Merge pull request #7551 from MathiasVP/fix-join-orders-in-unsigned-difference-expr-query

C++: Fix join orders in `cpp/unsigned-difference-expression-compared-zero`
C++: Fix join orders in 'exprIsSubLeftOrLess'.
2026-05-21 06:37:10 +02:00 · 2022-01-12 08:29:03 +00:00 · 2022-01-10 17:28:14 +00:00 · 2022-01-10 17:03:40 +00:00 · 2022-01-04 18:57:43 +01:00 · 2022-01-04 14:44:56 +00:00
1573 changed files with 96829 additions and 10141 deletions
--- a/.codeqlmanifest.json
+++ b/.codeqlmanifest.json
@@ -11,7 +11,9 @@
        "misc/legacy-support/*/qlpack.yml",
        "misc/suite-helpers/qlpack.yml",
        "ruby/extractor-pack/codeql-extractor.yml",
-        "ruby/ql/consistency-queries/qlpack.yml"
+        "ruby/ql/consistency-queries/qlpack.yml",
+        "ql/ql/consistency-queries/qlpack.yml",
+        "ql/extractor-pack/codeql-extractor.yml"
    ],
    "versionPolicies": {
      "default": {
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -26,3 +26,6 @@ documentation:
  - "**/*.qhelp"
  - "**/*.md"
  - docs/**/*
+
+"QL-for-QL": 
+  - ql/**/*
--- a/.github/workflows/check-change-note.yml
+++ b/.github/workflows/check-change-note.yml
@@ -7,6 +7,7 @@ on:
      - "*/ql/src/**/*.ql"
      - "*/ql/src/**/*.qll"
      - "!**/experimental/**"
+      - "!ql/**"

 jobs:
  check-change-note:
--- a/.github/workflows/ql-for-ql-build.yml
+++ b/.github/workflows/ql-for-ql-build.yml
@@ -0,0 +1,192 @@
+name: Run QL for QL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  queries:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Find codeql
+        id: find-codeql
+        uses: github/codeql-action/init@erik-krogh/ql
+        with:
+          languages: javascript # does not matter
+      - name: Get CodeQL version
+        id: get-codeql-version
+        run: |
+          echo "::set-output name=version::$("${CODEQL}" --version | head -n 1 | rev | cut -d " " -f 1 | rev)"
+        shell: bash
+        env:
+          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
+      - name: Cache queries
+        id: cache-queries
+        uses: actions/cache@v2
+        with:
+          path: ${{ runner.temp }}/query-pack.zip
+          key: queries-${{ hashFiles('ql/**/*.ql*') }}-${{ hashFiles('ql/ql/src/ql.dbscheme*') }}-${{ steps.get-codeql-version.outputs.version }}
+      - name: Build query pack
+        if: steps.cache-queries.outputs.cache-hit != 'true'
+        run: |
+          cd ql/ql/src
+          "${CODEQL}" pack create
+          cd .codeql/pack/codeql/ql-all/0.0.0
+          zip "${PACKZIP}" -r .
+        env:
+          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
+          PACKZIP: ${{ runner.temp }}/query-pack.zip
+      - name: Upload query pack
+        uses: actions/upload-artifact@v2
+        with:
+          name: query-pack-zip
+          path: ${{ runner.temp }}/query-pack.zip
+
+  extractors:
+    strategy:
+      fail-fast: false
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: Cache entire extractor
+        id: cache-extractor
+        uses: actions/cache@v2
+        with:
+          path: |
+            ql/target/release/ql-autobuilder
+            ql/target/release/ql-autobuilder.exe
+            ql/target/release/ql-extractor
+            ql/target/release/ql-extractor.exe
+          key: ${{ runner.os }}-extractor-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('ql/**/*.rs') }}
+      - name: Cache cargo
+        if: steps.cache-extractor.outputs.cache-hit != 'true'
+        uses: actions/cache@v2
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            ql/target
+          key: ${{ runner.os }}-rust-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
+      - name: Check formatting
+        if: steps.cache-extractor.outputs.cache-hit != 'true'
+        run: cd ql; cargo fmt --all -- --check
+      - name: Build
+        if: steps.cache-extractor.outputs.cache-hit != 'true'
+        run: cd ql; cargo build --verbose
+      - name: Run tests
+        if: steps.cache-extractor.outputs.cache-hit != 'true'
+        run: cd ql; cargo test --verbose
+      - name: Release build
+        if: steps.cache-extractor.outputs.cache-hit != 'true'
+        run: cd ql; cargo build --release
+      - name: Generate dbscheme
+        if: steps.cache-extractor.outputs.cache-hit != 'true'
+        run: ql/target/release/ql-generator --dbscheme ql/ql/src/ql.dbscheme --library ql/ql/src/codeql_ql/ast/internal/TreeSitter.qll
+      - uses: actions/upload-artifact@v2
+        with:
+          name: extractor-ubuntu-latest
+          path: |
+            ql/target/release/ql-autobuilder
+            ql/target/release/ql-autobuilder.exe
+            ql/target/release/ql-extractor
+            ql/target/release/ql-extractor.exe
+          retention-days: 1
+  package:
+    runs-on: ubuntu-latest
+
+    needs:
+      - extractors
+      - queries
+
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/download-artifact@v2
+        with:
+          name: query-pack-zip
+          path: query-pack-zip
+      - uses: actions/download-artifact@v2
+        with:
+          name: extractor-ubuntu-latest
+          path: linux64
+      - run: |
+          unzip query-pack-zip/*.zip -d pack
+          cp -r ql/codeql-extractor.yml ql/tools ql/ql/src/ql.dbscheme.stats pack/
+          mkdir -p pack/tools/linux64
+          if [[ -f linux64/ql-autobuilder ]]; then
+            cp linux64/ql-autobuilder pack/tools/linux64/autobuilder
+            chmod +x pack/tools/linux64/autobuilder
+          fi
+          if [[ -f linux64/ql-extractor ]]; then
+            cp linux64/ql-extractor pack/tools/linux64/extractor
+            chmod +x pack/tools/linux64/extractor
+          fi
+          cd pack
+          zip -rq ../codeql-ql.zip .
+      - uses: actions/upload-artifact@v2
+        with:
+          name: codeql-ql-pack
+          path: codeql-ql.zip
+          retention-days: 1
+  analyze:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        folder: [cpp, csharp, java, javascript, python, ql, ruby]
+
+    needs:
+      - package
+
+    steps:
+      - name: Download pack
+        uses: actions/download-artifact@v2
+        with:
+          name: codeql-ql-pack
+          path: ${{ runner.temp }}/codeql-ql-pack-artifact
+
+      - name: Prepare pack
+        run: |
+          unzip "${PACK_ARTIFACT}/*.zip" -d "${PACK}"
+        env:
+          PACK_ARTIFACT: ${{ runner.temp }}/codeql-ql-pack-artifact
+          PACK: ${{ runner.temp }}/pack
+      - name: Hack codeql-action options
+        run: |
+          JSON=$(jq -nc --arg pack "${PACK}" '.resolve.queries=["--search-path", $pack] | .resolve.extractor=["--search-path", $pack] | .database.init=["--search-path", $pack]')
+          echo "CODEQL_ACTION_EXTRA_OPTIONS=${JSON}" >> ${GITHUB_ENV}
+        env:
+          PACK: ${{ runner.temp }}/pack
+
+      - name: Checkout repository
+        uses: actions/checkout@v2
+      - name: Create CodeQL config file
+        run: |
+          echo "paths:" > ${CONF}
+          echo "  - ${FOLDER}" >> ${CONF}
+          echo "paths-ignore:" >> ${CONF}
+          echo "  - ql/ql/test" >> ${CONF}
+          echo "Config file: "
+          cat ${CONF}
+        env: 
+          CONF: ./ql-for-ql-config.yml
+          FOLDER: ${{ matrix.folder }}
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@erik-krogh/ql
+        with:
+          languages: ql
+          db-location: ${{ runner.temp }}/db
+          config-file: ./ql-for-ql-config.yml
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@erik-krogh/ql
+        with: 
+          category: "ql-for-ql-${{ matrix.folder }}"
+
--- a/.github/workflows/ql-for-ql-dataset_measure.yml
+++ b/.github/workflows/ql-for-ql-dataset_measure.yml
@@ -0,0 +1,84 @@
+name: Collect database stats for QL for QL
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - ql/ql/src/ql.dbscheme
+  pull_request:
+    branches: [main]
+    paths:
+      - ql/ql/src/ql.dbscheme
+  workflow_dispatch:
+
+jobs:
+  measure:
+    env:
+      CODEQL_THREADS: 4 # TODO: remove this once it's set by the CLI
+    strategy:
+      matrix:
+        repo: 
+          - github/codeql
+          - github/codeql-go
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Find codeql
+        id: find-codeql
+        uses: github/codeql-action/init@erik-krogh/ql
+        with:
+          languages: javascript # does not matter
+      - uses: actions/cache@v2
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            ql/target
+          key: ${{ runner.os }}-qltest-cargo-${{ hashFiles('**/Cargo.lock') }}
+      - name: Build Extractor
+        run: cd ql; env "PATH=$PATH:`dirname ${CODEQL}`" ./create-extractor-pack.sh
+        env:
+          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
+      - name: Checkout ${{ matrix.repo }}
+        uses: actions/checkout@v2
+        with:
+          repository: ${{ matrix.repo }}
+          path: ${{ github.workspace }}/repo
+      - name: Create database
+        run: |
+          "${CODEQL}" database create \
+            --search-path "ql/extractor-pack" \
+            --threads 4 \
+            --language ql --source-root "${{ github.workspace }}/repo" \
+            "${{ runner.temp }}/database"
+        env:
+          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
+      - name: Measure database
+        run: |
+          mkdir -p "stats/${{ matrix.repo }}"
+          "${CODEQL}" dataset measure --threads 4 --output "stats/${{ matrix.repo }}/stats.xml" "${{ runner.temp }}/database/db-ql"
+        env:
+          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
+      - uses: actions/upload-artifact@v2
+        with:
+          name: measurements
+          path: stats
+          retention-days: 1
+
+  merge:
+    runs-on: ubuntu-latest
+    needs: measure
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/download-artifact@v2
+        with:
+          name: measurements
+          path: stats
+      - run: |
+          python -m pip install --user lxml
+          find stats -name 'stats.xml' -print0 | sort -z | xargs -0 python ql/scripts/merge_stats.py --output ql/ql/src/ql.dbscheme.stats --normalise ql_tokeninfo
+      - uses: actions/upload-artifact@v2
+        with:
+          name: ql.dbscheme.stats
+          path: ql/ql/src/ql.dbscheme.stats
--- a/.github/workflows/ql-for-ql-tests.yml
+++ b/.github/workflows/ql-for-ql-tests.yml
@@ -0,0 +1,52 @@
+name: Run QL for QL Tests
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "ql/**"
+  pull_request:
+    branches: [main]
+    paths:
+      - "ql/**"
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  qltest:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Find codeql
+        id: find-codeql
+        uses: github/codeql-action/init@erik-krogh/ql
+        with:
+          languages: javascript # does not matter
+      - uses: actions/cache@v2
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            ql/target
+          key: ${{ runner.os }}-qltest-cargo-${{ hashFiles('**/Cargo.lock') }}
+      - name: Build extractor
+        run: |
+          cd ql;
+          codeqlpath=$(dirname ${{ steps.find-codeql.outputs.codeql-path }});
+          env "PATH=$PATH:$codeqlpath" ./create-extractor-pack.sh
+      - name: Run QL tests
+        run: | 
+          "${CODEQL}" test run --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --search-path "${{ github.workspace }}/ql/extractor-pack" --consistency-queries ql/ql/consistency-queries ql/ql/test
+        env:
+          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
+      - name: Check QL formatting
+        run: | 
+          find ql/ql "(" -name "*.ql" -or -name "*.qll" ")" -print0 | xargs -0 "${CODEQL}" query format --check-only
+        env:
+          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
+      - name: Check QL compilation
+        run: | 
+          "${CODEQL}" query compile --check-only --threads=4 --warnings=error --search-path "${{ github.workspace }}/ql/extractor-pack" "ql/ql/src" "ql/ql/examples"
+        env:
+          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
--- a/.github/workflows/ruby-dataset-measure.yml
+++ b/.github/workflows/ruby-dataset-measure.yml
@@ -24,7 +24,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        repo: [rails/rails, discourse/discourse, spree/spree]
+        repo: [rails/rails, discourse/discourse, spree/spree, ruby/ruby]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
--- a/3
+++ b/3
@@ -25,3 +25,6 @@
 /docs/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers
 /docs/ql-language-reference/ @github/codeql-frontend-reviewers
 /docs/query-*-style-guide.md @github/codeql-analysis-reviewers
+
+# QL for QL reviewers
+/ql/ @erik-krogh @tausbn
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -452,9 +452,15 @@
    "ruby/ql/lib/codeql/ruby/dataflow/internal/SsaImplCommon.qll",
    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll"
  ],
-  "CryptoAlgorithms Python/JS": [
+  "CryptoAlgorithms Python/JS/Ruby": [
    "javascript/ql/lib/semmle/javascript/security/CryptoAlgorithms.qll",
-    "python/ql/lib/semmle/python/concepts/CryptoAlgorithms.qll"
+    "python/ql/lib/semmle/python/concepts/CryptoAlgorithms.qll",
+    "ruby/ql/lib/codeql/ruby/security/CryptoAlgorithms.qll"
+  ],
+  "CryptoAlgorithmNames Python/JS/Ruby": [
+    "javascript/ql/lib/semmle/javascript/security/internal/CryptoAlgorithmNames.qll",
+    "python/ql/lib/semmle/python/concepts/internal/CryptoAlgorithmNames.qll",
+    "ruby/ql/lib/codeql/ruby/security/internal/CryptoAlgorithmNames.qll"
  ],
  "SensitiveDataHeuristics Python/JS": [
    "javascript/ql/lib/semmle/javascript/security/internal/SensitiveDataHeuristics.qll",
--- a/cpp/autobuilder/Semmle.Autobuild.Cpp/Semmle.Autobuild.Cpp.csproj
+++ b/cpp/autobuilder/Semmle.Autobuild.Cpp/Semmle.Autobuild.Cpp.csproj
@@ -17,7 +17,7 @@
  </ItemGroup>

  <ItemGroup>
-    <PackageReference Include="Microsoft.Build" Version="16.9.0" />
+    <PackageReference Include="Microsoft.Build" Version="16.11.0" />
  </ItemGroup>

  <ItemGroup>
--- a/cpp/change-notes/2021-11-01-isFromSystemMacroDefinition.md
+++ b/cpp/change-notes/2021-11-01-isFromSystemMacroDefinition.md
@@ -1,4 +0,0 @@
-lgtm,codescanning
-* The QL library `semmle.code.cpp.commons.Exclusions` now contains a predicate
-  `isFromSystemMacroDefinition` for identifying code that originates from a
-  macro outside the project being analyzed.
--- a/cpp/change-notes/2021-11-09-use-of-http.md
+++ b/cpp/change-notes/2021-11-09-use-of-http.md
@@ -1,2 +0,0 @@
-lgtm,codescanning
-* A new query `cpp/non-https-url` has been added for C/C++. The query flags uses of `http` URLs that might be better replaced with `https`.
--- a/cpp/old-change-notes/2020-09-29-range-analysis-rollup.md
+++ b/cpp/old-change-notes/2020-09-29-range-analysis-rollup.md
--- a/cpp/old-change-notes/2020-10-21-erroneous-types.md
+++ b/cpp/old-change-notes/2020-10-21-erroneous-types.md
--- a/cpp/old-change-notes/2020-10-21-size-check-queries.md
+++ b/cpp/old-change-notes/2020-10-21-size-check-queries.md
--- a/cpp/old-change-notes/2020-11-02-unused-local-variable.md
+++ b/cpp/old-change-notes/2020-11-02-unused-local-variable.md
--- a/cpp/old-change-notes/2020-11-05-formatting-function.md
+++ b/cpp/old-change-notes/2020-11-05-formatting-function.md
--- a/cpp/old-change-notes/2020-11-05-private-models.md
+++ b/cpp/old-change-notes/2020-11-05-private-models.md
--- a/cpp/old-change-notes/2020-11-12-unsafe-use-of-this.md
+++ b/cpp/old-change-notes/2020-11-12-unsafe-use-of-this.md
--- a/cpp/old-change-notes/2020-11-27-downgrade-to-recommendation.md
+++ b/cpp/old-change-notes/2020-11-27-downgrade-to-recommendation.md
--- a/cpp/old-change-notes/2021-02-04-unsigned-difference-expression-compared-zero.md
+++ b/cpp/old-change-notes/2021-02-04-unsigned-difference-expression-compared-zero.md
--- a/cpp/old-change-notes/2021-02-24-memset-may-be-deleted.md
+++ b/cpp/old-change-notes/2021-02-24-memset-may-be-deleted.md
--- a/cpp/old-change-notes/2021-03-01-fluent-interface-data-flow.md
+++ b/cpp/old-change-notes/2021-03-01-fluent-interface-data-flow.md
--- a/cpp/old-change-notes/2021-03-11-failed-extractions.md
+++ b/cpp/old-change-notes/2021-03-11-failed-extractions.md
--- a/cpp/old-change-notes/2021-03-11-overflow-abs.md
+++ b/cpp/old-change-notes/2021-03-11-overflow-abs.md
--- a/cpp/old-change-notes/2021-03-17-av-rule-79.md
+++ b/cpp/old-change-notes/2021-03-17-av-rule-79.md
--- a/cpp/old-change-notes/2021-04-06-assign-where-compare-meant.md
+++ b/cpp/old-change-notes/2021-04-06-assign-where-compare-meant.md
--- a/cpp/old-change-notes/2021-04-09-unsigned-difference-expression-compared-zero.md
+++ b/cpp/old-change-notes/2021-04-09-unsigned-difference-expression-compared-zero.md
--- a/cpp/old-change-notes/2021-04-13-arithmetic-queries.md
+++ b/cpp/old-change-notes/2021-04-13-arithmetic-queries.md
--- a/cpp/old-change-notes/2021-04-21-return-stack-allocated-object.md
+++ b/cpp/old-change-notes/2021-04-21-return-stack-allocated-object.md
--- a/cpp/old-change-notes/2021-04-26-more-sound-expr-might-overflow.md
+++ b/cpp/old-change-notes/2021-04-26-more-sound-expr-might-overflow.md
--- a/cpp/old-change-notes/2021-05-10-comparison-with-wider-type.md
+++ b/cpp/old-change-notes/2021-05-10-comparison-with-wider-type.md
--- a/cpp/old-change-notes/2021-05-12-uncontrolled-arithmetic.md
+++ b/cpp/old-change-notes/2021-05-12-uncontrolled-arithmetic.md
--- a/cpp/old-change-notes/2021-05-14-uncontrolled-allocation-size.md
+++ b/cpp/old-change-notes/2021-05-14-uncontrolled-allocation-size.md
--- a/cpp/old-change-notes/2021-05-18-static-buffer-overflow.md
+++ b/cpp/old-change-notes/2021-05-18-static-buffer-overflow.md
--- a/cpp/old-change-notes/2021-05-19-weak-cryptographic-algorithm.md
+++ b/cpp/old-change-notes/2021-05-19-weak-cryptographic-algorithm.md
--- a/cpp/old-change-notes/2021-05-20-incorrect-allocation-error-handling.md
+++ b/cpp/old-change-notes/2021-05-20-incorrect-allocation-error-handling.md
--- a/cpp/old-change-notes/2021-05-20-ref-qualifiers.md
+++ b/cpp/old-change-notes/2021-05-20-ref-qualifiers.md
--- a/cpp/old-change-notes/2021-05-21-unsafe-strncat.md
+++ b/cpp/old-change-notes/2021-05-21-unsafe-strncat.md
--- a/cpp/old-change-notes/2021-06-10-cleartext-transmission.md
+++ b/cpp/old-change-notes/2021-06-10-cleartext-transmission.md
--- a/cpp/old-change-notes/2021-06-10-std-types.md
+++ b/cpp/old-change-notes/2021-06-10-std-types.md
--- a/cpp/old-change-notes/2021-06-21-weak-cryptographic-algorithm.md
+++ b/cpp/old-change-notes/2021-06-21-weak-cryptographic-algorithm.md
--- a/cpp/old-change-notes/2021-06-22-sql-tainted.md
+++ b/cpp/old-change-notes/2021-06-22-sql-tainted.md
--- a/cpp/old-change-notes/2021-06-24-dataflow-implicit-reads.md
+++ b/cpp/old-change-notes/2021-06-24-dataflow-implicit-reads.md
--- a/cpp/old-change-notes/2021-06-24-uncontrolled-arithmetic.md
+++ b/cpp/old-change-notes/2021-06-24-uncontrolled-arithmetic.md
--- a/cpp/old-change-notes/2021-06-30-wrong-type-format-argument.md
+++ b/cpp/old-change-notes/2021-06-30-wrong-type-format-argument.md
--- a/cpp/old-change-notes/2021-07-13-cleartext-storage-file.md
+++ b/cpp/old-change-notes/2021-07-13-cleartext-storage-file.md
--- a/cpp/old-change-notes/2021-07-20-toctou-race-condition.md
+++ b/cpp/old-change-notes/2021-07-20-toctou-race-condition.md
--- a/cpp/old-change-notes/2021-07-27-uncontrolled-arithmetic.md
+++ b/cpp/old-change-notes/2021-07-27-uncontrolled-arithmetic.md
--- a/cpp/old-change-notes/2021-07-29-virtual-function-declaration-specifiers.md
+++ b/cpp/old-change-notes/2021-07-29-virtual-function-declaration-specifiers.md
--- a/cpp/old-change-notes/2021-08-10-has-trailing-return-type.md
+++ b/cpp/old-change-notes/2021-08-10-has-trailing-return-type.md
--- a/cpp/old-change-notes/2021-08-17-has-c-linkage.md
+++ b/cpp/old-change-notes/2021-08-17-has-c-linkage.md
--- a/cpp/old-change-notes/2021-08-23-ctime-weaken-claims.md
+++ b/cpp/old-change-notes/2021-08-23-ctime-weaken-claims.md
--- a/cpp/old-change-notes/2021-08-23-getPrimaryQlClasses.md
+++ b/cpp/old-change-notes/2021-08-23-getPrimaryQlClasses.md
--- a/cpp/old-change-notes/2021-08-24-implicit-downcast-from-bitfield.md
+++ b/cpp/old-change-notes/2021-08-24-implicit-downcast-from-bitfield.md
--- a/cpp/old-change-notes/2021-08-31-range-analysis-upper-bound.md
+++ b/cpp/old-change-notes/2021-08-31-range-analysis-upper-bound.md
--- a/cpp/old-change-notes/2021-09-13-overflow-static.md
+++ b/cpp/old-change-notes/2021-09-13-overflow-static.md
--- a/cpp/old-change-notes/2021-09-27-command-line-injection.md
+++ b/cpp/old-change-notes/2021-09-27-command-line-injection.md
--- a/cpp/old-change-notes/2021-09-27-overflow-static.md
+++ b/cpp/old-change-notes/2021-09-27-overflow-static.md
--- a/cpp/old-change-notes/2021-10-01-improper-null-termination.md
+++ b/cpp/old-change-notes/2021-10-01-improper-null-termination.md
--- a/cpp/old-change-notes/2021-10-07-cleartext-transmission.md
+++ b/cpp/old-change-notes/2021-10-07-cleartext-transmission.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The "Cleartext transmission of sensitive information" (`cpp/cleartext-transmission`) query has been improved, reducing the number of false positive results when encryption is present.
--- a/cpp/old-change-notes/2021-10-07-extraction-errors.md
+++ b/cpp/old-change-notes/2021-10-07-extraction-errors.md
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.0.6
+
+## 0.0.5
+
 ## 0.0.4

 ### New Features
--- a/cpp/ql/lib/DefaultOptions.qll
+++ b/cpp/ql/lib/DefaultOptions.qll
@@ -73,7 +73,7 @@ class Options extends string {
   *   __assume(0);
   * ```
   * (note that in this case if the hint is wrong and the expression is reached at
-   * runtime, the program's behaviour is undefined)
+   * runtime, the program's behavior is undefined)
   */
  predicate exprExits(Expr e) {
    e.(AssumeExpr).getChild(0).(CompileTimeConstantInt).getIntValue() = 0 or
--- a/cpp/ql/lib/Options.qll
+++ b/cpp/ql/lib/Options.qll
@@ -50,7 +50,7 @@ class CustomOptions extends Options {
   *   __assume(0);
   * ```
   * (note that in this case if the hint is wrong and the expression is reached at
-   * runtime, the program's behaviour is undefined)
+   * runtime, the program's behavior is undefined)
   */
  override predicate exprExits(Expr e) { Options.super.exprExits(e) }

--- a/cpp/ql/lib/change-notes/released/0.0.5.md
+++ b/cpp/ql/lib/change-notes/released/0.0.5.md
@@ -0,0 +1 @@
+## 0.0.5
--- a/cpp/ql/lib/change-notes/released/0.0.6.md
+++ b/cpp/ql/lib/change-notes/released/0.0.6.md
@@ -0,0 +1 @@
+## 0.0.6
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.4
+lastReleaseVersion: 0.0.6
--- a/cpp/ql/lib/experimental/semmle/code/cpp/models/interfaces/SimpleRangeAnalysisDefinition.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/models/interfaces/SimpleRangeAnalysisDefinition.qll
@@ -37,7 +37,7 @@ abstract class SimpleRangeAnalysisDefinition extends RangeSsaDefinition {
   * dependencies. Without this information, range analysis might work for
   * simple cases but will go into infinite loops on complex code.
   *
-   * For example, when modelling the definition by reference in a call to an
+   * For example, when modeling the definition by reference in a call to an
   * overloaded `operator=`, written as `v = e`, the definition of `(this, v)`
   * depends on `e`.
   */
--- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/InBoundsPointerDeref.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/InBoundsPointerDeref.qll
@@ -5,7 +5,7 @@
 * `Instruction` level), and then using the array length analysis and the range
 * analysis together to prove that some of these pointer dereferences are safe.
 *
- * The analysis is soundy, i.e. it is sound if no undefined behaviour is present
+ * The analysis is soundy, i.e. it is sound if no undefined behavior is present
 * in the program.
 * Furthermore, it crucially depends on the soundiness of the range analysis and
 * the array length analysis.
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,8 +1,8 @@
 name: codeql/cpp-all
-version: 0.0.5-dev
+version: 0.0.6
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
 library: true
 dependencies:
-  codeql/cpp-upgrades: 0.0.3
+  codeql/cpp-upgrades: ^0.0.3
--- a/cpp/ql/lib/semmle/code/cpp/commons/Printf.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Printf.qll
@@ -9,6 +9,83 @@ import semmle.code.cpp.models.interfaces.FormattingFunction
 private import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 private import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils

+private newtype TBufferWriteEstimationReason =
+  TNoSpecifiedEstimateReason() or
+  TTypeBoundsAnalysis() or
+  TValueFlowAnalysis()
+
+/**
+ * A reason for a specific buffer write size estimate.
+ */
+abstract class BufferWriteEstimationReason extends TBufferWriteEstimationReason {
+  /**
+   * Returns the name of the concrete class.
+   */
+  abstract string toString();
+
+  /**
+   * Returns a human readable representation of this reason.
+   */
+  abstract string getDescription();
+
+  /**
+   * Combine estimate reasons. Used to give a reason for the size of a format string
+   * conversion given reasons coming from its individual specifiers.
+   */
+  abstract BufferWriteEstimationReason combineWith(BufferWriteEstimationReason other);
+}
+
+/**
+ * No particular reason given. This is currently used for backward compatibility so that
+ * classes derived from BufferWrite and overriding `getMaxData/0` still work with the
+ * queries as intended.
+ */
+class NoSpecifiedEstimateReason extends BufferWriteEstimationReason, TNoSpecifiedEstimateReason {
+  override string toString() { result = "NoSpecifiedEstimateReason" }
+
+  override string getDescription() { result = "no reason specified" }
+
+  override BufferWriteEstimationReason combineWith(BufferWriteEstimationReason other) {
+    // this reason should not be used in format specifiers, so it should not be combined
+    // with other reasons
+    none()
+  }
+}
+
+/**
+ * The estimation comes from rough bounds just based on the type (e.g.
+ * `0 <= x < 2^32` for an unsigned 32 bit integer).
+ */
+class TypeBoundsAnalysis extends BufferWriteEstimationReason, TTypeBoundsAnalysis {
+  override string toString() { result = "TypeBoundsAnalysis" }
+
+  override string getDescription() { result = "based on type bounds" }
+
+  override BufferWriteEstimationReason combineWith(BufferWriteEstimationReason other) {
+    other != TNoSpecifiedEstimateReason() and result = TTypeBoundsAnalysis()
+  }
+}
+
+/**
+ * The estimation comes from non trivial bounds found via actual flow analysis.
+ * For example
+ * ```
+ * unsigned u = x;
+ * if (u < 1000) {
+ *    //...  <- estimation done here based on u
+ * }
+ * ```
+ */
+class ValueFlowAnalysis extends BufferWriteEstimationReason, TValueFlowAnalysis {
+  override string toString() { result = "ValueFlowAnalysis" }
+
+  override string getDescription() { result = "based on flow analysis of value bounds" }
+
+  override BufferWriteEstimationReason combineWith(BufferWriteEstimationReason other) {
+    other != TNoSpecifiedEstimateReason() and result = other
+  }
+}
+
 class PrintfFormatAttribute extends FormatAttribute {
  PrintfFormatAttribute() { this.getArchetype() = ["printf", "__printf__"] }
 }
@@ -990,7 +1067,14 @@ class FormatLiteral extends Literal {
   * conversion specifier of this format string; has no result if this cannot
   * be determined.
   */
-  int getMaxConvertedLength(int n) {
+  int getMaxConvertedLength(int n) { result = max(getMaxConvertedLength(n, _)) }
+
+  /**
+   * Gets the maximum length of the string that can be produced by the nth
+   * conversion specifier of this format string, specifying the estimation reason;
+   * has no result if this cannot be determined.
+   */
+  int getMaxConvertedLength(int n, BufferWriteEstimationReason reason) {
    exists(int len |
      (
        (
@@ -1002,10 +1086,12 @@ class FormatLiteral extends Literal {
      ) and
      (
        this.getConversionChar(n) = "%" and
-        len = 1
+        len = 1 and
+        reason = TValueFlowAnalysis()
        or
        this.getConversionChar(n).toLowerCase() = "c" and
-        len = 1 // e.g. 'a'
+        len = 1 and
+        reason = TValueFlowAnalysis() // e.g. 'a'
        or
        this.getConversionChar(n).toLowerCase() = "f" and
        exists(int dot, int afterdot |
@@ -1019,7 +1105,8 @@ class FormatLiteral extends Literal {
            afterdot = 6
          ) and
          len = 1 + 309 + dot + afterdot
-        ) // e.g. -1e308="-100000"...
+        ) and
+        reason = TTypeBoundsAnalysis() // e.g. -1e308="-100000"...
        or
        this.getConversionChar(n).toLowerCase() = "e" and
        exists(int dot, int afterdot |
@@ -1033,7 +1120,8 @@ class FormatLiteral extends Literal {
            afterdot = 6
          ) and
          len = 1 + 1 + dot + afterdot + 1 + 1 + 3
-        ) // -1e308="-1.000000e+308"
+        ) and
+        reason = TTypeBoundsAnalysis() // -1e308="-1.000000e+308"
        or
        this.getConversionChar(n).toLowerCase() = "g" and
        exists(int dot, int afterdot |
@@ -1056,67 +1144,80 @@ class FormatLiteral extends Literal {
          //       (e.g. 123456, 0.000123456 are just OK)
          //       so case %f can be at most P characters + 4 zeroes, sign, dot = P + 6
          len = (afterdot.maximum(1) + 6).maximum(1 + 1 + dot + afterdot + 1 + 1 + 3)
-        ) // (e.g. "-1.59203e-319")
+        ) and
+        reason = TTypeBoundsAnalysis() // (e.g. "-1.59203e-319")
        or
        this.getConversionChar(n).toLowerCase() = ["d", "i"] and
        // e.g. -2^31 = "-2147483648"
-        len =
-          min(float cand |
-            // The first case handles length sub-specifiers
-            // Subtract one in the exponent because one bit is for the sign.
-            // Add 1 to account for the possible sign in the output.
-            cand = 1 + lengthInBase10(2.pow(this.getIntegralDisplayType(n).getSize() * 8 - 1))
-            or
-            // The second case uses range analysis to deduce a length that's shorter than the length
-            // of the number -2^31.
-            exists(Expr arg, float lower, float upper |
-              arg = this.getUse().getConversionArgument(n) and
-              lower = lowerBound(arg.getFullyConverted()) and
-              upper = upperBound(arg.getFullyConverted())
-            |
-              cand =
-                max(int cand0 |
-                  // Include the sign bit in the length if it can be negative
-                  (
-                    if lower < 0
-                    then cand0 = 1 + lengthInBase10(lower.abs())
-                    else cand0 = lengthInBase10(lower)
-                  )
-                  or
-                  (
-                    if upper < 0
-                    then cand0 = 1 + lengthInBase10(upper.abs())
-                    else cand0 = lengthInBase10(upper)
-                  )
+        exists(float typeBasedBound, float valueBasedBound |
+          // The first case handles length sub-specifiers
+          // Subtract one in the exponent because one bit is for the sign.
+          // Add 1 to account for the possible sign in the output.
+          typeBasedBound =
+            1 + lengthInBase10(2.pow(this.getIntegralDisplayType(n).getSize() * 8 - 1)) and
+          // The second case uses range analysis to deduce a length that's shorter than the length
+          // of the number -2^31.
+          exists(Expr arg, float lower, float upper, float typeLower, float typeUpper |
+            arg = this.getUse().getConversionArgument(n) and
+            lower = lowerBound(arg.getFullyConverted()) and
+            upper = upperBound(arg.getFullyConverted()) and
+            typeLower = exprMinVal(arg.getFullyConverted()) and
+            typeUpper = exprMaxVal(arg.getFullyConverted())
+          |
+            valueBasedBound =
+              max(int cand |
+                // Include the sign bit in the length if it can be negative
+                (
+                  if lower < 0
+                  then cand = 1 + lengthInBase10(lower.abs())
+                  else cand = lengthInBase10(lower)
                )
+                or
+                (
+                  if upper < 0
+                  then cand = 1 + lengthInBase10(upper.abs())
+                  else cand = lengthInBase10(upper)
+                )
+              ) and
+            (
+              if lower > typeLower or upper < typeUpper
+              then reason = TValueFlowAnalysis()
+              else reason = TTypeBoundsAnalysis()
            )
-          )
+          ) and
+          len = valueBasedBound.minimum(typeBasedBound)
+        )
        or
        this.getConversionChar(n).toLowerCase() = "u" and
        // e.g. 2^32 - 1 = "4294967295"
-        len =
-          min(float cand |
-            // The first case handles length sub-specifiers
-            cand = 2.pow(this.getIntegralDisplayType(n).getSize() * 8)
-            or
-            // The second case uses range analysis to deduce a length that's shorter than
-            // the length of the number 2^31 - 1.
-            exists(Expr arg, float lower |
-              arg = this.getUse().getConversionArgument(n) and
-              lower = lowerBound(arg.getFullyConverted())
-            |
-              cand =
-                max(float cand0 |
+        exists(float typeBasedBound, float valueBasedBound |
+          // The first case handles length sub-specifiers
+          typeBasedBound = lengthInBase10(2.pow(this.getIntegralDisplayType(n).getSize() * 8) - 1) and
+          // The second case uses range analysis to deduce a length that's shorter than
+          // the length of the number 2^31 - 1.
+          exists(Expr arg, float lower, float upper, float typeLower, float typeUpper |
+            arg = this.getUse().getConversionArgument(n) and
+            lower = lowerBound(arg.getFullyConverted()) and
+            upper = upperBound(arg.getFullyConverted()) and
+            typeLower = exprMinVal(arg.getFullyConverted()) and
+            typeUpper = exprMaxVal(arg.getFullyConverted())
+          |
+            valueBasedBound =
+              lengthInBase10(max(float cand |
                  // If lower can be negative we use `(unsigned)-1` as the candidate value.
                  lower < 0 and
-                  cand0 = 2.pow(any(IntType t | t.isUnsigned()).getSize() * 8)
+                  cand = 2.pow(any(IntType t | t.isUnsigned()).getSize() * 8)
                  or
-                  cand0 = upperBound(arg.getFullyConverted())
-                )
+                  cand = upper
+                )) and
+            (
+              if lower > typeLower or upper < typeUpper
+              then reason = TValueFlowAnalysis()
+              else reason = TTypeBoundsAnalysis()
            )
-          |
-            lengthInBase10(cand)
-          )
+          ) and
+          len = valueBasedBound.minimum(typeBasedBound)
+        )
        or
        this.getConversionChar(n).toLowerCase() = "x" and
        // e.g. "12345678"
@@ -1135,7 +1236,8 @@ class FormatLiteral extends Literal {
          (
            if this.hasAlternateFlag(n) then len = 2 + baseLen else len = baseLen // "0x"
          )
-        )
+        ) and
+        reason = TTypeBoundsAnalysis()
        or
        this.getConversionChar(n).toLowerCase() = "p" and
        exists(PointerType ptrType, int baseLen |
@@ -1144,7 +1246,8 @@ class FormatLiteral extends Literal {
          (
            if this.hasAlternateFlag(n) then len = 2 + baseLen else len = baseLen // "0x"
          )
-        )
+        ) and
+        reason = TValueFlowAnalysis()
        or
        this.getConversionChar(n).toLowerCase() = "o" and
        // e.g. 2^32 - 1 = "37777777777"
@@ -1163,14 +1266,16 @@ class FormatLiteral extends Literal {
          (
            if this.hasAlternateFlag(n) then len = 1 + baseLen else len = baseLen // "0"
          )
-        )
+        ) and
+        reason = TTypeBoundsAnalysis()
        or
        this.getConversionChar(n).toLowerCase() = "s" and
        len =
          min(int v |
            v = this.getPrecision(n) or
            v = this.getUse().getFormatArgument(n).(AnalysedString).getMaxLength() - 1 // (don't count null terminator)
-          )
+          ) and
+        reason = TValueFlowAnalysis()
      )
    )
  }
@@ -1182,10 +1287,19 @@ class FormatLiteral extends Literal {
   * determining whether a buffer overflow is caused by long float to string
   * conversions.
   */
-  int getMaxConvertedLengthLimited(int n) {
+  int getMaxConvertedLengthLimited(int n) { result = max(getMaxConvertedLengthLimited(n, _)) }
+
+  /**
+   * Gets the maximum length of the string that can be produced by the nth
+   * conversion specifier of this format string, specifying the reason for the
+   * estimation, except that float to string conversions are assumed to be 8
+   * characters.  This is helpful for determining whether a buffer overflow is
+   * caused by long float to string conversions.
+   */
+  int getMaxConvertedLengthLimited(int n, BufferWriteEstimationReason reason) {
    if this.getConversionChar(n).toLowerCase() = "f"
-    then result = this.getMaxConvertedLength(n).minimum(8)
-    else result = this.getMaxConvertedLength(n)
+    then result = this.getMaxConvertedLength(n, reason).minimum(8)
+    else result = this.getMaxConvertedLength(n, reason)
  }

  /**
@@ -1225,29 +1339,35 @@ class FormatLiteral extends Literal {
    )
  }

-  private int getMaxConvertedLengthAfter(int n) {
+  private int getMaxConvertedLengthAfter(int n, BufferWriteEstimationReason reason) {
    if n = this.getNumConvSpec()
-    then result = this.getConstantSuffix().length() + 1
+    then result = this.getConstantSuffix().length() + 1 and reason = TValueFlowAnalysis()
    else
-      result =
-        this.getConstantPart(n).length() + this.getMaxConvertedLength(n) +
-          this.getMaxConvertedLengthAfter(n + 1)
+      exists(BufferWriteEstimationReason headReason, BufferWriteEstimationReason tailReason |
+        result =
+          this.getConstantPart(n).length() + this.getMaxConvertedLength(n, headReason) +
+            this.getMaxConvertedLengthAfter(n + 1, tailReason) and
+        reason = headReason.combineWith(tailReason)
+      )
  }

-  private int getMaxConvertedLengthAfterLimited(int n) {
+  private int getMaxConvertedLengthAfterLimited(int n, BufferWriteEstimationReason reason) {
    if n = this.getNumConvSpec()
-    then result = this.getConstantSuffix().length() + 1
+    then result = this.getConstantSuffix().length() + 1 and reason = TValueFlowAnalysis()
    else
-      result =
-        this.getConstantPart(n).length() + this.getMaxConvertedLengthLimited(n) +
-          this.getMaxConvertedLengthAfterLimited(n + 1)
+      exists(BufferWriteEstimationReason headReason, BufferWriteEstimationReason tailReason |
+        result =
+          this.getConstantPart(n).length() + this.getMaxConvertedLengthLimited(n, headReason) +
+            this.getMaxConvertedLengthAfterLimited(n + 1, tailReason) and
+        reason = headReason.combineWith(tailReason)
+      )
  }

  /**
   * Gets the maximum length of the string that can be produced by this format
   * string.  Has no result if this cannot be determined.
   */
-  int getMaxConvertedLength() { result = this.getMaxConvertedLengthAfter(0) }
+  int getMaxConvertedLength() { result = this.getMaxConvertedLengthAfter(0, _) }

  /**
   * Gets the maximum length of the string that can be produced by this format
@@ -1255,5 +1375,24 @@ class FormatLiteral extends Literal {
   * characters.  This is helpful for determining whether a buffer overflow
   * is caused by long float to string conversions.
   */
-  int getMaxConvertedLengthLimited() { result = this.getMaxConvertedLengthAfterLimited(0) }
+  int getMaxConvertedLengthLimited() { result = this.getMaxConvertedLengthAfterLimited(0, _) }
+
+  /**
+   * Gets the maximum length of the string that can be produced by this format
+   * string, specifying the reason for the estimate. Has no result if no estimate
+   * can be found.
+   */
+  int getMaxConvertedLengthWithReason(BufferWriteEstimationReason reason) {
+    result = this.getMaxConvertedLengthAfter(0, reason)
+  }
+
+  /**
+   * Gets the maximum length of the string that can be produced by this format
+   * string, specifying the reason for the estimate, except that float to string
+   * conversions are assumed to be 8 characters.  This is helpful for determining
+   * whether a buffer overflow is caused by long float to string conversions.
+   */
+  int getMaxConvertedLengthLimitedWithReason(BufferWriteEstimationReason reason) {
+    result = this.getMaxConvertedLengthAfterLimited(0, reason)
+  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/SSAUtils.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/SSAUtils.qll
@@ -153,9 +153,11 @@ library class SSAHelper extends int {
   * Modern Compiler Implementation by Andrew Appel.
   */
  private predicate frontier_phi_node(StackVariable v, BasicBlock b) {
-    exists(BasicBlock x | dominanceFrontier(x, b) and ssa_defn_rec(v, x)) and
+    exists(BasicBlock x |
+      dominanceFrontier(x, b) and ssa_defn_rec(pragma[only_bind_into](v), pragma[only_bind_into](x))
+    ) and
    /* We can also eliminate those nodes where the variable is not live on any incoming edge */
-    live_at_start_of_bb(v, b)
+    live_at_start_of_bb(pragma[only_bind_into](v), b)
  }

  private predicate ssa_defn_rec(StackVariable v, BasicBlock b) {
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/internal/ConstantExprs.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/internal/ConstantExprs.qll
@@ -626,9 +626,9 @@ library class ExprEvaluator extends int {
      // All assignments must have the same int value
      result =
        unique(Expr value |
-          value = v.getAnAssignedValue() and not ignoreVariableAssignment(e, v, value)
+          value = v.getAnAssignedValue() and not this.ignoreVariableAssignment(e, v, value)
        |
-          getValueInternalNonSubExpr(value)
+          this.getValueInternalNonSubExpr(value)
        )
    )
  }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowDispatch.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowDispatch.qll
@@ -1,4 +1,6 @@
 private import cpp
+private import semmle.code.cpp.dataflow.internal.DataFlowPrivate
+private import semmle.code.cpp.dataflow.internal.DataFlowUtil

 /**
 * Gets a function that might be called by `call`.
@@ -63,3 +65,17 @@ predicate mayBenefitFromCallContext(Call call, Function f) { none() }
 * restricted to those `call`s for which a context might make a difference.
 */
 Function viableImplInCallContext(Call call, Call ctx) { none() }
+
+/** A parameter position represented by an integer. */
+class ParameterPosition extends int {
+  ParameterPosition() { any(ParameterNode p).isParameterOf(_, this) }
+}
+
+/** An argument position represented by an integer. */
+class ArgumentPosition extends int {
+  ArgumentPosition() { any(ArgumentNode a).argumentOf(_, this) }
+}
+
+/** Holds if arguments at position `apos` match parameters at position `ppos`. */
+pragma[inline]
+predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
  ParamNodeEx() { this.asNode() instanceof ParamNode }

-  predicate isParameterOf(DataFlowCallable c, int i) {
-    this.asNode().(ParamNode).isParameterOf(c, i)
+  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
+    this.asNode().(ParamNode).isParameterOf(c, pos)
  }

-  int getPosition() { this.isParameterOf(_, result) }
+  ParameterPosition getPosition() { this.isParameterOf(_, result) }

  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -1012,6 +1012,9 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1020,6 +1023,13 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1042,6 +1052,13 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1112,7 +1129,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1189,7 +1206,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
    )
  }

@@ -1430,7 +1447,7 @@ private module Stage2 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2125,7 +2142,7 @@ private module Stage3 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2891,7 +2908,7 @@ private module Stage4 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2975,7 +2992,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

-  int getParameterPos() { p.isParameterOf(_, result) }
+  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }

  ParamNodeEx getParamNode() { result = p }

@@ -3622,39 +3639,40 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
 */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
-  Configuration config
+  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
+  AccessPathApprox apa, Configuration config
 ) {
-  exists(ArgNode arg |
+  exists(ArgNode arg, ArgumentPosition apos |
    arg = mid.getNodeEx().asNode() and
    cc = mid.getCallContext() and
-    arg.argumentOf(call, i) and
+    arg.argumentOf(call, apos) and
    ap = mid.getAp() and
    apa = ap.getApprox() and
-    config = mid.getConfiguration()
+    config = mid.getConfiguration() and
+    parameterMatch(ppos, apos)
  )
 }

 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
 ) {
  exists(ParamNodeEx p |
    Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, i)
+    p.isParameterOf(callable, pos)
  )
 }

 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
-  AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+  DataFlowCall call, AccessPath ap, Configuration config
 ) {
  exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
      pragma[only_bind_into](config)) and
    callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
      pragma[only_bind_into](config))
  )
 }
@@ -3669,9 +3687,9 @@ private predicate pathIntoCallable(
  PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
  DataFlowCall call, Configuration config
 ) {
-  exists(int i, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-    p.isParameterOf(callable, i) and
+  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+    p.isParameterOf(callable, pos) and
    (
      sc = TSummaryCtxSome(p, ap)
      or
@@ -3695,7 +3713,7 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
  Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, int pos |
+  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
    mid.getNodeEx() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
@@ -4424,24 +4442,25 @@ private module FlowExploration {

  pragma[noinline]
  private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
-    Configuration config
+    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
+    PartialAccessPath ap, Configuration config
  ) {
-    exists(ArgNode arg |
+    exists(ArgNode arg, ArgumentPosition apos |
      arg = mid.getNodeEx().asNode() and
      cc = mid.getCallContext() and
-      arg.argumentOf(call, i) and
+      arg.argumentOf(call, apos) and
      ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
    )
  }

  pragma[nomagic]
  private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
    DataFlowCall call, PartialAccessPath ap, Configuration config
  ) {
-    partialPathIntoArg(mid, i, outercc, call, ap, config) and
+    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
    callable = resolveCall(call, outercc)
  }

@@ -4450,9 +4469,9 @@ private module FlowExploration {
    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
    Configuration config
  ) {
-    exists(int i, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-      p.isParameterOf(callable, i) and
+    exists(ParameterPosition pos, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+      p.isParameterOf(callable, pos) and
      sc1 = TSummaryCtx1Param(p) and
      sc2 = TSummaryCtx2Some(ap)
    |
@@ -4616,22 +4635,23 @@ private module FlowExploration {

  pragma[nomagic]
  private predicate revPartialPathFlowsThrough(
-    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
-    Configuration config
+    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
+    RevPartialAccessPath ap, Configuration config
  ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p |
+    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
      mid.getNodeEx() = p and
-      p.getPosition() = pos and
+      p.getPosition() = ppos and
      sc1 = mid.getSummaryCtx1() and
      sc2 = mid.getSummaryCtx2() and
      ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
    )
  }

  pragma[nomagic]
  private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
    Configuration config
  ) {
    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4644,7 +4664,7 @@ private module FlowExploration {
  private predicate revPartialPathThroughCallable(
    PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
  ) {
-    exists(DataFlowCall call, int pos |
+    exists(DataFlowCall call, ArgumentPosition pos |
      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
      node.asNode().(ArgNode).argumentOf(call, pos)
    )
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
  ParamNodeEx() { this.asNode() instanceof ParamNode }

-  predicate isParameterOf(DataFlowCallable c, int i) {
-    this.asNode().(ParamNode).isParameterOf(c, i)
+  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
+    this.asNode().(ParamNode).isParameterOf(c, pos)
  }

-  int getPosition() { this.isParameterOf(_, result) }
+  ParameterPosition getPosition() { this.isParameterOf(_, result) }

  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -1012,6 +1012,9 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1020,6 +1023,13 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1042,6 +1052,13 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1112,7 +1129,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1189,7 +1206,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
    )
  }

@@ -1430,7 +1447,7 @@ private module Stage2 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2125,7 +2142,7 @@ private module Stage3 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2891,7 +2908,7 @@ private module Stage4 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2975,7 +2992,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

-  int getParameterPos() { p.isParameterOf(_, result) }
+  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }

  ParamNodeEx getParamNode() { result = p }

@@ -3622,39 +3639,40 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
 */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
-  Configuration config
+  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
+  AccessPathApprox apa, Configuration config
 ) {
-  exists(ArgNode arg |
+  exists(ArgNode arg, ArgumentPosition apos |
    arg = mid.getNodeEx().asNode() and
    cc = mid.getCallContext() and
-    arg.argumentOf(call, i) and
+    arg.argumentOf(call, apos) and
    ap = mid.getAp() and
    apa = ap.getApprox() and
-    config = mid.getConfiguration()
+    config = mid.getConfiguration() and
+    parameterMatch(ppos, apos)
  )
 }

 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
 ) {
  exists(ParamNodeEx p |
    Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, i)
+    p.isParameterOf(callable, pos)
  )
 }

 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
-  AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+  DataFlowCall call, AccessPath ap, Configuration config
 ) {
  exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
      pragma[only_bind_into](config)) and
    callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
      pragma[only_bind_into](config))
  )
 }
@@ -3669,9 +3687,9 @@ private predicate pathIntoCallable(
  PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
  DataFlowCall call, Configuration config
 ) {
-  exists(int i, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-    p.isParameterOf(callable, i) and
+  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+    p.isParameterOf(callable, pos) and
    (
      sc = TSummaryCtxSome(p, ap)
      or
@@ -3695,7 +3713,7 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
  Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, int pos |
+  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
    mid.getNodeEx() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
@@ -4424,24 +4442,25 @@ private module FlowExploration {

  pragma[noinline]
  private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
-    Configuration config
+    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
+    PartialAccessPath ap, Configuration config
  ) {
-    exists(ArgNode arg |
+    exists(ArgNode arg, ArgumentPosition apos |
      arg = mid.getNodeEx().asNode() and
      cc = mid.getCallContext() and
-      arg.argumentOf(call, i) and
+      arg.argumentOf(call, apos) and
      ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
    )
  }

  pragma[nomagic]
  private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
    DataFlowCall call, PartialAccessPath ap, Configuration config
  ) {
-    partialPathIntoArg(mid, i, outercc, call, ap, config) and
+    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
    callable = resolveCall(call, outercc)
  }

@@ -4450,9 +4469,9 @@ private module FlowExploration {
    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
    Configuration config
  ) {
-    exists(int i, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-      p.isParameterOf(callable, i) and
+    exists(ParameterPosition pos, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+      p.isParameterOf(callable, pos) and
      sc1 = TSummaryCtx1Param(p) and
      sc2 = TSummaryCtx2Some(ap)
    |
@@ -4616,22 +4635,23 @@ private module FlowExploration {

  pragma[nomagic]
  private predicate revPartialPathFlowsThrough(
-    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
-    Configuration config
+    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
+    RevPartialAccessPath ap, Configuration config
  ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p |
+    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
      mid.getNodeEx() = p and
-      p.getPosition() = pos and
+      p.getPosition() = ppos and
      sc1 = mid.getSummaryCtx1() and
      sc2 = mid.getSummaryCtx2() and
      ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
    )
  }

  pragma[nomagic]
  private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
    Configuration config
  ) {
    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4644,7 +4664,7 @@ private module FlowExploration {
  private predicate revPartialPathThroughCallable(
    PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
  ) {
-    exists(DataFlowCall call, int pos |
+    exists(DataFlowCall call, ArgumentPosition pos |
      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
      node.asNode().(ArgNode).argumentOf(call, pos)
    )
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
  ParamNodeEx() { this.asNode() instanceof ParamNode }

-  predicate isParameterOf(DataFlowCallable c, int i) {
-    this.asNode().(ParamNode).isParameterOf(c, i)
+  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
+    this.asNode().(ParamNode).isParameterOf(c, pos)
  }

-  int getPosition() { this.isParameterOf(_, result) }
+  ParameterPosition getPosition() { this.isParameterOf(_, result) }

  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -1012,6 +1012,9 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1020,6 +1023,13 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1042,6 +1052,13 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1112,7 +1129,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1189,7 +1206,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
    )
  }

@@ -1430,7 +1447,7 @@ private module Stage2 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2125,7 +2142,7 @@ private module Stage3 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2891,7 +2908,7 @@ private module Stage4 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2975,7 +2992,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

-  int getParameterPos() { p.isParameterOf(_, result) }
+  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }

  ParamNodeEx getParamNode() { result = p }

@@ -3622,39 +3639,40 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
 */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
-  Configuration config
+  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
+  AccessPathApprox apa, Configuration config
 ) {
-  exists(ArgNode arg |
+  exists(ArgNode arg, ArgumentPosition apos |
    arg = mid.getNodeEx().asNode() and
    cc = mid.getCallContext() and
-    arg.argumentOf(call, i) and
+    arg.argumentOf(call, apos) and
    ap = mid.getAp() and
    apa = ap.getApprox() and
-    config = mid.getConfiguration()
+    config = mid.getConfiguration() and
+    parameterMatch(ppos, apos)
  )
 }

 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
 ) {
  exists(ParamNodeEx p |
    Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, i)
+    p.isParameterOf(callable, pos)
  )
 }

 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
-  AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+  DataFlowCall call, AccessPath ap, Configuration config
 ) {
  exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
      pragma[only_bind_into](config)) and
    callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
      pragma[only_bind_into](config))
  )
 }
@@ -3669,9 +3687,9 @@ private predicate pathIntoCallable(
  PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
  DataFlowCall call, Configuration config
 ) {
-  exists(int i, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-    p.isParameterOf(callable, i) and
+  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+    p.isParameterOf(callable, pos) and
    (
      sc = TSummaryCtxSome(p, ap)
      or
@@ -3695,7 +3713,7 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
  Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, int pos |
+  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
    mid.getNodeEx() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
@@ -4424,24 +4442,25 @@ private module FlowExploration {

  pragma[noinline]
  private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
-    Configuration config
+    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
+    PartialAccessPath ap, Configuration config
  ) {
-    exists(ArgNode arg |
+    exists(ArgNode arg, ArgumentPosition apos |
      arg = mid.getNodeEx().asNode() and
      cc = mid.getCallContext() and
-      arg.argumentOf(call, i) and
+      arg.argumentOf(call, apos) and
      ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
    )
  }

  pragma[nomagic]
  private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
    DataFlowCall call, PartialAccessPath ap, Configuration config
  ) {
-    partialPathIntoArg(mid, i, outercc, call, ap, config) and
+    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
    callable = resolveCall(call, outercc)
  }

@@ -4450,9 +4469,9 @@ private module FlowExploration {
    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
    Configuration config
  ) {
-    exists(int i, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-      p.isParameterOf(callable, i) and
+    exists(ParameterPosition pos, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+      p.isParameterOf(callable, pos) and
      sc1 = TSummaryCtx1Param(p) and
      sc2 = TSummaryCtx2Some(ap)
    |
@@ -4616,22 +4635,23 @@ private module FlowExploration {

  pragma[nomagic]
  private predicate revPartialPathFlowsThrough(
-    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
-    Configuration config
+    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
+    RevPartialAccessPath ap, Configuration config
  ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p |
+    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
      mid.getNodeEx() = p and
-      p.getPosition() = pos and
+      p.getPosition() = ppos and
      sc1 = mid.getSummaryCtx1() and
      sc2 = mid.getSummaryCtx2() and
      ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
    )
  }

  pragma[nomagic]
  private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
    Configuration config
  ) {
    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4644,7 +4664,7 @@ private module FlowExploration {
  private predicate revPartialPathThroughCallable(
    PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
  ) {
-    exists(DataFlowCall call, int pos |
+    exists(DataFlowCall call, ArgumentPosition pos |
      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
      node.asNode().(ArgNode).argumentOf(call, pos)
    )
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
  ParamNodeEx() { this.asNode() instanceof ParamNode }

-  predicate isParameterOf(DataFlowCallable c, int i) {
-    this.asNode().(ParamNode).isParameterOf(c, i)
+  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
+    this.asNode().(ParamNode).isParameterOf(c, pos)
  }

-  int getPosition() { this.isParameterOf(_, result) }
+  ParameterPosition getPosition() { this.isParameterOf(_, result) }

  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -1012,6 +1012,9 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1020,6 +1023,13 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1042,6 +1052,13 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1112,7 +1129,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1189,7 +1206,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
    )
  }

@@ -1430,7 +1447,7 @@ private module Stage2 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2125,7 +2142,7 @@ private module Stage3 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2891,7 +2908,7 @@ private module Stage4 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2975,7 +2992,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

-  int getParameterPos() { p.isParameterOf(_, result) }
+  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }

  ParamNodeEx getParamNode() { result = p }

@@ -3622,39 +3639,40 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
 */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
-  Configuration config
+  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
+  AccessPathApprox apa, Configuration config
 ) {
-  exists(ArgNode arg |
+  exists(ArgNode arg, ArgumentPosition apos |
    arg = mid.getNodeEx().asNode() and
    cc = mid.getCallContext() and
-    arg.argumentOf(call, i) and
+    arg.argumentOf(call, apos) and
    ap = mid.getAp() and
    apa = ap.getApprox() and
-    config = mid.getConfiguration()
+    config = mid.getConfiguration() and
+    parameterMatch(ppos, apos)
  )
 }

 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
 ) {
  exists(ParamNodeEx p |
    Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, i)
+    p.isParameterOf(callable, pos)
  )
 }

 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
-  AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+  DataFlowCall call, AccessPath ap, Configuration config
 ) {
  exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
      pragma[only_bind_into](config)) and
    callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
      pragma[only_bind_into](config))
  )
 }
@@ -3669,9 +3687,9 @@ private predicate pathIntoCallable(
  PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
  DataFlowCall call, Configuration config
 ) {
-  exists(int i, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-    p.isParameterOf(callable, i) and
+  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+    p.isParameterOf(callable, pos) and
    (
      sc = TSummaryCtxSome(p, ap)
      or
@@ -3695,7 +3713,7 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
  Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, int pos |
+  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
    mid.getNodeEx() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
@@ -4424,24 +4442,25 @@ private module FlowExploration {

  pragma[noinline]
  private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
-    Configuration config
+    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
+    PartialAccessPath ap, Configuration config
  ) {
-    exists(ArgNode arg |
+    exists(ArgNode arg, ArgumentPosition apos |
      arg = mid.getNodeEx().asNode() and
      cc = mid.getCallContext() and
-      arg.argumentOf(call, i) and
+      arg.argumentOf(call, apos) and
      ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
    )
  }

  pragma[nomagic]
  private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
    DataFlowCall call, PartialAccessPath ap, Configuration config
  ) {
-    partialPathIntoArg(mid, i, outercc, call, ap, config) and
+    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
    callable = resolveCall(call, outercc)
  }

@@ -4450,9 +4469,9 @@ private module FlowExploration {
    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
    Configuration config
  ) {
-    exists(int i, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-      p.isParameterOf(callable, i) and
+    exists(ParameterPosition pos, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+      p.isParameterOf(callable, pos) and
      sc1 = TSummaryCtx1Param(p) and
      sc2 = TSummaryCtx2Some(ap)
    |
@@ -4616,22 +4635,23 @@ private module FlowExploration {

  pragma[nomagic]
  private predicate revPartialPathFlowsThrough(
-    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
-    Configuration config
+    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
+    RevPartialAccessPath ap, Configuration config
  ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p |
+    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
      mid.getNodeEx() = p and
-      p.getPosition() = pos and
+      p.getPosition() = ppos and
      sc1 = mid.getSummaryCtx1() and
      sc2 = mid.getSummaryCtx2() and
      ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
    )
  }

  pragma[nomagic]
  private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
    Configuration config
  ) {
    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4644,7 +4664,7 @@ private module FlowExploration {
  private predicate revPartialPathThroughCallable(
    PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
  ) {
-    exists(DataFlowCall call, int pos |
+    exists(DataFlowCall call, ArgumentPosition pos |
      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
      node.asNode().(ArgNode).argumentOf(call, pos)
    )
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
@@ -62,6 +62,18 @@ predicate accessPathCostLimits(int apLimit, int tupleLimit) {
  tupleLimit = 1000
 }

+/**
+ * Holds if `arg` is an argument of `call` with an argument position that matches
+ * parameter position `ppos`.
+ */
+pragma[noinline]
+predicate argumentPositionMatch(DataFlowCall call, ArgNode arg, ParameterPosition ppos) {
+  exists(ArgumentPosition apos |
+    arg.argumentOf(call, apos) and
+    parameterMatch(ppos, apos)
+  )
+}
+
 /**
 * Provides a simple data-flow analysis for resolving lambda calls. The analysis
 * currently excludes read-steps, store-steps, and flow-through.
@@ -71,25 +83,27 @@ predicate accessPathCostLimits(int apLimit, int tupleLimit) {
 * calls. For this reason, we cannot reuse the code from `DataFlowImpl.qll` directly.
 */
 private module LambdaFlow {
-  private predicate viableParamNonLambda(DataFlowCall call, int i, ParamNode p) {
-    p.isParameterOf(viableCallable(call), i)
+  pragma[noinline]
+  private predicate viableParamNonLambda(DataFlowCall call, ParameterPosition ppos, ParamNode p) {
+    p.isParameterOf(viableCallable(call), ppos)
  }

-  private predicate viableParamLambda(DataFlowCall call, int i, ParamNode p) {
-    p.isParameterOf(viableCallableLambda(call, _), i)
+  pragma[noinline]
+  private predicate viableParamLambda(DataFlowCall call, ParameterPosition ppos, ParamNode p) {
+    p.isParameterOf(viableCallableLambda(call, _), ppos)
  }

  private predicate viableParamArgNonLambda(DataFlowCall call, ParamNode p, ArgNode arg) {
-    exists(int i |
-      viableParamNonLambda(call, i, p) and
-      arg.argumentOf(call, i)
+    exists(ParameterPosition ppos |
+      viableParamNonLambda(call, ppos, p) and
+      argumentPositionMatch(call, arg, ppos)
    )
  }

  private predicate viableParamArgLambda(DataFlowCall call, ParamNode p, ArgNode arg) {
-    exists(int i |
-      viableParamLambda(call, i, p) and
-      arg.argumentOf(call, i)
+    exists(ParameterPosition ppos |
+      viableParamLambda(call, ppos, p) and
+      argumentPositionMatch(call, arg, ppos)
    )
  }

@@ -322,7 +336,7 @@ private module Cached {
    or
    exists(ArgNode arg |
      result.(PostUpdateNode).getPreUpdateNode() = arg and
-      arg.argumentOf(call, k.(ParamUpdateReturnKind).getPosition())
+      arg.argumentOf(call, k.(ParamUpdateReturnKind).getAMatchingArgumentPosition())
    )
  }

@@ -330,7 +344,7 @@ private module Cached {
  predicate returnNodeExt(Node n, ReturnKindExt k) {
    k = TValueReturn(n.(ReturnNode).getKind())
    or
-    exists(ParamNode p, int pos |
+    exists(ParamNode p, ParameterPosition pos |
      parameterValueFlowsToPreUpdate(p, n) and
      p.isParameterOf(_, pos) and
      k = TParamUpdate(pos)
@@ -352,11 +366,13 @@ private module Cached {
  }

  cached
-  predicate parameterNode(Node p, DataFlowCallable c, int pos) { isParameterNode(p, c, pos) }
+  predicate parameterNode(Node p, DataFlowCallable c, ParameterPosition pos) {
+    isParameterNode(p, c, pos)
+  }

  cached
-  predicate argumentNode(Node n, DataFlowCall call, int pos) {
-    n.(ArgumentNode).argumentOf(call, pos)
+  predicate argumentNode(Node n, DataFlowCall call, ArgumentPosition pos) {
+    isArgumentNode(n, call, pos)
  }

  /**
@@ -374,12 +390,12 @@ private module Cached {
  }

  /**
-   * Holds if `p` is the `i`th parameter of a viable dispatch target of `call`.
-   * The instance parameter is considered to have index `-1`.
+   * Holds if `p` is the parameter of a viable dispatch target of `call`,
+   * and `p` has position `ppos`.
   */
  pragma[nomagic]
-  private predicate viableParam(DataFlowCall call, int i, ParamNode p) {
-    p.isParameterOf(viableCallableExt(call), i)
+  private predicate viableParam(DataFlowCall call, ParameterPosition ppos, ParamNode p) {
+    p.isParameterOf(viableCallableExt(call), ppos)
  }

  /**
@@ -388,9 +404,9 @@ private module Cached {
   */
  cached
  predicate viableParamArg(DataFlowCall call, ParamNode p, ArgNode arg) {
-    exists(int i |
-      viableParam(call, i, p) and
-      arg.argumentOf(call, i) and
+    exists(ParameterPosition ppos |
+      viableParam(call, ppos, p) and
+      argumentPositionMatch(call, arg, ppos) and
      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p))
    )
  }
@@ -862,7 +878,7 @@ private module Cached {
  cached
  newtype TReturnKindExt =
    TValueReturn(ReturnKind kind) or
-    TParamUpdate(int pos) { exists(ParamNode p | p.isParameterOf(_, pos)) }
+    TParamUpdate(ParameterPosition pos) { exists(ParamNode p | p.isParameterOf(_, pos)) }

  cached
  newtype TBooleanOption =
@@ -1054,9 +1070,9 @@ class ParamNode extends Node {

  /**
   * Holds if this node is the parameter of callable `c` at the specified
-   * (zero-based) position.
+   * position.
   */
-  predicate isParameterOf(DataFlowCallable c, int i) { parameterNode(this, c, i) }
+  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { parameterNode(this, c, pos) }
 }

 /** A data-flow node that represents a call argument. */
@@ -1064,7 +1080,9 @@ class ArgNode extends Node {
  ArgNode() { argumentNode(this, _, _) }

  /** Holds if this argument occurs at the given position in the given call. */
-  final predicate argumentOf(DataFlowCall call, int pos) { argumentNode(this, call, pos) }
+  final predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
+    argumentNode(this, call, pos)
+  }
 }

 /**
@@ -1110,11 +1128,14 @@ class ValueReturnKind extends ReturnKindExt, TValueReturn {
 }

 class ParamUpdateReturnKind extends ReturnKindExt, TParamUpdate {
-  private int pos;
+  private ParameterPosition pos;

  ParamUpdateReturnKind() { this = TParamUpdate(pos) }

-  int getPosition() { result = pos }
+  ParameterPosition getPosition() { result = pos }
+
+  pragma[nomagic]
+  ArgumentPosition getAMatchingArgumentPosition() { parameterMatch(pos, result) }

  override string toString() { result = "param update " + pos }
 }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll
@@ -15,11 +15,23 @@ module Consistency {
  class ConsistencyConfiguration extends TConsistencyConfiguration {
    string toString() { none() }

+    /** Holds if `n` should be excluded from the consistency test `uniqueEnclosingCallable`. */
+    predicate uniqueEnclosingCallableExclude(Node n) { none() }
+
+    /** Holds if `n` should be excluded from the consistency test `uniqueNodeLocation`. */
+    predicate uniqueNodeLocationExclude(Node n) { none() }
+
+    /** Holds if `n` should be excluded from the consistency test `missingLocation`. */
+    predicate missingLocationExclude(Node n) { none() }
+
    /** Holds if `n` should be excluded from the consistency test `postWithInFlow`. */
    predicate postWithInFlowExclude(Node n) { none() }

    /** Holds if `n` should be excluded from the consistency test `argHasPostUpdate`. */
    predicate argHasPostUpdateExclude(ArgumentNode n) { none() }
+
+    /** Holds if `n` should be excluded from the consistency test `reverseRead`. */
+    predicate reverseReadExclude(Node n) { none() }
  }

  private class RelevantNode extends Node {
@@ -46,6 +58,7 @@ module Consistency {
      n instanceof RelevantNode and
      c = count(nodeGetEnclosingCallable(n)) and
      c != 1 and
+      not any(ConsistencyConfiguration conf).uniqueEnclosingCallableExclude(n) and
      msg = "Node should have one enclosing callable but has " + c + "."
    )
  }
@@ -66,6 +79,7 @@ module Consistency {
          n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
        ) and
      c != 1 and
+      not any(ConsistencyConfiguration conf).uniqueNodeLocationExclude(n) and
      msg = "Node should have one location but has " + c + "."
    )
  }
@@ -76,7 +90,8 @@ module Consistency {
        strictcount(Node n |
          not exists(string filepath, int startline, int startcolumn, int endline, int endcolumn |
            n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-          )
+          ) and
+          not any(ConsistencyConfiguration conf).missingLocationExclude(n)
        ) and
      msg = "Nodes without location: " + c
    )
@@ -172,6 +187,7 @@ module Consistency {

  query predicate reverseRead(Node n, string msg) {
    exists(Node n2 | readStep(n, _, n2) and hasPost(n2) and not hasPost(n)) and
+    not any(ConsistencyConfiguration conf).reverseReadExclude(n) and
    msg = "Origin of readStep is missing a PostUpdateNode."
  }

--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
  ParamNodeEx() { this.asNode() instanceof ParamNode }

-  predicate isParameterOf(DataFlowCallable c, int i) {
-    this.asNode().(ParamNode).isParameterOf(c, i)
+  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
+    this.asNode().(ParamNode).isParameterOf(c, pos)
  }

-  int getPosition() { this.isParameterOf(_, result) }
+  ParameterPosition getPosition() { this.isParameterOf(_, result) }

  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -1012,6 +1012,9 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1020,6 +1023,13 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1042,6 +1052,13 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1112,7 +1129,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1189,7 +1206,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
    )
  }

@@ -1430,7 +1447,7 @@ private module Stage2 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2125,7 +2142,7 @@ private module Stage3 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2891,7 +2908,7 @@ private module Stage4 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2975,7 +2992,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

-  int getParameterPos() { p.isParameterOf(_, result) }
+  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }

  ParamNodeEx getParamNode() { result = p }

@@ -3622,39 +3639,40 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
 */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
-  Configuration config
+  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
+  AccessPathApprox apa, Configuration config
 ) {
-  exists(ArgNode arg |
+  exists(ArgNode arg, ArgumentPosition apos |
    arg = mid.getNodeEx().asNode() and
    cc = mid.getCallContext() and
-    arg.argumentOf(call, i) and
+    arg.argumentOf(call, apos) and
    ap = mid.getAp() and
    apa = ap.getApprox() and
-    config = mid.getConfiguration()
+    config = mid.getConfiguration() and
+    parameterMatch(ppos, apos)
  )
 }

 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
 ) {
  exists(ParamNodeEx p |
    Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, i)
+    p.isParameterOf(callable, pos)
  )
 }

 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
-  AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+  DataFlowCall call, AccessPath ap, Configuration config
 ) {
  exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
      pragma[only_bind_into](config)) and
    callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
      pragma[only_bind_into](config))
  )
 }
@@ -3669,9 +3687,9 @@ private predicate pathIntoCallable(
  PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
  DataFlowCall call, Configuration config
 ) {
-  exists(int i, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-    p.isParameterOf(callable, i) and
+  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+    p.isParameterOf(callable, pos) and
    (
      sc = TSummaryCtxSome(p, ap)
      or
@@ -3695,7 +3713,7 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
  Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, int pos |
+  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
    mid.getNodeEx() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
@@ -4424,24 +4442,25 @@ private module FlowExploration {

  pragma[noinline]
  private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
-    Configuration config
+    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
+    PartialAccessPath ap, Configuration config
  ) {
-    exists(ArgNode arg |
+    exists(ArgNode arg, ArgumentPosition apos |
      arg = mid.getNodeEx().asNode() and
      cc = mid.getCallContext() and
-      arg.argumentOf(call, i) and
+      arg.argumentOf(call, apos) and
      ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
    )
  }

  pragma[nomagic]
  private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
    DataFlowCall call, PartialAccessPath ap, Configuration config
  ) {
-    partialPathIntoArg(mid, i, outercc, call, ap, config) and
+    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
    callable = resolveCall(call, outercc)
  }

@@ -4450,9 +4469,9 @@ private module FlowExploration {
    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
    Configuration config
  ) {
-    exists(int i, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-      p.isParameterOf(callable, i) and
+    exists(ParameterPosition pos, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+      p.isParameterOf(callable, pos) and
      sc1 = TSummaryCtx1Param(p) and
      sc2 = TSummaryCtx2Some(ap)
    |
@@ -4616,22 +4635,23 @@ private module FlowExploration {

  pragma[nomagic]
  private predicate revPartialPathFlowsThrough(
-    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
-    Configuration config
+    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
+    RevPartialAccessPath ap, Configuration config
  ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p |
+    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
      mid.getNodeEx() = p and
-      p.getPosition() = pos and
+      p.getPosition() = ppos and
      sc1 = mid.getSummaryCtx1() and
      sc2 = mid.getSummaryCtx2() and
      ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
    )
  }

  pragma[nomagic]
  private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
    Configuration config
  ) {
    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4644,7 +4664,7 @@ private module FlowExploration {
  private predicate revPartialPathThroughCallable(
    PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
  ) {
-    exists(DataFlowCall call, int pos |
+    exists(DataFlowCall call, ArgumentPosition pos |
      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
      node.asNode().(ArgNode).argumentOf(call, pos)
    )
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll
@@ -8,7 +8,14 @@ private import DataFlowImplConsistency
 DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.getEnclosingCallable() }

 /** Holds if `p` is a `ParameterNode` of `c` with position `pos`. */
-predicate isParameterNode(ParameterNode p, DataFlowCallable c, int pos) { p.isParameterOf(c, pos) }
+predicate isParameterNode(ParameterNode p, DataFlowCallable c, ParameterPosition pos) {
+  p.isParameterOf(c, pos)
+}
+
+/** Holds if `arg` is an `ArgumentNode` of `c` with position `pos`. */
+predicate isArgumentNode(ArgumentNode arg, DataFlowCall c, ArgumentPosition pos) {
+  arg.argumentOf(c, pos)
+}

 /** Gets the instance argument of a non-static call. */
 private Node getInstanceArgument(Call call) {
--- a/cpp/ql/lib/semmle/code/cpp/exprs/Lambda.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/Lambda.qll
@@ -118,7 +118,7 @@ class LambdaCapture extends Locatable, @lambdacapture {
   * An identifier is captured by reference if:
   *   - It is explicitly captured by reference.
   *   - It is implicitly captured, and the lambda's default capture mode is by-reference.
-   *   - The identifier is "this". [Said behaviour is dictated by the C++11 standard, but it
+   *   - The identifier is "this". [Said behavior is dictated by the C++11 standard, but it
   *                                is actually "*this" being captured rather than "this".]
   */
  predicate isCapturedByReference() { lambda_capture(this, _, _, _, true, _, _) }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
@@ -2,6 +2,7 @@ private import cpp
 private import semmle.code.cpp.ir.IR
 private import semmle.code.cpp.ir.dataflow.DataFlow
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
 private import DataFlowImplCommon as DataFlowImplCommon

 /**
@@ -266,3 +267,17 @@ Function viableImplInCallContext(CallInstruction call, CallInstruction ctx) {
    result = ctx.getArgument(i).getUnconvertedResultExpression().(FunctionAccess).getTarget()
  )
 }
+
+/** A parameter position represented by an integer. */
+class ParameterPosition extends int {
+  ParameterPosition() { any(ParameterNode p).isParameterOf(_, this) }
+}
+
+/** An argument position represented by an integer. */
+class ArgumentPosition extends int {
+  ArgumentPosition() { any(ArgumentNode a).argumentOf(_, this) }
+}
+
+/** Holds if arguments at position `apos` match parameters at position `ppos`. */
+pragma[inline]
+predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
  ParamNodeEx() { this.asNode() instanceof ParamNode }

-  predicate isParameterOf(DataFlowCallable c, int i) {
-    this.asNode().(ParamNode).isParameterOf(c, i)
+  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
+    this.asNode().(ParamNode).isParameterOf(c, pos)
  }

-  int getPosition() { this.isParameterOf(_, result) }
+  ParameterPosition getPosition() { this.isParameterOf(_, result) }

  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -1012,6 +1012,9 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1020,6 +1023,13 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1042,6 +1052,13 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1112,7 +1129,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1189,7 +1206,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
    )
  }

@@ -1430,7 +1447,7 @@ private module Stage2 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2125,7 +2142,7 @@ private module Stage3 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2891,7 +2908,7 @@ private module Stage4 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2975,7 +2992,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

-  int getParameterPos() { p.isParameterOf(_, result) }
+  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }

  ParamNodeEx getParamNode() { result = p }

@@ -3622,39 +3639,40 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
 */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
-  Configuration config
+  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
+  AccessPathApprox apa, Configuration config
 ) {
-  exists(ArgNode arg |
+  exists(ArgNode arg, ArgumentPosition apos |
    arg = mid.getNodeEx().asNode() and
    cc = mid.getCallContext() and
-    arg.argumentOf(call, i) and
+    arg.argumentOf(call, apos) and
    ap = mid.getAp() and
    apa = ap.getApprox() and
-    config = mid.getConfiguration()
+    config = mid.getConfiguration() and
+    parameterMatch(ppos, apos)
  )
 }

 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
 ) {
  exists(ParamNodeEx p |
    Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, i)
+    p.isParameterOf(callable, pos)
  )
 }

 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
-  AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+  DataFlowCall call, AccessPath ap, Configuration config
 ) {
  exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
      pragma[only_bind_into](config)) and
    callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
      pragma[only_bind_into](config))
  )
 }
@@ -3669,9 +3687,9 @@ private predicate pathIntoCallable(
  PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
  DataFlowCall call, Configuration config
 ) {
-  exists(int i, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-    p.isParameterOf(callable, i) and
+  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+    p.isParameterOf(callable, pos) and
    (
      sc = TSummaryCtxSome(p, ap)
      or
@@ -3695,7 +3713,7 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
  Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, int pos |
+  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
    mid.getNodeEx() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
@@ -4424,24 +4442,25 @@ private module FlowExploration {

  pragma[noinline]
  private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
-    Configuration config
+    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
+    PartialAccessPath ap, Configuration config
  ) {
-    exists(ArgNode arg |
+    exists(ArgNode arg, ArgumentPosition apos |
      arg = mid.getNodeEx().asNode() and
      cc = mid.getCallContext() and
-      arg.argumentOf(call, i) and
+      arg.argumentOf(call, apos) and
      ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
    )
  }

  pragma[nomagic]
  private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
    DataFlowCall call, PartialAccessPath ap, Configuration config
  ) {
-    partialPathIntoArg(mid, i, outercc, call, ap, config) and
+    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
    callable = resolveCall(call, outercc)
  }

@@ -4450,9 +4469,9 @@ private module FlowExploration {
    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
    Configuration config
  ) {
-    exists(int i, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-      p.isParameterOf(callable, i) and
+    exists(ParameterPosition pos, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+      p.isParameterOf(callable, pos) and
      sc1 = TSummaryCtx1Param(p) and
      sc2 = TSummaryCtx2Some(ap)
    |
@@ -4616,22 +4635,23 @@ private module FlowExploration {

  pragma[nomagic]
  private predicate revPartialPathFlowsThrough(
-    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
-    Configuration config
+    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
+    RevPartialAccessPath ap, Configuration config
  ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p |
+    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
      mid.getNodeEx() = p and
-      p.getPosition() = pos and
+      p.getPosition() = ppos and
      sc1 = mid.getSummaryCtx1() and
      sc2 = mid.getSummaryCtx2() and
      ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
    )
  }

  pragma[nomagic]
  private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
    Configuration config
  ) {
    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4644,7 +4664,7 @@ private module FlowExploration {
  private predicate revPartialPathThroughCallable(
    PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
  ) {
-    exists(DataFlowCall call, int pos |
+    exists(DataFlowCall call, ArgumentPosition pos |
      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
      node.asNode().(ArgNode).argumentOf(call, pos)
    )
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
  ParamNodeEx() { this.asNode() instanceof ParamNode }

-  predicate isParameterOf(DataFlowCallable c, int i) {
-    this.asNode().(ParamNode).isParameterOf(c, i)
+  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
+    this.asNode().(ParamNode).isParameterOf(c, pos)
  }

-  int getPosition() { this.isParameterOf(_, result) }
+  ParameterPosition getPosition() { this.isParameterOf(_, result) }

  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -1012,6 +1012,9 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1020,6 +1023,13 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1042,6 +1052,13 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1112,7 +1129,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1189,7 +1206,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
    )
  }

@@ -1430,7 +1447,7 @@ private module Stage2 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2125,7 +2142,7 @@ private module Stage3 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2891,7 +2908,7 @@ private module Stage4 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2975,7 +2992,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

-  int getParameterPos() { p.isParameterOf(_, result) }
+  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }

  ParamNodeEx getParamNode() { result = p }

@@ -3622,39 +3639,40 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
 */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
-  Configuration config
+  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
+  AccessPathApprox apa, Configuration config
 ) {
-  exists(ArgNode arg |
+  exists(ArgNode arg, ArgumentPosition apos |
    arg = mid.getNodeEx().asNode() and
    cc = mid.getCallContext() and
-    arg.argumentOf(call, i) and
+    arg.argumentOf(call, apos) and
    ap = mid.getAp() and
    apa = ap.getApprox() and
-    config = mid.getConfiguration()
+    config = mid.getConfiguration() and
+    parameterMatch(ppos, apos)
  )
 }

 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
 ) {
  exists(ParamNodeEx p |
    Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, i)
+    p.isParameterOf(callable, pos)
  )
 }

 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
-  AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+  DataFlowCall call, AccessPath ap, Configuration config
 ) {
  exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
      pragma[only_bind_into](config)) and
    callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
      pragma[only_bind_into](config))
  )
 }
@@ -3669,9 +3687,9 @@ private predicate pathIntoCallable(
  PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
  DataFlowCall call, Configuration config
 ) {
-  exists(int i, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-    p.isParameterOf(callable, i) and
+  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+    p.isParameterOf(callable, pos) and
    (
      sc = TSummaryCtxSome(p, ap)
      or
@@ -3695,7 +3713,7 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
  Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, int pos |
+  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
    mid.getNodeEx() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
@@ -4424,24 +4442,25 @@ private module FlowExploration {

  pragma[noinline]
  private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
-    Configuration config
+    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
+    PartialAccessPath ap, Configuration config
  ) {
-    exists(ArgNode arg |
+    exists(ArgNode arg, ArgumentPosition apos |
      arg = mid.getNodeEx().asNode() and
      cc = mid.getCallContext() and
-      arg.argumentOf(call, i) and
+      arg.argumentOf(call, apos) and
      ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
    )
  }

  pragma[nomagic]
  private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
    DataFlowCall call, PartialAccessPath ap, Configuration config
  ) {
-    partialPathIntoArg(mid, i, outercc, call, ap, config) and
+    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
    callable = resolveCall(call, outercc)
  }

@@ -4450,9 +4469,9 @@ private module FlowExploration {
    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
    Configuration config
  ) {
-    exists(int i, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-      p.isParameterOf(callable, i) and
+    exists(ParameterPosition pos, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+      p.isParameterOf(callable, pos) and
      sc1 = TSummaryCtx1Param(p) and
      sc2 = TSummaryCtx2Some(ap)
    |
@@ -4616,22 +4635,23 @@ private module FlowExploration {

  pragma[nomagic]
  private predicate revPartialPathFlowsThrough(
-    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
-    Configuration config
+    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
+    RevPartialAccessPath ap, Configuration config
  ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p |
+    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
      mid.getNodeEx() = p and
-      p.getPosition() = pos and
+      p.getPosition() = ppos and
      sc1 = mid.getSummaryCtx1() and
      sc2 = mid.getSummaryCtx2() and
      ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
    )
  }

  pragma[nomagic]
  private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
    Configuration config
  ) {
    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4644,7 +4664,7 @@ private module FlowExploration {
  private predicate revPartialPathThroughCallable(
    PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
  ) {
-    exists(DataFlowCall call, int pos |
+    exists(DataFlowCall call, ArgumentPosition pos |
      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
      node.asNode().(ArgNode).argumentOf(call, pos)
    )
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
  ParamNodeEx() { this.asNode() instanceof ParamNode }

-  predicate isParameterOf(DataFlowCallable c, int i) {
-    this.asNode().(ParamNode).isParameterOf(c, i)
+  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
+    this.asNode().(ParamNode).isParameterOf(c, pos)
  }

-  int getPosition() { this.isParameterOf(_, result) }
+  ParameterPosition getPosition() { this.isParameterOf(_, result) }

  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -1012,6 +1012,9 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1020,6 +1023,13 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1042,6 +1052,13 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1112,7 +1129,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1189,7 +1206,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
    )
  }

@@ -1430,7 +1447,7 @@ private module Stage2 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2125,7 +2142,7 @@ private module Stage3 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2891,7 +2908,7 @@ private module Stage4 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2975,7 +2992,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

-  int getParameterPos() { p.isParameterOf(_, result) }
+  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }

  ParamNodeEx getParamNode() { result = p }

@@ -3622,39 +3639,40 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
 */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
-  Configuration config
+  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
+  AccessPathApprox apa, Configuration config
 ) {
-  exists(ArgNode arg |
+  exists(ArgNode arg, ArgumentPosition apos |
    arg = mid.getNodeEx().asNode() and
    cc = mid.getCallContext() and
-    arg.argumentOf(call, i) and
+    arg.argumentOf(call, apos) and
    ap = mid.getAp() and
    apa = ap.getApprox() and
-    config = mid.getConfiguration()
+    config = mid.getConfiguration() and
+    parameterMatch(ppos, apos)
  )
 }

 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
 ) {
  exists(ParamNodeEx p |
    Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, i)
+    p.isParameterOf(callable, pos)
  )
 }

 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
-  AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+  DataFlowCall call, AccessPath ap, Configuration config
 ) {
  exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
      pragma[only_bind_into](config)) and
    callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
      pragma[only_bind_into](config))
  )
 }
@@ -3669,9 +3687,9 @@ private predicate pathIntoCallable(
  PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
  DataFlowCall call, Configuration config
 ) {
-  exists(int i, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-    p.isParameterOf(callable, i) and
+  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+    p.isParameterOf(callable, pos) and
    (
      sc = TSummaryCtxSome(p, ap)
      or
@@ -3695,7 +3713,7 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
  Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, int pos |
+  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
    mid.getNodeEx() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
@@ -4424,24 +4442,25 @@ private module FlowExploration {

  pragma[noinline]
  private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
-    Configuration config
+    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
+    PartialAccessPath ap, Configuration config
  ) {
-    exists(ArgNode arg |
+    exists(ArgNode arg, ArgumentPosition apos |
      arg = mid.getNodeEx().asNode() and
      cc = mid.getCallContext() and
-      arg.argumentOf(call, i) and
+      arg.argumentOf(call, apos) and
      ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
    )
  }

  pragma[nomagic]
  private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
    DataFlowCall call, PartialAccessPath ap, Configuration config
  ) {
-    partialPathIntoArg(mid, i, outercc, call, ap, config) and
+    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
    callable = resolveCall(call, outercc)
  }

@@ -4450,9 +4469,9 @@ private module FlowExploration {
    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
    Configuration config
  ) {
-    exists(int i, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-      p.isParameterOf(callable, i) and
+    exists(ParameterPosition pos, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+      p.isParameterOf(callable, pos) and
      sc1 = TSummaryCtx1Param(p) and
      sc2 = TSummaryCtx2Some(ap)
    |
@@ -4616,22 +4635,23 @@ private module FlowExploration {

  pragma[nomagic]
  private predicate revPartialPathFlowsThrough(
-    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
-    Configuration config
+    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
+    RevPartialAccessPath ap, Configuration config
  ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p |
+    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
      mid.getNodeEx() = p and
-      p.getPosition() = pos and
+      p.getPosition() = ppos and
      sc1 = mid.getSummaryCtx1() and
      sc2 = mid.getSummaryCtx2() and
      ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
    )
  }

  pragma[nomagic]
  private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
    Configuration config
  ) {
    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4644,7 +4664,7 @@ private module FlowExploration {
  private predicate revPartialPathThroughCallable(
    PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
  ) {
-    exists(DataFlowCall call, int pos |
+    exists(DataFlowCall call, ArgumentPosition pos |
      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
      node.asNode().(ArgNode).argumentOf(call, pos)
    )
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
  ParamNodeEx() { this.asNode() instanceof ParamNode }

-  predicate isParameterOf(DataFlowCallable c, int i) {
-    this.asNode().(ParamNode).isParameterOf(c, i)
+  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
+    this.asNode().(ParamNode).isParameterOf(c, pos)
  }

-  int getPosition() { this.isParameterOf(_, result) }
+  ParameterPosition getPosition() { this.isParameterOf(_, result) }

  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -1012,6 +1012,9 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1020,6 +1023,13 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1042,6 +1052,13 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1112,7 +1129,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1189,7 +1206,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
    )
  }

@@ -1430,7 +1447,7 @@ private module Stage2 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2125,7 +2142,7 @@ private module Stage3 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2891,7 +2908,7 @@ private module Stage4 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2975,7 +2992,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

-  int getParameterPos() { p.isParameterOf(_, result) }
+  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }

  ParamNodeEx getParamNode() { result = p }

@@ -3622,39 +3639,40 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
 */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
-  Configuration config
+  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
+  AccessPathApprox apa, Configuration config
 ) {
-  exists(ArgNode arg |
+  exists(ArgNode arg, ArgumentPosition apos |
    arg = mid.getNodeEx().asNode() and
    cc = mid.getCallContext() and
-    arg.argumentOf(call, i) and
+    arg.argumentOf(call, apos) and
    ap = mid.getAp() and
    apa = ap.getApprox() and
-    config = mid.getConfiguration()
+    config = mid.getConfiguration() and
+    parameterMatch(ppos, apos)
  )
 }

 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
 ) {
  exists(ParamNodeEx p |
    Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, i)
+    p.isParameterOf(callable, pos)
  )
 }

 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
-  AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+  DataFlowCall call, AccessPath ap, Configuration config
 ) {
  exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
      pragma[only_bind_into](config)) and
    callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
      pragma[only_bind_into](config))
  )
 }
@@ -3669,9 +3687,9 @@ private predicate pathIntoCallable(
  PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
  DataFlowCall call, Configuration config
 ) {
-  exists(int i, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-    p.isParameterOf(callable, i) and
+  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+    p.isParameterOf(callable, pos) and
    (
      sc = TSummaryCtxSome(p, ap)
      or
@@ -3695,7 +3713,7 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
  Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, int pos |
+  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
    mid.getNodeEx() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
@@ -4424,24 +4442,25 @@ private module FlowExploration {

  pragma[noinline]
  private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
-    Configuration config
+    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
+    PartialAccessPath ap, Configuration config
  ) {
-    exists(ArgNode arg |
+    exists(ArgNode arg, ArgumentPosition apos |
      arg = mid.getNodeEx().asNode() and
      cc = mid.getCallContext() and
-      arg.argumentOf(call, i) and
+      arg.argumentOf(call, apos) and
      ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
    )
  }

  pragma[nomagic]
  private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
    DataFlowCall call, PartialAccessPath ap, Configuration config
  ) {
-    partialPathIntoArg(mid, i, outercc, call, ap, config) and
+    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
    callable = resolveCall(call, outercc)
  }

@@ -4450,9 +4469,9 @@ private module FlowExploration {
    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
    Configuration config
  ) {
-    exists(int i, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
-      p.isParameterOf(callable, i) and
+    exists(ParameterPosition pos, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
+      p.isParameterOf(callable, pos) and
      sc1 = TSummaryCtx1Param(p) and
      sc2 = TSummaryCtx2Some(ap)
    |
@@ -4616,22 +4635,23 @@ private module FlowExploration {

  pragma[nomagic]
  private predicate revPartialPathFlowsThrough(
-    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
-    Configuration config
+    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
+    RevPartialAccessPath ap, Configuration config
  ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p |
+    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
      mid.getNodeEx() = p and
-      p.getPosition() = pos and
+      p.getPosition() = ppos and
      sc1 = mid.getSummaryCtx1() and
      sc2 = mid.getSummaryCtx2() and
      ap = mid.getAp() and
-      config = mid.getConfiguration()
+      config = mid.getConfiguration() and
+      parameterMatch(ppos, apos)
    )
  }

  pragma[nomagic]
  private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
    Configuration config
  ) {
    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4644,7 +4664,7 @@ private module FlowExploration {
  private predicate revPartialPathThroughCallable(
    PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
  ) {
-    exists(DataFlowCall call, int pos |
+    exists(DataFlowCall call, ArgumentPosition pos |
      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
      node.asNode().(ArgNode).argumentOf(call, pos)
    )
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
@@ -62,6 +62,18 @@ predicate accessPathCostLimits(int apLimit, int tupleLimit) {
  tupleLimit = 1000
 }

+/**
+ * Holds if `arg` is an argument of `call` with an argument position that matches
+ * parameter position `ppos`.
+ */
+pragma[noinline]
+predicate argumentPositionMatch(DataFlowCall call, ArgNode arg, ParameterPosition ppos) {
+  exists(ArgumentPosition apos |
+    arg.argumentOf(call, apos) and
+    parameterMatch(ppos, apos)
+  )
+}
+
 /**
 * Provides a simple data-flow analysis for resolving lambda calls. The analysis
 * currently excludes read-steps, store-steps, and flow-through.
@@ -71,25 +83,27 @@ predicate accessPathCostLimits(int apLimit, int tupleLimit) {
 * calls. For this reason, we cannot reuse the code from `DataFlowImpl.qll` directly.
 */
 private module LambdaFlow {
-  private predicate viableParamNonLambda(DataFlowCall call, int i, ParamNode p) {
-    p.isParameterOf(viableCallable(call), i)
+  pragma[noinline]
+  private predicate viableParamNonLambda(DataFlowCall call, ParameterPosition ppos, ParamNode p) {
+    p.isParameterOf(viableCallable(call), ppos)
  }

-  private predicate viableParamLambda(DataFlowCall call, int i, ParamNode p) {
-    p.isParameterOf(viableCallableLambda(call, _), i)
+  pragma[noinline]
+  private predicate viableParamLambda(DataFlowCall call, ParameterPosition ppos, ParamNode p) {
+    p.isParameterOf(viableCallableLambda(call, _), ppos)
  }

  private predicate viableParamArgNonLambda(DataFlowCall call, ParamNode p, ArgNode arg) {
-    exists(int i |
-      viableParamNonLambda(call, i, p) and
-      arg.argumentOf(call, i)
+    exists(ParameterPosition ppos |
+      viableParamNonLambda(call, ppos, p) and
+      argumentPositionMatch(call, arg, ppos)
    )
  }

  private predicate viableParamArgLambda(DataFlowCall call, ParamNode p, ArgNode arg) {
-    exists(int i |
-      viableParamLambda(call, i, p) and
-      arg.argumentOf(call, i)
+    exists(ParameterPosition ppos |
+      viableParamLambda(call, ppos, p) and
+      argumentPositionMatch(call, arg, ppos)
    )
  }

@@ -322,7 +336,7 @@ private module Cached {
    or
    exists(ArgNode arg |
      result.(PostUpdateNode).getPreUpdateNode() = arg and
-      arg.argumentOf(call, k.(ParamUpdateReturnKind).getPosition())
+      arg.argumentOf(call, k.(ParamUpdateReturnKind).getAMatchingArgumentPosition())
    )
  }

@@ -330,7 +344,7 @@ private module Cached {
  predicate returnNodeExt(Node n, ReturnKindExt k) {
    k = TValueReturn(n.(ReturnNode).getKind())
    or
-    exists(ParamNode p, int pos |
+    exists(ParamNode p, ParameterPosition pos |
      parameterValueFlowsToPreUpdate(p, n) and
      p.isParameterOf(_, pos) and
      k = TParamUpdate(pos)
@@ -352,11 +366,13 @@ private module Cached {
  }

  cached
-  predicate parameterNode(Node p, DataFlowCallable c, int pos) { isParameterNode(p, c, pos) }
+  predicate parameterNode(Node p, DataFlowCallable c, ParameterPosition pos) {
+    isParameterNode(p, c, pos)
+  }

  cached
-  predicate argumentNode(Node n, DataFlowCall call, int pos) {
-    n.(ArgumentNode).argumentOf(call, pos)
+  predicate argumentNode(Node n, DataFlowCall call, ArgumentPosition pos) {
+    isArgumentNode(n, call, pos)
  }

  /**
@@ -374,12 +390,12 @@ private module Cached {
  }

  /**
-   * Holds if `p` is the `i`th parameter of a viable dispatch target of `call`.
-   * The instance parameter is considered to have index `-1`.
+   * Holds if `p` is the parameter of a viable dispatch target of `call`,
+   * and `p` has position `ppos`.
   */
  pragma[nomagic]
-  private predicate viableParam(DataFlowCall call, int i, ParamNode p) {
-    p.isParameterOf(viableCallableExt(call), i)
+  private predicate viableParam(DataFlowCall call, ParameterPosition ppos, ParamNode p) {
+    p.isParameterOf(viableCallableExt(call), ppos)
  }

  /**
@@ -388,9 +404,9 @@ private module Cached {
   */
  cached
  predicate viableParamArg(DataFlowCall call, ParamNode p, ArgNode arg) {
-    exists(int i |
-      viableParam(call, i, p) and
-      arg.argumentOf(call, i) and
+    exists(ParameterPosition ppos |
+      viableParam(call, ppos, p) and
+      argumentPositionMatch(call, arg, ppos) and
      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p))
    )
  }
@@ -862,7 +878,7 @@ private module Cached {
  cached
  newtype TReturnKindExt =
    TValueReturn(ReturnKind kind) or
-    TParamUpdate(int pos) { exists(ParamNode p | p.isParameterOf(_, pos)) }
+    TParamUpdate(ParameterPosition pos) { exists(ParamNode p | p.isParameterOf(_, pos)) }

  cached
  newtype TBooleanOption =
@@ -1054,9 +1070,9 @@ class ParamNode extends Node {

  /**
   * Holds if this node is the parameter of callable `c` at the specified
-   * (zero-based) position.
+   * position.
   */
-  predicate isParameterOf(DataFlowCallable c, int i) { parameterNode(this, c, i) }
+  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { parameterNode(this, c, pos) }
 }

 /** A data-flow node that represents a call argument. */
@@ -1064,7 +1080,9 @@ class ArgNode extends Node {
  ArgNode() { argumentNode(this, _, _) }

  /** Holds if this argument occurs at the given position in the given call. */
-  final predicate argumentOf(DataFlowCall call, int pos) { argumentNode(this, call, pos) }
+  final predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
+    argumentNode(this, call, pos)
+  }
 }

 /**
@@ -1110,11 +1128,14 @@ class ValueReturnKind extends ReturnKindExt, TValueReturn {
 }

 class ParamUpdateReturnKind extends ReturnKindExt, TParamUpdate {
-  private int pos;
+  private ParameterPosition pos;

  ParamUpdateReturnKind() { this = TParamUpdate(pos) }

-  int getPosition() { result = pos }
+  ParameterPosition getPosition() { result = pos }
+
+  pragma[nomagic]
+  ArgumentPosition getAMatchingArgumentPosition() { parameterMatch(pos, result) }

  override string toString() { result = "param update " + pos }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll
@@ -15,11 +15,23 @@ module Consistency {
  class ConsistencyConfiguration extends TConsistencyConfiguration {
    string toString() { none() }

+    /** Holds if `n` should be excluded from the consistency test `uniqueEnclosingCallable`. */
+    predicate uniqueEnclosingCallableExclude(Node n) { none() }
+
+    /** Holds if `n` should be excluded from the consistency test `uniqueNodeLocation`. */
+    predicate uniqueNodeLocationExclude(Node n) { none() }
+
+    /** Holds if `n` should be excluded from the consistency test `missingLocation`. */
+    predicate missingLocationExclude(Node n) { none() }
+
    /** Holds if `n` should be excluded from the consistency test `postWithInFlow`. */
    predicate postWithInFlowExclude(Node n) { none() }

    /** Holds if `n` should be excluded from the consistency test `argHasPostUpdate`. */
    predicate argHasPostUpdateExclude(ArgumentNode n) { none() }
+
+    /** Holds if `n` should be excluded from the consistency test `reverseRead`. */
+    predicate reverseReadExclude(Node n) { none() }
  }

  private class RelevantNode extends Node {
@@ -46,6 +58,7 @@ module Consistency {
      n instanceof RelevantNode and
      c = count(nodeGetEnclosingCallable(n)) and
      c != 1 and
+      not any(ConsistencyConfiguration conf).uniqueEnclosingCallableExclude(n) and
      msg = "Node should have one enclosing callable but has " + c + "."
    )
  }
@@ -66,6 +79,7 @@ module Consistency {
          n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
        ) and
      c != 1 and
+      not any(ConsistencyConfiguration conf).uniqueNodeLocationExclude(n) and
      msg = "Node should have one location but has " + c + "."
    )
  }
@@ -76,7 +90,8 @@ module Consistency {
        strictcount(Node n |
          not exists(string filepath, int startline, int startcolumn, int endline, int endcolumn |
            n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-          )
+          ) and
+          not any(ConsistencyConfiguration conf).missingLocationExclude(n)
        ) and
      msg = "Nodes without location: " + c
    )
@@ -172,6 +187,7 @@ module Consistency {

  query predicate reverseRead(Node n, string msg) {
    exists(Node n2 | readStep(n, _, n2) and hasPost(n2) and not hasPost(n)) and
+    not any(ConsistencyConfiguration conf).reverseReadExclude(n) and
    msg = "Origin of readStep is missing a PostUpdateNode."
  }

--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -8,7 +8,14 @@ private import DataFlowImplConsistency
 DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.getEnclosingCallable() }

 /** Holds if `p` is a `ParameterNode` of `c` with position `pos`. */
-predicate isParameterNode(ParameterNode p, DataFlowCallable c, int pos) { p.isParameterOf(c, pos) }
+predicate isParameterNode(ParameterNode p, DataFlowCallable c, ParameterPosition pos) {
+  p.isParameterOf(c, pos)
+}
+
+/** Holds if `arg` is an `ArgumentNode` of `c` with position `pos`. */
+predicate isArgumentNode(ArgumentNode arg, DataFlowCall c, ArgumentPosition pos) {
+  arg.argumentOf(c, pos)
+}

 /**
 * A data flow node that occurs as the argument of a call and is passed as-is
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -452,7 +452,7 @@ class SsaPhiNode extends Node, TSsaPhiNode {

  /** Holds if this phi node has input from the `rnk`'th write operation in block `block`. */
  final predicate hasInputAtRankInBlock(IRBlock block, int rnk) {
-    hasInputAtRankInBlock(block, rnk, _)
+    this.hasInputAtRankInBlock(block, rnk, _)
  }

  /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll
@@ -307,7 +307,7 @@ class NonPhiMemoryOperand extends NonPhiOperand, MemoryOperand, TNonPhiMemoryOpe
  final override string toString() { result = tag.toString() }

  final override Instruction getAnyDef() {
-    result = unique(Instruction defInstr | hasDefinition(defInstr, _))
+    result = unique(Instruction defInstr | this.hasDefinition(defInstr, _))
  }

  final override Overlap getDefinitionOverlap() { this.hasDefinition(_, result) }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
@@ -266,6 +266,20 @@ private predicate operandReturned(Operand operand, IntValue bitOffset) {
  bitOffset = Ints::unknown()
 }

+pragma[nomagic]
+private predicate initializeParameterInstructionHasVariable(
+  IRVariable var, InitializeParameterInstruction init
+) {
+  init.getIRVariable() = var
+}
+
+private predicate instructionInitializesThisInFunction(
+  Language::Function f, InitializeParameterInstruction init
+) {
+  initializeParameterInstructionHasVariable(any(IRThisVariable var), pragma[only_bind_into](init)) and
+  init.getEnclosingFunction() = f
+}
+
 private predicate isArgumentForParameter(
  CallInstruction ci, Operand operand, InitializeParameterInstruction init
 ) {
@@ -275,8 +289,7 @@ private predicate isArgumentForParameter(
    (
      init.getParameter() = f.getParameter(operand.(PositionalArgumentOperand).getIndex())
      or
-      init.getIRVariable() instanceof IRThisVariable and
-      unique( | | init.getEnclosingFunction()) = f and
+      instructionInitializesThisInFunction(f, init) and
      operand instanceof ThisArgumentOperand
    ) and
    not Language::isFunctionVirtual(f) and
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Operand.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Operand.qll
@@ -307,7 +307,7 @@ class NonPhiMemoryOperand extends NonPhiOperand, MemoryOperand, TNonPhiMemoryOpe
  final override string toString() { result = tag.toString() }

  final override Instruction getAnyDef() {
-    result = unique(Instruction defInstr | hasDefinition(defInstr, _))
+    result = unique(Instruction defInstr | this.hasDefinition(defInstr, _))
  }

  final override Overlap getDefinitionOverlap() { this.hasDefinition(_, result) }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll
@@ -307,7 +307,7 @@ class NonPhiMemoryOperand extends NonPhiOperand, MemoryOperand, TNonPhiMemoryOpe
  final override string toString() { result = tag.toString() }

  final override Instruction getAnyDef() {
-    result = unique(Instruction defInstr | hasDefinition(defInstr, _))
+    result = unique(Instruction defInstr | this.hasDefinition(defInstr, _))
  }

  final override Overlap getDefinitionOverlap() { this.hasDefinition(_, result) }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
@@ -266,6 +266,20 @@ private predicate operandReturned(Operand operand, IntValue bitOffset) {
  bitOffset = Ints::unknown()
 }

+pragma[nomagic]
+private predicate initializeParameterInstructionHasVariable(
+  IRVariable var, InitializeParameterInstruction init
+) {
+  init.getIRVariable() = var
+}
+
+private predicate instructionInitializesThisInFunction(
+  Language::Function f, InitializeParameterInstruction init
+) {
+  initializeParameterInstructionHasVariable(any(IRThisVariable var), pragma[only_bind_into](init)) and
+  init.getEnclosingFunction() = f
+}
+
 private predicate isArgumentForParameter(
  CallInstruction ci, Operand operand, InitializeParameterInstruction init
 ) {
@@ -275,8 +289,7 @@ private predicate isArgumentForParameter(
    (
      init.getParameter() = f.getParameter(operand.(PositionalArgumentOperand).getIndex())
      or
-      init.getIRVariable() instanceof IRThisVariable and
-      unique( | | init.getEnclosingFunction()) = f and
+      instructionInitializesThisInFunction(f, init) and
      operand instanceof ThisArgumentOperand
    ) and
    not Language::isFunctionVirtual(f) and
--- a/cpp/ql/lib/semmle/code/cpp/security/BufferWrite.qll
+++ b/cpp/ql/lib/semmle/code/cpp/security/BufferWrite.qll
@@ -71,13 +71,30 @@ abstract class BufferWrite extends Expr {
   */
  int getMaxData() { none() }

+  /**
+   * Gets an upper bound to the amount of data that's being written (if one
+   * can be found), specifying the reason for the estimation.
+   */
+  int getMaxData(BufferWriteEstimationReason reason) {
+    reason instanceof NoSpecifiedEstimateReason and result = getMaxData()
+  }
+
  /**
   * Gets an upper bound to the amount of data that's being written (if one
   * can be found), except that float to string conversions are assumed to be
   * much smaller (8 bytes) than their true maximum length.  This can be
   * helpful in determining the cause of a buffer overflow issue.
   */
-  int getMaxDataLimited() { result = this.getMaxData() }
+  int getMaxDataLimited() { result = getMaxData() }
+
+  /**
+   * Gets an upper bound to the amount of data that's being written (if one
+   * can be found), specifying the reason for the estimation, except that
+   * float to string conversions are assumed to be much smaller (8 bytes)
+   * than their true maximum length.  This can be helpful in determining the
+   * cause of a buffer overflow issue.
+   */
+  int getMaxDataLimited(BufferWriteEstimationReason reason) { result = getMaxData(reason) }

  /**
   * Gets the size of a single character of the type this
@@ -135,10 +152,16 @@ class StrCopyBW extends BufferWriteCall {
    result = this.getArgument(this.getParamSize()).getValue().toInt() * this.getCharSize()
  }

-  override int getMaxData() {
+  private int getMaxDataImpl(BufferWriteEstimationReason reason) {
+    // when result exists, it is an exact flow analysis
+    reason instanceof ValueFlowAnalysis and
    result =
      this.getArgument(this.getParamSrc()).(AnalysedString).getMaxLength() * this.getCharSize()
  }
+
+  override int getMaxData(BufferWriteEstimationReason reason) { result = getMaxDataImpl(reason) }
+
+  override int getMaxData() { result = max(getMaxDataImpl(_)) }
 }

 /**
@@ -173,10 +196,16 @@ class StrCatBW extends BufferWriteCall {
    result = this.getArgument(this.getParamSize()).getValue().toInt() * this.getCharSize()
  }

-  override int getMaxData() {
+  private int getMaxDataImpl(BufferWriteEstimationReason reason) {
+    // when result exists, it is an exact flow analysis
+    reason instanceof ValueFlowAnalysis and
    result =
      this.getArgument(this.getParamSrc()).(AnalysedString).getMaxLength() * this.getCharSize()
  }
+
+  override int getMaxData(BufferWriteEstimationReason reason) { result = getMaxDataImpl(reason) }
+
+  override int getMaxData() { result = max(getMaxDataImpl(_)) }
 }

 /**
@@ -233,19 +262,29 @@ class SprintfBW extends BufferWriteCall {

  override Expr getDest() { result = this.getArgument(f.getOutputParameterIndex(false)) }

-  override int getMaxData() {
+  private int getMaxDataImpl(BufferWriteEstimationReason reason) {
    exists(FormatLiteral fl |
      fl = this.(FormattingFunctionCall).getFormat() and
-      result = fl.getMaxConvertedLength() * this.getCharSize()
+      result = fl.getMaxConvertedLengthWithReason(reason) * this.getCharSize()
    )
  }

-  override int getMaxDataLimited() {
+  override int getMaxData(BufferWriteEstimationReason reason) { result = getMaxDataImpl(reason) }
+
+  override int getMaxData() { result = max(getMaxDataImpl(_)) }
+
+  private int getMaxDataLimitedImpl(BufferWriteEstimationReason reason) {
    exists(FormatLiteral fl |
      fl = this.(FormattingFunctionCall).getFormat() and
-      result = fl.getMaxConvertedLengthLimited() * this.getCharSize()
+      result = fl.getMaxConvertedLengthLimitedWithReason(reason) * this.getCharSize()
    )
  }
+
+  override int getMaxDataLimited(BufferWriteEstimationReason reason) {
+    result = getMaxDataLimitedImpl(reason)
+  }
+
+  override int getMaxDataLimited() { result = max(getMaxDataLimitedImpl(_)) }
 }

 /**
@@ -336,19 +375,29 @@ class SnprintfBW extends BufferWriteCall {
    result = this.getArgument(this.getParamSize()).getValue().toInt() * this.getCharSize()
  }

-  override int getMaxData() {
+  private int getMaxDataImpl(BufferWriteEstimationReason reason) {
    exists(FormatLiteral fl |
      fl = this.(FormattingFunctionCall).getFormat() and
-      result = fl.getMaxConvertedLength() * this.getCharSize()
+      result = fl.getMaxConvertedLengthWithReason(reason) * this.getCharSize()
    )
  }

-  override int getMaxDataLimited() {
+  override int getMaxData(BufferWriteEstimationReason reason) { result = getMaxDataImpl(reason) }
+
+  override int getMaxData() { result = max(getMaxDataImpl(_)) }
+
+  private int getMaxDataLimitedImpl(BufferWriteEstimationReason reason) {
    exists(FormatLiteral fl |
      fl = this.(FormattingFunctionCall).getFormat() and
-      result = fl.getMaxConvertedLengthLimited() * this.getCharSize()
+      result = fl.getMaxConvertedLengthLimitedWithReason(reason) * this.getCharSize()
    )
  }
+
+  override int getMaxDataLimited(BufferWriteEstimationReason reason) {
+    result = getMaxDataLimitedImpl(reason)
+  }
+
+  override int getMaxDataLimited() { result = max(getMaxDataLimitedImpl(_)) }
 }

 /**
@@ -436,7 +485,9 @@ class ScanfBW extends BufferWrite {

  override Expr getDest() { result = this }

-  override int getMaxData() {
+  private int getMaxDataImpl(BufferWriteEstimationReason reason) {
+    // when this returns, it is based on exact flow analysis
+    reason instanceof ValueFlowAnalysis and
    exists(ScanfFunctionCall fc, ScanfFormatLiteral fl, int arg |
      this = fc.getArgument(arg) and
      fl = fc.getFormat() and
@@ -444,6 +495,10 @@ class ScanfBW extends BufferWrite {
    )
  }

+  override int getMaxData(BufferWriteEstimationReason reason) { result = getMaxDataImpl(reason) }
+
+  override int getMaxData() { result = max(getMaxDataImpl(_)) }
+
  override string getBWDesc() {
    exists(FunctionCall fc |
      this = fc.getArgument(_) and
@@ -474,8 +529,14 @@ class RealpathBW extends BufferWriteCall {

  override Expr getASource() { result = this.getArgument(0) }

-  override int getMaxData() {
+  private int getMaxDataImpl(BufferWriteEstimationReason reason) {
+    // although there may be some unknown invariants guaranteeing that a real path is shorter than PATH_MAX, we can consider providing less than PATH_MAX a problem with high precision
+    reason instanceof ValueFlowAnalysis and
    result = path_max() and
    this = this // Suppress a compiler warning
  }
+
+  override int getMaxData(BufferWriteEstimationReason reason) { result = getMaxDataImpl(reason) }
+
+  override int getMaxData() { result = max(getMaxDataImpl(_)) }
 }
--- a/cpp/ql/src/AlertSuppression.ql
+++ b/cpp/ql/src/AlertSuppression.ql
@@ -18,12 +18,12 @@ class SuppressionComment extends Comment {
    (
      this instanceof CppStyleComment and
      // strip the beginning slashes
-      text = getContents().suffix(2)
+      text = this.getContents().suffix(2)
      or
      this instanceof CStyleComment and
      // strip both the beginning /* and the end */ the comment
      exists(string text0 |
-        text0 = getContents().suffix(2) and
+        text0 = this.getContents().suffix(2) and
        text = text0.prefix(text0.length() - 2)
      ) and
      // The /* */ comment must be a single-line comment
--- a/Show More
+++ b/Show More