Initial plan

Python: Fix bad join in method call order computation

MODULE.bazel

@@ -20,18 +20,18 @@ bazel_dep(name = "rules_go", version = "0.59.0")
 bazel_dep(name = "rules_java", version = "9.0.3")
 bazel_dep(name = "rules_pkg", version = "1.0.1")
 bazel_dep(name = "rules_nodejs", version = "6.7.3")
-bazel_dep(name = "rules_python", version = "0.40.0")
-bazel_dep(name = "rules_shell", version = "0.5.0")
+bazel_dep(name = "rules_python", version = "1.9.0")
+bazel_dep(name = "rules_shell", version = "0.6.1")
 bazel_dep(name = "bazel_skylib", version = "1.8.1")
-bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
+bazel_dep(name = "abseil-cpp", version = "20260107.1", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "12.1.0-codeql.1")
 bazel_dep(name = "rules_kotlin", version = "2.2.2-codeql.1")
 bazel_dep(name = "gazelle", version = "0.47.0")
 bazel_dep(name = "rules_dotnet", version = "0.21.5-codeql.1")
-bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
+bazel_dep(name = "googletest", version = "1.17.0.bcr.2")
 bazel_dep(name = "rules_rust", version = "0.68.1.codeql.1")
-bazel_dep(name = "zstd", version = "1.5.5.bcr.1")
+bazel_dep(name = "zstd", version = "1.5.7.bcr.1")
 
 bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
 

actions/ql/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.4.29
+
+No user-facing changes.
+
 ## 0.4.28
 
 No user-facing changes.

actions/ql/lib/change-notes/released/0.4.29.md

@@ -0,0 +1,3 @@
+## 0.4.29
+
+No user-facing changes.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.28
+lastReleaseVersion: 0.4.29

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.29-dev
+version: 0.4.30-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.6.21
+
+No user-facing changes.
+
 ## 0.6.20
 
 No user-facing changes.

actions/ql/src/change-notes/released/0.6.21.md

@@ -0,0 +1,3 @@
+## 0.6.21
+
+No user-facing changes.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.20
+lastReleaseVersion: 0.6.21

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.21-dev
+version: 0.6.22-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

cpp/downgrades/770002bb02322e04fa25345838ce6e82af285a0b/in_trap.ql

@@ -0,0 +1,21 @@
+class Element extends @element {
+  string toString() { none() }
+}
+
+class Trap extends @trap {
+  string toString() { none() }
+}
+
+class Tag extends @tag {
+  string toString() { none() }
+}
+
+from Element e, Trap trap
+where
+  in_trap_or_tag(e, trap)
+  or
+  exists(Tag tag |
+    in_trap_or_tag(e, tag) and
+    trap_uses_tag(trap, tag)
+  )
+select e, trap

cpp/downgrades/770002bb02322e04fa25345838ce6e82af285a0b/source_file_uses_trap.ql

@@ -0,0 +1,13 @@
+class SourceFile extends @source_file {
+  string toString() { none() }
+}
+
+class Trap extends @trap {
+  string toString() { none() }
+}
+
+from SourceFile source_file, string name, Trap trap
+where
+  source_file_uses_trap(source_file, trap) and
+  source_file_name(source_file, name)
+select name, trap

cpp/downgrades/770002bb02322e04fa25345838ce6e82af285a0b/upgrade.properties

@@ -0,0 +1,8 @@
+description: Add source_file_name
+compatibility: backwards
+source_file_uses_trap.rel: run source_file_uses_trap.ql
+source_file_name.rel: delete
+tag_name.rel: delete
+trap_uses_tag.rel: delete
+in_trap.rel: run in_trap.ql
+in_trap_or_tag.rel: delete

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,18 @@
+## 8.0.0
+
+### Breaking Changes
+
+* CodeQL version 2.24.2 accidentally introduced a syntactical breaking change to `BarrierGuard<...>::getAnIndirectBarrierNode` and `InstructionBarrierGuard<...>::getAnIndirectBarrierNode`. These breaking changes have now been reverted so that the original code compiles again.
+* `MustFlow`, the inter-procedural must-flow data flow analysis library, has been re-worked to use parameterized modules. Like in the case of data flow and taint tracking, instead of extending the `MustFlowConfiguration` class, the user should now implement a module with the `MustFlow::ConfigSig` signature, and instantiate the `MustFlow::Global` parameterized module with the implemented module.
+
+### Minor Analysis Improvements
+
+* Refactored the "Year field changed using an arithmetic operation without checking for leap year" query (`cpp/leap-year/unchecked-after-arithmetic-year-modification`) to address large numbers of false positive results.
+
+### Bug Fixes
+
+* The `allowInterproceduralFlow` predicate of must-flow data flow configurations now correctly handles direct recursion.
+
 ## 7.1.1
 
 ### Minor Analysis Improvements

cpp/ql/lib/change-notes/2026-02-06-UncheckedLeapYearAfterModification_Refactor.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Refactored the "Year field changed using an arithmetic operation without checking for leap year" query (`cpp/leap-year/unchecked-after-arithmetic-year-modification`) to address large numbers of false positive results.

cpp/ql/lib/change-notes/2026-02-14-must-flow-fix.md

@@ -1,4 +0,0 @@
----
-category: fix
----
-* The `allowInterproceduralFlow` predicate of must-flow data flow configurations now correctly handles direct recursion.

cpp/ql/lib/change-notes/2026-02-14-must-flow.md

@@ -1,4 +0,0 @@
----
-category: breaking
----
-* `MustFlow`, the inter-procedural must-flow data flow analysis library, has been re-worked to use parameterized modules. Like in the case of data flow and taint tracking, instead of extending the `MustFlowConfiguration` class, the user should now implement a module with the `MustFlow::ConfigSig` signature, and instantiate the `MustFlow::Global` parameterized module with the implemented module.

cpp/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.

cpp/ql/lib/change-notes/released/8.0.0.md

@@ -0,0 +1,14 @@
+## 8.0.0
+
+### Breaking Changes
+
+* CodeQL version 2.24.2 accidentally introduced a syntactical breaking change to `BarrierGuard<...>::getAnIndirectBarrierNode` and `InstructionBarrierGuard<...>::getAnIndirectBarrierNode`. These breaking changes have now been reverted so that the original code compiles again.
+* `MustFlow`, the inter-procedural must-flow data flow analysis library, has been re-worked to use parameterized modules. Like in the case of data flow and taint tracking, instead of extending the `MustFlowConfiguration` class, the user should now implement a module with the `MustFlow::ConfigSig` signature, and instantiate the `MustFlow::Global` parameterized module with the implemented module.
+
+### Minor Analysis Improvements
+
+* Refactored the "Year field changed using an arithmetic operation without checking for leap year" query (`cpp/leap-year/unchecked-after-arithmetic-year-modification`) to address large numbers of false positive results.
+
+### Bug Fixes
+
+* The `allowInterproceduralFlow` predicate of must-flow data flow configurations now correctly handles direct recursion.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 7.1.1
+lastReleaseVersion: 8.0.0

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 7.1.2-dev
+version: 8.0.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll

@@ -1663,7 +1663,7 @@ private module Cached {
   private predicate compares_ge(
     ValueNumber test, Operand left, Operand right, int k, boolean isGe, GuardValue value
   ) {
-    exists(int onemk | k = 1 - onemk | compares_lt(test, right, left, onemk, isGe, value))
+    compares_lt(test, right, left, 1 - k, isGe, value)
   }
 
   /** Rearrange various simple comparisons into `left < right + k` form. */

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -353,12 +353,26 @@ module CsvValidation {
     )
   }
 
+  private string getIncorrectConstructorSummaryOutput() {
+    exists(string namespace, string type, string name, string output |
+      type = name or
+      type = name + "<" + any(string s)
+    |
+      summaryModel(namespace, type, _, name, _, _, _, output, _, _, _) and
+      output.matches("ReturnValue%") and
+      result =
+        "Constructor model for " + namespace + "." + type +
+          " should use `Argument[this]` in the output, not `ReturnValue`."
+    )
+  }
+
   /** Holds if some row in a CSV-based flow model appears to contain typos. */
   query predicate invalidModelRow(string msg) {
     msg =
       [
         getInvalidModelSignature(), getInvalidModelInput(), getInvalidModelOutput(),
-        getInvalidModelSubtype(), getInvalidModelColumnCount(), KindVal::getInvalidModelKind()
+        getInvalidModelSubtype(), getInvalidModelColumnCount(), KindVal::getInvalidModelKind(),
+        getIncorrectConstructorSummaryOutput()
       ]
   }
 }
@@ -555,6 +569,7 @@ private Locatable getSupportedFunctionTemplateArgument(Function templateFunction
  * Normalize the `n`'th parameter of `f` by replacing template names
  * with `func:N` (where `N` is the index of the template).
  */
+pragma[nomagic]
 private string getTypeNameWithoutFunctionTemplates(Function f, int n, int remaining) {
   exists(Function templateFunction |
     templateFunction = getFullyTemplatedFunction(f) and

cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll

@@ -201,7 +201,7 @@ module SourceSinkInterpretationInput implements
     string toString() {
       result = this.asElement().toString()
       or
-      result = this.asNode().toString()
+      result = this.asNode().toStringImpl()
       or
       result = this.asCall().toString()
     }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -1,5 +1,6 @@
 private import cpp as Cpp
 private import DataFlowUtil
+private import DataFlowNodes
 private import semmle.code.cpp.ir.IR
 private import DataFlowDispatch
 private import semmle.code.cpp.ir.internal.IRCppLanguage
@@ -16,28 +17,42 @@ private import semmle.code.cpp.dataflow.ExternalFlow as External
 cached
 private module Cached {
   cached
-  module Nodes0 {
-    cached
-    newtype TIRDataFlowNode0 =
-      TInstructionNode0(Instruction i) {
-        not Ssa::ignoreInstruction(i) and
-        not exists(Operand op |
-          not Ssa::ignoreOperand(op) and i = Ssa::getIRRepresentationOfOperand(op)
-        ) and
-        // We exclude `void`-typed instructions because they cannot contain data.
-        // However, if the instruction is a glvalue, and their type is `void`, then the result
-        // type of the instruction is really `void*`, and thus we still want to have a dataflow
-        // node for it.
-        (not i.getResultType() instanceof VoidType or i.isGLValue())
-      } or
-      TMultipleUseOperandNode0(Operand op) {
-        not Ssa::ignoreOperand(op) and not exists(Ssa::getIRRepresentationOfOperand(op))
-      } or
-      TSingleUseOperandNode0(Operand op) {
-        not Ssa::ignoreOperand(op) and exists(Ssa::getIRRepresentationOfOperand(op))
-      }
+  newtype TIRDataFlowNode0 =
+    TInstructionNode0(Instruction i) {
+      not Ssa::ignoreInstruction(i) and
+      not exists(Operand op |
+        not Ssa::ignoreOperand(op) and i = Ssa::getIRRepresentationOfOperand(op)
+      ) and
+      // We exclude `void`-typed instructions because they cannot contain data.
+      // However, if the instruction is a glvalue, and their type is `void`, then the result
+      // type of the instruction is really `void*`, and thus we still want to have a dataflow
+      // node for it.
+      (not i.getResultType() instanceof VoidType or i.isGLValue())
+    } or
+    TMultipleUseOperandNode0(Operand op) {
+      not Ssa::ignoreOperand(op) and not exists(Ssa::getIRRepresentationOfOperand(op))
+    } or
+    TSingleUseOperandNode0(Operand op) {
+      not Ssa::ignoreOperand(op) and exists(Ssa::getIRRepresentationOfOperand(op))
+    }
+
+  cached
+  string toStringCached(Node n) {
+    result = toExprString(n)
+    or
+    not exists(toExprString(n)) and
+    result = n.toStringImpl()
   }
 
+  cached
+  Location getLocationCached(Node n) { result = n.getLocationImpl() }
+
+  cached
+  newtype TContentApprox =
+    TFieldApproxContent(string s) { fieldHasApproxName(_, s) } or
+    TUnionApproxContent(string s) { unionHasApproxName(_, s) } or
+    TElementApproxContent()
+
   /**
    * Gets an additional term that is added to the `join` and `branch` computations to reflect
    * an additional forward or backwards branching factor that is not taken into account
@@ -59,38 +74,174 @@ private module Cached {
       result = countNumberOfBranchesUsingParameter(switch, p)
     )
   }
-}
 
-import Cached
-private import Nodes0
+  cached
+  newtype TDataFlowCallable =
+    TSourceCallable(Cpp::Declaration decl) or
+    TSummarizedCallable(FlowSummaryImpl::Public::SummarizedCallable c)
 
-/**
- * A module for calculating the number of stars (i.e., `*`s) needed for various
- * dataflow node `toString` predicates.
- */
-module NodeStars {
-  private int getNumberOfIndirections(Node n) {
-    result = n.(RawIndirectOperand).getIndirectionIndex()
+  cached
+  newtype TDataFlowCall =
+    TNormalCall(CallInstruction call) or
+    TSummaryCall(
+      FlowSummaryImpl::Public::SummarizedCallable c, FlowSummaryImpl::Private::SummaryNode receiver
+    ) {
+      FlowSummaryImpl::Private::summaryCallbackRange(c, receiver)
+    }
+
+  /**
+   * Holds if data can flow from `node1` to `node2` in a way that loses the
+   * calling context. For example, this would happen with flow through a
+   * global or static variable.
+   */
+  cached
+  predicate jumpStep(Node n1, Node n2) {
+    exists(GlobalLikeVariable v |
+      exists(Ssa::GlobalUse globalUse |
+        v = globalUse.getVariable() and
+        n1.(FinalGlobalValue).getGlobalUse() = globalUse
+      |
+        globalUse.getIndirection() = getMinIndirectionForGlobalUse(globalUse) and
+        v = n2.asVariable()
+        or
+        v = n2.asIndirectVariable(globalUse.getIndirection())
+      )
+      or
+      exists(Ssa::GlobalDef globalDef |
+        v = globalDef.getVariable() and
+        n2.(InitialGlobalValue).getGlobalDef() = globalDef
+      |
+        globalDef.getIndirection() = getMinIndirectionForGlobalDef(globalDef) and
+        v = n1.asVariable()
+        or
+        v = n1.asIndirectVariable(globalDef.getIndirection())
+      )
+    )
     or
-    result = n.(RawIndirectInstruction).getIndirectionIndex()
-    or
-    result = n.(VariableNode).getIndirectionIndex()
-    or
-    result = n.(PostUpdateNodeImpl).getIndirectionIndex()
-    or
-    result = n.(FinalParameterNode).getIndirectionIndex()
-    or
-    result = n.(BodyLessParameterNodeImpl).getIndirectionIndex()
+    // models-as-data summarized flow
+    FlowSummaryImpl::Private::Steps::summaryJumpStep(n1.(FlowSummaryNode).getSummaryNode(),
+      n2.(FlowSummaryNode).getSummaryNode())
   }
 
   /**
-   * Gets the number of stars (i.e., `*`s) needed to produce the `toString`
-   * output for `n`.
+   * Holds if data can flow from `node1` to `node2` via an assignment to `f`.
+   * Thus, `node2` references an object with a field `f` that contains the
+   * value of `node1`.
+   *
+   * The boolean `certain` is true if the destination address does not involve
+   * any pointer arithmetic, and false otherwise.
    */
-  string stars(Node n) { result = repeatStars(getNumberOfIndirections(n)) }
+  cached
+  predicate storeStepImpl(Node node1, Content c, Node node2, boolean certain) {
+    exists(
+      PostFieldUpdateNode postFieldUpdate, int indirectionIndex1, int numberOfLoads,
+      StoreInstruction store, FieldContent fc
+    |
+      postFieldUpdate = node2 and
+      fc = c and
+      nodeHasInstruction(node1, pragma[only_bind_into](store),
+        pragma[only_bind_into](indirectionIndex1)) and
+      postFieldUpdate.getIndirectionIndex() = 1 and
+      numberOfLoadsFromOperand(postFieldUpdate.getFieldAddress(),
+        store.getDestinationAddressOperand(), numberOfLoads, certain) and
+      fc.getAField() = postFieldUpdate.getUpdatedField() and
+      getIndirectionIndexLate(fc) = 1 + indirectionIndex1 + numberOfLoads
+    )
+    or
+    // models-as-data summarized flow
+    FlowSummaryImpl::Private::Steps::summaryStoreStep(node1.(FlowSummaryNode).getSummaryNode(), c,
+      node2.(FlowSummaryNode).getSummaryNode()) and
+    certain = true
+  }
+
+  /**
+   * Holds if data can flow from `node1` to `node2` via an assignment to `f`.
+   * Thus, `node2` references an object with a field `f` that contains the
+   * value of `node1`.
+   */
+  cached
+  predicate storeStep(Node node1, ContentSet c, Node node2) { storeStepImpl(node1, c, node2, _) }
+
+  /**
+   * Holds if data can flow from `node1` to `node2` via a read of `f`.
+   * Thus, `node1` references an object with a field `f` whose value ends up in
+   * `node2`.
+   */
+  cached
+  predicate readStep(Node node1, ContentSet c, Node node2) {
+    exists(
+      FieldAddress fa1, Operand operand, int numberOfLoads, int indirectionIndex2, FieldContent fc
+    |
+      fc = c and
+      nodeHasOperand(node2, operand, indirectionIndex2) and
+      // The `1` here matches the `node2.getIndirectionIndex() = 1` conjunct
+      // in `storeStep`.
+      nodeHasOperand(node1, fa1.getObjectAddressOperand(), 1) and
+      numberOfLoadsFromOperand(fa1, operand, numberOfLoads, _) and
+      fc.getAField() = fa1.getField() and
+      getIndirectionIndexLate(fc) = indirectionIndex2 + numberOfLoads
+    )
+    or
+    // models-as-data summarized flow
+    FlowSummaryImpl::Private::Steps::summaryReadStep(node1.(FlowSummaryNode).getSummaryNode(), c,
+      node2.(FlowSummaryNode).getSummaryNode())
+  }
+
+  /**
+   * Holds if values stored inside content `c` are cleared at node `n`.
+   */
+  cached
+  predicate clearsContent(Node n, ContentSet c) {
+    n =
+      any(PostUpdateNode pun, Content d |
+        d.impliesClearOf(c) and storeStepImpl(_, d, pun, true)
+      |
+        pun
+      ).getPreUpdateNode() and
+    (
+      not exists(Operand op, Cpp::Operation p |
+        n.(IndirectOperand).hasOperandAndIndirectionIndex(op, _) and
+        (
+          p instanceof Cpp::AssignPointerAddExpr or
+          p instanceof Cpp::AssignPointerSubExpr or
+          p instanceof Cpp::CrementOperation
+        )
+      |
+        p.getAnOperand() = op.getUse().getAst()
+      )
+      or
+      forex(PostUpdateNode pun, Content d |
+        pragma[only_bind_into](d).impliesClearOf(pragma[only_bind_into](c)) and
+        storeStepImpl(_, d, pun, true) and
+        pun.getPreUpdateNode() = n
+      |
+        c.(Content).getIndirectionIndex() = d.getIndirectionIndex()
+      )
+    )
+  }
 }
 
-import NodeStars
+import Cached
+
+private int getNumberOfIndirections(Node n) {
+  result = n.(RawIndirectOperand).getIndirectionIndex()
+  or
+  result = n.(RawIndirectInstruction).getIndirectionIndex()
+  or
+  result = n.(VariableNode).getIndirectionIndex()
+  or
+  result = n.(PostUpdateNodeImpl).getIndirectionIndex()
+  or
+  result = n.(FinalParameterNode).getIndirectionIndex()
+  or
+  result = n.(BodyLessParameterNodeImpl).getIndirectionIndex()
+}
+
+/**
+ * Gets the number of stars (i.e., `*`s) needed to produce the `toString`
+ * output for `n`.
+ */
+string stars(Node n) { result = repeatStars(getNumberOfIndirections(n)) }
 
 /**
  * A cut-down `DataFlow::Node` class that does not depend on the output of SSA.
@@ -828,85 +979,10 @@ private int getMinIndirectionForGlobalDef(Ssa::GlobalDef def) {
   result = getMinIndirectionsForType(def.getUnspecifiedType())
 }
 
-/**
- * Holds if data can flow from `node1` to `node2` in a way that loses the
- * calling context. For example, this would happen with flow through a
- * global or static variable.
- */
-predicate jumpStep(Node n1, Node n2) {
-  exists(GlobalLikeVariable v |
-    exists(Ssa::GlobalUse globalUse |
-      v = globalUse.getVariable() and
-      n1.(FinalGlobalValue).getGlobalUse() = globalUse
-    |
-      globalUse.getIndirection() = getMinIndirectionForGlobalUse(globalUse) and
-      v = n2.asVariable()
-      or
-      v = n2.asIndirectVariable(globalUse.getIndirection())
-    )
-    or
-    exists(Ssa::GlobalDef globalDef |
-      v = globalDef.getVariable() and
-      n2.(InitialGlobalValue).getGlobalDef() = globalDef
-    |
-      globalDef.getIndirection() = getMinIndirectionForGlobalDef(globalDef) and
-      v = n1.asVariable()
-      or
-      v = n1.asIndirectVariable(globalDef.getIndirection())
-    )
-  )
-  or
-  // models-as-data summarized flow
-  FlowSummaryImpl::Private::Steps::summaryJumpStep(n1.(FlowSummaryNode).getSummaryNode(),
-    n2.(FlowSummaryNode).getSummaryNode())
-}
-
 bindingset[c]
 pragma[inline_late]
 private int getIndirectionIndexLate(Content c) { result = c.getIndirectionIndex() }
 
-/**
- * Holds if data can flow from `node1` to `node2` via an assignment to `f`.
- * Thus, `node2` references an object with a field `f` that contains the
- * value of `node1`.
- *
- * The boolean `certain` is true if the destination address does not involve
- * any pointer arithmetic, and false otherwise. This has to do with whether a
- * store step can be used to clear a field (see `clearsContent`).
- */
-predicate storeStepImpl(Node node1, Content c, Node node2, boolean certain) {
-  exists(
-    PostFieldUpdateNode postFieldUpdate, int indirectionIndex1, int numberOfLoads,
-    StoreInstruction store, FieldContent fc
-  |
-    postFieldUpdate = node2 and
-    fc = c and
-    nodeHasInstruction(node1, pragma[only_bind_into](store),
-      pragma[only_bind_into](indirectionIndex1)) and
-    postFieldUpdate.getIndirectionIndex() = 1 and
-    numberOfLoadsFromOperand(postFieldUpdate.getFieldAddress(),
-      store.getDestinationAddressOperand(), numberOfLoads, certain) and
-    fc.getAField() = postFieldUpdate.getUpdatedField() and
-    getIndirectionIndexLate(fc) = 1 + indirectionIndex1 + numberOfLoads
-  )
-  or
-  // models-as-data summarized flow
-  FlowSummaryImpl::Private::Steps::summaryStoreStep(node1.(FlowSummaryNode).getSummaryNode(), c,
-    node2.(FlowSummaryNode).getSummaryNode()) and
-  certain = true
-}
-
-/**
- * Holds if data can flow from `node1` to `node2` via an assignment to `f`.
- * Thus, `node2` references an object with a field `f` that contains the
- * value of `node1`.
- */
-predicate storeStep(Node node1, ContentSet c, Node node2) { storeStepImpl(node1, c, node2, _) }
-
-/**
- * Holds if `operandFrom` flows to `operandTo` using a sequence of conversion-like
- * operations and exactly `n` `LoadInstruction` operations.
- */
 private predicate numberOfLoadsFromOperandRec(
   Operand operandFrom, Operand operandTo, int ind, boolean certain
 ) {
@@ -957,63 +1033,6 @@ predicate nodeHasInstruction(Node node, Instruction instr, int indirectionIndex)
   hasInstructionAndIndex(node, instr, indirectionIndex)
 }
 
-/**
- * Holds if data can flow from `node1` to `node2` via a read of `f`.
- * Thus, `node1` references an object with a field `f` whose value ends up in
- * `node2`.
- */
-predicate readStep(Node node1, ContentSet c, Node node2) {
-  exists(
-    FieldAddress fa1, Operand operand, int numberOfLoads, int indirectionIndex2, FieldContent fc
-  |
-    fc = c and
-    nodeHasOperand(node2, operand, indirectionIndex2) and
-    // The `1` here matches the `node2.getIndirectionIndex() = 1` conjunct
-    // in `storeStep`.
-    nodeHasOperand(node1, fa1.getObjectAddressOperand(), 1) and
-    numberOfLoadsFromOperand(fa1, operand, numberOfLoads, _) and
-    fc.getAField() = fa1.getField() and
-    getIndirectionIndexLate(fc) = indirectionIndex2 + numberOfLoads
-  )
-  or
-  // models-as-data summarized flow
-  FlowSummaryImpl::Private::Steps::summaryReadStep(node1.(FlowSummaryNode).getSummaryNode(), c,
-    node2.(FlowSummaryNode).getSummaryNode())
-}
-
-/**
- * Holds if values stored inside content `c` are cleared at node `n`.
- */
-predicate clearsContent(Node n, ContentSet c) {
-  n =
-    any(PostUpdateNode pun, Content d | d.impliesClearOf(c) and storeStepImpl(_, d, pun, true) | pun)
-        .getPreUpdateNode() and
-  (
-    // The crement operations and pointer addition and subtraction self-assign. We do not
-    // want to clear the contents if it is indirectly pointed at by any of these operations,
-    // as part of the contents might still be accessible afterwards. If there is no such
-    // indirection clearing the contents is safe.
-    not exists(Operand op, Cpp::Operation p |
-      n.(IndirectOperand).hasOperandAndIndirectionIndex(op, _) and
-      (
-        p instanceof Cpp::AssignPointerAddExpr or
-        p instanceof Cpp::AssignPointerSubExpr or
-        p instanceof Cpp::CrementOperation
-      )
-    |
-      p.getAnOperand() = op.getUse().getAst()
-    )
-    or
-    forex(PostUpdateNode pun, Content d |
-      pragma[only_bind_into](d).impliesClearOf(pragma[only_bind_into](c)) and
-      storeStepImpl(_, d, pun, true) and
-      pun.getPreUpdateNode() = n
-    |
-      c.(Content).getIndirectionIndex() = d.getIndirectionIndex()
-    )
-  )
-}
-
 /**
  * Holds if the value that is being tracked is expected to be stored inside content `c`
  * at node `n`.
@@ -1046,11 +1065,6 @@ class CastNode extends Node {
   CastNode() { none() } // stub implementation
 }
 
-cached
-private newtype TDataFlowCallable =
-  TSourceCallable(Cpp::Declaration decl) or
-  TSummarizedCallable(FlowSummaryImpl::Public::SummarizedCallable c)
-
 /**
  * A callable, which may be:
  *  - a function (that may contain code)
@@ -1134,15 +1148,6 @@ class DataFlowType extends TypeFinal {
   string toString() { result = "" }
 }
 
-cached
-private newtype TDataFlowCall =
-  TNormalCall(CallInstruction call) or
-  TSummaryCall(
-    FlowSummaryImpl::Public::SummarizedCallable c, FlowSummaryImpl::Private::SummaryNode receiver
-  ) {
-    FlowSummaryImpl::Private::summaryCallbackRange(c, receiver)
-  }
-
 private predicate summarizedCallableIsManual(SummarizedCallable sc) {
   sc.asSummarizedCallable().hasManualModel()
 }
@@ -1523,12 +1528,6 @@ private predicate fieldHasApproxName(Field f, string s) {
 
 private predicate unionHasApproxName(Cpp::Union u, string s) { s = u.getName().charAt(0) }
 
-cached
-private newtype TContentApprox =
-  TFieldApproxContent(string s) { fieldHasApproxName(_, s) } or
-  TUnionApproxContent(string s) { unionHasApproxName(_, s) } or
-  TElementApproxContent()
-
 /** An approximated `Content`. */
 class ContentApprox extends TContentApprox {
   string toString() { none() } // overridden in subclasses

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ExprNodes.qll

@@ -6,8 +6,8 @@ private import cpp
 private import semmle.code.cpp.ir.IR
 private import DataFlowUtil
 private import DataFlowPrivate
-private import semmle.code.cpp.ir.implementation.raw.internal.TranslatedExpr
-private import semmle.code.cpp.ir.implementation.raw.internal.InstructionTag
+private import DataFlowNodes
+private import semmle.code.cpp.ir.implementation.raw.internal.IRConstruction as IRConstruction
 
 cached
 private module Cached {
@@ -73,17 +73,9 @@ private module Cached {
     // a result for `getConvertedResultExpression`. We remap this here so that
     // this `ConvertInstruction` maps to the result of the expression that
     // represents the extent.
-    exists(TranslatedNonConstantAllocationSize tas |
-      result = tas.getExtent().getExpr() and
-      instr = tas.getInstruction(AllocationExtentConvertTag())
-    )
+    result = IRConstruction::Raw::getAllocationExtentConvertExpr(instr)
     or
-    // There's no instruction that returns `ParenthesisExpr`, but some queries
-    // expect this
-    exists(TranslatedTransparentConversion ttc |
-      result = ttc.getExpr().(ParenthesisExpr) and
-      instr = ttc.getResult()
-    )
+    result = IRConstruction::Raw::getTransparentConversionParenthesisExpr(instr)
     or
     // Certain expressions generate `CopyValueInstruction`s only when they
     // are needed. Examples of this include crement operations and compound
@@ -112,10 +104,10 @@ private module Cached {
     // needed, and in that case the only value that will propagate forward in
     // the program is the value that's been updated. So in those cases we just
     // use the result of `node.asDefinition()` as the result of `node.asExpr()`.
-    exists(TranslatedCoreExpr tco |
-      tco.getInstruction(_) = instr and
-      tco.producesExprResult() and
-      result = asDefinitionImpl0(instr)
+    exists(StoreInstruction store |
+      store = instr and
+      IRConstruction::Raw::instructionProducesExprResult(store) and
+      result = asDefinitionImpl0(store)
     )
     or
     // IR construction breaks an array aggregate literal `{1, 2, 3}` into a
@@ -145,18 +137,9 @@ private module Cached {
     // For an expression such as `i += 2` we pretend that the generated
     // `StoreInstruction` contains the result of the expression even though
     // this isn't totally aligned with the C/C++ standard.
-    exists(TranslatedAssignOperation tao |
-      store = tao.getInstruction(AssignmentStoreTag()) and
-      result = tao.getExpr()
-    )
+    result = IRConstruction::Raw::getAssignOperationStoreExpr(store)
     or
-    // Similarly for `i++` and `++i` we pretend that the generated
-    // `StoreInstruction` contains the result of the expression even though
-    // this isn't totally aligned with the C/C++ standard.
-    exists(TranslatedCrementOperation tco |
-      store = tco.getInstruction(CrementStoreTag()) and
-      result = tco.getExpr()
-    )
+    result = IRConstruction::Raw::getCrementOperationStoreExpr(store)
   }
 
   /**
@@ -166,11 +149,7 @@ private module Cached {
    */
   private predicate excludeAsDefinitionResult(StoreInstruction store) {
     // Exclude the store to the temporary generated by a ternary expression.
-    exists(TranslatedConditionalExpr tce |
-      store = tce.getInstruction(ConditionValueFalseStoreTag())
-      or
-      store = tce.getInstruction(ConditionValueTrueStoreTag())
-    )
+    IRConstruction::Raw::isConditionalExprTempStore(store)
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ModelUtil.qll

@@ -6,6 +6,7 @@
 private import semmle.code.cpp.ir.IR
 private import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs
 private import DataFlowUtil
+private import DataFlowNodes
 private import DataFlowPrivate
 private import SsaImpl as Ssa
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRFieldFlowSteps.qll

@@ -6,6 +6,7 @@ private import cpp
 private import semmle.code.cpp.ir.IR
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowNodes
 private import PrintIRUtilities
 
 /** A property provider for local IR dataflow store steps. */

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRLocalFlow.qll

@@ -2,6 +2,7 @@ private import cpp
 private import semmle.code.cpp.ir.IR
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowNodes
 private import SsaImpl as Ssa
 private import PrintIRUtilities
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRUtilities.qll

@@ -6,6 +6,7 @@ private import cpp
 private import semmle.code.cpp.ir.IR
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowNodes
 
 private Instruction getInstruction(Node n, string stars) {
   result = [n.asInstruction(), n.(RawIndirectInstruction).getInstruction()] and

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImpl.qll

@@ -10,8 +10,9 @@ private import semmle.code.cpp.models.interfaces.PartialFlow as PartialFlow
 private import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs as FIO
 private import semmle.code.cpp.ir.internal.IRCppLanguage
 private import semmle.code.cpp.ir.dataflow.internal.ModelUtil
-private import semmle.code.cpp.ir.implementation.raw.internal.TranslatedInitialization
+private import semmle.code.cpp.ir.implementation.raw.internal.IRConstruction as IRConstruction
 private import DataFlowPrivate
+private import DataFlowNodes
 import SsaImplCommon
 
 private module SourceVariables {
@@ -438,10 +439,7 @@ private predicate sourceVariableHasBaseAndIndex(SourceVariable v, BaseSourceVari
  * initialize `v`.
  */
 private Instruction getInitializationTargetAddress(IRVariable v) {
-  exists(TranslatedVariableInitialization init |
-    init.getIRVariable() = v and
-    result = init.getTargetAddress()
-  )
+  result = IRConstruction::Raw::getInitializationTargetAddress(v)
 }
 
 /** An initial definition of an SSA variable address. */

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll

@@ -4,47 +4,12 @@ import semmle.code.cpp.ir.internal.IRCppLanguage
 private import semmle.code.cpp.ir.implementation.raw.internal.SideEffects as SideEffects
 private import DataFlowImplCommon as DataFlowImplCommon
 private import DataFlowUtil
+private import DataFlowNodes
 private import semmle.code.cpp.models.interfaces.PointerWrapper
 private import DataFlowPrivate
 private import TypeFlow
 private import semmle.code.cpp.ir.ValueNumbering
 
-/**
- * Holds if `operand` is an operand that is not used by the dataflow library.
- * Ignored operands are not recognized as uses by SSA, and they don't have a
- * corresponding `(Indirect)OperandNode`.
- */
-predicate ignoreOperand(Operand operand) {
-  operand = any(Instruction instr | ignoreInstruction(instr)).getAnOperand() or
-  operand = any(Instruction instr | ignoreInstruction(instr)).getAUse() or
-  operand instanceof MemoryOperand
-}
-
-/**
- * Holds if `instr` is an instruction that is not used by the dataflow library.
- * Ignored instructions are not recognized as reads/writes by SSA, and they
- * don't have a corresponding `(Indirect)InstructionNode`.
- */
-predicate ignoreInstruction(Instruction instr) {
-  DataFlowImplCommon::forceCachingInSameStage() and
-  (
-    instr instanceof CallSideEffectInstruction or
-    instr instanceof CallReadSideEffectInstruction or
-    instr instanceof ExitFunctionInstruction or
-    instr instanceof EnterFunctionInstruction or
-    instr instanceof WriteSideEffectInstruction or
-    instr instanceof PhiInstruction or
-    instr instanceof ReadSideEffectInstruction or
-    instr instanceof ChiInstruction or
-    instr instanceof InitializeIndirectionInstruction or
-    instr instanceof AliasedDefinitionInstruction or
-    instr instanceof AliasedUseInstruction or
-    instr instanceof InitializeNonLocalInstruction or
-    instr instanceof ReturnIndirectionInstruction or
-    instr instanceof UninitializedGroupInstruction
-  )
-}
-
 /**
  * Gets the C++ type of `this` in the member function `f`.
  * The result is a glvalue if `isGLValue` is true, and
@@ -55,26 +20,6 @@ private CppType getThisType(Cpp::MemberFunction f, boolean isGLValue) {
   result.hasType(f.getTypeOfThis(), isGLValue)
 }
 
-/**
- * Gets the C++ type of the instruction `i`.
- *
- * This is equivalent to `i.getResultLanguageType()` with the exception
- * of instructions that directly references a `this` IRVariable. In this
- * case, `i.getResultLanguageType()` gives an unknown type, whereas the
- * predicate gives the expected type (i.e., a potentially cv-qualified
- * type `A*` where `A` is the declaring type of the member function that
- * contains `i`).
- */
-cached
-CppType getResultLanguageType(Instruction i) {
-  if i.(VariableAddressInstruction).getIRVariable() instanceof IRThisVariable
-  then
-    if i.isGLValue()
-    then result = getThisType(i.getEnclosingFunction(), true)
-    else result = getThisType(i.getEnclosingFunction(), false)
-  else result = i.getResultLanguageType()
-}
-
 /**
  * Gets the C++ type of the operand `operand`.
  * This is equivalent to the type of the operand's defining instruction.
@@ -347,10 +292,6 @@ predicate isWrite(Node0Impl value, Operand address, boolean certain) {
   )
 }
 
-predicate isAdditionalConversionFlow(Operand opFrom, Instruction instrTo) {
-  any(Indirection ind).isAdditionalConversionFlow(opFrom, instrTo)
-}
-
 newtype TBaseSourceVariable =
   // Each IR variable gets its own source variable
   TBaseIRVariable(IRVariable var) or
@@ -572,6 +513,69 @@ private class BaseCallInstruction extends BaseSourceVariableInstruction, CallIns
 
 cached
 private module Cached {
+  /**
+   * Holds if `operand` is an operand that is not used by the dataflow library.
+   * Ignored operands are not recognized as uses by SSA, and they don't have a
+   * corresponding `(Indirect)OperandNode`.
+   */
+  cached
+  predicate ignoreOperand(Operand operand) {
+    operand = any(Instruction instr | ignoreInstruction(instr)).getAnOperand() or
+    operand = any(Instruction instr | ignoreInstruction(instr)).getAUse() or
+    operand instanceof MemoryOperand
+  }
+
+  /**
+   * Holds if `instr` is an instruction that is not used by the dataflow library.
+   * Ignored instructions are not recognized as reads/writes by SSA, and they
+   * don't have a corresponding `(Indirect)InstructionNode`.
+   */
+  cached
+  predicate ignoreInstruction(Instruction instr) {
+    DataFlowImplCommon::forceCachingInSameStage() and
+    (
+      instr instanceof CallSideEffectInstruction or
+      instr instanceof CallReadSideEffectInstruction or
+      instr instanceof ExitFunctionInstruction or
+      instr instanceof EnterFunctionInstruction or
+      instr instanceof WriteSideEffectInstruction or
+      instr instanceof PhiInstruction or
+      instr instanceof ReadSideEffectInstruction or
+      instr instanceof ChiInstruction or
+      instr instanceof InitializeIndirectionInstruction or
+      instr instanceof AliasedDefinitionInstruction or
+      instr instanceof AliasedUseInstruction or
+      instr instanceof InitializeNonLocalInstruction or
+      instr instanceof ReturnIndirectionInstruction or
+      instr instanceof UninitializedGroupInstruction
+    )
+  }
+
+  cached
+  predicate isAdditionalConversionFlow(Operand opFrom, Instruction instrTo) {
+    any(Indirection ind).isAdditionalConversionFlow(opFrom, instrTo)
+  }
+
+  /**
+   * Gets the C++ type of the instruction `i`.
+   *
+   * This is equivalent to `i.getResultLanguageType()` with the exception
+   * of instructions that directly references a `this` IRVariable. In this
+   * case, `i.getResultLanguageType()` gives an unknown type, whereas the
+   * predicate gives the expected type (i.e., a potentially cv-qualified
+   * type `A*` where `A` is the declaring type of the member function that
+   * contains `i`).
+   */
+  cached
+  CppType getResultLanguageType(Instruction i) {
+    if i.(VariableAddressInstruction).getIRVariable() instanceof IRThisVariable
+    then
+      if i.isGLValue()
+      then result = getThisType(i.getEnclosingFunction(), true)
+      else result = getThisType(i.getEnclosingFunction(), false)
+    else result = i.getResultLanguageType()
+  }
+
   /** Holds if `op` is the only use of its defining instruction, and that op is used in a conversation */
   private predicate isConversion(Operand op) {
     exists(Instruction def, Operand use |

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll

@@ -5,64 +5,81 @@ private import semmle.code.cpp.models.interfaces.DataFlow
 private import semmle.code.cpp.models.interfaces.SideEffect
 private import DataFlowUtil
 private import DataFlowPrivate
+private import DataFlowNodes
 private import SsaImpl as Ssa
 private import semmle.code.cpp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 private import semmle.code.cpp.ir.dataflow.FlowSteps
 
-/**
- * Holds if taint propagates from `nodeFrom` to `nodeTo` in exactly one local
- * (intra-procedural) step. This relation is only used for local taint flow
- * (for example `TaintTracking::localTaint(source, sink)`) so it may contain
- * special cases that should only apply to local taint flow.
- */
-predicate localTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-  // dataflow step
-  DataFlow::localFlowStep(nodeFrom, nodeTo)
-  or
-  // taint flow step
-  localAdditionalTaintStep(nodeFrom, nodeTo, _)
-  or
-  // models-as-data summarized flow for local data flow (i.e. special case for flow
-  // through calls to modeled functions, without relying on global dataflow to join
-  // the dots).
-  FlowSummaryImpl::Private::Steps::summaryThroughStepTaint(nodeFrom, nodeTo, _)
+cached
+private module Cached {
+  private import DataFlowImplCommon as DataFlowImplCommon
+
+  /**
+   * This predicate exists to collapse the `cached` predicates in this module with the
+   * `cached` predicates in other C/C++ dataflow files, which is then collapsed
+   * with the `cached` predicates in `DataFlowImplCommon.qll`.
+   */
+  cached
+  predicate forceCachingInSameStage() { DataFlowImplCommon::forceCachingInSameStage() }
+
+  /**
+   * Holds if taint propagates from `nodeFrom` to `nodeTo` in exactly one local
+   * (intra-procedural) step. This relation is only used for local taint flow
+   * (for example `TaintTracking::localTaint(source, sink)`) so it may contain
+   * special cases that should only apply to local taint flow.
+   */
+  cached
+  predicate localTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    // dataflow step
+    DataFlow::localFlowStep(nodeFrom, nodeTo)
+    or
+    // taint flow step
+    localAdditionalTaintStep(nodeFrom, nodeTo, _)
+    or
+    // models-as-data summarized flow for local data flow (i.e. special case for flow
+    // through calls to modeled functions, without relying on global dataflow to join
+    // the dots).
+    FlowSummaryImpl::Private::Steps::summaryThroughStepTaint(nodeFrom, nodeTo, _)
+  }
+
+  /**
+   * Holds if taint can flow in one local step from `nodeFrom` to `nodeTo` excluding
+   * local data flow steps. That is, `nodeFrom` and `nodeTo` are likely to represent
+   * different objects.
+   */
+  cached
+  predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo, string model) {
+    operandToInstructionTaintStep(nodeFrom.asOperand(), nodeTo.asInstruction()) and
+    model = ""
+    or
+    modeledTaintStep(nodeFrom, nodeTo, model)
+    or
+    // Flow from (the indirection of) an operand of a pointer arithmetic instruction to the
+    // indirection of the pointer arithmetic instruction. This provides flow from `source`
+    // in `x[source]` to the result of the associated load instruction.
+    exists(PointerArithmeticInstruction pai, int indirectionIndex |
+      nodeHasOperand(nodeFrom, pai.getAnOperand(), pragma[only_bind_into](indirectionIndex)) and
+      hasInstructionAndIndex(nodeTo, pai, indirectionIndex + 1)
+    ) and
+    model = ""
+    or
+    any(Ssa::Indirection ind).isAdditionalTaintStep(nodeFrom, nodeTo) and
+    model = ""
+    or
+    // models-as-data summarized flow
+    FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom.(FlowSummaryNode).getSummaryNode(),
+      nodeTo.(FlowSummaryNode).getSummaryNode(), false, model)
+    or
+    // object->field conflation for content that is a `TaintInheritingContent`.
+    exists(DataFlow::ContentSet f |
+      readStep(nodeFrom, f, nodeTo) and
+      f.getAReadContent() instanceof TaintInheritingContent
+    ) and
+    model = ""
+  }
 }
 
-/**
- * Holds if taint can flow in one local step from `nodeFrom` to `nodeTo` excluding
- * local data flow steps. That is, `nodeFrom` and `nodeTo` are likely to represent
- * different objects.
- */
-cached
-predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo, string model) {
-  operandToInstructionTaintStep(nodeFrom.asOperand(), nodeTo.asInstruction()) and
-  model = ""
-  or
-  modeledTaintStep(nodeFrom, nodeTo, model)
-  or
-  // Flow from (the indirection of) an operand of a pointer arithmetic instruction to the
-  // indirection of the pointer arithmetic instruction. This provides flow from `source`
-  // in `x[source]` to the result of the associated load instruction.
-  exists(PointerArithmeticInstruction pai, int indirectionIndex |
-    nodeHasOperand(nodeFrom, pai.getAnOperand(), pragma[only_bind_into](indirectionIndex)) and
-    hasInstructionAndIndex(nodeTo, pai, indirectionIndex + 1)
-  ) and
-  model = ""
-  or
-  any(Ssa::Indirection ind).isAdditionalTaintStep(nodeFrom, nodeTo) and
-  model = ""
-  or
-  // models-as-data summarized flow
-  FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom.(FlowSummaryNode).getSummaryNode(),
-    nodeTo.(FlowSummaryNode).getSummaryNode(), false, model)
-  or
-  // object->field conflation for content that is a `TaintInheritingContent`.
-  exists(DataFlow::ContentSet f |
-    readStep(nodeFrom, f, nodeTo) and
-    f.getAReadContent() instanceof TaintInheritingContent
-  ) and
-  model = ""
-}
+import Cached
 
 /**
  * Holds if taint propagates from `nodeFrom` to `nodeTo` in exactly one local
@@ -196,7 +213,7 @@ predicate modeledTaintStep(DataFlow::Node nodeIn, DataFlow::Node nodeOut, string
   // Taint flow from a pointer argument to an output, when the model specifies flow from the deref
   // to that output, but the deref is not modeled in the IR for the caller.
   exists(
-    CallInstruction call, DataFlow::SideEffectOperandNode indirectArgument, Function func,
+    CallInstruction call, SideEffectOperandNode indirectArgument, Function func,
     FunctionInput modelIn, FunctionOutput modelOut
   |
     indirectArgument = callInput(call, modelIn) and

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll

@@ -15,6 +15,7 @@ private import TranslatedCall
 private import TranslatedStmt
 private import TranslatedFunction
 private import TranslatedGlobalVar
+private import TranslatedInitialization
 
 TranslatedElement getInstructionTranslatedElement(Instruction instruction) {
   instruction = TRawInstruction(result, _)
@@ -194,6 +195,89 @@ module Raw {
   Expr getInstructionUnconvertedResultExpression(Instruction instruction) {
     result = getInstructionConvertedResultExpression(instruction).getUnconverted()
   }
+
+  /**
+   * Gets the expression associated with the instruction `instr` that computes
+   * the `Convert` instruction on the extent expression of an allocation.
+   */
+  cached
+  Expr getAllocationExtentConvertExpr(Instruction instr) {
+    exists(TranslatedNonConstantAllocationSize tas |
+      instr = tas.getInstruction(AllocationExtentConvertTag()) and
+      result = tas.getExtent().getExpr()
+    )
+  }
+
+  /**
+   * Gets the `ParenthesisExpr` associated with a transparent conversion
+   * instruction, if any.
+   */
+  cached
+  ParenthesisExpr getTransparentConversionParenthesisExpr(Instruction instr) {
+    exists(TranslatedTransparentConversion ttc |
+      result = ttc.getExpr() and
+      instr = ttc.getResult()
+    )
+  }
+
+  /**
+   * Holds if `instr` belongs to a `TranslatedCoreExpr` that produces an
+   * expression result. This indicates that the instruction represents a
+   * definition whose result should be mapped back to the expression.
+   */
+  cached
+  predicate instructionProducesExprResult(Instruction instr) {
+    exists(TranslatedCoreExpr tco |
+      tco.getInstruction(_) = instr and
+      tco.producesExprResult()
+    )
+  }
+
+  /**
+   * Gets the expression associated with a `StoreInstruction` generated
+   * by an `TranslatedAssignOperation`.
+   */
+  cached
+  Expr getAssignOperationStoreExpr(StoreInstruction store) {
+    exists(TranslatedAssignOperation tao |
+      store = tao.getInstruction(AssignmentStoreTag()) and
+      result = tao.getExpr()
+    )
+  }
+
+  /**
+   * Gets the expression associated with a `StoreInstruction` generated
+   * by an `TranslatedCrementOperation`.
+   */
+  cached
+  Expr getCrementOperationStoreExpr(StoreInstruction store) {
+    exists(TranslatedCrementOperation tco |
+      store = tco.getInstruction(CrementStoreTag()) and
+      result = tco.getExpr()
+    )
+  }
+
+  /**
+   * Holds if `store` is a `StoreInstruction` that defines the temporary
+   * `IRVariable` generated as part of the translation of a ternary expression.
+   */
+  cached
+  predicate isConditionalExprTempStore(StoreInstruction store) {
+    exists(TranslatedConditionalExpr tce |
+      store = tce.getInstruction(ConditionValueFalseStoreTag())
+      or
+      store = tce.getInstruction(ConditionValueTrueStoreTag())
+    )
+  }
+
+  /** Gets the instruction that computes the address used to initialize `v`. */
+  cached
+  Instruction getInitializationTargetAddress(IRVariable v) {
+    exists(TranslatedVariableInitialization init |
+      init.getIRVariable() = v and
+      result = init.getTargetAddress()
+    )
+  }
 }
 
 class TStageInstruction = TRawInstruction or TRawUnreachedInstruction;

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -245,6 +245,25 @@ trap_filename(
     string filename: string ref
 );
 
+/**
+ * Gives the tag name for `tag`.
+ * For debugging only.
+ */
+tag_name(
+    int tag: @tag,
+    string name: string ref
+);
+
+@trap_or_tag = @tag | @trap;
+
+/**
+ * Gives the name for the source file.
+ */
+source_file_name(
+    int sf: @source_file,
+    string name: string ref
+);
+
 /**
  * In `build-mode: none` overlay mode, indicates that `source_file`
  * (`/path/to/foo.c`) uses the TRAP file `trap_file`; i.e. it is the
@@ -252,16 +271,25 @@ trap_filename(
  * includes, or a template instantiation it transitively uses.
  */
 source_file_uses_trap(
-    string source_file: string ref,
+    int source_file: @source_file ref,
     int trap_file: @trap ref
 );
 
 /**
- * Holds if there is a definition of `element` in TRAP file `trap_file`.
+ * In `build-mode: none` overlay mode, indicates that the TRAP file
+ * `trap_file` uses tag `tag`.
  */
-in_trap(
+trap_uses_tag(
+    int trap_file: @trap ref,
+    int tag: @tag ref
+);
+
+/**
+ * Holds if there is a definition of `element` in TRAP file or tag `t`.
+ */
+in_trap_or_tag(
     int element: @element ref,
-    int trap_file: @trap ref
+    int t: @trap_or_tag ref
 );
 
 pch_uses(

cpp/ql/lib/upgrades/7e7c2f55670f8123d514cf542ccb1938118ac561/in_trap_or_tag.ql

@@ -0,0 +1,11 @@
+class Element extends @element {
+  string toString() { none() }
+}
+
+class Trap extends @trap {
+  string toString() { none() }
+}
+
+from Element e, Trap trap
+where in_trap(e, trap)
+select e, trap

cpp/ql/lib/upgrades/7e7c2f55670f8123d514cf542ccb1938118ac561/source_files.ql

@@ -0,0 +1,22 @@
+newtype TSourceFile = MkSourceFile(string name) { source_file_uses_trap(name, _) }
+
+module FreshSourceFile = QlBuiltins::NewEntity<TSourceFile>;
+
+class SourceFile extends FreshSourceFile::EntityId {
+  string toString() { none() }
+}
+
+class Trap extends @trap {
+  string toString() { none() }
+}
+
+query predicate mk_source_file_name(SourceFile source_file, string name) {
+  source_file = FreshSourceFile::map(MkSourceFile(name))
+}
+
+query predicate mk_source_file_uses_trap(SourceFile source_file, Trap trap) {
+  exists(string name |
+    source_file_uses_trap(name, trap) and
+    mk_source_file_name(source_file, name)
+  )
+}

cpp/ql/lib/upgrades/7e7c2f55670f8123d514cf542ccb1938118ac561/upgrade.properties

@@ -0,0 +1,6 @@
+description: Add source_file_name
+compatibility: backwards
+source_file_uses_trap.rel: run source_files.ql mk_source_file_uses_trap
+source_file_name.rel: run source_files.ql mk_source_file_name
+in_trap.rel: delete
+in_trap_or_tag.rel: run in_trap_or_tag.ql

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.5.12
+
+No user-facing changes.
+
 ## 1.5.11
 
 No user-facing changes.

cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql

@@ -15,6 +15,7 @@
 import cpp
 import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
 import semmle.code.cpp.ir.dataflow.DataFlow
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowNodes
 
 /** Gets a loop that contains `e`. */
 Loop getAnEnclosingLoopOfExpr(Expr e) { result = getAnEnclosingLoopOfStmt(e.getEnclosingStmt()) }
@@ -45,9 +46,9 @@ private Expr getExpr(DataFlow::Node node) {
   or
   result = node.asOperand().getUse().getAst()
   or
-  result = node.(DataFlow::RawIndirectInstruction).getInstruction().getAst()
+  result = node.(RawIndirectInstruction).getInstruction().getAst()
   or
-  result = node.(DataFlow::RawIndirectOperand).getOperand().getUse().getAst()
+  result = node.(RawIndirectOperand).getOperand().getUse().getAst()
 }
 
 /**
@@ -208,7 +209,7 @@ class LoopWithAlloca extends Stmt {
       this.conditionRequiresInequality(va, _, _) and
       DataFlow::localFlow(result, DataFlow::exprNode(va)) and
       // Phi nodes will be preceded by nodes that represent actual definitions
-      not result instanceof DataFlow::SsaSynthNode and
+      not result instanceof SsaSynthNode and
       // A source is outside the loop if it's not inside the loop
       not exists(Expr e | e = getExpr(result) | this = getAnEnclosingLoopOfExpr(e))
     )

cpp/ql/src/change-notes/released/1.5.12.md

@@ -0,0 +1,3 @@
+## 1.5.12
+
+No user-facing changes.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.11
+lastReleaseVersion: 1.5.12

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.5.12-dev
+version: 1.5.13-dev
 groups:
   - cpp
   - queries

cpp/ql/src/utils/modelgenerator/internal/CaptureModels.qll

@@ -8,6 +8,7 @@ private import semmle.code.cpp.dataflow.ExternalFlow as ExternalFlow
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplCommon as DataFlowImplCommon
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplSpecific
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate as DataFlowPrivate
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowNodes as DataFlowNodes
 private import semmle.code.cpp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 private import semmle.code.cpp.ir.dataflow.internal.TaintTrackingImplSpecific
 private import semmle.code.cpp.dataflow.new.TaintTracking as Tt
@@ -403,7 +404,7 @@ private module SinkModelGeneratorInput implements SinkModelGeneratorInputSig {
   }
 
   predicate apiSource(DataFlow::Node source) {
-    DataFlowPrivate::nodeHasOperand(source, any(DataFlow::FieldAddress fa), 1)
+    DataFlowPrivate::nodeHasOperand(source, any(DataFlowNodes::FieldAddress fa), 1)
     or
     source instanceof DataFlow::ParameterNode
   }
@@ -416,7 +417,7 @@ private module SinkModelGeneratorInput implements SinkModelGeneratorInputSig {
       result = "Argument[" + DataFlow::repeatStars(indirectionIndex) + argumentIndex + "]"
     )
     or
-    DataFlowPrivate::nodeHasOperand(source, any(DataFlow::FieldAddress fa), 1) and
+    DataFlowPrivate::nodeHasOperand(source, any(DataFlowNodes::FieldAddress fa), 1) and
     result = qualifierString()
   }
 

cpp/ql/test/library-tests/dataflow/fields/A.cpp

@@ -46,7 +46,7 @@ public:
   {
     C *c = new C();
     B *b = B::make(c);
-    sink(b->c); // $ast,ir
+    sink(b->c); // $ ast,ir
   }
 
   void f2()

cpp/ql/test/library-tests/dataflow/fields/C.cpp

@@ -26,9 +26,9 @@ public:
 
   void func()
   {
-    sink(s1); // $ast,ir
+    sink(s1); // $ ast,ir
     sink(s2); // $ MISSING: ast,ir
-    sink(s3); // $ast,ir
+    sink(s3); // $ ast,ir
     sink(s4); // $ MISSING: ast,ir
   }
 };

cpp/ql/test/library-tests/dataflow/fields/D.cpp

@@ -19,7 +19,7 @@ public:
   };
 
   static void sinkWrap(Box2* b2) {
-    sink(b2->getBox1()->getElem()); // $ast,ir=28:15 ast,ir=35:15 ast,ir=42:15 ast,ir=49:15
+    sink(b2->getBox1()->getElem()); // $ ast,ir=28:15 ast,ir=35:15 ast,ir=42:15 ast,ir=49:15
   }
 
   Box2* boxfield;

cpp/ql/test/library-tests/dataflow/fields/by_reference.cpp

@@ -48,25 +48,25 @@ struct S {
 void test_setDirectly() {
   S s;
   s.setDirectly(user_input());
-  sink(s.getDirectly()); // $ast ir
+  sink(s.getDirectly()); // $ ast ir
 }
 
 void test_setIndirectly() {
   S s;
   s.setIndirectly(user_input());
-  sink(s.getIndirectly()); // $ast ir
+  sink(s.getIndirectly()); // $ ast ir
 }
 
 void test_setThroughNonMember() {
   S s;
   s.setThroughNonMember(user_input());
-  sink(s.getThroughNonMember()); // $ast ir
+  sink(s.getThroughNonMember()); // $ ast ir
 }
 
 void test_nonMemberSetA() {
   S s;
   nonMemberSetA(&s, user_input());
-  sink(nonMemberGetA(&s)); // $ast,ir
+  sink(nonMemberGetA(&s)); // $ ast,ir
 }
 
 ////////////////////
@@ -112,7 +112,7 @@ void test_outer_with_ptr(Outer *pouter) {
   sink(outer.a); // $ ast,ir
 
   sink(pouter->inner_nested.a); // $ ast,ir
-  sink(pouter->inner_ptr->a); // $ast,ir
+  sink(pouter->inner_ptr->a); // $ ast,ir
   sink(pouter->a); // $ ast,ir
 }
 

cpp/ql/test/library-tests/dataflow/fields/simple.cpp

@@ -64,7 +64,7 @@ void single_field_test()
     A a;
     a.i = user_input();
     A a2 = a;
-    sink(a2.i); //$ ast,ir
+    sink(a2.i); // $ ast,ir
 }
 
 struct C {
@@ -81,7 +81,7 @@ struct C2
 
     void m() {
         f2.f1 = user_input();
-        sink(getf2f1()); //$ ast,ir
+        sink(getf2f1()); // $ ast,ir
     }
 };
 
@@ -91,7 +91,7 @@ void single_field_test_typedef(A_typedef a)
 {
     a.i = user_input();
     A_typedef a2 = a;
-    sink(a2.i); //$ ast,ir
+    sink(a2.i); // $ ast,ir
 }
 
 namespace TestAdditionalCallTargets {
@@ -168,4 +168,4 @@ void test_union_with_two_instantiations_of_different_sizes() {
   sink(u_int.y); // $ MISSING: ir
 }
 
-} // namespace Simple
+} // namespace Simple

cpp/ql/test/library-tests/dataflow/fields/struct_init.c

@@ -12,14 +12,14 @@ struct Outer {
 };
 
 void absink(struct AB *ab) {
-  sink(ab->a); //$ ast,ir=20:20 ast,ir=27:7 ast,ir=40:20
+  sink(ab->a); // $ ast,ir=20:20 ast,ir=27:7 ast,ir=40:20
   sink(ab->b); // no flow
 }
 
 int struct_init(void) {
   struct AB ab = { user_input(), 0 };
 
-  sink(ab.a); //$ ast,ir
+  sink(ab.a); // $ ast,ir
   sink(ab.b); // no flow
   absink(&ab);
 
@@ -28,9 +28,9 @@ int struct_init(void) {
     &ab,
   };
 
-  sink(outer.nestedAB.a); //$ ast,ir
+  sink(outer.nestedAB.a); // $ ast,ir
   sink(outer.nestedAB.b); // no flow
-  sink(outer.pointerAB->a); //$ ast,ir
+  sink(outer.pointerAB->a); // $ ast,ir
   sink(outer.pointerAB->b); // no flow
 
   absink(&outer.nestedAB);

cpp/ql/test/library-tests/dataflow/ir-barrier-guards/test.ql

@@ -15,7 +15,10 @@ predicate instructionGuardChecks(IRGuardCondition gc, Instruction checked, boole
 module BarrierGuard = DataFlow::InstructionBarrierGuard<instructionGuardChecks/3>;
 
 predicate indirectBarrierGuard(DataFlow::Node node, string s) {
-  node = BarrierGuard::getAnIndirectBarrierNode(_) and
+  // This any(...) could technically be removed, but it helps us verify that we don't
+  // accidentially change the API of this predicate (for instance, by having
+  // the column be a unit parameter).
+  node = BarrierGuard::getAnIndirectBarrierNode(any(int indirectionIndex)) and
   if node.isGLValue()
   then s = "glval<" + node.getType().toString().replaceAll(" ", "") + ">"
   else s = node.getType().toString().replaceAll(" ", "")

cpp/ql/test/library-tests/dataflow/models-as-data/FlowSummaryNode.ql

@@ -1,6 +1,7 @@
 import testModels
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowNodes
 
 string describe(DataFlow::Node n) {
   n instanceof ParameterNode and result = "ParameterNode"

cpp/ql/test/library-tests/dataflow/models-as-data/tests.cpp

@@ -75,7 +75,7 @@ void test_sources() {
 	int e = localMadSource();
 	sink(e); // $ ir
 
-	sink(MyNamespace::namespaceLocalMadSource()); // $: ir
+	sink(MyNamespace::namespaceLocalMadSource()); // $ ir
 	sink(MyNamespace::namespaceLocalMadSourceVar); // $ ir
 	sink(MyNamespace::MyNamespace2::namespace2LocalMadSource()); // $ ir
 	sink(MyNamespace::localMadSource()); // $ (the MyNamespace version of this function is not a source)
@@ -475,4 +475,4 @@ void test_receive_array() {
 	int array[10] = {x};
 	int y = receive_array(array);
 	sink(y); // $ ir
-}
+}

cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp

@@ -450,7 +450,7 @@ void test_qualifiers()
 	b.member = source();
 	sink(b); // $ ir MISSING: ast
 	sink(b.member); // $ ast,ir
-	sink(b.getMember()); // $  MISSING: ir ast
+	sink(b.getMember()); // $ MISSING: ir ast
 
 	c = new MyClass2(0);
 
@@ -865,4 +865,4 @@ void test_iconv(size_t size) {
 	size_t size_out;
 	iconv(0, &s, &size, &p, &size_out);
 	sink(*p); // $ ast,ir
-}
+}

cpp/ql/test/library-tests/ir/points_to/points_to.cpp

@@ -24,64 +24,64 @@ struct DerivedVI : virtual Base1 {
 };
 
 void Locals() {
-  Point pt = {  //$ussa=pt
-    1,  //$ussa=pt[0..4)<int>
-    2  //$ussa=pt[4..8)<int>
+  Point pt = {  // $ ussa=pt
+    1,  // $ ussa=pt[0..4)<int>
+    2  // $ ussa=pt[4..8)<int>
   };
-  int i = pt.x;  //$ussa=pt[0..4)<int>
-  i = pt.y;  //$ussa=pt[4..8)<int>
+  int i = pt.x;  // $ ussa=pt[0..4)<int>
+  i = pt.y;  // $ ussa=pt[4..8)<int>
   int* p = &pt.x;
-  i = *p;  //$ussa=pt[0..4)<int>
+  i = *p;  // $ ussa=pt[0..4)<int>
   p = &pt.y;
-  i = *p;  //$ussa=pt[4..8)<int>
+  i = *p;  // $ ussa=pt[4..8)<int>
 }
 
 void PointsTo(
-  int a,         //$raw=a
-  Point& b,      //$raw=b ussa=*b
-  Point* c,      //$raw=c ussa=*c
-  int* d,        //$raw=d ussa=*d
-  DerivedSI* e,  //$raw=e ussa=*e
-  DerivedMI* f,  //$raw=f ussa=*f
-  DerivedVI* g   //$raw=g ussa=*g
+  int a,         // $ raw=a
+  Point& b,      // $ raw=b ussa=*b
+  Point* c,      // $ raw=c ussa=*c
+  int* d,        // $ raw=d ussa=*d
+  DerivedSI* e,  // $ raw=e ussa=*e
+  DerivedMI* f,  // $ raw=f ussa=*f
+  DerivedVI* g   // $ raw=g ussa=*g
 ) {
 
-  int i = a;  //$raw=a
-  i = *&a;  //$raw=a
-  i = *(&a + 0);  //$raw=a
-  i = b.x;  //$raw=b ussa=*b[0..4)<int>
-  i = b.y;  //$raw=b ussa=*b[4..8)<int>
-  i = c->x;  //$raw=c ussa=*c[0..4)<int>
-  i = c->y;  //$raw=c ussa=*c[4..8)<int>
-  i = *d;  //$raw=d ussa=*d[0..4)<int>
-  i = *(d + 0);  //$raw=d ussa=*d[0..4)<int>
-  i = d[5];  //$raw=d ussa=*d[20..24)<int>
-  i = 5[d];  //$raw=d ussa=*d[20..24)<int>
-  i = d[a];  //$raw=d raw=a ussa=*d[?..?)<int>
-  i = a[d];  //$raw=d raw=a ussa=*d[?..?)<int>
+  int i = a;  // $ raw=a
+  i = *&a;  // $ raw=a
+  i = *(&a + 0);  // $ raw=a
+  i = b.x;  // $ raw=b ussa=*b[0..4)<int>
+  i = b.y;  // $ raw=b ussa=*b[4..8)<int>
+  i = c->x;  // $ raw=c ussa=*c[0..4)<int>
+  i = c->y;  // $ raw=c ussa=*c[4..8)<int>
+  i = *d;  // $ raw=d ussa=*d[0..4)<int>
+  i = *(d + 0);  // $ raw=d ussa=*d[0..4)<int>
+  i = d[5];  // $ raw=d ussa=*d[20..24)<int>
+  i = 5[d];  // $ raw=d ussa=*d[20..24)<int>
+  i = d[a];  // $ raw=d raw=a ussa=*d[?..?)<int>
+  i = a[d];  // $ raw=d raw=a ussa=*d[?..?)<int>
 
-  int* p = &b.x;  //$raw=b
-  i = *p;  //$ussa=*b[0..4)<int>
-  p = &b.y;  //$raw=b
-  i = *p;  //$ussa=*b[4..8)<int>
-  p = &c->x;  //$raw=c
-  i = *p;  //$ussa=*c[0..4)<int>
-  p = &c->y;  //$raw=c
-  i = *p;  //$ussa=*c[4..8)<int>
-  p = &d[5];  //$raw=d
-  i = *p;  //$ussa=*d[20..24)<int>
-  p = &d[a];  //$raw=d raw=a
-  i = *p;  //$ussa=*d[?..?)<int>
+  int* p = &b.x;  // $ raw=b
+  i = *p;  // $ ussa=*b[0..4)<int>
+  p = &b.y;  // $ raw=b
+  i = *p;  // $ ussa=*b[4..8)<int>
+  p = &c->x;  // $ raw=c
+  i = *p;  // $ ussa=*c[0..4)<int>
+  p = &c->y;  // $ raw=c
+  i = *p;  // $ ussa=*c[4..8)<int>
+  p = &d[5];  // $ raw=d
+  i = *p;  // $ ussa=*d[20..24)<int>
+  p = &d[a];  // $ raw=d raw=a
+  i = *p;  // $ ussa=*d[?..?)<int>
 
-  Point* q = &c[a];  //$raw=c raw=a
-  i = q->x;  //$ussa=*c[?..?)<int>
-  i = q->y;  //$ussa=*c[?..?)<int>
+  Point* q = &c[a];  // $ raw=c raw=a
+  i = q->x;  // $ ussa=*c[?..?)<int>
+  i = q->y;  // $ ussa=*c[?..?)<int>
 
-  i = e->b1;  //$raw=e ussa=*e[0..4)<int>
-  i = e->dsi;  //$raw=e ussa=*e[4..8)<int>
-  i = f->b1;  //$raw=f ussa=*f[0..4)<int>
-  i = f->b2;  //$raw=f ussa=*f[4..8)<int>
-  i = f->dmi;  //$raw=f ussa=*f[8..12)<int>
-  i = g->b1;  //$raw=g ussa=*g[?..?)<int>
-  i = g->dvi;  //$raw=g ussa=*g[8..12)<int>
-}
+  i = e->b1;  // $ raw=e ussa=*e[0..4)<int>
+  i = e->dsi;  // $ raw=e ussa=*e[4..8)<int>
+  i = f->b1;  // $ raw=f ussa=*f[0..4)<int>
+  i = f->b2;  // $ raw=f ussa=*f[4..8)<int>
+  i = f->dmi;  // $ raw=f ussa=*f[8..12)<int>
+  i = g->b1;  // $ raw=g ussa=*g[?..?)<int>
+  i = g->dvi;  // $ raw=g ussa=*g[8..12)<int>
+}

cpp/ql/test/library-tests/ir/points_to/smart_pointer.cpp

@@ -10,24 +10,24 @@ struct S {
 
 void unique_ptr_init(S s) {
     unique_ptr<S> p(new S); // MISSING: $ussa=dynamic{1}
-    int i = (*p).x; //$ MISSING: ussa=dynamic{1}[0..4)<int>
-    *p = s;  //$ MISSING: ussa=dynamic{1}[0..4)<S>
+    int i = (*p).x; // $ MISSING: ussa=dynamic{1}[0..4)<int>
+    *p = s;  // $ MISSING: ussa=dynamic{1}[0..4)<S>
     unique_ptr<S> q = std::move(p);
-    *(q.get()) = s;  //$ MISSING: ussa=dynamic{1}[0..4)<S>
+    *(q.get()) = s;  // $ MISSING: ussa=dynamic{1}[0..4)<S>
     shared_ptr<S> t(std::move(q));
-    t->x = 5; //$ MISSING: ussa=dynamic{1}[0..4)<int>
-    *t = s; //$ MISSING: ussa=dynamic{1}[0..4)<S>
-    *(t.get()) = s; //$ MISSING: ussa=dynamic{1}[0..4)<S>
+    t->x = 5; // $ MISSING: ussa=dynamic{1}[0..4)<int>
+    *t = s; // $ MISSING: ussa=dynamic{1}[0..4)<S>
+    *(t.get()) = s; // $ MISSING: ussa=dynamic{1}[0..4)<S>
 }
 
 void shared_ptr_init(S s) {
-    shared_ptr<S> p(new S); //$ MISSING: ussa=dynamic{1}
-    int i = (*p).x; //$ MISSING: ussa=dynamic{1}[0..4)<int>
-    *p = s;  //$ MISSING: ussa=dynamic{1}[0..4)<S>
+    shared_ptr<S> p(new S); // $ MISSING: ussa=dynamic{1}
+    int i = (*p).x; // $ MISSING: ussa=dynamic{1}[0..4)<int>
+    *p = s;  // $ MISSING: ussa=dynamic{1}[0..4)<S>
     shared_ptr<S> q = std::move(p);
-    *(q.get()) = s;  //$ MISSING: ussa=dynamic{1}[0..4)<S>
+    *(q.get()) = s;  // $ MISSING: ussa=dynamic{1}[0..4)<S>
     shared_ptr<S> t(q);
-    t->x = 5; //$ MISSING: ussa=dynamic{1}[0..4)<int>
-    *t = s; //$ MISSING: ussa=dynamic{1}[0..4)<S>
-    *(t.get()) = s; //$ MISSING: ussa=dynamic{1}[0..4)<S>
+    t->x = 5; // $ MISSING: ussa=dynamic{1}[0..4)<int>
+    *t = s; // $ MISSING: ussa=dynamic{1}[0..4)<S>
+    *(t.get()) = s; // $ MISSING: ussa=dynamic{1}[0..4)<S>
 }

cpp/ql/test/library-tests/ir/range-analysis/SimpleRangeAnalysis_tests.cpp

@@ -46,7 +46,7 @@ int test4() {
   }
   range(total); // $ MISSING: range=>=0
   range(i); // $ range===2
-  range(total + i); // $ range="<=Phi: i+2" MISSING: range===i+2 range=>=2 range=>=i+0 
+  range(total + i); // $ range="<=Phi: i+2" MISSING: range===i+2 range=>=2 range=>=i+0
   return total + i;
 }
 
@@ -210,7 +210,7 @@ int test14(int x) {
   int x3 = (int)(unsigned int)x;
   range(x3);
   char c0 = x;
-  range(c0); 
+  range(c0);
   unsigned short s0 = x;
   range(s0);
   range(x0 + x1 + x2 + x3 + c0 + s0); // $ overflow=+ overflow=+-
@@ -218,7 +218,7 @@ int test14(int x) {
 }
 
 long long test15(long long x) {
-  return (x > 0 && (range(x), x == (int)x)) ? // $ range=>=1 
+  return (x > 0 && (range(x), x == (int)x)) ? // $ range=>=1
     (range(x), x) : // $ range=>=1
     (range(x), -1);
 }
@@ -228,7 +228,7 @@ int test_unary(int a) {
   int total = 0;
 
   if (3 <= a && a <= 11) {
-    range(a); // $ range=<=11 range=>=3 
+    range(a); // $ range=<=11 range=>=3
     int b = +a;
     range(b); // $ range=<=11 range=>=3
     int c = -a;
@@ -384,7 +384,7 @@ int test_mult02(int a, int b) {
     total += r;
     range(total); // $ range=">=Phi: 0-143" range=">=Phi: 0-286"
   }
-  range(total); // $range=">=Phi: 0-143" range=">=Phi: 0-286"
+  range(total); // $ range=">=Phi: 0-143" range=">=Phi: 0-286"
   return total;
 }
 
@@ -467,7 +467,7 @@ int test_mult04(int a, int b) {
     range(a); // $ range=<=0 range=>=-17
     range(b); // $ range=<=0 range=>=-13
     int r = a*b;  // 0 .. 221
-    range(r); // $ range=<=221 range=>=0 
+    range(r); // $ range=<=221 range=>=0
     total += r;
     range(total); // $ range="<=Phi: - ...+221"
   }
@@ -1030,7 +1030,7 @@ void test_negate_signed(int s) {
   }
 }
 
-// By setting the guard after the use in another guard we 
+// By setting the guard after the use in another guard we
 // don't get the useful information
 void test_guard_after_use(int pos, int size, int offset) {
   if (pos + offset >= size) { // $ overflow=+-
@@ -1040,12 +1040,12 @@ void test_guard_after_use(int pos, int size, int offset) {
     return;
   }
   range(pos + 1); // $ overflow=+ range="==InitializeParameter: pos+1" MISSING: range="<=InitializeParameter: size-1"
-} 
+}
 
 int cond();
 
 
-// This is basically what we get when we have a loop that calls 
+// This is basically what we get when we have a loop that calls
 // realloc in some iterations
 void alloc_in_loop(int origLen) {
   if (origLen <= 10) {
@@ -1066,12 +1066,12 @@ void alloc_in_loop(int origLen) {
   }
 }
 
-// This came from a case where it handled the leftovers before an unrolled loop 
+// This came from a case where it handled the leftovers before an unrolled loop
 void mask_at_start(int len) {
   if (len < 0) {
     return;
   }
-  int leftOver = len & 63; 
+  int leftOver = len & 63;
   for (int i = 0; i < leftOver; i++) {
     range(i); // $ range=<=62 range=>=0  range="<=Store: ... & ... | Store: leftOver-1" range="<=InitializeParameter: len-1"
   }

cpp/ql/test/library-tests/ir/types/complex.c

@@ -1,14 +1,14 @@
 void Complex(void) {
-  _Complex float cf;  //$irtype=cfloat8
-  _Complex double cd;  //$irtype=cfloat16
-  _Complex long double cld;  //$irtype=cfloat32
+  _Complex float cf;  // $ irtype=cfloat8
+  _Complex double cd;  // $ irtype=cfloat16
+  _Complex long double cld;  // $ irtype=cfloat32
   // _Complex __float128 cf128;
 }
 
 void Imaginary(void) {
-  _Imaginary float jf;  //$irtype=ifloat4
-  _Imaginary double jd;  //$irtype=ifloat8
-  _Imaginary long double jld;  //$irtype=ifloat16
+  _Imaginary float jf;  // $ irtype=ifloat4
+  _Imaginary double jd;  // $ irtype=ifloat8
+  _Imaginary long double jld;  // $ irtype=ifloat16
   // _Imaginary __float128 jf128;
 }
 

cpp/ql/test/library-tests/ir/types/irtypes.cpp

@@ -22,44 +22,44 @@ enum class ScopedE {
 };
 
 void IRTypes() {
-  char c;  //$irtype=int1
-  signed char sc;  //$irtype=int1
-  unsigned char uc;  //$irtype=uint1
-  short s;  //$irtype=int2
-  signed short ss;  //$irtype=int2
-  unsigned short us;  //$irtype=uint2
-  int i;  //$irtype=int4
-  signed int si;  //$irtype=int4
-  unsigned int ui;  //$irtype=uint4
-  long l;  //$irtype=int8
-  signed long sl;  //$irtype=int8
-  unsigned long ul;  //$irtype=uint8
-  long long ll;  //$irtype=int8
-  signed long long sll;  //$irtype=int8
-  unsigned long long ull;  //$irtype=uint8
-  bool b;  //$irtype=bool1
-  float f;  //$irtype=float4
-  double d;  //$irtype=float8
-  long double ld;  //$irtype=float16
-  __float128 f128;  //$irtype=float16
+  char c;  // $ irtype=int1
+  signed char sc;  // $ irtype=int1
+  unsigned char uc;  // $ irtype=uint1
+  short s;  // $ irtype=int2
+  signed short ss;  // $ irtype=int2
+  unsigned short us;  // $ irtype=uint2
+  int i;  // $ irtype=int4
+  signed int si;  // $ irtype=int4
+  unsigned int ui;  // $ irtype=uint4
+  long l;  // $ irtype=int8
+  signed long sl;  // $ irtype=int8
+  unsigned long ul;  // $ irtype=uint8
+  long long ll;  // $ irtype=int8
+  signed long long sll;  // $ irtype=int8
+  unsigned long long ull;  // $ irtype=uint8
+  bool b;  // $ irtype=bool1
+  float f;  // $ irtype=float4
+  double d;  // $ irtype=float8
+  long double ld;  // $ irtype=float16
+  __float128 f128;  // $ irtype=float16
 
-  wchar_t wc;  //$irtype=uint4
-//  char8_t c8;  //$irtype=uint1
-  char16_t c16;  //$irtype=uint2
-  char32_t c32;  //$irtype=uint4
+  wchar_t wc;  // $ irtype=uint4
+//  char8_t c8;  // $ irtype=uint1
+  char16_t c16;  // $ irtype=uint2
+  char32_t c32;  // $ irtype=uint4
 
-  int* pi;  //$irtype=addr8
-  int& ri = i;  //$irtype=addr8
-  void (*pfn)() = nullptr;  //$irtype=func8
-  void (&rfn)() = IRTypes;  //$irtype=func8
+  int* pi;  // $ irtype=addr8
+  int& ri = i;  // $ irtype=addr8
+  void (*pfn)() = nullptr;  // $ irtype=func8
+  void (&rfn)() = IRTypes;  // $ irtype=func8
 
-  A s_a;  //$irtype=opaque4{A}
-  B s_b;  //$irtype=opaque16{B}
+  A s_a;  // $ irtype=opaque4{A}
+  B s_b;  // $ irtype=opaque16{B}
 
-  E e;  //$irtype=uint4
-  ScopedE se;  //$irtype=uint4
+  E e;  // $ irtype=uint4
+  ScopedE se;  // $ irtype=uint4
 
-  B a_b[10];  //$irtype=opaque160{B[10]}
+  B a_b[10];  // $ irtype=opaque160{B[10]}
 }
 
 // semmle-extractor-options: -std=c++17 --clang

cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/test.cpp

@@ -1338,7 +1338,7 @@ void indirect_time_conversion_check(WORD year, WORD offset){
 void set_time(WORD year, WORD month, WORD day){
 	SYSTEMTIME tmp;
 
-	tmp.wYear = year; //$ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification]
+	tmp.wYear = year; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification]
 	tmp.wMonth = month;
 	tmp.wDay = day;
 }

csharp/documentation/library-coverage/coverage.csv

@@ -44,5 +44,5 @@ NHibernate,3,,,,,,,,,,,,3,,,,,,,,,,
 Newtonsoft.Json,,,91,,,,,,,,,,,,,,,,,,,73,18
 ServiceStack,194,,7,27,,,,,75,,,,92,,,,,,,,,7,
 SourceGenerators,,,5,,,,,,,,,,,,,,,,,,,,5
-System,59,47,12495,,6,5,12,,,4,1,,31,2,,6,15,17,4,3,,6382,6113
+System,59,48,12495,,6,5,12,,,4,1,,31,2,,6,15,17,5,3,,6382,6113
 Windows.Security.Cryptography.Core,1,,,,,,,1,,,,,,,,,,,,,,,

csharp/documentation/library-coverage/coverage.rst

@@ -8,7 +8,7 @@ C# framework & library support
 
    Framework / library,Package,Flow sources,Taint & value steps,Sinks (total),`CWE-079` :sub:`Cross-site scripting`
    `ServiceStack <https://servicestack.net/>`_,"``ServiceStack.*``, ``ServiceStack``",,7,194,
-   System,"``System.*``, ``System``",47,12495,59,5
+   System,"``System.*``, ``System``",48,12495,59,5
    Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, ``Internal.TypeSystem``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.AspNetCore.Components``, ``Microsoft.AspNetCore.Http``, ``Microsoft.AspNetCore.Mvc``, ``Microsoft.AspNetCore.WebUtilities``, ``Microsoft.CSharp``, ``Microsoft.Data.SqlClient``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.DotNet.Build.Tasks``, ``Microsoft.DotNet.PlatformAbstractions``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.JSInterop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.VisualBasic``, ``Microsoft.Win32``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``NHibernate``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",60,2406,162,4
-   Totals,,107,14908,415,9
+   Totals,,108,14908,415,9
 

csharp/downgrades/e73ca2c93df8aae162f1704edc4817a5cb330529/upgrade.properties

@@ -0,0 +1,2 @@
+description: Remove inclusion of @assign_expr in @bin_op
+compatibility: full

csharp/extractor/Semmle.Extraction.CSharp/CodeAnalysisExtensions/SymbolExtensions.cs

@@ -728,6 +728,15 @@ namespace Semmle.Extraction.CSharp
         public static INamedTypeSymbol? GetNonObjectBaseType(this ITypeSymbol symbol, Context cx) =>
             symbol is ITypeParameterSymbol || SymbolEqualityComparer.Default.Equals(symbol.BaseType, cx.Compilation.ObjectType) ? null : symbol.BaseType;
 
+        public static IMethodSymbol GetBodyDeclaringSymbol(this IMethodSymbol method) =>
+            method.PartialImplementationPart ?? method;
+
+        public static IPropertySymbol GetBodyDeclaringSymbol(this IPropertySymbol property) =>
+            property.PartialImplementationPart ?? property;
+
+        public static IEventSymbol GetBodyDeclaringSymbol(this IEventSymbol symbol) =>
+            symbol.PartialImplementationPart ?? symbol;
+
         [return: NotNullIfNotNull(nameof(symbol))]
         public static IEntity? CreateEntity(this Context cx, ISymbol symbol)
         {

csharp/extractor/Semmle.Extraction.CSharp/Entities/Accessor.cs

@@ -70,7 +70,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
             Overrides(trapFile);
 
-            if (Symbol.FromSource() && Block is null)
+            if (Symbol.FromSource() && !HasBody)
             {
                 trapFile.compiler_generated(this);
             }

csharp/extractor/Semmle.Extraction.CSharp/Entities/Base/CachedSymbol.cs

@@ -9,9 +9,14 @@ namespace Semmle.Extraction.CSharp.Entities
 {
     internal abstract class CachedSymbol<T> : CachedEntity<T> where T : class, ISymbol
     {
+        private readonly Lazy<BlockSyntax?> blockLazy;
+        private readonly Lazy<ExpressionSyntax?> expressionBodyLazy;
+
         protected CachedSymbol(Context cx, T init)
             : base(cx, init)
         {
+            blockLazy = new Lazy<BlockSyntax?>(() => GetBlock(Symbol));
+            expressionBodyLazy = new Lazy<ExpressionSyntax?>(() => GetExpressionBody(Symbol));
         }
 
         public virtual Type? ContainingType => Symbol.ContainingType is not null
@@ -87,31 +92,29 @@ namespace Semmle.Extraction.CSharp.Entities
                 Context.BindComments(this, FullLocation);
         }
 
-        protected virtual T BodyDeclaringSymbol => Symbol;
-
-        public BlockSyntax? Block
+        private static BlockSyntax? GetBlock(T symbol)
         {
-            get
-            {
-                return BodyDeclaringSymbol.DeclaringSyntaxReferences
+            return symbol.DeclaringSyntaxReferences
                     .SelectMany(r => r.GetSyntax().ChildNodes())
                     .OfType<BlockSyntax>()
                     .FirstOrDefault();
-            }
         }
 
-        public ExpressionSyntax? ExpressionBody
+        private static ExpressionSyntax? GetExpressionBody(T symbol)
         {
-            get
-            {
-                return BodyDeclaringSymbol.DeclaringSyntaxReferences
+            return symbol.DeclaringSyntaxReferences
                     .SelectMany(r => r.GetSyntax().ChildNodes())
                     .OfType<ArrowExpressionClauseSyntax>()
                     .Select(arrow => arrow.Expression)
                     .FirstOrDefault();
-            }
         }
 
+        public BlockSyntax? Block => blockLazy.Value;
+
+        public ExpressionSyntax? ExpressionBody => expressionBodyLazy.Value;
+
+        public bool HasBody => Block is not null || ExpressionBody is not null;
+
         public virtual bool IsSourceDeclaration => Symbol.IsSourceDeclaration();
 
         public override bool NeedsPopulation => Context.Defines(Symbol);

csharp/extractor/Semmle.Extraction.CSharp/Entities/Constructor.cs

@@ -1,3 +1,4 @@
+using System;
 using System.Collections.Generic;
 using System.Diagnostics.CodeAnalysis;
 using System.IO;
@@ -12,7 +13,9 @@ namespace Semmle.Extraction.CSharp.Entities
     internal class Constructor : Method
     {
         private readonly List<SyntaxNode> declaringReferenceSyntax;
-
+        private readonly Lazy<ConstructorDeclarationSyntax?> ordinaryConstructorSyntaxLazy;
+        private readonly Lazy<TypeDeclarationSyntax?> primaryConstructorSyntaxLazy;
+        private readonly Lazy<PrimaryConstructorBaseTypeSyntax?> primaryBaseLazy;
         private Constructor(Context cx, IMethodSymbol init)
             : base(cx, init)
         {
@@ -20,8 +23,28 @@ namespace Semmle.Extraction.CSharp.Entities
                 Symbol.DeclaringSyntaxReferences
                     .Select(r => r.GetSyntax())
                     .ToList();
+            ordinaryConstructorSyntaxLazy = new Lazy<ConstructorDeclarationSyntax?>(() =>
+                declaringReferenceSyntax
+                .OfType<ConstructorDeclarationSyntax>()
+                .FirstOrDefault());
+            primaryConstructorSyntaxLazy = new Lazy<TypeDeclarationSyntax?>(() =>
+                declaringReferenceSyntax
+                    .OfType<TypeDeclarationSyntax>()
+                    .FirstOrDefault(t => t is ClassDeclarationSyntax or StructDeclarationSyntax or RecordDeclarationSyntax));
+            primaryBaseLazy = new Lazy<PrimaryConstructorBaseTypeSyntax?>(() =>
+                PrimaryConstructorSyntax?
+                    .BaseList?
+                    .Types
+                    .OfType<PrimaryConstructorBaseTypeSyntax>()
+                    .FirstOrDefault());
         }
 
+        private ConstructorDeclarationSyntax? OrdinaryConstructorSyntax => ordinaryConstructorSyntaxLazy.Value;
+
+        private TypeDeclarationSyntax? PrimaryConstructorSyntax => primaryConstructorSyntaxLazy.Value;
+
+        private PrimaryConstructorBaseTypeSyntax? PrimaryBase => primaryBaseLazy.Value;
+
         public override void Populate(TextWriter trapFile)
         {
             PopulateMethod(trapFile);
@@ -42,7 +65,7 @@ namespace Semmle.Extraction.CSharp.Entities
                 return;
             }
 
-            if (MakeSynthetic)
+            if (MakeSyntheticBody)
             {
                 // Create a synthetic empty body for primary and default constructors.
                 Statements.SyntheticEmptyBlock.Create(Context, this, 0, Location);
@@ -60,7 +83,7 @@ namespace Semmle.Extraction.CSharp.Entities
             // Do not extract initializers for constructed types.
             // Extract initializers for constructors with a body, primary constructors
             // and default constructors for classes and structs declared in source code.
-            if (Block is null && ExpressionBody is null && !MakeSynthetic || Context.OnlyScaffold)
+            if (!HasBody && !MakeSyntheticBody || Context.OnlyScaffold)
             {
                 return;
             }
@@ -176,23 +199,6 @@ namespace Semmle.Extraction.CSharp.Entities
             init.PopulateArguments(trapFile, arguments, 0);
         }
 
-        private ConstructorDeclarationSyntax? OrdinaryConstructorSyntax =>
-            declaringReferenceSyntax
-                .OfType<ConstructorDeclarationSyntax>()
-                .FirstOrDefault();
-
-        private TypeDeclarationSyntax? PrimaryConstructorSyntax =>
-            declaringReferenceSyntax
-                    .OfType<TypeDeclarationSyntax>()
-                    .FirstOrDefault(t => t is ClassDeclarationSyntax or StructDeclarationSyntax or RecordDeclarationSyntax);
-
-        private PrimaryConstructorBaseTypeSyntax? PrimaryBase =>
-            PrimaryConstructorSyntax?
-                .BaseList?
-                .Types
-                .OfType<PrimaryConstructorBaseTypeSyntax>()
-                .FirstOrDefault();
-
         private bool IsPrimary => PrimaryConstructorSyntax is not null;
 
         // This is a default constructor in a class or struct declared in source.
@@ -211,7 +217,7 @@ namespace Semmle.Extraction.CSharp.Entities
         /// </summary>
         private bool IsBestSourceLocation => ReportingLocation is not null && Context.IsLocationInContext(ReportingLocation);
 
-        private bool MakeSynthetic => (IsPrimary || (IsDefault && IsBestSourceLocation)) && !Context.OnlyScaffold;
+        private bool MakeSyntheticBody => (IsPrimary || (IsDefault && IsBestSourceLocation)) && !Context.OnlyScaffold;
 
         [return: NotNullIfNotNull(nameof(constructor))]
         public static new Constructor? Create(Context cx, IMethodSymbol? constructor)
@@ -223,7 +229,7 @@ namespace Semmle.Extraction.CSharp.Entities
             {
                 case MethodKind.StaticConstructor:
                 case MethodKind.Constructor:
-                    return ConstructorFactory.Instance.CreateEntityFromSymbol(cx, constructor);
+                    return ConstructorFactory.Instance.CreateEntityFromSymbol(cx, constructor.GetBodyDeclaringSymbol());
                 default:
                     throw new InternalError(constructor, "Attempt to create a Constructor from a symbol that isn't a constructor");
             }

csharp/extractor/Semmle.Extraction.CSharp/Entities/Event.cs

@@ -11,10 +11,6 @@ namespace Semmle.Extraction.CSharp.Entities
         private Event(Context cx, IEventSymbol init)
             : base(cx, init) { }
 
-        protected override IEventSymbol BodyDeclaringSymbol => Symbol.PartialImplementationPart ?? Symbol;
-
-        public override Microsoft.CodeAnalysis.Location? ReportingLocation => BodyDeclaringSymbol.Locations.BestOrDefault();
-
         public override void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.WriteSubId(ContainingType!);
@@ -31,8 +27,8 @@ namespace Semmle.Extraction.CSharp.Entities
             var type = Type.Create(Context, Symbol.Type);
             trapFile.events(this, Symbol.GetName(), ContainingType!, type.TypeRef, Create(Context, Symbol.OriginalDefinition));
 
-            var adder = BodyDeclaringSymbol.AddMethod;
-            var remover = BodyDeclaringSymbol.RemoveMethod;
+            var adder = Symbol.AddMethod;
+            var remover = Symbol.RemoveMethod;
 
             if (adder is not null)
                 Method.Create(Context, adder);
@@ -76,7 +72,7 @@ namespace Semmle.Extraction.CSharp.Entities
             }
         }
 
-        public static Event Create(Context cx, IEventSymbol symbol) => EventFactory.Instance.CreateEntityFromSymbol(cx, symbol);
+        public static Event Create(Context cx, IEventSymbol symbol) => EventFactory.Instance.CreateEntityFromSymbol(cx, symbol.GetBodyDeclaringSymbol());
 
         private class EventFactory : CachedEntityFactory<IEventSymbol, Event>
         {

csharp/extractor/Semmle.Extraction.CSharp/Entities/EventAccessor.cs

@@ -59,7 +59,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
             Overrides(trapFile);
 
-            if (Symbol.FromSource() && Block is null)
+            if (Symbol.FromSource() && !HasBody)
             {
                 trapFile.compiler_generated(this);
             }

csharp/extractor/Semmle.Extraction.CSharp/Entities/Indexer.cs

@@ -20,8 +20,8 @@ namespace Semmle.Extraction.CSharp.Entities
             var type = Type.Create(Context, Symbol.Type);
             trapFile.indexers(this, Symbol.GetName(useMetadataName: true), ContainingType!, type.TypeRef, OriginalDefinition);
 
-            var getter = BodyDeclaringSymbol.GetMethod;
-            var setter = BodyDeclaringSymbol.SetMethod;
+            var getter = Symbol.GetMethod;
+            var setter = Symbol.SetMethod;
 
             if (getter is null && setter is null)
                 Context.ModelError(Symbol, "No indexer accessor defined");
@@ -81,7 +81,7 @@ namespace Semmle.Extraction.CSharp.Entities
                 TypeMention.Create(Context, syntax.Type, this, type);
         }
 
-        public static new Indexer Create(Context cx, IPropertySymbol prop) => IndexerFactory.Instance.CreateEntityFromSymbol(cx, prop);
+        public static new Indexer Create(Context cx, IPropertySymbol prop) => IndexerFactory.Instance.CreateEntityFromSymbol(cx, prop.GetBodyDeclaringSymbol());
 
         public override void WriteId(EscapingTextWriter trapFile)
         {

csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs

@@ -85,7 +85,7 @@ namespace Semmle.Extraction.CSharp.Entities
                        else
                            Expression.Create(Context, expr!, this, 0);
 
-                       NumberOfLines(trapFile, BodyDeclaringSymbol, this);
+                       NumberOfLines(trapFile, Symbol, this);
                    });
             }
         }

csharp/extractor/Semmle.Extraction.CSharp/Entities/OrdinaryMethod.cs

@@ -14,14 +14,12 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override string Name => Symbol.GetName();
 
-        protected override IMethodSymbol BodyDeclaringSymbol => Symbol.PartialImplementationPart ?? Symbol;
-
         public IMethodSymbol SourceDeclaration => Symbol.OriginalDefinition;
 
         public override Microsoft.CodeAnalysis.Location ReportingLocation =>
             IsCompilerGeneratedDelegate()
                 ? Symbol.ContainingType.GetSymbolLocation()
-                : BodyDeclaringSymbol.GetSymbolLocation();
+                : Symbol.GetSymbolLocation();
 
         public override bool NeedsPopulation =>
             (base.NeedsPopulation || IsCompilerGeneratedDelegate()) &&
@@ -77,7 +75,7 @@ namespace Semmle.Extraction.CSharp.Entities
                 cx.ExtractionContext.Logger.LogWarning("Reduced extension method symbols should not be directly extracted.");
             }
 
-            return OrdinaryMethodFactory.Instance.CreateEntityFromSymbol(cx, method);
+            return OrdinaryMethodFactory.Instance.CreateEntityFromSymbol(cx, method.GetBodyDeclaringSymbol());
         }
 
         private class OrdinaryMethodFactory : CachedEntityFactory<IMethodSymbol, OrdinaryMethod>

csharp/extractor/Semmle.Extraction.CSharp/Entities/Property.cs

@@ -21,10 +21,6 @@ namespace Semmle.Extraction.CSharp.Entities
 
         private Type Type => type.Value;
 
-        protected override IPropertySymbol BodyDeclaringSymbol => Symbol.PartialImplementationPart ?? Symbol;
-
-        public override Microsoft.CodeAnalysis.Location? ReportingLocation => BodyDeclaringSymbol.Locations.BestOrDefault();
-
         public override void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.WriteSubId(Type);
@@ -46,8 +42,8 @@ namespace Semmle.Extraction.CSharp.Entities
             var type = Type;
             trapFile.properties(this, Symbol.GetName(), ContainingType!, type.TypeRef, Create(Context, Symbol.OriginalDefinition));
 
-            var getter = BodyDeclaringSymbol.GetMethod;
-            var setter = BodyDeclaringSymbol.SetMethod;
+            var getter = Symbol.GetMethod;
+            var setter = Symbol.SetMethod;
 
             if (getter is not null)
                 Method.Create(Context, getter);
@@ -132,7 +128,7 @@ namespace Semmle.Extraction.CSharp.Entities
         {
             var isIndexer = prop.IsIndexer || prop.Parameters.Any();
 
-            return isIndexer ? Indexer.Create(cx, prop) : PropertyFactory.Instance.CreateEntityFromSymbol(cx, prop);
+            return isIndexer ? Indexer.Create(cx, prop) : PropertyFactory.Instance.CreateEntityFromSymbol(cx, prop.GetBodyDeclaringSymbol());
         }
 
         private class PropertyFactory : CachedEntityFactory<IPropertySymbol, Property>

csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.60
+
+No user-facing changes.
+
 ## 1.7.59
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.60.md

@@ -0,0 +1,3 @@
+## 1.7.60
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.59
+lastReleaseVersion: 1.7.60

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.60-dev
+version: 1.7.61-dev
 groups:
   - csharp
   - solorigate

csharp/ql/campaigns/Solorigate/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.60
+
+No user-facing changes.
+
 ## 1.7.59
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.60.md

@@ -0,0 +1,3 @@
+## 1.7.60
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.59
+lastReleaseVersion: 1.7.60

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.60-dev
+version: 1.7.61-dev
 groups:
   - csharp
   - solorigate

csharp/ql/lib/CHANGELOG.md

@@ -1,3 +1,14 @@
+## 5.4.8
+
+### Minor Analysis Improvements
+
+* C# 14: Added support for partial events.
+* C# 14: Added support for the `field` keyword in properties.
+
+### Bug Fixes
+
+* Fixed an issue where the body of a partial member could be extracted twice. When both a *defining* and an *implementing* declaration exist, only the *implementing* declaration is now extracted.
+
 ## 5.4.7
 
 ### Minor Analysis Improvements

csharp/ql/lib/change-notes/2026-02-12-field-keyword.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* C# 14: Added support for the `field` keyword in properties.

csharp/ql/lib/change-notes/2026-02-16-partial-events.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* C# 14: Added support for partial events.

csharp/ql/lib/change-notes/2026-02-24-partial-constructors.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* C# 14: Added support for partial constructors.

csharp/ql/lib/change-notes/2026-03-02-post-update-nodes.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added post-update nodes for struct-type arguments, allowing data flow out of method calls via those arguments.

csharp/ql/lib/change-notes/2026-03-03-implicit-conversion-reverse-flow.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added reverse taint flow from implicit conversion operator calls to their arguments.

csharp/ql/lib/change-notes/2026-03-04-websocket-receiveasync.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added `System.Net.WebSockets::ReceiveAsync` as a remote flow source.

csharp/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.

csharp/ql/lib/change-notes/released/5.4.8.md

@@ -0,0 +1,10 @@
+## 5.4.8
+
+### Minor Analysis Improvements
+
+* C# 14: Added support for partial events.
+* C# 14: Added support for the `field` keyword in properties.
+
+### Bug Fixes
+
+* Fixed an issue where the body of a partial member could be extracted twice. When both a *defining* and an *implementing* declaration exist, only the *implementing* declaration is now extracted.

csharp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.4.7
+lastReleaseVersion: 5.4.8

csharp/ql/lib/ext/System.Net.WebSockets.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/csharp-all
+      extensible: sourceModel
+    data:
+      - ["System.Net.WebSockets", "WebSocket", True, "ReceiveAsync", "", "", "Argument[0]", "remote", "manual"]