Revert "JS: Recognize DomSanitizer from @angular/core"

This reverts commit ff1d0cc4c7.
Remove NoSQL sinks since September 2018
2026-05-27 01:21:23 +02:00 · 2021-11-25 17:18:34 +00:00 · 2021-11-25 17:18:34 +00:00 · 2021-11-25 17:18:33 +00:00 · 2021-11-25 17:18:33 +00:00 · 2021-11-25 17:18:33 +00:00
1178 changed files with 23399 additions and 54743 deletions
--- a/.codeqlmanifest.json
+++ b/.codeqlmanifest.json
@@ -10,14 +10,7 @@
        "javascript/ql/experimental/adaptivethreatmodeling/src/qlpack.yml",
        "misc/legacy-support/*/qlpack.yml",
        "misc/suite-helpers/qlpack.yml",
-        "ruby/extractor-pack/codeql-extractor.yml",
-        "ruby/ql/consistency-queries/qlpack.yml"
-    ],
-    "versionPolicies": {
-      "default": {
-        "requireChangeNotes": true,
-        "committedPrereleaseSuffix": "dev",
-        "committedVersion": "nextPatchRelease"
-      }
-    }
-}
+        "ruby/ql/consistency-queries/qlpack.yml",
+        "ruby/extractor-pack/codeql-extractor.yml"
+   ]
+}
--- a/.github/workflows/ruby-dataset-measure.yml
+++ b/.github/workflows/ruby-dataset-measure.yml
@@ -24,7 +24,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        repo: [rails/rails, discourse/discourse, spree/spree, ruby/ruby]
+        repo: [rails/rails, discourse/discourse, spree/spree]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
--- a/benjamin-button.md
+++ b/benjamin-button.md
@@ -0,0 +1,51 @@
+# benjamin-buttons.md
+
+This file describes the changes that have been applied to
+the library to make it behave as if it was younger.
+
+## TaintedPath.ql
+
+Sinks added between 2020-01-01 and 2020-10-06 have been removed. Found by looking at:
+
+- the commit titles of https://github.com/github/codeql/commits/main/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
+- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+sink
+
+Sinks added between 2018-08-02 and 2020-01-01 have been removed. Found by looking at:
+
+- the commit titles of https://github.com/github/codeql/commits/main/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
+- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+sink
+- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+pathinjection
+- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+tainted-path
+
+Sinks from the "graceful-fs" and "fs-extra" (added before the open-sourcing squash).
+
+## Xss.ql
+
+Sinks added between 2020-01-01 and 2020-10-06 have been removed. Found by looking at:
+
+- the commit titles of https://github.com/github/codeql/commits/main/javascript/ql/test/query-tests/Security/CWE-079/Xss.expected
+- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+sink
+
+- recursive type tracking for `jQuery::dollar`, `DOM::domValueRef`.
+
+## SqlInjection.ql
+
+Sinks added between 2020-01-01 and 2020-10-06 have been removed. Found by looking at:
+
+- the commit titles of https://github.com/github/codeql/commits/main/javascript/ql/test/query-tests/Security/CWE-089
+- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+sink
+
+Sinks added between 2018-08-02 and 2020-01-01 have been removed. Found by looking at:
+
+- the commit titles of https://github.com/github/codeql/commits/main/javascript/ql/test/query-tests/Security/CWE-089
+- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+sink
+- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+sql
+
+TypeTracking in SQL.qll (added before the open-sourcing squash)
+
+The model of `mssql` and `sequelize` (added before the open-sourcing squash)
+
+## PseudoProperties
+
+Pseudo-properties (`$name$`) used in type-tracking and global dataflow configurations have been disabled.
+Found by searching for `"\$.*\$"`.
--- a/cpp/old-change-notes/2020-09-29-range-analysis-rollup.md
+++ b/cpp/old-change-notes/2020-09-29-range-analysis-rollup.md
--- a/cpp/old-change-notes/2020-10-21-erroneous-types.md
+++ b/cpp/old-change-notes/2020-10-21-erroneous-types.md
--- a/cpp/old-change-notes/2020-10-21-size-check-queries.md
+++ b/cpp/old-change-notes/2020-10-21-size-check-queries.md
--- a/cpp/old-change-notes/2020-11-02-unused-local-variable.md
+++ b/cpp/old-change-notes/2020-11-02-unused-local-variable.md
--- a/cpp/old-change-notes/2020-11-05-formatting-function.md
+++ b/cpp/old-change-notes/2020-11-05-formatting-function.md
--- a/cpp/old-change-notes/2020-11-05-private-models.md
+++ b/cpp/old-change-notes/2020-11-05-private-models.md
--- a/cpp/old-change-notes/2020-11-12-unsafe-use-of-this.md
+++ b/cpp/old-change-notes/2020-11-12-unsafe-use-of-this.md
--- a/cpp/old-change-notes/2020-11-27-downgrade-to-recommendation.md
+++ b/cpp/old-change-notes/2020-11-27-downgrade-to-recommendation.md
--- a/cpp/old-change-notes/2021-02-04-unsigned-difference-expression-compared-zero.md
+++ b/cpp/old-change-notes/2021-02-04-unsigned-difference-expression-compared-zero.md
--- a/cpp/old-change-notes/2021-02-24-memset-may-be-deleted.md
+++ b/cpp/old-change-notes/2021-02-24-memset-may-be-deleted.md
--- a/cpp/old-change-notes/2021-03-01-fluent-interface-data-flow.md
+++ b/cpp/old-change-notes/2021-03-01-fluent-interface-data-flow.md
--- a/cpp/old-change-notes/2021-03-11-failed-extractions.md
+++ b/cpp/old-change-notes/2021-03-11-failed-extractions.md
--- a/cpp/old-change-notes/2021-03-11-overflow-abs.md
+++ b/cpp/old-change-notes/2021-03-11-overflow-abs.md
--- a/cpp/old-change-notes/2021-03-17-av-rule-79.md
+++ b/cpp/old-change-notes/2021-03-17-av-rule-79.md
--- a/cpp/old-change-notes/2021-04-06-assign-where-compare-meant.md
+++ b/cpp/old-change-notes/2021-04-06-assign-where-compare-meant.md
--- a/cpp/old-change-notes/2021-04-09-unsigned-difference-expression-compared-zero.md
+++ b/cpp/old-change-notes/2021-04-09-unsigned-difference-expression-compared-zero.md
--- a/cpp/old-change-notes/2021-04-13-arithmetic-queries.md
+++ b/cpp/old-change-notes/2021-04-13-arithmetic-queries.md
--- a/cpp/old-change-notes/2021-04-21-return-stack-allocated-object.md
+++ b/cpp/old-change-notes/2021-04-21-return-stack-allocated-object.md
--- a/cpp/old-change-notes/2021-04-26-more-sound-expr-might-overflow.md
+++ b/cpp/old-change-notes/2021-04-26-more-sound-expr-might-overflow.md
--- a/cpp/old-change-notes/2021-05-10-comparison-with-wider-type.md
+++ b/cpp/old-change-notes/2021-05-10-comparison-with-wider-type.md
--- a/cpp/old-change-notes/2021-05-12-uncontrolled-arithmetic.md
+++ b/cpp/old-change-notes/2021-05-12-uncontrolled-arithmetic.md
--- a/cpp/old-change-notes/2021-05-14-uncontrolled-allocation-size.md
+++ b/cpp/old-change-notes/2021-05-14-uncontrolled-allocation-size.md
--- a/cpp/old-change-notes/2021-05-18-static-buffer-overflow.md
+++ b/cpp/old-change-notes/2021-05-18-static-buffer-overflow.md
--- a/cpp/old-change-notes/2021-05-19-weak-cryptographic-algorithm.md
+++ b/cpp/old-change-notes/2021-05-19-weak-cryptographic-algorithm.md
--- a/cpp/old-change-notes/2021-05-20-incorrect-allocation-error-handling.md
+++ b/cpp/old-change-notes/2021-05-20-incorrect-allocation-error-handling.md
--- a/cpp/old-change-notes/2021-05-20-ref-qualifiers.md
+++ b/cpp/old-change-notes/2021-05-20-ref-qualifiers.md
--- a/cpp/old-change-notes/2021-05-21-unsafe-strncat.md
+++ b/cpp/old-change-notes/2021-05-21-unsafe-strncat.md
--- a/cpp/old-change-notes/2021-06-10-cleartext-transmission.md
+++ b/cpp/old-change-notes/2021-06-10-cleartext-transmission.md
--- a/cpp/old-change-notes/2021-06-10-std-types.md
+++ b/cpp/old-change-notes/2021-06-10-std-types.md
--- a/cpp/old-change-notes/2021-06-21-weak-cryptographic-algorithm.md
+++ b/cpp/old-change-notes/2021-06-21-weak-cryptographic-algorithm.md
--- a/cpp/old-change-notes/2021-06-22-sql-tainted.md
+++ b/cpp/old-change-notes/2021-06-22-sql-tainted.md
--- a/cpp/old-change-notes/2021-06-24-dataflow-implicit-reads.md
+++ b/cpp/old-change-notes/2021-06-24-dataflow-implicit-reads.md
--- a/cpp/old-change-notes/2021-06-24-uncontrolled-arithmetic.md
+++ b/cpp/old-change-notes/2021-06-24-uncontrolled-arithmetic.md
--- a/cpp/old-change-notes/2021-06-30-wrong-type-format-argument.md
+++ b/cpp/old-change-notes/2021-06-30-wrong-type-format-argument.md
--- a/cpp/old-change-notes/2021-07-13-cleartext-storage-file.md
+++ b/cpp/old-change-notes/2021-07-13-cleartext-storage-file.md
--- a/cpp/old-change-notes/2021-07-20-toctou-race-condition.md
+++ b/cpp/old-change-notes/2021-07-20-toctou-race-condition.md
--- a/cpp/old-change-notes/2021-07-27-uncontrolled-arithmetic.md
+++ b/cpp/old-change-notes/2021-07-27-uncontrolled-arithmetic.md
--- a/cpp/old-change-notes/2021-07-29-virtual-function-declaration-specifiers.md
+++ b/cpp/old-change-notes/2021-07-29-virtual-function-declaration-specifiers.md
--- a/cpp/old-change-notes/2021-08-10-has-trailing-return-type.md
+++ b/cpp/old-change-notes/2021-08-10-has-trailing-return-type.md
--- a/cpp/old-change-notes/2021-08-17-has-c-linkage.md
+++ b/cpp/old-change-notes/2021-08-17-has-c-linkage.md
--- a/cpp/old-change-notes/2021-08-23-ctime-weaken-claims.md
+++ b/cpp/old-change-notes/2021-08-23-ctime-weaken-claims.md
--- a/cpp/old-change-notes/2021-08-23-getPrimaryQlClasses.md
+++ b/cpp/old-change-notes/2021-08-23-getPrimaryQlClasses.md
--- a/cpp/old-change-notes/2021-08-24-implicit-downcast-from-bitfield.md
+++ b/cpp/old-change-notes/2021-08-24-implicit-downcast-from-bitfield.md
--- a/cpp/old-change-notes/2021-08-31-range-analysis-upper-bound.md
+++ b/cpp/old-change-notes/2021-08-31-range-analysis-upper-bound.md
--- a/cpp/old-change-notes/2021-09-13-overflow-static.md
+++ b/cpp/old-change-notes/2021-09-13-overflow-static.md
--- a/cpp/old-change-notes/2021-09-27-command-line-injection.md
+++ b/cpp/old-change-notes/2021-09-27-command-line-injection.md
--- a/cpp/old-change-notes/2021-09-27-overflow-static.md
+++ b/cpp/old-change-notes/2021-09-27-overflow-static.md
--- a/cpp/old-change-notes/2021-10-01-improper-null-termination.md
+++ b/cpp/old-change-notes/2021-10-01-improper-null-termination.md
--- a/cpp/old-change-notes/2021-10-07-extraction-errors.md
+++ b/cpp/old-change-notes/2021-10-07-extraction-errors.md
--- a/cpp/change-notes/2021-11-01-isFromSystemMacroDefinition.md
+++ b/cpp/change-notes/2021-11-01-isFromSystemMacroDefinition.md
@@ -1,7 +1,4 @@
-## 0.0.4
-
-### New Features
-
+lgtm,codescanning
 * The QL library `semmle.code.cpp.commons.Exclusions` now contains a predicate
  `isFromSystemMacroDefinition` for identifying code that originates from a
  macro outside the project being analyzed.
--- a/cpp/change-notes/2021-11-09-use-of-http.md
+++ b/cpp/change-notes/2021-11-09-use-of-http.md
@@ -1,5 +1,2 @@
-## 0.0.4
-
-### New Queries
-
+lgtm,codescanning
 * A new query `cpp/non-https-url` has been added for C/C++. The query flags uses of `http` URLs that might be better replaced with `https`.
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,9 +0,0 @@
-## 0.0.5
-
-## 0.0.4
-
-### New Features
-
-* The QL library `semmle.code.cpp.commons.Exclusions` now contains a predicate
-  `isFromSystemMacroDefinition` for identifying code that originates from a
-  macro outside the project being analyzed.
--- a/cpp/ql/lib/change-notes/released/0.0.5.md
+++ b/cpp/ql/lib/change-notes/released/0.0.5.md
@@ -1 +0,0 @@
-## 0.0.5
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +0,0 @@
---
-lastReleaseVersion: 0.0.5
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,8 +1,7 @@
 name: codeql/cpp-all
-version: 0.0.6-dev
-groups: cpp
+version: 0.0.2
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
 library: true
 dependencies:
-  codeql/cpp-upgrades: ^0.0.3
+  codeql/cpp-upgrades: 0.0.2
--- a/cpp/ql/lib/semmle/code/cpp/controlflow/internal/ConstantExprs.qll
+++ b/cpp/ql/lib/semmle/code/cpp/controlflow/internal/ConstantExprs.qll
@@ -626,9 +626,9 @@ library class ExprEvaluator extends int {
      // All assignments must have the same int value
      result =
        unique(Expr value |
-          value = v.getAnAssignedValue() and not this.ignoreVariableAssignment(e, v, value)
+          value = v.getAnAssignedValue() and not ignoreVariableAssignment(e, v, value)
        |
-          this.getValueInternalNonSubExpr(value)
+          getValueInternalNonSubExpr(value)
        )
    )
  }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowDispatch.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowDispatch.qll
@@ -1,6 +1,4 @@
 private import cpp
-private import semmle.code.cpp.dataflow.internal.DataFlowPrivate
-private import semmle.code.cpp.dataflow.internal.DataFlowUtil

 /**
 * Gets a function that might be called by `call`.
@@ -65,17 +63,3 @@ predicate mayBenefitFromCallContext(Call call, Function f) { none() }
 * restricted to those `call`s for which a context might make a difference.
 */
 Function viableImplInCallContext(Call call, Call ctx) { none() }
-
-/** A parameter position represented by an integer. */
-class ParameterPosition extends int {
-  ParameterPosition() { any(ParameterNode p).isParameterOf(_, this) }
-}
-
-/** An argument position represented by an integer. */
-class ArgumentPosition extends int {
-  ArgumentPosition() { any(ArgumentNode a).argumentOf(_, this) }
-}
-
-/** Holds if arguments at position `apos` match parameters at position `ppos`. */
-pragma[inline]
-predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
  ParamNodeEx() { this.asNode() instanceof ParamNode }

-  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
-    this.asNode().(ParamNode).isParameterOf(c, pos)
+  predicate isParameterOf(DataFlowCallable c, int i) {
+    this.asNode().(ParamNode).isParameterOf(c, i)
  }

-  ParameterPosition getPosition() { this.isParameterOf(_, result) }
+  int getPosition() { this.isParameterOf(_, result) }

  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -289,7 +289,6 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

-pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
    config.isBarrier(n)
@@ -308,23 +307,11 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 }

 pragma[nomagic]
-private predicate sourceNode(NodeEx node, Configuration config) {
-  config.isSource(node.asNode()) and
-  not fullBarrier(node, config)
-}
+private predicate sourceNode(NodeEx node, Configuration config) { config.isSource(node.asNode()) }

 pragma[nomagic]
 private predicate sinkNode(NodeEx node, Configuration config) { config.isSink(node.asNode()) }

-/** Provides the relevant barriers for a step from `node1` to `node2`. */
-pragma[inline]
-private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
-  not fullBarrier(node1, config) and
-  not fullBarrier(node2, config)
-}
-
 /**
 * Holds if data can flow in one local step from `node1` to `node2`.
 */
@@ -333,14 +320,16 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    simpleLocalFlowStepExt(n1, n2) and
-    stepFilter(node1, node2, config)
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.asNode() = n and
-    node2.isImplicitReadNode(n, false) and
-    not fullBarrier(node1, config)
+    node2.isImplicitReadNode(n, false)
  )
 }

@@ -353,14 +342,16 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
-    stepFilter(node1, node2, config)
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.isImplicitReadNode(n, true) and
-    node2.asNode() = n and
-    not fullBarrier(node2, config)
+    node2.asNode() = n
  )
 }

@@ -372,7 +363,10 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    jumpStepCached(n1, n2) and
-    stepFilter(node1, node2, config) and
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }
@@ -386,14 +380,16 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
-    stepFilter(node1, node2, config) and
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }

 private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  read(node1.asNode(), c, node2.asNode()) and
-  stepFilter(node1, node2, config)
+  read(node1.asNode(), c, node2.asNode())
  or
  exists(Node n |
    node2.isImplicitReadNode(n, true) and
@@ -406,8 +402,7 @@ private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
  store(node1.asNode(), tc, node2.asNode(), contentType) and
-  read(_, tc.getContent(), _, config) and
-  stepFilter(node1, node2, config)
+  read(_, tc.getContent(), _, config)
 }

 pragma[nomagic]
@@ -456,59 +451,63 @@ private module Stage1 {
   * argument in a call.
   */
  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
-    sourceNode(node, config) and
-    if hasSourceCallCtx(config) then cc = true else cc = false
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, cc, config) and
-      localFlowStep(mid, node, config)
-    )
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, cc, config) and
-      additionalLocalFlowStep(mid, node, config)
-    )
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, _, config) and
-      jumpStep(mid, node, config) and
-      cc = false
-    )
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, _, config) and
-      additionalJumpStep(mid, node, config) and
-      cc = false
-    )
-    or
-    // store
-    exists(NodeEx mid |
-      useFieldFlow(config) and
-      fwdFlow(mid, cc, config) and
-      store(mid, _, node, _, config)
-    )
-    or
-    // read
-    exists(Content c |
-      fwdFlowRead(c, node, cc, config) and
-      fwdFlowConsCand(c, config)
-    )
-    or
-    // flow into a callable
-    exists(NodeEx arg |
-      fwdFlow(arg, _, config) and
-      viableParamArgEx(_, node, arg) and
-      cc = true and
-      not fullBarrier(node, config)
-    )
-    or
-    // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, false, config) and
-      cc = false
+    not fullBarrier(node, config) and
+    (
+      sourceNode(node, config) and
+      if hasSourceCallCtx(config) then cc = true else cc = false
      or
-      fwdFlowOutFromArg(call, node, config) and
-      fwdFlowIsEntered(call, cc, config)
+      exists(NodeEx mid |
+        fwdFlow(mid, cc, config) and
+        localFlowStep(mid, node, config)
+      )
+      or
+      exists(NodeEx mid |
+        fwdFlow(mid, cc, config) and
+        additionalLocalFlowStep(mid, node, config)
+      )
+      or
+      exists(NodeEx mid |
+        fwdFlow(mid, _, config) and
+        jumpStep(mid, node, config) and
+        cc = false
+      )
+      or
+      exists(NodeEx mid |
+        fwdFlow(mid, _, config) and
+        additionalJumpStep(mid, node, config) and
+        cc = false
+      )
+      or
+      // store
+      exists(NodeEx mid |
+        useFieldFlow(config) and
+        fwdFlow(mid, cc, config) and
+        store(mid, _, node, _, config) and
+        not outBarrier(mid, config)
+      )
+      or
+      // read
+      exists(Content c |
+        fwdFlowRead(c, node, cc, config) and
+        fwdFlowConsCand(c, config) and
+        not inBarrier(node, config)
+      )
+      or
+      // flow into a callable
+      exists(NodeEx arg |
+        fwdFlow(arg, _, config) and
+        viableParamArgEx(_, node, arg) and
+        cc = true
+      )
+      or
+      // flow out of a callable
+      exists(DataFlowCall call |
+        fwdFlowOut(call, node, false, config) and
+        cc = false
+        or
+        fwdFlowOutFromArg(call, node, config) and
+        fwdFlowIsEntered(call, cc, config)
+      )
    )
  }

@@ -548,8 +547,7 @@ private module Stage1 {
  private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
    exists(ReturnPosition pos |
      fwdFlowReturnPosition(pos, cc, config) and
-      viableReturnPosOutEx(call, pos, out) and
-      not fullBarrier(out, config)
+      viableReturnPosOutEx(call, pos, out)
    )
  }

@@ -775,7 +773,6 @@ private module Stage1 {
   * Holds if flow may enter through `p` and reach a return node making `p` a
   * candidate for the origin of a summary.
   */
-  pragma[nomagic]
  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
    exists(ReturnKindExt kind |
      throughFlowNodeCand(p, config) and
@@ -1012,9 +1009,6 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

-  bindingset[node, ap]
-  private predicate filter(NodeEx node, Ap ap) { any() }
-
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1023,23 +1017,14 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

-  bindingset[result, apa]
-  private ApApprox unbindApa(ApApprox apa) {
-    exists(ApApprox apa0 |
-      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
-    )
-  }
-
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config)) and
-    ccc.matchesCall(call)
+      pragma[only_bind_into](config))
  }

  /**
@@ -1052,13 +1037,6 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
-    fwdFlow0(node, cc, argAp, ap, config) and
-    flowCand(node, unbindApa(getApprox(ap)), config) and
-    filter(node, ap)
-  }
-
-  pragma[nomagic]
-  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1129,7 +1107,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1164,8 +1142,9 @@ private module Stage2 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1180,8 +1159,9 @@ private module Stage2 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      ccOut = getCallContextReturn(inner, call, innercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1191,8 +1171,10 @@ private module Stage2 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1206,7 +1188,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
+      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
    )
  }

@@ -1248,11 +1230,6 @@ private module Stage2 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

-  pragma[nomagic]
-  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
-    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
-  }
-
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -1329,7 +1306,7 @@ private module Stage2 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if returnNodeMayFlowThrough(node, ap, config)
+    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -1364,8 +1341,9 @@ private module Stage2 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1375,8 +1353,9 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1386,8 +1365,9 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1447,7 +1427,7 @@ private module Stage2 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -1727,14 +1707,12 @@ private module Stage3 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config)) and
-    ccc.matchesCall(call)
+      pragma[only_bind_into](config))
  }

  /**
@@ -1859,8 +1837,9 @@ private module Stage3 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1875,8 +1854,9 @@ private module Stage3 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      ccOut = getCallContextReturn(inner, call, innercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1886,8 +1866,10 @@ private module Stage3 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1943,11 +1925,6 @@ private module Stage3 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

-  pragma[nomagic]
-  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
-    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
-  }
-
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2024,7 +2001,7 @@ private module Stage3 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if returnNodeMayFlowThrough(node, ap, config)
+    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2059,8 +2036,9 @@ private module Stage3 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2070,8 +2048,9 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2081,8 +2060,9 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2142,7 +2122,7 @@ private module Stage3 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2493,14 +2473,12 @@ private module Stage4 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config)) and
-    ccc.matchesCall(call)
+      pragma[only_bind_into](config))
  }

  /**
@@ -2625,8 +2603,9 @@ private module Stage4 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2641,8 +2620,9 @@ private module Stage4 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      ccOut = getCallContextReturn(inner, call, innercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2652,8 +2632,10 @@ private module Stage4 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2709,11 +2691,6 @@ private module Stage4 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

-  pragma[nomagic]
-  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
-    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
-  }
-
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2790,7 +2767,7 @@ private module Stage4 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if returnNodeMayFlowThrough(node, ap, config)
+    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2825,8 +2802,9 @@ private module Stage4 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2836,8 +2814,9 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2847,8 +2826,9 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2908,7 +2888,7 @@ private module Stage4 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2992,7 +2972,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

-  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }
+  int getParameterPos() { p.isParameterOf(_, result) }

  ParamNodeEx getParamNode() { result = p }

@@ -3639,40 +3619,39 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
 */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
-  AccessPathApprox apa, Configuration config
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
+  Configuration config
 ) {
-  exists(ArgNode arg, ArgumentPosition apos |
+  exists(ArgNode arg |
    arg = mid.getNodeEx().asNode() and
    cc = mid.getCallContext() and
-    arg.argumentOf(call, apos) and
+    arg.argumentOf(call, i) and
    ap = mid.getAp() and
    apa = ap.getApprox() and
-    config = mid.getConfiguration() and
-    parameterMatch(ppos, apos)
+    config = mid.getConfiguration()
  )
 }

 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
  exists(ParamNodeEx p |
    Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, pos)
+    p.isParameterOf(callable, i)
  )
 }

 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
-  DataFlowCall call, AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
+  AccessPath ap, Configuration config
 ) {
  exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
      pragma[only_bind_into](config)) and
    callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
      pragma[only_bind_into](config))
  )
 }
@@ -3687,9 +3666,9 @@ private predicate pathIntoCallable(
  PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
  DataFlowCall call, Configuration config
 ) {
-  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-    p.isParameterOf(callable, pos) and
+  exists(int i, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+    p.isParameterOf(callable, i) and
    (
      sc = TSummaryCtxSome(p, ap)
      or
@@ -3713,7 +3692,7 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
  Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
+  exists(PathNodeMid mid, RetNodeEx ret, int pos |
    mid.getNodeEx() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
@@ -4442,25 +4421,24 @@ private module FlowExploration {

  pragma[noinline]
  private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
-    PartialAccessPath ap, Configuration config
+    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
+    Configuration config
  ) {
-    exists(ArgNode arg, ArgumentPosition apos |
+    exists(ArgNode arg |
      arg = mid.getNodeEx().asNode() and
      cc = mid.getCallContext() and
-      arg.argumentOf(call, apos) and
+      arg.argumentOf(call, i) and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
    DataFlowCall call, PartialAccessPath ap, Configuration config
  ) {
-    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
+    partialPathIntoArg(mid, i, outercc, call, ap, config) and
    callable = resolveCall(call, outercc)
  }

@@ -4469,9 +4447,9 @@ private module FlowExploration {
    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
    Configuration config
  ) {
-    exists(ParameterPosition pos, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-      p.isParameterOf(callable, pos) and
+    exists(int i, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+      p.isParameterOf(callable, i) and
      sc1 = TSummaryCtx1Param(p) and
      sc2 = TSummaryCtx2Some(ap)
    |
@@ -4635,23 +4613,22 @@ private module FlowExploration {

  pragma[nomagic]
  private predicate revPartialPathFlowsThrough(
-    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
-    RevPartialAccessPath ap, Configuration config
+    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
+    Configuration config
  ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
+    exists(PartialPathNodeRev mid, ParamNodeEx p |
      mid.getNodeEx() = p and
-      p.getPosition() = ppos and
+      p.getPosition() = pos and
      sc1 = mid.getSummaryCtx1() and
      sc2 = mid.getSummaryCtx2() and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
    Configuration config
  ) {
    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4664,7 +4641,7 @@ private module FlowExploration {
  private predicate revPartialPathThroughCallable(
    PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
  ) {
-    exists(DataFlowCall call, ArgumentPosition pos |
+    exists(DataFlowCall call, int pos |
      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
      node.asNode().(ArgNode).argumentOf(call, pos)
    )
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
  ParamNodeEx() { this.asNode() instanceof ParamNode }

-  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
-    this.asNode().(ParamNode).isParameterOf(c, pos)
+  predicate isParameterOf(DataFlowCallable c, int i) {
+    this.asNode().(ParamNode).isParameterOf(c, i)
  }

-  ParameterPosition getPosition() { this.isParameterOf(_, result) }
+  int getPosition() { this.isParameterOf(_, result) }

  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -289,7 +289,6 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

-pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
    config.isBarrier(n)
@@ -308,23 +307,11 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 }

 pragma[nomagic]
-private predicate sourceNode(NodeEx node, Configuration config) {
-  config.isSource(node.asNode()) and
-  not fullBarrier(node, config)
-}
+private predicate sourceNode(NodeEx node, Configuration config) { config.isSource(node.asNode()) }

 pragma[nomagic]
 private predicate sinkNode(NodeEx node, Configuration config) { config.isSink(node.asNode()) }

-/** Provides the relevant barriers for a step from `node1` to `node2`. */
-pragma[inline]
-private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
-  not fullBarrier(node1, config) and
-  not fullBarrier(node2, config)
-}
-
 /**
 * Holds if data can flow in one local step from `node1` to `node2`.
 */
@@ -333,14 +320,16 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    simpleLocalFlowStepExt(n1, n2) and
-    stepFilter(node1, node2, config)
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.asNode() = n and
-    node2.isImplicitReadNode(n, false) and
-    not fullBarrier(node1, config)
+    node2.isImplicitReadNode(n, false)
  )
 }

@@ -353,14 +342,16 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
-    stepFilter(node1, node2, config)
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.isImplicitReadNode(n, true) and
-    node2.asNode() = n and
-    not fullBarrier(node2, config)
+    node2.asNode() = n
  )
 }

@@ -372,7 +363,10 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    jumpStepCached(n1, n2) and
-    stepFilter(node1, node2, config) and
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }
@@ -386,14 +380,16 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
-    stepFilter(node1, node2, config) and
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }

 private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  read(node1.asNode(), c, node2.asNode()) and
-  stepFilter(node1, node2, config)
+  read(node1.asNode(), c, node2.asNode())
  or
  exists(Node n |
    node2.isImplicitReadNode(n, true) and
@@ -406,8 +402,7 @@ private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
  store(node1.asNode(), tc, node2.asNode(), contentType) and
-  read(_, tc.getContent(), _, config) and
-  stepFilter(node1, node2, config)
+  read(_, tc.getContent(), _, config)
 }

 pragma[nomagic]
@@ -456,59 +451,63 @@ private module Stage1 {
   * argument in a call.
   */
  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
-    sourceNode(node, config) and
-    if hasSourceCallCtx(config) then cc = true else cc = false
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, cc, config) and
-      localFlowStep(mid, node, config)
-    )
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, cc, config) and
-      additionalLocalFlowStep(mid, node, config)
-    )
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, _, config) and
-      jumpStep(mid, node, config) and
-      cc = false
-    )
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, _, config) and
-      additionalJumpStep(mid, node, config) and
-      cc = false
-    )
-    or
-    // store
-    exists(NodeEx mid |
-      useFieldFlow(config) and
-      fwdFlow(mid, cc, config) and
-      store(mid, _, node, _, config)
-    )
-    or
-    // read
-    exists(Content c |
-      fwdFlowRead(c, node, cc, config) and
-      fwdFlowConsCand(c, config)
-    )
-    or
-    // flow into a callable
-    exists(NodeEx arg |
-      fwdFlow(arg, _, config) and
-      viableParamArgEx(_, node, arg) and
-      cc = true and
-      not fullBarrier(node, config)
-    )
-    or
-    // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, false, config) and
-      cc = false
+    not fullBarrier(node, config) and
+    (
+      sourceNode(node, config) and
+      if hasSourceCallCtx(config) then cc = true else cc = false
      or
-      fwdFlowOutFromArg(call, node, config) and
-      fwdFlowIsEntered(call, cc, config)
+      exists(NodeEx mid |
+        fwdFlow(mid, cc, config) and
+        localFlowStep(mid, node, config)
+      )
+      or
+      exists(NodeEx mid |
+        fwdFlow(mid, cc, config) and
+        additionalLocalFlowStep(mid, node, config)
+      )
+      or
+      exists(NodeEx mid |
+        fwdFlow(mid, _, config) and
+        jumpStep(mid, node, config) and
+        cc = false
+      )
+      or
+      exists(NodeEx mid |
+        fwdFlow(mid, _, config) and
+        additionalJumpStep(mid, node, config) and
+        cc = false
+      )
+      or
+      // store
+      exists(NodeEx mid |
+        useFieldFlow(config) and
+        fwdFlow(mid, cc, config) and
+        store(mid, _, node, _, config) and
+        not outBarrier(mid, config)
+      )
+      or
+      // read
+      exists(Content c |
+        fwdFlowRead(c, node, cc, config) and
+        fwdFlowConsCand(c, config) and
+        not inBarrier(node, config)
+      )
+      or
+      // flow into a callable
+      exists(NodeEx arg |
+        fwdFlow(arg, _, config) and
+        viableParamArgEx(_, node, arg) and
+        cc = true
+      )
+      or
+      // flow out of a callable
+      exists(DataFlowCall call |
+        fwdFlowOut(call, node, false, config) and
+        cc = false
+        or
+        fwdFlowOutFromArg(call, node, config) and
+        fwdFlowIsEntered(call, cc, config)
+      )
    )
  }

@@ -548,8 +547,7 @@ private module Stage1 {
  private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
    exists(ReturnPosition pos |
      fwdFlowReturnPosition(pos, cc, config) and
-      viableReturnPosOutEx(call, pos, out) and
-      not fullBarrier(out, config)
+      viableReturnPosOutEx(call, pos, out)
    )
  }

@@ -775,7 +773,6 @@ private module Stage1 {
   * Holds if flow may enter through `p` and reach a return node making `p` a
   * candidate for the origin of a summary.
   */
-  pragma[nomagic]
  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
    exists(ReturnKindExt kind |
      throughFlowNodeCand(p, config) and
@@ -1012,9 +1009,6 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

-  bindingset[node, ap]
-  private predicate filter(NodeEx node, Ap ap) { any() }
-
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1023,23 +1017,14 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

-  bindingset[result, apa]
-  private ApApprox unbindApa(ApApprox apa) {
-    exists(ApApprox apa0 |
-      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
-    )
-  }
-
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config)) and
-    ccc.matchesCall(call)
+      pragma[only_bind_into](config))
  }

  /**
@@ -1052,13 +1037,6 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
-    fwdFlow0(node, cc, argAp, ap, config) and
-    flowCand(node, unbindApa(getApprox(ap)), config) and
-    filter(node, ap)
-  }
-
-  pragma[nomagic]
-  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1129,7 +1107,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1164,8 +1142,9 @@ private module Stage2 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1180,8 +1159,9 @@ private module Stage2 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      ccOut = getCallContextReturn(inner, call, innercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1191,8 +1171,10 @@ private module Stage2 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1206,7 +1188,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
+      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
    )
  }

@@ -1248,11 +1230,6 @@ private module Stage2 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

-  pragma[nomagic]
-  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
-    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
-  }
-
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -1329,7 +1306,7 @@ private module Stage2 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if returnNodeMayFlowThrough(node, ap, config)
+    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -1364,8 +1341,9 @@ private module Stage2 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1375,8 +1353,9 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1386,8 +1365,9 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1447,7 +1427,7 @@ private module Stage2 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -1727,14 +1707,12 @@ private module Stage3 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config)) and
-    ccc.matchesCall(call)
+      pragma[only_bind_into](config))
  }

  /**
@@ -1859,8 +1837,9 @@ private module Stage3 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1875,8 +1854,9 @@ private module Stage3 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      ccOut = getCallContextReturn(inner, call, innercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1886,8 +1866,10 @@ private module Stage3 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1943,11 +1925,6 @@ private module Stage3 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

-  pragma[nomagic]
-  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
-    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
-  }
-
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2024,7 +2001,7 @@ private module Stage3 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if returnNodeMayFlowThrough(node, ap, config)
+    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2059,8 +2036,9 @@ private module Stage3 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2070,8 +2048,9 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2081,8 +2060,9 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2142,7 +2122,7 @@ private module Stage3 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2493,14 +2473,12 @@ private module Stage4 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config)) and
-    ccc.matchesCall(call)
+      pragma[only_bind_into](config))
  }

  /**
@@ -2625,8 +2603,9 @@ private module Stage4 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2641,8 +2620,9 @@ private module Stage4 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      ccOut = getCallContextReturn(inner, call, innercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2652,8 +2632,10 @@ private module Stage4 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2709,11 +2691,6 @@ private module Stage4 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

-  pragma[nomagic]
-  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
-    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
-  }
-
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2790,7 +2767,7 @@ private module Stage4 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if returnNodeMayFlowThrough(node, ap, config)
+    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2825,8 +2802,9 @@ private module Stage4 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2836,8 +2814,9 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2847,8 +2826,9 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2908,7 +2888,7 @@ private module Stage4 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2992,7 +2972,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

-  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }
+  int getParameterPos() { p.isParameterOf(_, result) }

  ParamNodeEx getParamNode() { result = p }

@@ -3639,40 +3619,39 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
 */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
-  AccessPathApprox apa, Configuration config
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
+  Configuration config
 ) {
-  exists(ArgNode arg, ArgumentPosition apos |
+  exists(ArgNode arg |
    arg = mid.getNodeEx().asNode() and
    cc = mid.getCallContext() and
-    arg.argumentOf(call, apos) and
+    arg.argumentOf(call, i) and
    ap = mid.getAp() and
    apa = ap.getApprox() and
-    config = mid.getConfiguration() and
-    parameterMatch(ppos, apos)
+    config = mid.getConfiguration()
  )
 }

 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
  exists(ParamNodeEx p |
    Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, pos)
+    p.isParameterOf(callable, i)
  )
 }

 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
-  DataFlowCall call, AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
+  AccessPath ap, Configuration config
 ) {
  exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
      pragma[only_bind_into](config)) and
    callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
      pragma[only_bind_into](config))
  )
 }
@@ -3687,9 +3666,9 @@ private predicate pathIntoCallable(
  PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
  DataFlowCall call, Configuration config
 ) {
-  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-    p.isParameterOf(callable, pos) and
+  exists(int i, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+    p.isParameterOf(callable, i) and
    (
      sc = TSummaryCtxSome(p, ap)
      or
@@ -3713,7 +3692,7 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
  Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
+  exists(PathNodeMid mid, RetNodeEx ret, int pos |
    mid.getNodeEx() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
@@ -4442,25 +4421,24 @@ private module FlowExploration {

  pragma[noinline]
  private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
-    PartialAccessPath ap, Configuration config
+    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
+    Configuration config
  ) {
-    exists(ArgNode arg, ArgumentPosition apos |
+    exists(ArgNode arg |
      arg = mid.getNodeEx().asNode() and
      cc = mid.getCallContext() and
-      arg.argumentOf(call, apos) and
+      arg.argumentOf(call, i) and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
    DataFlowCall call, PartialAccessPath ap, Configuration config
  ) {
-    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
+    partialPathIntoArg(mid, i, outercc, call, ap, config) and
    callable = resolveCall(call, outercc)
  }

@@ -4469,9 +4447,9 @@ private module FlowExploration {
    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
    Configuration config
  ) {
-    exists(ParameterPosition pos, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-      p.isParameterOf(callable, pos) and
+    exists(int i, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+      p.isParameterOf(callable, i) and
      sc1 = TSummaryCtx1Param(p) and
      sc2 = TSummaryCtx2Some(ap)
    |
@@ -4635,23 +4613,22 @@ private module FlowExploration {

  pragma[nomagic]
  private predicate revPartialPathFlowsThrough(
-    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
-    RevPartialAccessPath ap, Configuration config
+    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
+    Configuration config
  ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
+    exists(PartialPathNodeRev mid, ParamNodeEx p |
      mid.getNodeEx() = p and
-      p.getPosition() = ppos and
+      p.getPosition() = pos and
      sc1 = mid.getSummaryCtx1() and
      sc2 = mid.getSummaryCtx2() and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
    Configuration config
  ) {
    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4664,7 +4641,7 @@ private module FlowExploration {
  private predicate revPartialPathThroughCallable(
    PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
  ) {
-    exists(DataFlowCall call, ArgumentPosition pos |
+    exists(DataFlowCall call, int pos |
      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
      node.asNode().(ArgNode).argumentOf(call, pos)
    )
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
  ParamNodeEx() { this.asNode() instanceof ParamNode }

-  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
-    this.asNode().(ParamNode).isParameterOf(c, pos)
+  predicate isParameterOf(DataFlowCallable c, int i) {
+    this.asNode().(ParamNode).isParameterOf(c, i)
  }

-  ParameterPosition getPosition() { this.isParameterOf(_, result) }
+  int getPosition() { this.isParameterOf(_, result) }

  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -289,7 +289,6 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

-pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
    config.isBarrier(n)
@@ -308,23 +307,11 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 }

 pragma[nomagic]
-private predicate sourceNode(NodeEx node, Configuration config) {
-  config.isSource(node.asNode()) and
-  not fullBarrier(node, config)
-}
+private predicate sourceNode(NodeEx node, Configuration config) { config.isSource(node.asNode()) }

 pragma[nomagic]
 private predicate sinkNode(NodeEx node, Configuration config) { config.isSink(node.asNode()) }

-/** Provides the relevant barriers for a step from `node1` to `node2`. */
-pragma[inline]
-private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
-  not fullBarrier(node1, config) and
-  not fullBarrier(node2, config)
-}
-
 /**
 * Holds if data can flow in one local step from `node1` to `node2`.
 */
@@ -333,14 +320,16 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    simpleLocalFlowStepExt(n1, n2) and
-    stepFilter(node1, node2, config)
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.asNode() = n and
-    node2.isImplicitReadNode(n, false) and
-    not fullBarrier(node1, config)
+    node2.isImplicitReadNode(n, false)
  )
 }

@@ -353,14 +342,16 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
-    stepFilter(node1, node2, config)
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.isImplicitReadNode(n, true) and
-    node2.asNode() = n and
-    not fullBarrier(node2, config)
+    node2.asNode() = n
  )
 }

@@ -372,7 +363,10 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    jumpStepCached(n1, n2) and
-    stepFilter(node1, node2, config) and
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }
@@ -386,14 +380,16 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
-    stepFilter(node1, node2, config) and
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }

 private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  read(node1.asNode(), c, node2.asNode()) and
-  stepFilter(node1, node2, config)
+  read(node1.asNode(), c, node2.asNode())
  or
  exists(Node n |
    node2.isImplicitReadNode(n, true) and
@@ -406,8 +402,7 @@ private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
  store(node1.asNode(), tc, node2.asNode(), contentType) and
-  read(_, tc.getContent(), _, config) and
-  stepFilter(node1, node2, config)
+  read(_, tc.getContent(), _, config)
 }

 pragma[nomagic]
@@ -456,59 +451,63 @@ private module Stage1 {
   * argument in a call.
   */
  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
-    sourceNode(node, config) and
-    if hasSourceCallCtx(config) then cc = true else cc = false
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, cc, config) and
-      localFlowStep(mid, node, config)
-    )
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, cc, config) and
-      additionalLocalFlowStep(mid, node, config)
-    )
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, _, config) and
-      jumpStep(mid, node, config) and
-      cc = false
-    )
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, _, config) and
-      additionalJumpStep(mid, node, config) and
-      cc = false
-    )
-    or
-    // store
-    exists(NodeEx mid |
-      useFieldFlow(config) and
-      fwdFlow(mid, cc, config) and
-      store(mid, _, node, _, config)
-    )
-    or
-    // read
-    exists(Content c |
-      fwdFlowRead(c, node, cc, config) and
-      fwdFlowConsCand(c, config)
-    )
-    or
-    // flow into a callable
-    exists(NodeEx arg |
-      fwdFlow(arg, _, config) and
-      viableParamArgEx(_, node, arg) and
-      cc = true and
-      not fullBarrier(node, config)
-    )
-    or
-    // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, false, config) and
-      cc = false
+    not fullBarrier(node, config) and
+    (
+      sourceNode(node, config) and
+      if hasSourceCallCtx(config) then cc = true else cc = false
      or
-      fwdFlowOutFromArg(call, node, config) and
-      fwdFlowIsEntered(call, cc, config)
+      exists(NodeEx mid |
+        fwdFlow(mid, cc, config) and
+        localFlowStep(mid, node, config)
+      )
+      or
+      exists(NodeEx mid |
+        fwdFlow(mid, cc, config) and
+        additionalLocalFlowStep(mid, node, config)
+      )
+      or
+      exists(NodeEx mid |
+        fwdFlow(mid, _, config) and
+        jumpStep(mid, node, config) and
+        cc = false
+      )
+      or
+      exists(NodeEx mid |
+        fwdFlow(mid, _, config) and
+        additionalJumpStep(mid, node, config) and
+        cc = false
+      )
+      or
+      // store
+      exists(NodeEx mid |
+        useFieldFlow(config) and
+        fwdFlow(mid, cc, config) and
+        store(mid, _, node, _, config) and
+        not outBarrier(mid, config)
+      )
+      or
+      // read
+      exists(Content c |
+        fwdFlowRead(c, node, cc, config) and
+        fwdFlowConsCand(c, config) and
+        not inBarrier(node, config)
+      )
+      or
+      // flow into a callable
+      exists(NodeEx arg |
+        fwdFlow(arg, _, config) and
+        viableParamArgEx(_, node, arg) and
+        cc = true
+      )
+      or
+      // flow out of a callable
+      exists(DataFlowCall call |
+        fwdFlowOut(call, node, false, config) and
+        cc = false
+        or
+        fwdFlowOutFromArg(call, node, config) and
+        fwdFlowIsEntered(call, cc, config)
+      )
    )
  }

@@ -548,8 +547,7 @@ private module Stage1 {
  private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
    exists(ReturnPosition pos |
      fwdFlowReturnPosition(pos, cc, config) and
-      viableReturnPosOutEx(call, pos, out) and
-      not fullBarrier(out, config)
+      viableReturnPosOutEx(call, pos, out)
    )
  }

@@ -775,7 +773,6 @@ private module Stage1 {
   * Holds if flow may enter through `p` and reach a return node making `p` a
   * candidate for the origin of a summary.
   */
-  pragma[nomagic]
  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
    exists(ReturnKindExt kind |
      throughFlowNodeCand(p, config) and
@@ -1012,9 +1009,6 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

-  bindingset[node, ap]
-  private predicate filter(NodeEx node, Ap ap) { any() }
-
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1023,23 +1017,14 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

-  bindingset[result, apa]
-  private ApApprox unbindApa(ApApprox apa) {
-    exists(ApApprox apa0 |
-      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
-    )
-  }
-
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config)) and
-    ccc.matchesCall(call)
+      pragma[only_bind_into](config))
  }

  /**
@@ -1052,13 +1037,6 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
-    fwdFlow0(node, cc, argAp, ap, config) and
-    flowCand(node, unbindApa(getApprox(ap)), config) and
-    filter(node, ap)
-  }
-
-  pragma[nomagic]
-  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1129,7 +1107,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1164,8 +1142,9 @@ private module Stage2 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1180,8 +1159,9 @@ private module Stage2 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      ccOut = getCallContextReturn(inner, call, innercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1191,8 +1171,10 @@ private module Stage2 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1206,7 +1188,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
+      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
    )
  }

@@ -1248,11 +1230,6 @@ private module Stage2 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

-  pragma[nomagic]
-  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
-    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
-  }
-
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -1329,7 +1306,7 @@ private module Stage2 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if returnNodeMayFlowThrough(node, ap, config)
+    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -1364,8 +1341,9 @@ private module Stage2 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1375,8 +1353,9 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1386,8 +1365,9 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1447,7 +1427,7 @@ private module Stage2 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -1727,14 +1707,12 @@ private module Stage3 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config)) and
-    ccc.matchesCall(call)
+      pragma[only_bind_into](config))
  }

  /**
@@ -1859,8 +1837,9 @@ private module Stage3 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1875,8 +1854,9 @@ private module Stage3 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      ccOut = getCallContextReturn(inner, call, innercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1886,8 +1866,10 @@ private module Stage3 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1943,11 +1925,6 @@ private module Stage3 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

-  pragma[nomagic]
-  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
-    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
-  }
-
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2024,7 +2001,7 @@ private module Stage3 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if returnNodeMayFlowThrough(node, ap, config)
+    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2059,8 +2036,9 @@ private module Stage3 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2070,8 +2048,9 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2081,8 +2060,9 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2142,7 +2122,7 @@ private module Stage3 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2493,14 +2473,12 @@ private module Stage4 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config)) and
-    ccc.matchesCall(call)
+      pragma[only_bind_into](config))
  }

  /**
@@ -2625,8 +2603,9 @@ private module Stage4 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2641,8 +2620,9 @@ private module Stage4 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      ccOut = getCallContextReturn(inner, call, innercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2652,8 +2632,10 @@ private module Stage4 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2709,11 +2691,6 @@ private module Stage4 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

-  pragma[nomagic]
-  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
-    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
-  }
-
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2790,7 +2767,7 @@ private module Stage4 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if returnNodeMayFlowThrough(node, ap, config)
+    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2825,8 +2802,9 @@ private module Stage4 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2836,8 +2814,9 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2847,8 +2826,9 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2908,7 +2888,7 @@ private module Stage4 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2992,7 +2972,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

-  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }
+  int getParameterPos() { p.isParameterOf(_, result) }

  ParamNodeEx getParamNode() { result = p }

@@ -3639,40 +3619,39 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
 */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
-  AccessPathApprox apa, Configuration config
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
+  Configuration config
 ) {
-  exists(ArgNode arg, ArgumentPosition apos |
+  exists(ArgNode arg |
    arg = mid.getNodeEx().asNode() and
    cc = mid.getCallContext() and
-    arg.argumentOf(call, apos) and
+    arg.argumentOf(call, i) and
    ap = mid.getAp() and
    apa = ap.getApprox() and
-    config = mid.getConfiguration() and
-    parameterMatch(ppos, apos)
+    config = mid.getConfiguration()
  )
 }

 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
  exists(ParamNodeEx p |
    Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, pos)
+    p.isParameterOf(callable, i)
  )
 }

 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
-  DataFlowCall call, AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
+  AccessPath ap, Configuration config
 ) {
  exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
      pragma[only_bind_into](config)) and
    callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
      pragma[only_bind_into](config))
  )
 }
@@ -3687,9 +3666,9 @@ private predicate pathIntoCallable(
  PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
  DataFlowCall call, Configuration config
 ) {
-  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-    p.isParameterOf(callable, pos) and
+  exists(int i, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+    p.isParameterOf(callable, i) and
    (
      sc = TSummaryCtxSome(p, ap)
      or
@@ -3713,7 +3692,7 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
  Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
+  exists(PathNodeMid mid, RetNodeEx ret, int pos |
    mid.getNodeEx() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
@@ -4442,25 +4421,24 @@ private module FlowExploration {

  pragma[noinline]
  private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
-    PartialAccessPath ap, Configuration config
+    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
+    Configuration config
  ) {
-    exists(ArgNode arg, ArgumentPosition apos |
+    exists(ArgNode arg |
      arg = mid.getNodeEx().asNode() and
      cc = mid.getCallContext() and
-      arg.argumentOf(call, apos) and
+      arg.argumentOf(call, i) and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
    DataFlowCall call, PartialAccessPath ap, Configuration config
  ) {
-    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
+    partialPathIntoArg(mid, i, outercc, call, ap, config) and
    callable = resolveCall(call, outercc)
  }

@@ -4469,9 +4447,9 @@ private module FlowExploration {
    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
    Configuration config
  ) {
-    exists(ParameterPosition pos, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-      p.isParameterOf(callable, pos) and
+    exists(int i, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+      p.isParameterOf(callable, i) and
      sc1 = TSummaryCtx1Param(p) and
      sc2 = TSummaryCtx2Some(ap)
    |
@@ -4635,23 +4613,22 @@ private module FlowExploration {

  pragma[nomagic]
  private predicate revPartialPathFlowsThrough(
-    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
-    RevPartialAccessPath ap, Configuration config
+    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
+    Configuration config
  ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
+    exists(PartialPathNodeRev mid, ParamNodeEx p |
      mid.getNodeEx() = p and
-      p.getPosition() = ppos and
+      p.getPosition() = pos and
      sc1 = mid.getSummaryCtx1() and
      sc2 = mid.getSummaryCtx2() and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
    Configuration config
  ) {
    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4664,7 +4641,7 @@ private module FlowExploration {
  private predicate revPartialPathThroughCallable(
    PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
  ) {
-    exists(DataFlowCall call, ArgumentPosition pos |
+    exists(DataFlowCall call, int pos |
      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
      node.asNode().(ArgNode).argumentOf(call, pos)
    )
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
  ParamNodeEx() { this.asNode() instanceof ParamNode }

-  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
-    this.asNode().(ParamNode).isParameterOf(c, pos)
+  predicate isParameterOf(DataFlowCallable c, int i) {
+    this.asNode().(ParamNode).isParameterOf(c, i)
  }

-  ParameterPosition getPosition() { this.isParameterOf(_, result) }
+  int getPosition() { this.isParameterOf(_, result) }

  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -289,7 +289,6 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

-pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
    config.isBarrier(n)
@@ -308,23 +307,11 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 }

 pragma[nomagic]
-private predicate sourceNode(NodeEx node, Configuration config) {
-  config.isSource(node.asNode()) and
-  not fullBarrier(node, config)
-}
+private predicate sourceNode(NodeEx node, Configuration config) { config.isSource(node.asNode()) }

 pragma[nomagic]
 private predicate sinkNode(NodeEx node, Configuration config) { config.isSink(node.asNode()) }

-/** Provides the relevant barriers for a step from `node1` to `node2`. */
-pragma[inline]
-private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
-  not fullBarrier(node1, config) and
-  not fullBarrier(node2, config)
-}
-
 /**
 * Holds if data can flow in one local step from `node1` to `node2`.
 */
@@ -333,14 +320,16 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    simpleLocalFlowStepExt(n1, n2) and
-    stepFilter(node1, node2, config)
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.asNode() = n and
-    node2.isImplicitReadNode(n, false) and
-    not fullBarrier(node1, config)
+    node2.isImplicitReadNode(n, false)
  )
 }

@@ -353,14 +342,16 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
-    stepFilter(node1, node2, config)
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.isImplicitReadNode(n, true) and
-    node2.asNode() = n and
-    not fullBarrier(node2, config)
+    node2.asNode() = n
  )
 }

@@ -372,7 +363,10 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    jumpStepCached(n1, n2) and
-    stepFilter(node1, node2, config) and
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }
@@ -386,14 +380,16 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
-    stepFilter(node1, node2, config) and
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }

 private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  read(node1.asNode(), c, node2.asNode()) and
-  stepFilter(node1, node2, config)
+  read(node1.asNode(), c, node2.asNode())
  or
  exists(Node n |
    node2.isImplicitReadNode(n, true) and
@@ -406,8 +402,7 @@ private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
  store(node1.asNode(), tc, node2.asNode(), contentType) and
-  read(_, tc.getContent(), _, config) and
-  stepFilter(node1, node2, config)
+  read(_, tc.getContent(), _, config)
 }

 pragma[nomagic]
@@ -456,59 +451,63 @@ private module Stage1 {
   * argument in a call.
   */
  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
-    sourceNode(node, config) and
-    if hasSourceCallCtx(config) then cc = true else cc = false
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, cc, config) and
-      localFlowStep(mid, node, config)
-    )
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, cc, config) and
-      additionalLocalFlowStep(mid, node, config)
-    )
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, _, config) and
-      jumpStep(mid, node, config) and
-      cc = false
-    )
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, _, config) and
-      additionalJumpStep(mid, node, config) and
-      cc = false
-    )
-    or
-    // store
-    exists(NodeEx mid |
-      useFieldFlow(config) and
-      fwdFlow(mid, cc, config) and
-      store(mid, _, node, _, config)
-    )
-    or
-    // read
-    exists(Content c |
-      fwdFlowRead(c, node, cc, config) and
-      fwdFlowConsCand(c, config)
-    )
-    or
-    // flow into a callable
-    exists(NodeEx arg |
-      fwdFlow(arg, _, config) and
-      viableParamArgEx(_, node, arg) and
-      cc = true and
-      not fullBarrier(node, config)
-    )
-    or
-    // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, false, config) and
-      cc = false
+    not fullBarrier(node, config) and
+    (
+      sourceNode(node, config) and
+      if hasSourceCallCtx(config) then cc = true else cc = false
      or
-      fwdFlowOutFromArg(call, node, config) and
-      fwdFlowIsEntered(call, cc, config)
+      exists(NodeEx mid |
+        fwdFlow(mid, cc, config) and
+        localFlowStep(mid, node, config)
+      )
+      or
+      exists(NodeEx mid |
+        fwdFlow(mid, cc, config) and
+        additionalLocalFlowStep(mid, node, config)
+      )
+      or
+      exists(NodeEx mid |
+        fwdFlow(mid, _, config) and
+        jumpStep(mid, node, config) and
+        cc = false
+      )
+      or
+      exists(NodeEx mid |
+        fwdFlow(mid, _, config) and
+        additionalJumpStep(mid, node, config) and
+        cc = false
+      )
+      or
+      // store
+      exists(NodeEx mid |
+        useFieldFlow(config) and
+        fwdFlow(mid, cc, config) and
+        store(mid, _, node, _, config) and
+        not outBarrier(mid, config)
+      )
+      or
+      // read
+      exists(Content c |
+        fwdFlowRead(c, node, cc, config) and
+        fwdFlowConsCand(c, config) and
+        not inBarrier(node, config)
+      )
+      or
+      // flow into a callable
+      exists(NodeEx arg |
+        fwdFlow(arg, _, config) and
+        viableParamArgEx(_, node, arg) and
+        cc = true
+      )
+      or
+      // flow out of a callable
+      exists(DataFlowCall call |
+        fwdFlowOut(call, node, false, config) and
+        cc = false
+        or
+        fwdFlowOutFromArg(call, node, config) and
+        fwdFlowIsEntered(call, cc, config)
+      )
    )
  }

@@ -548,8 +547,7 @@ private module Stage1 {
  private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
    exists(ReturnPosition pos |
      fwdFlowReturnPosition(pos, cc, config) and
-      viableReturnPosOutEx(call, pos, out) and
-      not fullBarrier(out, config)
+      viableReturnPosOutEx(call, pos, out)
    )
  }

@@ -775,7 +773,6 @@ private module Stage1 {
   * Holds if flow may enter through `p` and reach a return node making `p` a
   * candidate for the origin of a summary.
   */
-  pragma[nomagic]
  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
    exists(ReturnKindExt kind |
      throughFlowNodeCand(p, config) and
@@ -1012,9 +1009,6 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

-  bindingset[node, ap]
-  private predicate filter(NodeEx node, Ap ap) { any() }
-
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1023,23 +1017,14 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

-  bindingset[result, apa]
-  private ApApprox unbindApa(ApApprox apa) {
-    exists(ApApprox apa0 |
-      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
-    )
-  }
-
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config)) and
-    ccc.matchesCall(call)
+      pragma[only_bind_into](config))
  }

  /**
@@ -1052,13 +1037,6 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
-    fwdFlow0(node, cc, argAp, ap, config) and
-    flowCand(node, unbindApa(getApprox(ap)), config) and
-    filter(node, ap)
-  }
-
-  pragma[nomagic]
-  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1129,7 +1107,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1164,8 +1142,9 @@ private module Stage2 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1180,8 +1159,9 @@ private module Stage2 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      ccOut = getCallContextReturn(inner, call, innercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1191,8 +1171,10 @@ private module Stage2 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1206,7 +1188,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
+      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
    )
  }

@@ -1248,11 +1230,6 @@ private module Stage2 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

-  pragma[nomagic]
-  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
-    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
-  }
-
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -1329,7 +1306,7 @@ private module Stage2 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if returnNodeMayFlowThrough(node, ap, config)
+    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -1364,8 +1341,9 @@ private module Stage2 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1375,8 +1353,9 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1386,8 +1365,9 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1447,7 +1427,7 @@ private module Stage2 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -1727,14 +1707,12 @@ private module Stage3 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config)) and
-    ccc.matchesCall(call)
+      pragma[only_bind_into](config))
  }

  /**
@@ -1859,8 +1837,9 @@ private module Stage3 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1875,8 +1854,9 @@ private module Stage3 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      ccOut = getCallContextReturn(inner, call, innercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1886,8 +1866,10 @@ private module Stage3 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1943,11 +1925,6 @@ private module Stage3 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

-  pragma[nomagic]
-  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
-    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
-  }
-
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2024,7 +2001,7 @@ private module Stage3 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if returnNodeMayFlowThrough(node, ap, config)
+    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2059,8 +2036,9 @@ private module Stage3 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2070,8 +2048,9 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2081,8 +2060,9 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2142,7 +2122,7 @@ private module Stage3 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2493,14 +2473,12 @@ private module Stage4 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config)) and
-    ccc.matchesCall(call)
+      pragma[only_bind_into](config))
  }

  /**
@@ -2625,8 +2603,9 @@ private module Stage4 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2641,8 +2620,9 @@ private module Stage4 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      ccOut = getCallContextReturn(inner, call, innercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2652,8 +2632,10 @@ private module Stage4 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2709,11 +2691,6 @@ private module Stage4 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

-  pragma[nomagic]
-  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
-    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
-  }
-
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2790,7 +2767,7 @@ private module Stage4 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if returnNodeMayFlowThrough(node, ap, config)
+    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2825,8 +2802,9 @@ private module Stage4 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2836,8 +2814,9 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2847,8 +2826,9 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2908,7 +2888,7 @@ private module Stage4 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2992,7 +2972,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

-  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }
+  int getParameterPos() { p.isParameterOf(_, result) }

  ParamNodeEx getParamNode() { result = p }

@@ -3639,40 +3619,39 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
 */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
-  AccessPathApprox apa, Configuration config
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
+  Configuration config
 ) {
-  exists(ArgNode arg, ArgumentPosition apos |
+  exists(ArgNode arg |
    arg = mid.getNodeEx().asNode() and
    cc = mid.getCallContext() and
-    arg.argumentOf(call, apos) and
+    arg.argumentOf(call, i) and
    ap = mid.getAp() and
    apa = ap.getApprox() and
-    config = mid.getConfiguration() and
-    parameterMatch(ppos, apos)
+    config = mid.getConfiguration()
  )
 }

 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
  exists(ParamNodeEx p |
    Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, pos)
+    p.isParameterOf(callable, i)
  )
 }

 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
-  DataFlowCall call, AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
+  AccessPath ap, Configuration config
 ) {
  exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
      pragma[only_bind_into](config)) and
    callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
      pragma[only_bind_into](config))
  )
 }
@@ -3687,9 +3666,9 @@ private predicate pathIntoCallable(
  PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
  DataFlowCall call, Configuration config
 ) {
-  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-    p.isParameterOf(callable, pos) and
+  exists(int i, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+    p.isParameterOf(callable, i) and
    (
      sc = TSummaryCtxSome(p, ap)
      or
@@ -3713,7 +3692,7 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
  Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
+  exists(PathNodeMid mid, RetNodeEx ret, int pos |
    mid.getNodeEx() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
@@ -4442,25 +4421,24 @@ private module FlowExploration {

  pragma[noinline]
  private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
-    PartialAccessPath ap, Configuration config
+    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
+    Configuration config
  ) {
-    exists(ArgNode arg, ArgumentPosition apos |
+    exists(ArgNode arg |
      arg = mid.getNodeEx().asNode() and
      cc = mid.getCallContext() and
-      arg.argumentOf(call, apos) and
+      arg.argumentOf(call, i) and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
    DataFlowCall call, PartialAccessPath ap, Configuration config
  ) {
-    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
+    partialPathIntoArg(mid, i, outercc, call, ap, config) and
    callable = resolveCall(call, outercc)
  }

@@ -4469,9 +4447,9 @@ private module FlowExploration {
    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
    Configuration config
  ) {
-    exists(ParameterPosition pos, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-      p.isParameterOf(callable, pos) and
+    exists(int i, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+      p.isParameterOf(callable, i) and
      sc1 = TSummaryCtx1Param(p) and
      sc2 = TSummaryCtx2Some(ap)
    |
@@ -4635,23 +4613,22 @@ private module FlowExploration {

  pragma[nomagic]
  private predicate revPartialPathFlowsThrough(
-    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
-    RevPartialAccessPath ap, Configuration config
+    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
+    Configuration config
  ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
+    exists(PartialPathNodeRev mid, ParamNodeEx p |
      mid.getNodeEx() = p and
-      p.getPosition() = ppos and
+      p.getPosition() = pos and
      sc1 = mid.getSummaryCtx1() and
      sc2 = mid.getSummaryCtx2() and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
    Configuration config
  ) {
    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4664,7 +4641,7 @@ private module FlowExploration {
  private predicate revPartialPathThroughCallable(
    PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
  ) {
-    exists(DataFlowCall call, ArgumentPosition pos |
+    exists(DataFlowCall call, int pos |
      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
      node.asNode().(ArgNode).argumentOf(call, pos)
    )
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
@@ -62,18 +62,6 @@ predicate accessPathCostLimits(int apLimit, int tupleLimit) {
  tupleLimit = 1000
 }

-/**
- * Holds if `arg` is an argument of `call` with an argument position that matches
- * parameter position `ppos`.
- */
-pragma[noinline]
-predicate argumentPositionMatch(DataFlowCall call, ArgNode arg, ParameterPosition ppos) {
-  exists(ArgumentPosition apos |
-    arg.argumentOf(call, apos) and
-    parameterMatch(ppos, apos)
-  )
-}
-
 /**
 * Provides a simple data-flow analysis for resolving lambda calls. The analysis
 * currently excludes read-steps, store-steps, and flow-through.
@@ -83,27 +71,25 @@ predicate argumentPositionMatch(DataFlowCall call, ArgNode arg, ParameterPositio
 * calls. For this reason, we cannot reuse the code from `DataFlowImpl.qll` directly.
 */
 private module LambdaFlow {
-  pragma[noinline]
-  private predicate viableParamNonLambda(DataFlowCall call, ParameterPosition ppos, ParamNode p) {
-    p.isParameterOf(viableCallable(call), ppos)
+  private predicate viableParamNonLambda(DataFlowCall call, int i, ParamNode p) {
+    p.isParameterOf(viableCallable(call), i)
  }

-  pragma[noinline]
-  private predicate viableParamLambda(DataFlowCall call, ParameterPosition ppos, ParamNode p) {
-    p.isParameterOf(viableCallableLambda(call, _), ppos)
+  private predicate viableParamLambda(DataFlowCall call, int i, ParamNode p) {
+    p.isParameterOf(viableCallableLambda(call, _), i)
  }

  private predicate viableParamArgNonLambda(DataFlowCall call, ParamNode p, ArgNode arg) {
-    exists(ParameterPosition ppos |
-      viableParamNonLambda(call, ppos, p) and
-      argumentPositionMatch(call, arg, ppos)
+    exists(int i |
+      viableParamNonLambda(call, i, p) and
+      arg.argumentOf(call, i)
    )
  }

  private predicate viableParamArgLambda(DataFlowCall call, ParamNode p, ArgNode arg) {
-    exists(ParameterPosition ppos |
-      viableParamLambda(call, ppos, p) and
-      argumentPositionMatch(call, arg, ppos)
+    exists(int i |
+      viableParamLambda(call, i, p) and
+      arg.argumentOf(call, i)
    )
  }

@@ -336,7 +322,7 @@ private module Cached {
    or
    exists(ArgNode arg |
      result.(PostUpdateNode).getPreUpdateNode() = arg and
-      arg.argumentOf(call, k.(ParamUpdateReturnKind).getAMatchingArgumentPosition())
+      arg.argumentOf(call, k.(ParamUpdateReturnKind).getPosition())
    )
  }

@@ -344,7 +330,7 @@ private module Cached {
  predicate returnNodeExt(Node n, ReturnKindExt k) {
    k = TValueReturn(n.(ReturnNode).getKind())
    or
-    exists(ParamNode p, ParameterPosition pos |
+    exists(ParamNode p, int pos |
      parameterValueFlowsToPreUpdate(p, n) and
      p.isParameterOf(_, pos) and
      k = TParamUpdate(pos)
@@ -366,13 +352,11 @@ private module Cached {
  }

  cached
-  predicate parameterNode(Node p, DataFlowCallable c, ParameterPosition pos) {
-    isParameterNode(p, c, pos)
-  }
+  predicate parameterNode(Node p, DataFlowCallable c, int pos) { isParameterNode(p, c, pos) }

  cached
-  predicate argumentNode(Node n, DataFlowCall call, ArgumentPosition pos) {
-    isArgumentNode(n, call, pos)
+  predicate argumentNode(Node n, DataFlowCall call, int pos) {
+    n.(ArgumentNode).argumentOf(call, pos)
  }

  /**
@@ -390,12 +374,12 @@ private module Cached {
  }

  /**
-   * Holds if `p` is the parameter of a viable dispatch target of `call`,
-   * and `p` has position `ppos`.
+   * Holds if `p` is the `i`th parameter of a viable dispatch target of `call`.
+   * The instance parameter is considered to have index `-1`.
   */
  pragma[nomagic]
-  private predicate viableParam(DataFlowCall call, ParameterPosition ppos, ParamNode p) {
-    p.isParameterOf(viableCallableExt(call), ppos)
+  private predicate viableParam(DataFlowCall call, int i, ParamNode p) {
+    p.isParameterOf(viableCallableExt(call), i)
  }

  /**
@@ -404,9 +388,9 @@ private module Cached {
   */
  cached
  predicate viableParamArg(DataFlowCall call, ParamNode p, ArgNode arg) {
-    exists(ParameterPosition ppos |
-      viableParam(call, ppos, p) and
-      argumentPositionMatch(call, arg, ppos) and
+    exists(int i |
+      viableParam(call, i, p) and
+      arg.argumentOf(call, i) and
      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p))
    )
  }
@@ -878,7 +862,7 @@ private module Cached {
  cached
  newtype TReturnKindExt =
    TValueReturn(ReturnKind kind) or
-    TParamUpdate(ParameterPosition pos) { exists(ParamNode p | p.isParameterOf(_, pos)) }
+    TParamUpdate(int pos) { exists(ParamNode p | p.isParameterOf(_, pos)) }

  cached
  newtype TBooleanOption =
@@ -1070,9 +1054,9 @@ class ParamNode extends Node {

  /**
   * Holds if this node is the parameter of callable `c` at the specified
-   * position.
+   * (zero-based) position.
   */
-  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { parameterNode(this, c, pos) }
+  predicate isParameterOf(DataFlowCallable c, int i) { parameterNode(this, c, i) }
 }

 /** A data-flow node that represents a call argument. */
@@ -1080,9 +1064,7 @@ class ArgNode extends Node {
  ArgNode() { argumentNode(this, _, _) }

  /** Holds if this argument occurs at the given position in the given call. */
-  final predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
-    argumentNode(this, call, pos)
-  }
+  final predicate argumentOf(DataFlowCall call, int pos) { argumentNode(this, call, pos) }
 }

 /**
@@ -1128,14 +1110,11 @@ class ValueReturnKind extends ReturnKindExt, TValueReturn {
 }

 class ParamUpdateReturnKind extends ReturnKindExt, TParamUpdate {
-  private ParameterPosition pos;
+  private int pos;

  ParamUpdateReturnKind() { this = TParamUpdate(pos) }

-  ParameterPosition getPosition() { result = pos }
-
-  pragma[nomagic]
-  ArgumentPosition getAMatchingArgumentPosition() { parameterMatch(pos, result) }
+  int getPosition() { result = pos }

  override string toString() { result = "param update " + pos }
 }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll
@@ -9,19 +9,6 @@ private import tainttracking1.TaintTrackingParameter::Private
 private import tainttracking1.TaintTrackingParameter::Public

 module Consistency {
-  private newtype TConsistencyConfiguration = MkConsistencyConfiguration()
-
-  /** A class for configuring the consistency queries. */
-  class ConsistencyConfiguration extends TConsistencyConfiguration {
-    string toString() { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `postWithInFlow`. */
-    predicate postWithInFlowExclude(Node n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `argHasPostUpdate`. */
-    predicate argHasPostUpdateExclude(ArgumentNode n) { none() }
-  }
-
  private class RelevantNode extends Node {
    RelevantNode() {
      this instanceof ArgumentNode or
@@ -177,7 +164,7 @@ module Consistency {

  query predicate argHasPostUpdate(ArgumentNode n, string msg) {
    not hasPost(n) and
-    not any(ConsistencyConfiguration c).argHasPostUpdateExclude(n) and
+    not isImmutableOrUnobservable(n) and
    msg = "ArgumentNode is missing PostUpdateNode."
  }

@@ -190,7 +177,6 @@ module Consistency {
    isPostUpdateNode(n) and
    not clearsContent(n, _) and
    simpleLocalFlowStep(_, n) and
-    not any(ConsistencyConfiguration c).postWithInFlowExclude(n) and
    msg = "PostUpdateNode should not be the target of local flow."
  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
  ParamNodeEx() { this.asNode() instanceof ParamNode }

-  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
-    this.asNode().(ParamNode).isParameterOf(c, pos)
+  predicate isParameterOf(DataFlowCallable c, int i) {
+    this.asNode().(ParamNode).isParameterOf(c, i)
  }

-  ParameterPosition getPosition() { this.isParameterOf(_, result) }
+  int getPosition() { this.isParameterOf(_, result) }

  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -289,7 +289,6 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

-pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
    config.isBarrier(n)
@@ -308,23 +307,11 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 }

 pragma[nomagic]
-private predicate sourceNode(NodeEx node, Configuration config) {
-  config.isSource(node.asNode()) and
-  not fullBarrier(node, config)
-}
+private predicate sourceNode(NodeEx node, Configuration config) { config.isSource(node.asNode()) }

 pragma[nomagic]
 private predicate sinkNode(NodeEx node, Configuration config) { config.isSink(node.asNode()) }

-/** Provides the relevant barriers for a step from `node1` to `node2`. */
-pragma[inline]
-private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
-  not fullBarrier(node1, config) and
-  not fullBarrier(node2, config)
-}
-
 /**
 * Holds if data can flow in one local step from `node1` to `node2`.
 */
@@ -333,14 +320,16 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    simpleLocalFlowStepExt(n1, n2) and
-    stepFilter(node1, node2, config)
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.asNode() = n and
-    node2.isImplicitReadNode(n, false) and
-    not fullBarrier(node1, config)
+    node2.isImplicitReadNode(n, false)
  )
 }

@@ -353,14 +342,16 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
-    stepFilter(node1, node2, config)
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.isImplicitReadNode(n, true) and
-    node2.asNode() = n and
-    not fullBarrier(node2, config)
+    node2.asNode() = n
  )
 }

@@ -372,7 +363,10 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    jumpStepCached(n1, n2) and
-    stepFilter(node1, node2, config) and
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }
@@ -386,14 +380,16 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
-    stepFilter(node1, node2, config) and
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }

 private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  read(node1.asNode(), c, node2.asNode()) and
-  stepFilter(node1, node2, config)
+  read(node1.asNode(), c, node2.asNode())
  or
  exists(Node n |
    node2.isImplicitReadNode(n, true) and
@@ -406,8 +402,7 @@ private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
  store(node1.asNode(), tc, node2.asNode(), contentType) and
-  read(_, tc.getContent(), _, config) and
-  stepFilter(node1, node2, config)
+  read(_, tc.getContent(), _, config)
 }

 pragma[nomagic]
@@ -456,59 +451,63 @@ private module Stage1 {
   * argument in a call.
   */
  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
-    sourceNode(node, config) and
-    if hasSourceCallCtx(config) then cc = true else cc = false
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, cc, config) and
-      localFlowStep(mid, node, config)
-    )
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, cc, config) and
-      additionalLocalFlowStep(mid, node, config)
-    )
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, _, config) and
-      jumpStep(mid, node, config) and
-      cc = false
-    )
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, _, config) and
-      additionalJumpStep(mid, node, config) and
-      cc = false
-    )
-    or
-    // store
-    exists(NodeEx mid |
-      useFieldFlow(config) and
-      fwdFlow(mid, cc, config) and
-      store(mid, _, node, _, config)
-    )
-    or
-    // read
-    exists(Content c |
-      fwdFlowRead(c, node, cc, config) and
-      fwdFlowConsCand(c, config)
-    )
-    or
-    // flow into a callable
-    exists(NodeEx arg |
-      fwdFlow(arg, _, config) and
-      viableParamArgEx(_, node, arg) and
-      cc = true and
-      not fullBarrier(node, config)
-    )
-    or
-    // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, false, config) and
-      cc = false
+    not fullBarrier(node, config) and
+    (
+      sourceNode(node, config) and
+      if hasSourceCallCtx(config) then cc = true else cc = false
      or
-      fwdFlowOutFromArg(call, node, config) and
-      fwdFlowIsEntered(call, cc, config)
+      exists(NodeEx mid |
+        fwdFlow(mid, cc, config) and
+        localFlowStep(mid, node, config)
+      )
+      or
+      exists(NodeEx mid |
+        fwdFlow(mid, cc, config) and
+        additionalLocalFlowStep(mid, node, config)
+      )
+      or
+      exists(NodeEx mid |
+        fwdFlow(mid, _, config) and
+        jumpStep(mid, node, config) and
+        cc = false
+      )
+      or
+      exists(NodeEx mid |
+        fwdFlow(mid, _, config) and
+        additionalJumpStep(mid, node, config) and
+        cc = false
+      )
+      or
+      // store
+      exists(NodeEx mid |
+        useFieldFlow(config) and
+        fwdFlow(mid, cc, config) and
+        store(mid, _, node, _, config) and
+        not outBarrier(mid, config)
+      )
+      or
+      // read
+      exists(Content c |
+        fwdFlowRead(c, node, cc, config) and
+        fwdFlowConsCand(c, config) and
+        not inBarrier(node, config)
+      )
+      or
+      // flow into a callable
+      exists(NodeEx arg |
+        fwdFlow(arg, _, config) and
+        viableParamArgEx(_, node, arg) and
+        cc = true
+      )
+      or
+      // flow out of a callable
+      exists(DataFlowCall call |
+        fwdFlowOut(call, node, false, config) and
+        cc = false
+        or
+        fwdFlowOutFromArg(call, node, config) and
+        fwdFlowIsEntered(call, cc, config)
+      )
    )
  }

@@ -548,8 +547,7 @@ private module Stage1 {
  private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
    exists(ReturnPosition pos |
      fwdFlowReturnPosition(pos, cc, config) and
-      viableReturnPosOutEx(call, pos, out) and
-      not fullBarrier(out, config)
+      viableReturnPosOutEx(call, pos, out)
    )
  }

@@ -775,7 +773,6 @@ private module Stage1 {
   * Holds if flow may enter through `p` and reach a return node making `p` a
   * candidate for the origin of a summary.
   */
-  pragma[nomagic]
  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
    exists(ReturnKindExt kind |
      throughFlowNodeCand(p, config) and
@@ -1012,9 +1009,6 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

-  bindingset[node, ap]
-  private predicate filter(NodeEx node, Ap ap) { any() }
-
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1023,23 +1017,14 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

-  bindingset[result, apa]
-  private ApApprox unbindApa(ApApprox apa) {
-    exists(ApApprox apa0 |
-      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
-    )
-  }
-
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config)) and
-    ccc.matchesCall(call)
+      pragma[only_bind_into](config))
  }

  /**
@@ -1052,13 +1037,6 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
-    fwdFlow0(node, cc, argAp, ap, config) and
-    flowCand(node, unbindApa(getApprox(ap)), config) and
-    filter(node, ap)
-  }
-
-  pragma[nomagic]
-  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1129,7 +1107,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1164,8 +1142,9 @@ private module Stage2 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1180,8 +1159,9 @@ private module Stage2 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      ccOut = getCallContextReturn(inner, call, innercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1191,8 +1171,10 @@ private module Stage2 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1206,7 +1188,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
+      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
    )
  }

@@ -1248,11 +1230,6 @@ private module Stage2 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

-  pragma[nomagic]
-  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
-    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
-  }
-
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -1329,7 +1306,7 @@ private module Stage2 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if returnNodeMayFlowThrough(node, ap, config)
+    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -1364,8 +1341,9 @@ private module Stage2 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1375,8 +1353,9 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1386,8 +1365,9 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1447,7 +1427,7 @@ private module Stage2 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -1727,14 +1707,12 @@ private module Stage3 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config)) and
-    ccc.matchesCall(call)
+      pragma[only_bind_into](config))
  }

  /**
@@ -1859,8 +1837,9 @@ private module Stage3 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1875,8 +1854,9 @@ private module Stage3 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      ccOut = getCallContextReturn(inner, call, innercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1886,8 +1866,10 @@ private module Stage3 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1943,11 +1925,6 @@ private module Stage3 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

-  pragma[nomagic]
-  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
-    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
-  }
-
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2024,7 +2001,7 @@ private module Stage3 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if returnNodeMayFlowThrough(node, ap, config)
+    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2059,8 +2036,9 @@ private module Stage3 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2070,8 +2048,9 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2081,8 +2060,9 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2142,7 +2122,7 @@ private module Stage3 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2493,14 +2473,12 @@ private module Stage4 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config)) and
-    ccc.matchesCall(call)
+      pragma[only_bind_into](config))
  }

  /**
@@ -2625,8 +2603,9 @@ private module Stage4 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2641,8 +2620,9 @@ private module Stage4 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      ccOut = getCallContextReturn(inner, call, innercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2652,8 +2632,10 @@ private module Stage4 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2709,11 +2691,6 @@ private module Stage4 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

-  pragma[nomagic]
-  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
-    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
-  }
-
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2790,7 +2767,7 @@ private module Stage4 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if returnNodeMayFlowThrough(node, ap, config)
+    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2825,8 +2802,9 @@ private module Stage4 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2836,8 +2814,9 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2847,8 +2826,9 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2908,7 +2888,7 @@ private module Stage4 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2992,7 +2972,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

-  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }
+  int getParameterPos() { p.isParameterOf(_, result) }

  ParamNodeEx getParamNode() { result = p }

@@ -3639,40 +3619,39 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
 */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
-  AccessPathApprox apa, Configuration config
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
+  Configuration config
 ) {
-  exists(ArgNode arg, ArgumentPosition apos |
+  exists(ArgNode arg |
    arg = mid.getNodeEx().asNode() and
    cc = mid.getCallContext() and
-    arg.argumentOf(call, apos) and
+    arg.argumentOf(call, i) and
    ap = mid.getAp() and
    apa = ap.getApprox() and
-    config = mid.getConfiguration() and
-    parameterMatch(ppos, apos)
+    config = mid.getConfiguration()
  )
 }

 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
  exists(ParamNodeEx p |
    Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, pos)
+    p.isParameterOf(callable, i)
  )
 }

 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
-  DataFlowCall call, AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
+  AccessPath ap, Configuration config
 ) {
  exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
      pragma[only_bind_into](config)) and
    callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
      pragma[only_bind_into](config))
  )
 }
@@ -3687,9 +3666,9 @@ private predicate pathIntoCallable(
  PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
  DataFlowCall call, Configuration config
 ) {
-  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-    p.isParameterOf(callable, pos) and
+  exists(int i, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+    p.isParameterOf(callable, i) and
    (
      sc = TSummaryCtxSome(p, ap)
      or
@@ -3713,7 +3692,7 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
  Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
+  exists(PathNodeMid mid, RetNodeEx ret, int pos |
    mid.getNodeEx() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
@@ -4442,25 +4421,24 @@ private module FlowExploration {

  pragma[noinline]
  private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
-    PartialAccessPath ap, Configuration config
+    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
+    Configuration config
  ) {
-    exists(ArgNode arg, ArgumentPosition apos |
+    exists(ArgNode arg |
      arg = mid.getNodeEx().asNode() and
      cc = mid.getCallContext() and
-      arg.argumentOf(call, apos) and
+      arg.argumentOf(call, i) and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
    DataFlowCall call, PartialAccessPath ap, Configuration config
  ) {
-    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
+    partialPathIntoArg(mid, i, outercc, call, ap, config) and
    callable = resolveCall(call, outercc)
  }

@@ -4469,9 +4447,9 @@ private module FlowExploration {
    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
    Configuration config
  ) {
-    exists(ParameterPosition pos, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-      p.isParameterOf(callable, pos) and
+    exists(int i, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+      p.isParameterOf(callable, i) and
      sc1 = TSummaryCtx1Param(p) and
      sc2 = TSummaryCtx2Some(ap)
    |
@@ -4635,23 +4613,22 @@ private module FlowExploration {

  pragma[nomagic]
  private predicate revPartialPathFlowsThrough(
-    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
-    RevPartialAccessPath ap, Configuration config
+    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
+    Configuration config
  ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
+    exists(PartialPathNodeRev mid, ParamNodeEx p |
      mid.getNodeEx() = p and
-      p.getPosition() = ppos and
+      p.getPosition() = pos and
      sc1 = mid.getSummaryCtx1() and
      sc2 = mid.getSummaryCtx2() and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
    Configuration config
  ) {
    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4664,7 +4641,7 @@ private module FlowExploration {
  private predicate revPartialPathThroughCallable(
    PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
  ) {
-    exists(DataFlowCall call, ArgumentPosition pos |
+    exists(DataFlowCall call, int pos |
      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
      node.asNode().(ArgNode).argumentOf(call, pos)
    )
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll
@@ -2,20 +2,12 @@ private import cpp
 private import DataFlowUtil
 private import DataFlowDispatch
 private import FlowVar
-private import DataFlowImplConsistency

 /** Gets the callable in which this node occurs. */
 DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.getEnclosingCallable() }

 /** Holds if `p` is a `ParameterNode` of `c` with position `pos`. */
-predicate isParameterNode(ParameterNode p, DataFlowCallable c, ParameterPosition pos) {
-  p.isParameterOf(c, pos)
-}
-
-/** Holds if `arg` is an `ArgumentNode` of `c` with position `pos`. */
-predicate isArgumentNode(ArgumentNode arg, DataFlowCall c, ArgumentPosition pos) {
-  arg.argumentOf(c, pos)
-}
+predicate isParameterNode(ParameterNode p, DataFlowCallable c, int pos) { p.isParameterOf(c, pos) }

 /** Gets the instance argument of a non-static call. */
 private Node getInstanceArgument(Call call) {
@@ -267,6 +259,27 @@ class Unit extends TUnit {
  string toString() { result = "unit" }
 }

+/**
+ * Holds if `n` does not require a `PostUpdateNode` as it either cannot be
+ * modified or its modification cannot be observed, for example if it is a
+ * freshly created object that is not saved in a variable.
+ *
+ * This predicate is only used for consistency checks.
+ */
+predicate isImmutableOrUnobservable(Node n) {
+  // Is the null pointer (or something that's not really a pointer)
+  exists(n.asExpr().getValue())
+  or
+  // Isn't a pointer or is a pointer to const
+  forall(DerivedType dt | dt = n.asExpr().getActualType() |
+    dt.getBaseType().isConst()
+    or
+    dt.getBaseType() instanceof RoutineType
+  )
+  // The above list of cases isn't exhaustive, but it narrows down the
+  // consistency alerts enough that most of them are interesting.
+}
+
 /** Holds if `n` should be hidden from path explanations. */
 predicate nodeIsHidden(Node n) { none() }

@@ -289,19 +302,3 @@ predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preserves
 * by default as a heuristic.
 */
 predicate allowParameterReturnInSelf(ParameterNode p) { none() }
-
-private class MyConsistencyConfiguration extends Consistency::ConsistencyConfiguration {
-  override predicate argHasPostUpdateExclude(ArgumentNode n) {
-    // Is the null pointer (or something that's not really a pointer)
-    exists(n.asExpr().getValue())
-    or
-    // Isn't a pointer or is a pointer to const
-    forall(DerivedType dt | dt = n.asExpr().getActualType() |
-      dt.getBaseType().isConst()
-      or
-      dt.getBaseType() instanceof RoutineType
-    )
-    // The above list of cases isn't exhaustive, but it narrows down the
-    // consistency alerts enough that most of them are interesting.
-  }
-}
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
@@ -2,7 +2,6 @@ private import cpp
 private import semmle.code.cpp.ir.IR
 private import semmle.code.cpp.ir.dataflow.DataFlow
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
 private import DataFlowImplCommon as DataFlowImplCommon

 /**
@@ -267,17 +266,3 @@ Function viableImplInCallContext(CallInstruction call, CallInstruction ctx) {
    result = ctx.getArgument(i).getUnconvertedResultExpression().(FunctionAccess).getTarget()
  )
 }
-
-/** A parameter position represented by an integer. */
-class ParameterPosition extends int {
-  ParameterPosition() { any(ParameterNode p).isParameterOf(_, this) }
-}
-
-/** An argument position represented by an integer. */
-class ArgumentPosition extends int {
-  ArgumentPosition() { any(ArgumentNode a).argumentOf(_, this) }
-}
-
-/** Holds if arguments at position `apos` match parameters at position `ppos`. */
-pragma[inline]
-predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
  ParamNodeEx() { this.asNode() instanceof ParamNode }

-  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
-    this.asNode().(ParamNode).isParameterOf(c, pos)
+  predicate isParameterOf(DataFlowCallable c, int i) {
+    this.asNode().(ParamNode).isParameterOf(c, i)
  }

-  ParameterPosition getPosition() { this.isParameterOf(_, result) }
+  int getPosition() { this.isParameterOf(_, result) }

  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -289,7 +289,6 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

-pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
    config.isBarrier(n)
@@ -308,23 +307,11 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 }

 pragma[nomagic]
-private predicate sourceNode(NodeEx node, Configuration config) {
-  config.isSource(node.asNode()) and
-  not fullBarrier(node, config)
-}
+private predicate sourceNode(NodeEx node, Configuration config) { config.isSource(node.asNode()) }

 pragma[nomagic]
 private predicate sinkNode(NodeEx node, Configuration config) { config.isSink(node.asNode()) }

-/** Provides the relevant barriers for a step from `node1` to `node2`. */
-pragma[inline]
-private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
-  not fullBarrier(node1, config) and
-  not fullBarrier(node2, config)
-}
-
 /**
 * Holds if data can flow in one local step from `node1` to `node2`.
 */
@@ -333,14 +320,16 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    simpleLocalFlowStepExt(n1, n2) and
-    stepFilter(node1, node2, config)
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.asNode() = n and
-    node2.isImplicitReadNode(n, false) and
-    not fullBarrier(node1, config)
+    node2.isImplicitReadNode(n, false)
  )
 }

@@ -353,14 +342,16 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
-    stepFilter(node1, node2, config)
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.isImplicitReadNode(n, true) and
-    node2.asNode() = n and
-    not fullBarrier(node2, config)
+    node2.asNode() = n
  )
 }

@@ -372,7 +363,10 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    jumpStepCached(n1, n2) and
-    stepFilter(node1, node2, config) and
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }
@@ -386,14 +380,16 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
-    stepFilter(node1, node2, config) and
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }

 private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  read(node1.asNode(), c, node2.asNode()) and
-  stepFilter(node1, node2, config)
+  read(node1.asNode(), c, node2.asNode())
  or
  exists(Node n |
    node2.isImplicitReadNode(n, true) and
@@ -406,8 +402,7 @@ private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
  store(node1.asNode(), tc, node2.asNode(), contentType) and
-  read(_, tc.getContent(), _, config) and
-  stepFilter(node1, node2, config)
+  read(_, tc.getContent(), _, config)
 }

 pragma[nomagic]
@@ -456,59 +451,63 @@ private module Stage1 {
   * argument in a call.
   */
  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
-    sourceNode(node, config) and
-    if hasSourceCallCtx(config) then cc = true else cc = false
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, cc, config) and
-      localFlowStep(mid, node, config)
-    )
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, cc, config) and
-      additionalLocalFlowStep(mid, node, config)
-    )
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, _, config) and
-      jumpStep(mid, node, config) and
-      cc = false
-    )
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, _, config) and
-      additionalJumpStep(mid, node, config) and
-      cc = false
-    )
-    or
-    // store
-    exists(NodeEx mid |
-      useFieldFlow(config) and
-      fwdFlow(mid, cc, config) and
-      store(mid, _, node, _, config)
-    )
-    or
-    // read
-    exists(Content c |
-      fwdFlowRead(c, node, cc, config) and
-      fwdFlowConsCand(c, config)
-    )
-    or
-    // flow into a callable
-    exists(NodeEx arg |
-      fwdFlow(arg, _, config) and
-      viableParamArgEx(_, node, arg) and
-      cc = true and
-      not fullBarrier(node, config)
-    )
-    or
-    // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, false, config) and
-      cc = false
+    not fullBarrier(node, config) and
+    (
+      sourceNode(node, config) and
+      if hasSourceCallCtx(config) then cc = true else cc = false
      or
-      fwdFlowOutFromArg(call, node, config) and
-      fwdFlowIsEntered(call, cc, config)
+      exists(NodeEx mid |
+        fwdFlow(mid, cc, config) and
+        localFlowStep(mid, node, config)
+      )
+      or
+      exists(NodeEx mid |
+        fwdFlow(mid, cc, config) and
+        additionalLocalFlowStep(mid, node, config)
+      )
+      or
+      exists(NodeEx mid |
+        fwdFlow(mid, _, config) and
+        jumpStep(mid, node, config) and
+        cc = false
+      )
+      or
+      exists(NodeEx mid |
+        fwdFlow(mid, _, config) and
+        additionalJumpStep(mid, node, config) and
+        cc = false
+      )
+      or
+      // store
+      exists(NodeEx mid |
+        useFieldFlow(config) and
+        fwdFlow(mid, cc, config) and
+        store(mid, _, node, _, config) and
+        not outBarrier(mid, config)
+      )
+      or
+      // read
+      exists(Content c |
+        fwdFlowRead(c, node, cc, config) and
+        fwdFlowConsCand(c, config) and
+        not inBarrier(node, config)
+      )
+      or
+      // flow into a callable
+      exists(NodeEx arg |
+        fwdFlow(arg, _, config) and
+        viableParamArgEx(_, node, arg) and
+        cc = true
+      )
+      or
+      // flow out of a callable
+      exists(DataFlowCall call |
+        fwdFlowOut(call, node, false, config) and
+        cc = false
+        or
+        fwdFlowOutFromArg(call, node, config) and
+        fwdFlowIsEntered(call, cc, config)
+      )
    )
  }

@@ -548,8 +547,7 @@ private module Stage1 {
  private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
    exists(ReturnPosition pos |
      fwdFlowReturnPosition(pos, cc, config) and
-      viableReturnPosOutEx(call, pos, out) and
-      not fullBarrier(out, config)
+      viableReturnPosOutEx(call, pos, out)
    )
  }

@@ -775,7 +773,6 @@ private module Stage1 {
   * Holds if flow may enter through `p` and reach a return node making `p` a
   * candidate for the origin of a summary.
   */
-  pragma[nomagic]
  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
    exists(ReturnKindExt kind |
      throughFlowNodeCand(p, config) and
@@ -1012,9 +1009,6 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

-  bindingset[node, ap]
-  private predicate filter(NodeEx node, Ap ap) { any() }
-
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1023,23 +1017,14 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

-  bindingset[result, apa]
-  private ApApprox unbindApa(ApApprox apa) {
-    exists(ApApprox apa0 |
-      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
-    )
-  }
-
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config)) and
-    ccc.matchesCall(call)
+      pragma[only_bind_into](config))
  }

  /**
@@ -1052,13 +1037,6 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
-    fwdFlow0(node, cc, argAp, ap, config) and
-    flowCand(node, unbindApa(getApprox(ap)), config) and
-    filter(node, ap)
-  }
-
-  pragma[nomagic]
-  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1129,7 +1107,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1164,8 +1142,9 @@ private module Stage2 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1180,8 +1159,9 @@ private module Stage2 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      ccOut = getCallContextReturn(inner, call, innercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1191,8 +1171,10 @@ private module Stage2 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1206,7 +1188,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
+      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
    )
  }

@@ -1248,11 +1230,6 @@ private module Stage2 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

-  pragma[nomagic]
-  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
-    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
-  }
-
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -1329,7 +1306,7 @@ private module Stage2 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if returnNodeMayFlowThrough(node, ap, config)
+    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -1364,8 +1341,9 @@ private module Stage2 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1375,8 +1353,9 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1386,8 +1365,9 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1447,7 +1427,7 @@ private module Stage2 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -1727,14 +1707,12 @@ private module Stage3 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config)) and
-    ccc.matchesCall(call)
+      pragma[only_bind_into](config))
  }

  /**
@@ -1859,8 +1837,9 @@ private module Stage3 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1875,8 +1854,9 @@ private module Stage3 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      ccOut = getCallContextReturn(inner, call, innercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1886,8 +1866,10 @@ private module Stage3 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1943,11 +1925,6 @@ private module Stage3 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

-  pragma[nomagic]
-  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
-    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
-  }
-
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2024,7 +2001,7 @@ private module Stage3 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if returnNodeMayFlowThrough(node, ap, config)
+    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2059,8 +2036,9 @@ private module Stage3 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2070,8 +2048,9 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2081,8 +2060,9 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2142,7 +2122,7 @@ private module Stage3 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2493,14 +2473,12 @@ private module Stage4 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config)) and
-    ccc.matchesCall(call)
+      pragma[only_bind_into](config))
  }

  /**
@@ -2625,8 +2603,9 @@ private module Stage4 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2641,8 +2620,9 @@ private module Stage4 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      ccOut = getCallContextReturn(inner, call, innercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2652,8 +2632,10 @@ private module Stage4 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2709,11 +2691,6 @@ private module Stage4 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

-  pragma[nomagic]
-  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
-    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
-  }
-
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2790,7 +2767,7 @@ private module Stage4 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if returnNodeMayFlowThrough(node, ap, config)
+    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2825,8 +2802,9 @@ private module Stage4 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2836,8 +2814,9 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2847,8 +2826,9 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2908,7 +2888,7 @@ private module Stage4 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2992,7 +2972,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

-  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }
+  int getParameterPos() { p.isParameterOf(_, result) }

  ParamNodeEx getParamNode() { result = p }

@@ -3639,40 +3619,39 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
 */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
-  AccessPathApprox apa, Configuration config
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
+  Configuration config
 ) {
-  exists(ArgNode arg, ArgumentPosition apos |
+  exists(ArgNode arg |
    arg = mid.getNodeEx().asNode() and
    cc = mid.getCallContext() and
-    arg.argumentOf(call, apos) and
+    arg.argumentOf(call, i) and
    ap = mid.getAp() and
    apa = ap.getApprox() and
-    config = mid.getConfiguration() and
-    parameterMatch(ppos, apos)
+    config = mid.getConfiguration()
  )
 }

 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
  exists(ParamNodeEx p |
    Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, pos)
+    p.isParameterOf(callable, i)
  )
 }

 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
-  DataFlowCall call, AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
+  AccessPath ap, Configuration config
 ) {
  exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
      pragma[only_bind_into](config)) and
    callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
      pragma[only_bind_into](config))
  )
 }
@@ -3687,9 +3666,9 @@ private predicate pathIntoCallable(
  PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
  DataFlowCall call, Configuration config
 ) {
-  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-    p.isParameterOf(callable, pos) and
+  exists(int i, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+    p.isParameterOf(callable, i) and
    (
      sc = TSummaryCtxSome(p, ap)
      or
@@ -3713,7 +3692,7 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
  Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
+  exists(PathNodeMid mid, RetNodeEx ret, int pos |
    mid.getNodeEx() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
@@ -4442,25 +4421,24 @@ private module FlowExploration {

  pragma[noinline]
  private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
-    PartialAccessPath ap, Configuration config
+    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
+    Configuration config
  ) {
-    exists(ArgNode arg, ArgumentPosition apos |
+    exists(ArgNode arg |
      arg = mid.getNodeEx().asNode() and
      cc = mid.getCallContext() and
-      arg.argumentOf(call, apos) and
+      arg.argumentOf(call, i) and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
    DataFlowCall call, PartialAccessPath ap, Configuration config
  ) {
-    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
+    partialPathIntoArg(mid, i, outercc, call, ap, config) and
    callable = resolveCall(call, outercc)
  }

@@ -4469,9 +4447,9 @@ private module FlowExploration {
    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
    Configuration config
  ) {
-    exists(ParameterPosition pos, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-      p.isParameterOf(callable, pos) and
+    exists(int i, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+      p.isParameterOf(callable, i) and
      sc1 = TSummaryCtx1Param(p) and
      sc2 = TSummaryCtx2Some(ap)
    |
@@ -4635,23 +4613,22 @@ private module FlowExploration {

  pragma[nomagic]
  private predicate revPartialPathFlowsThrough(
-    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
-    RevPartialAccessPath ap, Configuration config
+    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
+    Configuration config
  ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
+    exists(PartialPathNodeRev mid, ParamNodeEx p |
      mid.getNodeEx() = p and
-      p.getPosition() = ppos and
+      p.getPosition() = pos and
      sc1 = mid.getSummaryCtx1() and
      sc2 = mid.getSummaryCtx2() and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
    Configuration config
  ) {
    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4664,7 +4641,7 @@ private module FlowExploration {
  private predicate revPartialPathThroughCallable(
    PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
  ) {
-    exists(DataFlowCall call, ArgumentPosition pos |
+    exists(DataFlowCall call, int pos |
      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
      node.asNode().(ArgNode).argumentOf(call, pos)
    )
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
  ParamNodeEx() { this.asNode() instanceof ParamNode }

-  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
-    this.asNode().(ParamNode).isParameterOf(c, pos)
+  predicate isParameterOf(DataFlowCallable c, int i) {
+    this.asNode().(ParamNode).isParameterOf(c, i)
  }

-  ParameterPosition getPosition() { this.isParameterOf(_, result) }
+  int getPosition() { this.isParameterOf(_, result) }

  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -289,7 +289,6 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

-pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
    config.isBarrier(n)
@@ -308,23 +307,11 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 }

 pragma[nomagic]
-private predicate sourceNode(NodeEx node, Configuration config) {
-  config.isSource(node.asNode()) and
-  not fullBarrier(node, config)
-}
+private predicate sourceNode(NodeEx node, Configuration config) { config.isSource(node.asNode()) }

 pragma[nomagic]
 private predicate sinkNode(NodeEx node, Configuration config) { config.isSink(node.asNode()) }

-/** Provides the relevant barriers for a step from `node1` to `node2`. */
-pragma[inline]
-private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
-  not fullBarrier(node1, config) and
-  not fullBarrier(node2, config)
-}
-
 /**
 * Holds if data can flow in one local step from `node1` to `node2`.
 */
@@ -333,14 +320,16 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    simpleLocalFlowStepExt(n1, n2) and
-    stepFilter(node1, node2, config)
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.asNode() = n and
-    node2.isImplicitReadNode(n, false) and
-    not fullBarrier(node1, config)
+    node2.isImplicitReadNode(n, false)
  )
 }

@@ -353,14 +342,16 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
-    stepFilter(node1, node2, config)
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.isImplicitReadNode(n, true) and
-    node2.asNode() = n and
-    not fullBarrier(node2, config)
+    node2.asNode() = n
  )
 }

@@ -372,7 +363,10 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    jumpStepCached(n1, n2) and
-    stepFilter(node1, node2, config) and
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }
@@ -386,14 +380,16 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
-    stepFilter(node1, node2, config) and
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }

 private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  read(node1.asNode(), c, node2.asNode()) and
-  stepFilter(node1, node2, config)
+  read(node1.asNode(), c, node2.asNode())
  or
  exists(Node n |
    node2.isImplicitReadNode(n, true) and
@@ -406,8 +402,7 @@ private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
  store(node1.asNode(), tc, node2.asNode(), contentType) and
-  read(_, tc.getContent(), _, config) and
-  stepFilter(node1, node2, config)
+  read(_, tc.getContent(), _, config)
 }

 pragma[nomagic]
@@ -456,59 +451,63 @@ private module Stage1 {
   * argument in a call.
   */
  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
-    sourceNode(node, config) and
-    if hasSourceCallCtx(config) then cc = true else cc = false
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, cc, config) and
-      localFlowStep(mid, node, config)
-    )
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, cc, config) and
-      additionalLocalFlowStep(mid, node, config)
-    )
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, _, config) and
-      jumpStep(mid, node, config) and
-      cc = false
-    )
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, _, config) and
-      additionalJumpStep(mid, node, config) and
-      cc = false
-    )
-    or
-    // store
-    exists(NodeEx mid |
-      useFieldFlow(config) and
-      fwdFlow(mid, cc, config) and
-      store(mid, _, node, _, config)
-    )
-    or
-    // read
-    exists(Content c |
-      fwdFlowRead(c, node, cc, config) and
-      fwdFlowConsCand(c, config)
-    )
-    or
-    // flow into a callable
-    exists(NodeEx arg |
-      fwdFlow(arg, _, config) and
-      viableParamArgEx(_, node, arg) and
-      cc = true and
-      not fullBarrier(node, config)
-    )
-    or
-    // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, false, config) and
-      cc = false
+    not fullBarrier(node, config) and
+    (
+      sourceNode(node, config) and
+      if hasSourceCallCtx(config) then cc = true else cc = false
      or
-      fwdFlowOutFromArg(call, node, config) and
-      fwdFlowIsEntered(call, cc, config)
+      exists(NodeEx mid |
+        fwdFlow(mid, cc, config) and
+        localFlowStep(mid, node, config)
+      )
+      or
+      exists(NodeEx mid |
+        fwdFlow(mid, cc, config) and
+        additionalLocalFlowStep(mid, node, config)
+      )
+      or
+      exists(NodeEx mid |
+        fwdFlow(mid, _, config) and
+        jumpStep(mid, node, config) and
+        cc = false
+      )
+      or
+      exists(NodeEx mid |
+        fwdFlow(mid, _, config) and
+        additionalJumpStep(mid, node, config) and
+        cc = false
+      )
+      or
+      // store
+      exists(NodeEx mid |
+        useFieldFlow(config) and
+        fwdFlow(mid, cc, config) and
+        store(mid, _, node, _, config) and
+        not outBarrier(mid, config)
+      )
+      or
+      // read
+      exists(Content c |
+        fwdFlowRead(c, node, cc, config) and
+        fwdFlowConsCand(c, config) and
+        not inBarrier(node, config)
+      )
+      or
+      // flow into a callable
+      exists(NodeEx arg |
+        fwdFlow(arg, _, config) and
+        viableParamArgEx(_, node, arg) and
+        cc = true
+      )
+      or
+      // flow out of a callable
+      exists(DataFlowCall call |
+        fwdFlowOut(call, node, false, config) and
+        cc = false
+        or
+        fwdFlowOutFromArg(call, node, config) and
+        fwdFlowIsEntered(call, cc, config)
+      )
    )
  }

@@ -548,8 +547,7 @@ private module Stage1 {
  private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
    exists(ReturnPosition pos |
      fwdFlowReturnPosition(pos, cc, config) and
-      viableReturnPosOutEx(call, pos, out) and
-      not fullBarrier(out, config)
+      viableReturnPosOutEx(call, pos, out)
    )
  }

@@ -775,7 +773,6 @@ private module Stage1 {
   * Holds if flow may enter through `p` and reach a return node making `p` a
   * candidate for the origin of a summary.
   */
-  pragma[nomagic]
  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
    exists(ReturnKindExt kind |
      throughFlowNodeCand(p, config) and
@@ -1012,9 +1009,6 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

-  bindingset[node, ap]
-  private predicate filter(NodeEx node, Ap ap) { any() }
-
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1023,23 +1017,14 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

-  bindingset[result, apa]
-  private ApApprox unbindApa(ApApprox apa) {
-    exists(ApApprox apa0 |
-      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
-    )
-  }
-
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config)) and
-    ccc.matchesCall(call)
+      pragma[only_bind_into](config))
  }

  /**
@@ -1052,13 +1037,6 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
-    fwdFlow0(node, cc, argAp, ap, config) and
-    flowCand(node, unbindApa(getApprox(ap)), config) and
-    filter(node, ap)
-  }
-
-  pragma[nomagic]
-  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1129,7 +1107,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1164,8 +1142,9 @@ private module Stage2 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1180,8 +1159,9 @@ private module Stage2 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      ccOut = getCallContextReturn(inner, call, innercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1191,8 +1171,10 @@ private module Stage2 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1206,7 +1188,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
+      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
    )
  }

@@ -1248,11 +1230,6 @@ private module Stage2 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

-  pragma[nomagic]
-  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
-    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
-  }
-
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -1329,7 +1306,7 @@ private module Stage2 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if returnNodeMayFlowThrough(node, ap, config)
+    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -1364,8 +1341,9 @@ private module Stage2 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1375,8 +1353,9 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1386,8 +1365,9 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1447,7 +1427,7 @@ private module Stage2 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -1727,14 +1707,12 @@ private module Stage3 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config)) and
-    ccc.matchesCall(call)
+      pragma[only_bind_into](config))
  }

  /**
@@ -1859,8 +1837,9 @@ private module Stage3 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1875,8 +1854,9 @@ private module Stage3 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      ccOut = getCallContextReturn(inner, call, innercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1886,8 +1866,10 @@ private module Stage3 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1943,11 +1925,6 @@ private module Stage3 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

-  pragma[nomagic]
-  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
-    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
-  }
-
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2024,7 +2001,7 @@ private module Stage3 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if returnNodeMayFlowThrough(node, ap, config)
+    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2059,8 +2036,9 @@ private module Stage3 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2070,8 +2048,9 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2081,8 +2060,9 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2142,7 +2122,7 @@ private module Stage3 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2493,14 +2473,12 @@ private module Stage4 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config)) and
-    ccc.matchesCall(call)
+      pragma[only_bind_into](config))
  }

  /**
@@ -2625,8 +2603,9 @@ private module Stage4 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2641,8 +2620,9 @@ private module Stage4 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      ccOut = getCallContextReturn(inner, call, innercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2652,8 +2632,10 @@ private module Stage4 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2709,11 +2691,6 @@ private module Stage4 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

-  pragma[nomagic]
-  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
-    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
-  }
-
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2790,7 +2767,7 @@ private module Stage4 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if returnNodeMayFlowThrough(node, ap, config)
+    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2825,8 +2802,9 @@ private module Stage4 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2836,8 +2814,9 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2847,8 +2826,9 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2908,7 +2888,7 @@ private module Stage4 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2992,7 +2972,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

-  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }
+  int getParameterPos() { p.isParameterOf(_, result) }

  ParamNodeEx getParamNode() { result = p }

@@ -3639,40 +3619,39 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
 */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
-  AccessPathApprox apa, Configuration config
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
+  Configuration config
 ) {
-  exists(ArgNode arg, ArgumentPosition apos |
+  exists(ArgNode arg |
    arg = mid.getNodeEx().asNode() and
    cc = mid.getCallContext() and
-    arg.argumentOf(call, apos) and
+    arg.argumentOf(call, i) and
    ap = mid.getAp() and
    apa = ap.getApprox() and
-    config = mid.getConfiguration() and
-    parameterMatch(ppos, apos)
+    config = mid.getConfiguration()
  )
 }

 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
  exists(ParamNodeEx p |
    Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, pos)
+    p.isParameterOf(callable, i)
  )
 }

 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
-  DataFlowCall call, AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
+  AccessPath ap, Configuration config
 ) {
  exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
      pragma[only_bind_into](config)) and
    callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
      pragma[only_bind_into](config))
  )
 }
@@ -3687,9 +3666,9 @@ private predicate pathIntoCallable(
  PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
  DataFlowCall call, Configuration config
 ) {
-  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-    p.isParameterOf(callable, pos) and
+  exists(int i, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+    p.isParameterOf(callable, i) and
    (
      sc = TSummaryCtxSome(p, ap)
      or
@@ -3713,7 +3692,7 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
  Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
+  exists(PathNodeMid mid, RetNodeEx ret, int pos |
    mid.getNodeEx() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
@@ -4442,25 +4421,24 @@ private module FlowExploration {

  pragma[noinline]
  private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
-    PartialAccessPath ap, Configuration config
+    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
+    Configuration config
  ) {
-    exists(ArgNode arg, ArgumentPosition apos |
+    exists(ArgNode arg |
      arg = mid.getNodeEx().asNode() and
      cc = mid.getCallContext() and
-      arg.argumentOf(call, apos) and
+      arg.argumentOf(call, i) and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
    DataFlowCall call, PartialAccessPath ap, Configuration config
  ) {
-    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
+    partialPathIntoArg(mid, i, outercc, call, ap, config) and
    callable = resolveCall(call, outercc)
  }

@@ -4469,9 +4447,9 @@ private module FlowExploration {
    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
    Configuration config
  ) {
-    exists(ParameterPosition pos, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-      p.isParameterOf(callable, pos) and
+    exists(int i, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+      p.isParameterOf(callable, i) and
      sc1 = TSummaryCtx1Param(p) and
      sc2 = TSummaryCtx2Some(ap)
    |
@@ -4635,23 +4613,22 @@ private module FlowExploration {

  pragma[nomagic]
  private predicate revPartialPathFlowsThrough(
-    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
-    RevPartialAccessPath ap, Configuration config
+    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
+    Configuration config
  ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
+    exists(PartialPathNodeRev mid, ParamNodeEx p |
      mid.getNodeEx() = p and
-      p.getPosition() = ppos and
+      p.getPosition() = pos and
      sc1 = mid.getSummaryCtx1() and
      sc2 = mid.getSummaryCtx2() and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
    Configuration config
  ) {
    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4664,7 +4641,7 @@ private module FlowExploration {
  private predicate revPartialPathThroughCallable(
    PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
  ) {
-    exists(DataFlowCall call, ArgumentPosition pos |
+    exists(DataFlowCall call, int pos |
      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
      node.asNode().(ArgNode).argumentOf(call, pos)
    )
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
  ParamNodeEx() { this.asNode() instanceof ParamNode }

-  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
-    this.asNode().(ParamNode).isParameterOf(c, pos)
+  predicate isParameterOf(DataFlowCallable c, int i) {
+    this.asNode().(ParamNode).isParameterOf(c, i)
  }

-  ParameterPosition getPosition() { this.isParameterOf(_, result) }
+  int getPosition() { this.isParameterOf(_, result) }

  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -289,7 +289,6 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

-pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
    config.isBarrier(n)
@@ -308,23 +307,11 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 }

 pragma[nomagic]
-private predicate sourceNode(NodeEx node, Configuration config) {
-  config.isSource(node.asNode()) and
-  not fullBarrier(node, config)
-}
+private predicate sourceNode(NodeEx node, Configuration config) { config.isSource(node.asNode()) }

 pragma[nomagic]
 private predicate sinkNode(NodeEx node, Configuration config) { config.isSink(node.asNode()) }

-/** Provides the relevant barriers for a step from `node1` to `node2`. */
-pragma[inline]
-private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
-  not fullBarrier(node1, config) and
-  not fullBarrier(node2, config)
-}
-
 /**
 * Holds if data can flow in one local step from `node1` to `node2`.
 */
@@ -333,14 +320,16 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    simpleLocalFlowStepExt(n1, n2) and
-    stepFilter(node1, node2, config)
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.asNode() = n and
-    node2.isImplicitReadNode(n, false) and
-    not fullBarrier(node1, config)
+    node2.isImplicitReadNode(n, false)
  )
 }

@@ -353,14 +342,16 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
-    stepFilter(node1, node2, config)
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.isImplicitReadNode(n, true) and
-    node2.asNode() = n and
-    not fullBarrier(node2, config)
+    node2.asNode() = n
  )
 }

@@ -372,7 +363,10 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    jumpStepCached(n1, n2) and
-    stepFilter(node1, node2, config) and
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }
@@ -386,14 +380,16 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
-    stepFilter(node1, node2, config) and
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }

 private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  read(node1.asNode(), c, node2.asNode()) and
-  stepFilter(node1, node2, config)
+  read(node1.asNode(), c, node2.asNode())
  or
  exists(Node n |
    node2.isImplicitReadNode(n, true) and
@@ -406,8 +402,7 @@ private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
  store(node1.asNode(), tc, node2.asNode(), contentType) and
-  read(_, tc.getContent(), _, config) and
-  stepFilter(node1, node2, config)
+  read(_, tc.getContent(), _, config)
 }

 pragma[nomagic]
@@ -456,59 +451,63 @@ private module Stage1 {
   * argument in a call.
   */
  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
-    sourceNode(node, config) and
-    if hasSourceCallCtx(config) then cc = true else cc = false
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, cc, config) and
-      localFlowStep(mid, node, config)
-    )
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, cc, config) and
-      additionalLocalFlowStep(mid, node, config)
-    )
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, _, config) and
-      jumpStep(mid, node, config) and
-      cc = false
-    )
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, _, config) and
-      additionalJumpStep(mid, node, config) and
-      cc = false
-    )
-    or
-    // store
-    exists(NodeEx mid |
-      useFieldFlow(config) and
-      fwdFlow(mid, cc, config) and
-      store(mid, _, node, _, config)
-    )
-    or
-    // read
-    exists(Content c |
-      fwdFlowRead(c, node, cc, config) and
-      fwdFlowConsCand(c, config)
-    )
-    or
-    // flow into a callable
-    exists(NodeEx arg |
-      fwdFlow(arg, _, config) and
-      viableParamArgEx(_, node, arg) and
-      cc = true and
-      not fullBarrier(node, config)
-    )
-    or
-    // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, false, config) and
-      cc = false
+    not fullBarrier(node, config) and
+    (
+      sourceNode(node, config) and
+      if hasSourceCallCtx(config) then cc = true else cc = false
      or
-      fwdFlowOutFromArg(call, node, config) and
-      fwdFlowIsEntered(call, cc, config)
+      exists(NodeEx mid |
+        fwdFlow(mid, cc, config) and
+        localFlowStep(mid, node, config)
+      )
+      or
+      exists(NodeEx mid |
+        fwdFlow(mid, cc, config) and
+        additionalLocalFlowStep(mid, node, config)
+      )
+      or
+      exists(NodeEx mid |
+        fwdFlow(mid, _, config) and
+        jumpStep(mid, node, config) and
+        cc = false
+      )
+      or
+      exists(NodeEx mid |
+        fwdFlow(mid, _, config) and
+        additionalJumpStep(mid, node, config) and
+        cc = false
+      )
+      or
+      // store
+      exists(NodeEx mid |
+        useFieldFlow(config) and
+        fwdFlow(mid, cc, config) and
+        store(mid, _, node, _, config) and
+        not outBarrier(mid, config)
+      )
+      or
+      // read
+      exists(Content c |
+        fwdFlowRead(c, node, cc, config) and
+        fwdFlowConsCand(c, config) and
+        not inBarrier(node, config)
+      )
+      or
+      // flow into a callable
+      exists(NodeEx arg |
+        fwdFlow(arg, _, config) and
+        viableParamArgEx(_, node, arg) and
+        cc = true
+      )
+      or
+      // flow out of a callable
+      exists(DataFlowCall call |
+        fwdFlowOut(call, node, false, config) and
+        cc = false
+        or
+        fwdFlowOutFromArg(call, node, config) and
+        fwdFlowIsEntered(call, cc, config)
+      )
    )
  }

@@ -548,8 +547,7 @@ private module Stage1 {
  private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
    exists(ReturnPosition pos |
      fwdFlowReturnPosition(pos, cc, config) and
-      viableReturnPosOutEx(call, pos, out) and
-      not fullBarrier(out, config)
+      viableReturnPosOutEx(call, pos, out)
    )
  }

@@ -775,7 +773,6 @@ private module Stage1 {
   * Holds if flow may enter through `p` and reach a return node making `p` a
   * candidate for the origin of a summary.
   */
-  pragma[nomagic]
  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
    exists(ReturnKindExt kind |
      throughFlowNodeCand(p, config) and
@@ -1012,9 +1009,6 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

-  bindingset[node, ap]
-  private predicate filter(NodeEx node, Ap ap) { any() }
-
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1023,23 +1017,14 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

-  bindingset[result, apa]
-  private ApApprox unbindApa(ApApprox apa) {
-    exists(ApApprox apa0 |
-      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
-    )
-  }
-
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config)) and
-    ccc.matchesCall(call)
+      pragma[only_bind_into](config))
  }

  /**
@@ -1052,13 +1037,6 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
-    fwdFlow0(node, cc, argAp, ap, config) and
-    flowCand(node, unbindApa(getApprox(ap)), config) and
-    filter(node, ap)
-  }
-
-  pragma[nomagic]
-  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1129,7 +1107,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1164,8 +1142,9 @@ private module Stage2 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1180,8 +1159,9 @@ private module Stage2 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      ccOut = getCallContextReturn(inner, call, innercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1191,8 +1171,10 @@ private module Stage2 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1206,7 +1188,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
+      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
    )
  }

@@ -1248,11 +1230,6 @@ private module Stage2 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

-  pragma[nomagic]
-  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
-    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
-  }
-
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -1329,7 +1306,7 @@ private module Stage2 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if returnNodeMayFlowThrough(node, ap, config)
+    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -1364,8 +1341,9 @@ private module Stage2 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1375,8 +1353,9 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1386,8 +1365,9 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1447,7 +1427,7 @@ private module Stage2 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -1727,14 +1707,12 @@ private module Stage3 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config)) and
-    ccc.matchesCall(call)
+      pragma[only_bind_into](config))
  }

  /**
@@ -1859,8 +1837,9 @@ private module Stage3 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1875,8 +1854,9 @@ private module Stage3 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      ccOut = getCallContextReturn(inner, call, innercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1886,8 +1866,10 @@ private module Stage3 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1943,11 +1925,6 @@ private module Stage3 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

-  pragma[nomagic]
-  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
-    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
-  }
-
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2024,7 +2001,7 @@ private module Stage3 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if returnNodeMayFlowThrough(node, ap, config)
+    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2059,8 +2036,9 @@ private module Stage3 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2070,8 +2048,9 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2081,8 +2060,9 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2142,7 +2122,7 @@ private module Stage3 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2493,14 +2473,12 @@ private module Stage4 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config)) and
-    ccc.matchesCall(call)
+      pragma[only_bind_into](config))
  }

  /**
@@ -2625,8 +2603,9 @@ private module Stage4 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2641,8 +2620,9 @@ private module Stage4 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      ccOut = getCallContextReturn(inner, call, innercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2652,8 +2632,10 @@ private module Stage4 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2709,11 +2691,6 @@ private module Stage4 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

-  pragma[nomagic]
-  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
-    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
-  }
-
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2790,7 +2767,7 @@ private module Stage4 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if returnNodeMayFlowThrough(node, ap, config)
+    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2825,8 +2802,9 @@ private module Stage4 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2836,8 +2814,9 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2847,8 +2826,9 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2908,7 +2888,7 @@ private module Stage4 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2992,7 +2972,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

-  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }
+  int getParameterPos() { p.isParameterOf(_, result) }

  ParamNodeEx getParamNode() { result = p }

@@ -3639,40 +3619,39 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
 */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
-  AccessPathApprox apa, Configuration config
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
+  Configuration config
 ) {
-  exists(ArgNode arg, ArgumentPosition apos |
+  exists(ArgNode arg |
    arg = mid.getNodeEx().asNode() and
    cc = mid.getCallContext() and
-    arg.argumentOf(call, apos) and
+    arg.argumentOf(call, i) and
    ap = mid.getAp() and
    apa = ap.getApprox() and
-    config = mid.getConfiguration() and
-    parameterMatch(ppos, apos)
+    config = mid.getConfiguration()
  )
 }

 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
  exists(ParamNodeEx p |
    Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, pos)
+    p.isParameterOf(callable, i)
  )
 }

 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
-  DataFlowCall call, AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
+  AccessPath ap, Configuration config
 ) {
  exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
      pragma[only_bind_into](config)) and
    callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
      pragma[only_bind_into](config))
  )
 }
@@ -3687,9 +3666,9 @@ private predicate pathIntoCallable(
  PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
  DataFlowCall call, Configuration config
 ) {
-  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-    p.isParameterOf(callable, pos) and
+  exists(int i, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+    p.isParameterOf(callable, i) and
    (
      sc = TSummaryCtxSome(p, ap)
      or
@@ -3713,7 +3692,7 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
  Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
+  exists(PathNodeMid mid, RetNodeEx ret, int pos |
    mid.getNodeEx() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
@@ -4442,25 +4421,24 @@ private module FlowExploration {

  pragma[noinline]
  private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
-    PartialAccessPath ap, Configuration config
+    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
+    Configuration config
  ) {
-    exists(ArgNode arg, ArgumentPosition apos |
+    exists(ArgNode arg |
      arg = mid.getNodeEx().asNode() and
      cc = mid.getCallContext() and
-      arg.argumentOf(call, apos) and
+      arg.argumentOf(call, i) and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
    DataFlowCall call, PartialAccessPath ap, Configuration config
  ) {
-    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
+    partialPathIntoArg(mid, i, outercc, call, ap, config) and
    callable = resolveCall(call, outercc)
  }

@@ -4469,9 +4447,9 @@ private module FlowExploration {
    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
    Configuration config
  ) {
-    exists(ParameterPosition pos, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-      p.isParameterOf(callable, pos) and
+    exists(int i, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+      p.isParameterOf(callable, i) and
      sc1 = TSummaryCtx1Param(p) and
      sc2 = TSummaryCtx2Some(ap)
    |
@@ -4635,23 +4613,22 @@ private module FlowExploration {

  pragma[nomagic]
  private predicate revPartialPathFlowsThrough(
-    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
-    RevPartialAccessPath ap, Configuration config
+    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
+    Configuration config
  ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
+    exists(PartialPathNodeRev mid, ParamNodeEx p |
      mid.getNodeEx() = p and
-      p.getPosition() = ppos and
+      p.getPosition() = pos and
      sc1 = mid.getSummaryCtx1() and
      sc2 = mid.getSummaryCtx2() and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
    Configuration config
  ) {
    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4664,7 +4641,7 @@ private module FlowExploration {
  private predicate revPartialPathThroughCallable(
    PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
  ) {
-    exists(DataFlowCall call, ArgumentPosition pos |
+    exists(DataFlowCall call, int pos |
      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
      node.asNode().(ArgNode).argumentOf(call, pos)
    )
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -256,11 +256,11 @@ private class ArgNodeEx extends NodeEx {
 private class ParamNodeEx extends NodeEx {
  ParamNodeEx() { this.asNode() instanceof ParamNode }

-  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
-    this.asNode().(ParamNode).isParameterOf(c, pos)
+  predicate isParameterOf(DataFlowCallable c, int i) {
+    this.asNode().(ParamNode).isParameterOf(c, i)
  }

-  ParameterPosition getPosition() { this.isParameterOf(_, result) }
+  int getPosition() { this.isParameterOf(_, result) }

  predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
 }
@@ -289,7 +289,6 @@ private predicate outBarrier(NodeEx node, Configuration config) {
  )
 }

-pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
  exists(Node n | node.asNode() = n |
    config.isBarrier(n)
@@ -308,23 +307,11 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 }

 pragma[nomagic]
-private predicate sourceNode(NodeEx node, Configuration config) {
-  config.isSource(node.asNode()) and
-  not fullBarrier(node, config)
-}
+private predicate sourceNode(NodeEx node, Configuration config) { config.isSource(node.asNode()) }

 pragma[nomagic]
 private predicate sinkNode(NodeEx node, Configuration config) { config.isSink(node.asNode()) }

-/** Provides the relevant barriers for a step from `node1` to `node2`. */
-pragma[inline]
-private predicate stepFilter(NodeEx node1, NodeEx node2, Configuration config) {
-  not outBarrier(node1, config) and
-  not inBarrier(node2, config) and
-  not fullBarrier(node1, config) and
-  not fullBarrier(node2, config)
-}
-
 /**
 * Holds if data can flow in one local step from `node1` to `node2`.
 */
@@ -333,14 +320,16 @@ private predicate localFlowStep(NodeEx node1, NodeEx node2, Configuration config
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    simpleLocalFlowStepExt(n1, n2) and
-    stepFilter(node1, node2, config)
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.asNode() = n and
-    node2.isImplicitReadNode(n, false) and
-    not fullBarrier(node1, config)
+    node2.isImplicitReadNode(n, false)
  )
 }

@@ -353,14 +342,16 @@ private predicate additionalLocalFlowStep(NodeEx node1, NodeEx node2, Configurat
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) = getNodeEnclosingCallable(n2) and
-    stepFilter(node1, node2, config)
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config)
  )
  or
  exists(Node n |
    config.allowImplicitRead(n, _) and
    node1.isImplicitReadNode(n, true) and
-    node2.asNode() = n and
-    not fullBarrier(node2, config)
+    node2.asNode() = n
  )
 }

@@ -372,7 +363,10 @@ private predicate jumpStep(NodeEx node1, NodeEx node2, Configuration config) {
    node1.asNode() = n1 and
    node2.asNode() = n2 and
    jumpStepCached(n1, n2) and
-    stepFilter(node1, node2, config) and
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }
@@ -386,14 +380,16 @@ private predicate additionalJumpStep(NodeEx node1, NodeEx node2, Configuration c
    node2.asNode() = n2 and
    config.isAdditionalFlowStep(n1, n2) and
    getNodeEnclosingCallable(n1) != getNodeEnclosingCallable(n2) and
-    stepFilter(node1, node2, config) and
+    not outBarrier(node1, config) and
+    not inBarrier(node2, config) and
+    not fullBarrier(node1, config) and
+    not fullBarrier(node2, config) and
    not config.getAFeature() instanceof FeatureEqualSourceSinkCallContext
  )
 }

 private predicate read(NodeEx node1, Content c, NodeEx node2, Configuration config) {
-  read(node1.asNode(), c, node2.asNode()) and
-  stepFilter(node1, node2, config)
+  read(node1.asNode(), c, node2.asNode())
  or
  exists(Node n |
    node2.isImplicitReadNode(n, true) and
@@ -406,8 +402,7 @@ private predicate store(
  NodeEx node1, TypedContent tc, NodeEx node2, DataFlowType contentType, Configuration config
 ) {
  store(node1.asNode(), tc, node2.asNode(), contentType) and
-  read(_, tc.getContent(), _, config) and
-  stepFilter(node1, node2, config)
+  read(_, tc.getContent(), _, config)
 }

 pragma[nomagic]
@@ -456,59 +451,63 @@ private module Stage1 {
   * argument in a call.
   */
  predicate fwdFlow(NodeEx node, Cc cc, Configuration config) {
-    sourceNode(node, config) and
-    if hasSourceCallCtx(config) then cc = true else cc = false
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, cc, config) and
-      localFlowStep(mid, node, config)
-    )
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, cc, config) and
-      additionalLocalFlowStep(mid, node, config)
-    )
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, _, config) and
-      jumpStep(mid, node, config) and
-      cc = false
-    )
-    or
-    exists(NodeEx mid |
-      fwdFlow(mid, _, config) and
-      additionalJumpStep(mid, node, config) and
-      cc = false
-    )
-    or
-    // store
-    exists(NodeEx mid |
-      useFieldFlow(config) and
-      fwdFlow(mid, cc, config) and
-      store(mid, _, node, _, config)
-    )
-    or
-    // read
-    exists(Content c |
-      fwdFlowRead(c, node, cc, config) and
-      fwdFlowConsCand(c, config)
-    )
-    or
-    // flow into a callable
-    exists(NodeEx arg |
-      fwdFlow(arg, _, config) and
-      viableParamArgEx(_, node, arg) and
-      cc = true and
-      not fullBarrier(node, config)
-    )
-    or
-    // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, false, config) and
-      cc = false
+    not fullBarrier(node, config) and
+    (
+      sourceNode(node, config) and
+      if hasSourceCallCtx(config) then cc = true else cc = false
      or
-      fwdFlowOutFromArg(call, node, config) and
-      fwdFlowIsEntered(call, cc, config)
+      exists(NodeEx mid |
+        fwdFlow(mid, cc, config) and
+        localFlowStep(mid, node, config)
+      )
+      or
+      exists(NodeEx mid |
+        fwdFlow(mid, cc, config) and
+        additionalLocalFlowStep(mid, node, config)
+      )
+      or
+      exists(NodeEx mid |
+        fwdFlow(mid, _, config) and
+        jumpStep(mid, node, config) and
+        cc = false
+      )
+      or
+      exists(NodeEx mid |
+        fwdFlow(mid, _, config) and
+        additionalJumpStep(mid, node, config) and
+        cc = false
+      )
+      or
+      // store
+      exists(NodeEx mid |
+        useFieldFlow(config) and
+        fwdFlow(mid, cc, config) and
+        store(mid, _, node, _, config) and
+        not outBarrier(mid, config)
+      )
+      or
+      // read
+      exists(Content c |
+        fwdFlowRead(c, node, cc, config) and
+        fwdFlowConsCand(c, config) and
+        not inBarrier(node, config)
+      )
+      or
+      // flow into a callable
+      exists(NodeEx arg |
+        fwdFlow(arg, _, config) and
+        viableParamArgEx(_, node, arg) and
+        cc = true
+      )
+      or
+      // flow out of a callable
+      exists(DataFlowCall call |
+        fwdFlowOut(call, node, false, config) and
+        cc = false
+        or
+        fwdFlowOutFromArg(call, node, config) and
+        fwdFlowIsEntered(call, cc, config)
+      )
    )
  }

@@ -548,8 +547,7 @@ private module Stage1 {
  private predicate fwdFlowOut(DataFlowCall call, NodeEx out, Cc cc, Configuration config) {
    exists(ReturnPosition pos |
      fwdFlowReturnPosition(pos, cc, config) and
-      viableReturnPosOutEx(call, pos, out) and
-      not fullBarrier(out, config)
+      viableReturnPosOutEx(call, pos, out)
    )
  }

@@ -775,7 +773,6 @@ private module Stage1 {
   * Holds if flow may enter through `p` and reach a return node making `p` a
   * candidate for the origin of a summary.
   */
-  pragma[nomagic]
  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
    exists(ReturnKindExt kind |
      throughFlowNodeCand(p, config) and
@@ -1012,9 +1009,6 @@ private module Stage2 {

  private predicate flowIntoCall = flowIntoCallNodeCand1/5;

-  bindingset[node, ap]
-  private predicate filter(NodeEx node, Ap ap) { any() }
-
  bindingset[ap, contentType]
  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }

@@ -1023,23 +1017,14 @@ private module Stage2 {
    PrevStage::revFlow(node, _, _, apa, config)
  }

-  bindingset[result, apa]
-  private ApApprox unbindApa(ApApprox apa) {
-    exists(ApApprox apa0 |
-      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
-    )
-  }
-
  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config)) and
-    ccc.matchesCall(call)
+      pragma[only_bind_into](config))
  }

  /**
@@ -1052,13 +1037,6 @@ private module Stage2 {
   */
  pragma[nomagic]
  predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
-    fwdFlow0(node, cc, argAp, ap, config) and
-    flowCand(node, unbindApa(getApprox(ap)), config) and
-    filter(node, ap)
-  }
-
-  pragma[nomagic]
-  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
    flowCand(node, _, config) and
    sourceNode(node, config) and
    (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1129,7 +1107,7 @@ private module Stage2 {
  ) {
    exists(DataFlowType contentType |
      fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
      typecheckStore(ap1, contentType)
    )
  }
@@ -1164,8 +1142,9 @@ private module Stage2 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1180,8 +1159,9 @@ private module Stage2 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      ccOut = getCallContextReturn(inner, call, innercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1191,8 +1171,10 @@ private module Stage2 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1206,7 +1188,7 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p |
      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
+      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
    )
  }

@@ -1248,11 +1230,6 @@ private module Stage2 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

-  pragma[nomagic]
-  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
-    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
-  }
-
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -1329,7 +1306,7 @@ private module Stage2 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if returnNodeMayFlowThrough(node, ap, config)
+    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -1364,8 +1341,9 @@ private module Stage2 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1375,8 +1353,9 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1386,8 +1365,9 @@ private module Stage2 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1447,7 +1427,7 @@ private module Stage2 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -1727,14 +1707,12 @@ private module Stage3 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config)) and
-    ccc.matchesCall(call)
+      pragma[only_bind_into](config))
  }

  /**
@@ -1859,8 +1837,9 @@ private module Stage3 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1875,8 +1854,9 @@ private module Stage3 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      ccOut = getCallContextReturn(inner, call, innercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1886,8 +1866,10 @@ private module Stage3 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -1943,11 +1925,6 @@ private module Stage3 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

-  pragma[nomagic]
-  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
-    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
-  }
-
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2024,7 +2001,7 @@ private module Stage3 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if returnNodeMayFlowThrough(node, ap, config)
+    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2059,8 +2036,9 @@ private module Stage3 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2070,8 +2048,9 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2081,8 +2060,9 @@ private module Stage3 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2142,7 +2122,7 @@ private module Stage3 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2493,14 +2473,12 @@ private module Stage4 {

  pragma[nomagic]
  private predicate flowThroughOutOfCall(
-    DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow, Configuration config
  ) {
    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
    PrevStage::parameterMayFlowThrough(_, ret.getEnclosingCallable(), _,
-      pragma[only_bind_into](config)) and
-    ccc.matchesCall(call)
+      pragma[only_bind_into](config))
  }

  /**
@@ -2625,8 +2603,9 @@ private module Stage4 {
    exists(ArgNodeEx arg, boolean allowsFieldFlow |
      fwdFlow(arg, outercc, argAp, ap, config) and
      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
-      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      innercc = getCallContextCall(call, p.getEnclosingCallable(), outercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2641,8 +2620,9 @@ private module Stage4 {
      fwdFlow(ret, innercc, argAp, ap, config) and
      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
      inner = ret.getEnclosingCallable() and
-      ccOut = getCallContextReturn(inner, call, innercc) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      ccOut = getCallContextReturn(inner, call, innercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2652,8 +2632,10 @@ private module Stage4 {
  ) {
    exists(RetNodeEx ret, boolean allowsFieldFlow, CcCall ccc |
      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
-      flowThroughOutOfCall(call, ccc, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2709,11 +2691,6 @@ private module Stage4 {
    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
  }

-  pragma[nomagic]
-  private predicate returnNodeMayFlowThrough(RetNodeEx ret, Ap ap, Configuration config) {
-    fwdFlow(ret, any(CcCall ccc), apSome(_), ap, config)
-  }
-
  /**
   * Holds if `node` with access path `ap` is part of a path from a source to a
   * sink in the configuration `config`.
@@ -2790,7 +2767,7 @@ private module Stage4 {
    // flow out of a callable
    revFlowOut(_, node, _, _, ap, config) and
    toReturn = true and
-    if returnNodeMayFlowThrough(node, ap, config)
+    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
    then returnAp = apSome(ap)
    else returnAp = apNone()
  }
@@ -2825,8 +2802,9 @@ private module Stage4 {
  ) {
    exists(NodeEx out, boolean allowsFieldFlow |
      revFlow(out, toReturn, returnAp, ap, config) and
-      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2836,8 +2814,9 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, false, returnAp, ap, config) and
-      flowIntoCall(_, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2847,8 +2826,9 @@ private module Stage4 {
  ) {
    exists(ParamNodeEx p, boolean allowsFieldFlow |
      revFlow(p, true, apSome(returnAp), ap, config) and
-      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config) and
-      if allowsFieldFlow = false then ap instanceof ApNil else any()
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
    )
  }

@@ -2908,7 +2888,7 @@ private module Stage4 {
  }

  predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
-    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, ParameterPosition pos |
+    exists(RetNodeEx ret, Ap ap0, ReturnKindExt kind, int pos |
      parameterFlow(p, ap, ap0, c, config) and
      c = ret.getEnclosingCallable() and
      revFlow(pragma[only_bind_into](ret), true, apSome(_), pragma[only_bind_into](ap0),
@@ -2992,7 +2972,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }

-  ParameterPosition getParameterPos() { p.isParameterOf(_, result) }
+  int getParameterPos() { p.isParameterOf(_, result) }

  ParamNodeEx getParamNode() { result = p }

@@ -3639,40 +3619,39 @@ private predicate pathOutOfCallable(PathNodeMid mid, NodeEx out, CallContext cc)
 */
 pragma[noinline]
 private predicate pathIntoArg(
-  PathNodeMid mid, ParameterPosition ppos, CallContext cc, DataFlowCall call, AccessPath ap,
-  AccessPathApprox apa, Configuration config
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa,
+  Configuration config
 ) {
-  exists(ArgNode arg, ArgumentPosition apos |
+  exists(ArgNode arg |
    arg = mid.getNodeEx().asNode() and
    cc = mid.getCallContext() and
-    arg.argumentOf(call, apos) and
+    arg.argumentOf(call, i) and
    ap = mid.getAp() and
    apa = ap.getApprox() and
-    config = mid.getConfiguration() and
-    parameterMatch(ppos, apos)
+    config = mid.getConfiguration()
  )
 }

 pragma[nomagic]
 private predicate parameterCand(
-  DataFlowCallable callable, ParameterPosition pos, AccessPathApprox apa, Configuration config
+  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
  exists(ParamNodeEx p |
    Stage4::revFlow(p, _, _, apa, config) and
-    p.isParameterOf(callable, pos)
+    p.isParameterOf(callable, i)
  )
 }

 pragma[nomagic]
 private predicate pathIntoCallable0(
-  PathNodeMid mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
-  DataFlowCall call, AccessPath ap, Configuration config
+  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
+  AccessPath ap, Configuration config
 ) {
  exists(AccessPathApprox apa |
-    pathIntoArg(mid, pragma[only_bind_into](pos), outercc, call, ap, pragma[only_bind_into](apa),
+    pathIntoArg(mid, pragma[only_bind_into](i), outercc, call, ap, pragma[only_bind_into](apa),
      pragma[only_bind_into](config)) and
    callable = resolveCall(call, outercc) and
-    parameterCand(callable, pragma[only_bind_into](pos), pragma[only_bind_into](apa),
+    parameterCand(callable, pragma[only_bind_into](i), pragma[only_bind_into](apa),
      pragma[only_bind_into](config))
  )
 }
@@ -3687,9 +3666,9 @@ private predicate pathIntoCallable(
  PathNodeMid mid, ParamNodeEx p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
  DataFlowCall call, Configuration config
 ) {
-  exists(ParameterPosition pos, DataFlowCallable callable, AccessPath ap |
-    pathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-    p.isParameterOf(callable, pos) and
+  exists(int i, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+    p.isParameterOf(callable, i) and
    (
      sc = TSummaryCtxSome(p, ap)
      or
@@ -3713,7 +3692,7 @@ private predicate paramFlowsThrough(
  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
  Configuration config
 ) {
-  exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos |
+  exists(PathNodeMid mid, RetNodeEx ret, int pos |
    mid.getNodeEx() = ret and
    kind = ret.getKind() and
    cc = mid.getCallContext() and
@@ -4442,25 +4421,24 @@ private module FlowExploration {

  pragma[noinline]
  private predicate partialPathIntoArg(
-    PartialPathNodeFwd mid, ParameterPosition ppos, CallContext cc, DataFlowCall call,
-    PartialAccessPath ap, Configuration config
+    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
+    Configuration config
  ) {
-    exists(ArgNode arg, ArgumentPosition apos |
+    exists(ArgNode arg |
      arg = mid.getNodeEx().asNode() and
      cc = mid.getCallContext() and
-      arg.argumentOf(call, apos) and
+      arg.argumentOf(call, i) and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate partialPathIntoCallable0(
-    PartialPathNodeFwd mid, DataFlowCallable callable, ParameterPosition pos, CallContext outercc,
+    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
    DataFlowCall call, PartialAccessPath ap, Configuration config
  ) {
-    partialPathIntoArg(mid, pos, outercc, call, ap, config) and
+    partialPathIntoArg(mid, i, outercc, call, ap, config) and
    callable = resolveCall(call, outercc)
  }

@@ -4469,9 +4447,9 @@ private module FlowExploration {
    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
    Configuration config
  ) {
-    exists(ParameterPosition pos, DataFlowCallable callable |
-      partialPathIntoCallable0(mid, callable, pos, outercc, call, ap, config) and
-      p.isParameterOf(callable, pos) and
+    exists(int i, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+      p.isParameterOf(callable, i) and
      sc1 = TSummaryCtx1Param(p) and
      sc2 = TSummaryCtx2Some(ap)
    |
@@ -4635,23 +4613,22 @@ private module FlowExploration {

  pragma[nomagic]
  private predicate revPartialPathFlowsThrough(
-    ArgumentPosition apos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
-    RevPartialAccessPath ap, Configuration config
+    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
+    Configuration config
  ) {
-    exists(PartialPathNodeRev mid, ParamNodeEx p, ParameterPosition ppos |
+    exists(PartialPathNodeRev mid, ParamNodeEx p |
      mid.getNodeEx() = p and
-      p.getPosition() = ppos and
+      p.getPosition() = pos and
      sc1 = mid.getSummaryCtx1() and
      sc2 = mid.getSummaryCtx2() and
      ap = mid.getAp() and
-      config = mid.getConfiguration() and
-      parameterMatch(ppos, apos)
+      config = mid.getConfiguration()
    )
  }

  pragma[nomagic]
  private predicate revPartialPathThroughCallable0(
-    DataFlowCall call, PartialPathNodeRev mid, ArgumentPosition pos, RevPartialAccessPath ap,
+    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
    Configuration config
  ) {
    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
@@ -4664,7 +4641,7 @@ private module FlowExploration {
  private predicate revPartialPathThroughCallable(
    PartialPathNodeRev mid, ArgNodeEx node, RevPartialAccessPath ap, Configuration config
  ) {
-    exists(DataFlowCall call, ArgumentPosition pos |
+    exists(DataFlowCall call, int pos |
      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
      node.asNode().(ArgNode).argumentOf(call, pos)
    )
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
@@ -62,18 +62,6 @@ predicate accessPathCostLimits(int apLimit, int tupleLimit) {
  tupleLimit = 1000
 }

-/**
- * Holds if `arg` is an argument of `call` with an argument position that matches
- * parameter position `ppos`.
- */
-pragma[noinline]
-predicate argumentPositionMatch(DataFlowCall call, ArgNode arg, ParameterPosition ppos) {
-  exists(ArgumentPosition apos |
-    arg.argumentOf(call, apos) and
-    parameterMatch(ppos, apos)
-  )
-}
-
 /**
 * Provides a simple data-flow analysis for resolving lambda calls. The analysis
 * currently excludes read-steps, store-steps, and flow-through.
@@ -83,27 +71,25 @@ predicate argumentPositionMatch(DataFlowCall call, ArgNode arg, ParameterPositio
 * calls. For this reason, we cannot reuse the code from `DataFlowImpl.qll` directly.
 */
 private module LambdaFlow {
-  pragma[noinline]
-  private predicate viableParamNonLambda(DataFlowCall call, ParameterPosition ppos, ParamNode p) {
-    p.isParameterOf(viableCallable(call), ppos)
+  private predicate viableParamNonLambda(DataFlowCall call, int i, ParamNode p) {
+    p.isParameterOf(viableCallable(call), i)
  }

-  pragma[noinline]
-  private predicate viableParamLambda(DataFlowCall call, ParameterPosition ppos, ParamNode p) {
-    p.isParameterOf(viableCallableLambda(call, _), ppos)
+  private predicate viableParamLambda(DataFlowCall call, int i, ParamNode p) {
+    p.isParameterOf(viableCallableLambda(call, _), i)
  }

  private predicate viableParamArgNonLambda(DataFlowCall call, ParamNode p, ArgNode arg) {
-    exists(ParameterPosition ppos |
-      viableParamNonLambda(call, ppos, p) and
-      argumentPositionMatch(call, arg, ppos)
+    exists(int i |
+      viableParamNonLambda(call, i, p) and
+      arg.argumentOf(call, i)
    )
  }

  private predicate viableParamArgLambda(DataFlowCall call, ParamNode p, ArgNode arg) {
-    exists(ParameterPosition ppos |
-      viableParamLambda(call, ppos, p) and
-      argumentPositionMatch(call, arg, ppos)
+    exists(int i |
+      viableParamLambda(call, i, p) and
+      arg.argumentOf(call, i)
    )
  }

@@ -336,7 +322,7 @@ private module Cached {
    or
    exists(ArgNode arg |
      result.(PostUpdateNode).getPreUpdateNode() = arg and
-      arg.argumentOf(call, k.(ParamUpdateReturnKind).getAMatchingArgumentPosition())
+      arg.argumentOf(call, k.(ParamUpdateReturnKind).getPosition())
    )
  }

@@ -344,7 +330,7 @@ private module Cached {
  predicate returnNodeExt(Node n, ReturnKindExt k) {
    k = TValueReturn(n.(ReturnNode).getKind())
    or
-    exists(ParamNode p, ParameterPosition pos |
+    exists(ParamNode p, int pos |
      parameterValueFlowsToPreUpdate(p, n) and
      p.isParameterOf(_, pos) and
      k = TParamUpdate(pos)
@@ -366,13 +352,11 @@ private module Cached {
  }

  cached
-  predicate parameterNode(Node p, DataFlowCallable c, ParameterPosition pos) {
-    isParameterNode(p, c, pos)
-  }
+  predicate parameterNode(Node p, DataFlowCallable c, int pos) { isParameterNode(p, c, pos) }

  cached
-  predicate argumentNode(Node n, DataFlowCall call, ArgumentPosition pos) {
-    isArgumentNode(n, call, pos)
+  predicate argumentNode(Node n, DataFlowCall call, int pos) {
+    n.(ArgumentNode).argumentOf(call, pos)
  }

  /**
@@ -390,12 +374,12 @@ private module Cached {
  }

  /**
-   * Holds if `p` is the parameter of a viable dispatch target of `call`,
-   * and `p` has position `ppos`.
+   * Holds if `p` is the `i`th parameter of a viable dispatch target of `call`.
+   * The instance parameter is considered to have index `-1`.
   */
  pragma[nomagic]
-  private predicate viableParam(DataFlowCall call, ParameterPosition ppos, ParamNode p) {
-    p.isParameterOf(viableCallableExt(call), ppos)
+  private predicate viableParam(DataFlowCall call, int i, ParamNode p) {
+    p.isParameterOf(viableCallableExt(call), i)
  }

  /**
@@ -404,9 +388,9 @@ private module Cached {
   */
  cached
  predicate viableParamArg(DataFlowCall call, ParamNode p, ArgNode arg) {
-    exists(ParameterPosition ppos |
-      viableParam(call, ppos, p) and
-      argumentPositionMatch(call, arg, ppos) and
+    exists(int i |
+      viableParam(call, i, p) and
+      arg.argumentOf(call, i) and
      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p))
    )
  }
@@ -878,7 +862,7 @@ private module Cached {
  cached
  newtype TReturnKindExt =
    TValueReturn(ReturnKind kind) or
-    TParamUpdate(ParameterPosition pos) { exists(ParamNode p | p.isParameterOf(_, pos)) }
+    TParamUpdate(int pos) { exists(ParamNode p | p.isParameterOf(_, pos)) }

  cached
  newtype TBooleanOption =
@@ -1070,9 +1054,9 @@ class ParamNode extends Node {

  /**
   * Holds if this node is the parameter of callable `c` at the specified
-   * position.
+   * (zero-based) position.
   */
-  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { parameterNode(this, c, pos) }
+  predicate isParameterOf(DataFlowCallable c, int i) { parameterNode(this, c, i) }
 }

 /** A data-flow node that represents a call argument. */
@@ -1080,9 +1064,7 @@ class ArgNode extends Node {
  ArgNode() { argumentNode(this, _, _) }

  /** Holds if this argument occurs at the given position in the given call. */
-  final predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
-    argumentNode(this, call, pos)
-  }
+  final predicate argumentOf(DataFlowCall call, int pos) { argumentNode(this, call, pos) }
 }

 /**
@@ -1128,14 +1110,11 @@ class ValueReturnKind extends ReturnKindExt, TValueReturn {
 }

 class ParamUpdateReturnKind extends ReturnKindExt, TParamUpdate {
-  private ParameterPosition pos;
+  private int pos;

  ParamUpdateReturnKind() { this = TParamUpdate(pos) }

-  ParameterPosition getPosition() { result = pos }
-
-  pragma[nomagic]
-  ArgumentPosition getAMatchingArgumentPosition() { parameterMatch(pos, result) }
+  int getPosition() { result = pos }

  override string toString() { result = "param update " + pos }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll
@@ -9,19 +9,6 @@ private import tainttracking1.TaintTrackingParameter::Private
 private import tainttracking1.TaintTrackingParameter::Public

 module Consistency {
-  private newtype TConsistencyConfiguration = MkConsistencyConfiguration()
-
-  /** A class for configuring the consistency queries. */
-  class ConsistencyConfiguration extends TConsistencyConfiguration {
-    string toString() { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `postWithInFlow`. */
-    predicate postWithInFlowExclude(Node n) { none() }
-
-    /** Holds if `n` should be excluded from the consistency test `argHasPostUpdate`. */
-    predicate argHasPostUpdateExclude(ArgumentNode n) { none() }
-  }
-
  private class RelevantNode extends Node {
    RelevantNode() {
      this instanceof ArgumentNode or
@@ -177,7 +164,7 @@ module Consistency {

  query predicate argHasPostUpdate(ArgumentNode n, string msg) {
    not hasPost(n) and
-    not any(ConsistencyConfiguration c).argHasPostUpdateExclude(n) and
+    not isImmutableOrUnobservable(n) and
    msg = "ArgumentNode is missing PostUpdateNode."
  }

@@ -190,7 +177,6 @@ module Consistency {
    isPostUpdateNode(n) and
    not clearsContent(n, _) and
    simpleLocalFlowStep(_, n) and
-    not any(ConsistencyConfiguration c).postWithInFlowExclude(n) and
    msg = "PostUpdateNode should not be the target of local flow."
  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -2,20 +2,12 @@ private import cpp
 private import DataFlowUtil
 private import semmle.code.cpp.ir.IR
 private import DataFlowDispatch
-private import DataFlowImplConsistency

 /** Gets the callable in which this node occurs. */
 DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.getEnclosingCallable() }

 /** Holds if `p` is a `ParameterNode` of `c` with position `pos`. */
-predicate isParameterNode(ParameterNode p, DataFlowCallable c, ParameterPosition pos) {
-  p.isParameterOf(c, pos)
-}
-
-/** Holds if `arg` is an `ArgumentNode` of `c` with position `pos`. */
-predicate isArgumentNode(ArgumentNode arg, DataFlowCall c, ArgumentPosition pos) {
-  arg.argumentOf(c, pos)
-}
+predicate isParameterNode(ParameterNode p, DataFlowCallable c, int pos) { p.isParameterOf(c, pos) }

 /**
 * A data flow node that occurs as the argument of a call and is passed as-is
@@ -293,6 +285,19 @@ class Unit extends TUnit {
  string toString() { result = "unit" }
 }

+/**
+ * Holds if `n` does not require a `PostUpdateNode` as it either cannot be
+ * modified or its modification cannot be observed, for example if it is a
+ * freshly created object that is not saved in a variable.
+ *
+ * This predicate is only used for consistency checks.
+ */
+predicate isImmutableOrUnobservable(Node n) {
+  // The rules for whether an IR argument gets a post-update node are too
+  // complex to model here.
+  any()
+}
+
 /** Holds if `n` should be hidden from path explanations. */
 predicate nodeIsHidden(Node n) {
  n instanceof OperandNode and not n instanceof ArgumentNode
@@ -325,11 +330,3 @@ predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preserves
 * by default as a heuristic.
 */
 predicate allowParameterReturnInSelf(ParameterNode p) { none() }
-
-private class MyConsistencyConfiguration extends Consistency::ConsistencyConfiguration {
-  override predicate argHasPostUpdateExclude(ArgumentNode n) {
-    // The rules for whether an IR argument gets a post-update node are too
-    // complex to model here.
-    any()
-  }
-}
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -452,7 +452,7 @@ class SsaPhiNode extends Node, TSsaPhiNode {

  /** Holds if this phi node has input from the `rnk`'th write operation in block `block`. */
  final predicate hasInputAtRankInBlock(IRBlock block, int rnk) {
-    this.hasInputAtRankInBlock(block, rnk, _)
+    hasInputAtRankInBlock(block, rnk, _)
  }

  /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll
@@ -307,7 +307,7 @@ class NonPhiMemoryOperand extends NonPhiOperand, MemoryOperand, TNonPhiMemoryOpe
  final override string toString() { result = tag.toString() }

  final override Instruction getAnyDef() {
-    result = unique(Instruction defInstr | this.hasDefinition(defInstr, _))
+    result = unique(Instruction defInstr | hasDefinition(defInstr, _))
  }

  final override Overlap getDefinitionOverlap() { this.hasDefinition(_, result) }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Operand.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Operand.qll
@@ -307,7 +307,7 @@ class NonPhiMemoryOperand extends NonPhiOperand, MemoryOperand, TNonPhiMemoryOpe
  final override string toString() { result = tag.toString() }

  final override Instruction getAnyDef() {
-    result = unique(Instruction defInstr | this.hasDefinition(defInstr, _))
+    result = unique(Instruction defInstr | hasDefinition(defInstr, _))
  }

  final override Overlap getDefinitionOverlap() { this.hasDefinition(_, result) }
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll
@@ -307,7 +307,7 @@ class NonPhiMemoryOperand extends NonPhiOperand, MemoryOperand, TNonPhiMemoryOpe
  final override string toString() { result = tag.toString() }

  final override Instruction getAnyDef() {
-    result = unique(Instruction defInstr | this.hasDefinition(defInstr, _))
+    result = unique(Instruction defInstr | hasDefinition(defInstr, _))
  }

  final override Overlap getDefinitionOverlap() { this.hasDefinition(_, result) }
--- a/cpp/ql/src/AlertSuppression.ql
+++ b/cpp/ql/src/AlertSuppression.ql
@@ -18,12 +18,12 @@ class SuppressionComment extends Comment {
    (
      this instanceof CppStyleComment and
      // strip the beginning slashes
-      text = this.getContents().suffix(2)
+      text = getContents().suffix(2)
      or
      this instanceof CStyleComment and
      // strip both the beginning /* and the end */ the comment
      exists(string text0 |
-        text0 = this.getContents().suffix(2) and
+        text0 = getContents().suffix(2) and
        text = text0.prefix(text0.length() - 2)
      ) and
      // The /* */ comment must be a single-line comment
--- a/Opportunities/ClassesWithManyFields.ql
+++ b/Opportunities/ClassesWithManyFields.ql
@@ -153,12 +153,12 @@ class ExtClass extends Class {
  }

  predicate hasLocationInfo(string path, int startline, int startcol, int endline, int endcol) {
-    if this.hasOneVariableGroup()
+    if hasOneVariableGroup()
    then
      exists(VariableDeclarationGroup vdg | vdg.getClass() = this |
        vdg.hasLocationInfo(path, startline, startcol, endline, endcol)
      )
-    else this.getLocation().hasLocationInfo(path, startline, startcol, endline, endcol)
+    else getLocation().hasLocationInfo(path, startline, startcol, endline, endcol)
  }
 }

--- a/Entities/UnusedStaticFunctions.ql
+++ b/Entities/UnusedStaticFunctions.ql
@@ -50,16 +50,6 @@ predicate reachableThing(Thing t) {
  exists(Thing mid | reachableThing(mid) and mid.callsOrAccesses() = t)
 }

-pragma[nomagic]
-predicate callsOrAccessesPlus(Thing thing1, FunctionToRemove thing2) {
-  thing1.callsOrAccesses() = thing2
-  or
-  exists(Thing mid |
-    thing1.callsOrAccesses() = mid and
-    callsOrAccessesPlus(mid, thing2)
-  )
-}
-
 class Thing extends Locatable {
  Thing() {
    this instanceof Function or
@@ -91,7 +81,7 @@ class FunctionToRemove extends Function {
  }

  Thing getOther() {
-    callsOrAccessesPlus(result, this) and
+    result.callsOrAccesses+() = this and
    this != result and
    // We will already be reporting the enclosing function of a
    // local variable, so don't also report the variable
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,12 +0,0 @@
-## 0.0.5
-
-### New Queries
-
-* A new query `cpp/certificate-not-checked` has been added for C/C++. The query flags unsafe use of OpenSSL and similar libraries.
-* A new query `cpp/certificate-result-conflation` has been added for C/C++. The query flags unsafe use of OpenSSL and similar libraries.
-
-## 0.0.4
-
-### New Queries
-
-* A new query `cpp/non-https-url` has been added for C/C++. The query flags uses of `http` URLs that might be better replaced with `https`.
--- a/cpp/ql/src/Critical/OverflowStatic.ql
+++ b/cpp/ql/src/Critical/OverflowStatic.ql
@@ -103,9 +103,9 @@ class CallWithBufferSize extends FunctionCall {
    // `upperBound(e)` defaults to `exprMaxVal(e)` when `e` isn't analyzable. So to get a meaningful
    // result in this case we pick the minimum value obtainable from dataflow and range analysis.
    result =
-      upperBound(this.statedSizeExpr())
+      upperBound(statedSizeExpr())
          .minimum(min(Expr statedSizeSrc |
-              DataFlow::localExprFlow(statedSizeSrc, this.statedSizeExpr())
+              DataFlow::localExprFlow(statedSizeSrc, statedSizeExpr())
            |
              statedSizeSrc.getValue().toInt()
            ))
--- a/cpp/ql/src/JPL_C/LOC-2/Rule
+++ b/cpp/ql/src/JPL_C/LOC-2/Rule
@@ -22,7 +22,7 @@ abstract class LockOperation extends FunctionCall {
  ControlFlowNode getAReachedNode() {
    result = this
    or
-    exists(ControlFlowNode mid | mid = this.getAReachedNode() |
+    exists(ControlFlowNode mid | mid = getAReachedNode() |
      not mid != this.getMatchingUnlock() and
      result = mid.getASuccessor()
    )
--- a/Year/LeapYear.qll
+++ b/Year/LeapYear.qll
@@ -156,8 +156,8 @@ abstract class LeapYearFieldAccess extends YearFieldAccess {
    //
    // https://aa.usno.navy.mil/faq/docs/calendars.php
    this.isUsedInMod4Operation() and
-    this.additionalModulusCheckForLeapYear(400) and
-    this.additionalModulusCheckForLeapYear(100)
+    additionalModulusCheckForLeapYear(400) and
+    additionalModulusCheckForLeapYear(100)
  }
 }

@@ -176,17 +176,17 @@ class StructTmLeapYearFieldAccess extends LeapYearFieldAccess {

  override predicate isUsedInCorrectLeapYearCheck() {
    this.isUsedInMod4Operation() and
-    this.additionalModulusCheckForLeapYear(400) and
-    this.additionalModulusCheckForLeapYear(100) and
+    additionalModulusCheckForLeapYear(400) and
+    additionalModulusCheckForLeapYear(100) and
    // tm_year represents years since 1900
    (
-      this.additionalAdditionOrSubstractionCheckForLeapYear(1900)
+      additionalAdditionOrSubstractionCheckForLeapYear(1900)
      or
      // some systems may use 2000 for 2-digit year conversions
-      this.additionalAdditionOrSubstractionCheckForLeapYear(2000)
+      additionalAdditionOrSubstractionCheckForLeapYear(2000)
      or
      // converting from/to Unix epoch
-      this.additionalAdditionOrSubstractionCheckForLeapYear(1970)
+      additionalAdditionOrSubstractionCheckForLeapYear(1970)
    )
  }
 }
--- a/Management/AllocaInLoop.ql
+++ b/Management/AllocaInLoop.ql
@@ -57,7 +57,7 @@ class LoopWithAlloca extends Stmt {
    or
    // `e == 0`
    exists(EQExpr eq |
-      this.conditionRequires(eq, truth.booleanNot()) and
+      conditionRequires(eq, truth.booleanNot()) and
      eq.getAnOperand().getValue().toInt() = 0 and
      e = eq.getAnOperand() and
      not exists(e.getValue())
@@ -65,7 +65,7 @@ class LoopWithAlloca extends Stmt {
    or
    // `e != 0`
    exists(NEExpr eq |
-      this.conditionRequires(eq, truth) and
+      conditionRequires(eq, truth) and
      eq.getAnOperand().getValue().toInt() = 0 and
      e = eq.getAnOperand() and
      not exists(e.getValue())
@@ -73,7 +73,7 @@ class LoopWithAlloca extends Stmt {
    or
    // `(bool)e == true`
    exists(EQExpr eq |
-      this.conditionRequires(eq, truth) and
+      conditionRequires(eq, truth) and
      eq.getAnOperand().getValue().toInt() = 1 and
      e = eq.getAnOperand() and
      e.getUnspecifiedType() instanceof BoolType and
@@ -82,7 +82,7 @@ class LoopWithAlloca extends Stmt {
    or
    // `(bool)e != true`
    exists(NEExpr eq |
-      this.conditionRequires(eq, truth.booleanNot()) and
+      conditionRequires(eq, truth.booleanNot()) and
      eq.getAnOperand().getValue().toInt() = 1 and
      e = eq.getAnOperand() and
      e.getUnspecifiedType() instanceof BoolType and
@@ -90,7 +90,7 @@ class LoopWithAlloca extends Stmt {
    )
    or
    exists(NotExpr notExpr |
-      this.conditionRequires(notExpr, truth.booleanNot()) and
+      conditionRequires(notExpr, truth.booleanNot()) and
      e = notExpr.getOperand()
    )
    or
@@ -98,7 +98,7 @@ class LoopWithAlloca extends Stmt {
    // requires both of its operand to be true as well.
    exists(LogicalAndExpr andExpr |
      truth = true and
-      this.conditionRequires(andExpr, truth) and
+      conditionRequires(andExpr, truth) and
      e = andExpr.getAnOperand()
    )
    or
@@ -106,7 +106,7 @@ class LoopWithAlloca extends Stmt {
    // it requires both of its operand to be false as well.
    exists(LogicalOrExpr orExpr |
      truth = false and
-      this.conditionRequires(orExpr, truth) and
+      conditionRequires(orExpr, truth) and
      e = orExpr.getAnOperand()
    )
  }
@@ -141,9 +141,9 @@ class LoopWithAlloca extends Stmt {
   * `conditionRequiresInequality`.
   */
  private Variable getAControllingVariable() {
-    this.conditionRequires(result.getAnAccess(), _)
+    conditionRequires(result.getAnAccess(), _)
    or
-    this.conditionRequiresInequality(result.getAnAccess(), _, _)
+    conditionRequiresInequality(result.getAnAccess(), _, _)
  }

  /**
--- a/Management/NtohlArrayNoBound.qll
+++ b/Management/NtohlArrayNoBound.qll
@@ -61,72 +61,72 @@ class PointerArithmeticAccess extends BufferAccess, Expr {
 * A pair of buffer accesses through a call to memcpy.
 */
 class MemCpy extends BufferAccess, FunctionCall {
-  MemCpy() { this.getTarget().hasName("memcpy") }
+  MemCpy() { getTarget().hasName("memcpy") }

  override Expr getPointer() {
-    result = this.getArgument(0) or
-    result = this.getArgument(1)
+    result = getArgument(0) or
+    result = getArgument(1)
  }

-  override Expr getAccessedLength() { result = this.getArgument(2) }
+  override Expr getAccessedLength() { result = getArgument(2) }
 }

 class StrncpySizeExpr extends BufferAccess, FunctionCall {
-  StrncpySizeExpr() { this.getTarget().hasName("strncpy") }
+  StrncpySizeExpr() { getTarget().hasName("strncpy") }

  override Expr getPointer() {
-    result = this.getArgument(0) or
-    result = this.getArgument(1)
+    result = getArgument(0) or
+    result = getArgument(1)
  }

-  override Expr getAccessedLength() { result = this.getArgument(2) }
+  override Expr getAccessedLength() { result = getArgument(2) }
 }

 class RecvSizeExpr extends BufferAccess, FunctionCall {
-  RecvSizeExpr() { this.getTarget().hasName("recv") }
+  RecvSizeExpr() { getTarget().hasName("recv") }

-  override Expr getPointer() { result = this.getArgument(1) }
+  override Expr getPointer() { result = getArgument(1) }

-  override Expr getAccessedLength() { result = this.getArgument(2) }
+  override Expr getAccessedLength() { result = getArgument(2) }
 }

 class SendSizeExpr extends BufferAccess, FunctionCall {
-  SendSizeExpr() { this.getTarget().hasName("send") }
+  SendSizeExpr() { getTarget().hasName("send") }

-  override Expr getPointer() { result = this.getArgument(1) }
+  override Expr getPointer() { result = getArgument(1) }

-  override Expr getAccessedLength() { result = this.getArgument(2) }
+  override Expr getAccessedLength() { result = getArgument(2) }
 }

 class SnprintfSizeExpr extends BufferAccess, FunctionCall {
-  SnprintfSizeExpr() { this.getTarget().hasName("snprintf") }
+  SnprintfSizeExpr() { getTarget().hasName("snprintf") }

-  override Expr getPointer() { result = this.getArgument(0) }
+  override Expr getPointer() { result = getArgument(0) }

-  override Expr getAccessedLength() { result = this.getArgument(1) }
+  override Expr getAccessedLength() { result = getArgument(1) }
 }

 class MemcmpSizeExpr extends BufferAccess, FunctionCall {
-  MemcmpSizeExpr() { this.getTarget().hasName("Memcmp") }
+  MemcmpSizeExpr() { getTarget().hasName("Memcmp") }

  override Expr getPointer() {
-    result = this.getArgument(0) or
-    result = this.getArgument(1)
+    result = getArgument(0) or
+    result = getArgument(1)
  }

-  override Expr getAccessedLength() { result = this.getArgument(2) }
+  override Expr getAccessedLength() { result = getArgument(2) }
 }

 class MallocSizeExpr extends BufferAccess, FunctionCall {
-  MallocSizeExpr() { this.getTarget().hasName("malloc") }
+  MallocSizeExpr() { getTarget().hasName("malloc") }

  override Expr getPointer() { none() }

-  override Expr getAccessedLength() { result = this.getArgument(0) }
+  override Expr getAccessedLength() { result = getArgument(0) }
 }

 class NetworkFunctionCall extends FunctionCall {
-  NetworkFunctionCall() { this.getTarget().hasName(["ntohd", "ntohf", "ntohl", "ntohll", "ntohs"]) }
+  NetworkFunctionCall() { getTarget().hasName(["ntohd", "ntohf", "ntohl", "ntohll", "ntohs"]) }
 }

 class NetworkToBufferSizeConfiguration extends DataFlow::Configuration {
--- a/Bugs/Protocols/TlsSettingsMisconfiguration.ql
+++ b/Bugs/Protocols/TlsSettingsMisconfiguration.ql
@@ -3,10 +3,8 @@
 * @description Using the TLS or SSLv23 protocol from the boost::asio library, but not disabling deprecated protocols, or disabling minimum-recommended protocols.
 * @kind problem
 * @problem.severity error
- * @security-severity 7.5
 * @id cpp/boost/tls-settings-misconfiguration
 * @tags security
- *       external/cwe/cwe-326
 */

 import cpp
--- a/Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql
+++ b/Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql
@@ -3,10 +3,8 @@
 * @description Using a deprecated hard-coded protocol using the boost::asio library.
 * @kind problem
 * @problem.severity error
- * @security-severity 7.5
 * @id cpp/boost/use-of-deprecated-hardcoded-security-protocol
 * @tags security
- *       external/cwe/cwe-327
 */

 import cpp
--- a/4/FunctionTooLong.ql
+++ b/4/FunctionTooLong.ql
@@ -13,7 +13,7 @@ import cpp

 class MacroFunctionCall extends MacroInvocation {
  MacroFunctionCall() {
-    not exists(this.getParentInvocation()) and
+    not exists(getParentInvocation()) and
    this.getMacro().getHead().matches("%(%")
  }

--- a/5/AssertionDensity.ql
+++ b/5/AssertionDensity.ql
@@ -13,7 +13,7 @@ import semmle.code.cpp.commons.Assertions

 class MacroFunctionCall extends MacroInvocation {
  MacroFunctionCall() {
-    not exists(this.getParentInvocation()) and
+    not exists(getParentInvocation()) and
    this.getMacro().getHead().matches("%(%")
  }

--- a/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll
+++ b/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll
@@ -38,7 +38,7 @@ class ExternalAPIDataNode extends DataFlow::Node {
  int getIndex() { result = i }

  /** Gets the description of the function being called. */
-  string getFunctionDescription() { result = this.getExternalFunction().toString() }
+  string getFunctionDescription() { result = getExternalFunction().toString() }
 }

 /** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalAPIDataNode`s. */
--- a/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIsSpecific.qll
+++ b/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIsSpecific.qll
@@ -38,7 +38,7 @@ class ExternalAPIDataNode extends DataFlow::Node {
  int getIndex() { result = i }

  /** Gets the description of the function being called. */
-  string getFunctionDescription() { result = this.getExternalFunction().toString() }
+  string getFunctionDescription() { result = getExternalFunction().toString() }
 }

 /** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalAPIDataNode`s. */
--- a/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
+++ b/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
@@ -42,7 +42,7 @@ class VarargsFunction extends Function {
  }

  private int trailingArgValueCount(string value) {
-    result = strictcount(FunctionCall fc | this.trailingArgValue(fc) = value)
+    result = strictcount(FunctionCall fc | trailingArgValue(fc) = value)
  }

  string nonTrailingVarArgValue(FunctionCall fc, int index) {
@@ -58,11 +58,11 @@ class VarargsFunction extends Function {

  string normalTerminator(int cnt) {
    result = ["0", "-1"] and
-    cnt = this.trailingArgValueCount(result) and
-    2 * cnt > this.totalCount() and
+    cnt = trailingArgValueCount(result) and
+    2 * cnt > totalCount() and
    not exists(FunctionCall fc, int index |
      // terminator value is used in a non-terminating position
-      this.nonTrailingVarArgValue(fc, index) = result
+      nonTrailingVarArgValue(fc, index) = result
    )
  }

--- a/cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql
@@ -42,7 +42,7 @@ class TaintSource extends VariableAccess {
    definitionUsePair(_, this, va)
    or
    exists(VariableAccess mid, Expr def |
-      this.sourceReaches(mid) and
+      sourceReaches(mid) and
      exprDefinition(_, def, mid) and
      definitionUsePair(_, def, va)
    )
@@ -53,11 +53,11 @@ class TaintSource extends VariableAccess {
   * from `va`, possibly using intermediate reassignments.
   */
  private predicate reachesSink(VariableAccess va, VariableAccess sink) {
-    this.isSink(sink) and
+    isSink(sink) and
    va = sink
    or
    exists(VariableAccess mid, Expr def |
-      this.reachesSink(mid, sink) and
+      reachesSink(mid, sink) and
      exprDefinition(_, def, va) and
      definitionUsePair(_, def, mid)
    )
@@ -71,15 +71,15 @@ class TaintSource extends VariableAccess {
   * this source to `sink` found via `tainted(source, sink)`.)
   */
  predicate reaches(VariableAccess sink) {
-    this.isSink(sink) and
+    isSink(sink) and
    not exists(VariableAccess va |
      va != this and
      va != sink and
      mayAddNullTerminator(_, va)
    |
-      this.sourceReaches(va)
+      sourceReaches(va)
      or
-      this.reachesSink(va, sink)
+      reachesSink(va, sink)
    )
  }
 }
--- a/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.qhelp
+++ b/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.qhelp
@@ -1,28 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<overview>
-<p>When checking the result of SSL certificate verification, accepting any error code may allow an attacker to impersonate someone who is trusted.</p>
-
-</overview>
-<recommendation>
-
-<p>When checking an SSL certificate with <code>SSL_get_verify_result</code>, only <code>X509_V_OK</code> is a success code. If there is any other result the certificate should not be accepted.</p>
-
-</recommendation>
-<example>
-
-<p>In this example the error code <code>X509_V_ERR_CERT_HAS_EXPIRED</code> is treated the same as an OK result. An expired certificate should not be accepted as it is more likely to be compromised than a valid certificate.</p>
-
-<sample src="SSLResultConflationBad.cpp" />
-
-<p>In the corrected example, only a result of <code>X509_V_OK</code> is accepted.</p>
-
-<sample src="SSLResultConflationGood.cpp" />
-
-</example>
-<references>
-
-</references>
-</qhelp>
--- a/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql
+++ b/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql
@@ -1,50 +0,0 @@
-/**
- * @name Certificate result conflation
- * @description Only accept SSL certificates that pass certificate verification.
- * @kind problem
- * @problem.severity error
- * @security-severity 7.5
- * @precision medium
- * @id cpp/certificate-result-conflation
- * @tags security
- *       external/cwe/cwe-295
- */
-
-import cpp
-import semmle.code.cpp.controlflow.Guards
-import semmle.code.cpp.dataflow.DataFlow
-
-/**
- * A call to `SSL_get_verify_result`.
- */
-class SSLGetVerifyResultCall extends FunctionCall {
-  SSLGetVerifyResultCall() { getTarget().getName() = "SSL_get_verify_result" }
-}
-
-/**
- * Data flow from a call to `SSL_get_verify_result` to a guard condition
- * that references the result.
- */
-class VerifyResultConfig extends DataFlow::Configuration {
-  VerifyResultConfig() { this = "VerifyResultConfig" }
-
-  override predicate isSource(DataFlow::Node source) {
-    source.asExpr() instanceof SSLGetVerifyResultCall
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    exists(GuardCondition guard | guard.getAChild*() = sink.asExpr())
-  }
-}
-
-from
-  VerifyResultConfig config, DataFlow::Node source, DataFlow::Node sink1, DataFlow::Node sink2,
-  GuardCondition guard, Expr c1, Expr c2, boolean testIsTrue
-where
-  config.hasFlow(source, sink1) and
-  config.hasFlow(source, sink2) and
-  guard.comparesEq(sink1.asExpr(), c1, 0, false, testIsTrue) and // (value != c1) => testIsTrue
-  guard.comparesEq(sink2.asExpr(), c2, 0, false, testIsTrue) and // (value != c2) => testIsTrue
-  c1.getValue().toInt() = 0 and
-  c2.getValue().toInt() != 0
-select guard, "This expression conflates OK and non-OK results from $@.", source, source.toString()
--- a/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflationBad.cpp
+++ b/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflationBad.cpp
@@ -1,13 +0,0 @@
-// ...
-
-if (cert = SSL_get_peer_certificate(ssl))
-{
-	result = SSL_get_verify_result(ssl);
-
-	if ((result == X509_V_OK) || (result == X509_V_ERR_CERT_HAS_EXPIRED)) // BAD (conflates OK and a non-OK codes)
-	{
-		do_ok();
-	} else {
-		do_error();
-	}
-}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Max Schaefer	2189ab030d	Revert "JS: Recognize DomSanitizer from @angular/core" This reverts commit `ff1d0cc4c7`.	2021-11-25 17:18:34 +00:00
Henry Mercer	667305e27e	Remove NoSQL sinks since September 2018	2021-11-25 17:18:34 +00:00
Esben Sparre Andreasen	79b9d05576	Remove additional Xss sinks	2021-11-25 17:18:33 +00:00
Esben Sparre Andreasen	894ef629f4	Remove additional SQL sinks	2021-11-25 17:18:33 +00:00
Esben Sparre Andreasen	16e5d70027	Remove additional path-injection sinks	2021-11-25 17:18:33 +00:00
Esben Sparre Andreasen	76128c6c98	Add benjamin-button.md	2021-11-25 17:18:33 +00:00
Esben Sparre Andreasen	07a1cbe499	Remove pseudo-properties	2021-11-25 17:18:33 +00:00
Esben Sparre Andreasen	662153464e	Remove 2020 sinks from SqlInjection.ql	2021-11-25 17:18:33 +00:00
Esben Sparre Andreasen	8cd3b13d84	Remove 2020 sinks from Xss.ql	2021-11-25 17:18:33 +00:00
Esben Sparre Andreasen	7d5205acee	Remove 2020 sinks from TaintedPath.ql	2021-11-25 17:18:33 +00:00