' |
+          grep true -c
       - name: Fail if the change note filename doesn't match the expected format. The file name must be of the form 'YYYY-MM-DD.md', 'YYYY-MM-DD-{title}.md', where '{title}' is arbitrary text, or released/x.y.z.md for released change-notes
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          bad_change_note_file_names=$(gh api "repos/$REPO/pulls/$PULL_REQUEST_NUMBER/files" --paginate --jq '[.[].filename | select(test("/change-notes/.*[.]md$"))][] | select((test("/change-notes/[0-9]{4}-[0-9]{2}-[0-9]{2}.*[.]md$") or test("/change-notes/released/[0-9]*[.][0-9]*[.][0-9]*[.]md$")) | not)')
-
-          if [ -n "$bad_change_note_file_names" ]; then
-            echo "The following change note file names are invalid:"
-            echo "$bad_change_note_file_names"
-            exit 1
-          fi
+          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq '[.[].filename | select(test("/change-notes/.*[.]md$"))] | all(test("/change-notes/[0-9]{4}-[0-9]{2}-[0-9]{2}.*[.]md$") or test("/change-notes/released/[0-9]*[.][0-9]*[.][0-9]*[.]md$"))' |
+          grep true -c

.github/workflows/csharp-qltest.yml

@@ -91,7 +91,7 @@ jobs:
         run: |
           # Generate (Asp)NetCore stubs
           STUBS_PATH=stubs_output
-          python3 scripts/stubs/make_stubs_nuget.py webapp Swashbuckle.AspNetCore.Swagger 6.5.0 "$STUBS_PATH"
+          python3 ql/src/Stubs/make_stubs_nuget.py webapp Swashbuckle.AspNetCore.Swagger 6.5.0 "$STUBS_PATH"
           rm -rf ql/test/resources/stubs/_frameworks
           # Update existing stubs in the repo with the freshly generated ones
           mv "$STUBS_PATH/output/stubs/_frameworks" ql/test/resources/stubs/

.github/workflows/csv-coverage-pr-artifacts.yml

@@ -89,32 +89,9 @@ jobs:
       - name: Save PR number
         run: |
           mkdir -p pr
-          echo ${PR_NUMBER} > pr/NR
-        env:
-          PR_NUMBER: ${{ github.event.pull_request.number }}
+          echo ${{ github.event.pull_request.number }} > pr/NR
       - name: Upload PR number
         uses: actions/upload-artifact@v3
         with:
           name: pr
           path: pr/
-      - name: Save comment ID (if it exists)
-        run: |
-          # Find the latest comment starting with COMMENT_PREFIX
-          COMMENT_PREFIX=":warning: The head of this PR and the base branch were compared for differences in the framework coverage reports."
-          COMMENT_ID=$(gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" --paginate | jq --arg prefix "${COMMENT_PREFIX}" 'map(select(.body|startswith($prefix)) | .id) | max // empty')
-          if [[ -z ${COMMENT_ID} ]]
-          then
-            echo "Comment not found. Not uploading 'comment/ID' artifact."
-          else
-            mkdir -p comment
-            echo ${COMMENT_ID} > comment/ID
-          fi
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-      - name: Upload comment ID (if it exists)
-        uses: actions/upload-artifact@v3
-        with:
-          name: comment
-          path: comment/
-          if-no-files-found: ignore

codeql-workspace.yml

@@ -6,7 +6,7 @@ provide:
   - "*/ql/consistency-queries/qlpack.yml"
   - "*/ql/automodel/src/qlpack.yml"
   - "*/ql/automodel/test/qlpack.yml"
-  - "shared/**/qlpack.yml"
+  - "shared/*/qlpack.yml"
   - "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml"
   - "go/ql/config/legacy-support/qlpack.yml"
   - "go/build/codeql-extractor-go/codeql-extractor.yml"
@@ -29,7 +29,6 @@ provide:
   - "swift/extractor-pack/codeql-extractor.yml"
   - "swift/integration-tests/qlpack.yml"
   - "ql/extractor-pack/codeql-extractor.yml"
-  - ".github/codeql/extensions/**/codeql-pack.yml"
 
 versionPolicies:
   default:

cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/BuildScripts.cs

@@ -145,9 +145,9 @@ namespace Semmle.Autobuild.Cpp.Tests
 
         bool IBuildActions.IsMacOs() => IsMacOs;
 
-        public bool IsRunningOnAppleSilicon { get; set; }
+        public bool IsArm { get; set; }
 
-        bool IBuildActions.IsRunningOnAppleSilicon() => IsRunningOnAppleSilicon;
+        bool IBuildActions.IsArm() => IsArm;
 
         string IBuildActions.PathCombine(params string[] parts)
         {

cpp/downgrades/5b388693c66db1e7dc2e76a90aa67a2b6eb74f0f/builtintypes.ql

@@ -1,19 +0,0 @@
-class BuiltinType extends @builtintype {
-  string toString() { none() }
-}
-
-from BuiltinType type, string name, int kind, int kind_new, int size, int sign, int alignment
-where
-  builtintypes(type, name, kind, size, sign, alignment) and
-  if
-    type instanceof @fp16 or
-    type instanceof @std_bfloat16 or
-    type instanceof @std_float16 or
-    type instanceof @complex_std_float32 or
-    type instanceof @complex_float32x or
-    type instanceof @complex_std_float64 or
-    type instanceof @complex_float64x or
-    type instanceof @complex_std_float128
-  then kind_new = 2
-  else kind_new = kind
-select type, name, kind_new, size, sign, alignment

cpp/downgrades/5b388693c66db1e7dc2e76a90aa67a2b6eb74f0f/upgrade.properties

@@ -1,3 +0,0 @@
-description: Introduce new floating-point types from C23 and C++23
-compatibility: backwards
-builtintypes.rel: run builtintypes.qlo

cpp/downgrades/8cba93a44180e0d50a80a660950800d822b981fc/upgrade.properties

@@ -1,2 +0,0 @@
-description: Removed @assignpaddexpr and @assignpsubexpr from @assign_bitwise_expr
-compatibility: full

cpp/downgrades/f79ce79e3b751aeeed59e594633ba5c07a27ef3e/upgrade.properties

@@ -1,3 +0,0 @@
-description: Introduce extractor version numbers
-compatibility: breaking
-extractor_version.rel: delete

cpp/ql/lib/CHANGELOG.md

@@ -1,25 +1,3 @@
-## 0.11.0
-
-### Breaking Changes
-
-* The `Container` and `Folder` classes now derive from `ElementBase` instead of `Locatable`, and no longer expose the `getLocation` predicate. Use `getURL` instead.
-
-### New Features
-
-* Added a new class `AdditionalCallTarget` for specifying additional call targets.
-
-### Minor Analysis Improvements
-
-* More field accesses are identified as `ImplicitThisFieldAccess`.
-* Added support for new floating-point types in C23 and C++23.
-
-## 0.10.1
-
-### Minor Analysis Improvements
-
-* Deleted the deprecated `AnalysedString` class, use the new name `AnalyzedString`.
-* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
-
 ## 0.10.0
 
 ### Minor Analysis Improvements

cpp/ql/lib/change-notes/2023-10-09-outdated-deprecations.md

@@ -1,6 +1,5 @@
-## 0.10.1
-
-### Minor Analysis Improvements
-
+---
+category: minorAnalysis
+---
 * Deleted the deprecated `AnalysedString` class, use the new name `AnalyzedString`.
 * Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.

cpp/ql/lib/change-notes/2023-10-30-realloc-flow.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added taint models for `realloc` and related functions.

cpp/ql/lib/change-notes/2023-10-31-assign-pointer-add-sub-expr.md

@@ -1,4 +0,0 @@
----
-category: breaking
----
-* The expressions `AssignPointerAddExpr` and `AssignPointerSubExpr` are no longer subtypes of `AssignBitwiseOperation`.

cpp/ql/lib/change-notes/2023-10-31-odbc-models.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added SQL API models for `ODBC`.

cpp/ql/lib/change-notes/2023-11-08-strsafe-models.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added models for the `sprintf` variants from the `StrSafe.h` header.

cpp/ql/lib/change-notes/2023-11-10-strlcpy-strlcat-models.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added models for `strlcpy` and `strlcat`.

cpp/ql/lib/change-notes/2023-11-15-return-stack-allocated-memory.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The "Returning stack-allocated memory" (`cpp/return-stack-allocated-memory`) query now also detects returning stack-allocated memory allocated by calls to `alloca`, `strdupa`, and `strndupa`.

cpp/ql/lib/change-notes/released/0.11.0.md

@@ -1,14 +0,0 @@
-## 0.11.0
-
-### Breaking Changes
-
-* The `Container` and `Folder` classes now derive from `ElementBase` instead of `Locatable`, and no longer expose the `getLocation` predicate. Use `getURL` instead.
-
-### New Features
-
-* Added a new class `AdditionalCallTarget` for specifying additional call targets.
-
-### Minor Analysis Improvements
-
-* More field accesses are identified as `ImplicitThisFieldAccess`.
-* Added support for new floating-point types in C23 and C++23.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.11.0
+lastReleaseVersion: 0.10.0

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.11.1-dev
+version: 0.10.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
@@ -7,7 +7,6 @@ library: true
 upgrades: upgrades
 dependencies:
   codeql/dataflow: ${workspace}
-  codeql/rangeanalysis: ${workspace}
   codeql/ssa: ${workspace}
   codeql/tutorial: ${workspace}
   codeql/util: ${workspace}

cpp/ql/lib/semmle/code/cpp/File.qll

@@ -32,7 +32,7 @@ private module Input implements InputSig {
 private module Impl = Make<Input>;
 
 /** A file or folder. */
-class Container extends ElementBase, Impl::Container {
+class Container extends Locatable, Impl::Container {
   override string toString() { result = Impl::Container.super.toString() }
 }
 
@@ -47,6 +47,11 @@ class Container extends ElementBase, Impl::Container {
  * To get the full path, use `getAbsolutePath`.
  */
 class Folder extends Container, Impl::Folder {
+  override Location getLocation() {
+    result.getContainer() = this and
+    result.hasLocationInfo(_, 0, 0, 0, 0)
+  }
+
   override string getAPrimaryQlClass() { result = "Folder" }
 }
 
@@ -62,7 +67,7 @@ class Folder extends Container, Impl::Folder {
  * The base name further decomposes into the _stem_ and _extension_ -- see
  * `getStem` and `getExtension`. To get the full path, use `getAbsolutePath`.
  */
-class File extends Container, Locatable, Impl::File {
+class File extends Container, Impl::File {
   override string getAPrimaryQlClass() { result = "File" }
 
   override Location getLocation() {

cpp/ql/lib/semmle/code/cpp/Type.qll

@@ -819,30 +819,6 @@ private predicate floatingPointTypeMapping(
   or
   // _Complex _Float16
   kind = 53 and base = 2 and domain = TComplexDomain() and realKind = 52 and extended = false
-  or
-  // __fp16
-  kind = 54 and base = 2 and domain = TRealDomain() and realKind = 54 and extended = false
-  or
-  // __bf16
-  kind = 55 and base = 2 and domain = TRealDomain() and realKind = 55 and extended = false
-  or
-  // std::float16_t
-  kind = 56 and base = 2 and domain = TRealDomain() and realKind = 56 and extended = false
-  or
-  // _Complex _Float32
-  kind = 57 and base = 2 and domain = TComplexDomain() and realKind = 45 and extended = false
-  or
-  // _Complex _Float32x
-  kind = 58 and base = 2 and domain = TComplexDomain() and realKind = 46 and extended = true
-  or
-  // _Complex _Float64
-  kind = 59 and base = 2 and domain = TComplexDomain() and realKind = 47 and extended = false
-  or
-  // _Complex _Float64x
-  kind = 60 and base = 2 and domain = TComplexDomain() and realKind = 48 and extended = true
-  or
-  // _Complex _Float128
-  kind = 61 and base = 2 and domain = TComplexDomain() and realKind = 49 and extended = false
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/exprs/Access.qll

@@ -306,13 +306,15 @@ private predicate exprHasReferenceConversion(Expr e) { referenceConversion(e.get
  *   }
  * };
  * ```
+ * Note: the C++ front-end often automatically desugars `field` to
+ * `this->field`, so most accesses of `this->field` are instances
+ * of `PointerFieldAccess` (with `ThisExpr` as the qualifier), not
+ * `ImplicitThisFieldAccess`.
  */
 class ImplicitThisFieldAccess extends FieldAccess {
   override string getAPrimaryQlClass() { result = "ImplicitThisFieldAccess" }
 
-  ImplicitThisFieldAccess() {
-    this.getQualifier().(ThisExpr).isCompilerGenerated() or not exists(this.getQualifier())
-  }
+  ImplicitThisFieldAccess() { not exists(this.getQualifier()) }
 }
 
 /**
@@ -330,7 +332,7 @@ class PointerToFieldLiteral extends ImplicitThisFieldAccess {
     // access without a qualifier. The only other unqualified field accesses it
     // emits are for compiler-generated constructors and destructors. When we
     // filter those out, there are only pointer-to-field literals left.
-    not this.isCompilerGenerated() and not exists(this.getQualifier())
+    not this.isCompilerGenerated()
   }
 
   override predicate isConstant() { any() }

cpp/ql/lib/semmle/code/cpp/internal/ExtractorVersion.qll

@@ -1,15 +0,0 @@
-/**
- * INTERNAL: Do not use. Provides predicates for getting the CodeQL and frontend
- * version used during database extraction.
- */
-
-/** Get the extractor CodeQL version */
-string getExtractorCodeQLVersion() { extractor_version(result, _) }
-
-/** Get the extractor frontend version */
-string getExtractorFrontendVersion() { extractor_version(_, result) }
-
-predicate isExtractorFrontendVersion65OrHigher() {
-  // Version numbers we not included in the database before 6.5.
-  exists(getExtractorCodeQLVersion())
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/MustFlow.qll

@@ -31,11 +31,6 @@ abstract class MustFlowConfiguration extends string {
    */
   abstract predicate isSink(Operand sink);
 
-  /**
-   * Holds if data flow through `instr` is prohibited.
-   */
-  predicate isBarrier(Instruction instr) { none() }
-
   /**
    * Holds if the additional flow step from `node1` to `node2` must be taken
    * into account in the analysis.
@@ -53,21 +48,18 @@ abstract class MustFlowConfiguration extends string {
    */
   final predicate hasFlowPath(MustFlowPathNode source, MustFlowPathSink sink) {
     this.isSource(source.getInstruction()) and
-    source.getASuccessor*() = sink
+    source.getASuccessor+() = sink
   }
 }
 
 /** Holds if `node` flows from a source. */
 pragma[nomagic]
 private predicate flowsFromSource(Instruction node, MustFlowConfiguration config) {
-  not config.isBarrier(node) and
-  (
-    config.isSource(node)
-    or
-    exists(Instruction mid |
-      step(mid, node, config) and
-      flowsFromSource(mid, pragma[only_bind_into](config))
-    )
+  config.isSource(node)
+  or
+  exists(Instruction mid |
+    step(mid, node, config) and
+    flowsFromSource(mid, pragma[only_bind_into](config))
   )
 }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll

@@ -7,12 +7,9 @@ private import DataFlowImplCommon as DataFlowImplCommon
 
 /**
  * Gets a function that might be called by `call`.
- *
- * This predicate does not take additional call targets
- * from `AdditionalCallTarget` into account.
  */
 cached
-DataFlowCallable defaultViableCallable(DataFlowCall call) {
+DataFlowCallable viableCallable(DataFlowCall call) {
   DataFlowImplCommon::forceCachingInSameStage() and
   result = call.getStaticCallTarget()
   or
@@ -32,17 +29,6 @@ DataFlowCallable defaultViableCallable(DataFlowCall call) {
   result = call.(VirtualDispatch::DataSensitiveCall).resolve()
 }
 
-/**
- * Gets a function that might be called by `call`.
- */
-cached
-DataFlowCallable viableCallable(DataFlowCall call) {
-  result = defaultViableCallable(call)
-  or
-  // Additional call targets
-  result = any(AdditionalCallTarget additional).viableTarget(call.getUnconvertedResultExpression())
-}
-
 /**
  * Provides virtual dispatch support compatible with the original
  * implementation of `semmle.code.cpp.security.TaintTracking`.

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -81,14 +81,6 @@ class Node0Impl extends TIRDataFlowNode0 {
   /** Gets the operands corresponding to this node, if any. */
   Operand asOperand() { result = this.(OperandNode0).getOperand() }
 
-  /** Gets the location of this node. */
-  final Location getLocation() { result = this.getLocationImpl() }
-
-  /** INTERNAL: Do not use. */
-  Location getLocationImpl() {
-    none() // overridden by subclasses
-  }
-
   /** INTERNAL: Do not use. */
   string toStringImpl() {
     none() // overridden by subclasses
@@ -139,15 +131,9 @@ abstract class InstructionNode0 extends Node0Impl {
   override DataFlowType getType() { result = getInstructionType(instr, _) }
 
   override string toStringImpl() {
-    if instr.(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable
-    then result = "this"
-    else result = instr.getAst().toString()
-  }
-
-  override Location getLocationImpl() {
-    if exists(instr.getAst().getLocation())
-    then result = instr.getAst().getLocation()
-    else result instanceof UnknownDefaultLocation
+    // This predicate is overridden in subclasses. This default implementation
+    // does not use `Instruction.toString` because that's expensive to compute.
+    result = instr.getOpcode().toString()
   }
 
   final override predicate isGLValue() { exists(getInstructionType(instr, true)) }
@@ -187,17 +173,7 @@ abstract class OperandNode0 extends Node0Impl {
 
   override DataFlowType getType() { result = getOperandType(op, _) }
 
-  override string toStringImpl() {
-    if op.getDef().(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable
-    then result = "this"
-    else result = op.getDef().getAst().toString()
-  }
-
-  override Location getLocationImpl() {
-    if exists(op.getDef().getAst().getLocation())
-    then result = op.getDef().getAst().getLocation()
-    else result instanceof UnknownDefaultLocation
-  }
+  override string toStringImpl() { result = op.toString() }
 
   final override predicate isGLValue() { exists(getOperandType(op, true)) }
 }
@@ -656,20 +632,20 @@ predicate jumpStep(Node n1, Node n2) {
       v = globalUse.getVariable() and
       n1.(FinalGlobalValue).getGlobalUse() = globalUse
     |
-      globalUse.getIndirection() = 1 and
+      globalUse.getIndirectionIndex() = 1 and
       v = n2.asVariable()
       or
-      v = n2.asIndirectVariable(globalUse.getIndirection())
+      v = n2.asIndirectVariable(globalUse.getIndirectionIndex())
     )
     or
     exists(Ssa::GlobalDef globalDef |
       v = globalDef.getVariable() and
       n2.(InitialGlobalValue).getGlobalDef() = globalDef
     |
-      globalDef.getIndirection() = 1 and
+      globalDef.getIndirectionIndex() = 1 and
       v = n1.asVariable()
       or
-      v = n1.asIndirectVariable(globalDef.getIndirection())
+      v = n1.asIndirectVariable(globalDef.getIndirectionIndex())
     )
   )
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -14,7 +14,6 @@ private import DataFlowPrivate
 private import ModelUtil
 private import SsaInternals as Ssa
 private import DataFlowImplCommon as DataFlowImplCommon
-private import codeql.util.Unit
 
 /**
  * The IR dataflow graph consists of the following nodes:
@@ -44,12 +43,11 @@ private newtype TIRDataFlowNode =
   TIndirectArgumentOutNode(ArgumentOperand operand, int indirectionIndex) {
     Ssa::isModifiableByCall(operand, indirectionIndex)
   } or
-  TRawIndirectOperand0(Node0Impl node, int indirectionIndex) {
-    Ssa::hasRawIndirectOperand(node.asOperand(), indirectionIndex)
+  TRawIndirectOperand(Operand op, int indirectionIndex) {
+    Ssa::hasRawIndirectOperand(op, indirectionIndex)
   } or
-  TRawIndirectInstruction0(Node0Impl node, int indirectionIndex) {
-    not exists(node.asOperand()) and
-    Ssa::hasRawIndirectInstruction(node.asInstruction(), indirectionIndex)
+  TRawIndirectInstruction(Instruction instr, int indirectionIndex) {
+    Ssa::hasRawIndirectInstruction(instr, indirectionIndex)
   } or
   TFinalParameterNode(Parameter p, int indirectionIndex) {
     exists(Ssa::FinalParameterUse use |
@@ -432,10 +430,6 @@ private class Node0 extends Node, TNode0 {
 
   override Declaration getFunction() { result = node.getFunction() }
 
-  override Location getLocationImpl() { result = node.getLocation() }
-
-  override string toStringImpl() { result = node.toString() }
-
   override DataFlowType getType() { result = node.getType() }
 
   override predicate isGLValue() { node.isGLValue() }
@@ -452,6 +446,18 @@ class InstructionNode extends Node0 {
 
   /** Gets the instruction corresponding to this node. */
   Instruction getInstruction() { result = instr }
+
+  override Location getLocationImpl() {
+    if exists(instr.getAst().getLocation())
+    then result = instr.getAst().getLocation()
+    else result instanceof UnknownDefaultLocation
+  }
+
+  override string toStringImpl() {
+    if instr.(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable
+    then result = "this"
+    else result = instr.getAst().toString()
+  }
 }
 
 /**
@@ -465,6 +471,18 @@ class OperandNode extends Node, Node0 {
 
   /** Gets the operand corresponding to this node. */
   Operand getOperand() { result = op }
+
+  override Location getLocationImpl() {
+    if exists(op.getDef().getAst().getLocation())
+    then result = op.getDef().getAst().getLocation()
+    else result instanceof UnknownDefaultLocation
+  }
+
+  override string toStringImpl() {
+    if op.getDef().(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable
+    then result = "this"
+    else result = op.getDef().getAst().toString()
+  }
 }
 
 /**
@@ -899,146 +917,48 @@ Type getTypeImpl(Type t, int indirectionIndex) {
   result instanceof UnknownType
 }
 
-private module RawIndirectNodes {
-  /**
-   * INTERNAL: Do not use.
-   *
-   * A node that represents the indirect value of an operand in the IR
-   * after `index` number of loads.
-   */
-  private class RawIndirectOperand0 extends Node, TRawIndirectOperand0 {
-    Node0Impl node;
-    int indirectionIndex;
+/**
+ * INTERNAL: Do not use.
+ *
+ * A node that represents the indirect value of an operand in the IR
+ * after `index` number of loads.
+ */
+class RawIndirectOperand extends Node, TRawIndirectOperand {
+  Operand operand;
+  int indirectionIndex;
 
-    RawIndirectOperand0() { this = TRawIndirectOperand0(node, indirectionIndex) }
+  RawIndirectOperand() { this = TRawIndirectOperand(operand, indirectionIndex) }
 
-    /** Gets the underlying instruction. */
-    Operand getOperand() { result = node.asOperand() }
+  /** Gets the underlying instruction. */
+  Operand getOperand() { result = operand }
 
-    /** Gets the underlying indirection index. */
-    int getIndirectionIndex() { result = indirectionIndex }
+  /** Gets the underlying indirection index. */
+  int getIndirectionIndex() { result = indirectionIndex }
 
-    override Declaration getFunction() {
-      result = this.getOperand().getDef().getEnclosingFunction()
-    }
+  override Declaration getFunction() { result = this.getOperand().getDef().getEnclosingFunction() }
 
-    override Declaration getEnclosingCallable() { result = this.getFunction() }
+  override Declaration getEnclosingCallable() { result = this.getFunction() }
 
-    override DataFlowType getType() {
-      exists(int sub, DataFlowType type, boolean isGLValue |
-        type = getOperandType(this.getOperand(), isGLValue) and
-        if isGLValue = true then sub = 1 else sub = 0
-      |
-        result = getTypeImpl(type.getUnspecifiedType(), indirectionIndex - sub)
-      )
-    }
-
-    final override Location getLocationImpl() {
-      if exists(this.getOperand().getLocation())
-      then result = this.getOperand().getLocation()
-      else result instanceof UnknownDefaultLocation
-    }
-
-    override string toStringImpl() {
-      result = operandNode(this.getOperand()).toStringImpl() + " indirection"
-    }
+  override DataFlowType getType() {
+    exists(int sub, DataFlowType type, boolean isGLValue |
+      type = getOperandType(operand, isGLValue) and
+      if isGLValue = true then sub = 1 else sub = 0
+    |
+      result = getTypeImpl(type.getUnspecifiedType(), indirectionIndex - sub)
+    )
   }
 
-  /**
-   * INTERNAL: Do not use.
-   *
-   * A node that represents the indirect value of an instruction in the IR
-   * after `index` number of loads.
-   */
-  private class RawIndirectInstruction0 extends Node, TRawIndirectInstruction0 {
-    Node0Impl node;
-    int indirectionIndex;
-
-    RawIndirectInstruction0() { this = TRawIndirectInstruction0(node, indirectionIndex) }
-
-    /** Gets the underlying instruction. */
-    Instruction getInstruction() { result = node.asInstruction() }
-
-    /** Gets the underlying indirection index. */
-    int getIndirectionIndex() { result = indirectionIndex }
-
-    override Declaration getFunction() { result = this.getInstruction().getEnclosingFunction() }
-
-    override Declaration getEnclosingCallable() { result = this.getFunction() }
-
-    override DataFlowType getType() {
-      exists(int sub, DataFlowType type, boolean isGLValue |
-        type = getInstructionType(this.getInstruction(), isGLValue) and
-        if isGLValue = true then sub = 1 else sub = 0
-      |
-        result = getTypeImpl(type.getUnspecifiedType(), indirectionIndex - sub)
-      )
-    }
-
-    final override Location getLocationImpl() {
-      if exists(this.getInstruction().getLocation())
-      then result = this.getInstruction().getLocation()
-      else result instanceof UnknownDefaultLocation
-    }
-
-    override string toStringImpl() {
-      result = instructionNode(this.getInstruction()).toStringImpl() + " indirection"
-    }
+  final override Location getLocationImpl() {
+    if exists(this.getOperand().getLocation())
+    then result = this.getOperand().getLocation()
+    else result instanceof UnknownDefaultLocation
   }
 
-  /**
-   * INTERNAL: Do not use.
-   *
-   * A node that represents the indirect value of an operand in the IR
-   * after a number of loads.
-   */
-  class RawIndirectOperand extends Node {
-    int indirectionIndex;
-    Operand operand;
-
-    RawIndirectOperand() {
-      exists(Node0Impl node | operand = node.asOperand() |
-        this = TRawIndirectOperand0(node, indirectionIndex)
-        or
-        this = TRawIndirectInstruction0(node, indirectionIndex)
-      )
-    }
-
-    /** Gets the operand associated with this node. */
-    Operand getOperand() { result = operand }
-
-    /** Gets the underlying indirection index. */
-    int getIndirectionIndex() { result = indirectionIndex }
-  }
-
-  /**
-   * INTERNAL: Do not use.
-   *
-   * A node that represents the indirect value of an instruction in the IR
-   * after a number of loads.
-   */
-  class RawIndirectInstruction extends Node {
-    int indirectionIndex;
-    Instruction instr;
-
-    RawIndirectInstruction() {
-      exists(Node0Impl node | instr = node.asInstruction() |
-        this = TRawIndirectOperand0(node, indirectionIndex)
-        or
-        this = TRawIndirectInstruction0(node, indirectionIndex)
-      )
-    }
-
-    /** Gets the instruction associated with this node. */
-    Instruction getInstruction() { result = instr }
-
-    /** Gets the underlying indirection index. */
-    int getIndirectionIndex() { result = indirectionIndex }
+  override string toStringImpl() {
+    result = operandNode(this.getOperand()).toStringImpl() + " indirection"
   }
 }
 
-import RawIndirectNodes
-
 /**
  * INTERNAL: do not use.
  *
@@ -1100,6 +1020,48 @@ class UninitializedNode extends Node {
   LocalVariable getLocalVariable() { result = v }
 }
 
+/**
+ * INTERNAL: Do not use.
+ *
+ * A node that represents the indirect value of an instruction in the IR
+ * after `index` number of loads.
+ */
+class RawIndirectInstruction extends Node, TRawIndirectInstruction {
+  Instruction instr;
+  int indirectionIndex;
+
+  RawIndirectInstruction() { this = TRawIndirectInstruction(instr, indirectionIndex) }
+
+  /** Gets the underlying instruction. */
+  Instruction getInstruction() { result = instr }
+
+  /** Gets the underlying indirection index. */
+  int getIndirectionIndex() { result = indirectionIndex }
+
+  override Declaration getFunction() { result = this.getInstruction().getEnclosingFunction() }
+
+  override Declaration getEnclosingCallable() { result = this.getFunction() }
+
+  override DataFlowType getType() {
+    exists(int sub, DataFlowType type, boolean isGLValue |
+      type = getInstructionType(instr, isGLValue) and
+      if isGLValue = true then sub = 1 else sub = 0
+    |
+      result = getTypeImpl(type.getUnspecifiedType(), indirectionIndex - sub)
+    )
+  }
+
+  final override Location getLocationImpl() {
+    if exists(this.getInstruction().getLocation())
+    then result = this.getInstruction().getLocation()
+    else result instanceof UnknownDefaultLocation
+  }
+
+  override string toStringImpl() {
+    result = instructionNode(this.getInstruction()).toStringImpl() + " indirection"
+  }
+}
+
 private module GetConvertedResultExpression {
   private import semmle.code.cpp.ir.implementation.raw.internal.TranslatedExpr
   private import semmle.code.cpp.ir.implementation.raw.internal.InstructionTag
@@ -1637,29 +1599,26 @@ private module Cached {
   predicate localFlowStep(Node nodeFrom, Node nodeTo) { simpleLocalFlowStep(nodeFrom, nodeTo) }
 
   private predicate indirectionOperandFlow(RawIndirectOperand nodeFrom, Node nodeTo) {
-    nodeFrom != nodeTo and
-    (
-      // Reduce the indirection count by 1 if we're passing through a `LoadInstruction`.
-      exists(int ind, LoadInstruction load |
-        hasOperandAndIndex(nodeFrom, load.getSourceAddressOperand(), ind) and
-        nodeHasInstruction(nodeTo, load, ind - 1)
-      )
-      or
-      // If an operand flows to an instruction, then the indirection of
-      // the operand also flows to the indirection of the instruction.
-      exists(Operand operand, Instruction instr, int indirectionIndex |
-        simpleInstructionLocalFlowStep(operand, instr) and
-        hasOperandAndIndex(nodeFrom, operand, pragma[only_bind_into](indirectionIndex)) and
-        hasInstructionAndIndex(nodeTo, instr, pragma[only_bind_into](indirectionIndex))
-      )
-      or
-      // If there's indirect flow to an operand, then there's also indirect
-      // flow to the operand after applying some pointer arithmetic.
-      exists(PointerArithmeticInstruction pointerArith, int indirectionIndex |
-        hasOperandAndIndex(nodeFrom, pointerArith.getAnOperand(),
-          pragma[only_bind_into](indirectionIndex)) and
-        hasInstructionAndIndex(nodeTo, pointerArith, pragma[only_bind_into](indirectionIndex))
-      )
+    // Reduce the indirection count by 1 if we're passing through a `LoadInstruction`.
+    exists(int ind, LoadInstruction load |
+      hasOperandAndIndex(nodeFrom, load.getSourceAddressOperand(), ind) and
+      nodeHasInstruction(nodeTo, load, ind - 1)
+    )
+    or
+    // If an operand flows to an instruction, then the indirection of
+    // the operand also flows to the indirection of the instruction.
+    exists(Operand operand, Instruction instr, int indirectionIndex |
+      simpleInstructionLocalFlowStep(operand, instr) and
+      hasOperandAndIndex(nodeFrom, operand, pragma[only_bind_into](indirectionIndex)) and
+      hasInstructionAndIndex(nodeTo, instr, pragma[only_bind_into](indirectionIndex))
+    )
+    or
+    // If there's indirect flow to an operand, then there's also indirect
+    // flow to the operand after applying some pointer arithmetic.
+    exists(PointerArithmeticInstruction pointerArith, int indirectionIndex |
+      hasOperandAndIndex(nodeFrom, pointerArith.getAnOperand(),
+        pragma[only_bind_into](indirectionIndex)) and
+      hasInstructionAndIndex(nodeTo, pointerArith, pragma[only_bind_into](indirectionIndex))
     )
   }
 
@@ -1685,7 +1644,6 @@ private module Cached {
   private predicate indirectionInstructionFlow(
     RawIndirectInstruction nodeFrom, IndirectOperand nodeTo
   ) {
-    nodeFrom != nodeTo and
     // If there's flow from an instruction to an operand, then there's also flow from the
     // indirect instruction to the indirect operand.
     exists(Operand operand, Instruction instr, int indirectionIndex |
@@ -2279,43 +2237,3 @@ module InstructionBarrierGuard<instructionGuardChecksSig/3 instructionGuardCheck
     )
   }
 }
-
-/**
- * A unit class for adding additional call steps.
- *
- * Extend this class to add additional call steps to the data flow graph.
- *
- * For example, if the following subclass is added:
- * ```ql
- * class MyAdditionalCallTarget extends DataFlow::AdditionalCallTarget {
- *   override Function viableTarget(Call call) {
- *     call.getTarget().hasName("f") and
- *     result.hasName("g")
- *   }
- * }
- * ```
- * then flow from `source()` to `x` in `sink(x)` is reported in the following example:
- * ```cpp
- * void sink(int);
- * int source();
- * void f(int);
- *
- * void g(int x) {
- *   sink(x);
- * }
- *
- * void test() {
- *   int x = source();
- *   f(x);
- * }
- * ```
- *
- * Note: To prevent reevaluation of cached dataflow-related predicates any
- * subclass of `AdditionalCallTarget` must be imported in all dataflow queries.
- */
-class AdditionalCallTarget extends Unit {
-  /**
-   * Gets a viable target for `call`.
-   */
-  abstract DataFlowCallable viableTarget(Call call);
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ModelUtil.qll

@@ -31,35 +31,26 @@ DataFlow::Node callInput(CallInstruction call, FunctionInput input) {
   )
 }
 
-/**
- * Gets the node that represents the output of `call` with kind `output` at
- * indirection index `indirectionIndex`.
- */
-private Node callOutputWithIndirectionIndex(
-  CallInstruction call, FunctionOutput output, int indirectionIndex
-) {
-  // The return value
-  simpleOutNode(result, call) and
-  output.isReturnValue() and
-  indirectionIndex = 0
-  or
-  // The side effect of a call on the value pointed to by an argument or qualifier
-  exists(int index |
-    result.(IndirectArgumentOutNode).getArgumentIndex() = index and
-    result.(IndirectArgumentOutNode).getIndirectionIndex() = indirectionIndex - 1 and
-    result.(IndirectArgumentOutNode).getCallInstruction() = call and
-    output.isParameterDerefOrQualifierObject(index, indirectionIndex - 1)
-  )
-  or
-  result = getIndirectReturnOutNode(call, indirectionIndex) and
-  output.isReturnValueDeref(indirectionIndex)
-}
-
 /**
  * Gets the instruction that holds the `output` for `call`.
  */
 Node callOutput(CallInstruction call, FunctionOutput output) {
-  result = callOutputWithIndirectionIndex(call, output, _)
+  // The return value
+  simpleOutNode(result, call) and
+  output.isReturnValue()
+  or
+  // The side effect of a call on the value pointed to by an argument or qualifier
+  exists(int index, int indirectionIndex |
+    result.(IndirectArgumentOutNode).getArgumentIndex() = index and
+    result.(IndirectArgumentOutNode).getIndirectionIndex() = indirectionIndex and
+    result.(IndirectArgumentOutNode).getCallInstruction() = call and
+    output.isParameterDerefOrQualifierObject(index, indirectionIndex)
+  )
+  or
+  exists(int ind |
+    result = getIndirectReturnOutNode(call, ind) and
+    output.isReturnValueDeref(ind)
+  )
 }
 
 DataFlow::Node callInput(CallInstruction call, FunctionInput input, int d) {
@@ -85,15 +76,19 @@ private IndirectReturnOutNode getIndirectReturnOutNode(CallInstruction call, int
  */
 bindingset[d]
 Node callOutput(CallInstruction call, FunctionOutput output, int d) {
-  exists(DataFlow::Node n, int indirectionIndex |
-    n = callOutputWithIndirectionIndex(call, output, indirectionIndex) and d > 0
-  |
+  exists(DataFlow::Node n | n = callOutput(call, output) and d > 0 |
     // The return value
-    result = callOutputWithIndirectionIndex(call, output, indirectionIndex + d)
+    result = getIndirectReturnOutNode(n.asInstruction(), d)
     or
     // If there isn't an indirect out node for the call with indirection `d` then
     // we conflate this with the underlying `CallInstruction`.
-    not exists(getIndirectReturnOutNode(call, indirectionIndex + d)) and
+    not exists(getIndirectReturnOutNode(call, d)) and
     n = result
+    or
+    // The side effect of a call on the value pointed to by an argument or qualifier
+    exists(Operand operand, int indirectionIndex |
+      Ssa::outNodeHasAddressAndIndex(n, operand, indirectionIndex) and
+      Ssa::outNodeHasAddressAndIndex(result, operand, indirectionIndex + d)
+    )
   )
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -113,12 +113,22 @@ private newtype TDefOrUseImpl =
   TGlobalUse(GlobalLikeVariable v, IRFunction f, int indirectionIndex) {
     // Represents a final "use" of a global variable to ensure that
     // the assignment to a global variable isn't ruled out as dead.
-    isGlobalUse(v, f, _, indirectionIndex)
+    exists(VariableAddressInstruction vai, int defIndex |
+      vai.getEnclosingIRFunction() = f and
+      vai.getAstVariable() = v and
+      isDef(_, _, _, vai, _, defIndex) and
+      indirectionIndex = [0 .. defIndex] + 1
+    )
   } or
   TGlobalDefImpl(GlobalLikeVariable v, IRFunction f, int indirectionIndex) {
     // Represents the initial "definition" of a global variable when entering
     // a function body.
-    isGlobalDefImpl(v, f, _, indirectionIndex)
+    exists(VariableAddressInstruction vai |
+      vai.getEnclosingIRFunction() = f and
+      vai.getAstVariable() = v and
+      isUse(_, _, vai, _, indirectionIndex) and
+      not isDef(_, _, vai.getAUse(), _, _, _)
+    )
   } or
   TIteratorDef(
     Operand iteratorDerefAddress, BaseSourceVariableInstruction container, int indirectionIndex
@@ -140,27 +150,6 @@ private newtype TDefOrUseImpl =
     )
   }
 
-private predicate isGlobalUse(
-  GlobalLikeVariable v, IRFunction f, int indirection, int indirectionIndex
-) {
-  exists(VariableAddressInstruction vai |
-    vai.getEnclosingIRFunction() = f and
-    vai.getAstVariable() = v and
-    isDef(_, _, _, vai, indirection, indirectionIndex)
-  )
-}
-
-private predicate isGlobalDefImpl(
-  GlobalLikeVariable v, IRFunction f, int indirection, int indirectionIndex
-) {
-  exists(VariableAddressInstruction vai |
-    vai.getEnclosingIRFunction() = f and
-    vai.getAstVariable() = v and
-    isUse(_, _, vai, indirection, indirectionIndex) and
-    not isDef(_, _, _, vai, _, indirectionIndex)
-  )
-}
-
 private predicate unspecifiedTypeIsModifiableAt(Type unspecified, int indirectionIndex) {
   indirectionIndex = [1 .. getIndirectionForUnspecifiedType(unspecified).getNumberOfIndirections()] and
   exists(CppType cppType |
@@ -449,7 +438,7 @@ class GlobalUse extends UseImpl, TGlobalUse {
 
   override FinalGlobalValue getNode() { result.getGlobalUse() = this }
 
-  override int getIndirection() { isGlobalUse(global, f, result, ind) }
+  override int getIndirection() { result = ind + 1 }
 
   /** Gets the global variable associated with this use. */
   GlobalLikeVariable getVariable() { result = global }
@@ -471,9 +460,7 @@ class GlobalUse extends UseImpl, TGlobalUse {
     )
   }
 
-  override SourceVariable getSourceVariable() {
-    sourceVariableIsGlobal(result, global, f, this.getIndirection())
-  }
+  override SourceVariable getSourceVariable() { sourceVariableIsGlobal(result, global, f, ind) }
 
   final override Cpp::Location getLocation() { result = f.getLocation() }
 
@@ -514,18 +501,16 @@ class GlobalDefImpl extends DefOrUseImpl, TGlobalDefImpl {
 
   /** Gets the global variable associated with this definition. */
   override SourceVariable getSourceVariable() {
-    sourceVariableIsGlobal(result, global, f, this.getIndirection())
+    sourceVariableIsGlobal(result, global, f, indirectionIndex)
   }
 
-  int getIndirection() { result = indirectionIndex }
-
   /**
    * Gets the type of this use after specifiers have been deeply stripped
    * and typedefs have been resolved.
    */
   Type getUnspecifiedType() { result = global.getUnspecifiedType() }
 
-  override string toString() { result = "Def of " + this.getSourceVariable() }
+  override string toString() { result = "GlobalDef" }
 
   override Location getLocation() { result = f.getLocation() }
 
@@ -995,7 +980,7 @@ class GlobalDef extends TGlobalDef, SsaDefOrUse {
   final override Location getLocation() { result = global.getLocation() }
 
   /** Gets a textual representation of this definition. */
-  override string toString() { result = global.toString() }
+  override string toString() { result = "GlobalDef" }
 
   /**
    * Holds if this definition has index `index` in block `block`, and
@@ -1005,9 +990,6 @@ class GlobalDef extends TGlobalDef, SsaDefOrUse {
     global.hasIndexInBlock(block, index, sv)
   }
 
-  /** Gets the indirection index of this definition. */
-  int getIndirection() { result = global.getIndirection() }
-
   /** Gets the indirection index of this definition. */
   int getIndirectionIndex() { result = global.getIndirectionIndex() }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll

@@ -228,7 +228,7 @@ private class PointerWrapperTypeIndirection extends Indirection instanceof Point
   override predicate isAdditionalDereference(Instruction deref, Operand address) {
     exists(CallInstruction call |
       operandForFullyConvertedCall(getAUse(deref), call) and
-      this = call.getStaticCallTarget().getClassAndName(["operator*", "operator->", "get"]) and
+      this = call.getStaticCallTarget().getClassAndName("operator*") and
       address = call.getThisArgumentOperand()
     )
   }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -1,6 +1,5 @@
 private import cpp
 import semmle.code.cpp.ir.implementation.raw.IR
-private import semmle.code.cpp.internal.ExtractorVersion
 private import semmle.code.cpp.ir.IRConfiguration
 private import semmle.code.cpp.ir.implementation.Opcode
 private import semmle.code.cpp.ir.implementation.internal.OperandTag
@@ -362,12 +361,6 @@ predicate ignoreLoad(Expr expr) {
     or
     expr instanceof FunctionAccess
     or
-    // The load is duplicated from the operand.
-    isExtractorFrontendVersion65OrHigher() and expr instanceof ParenthesisExpr
-    or
-    // The load is duplicated from the right operand.
-    isExtractorFrontendVersion65OrHigher() and expr instanceof CommaExpr
-    or
     expr.(PointerDereferenceExpr).getOperand().getFullyConverted().getType().getUnspecifiedType()
       instanceof FunctionPointerType
     or

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -1,5 +1,4 @@
 private import cpp
-private import semmle.code.cpp.internal.ExtractorVersion
 private import semmle.code.cpp.ir.implementation.IRType
 private import semmle.code.cpp.ir.implementation.Opcode
 private import semmle.code.cpp.ir.implementation.internal.OperandTag
@@ -650,9 +649,7 @@ class TranslatedPrefixCrementOperation extends TranslatedCrementOperation {
   override PrefixCrementOperation expr;
 
   override Instruction getResult() {
-    // The following distinction is needed to work around extractor limitations
-    // in old versions of the extractor.
-    if expr.isPRValueCategory() and not isExtractorFrontendVersion65OrHigher()
+    if expr.isPRValueCategory()
     then
       // If this is C, then the result of a prefix crement is a prvalue for the
       // new value assigned to the operand. If this is C++, then the result is
@@ -1507,9 +1504,7 @@ class TranslatedAssignExpr extends TranslatedNonConstantExpr {
   }
 
   final override Instruction getResult() {
-    // The following distinction is needed to work around extractor limitations
-    // in old versions of the extractor.
-    if expr.isPRValueCategory() and not isExtractorFrontendVersion65OrHigher()
+    if expr.isPRValueCategory()
     then
       // If this is C, then the result of an assignment is a prvalue for the new
       // value assigned to the left operand. If this is C++, then the result is
@@ -1647,9 +1642,7 @@ class TranslatedAssignOperation extends TranslatedNonConstantExpr {
   }
 
   final override Instruction getResult() {
-    // The following distinction is needed to work around extractor limitations
-    // in old versions of the extractor.
-    if expr.isPRValueCategory() and not isExtractorFrontendVersion65OrHigher()
+    if expr.isPRValueCategory()
     then
       // If this is C, then the result of an assignment is a prvalue for the new
       // value assigned to the left operand. If this is C++, then the result is
@@ -2198,16 +2191,8 @@ abstract class TranslatedConditionalExpr extends TranslatedNonConstantExpr {
         not this.elseIsVoid() and tag = ConditionValueFalseStoreTag()
       ) and
       opcode instanceof Opcode::Store and
-      if isExtractorFrontendVersion65OrHigher()
-      then
-        not expr.hasLValueToRValueConversion() and
-        resultType = this.getResultType()
-        or
-        expr.hasLValueToRValueConversion() and
-        resultType = getTypeForPRValue(expr.getType())
-      else resultType = this.getResultType()
+      resultType = this.getResultType()
       or
-      (not expr.hasLValueToRValueConversion() or not isExtractorFrontendVersion65OrHigher()) and
       tag = ConditionValueResultLoadTag() and
       opcode instanceof Opcode::Load and
       resultType = this.getResultType()
@@ -2237,16 +2222,8 @@ abstract class TranslatedConditionalExpr extends TranslatedNonConstantExpr {
       )
       or
       tag = ConditionValueResultTempAddressTag() and
-      if isExtractorFrontendVersion65OrHigher()
-      then
-        not expr.hasLValueToRValueConversion() and
-        result = this.getInstruction(ConditionValueResultLoadTag())
-        or
-        expr.hasLValueToRValueConversion() and
-        result = this.getParent().getChildSuccessor(this)
-      else result = this.getInstruction(ConditionValueResultLoadTag())
+      result = this.getInstruction(ConditionValueResultLoadTag())
       or
-      (not expr.hasLValueToRValueConversion() or not isExtractorFrontendVersion65OrHigher()) and
       tag = ConditionValueResultLoadTag() and
       result = this.getParent().getChildSuccessor(this)
     )
@@ -2275,24 +2252,18 @@ abstract class TranslatedConditionalExpr extends TranslatedNonConstantExpr {
         result = this.getElse().getResult()
       )
       or
-      (not expr.hasLValueToRValueConversion() or not isExtractorFrontendVersion65OrHigher()) and
       tag = ConditionValueResultLoadTag() and
-      operandTag instanceof AddressOperandTag and
-      result = this.getInstruction(ConditionValueResultTempAddressTag())
+      (
+        operandTag instanceof AddressOperandTag and
+        result = this.getInstruction(ConditionValueResultTempAddressTag())
+      )
     )
   }
 
   final override predicate hasTempVariable(TempVariableTag tag, CppType type) {
     not this.resultIsVoid() and
     tag = ConditionValueTempVar() and
-    if isExtractorFrontendVersion65OrHigher()
-    then
-      not expr.hasLValueToRValueConversion() and
-      type = this.getResultType()
-      or
-      expr.hasLValueToRValueConversion() and
-      type = getTypeForPRValue(expr.getType())
-    else type = this.getResultType()
+    type = this.getResultType()
   }
 
   final override IRVariable getInstructionVariable(InstructionTag tag) {
@@ -2307,14 +2278,7 @@ abstract class TranslatedConditionalExpr extends TranslatedNonConstantExpr {
 
   final override Instruction getResult() {
     not this.resultIsVoid() and
-    if isExtractorFrontendVersion65OrHigher()
-    then
-      expr.hasLValueToRValueConversion() and
-      result = this.getInstruction(ConditionValueResultTempAddressTag())
-      or
-      not expr.hasLValueToRValueConversion() and
-      result = this.getInstruction(ConditionValueResultLoadTag())
-    else result = this.getInstruction(ConditionValueResultLoadTag())
+    result = this.getInstruction(ConditionValueResultLoadTag())
   }
 
   override Instruction getChildSuccessor(TranslatedElement child) {
@@ -3274,18 +3238,10 @@ predicate exprNeedsCopyIfNotLoaded(Expr expr) {
     expr instanceof AssignExpr
     or
     expr instanceof AssignOperation and
-    (
-      not expr.isPRValueCategory() // is C++
-      or
-      isExtractorFrontendVersion65OrHigher()
-    )
+    not expr.isPRValueCategory() // is C++
     or
     expr instanceof PrefixCrementOperation and
-    (
-      not expr.isPRValueCategory() // is C++
-      or
-      isExtractorFrontendVersion65OrHigher()
-    )
+    not expr.isPRValueCategory() // is C++
     or
     // Because the load is on the `e` in `e++`.
     expr instanceof PostfixCrementOperation

cpp/ql/lib/semmle/code/cpp/models/Models.qll

@@ -19,7 +19,6 @@ private import implementations.Strtok
 private import implementations.Strset
 private import implementations.Strcrement
 private import implementations.Strnextc
-private import implementations.Strtol
 private import implementations.StdContainer
 private import implementations.StdPair
 private import implementations.StdMap
@@ -35,7 +34,6 @@ private import implementations.Accept
 private import implementations.Poll
 private import implementations.Select
 private import implementations.MySql
-private import implementations.ODBC
 private import implementations.SqLite3
 private import implementations.PostgreSql
 private import implementations.System

cpp/ql/lib/semmle/code/cpp/models/implementations/Allocation.qll

@@ -5,7 +5,6 @@
  */
 
 import semmle.code.cpp.models.interfaces.Allocation
-import semmle.code.cpp.models.interfaces.Taint
 
 /**
  * An allocation function (such as `malloc`) that has an argument for the size
@@ -122,7 +121,7 @@ private class CallocAllocationFunction extends AllocationFunction {
  * An allocation function (such as `realloc`) that has an argument for the size
  * in bytes, and an argument for an existing pointer that is to be reallocated.
  */
-private class ReallocAllocationFunction extends AllocationFunction, TaintFunction {
+private class ReallocAllocationFunction extends AllocationFunction {
   int sizeArg;
   int reallocArg;
 
@@ -152,10 +151,6 @@ private class ReallocAllocationFunction extends AllocationFunction, TaintFunctio
   override int getSizeArg() { result = sizeArg }
 
   override int getReallocPtrArg() { result = reallocArg }
-
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isParameterDeref(this.getReallocPtrArg()) and output.isReturnValueDeref()
-  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/models/implementations/Gets.qll

@@ -49,11 +49,10 @@ private class FgetsFunction extends DataFlowFunction, TaintFunction, ArrayFuncti
   }
 
   override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
-    (
-      output.isParameterDeref(0) or
-      output.isReturnValue() or
-      output.isReturnValueDeref()
-    ) and
+    output.isParameterDeref(0) and
+    description = "string read by " + this.getName()
+    or
+    output.isReturnValue() and
     description = "string read by " + this.getName()
   }
 

cpp/ql/lib/semmle/code/cpp/models/implementations/Inet.qll

@@ -157,7 +157,7 @@ private class Getaddrinfo extends TaintFunction, ArrayFunction, RemoteFlowSource
   override predicate hasArrayWithNullTerminator(int bufParam) { bufParam in [0, 1] }
 
   override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
-    output.isParameterDeref(3, 2) and
+    output.isParameterDeref(3) and
     description = "address returned by " + this.getName()
   }
 }

cpp/ql/lib/semmle/code/cpp/models/implementations/Memset.qll

@@ -9,17 +9,18 @@ import semmle.code.cpp.models.interfaces.DataFlow
 import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.SideEffect
 
-private class MemsetFunctionModel extends ArrayFunction, DataFlowFunction, AliasFunction,
+/**
+ * The standard function `memset` and its assorted variants
+ */
+private class MemsetFunction extends ArrayFunction, DataFlowFunction, AliasFunction,
   SideEffectFunction
 {
-  MemsetFunctionModel() {
+  MemsetFunction() {
     this.hasGlobalOrStdOrBslName("memset")
     or
     this.hasGlobalOrStdName("wmemset")
     or
-    this.hasGlobalName([
-        bzero(), "__builtin_memset", "__builtin_memset_chk", "RtlZeroMemory", "RtlSecureZeroMemory"
-      ])
+    this.hasGlobalName([bzero(), "__builtin_memset", "__builtin_memset_chk"])
   }
 
   override predicate hasArrayOutput(int bufParam) { bufParam = 0 }
@@ -59,8 +60,3 @@ private class MemsetFunctionModel extends ArrayFunction, DataFlowFunction, Alias
 }
 
 private string bzero() { result = ["bzero", "explicit_bzero"] }
-
-/**
- * The standard function `memset` and its assorted variants
- */
-class MemsetFunction extends Function instanceof MemsetFunctionModel { }

cpp/ql/lib/semmle/code/cpp/models/implementations/ODBC.qll

@@ -1,28 +0,0 @@
-/**
- * Provides implementation classes modeling the ODBC C/C++ API.
- * See `semmle.code.cpp.models.Models` for usage information.
- */
-
-private import semmle.code.cpp.models.interfaces.Sql
-private import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs
-
-/**
- * The `SQLExecDirect`, and `SQLPrepare` from the ODBC C/C++ API:
- * https://learn.microsoft.com/en-us/sql/odbc/reference/syntax/sqlexecdirect-function?view=sql-server-ver16
- * https://learn.microsoft.com/en-us/sql/odbc/reference/syntax/sqlprepare-function?view=sql-server-ver16
- *
- * Note, `SQLExecute` is not included because it operates on a SQLHSTMT type, not a string.
- * The SQLHSTMT parameter for `SQLExecute` is set through a `SQLPrepare`, which is modeled.
- * The other source of input to a `SQLExecute` is via a `SQLBindParameter`, which sanitizes user input,
- * and would be considered a barrier to SQL injection.
- */
-private class ODBCExecutionFunction extends SqlExecutionFunction {
-  ODBCExecutionFunction() { this.hasGlobalName(["SQLExecDirect", "SQLPrepare"]) }
-
-  override predicate hasSqlArgument(FunctionInput input) { input.isParameterDeref(1) }
-}
-// NOTE: no need to define a barrier explicitly.
-// `SQLBindParameter` is the typical means for sanitizing user input.
-//       https://learn.microsoft.com/en-us/sql/odbc/reference/syntax/sqlbindparameter-function?view=sql-server-ver16
-// First a query is establisehed via `SQLPrepare`, then parameters are bound via `SQLBindParameter`, before
-// the query is executed via `SQLExecute`. We are not modeling SQLExecute, so we do not need to model SQLBindParameter.

cpp/ql/lib/semmle/code/cpp/models/implementations/Printf.qll

@@ -147,32 +147,19 @@ private class SnprintfImpl extends Snprintf {
 
 /**
  * The Microsoft `StringCchPrintf` function and variants.
- * See: https://learn.microsoft.com/en-us/windows/win32/api/strsafe/
- *      and
- *      https://learn.microsoft.com/en-us/previous-versions/windows/embedded/ms860435(v=msdn.10)
  */
 private class StringCchPrintf extends FormattingFunction {
   StringCchPrintf() {
     this instanceof TopLevelFunction and
-    exists(string baseName |
-      baseName in [
-          "StringCchPrintf", //StringCchPrintf(pszDest, cchDest, pszFormat, ...)
-          "StringCchPrintfEx", //StringCchPrintfEx(pszDest,cchDest, ppszDestEnd, pcchRemaining, dwFlags, pszFormat, ...)
-          "StringCchPrintf_l", //StringCchPrintf_l(pszDest, cbDest, pszFormat, locale, ...)
-          "StringCchPrintf_lEx", //StringCchPrintf_lEx(pszDest, cchDest, ppszDestEnd, pcchRemaining, dwFlags, pszFormat, locale, ...)
-          "StringCbPrintf", //StringCbPrintf(pszDest, cbDest, pszFormat, ...)
-          "StringCbPrintfEx", //StringCbPrintfEx(pszDest, cbDest, ppszDestEnd, pcbRemaining, dwFlags, pszFormat, ...)
-          "StringCbPrintf_l", //StringCbPrintf_l(pszDest, cbDest, pszFormat, locale, ...)
-          "StringCbPrintf_lEx" //StringCbPrintf_lEx(pszDest, cbDest, ppszDestEnd, pcbRemaining, dwFlags, pszFormat, locale, ...)
-        ]
-    |
-      this.hasGlobalName(baseName + ["", "A", "W"])
-    ) and
+    this.hasGlobalName([
+        "StringCchPrintf", "StringCchPrintfEx", "StringCchPrintf_l", "StringCchPrintf_lEx",
+        "StringCbPrintf", "StringCbPrintfEx", "StringCbPrintf_l", "StringCbPrintf_lEx"
+      ]) and
     not exists(this.getDefinition().getFile().getRelativePath())
   }
 
   override int getFormatParameterIndex() {
-    if this.getName().matches("%Ex" + ["", "A", "W"]) then result = 5 else result = 2
+    if this.getName().matches("%Ex") then result = 5 else result = 2
   }
 
   override int getOutputParameterIndex(boolean isStream) { result = 0 and isStream = false }

cpp/ql/lib/semmle/code/cpp/models/implementations/Pure.qll

@@ -13,7 +13,7 @@ private class PureStrFunction extends AliasFunction, ArrayFunction, TaintFunctio
   PureStrFunction() {
     this.hasGlobalOrStdOrBslName([
         atoi(), "strcasestr", "strchnul", "strchr", "strchrnul", "strstr", "strpbrk", "strrchr",
-        "strspn", strrev(), strcmp(), strlwr(), strupr()
+        "strspn", strtol(), strrev(), strcmp(), strlwr(), strupr()
       ])
   }
 
@@ -70,6 +70,8 @@ private class PureStrFunction extends AliasFunction, ArrayFunction, TaintFunctio
 
 private string atoi() { result = ["atof", "atoi", "atol", "atoll"] }
 
+private string strtol() { result = ["strtod", "strtof", "strtol", "strtoll", "strtoq", "strtoul"] }
+
 private string strlwr() {
   result = ["_strlwr", "_wcslwr", "_mbslwr", "_strlwr_l", "_wcslwr_l", "_mbslwr_l"]
 }

cpp/ql/lib/semmle/code/cpp/models/implementations/Send.qll

@@ -58,7 +58,7 @@ private class Send extends AliasFunction, ArrayFunction, SideEffectFunction, Rem
   override ParameterIndex getParameterSizeIndex(ParameterIndex i) { i = 1 and result = 2 }
 
   override predicate hasRemoteFlowSink(FunctionInput input, string description) {
-    input.isParameterDeref(1, 1) and description = "buffer sent by " + this.getName()
+    input.isParameterDeref(1) and description = "buffer sent by " + this.getName()
   }
 
   override predicate hasSocketInput(FunctionInput input) { input.isParameter(0) }

cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll

@@ -10,8 +10,6 @@ import semmle.code.cpp.models.interfaces.SideEffect
 
 /**
  * The standard function `strcat` and its wide, sized, and Microsoft variants.
- *
- * Does not include `strlcat`, which is covered by `StrlcatFunction`
  */
 class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, SideEffectFunction {
   StrcatFunction() {
@@ -92,64 +90,3 @@ class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, Sid
     buffer = true
   }
 }
-
-/**
- * The `strlcat` function.
- */
-class StrlcatFunction extends TaintFunction, ArrayFunction, SideEffectFunction {
-  StrlcatFunction() {
-    this.hasGlobalName("strlcat") // strlcat(dst, src, dst_size)
-  }
-
-  /**
-   * Gets the index of the parameter that is the size of the copy (in characters).
-   */
-  int getParamSize() { result = 2 }
-
-  /**
-   * Gets the index of the parameter that is the source of the copy.
-   */
-  int getParamSrc() { result = 1 }
-
-  /**
-   * Gets the index of the parameter that is the destination to be appended to.
-   */
-  int getParamDest() { result = 0 }
-
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    (
-      input.isParameter(2)
-      or
-      input.isParameterDeref(0)
-      or
-      input.isParameterDeref(1)
-    ) and
-    output.isParameterDeref(0)
-  }
-
-  override predicate hasArrayInput(int param) {
-    param = 0 or
-    param = 1
-  }
-
-  override predicate hasArrayOutput(int param) { param = 0 }
-
-  override predicate hasArrayWithNullTerminator(int param) { param = 1 }
-
-  override predicate hasArrayWithUnknownSize(int param) { param = 0 }
-
-  override predicate hasOnlySpecificReadSideEffects() { any() }
-
-  override predicate hasOnlySpecificWriteSideEffects() { any() }
-
-  override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
-    i = 0 and
-    buffer = true and
-    mustWrite = false
-  }
-
-  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
-    (i = 0 or i = 1) and
-    buffer = true
-  }
-}

cpp/ql/lib/semmle/code/cpp/models/implementations/Strcpy.qll

@@ -32,8 +32,7 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
         "wcsxfrm_l", // _strxfrm_l(dest, src, max_amount, locale)
         "_mbsnbcpy", // _mbsnbcpy(dest, src, max_amount)
         "stpcpy", // stpcpy(dest, src)
-        "stpncpy", // stpncpy(dest, src, max_amount)
-        "strlcpy" // strlcpy(dst, src, dst_size)
+        "stpncpy" // stpcpy(dest, src, max_amount)
       ])
     or
     (
@@ -54,11 +53,6 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
    */
   private predicate isSVariant() { this.getName().matches("%\\_s") }
 
-  /**
-   * Holds if the function returns the total length the string would have had if the size was unlimited.
-   */
-  private predicate returnsTotalLength() { this.getName() = "strlcpy" }
-
   /**
    * Gets the index of the parameter that is the maximum size of the copy (in characters).
    */
@@ -66,7 +60,7 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
     if this.isSVariant()
     then result = 1
     else (
-      this.getName().matches(["%ncpy%", "%nbcpy%", "%xfrm%", "strlcpy"]) and
+      this.getName().matches(["%ncpy%", "%nbcpy%", "%xfrm%"]) and
       result = 2
     )
   }
@@ -106,7 +100,6 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
     input.isParameterDeref(this.getParamSrc()) and
     output.isReturnValueDeref()
     or
-    not this.returnsTotalLength() and
     input.isParameter(this.getParamDest()) and
     output.isReturnValue()
   }
@@ -117,9 +110,8 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
     exists(this.getParamSize()) and
     input.isParameterDeref(this.getParamSrc()) and
     (
-      output.isParameterDeref(this.getParamDest())
-      or
-      not this.returnsTotalLength() and output.isReturnValueDeref()
+      output.isParameterDeref(this.getParamDest()) or
+      output.isReturnValueDeref()
     )
   }
 

cpp/ql/lib/semmle/code/cpp/models/implementations/Strtok.qll

@@ -32,8 +32,6 @@ private class Strtok extends ArrayFunction, AliasFunction, TaintFunction, SideEf
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isParameter(0) and output.isReturnValue()
-    or
-    input.isParameterDeref(0) and output.isReturnValueDeref()
   }
 
   override predicate hasOnlySpecificReadSideEffects() { none() }

cpp/ql/lib/semmle/code/cpp/models/implementations/Strtol.qll

@@ -1,54 +0,0 @@
-import semmle.code.cpp.models.interfaces.ArrayFunction
-import semmle.code.cpp.models.interfaces.Taint
-import semmle.code.cpp.models.interfaces.Alias
-import semmle.code.cpp.models.interfaces.SideEffect
-
-private string strtol() { result = ["strtod", "strtof", "strtol", "strtoll", "strtoq", "strtoul"] }
-
-/**
- * The standard function `strtol` and its assorted variants
- */
-private class Strtol extends AliasFunction, ArrayFunction, TaintFunction, SideEffectFunction {
-  Strtol() { this.hasGlobalOrStdOrBslName(strtol()) }
-
-  override predicate hasArrayInput(int bufParam) {
-    // All the functions given by `strtol()` takes a `const char*` input as the first parameter
-    bufParam = 0
-  }
-
-  override predicate hasArrayWithNullTerminator(int bufParam) { bufParam = 0 }
-
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    (
-      input.isParameter(0)
-      or
-      input.isParameterDeref(0)
-    ) and
-    output.isReturnValue()
-    or
-    input.isParameter(0) and
-    output.isParameterDeref(1)
-  }
-
-  override predicate parameterNeverEscapes(int i) {
-    // Parameter 0 does escape into parameter 1.
-    i = 1
-  }
-
-  override predicate parameterEscapesOnlyViaReturn(int i) { none() }
-
-  override predicate parameterIsAlwaysReturned(int i) { none() }
-
-  override predicate hasOnlySpecificReadSideEffects() { any() }
-
-  override predicate hasOnlySpecificWriteSideEffects() { any() }
-
-  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
-    i = 0 and
-    buffer = true
-  }
-
-  override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
-    i = 1 and buffer = false and mustWrite = false
-  }
-}

cpp/ql/lib/semmle/code/cpp/models/interfaces/FunctionInputsAndOutputs.qll

@@ -8,7 +8,7 @@ import semmle.code.cpp.Parameter
 
 private newtype TFunctionInput =
   TInParameter(ParameterIndex i) or
-  TInParameterDeref(ParameterIndex i, int indirectionIndex) { indirectionIndex = [1, 2] } or
+  TInParameterDeref(ParameterIndex i) or
   TInQualifierObject() or
   TInQualifierAddress() or
   TInReturnValueDeref()
@@ -245,18 +245,15 @@ class InParameter extends FunctionInput, TInParameter {
  */
 class InParameterDeref extends FunctionInput, TInParameterDeref {
   ParameterIndex index;
-  int indirectionIndex;
 
-  InParameterDeref() { this = TInParameterDeref(index, indirectionIndex) }
+  InParameterDeref() { this = TInParameterDeref(index) }
 
   override string toString() { result = "InParameterDeref " + index.toString() }
 
   /** Gets the zero-based index of the parameter. */
   ParameterIndex getIndex() { result = index }
 
-  override predicate isParameterDeref(ParameterIndex i, int indirection) {
-    i = index and indirectionIndex = indirection
-  }
+  override predicate isParameterDeref(ParameterIndex i) { i = index }
 }
 
 /**
@@ -324,10 +321,10 @@ class InReturnValueDeref extends FunctionInput, TInReturnValueDeref {
 }
 
 private newtype TFunctionOutput =
-  TOutParameterDeref(ParameterIndex i, int indirectionIndex) { indirectionIndex = [1, 2] } or
+  TOutParameterDeref(ParameterIndex i) or
   TOutQualifierObject() or
   TOutReturnValue() or
-  TOutReturnValueDeref(int indirections) { indirections = [1, 2] }
+  TOutReturnValueDeref()
 
 /**
  * An output from a function. This can be:
@@ -501,16 +498,17 @@ class FunctionOutput extends TFunctionOutput {
  */
 class OutParameterDeref extends FunctionOutput, TOutParameterDeref {
   ParameterIndex index;
-  int indirectionIndex;
 
-  OutParameterDeref() { this = TOutParameterDeref(index, indirectionIndex) }
+  OutParameterDeref() { this = TOutParameterDeref(index) }
 
   override string toString() { result = "OutParameterDeref " + index.toString() }
 
   ParameterIndex getIndex() { result = index }
 
+  override predicate isParameterDeref(ParameterIndex i) { i = index }
+
   override predicate isParameterDeref(ParameterIndex i, int ind) {
-    i = index and ind = indirectionIndex
+    this.isParameterDeref(i) and ind = 1
   }
 }
 
@@ -574,8 +572,4 @@ class OutReturnValueDeref extends FunctionOutput, TOutReturnValueDeref {
   override string toString() { result = "OutReturnValueDeref" }
 
   override predicate isReturnValueDeref() { any() }
-
-  override predicate isReturnValueDeref(int indirectionIndex) {
-    this = TOutReturnValueDeref(indirectionIndex)
-  }
 }

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/RangeAnalysis.qll

@@ -17,7 +17,9 @@ private import semmle.code.cpp.valuenumbering.GlobalValueNumbering
  * `upper` is true, and can be traced back to a guard represented by `reason`.
  */
 predicate bounded(Expr e, Bound b, float delta, boolean upper, Reason reason) {
-  exists(SemanticExprConfig::Expr semExpr | semExpr.getUnconvertedResultExpression() = e |
+  exists(SemanticExprConfig::Expr semExpr |
+    semExpr.getUnconverted().getUnconvertedResultExpression() = e
+  |
     semBounded(semExpr, b, delta, upper, reason)
   )
 }
@@ -28,7 +30,9 @@ predicate bounded(Expr e, Bound b, float delta, boolean upper, Reason reason) {
  * The `Expr` may be a conversion.
  */
 predicate convertedBounded(Expr e, Bound b, float delta, boolean upper, Reason reason) {
-  exists(SemanticExprConfig::Expr semExpr | semExpr.getConvertedResultExpression() = e |
+  exists(SemanticExprConfig::Expr semExpr |
+    semExpr.getConverted().getConvertedResultExpression() = e
+  |
     semBounded(semExpr, b, delta, upper, reason)
   )
 }

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/SimpleRangeAnalysis.qll

@@ -100,7 +100,7 @@ predicate exprMightOverflowNegatively(Expr expr) {
   lowerBound(expr) < exprMinVal(expr)
   or
   exists(SemanticExprConfig::Expr semExpr |
-    semExpr.getAst() = expr and
+    semExpr.getUnconverted().getAst() = expr and
     ConstantStage::potentiallyOverflowingExpr(false, semExpr) and
     not ConstantStage::initialBounded(semExpr, _, _, false, _, _, _)
   )
@@ -126,7 +126,7 @@ predicate exprMightOverflowPositively(Expr expr) {
   upperBound(expr) > exprMaxVal(expr)
   or
   exists(SemanticExprConfig::Expr semExpr |
-    semExpr.getAst() = expr and
+    semExpr.getUnconverted().getAst() = expr and
     ConstantStage::potentiallyOverflowingExpr(true, semExpr) and
     not ConstantStage::initialBounded(semExpr, _, _, true, _, _, _)
   )

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticCFG.qll

@@ -12,6 +12,9 @@ class SemBasicBlock extends Specific::BasicBlock {
   /** Holds if this block (transitively) dominates `otherblock`. */
   final predicate bbDominates(SemBasicBlock otherBlock) { Specific::bbDominates(this, otherBlock) }
 
+  /** Holds if this block has dominance information. */
+  final predicate hasDominanceInformation() { Specific::hasDominanceInformation(this) }
+
   /** Gets an expression that is evaluated in this basic block. */
   final SemExpr getAnExpr() { result.getBasicBlock() = this }
 

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExpr.qll

@@ -4,7 +4,6 @@
 
 private import Semantic
 private import SemanticExprSpecific::SemanticExprConfig as Specific
-private import SemanticType
 
 /**
  * An language-neutral expression.
@@ -242,21 +241,8 @@ class SemConvertExpr extends SemUnaryExpr {
   SemConvertExpr() { opcode instanceof Opcode::Convert }
 }
 
-private import semmle.code.cpp.ir.IR as IR
-
-/** A conversion instruction which is guaranteed to not overflow. */
-private class SafeConversion extends IR::ConvertInstruction {
-  SafeConversion() {
-    exists(SemType tFrom, SemType tTo |
-      tFrom = getSemanticType(super.getUnary().getResultIRType()) and
-      tTo = getSemanticType(super.getResultIRType()) and
-      conversionCannotOverflow(tFrom, tTo)
-    )
-  }
-}
-
 class SemCopyValueExpr extends SemUnaryExpr {
-  SemCopyValueExpr() { opcode instanceof Opcode::CopyValue or this instanceof SafeConversion }
+  SemCopyValueExpr() { opcode instanceof Opcode::CopyValue }
 }
 
 class SemNegateExpr extends SemUnaryExpr {

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExprSpecific.qll

@@ -12,10 +12,87 @@ private import semmle.code.cpp.ir.ValueNumbering
 module SemanticExprConfig {
   class Location = Cpp::Location;
 
+  /** A `ConvertInstruction` or a `CopyValueInstruction`. */
+  private class Conversion extends IR::UnaryInstruction {
+    Conversion() {
+      this instanceof IR::CopyValueInstruction
+      or
+      this instanceof IR::ConvertInstruction
+    }
+
+    /** Holds if this instruction converts a value of type `tFrom` to a value of type `tTo`. */
+    predicate converts(SemType tFrom, SemType tTo) {
+      tFrom = getSemanticType(this.getUnary().getResultIRType()) and
+      tTo = getSemanticType(this.getResultIRType())
+    }
+  }
+
+  /**
+   * Gets a conversion-like instruction that consumes `op`, and
+   * which is guaranteed to not overflow.
+   */
+  private IR::Instruction safeConversion(IR::Operand op) {
+    exists(Conversion conv, SemType tFrom, SemType tTo |
+      conv.converts(tFrom, tTo) and
+      conversionCannotOverflow(tFrom, tTo) and
+      conv.getUnaryOperand() = op and
+      result = conv
+    )
+  }
+
+  /** Holds if `i1 = i2` or if `i2` is a safe conversion that consumes `i1`. */
+  private predicate idOrSafeConversion(IR::Instruction i1, IR::Instruction i2) {
+    not i1.getResultIRType() instanceof IR::IRVoidType and
+    (
+      i1 = i2
+      or
+      i2 = safeConversion(i1.getAUse()) and
+      i1.getBlock() = i2.getBlock()
+    )
+  }
+
+  module Equiv = QlBuiltins::EquivalenceRelation<IR::Instruction, idOrSafeConversion/2>;
+
   /**
    * The expressions on which we perform range analysis.
    */
-  class Expr = IR::Instruction;
+  class Expr extends Equiv::EquivalenceClass {
+    /** Gets the n'th instruction in this equivalence class. */
+    private IR::Instruction getInstruction(int n) {
+      result =
+        rank[n + 1](IR::Instruction instr, int i, IR::IRBlock block |
+          this = Equiv::getEquivalenceClass(instr) and block.getInstruction(i) = instr
+        |
+          instr order by i
+        )
+    }
+
+    /** Gets a textual representation of this element. */
+    string toString() { result = this.getUnconverted().toString() }
+
+    /** Gets the basic block of this expression. */
+    IR::IRBlock getBlock() { result = this.getUnconverted().getBlock() }
+
+    /** Gets the unconverted instruction associated with this expression. */
+    IR::Instruction getUnconverted() { result = this.getInstruction(0) }
+
+    /**
+     * Gets the final instruction associated with this expression. This
+     * represents the result after applying all the safe conversions.
+     */
+    IR::Instruction getConverted() {
+      exists(int n |
+        result = this.getInstruction(n) and
+        not exists(this.getInstruction(n + 1))
+      )
+    }
+
+    /** Gets the type of the result produced by this instruction. */
+    IR::IRType getResultIRType() { result = this.getConverted().getResultIRType() }
+
+    /** Gets the location of the source code for this expression. */
+    Location getLocation() { result = this.getUnconverted().getLocation() }
+  }
 
   SemBasicBlock getExprBasicBlock(Expr e) { result = getSemanticBasicBlock(e.getBlock()) }
 
@@ -62,12 +139,12 @@ module SemanticExprConfig {
 
   predicate stringLiteral(Expr expr, SemType type, string value) {
     anyConstantExpr(expr, type, value) and
-    expr instanceof IR::StringConstantInstruction
+    expr.getUnconverted() instanceof IR::StringConstantInstruction
   }
 
   predicate binaryExpr(Expr expr, Opcode opcode, SemType type, Expr leftOperand, Expr rightOperand) {
     exists(IR::BinaryInstruction instr |
-      instr = expr and
+      instr = expr.getUnconverted() and
       type = getSemanticType(instr.getResultIRType()) and
       leftOperand = getSemanticExpr(instr.getLeft()) and
       rightOperand = getSemanticExpr(instr.getRight()) and
@@ -77,14 +154,14 @@ module SemanticExprConfig {
   }
 
   predicate unaryExpr(Expr expr, Opcode opcode, SemType type, Expr operand) {
-    exists(IR::UnaryInstruction instr | instr = expr |
+    exists(IR::UnaryInstruction instr | instr = expr.getUnconverted() |
       type = getSemanticType(instr.getResultIRType()) and
       operand = getSemanticExpr(instr.getUnary()) and
       // REVIEW: Merge the two operand types.
       opcode.toString() = instr.getOpcode().toString()
     )
     or
-    exists(IR::StoreInstruction instr | instr = expr |
+    exists(IR::StoreInstruction instr | instr = expr.getUnconverted() |
       type = getSemanticType(instr.getResultIRType()) and
       operand = getSemanticExpr(instr.getSourceValue()) and
       opcode instanceof Opcode::Store
@@ -93,13 +170,13 @@ module SemanticExprConfig {
 
   predicate nullaryExpr(Expr expr, Opcode opcode, SemType type) {
     exists(IR::LoadInstruction load |
-      load = expr and
+      load = expr.getUnconverted() and
       type = getSemanticType(load.getResultIRType()) and
       opcode instanceof Opcode::Load
     )
     or
     exists(IR::InitializeParameterInstruction init |
-      init = expr and
+      init = expr.getUnconverted() and
       type = getSemanticType(init.getResultIRType()) and
       opcode instanceof Opcode::InitializeParameter
     )
@@ -122,6 +199,8 @@ module SemanticExprConfig {
     dominator.dominates(dominated)
   }
 
+  predicate hasDominanceInformation(BasicBlock block) { any() }
+
   private predicate id(Cpp::Locatable x, Cpp::Locatable y) { x = y }
 
   private predicate idOf(Cpp::Locatable x, int y) = equivalenceRelation(id/2)(x, y)
@@ -130,7 +209,17 @@ module SemanticExprConfig {
 
   newtype TSsaVariable =
     TSsaInstruction(IR::Instruction instr) { instr.hasMemoryResult() } or
-    TSsaOperand(IR::PhiInputOperand op) { op.isDefinitionInexact() }
+    TSsaOperand(IR::Operand op) { op.isDefinitionInexact() } or
+    TSsaPointerArithmeticGuard(ValueNumber instr) {
+      exists(Guard g, IR::Operand use |
+        use = instr.getAUse() and use.getIRType() instanceof IR::IRAddressType
+      |
+        g.comparesLt(use, _, _, _, _) or
+        g.comparesLt(_, use, _, _, _) or
+        g.comparesEq(use, _, _, _, _) or
+        g.comparesEq(_, use, _, _, _)
+      )
+    }
 
   class SsaVariable extends TSsaVariable {
     string toString() { none() }
@@ -139,7 +228,9 @@ module SemanticExprConfig {
 
     IR::Instruction asInstruction() { none() }
 
-    IR::PhiInputOperand asOperand() { none() }
+    ValueNumber asPointerArithGuard() { none() }
+
+    IR::Operand asOperand() { none() }
   }
 
   class SsaInstructionVariable extends SsaVariable, TSsaInstruction {
@@ -154,8 +245,20 @@ module SemanticExprConfig {
     final override IR::Instruction asInstruction() { result = instr }
   }
 
+  class SsaPointerArithmeticGuard extends SsaVariable, TSsaPointerArithmeticGuard {
+    ValueNumber vn;
+
+    SsaPointerArithmeticGuard() { this = TSsaPointerArithmeticGuard(vn) }
+
+    final override string toString() { result = vn.toString() }
+
+    final override Location getLocation() { result = vn.getLocation() }
+
+    final override ValueNumber asPointerArithGuard() { result = vn }
+  }
+
   class SsaOperand extends SsaVariable, TSsaOperand {
-    IR::PhiInputOperand op;
+    IR::Operand op;
 
     SsaOperand() { this = TSsaOperand(op) }
 
@@ -163,7 +266,7 @@ module SemanticExprConfig {
 
     final override Location getLocation() { result = op.getLocation() }
 
-    final override IR::PhiInputOperand asOperand() { result = op }
+    final override IR::Operand asOperand() { result = op }
   }
 
   predicate explicitUpdate(SsaVariable v, Expr sourceExpr) {
@@ -186,29 +289,97 @@ module SemanticExprConfig {
     )
   }
 
-  Expr getAUse(SsaVariable v) { result.(IR::LoadInstruction).getSourceValue() = v.asInstruction() }
+  Expr getAUse(SsaVariable v) {
+    result.getUnconverted().(IR::LoadInstruction).getSourceValue() = v.asInstruction()
+    or
+    result.getUnconverted() = v.asPointerArithGuard().getAnInstruction()
+  }
 
   SemType getSsaVariableType(SsaVariable v) {
     result = getSemanticType(v.asInstruction().getResultIRType())
-    or
-    result = getSemanticType(v.asOperand().getUse().getResultIRType())
   }
 
   BasicBlock getSsaVariableBasicBlock(SsaVariable v) {
     result = v.asInstruction().getBlock()
     or
-    result = v.asOperand().getAnyDef().getBlock()
+    result = v.asOperand().getUse().getBlock()
   }
 
-  /** Holds if `inp` is an input to the phi node along the edge originating in `bb`. */
-  predicate phiInputFromBlock(SsaVariable phi, SsaVariable inp, BasicBlock bb) {
+  private newtype TReadPosition =
+    TReadPositionBlock(IR::IRBlock block) or
+    TReadPositionPhiInputEdge(IR::IRBlock pred, IR::IRBlock succ) {
+      exists(IR::PhiInputOperand input |
+        pred = input.getPredecessorBlock() and
+        succ = input.getUse().getBlock()
+      )
+    }
+
+  class SsaReadPosition extends TReadPosition {
+    string toString() { none() }
+
+    Location getLocation() { none() }
+
+    predicate hasRead(SsaVariable v) { none() }
+  }
+
+  private class SsaReadPositionBlock extends SsaReadPosition, TReadPositionBlock {
+    IR::IRBlock block;
+
+    SsaReadPositionBlock() { this = TReadPositionBlock(block) }
+
+    final override string toString() { result = block.toString() }
+
+    final override Location getLocation() { result = block.getLocation() }
+
+    final override predicate hasRead(SsaVariable v) {
+      exists(IR::Operand operand |
+        operand.getDef() = v.asInstruction() or
+        operand.getDef() = v.asPointerArithGuard().getAnInstruction()
+      |
+        not operand instanceof IR::PhiInputOperand and
+        operand.getUse().getBlock() = block
+      )
+    }
+  }
+
+  private class SsaReadPositionPhiInputEdge extends SsaReadPosition, TReadPositionPhiInputEdge {
+    IR::IRBlock pred;
+    IR::IRBlock succ;
+
+    SsaReadPositionPhiInputEdge() { this = TReadPositionPhiInputEdge(pred, succ) }
+
+    final override string toString() { result = pred.toString() + "->" + succ.toString() }
+
+    final override Location getLocation() { result = succ.getLocation() }
+
+    final override predicate hasRead(SsaVariable v) {
+      exists(IR::PhiInputOperand operand |
+        operand.getDef() = v.asInstruction() or
+        operand.getDef() = v.asPointerArithGuard().getAnInstruction()
+      |
+        operand.getPredecessorBlock() = pred and
+        operand.getUse().getBlock() = succ
+      )
+    }
+  }
+
+  predicate hasReadOfSsaVariable(SsaReadPosition pos, SsaVariable v) { pos.hasRead(v) }
+
+  predicate readBlock(SsaReadPosition pos, BasicBlock block) { pos = TReadPositionBlock(block) }
+
+  predicate phiInputEdge(SsaReadPosition pos, BasicBlock origBlock, BasicBlock phiBlock) {
+    pos = TReadPositionPhiInputEdge(origBlock, phiBlock)
+  }
+
+  predicate phiInput(SsaReadPosition pos, SsaVariable phi, SsaVariable input) {
     exists(IR::PhiInputOperand operand |
-      bb = operand.getPredecessorBlock() and
+      pos = TReadPositionPhiInputEdge(operand.getPredecessorBlock(), operand.getUse().getBlock())
+    |
       phi.asInstruction() = operand.getUse() and
       (
-        inp.asInstruction() = operand.getDef()
+        input.asInstruction() = operand.getDef()
         or
-        inp.asOperand() = operand
+        input.asOperand() = operand
       )
     )
   }
@@ -262,7 +433,7 @@ module SemanticExprConfig {
   }
 
   /** Gets the expression associated with `instr`. */
-  SemExpr getSemanticExpr(IR::Instruction instr) { result = instr }
+  SemExpr getSemanticExpr(IR::Instruction instr) { result = Equiv::getEquivalenceClass(instr) }
 }
 
 predicate getSemanticExpr = SemanticExprConfig::getSemanticExpr/1;

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticGuard.qll

@@ -35,4 +35,32 @@ predicate semImplies_v2(SemGuard g1, boolean b1, SemGuard g2, boolean b2) {
   Specific::implies_v2(g1, b1, g2, b2)
 }
 
+/**
+ * Holds if `guard` directly controls the position `controlled` with the
+ * value `testIsTrue`.
+ */
+pragma[nomagic]
+predicate semGuardDirectlyControlsSsaRead(
+  SemGuard guard, SemSsaReadPosition controlled, boolean testIsTrue
+) {
+  guard.directlyControls(controlled.(SemSsaReadPositionBlock).getBlock(), testIsTrue)
+  or
+  exists(SemSsaReadPositionPhiInputEdge controlledEdge | controlledEdge = controlled |
+    guard.directlyControls(controlledEdge.getOrigBlock(), testIsTrue) or
+    guard.hasBranchEdge(controlledEdge.getOrigBlock(), controlledEdge.getPhiBlock(), testIsTrue)
+  )
+}
+
+/**
+ * Holds if `guard` controls the position `controlled` with the value `testIsTrue`.
+ */
+predicate semGuardControlsSsaRead(SemGuard guard, SemSsaReadPosition controlled, boolean testIsTrue) {
+  semGuardDirectlyControlsSsaRead(guard, controlled, testIsTrue)
+  or
+  exists(SemGuard guard0, boolean testIsTrue0 |
+    semImplies_v2(guard0, testIsTrue0, guard, testIsTrue) and
+    semGuardControlsSsaRead(guard0, controlled, testIsTrue0)
+  )
+}
+
 SemGuard semGetComparisonGuard(SemRelationalExpr e) { result = Specific::comparisonGuard(e) }

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticLocation.qll

@@ -8,18 +8,6 @@ class SemLocation instanceof Location {
    */
   string toString() { result = super.toString() }
 
-  /** Gets the 1-based line number (inclusive) where this location starts. */
-  int getStartLine() { result = super.getStartLine() }
-
-  /** Gets the 1-based column number (inclusive) where this location starts. */
-  int getStartColumn() { result = super.getStartColumn() }
-
-  /** Gets the 1-based line number (inclusive) where this location ends. */
-  int getEndLine() { result = super.getEndLine() }
-
-  /** Gets the 1-based column number (inclusive) where this location ends. */
-  int getEndColumn() { result = super.getEndColumn() }
-
   /**
    * Holds if this element is at the specified location.
    * The location spans column `startcolumn` of line `startline` to

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticSSA.qll

@@ -22,15 +22,75 @@ class SemSsaExplicitUpdate extends SemSsaVariable {
 
   SemSsaExplicitUpdate() { Specific::explicitUpdate(this, sourceExpr) }
 
-  final SemExpr getDefiningExpr() { result = sourceExpr }
+  final SemExpr getSourceExpr() { result = sourceExpr }
 }
 
 class SemSsaPhiNode extends SemSsaVariable {
   SemSsaPhiNode() { Specific::phi(this) }
 
   final SemSsaVariable getAPhiInput() { result = Specific::getAPhiInput(this) }
-
-  final predicate hasInputFromBlock(SemSsaVariable inp, SemBasicBlock bb) {
-    Specific::phiInputFromBlock(this, inp, bb)
-  }
+}
+
+class SemSsaReadPosition instanceof Specific::SsaReadPosition {
+  final string toString() { result = super.toString() }
+
+  final Specific::Location getLocation() { result = super.getLocation() }
+
+  final predicate hasReadOfVar(SemSsaVariable var) { Specific::hasReadOfSsaVariable(this, var) }
+}
+
+class SemSsaReadPositionPhiInputEdge extends SemSsaReadPosition {
+  SemBasicBlock origBlock;
+  SemBasicBlock phiBlock;
+
+  SemSsaReadPositionPhiInputEdge() { Specific::phiInputEdge(this, origBlock, phiBlock) }
+
+  predicate phiInput(SemSsaPhiNode phi, SemSsaVariable inp) { Specific::phiInput(this, phi, inp) }
+
+  SemBasicBlock getOrigBlock() { result = origBlock }
+
+  SemBasicBlock getPhiBlock() { result = phiBlock }
+}
+
+class SemSsaReadPositionBlock extends SemSsaReadPosition {
+  SemBasicBlock block;
+
+  SemSsaReadPositionBlock() { Specific::readBlock(this, block) }
+
+  SemBasicBlock getBlock() { result = block }
+
+  SemExpr getAnExpr() { result = this.getBlock().getAnExpr() }
+}
+
+/**
+ * Holds if `inp` is an input to `phi` along a back edge.
+ */
+predicate semBackEdge(SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge) {
+  edge.phiInput(phi, inp) and
+  // Conservatively assume that every edge is a back edge if we don't have dominance information.
+  (
+    phi.getBasicBlock().bbDominates(edge.getOrigBlock()) or
+    irreducibleSccEdge(edge.getOrigBlock(), phi.getBasicBlock()) or
+    not edge.getOrigBlock().hasDominanceInformation()
+  )
+}
+
+/**
+ * Holds if the edge from b1 to b2 is part of a multiple-entry cycle in an irreducible control flow
+ * graph.
+ *
+ * An ireducible control flow graph is one where the usual dominance-based back edge detection does
+ * not work, because there is a cycle with multiple entry points, meaning there are
+ * mutually-reachable basic blocks where neither dominates the other. For such a graph, we first
+ * remove all detectable back-edges using the normal condition that the predecessor block is
+ * dominated by the successor block, then mark all edges in a cycle in the resulting graph as back
+ * edges.
+ */
+private predicate irreducibleSccEdge(SemBasicBlock b1, SemBasicBlock b2) {
+  trimmedEdge(b1, b2) and trimmedEdge+(b2, b1)
+}
+
+private predicate trimmedEdge(SemBasicBlock pred, SemBasicBlock succ) {
+  pred.getASuccessor() = succ and
+  not succ.bbDominates(pred)
 }

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/ConstantAnalysis.qll

@@ -14,7 +14,7 @@ private predicate constantIntegerExpr(SemExpr e, int val) {
   // Copy of another constant
   exists(SemSsaExplicitUpdate v, SemExpr src |
     e = v.getAUse() and
-    src = v.getDefiningExpr() and
+    src = v.getSourceExpr() and
     constantIntegerExpr(src, val)
   )
   or

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/FloatDelta.qll

@@ -1,7 +1,5 @@
+private import RangeAnalysisStage
 private import RangeAnalysisImpl
-private import codeql.rangeanalysis.RangeAnalysis
-private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticExpr
-private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticType
 
 module FloatDelta implements DeltaSig {
   class Delta = float;
@@ -22,7 +20,7 @@ module FloatDelta implements DeltaSig {
   Delta fromFloat(float f) { result = f }
 }
 
-module FloatOverflow implements OverflowSig<Sem, FloatDelta> {
+module FloatOverflow implements OverflowSig<FloatDelta> {
   predicate semExprDoesNotOverflow(boolean positively, SemExpr expr) {
     exists(float lb, float ub, float delta |
       typeBounds(expr.getSemType(), lb, ub) and

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/IntDelta.qll

@@ -0,0 +1,29 @@
+private import RangeAnalysisStage
+
+module IntDelta implements DeltaSig {
+  class Delta = int;
+
+  bindingset[d]
+  bindingset[result]
+  float toFloat(Delta d) { result = d }
+
+  bindingset[d]
+  bindingset[result]
+  int toInt(Delta d) { result = d }
+
+  bindingset[n]
+  bindingset[result]
+  Delta fromInt(int n) { result = n }
+
+  bindingset[f]
+  Delta fromFloat(float f) {
+    result =
+      min(float diff, float res |
+        diff = (res - f) and res = f.ceil()
+        or
+        diff = (f - res) and res = f.floor()
+      |
+        res order by diff
+      )
+  }
+}

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/ModulusAnalysis.qll

@@ -0,0 +1,326 @@
+/**
+ * Provides inferences of the form: `e` equals `b + v` modulo `m` where `e` is
+ * an expression, `b` is a `Bound` (typically zero or the value of an SSA
+ * variable), and `v` is an integer in the range `[0 .. m-1]`.
+ */
+
+/*
+ * The main recursion has base cases in both `ssaModulus` (for guarded reads) and `semExprModulus`
+ * (for constant values). The most interesting recursive case is `phiModulusRankStep`, which
+ * handles phi inputs.
+ */
+
+private import ModulusAnalysisSpecific::Private
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
+private import ConstantAnalysis
+private import RangeUtils
+private import RangeAnalysisStage
+
+module ModulusAnalysis<DeltaSig D, BoundSig<D> Bounds, UtilSig<D> U> {
+  pragma[nomagic]
+  private predicate valueFlowStepSsaEqFlowCond(
+    SemSsaReadPosition pos, SemSsaVariable v, SemExpr e, int delta
+  ) {
+    exists(SemGuard guard, boolean testIsTrue |
+      guard = U::semEqFlowCond(v, e, D::fromInt(delta), true, testIsTrue) and
+      semGuardDirectlyControlsSsaRead(guard, pos, testIsTrue)
+    )
+  }
+
+  /**
+   * Holds if `e + delta` equals `v` at `pos`.
+   */
+  pragma[nomagic]
+  private predicate valueFlowStepSsa(SemSsaVariable v, SemSsaReadPosition pos, SemExpr e, int delta) {
+    U::semSsaUpdateStep(v, e, D::fromInt(delta)) and pos.hasReadOfVar(v)
+    or
+    pos.hasReadOfVar(v) and
+    valueFlowStepSsaEqFlowCond(pos, v, e, delta)
+  }
+
+  /**
+   * Holds if `add` is the addition of `larg` and `rarg`, neither of which are
+   * `ConstantIntegerExpr`s.
+   */
+  private predicate nonConstAddition(SemExpr add, SemExpr larg, SemExpr rarg) {
+    exists(SemAddExpr a | a = add |
+      larg = a.getLeftOperand() and
+      rarg = a.getRightOperand()
+    ) and
+    not larg instanceof SemConstantIntegerExpr and
+    not rarg instanceof SemConstantIntegerExpr
+  }
+
+  /**
+   * Holds if `sub` is the subtraction of `larg` and `rarg`, where `rarg` is not
+   * a `ConstantIntegerExpr`.
+   */
+  private predicate nonConstSubtraction(SemExpr sub, SemExpr larg, SemExpr rarg) {
+    exists(SemSubExpr s | s = sub |
+      larg = s.getLeftOperand() and
+      rarg = s.getRightOperand()
+    ) and
+    not rarg instanceof SemConstantIntegerExpr
+  }
+
+  /** Gets an expression that is the remainder modulo `mod` of `arg`. */
+  private SemExpr modExpr(SemExpr arg, int mod) {
+    exists(SemRemExpr rem |
+      result = rem and
+      arg = rem.getLeftOperand() and
+      rem.getRightOperand().(SemConstantIntegerExpr).getIntValue() = mod and
+      mod >= 2
+    )
+    or
+    exists(SemConstantIntegerExpr c |
+      mod = 2.pow([1 .. 30]) and
+      c.getIntValue() = mod - 1 and
+      result.(SemBitAndExpr).hasOperands(arg, c)
+    )
+  }
+
+  /**
+   * Gets a guard that tests whether `v` is congruent with `val` modulo `mod` on
+   * its `testIsTrue` branch.
+   */
+  private SemGuard moduloCheck(SemSsaVariable v, int val, int mod, boolean testIsTrue) {
+    exists(SemExpr rem, SemConstantIntegerExpr c, int r, boolean polarity |
+      result.isEquality(rem, c, polarity) and
+      c.getIntValue() = r and
+      rem = modExpr(v.getAUse(), mod) and
+      (
+        testIsTrue = polarity and val = r
+        or
+        testIsTrue = polarity.booleanNot() and
+        mod = 2 and
+        val = 1 - r and
+        (r = 0 or r = 1)
+      )
+    )
+  }
+
+  /**
+   * Holds if a guard ensures that `v` at `pos` is congruent with `val` modulo `mod`.
+   */
+  private predicate moduloGuardedRead(SemSsaVariable v, SemSsaReadPosition pos, int val, int mod) {
+    exists(SemGuard guard, boolean testIsTrue |
+      pos.hasReadOfVar(v) and
+      guard = moduloCheck(v, val, mod, testIsTrue) and
+      semGuardControlsSsaRead(guard, pos, testIsTrue)
+    )
+  }
+
+  /** Holds if `factor` is a power of 2 that divides `mask`. */
+  bindingset[mask]
+  private predicate andmaskFactor(int mask, int factor) {
+    mask % factor = 0 and
+    factor = 2.pow([1 .. 30])
+  }
+
+  /** Holds if `e` is evenly divisible by `factor`. */
+  private predicate evenlyDivisibleExpr(SemExpr e, int factor) {
+    exists(SemConstantIntegerExpr c, int k | k = c.getIntValue() |
+      e.(SemMulExpr).getAnOperand() = c and factor = k.abs() and factor >= 2
+      or
+      e.(SemShiftLeftExpr).getRightOperand() = c and factor = 2.pow(k) and k > 0
+      or
+      e.(SemBitAndExpr).getAnOperand() = c and factor = max(int f | andmaskFactor(k, f))
+    )
+  }
+
+  /**
+   * Gets the remainder of `val` modulo `mod`.
+   *
+   * For `mod = 0` the result equals `val` and for `mod > 1` the result is within
+   * the range `[0 .. mod-1]`.
+   */
+  bindingset[val, mod]
+  private int remainder(int val, int mod) {
+    mod = 0 and result = val
+    or
+    mod > 1 and result = ((val % mod) + mod) % mod
+  }
+
+  /**
+   * Holds if `inp` is an input to `phi` and equals `phi` modulo `mod` along `edge`.
+   */
+  private predicate phiSelfModulus(
+    SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, int mod
+  ) {
+    exists(Bounds::SemSsaBound phibound, int v, int m |
+      edge.phiInput(phi, inp) and
+      phibound.getAVariable() = phi and
+      ssaModulus(inp, edge, phibound, v, m) and
+      mod = m.gcd(v) and
+      mod != 1
+    )
+  }
+
+  /**
+   * Holds if `b + val` modulo `mod` is a candidate congruence class for `phi`.
+   */
+  private predicate phiModulusInit(SemSsaPhiNode phi, Bounds::SemBound b, int val, int mod) {
+    exists(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge |
+      edge.phiInput(phi, inp) and
+      ssaModulus(inp, edge, b, val, mod)
+    )
+  }
+
+  /**
+   * Holds if all inputs to `phi` numbered `1` to `rix` are equal to `b + val` modulo `mod`.
+   */
+  pragma[nomagic]
+  private predicate phiModulusRankStep(
+    SemSsaPhiNode phi, Bounds::SemBound b, int val, int mod, int rix
+  ) {
+    /*
+     * base case. If any phi input is equal to `b + val` modulo `mod`, that's a potential congruence
+     * class for the phi node.
+     */
+
+    rix = 0 and
+    phiModulusInit(phi, b, val, mod)
+    or
+    exists(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, int v1, int m1 |
+      mod != 1 and
+      val = remainder(v1, mod)
+    |
+      /*
+       * Recursive case. If `inp` = `b + v2` mod `m2`, we combine that with the preceding potential
+       * congruence class `b + v1` mod `m1`. The result will be the congruence class of `v1` modulo
+       * the greatest common denominator of `m1`, `m2`, and `v1 - v2`.
+       */
+
+      exists(int v2, int m2 |
+        rankedPhiInput(pragma[only_bind_out](phi), inp, edge, rix) and
+        phiModulusRankStep(phi, b, v1, m1, rix - 1) and
+        ssaModulus(inp, edge, b, v2, m2) and
+        mod = m1.gcd(m2).gcd(v1 - v2)
+      )
+      or
+      /*
+       * Recursive case. If `inp` = `phi` mod `m2`, we combine that with the preceding potential
+       * congruence class `b + v1` mod `m1`. The result will be a congruence class modulo the greatest
+       * common denominator of `m1` and `m2`.
+       */
+
+      exists(int m2 |
+        rankedPhiInput(phi, inp, edge, rix) and
+        phiModulusRankStep(phi, b, v1, m1, rix - 1) and
+        phiSelfModulus(phi, inp, edge, m2) and
+        mod = m1.gcd(m2)
+      )
+    )
+  }
+
+  /**
+   * Holds if `phi` is equal to `b + val` modulo `mod`.
+   */
+  private predicate phiModulus(SemSsaPhiNode phi, Bounds::SemBound b, int val, int mod) {
+    exists(int r |
+      maxPhiInputRank(phi, r) and
+      phiModulusRankStep(phi, b, val, mod, r)
+    )
+  }
+
+  /**
+   * Holds if `v` at `pos` is equal to `b + val` modulo `mod`.
+   */
+  private predicate ssaModulus(
+    SemSsaVariable v, SemSsaReadPosition pos, Bounds::SemBound b, int val, int mod
+  ) {
+    phiModulus(v, b, val, mod) and pos.hasReadOfVar(v)
+    or
+    b.(Bounds::SemSsaBound).getAVariable() = v and pos.hasReadOfVar(v) and val = 0 and mod = 0
+    or
+    exists(SemExpr e, int val0, int delta |
+      semExprModulus(e, b, val0, mod) and
+      valueFlowStepSsa(v, pos, e, delta) and
+      val = remainder(val0 + delta, mod)
+    )
+    or
+    moduloGuardedRead(v, pos, val, mod) and b instanceof Bounds::SemZeroBound
+  }
+
+  /**
+   * Holds if `e` is equal to `b + val` modulo `mod`.
+   *
+   * There are two cases for the modulus:
+   * - `mod = 0`: The equality `e = b + val` is an ordinary equality.
+   * - `mod > 1`: `val` lies within the range `[0 .. mod-1]`.
+   */
+  cached
+  predicate semExprModulus(SemExpr e, Bounds::SemBound b, int val, int mod) {
+    not ignoreExprModulus(e) and
+    (
+      e = b.getExpr(D::fromInt(val)) and mod = 0
+      or
+      evenlyDivisibleExpr(e, mod) and
+      val = 0 and
+      b instanceof Bounds::SemZeroBound
+      or
+      exists(SemSsaVariable v, SemSsaReadPositionBlock bb |
+        ssaModulus(v, bb, b, val, mod) and
+        e = v.getAUse() and
+        bb.getAnExpr() = e
+      )
+      or
+      exists(SemExpr mid, int val0, int delta |
+        semExprModulus(mid, b, val0, mod) and
+        U::semValueFlowStep(e, mid, D::fromInt(delta)) and
+        val = remainder(val0 + delta, mod)
+      )
+      or
+      exists(SemConditionalExpr cond, int v1, int v2, int m1, int m2 |
+        cond = e and
+        condExprBranchModulus(cond, true, b, v1, m1) and
+        condExprBranchModulus(cond, false, b, v2, m2) and
+        mod = m1.gcd(m2).gcd(v1 - v2) and
+        mod != 1 and
+        val = remainder(v1, mod)
+      )
+      or
+      exists(Bounds::SemBound b1, Bounds::SemBound b2, int v1, int v2, int m1, int m2 |
+        addModulus(e, true, b1, v1, m1) and
+        addModulus(e, false, b2, v2, m2) and
+        mod = m1.gcd(m2) and
+        mod != 1 and
+        val = remainder(v1 + v2, mod)
+      |
+        b = b1 and b2 instanceof Bounds::SemZeroBound
+        or
+        b = b2 and b1 instanceof Bounds::SemZeroBound
+      )
+      or
+      exists(int v1, int v2, int m1, int m2 |
+        subModulus(e, true, b, v1, m1) and
+        subModulus(e, false, any(Bounds::SemZeroBound zb), v2, m2) and
+        mod = m1.gcd(m2) and
+        mod != 1 and
+        val = remainder(v1 - v2, mod)
+      )
+    )
+  }
+
+  private predicate condExprBranchModulus(
+    SemConditionalExpr cond, boolean branch, Bounds::SemBound b, int val, int mod
+  ) {
+    semExprModulus(cond.getBranchExpr(branch), b, val, mod)
+  }
+
+  private predicate addModulus(SemExpr add, boolean isLeft, Bounds::SemBound b, int val, int mod) {
+    exists(SemExpr larg, SemExpr rarg | nonConstAddition(add, larg, rarg) |
+      semExprModulus(larg, b, val, mod) and isLeft = true
+      or
+      semExprModulus(rarg, b, val, mod) and isLeft = false
+    )
+  }
+
+  private predicate subModulus(SemExpr sub, boolean isLeft, Bounds::SemBound b, int val, int mod) {
+    exists(SemExpr larg, SemExpr rarg | nonConstSubtraction(sub, larg, rarg) |
+      semExprModulus(larg, b, val, mod) and isLeft = true
+      or
+      semExprModulus(rarg, b, val, mod) and isLeft = false
+    )
+  }
+}

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/ModulusAnalysisSpecific.qll

@@ -0,0 +1,8 @@
+/**
+ * C++-specific implementation of modulus analysis.
+ */
+module Private {
+  private import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
+
+  predicate ignoreExprModulus(SemExpr e) { none() }
+}

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisConstantSpecific.qll

@@ -3,11 +3,18 @@
  */
 
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
+private import RangeAnalysisStage
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.FloatDelta
-private import RangeAnalysisImpl
-private import codeql.rangeanalysis.RangeAnalysis
 
-module CppLangImplConstant implements LangSig<Sem, FloatDelta> {
+module CppLangImplConstant implements LangSig<FloatDelta> {
+  /**
+   * Holds if the specified expression should be excluded from the result of `ssaRead()`.
+   *
+   * This predicate is to keep the results identical to the original Java implementation. It should be
+   * removed once we have the new implementation matching the old results exactly.
+   */
+  predicate ignoreSsaReadCopy(SemExpr e) { none() }
+
   /**
    * Ignore the bound on this expression.
    *
@@ -16,13 +23,70 @@ module CppLangImplConstant implements LangSig<Sem, FloatDelta> {
    */
   predicate ignoreExprBound(SemExpr e) { none() }
 
+  /**
+   * Ignore any inferred zero lower bound on this expression.
+   *
+   * This predicate is to keep the results identical to the original Java implementation. It should be
+   * removed once we have the new implementation matching the old results exactly.
+   */
+  predicate ignoreZeroLowerBound(SemExpr e) { none() }
+
+  /**
+   * Holds if the specified expression should be excluded from the result of `ssaRead()`.
+   *
+   * This predicate is to keep the results identical to the original Java implementation. It should be
+   * removed once we have the new implementation matching the old results exactly.
+   */
+  predicate ignoreSsaReadArithmeticExpr(SemExpr e) { none() }
+
+  /**
+   * Holds if the specified variable should be excluded from the result of `ssaRead()`.
+   *
+   * This predicate is to keep the results identical to the original Java implementation. It should be
+   * removed once we have the new implementation matching the old results exactly.
+   */
+  predicate ignoreSsaReadAssignment(SemSsaVariable v) { none() }
+
+  /**
+   * Adds additional results to `ssaRead()` that are specific to Java.
+   *
+   * This predicate handles propagation of offsets for post-increment and post-decrement expressions
+   * in exactly the same way as the old Java implementation. Once the new implementation matches the
+   * old one, we should remove this predicate and propagate deltas for all similar patterns, whether
+   * or not they come from a post-increment/decrement expression.
+   */
+  SemExpr specificSsaRead(SemSsaVariable v, float delta) { none() }
+
   /**
    * Holds if `e >= bound` (if `upper = false`) or `e <= bound` (if `upper = true`).
    */
   predicate hasConstantBound(SemExpr e, float bound, boolean upper) { none() }
 
   /**
-   * Holds if `e2 >= e1 + delta` (if `upper = false`) or `e2 <= e1 + delta` (if `upper = true`).
+   * Holds if `e >= bound + delta` (if `upper = false`) or `e <= bound + delta` (if `upper = true`).
    */
-  predicate additionalBoundFlowStep(SemExpr e2, SemExpr e1, float delta, boolean upper) { none() }
+  predicate hasBound(SemExpr e, SemExpr bound, float delta, boolean upper) { none() }
+
+  /**
+   * Holds if the value of `dest` is known to be `src + delta`.
+   */
+  predicate additionalValueFlowStep(SemExpr dest, SemExpr src, float delta) { none() }
+
+  /**
+   * Gets the type that range analysis should use to track the result of the specified expression,
+   * if a type other than the original type of the expression is to be used.
+   *
+   * This predicate is commonly used in languages that support immutable "boxed" types that are
+   * actually references but whose values can be tracked as the type contained in the box.
+   */
+  SemType getAlternateType(SemExpr e) { none() }
+
+  /**
+   * Gets the type that range analysis should use to track the result of the specified source
+   * variable, if a type other than the original type of the expression is to be used.
+   *
+   * This predicate is commonly used in languages that support immutable "boxed" types that are
+   * actually references but whose values can be tracked as the type contained in the box.
+   */
+  SemType getAlternateTypeForSsaVariable(SemSsaVariable var) { none() }
 }

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisImpl.qll

@@ -1,115 +1,13 @@
+private import RangeAnalysisStage
 private import RangeAnalysisConstantSpecific
 private import RangeAnalysisRelativeSpecific
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.FloatDelta
-private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticExpr
-private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticCFG
-private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticGuard
+private import RangeUtils
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticBound as SemanticBound
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticLocation
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticSSA
-private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticType as SemanticType
-private import SemanticType
-private import codeql.rangeanalysis.RangeAnalysis
-private import ConstantAnalysis as ConstantAnalysis
 
-module Sem implements Semantic {
-  class Expr = SemExpr;
-
-  class ConstantIntegerExpr = ConstantAnalysis::SemConstantIntegerExpr;
-
-  class BinaryExpr = SemBinaryExpr;
-
-  class AddExpr = SemAddExpr;
-
-  class SubExpr = SemSubExpr;
-
-  class MulExpr = SemMulExpr;
-
-  class DivExpr = SemDivExpr;
-
-  class RemExpr = SemRemExpr;
-
-  class BitAndExpr = SemBitAndExpr;
-
-  class BitOrExpr = SemBitOrExpr;
-
-  class ShiftLeftExpr = SemShiftLeftExpr;
-
-  class ShiftRightExpr = SemShiftRightExpr;
-
-  class ShiftRightUnsignedExpr = SemShiftRightUnsignedExpr;
-
-  class RelationalExpr = SemRelationalExpr;
-
-  class UnaryExpr = SemUnaryExpr;
-
-  class ConvertExpr = SemConvertExpr;
-
-  class BoxExpr = SemBoxExpr;
-
-  class UnboxExpr = SemUnboxExpr;
-
-  class NegateExpr = SemNegateExpr;
-
-  class PreIncExpr = SemAddOneExpr;
-
-  class PreDecExpr = SemSubOneExpr;
-
-  class PostIncExpr extends SemUnaryExpr {
-    PostIncExpr() { none() }
-  }
-
-  class PostDecExpr extends SemUnaryExpr {
-    PostDecExpr() { none() }
-  }
-
-  class CopyValueExpr extends SemUnaryExpr {
-    CopyValueExpr() { this instanceof SemCopyValueExpr or this instanceof SemStoreExpr }
-  }
-
-  class ConditionalExpr = SemConditionalExpr;
-
-  class BasicBlock = SemBasicBlock;
-
-  BasicBlock getABasicBlockSuccessor(BasicBlock bb) { result = bb.getASuccessor() }
-
-  int getBlockId1(BasicBlock bb) { result = bb.getUniqueId() }
-
-  class Guard = SemGuard;
-
-  predicate implies_v2 = semImplies_v2/4;
-
-  class Type = SemType;
-
-  class IntegerType = SemIntegerType;
-
-  class FloatingPointType = SemFloatingPointType;
-
-  class AddressType = SemAddressType;
-
-  SemType getExprType(SemExpr e) { result = e.getSemType() }
-
-  SemType getSsaType(SemSsaVariable var) { result = var.getType() }
-
-  class SsaVariable = SemSsaVariable;
-
-  class SsaPhiNode = SemSsaPhiNode;
-
-  class SsaExplicitUpdate = SemSsaExplicitUpdate;
-
-  predicate additionalValueFlowStep(SemExpr dest, SemExpr src, int delta) { none() }
-
-  predicate conversionCannotOverflow(Type fromType, Type toType) {
-    SemanticType::conversionCannotOverflow(fromType, toType)
-  }
-}
-
-module SignAnalysis implements SignAnalysisSig<Sem> {
-  private import SignAnalysisCommon as SA
-  import SA::SignAnalysis<FloatDelta>
-}
-
-module ConstantBounds implements BoundSig<SemLocation, Sem, FloatDelta> {
+module ConstantBounds implements BoundSig<FloatDelta> {
   class SemBound instanceof SemanticBound::SemBound {
     SemBound() {
       this instanceof SemanticBound::SemZeroBound
@@ -127,11 +25,11 @@ module ConstantBounds implements BoundSig<SemLocation, Sem, FloatDelta> {
   class SemZeroBound extends SemBound instanceof SemanticBound::SemZeroBound { }
 
   class SemSsaBound extends SemBound instanceof SemanticBound::SemSsaBound {
-    SemSsaVariable getVariable() { result = this.(SemanticBound::SemSsaBound).getAVariable() }
+    SemSsaVariable getAVariable() { result = this.(SemanticBound::SemSsaBound).getAVariable() }
   }
 }
 
-module RelativeBounds implements BoundSig<SemLocation, Sem, FloatDelta> {
+module RelativeBounds implements BoundSig<FloatDelta> {
   class SemBound instanceof SemanticBound::SemBound {
     SemBound() { not this instanceof SemanticBound::SemZeroBound }
 
@@ -145,40 +43,17 @@ module RelativeBounds implements BoundSig<SemLocation, Sem, FloatDelta> {
   class SemZeroBound extends SemBound instanceof SemanticBound::SemZeroBound { }
 
   class SemSsaBound extends SemBound instanceof SemanticBound::SemSsaBound {
-    SemSsaVariable getVariable() { result = this.(SemanticBound::SemSsaBound).getAVariable() }
+    SemSsaVariable getAVariable() { result = this.(SemanticBound::SemSsaBound).getAVariable() }
   }
 }
 
-module AllBounds implements BoundSig<SemLocation, Sem, FloatDelta> {
-  class SemBound instanceof SemanticBound::SemBound {
-    string toString() { result = super.toString() }
-
-    SemLocation getLocation() { result = super.getLocation() }
-
-    SemExpr getExpr(float delta) { result = super.getExpr(delta) }
-  }
-
-  class SemZeroBound extends SemBound instanceof SemanticBound::SemZeroBound { }
-
-  class SemSsaBound extends SemBound instanceof SemanticBound::SemSsaBound {
-    SemSsaVariable getVariable() { result = this.(SemanticBound::SemSsaBound).getAVariable() }
-  }
-}
-
-private module ModulusAnalysisInstantiated implements ModulusAnalysisSig<Sem> {
-  class ModBound = AllBounds::SemBound;
-
-  private import codeql.rangeanalysis.ModulusAnalysis as MA
-  import MA::ModulusAnalysis<SemLocation, Sem, FloatDelta, AllBounds>
-}
-
 module ConstantStage =
-  RangeStage<SemLocation, Sem, FloatDelta, ConstantBounds, FloatOverflow, CppLangImplConstant,
-    SignAnalysis, ModulusAnalysisInstantiated>;
+  RangeStage<FloatDelta, ConstantBounds, FloatOverflow, CppLangImplConstant,
+    RangeUtil<FloatDelta, CppLangImplConstant>>;
 
 module RelativeStage =
-  RangeStage<SemLocation, Sem, FloatDelta, RelativeBounds, FloatOverflow, CppLangImplRelative,
-    SignAnalysis, ModulusAnalysisInstantiated>;
+  RangeStage<FloatDelta, RelativeBounds, FloatOverflow, CppLangImplRelative,
+    RangeUtil<FloatDelta, CppLangImplRelative>>;
 
 private newtype TSemReason =
   TSemNoReason() or

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisRelativeSpecific.qll

@@ -3,12 +3,21 @@
  */
 
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
+private import RangeAnalysisStage
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.FloatDelta
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.IntDelta
 private import RangeAnalysisImpl
 private import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
-private import codeql.rangeanalysis.RangeAnalysis
 
-module CppLangImplRelative implements LangSig<Sem, FloatDelta> {
+module CppLangImplRelative implements LangSig<FloatDelta> {
+  /**
+   * Holds if the specified expression should be excluded from the result of `ssaRead()`.
+   *
+   * This predicate is to keep the results identical to the original Java implementation. It should be
+   * removed once we have the new implementation matching the old results exactly.
+   */
+  predicate ignoreSsaReadCopy(SemExpr e) { none() }
+
   /**
    * Ignore the bound on this expression.
    *
@@ -48,13 +57,70 @@ module CppLangImplRelative implements LangSig<Sem, FloatDelta> {
     t instanceof SemFloatingPointType and lb = -(1.0 / 0.0) and ub = 1.0 / 0.0
   }
 
+  /**
+   * Ignore any inferred zero lower bound on this expression.
+   *
+   * This predicate is to keep the results identical to the original Java implementation. It should be
+   * removed once we have the new implementation matching the old results exactly.
+   */
+  predicate ignoreZeroLowerBound(SemExpr e) { none() }
+
+  /**
+   * Holds if the specified expression should be excluded from the result of `ssaRead()`.
+   *
+   * This predicate is to keep the results identical to the original Java implementation. It should be
+   * removed once we have the new implementation matching the old results exactly.
+   */
+  predicate ignoreSsaReadArithmeticExpr(SemExpr e) { none() }
+
+  /**
+   * Holds if the specified variable should be excluded from the result of `ssaRead()`.
+   *
+   * This predicate is to keep the results identical to the original Java implementation. It should be
+   * removed once we have the new implementation matching the old results exactly.
+   */
+  predicate ignoreSsaReadAssignment(SemSsaVariable v) { none() }
+
+  /**
+   * Adds additional results to `ssaRead()` that are specific to Java.
+   *
+   * This predicate handles propagation of offsets for post-increment and post-decrement expressions
+   * in exactly the same way as the old Java implementation. Once the new implementation matches the
+   * old one, we should remove this predicate and propagate deltas for all similar patterns, whether
+   * or not they come from a post-increment/decrement expression.
+   */
+  SemExpr specificSsaRead(SemSsaVariable v, float delta) { none() }
+
   /**
    * Holds if `e >= bound` (if `upper = false`) or `e <= bound` (if `upper = true`).
    */
   predicate hasConstantBound(SemExpr e, float bound, boolean upper) { none() }
 
   /**
-   * Holds if `e2 >= e1 + delta` (if `upper = false`) or `e2 <= e1 + delta` (if `upper = true`).
+   * Holds if `e >= bound + delta` (if `upper = false`) or `e <= bound + delta` (if `upper = true`).
    */
-  predicate additionalBoundFlowStep(SemExpr e2, SemExpr e1, float delta, boolean upper) { none() }
+  predicate hasBound(SemExpr e, SemExpr bound, float delta, boolean upper) { none() }
+
+  /**
+   * Holds if the value of `dest` is known to be `src + delta`.
+   */
+  predicate additionalValueFlowStep(SemExpr dest, SemExpr src, float delta) { none() }
+
+  /**
+   * Gets the type that range analysis should use to track the result of the specified expression,
+   * if a type other than the original type of the expression is to be used.
+   *
+   * This predicate is commonly used in languages that support immutable "boxed" types that are
+   * actually references but whose values can be tracked as the type contained in the box.
+   */
+  SemType getAlternateType(SemExpr e) { none() }
+
+  /**
+   * Gets the type that range analysis should use to track the result of the specified source
+   * variable, if a type other than the original type of the expression is to be used.
+   *
+   * This predicate is commonly used in languages that support immutable "boxed" types that are
+   * actually references but whose values can be tracked as the type contained in the box.
+   */
+  SemType getAlternateTypeForSsaVariable(SemSsaVariable var) { none() }
 }

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeUtils.qll

@@ -0,0 +1,164 @@
+/**
+ * Provides utility predicates for range analysis.
+ */
+
+private import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
+private import RangeAnalysisRelativeSpecific
+private import RangeAnalysisStage as Range
+private import ConstantAnalysis
+
+module RangeUtil<Range::DeltaSig D, Range::LangSig<D> Lang> implements Range::UtilSig<D> {
+  /**
+   * Gets an expression that equals `v - d`.
+   */
+  SemExpr semSsaRead(SemSsaVariable v, D::Delta delta) {
+    // There are various language-specific extension points that can be removed once we no longer
+    // expect to match the original Java implementation's results exactly.
+    result = v.getAUse() and delta = D::fromInt(0)
+    or
+    exists(D::Delta d1, SemConstantIntegerExpr c |
+      result.(SemAddExpr).hasOperands(semSsaRead(v, d1), c) and
+      delta = D::fromFloat(D::toFloat(d1) - c.getIntValue()) and
+      not Lang::ignoreSsaReadArithmeticExpr(result)
+    )
+    or
+    exists(SemSubExpr sub, D::Delta d1, SemConstantIntegerExpr c |
+      result = sub and
+      sub.getLeftOperand() = semSsaRead(v, d1) and
+      sub.getRightOperand() = c and
+      delta = D::fromFloat(D::toFloat(d1) + c.getIntValue()) and
+      not Lang::ignoreSsaReadArithmeticExpr(result)
+    )
+    or
+    result = v.(SemSsaExplicitUpdate).getSourceExpr() and
+    delta = D::fromFloat(0) and
+    not Lang::ignoreSsaReadAssignment(v)
+    or
+    result = Lang::specificSsaRead(v, delta)
+    or
+    result.(SemCopyValueExpr).getOperand() = semSsaRead(v, delta) and
+    not Lang::ignoreSsaReadCopy(result)
+    or
+    result.(SemStoreExpr).getOperand() = semSsaRead(v, delta)
+  }
+
+  /**
+   * Gets a condition that tests whether `v` equals `e + delta`.
+   *
+   * If the condition evaluates to `testIsTrue`:
+   * - `isEq = true`  : `v == e + delta`
+   * - `isEq = false` : `v != e + delta`
+   */
+  pragma[nomagic]
+  SemGuard semEqFlowCond(
+    SemSsaVariable v, SemExpr e, D::Delta delta, boolean isEq, boolean testIsTrue
+  ) {
+    exists(boolean eqpolarity |
+      result.isEquality(semSsaRead(v, delta), e, eqpolarity) and
+      (testIsTrue = true or testIsTrue = false) and
+      eqpolarity.booleanXor(testIsTrue).booleanNot() = isEq
+    )
+    or
+    exists(boolean testIsTrue0 |
+      semImplies_v2(result, testIsTrue, semEqFlowCond(v, e, delta, isEq, testIsTrue0), testIsTrue0)
+    )
+  }
+
+  /**
+   * Holds if `v` is an `SsaExplicitUpdate` that equals `e + delta`.
+   */
+  predicate semSsaUpdateStep(SemSsaExplicitUpdate v, SemExpr e, D::Delta delta) {
+    exists(SemExpr defExpr | defExpr = v.getSourceExpr() |
+      defExpr.(SemCopyValueExpr).getOperand() = e and delta = D::fromFloat(0)
+      or
+      defExpr.(SemStoreExpr).getOperand() = e and delta = D::fromFloat(0)
+      or
+      defExpr.(SemAddOneExpr).getOperand() = e and delta = D::fromFloat(1)
+      or
+      defExpr.(SemSubOneExpr).getOperand() = e and delta = D::fromFloat(-1)
+      or
+      e = defExpr and
+      not (
+        defExpr instanceof SemCopyValueExpr or
+        defExpr instanceof SemStoreExpr or
+        defExpr instanceof SemAddOneExpr or
+        defExpr instanceof SemSubOneExpr
+      ) and
+      delta = D::fromFloat(0)
+    )
+  }
+
+  /**
+   * Holds if `e1 + delta` equals `e2`.
+   */
+  predicate semValueFlowStep(SemExpr e2, SemExpr e1, D::Delta delta) {
+    e2.(SemCopyValueExpr).getOperand() = e1 and delta = D::fromFloat(0)
+    or
+    e2.(SemStoreExpr).getOperand() = e1 and delta = D::fromFloat(0)
+    or
+    e2.(SemAddOneExpr).getOperand() = e1 and delta = D::fromFloat(1)
+    or
+    e2.(SemSubOneExpr).getOperand() = e1 and delta = D::fromFloat(-1)
+    or
+    Lang::additionalValueFlowStep(e2, e1, delta)
+    or
+    exists(SemExpr x | e2.(SemAddExpr).hasOperands(e1, x) |
+      D::fromInt(x.(SemConstantIntegerExpr).getIntValue()) = delta
+    )
+    or
+    exists(SemExpr x, SemSubExpr sub |
+      e2 = sub and
+      sub.getLeftOperand() = e1 and
+      sub.getRightOperand() = x
+    |
+      D::fromInt(-x.(SemConstantIntegerExpr).getIntValue()) = delta
+    )
+  }
+
+  /**
+   * Gets the type used to track the specified expression's range information.
+   *
+   * Usually, this just `e.getSemType()`, but the language can override this to track immutable boxed
+   * primitive types as the underlying primitive type.
+   */
+  SemType getTrackedType(SemExpr e) {
+    result = Lang::getAlternateType(e)
+    or
+    not exists(Lang::getAlternateType(e)) and result = e.getSemType()
+  }
+
+  /**
+   * Gets the type used to track the specified source variable's range information.
+   *
+   * Usually, this just `e.getType()`, but the language can override this to track immutable boxed
+   * primitive types as the underlying primitive type.
+   */
+  SemType getTrackedTypeForSsaVariable(SemSsaVariable var) {
+    result = Lang::getAlternateTypeForSsaVariable(var)
+    or
+    not exists(Lang::getAlternateTypeForSsaVariable(var)) and result = var.getType()
+  }
+}
+
+/**
+ * Holds if `rix` is the number of input edges to `phi`.
+ */
+predicate maxPhiInputRank(SemSsaPhiNode phi, int rix) {
+  rix = max(int r | rankedPhiInput(phi, _, _, r))
+}
+
+/**
+ * Holds if `inp` is an input to `phi` along `edge` and this input has index `r`
+ * in an arbitrary 1-based numbering of the input edges to `phi`.
+ */
+predicate rankedPhiInput(
+  SemSsaPhiNode phi, SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge, int r
+) {
+  edge.phiInput(phi, inp) and
+  edge =
+    rank[r](SemSsaReadPositionPhiInputEdge e |
+      e.phiInput(phi, _)
+    |
+      e order by e.getOrigBlock().getUniqueId()
+    )
+}

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/SignAnalysisCommon.qll

@@ -6,16 +6,14 @@
  * three-valued domain `{negative, zero, positive}`.
  */
 
-private import codeql.rangeanalysis.RangeAnalysis
-private import RangeAnalysisImpl
+private import RangeAnalysisStage
 private import SignAnalysisSpecific as Specific
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
 private import ConstantAnalysis
+private import RangeUtils
 private import Sign
 
-module SignAnalysis<DeltaSig D> {
-  private import codeql.rangeanalysis.internal.RangeUtils::MakeUtils<Sem, D>
-
+module SignAnalysis<DeltaSig D, UtilSig<D> Utils> {
   /**
    * An SSA definition for which the analysis can compute the sign.
    *
@@ -38,13 +36,13 @@ module SignAnalysis<DeltaSig D> {
 
   /** An SSA definition whose sign is determined by the sign of that definitions source expression. */
   private class ExplicitSignDef extends FlowSignDef instanceof SemSsaExplicitUpdate {
-    final override Sign getSign() { result = semExprSign(super.getDefiningExpr()) }
+    final override Sign getSign() { result = semExprSign(super.getSourceExpr()) }
   }
 
   /** An SSA Phi definition, whose sign is the union of the signs of its inputs. */
   private class PhiSignDef extends FlowSignDef instanceof SemSsaPhiNode {
     final override Sign getSign() {
-      exists(SemSsaVariable inp, SsaReadPositionPhiInputEdge edge |
+      exists(SemSsaVariable inp, SemSsaReadPositionPhiInputEdge edge |
         edge.phiInput(this, inp) and
         result = semSsaSign(inp, edge)
       )
@@ -147,7 +145,7 @@ module SignAnalysis<DeltaSig D> {
       not this instanceof ConstantSignExpr and
       (
         // Only track numeric types.
-        Sem::getExprType(this) instanceof SemNumericType
+        Utils::getTrackedType(this) instanceof SemNumericType
         or
         // Unless the language says to track this expression anyway.
         Specific::trackUnknownNonNumericExpr(this)
@@ -169,11 +167,11 @@ module SignAnalysis<DeltaSig D> {
     override Sign getSignRestriction() {
       // Propagate via SSA
       // Propagate the sign from the def of `v`, incorporating any inference from guards.
-      result = semSsaSign(v, any(SsaReadPositionBlock bb | bb.getBlock().getAnExpr() = this))
+      result = semSsaSign(v, any(SemSsaReadPositionBlock bb | bb.getAnExpr() = this))
       or
       // No block for this read. Just use the sign of the def.
       // REVIEW: How can this happen?
-      not exists(SsaReadPositionBlock bb | bb.getBlock().getAnExpr() = this) and
+      not exists(SemSsaReadPositionBlock bb | bb.getAnExpr() = this) and
       result = semSsaDefSign(v)
     }
   }
@@ -202,7 +200,7 @@ module SignAnalysis<DeltaSig D> {
 
   /** An expression of an unsigned type. */
   private class UnsignedExpr extends FlowSignExpr {
-    UnsignedExpr() { Sem::getExprType(this) instanceof SemUnsignedIntegerType }
+    UnsignedExpr() { Utils::getTrackedType(this) instanceof SemUnsignedIntegerType }
 
     override Sign getSignRestriction() {
       result = TPos() or
@@ -275,7 +273,7 @@ module SignAnalysis<DeltaSig D> {
     override SemUnboxExpr cast;
 
     UnboxSignExpr() {
-      exists(SemType fromType | fromType = Sem::getExprType(cast.getOperand()) |
+      exists(SemType fromType | fromType = Utils::getTrackedType(cast.getOperand()) |
         // Only numeric source types are handled here.
         fromType instanceof SemNumericType
       )
@@ -289,21 +287,21 @@ module SignAnalysis<DeltaSig D> {
    * to only include bounds for which we might determine a sign.
    */
   private predicate lowerBound(
-    SemExpr lowerbound, SemSsaVariable v, SsaReadPosition pos, boolean isStrict
+    SemExpr lowerbound, SemSsaVariable v, SemSsaReadPosition pos, boolean isStrict
   ) {
     exists(boolean testIsTrue, SemRelationalExpr comp |
       pos.hasReadOfVar(v) and
-      guardControlsSsaRead(semGetComparisonGuard(comp), pos, testIsTrue) and
+      semGuardControlsSsaRead(semGetComparisonGuard(comp), pos, testIsTrue) and
       not unknownSign(lowerbound)
     |
       testIsTrue = true and
       comp.getLesserOperand() = lowerbound and
-      comp.getGreaterOperand() = ssaRead(v, D::fromInt(0)) and
+      comp.getGreaterOperand() = Utils::semSsaRead(v, D::fromInt(0)) and
       (if comp.isStrict() then isStrict = true else isStrict = false)
       or
       testIsTrue = false and
       comp.getGreaterOperand() = lowerbound and
-      comp.getLesserOperand() = ssaRead(v, D::fromInt(0)) and
+      comp.getLesserOperand() = Utils::semSsaRead(v, D::fromInt(0)) and
       (if comp.isStrict() then isStrict = false else isStrict = true)
     )
   }
@@ -313,21 +311,21 @@ module SignAnalysis<DeltaSig D> {
    * to only include bounds for which we might determine a sign.
    */
   private predicate upperBound(
-    SemExpr upperbound, SemSsaVariable v, SsaReadPosition pos, boolean isStrict
+    SemExpr upperbound, SemSsaVariable v, SemSsaReadPosition pos, boolean isStrict
   ) {
     exists(boolean testIsTrue, SemRelationalExpr comp |
       pos.hasReadOfVar(v) and
-      guardControlsSsaRead(semGetComparisonGuard(comp), pos, testIsTrue) and
+      semGuardControlsSsaRead(semGetComparisonGuard(comp), pos, testIsTrue) and
       not unknownSign(upperbound)
     |
       testIsTrue = true and
       comp.getGreaterOperand() = upperbound and
-      comp.getLesserOperand() = ssaRead(v, D::fromInt(0)) and
+      comp.getLesserOperand() = Utils::semSsaRead(v, D::fromInt(0)) and
       (if comp.isStrict() then isStrict = true else isStrict = false)
       or
       testIsTrue = false and
       comp.getLesserOperand() = upperbound and
-      comp.getGreaterOperand() = ssaRead(v, D::fromInt(0)) and
+      comp.getGreaterOperand() = Utils::semSsaRead(v, D::fromInt(0)) and
       (if comp.isStrict() then isStrict = false else isStrict = true)
     )
   }
@@ -339,11 +337,11 @@ module SignAnalysis<DeltaSig D> {
    *  - `isEq = true` : `v = eqbound`
    *  - `isEq = false` : `v != eqbound`
    */
-  private predicate eqBound(SemExpr eqbound, SemSsaVariable v, SsaReadPosition pos, boolean isEq) {
+  private predicate eqBound(SemExpr eqbound, SemSsaVariable v, SemSsaReadPosition pos, boolean isEq) {
     exists(SemGuard guard, boolean testIsTrue, boolean polarity, SemExpr e |
       pos.hasReadOfVar(pragma[only_bind_into](v)) and
-      guardControlsSsaRead(guard, pragma[only_bind_into](pos), testIsTrue) and
-      e = ssaRead(pragma[only_bind_into](v), D::fromInt(0)) and
+      semGuardControlsSsaRead(guard, pragma[only_bind_into](pos), testIsTrue) and
+      e = Utils::semSsaRead(pragma[only_bind_into](v), D::fromInt(0)) and
       guard.isEquality(eqbound, e, polarity) and
       isEq = polarity.booleanXor(testIsTrue).booleanNot() and
       not unknownSign(eqbound)
@@ -354,7 +352,7 @@ module SignAnalysis<DeltaSig D> {
    * Holds if `bound` is a bound for `v` at `pos` that needs to be positive in
    * order for `v` to be positive.
    */
-  private predicate posBound(SemExpr bound, SemSsaVariable v, SsaReadPosition pos) {
+  private predicate posBound(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
     upperBound(bound, v, pos, _) or
     eqBound(bound, v, pos, true)
   }
@@ -363,7 +361,7 @@ module SignAnalysis<DeltaSig D> {
    * Holds if `bound` is a bound for `v` at `pos` that needs to be negative in
    * order for `v` to be negative.
    */
-  private predicate negBound(SemExpr bound, SemSsaVariable v, SsaReadPosition pos) {
+  private predicate negBound(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
     lowerBound(bound, v, pos, _) or
     eqBound(bound, v, pos, true)
   }
@@ -372,24 +370,24 @@ module SignAnalysis<DeltaSig D> {
    * Holds if `bound` is a bound for `v` at `pos` that can restrict whether `v`
    * can be zero.
    */
-  private predicate zeroBound(SemExpr bound, SemSsaVariable v, SsaReadPosition pos) {
+  private predicate zeroBound(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
     lowerBound(bound, v, pos, _) or
     upperBound(bound, v, pos, _) or
     eqBound(bound, v, pos, _)
   }
 
   /** Holds if `bound` allows `v` to be positive at `pos`. */
-  private predicate posBoundOk(SemExpr bound, SemSsaVariable v, SsaReadPosition pos) {
+  private predicate posBoundOk(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
     posBound(bound, v, pos) and TPos() = semExprSign(bound)
   }
 
   /** Holds if `bound` allows `v` to be negative at `pos`. */
-  private predicate negBoundOk(SemExpr bound, SemSsaVariable v, SsaReadPosition pos) {
+  private predicate negBoundOk(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
     negBound(bound, v, pos) and TNeg() = semExprSign(bound)
   }
 
   /** Holds if `bound` allows `v` to be zero at `pos`. */
-  private predicate zeroBoundOk(SemExpr bound, SemSsaVariable v, SsaReadPosition pos) {
+  private predicate zeroBoundOk(SemExpr bound, SemSsaVariable v, SemSsaReadPosition pos) {
     lowerBound(bound, v, pos, _) and TNeg() = semExprSign(bound)
     or
     lowerBound(bound, v, pos, false) and TZero() = semExprSign(bound)
@@ -407,7 +405,7 @@ module SignAnalysis<DeltaSig D> {
    * Holds if there is a bound that might restrict whether `v` has the sign `s`
    * at `pos`.
    */
-  private predicate hasGuard(SemSsaVariable v, SsaReadPosition pos, Sign s) {
+  private predicate hasGuard(SemSsaVariable v, SemSsaReadPosition pos, Sign s) {
     s = TPos() and posBound(_, v, pos)
     or
     s = TNeg() and negBound(_, v, pos)
@@ -420,7 +418,7 @@ module SignAnalysis<DeltaSig D> {
    * might be ruled out by a guard.
    */
   pragma[noinline]
-  private Sign guardedSsaSign(SemSsaVariable v, SsaReadPosition pos) {
+  private Sign guardedSsaSign(SemSsaVariable v, SemSsaReadPosition pos) {
     result = semSsaDefSign(v) and
     pos.hasReadOfVar(v) and
     hasGuard(v, pos, result)
@@ -431,7 +429,7 @@ module SignAnalysis<DeltaSig D> {
    * can rule it out.
    */
   pragma[noinline]
-  private Sign unguardedSsaSign(SemSsaVariable v, SsaReadPosition pos) {
+  private Sign unguardedSsaSign(SemSsaVariable v, SemSsaReadPosition pos) {
     result = semSsaDefSign(v) and
     pos.hasReadOfVar(v) and
     not hasGuard(v, pos, result)
@@ -442,7 +440,7 @@ module SignAnalysis<DeltaSig D> {
    * ruled out the sign but does not.
    * This does not check that the definition of `v` also allows the sign.
    */
-  private Sign guardedSsaSignOk(SemSsaVariable v, SsaReadPosition pos) {
+  private Sign guardedSsaSignOk(SemSsaVariable v, SemSsaReadPosition pos) {
     result = TPos() and
     forex(SemExpr bound | posBound(bound, v, pos) | posBoundOk(bound, v, pos))
     or
@@ -454,7 +452,7 @@ module SignAnalysis<DeltaSig D> {
   }
 
   /** Gets a possible sign for `v` at `pos`. */
-  private Sign semSsaSign(SemSsaVariable v, SsaReadPosition pos) {
+  private Sign semSsaSign(SemSsaVariable v, SemSsaReadPosition pos) {
     result = unguardedSsaSign(v, pos)
     or
     result = guardedSsaSign(v, pos) and
@@ -470,7 +468,7 @@ module SignAnalysis<DeltaSig D> {
   Sign semExprSign(SemExpr e) {
     exists(Sign s | s = e.(SignExpr).getSign() |
       if
-        Sem::getExprType(e) instanceof SemUnsignedIntegerType and
+        Utils::getTrackedType(e) instanceof SemUnsignedIntegerType and
         s = TNeg() and
         not Specific::ignoreTypeRestrictions(e)
       then result = TPos()
@@ -509,16 +507,4 @@ module SignAnalysis<DeltaSig D> {
     not semExprSign(e) = TPos() and
     not semExprSign(e) = TZero()
   }
-
-  /**
-   * Holds if `e` may have positive values. This does not rule out the
-   * possibility for negative values.
-   */
-  predicate semMayBePositive(SemExpr e) { semExprSign(e) = TPos() }
-
-  /**
-   * Holds if `e` may have negative values. This does not rule out the
-   * possibility for positive values.
-   */
-  predicate semMayBeNegative(SemExpr e) { semExprSign(e) = TNeg() }
 }

cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/InvalidPointerToDereference.qll

@@ -23,7 +23,9 @@
  * configuration (see `InvalidPointerToDerefConfig`).
  *
  * The dataflow traversal defines the set of sources as any dataflow node `n` such that there exists a pointer-arithmetic
- * instruction `pai` found by `AllocationToInvalidPointer.qll` and a `n.asInstruction() = pai`.
+ * instruction `pai` found by `AllocationToInvalidPointer.qll` and a `n.asInstruction() >= pai + deltaDerefSourceAndPai`.
+ * Here, `deltaDerefSourceAndPai` is the constant difference between the source we track for finding a dereference and the
+ * pointer-arithmetic instruction.
  *
  * The set of sinks is defined as any dataflow node `n` such that `addr <= n.asInstruction() + deltaDerefSinkAndDerefAddress`
  * for some address operand `addr` and constant difference `deltaDerefSinkAndDerefAddress`. Since an address operand is
@@ -35,8 +37,9 @@
  * `deltaDerefSinkAndDerefAddress >= 0`. The load attached to `*p` is the "operation". To ensure that the path makes
  * intuitive sense, we only pick operations that are control-flow reachable from the dereference sink.
  *
- * We use the `deltaDerefSinkAndDerefAddress` to compute how many elements the dereference is beyond the end position of
- * the allocation. This is done in the `operationIsOffBy` predicate (which is the only predicate exposed by this file).
+ * To compute how many elements the dereference is beyond the end position of the allocation, we sum the two deltas
+ * `deltaDerefSourceAndPai` and `deltaDerefSinkAndDerefAddress`. This is done in the `operationIsOffBy` predicate
+ * (which is the only predicate exposed by this file).
  *
  * Handling false positives:
  *
@@ -93,7 +96,7 @@ int invalidPointerToDereferenceFieldFlowBranchLimit() { result = 0 }
 private module InvalidPointerToDerefBarrier {
   private module BarrierConfig implements DataFlow::ConfigSig {
     additional predicate isSource(DataFlow::Node source, PointerArithmeticInstruction pai) {
-      invalidPointerToDerefSource(_, pai, _) and
+      invalidPointerToDerefSource(_, pai, _, _) and
       // source <= pai
       bounded2(source.asInstruction(), pai, any(int d | d <= 0))
     }
@@ -166,11 +169,11 @@ private module InvalidPointerToDerefBarrier {
  */
 private module InvalidPointerToDerefConfig implements DataFlow::StateConfigSig {
   class FlowState extends PointerArithmeticInstruction {
-    FlowState() { invalidPointerToDerefSource(_, this, _) }
+    FlowState() { invalidPointerToDerefSource(_, this, _, _) }
   }
 
   predicate isSource(DataFlow::Node source, FlowState pai) {
-    invalidPointerToDerefSource(_, pai, source)
+    invalidPointerToDerefSource(_, pai, source, _)
   }
 
   pragma[inline]
@@ -195,17 +198,24 @@ private import DataFlow::GlobalWithState<InvalidPointerToDerefConfig>
 
 /**
  * Holds if `allocSource` is dataflow node that represents an allocation that flows to the
- * left-hand side of the pointer-arithmetic instruction represented by `derefSource`.
+ * left-hand side of the pointer-arithmetic `pai`, and `derefSource <= pai + derefSourcePaiDelta`.
+ *
+ * For example, if `pai` is a pointer-arithmetic operation `p + size` in an expression such
+ * as `(p + size) + 1` and `derefSource` is the node representing `(p + size) + 1`. In this
+ * case `derefSourcePaiDelta` is 1.
  */
 private predicate invalidPointerToDerefSource(
-  DataFlow::Node allocSource, PointerArithmeticInstruction pai, DataFlow::Node derefSource
+  DataFlow::Node allocSource, PointerArithmeticInstruction pai, DataFlow::Node derefSource,
+  int deltaDerefSourceAndPai
 ) {
   // Note that `deltaDerefSourceAndPai` is not necessarily equal to `rhsSizeDelta`:
   // `rhsSizeDelta` is the constant offset added to the size of the allocation, and
   // `deltaDerefSourceAndPai` is the constant difference between the pointer-arithmetic instruction
   // and the instruction computing the address for which we will search for a dereference.
   AllocToInvalidPointer::pointerAddInstructionHasBounds(allocSource, pai, _, _) and
-  derefSource.asInstruction() = pai
+  // derefSource <= pai + deltaDerefSourceAndPai
+  bounded2(derefSource.asInstruction(), pai, deltaDerefSourceAndPai) and
+  deltaDerefSourceAndPai >= 0
 }
 
 /**
@@ -248,9 +258,11 @@ private Instruction getASuccessor(Instruction instr) {
   instr.getBlock().getASuccessor+() = result.getBlock()
 }
 
-private predicate paiForDereferenceSink(PointerArithmeticInstruction pai, DataFlow::Node derefSink) {
+private predicate paiForDereferenceSink(
+  PointerArithmeticInstruction pai, DataFlow::Node derefSink, int deltaDerefSourceAndPai
+) {
   exists(DataFlow::Node derefSource |
-    invalidPointerToDerefSource(_, pai, derefSource) and
+    invalidPointerToDerefSource(_, pai, derefSource, deltaDerefSourceAndPai) and
     flow(derefSource, derefSink)
   )
 }
@@ -262,10 +274,10 @@ private predicate paiForDereferenceSink(PointerArithmeticInstruction pai, DataFl
  */
 private predicate derefSinkToOperation(
   DataFlow::Node derefSink, PointerArithmeticInstruction pai, DataFlow::Node operation,
-  string description, int deltaDerefSinkAndDerefAddress
+  string description, int deltaDerefSourceAndPai, int deltaDerefSinkAndDerefAddress
 ) {
   exists(Instruction operationInstr, AddressOperand addr |
-    paiForDereferenceSink(pai, pragma[only_bind_into](derefSink)) and
+    paiForDereferenceSink(pai, pragma[only_bind_into](derefSink), deltaDerefSourceAndPai) and
     isInvalidPointerDerefSink(derefSink, addr, operationInstr, description,
       deltaDerefSinkAndDerefAddress) and
     operationInstr = getASuccessor(derefSink.asInstruction()) and
@@ -286,7 +298,11 @@ predicate operationIsOffBy(
   DataFlow::Node allocation, PointerArithmeticInstruction pai, DataFlow::Node derefSource,
   DataFlow::Node derefSink, string description, DataFlow::Node operation, int delta
 ) {
-  invalidPointerToDerefSource(allocation, pai, derefSource) and
-  flow(derefSource, derefSink) and
-  derefSinkToOperation(derefSink, pai, operation, description, delta)
+  exists(int deltaDerefSourceAndPai, int deltaDerefSinkAndDerefAddress |
+    invalidPointerToDerefSource(allocation, pai, derefSource, deltaDerefSourceAndPai) and
+    flow(derefSource, derefSink) and
+    derefSinkToOperation(derefSink, pai, operation, description, deltaDerefSourceAndPai,
+      deltaDerefSinkAndDerefAddress) and
+    delta = deltaDerefSourceAndPai + deltaDerefSinkAndDerefAddress
+  )
 }

cpp/ql/lib/semmle/code/cpp/valuenumbering/HashCons.qll

@@ -372,8 +372,7 @@ private predicate analyzablePointerFieldAccess(PointerFieldAccess access) {
 private predicate mk_PointerFieldAccess(HashCons qualifier, Field target, PointerFieldAccess access) {
   analyzablePointerFieldAccess(access) and
   target = access.getTarget() and
-  qualifier = hashCons(access.getQualifier().getFullyConverted()) and
-  not access instanceof ImplicitThisFieldAccess
+  qualifier = hashCons(access.getQualifier().getFullyConverted())
 }
 
 private predicate analyzableImplicitThisFieldAccess(ImplicitThisFieldAccess access) {

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -197,11 +197,6 @@ svnchurn(
  * C++ dbscheme
  */
 
-extractor_version(
-    string codeql_version: string ref,
-    string frontend_version: string ref
-)
-
 @location = @location_stmt | @location_expr | @location_default ;
 
 /**
@@ -617,14 +612,6 @@ case @builtintype.kind of
 | 51 = @char8_t
 | 52 = @float16               // _Float16
 | 53 = @complex_float16       // _Complex _Float16
-| 54 = @fp16                  // __fp16
-| 55 = @std_bfloat16          // __bf16
-| 56 = @std_float16           // std::float16_t
-| 57 = @complex_std_float32   // _Complex _Float32
-| 58 = @complex_float32x      // _Complex _Float32x
-| 59 = @complex_std_float64   // _Complex _Float64
-| 60 = @complex_float64x      // _Complex _Float64x
-| 61 = @complex_std_float128  // _Complex _Float128
 ;
 
 builtintypes(
@@ -1334,16 +1321,11 @@ funbind(
                      | @assignxorexpr
                      | @assignlshiftexpr
                      | @assignrshiftexpr
-                     ;
-
-@assign_pointer_expr = @assignpaddexpr
+                     | @assignpaddexpr
                      | @assignpsubexpr
                      ;
 
-@assign_op_expr = @assign_arith_expr
-                | @assign_bitwise_expr
-                | @assign_pointer_expr
-                ;
+@assign_op_expr = @assign_arith_expr | @assign_bitwise_expr
 
 @assign_expr = @assignexpr | @assign_op_expr | @blockassignexpr
 

cpp/ql/lib/upgrades/5b388693c66db1e7dc2e76a90aa67a2b6eb74f0f/upgrade.properties

@@ -1,2 +0,0 @@
-description: Introduce extractor version numbers
-compatibility: full

cpp/ql/lib/upgrades/dbe9c8eb5fc6f54b7ae08c7317d0795b24961564/upgrade.properties

@@ -1,2 +0,0 @@
-description: Introduce new floating-point types from C23 and C++23
-compatibility: full

cpp/ql/lib/upgrades/f79ce79e3b751aeeed59e594633ba5c07a27ef3e/upgrade.properties

@@ -1,2 +0,0 @@
-description: Removed @assignpaddexpr and @assignpsubexpr from @assign_bitwise_expr
-compatibility: full

cpp/ql/src/CHANGELOG.md

@@ -1,15 +1,3 @@
-## 0.8.2
-
-No user-facing changes.
-
-## 0.8.1
-
-### New Queries
-
-* The query `cpp/redundant-null-check-simple` has been promoted to Code Scanning. The query finds cases where a pointer is compared to null after it has already been dereferenced. Such comparisons likely indicate a bug at the place where the pointer is dereferenced, or where the pointer is compared to null.
-
-  Note: This query was incorrectly noted as being promoted to Code Scanning in CodeQL version 2.14.6.
-
 ## 0.8.0
 
 ### Query Metadata Changes

cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql

@@ -27,26 +27,16 @@ class ReturnStackAllocatedMemoryConfig extends MustFlowConfiguration {
   ReturnStackAllocatedMemoryConfig() { this = "ReturnStackAllocatedMemoryConfig" }
 
   override predicate isSource(Instruction source) {
-    exists(Function func |
+    // Holds if `source` is a node that represents the use of a stack variable
+    exists(VariableAddressInstruction var, Function func |
+      var = source and
+      func = source.getEnclosingFunction() and
+      var.getAstVariable() instanceof StackVariable and
+      // Pointer-to-member types aren't properly handled in the dbscheme.
+      not var.getResultType() instanceof PointerToMemberType and
       // Rule out FPs caused by extraction errors.
       not any(ErrorExpr e).getEnclosingFunction() = func and
-      not intentionallyReturnsStackPointer(func) and
-      func = source.getEnclosingFunction()
-    |
-      // `source` is an instruction that represents the use of a stack variable
-      exists(VariableAddressInstruction var |
-        var = source and
-        var.getAstVariable() instanceof StackVariable and
-        // Pointer-to-member types aren't properly handled in the dbscheme.
-        not var.getResultType() instanceof PointerToMemberType
-      )
-      or
-      // `source` is an instruction that represents the return value of a
-      // function that is known to return stack-allocated memory.
-      exists(Call call |
-        call.getTarget().hasGlobalName(["alloca", "strdupa", "strndupa", "_alloca", "_malloca"]) and
-        source.getUnconvertedResultExpression() = call
-      )
+      not intentionallyReturnsStackPointer(func)
     )
   }
 
@@ -95,10 +85,10 @@ class ReturnStackAllocatedMemoryConfig extends MustFlowConfiguration {
 }
 
 from
-  MustFlowPathNode source, MustFlowPathNode sink, Instruction instr,
+  MustFlowPathNode source, MustFlowPathNode sink, VariableAddressInstruction var,
   ReturnStackAllocatedMemoryConfig conf
 where
   conf.hasFlowPath(pragma[only_bind_into](source), pragma[only_bind_into](sink)) and
-  source.getInstruction() = instr
+  source.getInstruction() = var
 select sink.getInstruction(), source, sink, "May return stack-allocated memory from $@.",
-  instr.getAst(), instr.getAst().toString()
+  var.getAst(), var.getAst().toString()

cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql

@@ -13,8 +13,7 @@
  */
 
 import cpp
-import semmle.code.cpp.ir.IR
-import semmle.code.cpp.ir.dataflow.MustFlow
+import semmle.code.cpp.controlflow.StackVariableReachability
 
 /**
  * Auxiliary predicate: Types that don't require initialization
@@ -34,6 +33,31 @@ predicate allocatedType(Type t) {
   allocatedType(t.getUnspecifiedType())
 }
 
+/**
+ * A declaration of a local variable that leaves the
+ * variable uninitialized.
+ */
+DeclStmt declWithNoInit(LocalVariable v) {
+  result.getADeclaration() = v and
+  not exists(v.getInitializer()) and
+  /* The type of the variable is not stack-allocated. */
+  exists(Type t | t = v.getType() | not allocatedType(t))
+}
+
+class UninitialisedLocalReachability extends StackVariableReachability {
+  UninitialisedLocalReachability() { this = "UninitialisedLocal" }
+
+  override predicate isSource(ControlFlowNode node, StackVariable v) { node = declWithNoInit(v) }
+
+  override predicate isSink(ControlFlowNode node, StackVariable v) { useOfVarActual(v, node) }
+
+  override predicate isBarrier(ControlFlowNode node, StackVariable v) {
+    // only report the _first_ possibly uninitialized use
+    useOfVarActual(v, node) or
+    definitionBarrier(v, node)
+  }
+}
+
 pragma[noinline]
 predicate containsInlineAssembly(Function f) { exists(AsmStmt s | s.getEnclosingFunction() = f) }
 
@@ -58,33 +82,8 @@ VariableAccess commonException() {
   containsInlineAssembly(result.getEnclosingFunction())
 }
 
-predicate isSinkImpl(Instruction sink, VariableAccess va) {
-  exists(LoadInstruction load |
-    va = load.getUnconvertedResultExpression() and
-    not va = commonException() and
-    sink = load.getSourceValue()
-  )
-}
-
-class MustFlow extends MustFlowConfiguration {
-  MustFlow() { this = "MustFlow" }
-
-  override predicate isSource(Instruction source) {
-    source instanceof UninitializedInstruction and
-    exists(Type t | t = source.getResultType() | not allocatedType(t))
-  }
-
-  override predicate isSink(Operand sink) { isSinkImpl(sink.getDef(), _) }
-
-  override predicate allowInterproceduralFlow() { none() }
-
-  override predicate isBarrier(Instruction instr) { instr instanceof ChiInstruction }
-}
-
-from
-  VariableAccess va, LocalVariable v, MustFlow conf, MustFlowPathNode source, MustFlowPathNode sink
+from UninitialisedLocalReachability r, LocalVariable v, VariableAccess va
 where
-  conf.hasFlowPath(source, sink) and
-  isSinkImpl(sink.getInstruction(), va) and
-  v = va.getTarget()
+  r.reaches(_, v, va) and
+  not va = commonException()
 select va, "The variable $@ may not be initialized at this access.", v, v.getName()

cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql

@@ -14,47 +14,25 @@
 
 import cpp
 import semmle.code.cpp.security.Security
-import semmle.code.cpp.security.FlowSources
-import semmle.code.cpp.ir.dataflow.TaintTracking
-import semmle.code.cpp.ir.IR
-import Flow::PathGraph
+import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl
+import TaintedWithPath
 
-predicate isProcessOperationExplanation(DataFlow::Node arg, string processOperation) {
+predicate isProcessOperationExplanation(Expr arg, string processOperation) {
   exists(int processOperationArg, FunctionCall call |
     isProcessOperationArgument(processOperation, processOperationArg) and
     call.getTarget().getName() = processOperation and
-    call.getArgument(processOperationArg) = [arg.asExpr(), arg.asIndirectExpr()]
+    call.getArgument(processOperationArg) = arg
   )
 }
 
-predicate isSource(FlowSource source, string sourceType) {
-  not source instanceof DataFlow::ExprNode and
-  sourceType = source.getSourceType()
+class Configuration extends TaintTrackingConfiguration {
+  override predicate isSink(Element arg) { isProcessOperationExplanation(arg, _) }
 }
 
-module Config implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node node) { isSource(node, _) }
-
-  predicate isSink(DataFlow::Node node) { isProcessOperationExplanation(node, _) }
-
-  predicate isBarrier(DataFlow::Node node) {
-    isSink(node) and node.asExpr().getUnspecifiedType() instanceof ArithmeticType
-    or
-    node.asInstruction().(StoreInstruction).getResultType() instanceof ArithmeticType
-  }
-}
-
-module Flow = TaintTracking::Global<Config>;
-
-from
-  string processOperation, string sourceType, DataFlow::Node source, DataFlow::Node sink,
-  Flow::PathNode sourceNode, Flow::PathNode sinkNode
+from string processOperation, Expr arg, Expr source, PathNode sourceNode, PathNode sinkNode
 where
-  source = sourceNode.getNode() and
-  sink = sinkNode.getNode() and
-  isSource(source, sourceType) and
-  isProcessOperationExplanation(sink, processOperation) and
-  Flow::flowPath(sourceNode, sinkNode)
-select sink, sourceNode, sinkNode,
+  isProcessOperationExplanation(arg, processOperation) and
+  taintedWithPath(source, arg, sourceNode, sinkNode)
+select arg, sourceNode, sinkNode,
   "The value of this argument may come from $@ and is being passed to " + processOperation + ".",
-  source, sourceType
+  source, source.toString()

cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql

@@ -15,10 +15,9 @@
  */
 
 import semmle.code.cpp.security.BufferWrite
-import semmle.code.cpp.security.FlowSources as FS
-import semmle.code.cpp.dataflow.new.TaintTracking
-import semmle.code.cpp.controlflow.IRGuards
-import Flow::PathGraph
+import semmle.code.cpp.security.Security
+import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl
+import TaintedWithPath
 
 /*
  * --- Summary of CWE-120 alerts ---
@@ -48,54 +47,38 @@ predicate isUnboundedWrite(BufferWrite bw) {
   not exists(bw.getMaxData(_)) // and we can't deduce an upper bound to the amount copied
 }
 
+/*
+ * predicate isMaybeUnboundedWrite(BufferWrite bw)
+ * {
+ *   not bw.hasExplicitLimit()                           // has no explicit size limit
+ *   and exists(bw.getMaxData())                         // and we can deduce an upper bound to the amount copied
+ *   and (not exists(getBufferSize(bw.getDest(), _)))    // but we can't work out the size of the destination to be sure
+ * }
+ */
+
 /**
  * Holds if `e` is a source buffer going into an unbounded write `bw` or a
  * qualifier of (a qualifier of ...) such a source.
  */
-predicate unboundedWriteSource(Expr e, BufferWrite bw, boolean qualifier) {
-  isUnboundedWrite(bw) and e = bw.getASource() and qualifier = false
+predicate unboundedWriteSource(Expr e, BufferWrite bw) {
+  isUnboundedWrite(bw) and e = bw.getASource()
   or
-  exists(FieldAccess fa | unboundedWriteSource(fa, bw, _) and e = fa.getQualifier()) and
-  qualifier = true
+  exists(FieldAccess fa | unboundedWriteSource(fa, bw) and e = fa.getQualifier())
 }
 
-predicate isSource(FS::FlowSource source, string sourceType) { source.getSourceType() = sourceType }
+/*
+ * --- user input reach ---
+ */
 
-predicate isSink(DataFlow::Node sink, BufferWrite bw, boolean qualifier) {
-  unboundedWriteSource(sink.asIndirectExpr(), bw, qualifier)
-  or
-  // `gets` and `scanf` reads from stdin so there's no real input.
-  // The `BufferWrite` library models this as the call itself being
-  // the source. In this case we mark the output argument as being
-  // the sink so that we report a path where source = sink (because
-  // the same output argument is also included in `isSource`).
-  bw.getASource() = bw and
-  unboundedWriteSource(sink.asDefiningArgument(), bw, qualifier)
+class Configuration extends TaintTrackingConfiguration {
+  override predicate isSink(Element tainted) { unboundedWriteSource(tainted, _) }
+
+  override predicate taintThroughGlobals() { any() }
 }
 
-predicate lessThanOrEqual(IRGuardCondition g, Expr e, boolean branch) {
-  exists(Operand left |
-    g.comparesLt(left, _, _, true, branch) or
-    g.comparesEq(left, _, _, true, branch)
-  |
-    left.getDef().getUnconvertedResultExpression() = e
-  )
-}
-
-module Config implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { isSource(source, _) }
-
-  predicate isSink(DataFlow::Node sink) { isSink(sink, _, _) }
-
-  predicate isBarrierOut(DataFlow::Node node) { isSink(node, _, false) }
-
-  predicate isBarrier(DataFlow::Node node) {
-    // Block flow if the node is guarded by any <, <= or = operations.
-    node = DataFlow::BarrierGuard<lessThanOrEqual/3>::getABarrierNode()
-  }
-}
-
-module Flow = TaintTracking::Global<Config>;
+/*
+ * --- put it together ---
+ */
 
 /*
  * An unbounded write is, for example `strcpy(..., tainted)`. We're looking
@@ -104,20 +87,17 @@ module Flow = TaintTracking::Global<Config>;
  *
  * In the case of `gets` and `scanf`, where the source buffer is implicit, the
  * `BufferWrite` library reports the source buffer to be the same as the
- * destination buffer. So to report an alert on a pattern like:
- * ```
- * char s[32];
- * gets(s);
- * ```
- * we define the sink as the node corresponding to the output argument of `gets`.
- * This gives us a path where the source is equal to the sink.
+ * destination buffer. Since those destination-buffer arguments are also
+ * modeled in the taint-tracking library as being _sources_ of taint, they are
+ * in practice reported as being tainted because the `security.TaintTracking`
+ * library does not distinguish between taint going into an argument and out of
+ * an argument. Thus, we get the desired alerts.
  */
 
-from BufferWrite bw, Flow::PathNode source, Flow::PathNode sink, string sourceType
+from BufferWrite bw, Expr inputSource, Expr tainted, PathNode sourceNode, PathNode sinkNode
 where
-  Flow::flowPath(source, sink) and
-  isSource(source.getNode(), sourceType) and
-  isSink(sink.getNode(), bw, _)
-select bw, source, sink,
-  "This '" + bw.getBWDesc() + "' with input from $@ may overflow the destination.",
-  source.getNode(), sourceType
+  taintedWithPath(inputSource, tainted, sourceNode, sinkNode) and
+  unboundedWriteSource(tainted, bw)
+select bw, sourceNode, sinkNode,
+  "This '" + bw.getBWDesc() + "' with input from $@ may overflow the destination.", inputSource,
+  inputSource.toString()

cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.c

@@ -0,0 +1,24 @@
+#include <stdio.h>
+
+char *copy;
+
+void copyArgv(char **argv) {
+	copy = argv[1];
+}
+
+void printWrapper(char *str) {
+	printf(str);
+}
+
+int main(int argc, char **argv) {
+	copyArgv(argv);
+
+	// This should be avoided
+	printf(copy);
+
+	// This should be avoided too, because it has the same effect
+	printWrapper(copy);
+
+	// This is fine
+	printf("%s", copy);
+}

cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.qhelp

@@ -0,0 +1,36 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>The program uses input from the user, propagated via a global variable, as a format string for <code>printf</code> style functions. 
+This can lead to buffer overflows or data representation problems. An attacker can exploit this weakness to crash the program, 
+disclose information or even execute arbitrary code.</p>
+
+<p>This rule only identifies inputs from the user that are transferred through global variables before being used in <code>printf</code> style functions.
+Analyzing the flow of data through global variables is more prone to errors and so this rule may identify some examples of code where 
+the input is not really from the user. For example, when a global variable is set in two places, one that comes from the user and one that does not.
+In this case we would mark all usages of the global variable as input from the user, but the input from the user may always came after the call to the
+<code>printf</code> style functions.</p>
+
+<p>The results of this rule should be considered alongside the related rule "Uncontrolled format string" which tracks the flow of the 
+values input by a user, excluding global variables, until the values are used as the format argument for a <code>printf</code> like function call.</p>
+
+</overview>
+<recommendation>
+<p>Use constant expressions as the format strings. If you need to print a value from the user, use <code>printf("%s", value_from_user)</code>.</p>
+
+</recommendation>
+<example>
+<sample src="UncontrolledFormatStringThroughGlobalVar.c" />
+
+</example>
+<references>
+
+<li>CERT C Coding
+Standard: <a href="https://www.securecoding.cert.org/confluence/display/c/FIO30-C.+Exclude+user+input+from+format+strings">FIO30-C. Exclude
+user input from format strings</a>.</li>
+
+
+</references>
+</qhelp>

cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql

@@ -0,0 +1,40 @@
+/**
+ * @name Uncontrolled format string (through global variable)
+ * @description Using externally-controlled format strings in
+ *              printf-style functions can lead to buffer overflows
+ *              or data representation problems.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 9.3
+ * @precision high
+ * @id cpp/tainted-format-string-through-global
+ * @tags reliability
+ *       security
+ *       external/cwe/cwe-134
+ */
+
+import cpp
+import semmle.code.cpp.security.FunctionWithWrappers
+import semmle.code.cpp.security.Security
+import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl
+import TaintedWithPath
+
+class Configuration extends TaintTrackingConfiguration {
+  override predicate isSink(Element tainted) {
+    exists(PrintfLikeFunction printf | printf.outermostWrapperFunctionCall(tainted, _))
+  }
+
+  override predicate taintThroughGlobals() { any() }
+}
+
+from
+  PrintfLikeFunction printf, Expr arg, PathNode sourceNode, PathNode sinkNode,
+  string printfFunction, Expr userValue, string cause
+where
+  printf.outermostWrapperFunctionCall(arg, printfFunction) and
+  not taintedWithoutGlobals(arg) and
+  taintedWithPath(userValue, arg, sourceNode, sinkNode) and
+  isUserInput(userValue, cause)
+select arg, sourceNode, sinkNode,
+  "The value of this argument may come from $@ and is being used as a formatting argument to " +
+    printfFunction + ".", userValue, cause

cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql

@@ -14,13 +14,10 @@
 
 import cpp
 import semmle.code.cpp.security.Overflow
-import semmle.code.cpp.dataflow.new.TaintTracking
-import semmle.code.cpp.dataflow.new.DataFlow
-import semmle.code.cpp.ir.IR
-import semmle.code.cpp.controlflow.IRGuards as IRGuards
-import semmle.code.cpp.security.FlowSources as FS
+import semmle.code.cpp.security.Security
+import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl
+import TaintedWithPath
 import Bounded
-import Flow::PathGraph
 
 bindingset[op]
 predicate missingGuard(Operation op, Expr e, string effect) {
@@ -31,90 +28,28 @@ predicate missingGuard(Operation op, Expr e, string effect) {
   not e instanceof VariableAccess and effect = "overflow"
 }
 
-predicate isSource(FS::FlowSource source, string sourceType) { sourceType = source.getSourceType() }
-
-predicate isSink(DataFlow::Node sink, Operation op, Expr e) {
-  e = sink.asExpr() and
-  missingGuard(op, e, _) and
-  op.getAnOperand() = e and
-  (
-    op instanceof UnaryArithmeticOperation or
-    op instanceof BinaryArithmeticOperation or
-    op instanceof AssignArithmeticOperation
-  )
-}
-
-predicate hasUpperBoundsCheck(Variable var) {
-  exists(RelationalOperation oper, VariableAccess access |
-    oper.getAnOperand() = access and
-    access.getTarget() = var and
-    // Comparing to 0 is not an upper bound check
-    not oper.getAnOperand().getValue() = "0"
-  )
-}
-
-predicate constantInstruction(Instruction instr) {
-  instr instanceof ConstantInstruction or
-  constantInstruction(instr.(UnaryInstruction).getUnary())
-}
-
-predicate readsVariable(LoadInstruction load, Variable var) {
-  load.getSourceAddress().(VariableAddressInstruction).getAstVariable() = var
-}
-
-predicate nodeIsBarrierEqualityCandidate(DataFlow::Node node, Operand access, Variable checkedVar) {
-  exists(Instruction instr | instr = node.asInstruction() |
-    readsVariable(instr, checkedVar) and
-    any(IRGuards::IRGuardCondition guard).ensuresEq(access, _, _, instr.getBlock(), true)
-  )
-}
-
-module Config implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { isSource(source, _) }
-
-  predicate isSink(DataFlow::Node sink) { isSink(sink, _, _) }
-
-  predicate isBarrier(DataFlow::Node node) {
-    exists(StoreInstruction store | store = node.asInstruction() |
-      // Block flow to "likely small expressions"
-      bounded(store.getSourceValue().getUnconvertedResultExpression())
-      or
-      // Block flow to "small types"
-      store.getResultType().getUnspecifiedType().(IntegralType).getSize() <= 1
-    )
-    or
-    // Block flow if there's an upper bound check of the variable anywhere in the program
-    exists(Variable checkedVar, Instruction instr | instr = node.asInstruction() |
-      readsVariable(instr, checkedVar) and
-      hasUpperBoundsCheck(checkedVar)
-    )
-    or
-    // Block flow if the node is guarded by an equality check
-    exists(Variable checkedVar, Operand access |
-      nodeIsBarrierEqualityCandidate(node, access, checkedVar) and
-      readsVariable(access.getDef(), checkedVar)
-    )
-    or
-    // Block flow to any binary instruction whose operands are both non-constants.
-    exists(BinaryInstruction iTo |
-      iTo = node.asInstruction() and
-      not constantInstruction(iTo.getLeft()) and
-      not constantInstruction(iTo.getRight()) and
-      // propagate taint from either the pointer or the offset, regardless of constantness
-      not iTo instanceof PointerArithmeticInstruction
+class Configuration extends TaintTrackingConfiguration {
+  override predicate isSink(Element e) {
+    exists(Operation op |
+      missingGuard(op, e, _) and
+      op.getAnOperand() = e
+    |
+      op instanceof UnaryArithmeticOperation or
+      op instanceof BinaryArithmeticOperation or
+      op instanceof AssignArithmeticOperation
     )
   }
+
+  override predicate isBarrier(Expr e) {
+    super.isBarrier(e) or bounded(e) or e.getUnspecifiedType().(IntegralType).getSize() <= 1
+  }
 }
 
-module Flow = TaintTracking::Global<Config>;
-
-from
-  Expr e, string effect, Flow::PathNode source, Flow::PathNode sink, Operation op, string sourceType
+from Expr origin, Expr e, string effect, PathNode sourceNode, PathNode sinkNode, Operation op
 where
-  Flow::flowPath(source, sink) and
-  isSource(source.getNode(), sourceType) and
-  isSink(sink.getNode(), op, e) and
+  taintedWithPath(origin, e, sourceNode, sinkNode) and
+  op.getAnOperand() = e and
   missingGuard(op, e, effect)
-select e, source, sink,
+select e, sourceNode, sinkNode,
   "$@ flows to an operand of an arithmetic expression, potentially causing an " + effect + ".",
-  source, sourceType
+  origin, "User-provided value"

cpp/ql/src/Security/CWE/CWE-193/InvalidPointerDeref.ql

@@ -8,6 +8,7 @@
  * @id cpp/invalid-pointer-deref
  * @tags reliability
  *       security
+ *       experimental
  *       external/cwe/cwe-119
  *       external/cwe/cwe-125
  *       external/cwe/cwe-193

cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql

@@ -15,7 +15,6 @@
 import cpp
 import semmle.code.cpp.ir.dataflow.TaintTracking
 import semmle.code.cpp.models.interfaces.FlowSource
-import semmle.code.cpp.models.implementations.Memset
 import ExposedSystemData::PathGraph
 import SystemData
 
@@ -29,10 +28,6 @@ module ExposedSystemDataConfig implements DataFlow::ConfigSig {
       fc.getArgument(arg).getAChild*() = sink.asIndirectExpr()
     )
   }
-
-  predicate isBarrier(DataFlow::Node node) {
-    node.asIndirectArgument() = any(MemsetFunction func).getACallToThisFunction().getAnArgument()
-  }
 }
 
 module ExposedSystemData = TaintTracking::Global<ExposedSystemDataConfig>;

cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql

@@ -28,7 +28,6 @@ import cpp
 import semmle.code.cpp.ir.dataflow.TaintTracking
 import semmle.code.cpp.models.interfaces.FlowSource
 import semmle.code.cpp.security.OutputWrite
-import semmle.code.cpp.models.implementations.Memset
 import PotentiallyExposedSystemData::PathGraph
 import SystemData
 
@@ -50,10 +49,6 @@ module PotentiallyExposedSystemDataConfig implements DataFlow::ConfigSig {
       else child = sink.asExpr()
     )
   }
-
-  predicate isBarrier(DataFlow::Node node) {
-    node.asIndirectArgument() = any(MemsetFunction func).getACallToThisFunction().getAnArgument()
-  }
 }
 
 module PotentiallyExposedSystemData = TaintTracking::Global<PotentiallyExposedSystemDataConfig>;

cpp/ql/src/Summary/LinesOfCode.ql

@@ -4,7 +4,6 @@
  * @description The total number of lines of C/C++ code across all files, including system headers, libraries, and auto-generated files. This is a useful metric of the size of a database. For all files that were seen during the build, this query counts the lines of code, excluding whitespace or comments.
  * @kind metric
  * @tags summary
- *       telemetry
  */
 
 import cpp

cpp/ql/src/change-notes/2023-10-16-redundant-null-check-simple.md

@@ -1,7 +1,6 @@
-## 0.8.1
-
-### New Queries
-
+---
+category: newQuery
+---
 * The query `cpp/redundant-null-check-simple` has been promoted to Code Scanning. The query finds cases where a pointer is compared to null after it has already been dereferenced. Such comparisons likely indicate a bug at the place where the pointer is dereferenced, or where the pointer is compared to null.
 
   Note: This query was incorrectly noted as being promoted to Code Scanning in CodeQL version 2.14.6.