Merge pull request #6745 from andersfugmann/handle_overflow_for_upperbound

C++: Handle overflow for upperbound
Merge pull request #6753 from github/aibaars/fix-typo
2026-05-16 12:17:07 +02:00 · 2021-09-27 10:32:49 +02:00 · 2021-09-24 17:21:14 +01:00 · 2021-09-24 18:11:08 +02:00 · 2021-09-24 16:11:27 +02:00 · 2021-09-24 15:47:09 +02:00
4154 changed files with 195291 additions and 50931 deletions
--- a/.codeqlmanifest.json
+++ b/.codeqlmanifest.json
@@ -1,4 +1,5 @@
 { "provide": [ "*/ql/src/qlpack.yml",
+               "*/ql/lib/qlpack.yml",
               "*/ql/test/qlpack.yml",
               "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml",
               "*/ql/examples/qlpack.yml",
--- a/.gitattributes
+++ b/.gitattributes
@@ -48,3 +48,6 @@
 *.gif -text
 *.dll -text
 *.pdb -text
+
+java/ql/test/stubs/**/*.java linguist-generated=true
+java/ql/test/experimental/stubs/**/*.java linguist-generated=true
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -11,6 +11,8 @@ on:
      - 'rc/*'
    paths:
      - 'csharp/**'
+      - '.github/codeql/**'
+      - '.github/workflows/codeql-analysis.yml'
  schedule:
    - cron: '0 9 * * 1'

@@ -38,8 +40,8 @@ jobs:

    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@main
+    #- name: Autobuild
+    #  uses: github/codeql-action/autobuild@main

    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 https://git.io/JvXDl
@@ -48,9 +50,8 @@ jobs:
    #    and modify them (or add more) to build your code if your project
    #    uses a compiled language

-    #- run: |
-    #   make bootstrap
-    #   make release
+    - run: |
+       dotnet build csharp

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@main
--- a/.github/workflows/csv-coverage-update.yml
+++ b/.github/workflows/csv-coverage-update.yml
@@ -8,7 +8,7 @@ on:
 jobs:
  update:
    name: Update framework coverage report
-    if: github.event.repository.fork == false
+    if: github.repository == 'github/codeql'
    runs-on: ubuntu-latest

    steps:
--- a/6
+++ b/6
@@ -17,3 +17,9 @@
 /java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll @github/codeql-java @github/codeql-go
 /java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll @github/codeql-java @github/codeql-go
 /java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll @github/codeql-java @github/codeql-go
+
+# CodeQL tools and associated docs
+/docs/codeql-cli/ @github/codeql-cli-reviewers
+/docs/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers
+/docs/ql-language-reference/ @github/codeql-frontend-reviewers
+/docs/query-*-style-guide.md @github/codeql-analysis-reviewers
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -1,332 +1,333 @@
 {
  "DataFlow Java/C++/C#/Python": [
-    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll",
-    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll",
-    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll",
-    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll",
-    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll",
-    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll",
-    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll",
-    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll",
-    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll",
-    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll",
-    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll"
+    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll",
+    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll",
+    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll",
+    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll",
+    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll",
+    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll",
+    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll"
  ],
  "DataFlow Java/C++/C#/Python Common": [
-    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll",
-    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll"
+    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll"
  ],
  "TaintTracking::Configuration Java/C++/C#/Python": [
-    "cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingImpl.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll",
-    "java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/tainttracking1/TaintTrackingImpl.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/tainttracking2/TaintTrackingImpl.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll"
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingImpl.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll",
+    "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking1/TaintTrackingImpl.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking2/TaintTrackingImpl.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll"
  ],
  "DataFlow Java/C++/C#/Python Consistency checks": [
-    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll",
-    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll"
+    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll"
  ],
  "DataFlow Java/C# Flow Summaries": [
-    "java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll"
+    "java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll"
  ],
  "SsaReadPosition Java/C#": [
-    "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
+    "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
  ],
  "Sign Java/C#": [
-    "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/Sign.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/Sign.qll"
+    "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/Sign.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/Sign.qll"
  ],
  "SignAnalysis Java/C#": [
-    "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll"
+    "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll"
  ],
  "Bound Java/C#": [
-    "java/ql/src/semmle/code/java/dataflow/Bound.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/Bound.qll"
+    "java/ql/lib/semmle/code/java/dataflow/Bound.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll"
  ],
  "ModulusAnalysis Java/C#": [
-    "java/ql/src/semmle/code/java/dataflow/ModulusAnalysis.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/ModulusAnalysis.qll"
+    "java/ql/lib/semmle/code/java/dataflow/ModulusAnalysis.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/ModulusAnalysis.qll"
  ],
  "C++ SubBasicBlocks": [
-    "cpp/ql/src/semmle/code/cpp/controlflow/SubBasicBlocks.qll",
-    "cpp/ql/src/semmle/code/cpp/dataflow/internal/SubBasicBlocks.qll"
+    "cpp/ql/lib/semmle/code/cpp/controlflow/SubBasicBlocks.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/SubBasicBlocks.qll"
  ],
  "IR Instruction": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll",
    "csharp/ql/src/experimental/ir/implementation/raw/Instruction.qll",
    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Instruction.qll"
  ],
  "IR IRBlock": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRBlock.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRBlock.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll",
    "csharp/ql/src/experimental/ir/implementation/raw/IRBlock.qll",
    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRBlock.qll"
  ],
  "IR IRVariable": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRVariable.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRVariable.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll",
    "csharp/ql/src/experimental/ir/implementation/raw/IRVariable.qll",
    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRVariable.qll"
  ],
  "IR IRFunction": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRFunction.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRFunction.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRFunction.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRFunction.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRFunction.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRFunction.qll",
    "csharp/ql/src/experimental/ir/implementation/raw/IRFunction.qll",
    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRFunction.qll"
  ],
  "IR Operand": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Operand.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Operand.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll",
    "csharp/ql/src/experimental/ir/implementation/raw/Operand.qll",
    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Operand.qll"
  ],
  "IR IRType": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/IRType.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/IRType.qll",
    "csharp/ql/src/experimental/ir/implementation/IRType.qll"
  ],
  "IR IRConfiguration": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/IRConfiguration.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/IRConfiguration.qll",
    "csharp/ql/src/experimental/ir/implementation/IRConfiguration.qll"
  ],
  "IR UseSoundEscapeAnalysis": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/UseSoundEscapeAnalysis.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/UseSoundEscapeAnalysis.qll",
    "csharp/ql/src/experimental/ir/implementation/UseSoundEscapeAnalysis.qll"
  ],
  "IR IRFunctionBase": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/IRFunctionBase.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/IRFunctionBase.qll",
    "csharp/ql/src/experimental/ir/implementation/internal/IRFunctionBase.qll"
  ],
  "IR Operand Tag": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/OperandTag.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/OperandTag.qll",
    "csharp/ql/src/experimental/ir/implementation/internal/OperandTag.qll"
  ],
  "IR TInstruction": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TInstruction.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TInstruction.qll",
    "csharp/ql/src/experimental/ir/implementation/internal/TInstruction.qll"
  ],
  "IR TIRVariable": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TIRVariable.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TIRVariable.qll",
    "csharp/ql/src/experimental/ir/implementation/internal/TIRVariable.qll"
  ],
  "IR IR": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IR.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IR.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IR.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IR.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll",
    "csharp/ql/src/experimental/ir/implementation/raw/IR.qll",
    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IR.qll"
  ],
  "IR IRConsistency": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRConsistency.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRConsistency.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRConsistency.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRConsistency.qll",
    "csharp/ql/src/experimental/ir/implementation/raw/IRConsistency.qll",
    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRConsistency.qll"
  ],
  "IR PrintIR": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/PrintIR.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/PrintIR.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll",
    "csharp/ql/src/experimental/ir/implementation/raw/PrintIR.qll",
    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/PrintIR.qll"
  ],
  "IR IntegerConstant": [
-    "cpp/ql/src/semmle/code/cpp/ir/internal/IntegerConstant.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/internal/IntegerConstant.qll",
    "csharp/ql/src/experimental/ir/internal/IntegerConstant.qll"
  ],
  "IR IntegerInteval": [
-    "cpp/ql/src/semmle/code/cpp/ir/internal/IntegerInterval.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/internal/IntegerInterval.qll",
    "csharp/ql/src/experimental/ir/internal/IntegerInterval.qll"
  ],
  "IR IntegerPartial": [
-    "cpp/ql/src/semmle/code/cpp/ir/internal/IntegerPartial.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/internal/IntegerPartial.qll",
    "csharp/ql/src/experimental/ir/internal/IntegerPartial.qll"
  ],
  "IR Overlap": [
-    "cpp/ql/src/semmle/code/cpp/ir/internal/Overlap.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/internal/Overlap.qll",
    "csharp/ql/src/experimental/ir/internal/Overlap.qll"
  ],
  "IR EdgeKind": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/EdgeKind.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll",
    "csharp/ql/src/experimental/ir/implementation/EdgeKind.qll"
  ],
  "IR MemoryAccessKind": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll",
    "csharp/ql/src/experimental/ir/implementation/MemoryAccessKind.qll"
  ],
  "IR TempVariableTag": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/TempVariableTag.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/TempVariableTag.qll",
    "csharp/ql/src/experimental/ir/implementation/TempVariableTag.qll"
  ],
  "IR Opcode": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/Opcode.qll",
    "csharp/ql/src/experimental/ir/implementation/Opcode.qll"
  ],
  "IR SSAConsistency": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.qll",
    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConsistency.qll"
  ],
  "C++ IR InstructionImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/InstructionImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/InstructionImports.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/InstructionImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/InstructionImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/InstructionImports.qll"
  ],
  "C++ IR IRImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRImports.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRImports.qll"
  ],
  "C++ IR IRBlockImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRBlockImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRBlockImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRBlockImports.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRBlockImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRBlockImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRBlockImports.qll"
  ],
  "C++ IR IRFunctionImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRFunctionImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRFunctionImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRFunctionImports.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRFunctionImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRFunctionImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRFunctionImports.qll"
  ],
  "C++ IR IRVariableImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRVariableImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRVariableImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRVariableImports.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRVariableImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRVariableImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRVariableImports.qll"
  ],
  "C++ IR OperandImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/OperandImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/OperandImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/OperandImports.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/OperandImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/OperandImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/OperandImports.qll"
  ],
  "C++ IR PrintIRImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/PrintIRImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintIRImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintIRImports.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/PrintIRImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintIRImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintIRImports.qll"
  ],
  "C++ SSA SSAConstructionImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstructionImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstructionImports.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstructionImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstructionImports.qll"
  ],
  "SSA AliasAnalysis": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll",
    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll"
  ],
  "SSA PrintAliasAnalysis": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintAliasAnalysis.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintAliasAnalysis.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintAliasAnalysis.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintAliasAnalysis.qll"
  ],
  "C++ SSA AliasAnalysisImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysisImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysisImports.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysisImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysisImports.qll"
  ],
  "C++ IR ValueNumberingImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingImports.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingImports.qll"
  ],
  "IR SSA SimpleSSA": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll",
    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll"
  ],
  "IR AliasConfiguration (unaliased_ssa)": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll",
    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll"
  ],
  "IR SSA SSAConstruction": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll",
    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll"
  ],
  "IR SSA PrintSSA": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll",
    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/PrintSSA.qll"
  ],
  "IR ValueNumberInternal": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingInternal.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingInternal.qll",
    "csharp/ql/src/experimental/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll",
    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll"
  ],
  "C++ IR ValueNumber": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll",
    "csharp/ql/src/experimental/ir/implementation/raw/gvn/ValueNumbering.qll",
    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll"
  ],
  "C++ IR PrintValueNumbering": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/PrintValueNumbering.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/PrintValueNumbering.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/PrintValueNumbering.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/PrintValueNumbering.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/PrintValueNumbering.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/PrintValueNumbering.qll",
    "csharp/ql/src/experimental/ir/implementation/raw/gvn/PrintValueNumbering.qll",
    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/PrintValueNumbering.qll"
  ],
  "C++ IR ConstantAnalysis": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/constant/ConstantAnalysis.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/constant/ConstantAnalysis.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/constant/ConstantAnalysis.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/constant/ConstantAnalysis.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/constant/ConstantAnalysis.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/constant/ConstantAnalysis.qll"
  ],
  "C++ IR PrintConstantAnalysis": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/constant/PrintConstantAnalysis.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/constant/PrintConstantAnalysis.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/constant/PrintConstantAnalysis.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/constant/PrintConstantAnalysis.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/constant/PrintConstantAnalysis.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/constant/PrintConstantAnalysis.qll"
  ],
  "C++ IR ReachableBlock": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/ReachableBlock.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/ReachableBlock.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/reachability/ReachableBlock.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/ReachableBlock.qll"
  ],
  "C++ IR PrintReachableBlock": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintReachableBlock.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintReachableBlock.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintReachableBlock.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintReachableBlock.qll"
  ],
  "C++ IR Dominance": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/Dominance.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/Dominance.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/reachability/Dominance.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/Dominance.qll"
  ],
  "C++ IR PrintDominance": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintDominance.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintDominance.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintDominance.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintDominance.qll"
  ],
  "C# IR InstructionImports": [
    "csharp/ql/src/experimental/ir/implementation/raw/internal/InstructionImports.qll",
@@ -361,8 +362,8 @@
    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll"
  ],
  "C# ControlFlowReachability": [
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/ControlFlowReachability.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/ControlFlowReachability.qll"
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/ControlFlowReachability.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ControlFlowReachability.qll"
  ],
  "Inline Test Expectations": [
    "cpp/ql/test/TestUtilities/InlineExpectationsTest.qll",
@@ -378,11 +379,11 @@
    "cpp/ql/src/Security/CWE/CWE-020/ir/SafeExternalAPIFunction.qll"
  ],
  "XML": [
-    "cpp/ql/src/semmle/code/cpp/XML.qll",
-    "csharp/ql/src/semmle/code/csharp/XML.qll",
-    "java/ql/src/semmle/code/xml/XML.qll",
-    "javascript/ql/src/semmle/javascript/XML.qll",
-    "python/ql/src/semmle/python/xml/XML.qll"
+    "cpp/ql/lib/semmle/code/cpp/XML.qll",
+    "csharp/ql/lib/semmle/code/csharp/XML.qll",
+    "java/ql/lib/semmle/code/xml/XML.qll",
+    "javascript/ql/lib/semmle/javascript/XML.qll",
+    "python/ql/lib/semmle/python/xml/XML.qll"
  ],
  "DuplicationProblems.inc.qhelp": [
    "cpp/ql/src/Metrics/Files/DuplicationProblems.inc.qhelp",
@@ -436,29 +437,29 @@
    "python/ql/src/analysis/IDEContextual.qll"
  ],
  "SSA C#": [
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll",
-    "csharp/ql/src/semmle/code/csharp/controlflow/internal/pressa/SsaImplCommon.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/basessa/SsaImplCommon.qll",
-    "csharp/ql/src/semmle/code/cil/internal/SsaImplCommon.qll"
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll",
+    "csharp/ql/lib/semmle/code/csharp/controlflow/internal/pressa/SsaImplCommon.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/basessa/SsaImplCommon.qll",
+    "csharp/ql/lib/semmle/code/cil/internal/SsaImplCommon.qll"
  ],
  "CryptoAlgorithms Python/JS": [
-    "javascript/ql/src/semmle/javascript/security/CryptoAlgorithms.qll",
-    "python/ql/src/semmle/python/concepts/CryptoAlgorithms.qll"
+    "javascript/ql/lib/semmle/javascript/security/CryptoAlgorithms.qll",
+    "python/ql/lib/semmle/python/concepts/CryptoAlgorithms.qll"
  ],
  "SensitiveDataHeuristics Python/JS": [
-    "javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll",
-    "python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll"
+    "javascript/ql/lib/semmle/javascript/security/internal/SensitiveDataHeuristics.qll",
+    "python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qll"
  ],
  "ReDoS Util Python/JS": [
-    "javascript/ql/src/semmle/javascript/security/performance/ReDoSUtil.qll",
-    "python/ql/src/semmle/python/security/performance/ReDoSUtil.qll"
+    "javascript/ql/lib/semmle/javascript/security/performance/ReDoSUtil.qll",
+    "python/ql/lib/semmle/python/security/performance/ReDoSUtil.qll"
  ],
  "ReDoS Exponential Python/JS": [
-    "javascript/ql/src/semmle/javascript/security/performance/ExponentialBackTracking.qll",
-    "python/ql/src/semmle/python/security/performance/ExponentialBackTracking.qll"
+    "javascript/ql/lib/semmle/javascript/security/performance/ExponentialBackTracking.qll",
+    "python/ql/lib/semmle/python/security/performance/ExponentialBackTracking.qll"
  ],
  "ReDoS Polynomial Python/JS": [
-    "javascript/ql/src/semmle/javascript/security/performance/SuperlinearBackTracking.qll",
-    "python/ql/src/semmle/python/security/performance/SuperlinearBackTracking.qll"
+    "javascript/ql/lib/semmle/javascript/security/performance/SuperlinearBackTracking.qll",
+    "python/ql/lib/semmle/python/security/performance/SuperlinearBackTracking.qll"
  ]
-}
+}
--- a/cpp/change-notes/2021-06-22-sql-tainted.md
+++ b/cpp/change-notes/2021-06-22-sql-tainted.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The 'Uncontrolled data in SQL query' (cpp/sql-injection) query now supports the `libpqxx` library.
--- a/cpp/change-notes/2021-07-13-cleartext-storage-file.md
+++ b/cpp/change-notes/2021-07-13-cleartext-storage-file.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* The "Cleartext storage of sensitive information in file" (cpp/cleartext-storage-file) query now uses dataflow to produce additional results.
+* Heuristics in the SensitiveExprs.qll library have been improved, making the "Cleartext storage of sensitive information in file" (cpp/cleartext-storage-file), "Cleartext storage of sensitive information in buffer" (cpp/cleartext-storage-buffer) and "Cleartext storage of sensitive information in an SQLite" (cpp/cleartext-storage-database) queries more accurate.
--- a/cpp/change-notes/2021-07-20-toctou-race-condition.md
+++ b/cpp/change-notes/2021-07-20-toctou-race-condition.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Improvements have been made to the `cpp/toctou-race-condition` query, both to find more correct results and fewer false positive results.
--- a/cpp/change-notes/2021-07-27-uncontrolled-arithmetic.md
+++ b/cpp/change-notes/2021-07-27-uncontrolled-arithmetic.md
@@ -0,0 +1,2 @@
+lgtm
+* Improvements made to the (`cpp/uncontrolled-arithmetic`) query, reducing the frequency of false positive results.
--- a/cpp/change-notes/2021-07-29-virtual-function-declaration-specifiers.md
+++ b/cpp/change-notes/2021-07-29-virtual-function-declaration-specifiers.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Virtual function specifiers are now accessible via the new predicates on `Function` (`.isDeclaredVirtual`, `.isOverride`, and `.isFinal`).
--- a/cpp/change-notes/2021-08-10-has-trailing-return-type.md
+++ b/cpp/change-notes/2021-08-10-has-trailing-return-type.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added `Function.hasTrailingReturnType` predicate to check whether a function was declared with a trailing return type.
--- a/cpp/change-notes/2021-08-17-has-c-linkage.md
+++ b/cpp/change-notes/2021-08-17-has-c-linkage.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added `RoutineType.hasCLinkage` predicate to check whether a function type has "C" language linkage.
--- a/cpp/change-notes/2021-08-23-ctime-weaken-claims.md
+++ b/cpp/change-notes/2021-08-23-ctime-weaken-claims.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Lowered the precision of `cpp/potentially-dangerous-function` so it is run but not displayed on LGTM by default and so it's only run and displayed on Code Scanning if a broader suite like `cpp-security-extended` is opted into.
--- a/cpp/change-notes/2021-08-23-getPrimaryQlClasses.md
+++ b/cpp/change-notes/2021-08-23-getPrimaryQlClasses.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added `Element.getPrimaryQlClasses()` predicate, which gets a comma-separated list of the names of the primary CodeQL classes to which this element belongs.
--- a/cpp/change-notes/2021-08-24-implicit-downcast-from-bitfield.md
+++ b/cpp/change-notes/2021-08-24-implicit-downcast-from-bitfield.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query `cpp/implicit-bitfield-downcast` now accounts for C++ reference types, which leads to more true positive results.
--- a/cpp/change-notes/2021-08-31-range-analysis-upper-bound.md
+++ b/cpp/change-notes/2021-08-31-range-analysis-upper-bound.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The `SimpleRangeAnalysis` library includes information from the
+  immediate guard for determining the upper bound of a stack
+  variable for improved accuracy.
--- a/cpp/change-notes/2021-09-13-overflow-static.md
+++ b/cpp/change-notes/2021-09-13-overflow-static.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The `memberMayBeVarSize` predicate considers more fields to be variable size.
+  As a result, the "Static buffer overflow" query (cpp/static-buffer-overflow)
+  produces fewer false positives.
--- a/cpp/ql/examples/qlpack.lock.yml
+++ b/cpp/ql/examples/qlpack.lock.yml
@@ -0,0 +1,4 @@
+---
+dependencies: {}
+compiled: false
+lockVersion: 1.0.0
--- a/cpp/ql/examples/qlpack.yml
+++ b/cpp/ql/examples/qlpack.yml
@@ -1,3 +1,4 @@
-name: codeql-cpp-examples
-version: 0.0.0
-libraryPathDependencies: codeql-cpp
+name: codeql/cpp-examples
+version: 0.0.2
+dependencies:
+  codeql/cpp-all: "*"
--- a/cpp/ql/lib/DefaultOptions.qll
+++ b/cpp/ql/lib/DefaultOptions.qll
--- a/cpp/ql/lib/Options.qll
+++ b/cpp/ql/lib/Options.qll
--- a/cpp/ql/lib/cpp.qll
+++ b/cpp/ql/lib/cpp.qll
--- a/cpp/ql/lib/experimental/semmle/code/cpp/models/interfaces/SimpleRangeAnalysisDefinition.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/models/interfaces/SimpleRangeAnalysisDefinition.qll
--- a/cpp/ql/lib/experimental/semmle/code/cpp/models/interfaces/SimpleRangeAnalysisExpr.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/models/interfaces/SimpleRangeAnalysisExpr.qll
--- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/ArrayLengthAnalysis.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/ArrayLengthAnalysis.qll
--- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/Bound.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/Bound.qll
--- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/ExtendedRangeAnalysis.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/ExtendedRangeAnalysis.qll
--- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/InBoundsPointerDeref.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/InBoundsPointerDeref.qll
--- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/RangeAnalysis.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/RangeAnalysis.qll
--- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/RangeUtils.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/RangeUtils.qll
--- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/SignAnalysis.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/SignAnalysis.qll
--- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/ConstantBitwiseAndExprRange.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/ConstantBitwiseAndExprRange.qll
--- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/SubtractSelf.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/SubtractSelf.qll
--- a/cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll
--- a/cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateData.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateData.qll
--- a/cpp/ql/lib/external/ExternalArtifact.qll
+++ b/cpp/ql/lib/external/ExternalArtifact.qll
--- a/cpp/ql/lib/qlpack.lock.yml
+++ b/cpp/ql/lib/qlpack.lock.yml
@@ -0,0 +1,4 @@
+---
+dependencies: {}
+compiled: false
+lockVersion: 1.0.0
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -0,0 +1,7 @@
+name: codeql/cpp-all
+version: 0.0.2
+dbscheme: semmlecode.cpp.dbscheme
+extractor: cpp
+library: true
+dependencies:
+  codeql/cpp-upgrades: 0.0.2
--- a/cpp/ql/lib/semmle/code/cpp/ASTConsistency.ql
+++ b/cpp/ql/lib/semmle/code/cpp/ASTConsistency.ql
--- a/cpp/ql/lib/semmle/code/cpp/AutogeneratedFile.qll
+++ b/cpp/ql/lib/semmle/code/cpp/AutogeneratedFile.qll
--- a/cpp/ql/lib/semmle/code/cpp/Class.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Class.qll
--- a/cpp/ql/lib/semmle/code/cpp/Comments.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Comments.qll
--- a/cpp/ql/lib/semmle/code/cpp/Compilation.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Compilation.qll
--- a/cpp/ql/lib/semmle/code/cpp/Declaration.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Declaration.qll
--- a/cpp/ql/lib/semmle/code/cpp/Diagnostics.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Diagnostics.qll
--- a/cpp/ql/lib/semmle/code/cpp/Element.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Element.qll
@@ -58,6 +58,11 @@ class ElementBase extends @element {
  /** DEPRECATED: use `getAPrimaryQlClass` instead. */
  deprecated string getCanonicalQLClass() { result = this.getAPrimaryQlClass() }

+  /**
+   * Gets a comma-separated list of the names of the primary CodeQL classes to which this element belongs.
+   */
+  final string getPrimaryQlClasses() { result = concat(getAPrimaryQlClass(), ",") }
+
  /**
   * Gets the name of a primary CodeQL class to which this element belongs.
   *
--- a/cpp/ql/lib/semmle/code/cpp/Enclosing.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Enclosing.qll
--- a/cpp/ql/lib/semmle/code/cpp/Enum.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Enum.qll
--- a/cpp/ql/lib/semmle/code/cpp/Field.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Field.qll
--- a/cpp/ql/lib/semmle/code/cpp/File.qll
+++ b/cpp/ql/lib/semmle/code/cpp/File.qll
@@ -171,7 +171,7 @@ class Container extends Locatable, @container {
 * To get the full path, use `getAbsolutePath`.
 */
 class Folder extends Container, @folder {
-  override string getAbsolutePath() { folders(underlyingElement(this), result, _) }
+  override string getAbsolutePath() { folders(underlyingElement(this), result) }

  override Location getLocation() {
    result.getContainer() = this and
@@ -190,7 +190,7 @@ class Folder extends Container, @folder {
   * DEPRECATED: use `getAbsolutePath` instead.
   * Gets the name of this folder.
   */
-  deprecated string getName() { folders(underlyingElement(this), result, _) }
+  deprecated string getName() { folders(underlyingElement(this), result) }

  /**
   * DEPRECATED: use `getAbsolutePath` instead.
@@ -208,17 +208,7 @@ class Folder extends Container, @folder {
   * DEPRECATED: use `getBaseName` instead.
   * Gets the last part of the folder name.
   */
-  deprecated string getShortName() {
-    exists(string longnameRaw, string longname |
-      folders(underlyingElement(this), _, longnameRaw) and
-      longname = longnameRaw.replaceAll("\\", "/")
-    |
-      exists(int index |
-        result = longname.splitAt("/", index) and
-        not exists(longname.splitAt("/", index + 1))
-      )
-    )
-  }
+  deprecated string getShortName() { result = this.getBaseName() }

  /**
   * DEPRECATED: use `getParentContainer` instead.
@@ -242,7 +232,7 @@ class Folder extends Container, @folder {
 * `getStem` and `getExtension`. To get the full path, use `getAbsolutePath`.
 */
 class File extends Container, @file {
-  override string getAbsolutePath() { files(underlyingElement(this), result, _, _, _) }
+  override string getAbsolutePath() { files(underlyingElement(this), result) }

  override string toString() { result = Container.super.toString() }

@@ -336,7 +326,13 @@ class File extends Container, @file {
   * for example, for "file.tar.gz", this predicate will have the result
   * "tar.gz", while `getExtension` will have the result "gz".
   */
-  string getExtensions() { files(underlyingElement(this), _, _, result, _) }
+  string getExtensions() {
+    exists(string name, int firstDotPos |
+      name = this.getBaseName() and
+      firstDotPos = min([name.indexOf("."), name.length() - 1]) and
+      result = name.suffix(firstDotPos + 1)
+    )
+  }

  /**
   * Gets the short name of this file, that is, the prefix of its base name up
@@ -351,7 +347,16 @@ class File extends Container, @file {
   * for example, for "file.tar.gz", this predicate will have the result
   * "file", while `getStem` will have the result "file.tar".
   */
-  string getShortName() { files(underlyingElement(this), _, result, _, _) }
+  string getShortName() {
+    exists(string name, int firstDotPos |
+      name = this.getBaseName() and
+      firstDotPos = min([name.indexOf("."), name.length()]) and
+      result = name.prefix(firstDotPos)
+    )
+    or
+    this.getAbsolutePath() = "" and
+    result = ""
+  }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/FriendDecl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/FriendDecl.qll
--- a/cpp/ql/lib/semmle/code/cpp/Function.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Function.qll
@@ -82,9 +82,23 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
  /** Holds if this function is inline. */
  predicate isInline() { this.hasSpecifier("inline") }

-  /** Holds if this function is virtual. */
+  /**
+   * Holds if this function is virtual.
+   *
+   * Unlike `isDeclaredVirtual()`, `isVirtual()` holds even if the function
+   * is not explicitly declared with the `virtual` specifier.
+   */
  predicate isVirtual() { this.hasSpecifier("virtual") }

+  /** Holds if this function is declared with the `virtual` specifier. */
+  predicate isDeclaredVirtual() { this.hasSpecifier("declared_virtual") }
+
+  /** Holds if this function is declared with the `override` specifier. */
+  predicate isOverride() { this.hasSpecifier("override") }
+
+  /** Holds if this function is declared with the `final` specifier. */
+  predicate isFinal() { this.hasSpecifier("final") }
+
  /**
   * Holds if this function is deleted.
   * This may be because it was explicitly deleted with an `= delete`
@@ -137,6 +151,20 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
   */
  predicate isNaked() { getAnAttribute().hasName("naked") }

+  /**
+   * Holds if this function has a trailing return type.
+   *
+   * Note that this is true whether or not deduction took place. For example,
+   * this holds for both `e` and `f`, but not `g` or `h`:
+   * ```
+   * auto e() -> int { return 0; }
+   * auto f() -> auto { return 0; }
+   * auto g() { return 0; }
+   * int h() { return 0; }
+   * ```
+   */
+  predicate hasTrailingReturnType() { this.hasSpecifier("has_trailing_return_type") }
+
  /** Gets the return type of this function. */
  Type getType() { function_return_type(underlyingElement(this), unresolveElement(result)) }

--- a/cpp/ql/lib/semmle/code/cpp/Include.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Include.qll
--- a/cpp/ql/lib/semmle/code/cpp/Initializer.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Initializer.qll
@@ -18,6 +18,12 @@ import semmle.code.cpp.controlflow.ControlFlowGraph
 *   ...
 * }
 * ```
+ * But _not_ `4` in the following code:
+ * ```
+ * int myUninitializedVariable;
+ * myUninitializedVariable = 4;
+ * ```
+ * Instead, this is an `Assignment`.
 */
 class Initializer extends ControlFlowNode, @initialiser {
  override Location getLocation() { initialisers(underlyingElement(this), _, _, result) }
--- a/cpp/ql/lib/semmle/code/cpp/Iteration.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Iteration.qll
--- a/cpp/ql/lib/semmle/code/cpp/Linkage.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Linkage.qll
--- a/cpp/ql/lib/semmle/code/cpp/Location.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Location.qll
--- a/cpp/ql/lib/semmle/code/cpp/Macro.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Macro.qll
--- a/cpp/ql/lib/semmle/code/cpp/Member.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Member.qll
--- a/cpp/ql/lib/semmle/code/cpp/MemberFunction.qll
+++ b/cpp/ql/lib/semmle/code/cpp/MemberFunction.qll
--- a/cpp/ql/lib/semmle/code/cpp/NameQualifiers.qll
+++ b/cpp/ql/lib/semmle/code/cpp/NameQualifiers.qll
--- a/cpp/ql/lib/semmle/code/cpp/Namespace.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Namespace.qll
--- a/cpp/ql/lib/semmle/code/cpp/NestedFields.qll
+++ b/cpp/ql/lib/semmle/code/cpp/NestedFields.qll
--- a/cpp/ql/lib/semmle/code/cpp/ObjectiveC.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ObjectiveC.qll
--- a/cpp/ql/lib/semmle/code/cpp/PODType03.qll
+++ b/cpp/ql/lib/semmle/code/cpp/PODType03.qll
--- a/cpp/ql/lib/semmle/code/cpp/Parameter.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Parameter.qll
--- a/cpp/ql/lib/semmle/code/cpp/Preprocessor.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Preprocessor.qll
--- a/cpp/ql/lib/semmle/code/cpp/Print.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Print.qll
--- a/cpp/ql/lib/semmle/code/cpp/PrintAST.ql
+++ b/cpp/ql/lib/semmle/code/cpp/PrintAST.ql
--- a/cpp/ql/lib/semmle/code/cpp/PrintAST.qll
+++ b/cpp/ql/lib/semmle/code/cpp/PrintAST.qll
@@ -46,7 +46,7 @@ private string escapeString(string s) {
 * string representation comes first in lexicographical order.
 */
 private Location getRepresentativeLocation(Locatable ast) {
-  result = rank[1](Location loc | loc = ast.getLocation() | loc order by loc.toString())
+  result = min(Location loc | loc = ast.getLocation() | loc order by loc.toString())
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/Specifier.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Specifier.qll
--- a/cpp/ql/lib/semmle/code/cpp/Struct.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Struct.qll
--- a/cpp/ql/lib/semmle/code/cpp/TestFile.qll
+++ b/cpp/ql/lib/semmle/code/cpp/TestFile.qll
--- a/cpp/ql/lib/semmle/code/cpp/Type.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Type.qll
@@ -1621,6 +1621,19 @@ class RoutineType extends Type, @routinetype {
   */
  Type getReturnType() { routinetypes(underlyingElement(this), unresolveElement(result)) }

+  /**
+   * Holds if this function type has "C" language linkage.
+   *
+   * This includes any function declared in a C source file, or explicitly marked as having "C" linkage:
+   * ```
+   * extern "C" void f();
+   * extern "C" {
+   * void g();
+   * }
+   * ```
+   */
+  predicate hasCLinkage() { this.hasSpecifier("c_linkage") }
+
  override string explain() {
    result =
      "function returning {" + this.getReturnType().explain() + "} with arguments (" +
--- a/cpp/ql/lib/semmle/code/cpp/TypedefType.qll
+++ b/cpp/ql/lib/semmle/code/cpp/TypedefType.qll
--- a/cpp/ql/lib/semmle/code/cpp/Union.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Union.qll
--- a/cpp/ql/lib/semmle/code/cpp/UserType.qll
+++ b/cpp/ql/lib/semmle/code/cpp/UserType.qll
--- a/cpp/ql/lib/semmle/code/cpp/Variable.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Variable.qll
@@ -136,6 +136,12 @@ class Variable extends Declaration, @variable {
  /**
   * Gets an assignment expression that assigns to this variable.
   * For example: `x=...` or `x+=...`.
+   *
+   * This does _not_ include the initialization of the variable. Use
+   * `Variable.getInitializer()` to get the variable's initializer,
+   * or use `Variable.getAnAssignedValue()` to get an expression that
+   * is the right-hand side of an assignment or an initialization of
+   * the varible.
   */
  Assignment getAnAssignment() { result.getLValue() = this.getAnAccess() }

--- a/cpp/ql/lib/semmle/code/cpp/XML.qll
+++ b/cpp/ql/lib/semmle/code/cpp/XML.qll
--- a/cpp/ql/lib/semmle/code/cpp/commons/Alloc.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Alloc.qll
--- a/cpp/ql/lib/semmle/code/cpp/commons/Assertions.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Assertions.qll
--- a/cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll
@@ -2,17 +2,18 @@ import cpp
 import semmle.code.cpp.dataflow.DataFlow

 /**
- * Holds if `v` is a member variable of `c` that looks like it might be variable sized in practice.  For
- * example:
+ * Holds if `v` is a member variable of `c` that looks like it might be variable sized
+ * in practice. For example:
 * ```
 * struct myStruct { // c
 *   int amount;
 *   char data[1]; // v
 * };
 * ```
- * This requires that `v` is an array of size 0 or 1, and `v` is the last member of `c`.  In addition,
- * there must be at least one instance where a `c` pointer is allocated with additional space.  For
- * example, holds for `c` if it occurs as
+ * This requires that `v` is an array of size 0 or 1, and `v` is the last member of `c`.
+ * In addition, if the size of the structure is taken, there must be at least one instance
+ * where a `c` pointer is allocated with additional space.
+ * For example, holds for `c` if it occurs as
 * ```
 * malloc(sizeof(c) + 100 * sizeof(char))
 * ```
@@ -27,27 +28,25 @@ predicate memberMayBeVarSize(Class c, MemberVariable v) {
    i = max(int j | c.getCanonicalMember(j) instanceof Field | j) and
    v = c.getCanonicalMember(i) and
    // v is an array of size at most 1
-    v.getUnspecifiedType().(ArrayType).getArraySize() <= 1
+    v.getUnspecifiedType().(ArrayType).getArraySize() <= 1 and
+    not c instanceof Union
  ) and
+  // If the size is taken, then arithmetic is performed on the result at least once
  (
+    // `sizeof(c)` is not taken
+    not exists(SizeofOperator so |
+      so.(SizeofTypeOperator).getTypeOperand().getUnspecifiedType() = c or
+      so.(SizeofExprOperator).getExprOperand().getUnspecifiedType() = c
+    )
+    or
+    // or `sizeof(c)` is taken
    exists(SizeofOperator so |
-      // `sizeof(c)` is taken
      so.(SizeofTypeOperator).getTypeOperand().getUnspecifiedType() = c or
      so.(SizeofExprOperator).getExprOperand().getUnspecifiedType() = c
    |
-      // arithmetic is performed on the result
+      // and arithmetic is performed on the result
      so.getParent*() instanceof AddExpr
    )
-    or
-    exists(AddressOfExpr aoe |
-      // `&(c.v)` is taken
-      aoe.getAddressable() = v
-    )
-    or
-    exists(BuiltInOperationBuiltInOffsetOf oo |
-      // `offsetof(c, v)` using a builtin
-      oo.getAChild().(VariableAccess).getTarget() = v
-    )
  )
 }

@@ -61,6 +60,10 @@ int getBufferSize(Expr bufferExpr, Element why) {
    result = bufferVar.getUnspecifiedType().(ArrayType).getSize() and
    why = bufferVar and
    not memberMayBeVarSize(_, bufferVar) and
+    not exists(Union bufferType |
+      bufferType.getAMemberVariable() = why and
+      bufferVar.getUnspecifiedType().(ArrayType).getSize() <= 1
+    ) and
    not result = 0 // zero sized arrays are likely to have special usage, for example
    or
    // behaving a bit like a 'union' overlapping other fields.
@@ -82,6 +85,13 @@ int getBufferSize(Expr bufferExpr, Element why) {
      parentPtr.getTarget().getUnspecifiedType().(PointerType).getBaseType() = parentClass and
      result = getBufferSize(parentPtr, _) + bufferVar.getType().getSize() - parentClass.getSize()
    )
+    or
+    exists(Union bufferType |
+      bufferType.getAMemberVariable() = why and
+      why = bufferVar and
+      bufferVar.getUnspecifiedType().(ArrayType).getSize() <= 1 and
+      result = bufferType.getSize()
+    )
  )
  or
  // buffer is a fixed size dynamic allocation
--- a/cpp/ql/lib/semmle/code/cpp/commons/CommonType.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/CommonType.qll
--- a/cpp/ql/lib/semmle/code/cpp/commons/DateTime.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/DateTime.qll
--- a/cpp/ql/lib/semmle/code/cpp/commons/Dependency.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Dependency.qll
--- a/cpp/ql/lib/semmle/code/cpp/commons/Environment.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Environment.qll
--- a/cpp/ql/lib/semmle/code/cpp/commons/Exclusions.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Exclusions.qll
--- a/cpp/ql/lib/semmle/code/cpp/commons/File.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/File.qll
--- a/cpp/ql/lib/semmle/code/cpp/commons/NULL.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/NULL.qll
--- a/cpp/ql/lib/semmle/code/cpp/commons/NullTermination.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/NullTermination.qll
--- a/cpp/ql/lib/semmle/code/cpp/commons/PolymorphicClass.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/PolymorphicClass.qll
--- a/cpp/ql/lib/semmle/code/cpp/commons/Printf.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Printf.qll
--- a/cpp/ql/lib/semmle/code/cpp/commons/Scanf.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Scanf.qll
--- a/cpp/ql/lib/semmle/code/cpp/commons/Strcat.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Strcat.qll
--- a/cpp/ql/lib/semmle/code/cpp/commons/StringAnalysis.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/StringAnalysis.qll
--- a/cpp/ql/lib/semmle/code/cpp/commons/StructLikeClass.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/StructLikeClass.qll
--- a/cpp/ql/lib/semmle/code/cpp/commons/Synchronization.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Synchronization.qll
--- a/cpp/ql/lib/semmle/code/cpp/commons/VoidContext.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/VoidContext.qll
--- a/cpp/ql/lib/semmle/code/cpp/commons/unix/Constants.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/unix/Constants.qll
--- a/Show More
+++ b/Show More