Revert to using workflow_call

.bazelrc

@@ -24,7 +24,5 @@ common --registry=file:///%workspace%/misc/bazel/registry
 common --registry=https://bcr.bazel.build
 
 common --@rules_dotnet//dotnet/settings:strict_deps=false
-common --experimental_isolated_extension_usages
-common --incompatible_use_plus_in_repo_names
 
 try-import %workspace%/local.bazelrc

.bazelrc.internal

@@ -8,4 +8,3 @@ common --registry=https://bcr.bazel.build
 # its implementation packages without providing any code itself.
 # We either can depend on internal implementation details, or turn of strict deps.
 common --@rules_dotnet//dotnet/settings:strict_deps=false
-common --experimental_isolated_extension_usages

.bazelversion

@@ -1 +1 @@
-5f5d70b6c4d2fb1a889479569107f1692239e8a7
+7.2.1

.github/labeler.yml

@@ -30,10 +30,6 @@ Ruby:
   - ruby/**/*
   - change-notes/**/*ruby*
 
-Rust:
-  - rust/**/*
-  - change-notes/**/*rust*
-
 Swift:
   - swift/**/*
   - change-notes/**/*swift*

.github/pull_request_template.md

@@ -1,14 +0,0 @@
-### Pull Request checklist
-
-#### All query authors
-
-- [ ] A change note is added if necessary. See [the documentation](https://github.com/github/codeql/blob/main/docs/change-notes.md) in this repository.
-- [ ] All new queries have appropriate `.qhelp`. See [the documentation](https://github.com/github/codeql/blob/main/docs/query-help-style-guide.md) in this repository.
-- [ ] QL tests are added if necessary. See [Testing custom queries](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/testing-custom-queries) in the GitHub documentation.
-- [ ] New and changed queries have correct query metadata. See [the documentation](https://github.com/github/codeql/blob/main/docs/query-metadata-style-guide.md) in this repository.
-
-#### Internal query authors only
-
-- [ ] Autofixes generated based on these changes are valid, only needed if this PR makes significant changes to `.ql`, `.qll`, or `.qhelp` files. See [the documentation](https://github.com/github/codeql-team/blob/main/docs/best-practices/validating-autofix-for-query-changes.md) (internal access required).
-- [ ] Changes are validated [at scale](https://github.com/github/codeql-dca/) (internal access required).
-- [ ] Adding a new query? Consider also [adding the query to autofix](https://github.com/github/codeml-autofix/blob/main/docs/updating-query-support.md#adding-a-new-query-to-the-query-suite).

.github/workflows/buildifier.yml

@@ -24,5 +24,5 @@ jobs:
           extra_args: >
             buildifier --all-files 2>&1 ||
             (
-              echo -e "In order to format all bazel files, please run:\n  bazel run //misc/bazel/buildifier"; exit 1
+              echo -e "In order to format all bazel files, please run:\n  bazel run //misc/bazel:buildifier"; exit 1
             )

.github/workflows/check-change-note.yml

@@ -16,12 +16,11 @@ on:
       - "shared/**/*.qll"
       - "!**/experimental/**"
       - "!ql/**"
-      - "!rust/**"
       - ".github/workflows/check-change-note.yml"
 
 jobs:
   check-change-note:
-    env:
+    env: 
       REPO: ${{ github.repository }}
       PULL_REQUEST_NUMBER: ${{ github.event.number }}
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -34,7 +33,7 @@ jobs:
           !contains(github.event.pull_request.labels.*.name, 'no-change-note-required')
         run: |
           change_note_files=$(gh api "repos/$REPO/pulls/$PULL_REQUEST_NUMBER/files" --paginate --jq '.[].filename | select(test("/change-notes/.*[.]md$"))')
-
+          
           if [ -z "$change_note_files" ]; then
             echo "No change note found. Either add one, or add the 'no-change-note-required' label."
             exit 1

.github/workflows/cpp-swift-analysis.yml

@@ -37,7 +37,7 @@ jobs:
       with:
         languages: cpp
         config-file: ./.github/codeql/codeql-config.yml
-
+  
     - name: "[Ubuntu] Remove GCC 13 from runner image"
       shell: bash
       run: |
@@ -48,7 +48,7 @@ jobs:
     - name: "Build Swift extractor using Bazel"
       run: |
         bazel clean --expunge
-        bazel run //swift:create-extractor-pack --nouse_action_cache --noremote_accept_cached --noremote_upload_local_results --spawn_strategy=local
+        bazel run //swift:create-extractor-pack --nouse_action_cache --noremote_accept_cached --noremote_upload_local_results --spawn_strategy=local --features=-layering_check
         bazel shutdown
 
     - name: Perform CodeQL Analysis

.github/workflows/csharp-qltest.yml

@@ -29,6 +29,45 @@ permissions:
   contents: read
 
 jobs:
+  qlupgrade:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/fetch-codeql
+      - name: Check DB upgrade scripts
+        run: |
+          echo >empty.trap
+          codeql dataset import -S ql/lib/upgrades/initial/semmlecode.csharp.dbscheme testdb empty.trap
+          codeql dataset upgrade testdb --additional-packs ql/lib
+          diff -q testdb/semmlecode.csharp.dbscheme ql/lib/semmlecode.csharp.dbscheme
+      - name: Check DB downgrade scripts
+        run: |
+          echo >empty.trap
+          rm -rf testdb; codeql dataset import -S ql/lib/semmlecode.csharp.dbscheme testdb empty.trap
+          codeql resolve upgrades --format=lines --allow-downgrades --additional-packs downgrades \
+           --dbscheme=ql/lib/semmlecode.csharp.dbscheme --target-dbscheme=downgrades/initial/semmlecode.csharp.dbscheme |
+           xargs codeql execute upgrades testdb
+          diff -q testdb/semmlecode.csharp.dbscheme downgrades/initial/semmlecode.csharp.dbscheme
+  qltest:
+    if: github.repository_owner == 'github'
+    runs-on: ubuntu-latest-xl
+    strategy:
+      fail-fast: false
+      matrix:
+        slice: ["1/2", "2/2"]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./csharp/actions/create-extractor-pack
+      - name: Cache compilation cache
+        id: query-cache
+        uses: ./.github/actions/cache-query-compilation
+        with:
+          key: csharp-qltest-${{ matrix.slice }}
+      - name: Run QL tests
+        run: |
+          codeql test run --threads=0 --ram 50000 --slice ${{ matrix.slice }} --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
   unit-tests:
     strategy:
       matrix:

.github/workflows/go-tests-linux.yml

@@ -0,0 +1,26 @@
+name: "Go: Run Tests"
+on:
+  workflow_dispatch:
+  workflow_call:
+    inputs:
+      ref:
+        required: true
+        type: string
+
+permissions:
+  contents: read
+
+jobs:
+  test-linux:
+    if: github.repository_owner == 'github'
+    name: Test Linux (Ubuntu)
+    runs-on: ubuntu-latest-xl
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.ref }}
+      - name: Run tests
+        uses: ./go/actions/test
+        with:
+          run-code-checks: true

.github/workflows/go-tests-other-os.yml

@@ -1,15 +1,11 @@
 name: "Go: Run Tests - Other OS"
 on:
-  pull_request:
-    paths:
-      - "go/**"
-      - "!go/ql/**" # don't run other-os if only ql/ files changed
-      - .github/workflows/go-tests-other-os.yml
-      - .github/actions/**
-      - codeql-workspace.yml
-      - MODULE.bazel
-      - .bazelrc
-      - misc/bazel/**
+  workflow_dispatch:
+  workflow_call:
+    inputs:
+      ref:
+        required: true
+        type: string
 
 permissions:
   contents: read
@@ -21,6 +17,8 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.ref }}
       - name: Run tests
         uses: ./go/actions/test
 
@@ -31,5 +29,7 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.ref }}
       - name: Run tests
         uses: ./go/actions/test

.github/workflows/go-tests.yml

@@ -1,10 +1,11 @@
-name: "Go: Run Tests"
+name: "Go: Prepare Tests"
 on:
   push:
     paths:
       - "go/**"
-      - "shared/**"
       - .github/workflows/go-tests.yml
+      - .github/workflows/go-tests-linux.yml
+      - .github/workflows/go-tests-other-os.yml
       - .github/actions/**
       - codeql-workspace.yml
     branches:
@@ -13,26 +14,129 @@ on:
   pull_request:
     paths:
       - "go/**"
-      - "shared/**"
       - .github/workflows/go-tests.yml
+      - .github/workflows/go-tests-linux.yml
+      - .github/workflows/go-tests-other-os.yml
       - .github/actions/**
       - codeql-workspace.yml
       - MODULE.bazel
       - .bazelrc
       - misc/bazel/**
 
-permissions:
-  contents: read
-
 jobs:
-  test-linux:
+  prepare-go-tests:
     if: github.repository_owner == 'github'
-    name: Test Linux (Ubuntu)
-    runs-on: ubuntu-latest-xl
+    name: "Prepare tests"
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    outputs:
+      # Skip tests for this workflow run if we just created a new commit/PR to run the
+      # tests on.
+      skipTests: ${{ steps.push-bazel-files.outputs.SKIP_TESTS }}
+      # We don't want to run macOS/Windows workflows if only .ql files have changed
+      onlyQL: ${{ steps.only-ql-check.outputs.ONLY_QL_CHANGES }}
     steps:
+      - name: Print information about the workflow
+        shell: bash
+        run: |
+          echo $GITHUB_CONTEXT
+        env:
+          GITHUB_CONTEXT: ${{ toJson(github) }}
+
       - name: Check out code
         uses: actions/checkout@v4
-      - name: Run tests
-        uses: ./go/actions/test
         with:
-          run-code-checks: true
+          # For PRs, this ensures that we do not end up in a detached HEAD state;
+          # For pushes, this does not change anything.
+          # We require this to be able to easily push changes, if needed.
+          ref: ${{ github.event.pull_request.head.ref || '' }}
+          # We need HEAD^ to determine the list of changed files
+          fetch-depth: 2
+
+      # Determine whether only .ql files changed: if so, we won't run the macOS and Windows workflows
+      - name: Determine whether only .ql files changed
+        id: only-ql-check
+        shell: bash
+        run: |
+          CHANGES=$(git diff --name-only HEAD^)
+          echo $CHANGES
+
+          ONLY_QL_CHANGES=true
+          for change in $(git diff --name-only HEAD^)
+          do
+            if [[ $change != go/ql/* ]];
+            then
+              ONLY_QL_CHANGES=false
+              echo "Files other than .ql files have changed"
+              break
+            fi
+          done
+
+          echo "Setting ONLY_QL_CHANGES to $ONLY_QL_CHANGES"
+          echo "ONLY_QL_CHANGES=$ONLY_QL_CHANGES" >> $GITHUB_OUTPUT
+
+      # Dependabot will nuke Bazel build files when it updates Go dependencies;
+      # this will restore them
+      - name: Regenerate Bazel files for Dependabot PR
+        if: github.event.pull_request.user.login == 'dependabot[bot]'
+        shell: bash
+        run: |
+          bazel run //go:gazelle
+          bazel run //go:gen
+
+      # And this will push the Bazel files to the PR branch
+      - name: Push Bazel files for Dependabot PR
+        id: push-bazel-files
+        if: github.event.pull_request.user.login == 'dependabot[bot]'
+        shell: bash
+        run: |
+          git add go/extractor/vendor/**
+
+          if git diff --exit-code HEAD;
+          then
+            echo "Regenerate Bazel files resulted in no changes"
+          else
+            BAZEL_BRANCH_NAME="${{ github.head_ref }}/bazel"
+
+            echo "Pushing regenerated Bazel files to $BAZEL_BRANCH_NAME"
+            git config user.name "github-actions[bot]"
+            git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+            git commit -m 'Regenerate Bazel build files for Dependabot PR'
+
+            git checkout -b "$BAZEL_BRANCH_NAME"
+            git push -u origin "$BAZEL_BRANCH_NAME"
+
+            echo "Creating PR for $BAZEL_BRANCH_NAME"
+            gh pr create -B "${{ github.head_ref }}" -H "$BAZEL_BRANCH_NAME" \
+                --title "Go: Regenerate Bazel files for Dependabot PR" \
+                --body "Created automatically to update Bazel build files for a Dependabot PR"
+
+            echo "Merging PR by pushing to ${{ github.head_ref }}"
+            git checkout "${{ github.head_ref }}"
+            git push
+          fi
+
+          echo "SKIP_TESTS=true" >> $GITHUB_OUTPUT
+
+  run-linux-tests:
+    name: "Run Linux tests"
+    if: needs.prepare-go-tests.outputs.skipTests != 'true'
+    needs:
+      - prepare-go-tests
+    uses: ./.github/workflows/go-tests-linux.yml
+    secrets: inherit
+    with:
+      ref: ${{ github.head_ref || github.ref_name }}
+
+  run-other-os-tests:
+    name: "Run other OS tests"
+    # Only run this workflow for PRs and only if something other than .ql files changed
+    if: github.event_name == 'pull_request' && needs.prepare-go-tests.outputs.skipTests != 'true' && !(needs.prepare-go-tests.outputs.onlyQL == 'true')
+    needs:
+      - prepare-go-tests
+    uses: ./.github/workflows/go-tests-other-os.yml
+    secrets: inherit
+    with:
+      ref: ${{ github.head_ref }}

.github/workflows/ruby-build.yml

@@ -65,8 +65,8 @@ jobs:
         id: cache-extractor
         with:
           path: |
-            target/release/codeql-extractor-ruby
-            target/release/codeql-extractor-ruby.exe
+            ruby/extractor/target/release/codeql-extractor-ruby
+            ruby/extractor/target/release/codeql-extractor-ruby.exe
             ruby/extractor/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
           key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-extractor-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/Cargo.lock') }}-${{ hashFiles('shared/tree-sitter-extractor') }}-${{ hashFiles('ruby/extractor/**/*.rs') }}
       - uses: actions/cache@v3
@@ -75,7 +75,7 @@ jobs:
           path: |
             ~/.cargo/registry
             ~/.cargo/git
-            target
+            ruby/target
           key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-rust-cargo-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/**/Cargo.lock') }}
       - name: Check formatting
         if: steps.cache-extractor.outputs.cache-hit != 'true'
@@ -91,7 +91,7 @@ jobs:
         run: cd extractor && cargo build --release
       - name: Generate dbscheme
         if: ${{ matrix.os == 'ubuntu-latest' && steps.cache-extractor.outputs.cache-hit != 'true'}}
-        run: ../target/release/codeql-extractor-ruby generate --dbscheme ql/lib/ruby.dbscheme --library ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
+        run: extractor/target/release/codeql-extractor-ruby generate --dbscheme ql/lib/ruby.dbscheme --library ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
       - uses: actions/upload-artifact@v3
         if: ${{ matrix.os == 'ubuntu-latest' }}
         with:
@@ -106,8 +106,8 @@ jobs:
         with:
           name: extractor-${{ matrix.os }}
           path: |
-            target/release/codeql-extractor-ruby
-            target/release/codeql-extractor-ruby.exe
+            ruby/extractor/target/release/codeql-extractor-ruby
+            ruby/extractor/target/release/codeql-extractor-ruby.exe
           retention-days: 1
   compile-queries:
     if: github.repository_owner == 'github'
@@ -140,7 +140,6 @@ jobs:
           path: |
             ${{ runner.temp }}/query-packs/*
           retention-days: 1
-          include-hidden-files: true
 
   package:
     runs-on: ubuntu-latest
@@ -177,7 +176,6 @@ jobs:
           name: codeql-ruby-pack
           path: ruby/codeql-ruby.zip
           retention-days: 1
-          include-hidden-files: true
       - uses: actions/download-artifact@v3
         with:
           name: codeql-ruby-queries
@@ -195,7 +193,6 @@ jobs:
           name: codeql-ruby-bundle
           path: ruby/codeql-ruby-bundle.zip
           retention-days: 1
-          include-hidden-files: true
 
   test:
     defaults:

.github/workflows/rust.yml

@@ -1,58 +0,0 @@
-name: "Rust"
-
-on:
-  pull_request:
-    paths:
-      - "rust/**"
-      - "misc/bazel/**"
-      - "misc/codegen/**"
-      - "shared/**"
-      - "MODULE.bazel"
-      - .github/workflows/rust.yml
-      - .github/actions/**
-      - codeql-workspace.yml
-      - "!**/*.md"
-      - "!**/*.qhelp"
-    branches:
-      - rust-experiment
-      - main
-      - rc/*
-      - codeql-cli-*
-
-permissions:
-  contents: read
-
-jobs:
-  rust-code:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Format
-        working-directory: rust/extractor
-        shell: bash
-        run: |
-          cargo fmt --check
-      - name: Compilation
-        working-directory: rust/extractor
-        shell: bash
-        run: cargo check
-      - name: Clippy
-        working-directory: rust/extractor
-        shell: bash
-        run: |
-          cargo clippy --fix
-          git diff --exit-code
-  rust-codegen:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Install CodeQL
-        uses: ./.github/actions/fetch-codeql
-      - name: Code generation
-        shell: bash
-        run: |
-          bazel run //rust/codegen
-          git add .
-          git diff --exit-code HEAD

.gitignore

@@ -7,8 +7,8 @@
 .cache
 
 # qltest projects and artifacts
-*.actual
 */ql/test/**/*.testproj
+*/ql/test/**/*.actual
 */ql/test/**/go.sum
 
 # Visual studio temporaries, except a file used by QL4VS
@@ -65,9 +65,3 @@ node_modules/
 
 # bazel-built in-tree extractor packs
 /*/extractor-pack
-
-# Jetbrains IDE files
-.idea
-
-# cargo build directory
-/target

.pre-commit-config.yaml

@@ -5,9 +5,9 @@ repos:
     rev: v3.2.0
     hooks:
       - id: trailing-whitespace
-        exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
+        exclude: /test/.*$(?<!\.ql)(?<!\.qll)(?<!\.qlref)|.*\.patch
       - id: end-of-file-fixer
-        exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
+        exclude: /test/.*$(?<!\.ql)(?<!\.qll)(?<!\.qlref)|.*\.patch
 
   - repo: https://github.com/pre-commit/mirrors-clang-format
     rev: v17.0.6
@@ -15,7 +15,7 @@ repos:
       - id: clang-format
 
   - repo: https://github.com/pre-commit/mirrors-autopep8
-    rev: v2.0.4
+    rev: v1.6.0
     hooks:
       - id: autopep8
         files: ^misc/codegen/.*\.py
@@ -26,7 +26,7 @@ repos:
         name: Format bazel files
         files: \.(bazel|bzl)
         language: system
-        entry: bazel run //misc/bazel/buildifier
+        entry: bazel run //misc/bazel:buildifier
         pass_filenames: false
 
 #      DISABLED: can be enabled by copying this config and installing `pre-commit` with `--config` on the copy
@@ -45,7 +45,7 @@ repos:
 
       - id: sync-files
         name: Fix files required to be identical
-        files: \.(qll?|qhelp|swift|toml)$|^config/identical-files\.json$
+        files: \.(qll?|qhelp|swift)$|^config/identical-files\.json$
         language: system
         entry: python3 config/sync-files.py --latest
         pass_filenames: false
@@ -58,7 +58,7 @@ repos:
 
       - id: swift-codegen
         name: Run Swift checked in code generation
-        files: ^misc/codegen/|^swift/(schema.py$|codegen/|.*/generated/|ql/lib/(swift\.dbscheme$|codeql/swift/elements)|ql/\.generated.list)
+        files: ^swift/(schema.py$|codegen/|.*/generated/|ql/lib/(swift\.dbscheme$|codeql/swift/elements)|ql/\.generated.list)
         language: system
         entry: bazel run //swift/codegen -- --quiet
         pass_filenames: false
@@ -69,17 +69,3 @@ repos:
         language: system
         entry: bazel test //misc/codegen/test
         pass_filenames: false
-
-      - id: rust-codegen
-        name: Run Rust checked in code generation
-        files: ^misc/codegen/|^rust/(schema.py$|codegen/|.*/generated/|ql/lib/(rust\.dbscheme$|codeql/rust/elements)|\.generated.list)
-        language: system
-        entry: bazel run //rust/codegen -- --quiet
-        pass_filenames: false
-
-      - id: rust-lint
-        name: Run fmt and clippy on Rust code
-        files: ^rust/extractor/(.*rs|Cargo.toml)$
-        language: system
-        entry: python3 rust/lint.py
-        pass_filenames: false

Cargo.toml

@@ -1,16 +0,0 @@
-# This is the shared workspace file for extractor using shared/tree-sitter/extractor
-[workspace]
-
-resolver = "2"
-members = [
-    "shared/tree-sitter-extractor",
-    "ruby/extractor",
-    "rust/extractor",
-    "rust/extractor/macros",
-    "rust/ast-generator",
-]
-
-[patch.crates-io]
-# patch for build script bug preventing bazel build
-# see https://github.com/rust-lang/rustc_apfloat/pull/17
-rustc_apfloat = { git = "https://github.com/redsun82/rustc_apfloat.git", rev = "096d585100636bc2e9f09d7eefec38c5b334d47b" }

MODULE.bazel

@@ -1,7 +1,6 @@
 module(
-    name = "ql",
+    name = "codeql",
     version = "0.0",
-    repo_name = "codeql",
 )
 
 # this points to our internal repository when `codeql` is checked out as a submodule thereof
@@ -15,29 +14,27 @@ local_path_override(
 # see https://registry.bazel.build/ for a list of available packages
 
 bazel_dep(name = "platforms", version = "0.0.10")
-bazel_dep(name = "rules_go", version = "0.50.0")
-bazel_dep(name = "rules_pkg", version = "1.0.1")
+bazel_dep(name = "rules_go", version = "0.48.0")
+bazel_dep(name = "rules_pkg", version = "0.10.1")
 bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
-bazel_dep(name = "rules_python", version = "0.35.0")
+bazel_dep(name = "rules_python", version = "0.32.2")
 bazel_dep(name = "bazel_skylib", version = "1.6.1")
 bazel_dep(name = "abseil-cpp", version = "20240116.0", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "10.0.0")
-bazel_dep(name = "rules_kotlin", version = "2.0.0-codeql.1")
-bazel_dep(name = "gazelle", version = "0.38.0")
+bazel_dep(name = "rules_kotlin", version = "1.9.4-codeql.1")
+bazel_dep(name = "gazelle", version = "0.37.0")
 bazel_dep(name = "rules_dotnet", version = "0.15.1")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
-bazel_dep(name = "rules_rust", version = "0.52.2")
+bazel_dep(name = "rules_rust", version = "0.46.0")
 
 bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
 
-# crate_py but shortened due to Windows file path considerations
-cp = use_extension(
+crate = use_extension(
     "@rules_rust//crate_universe:extension.bzl",
     "crate",
-    isolate = True,
 )
-cp.from_cargo(
+crate.from_cargo(
     name = "py_deps",
     cargo_lockfile = "//python/extractor/tsg-python:Cargo.lock",
     manifests = [
@@ -45,27 +42,15 @@ cp.from_cargo(
         "//python/extractor/tsg-python/tsp:Cargo.toml",
     ],
 )
-use_repo(cp, "py_deps")
-
-# deps for ruby+rust, but shortened due to windows file paths
-r = use_extension(
-    "@rules_rust//crate_universe:extension.bzl",
-    "crate",
-    isolate = True,
-)
-r.from_cargo(
-    name = "r",
-    cargo_lockfile = "//:Cargo.lock",
+crate.from_cargo(
+    name = "ruby_deps",
+    cargo_lockfile = "//ruby/extractor:Cargo.lock",
     manifests = [
-        "//:Cargo.toml",
         "//ruby/extractor:Cargo.toml",
-        "//rust/extractor:Cargo.toml",
-        "//rust/extractor/macros:Cargo.toml",
-        "//rust/ast-generator:Cargo.toml",
-        "//shared/tree-sitter-extractor:Cargo.toml",
+        "//ruby/extractor/codeql-extractor-fake-crate:Cargo.toml",
     ],
 )
-use_repo(r, tree_sitter_extractors_deps = "r")
+use_repo(crate, "py_deps", "ruby_deps")
 
 dotnet = use_extension("@rules_dotnet//dotnet:extensions.bzl", "dotnet")
 dotnet.toolchain(dotnet_version = "8.0.101")
@@ -127,8 +112,6 @@ use_repo(
     "kotlin-compiler-1.9.0-Beta",
     "kotlin-compiler-1.9.20-Beta",
     "kotlin-compiler-2.0.0-RC1",
-    "kotlin-compiler-2.0.20-Beta2",
-    "kotlin-compiler-2.1.0-Beta1",
     "kotlin-compiler-embeddable-1.5.0",
     "kotlin-compiler-embeddable-1.5.10",
     "kotlin-compiler-embeddable-1.5.20",
@@ -141,8 +124,6 @@ use_repo(
     "kotlin-compiler-embeddable-1.9.0-Beta",
     "kotlin-compiler-embeddable-1.9.20-Beta",
     "kotlin-compiler-embeddable-2.0.0-RC1",
-    "kotlin-compiler-embeddable-2.0.20-Beta2",
-    "kotlin-compiler-embeddable-2.1.0-Beta1",
     "kotlin-stdlib-1.5.0",
     "kotlin-stdlib-1.5.10",
     "kotlin-stdlib-1.5.20",
@@ -155,16 +136,10 @@ use_repo(
     "kotlin-stdlib-1.9.0-Beta",
     "kotlin-stdlib-1.9.20-Beta",
     "kotlin-stdlib-2.0.0-RC1",
-    "kotlin-stdlib-2.0.20-Beta2",
-    "kotlin-stdlib-2.1.0-Beta1",
 )
 
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
-go_sdk.download(version = "1.23.1")
-
-go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
-go_deps.from_file(go_mod = "//go/extractor:go.mod")
-use_repo(go_deps, "org_golang_x_mod", "org_golang_x_tools")
+go_sdk.download(version = "1.22.2")
 
 lfs_files = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_files")
 

config/identical-files.json

@@ -57,6 +57,10 @@
     "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
   ],
+  "Model as Data Generation Java/C# - CaptureModels": [
+    "java/ql/src/utils/modelgenerator/internal/CaptureModels.qll",
+    "csharp/ql/src/utils/modelgenerator/internal/CaptureModels.qll"
+  ],
   "Sign Java/C#": [
     "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/Sign.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/Sign.qll"
@@ -352,8 +356,8 @@
     "python/ql/test/library-tests/dataflow/model-summaries/InlineTaintTest.ext.yml",
     "python/ql/test/library-tests/dataflow/model-summaries/NormalDataflowTest.ext.yml"
   ],
-  "Diagnostics.qll": [
-    "ruby/ql/lib/codeql/ruby/Diagnostics.qll",
-    "rust/ql/lib/codeql/rust/Diagnostics.qll"
+  "shared tree-sitter extractor cargo.toml": [
+    "shared/tree-sitter-extractor/Cargo.toml",
+    "ruby/extractor/codeql-extractor-fake-crate/Cargo.toml"
   ]
 }

cpp/downgrades/02a123a1a681f98cf502f189a2a79b0dfb398e59/exprs.ql

@@ -1,17 +0,0 @@
-class Expr extends @expr {
-  string toString() { none() }
-}
-
-class Location extends @location_expr {
-  string toString() { none() }
-}
-
-predicate isExprWithNewBuiltin(Expr expr) {
-  exists(int kind | exprs(expr, kind, _) | 385 <= kind and kind <= 388)
-}
-
-from Expr expr, int kind, int kind_new, Location location
-where
-  exprs(expr, kind, location) and
-  if isExprWithNewBuiltin(expr) then kind_new = 1 else kind_new = kind
-select expr, kind_new, location

cpp/downgrades/02a123a1a681f98cf502f189a2a79b0dfb398e59/sizeof_bind.ql

@@ -1,14 +0,0 @@
-class Expr extends @expr {
-  string toString() { none() }
-}
-
-class Type extends @type {
-  string toString() { none() }
-}
-
-from Expr expr, Type type, int kind
-where
-  sizeof_bind(expr, type) and
-  exprs(expr, kind, _) and
-  (kind = 93 or kind = 94)
-select expr, type

cpp/downgrades/02a123a1a681f98cf502f189a2a79b0dfb398e59/upgrade.properties

@@ -1,4 +0,0 @@
-description: Add new builtin operations
-compatibility: partial
-exprs.rel: run exprs.qlo
-sizeof_bind.rel: run sizeof_bind.qlo

cpp/downgrades/0fea0ee7026c7c3f7d6faef4df4bf67847b67d71/downgrades.ql

@@ -1,32 +0,0 @@
-/*
- * Approach: replace conversion expressions of kind 389 (= @c11_generic) by
- * conversion expressions of kind 12 (= @parexpr), i.e., a `ParenthesisExpr`,
- * and drop the relation which its child expressions, which are just syntactic
- * sugar. Parenthesis expressions are equally benign as C11 _Generic expressions,
- * and behave similarly in the context of the IR.
- */
-
-class Expr extends @expr {
-  string toString() { none() }
-}
-
-class Location extends @location {
-  string toString() { none() }
-}
-
-class ExprParent extends @exprparent {
-  string toString() { none() }
-}
-
-query predicate new_exprs(Expr expr, int new_kind, Location loc) {
-  exists(int kind | exprs(expr, kind, loc) | if kind = 389 then new_kind = 12 else new_kind = kind)
-}
-
-query predicate new_exprparents(Expr expr, int index, ExprParent expr_parent) {
-  exprparents(expr, index, expr_parent) and
-  (
-    not expr_parent instanceof @expr
-    or
-    exists(int kind | exprs(expr_parent.(Expr), kind, _) | kind != 389)
-  )
-}

cpp/downgrades/0fea0ee7026c7c3f7d6faef4df4bf67847b67d71/upgrade.properties

@@ -1,4 +0,0 @@
-description: Expose C11 _Generics
-compatibility: partial
-exprs.rel: run downgrades.ql new_exprs
-exprparents.rel: run downgrades.ql new_exprparents

cpp/downgrades/25e365d1e8147df0f759b604f96eb4bffea48271/upgrade.properties

@@ -1,4 +0,0 @@
-description: Revert support for using-enum declarations.
-compatibility: partial
-usings.rel: run usings.qlo
-using_container.rel: run using_container.qlo

cpp/downgrades/25e365d1e8147df0f759b604f96eb4bffea48271/using_container.ql

@@ -1,14 +0,0 @@
-class UsingEntry extends @using {
-  string toString() { none() }
-}
-
-class Element extends @element {
-  string toString() { none() }
-}
-
-from UsingEntry u, Element parent, int kind
-where
-  usings(u, _, _, kind) and
-  using_container(parent, u) and
-  kind != 3
-select parent, u

cpp/downgrades/25e365d1e8147df0f759b604f96eb4bffea48271/usings.ql

@@ -1,17 +0,0 @@
-class UsingEntry extends @using {
-  string toString() { none() }
-}
-
-class Element extends @element {
-  string toString() { none() }
-}
-
-class Location extends @location_default {
-  string toString() { none() }
-}
-
-from UsingEntry u, Element target, Location loc, int kind
-where
-  usings(u, target, loc, kind) and
-  kind != 3
-select u, target, loc

cpp/downgrades/3d35dd6b50edfc540c14c6757e0c7b3c5b7b04dd/exprs.ql

@@ -1,17 +0,0 @@
-class Expr extends @expr {
-  string toString() { none() }
-}
-
-class Location extends @location_expr {
-  string toString() { none() }
-}
-
-predicate isExprWithNewBuiltin(Expr expr) {
-  exists(int kind | exprs(expr, kind, _) | 364 <= kind and kind <= 384)
-}
-
-from Expr expr, int kind, int kind_new, Location location
-where
-  exprs(expr, kind, location) and
-  if isExprWithNewBuiltin(expr) then kind_new = 1 else kind_new = kind
-select expr, kind_new, location

cpp/downgrades/3d35dd6b50edfc540c14c6757e0c7b3c5b7b04dd/upgrade.properties

@@ -1,3 +0,0 @@
-description: Add new builtin operations
-compatibility: partial
-exprs.rel: run exprs.qlo

cpp/downgrades/68930f3b81bbe3fdbb91c850deca1fec8072d62a/upgrade.properties

@@ -1,3 +0,0 @@
-description: description: Support explicit(bool) specifiers
-compatibility: full
-explicit_specifier_exprs.rel: delete

cpp/downgrades/6f5d51e89e762fe4609fd4ac8ee3afb04221e873/exprs.ql

@@ -1,15 +0,0 @@
-class Expr extends @expr {
-  string toString() { none() }
-}
-
-class Location extends @location_expr {
-  string toString() { none() }
-}
-
-predicate isExprRequires(Expr expr) { exists(int kind | exprs(expr, kind, _) | kind = 390) }
-
-from Expr expr, int kind, int kind_new, Location location
-where
-  exprs(expr, kind, location) and
-  if isExprRequires(expr) then kind_new = 1 else kind_new = kind
-select expr, kind_new, location

cpp/downgrades/6f5d51e89e762fe4609fd4ac8ee3afb04221e873/upgrade.properties

@@ -1,3 +0,0 @@
-description: Add requires expr
-compatibility: partial
-exprs.rel: run exprs.qlo

cpp/downgrades/7ff6a6e53dbcff09d1b9b758b594bc6d17366863/coroutine.ql

@@ -1,18 +0,0 @@
-class Function extends @function {
-  string toString() { none() }
-}
-
-class Type extends @type {
-  string toString() { none() }
-}
-
-class Variable extends @variable {
-  string toString() { none() }
-}
-
-from Function func, Type traits, Variable handle, Variable promise
-where
-  coroutine(func, traits) and
-  coroutine_placeholder_variable(handle, 1, func) and
-  coroutine_placeholder_variable(promise, 2, func)
-select func, traits, handle, promise

cpp/downgrades/7ff6a6e53dbcff09d1b9b758b594bc6d17366863/upgrade.properties

@@ -1,4 +0,0 @@
-description: Improve handling of coroutine placeholder variables
-compatibility: full
-coroutine.rel: run coroutine.qlo
-coroutine_placeholder_variable.rel: delete

cpp/downgrades/9629fc87dab7dbed0771bf5ce22bce4d7f943b52/upgrade.properties

@@ -1,2 +0,0 @@
-description: Support destroying deletes
-compatibility: full

cpp/downgrades/e197626a6ebccd052d5c891975fccf8aebcc9803/upgrade.properties

@@ -1,3 +0,0 @@
-description: Add relation between deduction guides and class templates
-compatibility: full
-deduction_guide_for_class.rel: delete

cpp/ql/lib/CHANGELOG.md

@@ -1,74 +1,3 @@
-## 2.0.1
-
-No user-facing changes.
-
-## 2.0.0
-
-### Breaking Changes
-
-* Deleted many deprecated taint-tracking configurations based on `TaintTracking::Configuration`. 
-* Deleted many deprecated dataflow configurations based on `DataFlow::Configuration`. 
-* Deleted the deprecated `hasQualifiedName` and `isDefined` predicates from the `Declaration` class, use `hasGlobalName` and `hasDefinition` respectively instead.
-* Deleted the `getFullSignature` predicate from the `Function` class, use `getIdentityString(Declaration)` from `semmle.code.cpp.Print` instead.
-* Deleted the deprecated `freeCall` predicate from `Alloc.qll`. Use `DeallocationExpr` instead.
-* Deleted the deprecated `explorationLimit` predicate from `DataFlow::Configuration`, use `FlowExploration<explorationLimit>` instead.
-* Deleted the deprecated `getFieldExpr` predicate from `ClassAggregateLiteral`, use `getAFieldExpr` instead.
-* Deleted the deprecated `getElementExpr` predicate from `ArrayOrVectorAggregateLiteral`, use `getAnElementExpr` instead.
-
-### New Features
-
-* Added a class `C11GenericExpr` to represent C11 generic selection expressions. The generic selection is represented as a `Conversion` on the expression that will be selected.
-* Added subclasses of `BuiltInOperations` for the `__is_scoped_enum`, `__is_trivially_equality_comparable`, and `__is_trivially_relocatable` builtin operations.
-* Added a subclass of `Expr` for `__datasizeof` expressions.
-
-### Minor Analysis Improvements
-
-* Added a data flow model for `swap` member functions, which were previously modeled as taint tracking functions. This change improves the precision of queries where flow through `swap` member functions might affect the results.
-* Added a data flow model for `realloc`-like functions, which were previously modeled as a taint tracking functions. This change improves the precision of queries where flow through `realloc`-like functions might affect the results.
-
-## 1.4.2
-
-No user-facing changes.
-
-## 1.4.1
-
-No user-facing changes.
-
-## 1.4.0
-
-### New Features
-
-* A `getTemplateClass` predicate was added to the `DeductionGuide` class to get the class template for which the deduction guide is a guide.
-* An `isExplicit` predicate was added to the `Function` class that determines whether the function was declared as explicit.
-* A `getExplicitExpr` predicate was added to the `Function` class that yields the constant boolean expression (if any) that conditionally determines whether the function is explicit.
-* A `isDestroyingDeleteDeallocation` predicate was added to the `NewOrNewArrayExpr` and `DeleteOrDeleteArrayExpr` classes to indicate whether the deallocation function is a destroying delete. 
-
-### Minor Analysis Improvements
-
-* The controlling expression of a `constexpr if` is now always recognized as an unevaluated expression.
-* Improved performance of alias analysis of large function bodies. In rare cases, alerts that depend on alias analysis of large function bodies may be affected.
-* A `UsingEnumDeclarationEntry` class has been added for C++ `using enum` declarations. As part of this, synthesized `UsingDeclarationEntry`s are no longer emitted for individual enumerators of the referenced enumeration.
-
-## 1.3.0
-
-### New Features
-
-* Models-as-data alert provenance information has been extended to the C/C++ language. Any qltests that include the edges relation in their output (for example, `.qlref`s that reference path-problem queries) will need to be have their expected output updated accordingly.
-* Added subclasses of `BuiltInOperations` for `__builtin_has_attribute`, `__builtin_is_corresponding_member`, `__builtin_is_pointer_interconvertible_with_class`, `__is_assignable_no_precondition_check`, `__is_bounded_array`, `__is_convertible`, `__is_corresponding_member`, `__is_nothrow_convertible`, `__is_pointer_interconvertible_with_class`, `__is_referenceable`, `__is_same_as`, `__is_trivially_copy_assignable`, `__is_unbounded_array`, `__is_valid_winrt_type`, `_is_win_class`, `__is_win_interface`, `__reference_binds_to_temporary`, `__reference_constructs_from_temporary`, and `__reference_converts_from_temporary`.
-* The class `NewArrayExpr` adds a predicate `getArraySize()` to allow a more convenient way to access the static size of the array when the extent is missing.
-
-## 1.2.0
-
-### New Features
-
-* The syntax for models-as-data rows has been extended to make it easier to select sources, sinks, and summaries that involve templated functions and classes. Additionally, the syntax has also been extended to make it easier to specify models with arbitrary levels of indirection. See `dataflow/ExternalFlow.qll` for the updated documentation and specification for the model format.
-* It is now possible to extend the classes `AllocationFunction` and `DeallocationFunction` via data extensions. Extensions of these classes should be added to the `lib/ext/allocation` and `lib/ext/deallocation` directories respectively.
-
-### Minor Analysis Improvements
-
-* The queries "Potential double free" (`cpp/double-free`) and "Potential use after free" (`cpp/use-after-free`) now produce fewer false positives.
-* The "Guards" library (`semmle.code.cpp.controlflow.Guards`) now also infers guards from calls to the builtin operation `__builtin_expect`. As a result, some queries may produce fewer false positives.
-
 ## 1.1.1
 
 No user-facing changes.

cpp/ql/lib/change-notes/2024-06-10-builtin-expect.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "Guards" library (`semmle.code.cpp.controlflow.Guards`) now also infers guards from calls to the builtin operation `__builtin_expect`. As a result, some queries may produce fewer false positives.

cpp/ql/lib/change-notes/2024-06-13-double-free.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The queries "Potential double free" (`cpp/double-free`) and "Potential use after free" (`cpp/use-after-free`) now produce fewer false positives.

cpp/ql/lib/change-notes/2024-06-20-extensible-allocation-deallocation.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* It is now possible to extend the classes `AllocationFunction` and `DeallocationFunction` via data extensions. Extensions of these classes should be added to the `lib/ext/allocation` and `lib/ext/deallocation` directories respectively.

cpp/ql/lib/change-notes/2024-07-03-extended-mad-syntax.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* The syntax for models-as-data rows has been extended to make it easier to select sources, sinks, and summaries that involve templated functions and classes. Additionally, the syntax has also been extended to make it easier to specify models with arbitrary levels of indirection. See `dataflow/ExternalFlow.qll` for the updated documentation and specification for the model format.

cpp/ql/lib/change-notes/2024-10-07-range-analysis-of-getc.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The `SimpleRangeAnalysis` library (`semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis`) now generates more precise ranges for calls to `fgetc` and `getc`.

cpp/ql/lib/change-notes/2024-10-09-fopen-taint.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added taint flow model for `fopen` and related functions.

cpp/ql/lib/change-notes/released/1.2.0.md

@@ -1,11 +0,0 @@
-## 1.2.0
-
-### New Features
-
-* The syntax for models-as-data rows has been extended to make it easier to select sources, sinks, and summaries that involve templated functions and classes. Additionally, the syntax has also been extended to make it easier to specify models with arbitrary levels of indirection. See `dataflow/ExternalFlow.qll` for the updated documentation and specification for the model format.
-* It is now possible to extend the classes `AllocationFunction` and `DeallocationFunction` via data extensions. Extensions of these classes should be added to the `lib/ext/allocation` and `lib/ext/deallocation` directories respectively.
-
-### Minor Analysis Improvements
-
-* The queries "Potential double free" (`cpp/double-free`) and "Potential use after free" (`cpp/use-after-free`) now produce fewer false positives.
-* The "Guards" library (`semmle.code.cpp.controlflow.Guards`) now also infers guards from calls to the builtin operation `__builtin_expect`. As a result, some queries may produce fewer false positives.

cpp/ql/lib/change-notes/released/1.3.0.md

@@ -1,7 +0,0 @@
-## 1.3.0
-
-### New Features
-
-* Models-as-data alert provenance information has been extended to the C/C++ language. Any qltests that include the edges relation in their output (for example, `.qlref`s that reference path-problem queries) will need to be have their expected output updated accordingly.
-* Added subclasses of `BuiltInOperations` for `__builtin_has_attribute`, `__builtin_is_corresponding_member`, `__builtin_is_pointer_interconvertible_with_class`, `__is_assignable_no_precondition_check`, `__is_bounded_array`, `__is_convertible`, `__is_corresponding_member`, `__is_nothrow_convertible`, `__is_pointer_interconvertible_with_class`, `__is_referenceable`, `__is_same_as`, `__is_trivially_copy_assignable`, `__is_unbounded_array`, `__is_valid_winrt_type`, `_is_win_class`, `__is_win_interface`, `__reference_binds_to_temporary`, `__reference_constructs_from_temporary`, and `__reference_converts_from_temporary`.
-* The class `NewArrayExpr` adds a predicate `getArraySize()` to allow a more convenient way to access the static size of the array when the extent is missing.

cpp/ql/lib/change-notes/released/1.4.0.md

@@ -1,14 +0,0 @@
-## 1.4.0
-
-### New Features
-
-* A `getTemplateClass` predicate was added to the `DeductionGuide` class to get the class template for which the deduction guide is a guide.
-* An `isExplicit` predicate was added to the `Function` class that determines whether the function was declared as explicit.
-* A `getExplicitExpr` predicate was added to the `Function` class that yields the constant boolean expression (if any) that conditionally determines whether the function is explicit.
-* A `isDestroyingDeleteDeallocation` predicate was added to the `NewOrNewArrayExpr` and `DeleteOrDeleteArrayExpr` classes to indicate whether the deallocation function is a destroying delete. 
-
-### Minor Analysis Improvements
-
-* The controlling expression of a `constexpr if` is now always recognized as an unevaluated expression.
-* Improved performance of alias analysis of large function bodies. In rare cases, alerts that depend on alias analysis of large function bodies may be affected.
-* A `UsingEnumDeclarationEntry` class has been added for C++ `using enum` declarations. As part of this, synthesized `UsingDeclarationEntry`s are no longer emitted for individual enumerators of the referenced enumeration.

cpp/ql/lib/change-notes/released/1.4.1.md

@@ -1,3 +0,0 @@
-## 1.4.1
-
-No user-facing changes.

cpp/ql/lib/change-notes/released/1.4.2.md

@@ -1,3 +0,0 @@
-## 1.4.2
-
-No user-facing changes.

cpp/ql/lib/change-notes/released/2.0.0.md

@@ -1,23 +0,0 @@
-## 2.0.0
-
-### Breaking Changes
-
-* Deleted many deprecated taint-tracking configurations based on `TaintTracking::Configuration`. 
-* Deleted many deprecated dataflow configurations based on `DataFlow::Configuration`. 
-* Deleted the deprecated `hasQualifiedName` and `isDefined` predicates from the `Declaration` class, use `hasGlobalName` and `hasDefinition` respectively instead.
-* Deleted the `getFullSignature` predicate from the `Function` class, use `getIdentityString(Declaration)` from `semmle.code.cpp.Print` instead.
-* Deleted the deprecated `freeCall` predicate from `Alloc.qll`. Use `DeallocationExpr` instead.
-* Deleted the deprecated `explorationLimit` predicate from `DataFlow::Configuration`, use `FlowExploration<explorationLimit>` instead.
-* Deleted the deprecated `getFieldExpr` predicate from `ClassAggregateLiteral`, use `getAFieldExpr` instead.
-* Deleted the deprecated `getElementExpr` predicate from `ArrayOrVectorAggregateLiteral`, use `getAnElementExpr` instead.
-
-### New Features
-
-* Added a class `C11GenericExpr` to represent C11 generic selection expressions. The generic selection is represented as a `Conversion` on the expression that will be selected.
-* Added subclasses of `BuiltInOperations` for the `__is_scoped_enum`, `__is_trivially_equality_comparable`, and `__is_trivially_relocatable` builtin operations.
-* Added a subclass of `Expr` for `__datasizeof` expressions.
-
-### Minor Analysis Improvements
-
-* Added a data flow model for `swap` member functions, which were previously modeled as taint tracking functions. This change improves the precision of queries where flow through `swap` member functions might affect the results.
-* Added a data flow model for `realloc`-like functions, which were previously modeled as a taint tracking functions. This change improves the precision of queries where flow through `realloc`-like functions might affect the results.

cpp/ql/lib/change-notes/released/2.0.1.md

@@ -1,3 +0,0 @@
-## 2.0.1
-
-No user-facing changes.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.0.1
+lastReleaseVersion: 1.1.1

cpp/ql/lib/cpp.qll

@@ -17,7 +17,6 @@ import semmle.code.cpp.File
 import semmle.code.cpp.Linkage
 import semmle.code.cpp.Location
 import semmle.code.cpp.Compilation
-import semmle.code.cpp.Concept
 import semmle.code.cpp.Element
 import semmle.code.cpp.Namespace
 import semmle.code.cpp.Specifier

cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll

@@ -36,6 +36,16 @@ module PrivateCleartextWrite {
     }
   }
 
+  deprecated class WriteConfig extends TaintTracking::Configuration {
+    WriteConfig() { this = "Write configuration" }
+
+    override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+  }
+
   private module WriteConfig implements DataFlow::ConfigSig {
     predicate isSource(DataFlow::Node source) { source instanceof Source }
 

cpp/ql/lib/ext/std.format.model.yml

@@ -1,14 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: summaryModel
-    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      - ["std", "", False, "format<Args>", "(format_string,Args &&)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["std", "", False, "format<Args>", "(format_string,Args &&)", "", "Argument[*1]", "ReturnValue", "taint", "manual"]
-      - ["std", "", False, "format<Args>", "(format_string,Args &&)", "", "Argument[*2]", "ReturnValue", "taint", "manual"]
-      - ["std", "", False, "format<Args>", "(format_string,Args &&)", "", "Argument[*3]", "ReturnValue", "taint", "manual"]
-      - ["std", "", False, "format<Args>", "(format_string,Args &&)", "", "Argument[*4]", "ReturnValue", "taint", "manual"]
-      - ["std", "", False, "format<Args>", "(format_string,Args &&)", "", "Argument[*5]", "ReturnValue", "taint", "manual"]
-      - ["std", "", False, "format<Args>", "(format_string,Args &&)", "", "Argument[*6]", "ReturnValue", "taint", "manual"]
-      - ["std", "", False, "format<Args>", "(format_string,Args &&)", "", "Argument[*7]", "ReturnValue", "taint", "manual"]
-      - ["std", "", False, "format<Args>", "(format_string,Args &&)", "", "Argument[*8]", "ReturnValue", "taint", "manual"]

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 2.0.2-dev
+version: 1.1.2-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/Concept.qll

@@ -1,14 +0,0 @@
-/**
- * Provides classes for working with C++ concepts.
- */
-
-import semmle.code.cpp.exprs.Expr
-
-/**
- * A C++ requires expression.
- */
-class RequiresExpr extends Expr, @requires_expr {
-  override string toString() { result = "requires ..." }
-
-  override string getAPrimaryQlClass() { result = "RequiresExpr" }
-}

cpp/ql/lib/semmle/code/cpp/Declaration.qll

@@ -60,6 +60,18 @@ class Declaration extends Locatable, @declaration {
    */
   string getQualifiedName() { result = underlyingElement(this).(Q::Declaration).getQualifiedName() }
 
+  /**
+   * DEPRECATED: Prefer `hasGlobalName` or the 2-argument or 3-argument
+   * `hasQualifiedName` predicates. To get the exact same results as this
+   * predicate in all edge cases, use `getQualifiedName()`.
+   *
+   * Holds if this declaration has the fully-qualified name `qualifiedName`.
+   * See `getQualifiedName`.
+   */
+  deprecated predicate hasQualifiedName(string qualifiedName) {
+    this.getQualifiedName() = qualifiedName
+  }
+
   /**
    * Holds if this declaration has a fully-qualified name with a name-space
    * component of `namespaceQualifier`, a declaring type of `typeQualifier`,
@@ -173,6 +185,9 @@ class Declaration extends Locatable, @declaration {
   /** Holds if the declaration has a definition. */
   predicate hasDefinition() { exists(this.getDefinition()) }
 
+  /** DEPRECATED: Use `hasDefinition` instead. */
+  deprecated predicate isDefined() { this.hasDefinition() }
+
   /** Gets the preferred location of this declaration, if any. */
   override Location getLocation() { none() }
 

cpp/ql/lib/semmle/code/cpp/Function.qll

@@ -30,6 +30,46 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
 
   override string getName() { functions(underlyingElement(this), result, _) }
 
+  /**
+   * DEPRECATED: Use `getIdentityString(Declaration)` from `semmle.code.cpp.Print` instead.
+   * Gets the full signature of this function, including return type, parameter
+   * types, and template arguments.
+   *
+   * For example, in the following code:
+   * ```
+   * template<typename T> T min(T x, T y);
+   * int z = min(5, 7);
+   * ```
+   * The full signature of the function called on the last line would be
+   * `min<int>(int, int) -> int`, and the full signature of the uninstantiated
+   * template on the first line would be `min<T>(T, T) -> T`.
+   */
+  deprecated string getFullSignature() {
+    exists(string name, string templateArgs, string args |
+      result = name + templateArgs + args + " -> " + this.getType().toString() and
+      name = this.getQualifiedName() and
+      (
+        if exists(this.getATemplateArgument())
+        then
+          templateArgs =
+            "<" +
+              concat(int i |
+                exists(this.getTemplateArgument(i))
+              |
+                this.getTemplateArgument(i).toString(), ", " order by i
+              ) + ">"
+        else templateArgs = ""
+      ) and
+      args =
+        "(" +
+          concat(int i |
+            exists(this.getParameter(i))
+          |
+            this.getParameter(i).getType().toString(), ", " order by i
+          ) + ")"
+    )
+  }
+
   /** Gets a specifier of this function. */
   override Specifier getASpecifier() {
     funspecifiers(underlyingElement(this), unresolveElement(result)) or
@@ -118,26 +158,6 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
    */
   predicate isConsteval() { this.hasSpecifier("is_consteval") }
 
-  /**
-   * Holds if this function is declared to be `explicit`.
-   */
-  predicate isExplicit() { this.hasSpecifier("explicit") }
-
-  /**
-   * Gets the constant expression that determines whether the function is explicit.
-   *
-   * For example, for the following code the result is the expression `sizeof(T) == 1`:
-   * ```
-   * template<typename T> struct C {
-   *   explicit(sizeof(T) == 1)
-   *   C(const T);
-   * };
-   * ```
-   */
-  Expr getExplicitExpr() {
-    explicit_specifier_exprs(underlyingElement(this), unresolveElement(result))
-  }
-
   /**
    * Holds if this function is declared with `__attribute__((naked))` or
    * `__declspec(naked)`.
@@ -500,17 +520,6 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
    * Gets the nearest enclosing AccessHolder.
    */
   override AccessHolder getEnclosingAccessHolder() { result = this.getDeclaringType() }
-
-  /**
-   * Holds if this function has extraction errors that create an `ErrorExpr`.
-   */
-  predicate hasErrors() {
-    exists(ErrorExpr e |
-      e.getEnclosingFunction() = this and
-      // Exclude the first allocator call argument because it is always extracted as `ErrorExpr`.
-      not exists(NewOrNewArrayExpr new | e = new.getAllocatorCall().getArgument(0))
-    )
-  }
 }
 
 pragma[noinline]
@@ -662,8 +671,7 @@ class FunctionDeclarationEntry extends DeclarationEntry, @fun_decl {
 
   /**
    * Holds if this declaration is an implicit function declaration, that is,
-   * where a function is used before it is declared (under older C standards,
-   * or when there were parse errors).
+   * where a function is used before it is declared (under older C standards).
    */
   predicate isImplicit() { fun_implicit(underlyingElement(this)) }
 
@@ -890,11 +898,4 @@ class UserDefinedLiteral extends Function {
  */
 class DeductionGuide extends Function {
   DeductionGuide() { functions(underlyingElement(this), _, 8) }
-
-  /**
-   * Gets the class template for which this is a deduction guide.
-   */
-  TemplateClass getTemplateClass() {
-    deduction_guide_for_class(underlyingElement(this), unresolveElement(result))
-  }
 }

cpp/ql/lib/semmle/code/cpp/Namespace.qll

@@ -156,7 +156,7 @@ class NamespaceDeclarationEntry extends Locatable, @namespace_decl {
  * A C++ `using` directive or `using` declaration.
  */
 class UsingEntry extends Locatable, @using {
-  override Location getLocation() { usings(underlyingElement(this), _, result, _) }
+  override Location getLocation() { usings(underlyingElement(this), _, result) }
 }
 
 /**
@@ -166,13 +166,15 @@ class UsingEntry extends Locatable, @using {
  * ```
  */
 class UsingDeclarationEntry extends UsingEntry {
-  UsingDeclarationEntry() { usings(underlyingElement(this), _, _, 1) }
+  UsingDeclarationEntry() {
+    not exists(Namespace n | usings(underlyingElement(this), unresolveElement(n), _))
+  }
 
   /**
    * Gets the declaration that is referenced by this using declaration. For
    * example, `std::string` in `using std::string`.
    */
-  Declaration getDeclaration() { usings(underlyingElement(this), unresolveElement(result), _, _) }
+  Declaration getDeclaration() { usings(underlyingElement(this), unresolveElement(result), _) }
 
   override string toString() { result = "using " + this.getDeclaration().getDescription() }
 }
@@ -184,36 +186,19 @@ class UsingDeclarationEntry extends UsingEntry {
  * ```
  */
 class UsingDirectiveEntry extends UsingEntry {
-  UsingDirectiveEntry() { usings(underlyingElement(this), _, _, 2) }
+  UsingDirectiveEntry() {
+    exists(Namespace n | usings(underlyingElement(this), unresolveElement(n), _))
+  }
 
   /**
    * Gets the namespace that is referenced by this using directive. For
    * example, `std` in `using namespace std`.
    */
-  Namespace getNamespace() { usings(underlyingElement(this), unresolveElement(result), _, _) }
+  Namespace getNamespace() { usings(underlyingElement(this), unresolveElement(result), _) }
 
   override string toString() { result = "using namespace " + this.getNamespace().getFriendlyName() }
 }
 
-/**
- * A C++ `using enum` declaration. For example:
- * ```
- * enum class Foo { a, b };
- * using enum Foo;
- * ```
- */
-class UsingEnumDeclarationEntry extends UsingEntry {
-  UsingEnumDeclarationEntry() { usings(underlyingElement(this), _, _, 3) }
-
-  /**
-   * Gets the enumeration that is referenced by this using directive. For
-   * example, `Foo` in `using enum Foo`.
-   */
-  Enum getEnum() { usings(underlyingElement(this), unresolveElement(result), _, _) }
-
-  override string toString() { result = "using enum " + this.getEnum().getQualifiedName() }
-}
-
 /**
  * Holds if `g` is an instance of `GlobalNamespace`. This predicate
  * is used suppress a warning in `GlobalNamespace.getADeclaration()`

cpp/ql/lib/semmle/code/cpp/PrintAST.qll

@@ -80,8 +80,6 @@ private Declaration getAnEnclosingDeclaration(Locatable ast) {
   or
   result = ast.(Parameter).getFunction()
   or
-  result = ast.(Parameter).getCatchBlock().getEnclosingFunction()
-  or
   result = ast.(Expr).getEnclosingDeclaration()
   or
   result = ast.(Initializer).getDeclaration()
@@ -288,6 +286,9 @@ abstract class BaseAstNode extends PrintAstNode {
    * Gets the AST represented by this node.
    */
   final Locatable getAst() { result = ast }
+
+  /** DEPRECATED: Alias for getAst */
+  deprecated Locatable getAST() { result = this.getAst() }
 }
 
 /**
@@ -384,21 +385,6 @@ class CastNode extends ConversionNode {
   }
 }
 
-/**
- * A node representing a `C11GenericExpr`.
- */
-class C11GenericNode extends ConversionNode {
-  C11GenericExpr generic;
-
-  C11GenericNode() { generic = conv }
-
-  override AstNode getChildInternal(int childIndex) {
-    result = super.getChildInternal(childIndex - count(generic.getAChild()))
-    or
-    result.getAst() = generic.getChild(childIndex)
-  }
-}
-
 /**
  * A node representing a `StmtExpr`.
  */
@@ -512,22 +498,6 @@ class DeclStmtNode extends StmtNode {
   }
 }
 
-/**
- * A node representing a `Handler`.
- */
-class HandlerNode extends ChildStmtNode {
-  Handler handler;
-
-  HandlerNode() { handler = stmt }
-
-  override BaseAstNode getChildInternal(int childIndex) {
-    result = super.getChildInternal(childIndex)
-    or
-    childIndex = -1 and
-    result.getAst() = handler.getParameter()
-  }
-}
-
 /**
  * A node representing a `Parameter`.
  */
@@ -772,8 +742,6 @@ private predicate namedStmtChildPredicates(Locatable s, Element e, string pred)
     or
     s.(ConstexprIfStmt).getElse() = e and pred = "getElse()"
     or
-    s.(Handler).getParameter() = e and pred = "getParameter()"
-    or
     s.(IfStmt).getInitialization() = e and pred = "getInitialization()"
     or
     s.(IfStmt).getCondition() = e and pred = "getCondition()"
@@ -892,15 +860,6 @@ private predicate namedExprChildPredicates(Expr expr, Element ele, string pred)
     or
     expr.(BuiltInVarArgsStart).getLastNamedParameter() = ele and pred = "getLastNamedParameter()"
     or
-    expr.(C11GenericExpr).getControllingExpr() = ele and pred = "getControllingExpr()"
-    or
-    exists(int n |
-      expr.(C11GenericExpr).getAssociationType(n) = ele.(TypeName).getType() and
-      pred = "getAssociationType(" + n + ")"
-      or
-      expr.(C11GenericExpr).getAssociationExpr(n) = ele and pred = "getAssociationExpr(" + n + ")"
-    )
-    or
     expr.(Call).getQualifier() = ele and pred = "getQualifier()"
     or
     exists(int n | expr.(Call).getArgument(n) = ele and pred = "getArgument(" + n.toString() + ")")

cpp/ql/lib/semmle/code/cpp/Type.qll

@@ -39,8 +39,8 @@ class Type extends Locatable, @type {
 
   /**
    * Gets a specifier of this type, recursively looking through `typedef` and
-   * `decltype`. For example, in the context of `typedef const int *restrict t`,
-   * the type `volatile t` has specifiers `volatile` and `restrict` but not
+   * `decltype`. For example, in the context of `typedef const int *restrict
+   * t`, the type `volatile t` has specifiers `volatile` and `restrict` but not
    * `const` since the `const` is attached to the type being pointed to rather
    * than the pointer itself.
    */

cpp/ql/lib/semmle/code/cpp/Variable.qll

@@ -409,18 +409,11 @@ class LocalVariable extends LocalScopeVariable, @localvariable {
     exists(ConditionDeclExpr e | e.getVariable() = this and e.getEnclosingFunction() = result)
     or
     orphaned_variables(underlyingElement(this), unresolveElement(result))
-    or
-    coroutine_placeholder_variable(underlyingElement(this), _, unresolveElement(result))
   }
 
   override predicate isStatic() {
     super.isStatic() or orphaned_variables(underlyingElement(this), _)
   }
-
-  override predicate isCompilerGenerated() {
-    super.isCompilerGenerated() or
-    coroutine_placeholder_variable(underlyingElement(this), _, _)
-  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/commons/Alloc.qll

@@ -7,6 +7,15 @@ import semmle.code.cpp.models.interfaces.Deallocation
  */
 predicate freeFunction(Function f, int argNum) { argNum = f.(DeallocationFunction).getFreedArg() }
 
+/**
+ * A call to a library routine that frees memory.
+ *
+ * DEPRECATED: Use `DeallocationExpr` instead (this also includes `delete` expressions).
+ */
+deprecated predicate freeCall(FunctionCall fc, Expr arg) {
+  arg = fc.(DeallocationExpr).getFreedExpr()
+}
+
 /**
  * Is e some kind of allocation or deallocation (`new`, `alloc`, `realloc`, `delete`, `free` etc)?
  */

cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll

@@ -57,7 +57,7 @@ private int isSource(Expr bufferExpr, Element why) {
   exists(Type bufferType |
     // buffer is the address of a variable
     why = bufferExpr.(AddressOfExpr).getAddressable() and
-    bufferType = why.(Variable).getUnspecifiedType() and
+    bufferType = why.(Variable).getType() and
     result = bufferType.getSize() and
     not bufferType instanceof ReferenceType and
     not any(Union u).getAMemberVariable() = why

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -146,7 +146,7 @@ predicate summaryModel(string row) { any(SummaryModelCsv s).row(row) }
 /** Holds if a source model exists for the given parameters. */
 predicate sourceModel(
   string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string output, string kind, string provenance, string model
+  string output, string kind, string provenance
 ) {
   exists(string row |
     sourceModel(row) and
@@ -160,20 +160,16 @@ predicate sourceModel(
     row.splitAt(";", 6) = output and
     row.splitAt(";", 7) = kind
   ) and
-  provenance = "manual" and
-  model = ""
+  provenance = "manual"
   or
-  exists(QlBuiltins::ExtensionId madId |
-    Extensions::sourceModel(namespace, type, subtypes, name, signature, ext, output, kind,
-      provenance, madId) and
-    model = "MaD:" + madId.toString()
-  )
+  Extensions::sourceModel(namespace, type, subtypes, name, signature, ext, output, kind, provenance,
+    _)
 }
 
 /** Holds if a sink model exists for the given parameters. */
 predicate sinkModel(
   string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string input, string kind, string provenance, string model
+  string input, string kind, string provenance
 ) {
   exists(string row |
     sinkModel(row) and
@@ -187,14 +183,9 @@ predicate sinkModel(
     row.splitAt(";", 6) = input and
     row.splitAt(";", 7) = kind
   ) and
-  provenance = "manual" and
-  model = ""
+  provenance = "manual"
   or
-  exists(QlBuiltins::ExtensionId madId |
-    Extensions::sinkModel(namespace, type, subtypes, name, signature, ext, input, kind, provenance,
-      madId) and
-    model = "MaD:" + madId.toString()
-  )
+  Extensions::sinkModel(namespace, type, subtypes, name, signature, ext, input, kind, provenance, _)
 }
 
 /**
@@ -204,7 +195,7 @@ predicate sinkModel(
  */
 private predicate summaryModel0(
   string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string input, string output, string kind, string provenance, string model
+  string input, string output, string kind, string provenance
 ) {
   exists(string row |
     summaryModel(row) and
@@ -219,14 +210,10 @@ private predicate summaryModel0(
     row.splitAt(";", 7) = output and
     row.splitAt(";", 8) = kind
   ) and
-  provenance = "manual" and
-  model = ""
+  provenance = "manual"
   or
-  exists(QlBuiltins::ExtensionId madId |
-    Extensions::summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind,
-      provenance, madId) and
-    model = "MaD:" + madId.toString()
-  )
+  Extensions::summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind,
+    provenance, _)
 }
 
 /**
@@ -247,20 +234,19 @@ private predicate expandInputAndOutput(
  */
 predicate summaryModel(
   string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string input, string output, string kind, string provenance, string model
+  string input, string output, string kind, string provenance
 ) {
   exists(string input0, string output0 |
-    summaryModel0(namespace, type, subtypes, name, signature, ext, input0, output0, kind,
-      provenance, model) and
+    summaryModel0(namespace, type, subtypes, name, signature, ext, input0, output0, kind, provenance) and
     expandInputAndOutput(input0, input, output0, output,
       [0 .. Private::getMaxElementContentIndirectionIndex() - 1])
   )
 }
 
 private predicate relevantNamespace(string namespace) {
-  sourceModel(namespace, _, _, _, _, _, _, _, _, _) or
-  sinkModel(namespace, _, _, _, _, _, _, _, _, _) or
-  summaryModel(namespace, _, _, _, _, _, _, _, _, _, _)
+  sourceModel(namespace, _, _, _, _, _, _, _, _) or
+  sinkModel(namespace, _, _, _, _, _, _, _, _) or
+  summaryModel(namespace, _, _, _, _, _, _, _, _, _)
 }
 
 private predicate namespaceLink(string shortns, string longns) {
@@ -290,17 +276,17 @@ predicate modelCoverage(string namespace, int namespaces, string kind, string pa
     part = "source" and
     n =
       strictcount(string subns, string type, boolean subtypes, string name, string signature,
-        string ext, string output, string provenance, string model |
+        string ext, string output, string provenance |
         canonicalNamespaceLink(namespace, subns) and
-        sourceModel(subns, type, subtypes, name, signature, ext, output, kind, provenance, model)
+        sourceModel(subns, type, subtypes, name, signature, ext, output, kind, provenance)
       )
     or
     part = "sink" and
     n =
       strictcount(string subns, string type, boolean subtypes, string name, string signature,
-        string ext, string input, string provenance, string model |
+        string ext, string input, string provenance |
         canonicalNamespaceLink(namespace, subns) and
-        sinkModel(subns, type, subtypes, name, signature, ext, input, kind, provenance, model)
+        sinkModel(subns, type, subtypes, name, signature, ext, input, kind, provenance)
       )
     or
     part = "summary" and
@@ -308,7 +294,7 @@ predicate modelCoverage(string namespace, int namespaces, string kind, string pa
       strictcount(string subns, string type, boolean subtypes, string name, string signature,
         string ext, string input, string output, string provenance |
         canonicalNamespaceLink(namespace, subns) and
-        summaryModel(subns, type, subtypes, name, signature, ext, input, output, kind, provenance, _)
+        summaryModel(subns, type, subtypes, name, signature, ext, input, output, kind, provenance)
       )
   )
 }
@@ -317,9 +303,9 @@ predicate modelCoverage(string namespace, int namespaces, string kind, string pa
 module CsvValidation {
   private string getInvalidModelInput() {
     exists(string pred, AccessPath input, string part |
-      sinkModel(_, _, _, _, _, _, input, _, _, _) and pred = "sink"
+      sinkModel(_, _, _, _, _, _, input, _, _) and pred = "sink"
       or
-      summaryModel(_, _, _, _, _, _, input, _, _, _, _) and pred = "summary"
+      summaryModel(_, _, _, _, _, _, input, _, _, _) and pred = "summary"
     |
       (
         invalidSpecComponent(input, part) and
@@ -336,9 +322,9 @@ module CsvValidation {
 
   private string getInvalidModelOutput() {
     exists(string pred, string output, string part |
-      sourceModel(_, _, _, _, _, _, output, _, _, _) and pred = "source"
+      sourceModel(_, _, _, _, _, _, output, _, _) and pred = "source"
       or
-      summaryModel(_, _, _, _, _, _, _, output, _, _, _) and pred = "summary"
+      summaryModel(_, _, _, _, _, _, _, output, _, _) and pred = "summary"
     |
       invalidSpecComponent(output, part) and
       not part = "" and
@@ -348,11 +334,11 @@ module CsvValidation {
   }
 
   private module KindValConfig implements SharedModelVal::KindValidationConfigSig {
-    predicate summaryKind(string kind) { summaryModel(_, _, _, _, _, _, _, _, kind, _, _) }
+    predicate summaryKind(string kind) { summaryModel(_, _, _, _, _, _, _, _, kind, _) }
 
-    predicate sinkKind(string kind) { sinkModel(_, _, _, _, _, _, _, kind, _, _) }
+    predicate sinkKind(string kind) { sinkModel(_, _, _, _, _, _, _, kind, _) }
 
-    predicate sourceKind(string kind) { sourceModel(_, _, _, _, _, _, _, kind, _, _) }
+    predicate sourceKind(string kind) { sourceModel(_, _, _, _, _, _, _, kind, _) }
   }
 
   private module KindVal = SharedModelVal::KindValidation<KindValConfig>;
@@ -393,11 +379,11 @@ module CsvValidation {
 
   private string getInvalidModelSignature() {
     exists(string pred, string namespace, string type, string name, string signature, string ext |
-      sourceModel(namespace, type, _, name, signature, ext, _, _, _, _) and pred = "source"
+      sourceModel(namespace, type, _, name, signature, ext, _, _, _) and pred = "source"
       or
-      sinkModel(namespace, type, _, name, signature, ext, _, _, _, _) and pred = "sink"
+      sinkModel(namespace, type, _, name, signature, ext, _, _, _) and pred = "sink"
       or
-      summaryModel(namespace, type, _, name, signature, ext, _, _, _, _, _) and pred = "summary"
+      summaryModel(namespace, type, _, name, signature, ext, _, _, _, _) and pred = "summary"
     |
       not namespace.regexpMatch("[a-zA-Z0-9_\\.:]*") and
       result = "Dubious namespace \"" + namespace + "\" in " + pred + " model."
@@ -429,23 +415,18 @@ module CsvValidation {
 private predicate elementSpec(
   string namespace, string type, boolean subtypes, string name, string signature, string ext
 ) {
-  sourceModel(namespace, type, subtypes, name, signature, ext, _, _, _, _) or
-  sinkModel(namespace, type, subtypes, name, signature, ext, _, _, _, _) or
-  summaryModel(namespace, type, subtypes, name, signature, ext, _, _, _, _, _)
+  sourceModel(namespace, type, subtypes, name, signature, ext, _, _, _) or
+  sinkModel(namespace, type, subtypes, name, signature, ext, _, _, _) or
+  summaryModel(namespace, type, subtypes, name, signature, ext, _, _, _, _)
 }
 
 /** Gets the fully templated version of `f`. */
-private Function getFullyTemplatedFunction(Function f) {
+private Function getFullyTemplatedMemberFunction(Function f) {
   not f.isFromUninstantiatedTemplate(_) and
-  (
-    exists(Class c, Class templateClass, int i |
-      c.isConstructedFrom(templateClass) and
-      f = c.getAMember(i) and
-      result = templateClass.getCanonicalMember(i)
-    )
-    or
-    not exists(f.getDeclaringType()) and
-    f.isConstructedFrom(result)
+  exists(Class c, Class templateClass, int i |
+    c.isConstructedFrom(templateClass) and
+    f = c.getAMember(i) and
+    result = templateClass.getCanonicalMember(i)
   )
 }
 
@@ -469,14 +450,14 @@ string getParameterTypeWithoutTemplateArguments(Function f, int n) {
  */
 private string getTypeNameWithoutFunctionTemplates(Function f, int n, int remaining) {
   exists(Function templateFunction |
-    templateFunction = getFullyTemplatedFunction(f) and
+    templateFunction = getFullyTemplatedMemberFunction(f) and
     remaining = templateFunction.getNumberOfTemplateArguments() and
     result = getParameterTypeWithoutTemplateArguments(templateFunction, n)
   )
   or
   exists(string mid, TemplateParameter tp, Function templateFunction |
     mid = getTypeNameWithoutFunctionTemplates(f, n, remaining + 1) and
-    templateFunction = getFullyTemplatedFunction(f) and
+    templateFunction = getFullyTemplatedMemberFunction(f) and
     tp = templateFunction.getTemplateArgument(remaining) and
     result = mid.replaceAll(tp.getName(), "func:" + remaining.toString())
   )
@@ -487,18 +468,12 @@ private string getTypeNameWithoutFunctionTemplates(Function f, int n, int remain
  * with `class:N` (where `N` is the index of the template).
  */
 private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining) {
-  // If there is a declaring type then we start by expanding the function templates
   exists(Class template |
     f.getDeclaringType().isConstructedFrom(template) and
     remaining = template.getNumberOfTemplateArguments() and
     result = getTypeNameWithoutFunctionTemplates(f, n, 0)
   )
   or
-  // If there is no declaring type we're done after expanding the function templates
-  not exists(f.getDeclaringType()) and
-  remaining = 0 and
-  result = getTypeNameWithoutFunctionTemplates(f, n, 0)
-  or
   exists(string mid, TemplateParameter tp, Class template |
     mid = getTypeNameWithoutClassTemplates(f, n, remaining + 1) and
     f.getDeclaringType().isConstructedFrom(template) and
@@ -581,6 +556,38 @@ private string getSignatureWithoutFunctionTemplateNames(
   )
 }
 
+private string paramsStringPart(Function c, int i) {
+  not c.isFromUninstantiatedTemplate(_) and
+  (
+    i = -1 and result = "(" and exists(c)
+    or
+    exists(int n, string p | getParameterTypeName(c, n) = p |
+      i = 2 * n and result = p
+      or
+      i = 2 * n - 1 and result = "," and n != 0
+    )
+    or
+    i = 2 * c.getNumberOfParameters() and result = ")"
+  )
+}
+
+/**
+ * Gets a parenthesized string containing all parameter types of this callable, separated by a comma.
+ *
+ * Returns the empty string if the callable has no parameters.
+ * Parameter types are represented by their type erasure.
+ */
+cached
+private string paramsString(Function c) {
+  result = concat(int i | | paramsStringPart(c, i) order by i)
+}
+
+bindingset[func]
+private predicate matchesSignature(Function func, string signature) {
+  signature = "" or
+  paramsString(func) = signature
+}
+
 /**
  * Holds if `elementSpec(_, type, _, name, signature, _)` holds and
  * - `typeArgs` represents the named template parameters supplied to `type`, and
@@ -729,17 +736,17 @@ private predicate elementSpecWithArguments0(
 
 /**
  * Holds if `elementSpec(namespace, type, subtypes, name, signature, _)` and
- * `func`'s signature matches `signature`.
+ * `method`'s signature matches `signature`.
  *
  * `signature` may contain template parameter names that are bound by `type` and `name`.
  */
 pragma[nomagic]
 private predicate elementSpecMatchesSignature(
-  Function func, string namespace, string type, boolean subtypes, string name, string signature
+  Function method, string namespace, string type, boolean subtypes, string name, string signature
 ) {
   elementSpec(namespace, pragma[only_bind_into](type), subtypes, pragma[only_bind_into](name),
     pragma[only_bind_into](signature), _) and
-  signatureMatches(func, signature, type, name, 0)
+  signatureMatches(method, signature, type, name, 0)
 }
 
 /**
@@ -755,22 +762,13 @@ private predicate hasClassAndName(Class classWithMethod, Function method, string
   )
 }
 
-bindingset[name]
-pragma[inline_late]
-private predicate funcHasQualifiedName(Function func, string namespace, string name) {
-  exists(string nameWithoutArgs |
-    parseAngles(name, nameWithoutArgs, _, "") and
-    func.hasQualifiedName(namespace, nameWithoutArgs)
-  )
-}
-
 /**
  * Holds if `namedClass` is in namespace `namespace` and has
  * name `type` (excluding any template parameters).
  */
 bindingset[type, namespace]
 pragma[inline_late]
-private predicate classHasQualifiedName(Class namedClass, string namespace, string type) {
+private predicate hasQualifiedName(Class namedClass, string namespace, string type) {
   exists(string typeWithoutArgs |
     parseAngles(type, typeWithoutArgs, _, "") and
     namedClass.hasQualifiedName(namespace, typeWithoutArgs)
@@ -792,16 +790,15 @@ private Element interpretElement0(
   string namespace, string type, boolean subtypes, string name, string signature
 ) {
   (
-    // Non-member functions
     elementSpec(namespace, type, subtypes, name, signature, _) and
-    subtypes = false and
-    type = "" and
-    (
-      elementSpecMatchesSignature(result, namespace, type, subtypes, name, signature)
-      or
-      signature = "" and
-      elementSpec(namespace, type, subtypes, name, "", _) and
-      funcHasQualifiedName(result, namespace, name)
+    // Non-member functions
+    exists(Function func |
+      func.hasQualifiedName(namespace, name) and
+      type = "" and
+      matchesSignature(func, signature) and
+      subtypes = false and
+      not exists(func.getDeclaringType()) and
+      result = func
     )
     or
     // Member functions
@@ -814,7 +811,7 @@ private Element interpretElement0(
         elementSpec(namespace, type, subtypes, name, "", _) and
         hasClassAndName(classWithMethod, result, name)
       ) and
-      classHasQualifiedName(namedClass, namespace, type) and
+      hasQualifiedName(namedClass, namespace, type) and
       (
         // member declared in the named type or a subtype of it
         subtypes = true and
@@ -870,9 +867,9 @@ private module Cached {
    * model.
    */
   cached
-  predicate sourceNode(DataFlow::Node node, string kind, string model) {
+  predicate sourceNode(DataFlow::Node node, string kind) {
     exists(SourceSinkInterpretationInput::InterpretNode n |
-      isSourceNode(n, kind, model) and n.asNode() = node
+      isSourceNode(n, kind, _) and n.asNode() = node // TODO
     )
   }
 
@@ -881,57 +878,40 @@ private module Cached {
    * model.
    */
   cached
-  predicate sinkNode(DataFlow::Node node, string kind, string model) {
+  predicate sinkNode(DataFlow::Node node, string kind) {
     exists(SourceSinkInterpretationInput::InterpretNode n |
-      isSinkNode(n, kind, model) and n.asNode() = node
+      isSinkNode(n, kind, _) and n.asNode() = node // TODO
     )
   }
 }
 
 import Cached
 
-/**
- * Holds if `node` is specified as a source with the given kind in a MaD flow
- * model.
- */
-predicate sourceNode(DataFlow::Node node, string kind) { sourceNode(node, kind, _) }
-
-/**
- * Holds if `node` is specified as a sink with the given kind in a MaD flow
- * model.
- */
-predicate sinkNode(DataFlow::Node node, string kind) { sinkNode(node, kind, _) }
-
 private predicate interpretSummary(
-  Function f, string input, string output, string kind, string provenance, string model
+  Function f, string input, string output, string kind, string provenance
 ) {
   exists(
     string namespace, string type, boolean subtypes, string name, string signature, string ext
   |
-    summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind, provenance,
-      model) and
+    summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind, provenance) and
     f = interpretElement(namespace, type, subtypes, name, signature, ext)
   )
 }
 
 // adapter class for converting Mad summaries to `SummarizedCallable`s
 private class SummarizedCallableAdapter extends SummarizedCallable {
-  SummarizedCallableAdapter() { interpretSummary(this, _, _, _, _, _) }
+  SummarizedCallableAdapter() { interpretSummary(this, _, _, _, _) }
 
-  private predicate relevantSummaryElementManual(
-    string input, string output, string kind, string model
-  ) {
+  private predicate relevantSummaryElementManual(string input, string output, string kind) {
     exists(Provenance provenance |
-      interpretSummary(this, input, output, kind, provenance, model) and
+      interpretSummary(this, input, output, kind, provenance) and
       provenance.isManual()
     )
   }
 
-  private predicate relevantSummaryElementGenerated(
-    string input, string output, string kind, string model
-  ) {
+  private predicate relevantSummaryElementGenerated(string input, string output, string kind) {
     exists(Provenance provenance |
-      interpretSummary(this, input, output, kind, provenance, model) and
+      interpretSummary(this, input, output, kind, provenance) and
       provenance.isGenerated()
     )
   }
@@ -940,16 +920,35 @@ private class SummarizedCallableAdapter extends SummarizedCallable {
     string input, string output, boolean preservesValue, string model
   ) {
     exists(string kind |
-      this.relevantSummaryElementManual(input, output, kind, model)
+      this.relevantSummaryElementManual(input, output, kind)
       or
-      not this.relevantSummaryElementManual(_, _, _, _) and
-      this.relevantSummaryElementGenerated(input, output, kind, model)
+      not this.relevantSummaryElementManual(_, _, _) and
+      this.relevantSummaryElementGenerated(input, output, kind)
     |
       if kind = "value" then preservesValue = true else preservesValue = false
-    )
+    ) and
+    model = "" // TODO
   }
 
   override predicate hasProvenance(Provenance provenance) {
-    interpretSummary(this, _, _, _, provenance, _)
+    interpretSummary(this, _, _, _, provenance)
   }
 }
+
+// adapter class for converting Mad neutrals to `NeutralCallable`s
+private class NeutralCallableAdapter extends NeutralCallable {
+  string kind;
+  string provenance_;
+
+  NeutralCallableAdapter() {
+    // Neutral models have not been implemented for CPP.
+    none() and
+    exists(this) and
+    exists(kind) and
+    exists(provenance_)
+  }
+
+  override string getKind() { result = kind }
+
+  override predicate hasProvenance(Provenance provenance) { provenance = provenance_ }
+}

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *
@@ -282,9 +290,15 @@ deprecated private module Config implements FullStateConfigSig {
 
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+  predicate sourceGrouping(Node source, string sourceGroup) {
+    any(Configuration config).sourceGrouping(source, sourceGroup)
+  }
 
-  predicate observeDiffInformedIncrementalMode() { none() }
+  predicate sinkGrouping(Node sink, string sinkGroup) {
+    any(Configuration config).sinkGrouping(sink, sinkGroup)
+  }
+
+  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *
@@ -282,9 +290,15 @@ deprecated private module Config implements FullStateConfigSig {
 
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+  predicate sourceGrouping(Node source, string sourceGroup) {
+    any(Configuration config).sourceGrouping(source, sourceGroup)
+  }
 
-  predicate observeDiffInformedIncrementalMode() { none() }
+  predicate sinkGrouping(Node sink, string sinkGroup) {
+    any(Configuration config).sinkGrouping(sink, sinkGroup)
+  }
+
+  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *
@@ -282,9 +290,15 @@ deprecated private module Config implements FullStateConfigSig {
 
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+  predicate sourceGrouping(Node source, string sourceGroup) {
+    any(Configuration config).sourceGrouping(source, sourceGroup)
+  }
 
-  predicate observeDiffInformedIncrementalMode() { none() }
+  predicate sinkGrouping(Node sink, string sinkGroup) {
+    any(Configuration config).sinkGrouping(sink, sinkGroup)
+  }
+
+  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *
@@ -282,9 +290,15 @@ deprecated private module Config implements FullStateConfigSig {
 
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+  predicate sourceGrouping(Node source, string sourceGroup) {
+    any(Configuration config).sourceGrouping(source, sourceGroup)
+  }
 
-  predicate observeDiffInformedIncrementalMode() { none() }
+  predicate sinkGrouping(Node sink, string sinkGroup) {
+    any(Configuration config).sinkGrouping(sink, sinkGroup)
+  }
+
+  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *
@@ -282,9 +290,15 @@ deprecated private module Config implements FullStateConfigSig {
 
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+  predicate sourceGrouping(Node source, string sourceGroup) {
+    any(Configuration config).sourceGrouping(source, sourceGroup)
+  }
 
-  predicate observeDiffInformedIncrementalMode() { none() }
+  predicate sinkGrouping(Node sink, string sinkGroup) {
+    any(Configuration config).sinkGrouping(sink, sinkGroup)
+  }
+
+  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll

@@ -215,16 +215,19 @@ predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { none() }
 predicate localMustFlowStep(Node node1, Node node2) { none() }
 
 /** Gets the type of `n` used for type pruning. */
-DataFlowType getNodeType(Node n) {
+Type getNodeType(Node n) {
   exists(n) and
   result instanceof VoidType // stub implementation
 }
 
+/** Gets a string representation of a type returned by `getNodeType`. */
+string ppReprType(Type t) { none() } // stub implementation
+
 /**
  * Holds if `t1` and `t2` are compatible, that is, whether data can flow from
  * a node of type `t1` to a node of type `t2`.
  */
-predicate compatibleTypes(DataFlowType t1, DataFlowType t2) {
+predicate compatibleTypes(Type t1, Type t2) {
   t1 instanceof VoidType and t2 instanceof VoidType // stub implementation
 }
 
@@ -236,15 +239,21 @@ class CastNode extends Node {
   CastNode() { none() } // stub implementation
 }
 
-class DataFlowCallable extends Function { }
+class DataFlowCallable extends Function {
+  /** Gets a best-effort total ordering. */
+  int totalorder() {
+    this =
+      rank[result](DataFlowCallable c, string file, int startline, int startcolumn |
+        c.getLocation().hasLocationInfo(file, startline, startcolumn, _, _)
+      |
+        c order by file, startline, startcolumn
+      )
+  }
+}
 
 class DataFlowExpr = Expr;
 
-final private class TypeFinal = Type;
-
-class DataFlowType extends TypeFinal {
-  string toString() { result = "" }
-}
+class DataFlowType = Type;
 
 /** A function call relevant for data flow. */
 class DataFlowCall extends Expr instanceof Call {
@@ -260,12 +269,24 @@ class DataFlowCall extends Expr instanceof Call {
 
   /** Gets the enclosing callable of this call. */
   DataFlowCallable getEnclosingCallable() { result = this.getEnclosingFunction() }
+
+  /** Gets a best-effort total ordering. */
+  int totalorder() {
+    this =
+      rank[result](DataFlowCall c, int startline, int startcolumn |
+        c.getLocation().hasLocationInfo(_, startline, startcolumn, _, _)
+      |
+        c order by startline, startcolumn
+      )
+  }
 }
 
 class NodeRegion instanceof Unit {
   string toString() { result = "NodeRegion" }
 
   predicate contains(Node n) { none() }
+
+  int totalOrder() { result = 1 }
 }
 
 predicate isUnreachableInCall(NodeRegion nr, DataFlowCall call) { none() } // stub implementation

cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll

@@ -112,8 +112,9 @@ module SourceSinkInterpretationInput implements
     exists(
       string namespace, string type, boolean subtypes, string name, string signature, string ext
     |
-      sourceModel(namespace, type, subtypes, name, signature, ext, output, kind, provenance, model) and
-      e = interpretElement(namespace, type, subtypes, name, signature, ext)
+      sourceModel(namespace, type, subtypes, name, signature, ext, output, kind, provenance) and
+      e = interpretElement(namespace, type, subtypes, name, signature, ext) and
+      model = "" // TODO
     )
   }
 
@@ -127,8 +128,9 @@ module SourceSinkInterpretationInput implements
     exists(
       string package, string type, boolean subtypes, string name, string signature, string ext
     |
-      sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance, model) and
-      e = interpretElement(package, type, subtypes, name, signature, ext)
+      sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance) and
+      e = interpretElement(package, type, subtypes, name, signature, ext) and
+      model = "" // TODO
     )
   }
 

cpp/ql/lib/semmle/code/cpp/exprs/BuiltInOperations.qll

@@ -383,37 +383,6 @@ class BuiltInOperationIsConvertibleTo extends BuiltInOperation, @isconvtoexpr {
   override string getAPrimaryQlClass() { result = "BuiltInOperationIsConvertibleTo" }
 }
 
-/**
- * A C++ `__is_convertible` built-in operation (used by some implementations
- * of the `<type_traits>` header).
- *
- * Returns `true` if the first type can be converted to the second type.
- * ```
- * bool v = __is_convertible(MyType, OtherType);
- * ```
- */
-class BuiltInOperationIsConvertible extends BuiltInOperation, @isconvertible {
-  override string toString() { result = "__is_convertible" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsConvertible" }
-}
-
-/**
- * A C++ `__is_nothrow_convertible` built-in operation (used by some implementations
- * of the `<type_traits>` header).
- *
- * Returns `true` if the first type can be converted to the second type and the
- * conversion operator has an empty exception specification.
- * ```
- * bool v = __is_nothrow_convertible(MyType, OtherType);
- * ```
- */
-class BuiltInOperationIsNothrowConvertible extends BuiltInOperation, @isnothrowconvertible {
-  override string toString() { result = "__is_nothrow_convertible" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsNothrowConvertible" }
-}
-
 /**
  * A C++ `__is_empty` built-in operation (used by some implementations of the
  * `<type_traits>` header).
@@ -678,7 +647,8 @@ class BuiltInOperationIsTriviallyAssignable extends BuiltInOperation, @istrivial
  * The `__is_nothrow_assignable` built-in operation (used by some
  * implementations of the `<type_traits>` header).
  *
- * Returns true if there exists an assignment operator with an empty exception specification.
+ * Returns true if there exists a `C::operator =(const D& d) nothrow`
+ * assignment operator (i.e, with an empty exception specification).
  * ```
  * bool v = __is_nothrow_assignable(MyType1, MyType2);
  * ```
@@ -693,7 +663,8 @@ class BuiltInOperationIsNothrowAssignable extends BuiltInOperation, @isnothrowas
  * The `__is_assignable` built-in operation (used by some implementations
  * of the `<type_traits>` header).
  *
- * Returns true if there exists an assignment operator.
+ * Returns true if there exists a `C::operator =(const D& d)` assignment
+ * operator.
  * ```
  * bool v = __is_assignable(MyType1, MyType2);
  * ```
@@ -704,25 +675,6 @@ class BuiltInOperationIsAssignable extends BuiltInOperation, @isassignable {
   override string getAPrimaryQlClass() { result = "BuiltInOperationIsAssignable" }
 }
 
-/**
- * The `__is_assignable_no_precondition_check` built-in operation (used by some
- * implementations of the `<type_traits>` header).
- *
- * Returns true if there exists an assignment operator.
- * ```
- * bool v = __is_assignable_no_precondition_check(MyType1, MyType2);
- * ```
- */
-class BuiltInOperationIsAssignableNoPreconditionCheck extends BuiltInOperation,
-  @isassignablenopreconditioncheck
-{
-  override string toString() { result = "__is_assignable_no_precondition_check" }
-
-  override string getAPrimaryQlClass() {
-    result = "BuiltInOperationIsAssignableNoPreconditionCheck"
-  }
-}
-
 /**
  * The `__is_standard_layout` built-in operation (used by some implementations
  * of the `<type_traits>` header).
@@ -756,20 +708,6 @@ class BuiltInOperationIsTriviallyCopyable extends BuiltInOperation, @istrivially
   override string getAPrimaryQlClass() { result = "BuiltInOperationIsTriviallyCopyable" }
 }
 
-/**
- * The `__is_trivially_copy_assignable` built-in operation (used by some
- * implementations of the `<type_traits>` header).
- *
- * Returns `true` if instances of this type can be copied using a trivial
- * copy operator.
- */
-class BuiltInOperationIsTriviallyCopyAssignable extends BuiltInOperation, @istriviallycopyassignable
-{
-  override string toString() { result = "__is_trivially_copy_assignable" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsTriviallyCopyAssignable" }
-}
-
 /**
  * The `__is_literal_type` built-in operation (used by some implementations of
  * the `<type_traits>` header).
@@ -1124,24 +1062,6 @@ class BuiltInOperationIsSame extends BuiltInOperation, @issame {
   override string getAPrimaryQlClass() { result = "BuiltInOperationIsSame" }
 }
 
-/**
- * A C++ `__is_same_as` built-in operation (used by some implementations of the
- * `<type_traits>` header).
- *
- * Returns `true` if two types are the same.
- * ```
- * template<typename _Tp, typename _Up>
- *   struct is_same
- *   : public integral_constant<bool, __is_same_as(_Tp, _Up)>
- *   { };
- * ```
- */
-class BuiltInOperationIsSameAs extends BuiltInOperation, @issameas {
-  override string toString() { result = "__is_same_as" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsSameAs" }
-}
-
 /**
  * A C++ `__is_function` built-in operation (used by some implementations of the
  * `<type_traits>` header).
@@ -1200,87 +1120,6 @@ class BuiltInOperationIsPointerInterconvertibleBaseOf extends BuiltInOperation,
   }
 }
 
-/**
- * A C++ `__is_pointer_interconvertible_with_class` built-in operation (used
- * by some implementations of the `<type_traits>` header).
- *
- * Returns `true` if a member pointer is pointer-interconvertible with a
- * class type.
- * ```
- * template<typename _Tp, typename _Up>
- * constexpr bool is_pointer_interconvertible_with_class(_Up _Tp::*mp) noexcept
- *   = __is_pointer_interconvertible_with_class(_Tp, mp);
- * ```
- */
-class BuiltInOperationIsPointerInterconvertibleWithClass extends BuiltInOperation,
-  @ispointerinterconvertiblewithclass
-{
-  override string toString() { result = "__is_pointer_interconvertible_with_class" }
-
-  override string getAPrimaryQlClass() {
-    result = "BuiltInOperationIsPointerInterconvertibleWithClass"
-  }
-}
-
-/**
- * A C++ `__builtin_is_pointer_interconvertible_with_class` built-in operation (used
- * by some implementations of the `<type_traits>` header).
- *
- * Returns `true` if a member pointer is pointer-interconvertible with a class type.
- * ```
- * template<typename _Tp, typename _Up>
- * constexpr bool is_pointer_interconvertible_with_class(_Up _Tp::*mp) noexcept
- *   = __builtin_is_pointer_interconvertible_with_class(mp);
- * ```
- */
-class BuiltInOperationBuiltInIsPointerInterconvertible extends BuiltInOperation,
-  @builtinispointerinterconvertiblewithclass
-{
-  override string toString() { result = "__builtin_is_pointer_interconvertible_with_class" }
-
-  override string getAPrimaryQlClass() {
-    result = "BuiltInOperationBuiltInIsPointerInterconvertible"
-  }
-}
-
-/**
- * A C++ `__is_corresponding_member` built-in operation (used
- * by some implementations of the `<type_traits>` header).
- *
- * Returns `true` if two member pointers refer to corresponding
- * members in the initial sequences of two class types.
- * ```
- * template<typename _Tp1, typename _Tp2, typename _Up1, typename _Up2>
- * constexpr bool is_corresponding_member(_Up1 _Tp1::*mp1, _Up2 _Tp2::*mp2 ) noexcept
- *   = __is_corresponding_member(_Tp1, _Tp2, mp1, mp2);
- * ```
- */
-class BuiltInOperationIsCorrespondingMember extends BuiltInOperation, @iscorrespondingmember {
-  override string toString() { result = "__is_corresponding_member" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsCorrespondingMember" }
-}
-
-/**
- * A C++ `__builtin_is_corresponding_member` built-in operation (used
- * by some implementations of the `<type_traits>` header).
- *
- * Returns `true` if two member pointers refer to corresponding
- * members in the initial sequences of two class types.
- * ```
- * template<typename _Tp1, typename _Tp2, typename _Up1, typename _Up2>
- * constexpr bool is_corresponding_member(_Up1 _Tp1::*mp1, _Up2 _Tp2::*mp2 ) noexcept
- *   = __builtin_is_corresponding_member(mp1, mp2);
- * ```
- */
-class BuiltInOperationBuiltInIsCorrespondingMember extends BuiltInOperation,
-  @builtiniscorrespondingmember
-{
-  override string toString() { result = "__builtin_is_corresponding_member" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationBuiltInIsCorrespondingMember" }
-}
-
 /**
  * A C++ `__is_array` built-in operation (used by some implementations of the
  * `<type_traits>` header).
@@ -1299,42 +1138,6 @@ class BuiltInOperationIsArray extends BuiltInOperation, @isarray {
   override string getAPrimaryQlClass() { result = "BuiltInOperationIsArray" }
 }
 
-/**
- * A C++ `__is_bounded_array` built-in operation (used by some implementations
- * of the `<type_traits>` header).
- *
- * Returns `true` if a type is a bounded array type.
- * ```
- * template<typename _Tp>
- *   struct is_bounded_array
- *   : public integral_constant<bool, __is_bounded_array(_Tp)>
- *   { };
- * ```
- */
-class BuiltInOperationIsBoundedArray extends BuiltInOperation, @isboundedarray {
-  override string toString() { result = "__is_bounded_array" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsBoundedArray" }
-}
-
-/**
- * A C++ `__is_unbounded_array` built-in operation (used by some implementations
- * of the `<type_traits>` header).
- *
- * Returns `true` if a type is an unbounded array type.
- * ```
- * template<typename _Tp>
- *   struct is_bounded_array
- *   : public integral_constant<bool, __is_unbounded_array(_Tp)>
- *   { };
- * ```
- */
-class BuiltInOperationIsUnboundedArray extends BuiltInOperation, @isunboundedarray {
-  override string toString() { result = "__is_unbounded_array" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsUnboundedArray" }
-}
-
 /**
  * A C++ `__array_rank` built-in operation (used by some implementations of the
  * `<type_traits>` header).
@@ -1751,10 +1554,10 @@ class BuiltInBitCast extends BuiltInOperation, @builtinbitcast {
  *
  * Returns `true` if a type is a trivial type.
  * ```
- * template<typename _Tp>
- *   struct is_trivial
- *   : public integral_constant<bool, __is_trivial(_Tp)>
- *   {};
+ *  template<typename _Tp>
+ *    struct is_trivial
+ *    : public integral_constant<bool, __is_trivial(_Tp)>
+ *    {};
  * ```
  */
 class BuiltInIsTrivial extends BuiltInOperation, @istrivialexpr {
@@ -1762,182 +1565,3 @@ class BuiltInIsTrivial extends BuiltInOperation, @istrivialexpr {
 
   override string getAPrimaryQlClass() { result = "BuiltInIsTrivial" }
 }
-
-/**
- * A C++ `__reference_constructs_from_temporary` built-in operation
- * (used by some implementations of the `<type_traits>` header).
- *
- * Returns `true` if a reference type `_Tp` is bound to an expression of
- * type `_Up` in direct-initialization, and a temporary object is bound.
- * ```
- * template<typename _Tp, typename _Up>
- *   struct reference_constructs_from_temporary
- *   : public integral_constant<bool, __reference_constructs_from_temporary(_Tp, _Up)>
- *   {};
- * ```
- */
-class BuiltInOperationReferenceConstructsFromTemporary extends BuiltInOperation,
-  @referenceconstructsfromtemporary
-{
-  override string toString() { result = "__reference_constructs_from_temporary" }
-
-  override string getAPrimaryQlClass() {
-    result = "BuiltInOperationReferenceConstructsFromTemporary"
-  }
-}
-
-/**
- * A C++ `__reference_converts_from_temporary` built-in operation
- * (used by some implementations of the `<type_traits>` header).
- *
- * Returns `true` if a reference type `_Tp` is bound to an expression of
- * type `_Up` in copy-initialization, and a temporary object is bound.
- * ```
- * template<typename _Tp, typename _Up>
- *   struct reference_converts_from_temporary
- *   : public integral_constant<bool, __reference_converts_from_temporary(_Tp, _Up)>
- *   {};
- * ```
- */
-class BuiltInOperationReferenceCovertsFromTemporary extends BuiltInOperation,
-  @referenceconvertsfromtemporary
-{
-  override string toString() { result = "__reference_converts_from_temporary" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationReferenceCovertsFromTemporary" }
-}
-
-/**
- * A C++ `__reference_binds_to_temporary` built-in operation (used by some
- * implementations of the `<tuple>` header).
- *
- * Returns `true` if a reference of type `Type1` is bound to an expression of
- * type `Type1`, and a temporary object is bound.
- * ```
- * __reference_binds_to_temporary(Type1, Type2)
- */
-class BuiltInOperationReferenceBindsToTemporary extends BuiltInOperation, @referencebindstotemporary
-{
-  override string toString() { result = "__reference_binds_to_temporary" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationReferenceBindsToTemporary" }
-}
-
-/**
- * A C++ `__builtin_has_attribute` built-in operation.
- *
- * Returns `true` if a type or expression has been declared with the
- * specified attribute.
- * ```
- * __attribute__ ((aligned(8))) int v;
- * bool has_attribute = __builtin_has_attribute(v, aligned);
- * ```
- */
-class BuiltInOperationHasAttribute extends BuiltInOperation, @builtinhasattribute {
-  override string toString() { result = "__builtin_has_attribute" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationHasAttribute" }
-}
-
-/**
- * A C++ `__is_referenceable` built-in operation.
- *
- * Returns `true` if a type can be referenced.
- * ```
- * bool is_referenceable = __is_referenceable(int);
- * ```
- */
-class BuiltInOperationIsReferenceable extends BuiltInOperation, @isreferenceable {
-  override string toString() { result = "__is_referenceable" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsReferenceable" }
-}
-
-/**
- * The `__is_valid_winrt_type` built-in operation. This is a Microsoft extension.
- *
- * Returns `true` if the type is a valid WinRT type.
- */
-class BuiltInOperationIsValidWinRtType extends BuiltInOperation, @isvalidwinrttype {
-  override string toString() { result = "__is_valid_winrt_type" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsValidWinRtType" }
-}
-
-/**
- * The `__is_win_class` built-in operation. This is a Microsoft extension.
- *
- * Returns `true` if the class is a ref class.
- */
-class BuiltInOperationIsWinClass extends BuiltInOperation, @iswinclass {
-  override string toString() { result = "__is_win_class" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsWinClass" }
-}
-
-/**
- * The `__is_win_class` built-in operation. This is a Microsoft extension.
- *
- * Returns `true` if the class is an interface class.
- */
-class BuiltInOperationIsWinInterface extends BuiltInOperation, @iswininterface {
-  override string toString() { result = "__is_win_interface" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsWinInterface" }
-}
-
-/**
- * A C++ `__is_trivially_equality_comparable` built-in operation.
- *
- * Returns `true` if comparing two objects of type `_Tp` is equivalent to
- * comparing their object representations.
- *
- * ```
- * template<typename _Tp>
- *   struct is_trivially_equality_comparable
- *   : public integral_constant<bool, __is_trivially_equality_comparable(_Tp)>
- *   {};
- * ```
- */
-class BuiltInOperationIsTriviallyEqualityComparable extends BuiltInOperation,
-  @istriviallyequalitycomparable
-{
-  override string toString() { result = "__is_trivially_equality_comparable" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsTriviallyEqualityComparable" }
-}
-
-/**
- * A C++ `__is_scoped_enum` built-in operation (used by some implementations
- * of the `<type_traits>` header).
- *
- * Returns `true` if a type is a scoped enum.
- * ```
- * template<typename _Tp>
- * constexpr bool is_scoped_enum = __is_scoped_enum(_Tp);
- * ```
- */
-class BuiltInOperationIsScopedEnum extends BuiltInOperation, @isscopedenum {
-  override string toString() { result = "__is_scoped_enum" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsScopedEnum" }
-}
-
-/**
- * A C++ `__is_trivially_relocatable` built-in operation.
- *
- * Returns `true` if moving an object of type `_Tp` is equivalent to
- * copying the underlying bytes.
- *
- * ```
- * template<typename _Tp>
- *   struct is_trivially_relocatable
- *   : public integral_constant<bool, __is_trivially_relocatable(_Tp)>
- *   {};
- * ```
- */
-class BuiltInOperationIsTriviallyRelocatable extends BuiltInOperation, @istriviallyrelocatable {
-  override string toString() { result = "__is_trivially_relocatable" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsTriviallyRelocatable" }
-}

cpp/ql/lib/semmle/code/cpp/exprs/Cast.qll

@@ -791,53 +791,6 @@ class AlignofTypeOperator extends AlignofOperator {
   override string toString() { result = "alignof(" + this.getTypeOperand().getName() + ")" }
 }
 
-/**
- * A C++ `__datasizeof` expression (used by some implementations
- * of the `<type_traits>` header).
- *
- * The `__datasizeof` expression behaves identically to `sizeof` except
- * that the result ignores tail padding.
- */
-class DatasizeofOperator extends Expr, @datasizeof {
-  override int getPrecedence() { result = 16 }
-}
-
-/**
- * A C++ `__datasizeof` expression whose operand is an expression.
- */
-class DatasizeofExprOperator extends DatasizeofOperator {
-  DatasizeofExprOperator() { exists(this.getChild(0)) }
-
-  override string getAPrimaryQlClass() { result = "DatasizeofExprOperator" }
-
-  /** Gets the contained expression. */
-  Expr getExprOperand() { result = this.getChild(0) }
-
-  override string toString() { result = "__datasizeof(<expr>)" }
-
-  override predicate mayBeImpure() { this.getExprOperand().mayBeImpure() }
-
-  override predicate mayBeGloballyImpure() { this.getExprOperand().mayBeGloballyImpure() }
-}
-
-/**
- * A C++ `__datasizeof` expression whose operand is a type name.
- */
-class DatasizeofTypeOperator extends DatasizeofOperator {
-  DatasizeofTypeOperator() { sizeof_bind(underlyingElement(this), _) }
-
-  override string getAPrimaryQlClass() { result = "DatasizeofTypeOperator" }
-
-  /** Gets the contained type. */
-  Type getTypeOperand() { sizeof_bind(underlyingElement(this), unresolveElement(result)) }
-
-  override string toString() { result = "__datasizeof(" + this.getTypeOperand().getName() + ")" }
-
-  override predicate mayBeImpure() { none() }
-
-  override predicate mayBeGloballyImpure() { none() }
-}
-
 /**
  * A C/C++ array to pointer conversion.
  *

cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll

@@ -304,15 +304,9 @@ class Expr extends StmtParent, @expr {
       e instanceof NoExceptExpr
       or
       e instanceof AlignofOperator
-      or
-      e instanceof DatasizeofOperator
     )
     or
     exists(Decltype d | d.getExpr() = this.getParentWithConversions*())
-    or
-    exists(ConstexprIfStmt constIf |
-      constIf.getControllingExpr() = this.getParentWithConversions*()
-    )
   }
 
   /**
@@ -632,106 +626,6 @@ class ParenthesisExpr extends Conversion, @parexpr {
   override string getAPrimaryQlClass() { result = "ParenthesisExpr" }
 }
 
-/**
- * A node representing a C11 `_Generic` selection expression.
- *
- * For example:
- * ```
- * _Generic(e, int: "int", default: "unknown")
- * ```
- */
-class C11GenericExpr extends Conversion, @c11_generic {
-  int associationCount;
-
-  C11GenericExpr() { associationCount = (count(this.getAChild()) - 1) / 2 }
-
-  override string toString() { result = "_Generic" }
-
-  override string getAPrimaryQlClass() { result = "C11GenericExpr" }
-
-  /**
-   * Gets the controlling expression of the generic selection.
-   *
-   * For example, for
-   * ```
-   * _Generic(e, int: "a", default: "b")
-   * ```
-   * the result is `e`.
-   */
-  Expr getControllingExpr() { result = this.getChild(0) }
-
-  /**
-   * Gets the type of the `n`th element in the association list of the generic selection.
-   *
-   * For example, for
-   * ```
-   * _Generic(e, int: "a", default: "b")
-   * ```
-   * the type of the 0th element is `int`. In the case of the default element the
-   * type will an instance of `VoidType`.
-   */
-  Type getAssociationType(int n) {
-    n in [0 .. associationCount - 1] and
-    result = this.getChild(n * 2 + 1).(TypeName).getType()
-  }
-
-  /**
-   * Gets the type of an element in the association list of the generic selection.
-   */
-  Type getAnAssociationType() { result = this.getAssociationType(_) }
-
-  /**
-   * Gets the expression of the `n`th element in the association list of
-   * the generic selection.
-   *
-   * For example, for
-   * ```
-   * _Generic(e, int: "a", default: "b")
-   * ```
-   * the expression for 0th element is `"a"`, and the expression for the
-   * 1st element is `"b"`. For the selected expression, this predicate
-   * will yield a `ReuseExpr`, such that
-   * ```
-   * this.getAssociationExpr(n).(ReuseExpr).getReusedExpr() = this.getExpr()
-   * ```
-   */
-  Expr getAssociationExpr(int n) {
-    n in [0 .. associationCount - 1] and
-    result = this.getChild(n * 2 + 2)
-  }
-
-  /**
-   * Gets the expression of an element in the association list of the generic selection.
-   */
-  Expr getAnAssociationExpr() { result = this.getAssociationExpr(_) }
-
-  /**
-   * Holds if the `n`th element of the association list of the generic selection is the
-   * default element.
-   *
-   * For example, for
-   * ```
-   * _Generic(e, int: "a", default: "b")
-   * ```
-   * this holds for 1.
-   */
-  predicate isDefaultAssociation(int n) { this.getAssociationType(n) instanceof VoidType }
-
-  /**
-   * Holds if the `n`th element of the association list of the generic selection is the
-   * one whose expression was selected.
-   *
-   * For example, with `e` of type `int` and
-   * ```
-   * _Generic(e, int: "a", default: "b")
-   * ```
-   * this holds for 0.
-   */
-  predicate isSelectedAssociation(int n) {
-    this.getAssociationExpr(n).(ReuseExpr).getReusedExpr() = this.getExpr()
-  }
-}
-
 /**
  * A C/C++ expression that could not be resolved, or that can no longer be
  * represented due to a database upgrade or downgrade.
@@ -768,8 +662,6 @@ class AssumeExpr extends Expr, @assume {
 
 /**
  * A C/C++ comma expression.
- *
- * For example:
  * ```
  * int c = compute1(), compute2(), resulting_value;
  * ```
@@ -963,16 +855,6 @@ class NewOrNewArrayExpr extends Expr, @any_new_expr {
     )
   }
 
-  /**
-   * Holds if the deallocation function is a destroying delete.
-   */
-  predicate isDestroyingDeleteDeallocation() {
-    exists(int form |
-      expr_deallocator(underlyingElement(this), _, form) and
-      form.bitAnd(4) != 0 // Bit two is the "destroying delete" bit
-    )
-  }
-
   /**
    * Gets the type that is being allocated.
    *
@@ -1067,16 +949,6 @@ class NewArrayExpr extends NewOrNewArrayExpr, @new_array_expr {
    * gives nothing, as the 10 is considered part of the type.
    */
   Expr getExtent() { result = this.getChild(2) }
-
-  /**
-   * Gets the number of elements in the array, if available.
-   *
-   * For example, `new int[]{1,2,3}` has an array size of 3.
-   */
-  int getArraySize() {
-    result = this.getAllocatedType().(ArrayType).getArraySize() or
-    result = this.getInitializer().(ArrayAggregateLiteral).getArraySize()
-  }
 }
 
 private class TDeleteOrDeleteArrayExpr = @delete_expr or @delete_array_expr;
@@ -1143,16 +1015,6 @@ class DeleteOrDeleteArrayExpr extends Expr, TDeleteOrDeleteArrayExpr {
     )
   }
 
-  /**
-   * Holds if the deallocation function is a destroying delete.
-   */
-  predicate isDestroyingDeleteDeallocation() {
-    exists(int form |
-      expr_deallocator(underlyingElement(this), _, form) and
-      form.bitAnd(4) != 0 // Bit two is the "destroying delete" bit
-    )
-  }
-
   /**
    * Gets the object or array being deleted.
    */

cpp/ql/lib/semmle/code/cpp/exprs/Literal.qll

@@ -195,6 +195,17 @@ class ClassAggregateLiteral extends AggregateLiteral {
    */
   Expr getAFieldExpr(Field field) { result = this.getFieldExpr(field, _) }
 
+  /**
+   * DEPRECATED: Use `getAFieldExpr` instead.
+   *
+   * Gets the expression within the aggregate literal that is used to initialize
+   * field `field`, if present.
+   *
+   * This predicate may have multiple results since a field can be initialized
+   * multiple times in the same initializer.
+   */
+  deprecated Expr getFieldExpr(Field field) { result = this.getFieldExpr(field, _) }
+
   /**
    * Gets the expression within the aggregate literal that is used to initialize
    * field `field`, if present. The expression is the `position`'th entry in the
@@ -289,6 +300,17 @@ class ArrayOrVectorAggregateLiteral extends AggregateLiteral {
    */
   Expr getAnElementExpr(int elementIndex) { result = this.getElementExpr(elementIndex, _) }
 
+  /**
+   * DEPRECATED: Use `getAnElementExpr` instead.
+   *
+   * Gets the expression within the aggregate literal that is used to initialize
+   * element `elementIndex`, if present.
+   *
+   * This predicate may have multiple results since an element can be initialized
+   * multiple times in the same initializer.
+   */
+  deprecated Expr getElementExpr(int elementIndex) { result = this.getElementExpr(elementIndex, _) }
+
   /**
    * Gets the expression within the aggregate literal that is used to initialize
    * element `elementIndex`, if present. The expression is the `position`'th entry

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *
@@ -282,9 +290,15 @@ deprecated private module Config implements FullStateConfigSig {
 
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+  predicate sourceGrouping(Node source, string sourceGroup) {
+    any(Configuration config).sourceGrouping(source, sourceGroup)
+  }
 
-  predicate observeDiffInformedIncrementalMode() { none() }
+  predicate sinkGrouping(Node sink, string sinkGroup) {
+    any(Configuration config).sinkGrouping(sink, sinkGroup)
+  }
+
+  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *
@@ -282,9 +290,15 @@ deprecated private module Config implements FullStateConfigSig {
 
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+  predicate sourceGrouping(Node source, string sourceGroup) {
+    any(Configuration config).sourceGrouping(source, sourceGroup)
+  }
 
-  predicate observeDiffInformedIncrementalMode() { none() }
+  predicate sinkGrouping(Node sink, string sinkGroup) {
+    any(Configuration config).sinkGrouping(sink, sinkGroup)
+  }
+
+  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *
@@ -282,9 +290,15 @@ deprecated private module Config implements FullStateConfigSig {
 
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+  predicate sourceGrouping(Node source, string sourceGroup) {
+    any(Configuration config).sourceGrouping(source, sourceGroup)
+  }
 
-  predicate observeDiffInformedIncrementalMode() { none() }
+  predicate sinkGrouping(Node sink, string sinkGroup) {
+    any(Configuration config).sinkGrouping(sink, sinkGroup)
+  }
+
+  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

@@ -168,6 +168,14 @@ abstract deprecated class Configuration extends string {
    */
   predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
 
+  /**
+   * DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
+   *
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  deprecated int explorationLimit() { none() }
+
   /**
    * Holds if hidden nodes should be included in the data flow graph.
    *
@@ -282,9 +290,15 @@ deprecated private module Config implements FullStateConfigSig {
 
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
-  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+  predicate sourceGrouping(Node source, string sourceGroup) {
+    any(Configuration config).sourceGrouping(source, sourceGroup)
+  }
 
-  predicate observeDiffInformedIncrementalMode() { none() }
+  predicate sinkGrouping(Node sink, string sinkGroup) {
+    any(Configuration config).sinkGrouping(sink, sinkGroup)
+  }
+
+  predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
 }
 
 deprecated private import Impl<Config> as I

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -11,7 +11,6 @@ private import Node0ToString
 private import ModelUtil
 private import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs as IO
 private import semmle.code.cpp.models.interfaces.DataFlow as DF
-private import semmle.code.cpp.dataflow.ExternalFlow as External
 
 cached
 private module Cached {
@@ -994,6 +993,9 @@ DataFlowType getNodeType(Node n) {
   result instanceof VoidType // stub implementation
 }
 
+/** Gets a string representation of a type returned by `getNodeType`. */
+string ppReprType(DataFlowType t) { none() } // stub implementation
+
 /**
  * Holds if `t1` and `t2` are compatible, that is, whether data can flow from
  * a node of type `t1` to a node of type `t2`.
@@ -1058,6 +1060,16 @@ class DataFlowCallable extends TDataFlowCallable {
     result = this.asSummarizedCallable() or // SummarizedCallable = Function (in CPP)
     result = this.asSourceCallable()
   }
+
+  /** Gets a best-effort total ordering. */
+  int totalorder() {
+    this =
+      rank[result](DataFlowCallable c, string file, int startline, int startcolumn |
+        c.getLocation().hasLocationInfo(file, startline, startcolumn, _, _)
+      |
+        c order by file, startline, startcolumn
+      )
+  }
 }
 
 /**
@@ -1094,11 +1106,7 @@ class SummarizedCallable extends DataFlowCallable, TSummarizedCallable {
 
 class DataFlowExpr = Expr;
 
-final private class TypeFinal = Type;
-
-class DataFlowType extends TypeFinal {
-  string toString() { result = "" }
-}
+class DataFlowType = Type;
 
 cached
 private newtype TDataFlowCall =
@@ -1159,6 +1167,16 @@ class DataFlowCall extends TDataFlowCall {
    * Gets the location of this call.
    */
   Location getLocation() { none() }
+
+  /** Gets a best-effort total ordering. */
+  int totalorder() {
+    this =
+      rank[result](DataFlowCall c, int startline, int startcolumn |
+        c.getLocation().hasLocationInfo(_, startline, startcolumn, _, _)
+      |
+        c order by startline, startcolumn
+      )
+  }
 }
 
 /**
@@ -1251,6 +1269,15 @@ module IsUnreachableInCall {
     string toString() { result = "NodeRegion" }
 
     predicate contains(Node n) { this = n.getBasicBlock() }
+
+    int totalOrder() {
+      this =
+        rank[result](IRBlock b, int startline, int startcolumn |
+          b.getLocation().hasLocationInfo(_, startline, startcolumn, _, _)
+        |
+          b order by startline, startcolumn
+        )
+    }
   }
 
   predicate isUnreachableInCall(NodeRegion block, DataFlowCall call) {
@@ -1335,9 +1362,9 @@ predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
 /** Extra data-flow steps needed for lambda flow analysis. */
 predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) { none() }
 
-predicate knownSourceModel(Node source, string model) { External::sourceNode(source, _, model) }
+predicate knownSourceModel(Node source, string model) { none() }
 
-predicate knownSinkModel(Node sink, string model) { External::sinkNode(sink, _, model) }
+predicate knownSinkModel(Node sink, string model) { none() }
 
 /**
  * Holds if flow is allowed to pass from parameter `p` and back to itself as a